TrendLabs Malware Blog
    Author Archive - Argie Gallego (Anti-spam Research Engineer)

    Cybercriminals have once again seized on the death of Michael Jackson, the ‘King of Pop,’ a few days ago as a lure for their attacks on unsuspecting users.

    We spotted an email (see Figure 1 below) about Michael Jackson’s death written in Spanish claiming to be from CNN Mexico.

    Figures 1 and 2. The spammed email and its sender details.

    Upon closer analysis (see Figure 2 above), we found that the sender address is forged: the message is a spammed email, not a CNN mailing. The email also contained accurate information about Michael Jackson, buying itself credibility in order to lure users into clicking the links within the message.

    The email also contained a suspicious-looking link to an ‘exclusive CNN video’ about the event. Most of the other links in the spammed message were dead and did not lead to any working page. One link, however, labeled el sitio en internet TMZ (Spanish for ‘the TMZ website’), supposedly pointed to the site hosting the video but actually redirected the user to a malicious page at http://{BLOCKED}.com/openbb/avatars/imagen/CNN/indexx.php. Trend Micro detects the threat on that page as HTML_DLOADR.ARM.

    Figure 3. The fake Flash player update page.

    The page contains nothing but a black background and a message box telling the user that the Flash player version on his/her system cannot play the video. The message box has three buttons (see Figure 3 above); clicking any of them triggers the download of a malicious file, flash-installer-windows.exe, which claims to be the Flash player version needed to view the exclusive video. The file is detected as BKDR_IRCBOT.BW. BKDR_IRCBOT.BW connects to a certain IRC server and joins an IRC channel, where it waits for commands from a remote user.

    Notably, even if the user clicks the Cancel button, which should abort the download, the page still pushes the fake installer, so the user ends up with the malicious file downloaded to the system regardless.

    The spam message and malicious website used in this attack are already blocked by the Trend Micro Smart Protection Network.


    Microsoft Corporation regularly issues updates to fix bugs and security vulnerabilities in its software products. These updates are meant to protect users from attacks that depend on exploiting these documented bugs.

    Close to the weekend, we identified spam (click Figure 1 thumbnail for larger view) claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.”

    Figure 1. Sample spam email posing as a Microsoft Outlook critical update.

    A tricky detail here is that all the links in the email (Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate except one. The URL from which the “critical update” may supposedly be downloaded looks legitimate, but hovering over the hyperlink (or checking the source of the mail) reveals a totally different destination.
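    The check described above, link text versus real href, is easy to automate. The following is an added example, not code from the original post: it parses the anchors in an HTML email and flags any whose visible text reads as a URL or domain on one site while the href points at another. The sample message and every domain in it (including the paths under microsoft.com) are constructed for illustration.

```python
# Added example (not from the original post): flag hyperlinks in an HTML email
# whose visible text names one site while the href points at another.
# The sample message and all domains/paths in it are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that itself reads as a URL or a bare domain name.
URL_LIKE = re.compile(r"(https?://|www\.)\S+|[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}(/\S*)?")


def looks_like_url(text):
    """True if the anchor text is a URL or domain rather than ordinary words."""
    return URL_LIKE.fullmatch(text.strip().lower()) is not None


def host_of(value):
    """Lowercase host of a URL or bare domain ('' when there is none)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def same_site(host_a, host_b):
    """Crude registrable-domain comparison: the last two labels must match."""
    return host_a != "" and host_a.split(".")[-2:] == host_b.split(".")[-2:]


def suspicious_links(html):
    """Return (visible text, real href) for links whose text and target disagree."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if looks_like_url(text) and not same_site(host_of(text), host_of(href)):
            findings.append((text, href))
    return findings


# Constructed sample: four plausible footer links and one disguised download link.
SAMPLE_EMAIL = """
<p>A critical update for Microsoft Outlook and Outlook Express is available.</p>
<p>Download: <a href="http://outlook-critical-update.example/install.exe">http://www.microsoft.com/downloads/outlook-update</a></p>
<p><a href="http://www.microsoft.com/contact">Contact Us</a> |
<a href="http://www.microsoft.com/privacy">Privacy Statement</a> |
<a href="http://www.microsoft.com/trademarks">Trademarks</a> |
<a href="http://www.microsoft.com/terms">Terms of Use</a></p>
"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"displayed {text!r} but points to {href!r}")
```

    Links whose text is a plain label (“Contact Us”) are ignored, since a label carries no claim about the destination; only anchors that display one address while pointing at another are reported, which is exactly the trick this spam relies on.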

    For content security experts this already bears the marks of an email-based cybercriminal attack. True enough, the URL leads to the download of a file (detected as TROJ_ZBOT.BTS) which, on execution, accesses a website to download a .bin configuration file that tells the Trojan where to download an updated copy of itself and where to send stolen data. The configuration also lists the websites it monitors for information theft. Our engineers confirmed that the list contained several banking institutions, social networking sites like Facebook and MySpace, and the media sites YouTube and Flickr. The list can be viewed here. Note that the list may change at any time.

    How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It saves the gathered information (which presumably includes user names, passwords, credit card details, etc.) in a file and sends that file to a dedicated server via HTTP POST.

    Earlier posts on spam posing as Microsoft updates:

      Bogus ‘MS Update’ Comes with Malicious Attachment
      Bogus Microsoft Update Delivers Nasty File Infector

    Trend Micro Smart Protection Network blocks the related spam, the malicious URL, and detects TROJ_ZBOT.BTS.


    They say the Internet is making the world smaller. Whether that is true for the rest of us is debatable, but for one group of people it definitely is: spammers.

    Consider this new sample that our team came across recently:

    Figure 1. Sample spam email posing as a Terra notification.

    It appears to come from the Brazilian portal site Terra. That in itself is a little unusual, as attacks of this type usually impersonate more widely known global portals such as Yahoo! and Google.

    The spam claims that someone has sent the user a message, and that the message and photos can be accessed by clicking the link in the email. Note, too, that the bottom of the email claims the message has been scanned by security software. This is meant to make users believe the email is free of malicious code, which, unsurprisingly, it isn’t.

    Clicking the link leads, via a redirect, to the download of the file “AlbumPicasa.scr,” a Trojan detected as TROJ_DLOADR.VIA. The .scr extension marks a Windows screensaver, which is an ordinary executable; the file name is chosen to pass for a photo album.

    This Trojan connects to URLs to download files named “WindowsUpdate.exe” and “rootx.exe,” which are a TROJ_BANKER variant and another TROJ_DLOADR, respectively. BANKER variants are notoriously rampant in Latin America, where users consider online banking a major convenience, a trend cybercriminals did not miss.

    The Trend Micro Smart Protection Network blocks this spam, protecting users from encountering the threat.


    Along with the flowers, heart-shaped boxes of chocolates, and other sundry Valentine’s Day gifts that come rolling in at this time of the year, there are always malware attacks attempting to take advantage of the holiday.

    A recently reported case of malware-related spam contains a short Valentine’s message and an embedded URL that leads to malicious content under the guise of L’amor:

    Figure 1. Sample spam email

    Clicking the link opens a browser and directs the user to a Valentine’s Day-themed website.

    Figure 2. Valentine’s-themed website with links to malicious files

    The site contains a short message and links which, when clicked, prompt the user to download the file vcard.exe, supposedly a tool for creating personalized Valentine’s e-cards.

    Figure 3. Prompt to download malicious file

    The malicious file is actually a WALEDAC variant, specifically detected as WORM_WALEDAC.BG. This is no surprise, since WALEDAC variants have previously been served through e-card spam.

    WORM_WALEDAC.BG executes automatically at every system startup and propagates by spamming copies of itself. It harvests email addresses stored on infected PCs and sends the gathered information to malicious IP addresses. The Trend Micro Smart Protection Network already detects this worm and prevents it from executing.

    Posted in Botnets | WALEDAC Spreads More Malware Love

    Parts 1 and 2 happened in succession in November two years ago: the open redirection services of Google and AOL were used by spammers to trick unsuspecting email recipients into clicking links that led them to various websites. This sequel’s celebrity is Yahoo!:

    Figures 1 & 2. Sample spam.

    The sample spammed messages above contain links that carry a Yahoo! string, which may convince users that the site is legitimate or trusted. They are led to sites (an example is shown below) which, true enough, sell replica watches and other cheap products.

    Figure 3. This website offers cheap replica watches.

    These sites were created just this month, and they share a single IP address. As in the earlier Google and AOL incidents, spammers took advantage of open redirection, a feature search engines use to send users automatically to a target website: the user enters a URL or a string that is predictably related, even if not identical, to the site they are looking for, and is taken straight there without seeing a results page.

    The links in these email messages look as though Yahoo! itself produced them as search results, but the spammers manipulated the search redirect URLs and obfuscated them to lend credibility to the sites they advertise.

    Given the two-year gap between the earlier two spam runs and this one, it seems clear that the technique still works for spammers. Besides lending the advertised sites credibility, the spammed messages also evade filters because the links inside them appear to point at a legitimate domain. This kind of search engine abuse is regarded as a blackhat SEO (Search Engine Optimization) practice.
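    To make the mechanism concrete, here is an added example, not code from the original post or from any of the portals named in it. It shows both halves of the problem: how a filter can recover the real landing host hidden inside a redirector link, and how a redirect handler can refuse to forward off-site. The hosts trusted-portal.example and replica-deals.example, the redirect parameter names, and the sample spam link are all constructed for illustration.

```python
# Added example (not from the original post): how an open redirector lets a
# spammer hide a third-party destination behind a trusted host, and a redirect
# handler that refuses to forward off-site.  'trusted-portal.example',
# 'replica-deals.example' and the parameter names are hypothetical.
from urllib.parse import parse_qs, unquote, urlparse

# Query parameters commonly used by redirectors to carry the destination (assumed names).
REDIRECT_PARAMS = ("u", "url", "target", "redir", "goto")


def embedded_destination(link):
    """Return the URL a redirector link ultimately forwards to, or None if it carries none.

    Follows nested or double-encoded destinations (a redirector inside a redirector)."""
    query = parse_qs(urlparse(link).query)
    for name in REDIRECT_PARAMS:
        if name in query:
            dest = unquote(query[name][0])
            return embedded_destination(dest) or dest
    return None


def final_host(link):
    """Host the user actually lands on: the embedded destination's, else the link's own."""
    dest = embedded_destination(link) or link
    return (urlparse(dest).hostname or "").lower()


# --- Redirector side ------------------------------------------------------

ALLOWED_HOSTS = {"trusted-portal.example", "mail.trusted-portal.example"}


def open_redirect(target):
    """Vulnerable handler: sends the browser wherever the parameter says (the pattern the spam abused)."""
    return target


def safe_redirect(target, default="/"):
    """Hardened handler: honours only site-relative paths and absolute URLs on allowlisted hosts."""
    parsed = urlparse(target)
    # Site-relative path: a single leading '/', no scheme, no authority.
    # '//host' and '/\\host' are rejected because browsers treat them as protocol-relative.
    if (parsed.scheme == "" and parsed.netloc == "" and target.startswith("/")
            and not target.startswith("//") and "\\" not in target):
        return target
    # Absolute URL: exact host match, so 'trusted-portal.example.replica-deals.example'
    # and 'trusted-portal.example@replica-deals.example' both fail.
    if parsed.scheme in ("http", "https") and (parsed.hostname or "").lower() in ALLOWED_HOSTS:
        return target
    return default


# Constructed spam link: looks like a portal search result, lands on a replica-watch shop.
SPAM_LINK = ("http://trusted-portal.example/search?p=watches"
             "&u=http%3A%2F%2Freplica-deals.example%2Fwatch")

if __name__ == "__main__":
    print("spam link shows:", urlparse(SPAM_LINK).hostname)
    print("but lands on:   ", final_host(SPAM_LINK))
    print("vulnerable:     ", open_redirect(embedded_destination(SPAM_LINK)))
    print("hardened:       ", safe_redirect(embedded_destination(SPAM_LINK)))
```

    A mail filter that scores the link by its visible host alone sees only trusted-portal.example, which is why this spam slips through; scoring final_host() instead exposes the replica shop. On the redirector side, the allowlist plus the protocol-relative and backslash checks are what turn the open redirector into a closed one.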

    The timing of this run may also be related to the upcoming Valentine’s Day, as more users are expected to purchase presents online. The WALEDAC malware family was the first to take advantage of this year’s event, sending fake e-cards that led to malware.

    The Trend Micro Smart Protection Network already blocks these spammed messages.

    Posted in Spam | Just Got Unlucky: Part 3


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice