
    Author Archive - Marco Dela Vega (Threats Researcher)




    In an inevitable turn of events, cybercriminals leveraged the death of Apple co-founder Steve Jobs through Facebook scams within hours after the announcement.

    The particular scam we found involves a website which claims that Apple has decided to give away 1,000 iPads in memory of Steve Jobs. The site displays the following:

    The site asks users to share the page in order to be eligible for an iPad. Following the instructions sends users to an ad site while, in the background, the link is posted to their Facebook wall.


     
    Posted in Spam



    Last week, we discussed the SK Communications data breach in which a large number of user accounts in South Korea were exposed. The scope appears to be bigger than initially reported: ESTsoft, a South Korean company that develops software (including an antivirus product, a compression utility, and other programs), came forward with a public notice disclosing that one of its update servers was compromised.

    According to the advisory, a vulnerability in a common DLL update module allowed the attacker to deliver a malicious file (BKDR_SOGU.A, the same file discussed in the entry “Analysis of BKDR_SOGU.A, a Database-Accessing Malware”) onto the computers of users who received the tampered update.

    ESTsoft released a patch on August 4 and pushed it out as an update. The company also stressed that it is cooperating closely with South Korean law enforcement agencies to understand the cause and extent of the compromise.

    As of today, the details of the attack are still incomplete, but the above suggests that ESTsoft's update channel is one possible infection vector, among others, that may eventually have led to the SK Comms data breach. The involvement of not one but several companies indicates that this may not have started as a targeted attack against a single company. The attacker may first have launched a wide range of initial attacks as a reconnaissance step, looking for vulnerable public-facing interfaces and assessing which of them would be useful. In this case, ESTsoft's update server was useful for hosting and distributing the malicious file, while SK Comms was a worthwhile target because of its rich repository of information that cybercriminals could put to further use.


     



    Last week, there was ample coverage of the SK Comms data breach, which involved one of the more popular service providers in South Korea that offers social networking and instant-messaging (IM) as well as mobile phone services. The breach affected the user accounts of the NATE portal and Cyworld, both SK Comms offerings.

    Within the same week, we also found a malware sample that may be related to this incident. The backdoor, which we detect as BKDR_SOGU.A (SHA1 hash 1733217aa852957269cd201f6cf53ef314e86897), connects to its C&C server at {BLOCKED}n.duamlive.com. The malware talks to the C&C server over HTTP POST requests in order to receive commands from, and return results to, the remote malicious user. As of this writing, this URL is already inaccessible.

    One notable routine of this backdoor is its capability to connect to a specific database on the infected system and fetch and collect data from it. The routine is implemented with several ODBC APIs: SQLAllocHandle, SQLDriverConnect, SQLExecDirect, SQLNumResultCols, and SQLFetch. The figures below show the code disassembly of how the malware uses these APIs.

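    The C&C channel described above is a stream of HTTP POST requests from one infected host to one server. As an added example that is not part of the original post and not Trend Micro's code, the following Python script hunts for such streams in proxy logs by looking for POSTs to a single host that recur at near-constant intervals with near-constant request sizes. The log format, the host names, the timing, and the thresholds are all constructed for the example; the original post gives no beacon interval for BKDR_SOGU.A, so the regularity check is a general beaconing heuristic, not a description of this sample.

```python
"""Flag HTTP POST beaconing in proxy logs (added example, not from the original post)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log sample (not real traffic). Assumed format per line:
#   <ISO timestamp> <client_ip> <method> <url> <request_body_bytes>
# The C&C host below is a placeholder, not the one named in the analysis.
SAMPLE_LOG = """\
2011-08-02T09:00:00 10.0.0.5 POST http://c2.example.invalid/update.php 312
2011-08-02T09:00:03 10.0.0.5 GET http://www.example.com/news 0
2011-08-02T09:01:10 10.0.0.7 POST https://mail.example.com/send 2048
2011-08-02T09:01:45 10.0.0.7 POST https://mail.example.com/send 15000
2011-08-02T09:05:01 10.0.0.5 POST http://c2.example.invalid/update.php 312
2011-08-02T09:09:58 10.0.0.5 POST http://c2.example.invalid/update.php 312
2011-08-02T09:15:02 10.0.0.5 POST http://c2.example.invalid/update.php 312
2011-08-02T09:20:00 10.0.0.5 POST http://c2.example.invalid/update.php 312
2011-08-02T09:30:12 10.0.0.7 POST https://mail.example.com/send 980
2011-08-02T09:31:00 10.0.0.7 POST https://mail.example.com/send 45000
2011-08-02T10:15:33 10.0.0.7 POST https://mail.example.com/send 3300
2011-08-02T10:20:00 10.0.0.9 POST http://api.example.org/v1 500
2011-08-02T10:25:00 10.0.0.9 POST http://api.example.org/v1 500
"""


def parse_log(text):
    """Yield (timestamp, client, method, host, size) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip truncated or malformed lines
        ts, client, method, url, size = parts
        host = url.split("//", 1)[-1].split("/", 1)[0]
        yield datetime.fromisoformat(ts), client, method, host, int(size)


def find_post_beacons(text, min_hits=4, max_jitter=0.2, max_size_spread=0.1):
    """Return {(client, host): (mean_interval_seconds, hits)} for POST streams
    that look like beacons.

    A stream qualifies when it has at least min_hits POSTs, the coefficient of
    variation of its inter-request gaps is at most max_jitter, and the spread of
    its request sizes relative to the mean size is at most max_size_spread.
    Thresholds are assumptions for the example; tune them on real data.
    """
    streams = defaultdict(list)
    for ts, client, method, host, size in parse_log(text):
        if method == "POST":
            streams[(client, host)].append((ts, size))

    beacons = {}
    for key, events in streams.items():
        if len(events) < min_hits:
            continue  # too few requests to judge regularity
        events.sort()
        times = [t for t, _ in events]
        sizes = [s for _, s in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap
        size_spread = (max(sizes) - min(sizes)) / max(mean(sizes), 1)
        if jitter <= max_jitter and size_spread <= max_size_spread:
            beacons[key] = (round(avg_gap), len(events))
    return beacons


if __name__ == "__main__":
    for (client, host), (interval, hits) in find_post_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {hits} POSTs, ~{interval}s apart")
```

    On the constructed sample only the 10.0.0.5 stream is reported (five POSTs roughly 300 seconds apart, identical body size); the webmail client's POSTs are irregular in both timing and size, and the two-request stream to the API host is below the minimum count. In practice the flagged host is what you pivot on: check its registration age and how many other clients in the estate talk to it.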


     



    Wouldn’t it be cool to have immediate access to your favorite music and bands? What if they were readily available on your favorite social networking site?

    Unfortunately, spammers also find this cool. We recently noted messages and wall posts circulating on Facebook that promote a supposed new music player feature. Below is a screenshot of what these spammed messages typically look like.



     
    Posted in Spam



    Recently, my colleague Ryan Flores wrote about the sudden spike in demand for information triggered by the Japan earthquake, and how cybercriminals met it with blackhat SEO attacks. The spike was also evident in Google search statistics and in the malicious URL traffic blocked by the Trend Micro™ Smart Protection Network™.

    After the blackhat SEO attacks that leveraged the earthquake, we went back and continued investigating the infection chains behind them, and found some interesting trends.

    Monitoring the daily infection chain, starting from the search engine results pages, we found that neither the chain nor its infrastructure stayed static. Below is a screenshot of one instance of such an infection chain:


    We observed that the cybercriminals rotated through different registered malicious sites, changing them as often as every 10 minutes. The doorway pages were updated to point at these sites so frequently that different users could be redirected into different chains on every visit. The technique is used to evade traditional URL blocking of the malicious sites: by the time a landing site is blacklisted, the doorway page is already sending visitors somewhere else.
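    The practical consequence of the rotation above is that the end-of-chain hosts are a poor blocking target while the doorway page is a stable one. As an added example that is not part of the original post and not Trend Micro's tooling, the following Python script takes repeated crawl observations of "doorway page -> final landing host", measures how fast each doorway's landing host changes, and flags the doorways that rotate faster than a threshold. The observation format, the URLs, the 10-minute crawl cadence, and the thresholds are constructed for the example.

```python
"""Find doorway pages whose redirect target rotates rapidly (added example, not from the original post)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed crawl observations (not real data). Assumed format per line:
#   <ISO timestamp> <doorway_page_url> <final_landing_host>
# Each line records one re-fetch of the doorway page with redirects followed.
OBSERVATIONS = """\
2011-03-15T08:00 http://doorway.example.invalid/quake.html a1.example.invalid
2011-03-15T08:10 http://doorway.example.invalid/quake.html b2.example.invalid
2011-03-15T08:20 http://doorway.example.invalid/quake.html c3.example.invalid
2011-03-15T08:30 http://doorway.example.invalid/quake.html a1.example.invalid
2011-03-15T08:40 http://doorway.example.invalid/quake.html d4.example.invalid
2011-03-15T08:00 http://news.example.com/japan-earthquake news.example.com
2011-03-15T08:10 http://news.example.com/japan-earthquake news.example.com
2011-03-15T08:20 http://news.example.com/japan-earthquake news.example.com
2011-03-15T08:30 http://news.example.com/japan-earthquake news.example.com
2011-03-15T08:40 http://news.example.com/japan-earthquake cdn.example.com
"""


def parse_observations(text):
    """Yield (timestamp, doorway_url, landing_host) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, doorway, landing = parts
        yield datetime.fromisoformat(ts), doorway, landing


def rotation_profile(text):
    """Per doorway page: the distinct landing hosts seen, how many times the
    landing host changed between consecutive observations, and the median
    seconds between changes (None when fewer than two changes were seen)."""
    per_doorway = defaultdict(list)
    for ts, doorway, landing in parse_observations(text):
        per_doorway[doorway].append((ts, landing))

    profile = {}
    for doorway, obs in per_doorway.items():
        obs.sort()
        change_times = [t_cur for (_, h_prev), (t_cur, h_cur) in zip(obs, obs[1:])
                        if h_cur != h_prev]
        gaps = [(b - a).total_seconds() for a, b in zip(change_times, change_times[1:])]
        hosts = sorted({h for _, h in obs})
        profile[doorway] = {
            "distinct_hosts": len(hosts),
            "changes": len(change_times),
            "median_change_s": median(gaps) if gaps else None,
            "hosts": hosts,
        }
    return profile


def flag_rotating_doorways(text, max_change_minutes=15, min_distinct=3):
    """Return doorway pages that have sent visitors to at least min_distinct
    landing hosts and whose median interval between host changes is at most
    max_change_minutes. These pages are the stable pivot worth blocking; the
    landing hosts they point to will have moved on before a blocklist update."""
    flagged = []
    for doorway, p in rotation_profile(text).items():
        fast = p["median_change_s"] is not None and p["median_change_s"] <= max_change_minutes * 60
        if fast and p["distinct_hosts"] >= min_distinct:
            flagged.append(doorway)
    return sorted(flagged)


if __name__ == "__main__":
    for doorway in flag_rotating_doorways(OBSERVATIONS):
        p = rotation_profile(OBSERVATIONS)[doorway]
        print(f"{doorway}: {p['distinct_hosts']} landing hosts, "
              f"median {p['median_change_s']:.0f}s between rotations -> {p['hosts']}")
```

    On the constructed data the doorway page is flagged (four landing hosts, a change on every 10-minute re-fetch), while the legitimate news page, which moved to a CDN host once, is not. The crawl cadence bounds what you can measure: a rotation faster than the re-fetch interval shows up as a change on every observation, so the median you see is really the crawl interval, and the right response is to re-fetch more often, not to trust the number.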


     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice