Trend Micro TrendLabs Malware Blog

    As expected, criminals are now taking advantage of Stuxnet's notoriety to deploy malicious code. Senior Threats Researcher Ivan Macalintal found poisoned search results that leverage this notorious malware threat. Search strings used in this blackhat SEO campaign include “stuxnet SCADA,” “stuxnet removal tool,” “stuxnet cleanup,” “stuxnet siemens,” and “stuxnet worm,” among others. Some of these poisoned search words and phrases appeared among the top results. One of the malicious URLs that the search strings point to ({BLOCKED}lo-canada.org/2008/stuxnet.html) leads users to sites that exploit the vulnerabilities described in CVE-2010-0886 and CVE-2010-1885. Moreover, in some of the search results seen, users are redirected to sites with PDF and SWF exploits.

    In effect, this leads to various payloads, including a downloader that installs other malicious code on the system and a FAKEAV variant detected as TROJ_FAKEAV.SMZU. FAKEAV variants are known for banking on popular searches and news events to lead users into buying rogue antivirus software.


    Another example is the malicious URL {BLOCKED}l.com/loja/media/stuxnet.html (another malicious site that the search strings yield), which disguises itself as a fake YouTube page that points users to malware. Trend Micro detects the malware as TROJ_CODECPAY.AY.

    In the past, cybercriminals have taken advantage of popular security threats like Conficker to further their malicious deeds.

    Users who were infected by Stuxnet and/or are curious about this threat may be lured into clicking these poisoned search results. As a safety precaution, never click on these URLs, and get information about Stuxnet from trusted websites only.

    Here are some previous blog posts that have discussed Stuxnet:

    Trend Micro users are protected from this attack via the Trend Micro™ Smart Protection Network™, which blocks all related malicious URLs and detects the malicious files.

    Update as of October 1, 2010, 12:30 AM, UTC-7

    The PDF and SWF exploits that were seen in these attacks are now detected as TROJ_PIDIEF.XE and SWF_AGENT.WAW, respectively.

    Stuxnet was first seen in relation to the Windows LNK zero-day vulnerability, as discussed in the following link:











     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice