    Author Archive - Jocelyn Racoma (Threat Analyst)
    As the WORM_VOBFUS story unfolds, new variants are surfacing, including one that connects to a new site and uses the names of Google and MSN to label its dropped files.

    We recently reported on the wave of WORM_VOBFUS variants that emerged in the wild last November. We have been monitoring the said threat and found out that its latest variant (detected as WORM_VOBFUS.SMIS) accesses a new URL (http://{random number}.noip.at:443/{random string}) to drop a downloader file that leads to ZBOT and CINJECT malware.

    When executed, WORM_VOBFUS.SMIS drops one of the files porn.exe, secret.exe, or sexy.exe, which in turn downloads the file msn.com (detected as WORM_VOBFUS.SMIT). Note that the dropped files use enticing keywords or the names of popular sites like Google and MSN to trick users into believing the files are harmless.

    WORM_VOBFUS.SMIT is capable of downloading any of the following files, which lead to ZBOT and CINJECT malware:

    • 1pom.exe
    • 2pom.exe
    • 3pom.exe
    • 4pom.exe
    • 5pom.exe

    We’re currently investigating several file infectors that have affected several countries, particularly Australia. Trend Micro detects these as PE_XPAJ.C, PE_XPAJ.C-1, PE_XPAJ.C-2, and PE_XPAJ.C-O.

    Based on our initial analysis, these PE_XPAJ variants connect to the following C&C servers to send and receive information:

    [Figure: PE_XPAJ C&C servers]

    The infected file (detected as PE_XPAJ variants) is capable of downloading an encrypted copy of its mother file under a randomly generated filename and loading it into memory. As such, a copy of the mother file can be found in the Windows folder under a random file name and extension. Users will notice re-infection when these encrypted files reappear in the Windows folder with the same filename and extension used before.

    PE_XPAJ variants infect .EXE, .SCR, .DLL, and .SYS files. They also infect the Master Boot Record (MBR) so that they load automatically before the OS does. One of their payloads is click fraud: these variants can redirect users to ad-clicking scams to generate profit for the cybercriminals.

    Users anticipating a WebEx conference who do not verify an email's legitimacy are at risk of downloading variants of a notorious information-stealing malware.

    Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).

    The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are led to a malicious site hosting TSPY_FAREIT.SMC. Employees may be tricked into opening it because it appears to be an alert from a business tool they often use. The second sample, on the other hand, is a spoofed PayPal email that features transaction details. Curious users who click these details are then directed to the webpage hosting the rogue Flash update file.

    Three of the most notorious malware families we’ve seen proliferate as of late have now been seen working together in a single attack.

    In the past months we saw QUERVAR, ransomware, and SIREFEF/ZACCESS grow rampant in certain regions. QUERVAR was widespread in the North America, EMEA, and ANZ regions; the ransomware family has been prominent in EMEA; and SIREFEF or ZACCESS has been rampant in NABU.

    Now, we’re seeing attacks that involve all three malware families.

    After a widespread QUERVAR infection in August this year, QUERVAR infections stopped entirely in the first half of September. However, as the Trend Micro™ Smart Protection Network™ data below shows, infections returned after a few days.

    These are detected as PE_QUEARVAR.A-O, PE_QUEARVAR.B-O, PE_QUEARVAR.C-O, and PE_QUEARVAR.D-O.

    [Figure: Smart Protection Network infection data for PE_QUEARVAR variants]

    On September 27, we saw a new QUERVAR variant with a new structure, different from the previously detected variants but with the same infection routines. These include infecting .EXE and Microsoft Excel and Word files and then renaming them with a .SCR extension. However, the newer variants came with a new payload: downloading ransomware and ZACCESS variants.

    The new QUERVAR variants are detected as PE_QUERVAR.E-O. PE_QUERVAR.E-O accesses the following URLs to download ransomware variants detected as TROJ_RANSOM.CMY and HTML_RANSOM.CMY, and the ZACCESS variant TROJ_SIREFEF.SZP:

    • http://{BLOCKED}ewidea1.ru/1.php?000102E0&pin=16FB2534B0B2D6E3
    • http://www.{BLOCKED}coservisi.com/test/php/way.php?000076A8&pin=16FB2534B0B2D6E3
    • http://{BLOCKED}y90.com/c/osnovnoj2.exe?00022F68 – detected as TROJ_RANSOM.CMY
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/get.php?id=2 – detected as HTML_RANSOM.CMY
    • http://{BLOCKED}lhgkjl.un {BLOCKED}ilesexchnges.su/landings/first/US/NL_files/buttons.css
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/NL_files/jquery.min.js
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/FBI.png
    • http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/NL_files/keyboard.js
    • http://{BLOCKED}lil.ru/33797470/2a06754.50664748/3052832ace10d474336096b36fbd49f05f190.exe?{random characters} – detected as TROJ_SIREFEF.SZP

    The ransomware TROJ_RANSOM.CMY hijacks the infected system and displays the image below. It tricks users into thinking that it is a legitimate FBI warning that enforces copyright laws. The ransomware then locks the computer and prevents users from accessing it. The fake FBI warning also tells users that they are under surveillance by displaying the user’s IP address.

    [Figure: fake FBI warning displayed by TROJ_RANSOM.CMY]

    On the other hand, SIREFEF/ZACCESS variants are known rootkit malware, which hide system modifications from users. In particular, the downloaded file (detected as TROJ_SIREFEF.SZP) patches services.exe on both 32-bit and 64-bit platforms to prevent detection. It also disables or terminates Windows security-related services. This technique is further documented in our previous entry ZACCESS/SIREFEF Arrives with New Infection Technique.

    Trend Micro users need not worry as they are protected via the Smart Protection Network™. In particular, file reputation services block and delete related malicious files, while web reputation services block access to the sites from which PE_QUERVAR.E-O downloads its malicious payload.
    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice