Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Macky Cruz (Technical Communications)

    Research Manager Ivan Macalintal found a bogus profile in LinkedIn that appears as one of the search results when the keyword “obama” is used.

    Cybercriminals riddled the profile page with links. The .cn links lead to a URL under the y0utybe domain (notice similarity with the legitimate video-sharing site), which in turn leads to a URL (under the .com domain localtubeonline). Finally, the links land the user on familiar malicious territory–an .EXE download (file name flash-plugin_update.40069.exe).

    The said landing page is actually one of the landing pages used in the blackhat SEO attack leveraging 9/11 memorials.

    Trend Micro detects the binary as TROJ_RENOS.BGI. The Trojan’s primary payload is to connect to other URLs to download other components for the attack’s completion. At the time of analysis, the URLs in the malware’s code are unavailable.

    Users are advised to refrain from clicking on links coming from untrusted sources. Social networking sites–even a business/corporated-oriented one such as LinkedIn–can easily be used by cybercriminals to get into people’s circle of trust. We have seen this in the following attacks:

    The best protection is to make sure security applications are updated with the latest patterns to avoid the effects of these latest threats.


    Today’s Patch Tuesday from Microsoft comes with 9 security advisories, 5 of which are tagged as critical, 4 as important. Collectively, 19 flaws are addressed in these advisories, 15 of which are critical. This set of advisories also includes the bulletin that addresses the previously exploited Microsoft Office Web Components bug.

    The critical advisories include patches for vulnerabilities in Microsoft Office Web Components (MS09-043), Remote Desktop Connection (MS09-044), Internet Name Service (MS09-039), Windows Media File Processing (MS09-038), and Active Template library (MS09-037).

    The other advisories are for vulnerabilities in ASP.NET (MS09-036), Message Queuing (MS09-040), Workstation Service (MS09-041) and Telnet (MS09-042).

    Details about these vulnerabilities can be found at our Security Advisory for the August 2009 Patch Tuesday at the Threat Encyclopedia. The Microsoft blog says that five of the six critical patches are rated “1” in their Exploitability Index. They are thus expecting there to be some in-the-wild exploits targeting these within 30 days from now.

    Again, this is a reminder to make sure that all your applications and operating systems are up to date with the latest patches. Software vendors issue these patches to prevent cybercriminals from exploiting these vulnerabilities. Update now.

    Trend Micro OfficeScan users with Intrusion Defense Firewall plugin installed should apply today’s update for the latest filters (IDF09024). This version contains protection from attacks exploiting the above and other vulnerabilities.


    Cybercriminals take the low road once again as they pepper the Internet with blackhat SEO links that are likely to attract users searching for news about the death of Charlie’s Angels star Farrah Fawcett, who, at age 62, finally ended a long struggle with cancer.

    Figure 1. Blackhat SEO links for Farrah Fawcett searches sets in

    Hosted on is-the-boss domains (last seen in the H1N1 blackhat SEO attack), the links that come up in search results redirect to other URLs that eventually land on all-too-familiar territory: a rogue antivirus download.

    In one specific infection chain traced by Research Manager Ivan Macalintal, the initial link redirects to another URL in the same domain, and then redirects another URL that has referrer checks before unfolding its contents. This is an evasion technique used by cybercriminals to avoid analysis by security researchers or being crawled (and rated) by search engines.

    Once the requester is cleared, the URL redirects to two more URLs before finally landing on a download page (within a certain thesecuritytools domain–now blocked by Trend Micro). The page downloads install.exe, which is a rogue antivirus detected as TROJ_FAKEAV.BBM.

    As this report is being written our engineers are analyzing the behavior of this malware. Trend Micro Smart Protection Network already blocks malicious URLs related to this attack.

    Not long after news of Farrah Fawcett’s passing hit mainstream news, singer/entertainer Michael Jackson likewise meets an untimely death. Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities.

    One of the more famous blackhat SEO manipulation attack we have documented thus far include the attack that happened shortly after Heath Ledger’s death.

    Update (2:30 am (UTC-7)): TROJ_FAKEAV.BBM behaves fairly similarly to other rogue antivirus we’ve seen to date. Here’s a screenshot of its “scanning window”:

    TROJ_FAKEAV.BBM window
    Figure 2. The rogue antivirus program’s window

    Users who have the misfortune of coming across “System Security Antivirus” are advised to run their legitimate antivirus if this makes an appearance on their system.


    There have been some concerns over whether another new Conficker variant (DOWNAD for Trend Micro) has been released or not. Recall that in January, we have witnessed cybercriminals update WORM_DOWNAD.A‘s routines to include being able to propagate via more channels to become WORM_DOWNAD.AD. Reports talk of yet more updated functionalities in a more recent Conficker run.

    This variant, which we also detect as WORM_DOWNAD.AD, has brought in two new paths for binary validation and execution. Both bypass the use of Internet Rendezvous points which, for the earlier variant, is used by bot masters to make contact with DOWNAD drones for tracking or new payload updates:

    • One path is in an extension to netapi32.dll which checks for URLs in RPC traffic. If valid, the file from the URL is downloaded, and if the file is valid for the malware’s purposes, the file is executed.
    • The other new path is when the malware creates a named pipe which it will use to receive any URL sent by the botmaster, much like a backdoor. The malware reads from the named pipe and, if it does not return an error, passes it to another function which will then download, validate and execute a file.

    Fortunately for Trend Micro users, Smart Protection Network has been protecting their computers early on since Trend Micro also detects this malware as WORM_DOWNAD.AD. Infected users should read and follow the instructions at the solution page for this malware here. We also provide a fixtool which can likewise help non-Trend Micro users.

    Conficker/DOWNAD entries here:


    10:25 pm (UTC-7)   |    by

    There are an increasing number of reports from several countries about a complex file infector with several infection routines. Arriving via the Internet, this new strain bypasses the Windows Firewall, infects using various infection types and using more than one layer of encryption. The US seems to be the most affected amongst all other regions as of this writing.

    Typical file infectors choose any of the following infection styles:

    • cavity – the virus inserts its code into available spaces within the normal file
    • appending – the virus inserts its code after the normal file’s code
    • prepending – the virus inserts its code before the normal file’s code
    • entry-point obscuring – a complex infection technique used to evade immediate detection

    The VIRUX strain, however, uses the following infection schema:

    Figure 1. PE_VIRUX hunts down target files and infects them using more than one infection technique and sometimes more than one encryption routine

    It can and will infect both .EXE and .SCR files using the above scheme, turning them into PE_VIRUX variants themselves. The ultimate payload might explain the pains that the cybercriminals took to make cleaning PCs of this infection difficult: this file infector connects to IRC servers, after which it joins a channel to receive and execute commands on the affected PC. It is “anything goes” from there.

    PE_VIRUX.A also connects to websites to download files. A little earlier this week it was downloading TROJ_INJECTOR.AR, however, a few hours after that the URL began downloading another PE_VIRUX variant.

    Apart from the above routine, PE_VIRUX also infects script files. For script files (.PHP, .ASP, and .HTML), PE_VIRUX inserts a malicious IFrame code, which is automatically loaded when the script files are opened. Trend Micro detects infected scripts as HTML_IFRAME.NV. This catapults the possibility of spreading even farther; if the script files happen to be uploaded to a publicly accessible website, any visitor to the affected sites will be led to the URL embedded in the iFrame code. Undoubtedly malicious, the said URL automatically downloads HTML_XPLOIT.V onto the system, which in turn downloads PE_VIRUT.BO.

    PE_VIRUT.BO, on the other hand, when cleaned, becomes TROJ_VIRUX.A. This Trojan connects to websites, which, as of this writing, are inaccessible, but may go live any time.

    PE_VIRUX variants also infects files of similar file types located in all of the infected PC’s physical drives, folders and subfolders.

    Figure 2. PE_VIRUX Infection Diagram

    Readers may recall a file infector of a similar name, PE_VIRUT, which likewise wreaked havoc due to its nasty infection routines. See the following blog entries discussing this threat:

    While we are careful in noting the similarities between the two, TrendLabs engineers are quick to point out that VIRUX is indeed a notch higher than VIRUT in terms of complexity (which is the cybercriminals’ bid for malware persistence and increasing likelihood of reinfection).

    TrendLabs engineers are working on an in-depth analysis of this malware. Trend Micro Smart Protection Network blocks all URLs related to this entire attack, ensuring users are protected from ever accessing them. See the complete malware description of PE_VIRUX.A at its Virus Encyclopedia entry.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice