TrendLabs Security Intelligence Blog

    Author Archive - Maria Manly (Anti-spam Research Engineer)

    DOWNAD, also known as Conficker, remains one of the top three malware families affecting enterprises and small and medium businesses. This is largely because many companies still run Windows XP, which remains susceptible to this threat.

    It can spread across an entire network via malicious URLs, spam email, and removable drives, and it exploits the MS08-067 Server service vulnerability to execute arbitrary code on unpatched hosts. In addition, DOWNAD has its own domain generation algorithm (DGA) that produces a changing set of pseudo-random domain names; it then connects to these domains to download further files onto the system.
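    The following Python sketch is an added illustration of how a date-seeded DGA works; it is not DOWNAD's actual algorithm (which is not reproduced on this page), and the seed derivation, the TLD list, the 250-domain daily count and the salt are all assumptions. The point it demonstrates is that both sides can compute the same list: the bot needs only the current date to find that day's rendezvous domains, and a defender who has recovered the algorithm can precompute the same domains ahead of time for blocking or sinkholing, which is exactly what makes DGA domains worth modelling rather than blocklisting one by one.

```python
import datetime, hashlib, random

TLDS = ("com", "net", "org", "info", "biz")   # assumed TLD set
DOMAINS_PER_DAY = 250                          # assumed daily domain count
SALT = b"example-dga"                          # assumed constant baked into the bot


def daily_seed(day_iso: str) -> int:
    """Derive a deterministic seed from the calendar date (YYYY-MM-DD)."""
    digest = hashlib.sha256(day_iso.encode() + SALT).digest()
    return int.from_bytes(digest[:8], "big")


def generate_domains(day_iso: str, count: int = DOMAINS_PER_DAY) -> list:
    """Domains the bot would try on the given day; identical on every infected host."""
    rng = random.Random(daily_seed(day_iso))
    domains = []
    for _ in range(count):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(8, 11)))
        domains.append(f"{label}.{rng.choice(TLDS)}")
    return domains


def precompute_blocklist(start_iso: str, days: int) -> set:
    """Defender side: every domain the DGA will use from start_iso for `days` days."""
    start = datetime.date.fromisoformat(start_iso)
    block = set()
    for offset in range(days):
        day = (start + datetime.timedelta(days=offset)).isoformat()
        block.update(generate_domains(day))
    return block


def is_dga_domain(domain: str, day_iso: str) -> bool:
    """True if `domain` is in that day's generated set (e.g. when matching DNS logs)."""
    return domain.lower() in set(generate_domains(day_iso))


if __name__ == "__main__":
    sample_day = "2014-07-01"   # constructed date
    print(generate_domains(sample_day)[:5])
    print(len(precompute_blocklist(sample_day, 7)), "domains to block or sinkhole this week")
```

    Because the generator is seeded only from the date, `precompute_blocklist` can be run days in advance; in practice the recovered algorithm is also used to register or sinkhole the upcoming domains so infected hosts report to researchers instead of the operator.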

    During our monitoring of the spam landscape, we observed that in Q2 more than 40% of malware-related spam mails were delivered by machines infected with the DOWNAD worm. Spam campaigns delivering FAREIT, MYTOB, and LOVGATE payloads in email attachments are attributed to DOWNAD-infected machines. FAREIT is a family of information stealers that download ZBOT; MYTOB, on the other hand, is an old family of worms known for sending copies of itself as spam attachments.


    Table 1. Spam sending malware

    Based on this data, the CUTWAIL (Pushdo) botnet and Gameover ZeuS (GoZ) are the other top sources of malware-bearing spam. Interestingly, CUTWAIL was previously used to download GoZ malware; now, however, it is UPATRE that downloads GoZ and other ZBOT variants with peer-to-peer functionality.

    In the last few weeks we have reported various spam runs that abused Dropbox links to host malware such as NECURS and UPATRE. We also spotted a spammed message disguised as a voice mail that carried a CryptoLocker variant. The latest we have seen is a spam campaign whose links leveraged CUBBY, another file storage service, this time carrying a banking Trojan detected as TSPY_BANKER.WSTA. Cybercriminals and threat actors are most likely abusing file storage platforms to mask their malicious activity and evade detection on the endpoint and the network.

    As spam with malicious attachments continues to proliferate, so does spam with links to malicious files. The continued abuse of file hosting services to spread malware appears to have become a favored infection vector for cybercriminals, most likely because the URLs point at a legitimate, reputable domain and are therefore more likely to pass reputation-based antispam filters.

    Although the majority of the above campaigns are delivered by the popular GoZ, it is important to note that around 175 IPs were found to be related to the DOWNAD worm. These IPs use various ports and are reached through the randomly generated domains produced by DOWNAD's DGA. A number of machines are still infected with this threat and are being leveraged to send the spammed messages, further increasing the number of infected systems. And with Microsoft having ended support for Windows XP this year, we can expect systems running this OS to remain exposed to threats like DOWNAD.

    Trend Micro protects users from this threat via its Smart Protection Network, which detects the malicious files and spam emails and blocks all related IPs. Users are also advised to upgrade their Windows OS and to be cautious in opening email messages, even when the source seems legitimate.

    With additional insights from Maydalene Salvador

    Posted in Malware, Spam

    Last April, we reported a KULUOZ spam campaign that used the South Korean ferry sinking tragedy as its lure, one that came hot on the heels of the actual event.

    KULUOZ, as we discussed in that blog entry, is malware distributed by the Asprox botnet. It can download certain strains of FAKEAV and ZACCESS malware onto the affected system and, by installing certain components, can also turn that system into part of the Asprox botnet itself. The result is a system that is not only infected with malware but also becomes a spam distributor. We first discovered the spam campaign itself around the tail end of March.

    Now it appears that the spam campaign is still going strong, with the cybercriminals behind the attack leveraging headlines from major news outlets. Some of these headlines include:

    • ‘Misunderstood son’ returns
    • ‘Vampire’ burial keeps myth alive
    • ,000 to spare? Take a road trip
    • Asia stocks mixed after ECB action
    • Centenarians ‘are outliving disease’
    • Company seeks more approval for clot blocker
    • Dozens killed by Baghdad bombings
    • Driving ex-soldiers back to work
    • E3: Video games ready for action
    • EU diplomatic dance around Juncker
    • Father’s plea over baby feed death
    • Football: Ribery ruled out for France
    • GOP chairman: Chris Christie should remain at RGA
    • Hollywood pays tribute to Jane Fonda
    • Horse racing: Australia’s day in Derby
    • Inside a political storm
    • Knife attack at South China Station
    • Links to UK political websites
    • Living with bound feet
    • Many missing as South Korea Ferry sinks
    • Meteors streak through night sky
    • Npower to change bill-chasing method
    • Poland’s mini desert
    • Police quiz kids over online abuse
    • Political editors across England
    • Q&A: Why is slurry so dangerous?
    • Russian proton rocket fails
    • S. Africa’s Zuma admitted to hospital
    • Saved by an illegal, homemade radio
    • Sen. Ted Cruz sidesteps question about 2016 plans
    • Sheeran clinches number one spot
    • Smashed Hits: Another Star
    • SpaceX unveils new spacecraft to take astronauts to space station, back to Earth
    • Spacey denies Bond baddie rumours
    • Sudan woman clings to Christian faith despite death sentence, husband says
    • Teenage star of cancer diagnosis
    • Thai coup prompts warnings to tourists
    • Turning highways into power plants?
    • U.N.: Chemicals damaging health and environment
    • U.S. ‘hypocrisy’ in cybertheft charge
    • U.S. : Jihadi featured in suicide bombing video in Syria grew up in Florida
    • UK ‘second best education in Europe’
    • Ukraine President
    • VIDEO: Climate change to cause flash floods
    • VIDEO: House of Commons
    • VIDEO: The 2014 World Cup in numbers
    • Vodafone reveals direct wiretaps
    • Watch lightning strike moving car
    • What do young Harvard graduates believe?

    How they leverage the headlines is relatively simple and typical of a spam attack: they copy the headline and part of the article from the news website into the mail itself, both to make the message look legitimate to the user and to bypass spam filters. The spammers appear to have used CNN and BBC News as the sources of the news snippets incorporated into their spam runs.

    Figure 1. KULUOZ spam sample with “Knife attack at South China (Guangzhou) Station”

    Analyzing the samples we found from these campaigns (specifically the one carrying the Thai coup news item), we found that the spam email itself retains the earlier shipping-notification template, including those impersonating FedEx and the United States Postal Service.

    Figure 2. KULUOZ spam sample with “Thai Coup news item”

    As in previous spam runs, it notifies the reader that a parcel has been received at the local post office and that they need to print out a shipping label in order to collect it.

    The mail then presents a link where the user can supposedly print out the shipping label. As it turns out, the link is malicious and leads to the download of malware that we detect as BKDR_KULUOZ.ED.


    Figure 3. The file “” is downloaded and detected as BKDR_KULUOZ.ED

    While this may seem like a typical spam run that borrows news headlines to bypass spam filters (and to trick users into reading the messages), it is worth noting that the malware being delivered can fully compromise an unprotected system should it be allowed to take root.

    The continued use of news headlines is also something to bear in mind: it is proof that as long as there is news to talk about, there will be threats that take advantage of it. No doubt we will see this spam campaign continue as time goes on; readers can be sure that we will post updates on the Security Intelligence blog as necessary.

    Trend Micro customers are protected from this threat and the malicious files involved.

    Posted in Bad Sites, Malware, Spam

    Threats like UPATRE are continuously evolving, as seen in the development of the techniques they use to bypass security solutions. UPATRE variants are known downloaders of information stealers like ZeuS and typically spread as email attachments. We recently spotted several spam runs that use the popular file hosting service Dropbox; these use embedded links that lead to the download of UPATRE variants. What is noteworthy about these spam attacks is that this is the first instance we have seen of TROJ_UPATRE being deployed via a URL in an email message rather than as an attachment.

    In one of the spam samples we saw, the message poses as an eFax notification with a Dropbox link in the message body. Once unsuspecting users click the link, they are redirected to a Dropbox URL that leads to the download of a malicious file detected as TROJ_UPATRE.YYMV. When executed, it downloads a ZBOT variant, detected as TSPY_ZBOT.YYMV, which in turn drops a rootkit detected as RTKT_NECURS.MJYE. NECURS variants are known to disable security solutions on infected systems, opening the door to further infection.
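    Both lures described on this page carry a URL rather than an attachment: the KULUOZ "print your shipping label" link dressed up as a FedEx or USPS notification, and the UPATRE Dropbox link dressed up as an eFax or bank statement. The Python below is an added example of the link-level checks a mail gateway can apply to such messages; it is not Trend Micro's code. It flags (1) a mail that names a brand but links outside that brand's domain, (2) a link on a file-hosting service whose file name or `dl=1` query forces a direct download of an executable or archive, and (3) anchor text that displays one host while the href points at another. The brand-to-domain map, the list of hosting domains, the `dl=1` convention and the three sample mails are constructed for the example.

```python
import email, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed brand -> legitimate domain suffixes and abused file hosts (illustrative only).
BRAND_DOMAINS = {"fedex": ("fedex.com",), "usps": ("usps.com",), "efax": ("efax.com",)}
FILE_HOSTS = ("dropbox.com", "dropboxusercontent.com", "cubby.com")
RISKY_EXT = re.compile(r"\.(exe|scr|com|pif|bat|js|zip|rar|7z)$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, suffixes):
    """True if host is one of the suffix domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def extract_links(msg):
    """Return (href, anchor_text) pairs from every HTML part of the message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            links += collector.links
    return links


def triage(raw_mail: bytes) -> list:
    """Return (check, detail, url) findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    text = " ".join([msg["Subject"] or "", msg["From"] or ""] + [
        p.get_content() for p in msg.walk() if p.get_content_type().startswith("text/")]).lower()
    mentioned = [b for b in BRAND_DOMAINS if b in text]
    findings = []
    for href, anchor in extract_links(msg):
        url = urlparse(href)
        host = (url.hostname or "").lower()
        # (1) the mail names a brand but this link leaves the brand's domain
        for brand in mentioned:
            if not host_matches(host, BRAND_DOMAINS[brand]):
                findings.append(("brand_link_mismatch", brand, href))
        # (2) forced/direct download of an executable or archive from a file host
        if host_matches(host, FILE_HOSTS):
            forced = parse_qs(url.query).get("dl", ["0"])[0] == "1"
            if forced or RISKY_EXT.search(url.path):
                findings.append(("filehost_direct_download", host, href))
        # (3) anchor text displays a URL whose host differs from the real href
        if anchor.startswith("http"):
            shown = (urlparse(anchor).hostname or "").lower()
            if shown and shown != host:
                findings.append(("anchor_href_mismatch", shown, href))
    return findings


# Constructed samples: a KULUOZ-style shipping lure, an UPATRE-style eFax/Dropbox
# lure, and a benign FedEx notification whose link stays on fedex.com.
KULUOZ_LURE = b"""From: "FedEx" <tracking@example.invalid>
To: victim@example.com
Subject: FedEx: parcel waiting at your local post office
Content-Type: text/html

<p>Your parcel could not be delivered. Print the shipping label below and
collect the parcel at your local post office.</p>
<a href="http://label-printer.example.invalid/get.php?id=4411">Print shipping label</a>
"""
UPATRE_LURE = b"""From: eFax <message@efax-notice.example.invalid>
To: victim@example.com
Subject: eFax: you have received a new fax
Content-Type: text/html

<p>A fax is waiting for you. View it at
<a href="https://www.dropbox.com/s/abc123def/efax_message_1420.zip?dl=1">https://www.efax.com/myaccount/messages</a></p>
"""
LEGIT_FEDEX = b"""From: FedEx <tracking@fedex.com>
To: victim@example.com
Subject: FedEx shipment 123456789012 is on its way
Content-Type: text/html

<p>Your shipment is in transit.
<a href="https://www.fedex.com/apps/fedextrack/?tracknumbers=123456789012">Track your package</a></p>
"""
```

    Running `triage(KULUOZ_LURE)` yields a single brand/link mismatch, `triage(UPATRE_LURE)` trips all three checks, and the genuine FedEx notification produces no findings. Check (2) is the one that matters for the Dropbox runs: domain reputation alone cannot catch them, because the domain really is legitimate, so the gateway has to look at what the link fetches rather than where it is hosted.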


    Figure 1. Sample of these spam emails


    Figure 2. Legitimate copy of email message from eFax

    The other spam sample we saw pretended to be an email from NatWest Bank containing a Dropbox link to a supposed NatWest Financial Activity Statement, which is actually TROJ_UPATRE malware. It follows the same UPATRE, ZBOT, NECURS infection chain. Based on our investigation, this spam run also uses the names of legitimate companies such as Lloyds Bank, eFax, Intuit, ADP, BBB, and Skype, among others. We also came across spammed messages with embedded Dropbox links that redirect to Canadian pharmacy websites.

    We have been monitoring this spam campaign since it started last May 23; volumes began to increase a week later. Dropbox has been informed of this incident as of posting, and we have also submitted the current list of affected accounts that appear to be hosting malware on Dropbox.

    Last April, we reported tax-themed spammed messages that followed the same UPATRE, ZBOT, and NECURS infection chain. Based on our data, UPATRE remains the top malware distributed via spam from January to May 2014.


    Figure 2. Top five malware families distributed via spam mail, January to May 2014

    Cybercriminals often go with whatever is hot and popular for their social engineering lures. In this case, the bad guys abused legitimate Dropbox links to trick users into downloading various malware, which can lead to system infection and information theft.

    Trend Micro protects users from this threat by detecting all spam-related samples and malicious files.

    Special mention to Maydalene Salvador for finding these new spam samples, and to Mark Manahan for analyzing the malware.

    Update as of 12:15 AM, June 13, 2014

    A few days after we discovered the UPATRE malware abusing Dropbox links, we found another spam mail that downloads a malicious file from Dropbox.


    Figure 3. Sample of the spam mail leading to the CryptoLocker variant Cryptowall

    Here, the spam mail is disguised as a voice mail and the final payload is Cryptowall, a CryptoLocker variant detected as TROJ_CRYPWALL.D. TROJ_CRYPWALL.D directly opens a Tor website that asks for payment, whereas earlier CryptoLocker variants had their own GUI for payment. Trend Micro protects users from this threat by detecting all spam-related samples and malicious files.

    With analysis from Maydalene Salvador and Rhena Inocencio

    Posted in Malware, Spam

    A few days ago, America Online, or AOL, confirmed that its mail service, AOL Mail, had been hacked, with email addresses (allegedly only 1% of its entire customer base) either compromised or spoofed to send spam with links leading to phishing pages. We combed the Internet for samples of the phishing spam being sent, and they turned up readily in our searches.

    Figure 1. AOL Mail spam sample

    Figure 2. Second AOL Mail spam sample

    The spammed messages themselves are simple and to the point: just a sentence or two, written to seem like a casual, quickly written email from one of the recipient's contacts. The link is presented right after the bait text, typed out in full. When clicked, the links lead to fake pages posing as online health magazines and cooking recipe websites, which in turn lead to a landing/phishing page. The phishing page masquerades as a sign-up form that asks for the user's personal information: phone number, email address, and so on.

    Figure 3. Final landing and phishing page

    Using data gathered from the Trend Micro Smart Protection Network, we saw that 94.5% of the users who visited the final landing page came from the United States. Other top countries affected include Japan, Canada, France, and the United Kingdom. Analysis also shows that these phishing pages are hosted in different countries, including Russia, the United States, Hong Kong, and Germany.

    While this may seem a relatively minor incident as hacking attacks go, with the compromised mailboxes used only to send spam leading to phishing websites rather than something more obviously damaging, such as sending malicious files or mining the mailboxes themselves for personal information, the fact that the culprits could easily have done so is enough to make this a serious security incident. There is also the fact that even if only 1% of AOL Mail's 24 million users were indeed compromised, that is still 240,000 email accounts under the control of cybercriminals, to do with as they please.

    A day after the attack was revealed, AOL made a further announcement: it had changed its DMARC policy to combat the spoofed spam. Under the new "reject" policy, DMARC-compliant mailbox providers will reject mail bearing an AOL From: address unless it was sent from an AOL server, which covers the bulk spoofed mail.

    While this does alleviate the spoofed-mail problem somewhat, it also affects legitimate bulk mail that was previously sent on AOL users' behalf from non-AOL servers (such mail now fails the policy as well), and it does not really address the compromised accounts. For those, AOL has pointed victims to its Mail Security page, which explains how to secure a hacked account and how to recognize scam and spam emails.

    We once again remind users to always be vigilant with their mail, whichever email service they use. Always think before you click a link you were sent; verify first before doing anything.

    Trend Micro security offerings already detect and block all the spammed mails and phishing URLs related to this attack.

    With additional analysis from Gideon Hernandez, Paul Pajares, and Ruby Santos.

    Posted in Bad Sites, Spam

    Spammers are constantly trying new ways to bypass filters and deliver spam. One of the more typical methods is word salad spam, in which spammed messages are padded with random words. We recently noticed a spike in salad spam circulating in the wild. Aside from the sudden increase, what is interesting about this particular spam run is that it uses exact sentences copied from Wikipedia articles.

    For example, in the spammed message below, the first sentence is “Knipe taught his Hawkeye team 75 new plays in one week.” That sentence comes from the Wikipedia article about the American football player and coach Alden Knipe. The second sentence, “As a result, wine consumption in Australia has greatly increased as of 2006,” comes from the article about cleanskin wine. The last sentence, referring to the House of Blues and the Theatre of the Living Arts, comes from the article about the Verizon VIP Tour.

    Figure 1. Sample spammed message

    This seemingly normal content may be enough on its own to get the message delivered. However, the spammers took it one step further by forging the From header field, making it appear that the email was sent from the recipient's own email account. This adds a layer of apparent legitimacy to the spammed messages.
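    Two passages on this page meet at the same control: the Kelihos run above forges the From: header to equal the recipient, and the AOL post earlier describes AOL moving its DMARC policy to "reject" so that mail claiming an AOL From: address is refused unless it comes from AOL's servers. The Python below is an added example, not Trend Micro's or AOL's code, of the receiver-side decision DMARC defines (RFC 7489): parse the published policy, check whether the SPF or DKIM authenticated domain aligns with the From: domain, and apply the policy's disposition; it also flags the From-equals-recipient pattern, which DMARC alone does not single out. The DMARC records, the Authentication-Results header values (RFC 7601 format) and the three sample messages are constructed; the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup real implementations use.

```python
import email, re
from email import policy
from email.utils import parseaddr

# Constructed records standing in for DNS TXT lookups of _dmarc.<domain>.
DMARC_RECORDS = {
    "aol.com": "v=DMARC1; p=reject; pct=100",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    for key, default in (("p", "none"), ("adkim", "r"), ("aspf", "r")):
        tags.setdefault(key, default)
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs equality, relaxed ('r') same org domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def auth_results(msg) -> dict:
    """Pull SPF/DKIM verdicts from Authentication-Results (RFC 7601) headers."""
    res = {"spf": None, "dkim": []}
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"spf=(\w+)[^;]*smtp\.mailfrom=([\w.@-]+)", hdr)
        if m:
            res["spf"] = (m.group(1).lower(), m.group(2).split("@")[-1])
        for m in re.finditer(r"dkim=(\w+)[^;]*header\.d=([\w.-]+)", hdr):
            res["dkim"].append((m.group(1).lower(), m.group(2)))
    return res


def evaluate(raw_mail: bytes, records=DMARC_RECORDS) -> dict:
    """Apply the From: domain's DMARC policy and flag From == recipient spoofing."""
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    from_addr = parseaddr(msg["From"] or "")[1].lower()
    from_domain = from_addr.split("@")[-1]
    recipients = {parseaddr(a)[1].lower() for a in msg.get_all("To", [])}
    result = {"from_domain": from_domain, "self_spoof": from_addr in recipients,
              "dmarc_pass": False, "disposition": "none"}
    record = records.get(from_domain) or records.get(org_domain(from_domain))
    if not record:
        return result          # no policy published: nothing to enforce
    tags, auth = parse_dmarc(record), auth_results(msg)
    spf_ok = (auth["spf"] is not None and auth["spf"][0] == "pass"
              and aligned(from_domain, auth["spf"][1], tags["aspf"]))
    dkim_ok = any(v == "pass" and aligned(from_domain, d, tags["adkim"]) for v, d in auth["dkim"])
    result["dmarc_pass"] = spf_ok or dkim_ok
    result["disposition"] = "none" if result["dmarc_pass"] else tags["p"]
    return result


# Constructed samples. The first reuses the Wikipedia sentence quoted in the post and
# forges From: to equal the recipient, as in the Kelihos run.
SELF_SPOOF = b"""From: victim@aol.com
To: victim@aol.com
Subject: hello
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bounce@sender.example.invalid; dkim=none

Knipe taught his Hawkeye team 75 new plays in one week.
"""
GENUINE_AOL = b"""From: victim@aol.com
To: friend@example.com
Subject: lunch?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=victim@aol.com; dkim=pass header.d=aol.com

See you at noon.
"""
# A legitimate message from an AOL user relayed by a third-party mailing list:
# authenticated, but under the list's domain, so p=reject refuses it as well.
LIST_RELAY = b"""From: member@aol.com
To: discuss@lists.example.org
Subject: [discuss] agenda
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounces@lists.example.org; dkim=pass header.d=lists.example.org

Agenda attached below.
"""
```

    `evaluate(SELF_SPOOF)` reports `self_spoof` and a `reject` disposition, since neither SPF nor DKIM authenticated anything aligned with aol.com; `evaluate(GENUINE_AOL)` passes. The third sample is the caveat the AOL post raises: the list relay is fully authenticated, but under the list's own domain, so relaxed alignment still fails and a `p=reject` publisher breaks that legitimate mail along with the spoofed spam. A receiver that wants to catch the Kelihos pattern for domains that publish no policy at all has to fall back on the `self_spoof` flag plus the SPF result, which is why the function returns both rather than only the disposition.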

    Further analysis of the email samples shows that this spam run is distributed by computers infected by the Kelihos botnet, which is known for spamming and Bitcoin theft. Our data indicates that these messages were sent from a variety of countries, including Argentina (18%), Spain (17%), Germany (11%), Italy (11%), and the United States (10%).

    Even though the Wikipedia salad spam may not be malicious (it is best described as a nuisance), the technique shows that the bad guys are still refining known spamming methods. While there was no malicious payload in this particular spam run, the same cannot be said of future ones. Users are advised to be cautious when opening emails; a good rule of thumb is to delete emails from unknown senders immediately.

    Trend Micro protects users from these threats.

    Posted in Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice