Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:


  • Targeted Attacks

  • Recent Posts

  • Calendar

    March 2015
    S M T W T F S
    « Feb    
    1234567
    891011121314
    15161718192021
    22232425262728
    293031  

  • Email Subscription

    • About Us
    blog.trendmicro.com Sites > TrendLabs Security Intelligence Blog > Exploits > Blackhole Spam Run Evades Detection Using Punycode

    The Blackhole Exploit Kit (BHEK) spam run has already assumed various disguises during its course. Some variants have taken various forms, such as official bank notice, cable provider email update, social networking email, and fake courier notification.

    Lately, we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.

    mail-sample-walmart
    Figure 1. Notice supposedly from Walmart

    In this campaign, some of the URLs lead to Cyrillic domain names.  These domains were translated into the English alphabet through punycode. Punycode is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see its original format.

    The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult.

    This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are lead to the site hosting a malware (detected as TROJ_PIDIEF.SMXY), which exploits a in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system.

    This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon.

    Whether facing old or newly-improved threats, several computing practices can provide your best defense. Always be cautious of email messages before clicking the links or downloading attached files. Always verify with the vendor to check if these emails are legitimate. Regularly install the latest security updates from software vendors to avoid threats targeting dated vulnerabilities.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Monday, May 20th, 2013 at 8:25 am and is filed under Exploits, Malware, Spam . Both comments and pings are currently closed.



    Comments are closed.



     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice