Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    December 2014
    S M T W T F S
    « Nov    
     123456
    78910111213
    14151617181920
    21222324252627
    28293031  
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Michael Tants (Threats Analyst)




    Today, spam may not be regarded as the most high-profile concern, but it’s still a serious day-to-day threat. Every month, our users alone have to deal with billions of spam messages. These are also frequently used to deliver malware using attachments or links to malicious sites.

    One of the most powerful tools in dealing with spam is IP reputation. This checks the IP address that sent a particular email against addresses that are known to have sent spam messages before. These addresses come both from external sources and internal threat intelligence sources.

    IP reputation is necessary because of the large volume of spam messages that all organizations have to deal with. The volume is simply too high to try and filter email based strictly on content and/or included links. IP reputation is able to catch large volumes of spam messages with relatively little resources expended by the organization. This also reduces the load on other security solutions like content and file scanning. Error messages can be sent back so the sender of the email can be informed about the reason why their messages were not accepted.

    Many organizations rely on email as a key communications tool. With more and more spam messages arriving in their mailboxes, they are always looking for spam filtering solutions. IP reputation is an excellent solution in this context; the organization’s mail servers check the IP reputation of the sending server during the SMTP handshake. This gives the receiving server an opportunity to reject incoming emails.

    Sometimes, however, even legitimate email senders get affected by this. For example, if the server they are using, or the server used by their email provider was flagged for sending spam in the past, then the emails they send may be tagged as spam. In this post, we’ll explain more why this happens, and how email senders can take action.

    How do legitimate email senders get tagged as spammers?

    There are many more parties involved in email than just “sender” and “recipient”. There are actually multiple “roles” involved, which include the following:

    • Email Service Provider (ESP)
    • ESP customers
    • Spammers
    • Security solution providers
    • Users of email security solutions

    Email service providers are organizations that allow their customers to send large numbers of bulk emails, such as newsletters. ESPs provide a good channel for business owners to be able to communicate with their customers. However, this is also seen by cybercriminals as an opportunity to reach their potential victims. Spammers compromise the account of legitimate email senders or even sign up for the ESP services themselves to abuse it. When this happens and spam messages sent through the ESPs are analyzed by email solutions, the SMTP servers of ESPs can inadvertently end up in IP blacklists.

    More often than not though, when an IP address is added to a blacklist, the registered owner is notified. The notification is sent to the contact information available through whois (In many cases, the ESP will be the listed organization here.). This makes it critical for the whois information to be updated, because if an IP is “wrongfully” added to a blacklist because of spammers using the same ESP, the result will be a false positive – when legitimate email servers are flagged as spam senders.

    Are your emails being flagged as spam?

    If you think your emails are being flagged as spam, the best course of action is to contact the ESP for assistance. The ESPs should serve as the liaison between their customers and security providers with IP reputation technologies. We, for instance, proactively work with various ESPs. In these cases, we provide the information necessary to shut down any abuse to the ESP, so no addresses need to be listed in blacklists and legitimate customers are not affected.

    Email remains to be a very effective tool to communicate via the Internet and we find great importance in making sure that it does not get abused for cybercriminal operations.

     
    Posted in Spam | Comments Off



    Recently, the German Federal Office for Information Security disclosed that the email accounts of up to 16 million users had been compromised. The computers of these users were infected with information-stealing malware which were used to steal these login credentials.

    The German government has set up a page where users can check if their email accounts have been compromised. We recommend that users in Germany check their accounts, as we’re seeing a re-occurrence of certain scams which rely on compromised email accounts.

    Recently, a German user came to us saying that his friends had told him his account was sending suspicious emails. He later discovered that both his email and his Facebook accounts had no content. The user changed their email password, but this did not stop the suspicious activity.

    Soon after, contacts began receiving emails from a new email address that was near-identical to the original address. The new address was an alias of the original and had an additional “I” in the name (e.g., “badboy” became “badIboy”), which recipients may not notice at first glance.

    These emails use the well-worn “distressed tourist” scam.  The emails claim that the sender was attacked in a foreign country and requires financial aid to get home.


    Figure 1. Email asking for money

    Users who actually reply to this initial email soon get another one with details on how to send money. The abuse only stopped after the new address was removed from the original account’s list of aliases.


    Figure 2. Second email providing details

    Protecting email accounts should be a top priority, considering the amount of sensitive information stored in them and the other accounts that can be controlled via password resets. Users should remember a few key safety tips:

    • Always use different complex passwords or passphrases for different accounts. Password managers can help create and manage multiple online accounts.
    • Opt for two-factor authentication when possible.
    • Only log in using secure and trusted devices. Think twice before logging in from public devices such as Internet cafes.
    • Users can also opt for encryption services for added protection.
     
    Posted in Social | Comments Off



    While filtering URLs from emails gathered with an email honey pot we came across mails containing URLs pointing to a file named “video.exe”. We assumed it to be a very obvious hint to possible malicious activity, so we decided to get our hands dirty and do some digging. Here’s a screenshot of the sample mail:

    The URL behind the Watch hyperlink is a redirection made by doubleclick.net which is an advertising service. It seems that the file was moved from its server, causing the advertising service to make a redirection to certain Web sites that also host the file VIDEO.EXE. The said file is detected by Trend Micro as TROJ_NUWAR.ZJ.

    So far we have seen two Web sites that seem to have been compromised to house the malicious file. The sites hxxp://infopointitalia.it and hxxp://escortsmurcia.com are the two sites affected, but it should be noted that visiting the sites won’t trigger infection; adding the filename VIDEO.EXE to the end of the URL however, will lead to trouble (users are warned that doing this will lead to possible malware infection). Owners of both affected Web sites had been informed of this, and as of this writing, the malicious file had been removed from hxxp://escortmurcia.com.

    TROJ_NUWAR.ZJ installs itself as a service on the affected system and hooks the browser with a malicious BHO (browser helper object). In doing so, it is able to download a text file that contains several URLs related to porn and advertising Web sites. It also writes on text files found on the affected system words related to adult, pharmacy and finance Web content.

    The trouble does not end there. When the user restarts the browser or the affected system, several annoying “spyware warning” symptoms start to appear:

  • The browser starts with a file named C:Windowsindex.html instead of the homepage URL. It then displays a Web site for an antispyware product.
  • A warning appears on the screen that their system if being infiltrated, prompting the installation of an antispyware application. A “Windows Security Center Warning” also appears on the taskbar, telling the user that their computer is running slowly due to malware activity. Here is a screenshot of the said warnings:
  • Another warning is shown through Internet Explorer, showing an image similar to Windows Security Center messages, telling the user that a possible spyware infection has been detected:
  • The desktop background image is changed to a picture of alarming color, made to rattle the user:
  • Task Manager is disabled by the malware, inabling the user from terminating the malware process. When the user gets desperate and finally tries to download the “AntiSpySpider” software to solve the issue, the user will find that the system is still infected.
  • Searching “AntiSpySpider” through Google reveals that it is indeed a rouge antispyware program.
  • Additionally, the initial redirection the advertising server does seem to make a connection to an other URL, hxxp://{BLOCKED}front.net/l.php?id=119.The URL leads to a download of a windows executable that is runtime encrypted. Playing around with the ids at the end of the URL leads to several other files that are binary different but of the same size and are triggering the heuristic detection TROJ_TIBS.JHT.

    All files involved were already submitted to TrendLabs for detection.

    The article is based on a joint research with Alice Decker.

     
    Posted in Bad Sites, Malware | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice