Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
    Author Archive - Ivan Macalintal (Threat Research Manager)

    In the past few weeks, my colleagues and I have been exchanging views about the changes we’ve seen in the threat landscape in 2010.

    It therefore came as no surprise that Web threats dominated the threat landscape throughout the entire year. As the general public further integrated Internet usage into their everyday lives, so did cybercriminals with their malicious attacks. The prevalence of Web threats was further amplified by the rampant use of malicious toolkits, which enabled even less technically savvy malicious users to come up with fairly sophisticated schemes. We expect to see more similar threats in 2011 and aim to keep users protected with the help of the Trend Micro™ Smart Protection Network™.

    So, just to bring everyone up to speed, here is a complete list of our “2010 in Review” posts:


    Rightly or wrongly, the most talked-about issue in the security industry in 2010 has been Stuxnet. Some of this attention is rightly due to the attack’s sophistication, but even more is due to breathless speculation about “cyber-warfare,” the alleged links to Israel and Iran, and speculations about the foreign policy effects of Stuxnet. However, all this media attention tended to cloud the issue. Let me explain why.

    There’s no doubt that Stuxnet is a highly sophisticated piece of malware that took significant time, money, and manpower to develop. However, in terms of impact, most users were not significantly affected. True, Stuxnet did spread to a lot of systems around the world. But for almost all of the affected systems, it wasn’t a big problem. It did not steal information, it did not peddle fake antivirus products, nor did it send out spammed messages.

    Neither is it completely accurate to say that Stuxnet heralded a new age of malware threats affecting “real-world” facilities. As early as 2003, the Slammer worm hit a nuclear facility in Ohio and shut down a monitoring system. The DOWNAD/Conficker worm hit multiple high-profile institutions such as hospitals (even infecting MRI machines), law enforcement agencies, and various military organizations.

    What can be said about Stuxnet is that it marks the first time someone decided that it was worth deliberately targeting a specific vendor’s SCADA platform. The technology to do so was already available but the motivation to do so was not.

    These types of malware attacks are few and far between in today’s threat landscape. Currently, information theft is still the biggest problem around. Data-stealing malware accounts for the majority of the malware Trend Micro finds daily. For every Stuxnet infection we see today, we find thousands of incidents involving credential-theft malware such as ZeuS and SpyEye.

    Two separate lessons can be drawn from Stuxnet. For industrial control systems similar to those targeted by Stuxnet, it should serve as a huge wake-up call. Stuxnet hit “soft” targets that were not secured well. These systems were not properly secured because they sat in the “interior” of their networks, and it may have been assumed that perimeter security would be sufficient. Ultimately, a network is only as secure as its weakest link. Therefore, computers and networks that are part of these industrial control systems will have to be hardened at all levels. Third-party applications that are frequently targeted by exploits, such as Adobe Flash Player and Reader, should always be kept up-to-date, or removed from these systems altogether where possible. Even attacks via removable devices such as USB drives have to be considered and defended against. This is not likely to be quick, easy, or inexpensive.

    However, for users who are not in charge of critical systems, the danger from Stuxnet has to be placed in the proper context. Credential theft malware poses a far greater threat. In addition, it should be remembered that threats targeting critical systems are likely to be just that—targeted. The typical user is more likely to see more generic threats like credential theft and fake antivirus malware.

    The bottom line is that while Stuxnet has enjoyed a great deal of media attention, it’s more significant as a warning to system administrators to secure critical systems—even the ones they think wouldn’t be exposed to malware—than as an actual threat. It’s a problem that has to be placed in the context of the greater malware threat, which sees tens of thousands of new threats every day, the vast majority of which end up stealing user information.


    Yesterday, we blogged about WORM_MEYLME.B that sent various spammed messages containing bogus PDF documents and/or CVs. In just a few hours, the worm infected many users worldwide, proving the effectiveness of its social engineering tactic.

    Upon closer investigation, the spam campaign, which we believe started around July 17 or even earlier, initially targeted human resource or administration email addresses at various companies and in the military. The spam bore the subject, “MY CV,” and the message, “Hello, This is my CV. I hope I can Find a Job.” It also had a link pointing to the malware. From July 29 to August 3, it specifically targeted members of the African Union using the subject, “to af.union,” and the message, “I have worked in Human Rights Community and would like to work with you. This is my CV including my personal picture.” The URL in the email then redirects users to the malicious URL http://{BlOCKED}

    As of this writing, Trend Micro has contacted the African Union but we haven’t received any response yet. Another thing to note is that a copy of the spammed message has also been sent to a certain email address. We are still looking into this. Fortunately, the email address with the name “Alicia,” which was used to send the spammed messages, has already been suspended.


    There are also some other things regarding this malware campaign that piqued our interest. As indicated above, this attack may have been initially targeted and is not really the resurgence of mass mailers, as some may be prone to believe. The intended attack may have gone haywire and infected others apart from the originally intended victims because of its propagation routines (i.e., removable drives, network shares, email). Furthermore, unlike the typical mass mailers of bygone years, this worm shows more ominous criminal payloads in that it installs a backdoor detected as BKDR_BIFROSE.SMU and steals passwords used for browsers, instant-messaging apps, wireless keys, and remote desktop access, among others. Another thing is that WORM_MEYLME.B is similar to TROJ_ILOMO since it also propagates across the domain using re.exe (which is actually psexec.exe). Moreover, aside from harvesting Yahoo! Messenger contacts, which it uses for further propagation, this malware also left infected systems exposed by sharing folders without the users’ consent.


    Trend Micro is able to break the infection chain early since it detects the spammed messages and all related malware and malicious URLs via the Smart Protection Network™. Trend Micro customers are also advised to upgrade to Titanium, as the list of service names that the malware targets does not include the service names Titanium uses! Finally, above everything else, users are strongly advised to change the passwords they use for the applications mentioned above and to always be cautious when opening unsolicited email messages, attachments, and links.

    Additional analysis provided by threats analyst Edgardo Diaz, Jr.

    Posted in Malware, Spam | Comments Off on From Alicia to Africa to Anywhere Else: Possible Origin of the ‘Here you have’ Spam Campaign

    Days after Conficker’s April 1 activation date, nothing interesting had been seen in our Downad/Conficker monitoring system except the continuous checking of dates and times via Internet sites, checking for updates via HTTP, and increasing P2P communications from the Conficker peer nodes.

    Well, that was until last night, when we saw a new file (119,296 bytes) in the Windows Temp folder. The file properties reveal that it was created exactly on April 7, 2009 at 07:41:21.

    The traffic captures also show that no HTTP download occurred around that time frame (April 7, 2009, from 07:40:00 to 07:42:00). However, we noticed a huge encrypted TCP response (134,880 bytes) from a known Conficker P2P IP node (verified by other independent sources), which was hosted somewhere in Korea.

    The size of the encrypted TCP blob pretty much matches the size of the binary that got created in the aforementioned folder. There are some additional bytes, which could be the headers and keys that Conficker/Downadup has been known to use.
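    The correlation described above (a new file appears, no HTTP download in the surrounding window, and a large encrypted TCP response from a P2P node whose size slightly exceeds the file) can be scripted over host and network telemetry. The following is an added example, not code from the original post: the file path, peer addresses and flow records are constructed, with the file size, response size and timestamps taken from the figures given above.

```python
from datetime import datetime, timedelta

# Constructed sample input (not the post's actual capture): one file-creation event from
# the monitored host and three flow records from the packet capture. The dropped-file size,
# the P2P response size and the creation time follow the figures given in the post.
FILE_EVENTS = [
    {"path": "C:\\Windows\\Temp\\<random name>", "size": 119296,
     "created": datetime(2009, 4, 7, 7, 41, 21)},
]
FLOWS = [
    {"start": datetime(2009, 4, 7, 7, 38, 2),  "proto": "http", "peer": "198.51.100.7:80",    "rx": 812},
    {"start": datetime(2009, 4, 7, 7, 41, 9),  "proto": "tcp",  "peer": "203.0.113.45:62000", "rx": 134880},
    {"start": datetime(2009, 4, 7, 7, 41, 50), "proto": "tcp",  "peer": "192.0.2.19:51234",   "rx": 2100},
]

def http_downloads_in_window(flows, created, before=timedelta(seconds=90)):
    """HTTP flows that began shortly before the file appeared. An empty result means the
    binary did not arrive over HTTP, which is the first thing the analysts ruled out."""
    return [f for f in flows if f["proto"] == "http" and created - before <= f["start"] <= created]

def find_update_candidates(file_events, flows, before=timedelta(seconds=90), slack=16384):
    """Pair each newly created file with non-HTTP flows that began within `before` of its
    creation and carried at least the file's size, allowing up to `slack` extra bytes for
    the headers and keys wrapped around the payload."""
    matches = []
    for ev in file_events:
        for f in flows:
            if f["proto"] == "http":
                continue
            if not (ev["created"] - before <= f["start"] <= ev["created"]):
                continue
            extra = f["rx"] - ev["size"]
            if 0 <= extra <= slack:
                matches.append({"file": ev["path"], "peer": f["peer"],
                                "file_bytes": ev["size"], "flow_bytes": f["rx"],
                                "wrapper_bytes": extra})
    return matches

if __name__ == "__main__":
    created = FILE_EVENTS[0]["created"]
    print("HTTP downloads before creation:", http_downloads_in_window(FLOWS, created))
    for m in find_update_candidates(FILE_EVENTS, FLOWS):
        print(f"{m['file']} ({m['file_bytes']} B) <- {m['peer']} "
              f"({m['flow_bytes']} B, {m['wrapper_bytes']} B of wrapper)")
```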

    Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well, at least from our perspective) found are:

    1. (Un)trigger date: on May 3, 2009, it will stop running
    2. Runs using a random file name and random service name
    3. Deletes this dropped component afterwards
    4. Propagates via MS08-067 to external IPs if an Internet connection is available; if not, uses local IPs
    5. Opens port 5114 and serves as an HTTP server, announcing itself by broadcasting an SSDP request
    6. Connects to the following sites:

    It also leaves no trace of itself on the host machine: it runs, then deletes all traces, leaving no files, no registry entries, etc.

    Another interesting thing we also noticed was that the Downad/Conficker box was trying to access a known Waledac domain (goodnewsdigital(dot)com) and download yet another encrypted file. This coincidentally happened just after the creation of the new Downad/Conficker binary described below (07:41:23):


    The domain currently resolves to an IP address that is hosting a known Waledac ploy in HTML to download print.exe, which has been verified to be a new Waledac binary.

    Two things can be concluded from the events that transpired:

    1. As expected, the Downad/Conficker botnet’s P2P communications may have just been used to serve an update, rather than HTTP. The Conficker/Downad P2P communications are now running in full swing!
    2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…

    Research and collaboration are currently ongoing in our own labs as well as within the Conficker Working Group, and we will update this blog post with new findings.

    Thanks to Joseph Cepe and Paul Ferguson for working on additional information for this entry.

    UPDATE: 10:50 PDT, 9 April 2009:

    Having followed the activities of Eastern European online cyber crime for several years, there is one thing we are certain about — these criminals are motivated by one thing: money.

    How was Downad/Conficker helping them meet their goals? It wasn’t. A very large botnet of compromised computers doesn’t make money if it just “sits there” doing nothing.

    So now we saw — as described above — that the Downad/Conficker botnet has awakened, and perhaps their desire to monetize their efforts is becoming clearer.

    In the latest activity, we see infected Downad.KK/Conficker.C nodes pulling down new Waledac binaries (perhaps for spamming, as Waledac has been known to do) from a fast-flux domain infrastructure, but now it is also installing Fake/Rogue AntiVirus (AV) malware, too. See screenshot below:

    FAKEAV screenshot

    As we have seen, the ongoing Rogue AV efforts by this criminal organization have been widespread, pernicious, unabated, and obviously profitable.

    Stay tuned — this situation is still unravelling.

    – Paul Ferguson, Threat Research

    For a view of past WALEDAC activity, see the following posts:

     • DOWNAD/Conficker Watch: New Variant in The Mix?
     • Waledac Spamming Image Hosting and Italian Job Offers
     • WALEDAC Spamming Madness
     • Waledac Localizes Social Engineering
     • WALEDAC Spreads More Malware Love
     • What is Old is New Again: Malicious New Year e-Card Spam
     • Fake Obama News Sites Abound
     • WALEDAC Loves (to Spam) You!
     • Just Got Unlucky: Part 3

    FAKEAV variants have also been making the rounds since early this year, as can be seen in the following posts:

     • What Will Go DOWNAD on April 1?
     • Crack Sites Distribute VIRUX and FakeAV
     • Gmail Downtime Exposes Ad-Rigged Site
     • Cybercrooks Handing Out Malware
     • Bogus LinkedIn Profiles Harbor Malicious Content


    Their current propagation statistics were next to non-existent, said Sunbelt, which added that being fewer in number doesn’t exactly equate to “safe”.

    The MBR (Master Boot Record) rootkit threat — perhaps a perfect product of recycling — had been making waves on the Internet for days, seemingly entering the modern security scene as a new Web threat. TrendLabs researchers have analyzed it and came up with the following technical findings.

    This rootkit arrives when certain URLs/Web sites are accessed:

    http://%bad domain%/ld/mat{any number from 2-20}/index.php?b=3

    where %bad domain% can be one of the following:


    After successful infiltration using the now-familiar Web-threat exploits, malicious code is downloaded and executed, and the rootkit is installed via the MBR.

    The Trojan, detected by Trend Micro as TROJ_SINOWAL.AD, then creates a mutex to ensure that only one instance of itself is running on the affected system.

    It then looks for the bootable partition of the affected system. Once found, this Trojan creates a new malicious MBR that loads the rootkit component of this Trojan.

    Writing to the MBR may look like the following:

    (Screenshot: writing to the MBR)

    Modified sectors 61, 62 and 63 of the physical disk are shown below:

    (Screenshot: modified sectors 61, 62 and 63)

    The modified MBR may look like the following:

    (Screenshot: the modified MBR)

    The rootkit component, which is detected as RTKT_AGENT.CAV, is then saved in an arbitrary sector within the bootable partition. After performing its malicious routines, this Trojan restarts the affected system.
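    As an added example (not code from the original post or from Trend Micro's tooling), the following script shows the integrity check a defender can run against the behaviour described above: snapshot the MBR and sectors 61, 62 and 63 while the disk is known clean, then compare the same sectors later. The 64-sector disk image, its partition entry and the “infected” bytes are constructed for the demonstration, and the assumption that the malicious MBR replaces the bootstrap code while keeping the partition table is the example’s, not the post’s.

```python
import hashlib
import struct

SECTOR = 512
WATCHED = (0, 61, 62, 63)   # the MBR plus the sectors the post reports as modified

def parse_mbr(sector0):
    """Split a 512-byte MBR into bootstrap code, partition table and parsed entries."""
    if len(sector0) != SECTOR or sector0[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or missing 55AA signature")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)   # CHS fields skipped
        if ptype:
            partitions.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_code": sector0[:446], "ptable": sector0[446:510], "partitions": partitions}

def snapshot(image):
    """Baseline to record while the system is known clean: per-sector hashes plus the partition table."""
    hashes = {n: hashlib.sha256(image[n * SECTOR:(n + 1) * SECTOR]).hexdigest() for n in WATCHED}
    return {"hashes": hashes, "ptable": parse_mbr(image[:SECTOR])["ptable"]}

def check_boot_area(image, baseline):
    """Report which watched sectors changed since the baseline and whether the partition
    table survived (boot code swapped but table kept is the pattern assumed here)."""
    now = snapshot(image)
    changed = sorted(n for n in WATCHED if now["hashes"][n] != baseline["hashes"][n])
    return {"changed_sectors": changed,
            "ptable_intact": now["ptable"] == baseline["ptable"],
            "bootcode_replaced": 0 in changed and now["ptable"] == baseline["ptable"]}

def build_images():
    """Constructed 64-sector disk: a clean image and a copy with the MBR boot code replaced
    and sectors 61-63 overwritten. Contents are illustrative, not real rootkit bytes."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)   # bootable partition at LBA 63
    mbr = (b"\x33\xc0\x8e\xd0" + b"\x90" * 442) + entry + bytes(48) + b"\x55\xaa"
    clean = bytearray(mbr + bytes(SECTOR * 63))
    infected = bytearray(clean)
    infected[:446] = b"\xeb\x0c" + b"\x00" * 444                   # new loader, same partition table
    for n in (61, 62, 63):
        infected[n * SECTOR:(n + 1) * SECTOR] = bytes([n & 0xff]) * SECTOR
    return bytes(clean), bytes(infected)

if __name__ == "__main__":
    clean, infected = build_images()
    base = snapshot(clean)
    print("clean:   ", check_boot_area(clean, base))
    print("infected:", check_boot_area(infected, base))
```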

    Trend Micro advises users to scan systems using the latest pattern file versions to remove the Trojan. The content security feature of our products can block all related domains, as well.

    More information at:

    Update courtesy of Senior Escalation Engineers Joseph Cepe and Marvin Cruz



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice