Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Carolyn Guevarra (Technical Communications)

    TrendLabsSM engineers Alvin Bacani and Jayson Pryde recently analyzed a new spyware (detected by Trend Micro as OSX_OPINIONSPY.A) that came bundled with screensavers, according to Intego, in sites that host free applications and software updates like MacUpdate, Softpedia, and VersionTracker.

    Interestingly, the same spyware was also found in the Apple Downloads site. Users browsing the legitimate site might have been exposed to this threat unknowingly. However, Apple’s swift takedown minimized the exposure time and prevented the continued spread of the said spyware.

    The said screensavers were found to be nonmalicious but did download information-stealing spyware, which robbed users of their email addresses, iChat message headers and URLs, as well as other personal data like user names, passwords, credit card numbers, and Web browser bookmarks and histories. Once installed, the spyware connects to a certain site to send the data (e.g., campaign ID, OS version, OS type) it gathers from affected systems.

    What makes OSX_OPINIONSPY.A more interesting, however, is its monitoring routine. It connects to a URL to download an upgraded copy of itself—another spyware that sniffs for instant-messaging (IM) application (i.e., AIM, GoogleTalk, MSN Messenger, and Yahoo! Messenger) as well as Real-Time Messaging Protocol (RTMP) data packets. This allows cybercriminals to acquire user names and passwords from both IM and RTMP streams. Sniffing packets off of these applications may also include information sent and received during conversations.

    Click for larger view

    Based on our analysis, the spyware does not only target Macs but also affects Windows-based systems (detected as SPYW_RELEKNOW). The threat may also come in the form of another application and not just a screensaver. Threat Research Manager, Ivan Macalintal, describes the code used in this attack as “very persistent and sneaky,” as it is possible for the spyware infection to go unnoticed. “This is just another example that debunks the legend that MAC is secure and is malware-free. We will see more and more of cyber-criminals attacking the MAC platform as more and more people are converting from Windows to MAC, ” Macalintal further adds.

    TrendLabs has reported several other instances when Mac malware were distributed in the same manner—posing as legitimate applications in the following entries:

    Users, regardless of OS, can stay protected from this threat via the Trend Micro™ Smart Protection Network™. Trend Micro products prevent access to sites where the malicious files are hosted via the Web reputation service. They also prevent the download and execution of the malicious files—OSX_OPINIONSPY.A and SPYW_RELEKNOW—on user systems via the file reputation service.

    Update as of June 6, 2010, 9:16 p.m. (GMT -8:00)

    OSX_OPINIONSPY.A includes the ability to download updated copies of itself, and the cybercriminals behind this attack are now using that feature. These variants are now being detected as OSX_OPNIONSPY.SM.


    TrendLabsSM received reports of a suspicious email claiming to be an IT notification. It informs users that their mailbox settings have been changed. This email has a .PDF attachment that supposedly contains instructions that the users need to read before updating their settings.

    This attack is similar to many we have seen previously purporting to come from a real sender and looking like a semilegitimate company notification.  Through this design, cybercriminals hope to make the malicious email more believable for recipients, enticing them to open the .PDF attachment. Here is a sample screenshot of the of one of the emails we received:

    Click for larger view

    There are some simple safe computing practices that can always be used when opening emails and executing attachments.

    • Always check who the email sender is.
    • Look for errors in messages.
    • Do not click embedded links.
    • Check attachments’ real extension names and never click executable files.

    The .PDF attachment is actually a malicious file Trend Micro detects as TROJ_PIDIEF.ZAC. When executed, this .PDF file calls on the embedded script batscript.vbs, which drops and executes a worm component named game.exe. The worm component also carries the rootkit file bp.sys to possibly hide its malicious routines and to prevent itself from being discovered by the user.

    These components are detected as follows:

    Ultimately, this threat tries to access an FTP server to possibly download other malicious files onto the affected system.

    TrendLabs engineers are currently working to provide a more detailed analysis of this threat. Updates will be provided shortly.

    Our in-the-cloud correlation engines quickly identified the multiple components of this attack to ensure the protection of Trend Micro customers.  Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to malicious URLs and blocks spammed messages through the Web and email reputation services. It also detects all malware related to this attack via the file reputation service.

    If you think your system may have already been infected, scan and clean your system with HouseCall, Trend Micro’s free online malware scanner.

    Update as of April 28, 2010, 5:30 p.m. (GMT +8:00):
    Other spam messages using similar social engineering techniques have been spotted. These contain a malicous attachment detected as TROJ_KATUSHA.F.

    Update as of April 30, 2010, 9:19 a.m. (GMT +8:00)
    Upon further analysis of WORM_EMOTI.A there was no longer any indication that the URL http://{BLOCKED} is an FTP site that resolves to HTTP. However, it may still access two additional URLs: http://{BLOCKED} and http://{BLOCKED}


    Intego discovered a new OS X malware last week. Based on its report, however, this new malware is a variant of an early Mac OS X malware that was first seen in 2004. It was reported that cybercriminals have been using several different forums to distribute copies of this new variant.

    This OS X malware arrives on a system as a package purporting to be an iPhoto installer. iPhoto is a Mac application that allows users to easily edit and manage photos on their computers. Trend Micro detects this malware as OSX_HELLRTS.A. It acts as a backdoor program that can allow remote attackers to gain direct access to an infected Mac computer. Users who unwittingly install this malicious package are at risk of having their systems compromised and controlled by cybercriminals.

    Click for larger view

    Mac users are protected by Trend Micro™ Smart Protection Network™ against this threat by detecting and preventing the malicious package from being installed onto a user’s system. Mac users are thus strongly advised to use Trend Micro Smart Surfing for Mac.

    Posted in Malware | 1 TrackBack »

    News of a twin bombing attack in Russia shocked the world on Monday morning as two female suicide bombers blew themselves up in Moscow subway stations. According to news reports, the attacks killed at least 38 and wounded more than 60 people. Jumping at the chance to make profit from terrible events, cybercriminals quickly picked the news up and used it for their own malicious attacks.

    Shortly after the news broke out, cybercriminals once again employed their blackhat search engine optimization (SEO) tactics to make their malicious links the top-ranking search results in Google. Their links achieved the top 2 spots for about 2 hours for the keywords Moscow subway explosion and are now placing within the top 11 spots for the keywords Moscow bombing. Apparently, this news topic has made Moscow a popular trending topic not only in Google but in social networks as well. In Twitter, searching for Moscow also showed results with embedded malicious URLs within Tweets.

    Click Click

    The links, of course, will not direct users to news sites but instead open a fake scanning page. It then reports that the computer is vulnerable to malware attacks and recommends that the users proceed with checking for infections.

    Click Click

    Agreeing to install the rogue antivirus downloads the FAKEAV file detected by Trend Micro as TROJ_FAKEAV.SMDY onto affected systems.

    Click Click

    If there is one thing every user should now know, it is that cybercriminals will use whatever topic is most popular to make their attacks successful. As always, please be mindful not to click any link even if it is one of the top-ranking results in Google or if it has been sent by your supposed friends in Twitter.

    Trend Micro product users are protected from this threat by the Smart Protection Network™, which blocks user access to related malicious sites and prevents malware from being downloaded onto users’ systems.


    Yesterday, a 6.0-magnitude earthquake shook the Philippine capital, causing a bit of concern among its inhabitants and their relatives from the rest of the country and abroad. As such, many tuned in to the Web for the latest news and updates on this incident. As expected, cybercriminals were one of the first in line to provide information about the earthquake rigged with rogue antivirus applications.

    Trend Micro advanced threats researcher Norman Ingal discovered that some FAKEAV variants already took advantage of this incident as a social-engineering technique. He said this malware also used blackhat search engine optimization (blackhat SEO) tactics to make malicious links the top-ranking search results whenever users used the string, “earthquake manila philippines.”

    Click Click

    These links lead to the download of FAKEAV variants, particularly TROJ_FAKEAV.ENZ, which also used the recent wardrobe malfunction incident of a Philippine TV personality as an attack vector.

    Clicking the links also led to the download of JS_REDIR.SMB, which displays a warning dialog box that tells users that their computers have been infected.

    Click Click

    Clicking OK opens the following message boxes and windows and downloads the malicious file onto users’ computers.

    Click Click

    Earthquakes are natural occurrences and we never really know when or where they will hit next. One thing for sure though is that cybercriminals will most definitely ride on every earthquake or natural calamity news that will hit the press next just as they did during the Haiti and Chile earthquakes.

    Trend Micro product users are protected from this threat by the Smart Protection Network™, which blocks user access to related malicious sites and prevents them from being downloaded onto users’ systems.

    Non-Trend Micro product users can likewise stay protected by using free tools like Web Protection Add-On, a lightweight add-on solution designed to proactively protect computers against Web threats.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice