Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Erika Mendoza (Threat Response Engineer)

    A new exploit has been found in the Japanese word processor Ichitaro. JP-RTL engineers have received a sample Ichitaro document, which is capable of exploiting the previously unknown vulnerability. It is released by Japanese Vulnerability Notes as JVNDB-2010-000024. If exploited, arbitrary code could be run on users’ systems.

    The file that exploits this new vulnerability has been detected as TROJ_TARODROP.XZ. This malicious Ichitaro document actually contains two files, which are both dropped and opened on the affected system—a malicious executable file detected as TROJ_TARO.XZ and a nonmalicious document.

    TROJ_TARO.XZ primarily serves as a means for malicious users to download malicious files onto the affected system. At this time, the downloaded file does not execute on user systems. However, this file could easily be replaced by a working malicious file at a later date.

    JustSystems, Ichitaro’s publisher, has released a patch to remedy this flaw. (An English-language version of the patch page can be found here.) Until users can patch their systems, Trend Micro advises them to be cautious in opening Ichitaro documents, especially those that come from unknown or untrustworthy sources. More TROJ_TARODROP variants are expected to be seen in the coming days, as cybercriminals rush to exploit this flaw.

    Trend Micro product users, however, need not fret as Smart Protection Network™ already protects them from this threat by detecting TROJ_TARODROP.XZ and TROJ_TARO.XZ as well as by preventing the files’ execution on their systems.


    TrendLabs threat analysts found another FAKEAV campaign piggybacking on the Leonid meteor shower and the much-anticipated sequel to the Twilight saga, New Moon. Users searching for news and updates using the keywords “meteor shower tonight november 16 time” and New Moon premiere live stream” end up with poisoned search results. These results redirect users to fake online scanners, which ultimately lead to the download of a FAKEAV variant detected by Trend Micro as TROJ_FAKEAV.MET.

    Click for larger view Click for larger view

    Upon execution, TROJ_FAKEAV.MET drops malicious files and displays fake warning messages. These messages urge users to avail of a bogus antivirus product, Security Tool.

    Click for larger view Click for larger view

    FAKEAV is notorious for capitalizing on hot news and popular searches via SEO poisoning. Hence, users are advised to be wary of suspicious-looking URLs when conducting online searches. Trend Micro protects users from this attack via the Smart Protection Network™ that blocks and detects all related malicious files and URLs.


    Apart from SEO poisoning, cybercriminals have found another avenue to proliferate FAKEAV malware—bogus sponsored links (sitio patrocinados in Spanish). Just recently, Trend Micro researchers were alerted to malicious search engine ads that appeared in Microsoft’s Bing and AltaVista, among others, when a user searches the string “malwarebytes.” (Malwarebytes is a free antivirus product, but of course, not a FakeAV.) Clicking the malicious URL points the user to an executable file named MalwareRemovalBot.exe-1 (detected by Trend Micro as TROJ_FAKEAV.DMZ).

    Click for larger view

    Figure 1. Malicious banner ad on Bing

    Click for larger view

    Figure 2. Malicious banner ad on AltaVista

    Upon execution, the rogue antivirus displays false information that the system is infected with files that do not even exist.

    Click for larger view

    Figure 3. Fake scan results

    In the past, cybercriminals employed the same tactic when it hitchhiked on Trend Micro. Some Google searches then showed banner ads that led to a fraudulent Trend Micro website.

    Though the ads may not appear in all regions, all users are still strongly advised to be extra careful when clicking links in search engines. Users connected to the Trend Micro Smart Protection Network are protected from this attack as it detects and blocks all malicious URLs.


    This weekend, we at TrendLabs came across a FAKEAV variant similar to the one peddled in the solar eclipse 2009 in America attack in this recent blog post. This one, however, introduces another new scare tactic (so far the latest new ploy we’ve seen is the ransomware/FAKEAV that encrypts files in the infected computer and offers a bogus fixtool for a price).

    This FAKEAV variant terminates any executed file with an .EXE file extension and displays a pop-up message saying that the .EXE file is infected and cannot execute.

    Click for larger view Click for larger view

    This way, users are left with no choice but to activate the antivirus product since no other application works. This Trojan is detected by Trend Micro as TROJ_FAKEAV.B. It avoids terminating critical processes to prevent system crashes.

    Unfortunately, cybercriminals work hard in creating so many gimmicks, that we can only guess what comes next in FAKEAV. Fortunately though, the Trend Micro Smart Protection Network provides users protection from such threats.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice