Blackhole exploit kit (BHEK) spam attacks remain to be a prevalent threat up to this day. In fact, it is one of the top five consumer threats for 2012 due to its use of software vulnerabilities and social engineering tactic of leveraging companies like Verizon, Citibank AT&T, and Western Union among others. Furthermore, there are reports that BHEK recently released updates, which made this threat stealthier than before.

We have continuously monitored this threat and spotted several BHEK campaigns during the holidays. However, we noticed that the perpetrators behind these campaigns took a ‘holiday break’ so to speak since there weren’t any BHEK spam runs from Dec 30 until January 7.

And now that the holidays are over, cybercriminals behind BHEK campaigns are back again, this time spoofing companies like HP, Federal Reserve Bank, and Better Business Bureau. In particular, the Better Business Bureau BHEK spam claims to be a complaint report and urges its recipients to click a link pointing to the said claim letter report. The links eventually lead to sites that host the Blackhole Exploit Kit, which we detect as JS_BLACOLE.TPY.

Read the rest of this entry »

The upcoming London Olympics is undoubtedly one of the most highly-anticipated sporting events of the year. It is also a favorite social engineering ploy among cybercriminals. Just recently, we found an Olympics scam in the form of a lottery that promises a free travel package to the event. Some online crooks, however, played it differently this time. Instead of the typical Olympic-related scams wherein users supposedly won tickets to the event, this scam arrives as spam disguised as an email advisory.

As mentioned, this scam comes in the form of email messages that warn recipients of fake websites and organizations selling tickets to the London Olympics 2012. These mails contain the official logo of the event to possibly deceive users of its legitimacy. Included in the message is an attached .DOC file that lists these bogus ticket sellers. The attachment, however, is actually a malicious file detected by Trend Micro as TROJ_ARTIEF.ZIGS. The malware takes advantage of the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the backdoor BKDR_CYSXL.A. This backdoor may perform several malicious routines, including deleting and creating files and shutting down the infected system.

Readers who frequently visit this site surely know that this is just one of the many Olympic-related scams that we have seen in the past. As early as October 2008, spam messages were found masquerading as Olympic 2012 lottery notifications. Other sports events like the Beijing Olympics in 2008 and the FIFA World Cup were also no strangers to this type of ruse.

As the London Olympics 2012 draws near, we are expecting this type of threats to proliferate. Thus, users should make it a habit to check the legitimacy of any message before downloading the attachment or clicking the links included in it.

Trend Micro users are protected from this threat via Trend Micro™ Smart Protection Network™, which detects and deletes all the related malware. Trend Micro Deep Security also shields systems from being exploited via Rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.

To know more about previous threats that took advantage of the Olympics, World Cup and other major sporting events, you may read our entry Sports as Bait: Cybercriminals Play to Win.

We’ve been seeing a particular social engineering lure in spam runs in the past, where spammers leverage the death of a known celebrity or political figure. Recent examples of this include the death of Steve Jobs, and Amy Winehouse. In this spam run using Gadhafi’s death, however, a more compelling lure is being used to trick users into downloading malicious files.

We found several spammed messages that claim to lead to videos of Gadhafi’s death. It is important to note that videos of Gadhafi’s death do exist, and legitimate news sites like Reuters and The Washington Post tell of the graphic content in the video and even host the said videos on their websites. This existence of real videos of Gadhafi’s death relatively makes it a more compelling lure.

The first sample disguises itself as a CNN newsletter in Spanish. It tells the user to download the video footage of Gadhafi’s death through the link provided. However, the supposed video file, Video-Gadhafi.mpeg.exe, that the user is led to turns out to be malware which we detect as BKDR_IRCBOT.DAM.

BKDR_IRCBOT.DAM connects to a certain IRC server and waits for commands from a remote user. So far, the only command we’ve seen being triggered by this connection is the downloading and execution of a file from a certain IP address. The said file is another copy of BKDR_IRCBOT.DAM. We believe that this routine is this malware’s way of updating itself.

Read the rest of this entry »

Our team recently came across a spam run that leads to the download of a ZBOT variant that uses a domain-generation technique. The spam run involves messages that arrive in users’ inboxes as Facebook friend request notifications.

The message bears a link that the users must click to approve the friend request. Clicking the said link, however, will only lead to a page informing the users that they need to install the latest version of Adobe Flash Player in order to proceed. Unsurprisingly, the downloaded file is not the Adobe Flash Player installer but a malicious file detected as TSPY_ZBOT.FAZ.

TSPY_ZBOT.FAZ, like most ZBOT variants, accesses a certain site in order to retrieve a configuration file. The said configuration file contains the list of URLs that the malware will monitor in order to steal related credentials. What makes this particular variant noteworthy, however, is that it employs a domain-generation technique. This means that unlike other ZBOT variants that already have a preset URL to access in order to download the configuration file, TSPY_ZBOT.FAZ randomly generates URLs to access through a randomizing function that is computed based on the system’s current date.

Read the rest of this entry »