    Author Archive - Jake Soriano (Technical Communications)

    Easter, like any other holiday, will not pass without cyber criminals attempting to exploit the occasion for their own malicious operations.

    Trend Micro Advanced Threats Researcher Paul Ferguson discovered websites that seem to be related to Easter, except that they are malicious and were created to push malware onto PCs. He adds that there is again evidence pointing to well-known Russian/Ukrainian cybercrime organizations, which are most probably behind these ongoing malicious SEO (Search Engine Optimization) campaigns that attempt to boost the page rankings of the booby-trapped websites.

    Unwitting victims are led to these sites through “poisoned” search results. Queries in popular engines for keywords related to Easter yield results that point to the malicious sites mentioned above.

    Analysis by our engineers reveals that one of the dangerous sites is rigged with a script detected by Trend Micro as JS_DLOADER.WKQ. This malicious JavaScript redirects victims to another page, a Fake AV download site, where a rogue antivirus program detected as TROJ_FAKEAV.BAF is downloaded.

    Rogue software continues to plague Web users. The most recent development in this malware category involved cybercriminals incorporating ransomware elements, encrypting users’ files so that victims would have to pay to install software that would supposedly “fix” the corrupted files.

    Our engineers are analyzing this threat further. Updates will be posted as soon as more information becomes available.

    Update: 13 April 2009, 10:00 PM PST

    Analysis reveals that TROJ_FAKEAV.BAF displays the following fake malware infection warnings to convince affected users to pay for a supposed “security software” that is in actuality the malware itself.

    Figure 1. Fake malware infection warnings

    Figure 2. Prompt to install the trial version of rogue antivirus program

    Figure 3. Rogue antivirus program GUI

    Figure 4. The affected user is asked to purchase the “full version” of the rogue antivirus in order to remove the supposed malware affecting their system.


    The Waledac gang continues to improve on Storm’s tried and tested spamming technique. Fake news and alarming headlines are standard Storm email contents since the botnet’s most notorious variant, NUWAR, started sending out messages warning users of looming nuclear wars.

    Waledac recently started a new spamming operation using that same old social engineering technique:

    Figures 1, 2, and 3. Sample spammed messages.

    The links in these messages lead to malicious websites where Waledac variants are eventually downloaded. What’s new here is that these websites are engineered to vary according to the location of the email recipient. Users are explicitly told that an explosion happened in their respective cities:

    Figure 4. A user in the Philippines would see this localized malicious website.

    Trend Micro Advanced Threats Researcher Paul Ferguson explains that this is done by using GeoIP to determine the location of the victims who surf to a booby-trapped server hosting the bogus news website. The spammed messages themselves have generic content, but the sites they point to modify the city names in the headline depending on the IP location of the user. This serves as an effective social engineering technique in an attempt to sow fear and paranoia.

    However, this is not the first time Waledac has used this localization technique. According to Advanced Threats Researcher Joey Costoya, Waledac was already using this GeoIP functionality back in February, when the botnet sent fake coupons. A user from Manila would see the following:

    Figure 4. Malicious website.

    Users from other regions would see another. Because the threat is localized and is made to look more personal, the possibility of users actually believing the content of the sites is increased.

    Trend Micro’s current detections include WORM_WALEDAC.NYS and WORM_WALEDAC.CRV. The Waledac family is known for harvesting email addresses and sending them to several IP addresses.

    The Smart Protection Network also blocks Waledac websites. Our engineers are analyzing this threat further. We will update this post as soon as more information becomes available.

    Other Waledac entries:

    • WALEDAC Spreads More Malware Love
    • WALEDAC Loves (to Spam) You!
    • Fake Obama News Sites Abound

    Trend Micro detects yet another variant of the infamous DOWNAD family, WORM_DOWNAD.KK. DOWNAD (also known as Conficker) is one of the more destructive outbreak worms in the Web threat era, with numbers matching that of giant botnets Storm and Kraken.

    WORM_DOWNAD.KK closely follows the trail of WORM_DOWNAD.A and WORM_DOWNAD.AD (which was discovered late last month to have updated functionalities). With this new variant, the entire DOWNAD mess is getting a lot uglier.

    The two earlier DOWNAD worms, as of this month, have already infected a million PCs based on Trend Micro’s World Virus Tracking Center, which scans only infections detected by HouseCall and other Trend Micro related products. Security researchers estimate the global infection at around nine million PCs.

    Among WORM_DOWNAD.KK’s added features is an increase in the number of generated domains, from the 250 generated by the earlier variants to 50,000. While the worm only attempts to connect to around 500 randomly selected domains at a time, this modification is seen as an effort to add survivability to the DOWNAD botnet.

    Trend Micro Advanced Threats Researcher Paul Ferguson says that blocking these domains is almost impossible not only because of the daily volume, but also because there is a high possibility of legitimate domain collisions where DOWNAD generates domains already in use by legitimate entities.
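    Because a per-domain blocklist is defeated by the volume of generated names and by collisions with legitimate domains, defenders usually complement it with a behavioural check on DNS traffic: a host that resolves hundreds of never-before-seen names per day, most of which do not exist, stands out regardless of which names the worm picked. The script below is an added example written for this page, not Trend Micro code or a DOWNAD detection signature; the log format, the log lines and the thresholds (`min_nx_domains`, `min_nx_ratio`) are all constructed assumptions, and none of the domains are real DOWNAD domains.

```python
"""Flag hosts whose DNS activity looks like a domain-generating worm trying
hundreds of generated domains a day (added example, not Trend Micro code).

Log format and every log line below are constructed for this example; the
thresholds are illustrative and would be tuned per network.
"""
from collections import defaultdict
import re

# Constructed sample: "<client_ip> <query_name> <rcode>", one query per line.
# 10.0.0.5 behaves normally; 10.0.0.9 mimics a DGA host (many NXDOMAINs).
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.5 typo-of-example.com NXDOMAIN
10.0.0.9 qwplkzaj.org NXDOMAIN
10.0.0.9 xzvmmqrt.net NXDOMAIN
10.0.0.9 lpoiuytw.com NXDOMAIN
10.0.0.9 mnbvcxzq.info NXDOMAIN
10.0.0.9 ajsdkflq.biz NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.9 ppqrrsst.org NXDOMAIN
10.0.0.9 wertyuio.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_dns_log(text):
    """Yield (client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)


def per_host_stats(records):
    """Count total queries, NXDOMAIN answers and distinct failed names per client."""
    stats = defaultdict(lambda: {"queries": 0, "nx": 0, "nx_domains": set()})
    for client, qname, rcode in records:
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_domains"].add(qname)
    return stats


def flag_dga_suspects(text, min_nx_domains=5, min_nx_ratio=0.5):
    """Return the sorted client IPs that exceed both thresholds.

    Both conditions are required: the distinct-name count catches the sheer
    volume of generated domains, the ratio avoids flagging a busy but healthy
    resolver client that happens to see a few typos.
    """
    suspects = []
    for client, s in per_host_stats(parse_dns_log(text)).items():
        ratio = s["nx"] / s["queries"]
        if len(s["nx_domains"]) >= min_nx_domains and ratio >= min_nx_ratio:
            suspects.append(client)
    return sorted(suspects)


if __name__ == "__main__":
    print(flag_dga_suspects(SAMPLE_DNS_LOG))  # ['10.0.0.9']
```

    In production the counts would be kept per host per day (the page’s figure of roughly 500 attempts at a time suggests a far higher `min_nx_domains` than the toy value used here), and the flagged host, not the individual domains, becomes the object to investigate and clean.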

    Like the other DOWNAD worms, this new variant also blocks access to antivirus-related sites, as well as terminates security tools.

    Trend Micro users are already protected by the Smart Protection Network, which blocks WORM_DOWNAD.KK and prevents it from running on systems. Infected systems can be cleaned by following the instructions in this page.


    Trend Micro researchers discovered that warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files.

    Figure 1. Crack sites are being used for malware distribution.

    Besides the search results, quick links in these sites also lead to malicious files. Ads and banners are also infection vectors. Ad placeholders are commonly found in legitimate websites, and it only takes a nifty social engineering technique to trick unknowing users into clicking. Embedded in these ads are IFrames with encrypted links that lead to dangerous websites.

    The downloaded malware include variants under the FAKEAV, TDSS, and VUNDO families. Infection chains, however, are notable for the presence of VIRUT and VIRUX malware. VIRUX and VIRUT attacks were initially about the volume of infected PCs. The numbers are massive enough to worry Web users and security researchers: around 20,000 PCs are infected per day.

    Trend Micro’s earlier blog post on the rising number of VIRUX-related cases describes the complicated infection chain triggered when VIRUX infects a system. But this current threat reveals that, beyond the information-stealing payload associated with these infectors, they also download malware with rogue antivirus routines.

    Our engineers are still analyzing this threat further. Updates will be posted as soon as more information becomes available. Users are advised to not click links in suspicious ads and to refrain from downloading installer files.


    Xbox Live users, specifically winning players, are being targeted by hackers. Researchers believe that the attacks are done so other Xbox Live users could get back at the players who beat them in a game.

    A BBC report explains that the tools used in this hacking attack do not target the Xbox Live network itself but the IP addresses of players hosting games. Hackers first try to find out a target user’s IP address and, once they have it, are able to stage attacks of the kind commonly launched against websites.

    Denial of service is an infamous line of attack in which hackers flood a site to make it inaccessible to visitors.

    This attack again presents an opportunity for cybercriminals to offer their services, for certain amounts of money of course. That is, if they were not already involved in the first place. Sniffing for IP addresses is the hard part of this operation. Imagine irate users paying money to get that information so they could get their revenge.

    It is interesting to note that more than a year ago several Xbox Live accounts were hacked, where the goal appeared to be information theft.

    Microsoft, which operates Xbox Live, is already investigating this online threat. The company has also made it clear that malicious activities like this violate the Terms of Use of the gaming and digital media service. Users caught participating in this attack could thus be banned.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice