    Author Archive - Valerie Boquiron (Technical Communications)

    TrendLabs researchers recently received a report on malvertisements that appeared while a user was browsing through a popular Web-based email service.

    At first glance, the ads may seem like a typical Web browser nuisance. Some of the ads served, however, were confirmed to be vectors for downloading malware onto users’ systems. In one instance, an ad pointed to a URL hosting exploits that download and execute several files on affected systems. The downloaded files include a malicious JavaScript file (detected by Trend Micro as JS_BYTEVER.BG) and .PDF files (detected as TROJ_PIDIEF.GBA and TROJ_PIDIEF.GBB), among others.

    According to advanced threats researcher Jonell Baltazar, these .PDF files exploit known vulnerabilities in Adobe Reader (Collab.collectEmailInfo, Collab.getIcon, and util.printf) to download a file if the user’s copy of Reader remains unpatched. Baltazar further explains that the malicious .PDF files call the getPageNumWords() and getPageNthWord() Adobe JavaScript application programming interfaces (APIs), which return the words printed on the document’s own pages, and store the encoded payload URL in a field of the .PDF document rather than in the script itself. Because decoding depends on document content that only Adobe Reader’s JavaScript API exposes, the script defeats automated PDF and JavaScript analysis tools that extract and run it in isolation.


    As discussed in the 2010 Threat Predictions by Trend Micro CTO Raimund Genes, drive-by infections are now the norm, and a single Web visit is enough to get infected. Users are thus advised to disable JavaScript in their Web browsers, to stay vigilant, to verify URLs, and to keep their browsers updated to avoid being redirected to malicious URLs.

    Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and preventing the execution of the malicious files via the file reputation service. It also protects customers by blocking user access to malicious websites.

    Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

    Update as of March 17, 2010, 4:23 p.m. (GMT +8:00):

    Senior threat response engineer Vincent Cabuag adds that this relatively new encoding technique renders standard analysis tools ineffective at detecting the malicious script inside the .PDF file. The script is obfuscated in such a way that decoding it requires calls to specific Adobe Reader JavaScript APIs, which generic JavaScript engines do not provide. Manual analysis that emulates those APIs is therefore needed to run the embedded script.
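    The two updates above describe the same analysis problem: the script’s decoding key is not in the script but in the document, reached through Acrobat-only APIs. The following Node.js script is an added example (not code from the TrendLabs post, nor the actual TROJ_PIDIEF samples) that re-creates the pattern and the analyst’s answer to it. The page words, the field name tx_payload, the URL http://example.invalid/update.exe and the first-letter key rule are all constructed for illustration; the real samples’ key derivation is not known to this page.

```javascript
// Added example (analyst-side emulation); not code from the TrendLabs post or
// from the samples. It re-creates the obfuscation pattern described above: the
// embedded script reads words from the document's own pages via the Acrobat
// JavaScript API, derives a key from them, and decodes a payload URL stored in
// a form field. Page text, field name, URL and key rule are all constructed.

// Words an analyst would extract from page 0 of the PDF (constructed fixture).
const PAGE0_WORDS = ["Quarterly", "Update", "Invoice", "Copy",
                     "Kindly", "Review", "Enclosed", "Document"];
const PAYLOAD_FIELD = "tx_payload";                      // constructed field name
const PAYLOAD_URL = "http://example.invalid/update.exe"; // constructed, not the real URL

// Minimal stand-in for the Acrobat "Doc" object. Reader exposes many more
// methods; only what the embedded script calls is emulated here.
function makeDocStub(pagesOfWords, fields) {
  return {
    numPages: pagesOfWords.length,
    getPageNumWords(nPage) { return pagesOfWords[nPage].length; },
    // bStrip mirrors Acrobat's flag that strips punctuation and whitespace.
    getPageNthWord(nPage, nWord, bStrip) {
      const w = pagesOfWords[nPage][nWord];
      return bStrip ? w.replace(/[^A-Za-z0-9]/g, "") : w;
    },
    getField(cName) { return cName in fields ? { value: fields[cName] } : null; },
  };
}

// Key rule used by this fixture: first character of every word on page 0.
function deriveKey(words) { return words.map((w) => w.charAt(0)).join(""); }

// Repeating-key XOR emitted as hex so it fits in a text field. This is the
// producer side that filled the field; included so the example runs offline.
function encodeForField(plain, key) {
  let hex = "";
  for (let i = 0; i < plain.length; i++) {
    const b = plain.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    hex += b.toString(16).padStart(2, "0");
  }
  return hex;
}

// The decoder as it would sit in the PDF's JavaScript stream (constructed
// stand-in). Note the unqualified calls: inside Reader they resolve against
// the Doc object, so the script alone reveals neither the key nor the URL.
const EMBEDDED_SCRIPT = `
  var k = "";
  for (var i = 0; i < getPageNumWords(0); i++) k += getPageNthWord(0, i, true).charAt(0);
  var h = getField("${PAYLOAD_FIELD}").value, s = "";
  for (var j = 0; j < h.length; j += 2)
    s += String.fromCharCode(parseInt(h.substr(j, 2), 16) ^ k.charCodeAt((j / 2) % k.length));
  s;
`;

// What a generic JavaScript engine with no Acrobat API makes of the script.
function runBare(src) {
  try { return { ok: true, value: new Function("src", "return eval(src);")(src) }; }
  catch (e) { return { ok: false, error: e.name }; }
}

// Analyst emulation: expose the Doc stub's methods as unqualified names, the
// way Reader does for document-level scripts. Only run trusted stand-ins like
// this one; a real sample belongs in an isolated VM.
function runInReaderEmulation(src, doc) {
  return new Function("doc", "src", "with (doc) { return eval(src); }")(doc, src);
}

// Builds the fixture document; the field is always encoded with the key of the
// real page text, so supplying different page words models a wrong extraction.
function makeSampleDoc(pageWords) {
  const fields = {};
  fields[PAYLOAD_FIELD] = encodeForField(PAYLOAD_URL, deriveKey(PAGE0_WORDS));
  return makeDocStub([pageWords], fields);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("bare engine:", runBare(EMBEDDED_SCRIPT));
  console.log("emulated   :", runInReaderEmulation(EMBEDDED_SCRIPT, makeSampleDoc(PAGE0_WORDS)));
}
```

    Run with `node`: the bare engine stops at the first unqualified call with a ReferenceError, which is exactly the failure mode the update describes, while the emulated run yields the URL. Against a real sample the stub grows with each Acrobat method the script touches, and the page words must come from the PDF’s actual text objects, which is why this class of document cannot be triaged by extracting and running the script alone.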

    Update as of March 18, 2010, 7:54 p.m. (GMT +8:00):

    According to further research by Baltazar, the attack used the “Liberty Exploit Kit,” which bundles exploits for known Internet Explorer (IE) vulnerabilities such as MS06-014 (MDAC) and a Microsoft DirectShow flaw. The kit also includes exploits targeting Flash Player 9 (the most probable vector for the malicious ads) and the PDF exploits mentioned above.

    Thus, no user interaction beyond viewing the page is necessary for an attack to succeed. Users must keep Flash Player, Adobe Reader, and IE updated with the latest security patches in order to stay protected from this attack.


    Hot on the heels of this month’s security bulletin, a new vulnerability exploit has surfaced with malware in tow. The new zero-day vulnerability, as described in a previous post, prompted Microsoft to release Security Advisory (981374) while its investigation is still underway. This Internet Explorer (IE) vulnerability exists because of an invalid pointer reference bug within IE which, under certain conditions, can be exploited to execute hostile code.

    This vulnerability primarily affects IE 6 and 7; IE 8 is not affected. Users of the affected browsers are advised to follow the workarounds in Microsoft’s advisory until the applicable patches are released. Systems running the latest Windows versions (Windows 7 and Windows Server 2008 R2) ship with IE 8 and are therefore not affected by default. Users of earlier Windows versions would benefit from upgrading their browsers to IE 8.

    In relation to this vulnerability, Trend Micro currently detects a malicious JavaScript file as JS_SHELLCODE.CD, which exploits CVE-2010-0806 and allows the unauthorized download of files onto affected machines.

    Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious website the JavaScript connects to via the Web reputation service. It also detects and prevents the download of JS_SHELLCODE.CD via the file reputation service.

    Trend Micro Deep Security™ and Trend Micro OfficeScan™ likewise protect business users via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF10-011 release, rule number IDF10011.


    April 3 cannot come soon enough for those who are eager to get their hands on the iPad. If anything, Apple’s recent announcement that the gadget will soon be available in the United States only added to the excitement over the much-talked-about device. Unfortunately, spammers are using the current enthusiasm over the iPad to their advantage as well.

    In fact, Trend Micro anti-spam research engineers have already seen a number of spammed messages that promise free iPads to lure unwitting users into scams. In one such spam sample, recipients are invited to test the iPad at no cost by simply applying to be part of a “word-of-mouth” marketing campaign. They may not have to shell out a single cent, but the price they pay is their personal information.


    The spammed messages instruct users to reply to the email with their personal information, which spammers can easily reuse for further malicious activities. As Trend Micro anti-spam research engineer Argie Gallego recommends, “Users should be suspicious of any freebies offered online, particularly those requiring sensitive personal information such as full names and contact numbers. We have only seen a number of iPad-related spam messages so far, but we expect the numbers to rise as April 3 draws near.”

    This recent spam run is no different from the way cybercriminals leveraged the iPad launch in January, which led to a FAKEAV variant. Users should thus continue exercising caution when opening email messages from unknown senders. It is also important to be careful when conducting Web searches on hot topics such as the iPad, as these are often targeted by blackhat search engine optimization (SEO) attacks, as seen in the past. Interestingly, Apple does not own any iPad-related domain names, so users should pay close attention to URLs before they click.

    Trend Micro™ Smart Protection Network™ prevents the spammed messages from reaching users’ inboxes via the email reputation service.

    Non-Trend Micro product users can also stay protected by using eMail ID, which prevents fake messages from reaching their inboxes. It also helps users quickly find legitimate messages.


    As previously announced in the Microsoft Security Bulletin Advance Notification released last week, this month’s patch cycle includes 13 bulletins that patch 26 vulnerabilities in several versions of the Windows OS and Office. The record release is a far cry from last month’s lone patch.

    The long list includes five bulletins rated “critical,” which together patch nine vulnerabilities that could lead to remote code execution. Unless patched, any of these vulnerabilities could be exploited by an attacker to gain control of the user’s system. Most notable on the list is MS10-013, which could give an attacker complete control of an affected system. Considering the damage that exploiting this vulnerability could cause, it is very important that users patch their systems as soon as possible.

    The February release also includes seven bulletins rated “important” and one rated “moderate.” It is also worth noting the addition of MS10-015, which addresses the so-called 17-year-old hole described in Security Advisory 979682. Microsoft reiterates that while it is aware of publicly available proof-of-concept (POC) code for the issue, it has yet to see any active exploitation. More information on the complete list of security advisories can be found in this Trend Micro Security Advisory page.

    Coinciding with this month’s release is yet another FAKEAV variant, detected by Trend Micro as TROJ_FAKEAV.BLJ. This FAKEAV purports to be a Windows Automatic Update that supposedly installs a Windows XP update, then proceeds to use the same old scareware tactics, warning users of bogus system infections. Users are thus advised to download security updates only from the official Microsoft Security Bulletin page.


    Trend Micro™ Smart Protection Network™ protects users from this threat by detecting and preventing the download of harmful codecs and malicious files such as TROJ_FAKEAV.BLJ.

    Even non-Trend Micro product users can stay protected via HouseCall, Trend Micro’s free on-demand scanner that identifies and removes viruses, Trojans, worms, unwanted browser plug-ins, and other malware from infected systems.

    Update as of February 1, 2010, 9:06 p.m. (GMT +8:00):

    Microsoft has released an official statement concerning restart issues that some users experienced after installing this month’s updates. Specifically, initial analysis suggests that a limited number of users encountered a blue screen after installing MS10-015. While Microsoft continues testing, it has temporarily stopped offering the update through Windows Update. A workaround is available as a Microsoft Fix it solution.


    It has been a year since WORM_DOWNAD.AD (aka Conficker) began a trail of system infections around the world. Since then, Trend Micro has detected new variants, including WORM_DOWNAD.KK, an upgraded version that increased the number of domains the worm generates per day from 250 to 50,000.

    In recent months, things have been relatively quiet on the DOWNAD/Conficker front. This does not mean, however, that the world is now safe from the massive number of infections it previously experienced. In fact, data released by the Conficker Working Group, of which Trend Micro is a part, shows that the worm remains active. Recently released data also shows an average of more than 100 million unique IP addresses connecting to the group’s tracking systems in the first week of 2010 alone. The graph below shows the number of unique IP addresses connecting to the tracking systems over the span of one year.

    These figures are further supported by Akamai’s State of the Internet report for Q3 2009, which notes continued significant activity on port 445, the SMB port the worm uses to spread. Updates on the worm also show a shift in the trend, with most attacks now originating from Russia and Brazil, which have replaced China and the United States as the top two sources of traffic.

    As such, users should consistently patch their systems and programs as soon as fixes are made available. It is also advisable to continue disabling AutoRun to reduce risks of infection propagation or reinfection.

    Trend Micro™ Smart Protection Network™ protects users from all known variants of DOWNAD/Conficker in real time by blocking access to identified malicious sites and domains and by detecting and preventing the download of malicious files.

    The firewall modules available in Trend Micro’s desktop products stop DOWNAD/Conficker from spreading in networks. Moreover, applying the Trend Micro Deep Security solution assures protection on servers and clients against this particular and other network attacks.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice