TrendLabs Security Intelligence Blog

    Author Archive - Mayee Corpin (Technical Communications)




    Malware criminals were quick to pounce on the recently discovered — and still unpatched — zero-day exploit for Internet Explorer and to mount mass SQL injection attacks, Trend Micro researchers have found. Researchers industry-wide had correctly warned that it was only a matter of time before this exploit, which is publicly available, was used in wider-scale attacks. The folks at the SANS Internet Storm Center (ISC) are also reporting this.

    Advanced Threats Researcher Ivan Macalintal puts the number of infected sites so far at 6,000 and (quickly) increasing in number. He cites at least two Web sites infected with code that exploits the zero-day vulnerability, one in the .tw domain, and the other under .cn. The first is a Taiwanese search engine [Update: Now clean. -Ed.] which was found injected with the malicious JavaScript code through SQL injection.

    The second is a Chinese sporting goods site with a traffic rank of close to 7 million, which was found containing HTML code directing users to a remote site which contains the same malicious script.


    Fig. 1. A webpage of the compromised popular Chinese skating/sporting goods site


    Fig. 2. An image of an injected redirection to a third-party site hosting the exploit

    The final payload is a worm detected by Trend Micro as WORM_AUTORUN.BSE. Other exploits that also lead to the worm are as follows:

    • HTML_IFRAME.ZM
    • JS_DLOADER.QGV
    • HTML_AGENT.CPZZ

    Obfuscated JavaScript in the HTML webpages is also detected as JS_DLOAD.MD, the same malicious script found to exploit the zero-day vulnerability in IE7.
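The two compromise patterns described above, injected HTML that sends visitors to a third-party site and obfuscated script pasted into the page, can both be checked for by a site owner who scans their own served pages. The scanner below is an added example written for this post, not Trend Micro code and not the actual injected code from the affected sites; the sample page, the host names (`shop.example`, `exploit.example.invalid`) and the obfuscation thresholds are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics for the obfuscated-script pattern: calls that decode and run strings,
# plus a long run of %xx or \xNN escapes. Thresholds are constructed for this example.
DECODE_AND_RUN = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\b")
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){20,}")


class InjectionScanner(HTMLParser):
    """Collect (reason, value) findings for a page served from site_host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_chunks = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self._script_chunks = []
            if attrs.get("src"):
                self._check_offsite("script", attrs["src"])
        elif tag == "iframe":
            src = attrs.get("src", "")
            if src:
                self._check_offsite("iframe", src)
            # A 0x0 or 1x1 frame is invisible to the visitor: a classic injection tell.
            width = attrs.get("width", "").strip()
            height = attrs.get("height", "").strip()
            if width in {"0", "1"} or height in {"0", "1"}:
                self.findings.append(("hidden-iframe", src))

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as raw data; buffer them until </script>.
        if self._in_script:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_chunks)
            if DECODE_AND_RUN.search(body) and ESCAPE_RUN.search(body):
                self.findings.append(("obfuscated-script", body[:40]))

    def _check_offsite(self, kind, src):
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs have no host; same-site and subdomain references are allowed.
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            self.findings.append((f"offsite-{kind}", src))


def scan_html(html, site_host):
    """Return the list of (reason, value) findings for one page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page resembling the injected sporting-goods site. The hosts are
# reserved example names, and the "obfuscated" script only encodes a harmless alert(1).
_OBFUSCATED = "eval(unescape('" + "".join(f"%{ord(c):02x}" for c in "alert(1);" * 4) + "'));"
SAMPLE_PAGE = f"""<html><body>
<h1>Skate shop (constructed sample)</h1>
<script src="/js/menu.js"></script>
<iframe src="http://exploit.example.invalid/x.htm" width="0" height="0"></iframe>
<script>{_OBFUSCATED}</script>
</body></html>"""

if __name__ == "__main__":
    for reason, value in scan_html(SAMPLE_PAGE, "shop.example"):
        print(f"{reason:20} {value}")
```

Run against the sample, the scanner reports the off-site iframe, its zero size, and the decode-and-run script; the site's own `/js/menu.js` produces nothing. Scanning a stored copy of each page, or comparing what the web server returns against the files on disk, is the cheapest way to notice this kind of injection before visitors do.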

    Microsoft has posted revisions to its Security Advisory with its latest analysis of the underlying flaw in this attack. The advisory also states that Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable.

    The Trend Micro Smart Protection Network already detects the malicious scripts as well as WORM_AUTORUN.BSE at the desktop level, and provides solutions for the removal of the worm. We recommend using the Trend Micro Web Protection Add-On.

    Planning your fall holiday? Be careful when booking flights online or opening emails about your “online flight ticket”—or you could crash-land on a heap of malware trouble.

    TrendLabs researchers caught spammed email messages featuring bogus eTickets supposedly from Continental Airlines, the fourth-largest airline in the U.S. The message thanks the recipient for availing of a new service called “Buy flight ticket Online” and provides account details (even a password). It then tells the recipient to simply print out the attached “purchase invoice and plane ticket” before using them, and they’re off! How convenient!

    Here’s a screenshot:

    The attachment is named E-TICKET.ZIP, which in turn contains the file E-TICKET.DOC.EXE. “It’s the old double-extension trick to hopefully fool the user to double-click the attachment,” observed Advanced Threats Researcher Joey Costoya.

    Trend Micro detects the file contained in the zipped attachment as WORM_AUTORUN.CTO. This worm propagates via removable drives and accesses websites to download other possibly malicious files. It also uses the icon of a Microsoft Word document to avoid easy detection and consequent removal.
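The double-extension trick and the borrowed Word icon both rely on the name and appearance of the file, not its contents, so a mail gateway or helpdesk script can catch them by looking at both. The following is an added example for this post, not Trend Micro code: it opens an attachment archive, flags member names that end in an executable extension behind a document-looking one, and checks whether the first bytes carry the PE `MZ` signature. The archive it inspects is built in memory with a dummy `MZ` stub standing in for the real payload.

```python
import io
import os
import zipfile

# Extensions a user reads as "a document" versus ones Windows will execute.
DOC_LIKE = {".doc", ".docx", ".pdf", ".xls", ".ppt", ".txt", ".jpg"}
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def classify_member(name, head):
    """Return the reasons one archive member looks suspicious (empty list if none).

    name: the member's file name inside the archive
    head: the first bytes of its content (two are enough for the PE check)
    """
    reasons = []
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(base)[1].lower()
    # E-TICKET.DOC.EXE: executable extension hiding behind a document one.
    if ext in EXECUTABLE and inner_ext in DOC_LIKE:
        reasons.append("double-extension")
    # Windows executables (PE files) start with the two bytes "MZ".
    if head[:2] == b"MZ":
        reasons.append("pe-executable")
        if ext not in EXECUTABLE:
            reasons.append("pe-disguised-as-non-executable")
    return reasons


def scan_attachment(zip_bytes):
    """Map every file in a zip attachment to its list of reasons."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                head = member.read(2)
            report[info.filename] = classify_member(info.filename, head)
    return report


def build_sample_attachment():
    """Constructed stand-in for E-TICKET.ZIP; the payload is an inert MZ stub, not malware."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("E-TICKET.DOC.EXE", b"MZ" + b"\x00" * 62)
        archive.writestr("itinerary.pdf", b"%PDF-1.4\n")
    return buffer.getvalue()


if __name__ == "__main__":
    for filename, reasons in scan_attachment(build_sample_attachment()).items():
        print(f"{filename:20} {', '.join(reasons) or 'ok'}")
```

The content check matters because Windows Explorer hides known extensions by default, so a user sees `E-TICKET.DOC` with a Word icon and nothing in the name warns them; the `MZ` bytes do not change with the name or the icon. The same two checks apply just as well to a plain `.doc`-named file that is really an executable.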

    Costoya also said, “The phrase Your credit card has been charged… will just add more worry for the user, convincing him more to examine (read: double-click) the ‘flight details.’”

    This seems to be a renewed campaign, as we first saw it in late August—only the featured airline then was Northwest Airlines, and the spam attachment led to rogue AV installation instead of a worm. Since then, the transaction fee has gone up; Northwest supposedly charged almost $700 while Continental about $915. And JetBlue Airways, it would seem, “charged” even more, according to this sample:

    Users who receive the same messages, please don’t click on the attachment. Trend Micro has already stopped this worm’s takeoff with the Smart Protection Network.

    Posted in Malware, Spam | 1 TrackBack »


    Jul 9, 10:04 am (UTC-7)

    While China is bracing for the 2008 Summer Olympics that it will be hosting in the capital of Beijing from August 8 to August 24, 2008, malware authors are now also busy mounting attacks that play on this quadrennial sporting event.

    Reports have surfaced about a zero-day MS Word vulnerability affecting Microsoft Word 2002 Service Pack 3. It is said to affect even patched versions of the popular word-processing application on certain MS Office versions. When exploited, the unspecified remote code-execution vulnerability could allow remote attackers to take complete control of an affected system, or cause the application to crash.

    TrendLabs experts confirm that malicious .DOC files are spreading in the wild, and add the following observation: they use the imminent Olympics as a lure to get more users to open them.

    The samples that TrendLabs has come across are detected as TROJ_MDROPPER.ZT and have the following file names:

    • attachment .doc
    • appeal_letter_of_fttj.doc
    • attend_the_opening_ceremony_of_the_29th_olympic_games_in_beijing.doc
    • lingotto_con_fiat.doc
    • tibetan_independence_vs_beijing_olympic.doc

    Here are screenshots of two of these files:

    These files are zero-day exploits under CVE-2008-2244.

    Furthermore, TrendLabs has seen more than just Trojanized Word files; there are also Trojan samples of .PPT and .XLS circulating, all having to do with the Olympics and the Tibet conflict. The conflict is related to the Olympics as it has spurred pro-Tibetan parties to call for an Olympic boycott.

    Here are screenshots of the PowerPoint samples:

    And a screenshot of one Excel file:

    Trend Micro detects the malicious Excel files as TROJ_MDROPPER.ZY, and the PowerPoint files as TROJ_PPDROP.M. It is important to note that these files have not been confirmed to exploit zero-day vulnerabilities as of yet. Please stand by for updates.

    With 10,500 athletes expected to compete in 28 sports, the Olympics is the most prestigious affair of its kind, and as such commands a worldwide audience. It is thus expected that it will be included in malicious users’ arsenal of social engineering techniques.

    We have already seen it referred to in four separate incidents this year alone, as detailed in these posts:

    • Trojanized .DOC Files in Targeted Attack
    • Trojanized Word Docs Used in Another Targeted Attack
    • Spam Buys Tickets to Euro 2008
    • Storm Makes Fake Quake Felt

    The Trend Micro Smart Protection Network already has Trend Micro customers covered by blocking this threat. We urge non-Trend Micro users to beware of this particular attack and to use appropriate protection.

    Updates as of July 10, 2008, 3:00 PM, PST

    TROJ_MDROPPER.ZT

    Upon successful exploitation, TROJ_MDROPPER.ZT executes shellcode that runs an embedded file. The embedded file may be any of the following:

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

    The exploit involved is similar to a previously patched vulnerability, which also allows remote code execution. More information on this vulnerability can be found on this Microsoft page.

    TROJ_MDROPPER.ZY

    Upon successful exploitation, TROJ_MDROPPER.ZY drops the following files:

    (Note: %User Temp% is the current user’s Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

    TROJ_PPDROP.M

    Upon successful exploitation, TROJ_PPDROP.M drops the following files:

    Neither TROJ_MDROPPER.ZY nor TROJ_PPDROP.M is a zero-day exploit.


    In early June, Storm creators inundated inboxes with love-themed email messages, as they are wont to do. Now, three weeks later, a new deluge of Storm spam is bringing news of a “new” earthquake that supposedly struck China.

    There are several subject lines used, mostly referring to the earthquake. A sample of a spammed email message is as follows:

    This does not seem to refer to the month-old Sichuan earthquake that devastated parts of the said country on May 12, but is rather bogus news meant to cast the upcoming 2008 Olympics in a dangerous light (as can be inferred from a most telling line in the quoted text below). The link in the message body points to a Web site, where the following text appears (emphasis ours):

    Strongest earthquake hits Beijing A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either Open or Run.

    The above text is followed by a supposed video which, when clicked, downloads a file named BEIJING.EXE. This is a malicious file detected by Trend Micro as WORM_NUWAR.YH.

    Carrying “news” in the spammed email messages it issues is another old trick from Storm’s social engineering book. After hitchhiking on real news the first time (which earned it its “Storm” brand), Storm’s subsequent headlines did not necessarily have to be true, as long as they still hinted of gloom and doom. The same method was seen when bogus warnings of missile strikes and World War III were propagated.

    So goes the latest development in this long-running malware family, which has so far been the most active in maintaining its social engineering calendar, churning out spam and malware on (or in anticipation of) red-letter dates — or, in this case, stringing together sensational headlines that trivialize genuine tragedies.

    While not from the Storm botnet, aftershocks of last May’s real earthquake came in the form of a scam targeting would-be donors to the rescue efforts in China. Of course, it seems particularly insensitive either to target those who want to help or to make up an incident that could revive fears so soon after such an event actually came to pass, but compassion is not something one could expect from criminals.

    Users of Trend Micro products with Smart Protection Network are already protected from the abovementioned spam. We recommend that others be careful not to click haphazardly on similar-sounding email messages that are unsolicited, as their curiosity and/or good intentions might work in malicious users’ favor.

    Posted in Malware, Spam | Comments Off



    The terrible news of a Tokyo man going on a stabbing spree is now making the rounds in spam, PandaLabs first reported. Samples of the spam were seen a mere couple of days after the incident, in which 17 people were reported killed by stab wounds in just three minutes after first being run down by a truck driven by a 25-year-old man.

    Interestingly, the spammed email message (shown above) is in Spanish. It looks like a notice from RPP, or Radio Programas del Peru. Trend Micro threat researchers think that it could have worked in the spammers’ favor had it been in Japanese. Then again, Peru has a Japanese community, and one of its last presidents was of Japanese descent — so it actually makes sense for it to be directed at Peruvian or Latin American Internet users.

    The message is believed to have been fashioned for Spanish users because the description of the event indicates “Spanish mainland time zone,” according to threat researcher David Sancho. The intended recipients could indeed have been from Spain. “It could also mean that the text was ripped from a news story from Spain.”

    The video grab contained in the message is meant to get users to view a clip, but it actually downloads malware.

    Trend Micro is still looking further into this case. More details will be posted as they become available.

    Posted in Spam | Comments Off



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice