    Author Archive - Joey Costoya

    The current wave of Mac OS X FAKEAV infections follows a three-step process. To those familiar with Windows-based FAKEAV variants, the pattern in this infection chain will be quite familiar.

    1. A poisoned Google search result leads the user to a fake “scanning page.”
    2. The page prompts the user to download a .ZIP file that contains a .PKG installer, which installs a downloader.
    3. The downloader fetches another .ZIP file that contains the actual FAKEAV .APP bundle.

    In step 2, the downloaded installer package (.PKG file) contains two notable files:

    • The downloader binary
    • A .PNG file

    The downloader binary is responsible for downloading and executing the final FAKEAV payload. Interestingly, a key part of the download URL, the host IP address, is not stored in the downloader binary itself. Instead, it is appended to the end of the .PNG file mentioned above, so the image still displays normally while the binary alone gives no hint of the host it will contact.
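    One way to check a suspicious image for this trick, as an added example that is not code from the original post and not the malware's own logic: parse the PNG chunk structure, stop at the IEND chunk, and treat anything after it as a trailer. The post does not say how the IP address was encoded, so plain ASCII is assumed here; the 1x1 PNG and the documentation address 192.0.2.10 are constructed for the demo.

```python
"""Added example: detect and extract data appended after a PNG's IEND chunk."""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png():
    """A valid 1x1 8-bit grayscale PNG, constructed for this example."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_chunks(data):
    """Yield (type, body, end_offset) per chunk, checking CRCs; stop at IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):  # a chunk is at least 12 bytes
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_raw) != 4:
            raise ValueError("truncated chunk at offset %d" % pos)
        if struct.unpack(">I", crc_raw)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError("bad CRC in %r chunk" % ctype)
        pos += 12 + length
        yield ctype, body, pos
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")


def trailing_data(data):
    """Bytes appended after IEND; empty for a well-formed PNG."""
    end = 0
    for _ctype, _body, end in png_chunks(data):
        pass
    return data[end:]


def hidden_ipv4(data):
    """First dotted-quad IPv4 string found in the PNG trailer, or None."""
    m = re.search(rb"(?:\d{1,3}\.){3}\d{1,3}", trailing_data(data))
    return m.group(0).decode("ascii") if m else None


# Constructed sample: a clean image plus the C&C host appended as plain text
# (assumed encoding; 192.0.2.10 is a documentation address, not a real host).
CLEAN_PNG = minimal_png()
SAMPLE_PNG = CLEAN_PNG + b"http://192.0.2.10/download/"

if __name__ == "__main__":
    print("clean trailer:", trailing_data(CLEAN_PNG))
    print("sample trailer:", trailing_data(SAMPLE_PNG))
    print("hidden host:", hidden_ipv4(SAMPLE_PNG))
```

    Image viewers ignore bytes after IEND, so a file like this opens normally; a trailer check is cheap enough to run over every image found inside an installer package. Malware that encodes the host in something other than plain text would defeat the IP regex but not the trailer detection itself.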



    For some years now, FAKEAV variants have plagued Windows-based systems. Recently, this malware type has entered the Mac OS X scene. As with Windows-based FAKEAV, poisoned search results are the most common infection vector for Mac FAKEAV.

    Take, for example, the following poisoned search result:

    Accessing the website while using a Mac will directly lead the user to the following page:



    9:59 pm (UTC-7)

    Fake YouTube pages are a distinctive characteristic of the KOOBFACE bot. These pages are used as lure to convince prospective victims to install the “codec” needed to play a video, in this case, supposedly from a “hidden camera.”


    These fake YouTube pages at one time included the KOOBFACE gang’s reactions to their list of nefarious activities as released by Dancho Danchev.

    A few days ago, these pages started to include a short piece of JavaScript that lets the KOOBFACE gang monitor page hits directly. The tracking code sits at the very bottom of the page, pushed far below the visible content by a long run of <br> tags.


    The tracking code uses a hit counter Web service. According to the information gleaned from the hit count page, the KOOBFACE gang started to use this tracking method beginning July 28, 2010.

    Since the tracking started, there have been 126,717 unique page hits.

    It even tracks the page hits by time period.


    The hourly tracking lets the gang correlate user activity by time of day with the KOOBFACE infection count. However, the statistics page gives no indication of the time zone, so the hourly data is of limited use to an outside observer.

    The 126,717 “hits” represent the number of unique visits to the fake YouTube page, which pushes the KOOBFACE loader under the file name setupNNNN.exe, where NNNN is a random number. The hit count page holds no data on how many visitors actually ran the loader. Let’s just hope that a substantial portion didn’t fall for the fake YouTube page trick.


    Busy day in TrendLabs today: first the full analysis of, and news on, ZeuS and SALITY exploiting the Windows shortcut vulnerability, and now we’ve identified a large number of compromised websites leading to an “online pharmacy.”

    We’re currently seeing a wave of fake pharma spam that do not directly advertise the URL of the fake pharma site. Instead, the spammed messages advertise URLs that point to HTML pages hosted on compromised sites.

    Obfuscation Layer for Spam

    These HTML pages are uploaded to the Web root of the compromised sites and serve as an obfuscation layer that hides the final landing page, in this case the real fake pharma site, the infamous “Canadian Pharmacy” or “Pharmacy Express.”

    These HTML pages are very simple redirectors. From what I’ve seen so far, they use either a meta refresh or a JavaScript redirect.

    We’re seeing a daily average of around 1,000 new compromised sites caught by our spam traps. Some of these sites were repeatedly compromised, as indicated by several HTML redirectors uploaded in their Web roots.


    In most cases, two files are uploaded to the compromised sites—the HTML redirector and a .JPEG file. The .JPEG file bears the same file name as the .HTML file and is used as the display image in the spam, as shown in Figure 4 above.

    The Underlying Compromise

    The compromised sites’ Web platforms vary; some don’t even use a CMS, only plain .HTML files. Since there is no commonality between the Web platforms in use, a single Web application exploit is an unlikely explanation for the compromises.

    The simplest way to compromise this many sites is through stolen FTP credentials. After all, stolen FTP accounts are widely traded in underground markets: an enterprising buyer can get as many as 300,000 FTP accounts for only 250 WMZ (WMZ is the WebMoney currency unit, where 1 WMZ = US$1). Tools that do mass file uploads given a list of FTP credentials are also readily available.

    Researchers from another security firm already tracked the spam sample above and confirmed that it is a product of the prominent Rustock spam bot. This suggests that the operators behind this mass Web compromise and the operators of the Rustock spam botnet have very close ties, if not one and the same.

    Recommendations for Web Masters

    Most websites nowadays are managed by fancy CMS software with user-friendly administrative interfaces. This makes managing websites very easy. The downside is that Web masters may not notice small .HTML files that are uploaded to their sites. To address this, Web masters are advised to do the following:

    1. Regularly check the Web root for dropped .HTML files. The file names sometimes follow a convention (like ovary40.html, slouch77.html, island57.html, e.html, and b.html) and sometimes look random (like yfogewef.html, esyqaso.html, and oxbm.html). A file you did not publish that is only a few hundred bytes long and contains nothing but a meta refresh or a JavaScript redirect is the pattern to look for.
    2. Delete such files if found.
    3. Change the FTP password after cleaning up the site to prevent reinfection, and use a strong one. Since plain FTP sends the password in cleartext, switch to SFTP or FTPS where the hosting provider supports it.

    If a malware infection, a keylogger more specifically, is suspected on the machine used to manage the site, revert to the last known clean backup, change FTP passwords, and install an integrity-checking tool such as OSSEC or Deep Security to help detect files being added to the site. Lastly, and most importantly, keep security software up-to-date and running to ensure protection from the latest threats.
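    The first recommendation above, turned into a check a Web master can run on a schedule, as an added example that is not code from the original post: walk the Web root, pick out small .HTML files whose only purpose is a meta refresh or JavaScript redirect, and report where they send visitors. The size and visible-text thresholds are assumptions to tune per site, and the sample files (including the placeholder domain pharmacy.example) are constructed for the demo.

```python
"""Added example: flag small, content-free HTML redirectors dropped in a Web root."""
import os
import re
import tempfile

MAX_SIZE = 4096          # assumption: redirector pages are tiny
MAX_VISIBLE_TEXT = 50    # assumption: a real page carries more visible text

META_TAG = re.compile(r"<meta[^>]*>", re.I)
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.replace\(\s*["']([^"']+)["']""",
    re.I,
)


def meta_refresh_target(html):
    """URL from a <meta http-equiv="refresh" content="0;url=..."> tag, or None."""
    for tag in META_TAG.findall(html):
        if re.search(r"""http-equiv\s*=\s*["']?refresh""", tag, re.I):
            m = re.search(r"""url\s*=\s*["']?([^"'>\s]+)""", tag, re.I)
            if m:
                return m.group(1)
    return None


def redirect_target(html):
    """Destination of a meta-refresh or JavaScript redirect, or None."""
    target = meta_refresh_target(html)
    if target:
        return target
    m = JS_REDIRECT.search(html)
    return (m.group(1) or m.group(2)) if m else None


def is_bare_redirector(html):
    """True when the page redirects and carries almost no visible content."""
    if not redirect_target(html):
        return False
    text = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", "", text)
    return len(text.strip()) < MAX_VISIBLE_TEXT


def scan_webroot(root):
    """Return sorted (relative path, target) pairs for small bare-redirector files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_SIZE:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                html = fh.read()
            if is_bare_redirector(html):
                hits.append((os.path.relpath(path, root), redirect_target(html)))
    return sorted(hits)


# Constructed Web root: two legitimate pages and two dropped redirectors named
# after the conventions quoted in the post; pharmacy.example is a placeholder.
SAMPLE_FILES = {
    "index.html": "<html><body><h1>Welcome</h1><p>Our company, our products, contact us.</p></body></html>",
    "about.html": "<html><body>" + "<p>Genuine page content.</p>" * 20 + "</body></html>",
    "ovary40.html": '<html><head><meta http-equiv="refresh" content="0;url=http://pharmacy.example/"></head></html>',
    "yfogewef.html": '<html><script>window.location.href="http://pharmacy.example/?a=1";</script></html>',
}


def demo():
    """Write the sample files to a throwaway directory and scan it."""
    root = tempfile.mkdtemp()
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_webroot(root)


if __name__ == "__main__":
    for rel, target in demo():
        print("suspect redirector %s -> %s" % (rel, target))
```

    Run it from cron against the real document root and diff the output against the previous run; a new entry pointing off-site is exactly the artifact described above. Pairing the scan with a file-integrity tool catches the case where the attacker uses a redirect form these regexes do not cover.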

    Additional text by Martin Roesler (Director for Threat Research)

    Posted in Spam | Comments Off on Redirectors in Compromised Sites Used in Spammed Messages

    5:15 am (UTC-7)

    Mega-D is one of the most prolific spam botnets accounting for around 7 percent of the spam traffic worldwide. It once accounted for as much as 50 percent of the world’s spam volume but has quieted down since the high-profile takedown of the McColo hosting service, and the 2009 takedown of its command-and-control (C&C) servers.

    Mega-D is still alive though not as prolific as it once was. We let loose a Mega-D spam bot sample in our malware lab to see how many spammed messages one spam bot can generate in a day.


    As shown in the chart above, the single spam bot generated around 2,553,940 spammed messages in 24 hours, an average of roughly 1,770 spammed messages per minute.

    Based on FireEye’s 2009 estimate of 264,784 Mega-D bots, and assuming every bot sent at that rate for a whole day, the botnet could produce 676,242,448,960 messages per day. That is an upper bound, since not every bot is online and unthrottled around the clock, but it is still a lot of spam!

    The following is a spam sample generated by the Mega-D spam bot.


    The link in the said spammed message will direct a user to a fake pharma site, the now all-too-familiar Web page of “Canadian Pharmacy” shown below.


    The “Canadian Pharmacy” sites peddled by Mega-D bots are all hosted in .RU ccTLD (country code Top Level Domain). As of this writing, these .RU domains resolve to an IP space somewhere in China.

    Note that the spam traffic graph was generated with Mailgraph. Rest assured that no spammed messages escaped our malware lab; all outgoing mail traffic shown in the chart was directed to one of our spam-processing systems.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice