    Archive for July 31st, 2013

    The Blackhole Exploit Kit (BHEK) is one of the most notorious exploit kits currently in circulation in the cybercriminal underground. Because of this, we continuously monitor for incidents and attacks involving the kit itself.

    Last week we reported on the spam campaign leveraging the birth of Prince William’s and Kate Middleton’s son. Our analysis showed that this campaign is connected to other ongoing campaigns that use other recent news events as lures, such as the controversy surrounding the upcoming movie Ender’s Game.

    Some of the other connected campaigns also used Facebook and eBay as lures to get users to click malicious links.

    The volume of spammed messages related to this spam run reached up to 0.8% of all spam messages collected during the time period, a relatively large percentage compared to other runs. We also identified the countries from which the bulk of the spam was being sent and found that a large portion of it came from the US.

    Another notable aspect of this run is its payload, which includes the information stealer TSPY_FAREIT. TSPY_FAREIT variants are often used as the payload in campaigns that leverage BHEK.

    The variant in this particular run, detected as TSPY_FAREIT.AFM, not only steals FTP client account information from the system it infects, but also steals stored email credentials and login information saved in browsers, and it brute-forces the Windows login with a list of predetermined passwords. It essentially plunders the affected computer for information that can be used to compromise the user’s financial accounts, personal data, and even the security of the system itself.

    These recent developments regarding this particular exploit kit can certainly be disconcerting, but there is nothing particularly new about BHEK being used in new, unpredictable ways. What we can glean from this, however, is that even such an old approach is still effective in claiming victims, which means that more users need to be protected against this threat. User protection is not all that hard: as we have reminded everyone in the past, guarding against this kind of threat is a simple matter of a) being vigilant against socially engineered attacks and b) having a security solution that blocks the threats themselves.

    Users can avoid infection by being extra vigilant and not clicking the links presented in suspicious mails such as these. Other precautions include always installing the latest Java security update (find out more on how you can use Java safely here) and using a web reputation security product.

    Trend Micro users are protected from all the malicious elements involved in this overarching spam campaign. For more information regarding the Blackhole Exploit Kit, refer to our paper on the subject here.

    With additional inputs from Matt Yang and Rhena Inocencio.

    Posted in Bad Sites, Malware, Spam | Comments Off on The Current State of the Blackhole Exploit Kit

    The Andromeda botnet is still active in the wild and is not dead yet. In fact, it is about to undergo a major update very soon. This botnet was first reported back in 2011 but has recently risen to prominence due to the latest modifications to the threat.

    Initially, the project to update Andromeda was about to die, but the botnet’s author found a successor (even though he did not officially retire). Here is the author’s previous post, which basically says that if no buyer is found to take over the software, the service will be discontinued.

    Online Post on Underground Forum

    Just recently, however, we uncovered that there is ongoing development in the Andromeda botnet. The latest announcement basically says that the Andromeda code is going to be updated heavily. They have suspended the sales of plug-ins to focus on developing the new version. Here is a rough translation of the post (the original is in Russian) about this major update:

    Sales of all plug-ins are currently suspended.
    The project is undergoing a global modernization. In the near future a few important but not visible changes will happen:
    1. The admin principle will be updated. Externally, it will remain the same, but the storage principle will change, which will reduce the load.
    2. All plugins will undergo fundamental changes both in format and structure. Those who wrote plugins for Andromeda need to ping waahoo for further information.
    3. Why such a change? First of all, it fixes bugs and flaws found; secondly, because of the bugs found we have to completely change the approach to plug-ins, which has been a pain in the ass and should not pop up in future.
    4. I’m not going on vacation for a long time. On the work of Andromeda or its purchases – please contact the author of the project.

    The rootkit and SOCKS5 plug-ins, which are popular, are now also free of charge. Previously, the rootkit sold for $300 and the SOCKS5 plug-in with BackConnect for $1000. BackConnect is a plug-in used to turn an infected machine into a SOCKS5 proxy; it allows the criminal to control the infected machine directly through the infected machine’s IP address and a random port.
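Because the proxy plug-in listens on a random port, a port-based allowlist alone will not catch it; the check below identifies SOCKS5 method negotiation (RFC 1928) by content and flags hosts offering it that are not sanctioned proxies. This is an added defender-side example, not code from the Trend Micro post; the flow records and the SANCTIONED_PROXIES allowlist are constructed for illustration.

```python
from dataclasses import dataclass

SOCKS5_VERSION = 0x05
NO_ACCEPTABLE_METHODS = 0xFF

# Hosts legitimately allowed to offer SOCKS5 (assumed allowlist for this example).
SANCTIONED_PROXIES = {("10.0.0.5", 1080)}

@dataclass
class Flow:
    """One TCP connection: who listened, and the first bytes each side sent."""
    server_ip: str
    server_port: int
    client_first: bytes
    server_first: bytes

def parse_socks5_greeting(data: bytes):
    """Return the method list of an RFC 1928 client greeting, or None if it is not one."""
    if len(data) < 2 or data[0] != SOCKS5_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])

def is_socks5_handshake(client_first: bytes, server_first: bytes) -> bool:
    """True when the first exchange matches SOCKS5 method negotiation: the server
    answers with version 5 and picks an offered method or 0xFF (none acceptable)."""
    methods = parse_socks5_greeting(client_first)
    if methods is None or len(server_first) < 2 or server_first[0] != SOCKS5_VERSION:
        return False
    chosen = server_first[1]
    return chosen == NO_ACCEPTABLE_METHODS or chosen in methods

def find_rogue_proxies(flows):
    """(ip, port) pairs acting as SOCKS5 servers that are not on the sanctioned list."""
    rogue = {(f.server_ip, f.server_port) for f in flows
             if is_socks5_handshake(f.client_first, f.server_first)}
    return sorted(rogue - SANCTIONED_PROXIES)

# Constructed sample flows (not real captures); addresses and ports are made up.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 1080, b"\x05\x01\x00", b"\x05\x00"),                    # sanctioned proxy
    Flow("10.0.0.23", 49731, b"\x05\x02\x00\x02", b"\x05\x02"),              # workstation answering SOCKS5 on a high port
    Flow("10.0.0.23", 49731, b"\x05\x01\x00", b"\x05\xff"),                  # same host rejecting the method: still SOCKS5
    Flow("10.0.0.42", 8080, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),  # plain HTTP, ignored
]

if __name__ == "__main__":
    for ip, port in find_rogue_proxies(SAMPLE_FLOWS):
        print(f"unexpected SOCKS5 service on {ip}:{port}")
```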

    As of this writing, there is no definite date for when the new version will come out. Once implemented, however, this latest version of Andromeda is expected to be more stable and powerful than previous ones and may come with more plug-ins.

    Posted in Botnets | Comments Off on Andromeda Botnet Gets an Update


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice