Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Trend Micro

    The perpetrators behind the police ransomware are no longer just using the reputation of law enforcement to build credibility for their schemes — they’re using those of security vendors as well.

    We’ve spotted a police ransomware variant which tells of a supposed “treaty” between the law enforcement and antivirus vendors. It even has icons of these security vendors to appear legitimate. Trend Micro detects this new ransomware variant as TROJ_REVETON.IT.

    According to our findings, the .DLL file in the malware variant contains a lock screen image which contains logos of various antivirus companies such as Trend Micro, Symantec, McAfee, Sophos, and Microsoft among others. The text goes on to say, “To make the work of the Police more effective, on December 04, 2012 the International Treaty was signed between the companies who developes anti-virus software for identification of cyber-criminals.”  Of course, this is merely a ruse to trick people into believing its legitimacy. Once the malware is executed, it locks users’ computers and displays the fake message that says “Your computer has been locked. You have broken the law, your actions are illegal and will lead to criminal liability.”

    Read the rest of this entry »


    3:47 am (UTC-7)   |    by

    Yes, it does. And depending on where you are located, it can even speak in your mother tongue.

    As discussed in our paper Police Ransomware Update, the people behind police Trojan/Ransomware have implemented improvements to make this threat more effective. Gone are the days when ransomware simply showed a message that users’ systems are “captured” and that they have to pay for a fee to have them back.

    These days, this new breed of ransomware notifies users of the fee (or ransom) under the guise of the victim’s local law enforcement agencies. Thus, a user with a ransomware-infected system from France will get a notification from the Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI.

    To level up the ante, we received a report that a new police Trojan variant even has a “voice”. Detected as TROJ_REVETON.HM, it locks the infected system but instead of just showing a message, it now verbally urges users to pay. The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located.

    Read the rest of this entry »


    6:59 am (UTC-7)   |    by

    A wave of WORM_VOBFUS variants has recently emerged with some variants even spreading through Facebook. But based on initial analysis, this crop of WORM_VOBFUS presents no new routines. For good measure, users are encouraged to observe best practices such as disabling Autorun feature and updating their antivirus program with the latest pattern, just to name a few.

    What You Need to Know About WORM_VOBFUS

    WORM_VOBFUS takes advantage of Windows Autorun feature to drop copies onto removable and mapped network drives. They also arrive as downloaded or dropped files of other malware family. Users may unknowingly download WORM_VOBFUS variants when visiting malicious sites.

    These variants were also reported to be spreading on Facebook, usually using (but not limited to) sexually-suggestive file names to pique users’ interest.

    The VOBFUS malware drops copies of itself in removable drives using the file names of the user’s folders and files with the following extensions:

    • .avi
    • .bmp
    • .doc
    • .gif
    • .jpe
    • .jpg
    • .mp3
    • .mp4
    • .mpg
    • .pdf
    • .png
    • .tif
    • .txt
    • .wav
    • .wma
    • .wmv
    • .xls

    This worm hides these files mentioned above as original files and folders. Thus, users may think that they are clicking normal files or folders, while in fact these are WORM_VOBFUS variants in disguise. Like your typical worm, it drops an AUTORUN.INF to automatically execute the file when the drive is accessed.

    To know if system is infected, users must check for the following files:

    • {drive letter}:\Passwords.exe
    • {drive letter}:\Porn.exe
    • {drive letter}:\Secret.exe
    • {drive letter}:\Sexy.exe

    This worm connects to a remote site where it downloads and executes other malware. Specifically, it connects to the following sites:

    • http://{random number}{random characters}?{random character}
    • http://{random number}{random characters}/?{random character}

    Once the file is downloaded it is saved as %User Profile%\ (detected as TSPY_BANCOS.JFB). However, some sites where this malware connects to are already inaccessible.

    Read the rest of this entry »


    11:00 am (UTC-7)   |    by

    Ransomware has become major concern among users, particularly those variants that mimic law enforcement agencies like the FBI (known as police ransomware). Certain features have also been incorporated into the threat recently, such as an audio file and just now, fake digital certificates.

    We encountered two samples bearing the same fake digital signature, which Trend Micro detects as TROJ_RANSOM.DDR. According to senior threat researcher David Sancho, the digital signature’s name and its issuing provider are very suspicious. Sancho believes that the fake signature’s sole purpose is likely to elude digisig checks.

    Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability.

    Once executed, TROJ_RANSOM.DDR holds the system “captive” and prevents users from accessing it. It then displays a warning message to scare its victims into paying a fee. To intimidate users further, this warning message often spoofs law enforcement agencies like the FBI, often claiming that they caught users doing something illegal (or naughty) over the Internet.

    Read the rest of this entry »

    Posted in Malware | 1 TrackBack »

    9:56 pm (UTC-7)   |    by

    In American football, reviewing films from previous game days is fundamental to achieving victory on Sunday. Understanding an opponent’s tactics and stratagems is critical to crafting a defensive strategy for a football team. Reviewing your upcoming opponent’s past games helps you to have a direct understanding of how they really operate and what they’re likely to do when it’s your turn to face them. Implicit in taking the time to understand your opponent like this is the fact that you recognize that you’re facing a skilled opponent, and are paying appropriate respect to your opponent and their skills.

    In a new opinion piece titled The Knight Fork: Defining Defense in 2013, Trend Micro’s Tom Kellermann reviews the “game day films” of cyberattacks and APT campaigns of the past year. As we get ready to enter 2013, he looks at these past trends to outline what defensive tactics may define risk management for security professionals in the coming year.

    In this short paper, he draws on one of the key defensive principles in chess, the idea of the “knight’s fork”, a move that is assured of success by simultaneously attacking two pieces at once. Similarly, in an increasingly dangerous world with equally limited budgets, he outlines areas of focus that can maximize defensive benefit with the greatest cost benefit.

    As Tom says, “The greatest head coaches as the greatest hackers are all grandmasters of chess. As we close out 2012 we must ask ourselves – how might we spin the cyber chess board and create a knight’s fork?”

    Take some time and read The Knight Fork: Defining Defense in 2013 and you’ll get some ideas on how you can better protect your environment by creating a knight’s fork for 2013.

    Posted in Malware | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice