Traditional antivirus has always been every company’s first line of defense. They protect employees who still commit the usual mistakes that security experts tell everyone to avoid: opening malicious attachments, clicking unknown URLs, and visiting untrustworthy websites. In this context, these products may seem sufficient: they can identify bad files and known malware before they enter computers. Some may even think that free products represent a satisfactory solution for these threats.

Hoever, there are many threats today that use sophisticated tools and techniques to bypass these techniques. These techniques are used in order to aggressively pursue and compromise chosen targets to steal sensitive information.

Protecting your computer with antivirus software helps in blocking known malicious files, but what about lower-profile attacks that slip under the radar? These types of attacks may be attributed to “risky” employee behavior, some of which involve falling for social engineering tactics in the form of phishing scams and shortened or disguised URLs. Without more sophisticated and complete solutions that go beyond simple antivirus, users are at risk from these threats.

More complete products are able to deal with the sophisticated threats of today. For example, exploits can be minimized through the use of products with deep packet inspection (DPI) which block these threats at the network layer. Other tools block various threats at the browser/endpoint layer. To meet today’s complete threats, complete solutions are needed as well. Meeting these challenges is not free, but compared to the costs of a breach, they are minuscule.

Our primer for small and medium-sized businesses (SMBs) 5 Reasons Why Your Antivirus Software Is Not Enough” offers insights on the risks of solely relying on antivirus software. Our e-guide Why Free Antivirus Is Not Enough also details the security issues that computers face with free software.

Cybercriminals have once again used a not-so-new but still a seemingly promising medium for their malware campaigns. Earlier today, ZDNet reported a “new” exploit that targets Skype users. This exploit takes advantage of a vulnerability in a Skype component—EasyBits Extras Manager. While the vulnerability was found and fixed as early as October 2009, many users are still running older, vulnerable versions.

The vulnerability is being used to download malicious files, among them a ZBOT variant, TROJ_ZBOT.COC. As is typical of ZBOT variants, it steals a user’s personal information, particularly those related to online banking.

Good thing that Trend Micro already had coverage for these payloads many months before the cyber-criminals actually made use of this Skype vulnerability described above as a means to deploy these malicious codes!!

Over the years, Skype has been targeted and used as an infection vector by several malware families, including STRAT, KOOBFACE, and, more recently, PALEVO, due to its growing user base.

Skype currently hosts more than 500 million registered users and is still adding 300,000 users per day. Skype CEO John Silverman aims to have about 100 million PCs shipped preloaded with the popular VoIP software in 2011. This January, TeleGeography reported that Skype’s traffic growth has soared over last year while the international phone traffic declined, proving that more and more users are preferring Skype as a medium for international voice communications.

Unfortunately, Skype vulnerabilities have been found and exploited in the past:

• New Skype Vulnerabilities
• Skype Releases Security Bulletin to Address CrossZone Scripting Vulnerability
• SkypeFind Still Flawed!

This attack highlights how important it is to keep applications updated. Nowadays, many popular applications have auto-update capabilities. Users should use these to ensure that all their commonly used applications, particularly those that run whenever their systems start—are updated.

On a similar note, the popularity of Skype is also now being used in spam campaigns. Trend Micro engineers received the following spam message targeting Skype users:

As expected, the link in the message does not go to a legitimate Skype page although this site is currently down.

All threats discussed in this post are already covered by Trend Micro products.

Additional text by Jonathan Leopando, Merianne Polintan and Threat Research Manager Ivan Macalintal. Thanks Ivan for the heads-up!

Heads-up for users still running Windows XP: The unpatched Help Center flaw revealed last week is now out in the wild and being used to launch malware attacks against target users.

This new zero-day exploit takes advantage of the vulnerability that exists in the Microsoft Windows Help Center, a default Microsoft application that allows users to access online documentation for Windows. This vulnerability could allow remote code execution if a user views a malicious website.

Based on the analysis of TrendLabs^SM threat analyst Joseph Cepe, there are two ways in which a user can get infected as shown below.

The first method yields a prompt, which when clicked, redirects users to a compromised website that downloads a malicious JavaScript file. In this case, the compromised page is detected as TROJ_HCPEXP.A while the malicious script is detected as JS_HCPDL.A. This then downloads another file detected as TROJ_DROPPR.TEJ. This last malicious file drops multiple downloaders onto the affected system. In turn, these download a wide variety of malware onto affected systems (including, unsurprisingly, FAKEAV malware.)

The second method uses a more stealthy approach wherein the malware automatically performs the download without prompting the users to click anything. It instead runs Windows Media Player and automatically downloads a malicious Advanced Stream Redirector (.ASX) file, simple.asx. This .ASX file contains a link that references to another Web page. However, as of this writing, the URL that it redirects to is currently inaccessible.

The disclosure of this vulnerability has been controversial to say the least. Microsoft learned about the flaw on June 5 from its discoverer, Tavis Ormandy. Ormandy released the full details to the public on the Exploits Database site five days later. Microsoft was not particularly happy with Ormandy, as its blog post confirming the vulnerability makes clear. Despite the fact that Ormandy works for Google, it should be noted that he was doing this as a personal project and not as a Google employee.

However one feels about Ormandy’s disclosure, the fact is that the vulnerability is out in the wild for cybercriminals to exploit and causing damage.

Microsoft updated its advisory earlier today saying that it is aware of the “limited, targeted active attacks that use the exploit” and is actively monitoring the situation. Microsoft also added via its Security Response team’s Twitter account that Server 2003 users are currently not at risk based on the seen attacks. (It would be a mistake, however, for Server 2003 users to think that will always be the case.) It is not clear if an out-of-bound patch is forthcoming although that is something that cannot be ruled out.

Until a patch does arrive, however, users are left to apply workarounds for the issue. “The best workaround is to unregister the hcp:// protocol handler. Doing so will prevent the chain of events that leads to the code execution,” Cepe advises. Microsoft has provided an online tool to help users do this.

Additional text by Jonathan Leopando. Thanks to Ivan Macalintal for giving the heads-up on the exploit.

With the underground economy still thriving, cybercriminals will surely use any method such as Canadian pharma spam runs to facilitate their information theft operations.

Canadian pharmacy sites are known to be used by scammers to sell a wide range of fake medicines usually for impotence and other serious medical conditions at much lower prices compared with regular pharmacies. These sites employ various techniques to fool users into believing that their sites are legitimate and secure. For instance, when you purchase from their site, they claim to take your credit card information on a secure connection. However, this is not exactly the case.

For cybercriminals, this is another opportunity to profit and steal personal information from users. This is why pharma site scams have also been associated with big malware campaigns, including the infamous Storm worm a couple of years back.

At present, there is still a very high demand for user information in the underground economy because of the amount of money that cybercriminals can make from it. Trend Micro advanced threats researcher Joey Costoya has been monitoring underground activities and reports that email addresses can range from US$7–30 per bulk, depending on the mail servers used. Another report shows a much higher rate than that.

Recently, cybercriminals have once again been seen targeting customers of antivirus firms by using the name and reputation of antivirus companies in their social engineering ploys. We received reports of a spoofed Trend Micro notification that redirected users to a Canadian pharmacy website. As in previous spam runs, cybercriminals sent spammed messages to target recipients, claiming to be from a legitimate source. In this case, these claimed to be from an administrator of Trend Micro.

The email messages notified recipients that their accounts have been hacked and were thus temporarily inaccessible. These then advised users to open the .HTML file that came attached to the email for instructions on how to enable their accounts. Opening the attachment, of course, redirected users to a Canadian pharmacy website.

Trend Micro detects the file attachment as JS_REDIR.VIAG. Through email and Web reputation services, Trend Micro™ Smart Protection Network™ protects users from this threat by blocking the spammed messages along with user access to the spam sites. Smart Protection Network also detects and deletes files detected as JS_REDIR.VIAG via the file reputation service.

This is not the first time that Trend Micro has been used in Web attacks. In fact, in 2007, a fake Trend Micro website was used to phish sensitive information from customers. Customers and users alike are thus advised to be very wary of email notifications and to ensure the authenticity of the emails they receive and the websites they visit before giving out any information. Note that Trend Micro does not send unsolicited emails to its customers, especially ones that redirect users to suspicious-looking sites.

As cybercriminals continue performing attacks like these, they increase their chances of successfully stealing information by sending such an email to people they know who are from Trend Micro. Such is the nature of threats today—they are getting more personal and thus more “real.”

Special thanks to Anti-Spam Research Engineer Mary Aquino for initially reporting this incident.

Update as of June 14, 2010, 12:30 a.m. (UTC -8:00)

This particular campaign is not limited to fake notifications. The ongoing “World Cup” is being used as well.

What do the “FIFA World Cup” and Gaza attack have in common? They are both currently being used as social engineering ploys by a couple of malware campaigns seen on Twitter. TrendLabs^SM senior threat researcher Ivan Macalintal spotted several malicious programs being distributed via the popular microblogging site. These malware campaigns take advantage of noteworthy events to lure users into clicking malicious links in Tweets.

The first malware run makes use of the upcoming “FIFA World Cup” (set to see record levels of global interactivity according to CNN) by sending the following Tweet:

Clicking the link leads users to download a copy of a backdoor detected as BKDR_BIFROSE.SMK, which connects to IP addresses that allow a remote user to perform malicious activities on affected systems. These activities include sending and receiving files, keylogging, and retrieving user names and passwords. It also has rootkit capabilities, which enable it to hide its processes and files from its victims.

The second campaign, on the other hand, sends out the following Tweet related to the Gaza attacks:

This time, the malware that is downloaded from the link is BKDR_BIFROSE.PAB, which opens a hidden Internet Explorer (IE) window and opens TCP port 788 to listen for commands from a remote malicious user who may initiate a denial-of-service (DoS) attack to target systems using specific flooding methods.

Trend Micro™ Smart Protection Network™ protects users from these threats by detecting and deleting BKDR_BIFROSE.SMK and BKDR_BIFROSE.PAB via the file reputation service. Users must also be wary of and double-check shortened links in microblogging site updates.

The “FIFA World Cup” is an incredibly popular global event that has already moved opportunistic cybercriminals into action as seen in the following previous posts:

• Latest Online Scam Targets FIFA Fans
• 2010 FIFA World Cup Spam Strikes Again
• Scammers Attempt to Score Through the FIFA World Cup

The past couple of months proved to be no safer for microblogging (i.e., Twitter) users either as seen in:

• Your Tweet Is My Command
• Search for News on Moscow Subway Explosions Result in FAKEAV
• Diet Twitter Spam (on the) Run