These worms used the famous social networking site Facebook in their propagation routines. While executing on an affected user’s system, these worms search for cookies related to Facebook. Once a match is found, the worms access the user’s Facebook profile using the credentials contained in the cookie files. The worms then modify the user’s Facebook profile to include a link pointing to the malware, in order to infect more systems.
The attack puts at risk the great number of Facebook users, which the social networking site claims has grown to over one hundred million.
As its name implies, TROJ_FAKEAV.CX poses as an antivirus product. Like other malware of this type, it could be downloaded from malicious links contained in spammed email messages. TROJ_FAKEAV.CX displays several messages alerting the user about malware threats. To further convince users, it drops another Trojan on the system detected by Trend Micro as TROJ_RENOS.ACG. The dropped Trojan has visual payloads that readily alert users to the presence of malware on the system.
Furthermore, the payload of this type of attack goes beyond the damage to the affected system; it also causes unnecessary panic and wasted time for users.
TROJ_CHEPVIL.RAR arrives as an attachment in spammed email messages that promise the user a chance to view a video of actress Angelina Jolie. Of course, the video supposedly contained in the attachment is the Trojan itself. In order to bypass email filters, the attachment comes as a password-protected .RAR file, a tactic used by email-borne worms in the outbreak era years ago. When executed, the Trojan leads to the download of TROJ_RENOS.ADX and TROJ_AGENT.AVSZ.
The danger, however, does not end there, as both TROJ_RENOS.ADX and TROJ_AGENT.AVSZ cause more trouble of their own. TROJ_RENOS.ADX drops JOKE_BLUESCREEN and TROJ_FAKEALER.HO. JOKE_BLUESCREEN sets a bluescreen as the system’s screensaver, which may alarm the user into thinking that a critical error has occurred. TROJ_FAKEALER.HO isn’t much different, displaying warnings on the affected system and then prompting the installation of a rogue antivirus program. TROJ_AGENT.AVSZ, on the other hand, disables the firewall of the affected system, leaving it vulnerable to more attacks.
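The password-protected archive trick works because a scanner that cannot open the archive cannot inspect its contents, so a mail gateway should treat "encrypted archive" itself as the signal. The following scanner is an added example, not code from the report or from Trend Micro; it walks the RAR 4.x block headers (per the public RAR 4 technote: a 7-byte common header of CRC, type, flags and size, with the file-encryption and encrypted-headers flag bits) and reports whether any entry is password-protected without needing the password. The sample archives, filenames and policy verdicts are constructed for the demonstration, with block CRCs zeroed because the scanner does not verify them; RAR5 archives use a different layout and are only recognised, not parsed.

```python
"""Flag password-protected RAR 4.x attachments at a mail gateway (defensive example)."""
import struct

RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"

# RAR 4.x block types and flag bits (from the public RAR 4 technote)
BLOCK_ARCHIVE = 0x73
BLOCK_FILE = 0x74
MHD_PASSWORD = 0x0080   # archive header: the block headers themselves are encrypted
LHD_PASSWORD = 0x0004   # file header: this entry's data is encrypted
LONG_BLOCK = 0x8000     # block carries a 4-byte ADD_SIZE field after the common header


def rar4_is_encrypted(blob: bytes):
    """True if any entry in a RAR 4.x archive is password-protected, False if the
    archive is plain, None if the data is not a RAR 4.x archive (RAR5 included)."""
    if blob.startswith(RAR5_SIGNATURE) or not blob.startswith(RAR4_SIGNATURE):
        return None
    pos = len(RAR4_SIGNATURE)
    while pos + 7 <= len(blob):
        # common block header: CRC(2) TYPE(1) FLAGS(2) SIZE(2), little-endian
        _crc, btype, flags, size = struct.unpack_from("<HBHH", blob, pos)
        if size < 7:
            break  # malformed header: stop rather than loop forever
        if btype == BLOCK_ARCHIVE and flags & MHD_PASSWORD:
            return True  # headers encrypted: nothing after this is inspectable
        if btype == BLOCK_FILE and flags & LHD_PASSWORD:
            return True
        # file headers always carry PACK_SIZE(4) right after the common header;
        # other block types carry ADD_SIZE(4) only when LONG_BLOCK is set
        data_size = 0
        if (btype == BLOCK_FILE or flags & LONG_BLOCK) and pos + 11 <= len(blob):
            data_size = struct.unpack_from("<I", blob, pos + 7)[0]
        pos += size + data_size
    return False


def classify_attachment(blob: bytes) -> str:
    """Gateway policy (assumed, not from the report): encrypted archives are
    quarantined, plain archives go to the content scanner, anything else is 'unknown'."""
    verdict = rar4_is_encrypted(blob)
    if verdict is True:
        return "quarantine"
    if verdict is False:
        return "scan"
    return "unknown"


def build_rar4(entries):
    """Construct a minimal RAR 4.x archive for testing; CRCs are zero.
    entries: list of (filename, data, encrypted) tuples."""
    out = bytearray(RAR4_SIGNATURE)
    # archive header: common 7 bytes + RESERVED1(2) + RESERVED2(4) = 13 bytes
    out += struct.pack("<HBHH", 0, BLOCK_ARCHIVE, 0, 13) + b"\x00" * 6
    for name, data, encrypted in entries:
        name_b = name.encode()
        flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
        head_size = 32 + len(name_b)  # 7 common + 25 fixed file fields + name
        out += struct.pack("<HBHH", 0, BLOCK_FILE, flags, head_size)
        # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR
        out += struct.pack("<IIBIIBBHI", len(data), len(data), 0, 0, 0,
                           29, 0x30, len(name_b), 0x20)
        out += name_b + data
    return bytes(out)


# Constructed samples: a plain archive and one whose "video" is encrypted
PLAIN_RAR = build_rar4([("video.avi.exe", b"MZ\x90\x00", False)])
ENCRYPTED_RAR = build_rar4([("video.avi.exe", b"\x8f\x12\x7a\x01", True)])

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_RAR), ("encrypted", ENCRYPTED_RAR)):
        print(label, classify_attachment(blob))
```

The scanner never needs the password: the flag bits live in the unencrypted block headers, which is exactly why a gateway can still make a decision on an archive it cannot open. An archive whose headers are themselves encrypted (MHD_PASSWORD) is treated the same way, since nothing past the archive header can be inspected.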
This is another variant of the Storm malware. Similar to its brethren, it is installed on systems when users visit malicious Web sites. The URLs of these Web sites are included in spammed email messages. The spammed messages pose as eCards, a disguise Storm is known to have used before. Recycling of techniques isn’t surprising from the Storm gang, as it has repeatedly shifted its techniques to distribute malware to unknowing users.
In mid-August, we discovered a massive SEO poisoning that involved a large number of compromised Web sites. Entering specific search strings such as “changes on the river amazon” or “changes made for mount Pinatubo” in Google led users to one of the compromised sites, which, when accessed, redirected users to another URL that downloads a malicious program onto the system.
Upon installation, the system displays alarming prompts stating a supposed malware infection. The user, who will probably panic at this point, is then told to download an antivirus program to help clean up the system. This solution, however, only makes things worse; the file that poses as an antivirus program is nothing more than malware itself, detected as TROJ_FAKEAV.DM and TROJ_FRAUDLOA.WM.
Further investigation revealed that the hackers responsible for this incident have almost 1 million search phrases at their disposal for SEO poisoning.