TrendLabs Malware Blog - Trend Micro
    Author Archive - Det Caraig (Technical Communications)

    2011 was rife with both challenges and wins not only for Trend Micro but also for the rest of the security industry and our fellow cybercrimefighters in law enforcement. True to one of our predictions, 2011 has been dubbed the “Year of Data Breaches,” as we witnessed organizations worldwide succumb to targeted breach attacks and lose what we have come to know as the new digital currency—data.

    As we prepare for the year ahead, let us take a look at some of the Trend Micro 2011 predictions that came true and how we contributed to the security industry’s wins against the continuing war against cybercrime.


    What we foresaw… / What came to pass…

    Prediction: We will see more targeted attacks and cyber espionage.
    Outcome: As we predicted, several organizations the world over succumbed to targeted attacks that cost them dearly. RSA and Sony PlayStation—two of the biggest APT targets in 2011—lost millions of customer records and had to spend huge sums of money just to fix the damage done.

    Prediction: We will see more mobile device attacks.
    Outcome: The huge growth in Android malware volume spurred the maturity of the mobile threat landscape. Led by RuFraud and DroidDreamLight variants—two of the most prominent families in 2011—Trojanized and other kinds of malicious Android apps littered not only third-party app stores but the Android Market as well.

    Prediction: We will see more clever malware campaigning.
    Outcome: Cybercriminals more earnestly spammed and scammed social networkers worldwide with even more attention-grabbing social engineering lures and more innovative tools. Thousands of social media users fell prey to all sorts of scams that ultimately cost them their privacy and, at times, even their identities.

    Prediction: We will see the use of vulnerabilities and exploits evolve.
    Outcome: Despite the decline in the number of reported exploited vulnerabilities, cybercriminals continued to launch a slew of exploit attacks in 2011. Three of the most exploited vulnerabilities—CVE-2011-3402, CVE-2011-3544, and CVE-2011-3414—unsurprisingly targeted products of three of the top 5 vendor exploit targets: Microsoft, Oracle, and Adobe.

    Prediction: We will see old malware reinfections and consolidation in the cybercriminal underground.
    Outcome: Though now considered part of the threat landscape’s white noise, traditional threats continued to wreak havoc among users. All acting as means to an end—data, financial, and/or identity theft—traditional threats came armed with new and better tools and lures to infect unwitting users’ systems and other devices.



    Spammers have moved into new fields like social media (e.g., Facebook and Twitter). Social media spam runs are driven by the same motivation as mass-mailing attacks. Businesses that use social media can come across Web threats in the course of marketing and promotion, and social media spam may also cause system infections through employees who access social networking sites at work.

    Spam has come a long way since its first incarnation as plain text strings. Mitigating this nuisance translates to profit loss for most businesses: according to a recent study, spam cost European companies an estimated US$2.8 billion in lost productivity, while U.S.-based companies reported a loss of US$20 billion. Spam has rapidly become a major security threat—a catalyst for financial drain or for intellectual property theft—to organizations worldwide.



    The first half of 2011 was marred by a spate of data breaches, vulnerability exploit attacks, the proliferation of more and more Android malware, improved social networking scams, and notable developments in traditional system infections.

    As our security experts predicted, enterprises suffered from a slew of data breaches of never-before-seen magnitude. This spelled disaster not only for attack targets but for their clients and customers, too. At the rate cybercriminals are launching attacks—targeted or not—there’s just no telling how many more companies and users will succumb to the dangers these pose before the year ends.

    Making headlines several times in the short span of just three months, Trend Micro researchers proved how risky viewing Webmail accounts at work and downloading Trojanized apps are to users and businesses alike. Several attacks targeting these platforms put millions of users at risk of losing critical personal data or, worse, of opening their organizations’ back doors to cybercriminals.

    Six months rife with all sorts of security threats have passed and though we hope the latter half of the year won’t be as cybercrime heavy, we can’t really expect the bad guys to just take things lying down. If anything, the rapid shifts in the threat landscape and the never-ending flow of new technological developments may only inspire cybercriminals to create even more successful scams.

    To give you a more in-depth view of the ever-evolving threat landscape as the shifts occur and even more valuable insights direct from our security experts on what these mean for you, take a look at our comprehensive threat report, “2Q 2011 Threat Roundup.”


    Cybercriminals have been found riding on Brittany Murphy’s sudden death to scare people into buying FAKEAV. Searching for keywords like “brittany murphy’s death” on Google resulted in at least two suspicious URLs:

    • http://{BLOCKED}
    • http://{BLOCKED}

    The spike in searches on Murphy’s death has become the theme for the latest blackhat search engine optimization (SEO) attack, which pushed malicious sites to redirect users to scareware portals. These portals have been injected with a malicious script detected by Trend Micro as HTML_FAKEAV.WAF.

    Users who click poisoned search results will be alerted to supposed malware infections via a fake message prompt, followed by bogus scanning results and another message prompting them to download a FAKEAV to rid their system of the infection.


    HTML_FAKEAV.WAF also accesses URLs (detected by Trend Micro as JS_RENOS.WCF) to download more malware and TROJ_KRAP.DAM (a damaged FAKEAV installer).
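    The chain described above (poisoned search result, redirect to a scareware portal, fake scan page, executable download) leaves a recognizable trace in a Web proxy log, because each hop carries the previous page as its referer and the whole sequence completes within seconds. The following Python script is an added example, not Trend Micro’s code or tooling: it walks the referer chain backwards from every executable download and flags those that lead to a search-engine result click. The tab-separated log format, the domains and the sample lines are all constructed for the example.

```python
"""Flag executable downloads whose referer chain starts at a search-engine result click.

Added example; the proxy log format (tab-separated: timestamp, client, method,
url, status, referer, content-type) and all URLs are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Referers that identify a click on a Google, Bing or Yahoo result page.
SEARCH_RESULT_RE = re.compile(
    r"^https?://(www\.)?(google|bing|search\.yahoo)\.[a-z.]+/.*[?&](q|p)=", re.I)
# Response types that mean an executable was handed to the client.
EXE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
             "application/octet-stream"}
# How far back from the download the referer chain is followed.
WINDOW = timedelta(seconds=60)

# Constructed sample log: one poisoned-search session (10.0.0.5) and one
# unrelated direct download (10.0.0.7) that must not be flagged.
SAMPLE_LOG = """\
2009-12-21T10:00:01Z\t10.0.0.5\tGET\thttp://news.example/brittany-murphy\t200\thttp://www.google.com/search?q=brittany+murphy%27s+death\ttext/html
2009-12-21T10:00:02Z\t10.0.0.5\tGET\thttp://seo-bait.example/page.html\t302\thttp://www.google.com/search?q=brittany+murphy%27s+death\ttext/html
2009-12-21T10:00:03Z\t10.0.0.5\tGET\thttp://scan-portal.example/scan.php\t200\thttp://seo-bait.example/page.html\ttext/html
2009-12-21T10:00:09Z\t10.0.0.5\tGET\thttp://scan-portal.example/setup.exe\t200\thttp://scan-portal.example/scan.php\tapplication/x-msdownload
2009-12-21T10:05:00Z\t10.0.0.7\tGET\thttp://vendor.example/update.exe\t200\t-\tapplication/x-msdownload
"""


def parse_log(text):
    """Parse the constructed proxy format into a list of request dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, referer, ctype = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url,
            "status": int(status), "referer": referer,
            "ctype": ctype.split(";")[0].strip().lower(),
        })
    return events


def is_executable(ev):
    """True when the response body or URL indicates a Windows executable."""
    return ev["ctype"] in EXE_TYPES or ev["url"].lower().endswith(".exe")


def find_seo_download_chains(events):
    """Return downloads whose referer chain reaches a search result within WINDOW."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        by_url = defaultdict(list)
        for ev in evs:
            by_url[ev["url"]].append(ev)

        for dl in filter(is_executable, evs):
            chain = [dl["url"]]   # built download-first, reversed when reported
            cur, seen = dl, set()
            while cur["referer"] not in ("", "-") and cur["referer"] not in seen:
                ref = cur["referer"]
                seen.add(ref)
                if SEARCH_RESULT_RE.match(ref):
                    chain.append(ref)
                    hits.append({"client": client, "download": dl["url"],
                                 "chain": list(reversed(chain))})
                    break
                # Most recent request for the referer URL made before this hop
                # and no earlier than WINDOW before the download.
                earlier = [p for p in by_url.get(ref, [])
                           if dl["ts"] - WINDOW <= p["ts"] <= cur["ts"]]
                if not earlier:
                    break
                cur = earlier[-1]
                chain.append(cur["url"])
    return hits


if __name__ == "__main__":
    for hit in find_seo_download_chains(parse_log(SAMPLE_LOG)):
        print(hit["client"], " -> ".join(hit["chain"]))
```

    Run against the sample log, the script reports only the 10.0.0.5 session, with the chain from the Google result through the bait page and the fake scanner to setup.exe; the vendor update downloaded without a referer is ignored. Tightening WINDOW, or requiring at least one 30x hop in the chain, trades recall for fewer false positives on legitimate downloads reached from search results.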

    Users are thus advised to rely only on trusted news sites for reports on Murphy’s death to prevent system infection. By now, they should have learned that cybercriminals often use celebrity deaths to further their malicious causes as shown in earlier blog posts:

    Trend Micro product users are protected from this threat by the Smart Protection Network, which blocks user access to related malicious sites and prevents the download of the malicious scripts.


    Tricking users into downloading rogue AV is an age-old cybercriminal tactic that still works, which is why the number of rogue AV programs pushed to unwitting scam victims continues to rise to this day. In fact, the FBI just recently warned the public about the threat that rogue AV software poses, saying it has resulted in more than US$150 million in losses to victims.


    The earliest rogue AV ploys relied on scareware tactics that warned users of supposed infections. The shift toward a more profit-driven threat landscape, however, also prompted cybercriminals to employ more devious and cunning techniques. Today, they often use search engine optimization (SEO) techniques that infect users who merely visit certain sites, with the rogue AV mimicking the manner in which real-time antivirus products protect systems.

    Some rogue AV employ “ransomware” tactics. They encrypt files, taking them hostage so users cannot use them. To recover the files, a user has to download a paid version of the program, but just like its predecessors, this is all just a scam: the paid version merely undoes the problem that the program itself created in the first place, and only after the user has been forced to pay up.


    Cybercriminals use several social engineering techniques to spread rogue AV among computer users. Spammed messages containing URLs that lead to sites where rogue AV can be downloaded are very common. Some, however, are more imaginative, rigging search engine results with links to downloadable, seemingly legitimate antivirus applications.

    Another ingenious social engineering ploy to spread rogue AV involves the use of codecs. As several media files require codecs for playback, users who want to stream videos are often victimized by downloading rogue AV posing as video codecs. Celebrity deaths (e.g., Corazon Aquino) and tragic events (e.g., tropical storms) have also become unwitting participants in rogue AV scams.

    Social networking sites such as Twitter and Facebook have also become unwilling sources of rogue AV, thanks to the KOOBFACE botnet’s dedicated FAKEAV installer component.

    TrendLabs has observed that rogue AV authors, sellers, and resellers now employ enhanced social engineering tactics, taking advantage of trending topics in popular search engines. They have also been found to use GeoIP tracking. These attacks employ techniques similar to those of blackhat SEO campaigns, albeit in a more targeted way.

    Cybercriminals will really stop at nothing just to further their profiteering schemes. And though users have been warned time and again of staying away from links that come from unknown users—whether in emails or tweets—it seems curiosity will still get the better of them, allowing cybercriminals to continue infecting them with the great mass of available rogue AV on the Web.

    Fortunately, Trend Micro Smart Protection Network protects users against all these kinds of rogue AV and other similar malware threats.


