We’re currently monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV.

Based on Google searches, there is no common denominator in terms of the industry to which the compromised sites belong. We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others.

More URLs Involved

Investigations revealed that five URLs were used for the attack and were inserted into the compromised sites through SQL injection. The said URLs all resolve to a single IP server—a known malicious IP Trend Micro researchers are monitoring. Thus, the related URLs have been proactively blocked by Trend Micro as early as March 25, 2011:

• {BLOCKED}of-books.com/ur.php
• {BLOCKED}ane.com/ur.php
• {BLOCKED}carter.com/ur.php
• {BLOCKED}on.com/ur.php
• {BLOCKED}6.info/ur.php

New developments are currently being observed. We’re seeing compromised websites that were previously inserted with a script leading to {BLOCKED}on.com/ur.php already modified to connect to {BLOCKED}s.com/ur.php. The said URL also resolves to the same IP server as the four previously mentioned URLs. It is possible that the cybercriminal behind this attack is updating the compromised sites with new URLs to connect to since the previous ones are already being blocked.

Read the rest of this entry »

We got hold of an exploit targeting the vulnerability Adobe reported in its most recent security advisory.

The exploit, detected as TROJ_ADOBFP.B (now detected as TROJ_ADOBFP.SM), takes advantage of the referenced vulnerability to drop another malicious file detected as TROJ_DROPPER.ADO.

TROJ_ADOBFP.B arrives in users’ systems as a malicious .SWF file that has been embedded into an .XLS file. This .SWF file contains the code for the exploit. TROJ_DROPPER.ADO, on the other hand, drops another malicious file detected as BKDR_COSMU.KO. BKDR_COSMU.KO connects to a URL to execute certain commands. It also retrieves information from the affected system such as drive information, OS, file or directory list, as well as a list of existing processes and services.

The vulnerability related to this threat affects the following software and their corresponding versions:

• Adobe Flash Player 10.2.152.33 for Windows, Macintosh, Linux, and Solaris OSs
• Adobe Flash Player 10.1.106.16 and earlier versions for Android
• Adobe Reader and Acrobat X (10.0.1) for Windows and Macintosh OSs (specifically the Authplay.dll component)

Adobe posted a schedule for the release of security updates that will address this vulnerability. All affected versions, except Adobe Reader X, will be patched on March 21. The update for Adobe Reader X will be released on June 14. Until the updates are released, users are advised to be extra careful, especially when dealing with .XLS files coming from unknown users.

Update as of March 22, 2011, 12:50 AM Pacific Time

Adobe released the security updates for Adobe Flash Player and Adobe Reader and Acrobat. More information on the said updates can be found in the following pages:

• Security update available for Adobe Flash Player
• Security updates available for Adobe Reader and Acrobat

Users are strongly advised to apply the said updates as soon as possible.

Online transactions offer great convenience to both vendors and customers alike. It provides a means to conduct transactions that are better suited to most users’ current lifestyle, which increasingly involves the Internet.

Unfortunately, this increased dependency on online banking and e-commerce is directly proportional to cybercriminals’ interest on how to leverage this to their advantage. Recently we’ve seen certain technologies used in online financial transactions that are being abused:

Session IDs

As detailed in a Trusteer report, a new banking Trojan, detected by Trend Micro as TSPY_ODDJOB.SMA, has been found to be capable of hijacking customers’ online banking sessions. Session IDs, which give users a temporary identity, are meant to be short-lived and expire after a predetermined time of inactivity. TSPY_ODDJOB.SMA effectively keeps sessions open even after customers have logged off, thus enabling cybercriminals to commit fraud.

The capability may be noteworthy, but Trend Micro Smart Protection Network has so far detected and blocked only one instance of the  Trojan.  However, this new technique could prove to be greatly attractive to those criminals using ZeuS and SpyEye, especially because it is relatively simple to incorporate.

In the next few months, session hijacking could easily become a default functionality in banking Trojans.

Read the rest of this entry »

The two recent zero-day vulnerabilities in Internet Explorer and the Graphics Rendering Engine found in late December and in early January, respectively, have been addressed by today’s Patch Tuesday release.

This month’s release comprises 12 bulletins, three of which are rated “critical” while the remaining nine are rated ”important.” The other bulletins include those that address vulnerabilities in Windows Kernel, Microsoft Visio, Active Directory and Local Security Authority Subsystem Service (LSASS). A cumulative update for Internet Explorer is also provided, which covers two vulnerabilities, including one reported by Trend Micro Threat Solutions Engineer Yuki Chen.

Despite the number of bulletins, Microsoft’s list of notable bugs to patch has yet to be cleared, as the recently found vulnerability in MHTML remains unpatched.

Although no active attacks have been found exploiting the MHTML vulnerability, applying security measures to protect systems from possible exploits is strongly recommended. Users may opt to implement the workarounds that Microsoft has provided. Trend Micro product users are already safe from being victimized by exploits leveraging this specific vulnerability through Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in.

Microsoft is not the only one to update their software this patch tuesday, as Adobe also released patches for their products. Security updates were released for Adobe Reader and Acrobat, Adobe Flash Player, and Shockwave Player. All updates were rated as “critical”, and majority of the vulnerabilities may lead to remote code execution. As such, users are strongly advised to apply the patches for their respective software as soon as possible.

Microsoft recently released a security advisory for a certain vulnerability that affects all supported Microsoft Windows systems. The vulnerability specifically involves Internet Explorer and its impact is described to be similar to those of server-side cross-site scripting (XSS) vulnerabilities.

According to the security advisory, the bug is related to how MIME Encapsulation of Aggregate HTML (MHTML) interprets MIME-formatted requests. MHTML is basically the file format used to save entire Web pages, which includes actual page content, format, and others such as images and animations. Although no active attacks leveraging the said vulnerability has been found, the availability of the proof of concept (POC) to the public increases the chances that it will be maliciously used.

In a typical attack scenario, an attacker may convince a user through social engineering techniques to click a specially crafted link that injects a malicious script into the user’s instance of Internet Explorer. This then enables the attacker to execute certain routines such as altering content on the currently displayed site, to collect user information, or to even take action in the displayed site without the consent of the affected user.

The continued exploitation of vulnerabilities in OSs is just one of the Trend Micro threat predictions this year. 2011 is set to bring about growth in exploits for alternative OSs, programs, and Web browsers, combined with tremendous growth in the exploitation of application vulnerabilities.

Microsoft provided workarounds that users may implement while waiting for the patch to be released. Trend Micro, on the other hand, protects users from exploits that may arise through Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in.