    Author Archive - Jake Soriano (Technical Communications)

Cybercriminals are actively taking advantage of another vulnerability, this time in Microsoft Office Excel. This is the third exploit-driven threat in less than two weeks: exploit code for IE7 and PDF bugs was discovered last week and earlier this week, respectively.

Microsoft has acknowledged the Excel vulnerability in a security advisory and says that it is investigating. Until a patch is available, the practical defense is not to open Excel files from unexpected or unsolicited sources.

A malicious binary detected by Trend Micro as TROJ_MDROPPER.XR has been found exploiting this Excel bug in the wild. The Trojan arrives as a specially crafted Excel file, through spammed messages or from remote malicious websites, and its routines are triggered when an unsuspecting user opens the file.

TROJ_MDROPPER.XR drops and executes BKDR_AGENT.FAX, which registers itself to run at every system startup. The backdoor connects to websites to send and receive information. It also opens a random port and lets a remote operator, acting with roughly the same rights as the logged-on local user, execute the following commands:

    • delete files
    • download files from a specified remote site
    • execute a specified file/program
    • kill process
    • list drives
• list files on the system
    • open command shell
    • sleep for a specified amount of time
    • upload files to a specified remote site

The Trend Micro Smart Protection Network already prevents TROJ_MDROPPER.XR and BKDR_AGENT.FAX from running on systems and provides solutions for removing them. The malicious websites involved are also already blocked.


3:30 am (UTC-7)

The emergence of Twitter as a major microblogging tool with the feel of a social networking site also makes it a worthwhile cybercriminal target. Recent pranks, annoying at worst and not in themselves harmful to accounts or systems, continue the series of attacks on the site. We have blogged about Twitter threats before.

In this recent prank, Twitter entries show up containing links preceded by the warning "Don't Click", which tricks curious users into clicking the link anyway; curiosity is the weakest link in online security.

Clicking the link posts an exact copy of the entry, this time from the clicker's own account, which is how the prank spreads. Twitter engineers promptly fixed the first prank, but a second, similar attack followed shortly after with slight variations to bypass the fix. As of this writing, Twitter has fixed the problem.

This type of threat is called clickjacking: the attacker loads the target page in an invisible frame on top of a decoy, so that a click the user believes goes to the decoy actually lands on a control in the target page, here evidently Twitter's own update form. We previously blogged about the implications of this relatively new technique. The Twitter pranks show that clickjacking is no longer just a theoretical threat. It is real, and while in this case it was used in what could be a harmless experiment, it is only a matter of time before it is used with more malicious intent.

Configuring Web browsers to disable scripts is a recommended precaution, with a caveat: the overlay itself needs only HTML and CSS, so blocking scripts on its own does not stop every clickjacking page. Firefox users can install the NoScript extension, whose ClearClick feature is designed specifically to defend against clickjacking attacks. On the site side, the defense is to refuse to be framed, which is what the X-Frame-Options response header, introduced with Internet Explorer 8, lets a site declare.
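To make the technique and its site-side counter concrete, here is an added example (not code from the original post or from Twitter): first the shape of a clickjacking page, with the target loaded invisibly above a decoy "Don't Click" button, and then the decision logic a current browser applies to the two headers that answer it, X-Frame-Options and Content-Security-Policy frame-ancestors. The origins and the target URL are constructed placeholders.

```javascript
// Added example, not from the original post. Part 1: the attacker page. Part 2:
// how a browser decides whether a response may be framed, given its headers.
// Origins and the target URL below are constructed placeholders.

const TARGET = "https://target.example/post?status=Don%27t+Click";  // assumed target URL
const DEFAULT_PORT = { http: "80", https: "443" };

// The decoy button sits underneath a transparent iframe of the target, so the click
// the user aims at the decoy lands on the target's own control. No script is needed
// on the target page for this to work; only the attacker's HTML and CSS are involved.
const CLICKJACK_PAGE = `<!doctype html>
<style>
  #decoy  { position:absolute; top:100px; left:100px; z-index:1; }
  #target { position:absolute; top:80px;  left:60px;  z-index:2;
            opacity:0; width:300px; height:120px; border:0; }
</style>
<button id="decoy">Don't Click</button>
<iframe id="target" src="${TARGET}"></iframe>`;

function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:/]+)(?::(\d+))?$/i.exec(origin);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  return { scheme, host: m[2].toLowerCase(), port: m[3] || DEFAULT_PORT[scheme] || "" };
}

// Does one frame-ancestors source expression match the framing page's origin?
function matchesSource(source, origin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return origin === selfOrigin;
  if (source === "*") return true;
  const o = parseOrigin(origin);
  if (!o) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return o.scheme === source.slice(0, -1).toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const scheme = (m[1] || parseOrigin(selfOrigin).scheme).toLowerCase();  // scheme-less host inherits the page's scheme
  const host = m[2].toLowerCase();
  const port = m[3] === "*" ? "*" : (m[3] || DEFAULT_PORT[scheme] || "");
  if (scheme !== o.scheme) return false;
  if (port !== "*" && port !== o.port) return false;
  return host.startsWith("*.") ? o.host.endsWith(host.slice(1)) : host === o.host;   // *.x matches a.x, not x
}

// Decide whether a response with these headers may be framed by `framedBy`, following
// the rules modern browsers apply: frame-ancestors, when present, overrides
// X-Frame-Options; conflicting X-Frame-Options values deny; ALLOW-FROM and unknown
// values are ignored (the page stays frameable); no header at all, the 2009 default,
// means anyone may frame it. Only the top-level framer is checked here.
function framingDecision(headers, framedBy, selfOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map(s => s.trim()).find(s => /^frame-ancestors(\s|$)/i.test(s));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);          // an empty list behaves like 'none'
    const allowed = sources.some(s => matchesSource(s, framedBy, selfOrigin));
    return { allowed, reason: `CSP ${directive}` };
  }
  const xfo = h["x-frame-options"];
  if (xfo !== undefined) {
    const values = [...new Set(xfo.split(",").map(v => v.trim().toUpperCase()).filter(Boolean))];
    if (values.length > 1) return { allowed: false, reason: "conflicting X-Frame-Options values" };
    if (values[0] === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
    if (values[0] === "SAMEORIGIN") {
      return { allowed: framedBy === selfOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
    }
    return { allowed: true, reason: `X-Frame-Options value ignored by browsers: ${xfo}` };
  }
  return { allowed: true, reason: "no framing restriction sent" };
}

console.log(framingDecision({}, "https://evil.example", "https://target.example"));
console.log(framingDecision({ "X-Frame-Options": "DENY" }, "https://evil.example", "https://target.example"));
```

Two points worth noting from the decision logic: a site that sends no header, which was every site in early 2009, is frameable by anyone, and the `ALLOW-FROM` form is ignored by today's browsers, so a site that relies on it is effectively unprotected. Script-based frame busting (`if (top !== self) top.location = self.location`) was the contemporary mitigation; it can be defeated by the framing page, which is why the header approach replaced it.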

The Register has also reported on this Twitter incident.

Posted in Bad Sites | Clickjackers Tweet

Cybercriminals are actively exploiting a critical vulnerability in Internet Explorer 7 that arises from the browser's improper handling of errors when it attempts to access deleted objects. It allows a remote attacker to execute arbitrary code on a vulnerable machine, with the rights of the user running the browser.

The threat starts with a spammed malicious .DOC file detected as XML_DLOADR.A. The file has a very limited distribution, suggesting a targeted attack. It contains an ActiveX object that automatically accesses a site rigged with a malicious HTML page, detected by the Trend Micro Smart Protection Network as HTML_DLOADER.AS.

HTML_DLOADER.AS exploits the CVE-2009-0075 vulnerability, which is already addressed by the MS09-002 security patch released last week. On an unpatched system, though, successful exploitation by HTML_DLOADER.AS downloads a backdoor detected as BKDR_AGENT.XZMS.

This backdoor further installs a .DLL file with information-stealing capabilities, which sends the stolen information to another URL over port 443, presumably so that the traffic blends in with ordinary HTTPS connections.

Figure 1. Threat infection chain.

Although the install base of the IE family is slowly being eaten into by stiff competition from Firefox and Chrome, IE7 is used by about one in every four Web users, a much larger share than previous versions of IE. This could explain why cybercriminals seem so eager to find more bugs in it. Zero-day exploits, also in IE7, were big news last December.

Our engineers are still working on the details of this threat, and we will post updates as more information becomes available. The Smart Protection Network already prevents HTML_DLOADER.AS, XML_DLOADR.A, and BKDR_AGENT.XZMS from running on systems, and blocks the malicious URLs. Users, meanwhile, are advised to PATCH NOW!

    Update as of 17 February 2009, 6PM PST

Analysis by Trend Micro researchers reveals that BKDR_AGENT.XZMS takes screenshots of the infected system and sends them to a remote malicious location. It also creates a hidden Internet Explorer window that connects to a website to listen for commands.

    Update as of 1 March 2009, 7PM PST

Advanced Threats Researcher Jamz Yaneza points to details that may link this attack to last year's wave of exploits themed around the Beijing Olympics and the related unrest in Tibet. Those exploits also used specially crafted Microsoft Office documents. BKDR_AGENT.XZMS contains a string referring to the 50th anniversary of the Tibetan uprising, and it waits for commands from a website in China that, interestingly, has previously been linked to port scanning and SQL attacks.


Phishers are now using TinyURL, the popular Web service for shrinking long URLs, to hide the destination of their links from users. Trend Micro Advanced Threats Researcher Joey Costoya discovered a malicious shortened link hidden in this spammed message:

    Figure 1. Sample spam.

The link may look legitimate, but it masks a TinyURL that leads to the following malicious page:

    Figure 2. Phishing page.

This is a fake copy of the website of Liberty Reserve, a company whose services include online payments. Whatever unsuspecting users enter into the login boxes is logged and stolen by the cybercriminals.

The advantage of TinyURL for the cybercriminal is that when the link is used in spammed email messages, the exact URL of the destination is concealed from recipients until they land on the page itself. Recipients can then be tricked into clicking what purports to be a shortened link to whichever company the spammer is impersonating. Spam-filter evasion is another key advantage: the shortener's domain carries a good reputation, and the phishing domain never appears in the message body.

A good practice is to use TinyURL's preview feature to see the final destination before proceeding to the page itself. The best advice is to avoid clicking links in unsolicited email altogether.
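The checks a mail gateway or an analyst would apply to such a message, as an added example that is not code from the original post or from Trend Micro: extract the links from the HTML body, note where the displayed text and the real href disagree, expand shortened links by walking the redirect chain without visiting the final page in a browser, and compare the destination with the brand the message claims. The network is stubbed with a constructed redirect table so the code runs offline; the brand's legitimate domain is an assumption and every other domain is a constructed placeholder.

```javascript
// Added example, not from the original post: examine the links in a spammed
// message without visiting them. HEAD requests are stubbed with a constructed
// redirect table so the code runs offline. The brand domain is an assumption and
// all other domains are constructed placeholders, not real sites from the post.

const SHORTENERS = new Set(["tinyurl.com", "preview.tinyurl.com"]);
const MAX_HOPS = 5;
// Assumed legitimate domain for the brand the phish imitates.
const BRANDS = { "liberty reserve": "libertyreserve.com" };

// Constructed stand-in for the network: short URL -> Location header it returns.
const REDIRECT_TABLE = {
  "http://tinyurl.com/abc123": "http://login-libertyreserve.example.net/secure/",
  "http://tinyurl.com/loop1": "http://tinyurl.com/loop2",
  "http://tinyurl.com/loop2": "http://tinyurl.com/loop1",
};
function headStub(url) {
  return url in REDIRECT_TABLE ? { status: 302, location: REDIRECT_TABLE[url] } : { status: 200 };
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Follow redirects hop by hop with a hop limit, so a looping chain cannot hang the scanner.
function expand(url, head = headStub) {
  const chain = [url];
  let current = url;
  for (let i = 0; i < MAX_HOPS; i++) {
    const r = head(current);
    if (r.status < 300 || r.status >= 400 || !r.location) return { chain, terminated: true };
    current = new URL(r.location, current).href;   // Location may be relative
    chain.push(current);
  }
  return { chain, terminated: false };
}

// TinyURL's preview host shows the destination instead of redirecting to it.
function previewForm(url) {
  const u = new URL(url);
  if (u.hostname.toLowerCase() === "tinyurl.com") u.hostname = "preview.tinyurl.com";
  return u.href;
}

// Pull anchors out of an HTML mail body: the visible text and the real href.
function extractLinks(html) {
  const links = [];
  const re = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return links;
}

// Flag a link when it goes through a shortener, when the displayed URL differs from
// the real one, when the chain never terminates, or when the text claims a brand
// whose domain the final destination does not belong to.
function assessLink(link, brands = BRANDS, head = headStub) {
  const reasons = [];
  const linkHost = hostOf(link.href);
  if (linkHost && SHORTENERS.has(linkHost)) reasons.push("shortened link");
  const looksLikeUrl = /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i.test(link.text);
  const shownHost = looksLikeUrl ? hostOf(/^https?:\/\//i.test(link.text) ? link.text : "http://" + link.text) : null;
  if (shownHost && shownHost !== linkHost) reasons.push(`displayed ${shownHost} but links to ${linkHost}`);
  const { chain, terminated } = expand(link.href, head);
  if (!terminated) reasons.push("redirect chain did not terminate");
  const finalUrl = chain[chain.length - 1];
  const finalHost = hostOf(finalUrl);
  const claimed = link.text.toLowerCase().replace(/\s+/g, "");
  for (const [brand, domain] of Object.entries(brands)) {
    const claimsBrand = claimed.includes(brand.replace(/\s+/g, ""));
    const onBrand = finalHost === domain || (finalHost !== null && finalHost.endsWith("." + domain));
    if (claimsBrand && finalHost && !onBrand) reasons.push(`claims ${brand} but lands on ${finalHost}`);
  }
  return { href: link.href, finalUrl, reasons, suspicious: reasons.length > 0 };
}

function scanMail(html, head = headStub) {
  return extractLinks(html).map(l => assessLink(l, BRANDS, head));
}

// Constructed sample of the kind of message described in the post.
const SAMPLE_MAIL = `<p>Dear Liberty Reserve customer, please verify your account:</p>
<a href="http://tinyurl.com/abc123">https://www.libertyreserve.com/login</a>
<p>Questions? See our <a href="https://www.libertyreserve.com/help">help page</a>.</p>`;

console.log(JSON.stringify(scanMail(SAMPLE_MAIL), null, 2));
```

The hop limit matters in practice: a scanner that follows redirects blindly can be tied up by a shortener chain that loops, and a chain that never settles is itself a reason to distrust the link. Expansion with HEAD requests still touches the shortener and the destination, so run it from an analysis host, not from the recipient's machine.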

    Trend Micro Smart Protection Network already blocks the phishing spam and URL.


The Yahoo! open search redirection threat we blogged about just days ago may come from a completely different cybercriminal gang, but this new blackhat SEO poisoning makes clear that online search tools are quickly becoming a favorite platform for criminals' operations.

Search results on Google Video were found to be polluted: instead of legitimate videos, researchers found some 400,000 queries returning video results that all pass through a single redirection point, which eventually leads to the download and execution of malware.

Trend Micro detects the malicious executable as WORM_AQPLAY.A. Its file name, FlashPlayer.v3.181.exe, alone gives away the social engineering strategy: it masquerades as an Adobe Flash installer, which users who visit certain spoofed versions of video streaming websites are prompted to download and install. Once running, the worm spreads via removable and network drives when autorun is enabled.

What is more interesting is how users get to these spoofed websites in the first place. Researchers believe the gang behind this threat maintains a notable number of domains for its operations. These domains carry keyword-stuffed pages, so they appear at the top of search results when users enter certain related strings.

A user who assumes that top search results are reliable is then unknowingly lured onto a malicious website. That much is typical of SEO poisoning attacks, but this threat does not end there. It also comes with a detection-evasion technique: only users who are redirected from Google Video are prompted to download FlashPlayer.v3.181.exe, while anyone who visits the page directly, a researcher or a search crawler included, sees only harmless content. The simplest way to make that distinction is to check the HTTP Referer header, which is presumably what these pages do.
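The cloaking just described, and the check that exposes it, as an added example that is not code from the original post or from the gang's own pages: `serveLure` stands in for a doorway page that shows keyword filler to everyone except visitors arriving from the search engine, and `detectCloaking` fetches the same URL with and without a search Referer and compares the results. The doorway URL, the referrer host checked, and the response bodies are assumptions made for the illustration; only the lure's file name comes from the post.

```javascript
// Added example, not from the original post: referrer-based cloaking of the kind
// described above, and the check that exposes it. The doorway URL, the referrer
// host and the page bodies are assumptions; the lure file name is from the post.

const SEARCH_REFERRERS = ["video.google.com"];   // assumed: where the lure expects visitors to come from
const LURE_FILENAME = "FlashPlayer.v3.181.exe";  // file name reported in the post

function refererHost(req) {
  try { return req.headers.referer ? new URL(req.headers.referer).hostname.toLowerCase() : null; }
  catch { return null; }                          // malformed Referer: treat as absent
}

// Attacker side. Direct visitors and crawlers get keyword-stuffed filler that keeps
// the page ranking; only search referrals get the fake "update Flash Player" page.
function serveLure(req) {
  const ref = refererHost(req);
  const fromSearch = ref !== null && SEARCH_REFERRERS.some(h => ref === h || ref.endsWith("." + h));
  if (fromSearch) {
    return { status: 200,
             body: `<html><body><p>Your Flash Player is out of date.</p>` +
                   `<a href="/download/${LURE_FILENAME}">Install update</a></body></html>` };
  }
  const filler = "watch free video online stream ".repeat(4);
  return { status: 200, body: `<html><body><h1>${filler}</h1></body></html>` };
}

// Researcher side. Fetch the page once with no Referer and once per search-engine
// referrer; content that changes only for search referrals, or that starts offering
// an executable, is the cloaking signature. fetchPage is any function that takes
// {url, headers} and returns {status, body}, so serveLure can be plugged in directly.
function detectCloaking(fetchPage, url, referrers = SEARCH_REFERRERS) {
  const baseline = fetchPage({ url, headers: {} }).body;
  const findings = [];
  for (const host of referrers) {
    const body = fetchPage({ url, headers: { referer: `http://${host}/videosearch?q=free+video` } }).body;
    const offersExe = /href="[^"]*\.exe"/i.test(body);
    if (body !== baseline || offersExe) findings.push({ referrer: host, differs: body !== baseline, offersExe });
  }
  return { cloaked: findings.length > 0, findings };
}

// A page that behaves the same for everyone, for comparison.
function serveHonest() {
  return { status: 200, body: "<html><body><p>Same page for every visitor.</p></body></html>" };
}

console.log(detectCloaking(serveLure, "http://doorway.example/watch"));
console.log(detectCloaking(serveHonest, "http://honest.example/"));
```

The same comparison is worth repeating with different User-Agent strings, since doorway pages commonly cloak on the crawler's identity as well as on the Referer; a page that a crawler and a referred browser see differently is the thing to report, regardless of which header triggers the switch.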

Blackhat SEO threats take advantage of the trust users place in online search tools. Through this method, cybercriminals manipulate results so that malicious websites appear first in search listings. Other threats have used the same technique.

    The Trend Micro Smart Protection Network already prevents WORM_AQPLAY.A from running on systems.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice