Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Joseph Cepe (Threats Analyst)

    A spammed message supposedly from Newegg, a popular online computer hardware/software seller has been found in the wild. It informs users that their online purchase has been charged to their Visa card. It also contains two clickable links that point to the same malicious page, an example of which is http://{BLOCKED} Clicking the link leads to a series of redirections that ultimately land users on a FAKEAV-hosting site where TROJ_FAKEAV.FNZ may be downloaded.

    In addition to the FAKEAV download, the binary on the landing page constantly changes so users may also end up with TROJ_HILOTI.FNZ and ADWARE_ZANGO infections, too.

    Click for larger view Click for larger view

    Upon further investigation, we discovered that the email is not the only malware vector the cybercriminals behind the attack are employing. They also leveraged compromised Blogspot pages to host the same spam. We believe that the cybercriminals are using Blogspot’s email feature. The secret email addresses set up by the blog owners may have somehow been harvested to send out spam, in effect auto-posting these in Blogspot pages. The followers of compromised Blogspot pages can thus be potentially infected, too, since the malicious spam is hosted on a known source.

    Click for larger view Click for larger view
    Click for larger view Click for larger view

    Threats analyst Edgardo Diaz adds that one of the download binary connections lead to {BLOCKED}.{BLOCKED}.117.21, which has its own status page. Further analysis of the IP address and the compromised Blogspot pages revealed that some of the compromised pages’ URLs point to domains hosted on the same IP address.

    Users are advised to be wary of clicking any link even if it is posted on a trusted source. Furthermore, changing one’s secret Mail2Blogger email address once found to have been used in a spam run will definitely help, as the attacker can easily reuse this address to instigate another spam run.

    Trend Micro product users need not worry, however, as they are already protected from this attack via the Smart Protection Network™ , which prevents the spammed messages from even reaching users’ inboxes, blocks access to all malicious URLs, and detects all related malware.

    Additional analysis and screenshots provided by threats analysts Patrick Estavillo and Edgardo Diaz.

    Update as of August 25, 2010, 10:30 p.m. (UTC)

    After further investigation, we’ve found that other kinds of spam were also found posted in affected Blogspot pages. Spam related to UPS, Amazon, LinkedIn, and run-of-the-mill Resume and eCard spam messages were found posted in the said blogs. Affected Blogspot users are advised to change their Mail2Blogger email address as soon as possible.

    Posted in Malware, Spam | 1 TrackBack »

    Early this year, the SASFIS Trojan became notorious in relation to spoofed email messages supposedly from Facebook. SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from ZeuS and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.

    TrendLabsSM engineer Shih-Hao Weng came across a new SASFIS variant that uses the right-to-left override (RLO) technique, which was more commonly associated with spamming in the past, but has now become a new social engineering tactic.

    Click for larger view

    This SASFIS Trojan arrives via a spammed message with a .RAR file attachment, which contains an .XLS file. Upon extraction to the desktop, the supposed .XLS file looks like an authentic MS Excel document. In reality, however, the file is a screensaver detected by Trend Micro as TROJ_SASFIS.HBC. This Trojan drops BKDR_SASFIS.AC, which allows threads to be injected to the normal svchost.exe process.

    While the file may appear at first to be an Excel worksheet, it possesses a Win32 binary header, which only executable files have. Its real file name (minus the Chinese characters) is phone&mail).[U+202e}slx.scr, wherein U+202e is the Unicode control character that tells the system to render succeeding characters from right to left. Thus, to the user, the file will appear to be named phone&mail).xls.scr. This could lead them to believe that the file is indeed an Excel file and thus “safe” to open, when in reality it is an executable .SCR file.

    This technique also uses other file names for the same purpose, such as BACKS[U+2020e]FWS.BAT and I-LOVE-YOU-XOX[U+2020e]TXT.EXE to be rendered as BACKSTAB.SWF and I-LOVE-YOU-XOXEXE.TXT instead. In the former case, a batch file is disguised as an Adobe Flash file; in the latter an executable file is disguised as a text file.

    Click for larger view

    Users can, however, prevent this attack from affecting their systems by employing the usual best practices—not opening suspicious-looking email messages and not downloading and executing attachments.

    Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching their inboxes via the email reputation service. Trend Micro products also detect and delete the malicious files TROJ_SASFIS.HBC and BKDR_SASFIS.AC from affected systems via the file reputation service.

    Update as of June 2, 2010, 12:30 a.m. (GMT – 7:00)

    In related news, JPCERT/CC has issued an alert warning users in Japan that spam messages with a malicious attachment are now using this very tactic. (A translation of the alert into English can be found here.) Trend Micro detects this malicious attachment as TROJ_UNDEF.QC.


    Last week, Trend Micro was alerted to the increasing number of ILOMO infections.  ILOMO Trojans  (some examples are TROJ_ILOMOB.,TROJ_ILOMO.F, and TROJ_ILOMO.L) arrive on systems via Web-based exploits and use different infection routines for the payload.

    Notable with these variants is that even when users have deleted the malicious file from the hard disk, its code remains actively injected in system memory. In effect, users are continuously annoyed of the reinfection symptoms.

    Analysis of TROJ_ILOMO’s spaghetti-like code reveal several things. Once running in an infected system, a variant updates its own Gates-List which is probably part of the infected nodes that forms its peer-to-peer botnet. This model is quite similar to the one used by the Storm botnet. The malware saves this list in the registry.

    Figure 1. Registry list.

    Entries on the list have the format {IP address}/{certain strings} and they are considered to be a list of compromised machines.

    With an updated Gates-List, the ILOMO malware then attempts to access the sites and download binary encrypted data. It stores the values in the local registry in values named M00, M01, and M02. The ILOMO Trojan decrypts then the data, which in fact forms an malicious executable code that is later injected to certain Internet Explorer processes.

    Figure 2. Injected code.

    Once found, it injects the downloaded and now decrypted code and executes this remote thread. This said thread enables ILOMO to perform additional malicious activities on the infected system. TROJ_ILOMO variants have also been found to send and receive information from certain IP addresses, thereby compromising system security. Confidential or private information may find its way to cybercriminals in this attack too.

    Trend Micro Smart Protection Network already detects and blocks TROJ_ILOMO and its adjacent droppers, preventing them from executing in systems.

    Posted in Malware | 1 TrackBack »

    XLS files specially designed to exploit a currently unpatched vulnerability in Microsoft Excel (identified as CVE-2008-0081) are reportedly being sent as email attachments in the wild.

    The attachments, which arrive either as OLYMPIC.XLS or SCHEDULE.XLS are capable of dropping and executing Windows binary executables. This Trojan also drops a non-malicious Excel file and opens it upon execution to trick the user that it is the attached Excel file. Below are screenshots of the dropped Excel files of OLYMPIC.XLS and SCHEDULE.XLS respectively.

    OLYMPIC.XLS dropped file

    SCHEDULE.XLS dropped file

    Both OLYMPIC.XLS and SCHEDULE.XLS are observed to use similar exploit templates and even allow malware writers to customize the exploit to perform other routines.

    With the release of a security patch from Microsoft still a week away, malware authors are using this window of opportunity to infect a large number of computers. More information on this exploit can be found on this Microsoft Security Advisory.

    Trend Micro advises users to be wary of opening unsolicited email messages, much more of files attached to them. Trend Micro already detects the above files as TROJ_MDROP.AH as of Control Pattern 5.136.12.


    TSPY_MAHA.S, is a keylogger Trojan Spy that uploads captured information to a certain site. Testing one of the URLs being accessed by the keylogger to check if it was still up.


    The URL displayed nothing which was a good sign that it was still up. No error messages returned. Testing further, by simply removing “parse.php” from the URL, I wanted to see if I can find further information.



    To my surprise, directory listing is enabled! From here, you can either download the whole arhive (archive_5f4a8.tar.gz) or just browse through the logged keystrokes in the folder “Logs”.


    The malware used the format _ of the infected machine/account where logged keystrokes are found.

    Browsing further inside, log files are named in the format DD_MM_YYYY.html where it corresponds to the actual date the log file was posted to the server.


    Various types of logged keystrokes (such as Bank Accounts, Yahoo! & MSN accounts, PayPal account, Email conversations) were found inside the folders which I believe are still active and the password have not been changed.

    Posted in Bad Sites | Comments Off on TSPY_MAHA stolen information discovered online


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice