Passwords Matter—The Hidden Risks “Minor” Info Stealers Pose

June 15, 2010

Last week, we saw two major mass compromises. The first hit more than 100,000 websites, including major news sites such as the Wall Street Journal and the Jerusalem Post. The second campaign was much smaller, hitting only around 1,000 pages, and had no comparably high-profile victims, although the casino firm Ameristar was on the list.

The first attack redirected users to http://www.{BLOCKED}nt.us/u.js. Visiting this URL silently downloads a Trojan detected by Trend Micro as TROJ_DLOAD.VAC, which in turn downloads a malicious file detected as TSPY_GAMETHI.QJB. A very similar payload was used in the second wave.

Target: Online Gamers

What is worth noting here is that TSPY_GAMETHI.QJB steals information related to online gaming sites such as Aion Online, Dungeon Fighter, and World of Warcraft. It is tempting to think the potential fallout from this is minor, but it is not. As pointed out in a late-2008 white paper, the “virtual worlds” of online games pose real security risks.

It is also quite likely that the stolen information is not limited to online games. Last week, an interesting paper was presented at the Workshop on the Economics of Information Security. Written by two University of Cambridge researchers, it analyzed how 150 websites use passwords. The researchers found that many sites used passwords less for security (which was not always consistently implemented) and more as a way of collecting demographic information.

The researchers cited the website of the New York Times, which requires registering users to state their income, job title, industry, and company size. None of this is needed to deliver news to readers, but advertisers would find it very useful.

With so many sites requiring registration (and thus a password), passwords are overused, and the human ability to remember them is limited. The end result? Users recycle passwords across sites, some of which handle passwords less securely than the rest.

Passwords Matter

The lesson is simple: a password is a password, regardless of whether it is used as intended (for security) or as a means of collecting personal information. Users should know this and behave accordingly: do not reuse passwords (use one of the freely available password managers if needed), and change them as needed.
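The two points above, that sites implement password security inconsistently and that a reused password is only as safe as the weakest site holding it, can be shown in a few lines. The following is an added example written for this page, not code from the original post or from the Cambridge paper; the password value and the "site A"/"site B" records are constructed. It contrasts an unsalted MD5 store (which lets an attacker match a leaked table against another site's table) with a salted PBKDF2 store, and then shows that even the hardened site is opened by a plaintext leaked from a careless one, which is exactly why per-site passwords from a manager matter.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample: one user reusing a single password on two sites
# (hypothetical value, not data from the post).
REUSED_PASSWORD = "correct horse battery staple"


def weak_store(password: str) -> str:
    """Weak scheme: unsalted MD5. Equal passwords give equal records, so a
    table leaked from one site can be matched against another site's table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_store(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Hardened scheme: per-user random salt + PBKDF2-HMAC-SHA256, stored with
    its parameters so the work factor can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def records_match_across_sites(scheme, password: str) -> bool:
    """Does the same password produce the same stored record at two sites?
    True for the weak scheme, False once each site salts per user."""
    return scheme(password) == scheme(password)


def leaked_password_works_elsewhere(leaked_plaintext: str, other_site_record: str) -> bool:
    """The reuse problem itself: a plaintext recovered from a careless site is
    replayed against a site that stored it properly. Good hashing there does
    not help, because the password is simply correct."""
    return strong_verify(leaked_plaintext, other_site_record)


def unique_password() -> str:
    """What a password manager does for you: a fresh random secret per site."""
    return secrets.token_urlsafe(24)


if __name__ == "__main__":
    site_a = strong_store(REUSED_PASSWORD)
    print("weak scheme exposes reuse:", records_match_across_sites(weak_store, REUSED_PASSWORD))
    print("salted scheme hides reuse:", records_match_across_sites(strong_store, REUSED_PASSWORD))
    print("leak from a weak site still unlocks site A:",
          leaked_password_works_elsewhere(REUSED_PASSWORD, site_a))
    print("per-site password from a manager:", unique_password())
```

The iteration count is an assumption chosen for illustration; the point of storing it in the record is that it can be raised without invalidating existing users. Nothing in the hardened scheme protects a user who typed the same password into a site that kept it in plaintext, which is the argument of the post.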

Post from: TrendLabs | Malware Blog - by Trend Micro


WordPress Blogs Suffer from a Mass Compromise

April 11, 2010

Mass compromises have not been in the news of late, but a new wave recently hit the headlines. According to news reports, blogs running the popular WordPress platform have been hit by an attack that modifies the application setting containing the blog's URL.

On compromised sites, this setting is changed to point to a malicious website, redirecting all would-be blog readers there. That site contains scripts leading to a malicious file detected by Trend Micro as TROJ_BUZUS.ZYX.

TROJ_BUZUS.ZYX in turn starts an infection chain that leads to various malware, including a rogue antivirus already detected by Trend Micro as TROJ_FAKEAV.ZZY.

It is not yet clear how the attack is being carried out. However, many of the affected blogs are hosted on Network Solutions, which stated on its own blog that it is aware of the issue, is investigating it, and is checking whether a WordPress theme or plug-in is responsible.

This represents a change in behavior for the BUZUS malware family, which traditionally spreads via instant-messaging programs, as documented in two separate posts here in the Malware Blog:

Trend Micro™ Smart Protection Network™ protects users from these threats by blocking the malicious website used in this attack and by detecting and removing the associated malware, TROJ_BUZUS.ZYX and TROJ_FAKEAV.ZZY.

Update as of April 12, 2010, 11:30 p.m. (GMT +8:00):

Network Solutions has released its official word that the root cause of the mass compromise has been addressed by changing the WordPress database password. Users are likewise advised to log in to their administrative accounts, change their passwords, and delete any accounts they do not recognize.
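A blog owner checking for this compromise wants two things from the post above: whether the URL setting now points off-site, and whether accounts they do not recognize have appeared. The following is an added example written for this page, not code from the original post or from WordPress or Network Solutions. It assumes the default `wp_` table prefix and the two WordPress options that hold the blog's URL, `siteurl` and `home`; the rows, hostnames and account names are constructed, not taken from the incident.

```python
from urllib.parse import urlparse

# Constructed rows in the shape returned by
#   SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl', 'home');
#   SELECT user_login, user_email FROM wp_users;
# Hostnames and account names are hypothetical, not taken from the incident.
SAMPLE_OPTIONS = [
    ("siteurl", "http://example-blog.test"),
    ("home", "http://redirector.example-bad.test/u.js"),
]
SAMPLE_USERS = [
    ("admin", "owner@example-blog.test"),
    ("wp_cache_user", "noreply@example-bad.test"),
]


def check_blog_urls(options, expected_host):
    """Flag 'siteurl'/'home' values whose host is not the blog's own host.
    Values with no parsable host (e.g. a javascript: URL) are flagged too."""
    findings = []
    for name, value in options:
        if name not in ("siteurl", "home"):
            continue
        host = urlparse(value).hostname
        if host is None or host.lower() != expected_host.lower():
            findings.append((name, value))
    return findings


def check_unknown_users(users, known_logins):
    """Return logins not on the owner's allowlist (accounts to review or delete)."""
    return [login for login, _email in users if login not in known_logins]


def audit(options, users, expected_host, known_logins):
    return {
        "redirected_options": check_blog_urls(options, expected_host),
        "unknown_users": check_unknown_users(users, known_logins),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_OPTIONS, SAMPLE_USERS, "example-blog.test", {"admin"})
    for name, value in result["redirected_options"]:
        print(f"ALERT option {name} points off-site: {value}")
    for login in result["unknown_users"]:
        print(f"ALERT unrecognised account: {login}")
```

Once the database password has been rotated as the update advises, the URL settings can also be pinned so that a rewritten database row no longer matters: WordPress honours `WP_HOME` and `WP_SITEURL` constants defined in wp-config.php over the values stored in wp_options.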


Iranian “Cyber Army” Strikes at China’s Search Engine Giant, Chinese Hackers Retaliate

January 14, 2010

Less than a month after the so-called “Iranian Cyber Army” reportedly “hacked” the popular micro-blogging site Twitter, the group is back with another attack, this time against another Internet giant, Baidu. Baidu is China's most popular search engine, handling 62 percent of all Web searches in China compared with Google's 29 percent, according to research firm Analysys International.

Some days ago, users who tried to access Baidu were instead redirected to a page put up by the attackers (screenshots credited below).

According to Trend Micro Advanced Threat Researcher Paul Ferguson, this was not a defacement of Baidu's site. It was another Domain Name System (DNS) hijacking: the group obtained the login credentials to the target site's registrar account and used them to change where the domain resolved, much as it did in the Twitter DNS attack.

However, Advanced Threat Researcher Ivan Macalintal found details that differentiate this attack from the Twitter DNS attack and which, he adds, may tie it to a much larger string of cybercriminal attacks.
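A registrar-account hijack of the kind described above leaves the web server untouched; what changes is the domain's delegation and records. A domain owner therefore detects it by watching DNS answers against a known baseline. The following is an added example written for this page, not code from the original post or from Trend Micro. It parses text in the shape of `dig +noall +answer` output and reports every baseline record set that differs; the baseline, names and addresses are constructed and are not the records involved in the Baidu incident.

```python
import re

# Constructed baseline of the records the domain owner expects, and constructed
# text in the shape of `dig +noall +answer <name> <type>` output. Names and
# addresses are hypothetical, not the records involved in the Baidu incident.
BASELINE = {
    ("example-search.test.", "NS"): {"ns1.example-search.test.", "ns2.example-search.test."},
    ("www.example-search.test.", "A"): {"203.0.113.10"},
}
OBSERVED_DIG = """\
example-search.test.      300  IN  NS  ns1.attacker-dns.test.
example-search.test.      300  IN  NS  ns2.attacker-dns.test.
www.example-search.test.  60   IN  A   198.51.100.77
"""

# owner  TTL  class(IN)  type  rdata   (CH/HS-class answers are not expected here)
ANSWER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


def parse_dig_answers(text):
    """Group rdata by (owner name, type). Skips blanks and ';' comment lines."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised answer line: {line!r}")
        name, _ttl, rtype, rdata = m.groups()
        records.setdefault((name, rtype), set()).add(rdata.strip())
    return records


def diff_against_baseline(baseline, observed):
    """One alert per baseline record set that differs from what was observed,
    including the case where the record has vanished entirely."""
    alerts = []
    for (name, rtype), expected in baseline.items():
        seen = observed.get((name, rtype), set())
        if seen != expected:
            alerts.append({
                "name": name, "type": rtype,
                "expected": sorted(expected), "observed": sorted(seen),
            })
    return alerts


if __name__ == "__main__":
    for a in diff_against_baseline(BASELINE, parse_dig_answers(OBSERVED_DIG)):
        print(f"ALERT {a['type']} for {a['name']}: expected {a['expected']}, observed {a['observed']}")
```

Because a registrar-side change rewrites the delegation held by the parent zone, the check is most useful when the NS query is sent to a parent-zone server rather than only to the domain's own name servers or a caching resolver, and when it runs on a schedule from more than one vantage point.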

Although cybercriminal activity is mostly driven by profit, we are seeing more and more attacks that are not motivated by monetary gain. Specifically, politically motivated online attacks, which have been part of the threat landscape since 2007, are slowly increasing worldwide.

We are not even halfway through January, yet Trend Micro has already noticed a spike in politically motivated attacks on the websites of high-profile political figures and organizations in different parts of the world, as evidenced by the following blog posts:

As of now, it has been reported that Chinese hackers hacked several Iranian websites right after the Baidu attack, apparently in retaliation for the Baidu DNS compromise. Some comments circulating in Web discussions mention that Iranians blame the Chinese for interfering in their war with Israel, hence the attack on the Chinese site.

Whatever the reason, this kind of attack should not be ignored. Although such attacks may seem inconsequential right now because they carry no direct payload for users, they can pave the way for a more serious threat to emerge, the kind we mostly see only in movies: cyber warfare.

Credits:
http://www.thedarkvisitor.com/2010/01/prc-hackers-attack-iranian-websites
http://it.people.com.cn for the screenshots
