    Archive for January, 2014

    We’ve seen “get Twitter followers” scams in the past, but a recent one stood out for a very good reason: it actually delivers what it promises—and then some.

This scam attracts potential victims with tweets containing the phrase “GET MORE F0LL0WERS” (zeros standing in for the letter O) and a URL that appears to belong to Google. In this case Google is used only as a redirector to the scammer’s site. The tweets also piggyback on Twitter’s Discover feature and trending topics to boost their visibility, and they mention random Twitter users so that those users see them.

    Figure 1. Sample tweets promoting the site
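As an added example (not part of the original post), here is a small Python triage routine for the lure traits described above: the digit-for-letter spelling of the phrase, the google.com/url redirector, and the mass mentions. The sample tweets, handles and URLs are constructed for this example and are not the real accounts or sites from the scam.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample tweets modelled on the lure described above. Handles,
# wording and URLs are made up for this example.
SAMPLE_TWEETS = [
    "GET MORE F0LL0WERS https://www.google.com/url?q=http://followers.example.test/",
    "@user1 @user2 GET MORE F0LL0WERS N0W http://google.com/url?q=http://followers.example.test/free",
    "Slides from today's talk: https://www.example.org/slides",
    "get more followers the honest way: post things people want to read",
]

LURE = "GET MORE FOLLOWERS"

# Digit-for-letter substitutions: the observed lure used 0 for O; the other
# common pairs are included so near-variants are normalised the same way.
_LEET = str.maketrans({"0": "O", "1": "I", "3": "E", "4": "A", "5": "S", "7": "T"})
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
_MENTION_RE = re.compile(r"(?<!\w)@\w{1,15}")


def normalise(text: str) -> str:
    """Upper-case the text and undo digit-for-letter substitutions."""
    return text.upper().translate(_LEET)


def google_redirect_target(url: str):
    """Return the real target if url is a google.com/url?q=... redirector, else None."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if (host == "google.com" or host.endswith(".google.com")) and parts.path == "/url":
        targets = parse_qs(parts.query).get("q")
        if targets:
            return targets[0]
    return None


def score_tweet(text: str) -> dict:
    """Flag a tweet when at least two independent lure traits are present.
    The lure-phrase check fires only if the phrase appears *after* undoing
    the digit substitutions, so an honestly spelled tweet is not penalised."""
    reasons = []
    if LURE in normalise(text) and LURE not in text.upper():
        reasons.append("lure phrase hidden with digit substitutions")
    targets = [t for t in map(google_redirect_target, _URL_RE.findall(text)) if t]
    if targets:
        reasons.append("google.com/url redirector")
    if len(_MENTION_RE.findall(text)) >= 2:
        reasons.append("multiple mentions")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "targets": targets}


def triage(tweets):
    """Return (tweet, report) for every tweet that scores as suspicious."""
    return [(t, score_tweet(t)) for t in tweets if score_tweet(t)["suspicious"]]
```

The redirect target is worth keeping: it is the scammer’s real hostname, which is what you would block or pivot on, while the google.com link itself is harmless on its own.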

When users click the link in the tweet, they are redirected to a “get free followers” site. The site offers two options, a free and a premium service. The free option requires users to authorize a Twitter app named “LAAY PAAY” created by the scammers, which grants the scammers access to the user’s Twitter account. After the user is returned to the scam site from the app authorization process, the site shows a “processing” page, and the user gains random Twitter followers, including some with private accounts.

    The premium service boasts new followers per minute, no ads, and instant activation. This service costs five euros and can be paid via PayPal.

    Figure 2. Choice between the free or premium service

What’s the catch? Yes, users get new followers, but these followers are other users who signed up for the same service. By authorizing the app, each user’s account is in turn used to follow the other participants.

    In addition, spam tweets will also be sent from the victim’s Twitter account. Even paying five euros will not stop these spam tweets. Note that to get more followers you have to log in repeatedly (otherwise you drop off the “list”), repeating the whole cycle.

    Figure 3. Service confirmation page

    Gaining access to Twitter accounts and sending spam tweets is not the only goal of the scammers here. They also load various advertising-laden affiliate sites in the background, in order to gain pageviews and thus, revenue for the owners of the ads.

    We’ve seen 35 separate domains in this attack, all of which lead to an IP address hosted in the United States. The US also accounts for almost 70% of this site’s visitors, based on Smart Protection Network feedback. Other countries in the top 5 include Turkey, New Zealand, Britain, and the Philippines.

Users are encouraged to avoid clicking links in social media posts unless the source can be verified. They should also avoid granting access to their social media accounts unless the requesting site is established and well-known. Lastly, they should always remember that “free” services often aren’t: they may ask for something in exchange, be it information or access to accounts.

    Trend Micro blocks all URLs related to this scam. Twitter has suspended some accounts that were involved in this attack, and spammed tweets have also been removed.

Posted in Social


    Earlier this week, it was announced by the United States Department of Justice that the creator of the notorious SpyEye banking malware, Aleksandr Andreevich Panin (also known as Gribodemon or Harderman), had pleaded guilty before a federal court to charges related to creating and distributing SpyEye.

    Trend Micro was a key part of this investigation and has been working with the FBI on this case for quite some time. In particular, information provided by Trend Micro (such as the online “handles” and accounts used) was used to help find the real identities of Panin and his accomplices. It took considerable effort for all parties involved to bring this investigation to a successful conclusion.

    Our investigation

One of Panin’s accomplices was Hamza Bendelladj, who went by the alias bx1. Both Panin and Bendelladj were involved in creating and setting up various SpyEye domains and servers, which was how we were able to obtain information on the pair. Although SpyEye was built so that few of its server-side files were publicly accessible, we were still able to obtain configuration files from these servers, and these contained information such as the email address of the server’s controller.

We correlated the information obtained from these configuration files with information we had gathered elsewhere. For example, we infiltrated various underground forums that both Panin and Bendelladj were known to frequent. Their own posts inadvertently disclosed information like email addresses, ICQ numbers, or Jabber IDs, all of which could help reveal their actual identities.

In Bendelladj’s case, we located a C&C server together with its SpyEye binaries and configuration files. The decrypted configuration files included the handle bx1, and one of them also contained an email address. A second configuration file, also using the bx1 name, contained login credentials for virtest, a detection-testing service used by cybercriminals to check whether their binaries are flagged by antivirus products.


    Figure 1. Configuration files

    The following post in an underground forum shows that Bendelladj’s involvement in SpyEye was more in-depth than he claimed in public:

    Figure 2. Underground forum post

This graph shows some of the relationships among various websites, email addresses, and malware used by Bendelladj:


    Figure 3. Diagram showing the relationships among related websites, email addresses, and malware
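As an added example that is not from the investigation itself, the pivoting described above (start from a handle seen in a configuration file and connect it, through shared ICQ numbers, Jabber IDs, email addresses and domains, to other records) can be modelled as a graph and walked automatically. The observations below are constructed placeholders; nothing in them is a real handle, address or domain from the case.

```python
from collections import defaultdict, deque

# Constructed observations standing in for the kinds of data described above
# (decrypted SpyEye configuration files, forum posts, domain records). Every
# value is a placeholder, not a real selector from the investigation.
OBSERVATIONS = [
    ("config file, server A", {"handle": "bx1", "email": "contact-1@example.test"}),
    ("config file, server B", {"handle": "bx1", "virtest_login": "vt-account-1"}),
    ("forum post 1", {"handle": "bx1", "icq": "111111111"}),
    ("forum post 2", {"icq": "111111111", "jabber": "user-1@jabber.example.test",
                      "domain": "c2-three.example.test"}),
    ("domain registration", {"domain": "c2-three.example.test",
                             "email": "registrant-1@example.test"}),
    ("forum post 3", {"handle": "otherguy", "icq": "222222222"}),
]


def build_graph(observations):
    """Bipartite graph: each source node links to every selector it contained.
    Selectors are written as 'type:value' so the same value in two different
    roles (an email used as a handle, say) is not merged by accident."""
    adj = defaultdict(set)
    for source, selectors in observations:
        src = "source:" + source
        for kind, value in selectors.items():
            sel = f"{kind}:{value}"
            adj[src].add(sel)
            adj[sel].add(src)
    return adj


def pivot(adj, start):
    """Everything reachable from one selector by repeatedly pivoting on shared
    selectors: breadth-first search that also records the path to each hit,
    so an analyst can see *why* two records were linked."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def clusters(adj):
    """Connected components, i.e. the separate identities the data supports."""
    seen, out = set(), []
    for node in adj:
        if node not in seen:
            comp = set(pivot(adj, node))
            seen |= comp
            out.append(sorted(comp))
    return out
```

The path kept for each hit matters in practice: a link that runs through a shared, low-value selector (a popular free-mail domain, a widely reused ICQ number) is far weaker than one through a credential only the operator would have, and the path is what lets you weigh that before treating two records as one person.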

    Investigating Gribodemon

    We carried out the same kind of investigation to look into Panin. As with his partner in crime, we found that Panin was linked to various domain names and email addresses.

    While Panin believed that he was very good at hiding his tracks, it’s now obvious that he wasn’t as good as he thought he was. Around the time he was selling SpyEye, he also became very sloppy and not particularly careful; despite using multiple handles and email addresses, Trend Micro, working together with the FBI, found his real identity.

    Panin started selling SpyEye in 2009, and it quickly became a well-regarded competitor to the more well-known ZeuS. At the time, it was popular due to its lower cost and the ability to add custom plug-ins, something ZeuS didn’t offer. In late 2010, in two posts, we took a very good look at SpyEye’s control panels.

    Some cybercriminals were not particularly fond of SpyEye due to its poor coding compared with ZeuS, while others liked the features that SpyEye brought to the table. Whatever the case, SpyEye was well-known enough in the cybercrime community that when ZeuS creator Slavik left, he gave the code to Panin.

    Panin used this code to create a new version of SpyEye which combined features of both the older versions of SpyEye and ZeuS. In addition, he outsourced some of the coding to his accomplices (like Bendelladj) in order to improve SpyEye’s quality. Later versions showed significant changes to the underlying code, including reusing code from ZeuS.

This case shows how security companies, working closely with law enforcement agencies, can deliver results. By going after the cybercriminals themselves instead of their servers, we ensured that permanent damage was done to the whole underground, instead of the relatively quick and easily repairable damage caused by takedowns. We believe that this is the way to attack cybercrime and make the Internet safer for all users.

    Posted in Malware | Comments Off on Eyeing SpyEye

In the past few months, the Tor anonymity service has been in the news for various reasons. Perhaps most infamously, it was used by the now-shuttered Silk Road underground marketplace. We delved into the topic of the Deep Web in a white paper titled Deepweb and Cybercrime. In our 2014 predictions, we noted that cybercriminals would go deeper underground, and that part of that would be using Tor in greater numbers.

    Cybercriminals are clearly not blind to the potential of Tor, and network administrators have to consider that Tor-using malware might show up on their network. How should they react to this development?

    What’s Tor, anyway?

    Tor is designed to solve a fairly specific problem: to stop a man-in-the-middle (such as network administrators, ISPs, or even countries) from determining or blocking the sites that a user visits. How does it do this?

Tor (originally an acronym for “The Onion Router”) is an implementation of the concept of onion routing, in which a number of nodes located on the Internet serve as relays for traffic. A user who wants to use the Tor network installs a client on their machine.

This client contacts a Tor directory server to obtain a list of relays, then selects a path through several of them to the destination server. This path is meant to be difficult to follow. In addition, all traffic between nodes is encrypted, in layers: each relay can only remove its own layer, so it learns the previous and next hop but not the whole path. (More details about Tor may be found at the official website of the Tor project.)

In effect, this hides your identity (or at least your IP address) from the site you visit, as well as from anyone inspecting your network traffic along the way. This is quite useful if you want to cover your tracks or if, for some reason, the server you are trying to reach denies connections from your IP address.

This can be done for both legitimate and illegitimate reasons. Unfortunately, that means it can be, and has already been, used for malicious purposes.
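An added toy model of the layered encryption just described, written for this page and not taken from the Tor code base: the client wraps the request in one layer per relay, and each relay can strip only its own layer, learning nothing beyond the previous and next hop. The stream cipher (an HMAC-SHA256 keystream) and the fixed-width routing label are simplifications chosen so the example runs with the standard library alone; real Tor uses AES-CTR with keys negotiated per hop and a cell format with its own framing.

```python
import hashlib
import hmac
import os

LABEL_LEN = 32   # fixed-width "forward to" field at the front of every layer
NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks. A toy stream
    cipher standing in for Tor's AES-CTR; not for use outside this demo."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)          # fresh nonce so a key is never reused on the same stream
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def _pad_label(name: str) -> bytes:
    raw = name.encode()
    if len(raw) > LABEL_LEN:
        raise ValueError("label too long")
    return raw.ljust(LABEL_LEN, b"\0")


def build_onion(keys, path, destination, payload):
    """Client side. Wrap from the inside out so relay path[i] finds only
    path[i+1] in its layer; the exit finds the destination and the payload."""
    next_hops = path[1:] + [destination]
    blob = payload
    for relay, next_hop in reversed(list(zip(path, next_hops))):
        blob = encrypt_layer(keys[relay], _pad_label(next_hop) + blob)
    return blob


def peel(key, blob):
    """Relay side: strip one layer and return (next_hop, inner_blob)."""
    plain = decrypt_layer(key, blob)
    return plain[:LABEL_LEN].rstrip(b"\0").decode(), plain[LABEL_LEN:]


def run_circuit(keys, client, path, onion):
    """Simulate forwarding. Returns what each relay saw (itself, previous hop,
    next hop) and what the exit finally delivered to the destination."""
    seen = []
    prev, blob = client, onion
    for relay in path:
        next_hop, blob = peel(keys[relay], blob)
        seen.append((relay, prev, next_hop))
        prev = relay
    return seen, (next_hop, blob)


def demo():
    path = ["guard", "middle", "exit"]
    keys = {name: hashlib.sha256(name.encode()).digest() for name in path}  # demo keys only
    onion = build_onion(keys, path, "example.test", b"GET / HTTP/1.1")
    seen, delivered = run_circuit(keys, "client", path, onion)
    # The guard can peel its own layer, but the request is still ciphertext to it.
    _, after_guard = peel(keys["guard"], onion)
    return seen, delivered, b"GET /" not in after_guard
```

Note what `run_circuit` records: the guard sees the client's address and the middle relay, the exit sees the middle relay and the destination, and no single relay sees both ends. That split, not the encryption alone, is what defeats the man-in-the-middle described above; it also explains why the exit relay can read unencrypted payloads, since the last layer comes off there.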

    How can it be used maliciously?

Malware can use Tor just as easily as anyone else can. In the second half of 2013, we saw more malware making use of it to hide its network traffic. In September, we blogged about the Mevade malware, which downloaded a Tor component for backup command-and-control (C&C) communication. In October 2013, Dutch police arrested four persons behind the TorRAT malware, a family that also used Tor for its C&C communication. TorRAT targeted the bank accounts of Dutch users, and the investigation was difficult because of the use of underground crypting services to evade detection and the use of cryptocurrencies (like Bitcoin).

In the last weeks of 2013, we saw some ransomware variants calling themselves Cryptorbit that explicitly asked the victim to use the Tor Browser (a browser bundle pre-configured for Tor) when paying the ransom. (The name may have been inspired by the notorious CryptoLocker malware, which behaves similarly.)

    Figure 1. Warning from Tor-using ransomware

Earlier this month, we discussed several ZBOT samples that, in addition to using Tor for their C&C connection, also embed a 64-bit version of the malware “inside” the normal 32-bit version.

    Figure 2. Running 64-bit ZBOT malware

This 64-bit variant runs perfectly in a 64-bit environment and is injected into the running svchost.exe process, as is typical for injected malware.

    This increase in Tor-using malware means that network administrators may want to consider additional steps to be aware of Tor, how to spot its usage, and (if necessary) prevent its use. Illegitimate usage of Tor could result in various problems, ranging from circumvented IT policies to exfiltrated confidential information.

    We will discuss these potential steps in a succeeding blog post.

    Posted in Malware | Comments Off on Defending Against Tor-Using Malware, Part 1

    File infectors and ZBOT don’t usually go together, but we recently saw a case where these two kinds of threats did.

    This particular file infector – PE_PATNOTE.A (MD5 871246d00caffdbed56b1374975c368e) – appends its code to all executable files on the infected system, like so:

    Figure 1. Before infection

    Figure 2. After infection

    What does this code do? It drops and executes the embedded ZBOT variant, TSPY_ZBOT.PNR (MD5 5c492c6300fd9def233bfaa56fb6b0f2), as well as infecting other executable files. TSPY_ZBOT.PNR is dropped as %User Temp%\notepat.exe.

    As we mentioned earlier, PE_PATNOTE.A spreads by adding its code to all executable files on the system. This includes removable and network drives, not just fixed drives on the system. This may allow it to spread across multiple systems, making cleanup and removal much more difficult.
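As an added example, not Trend Micro's detection logic for this family, the Python below parses PE headers by hand and applies three heuristics that tend to catch code grafted onto an existing executable: an entry point relocated into the last section, a last section that is both writable and executable, and data trailing the last section (an overlay). The sample file is a constructed minimal PE32 layout built in `build_sample_pe`, not PE_PATNOTE.A's actual on-disk format, so the example runs offline.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_layout(data: bytes) -> dict:
    """Parse the headers of a PE32/PE32+ file far enough to know where each
    section's raw data lies, which section holds the entry point, and how
    many bytes trail the last section (the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, (12 bytes), SizeOfOptionalHeader, Characteristics
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw": rawptr, "rawsize": rawsize, "flags": flags})
        off += 40
    end = max((s["raw"] + s["rawsize"] for s in sections), default=0)
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {"entry_rva": entry_rva, "entry_section": entry_section, "sections": sections,
            "end_of_sections": end, "overlay_size": max(len(data) - end, 0)}


def appended_code_indicators(data: bytes) -> list:
    """Heuristics for code that was grafted onto an existing executable."""
    lay = pe_layout(data)
    secs = lay["sections"]
    if not secs:
        return ["no sections"]
    last = secs[-1]
    reasons = []
    if len(secs) > 1 and lay["entry_section"] == last["name"]:
        reasons.append("entry point in last section")
    if last["flags"] & IMAGE_SCN_MEM_WRITE and last["flags"] & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("last section is writable and executable")
    if lay["overlay_size"]:
        reasons.append(f"{lay['overlay_size']} bytes of overlay after the last section")
    return reasons


def build_sample_pe(infected: bool) -> bytes:
    """Construct a minimal PE32 image (headers plus NOP-filled sections, not a
    runnable program). The 'infected' layout is a constructed stand-in for the
    behaviour described above: a new executable section that now owns the
    entry point, plus a trailing blob after the last section."""
    sections = [(b".text", 0x1000, 0x100, 0x200, 0x200, 0x60000020)]   # code | execute | read
    entry = 0x1000
    if infected:
        sections.append((b".xtra", 0x2000, 0x200, 0x200, 0x400, 0xE0000020))  # + write
        entry = 0x2000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry) + b"\0" * (224 - 20)
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    for name, va, vsize, rawsize, rawptr, flags in sections:
        image += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    image = image.ljust(0x200, b"\0")
    for _, _, _, rawsize, rawptr, _ in sections:
        image = image.ljust(rawptr, b"\0") + b"\x90" * rawsize
    if infected:
        image += b"\xCC" * 128   # constructed overlay standing in for an embedded payload
    return bytes(image)
```

Treat hits as triage signals rather than verdicts: installers, packed binaries and Authenticode-signed files routinely carry overlays, and some packers also leave the entry point in a writable last section. The combination of all three, on a file that used to be a plain system or application executable, is what makes a case like this one stand out.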

In addition to its rather unusual behavior, this malware also uses some of the anti-analysis techniques that we started seeing earlier this year. These thwart some common analysis tools like OllyDbg, ProcDump, StudPE, and WinHex, and may be an indicator that we will see greater use of such techniques moving forward.

    Figure 3. Embedded ZBOT variant

    This isn’t the first time we’ve seen file infectors used to spread ZBOT. In late 2010, we found that ZBOT was being spread by the LICAT file infector. However, there were some differences between then and now. Then, ZBOT was being downloaded onto the system; today the ZBOT code is dropped directly onto the affected system. This makes it more likely that infection can take place even in networks with restricted Internet access.

    We detect both the file infector (PE_PATNOTE.A) and the ZBOT variant (TSPY_ZBOT.PNR) through the Trend Micro Smart Protection Network.

    Posted in Malware | Comments Off on File Infectors and ZBOT Team Up, Again

    Fake Flash player scams have been around for a long time, but remarkably they still haven’t gone away. Now, they’re targeting users in Turkey.

A recent attack that we found starts with a video link sent (in Turkish) to users via Facebook’s messaging system. This “video” prompts users to install a Flash Player update; what is actually installed is a browser extension that blocks access to various antivirus sites. The extension also sends a link to the “video” to the victim’s Facebook friends via the messaging system, restarting the cycle.

    This targeting appears to have worked: based on feedback from the Smart Protection Network, 93% of those who accessed pages related to this attack were from Turkey.

The browser extension pushed to users is in the format used by Chromium-based browsers like Google Chrome; it does not work in other browsers such as Internet Explorer and Mozilla Firefox. It also blocks access to the browser’s extension settings page, so that the user cannot remove or disable it.

    As we noted earlier, this threat is cyclical. The fake update, detected as TROJ_BLOCKER.J, installs the extension (detected as JS_BLOCKER.J) that blocks the antivirus websites. JS_BLOCKER.J then downloads a malicious script which is used to send the Facebook messages with the link to the video. This script is detected as HTML_BLOCKER.K.
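An added example (not the blocker's own code, and not Trend Micro's detection signature): a triage script for an unpacked Chrome extension that checks for exactly the capabilities described above, namely the permission to cancel requests, a block-list naming security-vendor hosts, and code that watches the chrome://extensions settings page. The manifest and background script are constructed to resemble a Manifest V2 extension of that era; the vendor domain list is a short illustrative set, not a complete one.

```python
import json
import re

# Short illustrative list; a real deployment would carry the full set of
# vendor and update hosts the organisation depends on.
AV_VENDOR_DOMAINS = {"trendmicro.com", "symantec.com", "mcafee.com", "kaspersky.com",
                     "avast.com", "avg.com", "eset.com", "bitdefender.com"}

# Constructed manifest and background script shaped like a Manifest V2 extension
# (the format Chrome used in 2014). Not JS_BLOCKER.J's real code.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Flash Player Update",
    "version": "1.0",
    "permissions": ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
    "background": {"scripts": ["background.js"]},
})
SAMPLE_BACKGROUND_JS = r'''
var blocked = ["*://*.trendmicro.com/*", "*://*.kaspersky.com/*", "*://*.avast.com/*"];
chrome.webRequest.onBeforeRequest.addListener(
  function (d) { return {cancel: true}; },
  {urls: blocked}, ["blocking"]);
chrome.tabs.onUpdated.addListener(function (id, info, tab) {
  if (tab.url && tab.url.indexOf("chrome://extensions") == 0) chrome.tabs.remove(id);
});
'''

_HOST_RE = re.compile(r"(?:\*\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def triage_extension(manifest_text: str, scripts) -> list:
    """Return human-readable findings for one unpacked extension."""
    manifest = json.loads(manifest_text)
    perms = set(manifest.get("permissions", []))
    findings = []
    if {"webRequest", "webRequestBlocking"} <= perms:
        findings.append("can cancel network requests (webRequest + webRequestBlocking)")
    if "<all_urls>" in perms or any(p.startswith("*://*/") for p in perms):
        findings.append("host permission covers every site")
    vendor_hits = set()
    for js in scripts:
        for match in _HOST_RE.findall(js):
            host = match.lower().lstrip("*.")
            if any(host == v or host.endswith("." + v) for v in AV_VENDOR_DOMAINS):
                vendor_hits.add(host)
        if "onBeforeRequest" in js and re.search(r'\[\s*["\']blocking["\']', js):
            findings.append("registers a blocking onBeforeRequest listener")
        if "chrome://extensions" in js:
            findings.append("watches chrome://extensions (the settings page)")
    if vendor_hits:
        findings.append("references security-vendor hosts: " + ", ".join(sorted(vendor_hits)))
    return list(dict.fromkeys(findings))   # de-duplicate, keep order
```

On a live machine the inputs come from the user's profile (`Extensions/<id>/<version>/manifest.json` and the scripts it lists); an ad-blocker will legitimately trip the first two checks, so it is the vendor block-list together with the settings-page watcher that separates this kind of blocker from benign request-cancelling extensions.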

    In addition to Facebook messages, Twitter accounts “promoting” this page were also spotted:

Turkey is one of the world’s most active Facebook-using countries, with 19 million daily active users and 33 million monthly active users. Note that this attack’s behavior, blocking antivirus sites, causes no direct damage by itself, but it leaves affected users vulnerable to future attacks.

    Facebook is working diligently to prevent users from encountering these types of attacks. We protect users by detecting and blocking the files and sites related to this attack. Users can also protect themselves further through these simple tips:

    • Don’t click or access any strange and unfamiliar URLs that pop up on your wall, profile, or from a private message.
    • If you’re asked to update any software, go to the software vendor’s site directly, and not through any other supplied link.
    • Get a security solution that automatically blocks malicious downloads and fraudulent websites.

    With analysis from Anthony Melgarejo and Paul Tiu

    Posted in Bad Sites, Malware, Social, Spam | Comments Off on Fake Adobe Flash Update Aimed At Turkish Users


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice