    TrendLabs Security Intelligence Blog
    Archive for November 28th, 2012




    In the discussion of targeted attacks, it is usually taken for granted that they arrived via some sort of spear-phishing attack. The discussion then goes into an analysis of the malware involved and/or the servers used or compromised in the attack.

    However, to avoid attacks in the first place, it is of value to look at the spear-phishing attacks themselves. More information about these attacks would allow administrators to consider which emails could pose a security risk, and design their defenses accordingly.

    With that in mind, we wrote our paper titled Spear-Phishing Email: Most Favored APT Attack Bait. In addition to looking at the attachments and file types used, we also looked at the industries/sectors that are targeted, and investigated the importance of good reconnaissance in launching targeted attacks.

    Among our key findings are just who is targeted by APTs, and how attackers can find them. Just under two-thirds, or 65 percent, of APT campaigns targeted governments. Just over one-third (35 percent) targeted activists.

    In addition, we found that a disturbing number of email addresses can be found online rather easily. Three-fourths of all email addresses that were targets of spear phishing could be found online. This means that, for would-be attackers, it is very easy to build a “target list” for a spear-phishing campaign.

    For our full findings, read our paper, which can be downloaded from the link below: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf



    Nov 28, 6:59 am (UTC-7)

    A wave of WORM_VOBFUS variants has recently emerged, with some variants even spreading through Facebook. Based on initial analysis, however, this crop of WORM_VOBFUS presents no new routines. For good measure, users are encouraged to observe best practices such as disabling the Autorun feature and keeping their antivirus pattern files up to date, just to name a few.

    What You Need to Know About WORM_VOBFUS

    WORM_VOBFUS takes advantage of the Windows Autorun feature to drop copies of itself onto removable and mapped network drives. Variants also arrive as files downloaded or dropped by other malware families. Users may unknowingly download WORM_VOBFUS variants when visiting malicious sites.

    These variants were also reported to be spreading on Facebook, usually (but not exclusively) using sexually suggestive file names to pique users’ interest.

    The VOBFUS malware drops copies of itself on removable drives, naming them after the user’s folders and after files with the following extensions:

    • .avi
    • .bmp
    • .doc
    • .gif
    • .jpe
    • .jpg
    • .mp3
    • .mp4
    • .mpg
    • .pdf
    • .png
    • .tif
    • .txt
    • .wav
    • .wma
    • .wmv
    • .xls

    The worm hides the original files and folders and leaves copies of itself bearing their names in their place. Users may therefore think they are opening normal files or folders when in fact they are launching WORM_VOBFUS variants in disguise. Like a typical worm, it also drops an AUTORUN.INF so that the file executes automatically when the drive is accessed.

    To check whether a system is infected, users can look for the following files:

    • {drive letter}:\Passwords.exe
    • {drive letter}:\Porn.exe
    • {drive letter}:\Secret.exe
    • {drive letter}:\Sexy.exe
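    The three artefacts described above (copies named after the user’s own folders and files, the fixed-name drops at the drive root, and AUTORUN.INF) can be checked with a short script. The following is an added example for illustration, not code from this post or from Trend Micro. It builds a constructed stand-in for a removable drive root out of empty placeholder files (no real malware) and inspects it. The name-borrowing rules it applies (a folder’s full name, or a document/media file’s name with or without its extension, e.g. Holiday.jpg → Holiday.exe or Holiday.jpg.exe) are an assumption drawn from the post’s description.

```python
import tempfile
from pathlib import Path

# Extensions the post lists as the ones the worm mimics when naming its copies.
MIMICKED_EXTENSIONS = {
    ".avi", ".bmp", ".doc", ".gif", ".jpe", ".jpg", ".mp3", ".mp4", ".mpg",
    ".pdf", ".png", ".tif", ".txt", ".wav", ".wma", ".wmv", ".xls",
}
# Root-level drop names the post gives as infection indicators.
KNOWN_DROP_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe"}


def scan_drive_root(root):
    """Inspect the top level of a drive for the three VOBFUS artefacts described in the post."""
    entries = list(Path(root).iterdir())
    findings = {"autorun_inf": False, "known_drops": [], "disguised_copies": []}

    findings["autorun_inf"] = any(e.name.lower() == "autorun.inf" for e in entries)

    # Names a disguised .exe could borrow (assumed naming rule): a folder's full name,
    # or a document/media file's name with or without its extension
    # (Photos -> Photos.exe, Holiday.jpg -> Holiday.exe or Holiday.jpg.exe).
    decoy_targets = {}
    for e in entries:
        if e.is_dir():
            decoy_targets.setdefault(e.name.lower(), e.name)
        elif e.suffix.lower() in MIMICKED_EXTENSIONS:
            decoy_targets.setdefault(e.stem.lower(), e.name)
            decoy_targets.setdefault(e.name.lower(), e.name)

    for e in entries:
        if not (e.is_file() and e.suffix.lower() == ".exe"):
            continue
        if e.name.lower() in KNOWN_DROP_NAMES:
            findings["known_drops"].append(e.name)
        # Path("report.doc.exe").stem == "report.doc", so both naming forms land here.
        borrowed = decoy_targets.get(e.stem.lower())
        if borrowed is not None:
            findings["disguised_copies"].append((e.name, borrowed))

    findings["known_drops"].sort()
    findings["disguised_copies"].sort()
    findings["infected"] = bool(
        findings["autorun_inf"] or findings["known_drops"] or findings["disguised_copies"]
    )
    return findings


def build_sample_drive(infected=True):
    """Create a constructed stand-in for a removable drive root and return its path.

    All files are harmless placeholders; the .exe entries are empty."""
    root = Path(tempfile.mkdtemp(prefix="vobfus-demo-"))
    (root / "Photos").mkdir()
    (root / "Holiday.jpg").write_bytes(b"\xff\xd8 fake jpeg header")
    (root / "report.doc").write_bytes(b"fake document")
    (root / "notes.txt").write_text("clean file, no impostor beside it")
    if infected:
        for name in ("Photos.exe", "Holiday.exe", "report.doc.exe", "Secret.exe"):
            (root / name).write_bytes(b"")
        (root / "AUTORUN.INF").write_text("[autorun]\r\n; placeholder, no open= line\r\n")
    return str(root)


if __name__ == "__main__":
    for flag in (True, False):
        result = scan_drive_root(build_sample_drive(infected=flag))
        print("infected sample" if flag else "clean sample", "->", result)
```

    Run it against the root of a mounted removable drive by passing that path to scan_drive_root; a disguised copy is reported together with the original entry whose name it borrowed, which is the pair a user would want to restore (unhide the original, delete the impostor).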

    This worm connects to a remote site where it downloads and executes other malware. Specifically, it connects to the following sites:

    • http://{random number}.ddns1.eu/{random characters}?{random character}
    • http://{random number}.ddns1.eu/{random characters}/?{random character}

    Once the file is downloaded, it is saved as %User Profile%\google.com (detected as TSPY_BANCOS.JFB). However, some of the sites this malware connects to are already inaccessible.
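    Because the download URLs follow a recognisable shape (a numeric host label under ddns1.eu, a random path segment, an optional trailing slash, then a query of one character), a proxy or web log can be searched for hosts beaconing to it. The following is an added example, not code from this post or from Trend Micro. It assumes a Squid-style access log (the lines below are constructed) and takes the post’s “{random character}” after the “?” literally as a single character; if your own traffic shows longer queries, widen that part of the pattern. The 404 line is included deliberately: a request to a site that is no longer reachable, as the post notes some now are, still identifies an infected client.

```python
import re

# Built from the two URL forms in the post:
#   http://{random number}.ddns1.eu/{random characters}?{random character}
#   http://{random number}.ddns1.eu/{random characters}/?{random character}
VOBFUS_C2_RE = re.compile(r"^http://\d+\.ddns1\.eu/[^/?\s]+/?\?[^\s]$")

# Constructed Squid access-log lines (format: ts elapsed client code/status bytes method url ...).
# Hosts, addresses and paths are made up for the demo.
SAMPLE_PROXY_LOG = """\
1354110001.201    312 10.0.0.5 TCP_MISS/200 4120 GET http://48213.ddns1.eu/kq8sZ?x - HIER_DIRECT/203.0.113.7 application/octet-stream
1354110002.455     88 10.0.0.5 TCP_MISS/200  980 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1354110003.010    240 10.0.0.9 TCP_MISS/404  310 GET http://7731.ddns1.eu/aB3/?q - HIER_DIRECT/203.0.113.8 text/html
1354110004.777    100 10.0.0.9 TCP_MISS/200 1500 GET http://ddns1.eu/help?long=value - HIER_DIRECT/203.0.113.9 text/html
"""


def parse_squid_line(line):
    """Pull the fields this check needs out of one Squid native-format access-log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": fields[0], "client": fields[2], "status": fields[3], "url": fields[6]}


def find_vobfus_beacons(log_text):
    """Return (client, url, status) for every request whose URL matches the C2 pattern.

    The HTTP status is kept on purpose: a 404 or connection failure still means the
    client tried to reach the download site."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec and VOBFUS_C2_RE.match(rec["url"]):
            hits.append((rec["client"], rec["url"], rec["status"]))
    return hits


def infected_clients(log_text):
    """Sorted list of distinct client addresses that beaconed, for a triage queue."""
    return sorted({client for client, _url, _status in find_vobfus_beacons(log_text)})


if __name__ == "__main__":
    for client, url, status in find_vobfus_beacons(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url} ({status})")
    print("clients to triage:", infected_clients(SAMPLE_PROXY_LOG))
```

    The fourth constructed line is a deliberate near miss: it sits under ddns1.eu but lacks the numeric host label and the one-character query, so it is not reported. Matching on the full URL shape rather than the domain alone keeps the check from flagging unrelated traffic to the same dynamic-DNS provider.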

    © Copyright 2013 Trend Micro Inc. All rights reserved.