Just today, we at the Content Security team received a large number of spam with a ZIP attachment that contains a backdoor. The said email informs the user that the product he/she has ordered/purchased online is already sent. It then asks the user to view the tracking document details by opening the attachment.
The attachment is not an Office file, it is instead an executable which Trend Micro detects as BKDR_REDOLAB.AL. This backdoor’s main duty appears to be to download TROJ_RENOS.BAV. Renos variants are known downloaders of rogue antivirus components/software. Our engineers are currently analyzing the capabilities of this Trojan.
Various Web-based infection vectors have been used in connection with rogue antivirus scams. In the last couple of months, rogue antivirus has been the final payload of blackhat SEO attacks (as in the case of malicious links that come up when users searched for news about Corazon Aquino’s death and the latest solar eclipse) and malicious Twitter posts. The last we have seen of malicious attachments that lead to rogue antivirus was in the Reconfigure Your Outlook spam.
The latest spam pattern in the Trend Micro Smart Protection Network already blocks this spam run. The malicious files are detected as BKDR_REDOLAB.AL and TROJ_RENOS.BAV. This entry will be updated for the full behavior of the RENOS Trojan.