
    Author Archive - Macky Cruz (Technical Communications)

    At 4:18 PM PST yesterday, Advanced Threats Researcher Ivan Macalintal discovered a spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank (NYSE: WB). This attack ends in the execution of a rootkit detected as TROJ_ROOTKIT.FX, which is a file that hides files and processes, allowing malicious attacks to run entirely beneath the radar.

    Macalintal warns that he has seen the following subject headings used in this attack:

    • Wachovia Connection Update Alert.
    • Wachovia Connection Customer Support – Security Updates.
    • Wachovia Connection upgrade warning.
    • Wachovia Connection Emergency Alert System.

    Below is a screenshot of a sample email:

    The malicious links download a file named SPlusWachoviadigicert.exe. Trend Micro Smart Protection Network detects this as TROJ_AGENT.AINZ. It accesses a certain URL to download another malware that in turn drops and installs TROJ_ROOTKIT.FX. This infection chain can be cut off at various points by the Smart Protection Network as we already detect the spam, the malicious links therein, and the files that are downloaded and executed on the system.

    Malicious rootkits are especially sneaky because they can hide processes and files from even tech-savvy users. This means entire attacks can transpire without the victim even guessing that there is something wrong with the PC. Malicious rootkits are often associated with information theft, and given that this spam appears to target Wachovia subscribers, malware writers are counting on the chance that the victim’s PC contains critical financial information they can then collect for their own use.

    The legitimate Wachovia Security Plus link can be accessed here, where the company discusses several security issues and precautionary measures to avoid being tricked by these types of attacks.

    Related blog posts:

    We previously saw TROJ_ROOTKIT.FX a couple of weeks back in a phishing run targeting the Bank of America, as early as 8:35 AM EDT on September 9. Unlike phishing sites, which are already harmful by themselves, these types of spam borrow legitimacy from online banking sites to deliver malware. The infection chain of the Bank of America attack starts with the download of an AGENT variant and, like this attack, ends in the initialization of TROJ_ROOTKIT.FX.

    Thanks to Jessa dela Torre of the Threat Response Team for the analysis of the infection chain.


    Rogue antivirus programs continue to plague our customers as submissions this September echoed August’s top malware profile. FAKEAV variants and components victimized users from all over the world. These threats are still among the most common case submissions we have been receiving even just two weeks into September.

    Rogue AV attacks’ sophisticated modus operandi starts with the surreptitious downloading of a seemingly legitimate file via several possible infection vectors. So far we’ve seen actual rogue AV attacks that begin in:

    • Spammed email messages (ecards) that contain malicious links
    • Instant messaging applications where links are sent as messages
    • Private messages in social networking sites
    • As codecs for videos hosted on social networking sites
    • Downloaded by malware in a prior infection
    • Mass SEO poisoning involving several compromised Web sites

    What happens from that point onward may vary, but the objective remains to convince the user through a variety of system modifications and invasive warning signals that something is wrong with their PCs. These scare tactics include showing fake Windows popup balloons, modifying the PC’s wallpaper to an alarming message, and performing an unsolicited system scan that yields worrying scan results.

    Here we highlight two of the latest attacks we’ve seen which are both multi-component in nature and have presented unique difficulties in terms of cleanup. While it is difficult to determine whether these rogue AV programs, WinAntispyware 2008 and Antivirus XP 2008, are related to the spate of Antivirus 2009 attacks seen in August, their prevalence this September suggests that it is time to pay these types of attacks the attention they deserve.

    Trend Micro detects WinAntispyware 2008 as TROJ_FAKEAV.RIT and Antivirus XP 2008 as TROJ_FAKEAV.IE.

    Both require the user to have clicked on a link or opened an attachment that led to the download of a Trojan dropper onto their systems. TROJ_FAKEAV.RIT follows the more conservative path as it depends on an Internet connection to see the attack through to its end. It first drops some files, some of which run at restart to download another file from the Internet. This file is not the rogue AV yet; it is just a program that displays a fake popup saying that the system is infected. It is when the user clicks on the popup balloon that the rogue AV continues the rest of the show: displaying a fake security console GUI, then performing a fake scan, then showing fake results, convincing the user to purchase a full version.

    Losing $50 for a fake program is bad enough, but victims should be worrying about losing much, much more. After all, once hackers get their hands on credit card information there is no telling what risks are in store for victims.

    Figure 1. WinAntispyware 2008 product purchase page

    The second notable attack we’ve seen is by TROJ_FAKEAV.IE because of its more wholesale approach to delivering the attack. Instead of relying on an Internet connection every step of the way, all it takes to risk an infection from this program is the download of the Trojan dropper TROJ_FAKEALER.DQ. This dropper gives its all: files to help scare the user, like a wallpaper and a screensaver, and even the rogue AV program itself. Perhaps the mind behind this attack wants to take as much advantage as it can of its foot in the door.

    It modifies the system’s wallpaper and screensaver settings so the first thing the user will notice is that his/her desktop image has changed. If he decides to investigate, he will see that the Desktop and Screensaver tabs in the Display Properties are missing. A few seconds into suspecting that something is wrong, an EULA comes out of nowhere.

    Figure 2. Antivirus XP 2008 Fake EULA

    If the user clicks on Agree and Install (after all the EULA looks like most program EULAs which people do not really read), the system immediately conducts a system scan and shows a fake scan results page. After this the browser opens a window where the user is asked to give his contact information.

    Figure 3. Antivirus XP 2008 product purchase discount page

    The attacker might have a slightly different intention, but the attack’s risks are no less dangerous. By obtaining the victims’ name, phone number and email address, hackers can steal user identities and perform social engineering attacks using the victims’ credentials. Email addresses can be sold to spammers as active accounts.

    Here is a visual presentation of what a typical attack may look like:

    Related blog posts:

    Trend Micro Smart Protection Network, a next generation cloud-client security infrastructure, effectively protects our users from harmful, multi-component and intricate Web threats such as these. It combines in-the-cloud technologies with smaller, lighter-weight clients, giving users immediate access to the latest protection.


    What is it with Paris Hilton these days? Just this week we’ve seen several pictures of the celebrity in a spam run that is yet again pushing rogue AV.

    Although we’re quite familiar with the social engineering technique involved in name-dropping celebrities in order to pique more interest (and therefore hits), the last celebrity we’ve seen in the run was Angelina Jolie — around the time of the release of the movie Wanted, in which she starred.

    These spammers are apparently in touch with the pop culture scene, as Paris followers (and naysayers) from all over the world are by now intimately familiar with that viral video where Paris says, “I want America to know that I’m, like, totally ready to lead.” This was in answer to the John McCain ad where a clip of his opponent Barack Obama was placed between a Paris Hilton and Britney Spears footage, implying that Obama is merely a celebrity.

    Figure 1. Spammers play off off-beat mainstream news.

    Trend Micro Advanced Threats Researcher Jamz Yaneza tells us that tempted users who open the message will find one of several URLs (redacted here as hxxp://{BLOCKED}) in the message body:
    Clicking the link to the “video” leads to the download of components detected by Trend Micro as TROJ_FAKEAV.FP and TROJ_FAKEAV.FW.

    While we are indeed detecting a trend that rogue AV programs are having a field day in the past few weeks, the volume of unique Paris-related spam-for-rogue-AV attacks and the actual victims (a big chunk of whom are from North America based on our Virus Tracking Center) say that this particular social engineering technique does click.

    Never mind if the spam doesn’t make sense…

    Figure 2. Paris spam pushing rogue AV, sample 2

    …isn’t even remotely sensational…

    Figure 3. Paris spam pushing rogue AV, sample 3

    …or just too good to be true.

    Figure 4. Paris spam pushing rogue AV, sample 4

    All URLs and spam mail mentioned above are already blocked by the Smart Protection Network.

    Recent reports of rogue AV in the blog:

    Posted in Malware, Spam | Comments Off on Paris Hilton Hits the Rogue AV Scene

    Trend Micro Advanced Threats Researchers Ivan Macalintal and Paul Ferguson report that Internet spammers have turned to file-sharing scare-tactics. This is to entice would-be victims to open a malicious attachment, threatening the unfortunate recipients with interrupted Internet connectivity or legal action.

    Here are screenshots of two sample email messages:

    Figure 1. A certain “ISP Consorcium” [sic] purports to protect the rights of software authors by monitoring networks.

    Figure 2. Media Defender, a company known to protect clients from copyright infringement, was used this time. The spam says that the company claimed to have logged Internet activity on several BitTorrent sites.

    Recipients are most likely to be motivated by fear to fall for this ruse. It is, after all, the Internet surfer’s worst nightmare to have all their Internet activities known to other parties — especially those who threaten legal prosecution.

    These spam runs seem to use a self-righteous tone against piracy, which makes the ruse even all the more believable. (Remember the Feds supposedly scanning Facebook accounts? Or how about the even more far-fetched one about the death of the Internet?)

    However, downloading the attached file is not in the recipient’s best interests. We advise users to consider all unsolicited email suspect. We are currently investigating this incident and will update this entry as more information becomes available.

    Posted in Spam

    Malware criminals seem to never run out of tricks.

    This time they seem to have spun off sensational (but fake) news about the current Iraqi conflict. Advanced Threats Researcher Paul Ferguson recently encountered the following spam mail:

    Figure 1. Spam purporting to carry news about the latest Al Qaeda offensive.

    The spam even goes on to discuss all the past diversionary (and equally terroristic) attacks allegedly linked to Osama Bin Laden and Al Qaeda, perhaps to raise the level of emotion required for users to throw all caution to the wind. After enumerating all these terrorist activities, the spam includes the link it introduced in the first paragraph with the enticing interview appearance of Osama Bin Laden. Users are cautioned to not let their curiosity get the best of them.

    However, the lack of user discretion has an ugly price: the link leads to an executable file named news_usama_video.exe. The video is not a video; it is TROJ_AGENT.AKNH, a variant of a Trojan family known for playing support roles for malware in a bigger multi-component attack against users.

    The URL is blocked and the executable is detected by Trend Micro Smart Protection Network. Trend Micro customers, especially those with a keen interest in current affairs and the tension in the Middle East, are safe from this attack.

    Other users should always maintain a clear head when dealing with unsolicited email, regardless of content. Embedded URL links have always been an easy way in for malware criminals to victimize PCs. It is best to set email applications to render all links in messages inactive and, in general, to treat all unsolicited email as suspect.

    This is not the first time sensational (and bogus) content in connection to spam and malware infection has been used to attract victims:

    Posted in Malware, Spam | Comments Off on al Qaeda News Spam: A Malware Diversionary Tactic

