
    Author Archive - Jasper Pimentel (Advanced Threats Researcher)

    Notable Malware


    These worms used the famous social networking site Facebook in their propagation routines. While executing on an affected user’s system, these worms search for cookies related to Facebook. Once a match is found, the worms access the user’s Facebook profile using the credentials contained in the cookie files. The worms then modify the user’s Facebook profile to include a link pointing to the malware, in order to infect more systems.

    The attack places at risk a great number of Facebook users, which the social networking site claims to have grown to over one hundred million.


    As its name implies, TROJ_FAKEAV.CX poses as an antivirus product. Like other malware of this type, it could be downloaded from malicious links contained in spammed email messages. TROJ_FAKEAV.CX displays several messages alerting the user about malware threats. To further convince users, it drops another Trojan on the system detected by Trend Micro as TROJ_RENOS.ACG. The dropped Trojan has visual payloads that readily alert users to the presence of malware on the system.

    Furthermore, the payload for this type of attack goes beyond the damage to the affected system; it also causes unnecessary panic and wastes the users’ time.


    TROJ_CHEPVIL.RAR arrives as an attachment in spammed email messages that promise the user a chance to view a video of actress Angelina Jolie. Of course, the video that is supposedly contained in the attachment is the Trojan itself. In order to bypass email filters, the attachment comes as a password-protected .RAR file, a tactic used by email-borne worms in the outbreak era years ago. When executed, the Trojan leads to the download of TROJ_RENOS.ADX and TROJ_AGENT.AVSZ.

    The danger, however, does not end there, as both TROJ_RENOS.ADX and TROJ_AGENT.AVSZ cause more trouble of their own. TROJ_RENOS.ADX drops JOKE_BLUESCREEN and TROJ_FAKEALER.HO. JOKE_BLUESCREEN uses a bluescreen as the system’s screensaver, which may alarm the user into thinking that a critical error has occurred. TROJ_FAKEALER.HO isn’t much different, displaying warnings on the affected system and then prompting the installation of a rogue antivirus program. TROJ_AGENT.AVSZ, on the other hand, disables the firewall of the affected system, leaving it vulnerable to more attacks.


    This is another variant of the Storm malware. Like its brethren, it is installed on systems when users visit malicious Web sites. The URLs of these Web sites are included in spammed email messages, which pose as eCards, a disguise Storm is known to have used before. Recycling of techniques isn’t surprising to see from the Storm gang, as it has consistently shifted its techniques to distribute malware to unknowing users.

    Web Incident

    In mid-August, we discovered a massive SEO poisoning that involved a lot of compromised Web sites. Entering specific search strings such as “changes on the river amazon” or “changes made for mount Pinatubo” in Google led users to one of the compromised sites, which when accessed redirected users to another URL that downloads a malicious program on the system.

    Upon installation, the system displays some alarming prompts stating a supposed malware infection. The user, who will then probably be in a panic, is told to download an antivirus program to help clean up the system. This solution, however, only makes things worse; the file that poses as an antivirus program is nothing more than malware itself, detected as TROJ_FAKEAV.DM and TROJ_FRAUDLOA.WM.

    Further investigation revealed that the hackers responsible for this incident have almost 1 million search phrases at their disposal for SEO poisoning.

    Posted in Malware | Comments Off on August Malware Roundup

    Notable Malware

    These malware took advantage of the Fourth of July celebrations in the United States to increase their chances of distribution. A malicious URL was included in eCards that were spammed during this time. The URL pointed to locations from where these malware could be downloaded.

    Sometime in mid-July, an email was being spammed, foretelling the supposed death of the Internet in 2010. The email had a PDF attachment, which contained “more details” of the news. Users who were tricked into opening the PDF attachment would soon find themselves with an unexpected guest on their systems, in the form of TROJ_PIDIEF.JT.

    POISON and FAKECLEAN are two malware that pose as virus cleaning tools. Towards the end of July, these malware were being sent out through email by Chinese hackers. The email claimed that these “applications” were Trend Micro Virus Clean Tools. There is actually a Trend Micro Virus Clean tool, but what makes this incident suspicious is that Trend never sends applications as attachments through email.

    Exploits and Vulnerabilities

    Internet Explorer Vulnerability
    As July began, a vulnerability was discovered in Internet Explorer. According to reports regarding the vulnerability, access to an HTML document’s frames was not restricted, implying that the frame contents could be replaced, presumably with malicious content. This allows for further potential in browser-based attacks against the user.

    Even the 2008 Summer Olympics was not spared as a tool for malware distribution. In the early weeks of July, .DOC files with malicious content were spreading around. Users were tricked into opening them since the documents seemed to have some info or news on the Olympic games. These .DOC files were actually exploits that took advantage of a vulnerability in Microsoft Word 2002 Service Pack 3. When exploited, the unspecified remote code-execution vulnerability could allow remote attackers to take complete control of an affected system, or cause the application to crash.

    Web Incidents

    TROJ_AGENT.AYZO is the malware behind the recent wave of compromised Web sites. In July, quite a number of legitimate Web sites were compromised. Additional Web pages were added to the Web sites’ domain, usually ending in START.HTML, BEGIN.HTML or R.HTML. Once accessed, these malicious Web pages redirect the browser to a location where TROJ_AGENT.AYZO can be downloaded.

    Posted in Bad Sites | Comments Off on July Malware Roundup

    May’s series of Web site compromises were replaced with spam and spoofed sites last June. Users were also served a bigger helping of spam with a malware aftertaste, as many of the malware that emerged this month were distributed through spam links.

    Notable Malware

    This malware, which could be downloaded from a malicious URL, was revealed to have the capability to exploit an unknown vulnerability in Adobe Acrobat. When exploited successfully, Acrobat would download another malware from the same malicious URL and execute it. What makes TROJ_PIDIEF.AC notable is that it deceives the user into thinking that it has caused a BSOD (Blue Screen of Death); the blue screen is actually a fake one.

    When Nuwar first appeared, it used the threat of a nuclear war to attract the user’s attention into reading the spammed mail and executing the malware from the download location. It seems that it has reverted to its old tactics once again. This particular variant of Nuwar informs the user of a “new” earthquake that has struck China. Of course the claim is a fake one and is meant to entice users to click on the link to download a copy of the worm.

    These new variants of Zlob were first reported to have emerged during the second week of June. Unlike their other codec-posing-but-actually-malware-in-disguise brethren, TROJ_ZLOB.CCS and TROJ_ZLOB.CCT target routers in order to redirect URL requests to malicious URLs. They do this by accessing the Web page used to set up the router and trying a predefined list of login names and passwords to break into its configuration. If successful, the Trojan modifies the system’s DNS records so that requests for legitimate URLs point to malicious ones.
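    The defender-side counterpart of the DNS tampering described above is to verify which resolvers a host or router is actually configured to use. The following script is an added example, not Trend Micro's code: it parses resolv.conf-style "nameserver" lines and compares them against an allow-list. EXPECTED_RESOLVERS and the two sample configurations are constructed placeholders (TEST-NET addresses); an administrator would substitute the resolvers the network should really be using.

```python
"""Audit configured DNS resolvers against an allow-list (added example)."""
import ipaddress
import re

# Constructed allow-list (placeholder values, not real infrastructure):
# the router itself plus the provider's two resolvers.
EXPECTED_RESOLVERS = frozenset({"192.168.1.1", "10.0.0.53", "10.0.0.54"})

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text):
    """Return the nameserver entries in resolv.conf-style text, in order.

    Entries that are not valid IP addresses are kept as-is so that the
    audit can flag them instead of silently dropping them.
    """
    resolvers = []
    for raw in NAMESERVER_RE.findall(resolv_conf_text):
        try:
            resolvers.append(str(ipaddress.ip_address(raw)))
        except ValueError:
            resolvers.append(raw)
    return resolvers


def audit_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Return (address, reason) for every resolver not on the allow-list.

    An empty result means the configuration matches expectations; any
    finding is a candidate for the kind of DNS redirection described above.
    """
    findings = []
    for addr in configured:
        if addr in expected:
            continue
        try:
            ipaddress.ip_address(addr)
            findings.append((addr, "resolver not in allow-list"))
        except ValueError:
            findings.append((addr, "unparseable nameserver entry"))
    return findings


# Constructed sample configurations (203.0.113.7 is a TEST-NET address).
CLEAN_CONFIG = """# generated by the router
nameserver 192.168.1.1
nameserver 10.0.0.53
"""

HIJACKED_CONFIG = """# generated by the router
nameserver 203.0.113.7
nameserver 10.0.0.53
"""


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_CONFIG), ("hijacked", HIJACKED_CONFIG)):
        print(label, audit_resolvers(parse_resolvers(text)))
```

    Running the script reports no findings for the clean configuration and one finding for the tampered one. The same comparison can be applied to a router's DNS settings page or to the output of the operating system's own network configuration tools, as long as the addresses are extracted into a list first.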

    An incident involving ransomware some time ago made use of a 660-bit algorithm for encrypting an unwitting user’s files and holding them for “ransom”. Another version of this kind of threat has come out recently, in the form of TROJ_GPCODE.AD, which uses a 1024-bit key, making the files more difficult to decrypt.

    Exploits and Vulnerabilities

    BKDR_HOVDY.A is known to exploit a vulnerability in Apple’s Remote Desktop feature. This backdoor elevates the user privilege level to root and, upon doing so, can perform a variety of backdoor functions that include adding a hidden admin user, opening ports in the firewall and enabling personal web sharing. Thus, once the system has been compromised, it is left more vulnerable to future attacks and can possibly be used for malware distribution.

    Firefox 3.0 Vulnerability
    A vulnerability has been disclosed to be present in Mozilla Firefox 3.0. When exploited, this vulnerability could allow malicious code to be executed, but it requires user interaction. As of now, Mozilla has yet to issue a patch for this vulnerability.

    Web Incidents

    For June, there were fewer reported incidents of Web sites being compromised. Instead, there were a lot of instances of scam and spoofed sites emerging. Furthermore, there were a lot of malware whose distribution tactics relied on spammed mail with links to malicious URLs.

    Posted in Bad Sites | Comments Off on June Malware Roundup

    Last month started with an April Fool’s message being spammed around. The spammed email contained a link from where a variant of the Storm malware could be downloaded. Aside from that, we’ve had our usual fill of Trojans and malicious scripts that plagued compromised Web sites for April.

    Notable Malware

    This Trojan poses as a browser plugin that must be installed first to view files that are supposed to come from a fake US federal judiciary Web site. Reported last April 15, the link to the fake site comes from spammed email messages claiming to be legitimate court subpoenas. To add credibility to the spammed email, the sender uses an email address which may seem authentic to unsuspecting recipients of the message.

    TROJ_SPAMBOT.AF is the Trend Micro detection for the malware behind Kraken, which is an emerging botnet rivaling the Storm botnet. Some researchers who have analyzed Kraken have stated that this may be a variant of the Bobax malware family.

    Reported last April 5, this Trojan uses an old technique to trick users into compromising their systems. Users receive a spammed email, under the guise of a Microsoft security bulletin, urging the users to download a patch from a certain link present in the email. Of course, the patch is actually the malware itself, which Trend Micro detects as TROJ_AGENT.AZZZ.

    TrendLabs researchers discovered a Web site that offers what looks like a YouTube-style streaming video service. The infection vector and messaging are actually still the same — that is, users are most likely to access this site via links on specially crafted blogs. What is interesting this time is that on the suspect site, users are required to download the so-called “Storm Codec” in order to view the video. Yes, you read that right: the codec is called Storm Codec. Of course, the “codec” is actually a NUWAR variant, which Trend Micro already detects as WORM_NUWAR.JQ since April 2.

    Exploits and Vulnerabilities

    A backdoor exploiting a recent vulnerability in Microsoft’s GDI processing was discovered right after Patch Tuesday last April 8. A file named TOP.JPG has been found to do this. It arrives on a system as an executable, now detected as EXPL_NEVAR.B. With just this opening available to malware authors, they can do pretty much anything after exploiting this vulnerability. Its specific routine is to connect to a URL to download a file named WORD.GIF (also detected as BKDR_POISONIV.QI).

    Web Incidents

    Early this month, several Web sites have been compromised by search engine optimization (SEO) poisoning. Some of the compromised sites were that of the Washington State University and several news sites such as Sun Gazette and Tribune-Chronicle. For the past few months, education Web sites (*.edu) were the ones targeted for such attacks, averaging about three per month. In this recent incident, JS_IFRAME.US is the iFrame component that is inserted into the HTML code of the Web page. When the browser is redirected by this malicious iFrame, it downloads the malicious script file JS_DLOADER.TVP.

    That’s it for today. As of this writing, it seems that another Italian Job is underway, with ~100 compromised Web sites. We shall take a look at more of this in next month’s malware roundup.


    For those of you who have read last month’s malware roundup, Fidel Castro is still alive. Thanks to some malware authors, a spammed email message spread in the early weeks of March, claiming that the old Cuban leader had already passed away. As expected, the link present in the spammed email led to a malicious Web site and resulted in the download of TROJ_AGENT.LAM.

    A lot of Web sites also got compromised last March, most of them belonging to educational institutions. Moreover, we had the usual handful of reported malware and some of them really had some significant impact, like the ones that led to massive Web hacking.

    Notable Malware

    These three have been responsible for a mass compromise attack on certain Web sites. Sometime during March 12, malicious scripts were inserted into certain legitimate Web sites. The malicious script was responsible for downloading JS_DLOADER.TZE, which in turn downloaded TROJ_AGENT.KAQ and TROJ_AGENT.TM. The attack took advantage of a vulnerability in RealPlayer. The purpose of the attack was to obtain online gaming information, since several variants of notorious online game stealers were found at the end of the download series.
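    Both the April SEO-poisoning incident (a malicious iFrame inserted into the HTML of compromised pages) and the March mass compromise (malicious scripts inserted into legitimate sites) leave the same trace: a tag the site's authors never wrote, usually hidden and usually pointing off-site. The following scanner is an added example, not Trend Micro's code or any detection used by the products named on this page. It walks a page with Python's standard-library HTML parser and flags iframes that are zero-sized, hidden by style, or off-site, plus scripts loaded from hosts other than the page's own. The page host, the optional allowed_hosts list and the sample HTML (attacker.invalid and 203.0.113.5) are constructed placeholders.

```python
"""Flag injected hidden iframes and off-site scripts in HTML (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN_RE = re.compile(r"\b(?:left|top)\s*:\s*-\d{3,}", re.I)  # e.g. left:-9999px


def _is_tiny(value):
    """True for width/height attribute values of 0 or 1 (pixels or unitless)."""
    match = re.match(r"\s*(\d+)", value or "")
    return match is not None and int(match.group(1)) <= 1


class InjectionScanner(HTMLParser):
    """Collects (tag, src, reasons) for suspicious <iframe> and <script> tags."""

    def __init__(self, page_host, allowed_hosts=()):
        super().__init__()
        self.page_host = page_host.lower()
        # Constructed allow-list of third-party hosts the site legitimately uses.
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _off_site(self, src):
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs have no host and therefore point at the page's own site.
        return bool(host) and host != self.page_host and host not in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; a value-less attribute is None.
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        style = a.get("style", "")
        if tag == "iframe":
            reasons = []
            if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
                reasons.append("zero/one-pixel size")
            if HIDDEN_STYLE_RE.search(style) or OFFSCREEN_RE.search(style):
                reasons.append("hidden via style")
            if self._off_site(src):
                reasons.append("off-site src")
            if reasons:
                self.findings.append(("iframe", src, reasons))
        elif tag == "script" and self._off_site(src):
            self.findings.append(("script", src, ["off-site src"]))


def scan_html(html, page_host, allowed_hosts=()):
    """Return the list of suspicious tags found in the page, in document order."""
    scanner = InjectionScanner(page_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two legitimate elements followed by two injected ones
# (attacker.invalid and 203.0.113.5 are placeholders, not real hosts).
SAMPLE_HTML = """<html><body>
<script src="/js/site.js"></script>
<iframe src="/embed/tour.html" width="560" height="315"></iframe>
<h1>Campus news</h1>
<iframe src="http://attacker.invalid/r.html" width="0" height="0" style="visibility:hidden"></iframe>
<script src="http://203.0.113.5/x.js"></script>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, "www.example.edu"):
        print(finding)
```

    On the sample page the scanner reports the hidden zero-sized iframe with all three reasons and the off-site script with one. Off-site scripts are a triage signal rather than proof of compromise, since many sites load legitimate third-party code, which is why the allow-list exists; the practical use is to run the scan against a known-good copy of each page and alert only on new findings.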

    Early last March, a malware targeting Windows Mobile PocketPC was reported. Detected as WINCE_INFOJACK.A, this worm runs specifically in the Windows Mobile environment, leaves the mobile phone open to other malware, and installs unsigned applications without the user’s consent. It also steals information such as the mobile device’s IMEI or serial number, OS version, model, platform and host name, among others, which it sends back to the malware author/s. Aside from this, WINCE_INFOJACK.A also changes the security settings of the phone.

    Exploits and Vulnerabilities

    Towards the end of March, targeted attacks were reported. It was mentioned that an unpatched security flaw in Microsoft’s Jet Database Engine was involved. This vulnerability is exploited through a specially crafted Microsoft Word document detected by Trend Micro as TROJ_EMBED.AA. The Word file launches a Microsoft Database (MDB) file detected as TROJ_MSJET.C, which serves as a mail-merge file once the document is opened. At this point the vulnerability is exploited, allowing the Word document to drop a malicious .EXE file on the affected system.

    Trojanized Excel Files
    Early last March, there were reports of Trojanized MS-Excel files that have been sent as email attachments. This was an attempt to compromise computers that are yet to receive a security patch on a still unpatched Microsoft Excel vulnerability reported under CVE-2008-0081. The Trojanized Excel files are known to be capable of dropping and executing Windows binary executables on target machines.

    CA Software Vulnerability
    A zero-day exploit has been discovered — this time targeting an unpatched ActiveX vulnerability in the CA BrightStor ARCserve Backup product. Reportedly, this exploit code can be used to launch code execution attacks on notebook and desktop computers in businesses. The author has posted the exploit code to this vulnerability online. This discovery goes to show that even security measures can be compromised, and ever more vigilance is needed across all users.

    Web Incidents

    For March there were more than 10 Web threat incidents that were reported. Almost all of the reported incidents are actually legitimate Web sites that have been compromised to distribute malware. With respect to Web site category, 28% of the reported incidents are related to education Web sites.

    That’s all for today. Yesterday we received some spammed email messages regarding April Fool’s Day. A simple prank or something sinister? More of this in next month’s malware roundup.

    Posted in Bad Sites | Comments Off on March Malware Roundup

