    TrendLabs Security Intelligence Blog

    Author Archive - Michael Tants (Threats Analyst)

    Recently, the German Federal Office for Information Security (BSI) disclosed that the email accounts of up to 16 million users had been compromised. The computers of these users were infected with information-stealing malware, which was used to steal the login credentials.

    The German government has set up a page where users can check whether their email accounts have been compromised. We recommend that users in Germany check their accounts, as we are seeing a recurrence of certain scams that rely on compromised email accounts.

    Recently, a German user came to us saying that his friends had told him his account was sending suspicious emails. He later discovered that both his email and his Facebook accounts had been emptied of their content. He changed his email password, but this did not stop the suspicious activity.

    Soon after, his contacts began receiving emails from a new address that was near-identical to the original one. The new address was an alias of the original account with an additional “I” inserted into the name (e.g., “badboy” became “badIboy”), a difference recipients may not notice at first glance.

    These emails use the well-worn “distressed tourist” scam: the sender claims to have been attacked in a foreign country and asks for money to get home.

    Figure 1. Email asking for money

    Users who reply to this initial email soon receive a second one with details on how to send the money. In this case the abuse only stopped after the new address was removed from the original account’s list of aliases; changing the password alone had not been enough.

    Figure 2. Second email providing details
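    The “badboy” / “badIboy” trick works because the two addresses look the same in a mail client’s sender column. The following is an added example, not code from the original post: a small check that flags an inbound sender address which is within one edit of a known contact’s address after folding look-alike glyphs (I/l/1, O/0). The contact list, the messages and the glyph-folding table are constructed for the example; the addresses are hypothetical.

```python
"""Flag inbound mail whose sender address imitates a known contact's address.

Added example for this post; the contact list and messages below are
constructed test data, not material from the original incident.
"""
from typing import Dict, Iterable, List, Optional

# Glyph pairs that are easy to confuse in a mail client's sender column.
# This folding table is an assumption for the example, not an exhaustive list.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})

# Constructed address book of the recipient (hypothetical addresses).
KNOWN_CONTACTS = {"badboy@example.com", "carol@example.net", "dave@example.org"}

# Constructed inbound messages; only the sender and subject matter here.
SAMPLE_MESSAGES = [
    {"from": "badIboy@example.com", "subject": "Urgent help needed, I am stuck abroad"},
    {"from": "badboy@example.com", "subject": "Photos from the trip"},
    {"from": "newsletter@example.org", "subject": "Weekly digest"},
    {"from": "carol@example.net", "subject": "Lunch?"},
]


def normalize(address: str) -> str:
    """Lower-case the address and fold look-alike glyphs, so that
    'badIboy' and 'badlboy' both compare as 'badiboy'."""
    return address.strip().lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserting one 'I' into a name costs exactly 1."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def lookalike_of(sender: str, contacts: Iterable[str], max_distance: int = 1) -> Optional[str]:
    """Return the known contact that `sender` imitates, or None.

    An address that exactly matches a contact (case-insensitively) is the
    real contact. Anything else within `max_distance` edits of a contact,
    after glyph folding, is reported as a look-alike."""
    contacts = list(contacts)
    if sender.strip().lower() in {c.strip().lower() for c in contacts}:
        return None
    target = normalize(sender)
    best: Optional[tuple] = None
    for contact in contacts:
        d = edit_distance(target, normalize(contact))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, contact)
    return best[1] if best else None


def flag_messages(messages: Iterable[Dict[str, str]], contacts: Iterable[str]) -> List[Dict[str, str]]:
    """Run the look-alike check over a batch of messages."""
    contacts = list(contacts)
    flagged = []
    for msg in messages:
        imitated = lookalike_of(msg["from"], contacts)
        if imitated is not None:
            flagged.append({"from": msg["from"], "imitates": imitated, "subject": msg["subject"]})
    return flagged


if __name__ == "__main__":
    for hit in flag_messages(SAMPLE_MESSAGES, KNOWN_CONTACTS):
        print(f"{hit['from']} looks like {hit['imitates']}: {hit['subject']!r}")
```

    A real deployment would run this against the recipient’s own address book at delivery time, since the contact list is exactly what makes a near-match suspicious; a distance threshold above 1 quickly produces false positives on short local parts.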

    Protecting email accounts should be a top priority, considering the amount of sensitive information stored in them and the other accounts that can be taken over through password resets sent to them. Users should remember a few key safety tips:

    • Always use different, complex passwords or passphrases for different accounts. A password manager can create and manage the passwords for multiple online accounts.
    • Opt for two-factor authentication whenever it is offered.
    • Only log in from secure, trusted devices. Think twice before logging in from public devices such as those in Internet cafes.
    • After a compromise, do not stop at changing the password: review the account’s aliases, forwarding rules and recovery addresses, and remove anything you did not set up yourself, since an attacker-added alias survives a password change.
    • Users can also opt for email encryption services to protect the content of their messages.
    Posted in Social

    While filtering URLs from emails gathered with an email honeypot, we came across mails containing URLs pointing to a file named “video.exe”. We took this as a fairly obvious hint of malicious activity, so we decided to get our hands dirty and do some digging. Here is a screenshot of the sample mail:

    The URL behind the “Watch” hyperlink is a redirection made by an advertising service. It seems that the file was moved from its original server, causing the advertising service to redirect to other Web sites that also host the file VIDEO.EXE. The file is detected by Trend Micro as TROJ_NUWAR.ZJ.

    So far we have seen two Web sites that appear to have been compromised to host the malicious file. The sites hxxp:// and hxxp:// are the two affected. Note that merely visiting the sites does not trigger an infection; appending the filename VIDEO.EXE to the end of the URL, however, will lead to trouble (users are warned that doing this may infect their systems). The owners of both affected Web sites have been informed, and as of this writing the malicious file has been removed from hxxp://
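    The mail’s “Watch” link is worth a second look precisely because the visible text says nothing about an executable: the .exe sits behind a redirector. The following is an added example, not the honeypot tooling the post describes, showing how to extract the links from an HTML mail and flag any whose target, or whose redirector URL parameter, ends in an executable extension. The sample message is constructed and its hosts (example.* names) and the `url=` parameter name are assumptions for the example.

```python
"""Pull the links out of an HTML mail and flag ones that lead to an executable,
directly or through a redirector's URL parameter.

Added example for this post; the message below is constructed and the hosts in
it are hypothetical (example.* names), not the ones from the original mail.
"""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qs, urlparse

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample: a "Watch" link that goes through an ad-click redirector
# whose url= parameter points at video.exe, plus a harmless link.
SAMPLE_EMAIL = """\
From: friend@example.net
To: victim@example.com
Subject: you have to see this video
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Check this out!</p>
<a href="http://ads.example.org/click?id=4711&url=http%3A%2F%2Fwww.example.com%2Fvideo.exe">Watch</a>
<a href="http://www.example.com/about.html">About us</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_bodies(msg: Message) -> Iterator[str]:
    """Yield every text/html part, decoded with its declared charset."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def points_to_executable(url: str) -> bool:
    return urlparse(url).path.lower().endswith(EXECUTABLE_EXTENSIONS)


def embedded_urls(url: str) -> Iterator[str]:
    """URLs carried inside a redirector's query string (e.g. ?url=http%3A%2F%2F...)."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if re.match(r"https?://", value, re.I):
                yield value


def suspicious_links(raw_email: str) -> List[Dict[str, object]]:
    """Return the links in `raw_email` that deserve a closer look, with reasons."""
    findings = []
    for body in html_bodies(message_from_string(raw_email)):
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            reasons = []
            if points_to_executable(href):
                reasons.append("link target is an executable")
            for inner in embedded_urls(href):
                if points_to_executable(inner):
                    reasons.append(f"redirector forwards to executable {inner}")
            if reasons:
                findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"[{f['text']}] {f['href']}\n    " + "\n    ".join(f["reasons"]))
```

    This only catches the executable when it is named in the URL; a redirector that resolves the target server-side, as the advertising service in this case did once the file moved, has to be followed (in a sandbox) to see where it finally lands.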

    TROJ_NUWAR.ZJ installs itself as a service on the affected system and hooks the browser with a malicious BHO (browser helper object). Through the BHO it downloads a text file that contains several URLs of porn and advertising Web sites. It also writes words related to adult, pharmacy and finance Web content into text files found on the affected system.

    The trouble does not end there. When the user restarts the browser or the affected system, several “spyware warning” symptoms start to appear:

  • The browser starts with a file named C:\Windows\index.html instead of the home page URL. This page displays a Web site for an antispyware product.
  • A warning appears on the screen that the system is being infiltrated, prompting the installation of an antispyware application. A “Windows Security Center Warning” also appears in the taskbar notification area, telling the user that the computer is running slowly due to malware activity. Here is a screenshot of the said warnings:
  • Another warning is shown through Internet Explorer, using an image styled after the Windows Security Center messages and telling the user that a possible spyware infection has been detected:
  • The desktop background image is changed to an alarmingly colored picture, made to rattle the user:
  • Task Manager is disabled by the malware, preventing the user from terminating the malware process. When the user gets desperate and finally downloads the “AntiSpySpider” software to solve the issue, they will find that the system is still infected.
  • Searching for “AntiSpySpider” on Google reveals that it is indeed a rogue antispyware program.
  • Additionally, the initial redirection by the advertising server also appears to connect to another URL, hxxp://{BLOCKED}. That URL leads to a download of a Windows executable that is runtime-packed (encrypted). Varying the IDs at the end of the URL yields several other files that differ in content but are of the same size, and which trigger the heuristic detection TROJ_TIBS.JHT.
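    Several of the symptoms above leave artifacts in well-known registry locations: the browser start page, the DisableTaskMgr policy value, and the list of registered browser helper objects. The following is an added example, not Trend Micro’s tooling, that parses a registry export (.reg) and reports those three indicators. The registry paths are the standard Windows locations for these settings; the sample export is constructed, the BHO CLSIDs and the allow-list are made up, and whether TROJ_NUWAR.ZJ writes exactly these values is an assumption of the example rather than something the post states.

```python
"""Triage an exported registry (.reg) file for rogue-antispyware symptoms:
a browser start page pointing at a local file, Task Manager disabled by
policy, and browser helper objects missing from an allow-list.

Added example for this post. The sample export is constructed; the CLSIDs
in it are made up. The check list mirrors the symptoms the post describes,
not a verified list of what TROJ_NUWAR.ZJ itself writes.
"""
import re
from typing import Dict, FrozenSet, List

# Standard Windows locations, lower-cased because the registry compares
# key and value names case-insensitively.
IE_MAIN_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"

# Hypothetical allow-list of BHO CLSIDs the organisation expects to see.
KNOWN_BHOS: FrozenSet[str] = frozenset({"{AAAAAAAA-0000-0000-0000-000000000001}"})

# Constructed export in the format regedit / 'reg export' produce
# (strings are quoted with doubled backslashes, DWORDs are 'dword:' + 8 hex digits).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="C:\\Windows\\index.html"
"Window Title"="Example Browser"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Known toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12345678-ABCD-4321-DCBA-0123456789AB}]
@=""
"""


def decode_value(raw: str):
    """Decode the value syntaxes this example needs: quoted strings and dwords.
    Anything else (hex:, expandable strings) is returned unchanged."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key: {value_name: value}}.
    Hex continuation lines (no '=') are skipped; value names are assumed
    not to contain '='."""
    tree: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"').lower()
        tree[current][name] = decode_value(raw)
    return tree


def triage(tree: Dict[str, Dict[str, object]], known_bhos: FrozenSet[str] = KNOWN_BHOS) -> List[str]:
    """Return human-readable findings for the three indicators."""
    findings: List[str] = []
    start = str(tree.get(IE_MAIN_KEY, {}).get("start page", ""))
    if re.match(r"^[a-z]:\\", start, re.I) or start.lower().startswith("file:"):
        findings.append(f"IE start page points at a local file: {start}")
    if tree.get(POLICY_KEY, {}).get("disabletaskmgr") == 1:
        findings.append("Task Manager disabled (DisableTaskMgr=1)")
    for key in tree:
        if key.startswith(BHO_KEY + "\\"):
            clsid = key.rsplit("\\", 1)[1].upper()
            if clsid not in known_bhos:
                findings.append(f"Unknown browser helper object: {clsid}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print("-", finding)
```

    On a live system the same three lookups can be made with `reg query` or PowerShell’s `Get-ItemProperty`; the parser above is for the common incident-response case where an export of the affected hives is all that is available. A CLSID not on the allow-list is a lead, not a verdict: resolve it under HKEY_CLASSES_ROOT\CLSID to find the DLL it loads before drawing conclusions.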

    All files involved were already submitted to TrendLabs for detection.

    This article is based on joint research with Alice Decker.

    Posted in Bad Sites, Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice