    Author Archive - Jake Soriano (Technical Communications)

The massive number of WORM_DOWNAD.AD infections would make it one of the more memorable outbreak worms, and clearly a destructive one, in an age when malware is mostly geared for profit. Poor patch management, weak passwords, and the propagation routines of the worm itself are the main factors in its continuing upsurge.

    Figure 1. WORM_DOWNAD.AD infections are a global concern.

The North American region has the largest number of infected PCs, with users from the United States being hit the most. Japan, China, and Taiwan are also major DOWNAD-affected countries. In Europe, Italy and Spain have the most infections.

    Users observe the following symptoms when they are infected with WORM_DOWNAD.AD:

    • Blocked access to antivirus-related sites
    • Disabled services such as Windows Automatic Update Service
    • High traffic on affected system’s port 445
    • Hidden files even after changes in Folder Options
    • Inability to log in using Windows credentials because they are locked out

A .DLL file with a random file name and an autorun.inf also appear on all mapped drives, and in the Internet Explorer and Movie Maker folders under the Program Files directory.

The worm locks its dropped copy to prevent users from reading, writing, or deleting the malicious file.
It also makes several registry changes to allow more simultaneous network connections. By re-infecting machines, this worm manages to keep its malicious activities going. One of the prominent reasons for its success in global diffusion (details were described in our previous blog entry, Security Policy for Dummies) is its multiple propagation routines: it spreads by exploiting a Microsoft OS vulnerability, via network shares, or via removable and network drives.

    Figure 2. WORM_DOWNAD.AD infection diagram.

An earlier DOWNAD worm variant also wreaked havoc among online users. Exploiting the same operating system vulnerability, WORM_DOWNAD.A infected more than 500,000 unique hosts around the globe. This infection threat closely followed the shutdown of spam giant McColo, with evidence that cybercriminals are using the worm to develop a new botnet.

    Both variants of this worm family also exhibit the following routines:

• Connecting to certain legitimate sites to retrieve the current date
• Generating URLs once certain date criteria are met, which the worms compute from certain strings obtained from the said legitimate sites
• Appending .biz, .info, .org, .net, or .com to the generated URLs

Patching systems and programs as soon as fixes are made available and disabling autorun are two of the most important actions required to reduce the risk of infection, propagation, or reinfection by updated variants.
Cleanup instructions and technical details can be found in Trend Micro’s Virus Encyclopedia.


Earlier this week, we blogged about the range of Web threats that would take advantage of Barack Obama’s inauguration on the 20th. We mentioned fake news as a possible social engineering ploy, and cybercriminals did not disappoint. They were a little early, in fact: Trend Micro Advanced Threats Researcher Paul Ferguson discovered bogus websites with headlines like “Barack Obama has refused to be a president” and links that lead to malicious executables.

    Figure 1. This fake news website leads to malware.

    Trend Micro detects some of the binaries (with file names like barack.exe and baracknews.exe for maximum effect) as WORM_WALEDAC variants – the same malware family that featured prominently in a spamming and malware operation just after New Year’s and which researchers believe is associated with bot giant Storm. WORM_WALEDAC variants are also notorious for their information-stealing routines.


This malware is mostly hosted on domains that contain Obama-related keywords. We found crafted websites where all links lead to malware.

Users are advised to trust only known, legitimate news websites for information.

    Our engineers are still analyzing this threat further. We will post updates as soon as more information becomes available.

    Update as of 18 January 2009, 8:00 PM PST

    The following spammed email messages contain links that lead to fake Obama websites and ultimately to the download of WORM_WALEDAC.KAX:

    Figures 2 & 3. These email messages also contain fabricated news reports.

WORM_WALEDAC.KAX steals email addresses by searching for them in files found on fixed, network, and RAM drives. It saves and encrypts a file containing the stolen information, and sends this file to several IP addresses using HTTP POST. This worm also has backdoor capabilities: it opens random ports on an affected system to listen for commands from a remote user.

    Update as of 20 January 2009, 9:00 PM PST

More malicious URLs purporting to be related to Barack Obama host another WALEDAC variant, detected by Trend Micro as WORM_WALEDAC.AI. This worm has the same propagation and information-stealing routines as WORM_WALEDAC.KAX. Like the other worm, it also compromises system security by opening random ports, giving malicious users remote access.


Barack Obama’s campaign and eventual election to the United States presidency proved an excellent opportunity for cybercriminals in their malicious operations. News about the president-elect was a popular, and most of the time effective, social engineering technique used to trick unknowing Web users into downloading and installing malicious files on their PCs.

Web threats that feature Obama-related baits may have died down after what has been a historic election; however, users can expect more of them before and after his inauguration on January 20th. At the beginning of the week, TrendLabs researchers predicted that cybercriminals will soon take advantage of this event. Ticket scams were considered the most probable cybercriminal attack.

Tickets for the said Washington occasion are free, but they are to be distributed by both Senators and Representatives of the 111th Congress, as reported on the SignOnSanDiego website. Detailed information on tickets may be found at the official website of The Joint Congressional Committee on Inaugural Ceremonies.

Spammers might send scam emails promising their recipients tickets to the inauguration. Non-existent tickets may be offered in exchange for money. Or they may be given away for free; users would just need to click on links or download and print the tickets, where the supposed ticket turns out to be a malicious binary.

Scams may not be limited to inauguration tickets alone. The huge demand for hotel rooms, accommodations, and even parking spaces could also be used as bait in Web attacks.

    Post-inauguration threats would likely include fake news and fabricated events that again may be used to lead users to malware. Threats could use the same strategies as those we saw in the elections:

We advise Web users not to trust spammed messages and to be careful when clicking unknown links. Several scam warnings are already posted on the Web and may also prove useful to users.

    Trend Micro continues to monitor threats related to Obama’s inauguration.


    Neither. Or both. It depends on whether you think it is authentic or fake.

    Twitter users are facing yet another attack, this time a phishing threat. A spamming operation previously flooded users of the social networking and micro-blogging site with follower notifications which led to spammy and bogus profiles.

Cybercriminals are now exploiting Twitter’s Direct Messages function, telling users that pictures of them were seen on another website, with the link provided in the same message. A variation of this baiting technique informs users that the same website offers a popular mobile phone for free.

    Figure 1. Sample Twitter update feed with an unsolicited update

The link provided in the messages has the domain twitterblog(dot)access, which appears to be somehow related to Twitter itself. Interestingly, clicking on the link redirects users to a bogus Facebook login page, one that looks convincingly like the original.

    Figure 2. Embedded spam link leads to this page (above)

Any login credentials provided are logged and stolen. To hide the theft, the phishers designed the page to give the appearance of processing the submitted information. Once the form is submitted, the page displays an error message and then loads the legitimate Facebook site, as if nothing happened.

    Facebook credentials were also the object of a phishing attack back in September. Other Facebook-related Web threats include:

The Trend Micro Smart Protection Network already blocks the phishing site, protecting users from information theft. Users are strongly cautioned against logging into sites they are redirected to from spammed links. Checking the browser address bar for the proper URL helps verify that the site is the real one, too. URL inconsistencies should immediately be taken as a warning of fraud.

Earlier today, in an unrelated but equally troublesome attack, a hacker seems to have found their way into the Twitter accounts of some thirty-plus personalities (including Fox News, President-Elect Barack Obama, CNN’s Rick Sanchez, and Britney Spears). This security breach forced Twitter to lock down the accounts and investigate the issue. Considering cybercriminals’ propensity to ‘go where the money is,’ micro-blogging has indeed hit the mainstream.


9:32 pm (UTC-7)

    Year-end lists are quite popular at this time of the year — here’s our own top threats in 2008.

    Most Prolific: Mass Compromises
Attacks targeted specific groups of users and popular Web sites. Diverse Web sites — entertainment, political, online shopping, social networking — were all used to spread malware. Compromises were at their height in May, when Web sites from around the world were injected with malicious code to infect unknowing Internet users. This trend, unfortunately, seems to be continuing at a pace that defies the imagination.

    Most Persistent: Botnets
Botnets are resident evils, and they’re always there. Giants like Storm, Kraken, Mega-D/Odzok, MayDay, and ASProx all created ripples throughout 2008, remaining consistently on the radar of botnet researchers. The shutdown of McColo, a major cybercrime hoster, in November only temporarily deterred bot masters, who soon looked for alternative means to proliferate.

    Largest Distribution Campaign: Fake AV
“Rogue AV” software has two functions: it convinces users that they are infected with malware by faking infection symptoms, and it lures users into purchasing a fake antivirus program to clean the fake infection. These threats use a variety of arrival and infection channels, from spam to mass SEO poisoning involving several compromised Web sites.

    Most Untraceable: DNS Changers
Two DNS-changing malware, detected by Trend Micro as TROJ_AGENT.NDT and BKDR_AGENT.CAHZ, poison other hosts on the local subnet by installing a rogue Dynamic Host Configuration Protocol (DHCP) server on the network. They monitor traffic and intercept DHCP request packets from other computers on the network, then reply to the intercepted requests with packets that specify malicious DNS servers, causing the recipients of those packets to be redirected to malicious sites without their consent.
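One way a defender can spot the on-wire effect of such a rogue DHCP server is to parse the option list of every DHCP OFFER/ACK seen on the subnet and alert when the DNS-server option (option 6) names a resolver outside the allow-list or the reply comes from an unexpected server. The following is an added example, not Trend Micro's code; the packets, the allow-list and the server list are constructed, and a real deployment would feed it from a capture or a DHCP-snooping log.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # start of the DHCP options field
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 6, 53, 255
MSG_TYPES = {2: "OFFER", 5: "ACK"}           # the reply types a client acts on

def parse_options(options: bytes) -> dict:
    """Walk the TLV option list that follows the magic cookie."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):            # truncated option header
            break
        length = options[i + 1]
        out[code] = options[i + 2 : i + 2 + length]
        i += 2 + length
    return out

def dns_servers(opts: dict) -> list:
    """Option 6 is a list of 4-byte IPv4 addresses; ignore a trailing partial one."""
    raw = opts.get(OPT_DNS, b"")
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]

def audit_reply(src_ip: str, options: bytes, allowed_dns: set, known_servers: set) -> list:
    """Return findings for one reply; an empty list means it looks legitimate."""
    opts = parse_options(options)
    mt = opts.get(OPT_MSG_TYPE, b"")
    kind = MSG_TYPES.get(mt[0]) if mt else None
    if kind is None:
        return []                             # not an OFFER/ACK; nothing to judge
    findings = []
    if src_ip not in known_servers:
        findings.append(f"{kind} from unknown DHCP server {src_ip}")
    for dns in dns_servers(opts):
        if dns not in allowed_dns:
            findings.append(f"{kind} from {src_ip} hands out DNS server {dns}")
    return findings

def build_options(msg_type: int, *dns: str) -> bytes:
    """Constructed sample packet builder (options field only, no BOOTP header)."""
    dns_bytes = b"".join(IPv4Address(d).packed for d in dns)
    return (MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes + bytes([OPT_END]))

ALLOWED_DNS, KNOWN_SERVERS = {"10.0.0.2"}, {"10.0.0.1"}     # constructed allow-lists
GOOD = audit_reply("10.0.0.1", build_options(5, "10.0.0.2"), ALLOWED_DNS, KNOWN_SERVERS)
ROGUE = audit_reply("10.0.0.77", build_options(2, "198.51.100.9"), ALLOWED_DNS, KNOWN_SERVERS)
```

Running it flags the constructed rogue OFFER twice (unknown server, unexpected resolver) and passes the legitimate ACK, which is the signal to correlate with the affected hosts' resolver settings during cleanup.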

    Most Automated: Exploits
A .DLL worm, WORM_DOWNAD.A, exploits the MS08-067 vulnerability and exhibits routines that led security analysts to postulate that it is a key component in the development of a new botnet. More than 500,000 unique hosts spread across different countries have since been discovered to have fallen victim to this threat.

A zero-day bug in Internet Explorer also featured prominently in at least two massive online threats: an information-stealing campaign and a mass SQL injection attack on some 6,000 websites. Cybercriminals are able to exploit these bugs with minimal user interaction, if any at all.

    Most Technologically Advanced: Rootkits
The MBR (Master Boot Record) rootkit threat made waves early in 2008. Trend Micro detects the rootkit as TROJ_SINOWAL.AD. It looks for the bootable partition of the affected system and writes a new malicious MBR that loads the rootkit component, detected as RTKT_AGENT.CAV, which is saved in an arbitrary sector within the bootable partition.

    Most Destructive: Ransomware
A new version of the GPcode ransomware, which Trend Micro detects as TROJ_RANDSOM.A, surfaced in November. It searches for and encrypts files found on any readable and writable drive on the system, rendering them inaccessible without the encryption key. Victims are informed, through a text file dropped in each folder containing an encrypted file, that a decrypting tool must be purchased to recover the files.

    Most Irritating: AUTORUN Malware
Removable and physical drives are the fourth highest source of infection globally. Of the total infection count in Asia and Australia, 15% is from malware borne by removable drives. Most Asian countries have AUTORUN malware as their top infector, and the top malware infecting PCs in Europe, the Middle East, and Africa (EMEA) also include several AUTORUN malware. They are so successful at propagation that they have also infiltrated NASA and U.S. Department of Defense networks.

    News of pre-shipped malware on USBs also didn’t die down. The most recent product to be reported carrying worms is HP’s Proliant USB Keys.

The Trend Micro Smart Protection Network secures PCs and keeps them safe from all of these threats by filtering malicious spam, blocking dangerous URLs, and detecting malware and providing solutions for its cleanup and removal.

    Image source: UC Davis Magazine



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice