TrendLabs Security Intelligence Blog

    Author Archive - JM Hipolito (Technical Communications)




We were recently made aware of attacks that leverage the data breach at Epsilon, the e-mail marketing provider.

According to reports, the attack uses a Web page that closely imitates the press release Epsilon issued about the breach. The page instructs recipients to click a link at the bottom of the post to download and run a tool that supposedly tells them whether their personal information was among the data disclosed in the breach.

We analyzed the attack and found that the link downloads an .EXE file now detected as TROJ_MSPOSER.ASM. Running TROJ_MSPOSER.ASM displays a GUI that makes it look as though the system is being checked.

The graphic exists only to convince victims that what they downloaded really is a tool for checking whether their information is still secure. In the background, however, another malicious file is installed on the system.





We are currently monitoring a still-ongoing mass compromise involving a large number of websites. The compromised sites have been injected with a malicious script that redirects visitors to certain URLs, which in turn lead to malware such as FAKEAV.

    Based on Google searches, there is no common denominator in terms of the industry to which the compromised sites belong. We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others.

    More URLs Involved

Investigations revealed that five URLs were used for the attack and were inserted into the compromised sites through SQL injection. All five URLs resolve to a single IP address, a known malicious server that Trend Micro researchers are monitoring, and Trend Micro has blocked them since March 25, 2011:

    • {BLOCKED}of-books.com/ur.php
    • {BLOCKED}ane.com/ur.php
    • {BLOCKED}carter.com/ur.php
    • {BLOCKED}on.com/ur.php
    • {BLOCKED}6.info/ur.php

New developments are being observed. Compromised websites that were previously injected with a script pointing to {BLOCKED}on.com/ur.php have already been modified to connect to {BLOCKED}s.com/ur.php instead. That URL resolves to the same IP address as the five URLs listed above. The cybercriminals behind this attack are most likely updating the compromised sites with new URLs because the previous ones are already being blocked, so any response that keys only on the listed domains will fall behind; the unchanging part of the injection is the /ur.php path on the single malicious server.
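Because the attackers rotate domains while the injected tag keeps the same shape, a cleanup job should look for the pattern rather than for the five hosts. The following is an added example, not TrendLabs code, that builds a throwaway SQLite table standing in for a CMS database (the rows and the `example-*.com` hosts are constructed here; the real hosts are the {BLOCKED} domains above) and scans every text column for a script tag whose src path ends in /ur.php, then strips the tag. Table and column names are operator-supplied identifiers, which is why they are not bound as query parameters.

```python
"""Hunt for the injected /ur.php redirect script in a site's content store.

Added example, not TrendLabs code. The sample rows and hosts below are
constructed stand-ins for a CMS database hit by the mass SQL injection.
"""
import re
import sqlite3

# A <script> tag with an absolute src whose path ends in /ur.php, whatever
# host the attackers have rotated to this week. Quotes around src are optional
# because injected markup is often unquoted.
INJECTED_SCRIPT = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(https?://([^/"\'\s>]+)/ur\.php)["\']?[^>]*>\s*</script>',
    re.IGNORECASE,
)

# Constructed sample rows (id, title, body) for a "posts" table after the attack.
SAMPLE_ROWS = [
    (1, "Astronomy club meeting", "<p>Next meeting is Friday.</p>"),
    (2, "Funeral services", '<p>Contact us.</p><script src="http://example-of-books.com/ur.php"></script>'),
    (3, "Hospital visiting hours", "<p>8am to 8pm</p><script src=http://example-on.com/ur.php></script>"),
    (4, "Sports schedule", "<p>Season starts.</p><script src='http://example-s.com/ur.php'></script>"),
    (5, "Electronics sale", '<p>Benign <script src="/static/app.js"></script></p>'),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database resembling a compromised CMS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_injected(conn: sqlite3.Connection, table: str, columns: list) -> list:
    """Return one finding per injected script tag in the given text columns.

    `table` and `columns` are identifiers chosen by the operator, not user
    input; SQL parameters cannot bind identifiers, hence the f-string.
    """
    findings = []
    cols = ", ".join(columns)
    for rowid, *values in conn.execute(f"SELECT rowid, {cols} FROM {table}"):
        for col, value in zip(columns, values):
            if not isinstance(value, str):
                continue
            for m in INJECTED_SCRIPT.finditer(value):
                findings.append({"rowid": rowid, "column": col, "url": m.group(1), "host": m.group(2)})
    return findings


def clean_column(conn: sqlite3.Connection, table: str, column: str) -> int:
    """Strip injected tags from one column in place; returns rows changed."""
    changed = 0
    for rowid, value in conn.execute(f"SELECT rowid, {column} FROM {table}").fetchall():
        if isinstance(value, str) and INJECTED_SCRIPT.search(value):
            conn.execute(f"UPDATE {table} SET {column} = ? WHERE rowid = ?",
                         (INJECTED_SCRIPT.sub("", value), rowid))
            changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    db = build_sample_db()
    for f in find_injected(db, "posts", ["title", "body"]):
        print(f"row {f['rowid']} column {f['column']}: {f['url']}")
    print("cleaned rows:", clean_column(db, "posts", "body"))
```

Cleaning the rows is only half the job: unless the SQL injection flaw that let the tag in is fixed, the next wave of the campaign will simply rewrite the same columns, as the {BLOCKED}on.com to {BLOCKED}s.com swap shows.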





We got hold of an exploit targeting the vulnerability Adobe reported in its most recent security advisory (APSA11-01, CVE-2011-0609).

    The exploit, detected as TROJ_ADOBFP.B (now detected as TROJ_ADOBFP.SM), takes advantage of the referenced vulnerability to drop another malicious file detected as TROJ_DROPPER.ADO.

TROJ_ADOBFP.B arrives on users’ systems as a malicious .SWF file embedded in an .XLS file; the .SWF contains the exploit code. The dropped TROJ_DROPPER.ADO in turn drops another malicious file detected as BKDR_COSMU.KO, which connects to a URL to receive and execute commands. It also collects information from the affected system, such as drive information, the OS version, file and directory listings, and the list of running processes and services.

    The vulnerability related to this threat affects the following software and their corresponding versions:

    • Adobe Flash Player 10.2.152.33 for Windows, Macintosh, Linux, and Solaris OSs
    • Adobe Flash Player 10.1.106.16 and earlier versions for Android
    • Adobe Reader and Acrobat X (10.0.1) for Windows and Macintosh OSs (specifically the Authplay.dll component)

    Adobe posted a schedule for the release of security updates that will address this vulnerability. All affected versions, except Adobe Reader X, will be patched on March 21. The update for Adobe Reader X will be released on June 14. Until the updates are released, users are advised to be extra careful, especially when dealing with .XLS files coming from unknown users.
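Until the patches land, one cheap triage check for incoming spreadsheets is whether they carry a Flash object at all. The following is an added example, not TrendLabs code: it scans a file for SWF headers (a 3-byte signature of FWS, CWS or ZWS, a version byte, and a 4-byte little-endian length) at any offset and sanity-checks each hit. The sample "document" is constructed bytes, not the real TROJ_ADOBFP.B. It assumes the embedded SWF sits in contiguous sectors of the OLE container, which is usual for a small object; a fragmented stream or an .xlsx (a zip) needs to be unpacked with an OLE or zip parser first.

```python
"""Find embedded Flash (SWF) objects inside an Office document.

Added example, not TrendLabs code. A SWF begins with FWS (uncompressed),
CWS (zlib) or ZWS (LZMA), one version byte, then a little-endian uint32
giving the uncompressed length of the whole file, header included.
"""
import struct
import sys
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container header
MAX_PLAUSIBLE_SWF = 64 * 1024 * 1024               # assumption: cap to reject random hits


def find_embedded_swf(data: bytes, max_version: int = 40) -> list:
    """Return candidate SWF headers found at any offset in `data`.

    Each candidate must have a plausible version byte and a length field
    that is at least the header size and not absurdly large; this filters
    out the occasional accidental 'FWS' in unrelated binary data.
    """
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            off = data.find(sig, start)
            if off < 0:
                break
            start = off + 1
            if off + 8 > len(data):
                continue
            version = data[off + 3]
            length = struct.unpack_from("<I", data, off + 4)[0]
            if 1 <= version <= max_version and 8 <= length <= MAX_PLAUSIBLE_SWF:
                hits.append({"offset": off, "signature": sig.decode(),
                             "version": version, "length": length})
    return sorted(hits, key=lambda h: h["offset"])


def is_ole_container(data: bytes) -> bool:
    """True for the legacy binary Office format that .xls uses."""
    return data.startswith(OLE_MAGIC)


def make_sample_document() -> bytes:
    """Constructed stand-in for an .xls carrying a zlib-compressed SWF.

    The SWF body here is filler, not real Flash bytecode; only the header
    layout matters for the scanner.
    """
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 64
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    return OLE_MAGIC + b"\x00" * 504 + b"Workbook" + b"\x00" * 200 + swf + b"\x00" * 100


def scan(data: bytes) -> list:
    """Human-readable findings for one file's bytes."""
    lines = []
    if is_ole_container(data):
        lines.append("OLE2 container (legacy .xls/.doc/.ppt)")
    for h in find_embedded_swf(data):
        lines.append(f"SWF {h['signature']} v{h['version']} at offset {h['offset']}, "
                     f"declared length {h['length']} bytes")
    return lines


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_document()
    for line in scan(blob) or ["no SWF header found"]:
        print(line)
```

A hit is a reason to quarantine and look closer, not proof of exploitation: spreadsheets with legitimate Flash content exist, and the malicious .SWF in this campaign is only dangerous once Excel hands it to the vulnerable Flash runtime.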

    Update as of March 22, 2011, 12:50 AM Pacific Time

Adobe has released the security updates for Adobe Flash Player and for Adobe Reader and Acrobat; details are in Adobe's security bulletins for those products.

Users are strongly advised to apply the updates as soon as possible.




Online transactions offer great convenience to vendors and customers alike. They provide a way to do business that fits most users’ current lifestyle, which increasingly revolves around the Internet.

Unfortunately, this growing dependence on online banking and e-commerce is matched by cybercriminals’ interest in turning it to their advantage. Recently we have seen the following technology used in online financial transactions being abused:

    Session IDs

As detailed in a Trusteer report, a new banking Trojan, detected by Trend Micro as TSPY_ODDJOB.SMA, is capable of hijacking customers’ online banking sessions. A session ID gives the user a temporary identity; it is meant to be short-lived and to expire after a predetermined period of inactivity. TSPY_ODDJOB.SMA keeps the banking session alive on the server even after the customer has logged off, so the criminals can keep transacting with the victim's session ID and commit fraud.

The capability may be noteworthy, but Trend Micro Smart Protection Network has so far detected and blocked only one instance of the Trojan. However, the technique could prove very attractive to criminals using ZeuS and SpyEye, especially because it is relatively simple to incorporate.

In the next few months, session hijacking could easily become default functionality in banking Trojans.
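The attack only works against a bank whose server keeps honouring a session ID until it times out by itself. The following is an added example, not TrendLabs or Trusteer code, showing the two server-side policies side by side: a weak logout that merely tells the browser to drop its cookie, and a hardened store where logout destroys the server-side record and every request is bounded by both an idle timeout and an absolute lifetime. The timeouts, the `FakeClock`, and the user name are assumptions chosen so the example runs offline.

```python
"""Server-side session handling that defeats a kept-alive banking session.

Added example, not TrendLabs or Trusteer code. The Trojan is modelled as
something that has copied the victim's session ID out of the browser.
"""
import secrets
import time
from dataclasses import dataclass


class FakeClock:
    """Deterministic clock so the example runs offline (assumption)."""
    def __init__(self, start: float):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    IDLE_TIMEOUT = 10 * 60        # seconds of inactivity before expiry (assumed policy)
    ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on lifetime, regardless of activity

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # unguessable ID; the threat here is theft, not guessing
        t = self._now()
        self._sessions[sid] = Session(user, t, t)
        return sid

    def lookup(self, sid: str):
        """Validate a session ID on each request; returns the user or None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > self.IDLE_TIMEOUT or t - s.created > self.ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = t
        return s.user

    def logout_weak(self, sid: str) -> dict:
        """Naive logout: clears the browser cookie but keeps the server record."""
        return {"Set-Cookie": "sid=; Max-Age=0"}

    def logout(self, sid: str) -> dict:
        """Hardened logout: the server forgets the session, so a copy of the ID is useless."""
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "sid=; Max-Age=0"}


def demo() -> dict:
    """Replay the hijack against both policies; returns what the attacker still gets."""
    clock = FakeClock(1_000_000.0)
    store = SessionStore(now=clock.now)
    results = {}

    sid = store.login("alice")
    stolen = sid                                 # the Trojan copies the ID from the browser
    store.logout_weak(sid)
    results["after_weak_logout"] = store.lookup(stolen)    # still "alice": fraud window open
    store.logout(sid)
    results["after_real_logout"] = store.lookup(stolen)    # None: record is gone

    # Without any logout, the attacker can ping every 5 minutes to keep the
    # idle timer fresh; only the absolute lifetime ends that.
    sid = store.login("alice")
    alive = True
    for _ in range(100):                          # 100 x 5 min = 500 min > 8 h
        clock.advance(5 * 60)
        if store.lookup(sid) is None:
            alive = False
            break
    results["survives_8h_of_keepalives"] = alive
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The absolute lifetime is the part most applications skip: an idle timeout alone is exactly what a keep-alive Trojan is built to defeat, because every forged request resets it.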





    The two recent zero-day vulnerabilities in Internet Explorer and the Graphics Rendering Engine found in late December and in early January, respectively, have been addressed by today’s Patch Tuesday release.

    This month’s release comprises 12 bulletins, three of which are rated “critical” while the remaining nine are rated “important.” The other bulletins include those that address vulnerabilities in Windows Kernel, Microsoft Visio, Active Directory and Local Security Authority Subsystem Service (LSASS). A cumulative update for Internet Explorer is also provided, which covers two vulnerabilities, including one reported by Trend Micro Threat Solutions Engineer Yuki Chen.

    Despite the number of bulletins, Microsoft’s list of notable bugs to patch has yet to be cleared, as the recently found vulnerability in MHTML remains unpatched.

Although no active attacks exploiting the MHTML vulnerability have been found, protecting systems against possible exploits is strongly recommended. Users may opt to implement the workarounds Microsoft has provided. Trend Micro product users are already protected against exploits of this specific vulnerability through Deep Security and through OfficeScan with the Intrusion Defense Firewall (IDF) plug-in.

Microsoft is not the only vendor shipping updates this Patch Tuesday: Adobe also released security updates for Adobe Reader and Acrobat, Adobe Flash Player, and Shockwave Player. All of them are rated “critical,” and the majority of the vulnerabilities may lead to remote code execution, so users are strongly advised to apply the patches for their respective software as soon as possible.
