
    Author Archive - Paul Oliveria (Technical Communications)




    Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business.

    Is it because of the “arrival” of Kraken, which, following the footsteps of MayDay and Mega-D, is challenging the said gang for the “Biggest Zombie Network” title? Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec.

    TrendLabs researchers discovered several sites that offer what looks like a YouTube-style streaming video. The infection vector and messaging are actually still the same: users are most likely to reach these sites via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download a so-called Storm Codec in order to view the video. Yes, you read that right: the codec is called Storm Codec. Below is a screenshot:

    Storm Codec

    Is that blatant enough?

    Of course, the said “codec” is actually a NUWAR/Storm variant, which Trend Micro already detects as WORM_NUWAR.JQ since April 2.

    If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it, after all (see some detailed analysis here). Thus, the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or whether they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out in late 2006. Or maybe the gang is just trying to reaffirm to their competition that they’re still the one to beat.

    In the end, though, it’s still the unsuspecting users who become collateral damage in all this brouhaha. Users are thus advised to be wary when visiting Web sites or blogs, especially those that require the installation or execution of files. Video files — especially those posted online — almost never require a separate video codec anymore, lest the site lose its much-coveted traffic to other sites (YouTube, anyone?). Come to think of it, if someone really loves a person that much, he or she won’t put that person through all the trouble of finding the appropriate codec, right?




    Two months ago, TrendLabs reported on a massive DNS poisoning attack in Mexico. The said incident is believed to be one of the first (if not the first) “drive-by pharming” attacks seen in the wild. Now, we have received reports of a similar incident — and by “similar” we mean that quite literally.

    According to Trend Micro Engineer Juan Pablo Castro, just like the previous attempt, this new attack also takes advantage of a vulnerability in 2wire modems and arrives via spammed email messages. This time, though, the email messages are disguised to trick users into thinking that they have received an electronic postcard from Gusanito.com, a popular eCard Web site.

    Once a user clicks on the link where the supposed postcard can be viewed, he or she is then directed to a spoofed Gusanito page:

    spoofed Gusanito page

    Unbeknownst to the user, the said page loads a couple of .SWF files (or Flash controls), including a malicious one that modifies the 2wire modem’s localhost table. The said routine effectively redirects users to a fraudulent site whenever they attempt to access pages related to Banamex.com — the same banking site targeted two months ago.

    Below is a screenshot of the code in the fake Gusanito page that calls the malicious Flash controls:

    malicious banner

    It seems that drive-by pharming has indeed “arrived” in the threat scene. One may wonder now who will be targeted next, given the stealth and sophistication of this threat. User awareness, product/application updates, and in-the-cloud protection are needed more than ever. For its part, Trend Micro detects the malicious .SWF file as SWF_ADHIJACK.D. All related malicious URLs have also been blocked by Trend Micro Web Threat Protection.




    In the security industry, Italy is probably best remembered for three things: the gay porn worm that hit the Italian senate in 2004, the Gromozon/LINKOPTIM event (2006), and more recently, the Italian Job (2007). Not surprisingly, other attacks followed (see this, this), and for the past couple of days, TrendLabs researchers were again alerted to a couple of malicious activities that seem to be trying to make their own marks — however bad — on the said country.

    The first attack is a slew of email messages purporting to come from “CAFF” (Comando Antifrode — which, by the way, is a non-existent organization), asking the recipients to go to a very legitimate-looking Web site because the said recipients are supposedly under investigation. Unbeknownst to these recipients, the Web site contains links that download malware.

    This incident comes on the heels of another incident TrendLabs has been monitoring because it appears to be taking a page from the Italian Job. Research Engineer Juan Pablo Castro came across several Italian Web sites that were hacked and had a folder named portal_memberdata/portraits/{random string} inserted in order to redirect users to adult sites or fake pharmaceutical sites, among others.

    Upon further investigation, it was found that all the compromised sites were built with Plone, an open-source content management platform. Juan Pablo believes that the miscreants took advantage of a vulnerability in the said platform (some have been discovered before, such as this one, according to AusCERT) to perform the above-mentioned redirection routine.

    Trend Micro already blocks malicious URLs and detects malicious files related to these recent attacks.

    Posted in Bad Sites



    Ancient Chinese belief has it that a lunar eclipse occurs because a great dragon swallowed the moon. People must therefore beat their mirrors (which represented the said celestial body) because doing so will cause the dragon to cough the moon out and return it to the sky.

    In the age of Web threats, a lunar eclipse would mean a cybercrook “swallowing” an affected system to perform his bidding. No amount of mirror-beating will resolve that.

    Yes, a total lunar eclipse just happened yesterday, and miscreants are already trying to take advantage of the said celestial event — not set to happen again until 2010 — to lure users into downloading malware onto their systems.

    TrendLabs has received samples of email messages promising a video of the eclipse. Below is a screenshot of one of the said messages:

    Sample email

    Once the user clicks on the link, however, a backdoor detected as BKDR_AGENT.AKJZ is downloaded instead.

    This is yet another example of cybercriminals riding on interesting events in order to spread threats. Those who may have missed the event or were unable to see it in the first place for geographical reasons (e.g., if it happened during the day in one’s time zone) would probably be tempted to click the link. After all, such events happen rarely, but that does not mean we should throw all caution to the wind and click on suspicious links in email messages (or even in search results pages, for that matter, given the recent malicious SEO tactics).

    Here’s a tip: there are two more eclipses in 2008. Again, not all may have the chance to see them, but best mark your calendars if you really want to see one. Solar eclipses are the best, by the way.

    Posted in Malware, Spam



    “Dial ‘M’ for malware” sounds like a good phrase to sum this up…

    TrendLabs researchers have received reports of what appears to be an attempt of a massive DNS poisoning attack in Mexico. True to the growing complexity of Web threats, the weapons of choice include social engineering, malware download, pharming, and — here’s the clincher — a DSL modem.

    Yes, the attack begins with the exploitation of a known vulnerability in 2Wire modems. The said vulnerability allows an attacker to modify the local DNS servers and hosts. One of the main Internet Service Providers in Mexico offers 2Wire modems to their customers, and it is estimated that more than 2 million users are at risk.

    Attack Flow

    According to Trend Micro Engineer Juan Pablo Castro, the said exploit arrives with a newsy email message similar to this one:

    Sample email

    The subject and the headline of the article roughly translate to “EU gave 40 years to Mexican Main narco operator of the Tijuana Cartel.”

    The said message includes the following exploit code:

    Exploit code

    Notice that the code is embedded in an “img src” tag. This means that once an unsuspecting user opens the email in its full HTML format, the exploit code automatically attempts to access the modem’s Web console and modify the local host database to redirect all requests for banamex.com — the Web site of one of the largest banks in Mexico — to a fraudulent site.

    Thus, for affected users who wish to access the banking site, even typing banamex.com — which is a legitimate, non-malicious, fully qualified domain name (FQDN) — leads to the fraudulent site. I think we all know how the rest of the story turns out…
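    A defensive check for the mechanism this post and the Gusanito drive-by pharming post above both describe (HTML that makes the recipient’s own browser silently request the modem’s Web console on the LAN): the following is an added example, not Trend Micro’s code. It parses HTML and flags every auto-fetched resource whose host is a loopback, private or link-local address, a signal a mail gateway or Web proxy can act on. The sample email, the gateway addresses and the placeholder paths are constructed and do not reproduce the real exploit.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag attributes a mail client or browser fetches with no user interaction:
# images, frames, scripts and the Flash <embed>/<object> controls.
FETCH_ATTRS = {"img": "src", "iframe": "src", "script": "src",
               "embed": "src", "object": "data"}

def targets_lan(url):
    """True if the URL's host is a literal loopback, private or link-local address."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; where it resolves is unknown at scan time
    return ip.is_loopback or ip.is_private or ip.is_link_local

class LanRefCollector(HTMLParser):
    """Collect (tag, url) pairs whose auto-fetched resource sits on the LAN."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value and targets_lan(value):
            self.hits.append((tag, value))

def find_lan_references(html):
    parser = LanRefCollector()
    parser.feed(html)
    return parser.hits

# Constructed sample: a news teaser plus a 1x1 image and a Flash control that
# point at gateway addresses (the paths are placeholders, not the real exploit).
SAMPLE_EMAIL = """<html><body><h1>Noticia del dia</h1>
<img src="http://www.example.com/banner.jpg" alt="banner">
<img src="http://192.168.1.254/PLACEHOLDER_PATH" width="1" height="1">
<embed src="http://10.0.0.1/PLACEHOLDER.swf" type="application/x-shockwave-flash">
</body></html>"""

for tag, url in find_lan_references(SAMPLE_EMAIL):
    print(f"suspicious <{tag}> fetching LAN resource: {url}")
```

    The public banner passes while the two LAN references are reported; a gateway cannot judge DNS names this way, so the check complements rather than replaces the pharming detection described below.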

    Unfortunately, that’s not all. The malicious email message also promises a “video” and includes a link that points to a malicious URL from which the .RAR archive Video_Narco.rar can be downloaded. This archive contains the malicious file Video_Narco.exe, which Trend Micro detects as TROJ_QHOST.FX.

    You’ve got to hand it to these criminals: they’re making sure no stone is left unturned, no security hole unexploited… In any case, Trend Micro already blocks all related malicious URLs/IPs with its Web Threat Protection. Even users whose DNS servers may have been poisoned will receive a notification of possible pharming activity (see image below).

    Pharming detected

    Of course, smart computing practices are still the best policy. As the Web (along with its threats) becomes — like I said — more and more complex, users should arm themselves with all the knowledge and precautions they can get.

    Additional information provided by TrendLabs Content Security


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice