Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Dianne Lagrimas (Technical Communications)

    Before one could get hired, spammers made sure you remember your school days. And they do this by way of celebrating Classmates’ Day, as seen on the spreading message below:


    Clicking on the continue link takes you to the following legitimate-looking Web page:


    After which, a download dialog box appears, prompting you to download a file to be able to see the video:


    In true spammer-malware author fashion, the downloaded file is an executable, which Trend Micro detects as a TSPY_PAPRAS variant.

    This post will be updated as more information on the analysis of the downloaded file comes in.

    Posted in Spam | Comments Off on Spammers Celebrate Classmates’ Day!

    Phishers now have their eyes on child support payment recipients in the US. EPPICard users are warned of a phishing scheme that not only goes around via spammed mail, but also is spreading via SMS. The phishing scam works like your usual phishing scheme: phishers send spam mail with a link to the phishing Web site. The message content varies from enticing users to view a security message, urging recipients to update their accounts, or by joining a “protection against phishing” program, similar to the one shown below:


    The phishing scam was seen as early as May. Phishers perpetrating the EPPICard scam also invaded the SMS scene by sending text messages that urge recipients to update EPPICard details via a URL that is also included in the message.

    EPPICard works like a debit card. It can be used for purchases just like a credit card, and can also be used to obtain cash. To help users further avoid phishing scams related to them, the official EPPICard Web site flashes the following notice:


    Wherever the (online) money is, you can be sure that phishers are trailing behind.

    Posted in Mobile | Comments Off on Child Support Payments May End Up with Phishers

    Barely recovering from the flurry of analysis surrounding the weekend compromise, Trend Micro researchers from Taiwan have yet again discovered a new attack.

    The nature of affected sites seem to be quite diverse, although a big chunk belongs to the Asia Pacific region. Hackers have apparently conducted another massive SQL injection attack, causing well over 160,000 Web sites to contain a certain malicious script.

    Figure 1. Trend Micro product in action, blocking access to sites containing this script.

    Trend Micro detects the script as HTML_IFRAME.NG. When unsuspecting users visit one of these infected pages, they are redirected to any of three URLs containing various exploits. The scripts found in these URLs are detected by Trend Micro as the following:

    JS_DLOADER.JYT, in turn, exploits the MS Data Access Components (MDAC) vulnerability (as described in Microsoft Security Bulletin MS06-014).

    JS_REALPLR.CB, JS_REALPLR.CD and JS_DLOADER.JYT all access a URL in the same domain which downloads 1.exe onto the infected PC. Trend Micro detects 1.exe as TSPY_LINEAGE.PJ (update: the file is now TROJ_AGENT.WPA as of this writing).

    The attack algorithm is illustrated below:

    {attack infection diagram}

    Figure 2. Attack algorithm

    Users are bound to be infected by the aforementioned malware should their browsers allow automatic execution of ActiveX controls. Since users are viewing legitimate sites, it is highly likely that even when browsers are configured to prompt for ActiveX or script download, users will still agree to download the offered file.

    Only a strong Web Threat Protection suite breaks the the infection chain at various points of the attack. This becomes incredibly important considering that the final payload, 1.exe, appears to change with every download. If the user is prevented from accessing URLs which the initial script redirects to in the first place, then the user is effectively protected from whatever threat the final payload may bring.

    Note: Our regional partners are now trying to reach the appropriate CERTs of the affected sites. We have also blocked all related malicious domains and detected all malicious files.

    Consolidated findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.


    There’s no breathing easy when it comes to online security these days. As some several thousands of Web sites try to recover from being hacked via SQL injection barely two days ago, in comes another massive attack on more than half a million Web sites.

    Advanced Threats Research Program Manager Ivan Macalintal found the malicious script JS_SMALL.QT injected into various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program. In the past, some of these compromised sites were found to have been riddled with “phake pharma” and porn comment spam, while others were seen to be previously defaced by underground hackers. Advanced Threats Researcher Alice Decker have seen infections relating to this malicious script as early as February this year.

    This compromise is almost similar to the mass compromises that we’ve seen earlier — visiting a compromised site leads to a series of redirections, which eventually causes the downloading of malware. In this case, TROJ_ZLOB.CCW is on the tail-end. In true ZLOB fashion, this variant poses as a video codec installer:

    {Fake video codec}

    Sure, this one is not at all tricky, since we’ve seen our share of ZLOB variants posing as video codecs before. However, consider that this specific variant tries to lure users into installing the codec by presenting itself as being necessary to view porn:

    {Porn site downloading video codec}

    Who wouldn’t want free porn? Unfortunately users expecting explicit videos will instead get a slew of Trojans detected as the following:

    These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats.

    Trend Micro Web Threat Protection already prevents access to the malicious URLs. And as always, users are advised to display extra caution when browsing Web sites, and ensure their security software is up to date.

    Our researchers are continuing to investigate this case. We will be posting updates on this compromise as more information becomes available.

    Consolidated findings of the Advanced Threats Research, Escalation, and Threat Respone teams at TrendLabs


    Yahoo! Music Jukebox may dish out malware instead of hits, after the discovery of exploits made for ActiveX vulnerabilities in the media player. The Register identifies Elazar Broad as the researcher discovering the targeted vulnerabilities: two unpatched ActiveX flaws which, when successfully exploited, cause a buffer overflow that may allow an attacker to run malicious code on the affected system. Broad posted a proof-of-concept (POC) code on a public Web site, and a day after, malware authors pounced on the POC, modified the code, and voila – a new exploit making its rounds on the Web.

    It seems that malware authors are having a grand time exploiting various Web applications via ActiveX flaws. Just hours ago, we reported that malicious URLs are exploiting the Chinese gaming platform Lianzong, add to that zero-day ActiveX flaws in Facebook and MySpace. Interestingly, the exploits taking advantage of the flaws in both Yahoo! Music Jukebox and the Chinese gaming application are detected by Trend Micro as EXPL_EXECOD.A, proof that malware authors are modifying codes to specifically target certain applications. It may seem like a stretch but it’s safe to say that this tactic broadens the target “audience” of this exploit.

    As of this writing, Yahoo! has not issued a patch for the ActiveX vulnerabilities. However, proactive detection of the exploit and the malicious URLs by Trend Micro products’ Web Threat Protection technology ensures our customers that they are safe from the unwanted effects of the malware/malicious URL.

    Posted in Vulnerabilities | Comments Off on Yahoo! Jukebox Plays Malware Instead of Hits


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice