As the anniversary of the horrible September 11 attacks in The United States approaches, Trend Micro researchers donned their research coats and waited for the people behind FAKEAV to make their move. Predictably, they did not disappoint.

Through SEO poisoning, users searching for any reports related to September 11 may find themselves stacked with Google search results that lead to a rogue AV malware detected by Trend Micro as TROJ_FAKEAV.BOH.

Figure 1. Poisoned Google search results

As shown in the image above, TROJ_FAKEAV.BOH may arrive on the system as Scanner-7c545a_2031.exe from several malicious Web sites that can all be found in the poisoned Google search results.

Trend Micro users are already protected from this threat, as the malicious file(s) are already detected and the download links are already identified and blocked by the Web Reputation Service.

The people behind FAKEAV still show no sign of slowing down. With the holiday season coming up, users are also advised to refrain from visiting unknown sites returned in Search Engine results  and rely on reputable news agencies instead.

Trend Micro researchers recently came across samples that exploited a new zero-day vulnerability in Adobe Reader 9.1.2 and Adobe Flash Player 9 and 10.

The exploit arrives as a PDF file embedded with Flash objects and malicious binary files. The Flash object contains a shellcode that allocates heaps of blocks in a system’s memory.

The exploits uses a technique known as heap spraying. Once a user opens a specially crafted PDF file, two binary executables are dropped and executed on his/her system. The .PDF file is detected by Trend Micro as TROJ_PIDIEF.ANQ or TROJ_PIDIEF.ANP, while the dropped files are detected as BKDR_HAYDEN.K, BKDR_HAYDEN.L, TROJ_AGENT.AXWS, and TROJ_AGENT.IAAK.

Since Adobe has not yet provided patches for the said vulnerabilities, users are advised to take extreme caution when viewing .PDF files. A workaround has been offered, but it also disables all Flash objects embedded in PDF files – which may or may not be acceptable, depending on one’s usage patterns. Patches from Adobe are not expected until the end of the month.

July has been an exceptionally busy for zero-day exploits. Early in the month, an exploit involving ActiveX controls was used to spread FAKEAV malware; just days ago this was joined by an exploit affecting Mozilla Firefox.

Trend Micro Smart Protection Network users are already protected from these threats.

A new ransomware spreading through email is on the loose.

On the outset, the worm detected by Trend Micro as WORM_RANSOM.FD may look like a normal mass-mailing worm but further analysis reveals that this comes with a deadly payload. With only a few exceptions (files with .rwg, .dll, .exe, .ini, .vxd, and .drv extensions are not affected), it encrypts files in the affected system using the Blowfish algorithm, thereby rendering them unusable. A .RWG extension is then appended to the filenames to serve as a marker.

Defying the norm of a typical ransomware however, WORM_RANSOM.FD does not ask for money in exchange for the files. Instead, it gives the affected user three options as to how he or she can retrieve his or her files:

So, unless Windows users are willing to migrate to Linux or wait for the decryptor program that may or may not come, Option 1 may seem the only plausible solution. Resourceful techies may opt to try their hand in manually decrypting the files, but for those stuck with Option 1, Trend Micro already provides a fixtool that will automatically restore the files.

Our experts believe that ransomware is a high-risk/moderate reward business model that will not significantly increase. This is because it goes against one of the key features most cybercriminals are relying on in terms of developing malware, which is stealth. Almost all aspects of a ransomware attack is quite visible.

For one, the payload is visible — users are informed that their files are held hostage, so these users can easily turn to their AV vendors for help in detection/cleanup, mitigating further infection from other users. Another is that cybercriminals have to leave contact details for the payment. These contact details can be used by law enforcement to track down the attackers.

Users who’ve found themselves victims of this attack may either use Trend Micro’s fixtool or ask for assistance.