    Author Archive - Paul Oliveria (Technical Communications)

    Joining the growing list of Web site compromises is, the “officious” parody site of current U.S. White House administration, and all the colorful punditry that accompanies it.

    According to Trend Micro Advanced Threats Researcher David Sancho, has been compromised to harbor some malicious, obfuscated JavaScript code which “background downloads” code to unsuspecting visitors of the site, where a malicious file is downloaded (which is detected by Trend Micro as TROJ_DELF.GKP).

    Of course, the official White House Web site is, and although it has been reported that some people believe is the real deal, even those looking for this site specifically should be forewarned.

    This incident is yet additional proof that Web threats are no joke (pun intended).

    Additional information provided by Advanced Threats Researcher Paul Ferguson.


    Unsuspecting users who may wish to buy (or simply admire) the new Honda Accord are warned that may fall victim to a drive-by download, leading to the installation of an info-stealing malware. TrendLabs discovered today an attack on the official web site of Honda Cars in Thailand.

    According to Advanced Threats Researcher Jonell Baltazar, who discovered the compromise, the affected page, hxxp://, was injected with a malicious script tag (detected by Trend Micro as HTML_IFRAME.QJ), which loads a page within the cleverly named domain. This page contains a script that looks for vulnerabilities to download and execute a certain file on the victim’s system. The downloaded file (which is named crypt.exe and saved as c:winQZfio771.exe) is detected as TSPY_ZBOT.LA.

    This compromise was discovered due to a feedback technology on our customers’ products. This mechanism allows our systems to monitor and block potential malicious URLs. In this case, a client visit to the compromised site automatically registered the HTML_IFRAME.QJ detection, thereby protecting the user from further infection. Trend Micro Web Threat Protection has prevented access to the compromised site, protecting customers from possible infection.
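One defender-side check for the kind of injection described above (a script or iframe tag slipped into a legitimate page that loads content from an unrelated domain) is to walk the page's own markup and flag such tags. This is an added example, not Trend Micro's detection logic; the hostnames in the constructed sample page are placeholders.

```python
"""Flag injected <script>/<iframe> tags in an HTML page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectScanner(HTMLParser):
    """Collects script/iframe tags whose src points off-site or that are hidden."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script bodies are handled elsewhere
        host = urlparse(src).hostname  # None for relative URLs
        reasons = []
        if host and host.lower() != self.page_host:
            reasons.append("off-site src")
        style = (a.get("style") or "").replace(" ", "").lower()
        if tag == "iframe" and (
            a.get("width") == "0" or a.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style
        ):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan_html(html, page_host):
    """Return [(tag, src, [reasons])] for suspicious script/iframe tags."""
    p = InjectScanner(page_host)
    p.feed(html)
    return p.findings


# Constructed sample page: a legitimate same-site script plus an injected,
# zero-sized iframe pointing at an unrelated (made-up) domain.
SAMPLE = """<html><head>
<script src="http://www.example-cars.test/js/menu.js"></script>
</head><body><h1>New Accord</h1>
<iframe src="http://bad-example.test/in.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src, why in scan_html(SAMPLE, "www.example-cars.test"):
        print(f"{tag}: {src} ({', '.join(why)})")
```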

    Below is a screenshot of the compromised page within the Honda Cars site. Note that the malicious script also affects both the English and Thai landing pages (main.html) after a user accesses any one of them:

    Screenshot of affected Honda Cars page

    The downloaded TSPY_ZBOT.LA, in turn, accesses yet another domain, from which possibly more malicious files can be downloaded. As of this writing, our researchers found user names and passwords stored in this domain, suggesting that it is used either as a phishing page or as mere storage from which cyber criminals can easily retrieve stolen information.

    This is not the first time a Thai site has been compromised. In the past couple of months, we have reported similar incidents affecting the sites of the Royal Thai Air Force and Udiya Tours of Northern Thailand, among others.

    Note that this seems to be an isolated incident: as far as the Honda enterprise is concerned, only the Honda Cars Thailand site has been injected with the malicious script. As of this writing, Honda Cars Thailand has promptly taken its site offline in order to address the matter.

    Consolidated findings of the Advanced Threats Research, APAC RTL, and Web Threat Protection teams at TrendLabs

    Posted in Bad Sites, Malware | Comments Off on “Drive-by Download” Takes A More Literal Meaning

    Iron Man just made almost a hundred million dollars during its opening weekend in the US. Yes, summer movie season has just kicked in. You know, that time of the year (even if one’s not in the said country) when all the big blockbuster flicks are jockeying for the “box office hit” title. Almost every week there is a new highly anticipated film or sequel (or the now-overused term “threequel”) opening in theaters, much to the delight of moviegoers and, in some cases, cyber criminals as well.

    The use of movies as a social engineering bait by hackers is not new; in fact, it has sort of become a tradition that one has to expect every year. So while reading Entertainment Weekly’s “fearless” predictions for the season, we decided to come up with predictions of our own. Only this time we’re calling them “fearful” predictions, mainly because these are the types of predictions we hope would not come true.

    1. Spammers and phishers will lure potential victims with raffle entries for tickets or merchandise. In 2005, Revenge of the Sith became the bait of choice of a Yahoo! phishing attack. Last year, spammers sent a supposedly short survey related to The Simpsons Movie in an attempt to gather email addresses. It will not be surprising if a similar tactic pops up this year, just in time when the anticipation for movies like Sex and the City or the X-Files sequel reaches fever pitch. After all, in the gaming arena, it has already happened with the release of Grand Theft Auto IV.

    2. At least one malware will pose as an “exclusive” trailer, free movie passes for the premiere, or the “uncut version” of a movie. Unfortunately one has to download the “codec” or the “raffle entry form” first.

    3. The official site of one movie will get compromised. Or a high-traffic fan site or blog, for that matter. Users who would want more information about a particular flick (show times, reviews, etc.) will click on the compromised page, where a slew of malware will be downloaded onto the unknowing victim’s computer.

    Then again, with the ongoing trend of SEO poisoning and creating fake pages from scratch (which are laden with spammy links and keywords), users only need to Google a keyword in order to get infected. Speaking of SEO poisoning…

    4. “Heath Ledger” will be once again a good keyword for poisoned pages. As the buzz surrounding the actor’s portrayal of The Joker in the upcoming The Dark Knight grows louder — some already claim it’s his finest role yet worthy of a posthumous Oscar — whose interest won’t be piqued?

    Posted in Bad Sites | Comments Off on Those Lazy Hazy Crazy Days of Summer (Movies)

    Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business.

    Is it because of the “arrival” of Kraken, which, following the footsteps of MayDay and Mega-D, is challenging the said gang for the “Biggest Zombie Network” title? Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec.

    TrendLabs researchers discovered several sites that offer what looks like a YouTube look-alike streaming video. The infection vector and messaging are actually still the same, that is, users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download the so-called Storm Codec in order to view the said video. Yes, you read that right: the codec is called Storm Codec. Below is a screenshot:

    Storm Codec

    Is that blatant enough?

    Of course, the said “codec” is actually a NUWAR/Storm variant, which Trend Micro has already detected as WORM_NUWAR.JQ since April 2.

    If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it, after all (see some detailed analysis here). Thus, the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or that they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out late 2006. Or maybe the gang is just trying to reaffirm to their competition that they’re still the one to beat.

    In the end though, it’s still the unsuspecting users who become collateral damage of all this brouhaha. Users are thus advised to be wary when visiting Web sites or blogs, especially those that require installation or execution of files. Video files — especially those posted online — almost always do not require video codecs anymore, lest they lose the much coveted site traffic to other sites (YouTube, anyone?). Come to think of it, if someone really loves a person that much, he or she won’t have that person go all through the trouble of finding the appropriate codec, right?


    Two months ago, TrendLabs reported a massive DNS poisoning attack in Mexico. The said incident is believed to be one of the first (if not the first) “drive-by pharming” attacks seen in the wild. Now, we have received reports of a similar incident — and by “similar” we mean that quite literally.

    According to Trend Micro Engineer Juan Pablo Castro, just like the previous attempt, this new attack also takes advantage of a vulnerability in 2wire modems and arrives via spammed email messages. This time, though, the email messages are disguised to trick users into thinking that they have received an electronic postcard from, a popular eCard Web site.

    Once a user clicks on the link where the supposed postcard can be viewed, he or she is then directed to a spoofed Gusanito page:

    spoofed Gusanito page

    Unbeknownst to the user, the said page loads a couple of .SWF files (or Flash controls), including a malicious one that modifies the 2wire modem localhost table. The said routine effectively redirects users to a fraudulent site whenever they attempt to access pages related to — the same banking site targeted two months ago.

    Below is a screenshot of the code in the fake Gusanito page, calling the malicious Flash controls:

    malicious banner

    It seems that drive-by pharming has indeed “arrived” in the threat scene. One may wonder now who will be targeted next, given the stealth and sophistication of this threat. User awareness, product/application updates, and in-the-cloud protection are needed more than ever. For its part, Trend Micro detects the malicious .SWF file as SWF_ADHIJACK.D. All related malicious URLs have also been blocked by Trend Micro Web Threat Protection.
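The pharming routine above works by planting a name-to-address override for the bank's domain in the modem's local host table, so one way to audit a device for this is to export that table and check it against a watchlist of domains that a home gateway should never resolve on its own. This is an added example, not code from the post; it assumes the exported table is in ordinary hosts-file format, and the domains and addresses in the constructed sample are placeholders (203.0.113.0/24 is a documentation range).

```python
"""Flag pharming-style overrides in a hosts-style name table (added example)."""
import ipaddress

# Constructed watchlist: domains a home modem must never override
# (placeholder names, not the bank or eCard site from the post).
WATCHLIST = ("example-bank.test", "ecard-example.test")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file style text, skipping junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, ignore
        for name in parts[1:]:
            yield str(ip), name.lower().rstrip(".")


def is_watched(name):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def find_overrides(text):
    """Return (ip, hostname) entries that hijack a watched domain."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_watched(name)]


# Constructed sample export: a normal loopback entry, a local gateway name,
# and an injected override sending the bank's hostnames to an outside address.
SAMPLE_TABLE = """# constructed modem host table
127.0.0.1      localhost
192.168.1.254  home.gateway.test
203.0.113.45   www.example-bank.test example-bank.test
"""

if __name__ == "__main__":
    for ip, name in find_overrides(SAMPLE_TABLE):
        print(f"override: {name} -> {ip}")
```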



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice