What is it with Paris Hilton these days? Just this week we’ve seen several pictures of the celebrity in a spam run that is yet again pushing rogue AV.

We are quite familiar with the social engineering technique of name-dropping celebrities to pique interest (and therefore hits); the last celebrity we saw used in this run was Angelina Jolie, around the time of the release of the movie Wanted, in which she starred.

These spammers are apparently in touch with the pop culture scene: Paris followers (and naysayers) all over the world are by now intimately familiar with the viral video in which Paris says, “I want America to know that I’m, like, totally ready to lead.” This was her answer to the John McCain ad that placed a clip of his opponent Barack Obama between footage of Paris Hilton and Britney Spears, implying that Obama is merely a celebrity.

Figure 1. Spammers play off off-beat mainstream news.

Trend Micro Advanced Threats Researcher Jamz Yaneza tells us that tempted users who open the message will find one of several URLs in the message body, each pointing to an executable posing as a video file (named video_1.exe, stream.exe, player.exe or play.exe).


Clicking the link to the “video” leads to the download of components detected by Trend Micro as TROJ_FAKEAV.FP and TROJ_FAKEAV.FW.
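As an added example (not Trend Micro's code), the following Python triage check looks for the pattern described above: a link whose target is an executable, dressed up with “video” or “player” wording. The message bodies and domains are constructed for the example, not samples from the actual run.

```python
import re
from urllib.parse import urlparse

# Constructed sample bodies (not real spam) modelled on the lure in the post:
# a celebrity "video" link whose target is really an executable.
SAMPLE_MESSAGES = [
    "Paris says she is totally ready to lead! Watch the video: http://www.example-gmbh.de/video_1.exe",
    "See the clip here http://example.com.ar/stream.exe before it gets pulled",
    "Meeting notes attached, slides at https://intranet.example.org/deck.pdf",
    "New release: http://www.example.ch/play.exe",
    "Angelina in the Wanted trailer http://www.example.net/watch/trailer.mp4",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif")  # a "video" link should never end here
MEDIA_LURE_RE = re.compile(r"\b(video|clip|stream|player|play|watch|trailer)\b", re.IGNORECASE)

def extract_urls(text):
    """Return every http(s) URL in a message body."""
    return URL_RE.findall(text)

def is_executable_url(url):
    """True when the URL path (query string ignored) ends in an executable extension."""
    return urlparse(url).path.lower().endswith(EXECUTABLE_EXTENSIONS)

def assess_message(text):
    """Classify one body: 'clean', 'executable-link', or 'executable-media-lure'
    (an executable link wrapped in video/player wording, the pattern this post describes)."""
    exe_urls = [u for u in extract_urls(text) if is_executable_url(u)]
    if not exe_urls:
        return {"verdict": "clean", "urls": []}
    # Look for lure wording in the prose only, so the filename itself does not count.
    lure = MEDIA_LURE_RE.search(URL_RE.sub("", text))
    return {"verdict": "executable-media-lure" if lure else "executable-link", "urls": exe_urls}

def scan(messages):
    """Return (index, verdict, urls) for every message that is not clean."""
    hits = []
    for i, body in enumerate(messages):
        result = assess_message(body)
        if result["verdict"] != "clean":
            hits.append((i, result["verdict"], result["urls"]))
    return hits

if __name__ == "__main__":
    for index, verdict, urls in scan(SAMPLE_MESSAGES):
        print(f"message {index}: {verdict} -> {', '.join(urls)}")
```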

While we are indeed seeing a trend of rogue AV programs having a field day over the past few weeks, the volume of unique Paris-related spam-for-rogue-AV attacks, and the number of actual victims (a big chunk of them in North America, according to our Virus Tracking Center), show that this particular social engineering technique does get clicks.

Never mind if the spam doesn’t make sense…

Figure 2. Paris spam pushing rogue AV, sample 2

…isn’t even remotely sensational…

Figure 3. Paris spam pushing rogue AV, sample 3

…or just too good to be true.

Figure 4. Paris spam pushing rogue AV, sample 4

All URLs and spam mail mentioned above are already blocked by the Smart Protection Network.
