TrendLabs Security Intelligence Blog

    Author Archive - Roddell Santos (Threats Analyst)

    The popular Japanese word processor Ichitaro is no stranger to threats, particularly exploits that take advantage of the software’s vulnerabilities. Since 2007, we have reported on malware targeting Ichitaro’s security flaws.

    This time, however, we uncovered an attack that employs an old trick that even Microsoft Office was previously vulnerable to (CVE-2011-1980). Typically, when an application or document is opened, it loads several DLL files. When a DLL is requested by filename alone, without a full path, Windows searches a fixed sequence of directories: it first checks the current directory the document was opened from and, if a DLL of that name is present there, loads that file; only otherwise does the search continue to other locations such as the System folder.

    An attacker can take advantage of this to get an application to load a malicious DLL in place of the legitimate one; this particular technique is known as DLL preloading (also called DLL hijacking or binary planting). The samples we found refer to the DLL by filename only, so the application searches the current directory before checking the other folders on the system. While this vulnerability could also be used to load a malicious DLL from a remote folder, such as a network share, that was not the case here.

    The attack arrives as a malicious compressed file attached to an email message. Inside the compressed file are two Ichitaro documents and a file named JSMISC32.DLL. Through the vulnerability cited above, Ichitaro loads the modified DLL (detected as PTCH_ETUMBOT.AV) once the user opens the document. We have been detecting this DLL file and its subsequent payload since January of this year.
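    The attachment layout described above (documents and a DLL extracted into the same folder) is the precondition for this kind of DLL preloading, and it is cheap to flag at the mail gateway or in a sandbox before anyone double-clicks a document. The following is an added triage example written for this page, not Trend Micro’s own tooling: it walks the entry list of a zip archive and reports every document that has a loadable library sitting beside it. The document extensions (.jtd/.jtt for Ichitaro, plus Office formats because the same search-order bug applied there) and the sample archives are assumptions constructed for the example.

```python
import io
import posixpath
import zipfile

# Extensions to pair up. The Ichitaro ones (.jtd, .jtt) are an assumption about
# how the documents in such an archive would be named; the Office ones are
# included because the same search-order trick applied to Office (CVE-2011-1980).
DOCUMENT_EXTENSIONS = {".jtd", ".jtt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
LIBRARY_EXTENSIONS = {".dll", ".ocx"}


def find_preload_candidates(names):
    """Return (document, library) pairs that share a directory inside an archive.

    That layout is what a DLL preloading attack needs: once the archive is
    extracted and a document is opened, any DLL the application requests by bare
    filename is resolved by searching the document's directory before the system
    folders, so the planted library wins.
    """
    by_dir = {}
    for name in names:
        if name.endswith("/"):            # directory entries carry no payload
            continue
        directory, base = posixpath.split(name)
        ext = posixpath.splitext(base)[1].lower()
        entry = by_dir.setdefault(directory, {"docs": [], "libs": []})
        if ext in DOCUMENT_EXTENSIONS:
            entry["docs"].append(name)
        elif ext in LIBRARY_EXTENSIONS:
            entry["libs"].append(name)
    return [(doc, lib)
            for entry in by_dir.values()
            for doc in entry["docs"]
            for lib in entry["libs"]]


def scan_zip(data):
    """Scan an in-memory zip archive; returns the suspicious (document, library) pairs."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_preload_candidates(zf.namelist())


def build_sample_archive():
    """Constructed stand-in for the attachment described above: two documents plus JSMISC32.DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/invoice.jtd", b"placeholder document body")
        zf.writestr("docs/notes.jtd", b"placeholder document body")
        zf.writestr("docs/JSMISC32.DLL", b"MZ placeholder, not a real PE")
    return buf.getvalue()


def build_clean_archive():
    """Constructed benign archive: a document with no library beside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.jtd", b"placeholder document body")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for doc, lib in scan_zip(build_sample_archive()):
        print(f"suspicious: opening {doc} would resolve {posixpath.basename(lib)} from its own folder")
```

    The check is deliberately name-based: it does not need to know which DLLs Ichitaro imports, because a library that has no business travelling alongside a document is the signal. In practice you would also hash the DLL and compare it against the vendor’s signed copy, and on the endpoint side loading libraries by full path (or restricting the search order with SetDllDirectory) removes the preloading window entirely.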

    Posted in Malware



    Reports are circulating that a fake installer for Mac OS X has surfaced, proving that Mac OS is still fair game when it comes to web threats.

    Our friends at Dr. Web have uncovered a fake installer for Mac OS X, which we detect as OSX_ARCHSMS.A. Users may encounter this threat by downloading it from websites peddling supposedly legitimate software. Once run, it shows an image that looks like an installation wizard window.

    The curious aspect of this threat is that OSX_ARCHSMS.A asks users for their cellphone number and for a verification code that is sent to it via SMS. Once this is done, users are prompted to agree to the program’s terms and conditions, which include being charged regularly via their mobile phone account. Needless to say, no program is installed, and users end up being charged for a fake (and non-existent) program.

    Posted in Mac



    On the heels of Yahoo!’s recent announcement of upcoming updates to the Messenger platform, certain bad guys are already taking the chance to release their own, malicious versions of Yahoo! Messenger.

    While doing my research, I encountered this particular file (detected by Trend Micro as TROJ_ADCLICK.TNH), which looks like a legitimate Yahoo! Messenger executable.

    However, when I checked its file properties, I found that it is actually a compiled AutoIt script.

    Once users download and execute this file, which is saved as C:\Program Files\Yahoo Messenger.exe, the malware checks whether an Internet connection is available by pinging Google. AutoIt’s Ping() function returns the round-trip time in milliseconds, or 0 on failure, so if the result is any value other than 0 the malware proceeds to check which Internet browser(s) the user has installed.
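    The tell in this sample was a mismatch between what the file claims to be (a Yahoo! Messenger executable) and what its properties reveal (an Aut2Exe-compiled AutoIt script). That mismatch can be checked automatically. The following is an added example written for this page, not code from the original post or from Trend Micro: it looks for two markers that Aut2Exe leaves in a binary, the ASCII tag "AU3!EA06" that precedes the embedded script resource and the default "AutoIt v3 Script" FileDescription in the version-information resource, and reports a PE that carries a product name it does not match. Both markers are assumptions about a stock Aut2Exe build (a packer or a customised version resource would hide them), and the sample bytes are a constructed header shell, not a real executable.

```python
import struct

# Markers left by Aut2Exe in compiled AutoIt v3 binaries (assumption: stock
# build, not packed, version resource not customised by the author).
AUTOIT_SCRIPT_TAG = b"AU3!EA06"
AUTOIT_FILE_DESCRIPTION = "AutoIt v3 Script".encode("utf-16-le")  # version info is UTF-16


def is_pe(data):
    """Minimal PE sanity check: MZ stub whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def autoit_indicators(data):
    """Which AutoIt markers are present in the raw file bytes."""
    return {
        "pe": is_pe(data),
        "script_tag": AUTOIT_SCRIPT_TAG in data,
        "version_info": AUTOIT_FILE_DESCRIPTION in data,
    }


def looks_like_disguised_autoit(data, claimed_product):
    """True when a PE advertises `claimed_product` (e.g. "Yahoo! Messenger") in its
    version information but is actually a compiled AutoIt script."""
    ind = autoit_indicators(data)
    claims_product = claimed_product.encode("utf-16-le") in data
    return ind["pe"] and claims_product and (ind["script_tag"] or ind["version_info"])


def build_sample(disguised):
    """Constructed stand-in: a 0x40-byte MZ header pointing at a PE signature,
    followed by the strings a real file would carry in its resources. Not runnable."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)          # e_lfanew -> right after the stub
    body = b"PE\0\0" + b"\0" * 0x20
    body += "Yahoo! Messenger".encode("utf-16-le")       # what the file claims to be
    if disguised:
        body += b"\0\0" + AUTOIT_FILE_DESCRIPTION + b"\0\0" + AUTOIT_SCRIPT_TAG
    return bytes(header) + body


if __name__ == "__main__":
    for label, sample in (("disguised", build_sample(True)), ("genuine-looking", build_sample(False))):
        print(label, autoit_indicators(sample), looks_like_disguised_autoit(sample, "Yahoo! Messenger"))
```

    A positive hit is a reason to pull the file for analysis, not a verdict on its own: AutoIt is also used for legitimate tooling, and a packed sample will hide both markers, so treat the absence of a hit as "unknown" rather than "clean".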

    Posted in Bad Sites



    Because of its promise of improved features and security, Windows 8 is naturally making waves in the tech industry and among ardent Windows users. Unfortunately, we are all too aware of the pitfalls of popularity when it comes to online security. It’s just a matter of time before cybercriminals take advantage of Windows 8’s popularity.

    We got hold of two samples packaged as key generator apps for Windows 8, which are available on http://{BLOCKED}en2eqqh2.cloudfront.net. Key generators are used to generate serial numbers and are typically used with bootleg copies of paid software. Based on our analysis, the apps we found are malicious; Trend Micro detects them as ADW_SOLIMBA and JOKE_ARCHSMS respectively.

    When executed, ADW_SOLIMBA displays a fake message telling users to click ‘OK’ to download Windows 8 via the web browser. JOKE_ARCHSMS, on the other hand, purports to be a Windows 8 activator. Like ADW_SOLIMBA, JOKE_ARCHSMS displays images to trick users into thinking that they can activate Windows once they have sent an SMS to a certain number. In addition, it connects to the following URLs for click fraud:

    • http://{BLOCKED}rchant.net/api/open.php?aid=2102499&v
    • http://{BLOCKED}rchant.net/50qjpr21e2bd/2102499/

    Posted in Bad Sites, Malware



    Thinking of updating your web browser? Just make sure that you download from legitimate sources, instead of downloading malware disguised as a browser update onto your system.

    Just recently, we were alerted to a report of several websites offering updates for Internet browsers such as Firefox, Chrome, and Internet Explorer, to name a few. Users may encounter these pages by clicking malicious ads.

    The bad guys behind this threat made an effort to make the ruse appear legitimate. The pages were made to look like the browsers’ official sites. To further convince users to download the fake update, the sites even offer “integrated antivirus protection”:

    Instead of an update, users download malware detected as JS_DLOADR.AET, a downloader script whose retrieved binary can be changed to deliver a different payload.

    The malicious JavaScript in turn downloads TROJ_STARTPA.AET and saves it as {Browser Download Path}\install.exe. Based on our initial analysis, the Trojan modifies the user’s Internet Explorer home page to http://{BLOCKED}rtpage.com, a site that may host other malicious files that can further infect the user’s system.
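    The persistent artifact this Trojan leaves is a rewritten Internet Explorer home page, which lives in the registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main as the "Start Page" value (Default_Page_URL sits beside it). During incident response that key is usually collected as a .reg export rather than read live, so the following added example, written for this page and not part of the original post or of Trend Micro’s tooling, parses the string values of such an export and flags home pages whose host is not on an allow list. The allow list and the sample export are constructed assumptions; the placeholder host stands in for the blocked one in the post.

```python
import re
from urllib.parse import urlsplit

# Registry key and values that hold the Internet Explorer home page.
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
HOME_PAGE_VALUES = ("Start Page", "Default_Page_URL")

# Hosts an organisation considers legitimate home pages (assumed allow list).
ALLOWED_HOSTS = {"www.msn.com", "go.microsoft.com", "intranet.example.com"}

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] sections and REG_SZ values.

    Returns {key: {value_name: value}}. Non-string values (hex(...)) are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            # .reg files escape quotes and backslashes inside strings; undo that.
            value = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group("name")] = value
    return keys


def find_hijacked_home_pages(reg_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (value_name, url) pairs whose host is not on the allow list."""
    main = parse_reg_export(reg_text).get(IE_MAIN_KEY, {})
    findings = []
    for name in HOME_PAGE_VALUES:
        url = main.get(name)
        if url is None:
            continue
        host = urlsplit(url).hostname          # None for malformed or non-URL values
        if host is None or host.lower() not in allowed_hosts:
            findings.append((name, url))
    return findings


# Constructed sample export: the Start Page has been redirected, the rest is stock.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://startpage.example.invalid/?id=1"
"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Search Page"="http://www.msn.com"
'''

if __name__ == "__main__":
    for name, url in find_hijacked_home_pages(SAMPLE_REG):
        print(f"home page hijack: {name} -> {url}")
```

    Run against a fleet of exports, the hosts it surfaces double as candidates for DNS block lists, since the post notes the new home page may serve further malicious files.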

    Posted in Bad Sites, Malware

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice