    Author Archive - JM Hipolito (Technical Communications)

    Adobe released an out-of-band security update to address six critical vulnerabilities, all affecting Adobe Flash Player.

    One of the six, a cross-site scripting (XSS) vulnerability identified as CVE-2011-2444, is reportedly being exploited in the wild. The bug is reportedly being used in targeted attacks that involve malicious links sent out to targets via email.

    Adobe attributed the discovery of CVE-2011-2444 to Google, who, in response to finding the vulnerability, issued an update for the Google Chrome browser to prevent attackers from exploiting the security hole.

    Users are strongly advised to apply the patches as soon as possible, especially since exploiting any of the addressed vulnerabilities can lead to either remote code execution or to information disclosure.

    Note that users who utilize multiple browsers may need to separately update their other browsers. Users can visit this page for all of their browsers to check if they have the latest version of Adobe Flash Player installed and this page to update. Here is the list of Adobe Flash Player versions affected by vulnerabilities addressed by this update:

    • Flash Player and earlier
    • Flash Player and earlier for network distribution
    • Flash Player and earlier for Android
    • Flash Player and earlier for Chrome

    We will update this post once we find more information about the exploit.


    We were recently made aware of attacks leveraging the recent data breach that involved Epsilon.

    According to reports, the attack involves a Web page that looks very similar to the press release issued by Epsilon concerning the breach. The page also instructs the recipients to click a link at the bottom of the post in order to download and run a tool that will supposedly help them determine if their personal information was among those disclosed during the attack.

    We were able to analyze the details of the attack and found that the link downloads an .EXE file now detected as TROJ_MSPOSER.ASM. Running TROJ_MSPOSER.ASM displays the following GUI, which seems to suggest that the system is being checked.

    Of course, the graphic is really just there in an attempt to convince the victims that what they downloaded was really a tool that will help them determine if their information is still secure. In the background, however, another malicious file is being installed into the system.



    We’re currently monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV.

    Based on Google searches, there is no common denominator in terms of the industry to which the compromised sites belong. We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others.

    More URLs Involved

    Investigations revealed that five URLs were used for the attack and were inserted into the compromised sites through SQL injection. The said URLs all resolve to a single IP server—a known malicious IP Trend Micro researchers are monitoring. Thus, the related URLs have been proactively blocked by Trend Micro as early as March 25, 2011:

    • {BLOCKED}
    • {BLOCKED}
    • {BLOCKED}
    • {BLOCKED}
    • {BLOCKED}

    New developments are currently being observed. We’re seeing compromised websites that were previously inserted with a script leading to {BLOCKED} already modified to connect to {BLOCKED}. The said URL also resolves to the same IP server as the four previously mentioned URLs. It is possible that the cybercriminal behind this attack is updating the compromised sites with new URLs to connect to since the previous ones are already being blocked.



    We got hold of an exploit targeting the vulnerability Adobe reported in its most recent security advisory.

    The exploit, detected as TROJ_ADOBFP.B (now detected as TROJ_ADOBFP.SM), takes advantage of the referenced vulnerability to drop another malicious file detected as TROJ_DROPPER.ADO.

    TROJ_ADOBFP.B arrives in users’ systems as a malicious .SWF file that has been embedded into an .XLS file. This .SWF file contains the code for the exploit. TROJ_DROPPER.ADO, on the other hand, drops another malicious file detected as BKDR_COSMU.KO. BKDR_COSMU.KO connects to a URL to execute certain commands. It also retrieves information from the affected system such as drive information, OS, file or directory list, as well as a list of existing processes and services.

    The vulnerability related to this threat affects the following software and their corresponding versions:

    • Adobe Flash Player for Windows, Macintosh, Linux, and Solaris OSs
    • Adobe Flash Player and earlier versions for Android
    • Adobe Reader and Acrobat X (10.0.1) for Windows and Macintosh OSs (specifically the Authplay.dll component)

    Adobe posted a schedule for the release of security updates that will address this vulnerability. All affected versions, except Adobe Reader X, will be patched on March 21. The update for Adobe Reader X will be released on June 14. Until the updates are released, users are advised to be extra careful, especially when dealing with .XLS files coming from unknown users.

    Update as of March 22, 2011, 12:50 AM Pacific Time

    Adobe released the security updates for Adobe Flash Player and Adobe Reader and Acrobat. More information on the said updates can be found in the following pages:

    Users are strongly advised to apply the said updates as soon as possible.


    Online transactions offer great convenience to vendors and customers alike. They provide a means of conducting transactions that is better suited to most users’ current lifestyle, which increasingly involves the Internet.

    Unfortunately, this increased dependency on online banking and e-commerce is directly proportional to cybercriminals’ interest in how to leverage it to their advantage. Recently we’ve seen certain technologies used in online financial transactions being abused:

    Session IDs

    As detailed in a Trusteer report, a new banking Trojan, detected by Trend Micro as TSPY_ODDJOB.SMA, has been found to be capable of hijacking customers’ online banking sessions. Session IDs, which give users a temporary identity, are meant to be short-lived and expire after a predetermined time of inactivity. TSPY_ODDJOB.SMA effectively keeps sessions open even after customers have logged off, thus enabling cybercriminals to commit fraud.

    The capability may be noteworthy, but Trend Micro Smart Protection Network has so far detected and blocked only one instance of the Trojan. However, this new technique could prove to be greatly attractive to those criminals using ZeuS and SpyEye, especially because it is relatively simple to incorporate.

    In the next few months, session hijacking could easily become a default functionality in banking Trojans.
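    Added example (not code from the post or from Trend Micro): a minimal server-side session store in Python that enforces the inactivity expiry the post describes, adds an absolute lifetime so that keep-alive traffic cannot extend a session indefinitely, invalidates the session on logout regardless of who still holds the ID, and records any request that arrives on an already-revoked session so the defender can spot it. The timeout values are assumptions chosen for illustration.

```python
import secrets
import time

# Assumed policy values for this example, not figures from the post.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap: no amount of activity extends a session past this


class SessionStore:
    """Server-side session store. The session ID handed to the browser is an
    opaque random token; every decision about whether it is still valid is made
    here, so revoking the entry ends the session for anyone holding the ID."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised in tests
        self._sessions = {}      # sid -> {"user", "created", "last_seen", "revoked"}
        self.audit = []          # (sid, user, event) records for the detection side

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t, "revoked": False}
        return sid

    def logout(self, sid):
        """Invalidate server-side; the cookie value becomes useless immediately."""
        s = self._sessions.get(sid)
        if s is not None:
            s["revoked"] = True

    def validate(self, sid):
        """Return the user for a live session, or None. A valid request refreshes
        the idle timer but can never push the session past its absolute lifetime."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s["revoked"]:
            # Traffic on a session that was logged out or expired is the pattern a
            # session-keeping Trojan produces; record it rather than silently refuse.
            self.audit.append((sid, s["user"], "use_after_revoke"))
            return None
        t = self._now()
        if t - s["created"] > ABSOLUTE_LIFETIME or t - s["last_seen"] > IDLE_TIMEOUT:
            s["revoked"] = True
            return None
        s["last_seen"] = t
        return s["user"]
```

The `audit` list is the hook for detection: repeated `use_after_revoke` events on one session ID are worth alerting on, since a legitimate browser has no reason to keep presenting a cookie the user already logged out of.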



