    Aug17
    1:48 am (UTC-7)   |    by

    This week saw a couple of notable spam runs making the rounds on the Internet.

    The first one, which actually isn’t much of a surprise, is related to the NUWAR family of worms. As we all know, NUWAR has undergone several social engineering makeovers — from doomsday messages of war to CNN top stories and more recently, e-Card greetings. The latest spam is just a variant of the latter, as seen in the following screenshot:

    ecard_mail2.gif

    However, based on the analysis by our Senior Threat Analyst PB Cruz, the new twist here is that unlike its predecessor, which instantly downloads the worm after a user clicks on the link in the message, the link in the new messages points to a Web page. The said page displays an error message saying that the user needs to install Microsoft Data Access to properly view the e-Card (see image).

    webpage.gif

    If the tactic looks somewhat familiar, that’s because another malware family has been using it. ZLOB Trojans, after all, have this penchant for disguising themselves as codecs that the user “needs” to install to view videos, right? Anyhow, even if the above link is not clicked, the page hosts a malicious JavaScript that takes advantage of (ironically) a Microsoft Data Access Components (MDAC) vulnerability (as discussed in Microsoft Security Bulletin MS06-014) to download Trojan downloaders. These downloaders, in turn, download the NUWAR variant onto an affected system.

    Trend Micro detects the malicious JavaScript as JS_DLOADER.PCT. The downloaders and the NUWAR variant, on the other hand, are detected as TROJ_DLOADER.KTY, TROJ_TIBS.AMA, and WORM_NUWAR.MV. Slight variations of both the spam message and the malware components have been spotted as well, although Trend Micro users are protected from them, as long as they keep their pattern files updated. :)

    The second notable spam (or rather, spamming technique) comes in the form of special characters. Literally:

    stock1.gif stock4.gif

    Notice the strikethroughs and all those extra symbols and characters. The messages all talk about — again not surprisingly — stocks, although given this heavily obfuscated tactic that’s almost suspicious, do spammers really expect to be taken seriously?

    According to Lalaine Gregorio of the Content Security team, whoever created these messages is clearly just trying to avoid the filtering techniques used by security applications. “Spamming is really cheap, so it doesn’t really matter if they send out nonsense mail,” Gregorio states. “Eventually someone will take the message seriously, which will then make them [the spammers] gain profit.”
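
    An added example, not from the original post or from Trend Micro: a small pre-filter normalizer showing why symbol-stuffed text slips past plain keyword rules, and how stripping the noise restores the match while the noise density itself becomes a signal. The keyword list, the threshold and both sample strings are constructed assumptions; the exact characters used in the screenshots above are not known.

```python
import re
import unicodedata

# Hypothetical keyword list for stock spam; tune it to your own mail stream.
STOCK_TERMS = ("stock", "shares", "price", "buy", "profit")

TAG_RE = re.compile(r"<[^>]+>")        # inline HTML such as <strike> or <s>
NOISE_RE = re.compile(r"[^a-z0-9\s]")  # symbols wedged between letters
SPACED_RE = re.compile(r"\b(?:[a-z] ){2,}[a-z]\b")  # "p r o f i t"


def normalize(text):
    """Undo common filter-evasion noise so keyword rules see plain words."""
    text = TAG_RE.sub("", text)
    # NFKD splits characters into base letter + combining marks ...
    text = unicodedata.normalize("NFKD", text)
    # ... so marks (e.g. U+0336, a strikethrough overlay) can be dropped.
    text = "".join(c for c in text if not unicodedata.category(c).startswith("M"))
    text = NOISE_RE.sub("", text.lower())
    text = re.sub(r"\s+", " ", text).strip()
    # Re-join runs of single letters; adjacent spaced-out words will merge.
    return SPACED_RE.sub(lambda m: m.group(0).replace(" ", ""), text)


def noise_ratio(text):
    """Share of visible characters that are neither letters nor digits."""
    visible = [c for c in TAG_RE.sub("", text) if not c.isspace()]
    return sum(not c.isalnum() for c in visible) / len(visible) if visible else 0.0


def score(text, ratio_threshold=0.25):
    """Flag only when spam terms appear AND the text is heavily obfuscated."""
    clean = normalize(text)
    hits = sorted(t for t in STOCK_TERMS if re.search(rf"\b{t}\b", clean))
    ratio = noise_ratio(text)
    return {"hits": hits, "noise_ratio": round(ratio, 2),
            "flag": bool(hits) and ratio >= ratio_threshold}


# Constructed samples (not taken from the spam run described in the post).
OBFUSCATED = ("S\u0336t\u0336o\u0336c\u0336k\u0336 a.l.e.r.t!! B~u~y X*Y*Z*Q "
              "<s>s|h|a|r|e|s</s> n-o-w, p_r_i_c_e up, p r o f i t")
PLAIN = "Please review the stock price report before we buy more shares."

if __name__ == "__main__":
    for name, sample in (("obfuscated", OBFUSCATED), ("plain", PLAIN)):
        print(name, score(sample))
```

    The plain message contains the same keywords but is not flagged, because the rule requires both the terms and a high share of non-alphanumeric characters.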

    Nonsense or not, spam still spells bad news.

    Additional data provided by Lala Manly




