    Author Archive - Maria Manly (Anti-spam Research Engineer)

    The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks like there is more to the emergence of this threat than initially discovered.

    We have identified one possible factor in this growth: the arrest of Paunch, the creator of the Blackhole Exploit Kit. Paunch’s arrest led to a significant reduction in spam campaigns using exploit kits. Clearly, this caused a vacuum in the spam-sending world – spammers would not all of a sudden stop sending spam. So they would need to send something out; what would this be?

    One of those replacements has turned out to be UPATRE. We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying UPATRE (which ultimately leads to CryptoLocker) right around October, the same month of Paunch’s arrest. In fact, we have monitored multiple IPs involved in the transition – sending Blackhole Exploit Kit spam shortly before the arrest and sending CryptoLocker spam after the arrest.

    The Cutwail-UPATRE-ZEUS-CRILOCK infection chain we spotted on October 21 may be the most common infection chain used to spread CryptoLocker. The Cutwail botnet has the capability to send very high numbers of spam messages, which explains the high incidence of this recent spike in ransomware. It also highlights, somewhat perversely, how resilient cybercrime can be: the response to Paunch’s departure was remarkably quick and may have ended up affecting more people than the exploit kit spam runs had before.

    We’ve discussed in the previous CryptoLocker entries how to avoid becoming a victim. We reiterate that users should absolutely not open attachments that they were not expecting to receive. This will help minimize the exposure of users to this threat.

    Posted in Malware, Spam

    2010 has been an active year both for spammers and anti-spammers alike. No new spamming techniques or tricks were used in 2010. However, the spammers kept the spam threat alive and kicking by recycling old tricks and combining popular spamming techniques seen in the past. Here are some of the notable spam types and techniques that continued to circulate this past year.

    Pharmaceutical and other health-related spam remained the most notorious type throughout the year. This spam type was not limited to selling pharmaceutical products online; the spammers also used these messages to disguise their phishing and malware attacks.

    Phishing attacks not only targeted banks. Phishers gradually switched their focus to target popular social networking sites such as Facebook, Twitter, MySpace, and the like. Sometimes, links in email messages redirected users to fake sites where their credentials were stolen. At other times, the links led to affiliate marketing sites such as online pharmacies or replica product websites.

    Social engineering was on the rise all year long using different noteworthy events and topics like the tax season, Wikileaks, and social networking sites to spread malware.

    Online gambling and casino-related spammed messages were especially prevalent in Europe where such activities were less strictly regulated than in North America. This spam type was frequently seen written in Spanish. Similarly, German was used in many spammed messages selling replicas in the third quarter as well. Other non-English spammed messages contained dating, adult, and commercial content.

    Nigerian scams and fake lottery notifications also continued to proliferate in 2010. We saw multiple variants presented in different styles and using varying techniques.

    Posted in Spam

    Trend Micro security experts have not seen pump-and-dump spam campaigns in a fairly long time. In fact, some of the most recent attacks of this kind were seen last year:

    In a pump-and-dump attack, spammers raise the stock prices of companies they own shares in by sending spammed messages with misleading or outright untrue positive news about the said companies. Once the companies’ real stock prices have sufficiently risen, the spammers will then sell or dump their own shares to gain profit.

    TrendLabs engineers, however, recently saw this tactic make a comeback on the popular VoIP application, Skype. Spammers used the application’s instant-messaging (IM) feature to send the pump-and-dump spammed messages below.

    Spammers tried to promote two companies—EcoBlu Products, Inc. and Terra Energy & Resource. Like other spam runs using IM applications, Skype users received these messages from users who were not in their lists of contacts.

    As usual, we urge users not to click any link in messages sent via email or IM applications that come from people they do not know.

    Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from reaching their inboxes via the email reputation service and by blocking access to malicious sites via the Web reputation service.

    Non-Trend Micro product users, on the other hand, can also keep their systems safe by using free tools like eMail ID, a browser plug-in that helps identify legitimate email messages in your inboxes.


    This is hardly the first time cybercriminals have used Facebook to spread spam and malware. As anti-spammers became vigilant against these techniques, the spammers kept up and thought of different ways to spread dangerous links to malicious websites. A sample seen recently uses a revived technique: make the email look like it came from a trustworthy source (in this case Facebook), then insert random email addresses into the Reply-To field.

    Facebook spam in Spanish containing malicious links
    Figure 1. Facebook spam contains several links, the first one even looks safe to click. Hovering the mouse over the link reveals it is anything but safe.

    The result: when a user hits the reply button, the mail client will automatically include all of those email addresses in the recipients field.

    Email window showing the automatically populated To field
    Figure 2. Several email addresses automatically populate the To field.
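    A header check for the Reply-To trick described above, written as an added example for this page (not code from the original post or from Trend Micro). It parses a constructed sample message with the Python standard library and flags a Reply-To that carries several recipients or points at domains other than the spoofed From domain.

```python
import email
from email.utils import getaddresses

# Constructed sample resembling the spam above: From claims to be Facebook,
# while several unrelated addresses are stuffed into Reply-To.
SAMPLE_SPAM = """\
From: Facebook <notification@facebook.com>
To: victim@example.com
Reply-To: alice@example.org, bob@example.net, carol@example.info
Subject: Un usuario de Facebook te ha enviado un mensaje
Content-Type: text/plain; charset=utf-8

Haz clic en el enlace para ver el contenido
"""

# Constructed benign notification: no Reply-To at all.
SAMPLE_LEGIT = """\
From: Facebook <notification@facebook.com>
To: victim@example.com
Subject: New message
Content-Type: text/plain

Hi
"""


def _domain(addr):
    """Lower-cased part after the last '@' (empty if there is none)."""
    return addr.rpartition("@")[2].lower()


def check_reply_to(raw):
    """Return findings for the Reply-To abuse pattern, oldest rule first.

    Flags a Reply-To with more than one address (a reply would fan out to
    all of them) and every Reply-To address whose domain differs from the
    From domain (the displayed sender is a brand, replies go elsewhere).
    """
    msg = email.message_from_string(raw)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    findings = []
    if not reply_addrs:
        return findings
    if len(reply_addrs) > 1:
        findings.append(f"reply-to-multiple:{len(reply_addrs)}")
    from_domains = {_domain(a) for a in from_addrs}
    for a in reply_addrs:
        if _domain(a) not in from_domains:
            findings.append(f"reply-to-domain-mismatch:{a}")
    return findings
```

    A mail gateway rule built on the same idea should treat a multi-address Reply-To on a message that displays a well-known brand as From as a strong spam signal, since legitimate notifications almost never need it.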

    The Spanish text of the email message roughly translates to:

    A user of Facebook to send you this message

    The photos arrived you that send you before? because me not respondistes bue you the command debuelta by if the doubts are those of the partuza eye q be not enlivened your girlfriend ciao{BLOCKED}.php

    Click on the link to view the content

    Posted by: I can not say but I know

    If you can not see the content properly click here

    Clicking on any of the links will summon the following prompt:

    Dialogue prompt for download of strangely named file
    Figure 3. The file offered is named strangely. Notice the long underscore.

    Needless to say, the downloaded file is a malicious component, TROJ_DLOAD.AEY. It leads to a BANKER variant, TROJ_BANKER.HIJ, which is currently being analyzed. BANKER variants are notorious data-stealing malware targeting users with online bank accounts. Good thing Smart Protection Network recognizes threats before they ever arrive at the desktop, eliminating the risks to users who may encounter this spam-malware attack.

    Posted in Spam

    The depths to which cybercriminals will sink for the sake of financial gain are truly appalling. In the midst of the crisis brought on by the global recession, they have managed to come up with illicit schemes that target people who, despite the desperate times, are trying to get through the crisis the proper, lawful way.

    Just recently, we have found spam emails posing to be from job search sites Huxley Associates and

    Figure 1. Sample spam email purporting to be from

    Figure 2. Sample spam email purporting to be from Huxley Associates

    The email message comes as a notification to the recipient that they did not get the job they supposedly applied for.

    Figure 3. The malicious attachment

    Attached to the message is a .ZIP file, stated to be a copy of the recipient’s application form. However, opening and executing it reveals that the said file is actually a worm detected by Trend Micro as WORM_PROLACO.C. This worm propagates via removable drives and P2P networks. It drops copies of itself in P2P-related shared folders using commonly searched file names of software cracks and ring tones.

    In such a dire condition with job losses at every corner, prices going up, and the unpleasant pronouncement “the worst is yet to come,” people are left with no choice but to scramble for every possible job opportunity they could get. Now, what more convenient way to seek more opportunities in such a short time but to look for a job online?

    But with the job openings rate decreasing, competition tightens, which leads people to become desperate, and more importantly—careless. This is what cybercriminals are counting on at this point, leveraging people’s current need for a stable job despite the rocky economic conditions. The current global crisis creates a domino effect, which triggers a human vulnerability, now relentlessly exploited by cybercriminals.

    Users of the Trend Micro Smart Protection Network are protected from this threat, as the spam message is now blocked and the malicious file is detected. Other users are advised to ignore such email messages and refrain from opening file attachments from unsolicited emails.

    Posted in Malware, Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice