    Author Archive - Trend Micro

    The very first computer virus did not happen on a Windows machine, or a Mac or an Apple II. The first virus did not travel via the Internet or in an email or in a floppy disk. The first virus was not on a minicomputer, nor was it on a mainframe. That’s because the first computer virus didn’t exist on any computer hardware or software of any kind.

    It was in a work of fiction.

    By the late 1970s, movies, books, and television shows had given the public a very strong impression of hackers, viruses, and other computer threats.

    Unfortunately, these dramatic ideas have nothing at all to do with reality.

    In the movies, viruses destroy computer hardware, sometimes leaving a trail of smoke and fire. In reality, no virus was ever known to damage any computer hardware. Ever.

    In the movies, a virus or worm always has an immediate and dramatic visual effect. There is always an animated screen (HACKERS) or a warning message (SNEAKERS) or you can actually see the data being destroyed before your very eyes (THE NET). In reality most malware leaves no visible trace of its existence.

    On the big screen, malware is used to open bank vault doors, to tip over an oil tanker, to blow up a power plant or even to crash an alien spacecraft. In reality, the most insidious virus ever would locate a spreadsheet and randomly change one number.

    Computer geeks (like me) get a real laugh out of movies about hacking and cybercrime. When a “hacker movie” opens you will find theaters in Silicon Valley or other computer tech havens full of people laughing at all the wrong things, and at all the things gotten wrong. To our amusement and dismay, these overblown, crazy overdramatic portrayals of hacking and cybercrime are what sets the public’s understanding of all things cyber. People believe in the world described by these movies. It frequently makes them less safe behind the keyboard.

    So I was very interested by an ad for a movie called UNTRACEABLE. It portrayed a criminal Web site and the FBI effort to bring it down. I got ready to watch another travesty of technical misrepresentation, and talked my boss into letting me watch the very first screening.

    And I was wrong. They got every single technical detail right. When they talk about spoofing, or IP addresses, or keyloggers, they get it exactly right. Now all of those old school movies did research. (One of them sent the screenwriter to talk to me personally, some years ago) and still got it wrong. They couldn’t let go of the idea that in a visual medium, the computers needed to respond with something visual. They couldn’t get over the fact that fighting computer crime is primarily done at a computer keyboard, staring at long columns of numbers.

    But not UNTRACEABLE, they got it all right. The Web page was only used for a limited period of time, and was proxied and mirrored and botnetted all over the place, standard operation in cybercrime. The social engineering used to get a backdoor into the FBI agent’s home Wi-Fi network was right out of the real world. None of the computer screens at the FBI headquarters had magic graphics to show where the Web site was hosted. All in all, very very believable — well done to the screenwriters and researchers involved.

    Just one little problem. The movie was about horror porn online, and a serial killer with a need to invent ever escalating and absurdly disgusting ways to kill people, while feeding video to a growing internet spectator crowd. Now I know there is a long tradition of graphic violence in drama (Oedipus Rex, anyone? Romeo and Juliet?) but the modern craft is so convincing that a Grand Guignol fest like this was too much for me. I covered my eyes, I went for a diet soda, coming back to watch the plot. Diane Lane was actually quite good, as was the rest of the cast, and the procedural/plotting of the mystery and denouement were clever and inventive — but the movie has a LOT of problems, and is too preachy. It got a Rotten Tomato score of 14 (out of 100). Notably, Roger Ebert liked it a lot, and pretty much everyone else did not. Several reviewers refused to even see it.

    So we have a movie that is finally getting the tech right (thanks again, guys) and pretty much nobody will see it. Not on my recommendation, anyway.

    I leave with the hope that more movies get the tech right (help is offered if anyone is interested) and the prayer that nothing like this movie ever happens this side of the projector.

    This post was authored by David Perry, Trend Micro’s Director of Global Education.


    2:41 am (UTC-7)

    The 2007 Internet weather report is in: It was the Stormiest we have seen. The security arena endured a year of Storm — the ever-changing pool of malware with a propensity to keep its calendar busy and rain on the AV parade. This was where its seeds were planted and where it was already noted for its enhanced social engineering, plus its multi-component, complex techniques for profit.

    {timeline on Storm techniques}

    Its dark clouds started to form in October of 2006 when the WORM_NUWAR family first started spreading doomsday messages like the alleged death of the incumbent US president, the Third World War, and an imminent nuclear war.

    It would not be heard from again until January 2007, when it earned its “Storm” stamp for squatting on the real-world European storm Kyrill. The spammed email messages that it sent out contained a Trojan that creates a unique P2P-like botnet and downloads files, including a worm that mass-mails itself. Its use of fake eCards and timely events as social engineering techniques was also observed, as well as its bid for Web world domination as it attacked the STRAT malware family.

    From then on, it lived up to its name by maintaining year-round bad weather for the Internet and its users. The skies were relatively clear until April 2007, when new worm variants were spammed via email messages with subjects referring to the US-Iran conflict, missile strikes, and World War III being started by the US, Iran, or Israel. After that, it was a series of hitchhikes on whatever big-calendar events passed. Its spam runs often coincided with or anticipated holidays like the Fourth of July, Labor Day, the NFL season, Halloween, Christmas, and the New Year (even managing an early Valentine’s 2008 treat).

    Its arsenal of nifty social engineering techniques also included offering free games, posing as notifications from antivirus companies, or pretending to be a YouTube video file. We have seen it move from an attachment-based attack to one that is Web-based; from its links pointing to a domain instead of single IP addresses; from being one big botnet to a segmented one; and so on.

    It was last October when researchers found reason to believe that there was more than met the eye in its attempts at victimizing users, for it looked like the massive Storm botnet that was already under scrutiny by the security industry was breaking down into smaller segments. Although seemingly counter-intuitive, given that botnets grow stronger with each new addition of infected computers, this tactical move seems to suggest that the botnet herders are ready to go into (bigger) business by renting out bots to other spammers.

    True enough, analysts found phishing pages early this month that were hosted on known Storm-related domains. The difficulty in pinning down these malicious domains lies in the recently observed fast-flux technique. With these subsequent discoveries of clues about the bigger agenda on the minds of Storm’s creators and operators, researchers believe that in 2008, Storm’s armies of botnets will come up with craftier social engineering techniques to more easily evade file scanning and fool the automated crawlers used by security companies, making analysis even harder for anti-malware engineers.

    Looking back, like a real natural calamity, Storm’s impact is unforgettable. It has been a year since it first unleashed its power over the computing community and the cyber cyclone is not about to stop. In fact, it may be whipping up new winds of infections at the moment. Clearly, Storm watchers have their work cut out for them as the security industry stands ever more vigilant, creating technologies that continue to protect users from becoming casualties along Storm’s path of destruction.

    “The bad guys behind this resilient Web threat appear to have a knack for knowing just what buttons to push year-long to social-engineer users into getting themselves mired in its wake,” says Trend Micro Research Project Manager Jamz Yaneza. He adds, “The security industry isn’t as near as it would like to be at this point, but we’re getting there. After all, there must be a rainbow after this Storm!”


    6:55 am (UTC-7)

    Today, the Storm malware has changed its ways again. It is now spamming an email with a link to a domain, instead of individual IP addresses. The page has been designed to look more real than before, so it might fool unaware users. Please do not believe unexpected emails sending you to a supposed NFL tracker.



    8:35 am (UTC-7)

    Google falls prey to malware authors’ agenda to spread evil to computers. TrendLabs received the following sample of an email message wriggling its way to inboxes:


    Once recipients click on the link in the said message, a copy of WORM_AGENT.AAWD is downloaded onto the affected system. The message looks pretty much the same as the NFL-related NUWAR/Storm malware, also currently making its rounds on the Internet using the NFL as bait. WORM_AGENT.AAWD’s routine is also somewhat similar to WORM_SKIPI.A in that it also prevents access to antivirus and security-related Web sites by modifying an affected system’s HOSTS file.

    Trend Micro strongly advises users to avoid opening email messages that are from unknown/untrusted sources, and to avoid clicking links within suspicious email messages.

    Additional data provided by Ryan Flores.

    Posted in Bad Sites (Worm Googles its way to inboxes)

    11:54 am (UTC-7)

    Folks at Skype submitted to us for analysis a piece of malware that is currently spreading using their application. The said malware, which Trend Micro detects as WORM_SKIPI.A, sends messages via Skype’s chat feature. The messages it sends contain a link that purports to be a picture waiting to be downloaded. Below is a screenshot of a message exchange:


    Some of the links that are used by this worm are displayed as follows:

    • http://www.{BLOCKED}
    • http://www.{BLOCKED}

    Note that the supposed file to be downloaded is DSC027.JPG. However, the above links actually point to the following URLs, where a copy of this worm named DSC027.SCR is located:

    • http://given-up.{BLOCKED}
    • http://{BLOCKED}
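    The lure above relies on a gap between what the chat client shows (a .JPG on one host) and what the link actually fetches (a .SCR on another). The following is an added example, not TrendLabs code, of a check a mail or chat gateway could run over each link; the example.test hostnames and the extension lists are constructed assumptions.

```python
from urllib.parse import urlparse
import posixpath

# Added example (not TrendLabs code). Extensions Windows executes on
# double-click; .SCR (screensaver) is a PE executable most users do not
# recognise as one, which is why WORM_SKIPI.A used it.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def _ext(name: str) -> str:
    return posixpath.splitext(name.lower())[1]


def _host_and_file(url: str):
    """Split a URL into (hostname, last path component)."""
    parts = urlparse(url)
    return (parts.hostname or "").lower(), posixpath.basename(parts.path)


def classify_link(shown: str, href: str) -> dict:
    """Compare the link text the user sees with the real target.

    `shown` may be a full URL (as in the Skype message) or a bare file
    name; `href` is the URL the client would actually request.
    """
    shown_host, shown_file = _host_and_file(shown) if "://" in shown else ("", shown)
    real_host, real_file = _host_and_file(href)
    stem, real_ext = posixpath.splitext(real_file.lower())
    findings = set()
    if shown_host and real_host and shown_host != real_host:
        findings.add("host_mismatch")          # www.* shown, given-up.* fetched
    if real_ext in EXECUTABLE_EXTS:
        findings.add("executable_target")      # download is a program, not data
        if _ext(shown_file) in IMAGE_EXTS or _ext(stem) in IMAGE_EXTS:
            findings.add("disguised_as_image") # DSC027.JPG vs DSC027.SCR, or x.jpg.scr
    return {"shown_file": shown_file, "real_file": real_file, "findings": findings}


# Constructed sample mirroring the WORM_SKIPI.A lure (hosts are placeholders).
SAMPLE_SHOWN = "http://www.example.test/DSC027.JPG"
SAMPLE_HREF = "http://given-up.example.test/DSC027.SCR"

if __name__ == "__main__":
    print(classify_link(SAMPLE_SHOWN, SAMPLE_HREF))
```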

    Once the worm copy is downloaded and executed on the system, it displays the following image:


    This worm also modifies the status of the affected user from Online to Do Not Disturb or Invisible. Additionally, this worm prevents access to several antivirus-related Web sites. It does the said routine by modifying the HOSTS file, as seen below:



    Trend Micro already detects this worm via the latest pattern, while the URLs are already blocked by the In-the-cloud Filtering Service. We strongly advise Skype users to be wary of messages inviting them to click any link. In addition, considering the number of users of Skype (estimated to be around 220 million), this worm may skip and spread to a huge number of Skype contacts.
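    Both WORM_SKIPI.A (above) and WORM_AGENT.AAWD (earlier on this page) cut off antivirus Web sites by editing the HOSTS file. As an added example that is not TrendLabs code, here is a small checker that parses a HOSTS file and reports any entry that sinkholes or redirects a watched security-vendor domain; the watchlist and the sample file contents are constructed assumptions.

```python
import ipaddress

# Added example (not TrendLabs code). Constructed watchlist: add the vendor,
# update and console domains your own environment depends on.
WATCHLIST = ("trendmicro.com", "symantec.com", "mcafee.com", "kaspersky.com")


def _watched(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def parse_hosts(text: str):
    """Yield (line_no, ip, [hostnames]) for every non-comment HOSTS line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        yield n, ip, names


def find_hijacks(text: str) -> list:
    """Return HOSTS entries that override resolution of a watched domain.

    Any static entry for a vendor domain is suspicious: loopback/0.0.0.0
    blocks the site outright, anything else silently redirects it.
    """
    hits = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; out of scope for this check
        sinkholed = addr.is_loopback or addr.is_unspecified
        for name in names:
            if _watched(name):
                hits.append({"line": n, "host": name, "ip": ip,
                             "reason": "sinkholed" if sinkholed else "redirected"})
    return hits


# Constructed sample resembling a HOSTS file after this kind of tampering.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com   # inserted by malware
127.0.0.1       update.symantec.com
0.0.0.0         us.mcafee.com
10.0.0.5        downloads.kaspersky.com
192.168.1.20    intranet.example.test
"""

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(hit)
```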

    Data provided by Loucif Kharouni. Additional information provided by Ivan Macalintal.


