TrendLabs Malware Blog - Trend Micro
    Author Archive - Macky Cruz (Technical Communications)

    The LinkedIn professional networking site connects more than 30 million users from across many different industries. The advantage of maintaining a list of trusted business contacts for career planning is not lost on LinkedIn's users.

    The fostering of business relationships is further enhanced by features such as LinkedIn Answers and access from mobile devices.

    Advanced Threats Researcher Ivan Macalintal found several bogus LinkedIn profiles that contain links to malware and use the names and images of famous personalities such as:

    • Beyoncé Knowles
    • Victoria Beckham
    • Christina Ricci
    • Kirsten Dunst
    • Salma Hayek
    • Kate Hudson

    … and several others.

    Below is a screenshot of the previously mentioned fake Beyoncé LinkedIn profile, with malicious links highlighted:

    Bogus Profile of Beyoncé Knowles

    Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware.

    Note that this infection path can take several routes. We are conducting a deeper investigation of these attacks in order to best provide detection and protection against these threats, and will update this entry when additional information is available.
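    The redirection chain described above is the part an analyst wants to see without ever letting the final file run. The following is an added example (not code from the original post or from Trend Micro): a tracer that follows one HTTP redirect at a time with HEAD requests, records every hop, stops on loops or after a hop limit, and flags a terminal response that hands the browser an executable. The redirector hosts are a constructed loopback server standing in for the real infrastructure; the paths, the `codec_update.exe` filename and the hop count are assumptions made for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
PAYLOAD_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".msi")


def trace_redirects(url, max_hops=10, timeout=5):
    """Follow HTTP redirects one hop at a time without saving or executing anything.

    Returns (chain, outcome). Each hop records the URL requested, the status, the
    Location header and the content headers. outcome is 'terminal', 'max_hops',
    'loop' or 'unsupported_scheme'.
    """
    chain, seen, current = [], set(), url
    for _ in range(max_hops):
        parts = urlsplit(current)
        if parts.scheme != "http":  # demo is plain HTTP; use HTTPSConnection for https
            return chain, "unsupported_scheme"
        if current in seen:
            return chain, "loop"
        seen.add(current)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
        try:
            # HEAD keeps the payload body off the analyst's disk; fall back to GET
            # (discarding the body) for servers that reject HEAD.
            conn.request("HEAD", path, headers={"User-Agent": "Mozilla/5.0"})
            resp = conn.getresponse()
            hop = {
                "url": current,
                "status": resp.status,
                "location": resp.getheader("Location"),
                "content_type": resp.getheader("Content-Type"),
                "content_disposition": resp.getheader("Content-Disposition"),
            }
        finally:
            conn.close()
        chain.append(hop)
        if hop["status"] in REDIRECT_CODES and hop["location"]:
            current = urljoin(current, hop["location"])  # relative Location is legal
            continue
        return chain, "terminal"
    return chain, "max_hops"


def looks_like_binary_download(hop):
    """Heuristic: does this hop hand the browser an executable to run?"""
    ctype = (hop.get("content_type") or "").lower()
    disp = (hop.get("content_disposition") or "").lower().rstrip('"')
    url_path = urlsplit(hop["url"]).path.lower()
    return (
        ctype.startswith(("application/octet-stream", "application/x-msdownload"))
        or disp.endswith(PAYLOAD_EXTENSIONS)
        or url_path.endswith(PAYLOAD_EXTENSIONS)
    )


class ConstructedRedirectChain(BaseHTTPRequestHandler):
    """Constructed stand-in for the redirector hosts; not the real infrastructure."""
    ROUTES = {"/profile-link": "/hop1", "/hop1": "/hop2", "/hop2": "/download/codec_update.exe"}

    def do_HEAD(self):
        self._respond(send_body=False)

    def do_GET(self):
        self._respond(send_body=True)

    def _respond(self, send_body):
        if self.path in self.ROUTES:
            self.send_response(302)
            self.send_header("Location", self.ROUTES[self.path])
            self.end_headers()
        elif self.path == "/download/codec_update.exe":
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Disposition", 'attachment; filename="codec_update.exe"')
            self.end_headers()
            if send_body:
                self.wfile.write(b"MZ-constructed-stub-not-a-real-executable")
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Serve the constructed chain on a loopback port, trace it, tear it down."""
    server = HTTPServer(("127.0.0.1", 0), ConstructedRedirectChain)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        start = "http://127.0.0.1:%d/profile-link" % server.server_address[1]
        return trace_redirects(start)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    chain, outcome = run_demo()
    for hop in chain:
        print(hop["status"], hop["url"], "->", hop["location"] or hop["content_type"])
    print("outcome:", outcome, "| binary download:", looks_like_binary_download(chain[-1]))
```

    Each hop is kept rather than only the final URL because the intermediate redirectors are what you block or report; the terminal host is usually rotated first. For a real investigation run the tracer from an isolated network and expect some chains to branch on User-Agent, Referer or geolocation, which is why the function takes the whole header set from the caller.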

    Update as of January 6 2008, 10:00 PM PST

    The malicious file downloaded from the links contained in the mentioned fake profiles is detected by Trend Micro as TROJ_DLOAD.ML. Upon execution, TROJ_DLOAD.ML accesses certain URLs to download files detected as the following:


    In turn, these files attempt to download a fake antivirus application detected by Trend Micro as TROJ_FAKEAV.GDS.

    Cybercriminals are said to be using pre-registered accounts on social networks as launchpads for this type of attack. Such pre-registered accounts are reportedly being sold in the black market today.

    Update as of January 8 2008, 7:00 AM PST

    Reports suggest that the previously mentioned pre-registered accounts are sold in black markets by the hundreds. The accounts are then used to send spam inside affected social networks.

    Update as of January 15 2008

    Analysis by Trend Micro researchers reveals that TROJ_FAKEAV.GDS has the following routines:

    Upon execution, it displays the following GUI:

    Figure 1. Fake antivirus software GUI

    It also displays an icon on the system bar and a fake message alert:

    Figure 2. Alarming warnings designed to rattle the user

    When the user clicks the abovementioned message alert, the following fake Microsoft Security Center GUI is displayed:

    Figure 3. Fake Microsoft Security Center GUI

    Furthermore, clicking any link on the abovementioned Microsoft Security Center GUI will display the following prompt for registration:

    Figure 4. Users are asked to register in order to rid their system of the viruses allegedly affecting it


    We gathered malware data from January to November 2008 to give us an idea of just how dangerous surfing the Internet is. We analyzed the arrival methods of the top 100 malware infecting the most number of systems for the said period and came up with the following statistics:

    Figure 1. Infection Vectors of Top 100 Malware

    Coverage: Malware Analyzed by Trend Micro Researchers
    Date Range: January 1, 2008 to November 25, 2008

    This allows us to make some interesting insights:

    1. Globally, the source of the most number of infections for these top 100 malware is the Internet, specifically in surfing unknown or malicious sites, or accepting links offered in unsolicited email.
    2. The second highest source of infections is the presence of other malware on already infected systems. Since threats today are multicomponent, malware routines frequently include retrieving files from remote locations and downloading them onto the PC for added functionality or stealth.
    3. The third highest source of infections is the opening of email attachments that come from unknown or malicious sources.
    4. The percentages do not add up to 100% because most malware we have analyzed arrive on systems using more than one infection vector. This reflects the inherent flexibility of using the Internet: a Trojan may be hosted on a malicious website, which can reach a target system through (1) a spammed email containing a link to the Trojan, (2) direct download by accidentally surfing malicious sites (in search of, say, application cracks), (3) drive-by downloads (as in visiting a hacked legitimate site which has scripts that download and execute the Trojan automatically on visitors’ PCs), or (4) as a file downloaded by other Trojans already on the system.

    Regional data reflects the same general trend:

    Although overall still the land of adware, North America’s threat profile includes data-stealing malware that arrive via the Web.

    Figure 2. Infection Vectors of Top Malware in North America

    Malware borne by removable drives (portable / external hard drives, thumb drives, flash disks, memory cards, etc.) are at 15% in Asia and Australia. Most Asian countries have autorun malware as their top infectors, the highest concentration compared to other regions. However, the prevalence of file infectors and online gaming spyware in China has diluted this profile.

    Figure 3. Infection Vectors of Top Malware in Asia and Australia

    The top malware infecting PCs in Europe, Middle East and Africa (EMEA) also included several autorun malware, although in terms of number of PCs infected by any one malware, notorious Trojan downloaders are prominent in this region. EMEA also registered several infections via malicious iframes.

    Figure 4. Infection Vectors of Top Malware in Europe, Middle East and Africa

    Latin America's top threats are varied in profile, but the persistence of multicomponent attacks is distinctly apparent: several malware found on PCs were in fact dropped by other malware already present on the machine.

    Figure 5. Infection Vectors of Top Malware in Latin America

    Note however that this is not representative of the profiles of all malware samples–admittedly nobody can lay such a claim on any existing data set. What we are saying is that a majority of the top 100 malware that was most prevalent during this year arrived by surfing malicious or unknown sites. A sad confirmation that despite all awareness campaigns for safe computing, users still tend to victimize themselves out of curiosity.


    First detected in 2007, the WORM_VOTERAI family, which turned up during the presidential election season in Kenya that year, seems to be making a comeback in time for the US elections this year via WORM_VOTERAI.N. This worm, notable for dropping the following incomplete image file of Raila Odinga, has registered several infection counts in North America:

    Apart from dropping the above file, this worm modifies the system to ensure its automatic execution at every startup. It spreads via removable drives: its routines include dropping a copy of itself along with an Autorun file on all accessible drives. The copies dropped on removable drives are typically named SMSS.EXE and Ralia Odinga.exe, and they use Microsoft Word icons in the classic ploy of tricking users into thinking the files are safe to open.

    Raila Odinga is the incumbent Prime Minister of Kenya. Although he is not directly related to the US elections in any way, there "was" news early this year about Odinga claiming to be Obama's cousin. Obama is running for US president against John McCain.

    USB-borne malware has always been the fare for Asian countries, so since this worm is proliferating mainly in North America there is room to think that this political angle (however oblique) may have contributed to its spread.

    Trend Micro Smart Protection Network allows users to access the latest protection whenever and wherever they connect. Users without Trend Micro protection should make sure their removable devices are clean before plugging them in to PCs.
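    A quick way to act on that last piece of advice is to inspect a drive's autorun.inf before Windows does. The following is an added example, not code from the post or from Trend Micro: it parses the [autorun] section, pulls out every key that makes Windows run something (open=, shellexecute=, shell\<verb>\command=), resolves the program name even from an unquoted path containing spaces, and flags the tricks the post describes: a copy named after a system process (SMSS.EXE), an action= caption that hides the real command, and an icon borrowed from an executable. `scan_drive_root` applies the same check to a mounted drive and reports whether the referenced files are actually present. The sample autorun.inf and the list of process names are constructed for the demo, not captured from the worm.

```python
from pathlib import Path, PureWindowsPath

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Core Windows process names; a file with one of these names on a removable drive is a red flag.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe",
                        "services.exe", "svchost.exe", "explorer.exe"}

# Constructed sample modelled on the behaviour described in the post; not a capture.
SAMPLE_AUTORUN = """\ufeff; constructed sample
[AutoRun]
open=SMSS.EXE
shellexecute=Ralia Odinga.exe
icon=SMSS.EXE,0
action=Open folder to view files
label=My Documents
"""


def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section with lower-cased keys.

    Tolerates a UTF-8 BOM, blank lines, ';' comments and any capitalisation of the
    section name, all of which Windows accepts too.
    """
    entries, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Keys that cause execution: open=, shellexecute=, and shell\\<verb>\\command=."""
    return [(k, v) for k, v in entries.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]


def executable_name(command):
    """Program name from a command line, including unquoted paths with spaces.

    Approximates CreateProcess: with no quotes, grow the candidate token by token
    until it ends in a known executable extension.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return PureWindowsPath(command[1:end] if end > 0 else command[1:]).name
    tokens = command.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if PureWindowsPath(candidate).suffix.lower() in EXEC_EXTENSIONS:
            return PureWindowsPath(candidate).name
    return PureWindowsPath(tokens[0]).name if tokens else ""


def assess_autorun(text):
    """Human-readable findings for an autorun.inf; empty list when nothing is launched."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    findings = []
    for key, command in targets:
        name = executable_name(command)
        findings.append(f"{key}= runs '{name}' from the drive itself when it is inserted")
        if name.lower() in SYSTEM_PROCESS_NAMES:
            findings.append(f"'{name}' borrows the name of a Windows system process; "
                            "the real one lives only under %SystemRoot%")
    if targets and "action" in entries:
        findings.append(f"action= caption '{entries['action']}' is what AutoPlay shows instead of the real command")
    icon_source = PureWindowsPath(entries.get("icon", "").split(",")[0])
    if targets and icon_source.suffix.lower() in EXEC_EXTENSIONS:
        findings.append(f"icon= is taken from the resources of '{icon_source.name}', so Explorer shows a borrowed icon")
    return findings


def scan_drive_root(root):
    """Assess the autorun.inf at a drive root and check whether its targets are present."""
    root = Path(root)
    report = {"autorun_present": False, "findings": [], "targets_present": []}
    names = {p.name.lower(): p for p in root.iterdir()} if root.is_dir() else {}
    inf = names.get("autorun.inf")
    if inf is None:
        return report
    text = inf.read_text(encoding="utf-8", errors="replace")
    report["autorun_present"] = True
    report["findings"] = assess_autorun(text)
    for _, command in launch_targets(parse_autorun(text)):
        name = executable_name(command)
        report["targets_present"].append((name, name.lower() in names))
    return report


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print("-", finding)
```

    Run `scan_drive_root` against the mount point (a drive letter on Windows, the mount directory elsewhere) before opening anything on the stick; a target that the autorun file references but that is not present usually means a worm copy was already cleaned while its launcher was left behind, which is worth deleting too. Disabling AutoPlay for removable media closes the launch vector itself, but a user double-clicking a Word-iconed `.exe` still needs the name check.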

    Posted in Malware | Comments Off on Belated Odinga Campaign

    This month's Patch Tuesday was prematurely ushered in by a spam attack purporting to carry Microsoft updates. Don't be fooled: we have found the said spam to carry a backdoor (BKDR_HAXDOOR.MX), and it has nothing to do with Microsoft's official release.

    The October 2008 Microsoft Patch Tuesday addresses 20 vulnerabilities across 11 bulletins: four rated critical, six important, and one moderate.

    More details about this batch of updates can be read at the Microsoft Security Bulletin for October 2008. The page includes an exploitability index.

    Today’s online world has become scarier. The least you can do as a matter of due diligence is to make sure your operating system and applications are all up to date. The latest patches can protect you from several vulnerabilities that malware writers can use to conduct attacks onto your PC.

    Posted in Vulnerabilities | Comments Off on October 2008 MS Patch Tuesday

    October has just begun and Trend Micro threat researchers keep seeing more and more — slightly different, but yet increasingly more annoying — variations to the set of rogue AV infection signals we have been documenting on this blog.

    Fake BSOD

    Figure 1. Fake BSOD (actually a screensaver) now sports a specific mention of the problem — an unregistered version of a certain AV product.

    Fake reboot screen

    Figure 2. Now even the fake reboot screen (also a screensaver) has text

    Project Manager Paul Fan reminds us that malware criminals continue a “take no prisoners” approach to vandalizing PCs in their bid to convince victims to purchase bogus security software.

    Advanced Threats Researcher David Sancho even calls it the “Annoy and Conquer Strategy” — cybercriminals literally calling attention to themselves by using all visual means available to instill a sense of discomfort in users that may just be enough to get these users to fall for the act — an unfortunately common scare tactic.

    We’ve already discussed this threat and how the Smart Protection Network protects users in recent blog posts:

    This variant is an ongoing iteration of the Antivirus 2009 campaign and is detected as TROJ_FAKEAV.SV.

    One additional note — it is nice to see Microsoft and the State of Washington going after “scareware” purveyors. We completely support efforts to bring these criminals to justice.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice