    Author Archive - Miray Lozada (Technical Communications)

    We’ve always known that malware is one big drama queen. A new Trojan pulls all intrigue stops to play scary detective to the hilt as it drives its spread via spammed messages that have these to say:

    This email must have taken a page out of the assassin extortion scam spam that started going around during January this year. The FBI even got involved, as the agency issued a warning against such scams.

    Trend Micro detects this… histrionic Trojan as TROJ_AGENT.AAPN (talk about a fitting detection name). So do not be taken in by these kinds of malware theatrics. If in doubt, follow the FBI’s advice: contact the police or report the matter via the Internet Crime Complaint Center Web site.

    Posted in Malware | Comments Off on Big Malware is Watching You

    Spam has gone audible, or at least spam generated by the yes-they’re-at-it-again Storm network has. It has been confirmed that the celebotnet of the moment employs yet another deviously creative gimmick to further its pump-and-dump stock scams. Trend Micro threat analyst David Sancho confirmed that EMEA TrendLabs’ Storm system has been catching a lot of spammed email messages with attachments such as the following:

    • babylaugh.mp3
    • bartsimpson.mp3
    • cassidy.mp3
    • chrisbrown.mp3
    • ringtones.mp3

    Yup, you’ve heard, er, you’ve read it right folks. Spam is now carrying MP3 files. These babies don’t even have Subject and Message Body details. The MP3 files speak for themselves, literally. Transcribed, the attached files usually deliver the following pitch in a female android voice:

    hallo, this is an invest-tone alert
    hexitone ring incorporated has announced that it’s ready
    to launch it’s new textforcards dot com Web site,
    already a huge success in Canada.
    We are expecting amazing results in the USA
    go read the news and get on EXTO
    that symbol again is EXTO
    thank you

    File sizes range roughly from 50 to 120KB. This “invest-tone” alert appears to be marketing the stock EXTO of Exit Only, Inc., an Internet company that sells and buys cars online. Stock Web sites show that this particular stock, as of 2:12 PM EST, has its price on a slow rise. Tsk, tsk.

    Trend Micro researcher Ivan Macalintal analyzed some of the mail samples and identified the distinctive string “LAME” at the following offset:

    0001e8b0h: 55 55 55 4C 41 4D 45 33 2E 39 37 55 55 55 55 55 ; UUULAME3.97UUUUU

    This may be connected to LAME, an open source shareware MP3 encoder/decoder that is mainly popular among Unix users.

    There’s just no abating for the Storm network. It has now gone and done a caterwaul of a musical. Yes, we are certainly ‘hearing’ the menace of Storm annoyingly loud and cringingly clear.

    Posted in Botnets, Spam | 1 TrackBack »

    8:40 am (UTC-7)

    Spammers are Excel-ing, literally. Text and image spam as PDF files are now old news as MS Excel enters the spam scene. Last July 22, Trend Micro researchers started noticing email messages that carry ZIP-packed Excel files. When opened, these Excel files stink of pump-and-dump schemes that spam mails are now notorious for. See images below:

    [Image: Zip Archive]

    [Image: Excel File]

    Using ZIP as a carrier of malicious files is already a known routine of many malware families like WORM_BAGLE and TROJ_YABE. Using ZIP as a carrier or as part of a spam scheme, however, is quite new and may be a social engineering tactic more than anything else. The fact that the email arrives as an Excel file packed in ZIP may have more to do with an attempt to lend credence to a stock-related email at a time when authorities are seriously running after pump-and-dump spammers. That the spammer chose Excel, an application usually associated with accounting, ergo money, may not be a coincidence either.

    Spam Excel(s) now and it is not far off the mark that it Word(s) and PowerPoint(s) in the future…and Photoshop(s) and Outlook(s) and ….
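    As an added example that is not from the original posts, here is a small Python attachment check covering both patterns described on this page: MP3 attachments from the Storm campaign (empty subject and body, 50 to 120KB, the LAME encoder tag at some offset) and ZIP archives that carry an Excel file. The sample attachments are constructed inline; the function names are this example's own.

```python
import io
import re
import zipfile

# Constructed samples, not real attachments from the posts. The fake MP3 is
# padded so that its size falls in the 50-120KB band reported for the campaign.
FAKE_MP3 = b"\xff\xfb" + b"U" * 40_000 + b"UUULAME3.97UUUUU" + b"U" * 40_000

def _fake_zip_with_xls() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # OLE2 magic followed by filler stands in for a real Excel workbook
        zf.writestr("stock_tip.xls", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    return buf.getvalue()

FAKE_ZIP = _fake_zip_with_xls()

# The LAME encoder writes a tag such as "LAME3.97" into the MP3 stream.
LAME_TAG = re.compile(rb"LAME\d\.\d+")

def lame_tag_offset(data: bytes):
    """Return (offset, tag) of the first LAME encoder tag, or None."""
    m = LAME_TAG.search(data)
    return (m.start(), m.group().decode()) if m else None

def classify_attachment(name, data, subject="", body=""):
    """Return the list of reasons an attachment matches either spam pattern."""
    reasons = []
    lname = name.lower()
    if lname.endswith(".mp3"):
        if not subject.strip() and not body.strip():
            reasons.append("mp3 attachment with empty subject and body")
        if 50_000 <= len(data) <= 120_000:
            reasons.append("mp3 size in 50-120KB band")
        tag = lame_tag_offset(data)
        if tag:
            reasons.append(f"LAME tag {tag[1]} at offset {tag[0]:#x}")
    elif lname.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return ["zip attachment that fails to parse"]
        xls = [m for m in members if m.lower().endswith((".xls", ".xlsx"))]
        if xls:
            reasons.append(f"zip carrying Excel file(s): {', '.join(xls)}")
    return reasons
```

    The checks are heuristics for triage, not signatures: a legitimate MP3 will carry a LAME tag too, so the empty-subject and size conditions are what separate the campaign from ordinary mail.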

    Posted in Bad Sites | Comments Off on Spam Excel(s)

    Experts are raining on the parade of the gadget celebutante of the moment, Apple’s iPhone. This week, at least two reports surfaced claiming to have found vulnerabilities on iPhone that can give way to malicious activities.

    The Register described iPhone as a “phisherman’s friend” after a security company reported a possible hole in iPhone’s email client that can expose users to phishing Web sites. iPhone’s email client displays only the first few characters of a Web link, making it relatively easy to hide the end of fake links.

    Another possible hole is how iPhone links its Internet browser and phone functions, which can allow the embedding of scam telephone numbers within Web sites that unsuspecting users may be prompted to dial. Another source also reports this vulnerability, citing SPI Labs’ warnings on the use of the Safari browser in dialing telephone numbers via mobile devices. The security company clarifies that the bug they found is not exclusive to iPhone and may be applicable to Treos or Windows Mobile devices, but they chose to check iPhone first. Note that a user can dial any phone number displayed on a Web page simply by tapping it on iPhone. An attack like this can be launched from a malicious site, from a legitimate site with XSS, or as part of a malware’s payload.

    These reports, however, are just drizzle that can hardly stop iPhone’s march. Real downpour is yet to come.

    Posted in Bad Sites | Comments Off on Experts Rain on iPhone’s Parade

    5:51 am (UTC-7)

    Yes, WORM_NUWAR’s at it again, and this time around it is using image spam tactics. Spammed messages related to this variant, detected by Trend Micro as WORM_NUWAR.EN, have message bodies in GIF format. The volume of image spam rose dramatically late last year when spammers realized how effective images can be in evading email content filters. WORM_NUWAR.EN may be capitalizing on this effectiveness to expand its already versatile spamming repertoire.

    Another notable thing about this particular Nuwar is its availability on several IP addresses, most of which are .HK (Hong Kong) domains. The usual file name of the executable is ECARD.EXE. Its cherry topping, however, is a rootkit capability that enables it to hide its network activities.

    Whereas WORM_NUWARs, in general, usually bank on their social engineering skills to carry out effective attacks, this latest iteration saw to taking Nuwar’s technical chops to another level. Yes, WORM_NUWAR is indeed at it again and it’s hitting on different areas that are still sure to hurt.

    Posted in Bad Sites | Comments Off on NUWAR at It Again


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice