    TrendLabs Security Intelligence Blog

    Author Archive - Maydalene Salvador (Anti-spam Research Engineer)

    Cybercriminals are known opportunists. They will take advantage of anything newsworthy and craft their schemes around (for example) sporting events like FIFA and the Olympics. As the London 2012 Olympics opening event draws near, we can expect a surge of spammed messages that leverage this event.

    Below are some spammed messages we’ve spotted that use the 2012 Olympics as bait: one involves an email that says “winning notification”, another asks for personal details in exchange for a prize, and a third asks users to notify a specific contact person. Users who fall for any of these traps are at risk of having their information stolen or their machines infected with malware. Some spam may even lead to monetary loss.

    Prize, Free Tickets in Exchange for Your Information

    The first Olympic-related spam we’ve seen is an email that asks for personal information. To get users to willingly give these details, the message informs recipients that they have won free tickets. However, to claim their prizes, users must divulge personal information such as home address/location, marital status, and even occupation. The message stretches the truth further by informing users that they have also won a large cash prize.

    The scammers behind this spam may use the gathered information in their future malicious schemes. They may also sell data to other cybercriminal groups.

    Malware Disguised as Prize Notification

    We have also encountered several messages supposedly related to London Olympics 2012 that arrive with attachments disguised as “winning notifications” and contain the details of the prize. Curious users who download and open the attachments are actually executing malicious files. Below is a sample email:

    In a different spam run, we noticed a message with an attached file that is actually a Trojan (detected as TROJ_ARTIEF.ZIGS) that exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333). Once the exploit is successful, the malware drops the backdoor BKDR_CYSXL.A. Based on our analysis, this backdoor connects to a remote user who may execute commands on the infected system. What’s more alarming is that systems infected with backdoors are exposed to other threats, which may include malware that steals online banking credentials (passwords, usernames, etc.).

    Spam Asking Users to Contact Specific People

    The third type of spam may look legitimate at first. To look authentic, the messages may spoof well-known entities like Visa and contain contact details of a supposed coordinator or contact person affiliated with the fake promo.

    In the message, recipients are instructed to contact the supposed “coordinator” indicated in these messages. Once users send replies to the addresses, they receive a reply from the scammer with instructions on how to claim their prizes. Eventually, users are asked to disclose personal information. The scammers behind this threat may ask users for account details, or to deposit money into specific bank accounts, in order to receive their prize.

    Why These Spam Runs Remain

    These types of scams are nothing new. Previous incarnations include spam claiming to be associated with the Beijing Olympics 2008 and the Torino Winter Games. So why is this still a threat to users? Cybercriminals are still earning money from this threat. Senior Threat Researcher Robert McArdle believes that “…attackers are still using these because these scams are still giving them successful margins. Social engineering has worked for years and there are little signs of that changing.” Thus, so long as users are still falling for this trap, scammers will continue to create new spam runs using events like the London Olympics to make a quick buck.

    Trend Micro protects users from this threat via the Smart Protection Network™, specifically its web reputation service, which blocks these messages from even reaching users’ inboxes. Its file reputation service, on the other hand, detects and deletes the related malware.

    Users can also prevent these threats by doing some simple checking of emails. They should be wary of these tell-tale signs:

    • Sloppy/unprofessional email format
    • Obvious grammar mistakes
    • Claims of an unbelievably large cash prize

    For the latest news about the upcoming Olympics and related contests, users should rely on credible news sources/sites. To know more about how to better protect yourself from this threat, you may read our Digital Life e-guide How Social Engineering Works and our FAQ article Sports as Bait: Cybercriminals Play to Win.


    We recently saw some articles on the Web saying that Slim Shady aka Eminem died in a car crash. Today, we received a spammed message that still claims the rumor is true. The email pretends to be from CBS News informing the recipient of the news about Eminem’s alleged car crash. It also asks if the user wants to see more information about it. A link is provided in the email to show the user the supposed video. Instead of the video, however, the link redirects to a site that downloads an executable file.

    Below are screenshots related to this attack.


    The .EXE file, of course, turns out to be malicious. It is another member of the infamous and persistent ZBOT family of infostealers, detected as TROJ_ZBOT.HBI. The activities of ZBOT malware and the related ZeuS botnet were discussed in a Trend Micro white paper earlier this year. This is not the first time spam has been used to spread ZBOT either: in March this year, two spam campaigns did so. The first campaign used fake notices from the Internal Revenue Service (IRS), while the second used allegedly posted photos.

    Trend Micro product users are already protected from this threat via the Smart Protection Network, which blocks the spammed message, the download URL, and the malicious file.


    TrendLabs Web content security analysts recently received spammed messages that purported to be from hi5, “a global destination where young people meet and play.” The site claims to have more than 50 million monthly visitors and to be the third largest social media site in the world.


    The bogus email asks users to add its sender to their lists of friends just like any normal social networking invitation. What is odd about this email, however, is that it first asks recipients to download and open an attachment, which supposedly contains an invitation.


    Unsuspecting users who are tricked into downloading and opening the compressed file (Invitation end up executing malware detected as WORM_PROLACO.AA instead of an invitation. The attachment contains a file named Document.htm. However, upon closer examination by expanding the Name column in the window, users will discover that the supposed .HTM file is really a malicious .EXE file.

    The social engineering technique used in this spam run is probably one of the oldest tricks in the “Spammers’ Handbook,” if there is one. This is precisely why users are always reminded to be wary of opening email messages from people they do not know and to scan file attachments before downloading them onto their systems.

    Trend Micro™ Smart Protection Network™ protects users from this threat by preventing the spammed messages from even reaching their inboxes via its email reputation service. It also detects and blocks the malicious file from being downloaded onto and executed in users’ systems via its file reputation service.

    Non-Trend Micro product users can also stay protected from this threat via eMail ID, a free tool that helps them avoid opening and acting on email messages attempting to spoof real companies.


    Trend Micro researchers found spammed messages with a .ZIP file attachment that contains malware. The message bears the subject “Contract of Settlements” and purports to come from LSM Company. It tells users to open and check the attached file, which supposedly holds a contract but is in fact an executable file (contract_1.exe) detected by Trend Micro as TROJ_FAKEALE.JH.

    When executed on the system, TROJ_FAKEALE.JH connects to http://{BLOCKED}, from which another FAKEAV variant, TROJ_FAKEAV.BQN, is retrieved.


    Users cannot scan the attached file because it is password protected. However, the password is included in the email so that the file can be opened. This is probably meant to trick users into thinking that the file is legitimate.
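A defender-side check for the two attachment tricks described in this post and in the hi5 invitation post above: a password-protected ZIP that a scanner cannot inspect, and a supposed Document.htm that is really an .EXE. This is an added example, not Trend Micro code; the sample archives are constructed inside the block, and the helper names and the flag-flipping used to build a "password-protected" sample are my own assumptions.

```python
import io
import zipfile

# Extensions that suggest a harmless document, and ones Windows will execute.
DOC_LIKE = {".htm", ".html", ".doc", ".pdf", ".txt", ".rtf"}
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
ZIP_FLAG_ENCRYPTED = 0x1  # general-purpose bit 0 in the ZIP file headers

def inspect_zip_attachment(data: bytes) -> list:
    """Return (member_name, reason) findings: password-protected entries a
    gateway cannot scan, executables behind a padded double extension such
    as 'Document.htm      .exe', and 'documents' that start with the PE 'MZ' header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                findings.append((name, "password-protected: content cannot be scanned"))
                continue
            parts = name.lower().rsplit(".", 2)
            ext = "." + parts[-1].strip() if len(parts) > 1 else ""
            inner = "." + parts[-2].strip() if len(parts) > 2 else ""
            with zf.open(info) as member:
                head = member.read(2)  # PE files (EXE/DLL/SCR) begin with b"MZ"
            if ext in EXECUTABLE and inner in DOC_LIKE:
                findings.append((name, "double extension hides an executable"))
            elif ext in EXECUTABLE:
                findings.append((name, "executable attachment"))
            elif head == b"MZ":
                findings.append((name, "content is a Windows executable despite %s name" % ext))
    return findings

def build_sample_zip(members, mark_encrypted=False) -> bytes:
    """Constructed test data only: a stored ZIP of (name, bytes) pairs. With
    mark_encrypted, the encryption bit is set in every header so the archive
    presents as password protected (the bytes themselves stay in the clear)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Flags sit at +6 in a local header (PK\3\4) and +8 in a central one (PK\1\2).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            while i != -1:
                data[i + off] |= ZIP_FLAG_ENCRYPTED
                i = data.find(sig, i + 4)
    return bytes(data)
```

A mail gateway would run inspect_zip_attachment over each decoded ZIP attachment and quarantine or flag the message when the findings list is not empty.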

    As usual, users are advised to refrain from opening any suspicious-looking emails. Trend Micro product users are protected from this spam attack via the Smart Protection Network. Non-Trend Micro product users can utilize HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.


    Just today, we at the Content Security team received a large number of spam messages with a ZIP attachment that contains a backdoor. The email informs the user that the product he/she ordered/purchased online has already been sent. It then asks the user to view the tracking document details by opening the attachment.

    The attachment is not an Office file; it is instead an executable, which Trend Micro detects as BKDR_REDOLAB.AL. This backdoor’s main duty appears to be to download TROJ_RENOS.BAV. Renos variants are known downloaders of rogue antivirus components/software. Our engineers are currently analyzing the capabilities of this Trojan.

    Various Web-based infection vectors have been used in connection with rogue antivirus scams. In the last couple of months, rogue antivirus has been the final payload of blackhat SEO attacks (as in the case of malicious links that come up when users searched for news about Corazon Aquino’s death and the latest solar eclipse) and malicious Twitter posts. The last we have seen of malicious attachments that lead to rogue antivirus was in the Reconfigure Your Outlook spam.

    The latest spam pattern in the Trend Micro Smart Protection Network already blocks this spam run. The malicious files are detected as BKDR_REDOLAB.AL and TROJ_RENOS.BAV. This entry will be updated for the full behavior of the RENOS Trojan.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice