Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Jessa De La Torre (Senior Threat Researcher)

    Brazilian banks are once again in the hotseat as a banking Trojan emerges with a new technique. This time, the cybercriminals targeting these banks are using GMER, a popular anti-rootkit application. Trend Micro detects this banking Trojan as TROJ_DLOAD.BB. Upon execution, this Trojan downloads a legitimate copy of GMER and a malicious rootkit component detected as TROJ_DAMMI.AB.

    TROJ_DLOAD.BB creates a batch file that terminates the processes related to the G-Buster Browser Defense, a security program used by many Brazilian banks as protection from information theft and as protection of customers’ privacy during online transactions. Without this application, the information relayed in these transactions may be exposed to malicious users and can be used for fraudulent activities later on.


    The batch file created by TROJ_DLOAD.BB uses GMER’s -killfile option, TROJ_DLOAD.BB terminates GBPlugin and its components. TROJ_DAMMI.AB is then rendered as a rootkit and service to make sure that any instance of GBPlugin is terminated.

    Trend Micro protects users via its Trend Micro Smart Protection Network that already blocks the download URLs and detects the related malicious files. Non-Trend Micro users can use HouseCall, Trend Micro’s free scanner for identifying and removing malware.

    Update as of 20 October 2009, 17:00

    Aviv Raff, one of our partners from RSA, confirmed this kind of approach that cybercriminals use in malicious routines. He stated that GMER is not the only malware removal tool utilized by cybercriminals. Another tool, called The Avenger, has been used to terminate GBPlugin. The Avenger is the work of a security researcher who uses the alias Swandog46. As his website states, The Avenger is a powerful program, which doesn’t make it hard to imagine the tool being misused. And true enough, the cybercriminals did.

    Posted in Malware | Comments Off on New Banking Trojan Uses GMER

    Cybercriminals leveraged on the tropical storm, Ondoy (International name: Ketsana) that hit the Philippines and killed around 140 people. Senior Threat Analyst Joseph Pacamarra found several malicious sites that appeared each time the users search the strings, “manila flood,” “Ondoy Typhoon,” and “Philippines Flood,” among others. The said sites emerged as one of the top search results.

    Once the user clicks the URL, they will be redirected to several landing pages where they are asked to download an EXE file, soft_207.exe. Trend Micro detects it as TROJ_FAKEAV.BND. This attack does GeoIP checks, which mean it only targets specific regions or location (one of the landing sites is hxxp://{BLOCKED}

    Figure 1. Screenshot of the malicious search result
    Click Figure 2. The EXE file that users need to download

    “Cybercriminals heartlessly exploited the calamity that unfolded in the Philippines. They rigged multiple URLs related to this news to point unknowing users to FAKEAV. Such SEO poisoning campaigns attract users all over the Web especially those who are trying to get information about their loved ones and fellow countrymen in the Philippines,” Pacamarra said.

    Although riding on tragic events is not exactly new, what is notable is it employed once again blackhat SEO to lead users to a FAKEAV as we had previously discussed here.

    Users are advised to be wary in clicking any URLs. Trend Micro protects users from this attack via its Trend Micro Smart Protection Network as it blocks all URLs and detects the said FAKEAV.


    Trend Micro researchers were alerted of blackhat SEO campaigns that led to FAKEAV or rogue antivirus. The cybercriminals behind these attacks hitchhiked on high profile news like the recent death of Patrick Swayze, Kanye West’s infamous interruption on MTV VMA awards, and the death of Yale student Anne Le.

    Upon further analysis, our researchers discovered that the poisoned keywords are not only limited to recent events. According to Advanced Threats Researcher Joey Costoya, there are many hijacked search items that point to FAKEAV.

    Here are some of the search terms:

    • Act Registration
    • Alan Thicke
    • Archer FX
    • Archer Fx
    • Beaches Movie
    • Cbs Survivor
    • Community Imdb
    • Community Nbc
    • Community Show
    • Community Tv
    • Delta Smelt
    • Dina Meyer
    • Divas Live 2009
    • Ernie Anastos
    • Fx Network
    • Gillian Jacobs
    • Grandma S Boy
    • Huron Ca
    • Huron California
    • Janet Napolitano
    • Joel Mchale
    • Kanye West Interruption Video
    • Katherine Heigl Baby
    • Melinda Loveless
    • My Date With The President S Daughter
    • Polwizjer
    • Ralphie May
    • Russell Hantz Oil Company
    • San Joaquin Valley
    • Sniffish
    • Starship Troopers
    • The Gang Exploits The Mortgage Crisis
    • The Office Gossip
    • The Valley Hope Forgot
    • Volkswagen L1 Concept

    These search strings might be based on Google Trends as it shows the top searches people made in Google. These hijacked search strings are then linked to sites that served FAKEAV.

    In addition, the cybercriminals behind such attacks are doing GeoIP checks. If the user sports a US IP address, the FAKEAV sites emerge. Otherwise, accessing the URL will produce an HTTP 404 page. Thus our advice for users from the US which are obviously singled out as the target of these attacks: Be extra careful!!

    SEO poisoning is becoming the main contraption of rogue antivirus applications. It often rides on current events as we had blogged before in the following posts:

    Users are advised to be cautious in their Web searches and to visit credible websites only. Trend Micro already blocks and detects all malicious URLs through its Trend Micro Smart Protection Network.


    As the anniversary of the horrible September 11 attacks in The United States approaches, Trend Micro researchers donned their research coats and waited for the people behind FAKEAV to make their move. Predictably, they did not disappoint.

    Through SEO poisoning, users searching for any reports related to September 11 may find themselves stacked with Google search results that lead to a rogue AV malware detected by Trend Micro as TROJ_FAKEAV.BOH.

    September 11 search results

    Figure 1. Poisoned Google search results

    As shown in the image above, TROJ_FAKEAV.BOH may arrive on the system as Scanner-7c545a_2031.exe from several malicious Web sites that can all be found in the poisoned Google search results.

    Trend Micro users are already protected from this threat, as the malicious file(s) are already detected and the download links are already identified and blocked by the Web Reputation Service.

    The people behind FAKEAV still show no sign of slowing down. With the holiday season coming up, users are also advised to refrain from visiting unknown sites returned in Search Engine results  and rely on reputable news agencies instead.



    Trend Micro researchers recently came across samples that exploited a new zero-day vulnerability in Adobe Reader 9.1.2 and Adobe Flash Player 9 and 10.

    The exploit arrives as a PDF file embedded with Flash objects and malicious binary files. The Flash object contains a shellcode that allocates heaps of blocks in a system’s memory.

    The exploits uses a technique known as heap spraying. Once a user opens a specially crafted PDF file, two binary executables are dropped and executed on his/her system. The .PDF file is detected by Trend Micro as TROJ_PIDIEF.ANQ or TROJ_PIDIEF.ANP, while the dropped files are detected as BKDR_HAYDEN.K, BKDR_HAYDEN.L, TROJ_AGENT.AXWS, and TROJ_AGENT.IAAK.

    Since Adobe has not yet provided patches for the said vulnerabilities, users are advised to take extreme caution when viewing .PDF files. A workaround has been offered, but it also disables all Flash objects embedded in PDF files – which may or may not be acceptable, depending on one’s usage patterns. Patches from Adobe are not expected until the end of the month.

    July has been an exceptionally busy for zero-day exploits. Early in the month, an exploit involving ActiveX controls was used to spread FAKEAV malware; just days ago this was joined by an exploit affecting Mozilla Firefox.

    Trend Micro Smart Protection Network users are already protected from these threats.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice