    Author Archive - Carolyn Guevarra (Technical Communications)

    Recent news of a swimsuit mishap involving a popular Philippine TV personality, Anne Curtis, spread like wildfire when members of the press captured the said incident and circulated supposed videos over the Web. The incident happened last Sunday while the Australian-born TV host and movie actress was performing a dance number while shooting live for a local noontime TV show.

    Fans and detractors of the actress alike had a field day with the occurrence. Apparently, cybercriminals caught on as they are now taking advantage of Curtis’ wardrobe malfunction incident to spread new FAKEAV variants.

    Using the usual blackhat search engine optimization (SEO) techniques, cybercriminals were able to make their malicious links the top-ranking results when users search for videos of the nip-slip incident.

    [Screenshot: poisoned search results with the malicious links ranked at the top]

    These links lead to the download of TROJ_FAKEAV.ENZ which, when executed, displays fake warning boxes and application windows to trick users into thinking their systems are infected with several pieces of malware and into buying the fake antivirus.

    [Screenshots: fake warning boxes and application windows displayed by TROJ_FAKEAV.ENZ]

    For cybercriminals, a celebrity’s misfortune is always an opportunity to make money. Other celebrities whose names have been used as social-engineering lures include Brittany Murphy, Farrah Fawcett, and, of course, the ever-controversial Paris Hilton.

    As always, users should be careful about clicking links, especially those related to news about celebrity tragedies. Trend Micro product users are protected from this threat by the Smart Protection Network™, which blocks access to the related malicious sites and prevents the malicious files from being downloaded onto systems.

    Non-Trend Micro product users can likewise stay protected by using free tools like Web Protection Add-On, a lightweight add-on designed to proactively protect computers against Web threats that works alongside existing desktop protection.


    The number of serious zero-day vulnerabilities and potential exploits discovered in recent days is higher than normal. This can enable cybercriminals to gain more leverage in their attacks, allowing them to target a considerably large number of users while these vulnerabilities remain unpatched.

    As part of its regular Patch Tuesday schedule, Microsoft released two security fixes to address vulnerabilities found in certain versions of Windows Movie Maker and Office Excel. This is the first time in almost two years that Microsoft did not include any critical patch in its release.

    Both vulnerabilities allow remote code execution when a user opens a specially crafted Movie Maker or Microsoft Producer project file, or a specially crafted Excel file, respectively. More information on the security advisories can be found in this Trend Micro Security Advisory page.

    While this may be good news, it was somewhat offset by the discovery of a new zero-day exploit for Internet Explorer (IE), the second found in the last 60 days; the previous one was discovered in January. The new exploit takes advantage of an invalid pointer reference vulnerability to execute arbitrary code. Only IE 6 and 7 are vulnerable; users of IE 8 are safe from this threat.

    The exploit code is now available publicly and some related attacks are being tracked.

    But Microsoft is not alone in being hit by vulnerabilities this week.

    The alternate browser Opera was also found to have a flaw in the way it handles the Content-Length HTTP header. At the very least, this can cause the browser to crash.

    Server applications also came under fire. The popular spam filter SpamAssassin was also found to have a security flaw that can allow code contained in a specially crafted email processed by the application to be executed with administrative privileges on the email server. However, since the specially crafted email would have an invalid recipient, it is unclear whether properly configured servers are also vulnerable.

    Patching vulnerable applications sounds like the obvious solution, but it is not always straightforward, particularly for enterprise users: restarting servers is often not as simple for them as it is for home users. In addition, some individuals who discover vulnerabilities believe, rightly or wrongly, that software vendors take a long time to issue patches and downplay the severity of known flaws. Because of this, some prefer to reveal the flaws publicly to force vendors to release patches as soon as possible.

    Trend Micro advises users to keep their security programs up to date and to immediately apply patches once they are released by their vendors. Users can download this month’s Microsoft patches from the official Microsoft Security Bulletin page or run Windows Update to automatically download and apply the patches.

    For business users, Trend Micro Deep Security™ and Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in can be shielded from vulnerabilities, often even before vendor patches are available.


    Spam about diet or weight-loss plans has been around for ages, mostly spreading through email. Recently, however, such spam made the rounds on Twitter, where it spread through compromised accounts of unwitting users.

    Compromised Twitter accounts post Tweets telling their followers to click a shortened link to try out a new diet or weight-loss plan.


    Clicking the given link redirects users to possibly malicious websites that promote Acai Berry.

    [Screenshots: the Acai Berry websites reached from the shortened link]

    Compromised accounts were possibly taken over in previous Twitter spam runs featured in the following blog entries and are being used again for this new attack:

    As of this writing, Twitter is already aware of this latest spam attack and has taken the necessary corrective actions to prevent the spam from spreading further.

    Users are strongly advised to refrain from clicking links in Tweets with similar messages even if they come from a known or trusted user. Users who think their accounts may have been compromised should change their passwords as soon as possible.

    Trend Micro™ Smart Protection Network™ protects product users from this kind of attack by blocking user access to the malicious domains and other related sites.

    For Twitter users, follow @TrendMicro to get the latest security information and updates on how to stay protected from new and upcoming threats.


    Following the recent shutdown of the Mariposa botnet, three alleged members of the group behind it were arrested last week by the Spanish Police, who are still pursuing another suspect who may be at large somewhere in South America.

    The Mariposa botnet was one of the largest botnets to date. It was reportedly responsible for attacking millions of businesses around the world, including Fortune 1000 companies, to steal online banking, business, and personal information from compromised systems.

    Mariposa was discovered in 2009 by the Mariposa Working Group, an informal group of volunteers from the security industry and law enforcement agencies, formed to specifically investigate and to eventually eliminate the said botnet. The group was also responsible for giving out pertinent information on the botnet, which led to the arrest of three of its perpetrators.

    Throughout its lifetime, Mariposa spawned several bot variants that compromised up to 12.7 million computers all over the world. Trend Micro detects malware related to this botnet as WORM_AUTORUN.ZRO (now named WORM_PALEVO.SMZR). This worm spreads copies of itself through physical and removable drives as well as through the popular instant-messaging application MSN Messenger. It also propagates via known peer-to-peer (P2P) file-sharing applications, particularly Kazaa, BearShare, iMesh, Shareaza, DC++, eMule, and LimeWire, and can perform denial-of-service (DoS) attacks against targeted systems.

    The take-down of the Mariposa botnet may mean fewer zombies for cybercriminals to operate with. However, other infamous botnets have not been caught yet, and new ones are gaining notoriety, such as the ZeuS, SDBOT IRC, Chuck Norris, and DOWNAD/Conficker botnets.

    Trend Micro™ Smart Protection Network™ already protects product users from these threats by detecting and preventing the file’s execution on affected systems via the file reputation service.

    Non-Trend Micro product users, on the other hand, can use free tools like RUBotted, which monitors computers for suspicious activities and regularly checks with an online service to identify behaviors associated with bots. Upon discovering potential infections, it prompts users to scan and clean their computers.


    Another Proof-of-Concept (POC) Revealed

    The changing threat landscape has brought about more sophisticated Web threats and left the online population clamoring for better security features in the systems and applications they use. This has pushed Microsoft to build security mechanisms into Windows such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

    Both DEP and ASLR are security mechanisms that Microsoft included in its recent Windows releases, starting with XP SP2 and Vista, respectively, and which should ideally protect systems from exploit code. DEP prevents the execution of code (including injected shellcode) from memory regions marked non-executable, such as the stack and heap. ASLR, on the other hand, randomizes where executables, libraries, the stack and the heap are placed in memory, so that guessing the exact location of any code or data is more difficult. But what if these security mechanisms are not so secure after all?

    This is what Berend-Jan Wever, aka Skylined (the security researcher who first published the heap-spraying technique), found when he reported a new exploit technique that bypasses DEP when ASLR is disabled. In his full disclosure of the exploit, Wever discusses how to get around DEP with a return-to-libc attack, in which the attacker reuses code already present in the exploited application or its libraries rather than running his or her own code. Because DEP only refuses to execute from writable memory, it has nothing to block; the catch is that the attacker must know where that existing code sits, which is why the technique depends on ASLR being absent or disabled.
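    The return-to-libc idea described above, as an added C example that is neither Wever’s code nor part of the original post. It overwrites a function pointer placed right after a fixed-size buffer rather than a saved return address, so it behaves the same under any compiler and stack-protector setting; the principle is identical: the payload carries no shellcode, only the address of code already in the binary. `struct record`, `grant_access`, `parse_message` and the message bytes are all constructed for the example. The address is taken from the running process, which models an attacker reading it from a copy of a non-ASLR binary.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical victim layout: a fixed-size buffer followed by a code
 * pointer, the same shape as a stack frame whose local buffer sits below
 * the saved return address.  (Constructed example, not from the page.) */
struct record {
    char buf[16];
    void (*handler)(void);
};

static int privileged = 0;

/* Existing code in the binary, standing in for a libc function such as
 * system(): a return-to-libc attacker wants execution to land here
 * without injecting any code of their own. */
static void grant_access(void) { privileged = 1; }

/* What the program actually intends to call. */
static void log_handler(void) { }

/* Vulnerable copy: the length is checked against the whole record
 * instead of against sizeof rec->buf, so a long message runs past buf
 * and overwrites handler.  Writing through an unsigned char pointer keeps
 * every store inside *rec, which makes the demonstration deterministic. */
static void parse_message(struct record *rec, const unsigned char *msg, size_t len)
{
    unsigned char *dst = (unsigned char *)rec;
    for (size_t i = 0; i < len && i < sizeof *rec; i++)
        dst[i] = msg[i];
}

/* Hardened copy: bounds are checked against the field being written. */
static int parse_message_safe(struct record *rec, const unsigned char *msg, size_t len)
{
    if (len > sizeof rec->buf)
        return -1;                      /* reject rather than truncate silently */
    memcpy(rec->buf, msg, len);
    return 0;
}

/* Attacker side: filler for buf, then the address of existing code at
 * the offset where handler lives.  No shellcode is sent, so DEP, which
 * only refuses to execute from writable memory, has nothing to block.
 * The address is the one thing the attacker must know in advance; with
 * ASLR off it is the same on every run, which is why this DEP bypass
 * assumes ASLR is disabled. */
static size_t build_payload(unsigned char *out, size_t cap, void (*target)(void))
{
    size_t off = offsetof(struct record, handler);
    size_t len = off + sizeof target;
    if (cap < len)
        return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return len;
}

/* Deliver the payload to the vulnerable parser; returns 1 if control
 * reached grant_access. */
int run_attack(void)
{
    struct record rec;
    unsigned char payload[sizeof rec];

    privileged = 0;
    rec.handler = log_handler;
    /* Address taken from the process here; a real attacker reads it from
     * a copy of the non-ASLR binary or library. */
    size_t n = build_payload(payload, sizeof payload, grant_access);
    parse_message(&rec, payload, n);
    rec.handler();                      /* dispatch now lands in legitimate code */
    return privileged;
}

/* Same payload against the hardened parser; returns 1 only if the attack
 * still succeeded. */
int run_hardened(void)
{
    struct record rec;
    unsigned char payload[sizeof rec];

    privileged = 0;
    rec.handler = log_handler;
    size_t n = build_payload(payload, sizeof payload, grant_access);
    if (parse_message_safe(&rec, payload, n) == 0)
        rec.handler();
    return privileged;
}

int main(void)
{
    printf("vulnerable parser: privileged=%d\n", run_attack());   /* 1 */
    printf("hardened parser:   privileged=%d\n", run_hardened()); /* 0 */
    return 0;
}
```

    The only input the attacker needs beyond the overflow is the address of `grant_access`; under ASLR that address changes per run and the same payload would simply crash, which is the complementary role the two mitigations play.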

    Possibilities Explored

    Although these features make code execution on a system more difficult, they are not perfect and can be bypassed, as Wever’s exploit code shows. The exploit targets an already fixed vulnerability in Internet Explorer (IE), but the technique may pave the way for new exploits that defeat DEP.

    As Trend Micro researcher Rajiv Motwani puts it, “History could repeat itself. After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not farfetched that the release of this new POC could lead to the same scenario—new exploits could start using return-to-libc to achieve DEP bypass.”

    Furthermore, because the technique defeats DEP, which Microsoft only recently introduced with Windows XP SP2, and because ASLR has only been enabled by default from Windows Vista onward, exploits against systems that have DEP but no ASLR, such as Windows XP and Server 2003, can be expected to become more reliable.

    Thoughts on Public Disclosure

    Given the increasing number of POCs that have gone public, responsible disclosure deserves considerable thought. Trend Micro global director for education David Perry notes that there seems to be a lot of disclosure rather than response on the exploit. Public disclosures currently act as double-edged swords that both inform and complicate the threat landscape.

    On one hand, disclosures raise public awareness and push developers to act quickly. On the other hand, putting such critical information in the hands of the public could lead to significant exploits, as we saw with the most recent zero-day IE vulnerability.

    While actual exploits of this vulnerability have yet to be seen in the wild, Trend Micro Deep Security™ already shields users from potential future exploits. Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the latest IDF filters.

    Additional text by Ria Rivera



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice