Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Ardin Maglalang (Anti-Spam Research Engineer)

    While we encounter a wide variety of threats on a regular basis, sometimes we come across those that are truly unusual. This is one of them: it appears to be a PHP backdoor delivered via spammed emails.

    At first glance, this threat appears to be a fairly typical malicious spam email: it pretends to be a notification from Visa that the user’s card has been suspended.

    Figure 1. Fake email notification

    The body of the email itself appears to be blank. Neither a malicious attachment nor a link to a website can be found here. So what is the threat here?

    Figure 2. Embedded PHP code

    The body of the email is actually not blank; instead it contains PHP code. This particular code is actually a well-known website backdoor known as c99madshell, which we detect as PHP_C99SHEL.SMC. C99madshell has been around since at least 2008. It allows an attacker who has compromised a website via FTP to control the said website using an easy-to-use control panel accessible with any browser, as can be seen below running on a test machine:

    Figure 3. c99madshell control panel

    It should be clear right away that something is very off-base here. The control panel is meant to be accessed by the attacker, not the victim. It would make no sense for the victim to see a backdoor to their own server’s control panel!

    That assumes, of course, that the backdoor would even run. It is theoretically possible, but in practice it is very difficult. Anyone reading the email on a non-webmail client – such a desktop email client, or a mobile app – would merely see the blank page. Even then, the webmail client would have to be configured to allow arbitrary embedded PHP code to run in the first place, which is extraordinarily dangerous. Finally, the attacker would then be unable to view the page unless he got access to the email inboxes somehow.

    There are several possibilities as to how this happened. One possible attack scenario is that the attacker was going after a webmail provider or email list archive; however in such a case the attacker would not need to send spam messages with this content. In addition, this would require a server set up so insecurely, it would be insane.

    Other possibilities involve mistakes on the part of the attacker: he could have made a mistake in inserting the contents of the email, or it could be an attacker with faulty knowledge of PHP. However, without getting into the mind of the attacker, we cannot be sure.

    Both the email and file components of this attack are detected and blocked by the appropriate Trend Micro solutions.

    Posted in Malware, Spam | Comments Off on (Failed) PHP Backdoor Via Spam

    WikiLeaks’ publication of various leaked confidential U.S. documents has created a global stir and brought several security and political issues into the spotlight. The topic has become a global concern, garnering everyone’s attention, including the security industry and cybercriminals alike. And, as history has taught us, cybercriminals are not too far behind with their attacks every time something hot comes up.

    We found a couple of spam runs leveraging WikiLeaks. The first one bore “IRAN Nuclear BOMB!” as subject and contained the URL http://wikileaks1.{BLOCKED}, which connected to http://ugo.{BLOCKED} to download a malicious file detected as WORM_AUTORUN.FJK.

    Click for larger view

    The other slew of spammed messages appeared to have come from Twitter. It sported the subject “WikiLeaks on Twitter!” and a link that seems direct to the WikiLeaks Twitter profile at In reality, however, it connected to http://{BLOCKED}, a site that sells pharmaceutical products. Read the rest of this entry »


    TrendLabs received a recent spammed message that uses fake news about the death of Hollywood celebrities and famous athletes.

    The spam came in two varieties—one has a .ZIP file attachment that contains the malicious file news.exe that is detected as TROJ_DLDER.AU. TROJ_DLDER.AU connects to a certain URL to, in turn, download TROJ_BREDOLAB.XY.

    The other comes with an .HTML file attachment detected as JS_REDIR.BB. It leads to a couple of URL redirects which ultimately lead to the download of the malicious file HTML_REDIR.BA. HTML_REDIR.BA connects to another URL, possibly to download another malware though the said URL is now inaccessible.

    Click for larger view Click for larger view

    Curiously, the description of the incident that supposedly killed these celebrities is based on a real incident–the 1996 death of U.S. Commerce Secretary Ronald Brown. All of the details cited in the email were identical to the crash that killed Brown. Using the details from a real-life incident may have been an attempt to make the spammed messages more convincing to readers.

    Most people have a natural tendency to gravitate toward every bit of news and controversy surrounding celebrities, especially if the news has to do with their death. This has made celebrity deaths one of the most consistently used social engineering ploys for malware attacks. The attacks that use this kind of news range from spam with malware attachments to blackhat SEO attacks. Here are just some of the celebrities and popular figures that have been used for this social engineering tactic:

    Heath Ledger

    No sooner had the world learned of the untimely death of Heath Ledger than cybercriminals started using the late actor’s name as a social engineering ploy. Within hours of reports, malicious URLs immediately turned up when users key in the search terms “heath” and “ledger.”

    Farrah Fawcett

    Cybercriminals peppered the Internet with blackhat SEO links that were likely to attract users who were searching for news about the death of “Charlie’s Angels” star Farrah Fawcett, who at age 62, lost her battle with cancer.

    Michael Jackson

    Being one of the most popular music artists of all time, the King of Pop’s last moments in the hospital prior to his death, led to the proliferation of malicious links in the wild via the instant-messaging (IM) application MSN.


    Spammed messages recently went around claiming that rapper Eminem died in a car crash. The spammed messages tried to trick users by claiming to come from legitimate news sources.

    Other attacks seen in the past include those surrounding the deaths of Corey Haim, Brittany Murphy, and former Philippine President Corazon Aquino.

    Trend Micro™ Smart Protection Network™ protects users from these threats by blocking the related spammed messages and malicious sites as well as by detecting the related malicious files.

    Update as of August 26, 2010, 3:25 p.m. (UTC)

    Upon further investigation, we’ve found that HTML_REDIR.BA connects to two URLs by using an IFRAME and a meta refresh tag. When using an IFRAME, the browser is not redirected to the website. Instead, it connects to the site and displays the site’s contents in the specified frame. When using a meta refresh tag, however, the entire browser is redirected to the site. The site, which the meta refresh tag redirects to, is the final landing page.

    Posted in Malware, Spam | 1 TrackBack »


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice