Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
     12345
    6789101112
    13141516171819
    20212223242526
    2728293031  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Jessa De La Torre (Senior Threat Researcher)




    Trend Micro recently came across a .PDF file sample that exploits a vulnerability that was discovered as early as mid-2009. The specially crafted .PDF file detected as TROJ_PIDIEF.SML contains malicious JavaScript in its code that uses the getAnnots() method to corrupt an affected system’s memory.

    It is interesting to note that its final payload is the download of a malicious binary file that happens to be a ZBOT/ZeuS variant detected as TROJ_ZBOT.BYZ. This acts as a combination of the two most
    prevalent threats today—ZBOT and PDF exploits
    . From phishing emails to social-networking sites, the widespread ZeuS Trojan has now been making its rounds across various attack vectors to get into users’ systems.

    ZeuS has been around since 2007 and even if most antivirus companies have caught on with its stealth and polymorphic routines, this malware still shows no signs of slowing down.

    Learn more about ZBOT/ZeuS by reading more about the various tactics it uses in the following blog entries:

    Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service. Not a Trend Micro user? We also offer free system checks with HouseCall, which identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. You may also use RUBotted to find out if your machine is already part of a botnet.

     



    Another PDF sample that exploits an unpatched vulnerability in Adobe Reader and Acrobat has been spotted in the wild. The sample (detected by Trend Micro as TROJ_PIDIEF.WIA) uses the heap spray technique to execute shellcode in its stream. As a result, a malicious file detected as BKDR_POISON.UC is dropped into the system.

    When executed, BKDR_POISON.UC opens an instance of Internet Explorer and connects to a remote site, cecon.{BLOCKED}-show.org. Once connected, a malicious user may execute any command on the affected system.

    Adobe has announced that it will provide a patch for this vulnerability on January 12, 2010 but until then, users are advised to disable JavaScript in Adobe Reader and Acrobat as cybercriminals are sure to take advantage of this unpatched vulnerability. To do this, follow the steps below.

    1. Click Edit > Preferences.
    2. In the left panel, select JavaScript.
    3. Untick the Enable Acrobat JavaScript option.
    4. Click OK.

    In addition, Adobe also plans to release an automatic/silent updater that will automatically patch systems even without user intervention. This will hopefully lessen the number of users who can be victimized by attacks employing exploits for already patched vulnerabilities.

    Trend Micro protects users from this threat via the Smart Protection Network, which detects all related malicious files. OfficeScan users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF003885 filters.

     



    In this month’s Patch Tuesday, Microsoft released six security advisories to address 12 vulnerabilities. Three of these security bulletins are deemed “critical” (MS09-071, MS09-074, MS09-072) while the rest are tagged as “important.”

    The recently reported vulnerability exploit in Internet Explorer versions 6 and 7 has also been fixed in MS09-072. The said vulnerability could grant the attacker user rights access to the system. In addition, it also allows malicious users to execute arbitrary code in the system. Trend Micro detects this as HTML_SHELLCOD.WT.

    Similarly, Adobe also released two security advisories to address recently discovered vulnerabilities in Flash Player and Illustrator. Accordingly, the vulnerability in Flash Player could give malicious users control of the system if successfully exploited.

    With the holiday season just around the corner, along with a truckload of holiday-related scams (fake e-cards, phishing attacks, etc.) and malware, users are strongly advised to apply these patches immediately and keep their systems up-to-date.

     



    As Filipinos and Puerto Ricans were busy rooting for their champions in yesterday’s fight, so were cybercriminals who wished to capitalize on the match. Through SEO poisoning, users searching for a live stream of the Pacquiao vs Cotto fight were instead served a FAKEAV variant.

    Click for larger view

    According to Threat Response Engineer Jasper Manuel, search results led to the download of TROJ_FAKEAV.MAN. Clicking the link displays the following image:

    Click for larger view

    Users who are interested in watching Pacquaio’s upcoming fights (i.e., with Mayweather) are advised to stay away from suspicious-looking links. Trend Micro Smart Protection Network™ blocks user access to malicious URLs and detects the said FAKEAV.

     



    When BREDOLAB entered the threat landscape several months ago, it was initially thought of as a common downloader (that downloads executable files) designed for malware infection only. However, Trend Micro researchers noticed a sudden increase in its activities in August 2009. This pushed our researchers to delve more into the inner workings and behaviors of BREDOLAB.

    Our analysis then observed BREDOLAB’s connections to two notorious malware families, FAKEAV and ZBOT/ZeuS. The samples always include the aforementioned malware in its download repertoire. Adding BREDOLAB to their long lists of carriers, these malware families mostly focused on information and financial theft.

    BREDOLAB also exhibited certain similarities with another well-known botnet, PUSHDO in terms of downloading routine. This led our threat researchers to believe that the cybercriminals behind PUSHDO and BREDOLAB are the same.

    Trend Micro’s Senior Threat Researcher David Sancho has written an in-depth analysis on this new threat. Read it here: You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice