• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Bad Sites   »   FIFA and Gaza Attack Tweets Dump Backdoors

FIFA and Gaza Attack Tweets Dump Backdoors

  • Posted on:June 4, 2010 at 9:33 pm
  • Posted in:Bad Sites, Malware, Spam
  • Author:
    Carolyn Guevarra (Technical Communications)
7

What do the “FIFA World Cup” and Gaza attack have in common? They are both currently being used as social engineering ploys by a couple of malware campaigns seen on Twitter. TrendLabsSM senior threat researcher Ivan Macalintal spotted several malicious programs being distributed via the popular microblogging site. These malware campaigns take advantage of noteworthy events to lure users into clicking malicious links in Tweets.

The first malware run makes use of the upcoming “FIFA World Cup” (set to see record levels of global interactivity according to CNN) by sending the following Tweet:

Clicking the link leads users to download a copy of a backdoor detected as BKDR_BIFROSE.SMK, which connects to IP addresses that allow a remote user to perform malicious activities on affected systems. These activities include sending and receiving files, keylogging, and retrieving user names and passwords. It also has rootkit capabilities, which enable it to hide its processes and files from its victims.

The second campaign, on the other hand, sends out the following Tweet related to the Gaza attacks:

This time, the malware that is downloaded from the link is BKDR_BIFROSE.PAB, which opens a hidden Internet Explorer (IE) window and opens TCP port 788 to listen for commands from a remote malicious user who may initiate a denial-of-service (DoS) attack to target systems using specific flooding methods.

Trend Micro™ Smart Protection Network™ protects users from these threats by detecting and deleting BKDR_BIFROSE.SMK and BKDR_BIFROSE.PAB via the file reputation service. Users must also be wary of and double-check shortened links in microblogging site updates.

The “FIFA World Cup” is an incredibly popular global event that has already moved opportunistic cybercriminals into action as seen in the following previous posts:

  • Latest Online Scam Targets FIFA Fans
  • 2010 FIFA World Cup Spam Strikes Again
  • Scammers Attempt to Score Through the FIFA World Cup

The past couple of months proved to be no safer for microblogging (i.e., Twitter) users either as seen in:

  • Your Tweet Is My Command
  • Search for News on Moscow Subway Explosions Result in FAKEAV
  • Diet Twitter Spam (on the) Run
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»

Featured Stories

  • Following the Trail of BlackTech’s Cyber Espionage Campaigns
  • Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More
  • Linux Users Urged to Update as a New Threat Exploits SambaCry
  • Erebus Resurfaces as Linux Ransomware
  • The Reigning King of IP Camera Botnets and its Challengers

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Business Email Compromise

  • How can a sophisticated email scam cause more than $5.3 billion in damages to businesses around the world?
    See the numbers behind BEC

Latest Ransomware Posts

  • Locky Ransomware Pushed Alongside FakeGlobe in Upgraded Spam Campaigns
  • Android Mobile Ransomware: Bigger, Badder, Better?
  • Cerber Ransomware Evolves Again, Now Steals From Bitcoin Wallets
  • New WannaCry-Mimicking SLocker Abuses QQ Services
  • LeakerLocker Mobile Ransomware Threatens to Expose User Information

Recent Posts

  • ZNIU: First Android Malware to Exploit Dirty COW Vulnerability
  • EITest Campaign Uses Tech Support Scams to Deliver Coinhive’s Monero Miner
  • OptionsBleed – The Apache HTTP Server Now Bleeds
  • a-PATCH-e: Struts Vulnerabilities Run Rampant
  • New RETADUP Variants Hit South America, Turn To Cryptocurrency Mining

Ransomware 101

  • This infographic shows how ransomware has evolved, how big the problem has become, and ways to avoid being a ransomware victim.
    Check the infographic

Popular Posts

  • iXintpwn/YJSNPI Abuses iOS’s Config Profile, can Crash Devices
  • The Crisis of Connected Cars: When Vulnerabilities Affect the CAN Standard
  • USB Malware Implicated in Fileless Attacks
  • BankBot Found on Google Play and Targets Ten New UAE Banking Apps
  • Locky Ransomware Pushed Alongside FakeGlobe in Upgraded Spam Campaigns

Latest Tweets

  • ICYMI: A #dataleak involving a database on tracking information for over 500,000 vehicles was leaked online:… twitter.com/i/web/status/9…
    about 14 mins ago
  • #EITest campaign used tech support to con victims into running a JavaScript #cryptocurrency miner: bit.ly/2ht3lXl
    about 6 hours ago
  • Three #ApacheStruts vulnerabilities actively exploited, including the one that was used against #Equifax: bit.ly/2xUSDmS
    about 14 hours ago

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.