Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Zero-Day Alerts

  • Hacking Team Leak

  • Recent Posts

  • Calendar

    July 2015
    S M T W T F S
    « Jun    
  • Email Subscription

  • About Us

    Author Archive - Trend Micro

    5:12 am (UTC-7)   |    by

    TrendLabs experts are regularly asked what—in their opinion—are the most dangerous malware of all time. While the question begs more questions, TrendLabs experts give out recurring answers based on high-level assessments of malware effectiveness in endangering users’ online experiences relative to the technologies available during the time the malware reached peak prevalence. As MSBLAST celebrates its sixth year anniversary of plaguing the Internet, we’ve highlighted the worst we’ve seen so far, along with the runners-up, of which MSBLAST is one.

    1. DOWNAD: Multiple Propagation, Multiple Damage – Found in November 2008, this massive threat took advantage of the MS08-067 vulnerability. It spawned several other variants, each new variant an improvement over the last. It impacted LAN traffic in several corporate networks.
      The attack was also notable for generating up to 50,000 domains and connecting to 500 of these, strategically evading efficient domain takedown (or even monitoring potentially malicious sites) and taking advantage of low-cost domain name registration.
    2. KOOBFACE: The Scourge on Social Networks – Initially found in August 2008, KOOBFACE leveraged on the connectivity serviced by social networking sites like Facebook and MySpace. It infects user profiles so that cybercriminals are able to break into users’ circle of trust, increasing chances of propagation (infected user’s contacts assume posted links are harmless because they trust the profile owner)
      KOOBFACE possesses a dynamic update capability, allowing it to spread to other social networking sites and perform more malicious routines
    3. ZBOT: Organized Information Theft – Also known as variants of Zeus malware, ZBOT Trojan spyware are usually delivered via the Web either by email or Web exploits. Underground research and documented cases reveal it is a thriving business where infected computers give up their owners’ personal information (credit card info) to remote servers / cybercriminals.
      ZBOT variants are especially damaging due to their ever-changing social engineering techniques that are often understated (not sensational)
    4. SQL Slammer: Single-Handed Internet Sabotage – This attack is notorious for drastically slowing down general Internet traffic in the early morning of January 25, 2003 (UTC). Noteworthy is the fact that this was achieved despite it being a solitary packet worm in memory, attacking without a file system component, and exploiting an already patched buffer overflow bug in MS SQL Server and Desktop Engine (MS02-039).
      However, what is more notable is that trickling effects of this threat are still being seen in present-day Internet.
    5. VBS_LOVELETTER: Internet Love Bug – This attack with a remarkably simple yet effective social engineering (the string “ILOVEYOU” in the subject heading) that triggered curiosity of recipients first plagued email inboxes in May 4, 2000. It infected 10% of computers worldwide, with each harboring an average of 600 infected files.

    Here are other notable attacks that though not as severely as the ones listed above, affected users from around the globe with their remarkable routines:

    • Melissa Virus – The first mass-mailer (started in March 1999); shut down entire Internet mail systems clogged with infected emails
    • MSBLAST – One of the more memorable network worms to take advantage of system vulnerabilities. It was first triggered around this time in the year 2003.
    • SDBOT/AGOBOT – Pioneered modular IRC-based botnets; current IRC bots still use the same codebase; still alive today
    • Web Toolkits – Collective term for commercial-grade software that aid cybercriminal activity; allegedly responsible for high-profile web compromises like the “Italian Job”
    • ILOMO – Trojans arriving via Web-based exploits that stay active in memory even after the binary has been deleted from the system resulting to multiple, recurring reinfections (first appeared March 2009)

    Each of the top threats were the most dangerous during their time and within their respective fields. Notably, all of them are attacks that gained momentum via the Internet.

    The most dangerous is still likely the newest one to come out of the malware underground markets. In the majority there can only be better versions of already detected variants so users should be most involved in keeping their personal information safe from theft. Companies likewise should safeguard company information and assets with the same vigilance as a country at war.

    These days the most likely way threats come in is the Internet. Thus we consider that the most obvious and effective way to stop them is to control/proof the URL being recalled by the browser or applications. For your safety we hope you already had switched on the Web Reputation Service in your Trend Micro product. In case you are still uncertain you may test it for free by using TrendProtect Toolbar with your Internet Explorer browser or install try our Web Protection Add-On which may work along with your existing security solution.


    8:28 pm (UTC-7)   |    by

    TrendLabs researchers have recently published their research on two of the most prevalent botnets in the threat landscape to date:

    Infiltrating WALEDAC Botnet’s Covert Operations

    waladec_spamSpam is not a mere inbox annoyance anymore but is the first step toward executing more dangerous kinds of system infiltration. Malware are no longer discrete executables but a motley group of related components and files that work together to surreptitiously get inside systems. The technologies malware crime fighters are using are—in some cases—being used against us. The people behind these cybercrimes are no longer fame-seeking script kiddies, they are now professional criminals who have created robust cybercrime businesses.

    This paper provides a comprehensive view of the WALEDAC botnet—its activities, methodology, involved technologies, purpose, and business model—in order to paint a picture of the complex and intricate nature of the threats that we see today.

    Pushdo / Cutwail Botnet

    pushdo_spamThe Pushdo botnet has been with us since January 2007, and while it does not grab as many headlines as its attention-seeking peers such as Storm or Conficker, it is the second largest spam botnet on the planet – sending approximately 7.7 Billion emails per day, making it single-handedly responsible for about 1 out of every 25 emails sent.

    There are several reasons for Pushdo’s lack of notoriety – the authors have actively used several techniques to help keep its activity “under the radar.” Not only is Pushdo responsible for a huge amount of spam activity, it also is one of the primary conduits for other criminal gangs to spread their malware creations.

    The two abovementioned papers, as well as other previously released white papers can be downloaded from this page.


    All around the world, April 1st has already passed. The DOWNAD/Conficker April 1st hype has kept most, if not all, of us in the security industry and in the Conficker Working Group busy in the past few weeks. The day may have ended quietly, but follow-up question still linger as a new day begins:

    Q: Did anything happen?
    A: There has been no significant developments or updates in the DOWNAD/Conficker botnet. At least not yet. There is still the expected accessing of websites during the time check routines of DOWNAD malware, as well as the expected P2P chatter/traffic between peers. These routines, however, were already seen happening even before April 1st. As of this writing, there are no new binaries, no new malicious domains, and no new payloads.

    Our engineers observed some instances of DOWNAD seemingly changing its network behavior, but this appears planned and not intended to be an attack. This behavior underlines the theory by security researchers that the creators of this botnet have shown themselves to be determined, slow, and measured in how they introduce changes into the botnet infrastructure.

    Q: Did the Conficker Working Group succeed in its endeavors?
    A: Yes. The group did a phenomenal job in getting the engagement of various security researchers, Internet service providers, domain name registries, as well as members of the the academe, law enforcement agencies, and other cross-industry stakeholders.

    But the battle is not yet over. The DOWNAD network is a very capable platform. We need to remain vigilant in monitoring this botnet. A code change could easily change the balance of power.

    Q: What do you think will the DOWNAD authors do next after April 1st?
    A: There is evidence that the botnet is evolving from an HTTP-based infrastructure into one using a complex Peer-to-peer (P2P) Command and Control communications model. The latter is slower but harder to track, detect, decode, or interrupt. Researchers believe that the operators of the DOWNAD botnet will begin some form of campaign designed to generate income.

    Analysis by security engineers reveal that the P2P channel is as of the moment being used to transmit replacement code modules.

    Q: There were reports that a couple of high-profile organizations were seriously affected by the April 1st DOWNAD/Conficker activation date. There were reports as well of a confession from the DOWNAD/Conficker worm author himself. Are these reports accurate?
    A: Both untrue. These would be April Fool’s jokes. More information on this page:

    Q: Do we stop worrying after April 1?
    A: April 1st is an activation date in one milestone of the evolution of the DOWNAD/Conficker botnet. To ensure that we are not caught off-guard, monitoring and investigations will be ongoing. Web users likewise need to be aware of the threat and to make sure that they have all the necessary solutions in place to protect their PCs.

    Trend Micro’s DOWNAD/Conficker landing page with links to solutions could be accessed using this link:

    The main support portal, meanwhile, is on this page:

    One prominent routine of DOWNAD worms is blocking user access to certain websites. Infected sysems can reach these domains (usually security-related sites) initially blocked by DOWNAD by following the steps provided on this page:

    Microsoft also offers steps on disabling client-side DNS caching here. Fellow researchers at F-Secure has also posted another Q&A here.

    Trend Micro is part of the Conficker Working Group, which has posted a visual Conficker infection test here and here.


    2:21 am (UTC-7)   |    by

    Much has been said about the DOWNAD worm (a.k.a. Conficker) and its enigmatic payload that will supposedly be unleashed on April 1st. There are two days to go until the moment of truth and the hype isn’t expected to die down. But online threat history tells us that trigger/activation dates of equally hyped malware have come and gone without much fanfare. Whether or not April 1 will play out to be D-Day indeed, the security industry will be keeping an eye out for any malicious activity—like it should.

    What we do know at this point is that the latest variant, which we detect as WORM_DOWNAD.KK (first detected on March 4, 2009), includes an algorithm to generate a list of 50,000 different domains. Five hundred (500) of these will be randomly selected to be contacted by infected PCs beginning April 1, 2009 to receive updated copies, new malware components, or additional functional instructions.

    Figure 1. Routines that WORM_DOWNAD.KK will start performing beginning 1 April 2009

    Trend Micro is part of the Conficker Working Group, also called the Conficker Cabal. As part of this group, we must continue to set straight misconceptions surrounding DOWNAD/Conficker and what it’s set to do on the anticipated date. Allow us to reiterate some facts:

    Q: What will happen on April 1, 2009?
    A: Based on our collective technical analysis, we’ve determined that systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. We have
    not identified any other actions scheduled to take place on April 1, 2009.

    Q: Will an updated version of Conficker go out to already-infected systems on April 1?
    A: It is possible that systems with the latest version of Conficker will be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could
    be updated on any date before or after April 1 as well using the “peer- to-peer” updating channel in the latest version of Conficker.

    Q: Should the general public be alarmed? Why or why not?
    A: No, the general public should not be alarmed. Most home users have been protected by Microsoft Security Update MS08-067 being applied automatically.

    Q: Are there any other changes in the latest version of Conficker?
    A: The latest version of Conficker also introduces a new “peer-to-peer” (P2P) updating capability. This capability could enable a system infected by the latest version of Conficker to receive a new version or
    new instructions by contacting another system infected by Conficker rather than by contacting a domain determined by the domain generation algorithm.

    Q: We hear talk of an impending second phase of attacks from Conficker. What do you anticipate happening next?
    A: There may be a second phase of the threat at some point in time. However, we believe that with a situation like this—which has similarly taken place many times in the past—and given the tremendous
    amount of attention that this worm has received, as well as industry and law enforcement monitoring, these efforts will be a deterrent to a large second wave of attacks. At the end of the day, we can’t
    speculate on the intentions of criminals, but what we can do is work to limit the impact of any second phase.

    Q: Why does Conficker continue to spread even though Microsoft issued the update in October?
    A: There is always some percentage of customers who don’t apply an update at any given time, due to a variety of reasons. While most home users have been protected by the patch being applied automatically, once the worm gets a foothold inside an enterprise, it’s difficult to remove and this is where people are having problems.

    Q: Why is Conficker using domain names? Is this a new trend?
    A: It is trying to download malware from these domains and it also uploads infection counts to these domains, but this is not a new trend.

    Q: What is the Conficker Working Group doing about this new algorithm?
    A: The Conficker Working Group has been working continuously to block access to domains that systems infected by Conficker attempt to contact. We are continuing this work and have expanded this effort to include those domains that will be contacted by the latest version of Conficker starting on April 1, 2009.

    Q: What should people who are worried about April 1 and Conficker do?
    A: We recommend that home users who have not yet enabled automatic updates do so and ensure their security software is up to date with the latest signatures.

    We recommend that enterprises continue to focus on the guidance from experts in industry, academia and governments worldwide and continue to deploy the security update MS08-067, ensure their security software have the latest signatures, clean any systems that are infected with any version of Conficker using the tools and guidance we’ve provided, and evaluate additional security best practices in accordance with their organizations’ policies and procedures.

    Update as of March 31, 2009 8:30 AM, PST:
    Aside from the threat itself, cybercriminals are also leveraging on infected users’ attempts to clean their machines by poisoning searches related to DOWNAD’s removal. Trend Micro Solutions Architect Rik Ferguson reported that searches for strings like nmap conficker and remove conficker generate malicious links. Connecting to these links result to the download of malicious files related to fake AV. The said files are now detected by Trend Micro as TROJ_DLOADER.CXV, TROJ_FAKEAV.AVS, and TROJ_FAKEALER.ES.

    Update as of March 31, 2009 4:00 PM, PST:
    Trend Micro researchers have found a way for users to be able to reach the domains blocked by DOWNAD, especially the security-related ones. This prevention from accessing certain websites is done by cybercriminals through poisoning the DNS cache or modifying the system’s HOSTS file. In order to restore access to sites rendered inaccessible by malware, the user needs to stop the client-side DNS cache service through the procedure given below. Please refer to this page for more details.

    1. Click Start and then Run. (If Run is not in the menu, Right click Start, then choose Properties. Hit Customise, then click on Advanced. Scroll down in the Start Menu Items until you see the check box for Run Command, check the corresponding box then click OK.

    2. Now click the Start button again and choose Run. In the Run window, type CMD then click OK.

    3. In the command prompt that appears, type net stop dnscache then press Enter. Exit the command prompt by typing exit then pressing Enter.

    4. Again, click Start then Run. This time, type services.msc in the window then hit OK.
    5. In the listed services, search for DNS Client then check its status. If it states Started or Automatic, double click on it.

    6. Click the Stop button in the Service status portion.

    4:03 pm (UTC-7)   |    by

    Earlier this week, we realized that part of our public online Virus Encyclopedia (VE) was altered via external hacking.  The redirect placed on our site didn’t work properly so nobody visiting the hacked pages was at risk of infection.  In response to this incident, we shut down the VE for several hours, patched the systems, removed the inserted code, and brought it back to life again.  We have already taken interim measures to further harden the VE system against future attacks.  This incident was part of a wider attack on Web sites around the world.

    InformationWeek, quoting Mike Sweeny, publishes a report on this incident.

    Posted in Malware | 1 TrackBack »


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice