Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Karla Agregado (Fraud Analyst)

    We were alerted to reports of a mass compromise of WordPress sites that lead to CRIDEX infection. To lure users to these compromised sites, the cybercriminals behind this employed spammed messages purporting to come from known legitimate sources such Better Business Bureau and LinkedIn, just to name a few. These spam use social engineering tactics to entice unsuspecting users to click the link found in the email.

    Click for larger viewClick for larger viewClicking this link leads to a series of compromised WordPress sites, which ultimately point users to the Blackhole Exploit kit that targets vulnerabilities cited in CVE-2010-0188 and CVE-2010-1885. This is detected by Trend Micro as JS_BLACOLE.IC.

    Once users click on any of the URLs seen on Figure 3, users are redirected to sites that host the said exploit kit.

    Based on our analysis, this exploit results to the installation of WORM_CRIDEX.IC on the affected system. When executed, this worm connects to a remote site http://{Random URL}.ru:8080/rwx/B2_9w3/in/ to download its configuration files.

    WORM_CRIDEX.IC was also found to generate several random domains using domain generating algorithms (DGA). This is a well-known technique used by cybercriminals to evade law enforcement and to prevent botnets from being shut down. The malware also uses DGA to download its configuration file. As of this writing, the exact behavior of the sample is dependent on the configuration file. Based on static analysis, however, it is capable of executing a file, deleting a file/folder, and retrieving certificates in a certificate store. During our testing, we were unable to download the configuration file as this was no longer available.

    Trend Micro protects users from this threat via its Trend Micro™ Smart Protection Network™ that blocks malicious URLs related to this attack as well as detecting the related malware. To avoid encountering these compromised sites, users should think twice before clicking those links found on dubious-looking messages. Always verify the validity of received messages, specially those that claim to be from well-known sources.

    With additional text and analysis by security evangelist  Ivan Macalintal.


    The Android Market was just recently renamed to Google Play and yet there are already cybercriminals taking advantage of this. We’ve spotted newly created domains that imitate the Google Play site and contain malicious apps.

    The malicious URL http://{BLOCKED} displays a fake Russian Google Play site. When translated to English, the text reads: “ Download Google Play for Android Google Play is formerly known as the android market but now a vast and influential old android market combined with a store of books google ebookstore multi-format films and world music google music.

    Upon trying to select the clickable images in the site, I was led to another malicious Russian domain that offers suspicious Android apps. I tried to download the Google Play application, google-play.apk, from the URL http://{BLOCKED} but it just points to malicious file detected as ANDROIDOS_SMSBOXER.AB. This leads to another malicious URL, http://{BLOCKED} 

    ANDROIDOS_SMSBOXER.AB is a premium abuser type of mobile malware. Such malware subscribes affected devices to premium services without the permission of the user, thus leading to unwanted charges.

    This particular malware is very similar to ANDROIDOS_OPFAKE.SME — an Android malware that made news last month for its ability to polymorph. However, similar to ANDROIDOS_OPFAKE.SME, the server that hosts ANDROIDOS_SMSBOXER.AB simply inserts unnecessary files into the APK in order to evade detection. According to Threats Analyst Kervin Alintanahin, the said routine technically can not be considered polymorphic behavior, especially since no significant change is done to the APK’s source code. Due to this, security software can still easily detect the malicious files.

    Aside from detecting the malicious .APK files, all of the related malicious URLs are already blocked through the Trend Micro Smart Protection Network. Trend Micro customers need not worry as ANDROIDOS_ SMSBOXER.AB is currently detected by Trend Micro Mobile App Reputation.

    If anything, this attack shows just how quick cybercriminals can adapt to the fast-changing mobile landscape. Users are strongly advised to practice extreme caution when dealing with apps and app stores in general. For more information on mobile threats, please check our Mobile Threat Information Hub.


    For some time now we’ve been reporting about Facebook scams involving surveys that ask for victims’ mobile numbers. These have become rampant, and have used many different lures like Google+ invites
    and free Breaking Dawn Part 2 movie tickets.

    Another good example is a Facebook page we recently encountered, one claiming to be a Starbucks promo page, and offering people free coffee. Clicking the link on the page opens a new browser window, which connects to a site that triggers a series of redirections.

    Click for larger view Click for larger view

    The user is then finally led to a survey site, which asks for the user’s mobile number.

    Read the rest of this entry »

    Posted in Spam | TrackBacks (2) »

    The recent rise of mobile computing is further signaling the need for users to have good reliable mobile browsers such as Opera Mini installed in their smartphones or in any mobile device. We believe that this is why cybercriminals are currently using Opera Mobile as a mobile malware disguise.

    We encountered a website that seems to have been designed to be viewed on a mobile device. The site, which is in Russian, looks like the Opera site. It immediately informs visitors that they need to upgrade their versions of Opera Mini.

    Read the rest of this entry »


    Hurricane Irene surely turned New York City into the “city that never sleeps,” as it brought floodwaters, knocked out power for more than 4 million people, and was even responsible for at least 15 deaths in six states.

    What’s worse is that cybercriminals are taking advantage of the incident by spamming a fake video on Facebook.

    The page, which contains the alarming title “VIDEO SHOCK – Hurricane Irene New York kills All,” displays a clickable image of a fake video player.

    The text displayed on the succeeding pages is written in Italian, which suggests that the attack specifically targets Italian users. Clicking the image of the video displays a prompt that says, “Per Vedere il video devi prima condividere,” which translates to “To see the video you must first share,” as well as two options that say “Share” and “See the video.”

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice