    Author Archive - Maydalene Salvador (Anti-spam Research Engineer)




    Trend Micro researchers found spammed messages with a .ZIP file attachment that contains malware. The message bears the subject “Contract of Settlements” and purports to come from LSM Company. It tells users to open and check the attached file, which supposedly holds a contract but is actually an executable file (contract_1.exe) detected by Trend Micro as TROJ_FAKEALE.JH.

    When executed in the system, TROJ_FAKEALE.JH connects to http://{BLOCKED}edrdosubor.com/K1er0Lj5n8H0NM4E8h0u where users get another FAKEAV variant, TROJ_FAKEAV.BQN.


    Note that users cannot scan the attached file because it is password protected; the password, however, is included in the email so the recipient can open the file. This is probably meant to trick users into thinking that the file is legitimate.
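    The password-in-the-mail trick described above is something a mail gateway can flag without knowing the password, because a ZIP's central directory (entry names and flag bits) stays in the clear even when the entries themselves are encrypted. The following Python is an added example, not code from the post: the message fixture, the password regex and the list of flagged extensions are all constructed assumptions.

```python
import email
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed heuristic: a password quoted in the body next to an encrypted archive.
PASSWORD_HINT = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)

def encrypted_zip_entries(data):
    """Names of ZIP entries with general-purpose flag bit 0 (encrypted) set; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []

def score_message(raw):
    """Flag a message that carries an encrypted ZIP and quotes the password in its body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    found = {"encrypted_zip_entries": [], "executables_inside": []}
    for part in msg.iter_attachments():
        names = encrypted_zip_entries(part.get_payload(decode=True) or b"")
        found["encrypted_zip_entries"] += names
        # Assumed list of extensions worth flagging when hidden inside an encrypted archive.
        found["executables_inside"] += [n for n in names if n.lower().endswith((".exe", ".scr", ".com"))]
    found["password_in_body"] = bool(PASSWORD_HINT.search(text))
    found["suspicious"] = bool(found["encrypted_zip_entries"]) and found["password_in_body"]
    return found

def build_sample_eml():
    """Constructed fixture (not a real sample): a ZIP holding contract_1.exe, with the encrypted
    flag patched into the local header (+6) and central directory entry (+8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("contract_1.exe", b"placeholder bytes, not a real executable")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        (flags,) = struct.unpack_from("<H", data, pos + off)
        struct.pack_into("<H", data, pos + off, flags | 0x1)
    msg = EmailMessage()
    msg["Subject"] = "Contract of Settlements"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Please check the attached contract. The password is 1234")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="contract.zip")
    return msg.as_bytes()
```

    The entry names come from the unencrypted central directory, so the executable inside the archive is visible to the gateway even though the payload cannot be extracted.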

    As usual, users are advised to refrain from opening any suspicious-looking emails. Trend Micro product users are protected from this spam attack via the Smart Protection Network. Non-Trend Micro product users can utilize HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.




    Just today, we at the Content Security team received a large number of spam messages with a ZIP attachment that contains a backdoor. The email informs the user that the product he/she ordered or purchased online has already been sent, and asks the user to view the tracking document details by opening the attachment.

    The attachment is not an Office file; it is instead an executable, which Trend Micro detects as BKDR_REDOLAB.AL. This backdoor’s main duty appears to be downloading TROJ_RENOS.BAV. Renos variants are known downloaders of rogue antivirus components/software. Our engineers are currently analyzing the capabilities of this Trojan.

    Various Web-based infection vectors have been used in connection with rogue antivirus scams. In the last couple of months, rogue antivirus has been the final payload of blackhat SEO attacks (as in the case of malicious links that come up when users searched for news about Corazon Aquino’s death and the latest solar eclipse) and malicious Twitter posts. The last we have seen of malicious attachments that lead to rogue antivirus was in the Reconfigure Your Outlook spam.

    The latest spam pattern in the Trend Micro Smart Protection Network already blocks this spam run. The malicious files are detected as BKDR_REDOLAB.AL and TROJ_RENOS.BAV. This entry will be updated for the full behavior of the RENOS Trojan.




    The Trend Micro Content Security team discovered spoofed email messages that pretend to be from Delta Airlines. The fake email message contains a confirmation number for a supposed ticket purchase and a ZIP file. Recipients are told that this file contains details of the travel itinerary.

    Here’s a screenshot of a spammed message:


    Figure 1. Sample spam.

    The ZIP file is, of course, a malicious file detected by Trend Micro as TROJ_DELF.PSZ.


    Figure 2. Malicious file.

    The Trojan automatically runs at every system startup by modifying a registry entry. It has rootkit routines which enable the binary to hide its processes, files, or registry entries. The file also connects to a website to download files. This exposes an infected system to more threats.

    This would not be the first time cybercriminals used airline tickets as bait. A fake American Airlines website was used for phishing late last year. The fact that airline tickets are relatively inexpensive now could also be a factor in the proliferation of these types of threats. Users may think they’re getting a free vacation when in fact their PCs are already being infected with malware.

    The Trend Micro Smart Protection Network already blocks TROJ_DELF.PSZ and provides solutions for its cleanup and removal.




    This is probably the type of support one wouldn’t want to have.

    Spammed email messages were found pretending to come from Microsoft Windows Support and claiming that Microsoft Service Pack 1 and Service Pack 2 have been discovered to have an error that can damage the computer’s software or even the hardware.
    Figure 1. Spammed messages purporting to come from Windows Support

    These messages encourage users to download and install a file in order to fix the problem. When users click the download button they are redirected to a site and are asked to download a file which Trend Micro detects as TROJ_DLOADER.CUT.

    Figure 2. User is prompted to download a malicious file

    TROJ_DLOADER.CUT connects to a certain URL to download another malicious file, which in turn is detected by Trend Micro as TSPY_BANKER.MCL. TSPY_BANKER.MCL monitors the affected user’s online transactions and steals banking related information.

    Not too many TSPY_BANKER variants have been reported to be related to notable attacks recently, and this incident may pretty much mark the end of the hiatus. Users are advised to ignore spammed messages and, more importantly, to never click links embedded in these messages.

    Trend Micro users are protected from this attack by the Smart Protection Network, as the related files, spam, and URL are already detected and blocked.




    Orkut is a Google-owned social networking service with most users located in Brazil and India. It recently ranked 21st in Compete.com’s top 25 social networking sites, with more than 5 million monthly visits in January of 2009.

    Much like the other social networking sites in the said list, Orkut is now also being used by cybercriminals to deliver malware that can compromise a victim’s computer.

    Spoofed emails which claim to be from Orkut inform the recipient that their account has been found to be fake and is engaged in illegal activities, such as sending spam to other Orkut members.

    Figure 1. Sample spammed message posing to be from Orkut

    Figure 2. A fake warning for Orkut users

    The first email translates to:

    Problems with your profile.

    Dear user,

    Your profile was reported to be containing illegal information, and will be blocked in the next 48 hours.

    You are probably using non-authorized or copyrighted information.

    To see all the information and instructions required to normalize your account, click here.

    This will be the last notification sent from our system, and in case you do not perform any required action, your profile will be blocked definitely.

    ATTENTION: your request will be analyzed by our team and will be subject for approval.

    To get more details about your profile, download the software below:

    The second:

    Problems with your account

    Dear user,

    We are receiving daily inquiries showing that your profile is fake, and is sending spam to other Orkut members.

    If you really do exist and would want to keep using Orkut, we require you to change your password and do a personal confirmation of your profile.

    Enable your profile:

    IMPORTANT: Your reactivation is due in the next 48 hours.

    Sincerely
    Orkut.com

    Recipients are given 48 hours to activate their profile by clicking the given link. Upon clicking the link they are redirected to a website where they are prompted to download a file, which is found to be malware detected as TROJ_DLOADER.WKV.


    Figure 3. Prompt to download the malicious file.

    TROJ_DLOADER.WKV terminates antivirus applications found present on the affected system. This routine is possibly done to prevent antivirus software from detecting files that this Trojan downloads from malicious URLs, which are inaccessible as of this writing.

    Either way, spammed messages such as the one shown above are already blocked, while malicious files are already detected, all through the Trend Micro Smart Protection Network.

    Here are a couple of past reports involving Orkut:




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice