• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Exploits   »   Blackhole Spam Run Evades Detection Using Punycode

Blackhole Spam Run Evades Detection Using Punycode

  • Posted on:May 20, 2013 at 8:25 am
  • Posted in:Exploits, Malware, Spam
  • Author:
    Emmanuel Nispersos (Anti-Spam Research Engineer)
0

The Blackhole Exploit Kit (BHEK) spam run has already assumed various disguises during its course. Some variants have taken various forms, such as official bank notice, cable provider email update, social networking email, and fake courier notification.

Lately, we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.

mail-sample-walmart
Figure 1. Notice supposedly from Walmart

In this campaign, some of the URLs lead to Cyrillic domain names.  These domains were translated into the English alphabet through punycode. Punycode is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see its original format.

The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult.

This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are lead to the site hosting a malware (detected as TROJ_PIDIEF.SMXY), which exploits a in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system.

This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon.

Whether facing old or newly-improved threats, several computing practices can provide your best defense. Always be cautious of email messages before clicking the links or downloading attached files. Always verify with the vendor to check if these emails are legitimate. Regularly install the latest security updates from software vendors to avoid threats targeting dated vulnerabilities.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: BHEKblackhole exploit kitexploit kitsExploitspunycodewalmart

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.