Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Det Caraig (Technical Communications)

    Threat researchers have been alerted to the discovery of a new exploit targeting Internet Explorer. Analysts have conducted tests and confirmed that the exploit affects versions 6 and 7 of the browser. Although the exploit is currently unreliable, cybercriminals may be able to create a reliable exploit in the near future. This may allow them to exploit websites and infect visitors. However, an attack may only succeed if hackers lure victims to specially crafted malicious Web pages or compromised websites. The attack also requires JavaScript in order to exploit Internet Explorer.

    The exploit targets a vulnerability with regard to how Internet Explorer uses cascading style sheet (CSS) information. Trend Micro detects this exploit as HTML_SHELLCOD.WT and protects users via the Smart Potection Network.  

    Internet Explorer users are advised to make sure their antivirus definitions are up-to-date. Disabling JavaScript and visiting trusted sites until fixes become available from Microsoft are also suggested.

    Update as of 23 November 2009, 7:56 AM UTC:

    Microsoft issued a security advisory on this vulnerability and confirmed that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are all affected.

    According to the advisory, successful attempts to exploit the vulnerability results in the attacker gaining user rights to the system as a local user does.


    Worm Exploits MS08-067 Bug

    DOWNAD, also known as the Conficker worm, was first seen in the wild taking advantage of the MS08-067 vulnerability. True to form, it propagated via shared networks. Like its predecesors—the Sasser and Nimda worms—it also raised security concerns with regard to a spike in port 445 activity.

    A few days after its appearance, reports suggested that the threat had spread. More than 500,000 unique hosts spread across networks in the United States, China, India, the Middle East, Europe, and Latin America fell prey to the threat. Several residential broadband service providers also reported having an even larger number of infected customers.

    New Year, New Variant

    In January of this year, a few security websites and media outlets reported a wave of detections of another DOWNAD variant.

    This variant first sent exploit packets for a Microsoft Server Service Vulnerability to every machine on the network and to several randomly selected targets over the Internet. It then dropped a copy of itself in the Recycler folder of all available removable and network drives and created an obfuscated autorun.inf file on these drives so it can execute every time a user browsed a network folder or removable drive without actually clicking on the file. It then enumerated the available servers on the network and, using this information, gathered a list of user accounts on the machines.

    Afterward, it ran a dictionary attack against these accounts using a predefined password list. If it succeeds, it dropped a copy of itself on the systems and used a scheduled task to execute the worm.

    Improved Domain Generation Functionality

    In March, the most hyped DOWNAD variant reared its ugly head. WORM_DOWNAD.KK’s additional features included an increased number of generated domains, from the 250 generated by earlier variants to 50,000.

    While it only attempted to connect to around 500 randomly selected domains at a time, this modification was seen as an effort to increase the botnet’s chances of survival until it was set to unleash its enigmatic payload on April Fools’ Day.

    DOWNAD Uses P2P

    April 1 came and went. No signs of the DOWNAD worm were seen until a week after. Threat researchers keeping an eye out for new DOWNAD-related activities saw a new file—the newest worm variant—in infected systems’ Windows Temp folder created exactly on April 7, 2009 at 07:41:21. What was odd about this was that no HTTP download took place around that time though a huge encrypted TCP response from a known DOWNAD/Conficker peer-to-peer (P2P) IP node, which was hosted somewhere in Korea, was found.

    This variant was set to stop running on May 3, 2009; ran using random file and service names; deleted dropped components afterward; propagated via an exploit to external IP addresses if the system had Internet access or to local IP addresses if it did not; opened port 5114 and served as an HTTP server by broadcasting via an SSDP request; and connected to sites such as MySpace, MSN, and eBay.

    Infection Peaks

    In a span of just four months (November 2008–February 2009), the DOWNAD infection count peaked, from initially infecting around 500,000 PCs to 9 million PCs. It certainly wreaked a lot of damage, taking advantage of exploits to spread malicious code as a social engineering ploy. DOWNAD was used to create a botnet that can be utilized for the usual range of threats that lurk in the Web—spamming, distributed denial of service (DDoS) attacks, and spreading FAKEAV. According to Trend Micro Advanced Threats Researcher Ryan Flores, “DOWNAD/Conficker opened the IT security industry’s eyes by exposing several truths and areas that IT professionals commonly overlook.”

    Updated Patches Still Key

    It has been a year since DOWNAD/Conficker first infected PCs. If we have learned anything from this experience, it should be that most worms spread by exploiting network-based vulnerabilities. That is why it is very important to secure connected devices, and keep them up-to-date with the latest patches.

    Of course, this would be hard to do if you use pirated software. So using legitimate software copies is also key to keeping data and even your identity secure, especially in today’s worsening threat landscape.


    4:27 am (UTC-7)   |    by

    The month of October in the threat landscape is often associated with scary social engineering tactics in time for Halloween. As in years past, the threats that lurk in and plague the current threat landscape are real. Most of them can cause irreparable damage, often resulting in information, or worse, identity theft as shown in the following blog entries:

    But just how scary is the Web 2.0 environment nowadays? Let us run down a list of the scariest threats thus far:

    • 2009 saw the emergence or resurfacing of three of the most notorious botnets in relation to information, financial, and identity theftKoobface, ZeuS, and Ilomo. Botnets control more compromised machines than previously believed. Only a handful of cybercriminals have more than 100 million computers under their control. This means they have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90% of all email worldwide is now spam.Koobface is most known for preying on social networking and micro-blogging site users. It has transcended from its original design of taking over accounts to spread malicious links using the affected users’ credentials to spreading a FAKEAV or its variant to users who just happen to visit a compromised site or to click anywhere on a malicious page where a copy of the malware is hosted.

      The ZeuS botnet, on the other hand, is best known for ebanking attacks targeting small businesses that do not have full-time IT staff and only 1–2 payroll personnel. It was first introduced by Rock Phishers this April, paving the way for the rise of easy-to-use kits that yielded professional-looking phishing pages. Its latest components, also known as “ZBOT variants,” now come compressed in more and more complex packers.

      Ilomo, the third most dangerous botnet, Ilomo, also known as “CLAMPI” or “LOMOL,” is known for injecting code into an affected user’s browser to wait for him/her to connect to one of over 4,000 banking, financial, or Web mail sites so it can steal his/her credentials. It can, however, also “piggyback” on the user’s session to transfer funds from his/her account to a remote one while making a mockery of the bank’s secure login system. The botnet also sells “anonymity as a service” as every infected machine can act as a proxy, allowing cybercriminals to route their illegal activities through different networks and countries, thereby evading detection.

    • Tricking users into downloading FAKEAV has been an age-old cybercriminal tactic that apparently has not stopped working. Hence the continuous rise in the number of FAKEAV pushed to unwitting scam victims up to this day. Trend Micro estimates that more than 100,000 users receive messages saying they have been infected by malware while visiting malicious sites and that there are more than 48,000 FAKEAV offerings per month.Apart from its ability to rake in a lot of dough, it is also hard to detect due to its numerous domains and redirectors, giving security experts a hard time tracking all related activities down. FAKEAV will thus continue to plague users for a long time because its ploy works.
    • In June 2009, Microsoft broke its December 2008 record of releasing patches for 28 vulnerabilities with the release of 10 security advisories to address 31 vulnerabilities in its OSs and other software.
      Unpatched vulnerabilities can allow cybercriminals to exploit users’ systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.Microsoft was not alone in this predicament though. Adobe and Firefox have had their share of exploited vulnerabilities as well.
    • Why do more and more people join the cybercriminal bandwagon? The answer is plain and simple, because there is a lot of money to be made in infecting users. FAKEAV, for instance, sell for an average price of US$50 each. Just imagine how much money cybercriminals can make even if they just sell to a fraction of their target user base!  Our threat research papers provide detailed information of such cybercrime activity, if you’re interested, you can read them here.

    And if that isn’t scary enough, Trend Micro’s threat researchers found that the going rates for stolen data (credit card information and user credentials) and for infecting users’ systems continue to rise each year. Cybercriminals never seem to run out of tricks to spread threats to users throughout the Web. No wonder U.S. President Obama officially announced October as the “National Cyber Security Awareness Month!”


    A day before Michael Jackson’s new song, “This Is It,” was slated to premier on on October 12, a spam run promoting a 45-second preview on YouTube already made the rounds.

    The email below, purporting to be from was spammed to users in an effort to trick them into clicking the link to watch the supposed preview.


    Trend Micro threat experts analyzed the URL embedded in the email (http://www.{BLOCKED} and found it to be malicious. It redirected users to the following sites:

    • http://{BLOCKED}
    • http://{BLOCKED}

    The said sites have been injected with a malicious VBScript detected by Trend Micro as VBS_PSYME.DLV. It then led users to a remote site to download the file, http://www.{BLOCKED} detected by Trend Micro as BKDR_RUNRUB.A.

    BKDR_RUNRUB.A is a Ruby-compiled malware that waits for an active Internet connection to send information from the infected user’s machine such as the local computer name, local username, and IP address to a malicious client. Information such as this may be used by cybercriminals to further their profiteering schemes or sold to other malicious users.

    We urge users not to open suspicious-looking emails nor click links that come from people you do not know. Cybercriminals will strive to make their malicious schemes seem legitimate, using the names of reputable news companies such as CNN in this case, as bait.

    Trend Micro Smart Protection Network™ protects both Windows and Mac users from this threat by blocking access to malicious URLs and preventing the download of malicious files.

    Posted in Malware, Spam | 1 TrackBack »

    A specially crafted .PDF file, detected by Trend Micro as TROJ_PIDIEF.ASP, was recently found to be hosted by several Indian, Thai, and New Zealand websites.

    The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates.

    The Trojan belongs to an old but notable malware family known as “ASProx,” which plagued the Web last year. It was so notable that it made its way to Trend Micro’s Top 8 in 2008 list.

    Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites. Visiting the said sites then triggerred redirections to various malicious URLs that ultimately led to the download of more malicious files.

    The recent reemergence of the ASProx code or the cybercriminals behind it may not have brought anything new to the table but it is noteworthy in that this attack seemingly brought the botnet back from the dead after almost a year of inactivity.

    Users, as usual, are thus warned to refrain from opening suspicious-looking files. They are also strongly advised to patch their systems regularly to avoid becoming prey to vulnerability exploits.

    Trend Micro Smart Protection Network™ protects users from this threat by blocking access to malicious URLs and preventing the download of malicious files. Mac users are also protected through Trend Micro Security for Mac and Smart Surfing for Mac.

    Non-Trend Micro product users, on the other hand, can also stay protected with Housecall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

    Important correction, posted October 16, 2009: TROJ_PIDIEF.ASP exploits vulnerabilities cited in CVE-2009-0927 and CVE-2007-5659, not the previously posted vulnerability discussed in the second paragraph above. We apologize for any confusion caused by this oversight. Adobe users should enable the auto-update feature in their product to receive patches that address these vulnerabilities.

    Posted in Bad Sites, Malware | Comments Off on ASProx Resurfaces with a Mass Compromise in Tow


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice