    Author Archive - Roderick Ordoñez (Technical Communications)

    Facebook has reverted to its old Terms of Service (TOS) after causing quite an online ruckus when it updated its TOS a few weeks ago. Lines in the new TOS that enraged users included:

    • You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense)…
    • The following sections will survive any termination of your use of the Facebook Service…

    These clauses indicate that any user content uploaded to Facebook becomes Facebook’s property under an irrevocable, perpetual (that is, forever), non-exclusive, transferable, fully paid, worldwide license, which does not expire even after the user terminates the service.

    In response, Facebook creator Mark Zuckerberg replied in his blog:

    When a person shares information on Facebook, they first need to grant Facebook a license to use that information so that we can show it to the other people they’ve asked us to share it with. Without this license, we couldn’t help people share that information.

    One of the questions about our new terms of use is whether Facebook can use this information forever. When a person shares something like a message with a friend, two copies of that information are created—one in the person’s sent messages box and the other in their friend’s inbox. Even if the person deactivates their account, their friend still has a copy of that message. We think this is the right way for Facebook to work, and it is consistent with how other services like email work. One of the reasons we updated our terms was to make this more clear.

    In reality, we wouldn’t share your information in a way you wouldn’t want. The trust you place in us as a safe place to share information is the most important part of what makes Facebook work.

    In practice, putting anything on the Web is a sure-fire way to make that information available for an indefinite period of time. Sites like Facebook do allow the user to control how much information is visible to the general public, but users also assume that their information is deleted once they opt out of the service.

    When a TOS declares that an establishment has full rights to your information (or content, in this case) during and even long after you have stopped using the service, privacy concerns are raised. Specifically: how is your data going to be used?

    While openly available profiles may be considered willing victims of data miners, privacy settings do give users a sense of security that their information is not available to the outside world. Declaring that user content is now owned by an establishment, however, makes users worry that their data may be misused from the inside. One is left to trust that Facebook does not use user-submitted information in any manner offensive to the users themselves.

    The lesson of the story is: be careful what you post or put on the Web. The Web is a great way to socialize and share data, but you never know who will use that data and for what purpose, regardless of where you put it or what service you choose to use, and that holds true with or without a TOS.


    After December’s Patch Tuesday, yet another vulnerability has surfaced, this time in one of Microsoft’s more commonplace components: WordPad. Trend Micro detects the file exploiting this vulnerability as TROJ_MCWORDP.A.

    The exploit uses a specially crafted .DOC, .WRI, or .RTF file to take advantage of the WordPad vulnerability, causing the application to crash. This crash may then allow a remote malicious user to take control of an affected system. Microsoft has already issued a bulletin regarding the issue, which can be found at the following link:

    What makes the malware exploiting this bug more interesting is that it includes a VMware-checking routine. If it detects that it is being run inside a virtual machine, it does not continue to exploit the affected system. Otherwise, it drops another malicious file, detected as BKDR_AGENT.VBI. This backdoor opens a random port to allow attackers to connect to the system; once connected, they are able to execute commands.

    WordPad is the word processor that ships with Windows and is present on every fresh install, but it goes unnoticed once users install a more recognized word-processing suite like MS Office or OpenOffice. This seemingly trivial piece of software has been patched in the past, however, so it may not come as a surprise that it has been exploited again.

    This exploit is just one of a series to affect Microsoft immediately after it released its monthly security updates. A zero-day bug in Internet Explorer was actively exploited just days ago to infect users with information-stealing malware. Mass SQL injections exploiting the same vulnerability were soon discovered affecting a Taiwanese search engine and a Chinese sporting goods site.

    Our engineers are also still analyzing a proof-of-concept threat that exploits yet another zero-day flaw, this time in Microsoft’s SQL Server. Users are advised to apply patches as soon as they are made available.

    The Trend Micro Smart Protection Network protects Trend Micro customers against this recently discovered flaw, but caution is still urged, since it remains unpatched by Microsoft.


    The spam disguised as a “delivery failure notice” last month has reappeared. Now dropping its “delivery failure notice” cover, the second coming of this spam is no less dangerous, and in fact arrives bundled with more malware. See screenshot below:

    Although this spam comes with the same subject, same attachment file name, and same spam content as before, executing the attachment’s contents deploys TROJ_ROOTKIT.BA and TSPY_GOLDUN.RF onto the system, as opposed to only TROJ_DLOADR.IB in the first spam sample. Trend Micro detects the attached ZIP files of the first and second spam samples as TROJ_DLOADZIP.A and TROJ_PAKES.AXQ, respectively.

    Worth noting is that the latter variant delivers a more damaging payload than the first. It is reasonable to expect that this series of spam runs will get nastier as newer strains appear. Rest assured that Trend Micro will continue to look ahead and protect its users through the Smart Protection Network.

    Posted in Malware, Spam | Spam ‘Delivery Verification’ Gets Nastier

    After fake sites, fake Antivirus, fake blogs, and fake forums, spammers plough on with fake news.

    Threat analyst Juan Pablo Castro reports spam announcing the declaration of World War III.

    Figure 1. Sample spam that warns of World War 3
    Figure 2. Another sample spam that warns of World War 3

    The link provided points to a legitimate-looking CNN page with a video. However, users wishing to view the video are prompted to install an ActiveX object:

    Figure 3. The “missing” ActiveX object is actually spyware

    Note that CNN’s real URL is

    The supposed ActiveX object is actually malware, which Trend Micro detects as TSPY_BANCOS.JN. Like all BANCOS variants, TSPY_BANCOS.JN is an information stealer that monitors the browser on the affected system. It waits for the user to access certain banking-related Web sites, then spoofs the bank’s login pages to steal sensitive account information.

    The request to install an ActiveX object is a popular ploy for spreading malware these days, and this bogus ActiveX object is yet another one designed to deceive users into believing that they are installing something useful.

    Then again, the use of sensational headlines is nothing new, and spammers constantly exercise their creative juices to invent the most inviting email subjects. Although Trend Micro products already block the malicious URL, the spam, and the related malware through the Smart Protection Network, users are advised to do the following with the next spam that finds its way into their inboxes:

    Never reply. Never click. Never believe.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice