
    Author Archive - Ranieri Romera (Senior Threat Researcher)

    Around the world, every day, security researchers study the activities, behaviors, forum communications, and networks of cybercriminals in an effort to make the world safe for the exchange of digital information.

    In addition to preventing attacks, we gather and share intelligence with the appropriate industry anti-cybercrime groups and law enforcement authorities.

    We’ve been tracking one particular criminal, whom we’ll call Mr. L, for some time now. He’s been preying on innocent users, primarily from Chile and Mexico, and according to our latest findings, he is still up to his old tricks of data and monetary theft. Just last week, we discovered an active command-and-control (C&C) server plus other criminal tools, including one based on a customized version of the CrimePack Exploit Pack, a practice this criminal has carried out with his previous botnets.

    We’ve already shared our findings with our law enforcement contacts but wanted you to also be aware, on your toes, and on the lookout for suspect email messages and other events.

    So what do we know so far?

    In September 2010, we published an in-depth research paper that discussed the technical aspects of this particular criminal’s botnets and toolkits.

    The first botnet Trend Micro identified was the Tequila botnet. Then came the Mariachi botnet and the Alebrije and Mehika Twitter botnets. These botnets are collectively known as the Botnet PHP family.



    A few days ago, I stumbled upon a post by a certain user in a public forum that advertised a little application developed to check the credit scores and criminal records of Brazilian citizens.

    Looking at the application, I found that it basically makes HTTP requests to public sites to retrieve the information and then displays the results. Nothing particularly malicious, right?


    However, upon checking the code, I located a function called “Virus.” The said function, unsurprisingly, downloads a Bancos Trojan detected by Trend Micro as TROJ_BANKER.LEB.


    This kind of trick is not uncommon. I’ve seen cases in which cybercriminals deceived users into downloading and using an application. What the users don’t know is that the author’s real intention is to steal bank credentials and other personally identifiable information (PII).

    Users should always keep in mind that installing and using an application is an act of trust. Any software, once installed, gains access to the system, and this may include access to critical user information. Thus, users should only install software that comes from trusted developers or verified sources.


    During a recent analysis of a particular malware sample, we came across the author’s online nickname. After some digging, we found a link to the location where the author advertised his malware and allowed others to freely download its source code.


    The blurbs on the site promote some of the malware’s features, such as the fact that it works on Windows XP, Vista, and 7 and that it can capture screenshots. It also lists the banks and browsers from which the malware can steal information.

    Eight days after we saw the page, the same person came out with a new version of his malware, which he called Version 2.0. To this, he added a new target (a credit score firm) and the ability to terminate two security programs.



    MercadoLibre, the leading auction site in Latin America, was recently used to spread malware. Cybercriminals were able to inject a malicious script into the page, which prompted users to download and run a fake Adobe Flash Player installer.

    Save file window

    The supposed installer, however, is actually a malicious file detected as TSPY_DABVEGI.E. Running this file executes the spyware’s routines on the affected system.

    This incident highlights how even “clean” and well-run websites can be used by cybercriminals to spread malware. The security team of MercadoLibre has removed the malicious code that had been injected into the pages. Hat tip to Juan Castro of Trend Micro LAR for initially bringing this threat to light.

    Posted in Malware | Latin American Auction Site Hit by Malware

    Leveraging social networking sites to gain control of user systems and make them part of botnets is no longer a new tactic. In recent research, we came across malware that uses a Twitter account to send commands to the zombies of the new Mehika Twitter botnet.

    But why are cybercriminals using a social networking site to send commands to botnet zombies? The answer is quite simple. Using a social networking site does not require installing, configuring, or managing a command-and-control (C&C) server. Instead, posting messages to a specific account instantly sends commands and instructions to the zombies.

    It is also interesting to note that since social networking sites have thousands or even millions of user profiles, locating a suspicious account is difficult, especially if cybercriminals take the time to cover their tracks.

    Trend Micro product users, however, should not worry, as Smart Protection Network™ already detects the Mehika Twitter botnet binary as WORM_TWITBOT.A and prevents it from reaching users’ systems. If you would like to know more about the Mehika Twitter botnet and its predecessors, read our latest research paper, “Discerning Relationships: The Mexican Botnet Connection.”



    © Copyright 2013 Trend Micro Inc. All rights reserved.