    Author Archive - Paul Oliveria (Technical Communications)




    Our researchers at TrendLabs have discovered a new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal. We have also received reports that the said link is circulating in instant messaging applications and private messages in social networking Web sites, too.

    Once the said URL link is clicked, the Web threat infection chain begins and ultimately leads to the download of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX. This Trojan is a rogue antivirus that displays very convincing (and for some, alarming) messages, such as the following:

    Note that since users are only using the “trial version,” TROJ_FAKEAV.CX even convinces users to get the full version so that they are always supposedly protected:

    TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users — for example, they modify the system’s wallpaper and screensaver settings to display BSOD (Blue Screen of Death/Doom). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it.

    Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months (the Anjelina spam being one of the more recent examples).

    Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cyber criminals are riding on this season to ramp up their profits. Bad news for the infected users, though, as their latest versions of “antivirus software” are actually adding more threats to their system.

    Trend Micro is still investigating this spam run. Updates will be posted when more information becomes available.




    Rumors about the Internet as we know it dying by 2012 have been circulating for some time now, so it’s not really that surprising when the TrendLabs Content Security team was alerted that a Trojan is taking advantage of this conspiracy theory in order to trick users into running it.

    Then again, spammed email messages with sensational headlines do make even the most cautious computer users take a peek (the latest NUWAR/Storm run being a prime example). What more when the headlines in question tell them that the Internet, which has practically been an extra limb for them since the last century, will suddenly be up for…TV-like subscriptions?

    The malware involved in this spam run is detected by Trend Micro as TROJ_PIDIEF.JT, a Trojan that arrives as a PDF file named DOC.PDF. This file promises more information regarding the alleged Internet death, and based on the email subjects and details it arrives with (see sample messages below), it’s not easy NOT to double-click on it:

    PIDIEF Trojans are known malware droppers or downloaders, so once users click on the attached PDF file — and whether or not they believe the theory — another piece of malware is already up and running on their systems and performing its malicious routines. The death of the Internet is going to be the least of their problems after that…

    Trend Micro already blocks this spam with its Smart Protection Network. Other users, as always, are advised to keep their systems and applications up to date with the latest security patches and to be wary when opening suspicious email, no matter how interesting they appear to be.




    whitehouse.org

    Joining the growing list of Web site compromises is whitehouse.org, the “officious” parody site of the current U.S. White House administration, and all the colorful punditry that accompanies it.

    According to Trend Micro Advanced Threats Researcher David Sancho, whitehouse.org has been compromised to harbor malicious, obfuscated JavaScript code that silently downloads a malicious file (detected by Trend Micro as TROJ_DELF.GKP) onto the systems of unsuspecting visitors to the site.

    Of course, the official White House Web site is whitehouse.gov, and although it has been reported that some people believe whitehouse.org is the real deal, even those looking for this site specifically should be forewarned.

    This incident is yet additional proof that Web threats are no joke (pun intended).

    Additional information provided by Advanced Threats Researcher Paul Ferguson.




    Unsuspecting users who may wish to buy (or simply admire) the new Honda Accord are warned that they may fall victim to a drive-by download leading to the installation of info-stealing malware. TrendLabs discovered today an attack on the official Web site of Honda Cars in Thailand.

    According to Advanced Threats Researcher Jonell Baltazar, who discovered the compromise, the affected page, hxxp://www.honda.co.th:80/accord, was injected with a malicious script tag (detected by Trend Micro as HTML_IFRAME.QJ), which loads a page within the cleverly named getanewmazda.info domain. This page contains a script that probes for vulnerabilities in order to download and execute a certain file on the victim’s system. The downloaded file (which is named crypt.exe and saved as c:winQZfio771.exe) is detected as TSPY_ZBOT.LA.

    This compromise was discovered through a feedback technology built into our customers’ products. This mechanism allows our systems to monitor and block potentially malicious URLs. In this case, a client visit to the compromised site automatically registered the HTML_IFRAME.QJ detection, thereby protecting the user from further infection. Trend Micro Web Threat Protection has prevented access to the compromised site, protecting customers from possible infection.
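    The injection described above (a script tag on a legitimate page that pulls a loader from an unrelated domain) can be spotted by a simple defensive check: parse the page and flag any script or iframe whose src points off-site, noting whether an iframe is also hidden. This is an added example written for this post, not Trend Micro's detection code; the page markup is constructed, and only the two domain names are taken from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate same-origin script plus an injected,
# zero-size hidden iframe loading content from a third-party domain.
SAMPLE_PAGE = """
<html><body>
<script src="/js/main.js"></script>
<h1>Accord</h1>
<iframe src="http://getanewmazda.info/in.php" width="0" height="0"
        style="display:none"></iframe>
</body></html>
"""

class OffsiteLoaderFinder(HTMLParser):
    """Collect <script>/<iframe> elements whose src host is not the page's
    own host (or a subdomain of it); mark iframes that are visually hidden."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}   # attrs may carry None values
        src = a.get("src", "")
        host = urlparse(src).hostname           # None for relative URLs
        if not host:
            return                              # same origin: nothing to flag
        host = host.lower()
        if host == self.page_host or host.endswith("." + self.page_host):
            return
        hidden = tag == "iframe" and (
            a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0"
            or bool(re.search(r"display\s*:\s*none", a.get("style", ""), re.I)))
        self.findings.append({"tag": tag, "host": host, "src": src, "hidden": hidden})

def find_offsite_loaders(html, page_host):
    """Return a list of off-site script/iframe loaders found in html."""
    finder = OffsiteLoaderFinder(page_host)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for finding in find_offsite_loaders(SAMPLE_PAGE, "www.honda.co.th"):
        print(finding)
```

An off-site, zero-size iframe on a page that has never legitimately embedded third-party content is a strong signal of exactly the kind of injection reported here; legitimate CDNs and ad networks will need an allow-list in practice.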

    Below is a screenshot of the compromised page within the Honda Cars site. Note that the malicious script also affects both the English and Thai landing pages (main.html) after a user accesses any one of them:

    Screenshot of affected Honda Cars page

    The downloaded TSPY_ZBOT.LA, in turn, accesses yet another domain, from which possibly more malicious files can be downloaded. As of this writing, our researchers found user names and passwords stored in this domain, suggesting that it is used either as a phishing page or as mere storage from which cyber criminals can easily retrieve stolen information.

    This is not the first time a Thai site has been compromised. In the past couple of months, we have reported similar incidents affecting the sites of the Royal Thai Air Force and Udiya Tours of Northern Thailand, among others.

    Note that this seems to be an isolated incident: as far as the Honda enterprise is concerned, only the Honda Cars Thailand site has been injected with the malicious script. As of this writing, Honda Cars Thailand has promptly taken its site offline in order to address the matter.

    Consolidated findings of the Advanced Threats Research, APAC RTL, and Web Threat Protection teams at TrendLabs




    Iron Man just made almost a hundred million dollars during its opening weekend in the US. Yes, summer movie season has just kicked in. You know, that time of the year (even if one’s not in the said country) when all the big blockbuster flicks are jockeying for the “box office hit” title. Almost every week there is a new highly anticipated film or sequel (or, to use the now-overused term, “threequel”) opening in theaters, much to the delight of moviegoers and, in some cases, cyber criminals as well.

    The use of movies as social engineering bait by hackers is not new; in fact, it has more or less become a tradition that one has to expect every year. So while reading Entertainment Weekly’s “fearless” predictions for the season, we decided to come up with predictions of our own. Only this time we’re calling them “fearful” predictions, mainly because these are the types of predictions we hope will not come true.

    1. Spammers and phishers will lure potential victims with raffle entries for tickets or merchandise. In 2005, Revenge of the Sith became the bait of choice of a Yahoo! phishing attack. Last year, spammers sent a supposedly short survey related to The Simpsons Movie in an attempt to gather email addresses. It will not be surprising if a similar tactic pops up this year, just as the anticipation for movies like Sex and the City or the X-Files sequel reaches fever pitch. After all, in the gaming arena, it has already happened with the release of Grand Theft Auto IV.

    2. At least one piece of malware will pose as an “exclusive” trailer, free movie passes for the premiere, or the “uncut version” of a movie. Unfortunately, one has to download the “codec” or the “raffle entry form” first.

    3. The official site of one movie will get compromised. Or a high-traffic fan site or blog, for that matter. Users who would want more information about a particular flick (show times, reviews, etc.) will click on the compromised page, where a slew of malware will be downloaded onto the unknowing victim’s computer.

    Then again, with the ongoing trend of SEO poisoning and creating fake pages from scratch (which are laden with spammy links and keywords), users only need to Google a keyword in order to get infected. Speaking of SEO poisoning…

    4. “Heath Ledger” will be once again a good keyword for poisoned pages. As the buzz surrounding the actor’s portrayal of The Joker in the upcoming The Dark Knight grows louder — some already claim it’s his finest role yet worthy of a posthumous Oscar — whose interest won’t be piqued?




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice