
    Author Archive - Roddell Santos (Threats Analyst)




    Noted for its stealth routine, PlugX and its developers now appear to be using several legitimate applications, in particular those used by Microsoft, Lenovo, and McAfee, in an effort to remain under the radar.

    PlugX variants are known for using legitimate applications to load their malicious .DLL components. This .DLL hijacking technique is not new; Mandiant first discussed it in July 2010. PlugX can use any executable for this purpose and has started to use well-known applications. The malware also takes advantage of a weakness in how executables locate the .DLLs they load: the first .DLL with the expected name that is found in a specific folder is the one that gets loaded.

    Unfortunately, many applications – old and even new ones – still contain this vulnerability.
    The first PlugX variant that used this technique is BKDR_PLUGX.SME. It used the legitimate NVIDIA file NvSmart.exe, which imports the functions of the malware’s malicious .DLL. Since then, PLUGX variants have been using other applications to hide their tracks from antimalware software.

    Below are some PlugX variants that use legitimate files to load their malicious components:

    BKDR_PLUGX.DMI

    • uses HHC.EXE which is a legitimate Microsoft file for HTML Help
    • loads hha.dll, which then loads hha.dll.bak
    • both files are also detected as BKDR_PLUGX.DMI

    BKDR_PLUGX.AI

    • uses CamMute.exe, a Lenovo component of the Camera Mute Control Service for ThinkPad
    • loads CommFunc.dll, which then loads CommFunc.jax
    • both files are also detected as BKDR_PLUGX.AI

    BKDR_PLUGX.AQT

    • uses Mc.exe which is a legitimate McAfee file
    • loads McUtil.dll, which then loads McUtil.dll.url
    • both files are also detected as BKDR_PLUGX.AQT
    • connects to the fake anti-malware site vip.{BLOCKED}ate.com

    Note that in each case a specific DLL is paired with an executable. New to these variants is that the encrypted file is stored under the same file name as the DLL plus an additional extension (for example hha.dll.bak). Here is a code snippet that shows how the encrypted .DLL is loaded:

    Figure 1. Screenshot of PlugX code snippet (image not reproduced)
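As an added illustration (not code from the post), here is a small Python hunting script that flags the loader/DLL/companion triad described above on a file tree: the legitimate executable, the hijacked DLL beside it, and the companion file that carries the DLL's name plus an extra extension. The three executable/DLL pairs come from the variants listed above; the sample directory tree, including the benign "clean" folder, is constructed for the demonstration.

```python
import os
import tempfile

# Loader executable -> hijacked DLL (lower-cased), from the three variants described above.
KNOWN_PAIRS = {"hhc.exe": "hha.dll", "cammute.exe": "commfunc.dll", "mc.exe": "mcutil.dll"}

def companions_of(dll_name, names):
    # Files named <dll>.<ext> (hha.dll.bak, McUtil.dll.url) or <stem>.<ext> (CommFunc.jax).
    stem = dll_name.rsplit(".", 1)[0]
    found = []
    for n in names:
        low = n.lower()
        if low == dll_name or low.endswith((".dll", ".exe")):
            continue
        if low.startswith(dll_name + ".") or low.rsplit(".", 1)[0] == stem:
            found.append(n)
    return sorted(found)

def scan_tree(root):
    # Walk root and collect (dir, exe, dll, companions, verdict) for suspicious triads.
    findings = []
    for dirpath, _, files in os.walk(root):
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        for exe in exes:
            for dll in dlls:
                comps = tuple(companions_of(dll.lower(), files))
                if KNOWN_PAIRS.get(exe.lower()) == dll.lower():
                    verdict = "known PlugX loader/DLL pair"
                elif comps:
                    verdict = "DLL with companion payload file"
                else:
                    continue  # plain exe + dll with nothing riding along: not flagged
                findings.append((dirpath, exe, dll, comps, verdict))
    return findings

def demo_findings():
    # Constructed layout (empty files) mimicking the three variants plus a benign folder,
    # built in a temp dir, scanned, and keyed by folder name.
    layout = {"dmi": ["HHC.EXE", "hha.dll", "hha.dll.bak"],
              "ai": ["CamMute.exe", "CommFunc.dll", "CommFunc.jax"],
              "aqt": ["Mc.exe", "McUtil.dll", "McUtil.dll.url"],
              "clean": ["viewer.exe", "helper.dll"]}
    with tempfile.TemporaryDirectory() as tmp:
        for sub, names in layout.items():
            os.makedirs(os.path.join(tmp, sub))
            for n in names:
                open(os.path.join(tmp, sub, n), "w").close()
        return {os.path.basename(d): (exe, dll, comps, verdict)
                for d, exe, dll, comps, verdict in scan_tree(tmp)}
```

Calling demo_findings() returns one hit per infected folder and none for the benign one; point scan_tree() at a real directory to hunt for the same pattern.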




    The popular Japanese word processor software Ichitaro is no stranger to threats, particularly exploits taking advantage of the software’s vulnerabilities. Since 2007, we have reported on malware targeting Ichitaro’s security flaws.

    This time, however, we uncovered an attack that employs an old trick that even Microsoft Office was previously vulnerable to (CVE-2011-1980). Typically, when an application or document is executed, it loads several .DLL files. It first checks the current directory from which it was opened; if the .DLL is present there, it loads that file, and if not, it checks other folders such as the System folder.

    An attacker can take advantage of this to get an application to load a malicious DLL file instead of the legitimate one; this particular attack is known as DLL preloading. The samples we found refer to the DLL by file name only, so the application searches the current directory first before checking the other folders on the system. While this vulnerability could be used to load a malicious DLL from a remote folder, that was not the case here.

    The attack arrives as a malicious compressed file, attached to an email message. Inside the compressed file are two Ichitaro documents and JSMISC32.DLL. Using the vulnerability cited above, the Ichitaro software loads the modified .DLL (detected as PTCH_ETUMBOT.AV) once users open the document. We have been detecting this DLL file and its subsequent payload since January of this year.

    Posted in Malware



    Reports are circulating that a fake installer for Mac OS has surfaced, proving that Mac OS is still fair game when it comes to web threats.

    Our friends from Dr. Web have uncovered a fake installer for Mac OS X. Detected as OSX_ARCHSMS.A, this threat reaches users who download from websites peddling supposedly legitimate software. Once installed, it shows an image that looks like an installation wizard window.

    The curious aspect of this threat is that OSX_ARCHSMS.A asks users for their cellphone number and for the verification code to be sent via SMS. When done, users are prompted to agree with the terms and conditions of the program, which include being charged regularly via their mobile phone account. Needless to say, no program is installed and users end up being charged for a fake (and non-existent) program.

    Posted in Mac



    On the heels of Yahoo!’s recent announcement of upcoming updates for the Messenger platform, certain bad guys are already taking this chance to release their own, malicious versions of Yahoo! Messenger.

    While doing my research, I encountered this particular file (detected by Trend Micro as TROJ_ADCLICK.TNH), which looks like a legitimate Yahoo! Messenger executable.

    However, when I checked its file properties, I found that it is actually an AutoIt compiled file.

    Once users download and execute this file, which is saved as C:\Program Files\Yahoo Messenger.exe, the malware checks if an Internet connection is available by pinging Google. If it returns any value not equal to 0, it proceeds to check the user’s existing Internet browser(s).

    Posted in Bad Sites



    Because of its promise of improved features and security, Windows 8 is naturally making waves in the tech industry and among ardent Windows users. Unfortunately, we are all too aware of the pitfalls of popularity when it comes to online security. It’s just a matter of time before cybercriminals take advantage of Windows 8’s popularity.

    We got hold of two samples that are packaged as key generator apps for Windows 8, which are available on http://{BLOCKED}en2eqqh2.cloudfront.net. Key generators are used to generate serial numbers and are typically used for bootleg copies of paid software. Based on our analysis, the apps we’ve found are malicious. Trend Micro detects these as ADW_SOLIMBA and JOKE_ARCHSMS respectively.

    When executed, ADW_SOLIMBA displays a fake message telling users to click ‘OK’ to download Windows 8 via the web browser. JOKE_ARCHSMS, on the other hand, poses as a Windows 8 activator. Similar to ADW_SOLIMBA, JOKE_ARCHSMS also displays images to trick users into thinking that they can activate Windows once they have sent an SMS to a certain number. In addition, it also connects to the following URLs for click fraud:

    • http://{BLOCKED}rchant.net/api/open.php?aid=2102499&v
    • http://{BLOCKED}rchant.net/50qjpr21e2bd/2102499/

    Posted in Bad Sites, Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved.