Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Joseph Pacamarra (Threats Analyst)

    While scouting the Web for the latest threats, Trend Micro threat analysts stumbled upon FAKEAV variants riding on the impending eruption of the Mayon Volcano. Renowned for its “perfect cone” shape, the Mayon Volcano became one of the candidates for inclusion in the New 7 Wonders of Nature list. It is not surprising, therefore, that news of its impending eruption, during the Christmas holidays no less, will attract the attention of both curious onlookers and concerned individuals alike.

    Close on the heels of users seeking out news on the event, of course, are cybercriminals with their usual blackhat SEO tactics. Searching for news on the topic on Google using the string “Mayon Volcano eruption” may lead users to the malicious URL http://{BLOCKED} Clicking the link redirects users to the CNN homepage unless their browser has as referrer, in which case, they are redirected to another malicious URL, http://{RANDOM} Afterward, they will again be redirected to any of the following URLs where FAKEAV variants are downloaded onto their systems:

    • http://{BLOCKED}, which redirects to http://{BLOCKED}, where they will prompted to download install14300.exe (detected by Trend Micro as TROJ_FAKEAV.MVE)
    • http://{BLOCKED}, which redirects to http://{BLOCKED}, where they will be prompted to download setup_build6_195.exe (detected as TROJ_FAKEAV.PTO)
    • http://{BLOCKED} where they will be prompted to download install.exe (detected as TROJ_FAKEAV.XMS)
    Click Click

    Smart Protection Network protects Trend Micro product users by preventing user access to the said malicious sites and detecting and by blocking the download of all related malicious files. As added precaution, however, users are advised to only rely on trusted news sites for updates on the event.


    We have recently found a website that purportedly offers cracks for numerous applications, but in reality serves malicious files to its unknowing users.

    The website, hxxp://{BLOCKED}, is allegedly owned by an organization called China.United Telecom. Corp. The said website supposedly offers a wide collection of cracks for different applications. However, attempting to download any of these files will always lead to the same page (Figure 2.)

    Click Click

    Clicking the Download button downloads a .ZIP file into the user’s system. The .ZIP file contains two files, both of which are malicious:


    Trend Micro detects the files as TROJ_DLOADER.ZTN. TROJ_DLOADER.ZTN downloads TROJ_AGENT.INC and TROJ_DLOADR.AOP which further connects to URLs to download more malicious files.

    The .ZIP file is actually hosted on another domain, hxxp://{BLOCKED}

    Accessing the top domain where the .ZIP file is hosted leads to a landing page informing the user that the website is already suspended for violation of terms of service. However, it seems that directly linking to the file, regardless of the alleged suspension, ensures a successful download of any file hosted on the site.


    Apparently, the suspension did not stop cybercriminals from using the website’s directory as a malware repository for other attacks. Either that, or this might only be a guise used by criminals to hide the website’s real purpose. The Smart Protection Network however, stops this threat from affecting users’ systems through blocking related malicious URLs, and detecting malicious files.


    While monitoring countless sites as part of our current Web threat strategy, we have stumbled upon a legitimate-looking prompt from MSN Live Messenger… or so it would appear (at first).

    As shown from the screen captures below, this prompt bears a close resemblance to the actual prompt being displayed by the MSN Live Messenger instant messaging application (also known as Windows Live Messenger) whenever a friend from the user’s friends list logs in.

    Figure 1. Screenshot of fake prompt seen in this attack.

    Potential victims who unfortunately encounter the site ( via spam or spammed IM is first enticed by the Web site’s description, which promises the capability to view which of their friends have removed them from their friends list, provided they are logged in, of course—a pretty convincing trick to lure users to key in their user names and passwords.

    As the Web site is accessed, a message prompt from MSN Live Messenger appears at the lower-right part of the screen, just below the system tray, where such prompts are known to appear:

    Figure 2. Site that opens when users click on phishing mail.

    Once users click on the prompt, they are diverted to a Flash-based window which also resembles an actual MSN group chat window:

    Figure 3. Real-looking (and functioning) chat window loaded when users click on the prompt in Figure 1.

    This routine is used to attract the users, as well as to build credibility. If the user goes back to the main site and enters their credentials, the site displays a list of users who have allegedly removed the affected user from their contact lists:

    Figure 4. This page is displayed after the user logs in to the fake site.

    What happens under the radar, however, is that the site captures the entered credentials and the accounts are then opened by a remote malicious user and IM messages containing a link to the Borradito phishing site are sent to all contacts on the affected account’s buddy list as shown below:

    Figure 5. IM messages sent to infected users’ contacts.

    This ensures further propagation of this threat. Directly at risk are MSN users and their contacts. The account information harvested in this account may be used to access various Windows Live services such as Windows Live Call (PC-to-phone calls), SkyDrive (file-sharing services), Spaces, and even Hotmail accounts under the same account.

    Today, your email accounts hold many important tidbits on different aspects of your life, job, and personal details many people would prefer not to be divulged to others. Letting your guard down can be be very costly and can lead to exploitation. The worst possible scenarios include identity theft and financial loss. Trend Micro users are protected from this threat (all related URLs are already blocked by the Smart Protection Network).

    Posted in Mobile | 1 TrackBack »

    XSS (Cross-Site Scripting) Very Much Alive and Kicking

    We were about to investigate further on malicious activities related to banner82(dot)com/b.js but the URL was already inaccessible around Tuesday. Soon enough the malicious script in www(dot)adw95(dot)com caught our interest. A rough survey of the sites compromised by this script reveal that the sites involved some cross-site scripting (XSS), or SQL injection vulnerabilities, or a combination of both.

    XSS Holes Endanger Users with Increasing Risks

    I want to shed some light again on XSS because although it has been around for a long time, it has neither become less of an attractive attack method, nor has a fool-proof solution against it has been properly formulated.

    XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. Some XSS attacks incorporate disclosure of the user’s session cookies, allowing an attack perpetrator to have complete control over the victim’s session and to (in effect) take over the account & hijack the HTTP session.

    XSS attacks may also include redirecting the user to some other page or website, and modifying the content of a HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? One can only guess because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.

    An XSS attacker utilizes varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There are an unaccounted number of variations for these types of attacks, and XSS attacks can come in the form of embedded JavaScript — one of the more common implementations. But be forewarned — any embedded active content is also a potential source of danger, including: ActiveX (OLE), VBscript, Flash, and more.

    Breaches in the Background

    XSS issues can and do exist as well in the underlying Web and application servers too. Most Web and application servers use error mechanisms to display content access error pages, such as “404 page not found “and “500 internal server error”. If these pages reflect back any information from the user’s request, such as the URL they were trying to access, there are even greater chances that they are vulnerable to an XSS attack.

    The possibility that a website contains XSS vulnerabilities is extremely high. There are countless ways to mislead Web applications into relaying maliciously injected scripts. Developers and website administrators seem to have a knack for missing these vulnerable application areas in their web implementations, but finding these configuration errors seems to be a walk in the park for attackers, since all they need is a browser and time (time which most of the defenders don’t have).

    There are numerous free attack tools available,and worse, the most efficient ones are created by career criminals who happen to be at the disposal of anyone willing to pay for their warez. These tools readily aid in finding these flaws, and are increasing often crafted to inject XSS attacks into a target site.

    XSS Vulnerability in Adw95(dot)com Attack

    Here’s a closer look at the infection chain launched by the injection of malicious JavaScript into victimized websites:

    Mass compromises seem to be all the rage these days, and exploiting XSS vulnerabilities are just one of the methods criminals can employ to silently worm their way into users’ PCs. Please see our Virus Encyclopedia for further details about the malware in this particular infection chain. Trend Micro users with updated patches are protected from these threats as of Pattern 5.305.00.

    (Note: Malware may vary or change at any given time as we are still closely monitoring this incident).

    Posted in Malware, Vulnerabilities | Comments Off on XSS Methods Also Seen Being Used in Mass Compromises

    Thai site

    Research Project Manager Ivan Macalintal reported a few hours ago that another Thailand-based Web hosting site appears to have been compromised to serve malware.

    APAC-Regional TrendLabs Team immediately probed and analyzed the attack layout for the ill-fated and we identified a tricky injection, which was prematurely implemented.

    Based on our analysis, the main site is just about to be heavily laden with scripts when it was first reported. Going further, since it looks like a dead end when we tried a different avenue and since the main page itself is just like a site with a script gone bad, we found this:

      | /*
    (Cloaking with a 404 error still heavily laden with an encrypted script which lead to)
    Host Location Estiona
    Host Location European Union
    [Russian Federation]
    The following malicious files are set to drop at this point namely
    Host Location Ukraine

    These tiers were brought down 20 minutes or less after the probing was done. Too late for the authors of the attack, their tracks were traced back pinpointing the actual file that they were hoping to implement using Obfuscation and iFrame as a drop-off point.

    With coordinated effort from APAC-RTL spearheaded by Oscar R., Trend Micro Thailand Office by Wan K. and Kitisak J. of ThaiCert – the site administrator was advised about the incident and had the site cleaned in no time. Now it’s back to its regular business.

    Trend Micro already detects these files since the release of malware control patch number 5.144.05 using scan engine 8.5001002 or later.

    Posted in Bad Sites | Comments Off on Yet Another Thai Site Compromised by EU Malware Authors


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice