Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Jessa De La Torre (Senior Threat Researcher)

    The Mariposa botnet made headlines when three of its alleged operators were arrested in Spain prior to its supposed shutdown. This was followed by a sudden and drastic decrease in Mariposa-related incidents, which was very understandable because the botnet was reported to have already been taken down.

    Lately, however, we’ve been seeing a strange increase in activity related to WORM_PALEVO—the Trend Micro detection name for malware related to the Mariposa botnet. The increase started late in the fourth quarter of 2010.

    It seems that despite the Mariposa botnet takedown in early 2010, some of its command-and-control (C&C) servers are still very much alive. Our findings were further verified, as according to, there are currently 89 active Mariposa C&C servers. This number is also steadily growing, as we’ve found 116 active C&C servers as of this writing. The list even includes the infamous URL that was responsible for the botnet’s name—Mariposa.

    Read the rest of this entry »


    It has been said that 2011 is the year of sequels in the movie industry and it seems that malware authors are also taking cues from their Hollywood counterparts. It is only the first quarter of the year but we have already seen a number of revamps of previous well-known malware. The new year started off with the Waledac spin-off Kelihos then ZeuS followed suit with its multiplatform mobile version. Now, recent reports also point to the comeback of a reluctant malware celebrity—QAKBOT.

    QAKBOT never had the same level of notoriety that ZeuS managed to reach. Nevertheless, the damage it inflicted made a great impact on several multinational companies. An RSA report (in PDF) on the impact of attacks involving QAKBOT may be viewed here.

    Our engineers got hold of a new QAKBOT variant in early 2011. Even though its core payload remained the same, several changes were evident. QAKBOT used to be known as a multicomponent malware. Each of its components performs specific routines like information theft, rootkit , anti-emulation, backdoor, and blockage of access to antivirus websites.

    Read the rest of this entry »


    Several reports have been recently released on a certain spam run that bears a resemblance to the infamous WALEDAC worm, which wrought havoc in 2008. According to ShadowServer who first reported the threat, the attack was similar to WALEDAC attacks due to the use of spam, fast-flux domains, and changing binaries, among other reasons. This led to the conclusion that this attack was conducted by the very same people behind WALEDAC.

    It’s not yet clear if these attacks are really tied to the same individuals behind WALEDAC. What we found, however, is that the threat used tactics similar to those used by WALEDAC.

    We first encountered this threat on December 29 last year when we received and blocked spam messages with a short yet very timely message.

    Click for larger view

    This type of attack was used by WALEDAC several times. The use of e-cards and the holidays as social engineering ploys are also not unusual.

    The messages contained a URL that varied and leads to yet another simple page that asks the recipients to download a fake Adobe Flash Player, which is actually a Trojan detected as TROJ_KELIHOS.DLR. The said Trojan downloads another file detected as WORM_KELIHOS.SM.
    Read the rest of this entry »


    Analysis of the PE_LICAT.A file infector (first discussed in File Infector Uses Domain Generation Technique Like DOWNAD/Conficker) has revealed further information on this emerging threat.

    We have been able to isolate a copy of the main file infector, which we detect as PE_LICAT.A-O. (A main file infector is one that triggers the process of infecting files but is not infected itself.) It injects itself into the Explorer.exe process, which has two effects. First, it becomes memory-resident. Second, any file executed afterward becomes infected with malicious code and is detected as PE_LICAT.A.

    We looked into the pseudo-random domains that LICAT accesses to download files. Every time PE_LICAT.A is executed, it attempts to download files from these domains, trying to do so a maximum of 800 times.

    The following top-level domains are used by these created domains:

    • biz
    • com
    • info
    • org
    • net

    Our monitoring indicates that most of these domains have not been registered. A small number have been registered. Although some of the sites these actually lead to are currently inaccessible, some are still alive and active. As a precaution, all related sites have now been classified as malicious and blocked by Trend Micro.

    These domains appear to link PE_LICAT and ZeuS. Several of the domains that PE_LICAT was scheduled to download files from in late September have been confirmed to be known ZeuS domains in that period. One of these domains, {BLOCKED}, was registered approximately one week before it would have been used by PE_LICAT. Another domain was hosted on an ISP that has seen significant levels of ZeuS-related activity in the past and is a known haven for cybercrime.

    We were able to obtain a sample from these LICAT-related domains, which we currently detect as TSPY_ZBOT.BYZ.  The downloader file shows certain behaviors often associated with ZeuS.  However, the capability to act as a downloader is not a functionality seen in ZeuS to date. As such, further analysis is taking place for this file.  The file drops a copy of the main file infector, PE_LICAT.A-O. Files exhibiting similar behavior to the downloader will be proactively detected as TSPY_ZBOT.SMEQ.

    PE_LICAT infections appear to have hit the North American and European regions hardest, with Latin America the lightest hit according to our Smart Protection Network™ feedback.

    Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™. CTO Raimund Genes talks more about this protection in How Analyzing a New Virus Can Lead to Multiple Protections. The domains generated by PE_LICAT are being analyzed in real-time and blocked as necessary. In addition, infected files are being detected and cleaned as well.

    Update as of October 11, 2010 2:28 p.m. UTC

    Upon analysis of the dropped file TSPY_ZBOT.BYZ, it was found that this ZeuS variant is actually both the starting point and final payload of this infection chain. Studying TSPY_ZBOT.BYZ reveals that it decrypts and drops PE_LICAT.A-O onto an affected system. As such, it can be inferred that this was, indeed, a ZeuS-driven attack, with the file infection and URL generation technique used to prolong its lifespan.

    Below is an image describing the whole infection chain:

    Infection Chain


    A fake Malicious Software Removal Tool (MSRT) has been found circulating in the wild. Senior threats analyst Edgardo Diaz stumbled upon a sample that Trend Micro detects as TROJ_FAKEAV.MSRT.

    From the onset, it looks like the real MSRT based on the icon it uses. Similar to other FAKEAV variants, it also displays a fake scanning alert that the user’s system has been supposedly infected by malware.

    Click for larger view

    However, keen-eyed users will notice that this tool is fake due to the following reasons:

    1. File size: It is relatively small, making up only 412,672 Bytes.
    2. Digital signature: The real tool is digitally signed, this isn’t.
    3. Antivirus product: It scans for installed antivirus products on the system and informs users that the recommended software (Shield EC Antivirus) can only remove the malware.
    Click for larger view

    However, the clincher comes at the end. Like its predecessors, it entices users to purchase the recommended rogue antivirus—Shield EC Antivirus. It points users to the billing page, http://{BLOCKED} where they are asked to pay US$99.90 for the product.

    Click for larger view

    Trend Micro product users are already protected from this attack via the Trend Micro™ Smart Protection Network™, which detects the said FAKEAV variant. Non-Trend Micro product users, on the other hand, can use the free cleanup tool, HouseCall.

    Posted in Malware | 1 TrackBack »


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice