
    Author Archive - Joey Costoya



    Dec 15, 6:37 am (UTC-7)

    It looks like spammers have found a new service on which to host their sites. For several days, Trend Micro threat researchers have seen spammed messages advertising various prescription medications.

    As expected, clicking any of the links in the email leads to the spammers’ website. Unusually, however, the links point to blogs hosted by Yahoo!

    The presence of Yahoo!’s logo on these sites may well be interpreted by some users either as an endorsement or as a sign that the site is legitimate.

    Trend Micro product users need not worry, however, as the spammed messages are blocked by the Smart Protection Network, along with user access to the spam sites.

     


    Dec 15, 6:36 am (UTC-7)

    ZBOT has been spotted in yet another spam run targeting Facebook.


    By clicking the link embedded in the email, users will land on a Facebook phishing page.


    This time, however, the phishing page contains an iframe that points to a Web exploit toolkit. This exploit toolkit can deliver a variety of exploits, depending upon the user’s browser and OS.


    For users of Firefox, the toolkit pushes a .PDF file (detected by Trend Micro as TROJ_PIDIEF.PAL) that exploits a known vulnerability in Collab.getIcon. If the user is not infected via the exploit toolkit, ZBOT still falls back on the social engineering aspect: after the user enters credentials into the phishing page, the user is led to a download page for updatetool.exe, which is the ZBOT binary (detected as TSPY_ZBOT.CCB).


    Trend Micro Smart Protection Network blocks all related spammed messages and ZBOT domains and prevents the download of all related files.



    Oct 22, 6:09 am (UTC-7)

    In this most recent spam campaign, our spam traps caught an uncanny combination of a CapitalOne phish and a ZBOT variant. Below is a screenshot of an email sample making the rounds:

    The spam campaign would have you believe that you need to install a digital certificate in order to use CapitalOne’s website. Clicking on the email link brings you to the following site:

    This is the phishing part. After you fill in the required login information, the website conveniently gives you a download link for the supposed digital certificate:

    The download link leads not to a digital certificate but to a ZBOT variant. Running the so-called ‘digital certificate’ installs the notorious ZBOT malware on your system, which then proceeds to log your keystrokes, steal personally identifiable information and, most of all, steal your personal financial information. Trend Micro now detects the said ZBOT malware as TROJ_ZBOT.CKA.

    The above website does not only host a CapitalOne phish, but also a Bank of America phish. Earlier this week, the same group also ran a spam campaign, but that one was pushing a BoA phish:

    The phishing website in that campaign asks a lot of questions, three pages full of them. It basically asks for all of your personal information pertinent to your banking account:

    The websites for both the CapitalOne and Bank of America phishing attacks are all hosted on fast flux domains and use wildcarded subdomains. Here’s a list of some of the domains actually used:


    The IP addresses these fast flux domains point to are residential broadband IP addresses, suggesting that the machines serving the websites’ contents are compromised residential PCs. The current spam campaigns (digital certificate lure) and their corresponding websites (fast flux, wildcarded subdomains) share the same characteristics as last year’s SSL Certificate spam campaign. A screenshot of last year’s spam campaign is shown below.
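    The two hosting characteristics just described (many low-TTL answers spread across unrelated networks, plus any subdomain resolving because of a wildcard record) can be triaged from a resolver log. The following is an added example, not TrendLabs code; the resolver log, domain names and IP addresses are constructed, and the random probe label is an assumption about how the collector tests for wildcards.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver log, not real indicators: (seconds since start, queried name, answer, TTL).
# It mimics repeatedly querying a phishing host plus one random label under the same apex,
# with a benign site queried for comparison.
PROBE_LABEL = "zq8v3x"  # assumed random label the collector queries to test for a wildcard
OBSERVATIONS = [
    (0,    "login.example-phish.test",  "203.0.113.10",  300),
    (300,  "login.example-phish.test",  "198.51.100.77", 300),
    (600,  "login.example-phish.test",  "192.0.2.45",    300),
    (900,  "login.example-phish.test",  "203.0.113.200", 300),
    (0,    f"{PROBE_LABEL}.example-phish.test", "203.0.113.10", 300),
    (0,    "www.static-site.test",      "198.51.100.5",  86400),
    (3600, "www.static-site.test",      "198.51.100.5",  86400),
]

def apex_of(name):
    """Registered domain. The constructed data uses .test, so the last two labels suffice;
    real data needs a public-suffix list (co.uk, co.nz, ...)."""
    return ".".join(name.split(".")[-2:])

def analyse(observations, min_ips=3, max_ttl=600, min_prefixes=2):
    """Return per-apex verdicts. Fast flux: several distinct answers with low TTL spread
    across several /24s (prefix spread stands in for the residential-IP check, which would
    need ISP allocation data). Wildcard: the random probe label resolved at all."""
    ips, ttls, prefixes, wildcard = defaultdict(set), defaultdict(set), defaultdict(set), set()
    for _, name, ip, ttl in observations:
        apex = apex_of(name)
        ips[apex].add(ip)
        ttls[apex].add(ttl)
        prefixes[apex].add(str(ip_network(f"{ip}/24", strict=False)))
        if name.split(".")[0] == PROBE_LABEL:
            wildcard.add(apex)
    return {
        apex: {
            "distinct_ips": len(ips[apex]),
            "fast_flux": len(ips[apex]) >= min_ips
                         and max(ttls[apex]) <= max_ttl
                         and len(prefixes[apex]) >= min_prefixes,
            "wildcard": apex in wildcard,
        }
        for apex in ips
    }

if __name__ == "__main__":
    for apex, verdict in analyse(OBSERVATIONS).items():
        print(apex, verdict)
```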

    It looks as though the same group has reemerged using the same tactic they used last year. Maybe last year’s campaign was successful enough that they’re hoping to duplicate the winning formula in the recent spam wave.

    Trend Micro users are now protected from this attack through the Smart Protection Network. Non-users of Trend Micro products, on the other hand, can opt to stay protected by using the eMail ID and Web Protection Add-On.



    Sep 28, 6:00 am (UTC-7)

    Trend Micro threat analysts recently snagged an email pushing a bogus Windows Live Messenger hosted at http://{BLOCKED}s-live-msn.serveftp.com/Windows_Live_9.0_beta.exe (detected as WORM_VB.PAB). The .EXE file is, of course, not the “real” Windows Live Messenger but a bot that reports on the infected system to an IRC-based C&C with the following connection details:

    Server: {BLOCKED}s.rvsanmiguel.com
    Server IP: {BLOCKED}.{BLOCKED}.110.141
    Port: 6767
    Serverkey: m4s3rvp4ssz
    Channel: #s3k4nt
    Chankey: m4n0sp4z


    Figure 1. Sample spam email

    The said bot’s primary function seems to be MSN spamming. As of this writing, the C&C channel is idle and has not yet issued commands. Apart from MSN spamming, the said bot was also designed to spread via USB autorun and P2P networks like Kazaa and Limewire.

    Windows Live Messenger users should thus refrain from clicking the malicious URL spreading via email to avoid infection. Trend Micro Smart Protection Network already blocks the malicious URL and detects the fake Windows Live Messenger as WORM_VB.PAB.



    Aug 17, 11:27 pm (UTC-7)

    Over the past week, Koobface intensified its Twitter campaign, tweeting a variety of messages instead of the usual single-message spam run, such as the one with the text “My home video : ).”


    So far, we have seen more than 40 distinct messages spammed to Twitter. Here is a sample of the new Koobface campaign.



    The following is the list of messages we have seen spammed on Twitter.

    Congratulations! You are on hidden camera!
    Congratulations! You are on news!
    Congratulations! You are on TV!
    Hey! Are you really in that video?
    Hey! Is that really you in that video?
    Hey! You are on hidden camera!
    Hey! You are on news!
    Hey! You are on TV!
    Holly shit! Are you really in this video?
    Holly shit! You are on hidden camera!
    Holly shit! You are on news!
    Holly shit! You are on TV!
    Nice! Your ass looks awesome on this video!
    Nice! Your ass looks great on this video!
    Nice! Your body looks awesome on this video!
    Nice! Your booty looks awesome on this video!
    Nice! Your booty looks great on this video!
    Saw that video the other day… Did you really do that?
    Saw that video the other day… How could you do something like that?
    Saw that video the other day… How could you do such a thing?
    Saw that video the other day… Why did you do that?
    Saw that video yesterday… Did you really do that?
    Saw that video yesterday… How could you do something like that?
    Saw that video yesterday… How could you do such a thing?
    Saw that video yesterday… Why did you do that?
    Sweet! Your ass looks awesome on this video!
    Sweet! Your ass looks great on this video!
    Sweet! Your body looks great on this video!
    Sweet! Your booty looks awesome on this video!
    Wow! Are you really in that video?
    Wow! Are you really in this video?
    Wow! Is that really you in that video?
    You were caught on our hidden camera!
    You were caught on our secret camera!
    You were caught on our stealthy camera!
    You were seen on our hidden camera!
    You were seen on our secret camera!
    You were seen on our stealthy camera!
    You were sighted on our hidden camera!
    You were sighted on our secret camera!
    You were sighted on our stealthy camera!

    All of those messages come with a URL pointing to a copycat Facebook website, which will try to install setup.exe—the Koobface malware.


    Trend Micro Smart Protection Network blocks the malicious URLs in this attack so that users never get to download the malicious file. The malicious file itself is nevertheless already detected as WORM_KOOBFACE.V.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice