TrendLabs Malware Blog - Trend Micro
    Archive for November 13th, 2013

    Soon after Paunch was arrested, we found that the flow of spam campaigns leading to sites hosting the Blackhole Exploit Kit (BHEK) had slowed down considerably. Instead, we saw an increase in messages carrying a malicious attachment.

    Recently, however, we came across rather unusual spam samples that combine characteristics of both attacks.

    Figure 1. Spammed message

    These particular messages contain both a link to a malicious site and a malicious attachment. Spam that carries both kinds of threat is not common; generally, a message has one or the other.

    The URLs in these messages generally lead to compromised sites, which in turn point to JavaScript files in a manner similar to that used by the Blackhole Exploit Kit. We cannot confirm whether these JavaScript files redirect to landing sites that lead to exploit kits, but the content added to the compromised sites we have seen is almost identical to that used by Blackhole campaigns.

    The malicious attachment is another UPATRE variant, TROJ_UPATRE.SMB. This downloader installs a ZBOT variant on the affected system. We had earlier identified the Cutwail botnet as sending out spam with UPATRE downloaders as attachments, and that is also the case here.
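As an added illustration (not code from the original post or from Trend Micro), the triage routine below parses a raw message and flags the dual-vector pattern described above: a link in the body plus an attachment in the same message. The sample message, its sender, URL and attachment name are constructed for this example; the attachment body is a few bytes carrying a ZIP magic header rather than a real archive, and the list of "risky" extensions is an assumption about typical lure types, not something the post states.

```python
import email
import os
import re
from email import policy

# Constructed sample message, modelled on the dual-vector spam described in the
# post. It is NOT the sample Trend Micro analysed; sender, URL and filename are made up.
# The attachment payload is just a ZIP magic header ("PK\x03\x04") plus a few bytes.
SAMPLE_EML = b"""From: billing@example.invalid
To: victim@example.invalid
Subject: Invoice 4471 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your invoice is overdue. Review it here: http://compromised-site.example/invoice.html
or open the attached copy.

--XYZ
Content-Type: application/zip; name="Invoice_4471.zip"
Content-Disposition: attachment; filename="Invoice_4471.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumption: archive/executable extensions commonly used for UPATRE-style lures.
RISKY_EXT = {".zip", ".rar", ".7z", ".exe", ".scr", ".pif", ".js"}
ARCHIVE_EXT = {".zip", ".jar", ".docx", ".xlsx", ".pptx"}  # legitimately ZIP-based
ZIP_MAGIC = b"PK\x03\x04"
MZ_MAGIC = b"MZ"


def triage(raw: bytes) -> dict:
    """Return URLs, attachment facts and triage reasons for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments, reasons = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_disposition() == "attachment" or filename:
            payload = part.get_payload(decode=True) or b""
            ext = os.path.splitext(filename or "")[1].lower()
            info = {
                "filename": filename or "",
                "content_type": part.get_content_type(),
                "size": len(payload),
                "is_zip": payload.startswith(ZIP_MAGIC),  # judged by magic, not name
                "is_pe": payload.startswith(MZ_MAGIC),
                "risky_ext": ext in RISKY_EXT,
            }
            attachments.append(info)
            if info["risky_ext"] or info["is_zip"] or info["is_pe"]:
                reasons.append(f"suspicious attachment {info['filename']!r}")
            if info["is_zip"] and ext not in ARCHIVE_EXT:
                reasons.append(f"ZIP magic under non-archive extension {ext!r}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            # policy.default decodes the text part to str using its declared charset
            urls.extend(URL_RE.findall(part.get_content()))
    dual = bool(urls) and bool(attachments)
    if dual:
        reasons.append("link and attachment in the same message (dual vector)")
    return {"urls": urls, "attachments": attachments,
            "reasons": reasons, "dual_vector": dual}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The `reasons` list is what a mail-gateway rule would act on; judging the attachment by its magic bytes rather than its extension catches archives renamed to look like documents, which a filename-only filter misses.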

    In the long term, it is unclear what this indicates. It may mean that attackers are turning to another exploit kit to replace BHEK, but we cannot say for sure. We continue to look out for new threats in order to protect our users. In the meantime, we block the spam messages, websites, and files associated with this threat.

    Additional analysis by Emmanuel Nisperos

    Posted in Malware, Spam | Comments Off on Unusual BHEK-Like Spam With Attachment Found

    The year might be coming to a close, but we are still seeing our 2013 predictions come true. We encountered an attack that featured an old malware family with new routines. This malware, detected as BKDR_SINOWAL.COP, specifically attempts to disable the Rapport software from Trusteer.

    Figure 1. Code that looks for the Trusteer Rapport module

    Rapport is software that protects users from phishing and man-in-the-browser (MitB) attacks; banks frequently provide it to their customers to improve their security. Had the attacker succeeded in disabling Rapport, users would have been more exposed to MitB attacks, which banking malware frequently uses.

    A side note: we have been in contact with Trusteer regarding this threat, and they have confirmed that it does not succeed in disabling Rapport, so users are not at increased risk.

    BKDR_SINOWAL.COP does not, however, have the ability to perform MitB attacks by itself. It requires a plugin component or another malware to carry out this type of attack.

    Feedback from the Smart Protection Network shows that the attack arrived as an email attachment. The attachment is a compressed file containing a BKDR_ANDROM variant, detected as BKDR_ANDROM.LSK, which drops and executes both the SINOWAL malware and TSPY_ZBOT.IRF.

    Figure 2. SINOWAL routine

    Knowing this, we can say that the attacker intended to make ZBOT's MitB routine (via web injects) more effective by using BKDR_SINOWAL's capability to disable software that prevents that specific attack.

    This threat shows how different malware families can work together to increase their effectiveness in carrying out malicious activities, such as stealing information. We already detect the malware associated with this attack.

    The following are the SHA1 hashes of the files related to this threat:

    • 1888306B7A47CB2A0EE88529D9C0C55D5E43A870
    • 494F4902437F446C7C4178672489980889111CC1
    • 9DFB7E2EF011B537ED0238FA64058AFB7340EA27
    • B6598BB118F903175FFE5914A28F7D2E03BF471F
    • C9D153A22E75F30F4246F6B4E730D8CF5E33A333
    • FABCDC9564E1E7D59C406969C871C6C53652284E
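To make the hash list actionable, here is an added example (not Trend Micro's own tooling) of a SHA1 sweep over a directory tree against the indicators above. The scratch file it creates in a temporary directory is constructed for the example and will not match any of the published hashes; the `demo` function then seeds the set with that file's own hash so the reporting path is exercised as well.

```python
import hashlib
import os
import tempfile

# SHA1 indicators published in the post above.
SINOWAL_IOCS = {
    "1888306B7A47CB2A0EE88529D9C0C55D5E43A870",
    "494F4902437F446C7C4178672489980889111CC1",
    "9DFB7E2EF011B537ED0238FA64058AFB7340EA27",
    "B6598BB118F903175FFE5914A28F7D2E03BF471F",
    "C9D153A22E75F30F4246F6B4E730D8CF5E33A333",
    "FABCDC9564E1E7D59C406969C871C6C53652284E",
}


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def sweep(root: str, iocs) -> dict:
    """Walk `root` and return {path: sha1} for every regular file whose SHA1 is in `iocs`.

    Hashes are compared case-insensitively; unreadable files are skipped rather than
    aborting the sweep, and symlinked directories are not followed (os.walk default).
    """
    wanted = {h.strip().upper() for h in iocs}
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skips broken symlinks and special files
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits[path] = digest
    return hits


def demo() -> tuple:
    """Build a constructed scratch tree (not real samples) and run two sweeps:
    one against the published IOCs (expected: no hits) and one with the scratch
    file's own hash added in lower case (expected: one hit, matched case-insensitively).
    Returns (clean_hit_count, seeded_hit_count, seeded_hit_digest)."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "inbox", "Invoice.zip")
        os.makedirs(os.path.dirname(sample))
        with open(sample, "wb") as fh:
            fh.write(b"hello")  # constructed content, not malware
        clean = sweep(root, SINOWAL_IOCS)
        seeded = sweep(root, SINOWAL_IOCS | {sha1_of_file(sample).lower()})
        return len(clean), len(seeded), seeded.get(sample)


if __name__ == "__main__":
    print(demo())
```

Run it against a mail spool or download directory by calling `sweep(path, SINOWAL_IOCS)`; a file hash match is a strong indicator, but the absence of a match only says the exact published binaries are not present, since any repack of the droppers changes the SHA1.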
    Posted in Malware, Spam | Comments Off on SINOWAL Attempts To Disable Rapport, Aid ZBOT


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice