
    Author Archive - Arman Capili (Technical Communications)

    Malware targeting machines running Mac OS is quickly becoming common, with new variants appearing on a seemingly monthly basis. Just last week, our friends at Intego reported a new variant of the RSPLUG Trojan in the wild.

    Taking its cue from the routines of the first RSPLUG malware, this latest incarnation no longer limits itself to porn sites. It has been found hosted on several websites linked to one another that offer keygens, cracks, and serial numbers for Mac applications.

    Detected by Trend Micro as OSX_RSPLUG.B, this malware arrives on an affected system as a downloaded file from the Web and uses the file name serial_Avid.Xpress.Pro.5.7.2.dmg. And like the earlier variant, it also causes the affected system to redirect to a malicious URL by modifying the system’s network settings.

    Worthy of note is its similarity to last month’s Mac Trojan, detected as OSX_KROWI.A, that piggybacked on pirated versions of Apple iWorks 2009 and Adobe Photoshop for Mac. Both incidents appear to ride on the ease-of-use and predictability of software installation on Macs – an apparently successful social engineering ruse.

    The perpetrators of this malware continue to sidestep the difficulty of infecting Macs directly by exploiting the carelessness and gullibility of users who download and install pirated software. Trend Micro reiterates its advice to users to use legitimate software only to avoid brushes with these types of security concerns. The Smart Protection Network already detects OSX_RSPLUG.B and provides solutions for its cleanup and removal.


    A few days ago, Trend Micro got wind of a .DLL worm detected as WORM_DOWNAD.A that exploits the MS08-067 vulnerability. Its routines have led our security analysts to postulate that it is a key component in the development of a new botnet.

    Initially thought to be working in conjunction with a NETWORM variant, WORM_DOWNAD.A is now believed to be an updated version of an attack from the same criminal botnet gang.

    Fresh reports, however, suggest that this threat has spread further and has extended its reach around the globe. More than 500,000 unique hosts have since been found to have fallen victim to it.

    These infected hosts are spread across different countries and as a random check by Trend Micro Advanced Threats Researcher Ivan Macalintal revealed, they can be found in service provider networks in the U.S., China, India, the Middle East, Europe, and Latin America — several residential broadband providers appear to have a larger number of infected customers.

    The Trend Micro Smart Protection Network already protects users from WORM_DOWNAD.A and provides solutions for its cleanup and removal. Our engineers are still closely monitoring this threat. Updates will be posted as soon as they become available.


    A timely follow-up to last month’s Angelina Nude Movie spam run appeared just as the coveted first pictures of the so-called Brangelina twins (offspring of actor couple Brad Pitt and Angelina Jolie) came out in celebrity magazines.

    Trend Micro has just received reports of a new spam email message using the same social engineering technique to trick unknowing users into downloading malicious files onto their systems.

    Detected by Trend Micro as TROJ_CHEPVIL.RAR, this compressed .RAR file is attached to email messages purportedly containing a nude video of Hollywood A-List actress Angelina Jolie (although her first name is misspelled). A password is even provided within the email message to extract the said attachment.

    Below is a screenshot of the spammed email message:


    Of course, there is no video in the attachment — only another Trojan detected as TROJ_CHEPVIL.C. Executing the Trojan triggers a series of downloads starting with TROJ_AGENT.AVSZ (which disables Windows Firewall) and TROJ_RENOS.ADX.

    Upon execution, TROJ_RENOS.ADX downloads another malicious file, which is detected as TROJ_FAKEALER.HO.

    Potential victims, especially fans of the actress, should be wary of this spam run and are strongly advised not to open attachments from unknown senders.

    Attacks that leverage the popularity of celebrities, using them as the perfect bait in spam runs, are abundant. Attacks similar to the one discussed in this post can be found here:

    Meanwhile, Trend Micro customers are already protected against this Web threat attack by the Smart Protection Network. Updates on this developing issue will be posted as soon as they are available.

    Posted in Malware, Spam | Comments Off on ‘Anjelina’ Spam Follows Through, Unfortunately

    Sporting events are arguably among the best crowd drawers in modern history. And with the ongoing 2008 European Soccer Championships in Switzerland and Austria, the Alps are sure to be flooded with endless chanting, colors, and cash from all over Europe.

    Trend Micro recently got hold of a spam email message that banks on the popularity of soccer and its hordes of European fans in a bid to extort money illegally. The email, written in German with an English translation right after it, purportedly offers to buy the recipient’s ticket to the games at a profit. All a user needs to do is place a call to one of several Austria-based phone numbers listed in the email message.

    Although the real intent of scammers is unclear, a successful extortion can lead to the disclosure of the victim’s bank account information. Alternatively, it could be that the scammers would simply resell the purchased tickets to yet other fans at a much higher price.

    Figure 1. Sample spam enticing users to sell their Euro 2008 soccer tickets for a profit

    Global sporting events are as common a subject of spam attacks as any other world event in the Internet age. A fan site of popular English soccer team Arsenal was reportedly compromised in February this year. Some malware has specifically targeted sports fans during such events, as with WORM_BAGLE.EV, which sent email messages selling tickets to the Torino Winter Olympic Games in 2006.

    Trojanized .DOC and .XLS files that capitalize on the upcoming 2008 Summer Olympics have already been seen. As the Olympic torch makes its way to Beijing this August, a plethora of security issues is sure to follow close behind.


    Scam artists have recently taken center stage on LinkedIn, a social networking site for professionals. Reports indicate that scammers have eyed the lucrative membership base of LinkedIn since these miscreants are fully aware that they are no longer dealing with mere teenagers but grown-ups with money.

    The scam techniques are old and well known to email users as 419 scams or advance fee fraud, but they seem to have been relatively successful on social networking sites. Users have placed such confidence in the security provided by social networking sites that many fraudsters have, in turn, taken advantage of it to extort information from unknowing users.

    Scammers use the old trick of posing as a foreigner looking for a business partner to handle or secure a large amount of money in a private bank account—be it in a form of an inheritance or some dubious investment. The victim need only give access to his/her bank account and withdrawals are then made instead of actual deposits.

    LinkedIn is the latest in a string of security issues involving social networking sites. Others such as MSN and PerfSpot were directly or indirectly used for phishing activities. Of course, the more popular sites of Facebook and MySpace served as prime targets (or even vectors) for malicious online activities such as the installation of spyware and adware. With more innovations and services being offered by today’s social networking sites, expect to see more security breaches and cybercrime as society gets even more tangled in the World Wide Web.

    We can look back at other social networking attacks in the previous months in the following links:



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice