    TrendLabs Security Intelligence Blog

    Author Archive - JM Hipolito (Technical Communications)




    Microsoft recently released a security advisory for a vulnerability that affects all supported Microsoft Windows systems. The vulnerability specifically involves Internet Explorer, and its impact is described as similar to that of server-side cross-site scripting (XSS) vulnerabilities.

    According to the security advisory, the bug is related to how MIME Encapsulation of Aggregate HTML (MHTML) interprets MIME-formatted requests. MHTML is the file format used to save entire Web pages, including the page content, its formatting, and embedded resources such as images and animations. Although no active attacks leveraging the said vulnerability have been found, the public availability of a proof of concept (POC) increases the chances that it will be used maliciously.

    In a typical attack scenario, an attacker convinces a user through social engineering techniques to click a specially crafted link that injects a malicious script into the user’s instance of Internet Explorer. This enables the attacker to execute certain routines, such as altering content on the currently displayed site, collecting user information, or even taking actions on the displayed site without the consent of the affected user.

    The continued exploitation of vulnerabilities in OSs is just one of the Trend Micro threat predictions this year. 2011 is set to bring about growth in exploits for alternative OSs, programs, and Web browsers, combined with tremendous growth in the exploitation of application vulnerabilities.

    Microsoft provided workarounds that users may implement while waiting for the patch to be released. Trend Micro, on the other hand, protects users from exploits that may arise through Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in.




    Just recently, reports were released about a new kind of malware propagating through removable drives. The said malware exploits a newly discovered vulnerability in shortcut files, which allows arbitrary code to be executed on the user’s system. Microsoft has officially acknowledged the vulnerability and released a security advisory.

    Our engineers were able to take hold of a sample of this malware, which is now detected as WORM_STUXNET.A, and analyze its routines. Here is a summary of their findings:

    Propagation

    Instead of dropping an AUTORUN.INF file and a copy of itself into removable and fixed drives, WORM_STUXNET.A drops a .LNK file—a shortcut file that points to an executable file—into the drives. The dropped .LNK file exploits this vulnerability to drop a new copy of WORM_STUXNET.A onto other systems. Trend Micro detects these .LNK files as LNK_STUXNET.A.

    Stealth Capabilities

    Apart from dropping copies of itself onto removable drives, this worm also drops a rootkit, now detected as RTKT_STUXNET.A, which it uses to hide its routines. This enables the worm to remain unnoticed by the user and makes analysis harder for researchers.

    Football Connections

    WORM_STUXNET.A was also found attempting to connect to certain websites, which were, interestingly enough, related to football. The purpose of the said routine remains undetermined, as our engineers found no trace of malicious activities on the said sites.

    This new method of dropping .LNK files is yet another development in terms of how worms propagate through removable drives. Just recently, we reported about the use of the AUTORUN.INF Action Key to automatically execute malicious files.

    Despite the numerous potential techniques for proliferation offered by the Web, USB malware continues to be distributed by cybercriminals, which only proves its effectiveness. This type of malware was further discussed in the article “Understanding USB Malware.”

    Because the vulnerability has to do with how Windows processes the shortcut icons, one suggested workaround is to disable displaying icons for all shortcuts. Procedures on how to do this are contained in the Microsoft security advisory.
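    The propagation artefacts described above (an AUTORUN.INF at the drive root, .LNK shortcuts dropped next to the payload) can be inventoried before a drive is trusted. The following is an added example, not Trend Micro's code or part of the original post: it walks a mounted drive, validates each shortcut's 76-byte ShellLinkHeader (signature and CLSID from the MS-SHLLINK specification), and lists which optional structures the shortcut carries. The "idlist_only" field is a triage heuristic I introduce here, not a detection signature; the drive contents in `demo()` are constructed test data.

```python
# Added example (not Trend Micro's code): inventory AUTORUN.INF and .LNK files on a
# drive and report what each shortcut's header says it contains (MS-SHLLINK layout).
import os
import struct
import tempfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation"}

def parse_lnk_header(data: bytes):
    """Validate the 76-byte ShellLinkHeader; return its LinkFlags, or None if not a shortcut."""
    if len(data) < 0x4C:
        return None
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        return None
    return flags

def describe_flags(flags: int) -> list:
    return [name for bit, name in sorted(LINK_FLAGS.items()) if flags & bit]

def triage_drive(root: str) -> dict:
    """Walk a drive: note AUTORUN.INF at its root and describe every .LNK found."""
    findings = {"autorun_inf": False, "shortcuts": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            if dirpath == root and lower == "autorun.inf":
                findings["autorun_inf"] = True
            elif lower.endswith(".lnk"):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    flags = parse_lnk_header(fh.read(0x4C))
                findings["shortcuts"].append({
                    "name": name, "valid": flags is not None,
                    # Heuristic (my own, not a signature): a shortcut that names its target only
                    # through an ID list and carries no file path deserves a closer look.
                    "idlist_only": flags is not None and bool(flags & 0x01) and not flags & 0x0A,
                    "flags": describe_flags(flags or 0)})
    return findings

def build_sample_lnk(flags: int) -> bytes:
    """Constructed minimal shortcut header for offline testing; not a real malware sample."""
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20)   # size, CLSID, flags, attrs
    return header.ljust(0x4C, b"\x00") + struct.pack("<H", 0)        # empty IDListSize

def demo() -> dict:
    """Stage a fake drive in a temporary directory (constructed data) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\n")
        with open(os.path.join(root, "suspicious.lnk"), "wb") as fh:
            fh.write(build_sample_lnk(0x01))          # ID list only, no path
        with open(os.path.join(root, "notes.lnk"), "wb") as fh:
            fh.write(build_sample_lnk(0x02 | 0x08))   # LinkInfo plus relative path
        return triage_drive(root)
```

Run `triage_drive("E:\\")` (or the mount point of the drive) to inventory a real removable drive; the output is a starting point for analysis, not a verdict.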

    Trend Micro users are already protected from this type of malware through the Trend Micro™ Smart Protection Network™. Other users may also use our free cleanup tools such as HouseCall.

    Update as of July 20, 2010, 5:17 a.m. (UTC-7)

    Code for exploiting the vulnerability involved in this attack has already been released in the wild. To protect users from future attacks, we now detect all malware leveraging the Windows Shell Vulnerability as WORM_STUXNET.SM.

    Additionally, further analysis on WORM_STUXNET.A by Threat Response Engineer Cris Pantanilla reveals that the said worm attempts to access a certain database and execute SQL commands.

    Update as of July 21, 2010, 1:00 a.m. (UTC-7)

    Users of Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin can partially protect themselves by downloading newly-released rules that deal with this vulnerability. These rules prevent this vulnerability from being exploited via network shares and WebDAV.

    Update as of August 3, 2010, 3:30 a.m. (UTC-7)

    Microsoft has issued an out-of-cycle patch to resolve this issue. Details may be found here.




    Social media has affected business organizations in many different ways through the years and these effects caused the development of a rather complicated relationship between the two.

    Social media has proven to be an effective marketing tool for businesses. Data collected last year from Fortune’s Global 100 revealed that more than 50 percent of the said companies have Twitter, Facebook, and YouTube accounts. On the other hand, social media tools such as social networks have been reported to affect office productivity and also serve as popular media for online threats.

    In the same way that businesses use social media, cybercriminals do as well. Just recently, we saw an advertisement for fake point-of-sale (POS) devices in an underground forum where the seller offered a fake POS device for 1,000 EUR.

    This time, we found an advertisement for a malicious tool, in a more “mainstream” channel.

    [Video: YouTube advertisement for the DDoS tool]

    The YouTube video above is actually an advertisement for a distributed denial-of-service (DDoS) tool. A screenshot of the tool is shown in the video, while its features and other details such as the price and the URL from which to purchase the tool are given in the video description. (It has since been taken down by YouTube.)

    Notably, the video had more than 600 views. Though the number is relatively small, one can’t help but wonder how many of those viewers were enticed enough to visit the given site and to purchase the tool. After all, it’s only US$15.

    The said post is just one of the many malware ads in social networks. If anything, the above-mentioned advertisement only goes to show that cybercriminals are using social networks the same way legitimate businesses do to gain “customers” even if the customers in question are other cybercriminals.

    For best practices to follow in managing a social network account, you can check our white paper, “Security Guide to Social Networks.”




    Trend Micro threat analysts from EMEA have found a blackhat search engine optimization (SEO) attack that uses strings with the phrase “free printable” to hijack search traffic by directing it to a rogue search engine.

    Our researchers found that search engine queries using the string “free printable” yield results that include compromised websites (see Figure 1). The said compromised sites are rigged with malicious JavaScript malware detected as JS_REDIRECT.SMF and JS_REDIRCT.MAC. JS_REDIRECT.SMF and JS_REDIRCT.MAC trigger a set of redirections whenever users visit compromised sites. The redirections ultimately lead to a rogue search engine, which by default puts the original search string into its own search text box.

    As of now, the cybercriminals’ goal in all of this seems to be hijacking search traffic from legitimate search engines and redirecting it to their own in order to earn money. Whether it will stay that way is not yet known, but users need to be wary, since it would be very easy for the cybercriminals to change the final landing site of the redirections to a malware-hosting site.

    A diagram illustrating how search hijacking works is shown below.

    [Figure: diagram of the redirection chain from the compromised site to the rogue search engine]

    It is very possible that this blackhat SEO attack takes advantage of the fact that the interest in free printable items is relatively high, especially in South Africa and in the United States.

    We are strongly advising users not to use search strings that include the words “free printable,” as the results may lead to malicious websites.

    We are currently monitoring this attack and will update this entry for developments.

    Update as of January 27, 2010, 5:30 p.m. (GMT +8:00):

    Below are screenshots of a page (and its source code) found inside a hijacked website that comes up when using the search string “free printable (some item).”

    [Screenshots: the keyword-stuffed page inside a hijacked website, and its source code]

    The compromised sites were made to host these pages riddled with keywords in an attempt to lead users to eventually execute the malicious JavaScript malware.




    BREDOLAB set out on a spam rerun just in time for the holidays. This recent run is similar to the laptop delivery note spam run we reported in August. This time, however, the spammed message appears to come from the well-known courier DHL.

    The spammed message makes it appear as though the users have received a notification from DHL, alerting them about an error in shipping a certain package. The message also prompts the users to open an attached file.

    [Screenshot: the spammed DHL notification message]

    The attached file DHL_package_label_cfb35.exe is detected as TROJ_BREDOLAB.CB.

    The dynamics of this spam run, although relatively old and simple, could still pack a punch, especially now that we are well within that part of the holiday season where most people do their gift shopping. People who may have purchased a laptop online and are expecting it to come through the mail are prone to being victimized by this attack.

    Last month, we posted Trend Micro research that revealed connections between BREDOLAB, FAKEAV, and ZBOT. BREDOLAB has been used numerous times to deploy FAKEAV and ZBOT variants. Such behavior is similar to that of PUSHDO, which also led to the conclusion that PUSHDO and BREDOLAB were developed by the same cybercriminals. Our full report on BREDOLAB can be found here.

    Trend Micro product users are protected from this threat through the Smart Protection Network.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice