    Author Archive - Paul Oliveria (Technical Communications)

    Many have watched the U.S. presidential debate last week, and while whether Barack Obama or Mitt Romney won the discussion is still up for debate among netizens, one thing is certain: the presidential campaign is on its last stretch towards the November 6th elections. One other thing that’s certain? Scammers exploiting this to the very end.

    Our researchers have been looking into the data gathered through the global sensors of our Smart Protection Network. Below is a snapshot of election-related keywords that got several hits to malicious sites:

    Keywords          # of Hits
    Obama                26,559
    Romney                4,519
    Elections               806
    2012 Elections          358

    Note that these hits cover only the past three months, and we expect them to increase as Election Day draws near. But what stood out for us is the number of hits for both candidates: apparently, when it comes to the number of failed attempts to access a malicious site, Obama gets the users’ vote. And cybercriminals agree: when we checked the number of unique domains blocked since January, there were 4 Obama-related domains for every 1 Romney-related domain.

    This shouldn’t come as a surprise, given that the incumbent President has had at least four years of pop-culture mindshare under his belt compared to Romney. Remember that as early as right after he won the 2008 elections and up to his inauguration, Obama was used in several social engineering baits. Going back to the three-month snapshot, it can be seen that Obama-related hits have seen their share of highs and lows, while the increase in Romney-related hits was consistent around the period when his candidacy was officially announced in August.

    But looking at the type of threats and who the eventual victims were, both candidates are pretty much neck and neck. While it is quite obvious that most victims are from the United States and Canada, interestingly, the other top countries include those in Asia and Europe.

    The majority of the hits are from disease vector URLs (i.e., those that eventually download malicious files onto computers or host phishing sites) and spam-related URLs, which is consistent with previous election-related threats.

    Several malware have also taken advantage of these two candidates, as we’ve seen file names that range from the curious (Drunken Obama.exe, which we detect as ADW_MARKETSCORE), to the somewhat serious (several PDF files like Romney V. Obama Tax Policies.pdf, which we heuristically detect as HEUR_PDFEXP.E). And apart from the malicious mobile apps we’ve seen several weeks ago, based on our feedback, we’ve also seen infections from a relatively old SOHANAD worm, as well as from other AUTORUN malware (those that usually spread via removable drives) with backdoor capabilities, including the following:

    So what do these tell us? This reinforces the fact that the bad guys have all the bases covered when it comes to exploiting popular events. Whoever wins come November 6th, end users will end up losing in one way or another if they’re not careful. So keep yourself informed. Get your news only from trusted sources, and make sure to have an Internet security solution installed on your devices.
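    The AUTORUN malware mentioned above spreads by dropping an autorun.inf at the root of a removable drive so that Windows launches the worm when the drive is inserted or opened. The following is an added example written for this page, not code from the original post or from Trend Micro: a small defensive check that parses an autorun.inf the way Windows reads it (section and key names are case-insensitive) and reports the entries a worm would need, such as open=, shellexecute= or a shell\<verb>\command hook. The two autorun.inf samples are constructed for the example and the "hidden\dropper.exe" target is a placeholder, not a real file name from the post.

```python
"""Added example (not from the original post): flag autorun.inf entries that
would launch a program from a removable drive. Intended for defensive use, e.g.
scanning the root of mounted removable media before the drive is opened."""
import configparser
import re

# Keys that make Windows AutoPlay launch a program directly.
AUTO_EXEC_KEYS = {"open", "shellexecute"}
# Keys of the form shell\<verb>\command add (often hidden) Explorer actions.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample: a legitimate autorun.inf only sets an icon and a label.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Backup Drive
"""

# Constructed sample resembling the worm pattern: launch a binary on insert,
# and hook the Explorer "Open" verb so a manual double-click runs it as well.
# "hidden\dropper.exe" is a placeholder path, not an indicator from the post.
SUSPICIOUS_AUTORUN = r"""[AutoRun]
open=hidden\dropper.exe
shellexecute=hidden\dropper.exe
shell\open\command=hidden\dropper.exe
shell=open
"""


def parse_autorun(text: str) -> dict:
    """Return {key: value} from the [autorun] section, keys lowercased.
    Windows ignores the case of the section and key names, so we do too.
    Files with no section header (or otherwise unparseable) yield {}."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":
            return dict(parser.items(section))
    return {}


def autorun_findings(text: str) -> list:
    """List human-readable reasons an autorun.inf looks like a worm dropper."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in AUTO_EXEC_KEYS:
            findings.append(f"launches a program on insert: {key}={value}")
        elif SHELL_COMMAND.match(key):
            findings.append(f"defines an Explorer context-menu action: {key}={value}")
        elif key == "shell" and value.strip():
            findings.append(f"overrides the default double-click action: shell={value}")
    # Worms usually bury the payload in a subdirectory (often hidden) rather than
    # leaving it at the drive root; flag any launch target containing a path.
    for key, value in entries.items():
        if (key in AUTO_EXEC_KEYS or SHELL_COMMAND.match(key)) and "\\" in value.split(",")[0]:
            findings.append(f"launch target is in a subdirectory: {value}")
    return findings


def is_suspicious(text: str) -> bool:
    """True when at least one finding was raised for the given autorun.inf text."""
    return bool(autorun_findings(text))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(f"{name}: {autorun_findings(sample)}")
```

In practice the function would be fed the contents of `<drive>:\autorun.inf` for each removable volume; an empty result for a drive that only sets icon and label keeps false positives down, while any open=, shellexecute= or shell\...\command entry is worth quarantining the drive before it is browsed.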

    Update as of October 11, 2012 7:30 AM PDT

    We’ve found a spam run using the election as social engineering bait as well. The email is supposedly from CNN and contains news stories about the election:

    However, instead of news articles, the links lead users to a variant of the ZeuS banking Trojan, delivered by the Blackhole exploit kit. We detect this variant as TSPY_ZBOT.NTW; in addition to blocking the malware we also block the malicious sites that were used by the Blackhole exploit kit in this incident.

    Posted in Bad Sites | Obama vs. Romney: Political (Online) Threats

    In January this year, Trend Micro chairman and co-founder Steve Chang was quoted as saying that Android-based devices are less secure than those running on iOS. While his comment caused quite a stir back then, today’s threat landscape seems to agree. Since Steve’s statement, our researchers saw a whopping 1410 percent increase in the number of Trojanized Android apps and actual malware targeting fans of the little green robot.

    Our researchers opine that we have yet to reach a tipping point where malware becomes the biggest security issue for Android-based device users. The fact that these malicious apps are out there to invade one’s privacy, to take control of a device, and to cost users money through unnecessary billing charges is something that should be taken seriously, though. Add to that the fact that these threats rely heavily on user interaction to get started. Like most information security threats, awareness is the first step toward prevention.

    So in—for lack of a better term—”commemoration” of the discovery of the first Android Trojan, below is an infographic that gives users a snapshot of Android threats—how much these have grown, how these work, and how users can protect themselves.


    For more information on keeping your Android-based mobile devices safe from threats, check out our e-book, “5 Simple Steps to Secure Your Android-Based Smartphones.”


    India is emerging as one of the growing unwitting participants in the global threat landscape. As a country, it consistently ends up in top 10 lists of bad actors, whether as a source of spam or malicious URLs or as the country with the most system infections.

    TrendLabs’ recent half-year report supports this, citing that “the country is second to the United States as top spam sender (and top source of botnet activity) and one of the top 20 victims of malicious URLs.” Major malware threats have hit the country as well. Two years after it first became a problem, DOWNAD/Conficker infections are still commonplace in the region. STUXNET was also a major problem in India with a significant number of infections present.

    Like other developing countries, India’s growth means it is becoming part of the global cybercriminal economy. In 2008, it was reported that India hosted the majority of CAPTCHA-breaking contact centers, among others.

    India’s top-level domain (TLD) .IN is also being heavily abused by cybercriminals. While the domain registrars offering .IN domains are quick to act when malicious domains are reported, abuse of the TLD is still a significant problem.

    There are several environmental reasons why India is becoming a significant segment in the world of cybercrime. These include:

    1. Language: English may not be the official language in India but it is considered important for most types of “official” national, political, and commercial communications. The current Internet users in India are also said to prefer consuming their online content in English. Since a large chunk of threats such as spam (now at 83 percent as of Q3) are in English, they are more likely to succumb to these threats than their non-English-speaking Asian neighbors.
    2. IT infrastructure: There are approximately 160 ISPs in India, but the top 6 account for almost 90 percent of all users. The varying levels of security that these ISPs are willing to provide their customers may very well be the main reason a certain set of users is affected by one threat yet protected from another. Another reason the Indian IT environment suffers so severely from security issues is piracy. As of 2009, almost two-thirds of all the software in the country was pirated. Pirated software has a twofold effect on security. First, cybercriminals frequently use pirated software as bait in their attacks. Second, users of pirated software frequently do not update their applications, leaving themselves open to vulnerability exploits. It’s not surprising, then, that India continues to be plagued by DOWNAD/Conficker: many systems have not yet been patched to close the security hole it exploits.
    3. User behavior: User studies of Indian Internet users indicate that the majority are young men. These users go online primarily to look for jobs and, more recently, to visit business and finance websites. These activities can easily be leveraged in social engineering attacks. How Indian users access the Internet is also relevant. Many users do so from Internet cafes and not by using their own systems. The burden of system maintenance is thus passed on to business owners who may not have the knowledge nor resources to perform this task. Other user behaviors that increase risks are:
      • 80 percent of users have clicked banner ads at least once. This makes malvertisements a more enticing ploy for cybercriminals.
      • Facebook has surpassed Orkut as the top social media network in India. This means that users are now more exposed to social media threats such as KOOBFACE.
      • 72 percent are willing to exchange personal information in return for “something of value.” This means that social engineering ploys may well be more successful, since this is the very tactic such ploys rely on. Given that personal use of office Internet connections is also commonplace, confidential information from organizations is also put at risk.

    Taken together, all this information indicates that India is emerging not just economically but in the world of cybercrime as well. Several unique aspects of the region also differentiate the threats in it from other regions.


    Our researchers at TrendLabs have discovered a new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal. We have also received reports that the said link is circulating in instant messaging applications and private messages in social networking Web sites, too.

    Once the link is clicked, the Web threat infection chain begins and ultimately leads to the download of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX. This Trojan is a rogue antivirus that displays very convincing (and for some, alarming) messages, such as the following:

    Note that since users are only using the “trial version,” TROJ_FAKEAV.CX even convinces users to get the full version so that they are always supposedly protected:

    TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users — for example, they modify the system’s wallpaper and screensaver settings to display BSOD (Blue Screen of Death/Doom). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it.

    Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months (the Anjelina spam being one of the more recent examples).

    Perhaps it’s because this is also the time of year when the legitimate security suites release their latest software updates, and cybercriminals are riding on this season to ramp up their profits. Bad news for the infected users, though, as their latest versions of “antivirus software” are actually adding more threats to their systems.

    Trend Micro is still investigating this spam run. Updates will be posted when more information becomes available.


    Rumors about the Internet as we know it dying by 2012 have been circulating for some time now, so it’s not really that surprising when the TrendLabs Content Security team was alerted that a Trojan is taking advantage of this conspiracy theory in order to trick users into running it.

    Then again, spammed emails with sensational headlines do make even the most cautious computer users take a peek (the latest NUWAR/Storm run being a prime example). What more when the said headlines tell them that the Internet, which has practically been an extra limb for them since the last century, will suddenly be up for…TV-like subscriptions?

    The malware involved in this spam run is detected by Trend Micro as TROJ_PIDIEF.JT, a Trojan that arrives as a PDF file named DOC.PDF. This file promises more information regarding the alleged Internet death, and based on the email subjects and details it arrives with (see sample messages below), it’s not easy NOT to double-click on it:

    PIDIEF Trojans are known malware droppers or downloaders, so once users click on the attached PDF file — and whether or not they believe the theory — another malware is already up and running on their systems and doing malicious routines. The death of the Internet is going to be the least of their problems after that…

    Trend Micro already blocks this spam with its Smart Protection Network. Other users, as always, are advised to keep their systems and applications up to date with the latest security patches and to be wary when opening suspicious email, no matter how interesting they appear to be.


