    Archive for June 25th, 2013

    On Tuesday, South Korea raised the country’s cyber security alarm from level 1 to 3 because of several incidents that affected different government and news websites in South Korea. One of the attacks related to the June 25 security incident involved the compromise of the auto-update mechanism for the legitimate installer file SimDisk.exe, of which we were able to obtain a sample. SimDisk is a file-sharing and storage service.

    Most software vendors’ auto-update mechanisms are intended to be non-intrusive to the user experience in order to help consumers keep their software patched and updated with the latest versions of the software. This is extremely important in preventing exploit attacks that leverage software vulnerabilities in order to perpetrate cybercrime or targeted attacks.

    In the SimDisk case, the legitimate software is configured to automatically download updates from a specific website. However, this website was compromised and served a modified version of the installer (detected as TROJ_DIDKR.A). The modified version drops a copy of the legitimate installer in order to simulate what should typically happen. But it also drops another file, a malicious component that connects to a malicious location, allowing the infection chain to play out as intended.

    Figure 1. Possible attack scenario

    All the files noted above are detected as TROJ_DIDKR.A. The malicious file which connects to the Tor network takes its name from any process that is currently running on the system.
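The naming behavior described above suggests a simple endpoint check, shown here as an added example that is not part of the original post: flag executables written under the name of a running process but at a different path, and note whether the same writer dropped a second executable, as the modified installer does. The telemetry records, field names and paths are constructed for illustration.

```python
import ntpath
from collections import defaultdict

EXEC_EXT = (".exe", ".scr", ".com")

# Constructed sample telemetry (hypothetical field names and paths).
RUNNING = [
    {"pid": 412, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1544, "image": r"C:\Program Files\Example\updater.exe"},
]
FILE_EVENTS = [
    {"writer": r"C:\Users\a\AppData\Local\Temp\update_setup.exe",
     "path": r"C:\Users\a\AppData\Local\Temp\installer_copy.exe"},
    {"writer": r"C:\Users\a\AppData\Local\Temp\update_setup.exe",
     "path": r"C:\Users\a\AppData\Local\Temp\SVCHOST.EXE"},
    {"writer": r"C:\Program Files\Example\patch.exe",   # in-place update, same path
     "path": r"C:\Program Files\Example\updater.exe"},
    {"writer": r"C:\Program Files\Example\patch.exe",
     "path": r"C:\Program Files\Example\patch.log"},
]

def norm(path):
    # Windows paths are case-insensitive; ntpath works on any host OS.
    return ntpath.normcase(ntpath.normpath(path))

def find_masquerading_drops(running, file_events):
    """Return executables written under a running process's name at another path."""
    live = defaultdict(set)            # image name -> paths it is running from
    for proc in running:
        image = norm(proc["image"])
        live[ntpath.basename(image)].add(image)
    drops = defaultdict(list)          # writer -> executables it wrote
    for ev in file_events:
        target = norm(ev["path"])
        if target.endswith(EXEC_EXT):
            drops[norm(ev["writer"])].append(target)
    findings = []
    for writer, targets in drops.items():
        for target in targets:
            name = ntpath.basename(target)
            if name in live and target not in live[name]:
                findings.append({"writer": writer, "dropped": target,
                                 "imitates": sorted(live[name]),
                                 "dropped_with_other_exe": len(set(targets)) > 1})
    return findings

if __name__ == "__main__":
    for finding in find_masquerading_drops(RUNNING, FILE_EVENTS):
        print(finding)
```

A name collision alone is only a lead; the finding is meant to be triaged together with the writer's origin and any outbound connections the dropped file makes.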

    We are currently investigating this and related incidents. We do not yet have exact details about the method of compromise, but this shows that users also need to be vigilant about the security of the auto-update mechanism of the vendors they choose to trust. Software vendors should also prioritize safeguarding product servers and the overall security of their network using products, considering the impact that a compromise in this area has on their software’s users.

    Trend Micro blocks all the malicious URLs related to this specific attack and also the malicious component of the compromised installer file. Trend Micro Deep Discovery helps enterprises defend their networks through network-wide visibility, insight, and control.

    With additional analysis from Threat researchers Harli Aquino and Nikko Tamaña

    Update as of June 26, 6:35 AM PDT

    We also found evidence that the same technique of compromising the auto-update mechanisms of web application installers is being used in other attacks. Specifically, Songsari_setup.exe, a legitimate installer file, has also been modified to drop a malicious component that will connect to a URL to download files. Our detection for these compromised installer files and other related files is TROJ_DIDKR.A.

    Figure 2. Possible attack scenario

    With additional analysis from Network threat researcher Dexter To

    Posted in Targeted Attacks | Comments Off on Compromised Auto-Update Mechanism Affects South Korean Users

    Another scam site is offering to increase a user’s Instagram followers. Unlike previous attacks, however, these sites require payment – with the amount depending on the number of followers you prefer.

    Figure 1. Pricelist for Instagram followers

    Despite the site’s liberal use of the Instagram logo, it has nothing to do with the service. It has a reservation form that asks for the user’s name, e-mail address, telephone number, and payment information. Even if you fill in the form using a dummy account, it will accept any information that the user inputs. It even has information about the site itself, as well as a FAQ page.

    Figure 2. About page

    Figure 3. FAQ page

    In the end, however, not only does the user not get the promised followers, he has handed over his personal information to scammers. This particular site has a .RU domain name, was only registered earlier this year, and is also hosted in Russia; in fact it is one of many malicious Instagram-related domains on the .RU country top-level domain. These sites are already blocked in order to protect Trend Micro customers from these threats.

    Instagram’s recent introduction of video means that more users may be looking at using the already-popular service. Users should keep in mind that all offers of added followers, whether free or paid, are likely scams that will steal the user’s information, money, or both.

    Posted in Bad Sites, Social | Comments Off on Scam Sites Now Selling Instagram Followers

