Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Japan Regional TrendLabs

    Another swine flu-related spam run was recently reported, this time targeting Japanese users. Aside from using the swine flu as its social engineering method, which has already been used in earlier spam runs, this spam run also uses a technique where the sender of the message appears to use the domain. This serves not only as a means to evade spam filters, but also to further fool the users that the message is legitimate, thus convincing them to open an attached malicious file.

    Spammed messages with the subject Warning of Swine Flu claiming to be from the National Institute of Infectious Diseases, encourages users to open an attached .ZIP file, to “learn” more about the pandemic (detection available as TROJ_PIDIEF.UA and TROJ_PIDIEF.TY). Our engineers have verified that TROJ_PIDIEF.TY drops and executes BKDR_KUPS.G.

    The real National Institute of Infectious Diseases issued a warning of the fake spam messages on their website to alert users who may get the deceiving message.

    Click for larger view

    Here is a translation of the text contained in the spam message:

    From: National Institute of Infectious Diseases
    Subject: Warning of Swine Flu!
    Attached file name: Information on the swine flu


    The swine flu has been spreading. Infection cases in UK were reported, following the cases in Mexico, US, Canada and Spain. Although the measures against the flu have been conducted globally, possible infection cases are reported from many countries. One such report has been heard from Korea on 28th. The infection has likewise been ongoing for weeks in Mexico. Some experts say that there is a possibility that the flu has already arrived in Japan. We should protect ourselves by learning more on the swine flu.

    National Institute of Infectious Diseases


    Users are strongly advised not to judge the legitimacy of an email simply by its content.


    4:12 am (UTC-7)   |    by

    On March 11, Regional TrendLabs in Japan found a zero-day exploit attack that targeted Just System’s well-known Japanese word-processor, Ichitaro. The malware exploting the vulnerability was noticed to arrive via spam and via malicious websites using the Ichitaro file extension name, .JTD.

    The malware ( TROJ_TARODROP.BA) drops a file {random letters}.tmp ( TROJ_DROPPER.PAO) that in turn drops another file named  beer80.exe ( TROJ_AGENT.KLQW).

    Notable of this scheme is that after TROJ_TARODROP.BA and TROJ_DROPPER.PAO have executed their routines, the last dropped Trojan (TROJ_DROPPER.PAO) creates non-malicious files using them to overwrite itself and the initial TROJ_TARODROP.BA. Thus, when the user checks the files after the infection is completed, all the user will see are legitimate Ichitaro files (this is considered to be a stealth technique applied by the malware).

    Unknown to the user at that point is that the final payload TROJ_AGENT.KLQW is already and still in the system. This Trojan (TROJ_AGENT.KLQW) gathers the following information from the affected system then sends the data to a remote site:

    • Computer Name
    • IP Address
    • Process ID of (injected) legitimate process, svchost.exe
    • OS version
    • Locale Information

    Figure 1. the sleight of hand is performed by the second malware in line, TROJ_DROPPER.PAO.

    According to Trend Micro researchers, the initial attack on Ichitaro happened in August 2006. Since then, every time a new Ichitaro vulnerability is found, cybercriminals are expected to attempt to exploit it–and they do so with increasing social engineering savvy. Past attacks followed the same straightforward drill: the first malware exploits the vulnerability and the second one conducts the main routines such as autostart and dropping files, etc. It is only recently (in 2008) we have begun to see the additional overwriting trick meant to fool users.

    Previous Ichitaro-related attacks include the following:

    New Ichitaro zero-day exploit discovered
    Ichitaro Exploited Anew
    A Closer Look at Ichitaro

    Information on this vulnerability, as well as the patch provided by Just System, can be found on their website.

    Read the Japanese writeup of this attack from the Japanese Malware Blog.

    Posted in Exploits | 1 TrackBack »

    10:24 am (UTC-7)   |    by

    Of late, there’s no lack of news about information theft and data breaches, not only in Japan but also the rest of the world. But as these incidents get more common, so are these getting more blatant in the way that these are being carried out. Whereas we used to hear of stolen information being peddled at underground forums and bulletin boards, IRC, and so on, malware authors now seem to pay no mind to keeping things under the radar.

    Blowing the lid off such transactions, they conduct illicit deals in the open through well-known sites—a tendency we would like to call the popularization of cyber crimes.

    Back in February, we had an entry in the Japanese version of this blog about a similar case, in which a popular Korean net auction firm called Auction, Inc. ( confirmed that the information of 10.81 million individuals had indeed been compromised. This is a large-scale theft that, to say the least, got its users worried; some groups even contemplated filing lawsuits.

    Then there is the Chinese Internet portal O2SKY, in whose free market page were posted at least two entries seemingly related to the aforementioned Korean incident: the first on March 29, the second on April 11. These say: “Naver, I can sell the IDs of Auction, Inc.” Naver is one of Korea’s famous portals. The entries include the email addresses and telephone numbers of the vendors.

    Here’s a screenshot of that entry:


    O2SKY is owned by Yan Fan, Inc., which is located in Jilin Province, China. While it is a Chinese company, we can assume that the said entry was posted for Korean users, due to the geographical advantage of nearby Korea.

    Taking a closer look into other related entries, we also found some that are encouraging readers to try out techniques to perform site breaches, hackings, compromises. These are a kind of advertisement dangling high salaries for those equipped with such skills. These are open invitations meant to lure the malicious-minded, making no secrets of its intentions.

    Here’s a screenshot of the said ad looking for those with “skillz”:


    In the two cases detailed above, there are several reasons why we believe these should not be classified as professional or organized crime. One is that the malicious users are openly posting their own easily traceable information in the public forums that almost anyone can anonymously visit.

    So if these are perpetrated by neither professionals nor organized crime syndicates, then who is posting such entries? The possible figures would be as follows:

    • Script Kiddies – they usually use the openly available cracking tools to steal individual information and sell it to others
    • “Customers” of cyber criminals – they try to sell individual information that they initially bought from the professional criminals
    • People who read media reports – those pretending to sell the individual information, but do not actually have said information. Another set of readers may be the adventurous type who want to recreate the same offenses based on the information they got from the media.

    The existence of the so-called script kiddies should never be ignored. As the said hack and breach techniques are made more widely available, they also become more sophisticated that there will come a time when it will be harder to distinguish between a manually conducted breach and an automated one.

    As part of the protection, some companies try to hire so-called ethical hackers who can help enhance their organizational security measures. In Sun Tzu’s The Art of War, the chapter on attack by stratagem shares this bit of wisdom: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” This statement is a basic principle that can be applied even—or perhaps especially—to cyber crime and our ongoing fight against it.

    Updated by Mayee Corpin (Technical Communications)

    Posted in Bad Sites | Comments Off on Barefaced Cyber Crime

    9:29 pm (UTC-7)   |    by

    Last Friday, yet another Ichitaro zero-day exploit was discovered. Ichitaro is a well-known Japanese word processor produced by JustSystems.

    While the case is still under analysis, the apparent behavior is that a malware is automatically installed when a malicious .JTD file is opened with the Ichitaro application. The affected platform is Windows XP SP2 Japanese version with Ichitaro 2006. Trend Micro detects the said malicious .JTD file as TROJ_TARODROP.AB, which installs a backdoor detected as BKDR_AGENT.AIAJ.

    This year, the number of targeted attacks on Japanese applications has increased, seen to be in line with the increase of language-specific regional attacks. Malware authors targeting Ichitaro are bound to be successful as this application is popular. Users of the said application therefore need to take extra caution.

    As noted at 18:30 last December 14, JustSystems has released the security update module to fix the vulnerability. If you are using the JustSystem product, please update it as soon as possible.

    Again, this is not the first Ichitaro exploit. This year alone, in August, a malicious Ichitaro document taking advantage of a vulnerability to drop a Trojan on target systems was reported. A full year before that, the first Ichitaro exploit was identified.

    Posted in Vulnerabilities | Comments Off on Ichitaro Exploited Anew

    As everyone knows, new Japanese Prime Minister Mr. Yasuo Fukuda has just been appointed and already a suspicious email supposedly coming from the new PM is making its rounds.

    The said email message comes with the attachment named MOFA.ZIP, which looks like the following when uncompressed. It uses the icon for MS Word but instead of using the normal .DOC extension, it uses .EXE:

    {Mofa icon}

    Once MOFA.EXE is executed, MOFA.DOC opens. Part of the new Japanese Prime Minister’s official Web site is saved in the said .DOC file. The said content uses a font called SimSun, which can display Chinese characters on Japanese platform, or Japanese characters on a Chinese platform. On Windows XP systems, this font can be displayed normally. However, on Windows 2000 platforms with MS Word 2000 version, the result is the following:

    {SimSun on Windows 2000 with MS Word 2000}

    When you check “Property”, you can see some Chinese characters in the name field:

    {SimSun on Windows 2000 with MS Word 2000}

    {SimSun on Windows 2000 with MS Word 2000}

    It is most probable that the opening of this document is a trick to distract users. It is possible that when the document opened, malicious activity is started in the background. The said .EXE file is detected by Trend Micro as BKDR_DARKMOON.BG.

    As of now, a warning about has been issued regarding this suspicious email message. It may be found on the official Web site of the Japanese PM.

    Users are advised to not open attachments that are not expected or from suspicious senders.
    Additional information from the Japan Regional TrendLabs

    Posted in Spam | Comments Off on Japanese PM Yasuo Fukuda Sends You a Message


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice