In the past we reported a couple of attacks involving malware that turn infected systems into Bitcoin miners. We also said that cybercriminals will increasingly do so in the future. We recently encountered another familiar and well-known malware family—TDL4—that turns infected systems into Bitcoin miners.

TDL4 is a well-known TDSS variant that evades antivirus detection by infecting systems’ boot sector. We have since been monitoring TDSS-related developments. Earlier this year, we saw TDL4 exhibit propagation routines through a worm component that Trend Micro detects as WORM_OTORUN.ASH.

In the course of our research, we found that recent variants of WORM_OTORUN.ASH contain code that attempts to participate in a Bitcoin pool known as Deepbit.

Figure 1 shows some parameters that include getwork, which gets a job from the mining pool. A job is a Bitcoin block header which the miner, in this case the infected system, hashes in order to earn a Bitcoin share. In Bitcoin pools, users sign up and join a network of miners to work on the same jobs for faster payout.

Read the rest of this entry »

A lot of the developments that occurred in the computing world in the past years involved the automation of day-to-day tasks. These developments have made peoples’ lives so much easier, causing the development of a dependency on them. Paralleled by innovations, however, is abuse, as cybercriminals continually employ them in malicious schemes with a single goal in mind—to gain profit.

This very reason—profit—has proven to be a sufficient motivation for blackhat hackers to constantly innovate in terms of attacking security technology. They research, explore, and develop malicious programs that we now call “malware.” Although these malware are continuously developed, whether to become more resilient to antivirus solutions or to become more effective in terms of their intended payload, the threat trends paint a consistent picture—malware automate hacking.

Manual Hacking in the Early Days

In the early days of hacking, everything had to be manually done. Hackers needed to manually check computers for weaknesses or for open ports to in order to hack targeted machines. Once in, hackers manually executed their intended actions, depending on their intention.

Today, various tools like vulnerability and port scanners are widely available on the Internet. Backdoor applications can remotely manipulate compromised systems and worms automated the proliferation of malware through self replication. Even generating malicious files can be automated with the help of malicious toolkits.

Information and Financial Theft

Given the malware advancements today, one can assume that pretty soon, cybercriminals will just spread malware on the Internet, watch TV, and wait for stolen money to be deposited into their bank accounts (if this is not already happening). This is something that we interestingly saw materialize in the form of TSPY_BANKER.PHT.

TSPY_BANKER.PHT is a banking Trojan that specifically targets users associated with the Brazilian bank, Banco do Brasil. Upon stealing user account information, this malware attempts to automatically transfer money to a predetermined account. This is similar to a ZeuS and SpyEye feature known as auto-transfer system (ATS). Here is a screenshot of a dump of TSPY_BANKER.PHT’s code:

Read the rest of this entry »

We recently received reports of a BANKER malware that is being distributed in Spain. This malware, detected by Trend Micro as TROJ_BANLOD.QSPN, reportedly arrives via mass-mailed spammed messages that supposedly come from the National Police of Spain. The email message contains a link that leads to the download of TROJ_BANLOD.QSPN—a downloader that downloads TSPY_BANCOS.QSPN.

One thing we noticed about this particular attack is the fact that it uses compromised sites for its malicious operations. The download sites and phone-home URLs are all legitimate and contain specific directories and contents used for the attack. TSPY_BANCOS.QSPN furthermore obtains the phone-home URLs from the site http://{BLOCKED}s:81/images/cancel.txt.

This makes the phone-home URLs dynamic, as the content of this site can be updated anytime. It is also worth mentioning that the phone-home URLs to which the site points to have also been compromised and contain a specific malicious PHP script that is responsible for transmitting the phone-home report to the actual malicious server. These routines effectively conceal the identity of the perpetrators behind the attack.

As for the payload, TSPY_BANCOS.QSPN monitors Internet Explorer and Mozilla Firefox address bars for strings that are related to the following financial firms based in Spain:

• Banco Popular
• Bankinter
• Cajasol
• Caixa
• Wester Union

Read the rest of this entry »

It has been a week since an official report saying that the infamous ZeuS source code was leaked to the public came out. It was uploaded to a file sharing site and soon virally spread primarily in underground forums. This incident was anticipated months ago. Now that it has happened, it seems like everyone is talking about the leakage’s negative effects, particularly about future attacks. There are, however, some things to consider before such an attack can take place. There may also be ways by which we can make the incident work to the security industry’s advantage.

Fellow threat response engineer Jasper Manuel reviewed the code and said it was authored by someone with a deep understanding of C preprocessor (cpp) and macros. He added that the way by which ZeuS was coded was unconventional and did not use standard libraries. Someone who wishes to modify the code, therefore, should have a similar or the same level of understanding as the original authors. We know that the majority of ZeuS users are fairly inexperienced and wish to earn money through cybercrimes. In addition, ZeuS became mainstream because of its sophistication and of its volume of inexperienced or noncoder cybercriminal users—two vastly opposing factors. If ZeuS’ source code falls into the hands of its existing users, they may not be able to modify it and come up with a more intricate Trojan.

Read the rest of this entry »

In our previous FAKEAV white paper, we presented how Trend Micro researchers tracked down the evolution of FAKEAV and followed its development behaviorwise from one generation to the next. One of the earlier generations (fourth, to be exact) in the paper comprises DLL-based FAKEAV—fake antivirus that use a .DLL file to perform all of their malicious routines to primarily avoid easy termination. A few months ago, however, we saw this particular generation again making its rounds in the wild in the form of TROJ_FAKEAV.BTV.

In terms of appearance, fourth-generation FAKEAV variants are not particularly different from earlier generations. However, in the background, fourth-generation FAKEAV varaints are characterized by the considerably big file size of their DLL components (TROJ_FAKEAV.BTV samples are around 1.50MB in size). This is because the fake pop-up warnings, GUIs, and other scareware modules are all found in the DLL.

Read the rest of this entry »