    The Trend Micro Advanced Threats Research team has discovered a number of malicious URLs under the domain of the global Internet advertising company DoubleClick:

    • hxtp://ad.doubleclick.net/click;h=ADWAJJzSVGmEDCBbJkMiTUfmdIhuADWAJJzS;~ss cs=%3fhttp://www.{BLOCKED}ola.lv/msvideoc.exe
    • hxtp://ad.doubleclick.net/click;h=aHPDZwqljHnlNScXoBJgzRzaFppDaHPDZwql;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
    • hxtp://ad.doubleclick.net/click;h=ahRQJQoWHYpFFYzgAFizZJdQnlgvahRQJQoW;~ss cs=%3fhttp://www.{BLOCKED}otel.eu/msvideoc.exe
    • hxtp://ad.doubleclick.net/click;h=aKXFNafnFbXukmAZjmqAhawpjVYYaKXFNafn;~ss cs=%3fhttp://www.{BLOCKED}ola.lv/msvideoc.exe
    • hxtp://ad.doubleclick.net/click;h=aMwjNqwdSMZFJUDKSnOUSUwsRiQLaMwjNqwd;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
    • hxtp://ad.doubleclick.net/click;h=AMZEPQvqcklBUaAiRxzguoHmlydDAMZEPQvq;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe

    Interestingly, all of these links lead to the same file, msvideoc.exe, which causes the affected system to connect to a remote site. Upon connection, it downloads a file detected by Trend Micro as TROJ_DLOAD.DI. This file in turn downloads a file detected as TROJ_MUTANT.GC. Note that the listed DoubleClick links are already blocked.

    TROJ_MUTANT variants typically perform routines that assist, or are necessary to, a main malware's algorithm. Although they are merely components, they largely enable the successful execution of malware payloads.

    Cyber criminals have previously abused open redirect services (see the entries Just Got Unlucky and Just Got Unlucky (AOL Version)) to feign legitimacy. First, it becomes harder for antispam efforts to identify these links as malicious, since the redirector is under a legitimate domain. Second, the link looks legitimate because of the familiar-looking domain at the beginning of the URL. However, a closer look at the final landing FQDNs shows that these fronts are indeed false.
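As an added example (not Trend Micro's code), the following Python parses a DoubleClick-style click-redirect link of the shape shown in the list above, recovers the real landing URL from the redirect parameter, and flags the two signs the post points to: a landing host outside the redirector's own domain, and an executable payload. The sample URLs, hashes and hostnames are constructed placeholders, and the parameter name `~sscs` is assumed to be the unbroken form of the `~ss cs` shown in the extracted list.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample click-redirect URLs shaped like the ones in the post
# (the h= hashes and the landing hosts are placeholders, not real indicators).
SAMPLES = [
    "http://ad.doubleclick.net/click;h=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;~sscs=%3fhttp://www.attacker-placeholder.test/msvideoc.exe",
    "http://ad.doubleclick.net/click;h=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB;~sscs=%3fhttp://www.advertiser-placeholder.test/landing.html",
    "http://ad.doubleclick.net/click;h=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC;~sscs=%3fhttps://ad.doubleclick.net/next",
]

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# The destination is carried in the "~sscs" parameter, URL-encoded and prefixed
# with "%3f" (a literal "?"). Optional whitespace is tolerated because the
# extracted post shows the parameter broken as "~ss cs" (assumed artifact).
_TARGET_RE = re.compile(r"~ss\s*cs=(.+)$")


def extract_redirect_target(url: str) -> Optional[str]:
    """Return the decoded landing URL embedded in a click-redirect link, if any."""
    m = _TARGET_RE.search(url)
    if not m:
        return None
    target = unquote(m.group(1)).lstrip("?").strip()
    return target or None


def classify_redirect(url: str) -> dict:
    """Describe why a redirector link may be worth blocking or reviewing."""
    redirector = (urlsplit(url).hostname or "").lower()
    target = extract_redirect_target(url)
    if target is None:
        return {"redirector": redirector, "target": None, "external": False, "executable": False}
    parts = urlsplit(target)
    target_host = (parts.hostname or "").lower()
    # Registered-domain comparison is simplified to the redirector's last two
    # labels; a production filter would consult a public-suffix list instead.
    base = ".".join(redirector.split(".")[-2:])
    external = not (target_host == base or target_host.endswith("." + base))
    executable = parts.path.lower().endswith(EXECUTABLE_SUFFIXES)
    return {"redirector": redirector, "target": target, "external": external, "executable": executable}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_redirect(sample))
```

Only the first sample trips both flags; the third redirects back under doubleclick.net and would pass an "external landing host" rule.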

    Only Trend Micro Smart Protection Network is in a position formidable enough to prevent the various points of entry malware writers may use in relation to this entire attack.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice