FIFA and Gaza Attack Tweets Dump Backdoors

June 5, 2010

What do the “FIFA World Cup” and Gaza attack have in common? They are both currently being used as social engineering ploys by a couple of malware campaigns seen on Twitter. TrendLabsSM senior threat researcher Ivan Macalintal spotted several malicious programs being distributed via the popular microblogging site. These malware campaigns take advantage of noteworthy events to lure users into clicking malicious links in Tweets.

The first malware run makes use of the upcoming FIFA World Cup (set to see record levels of global interactivity according to CNN) by sending the following Tweet:

Clicking the link leads users to download a copy of a backdoor detected as BKDR_BIFROSE.SMK, which connects to IP addresses that allow a remote user to perform malicious activities on affected systems. These activities include sending and receiving files, keylogging, and retrieving user names and passwords. It also has rootkit capabilities, which enable it to hide its processes and files from its victims.

The second campaign, on the other hand, sends out the following Tweet related to the Gaza attacks:

This time, the malware that is downloaded from the link is BKDR_BIFROSE.PAB, which opens a hidden Internet Explorer (IE) window and opens TCP port 788 to listen for commands from a remote malicious user who may initiate a denial-of-service (DoS) attack to target systems using specific flooding methods.

Trend Micro™ Smart Protection Network™ protects users from these threats by detecting and deleting BKDR_BIFROSE.SMK and BKDR_BIFROSE.PAB via the file reputation service. Users must also be wary of and double-check shortened links in microblogging site updates.

The “FIFA World Cup” is an incredibly popular global event that has already moved opportunistic cybercriminals into action as seen in the following previous posts:

The past couple of months proved to be no safer for microblogging (i.e., Twitter) users either as seen in:

Post from: TrendLabs | Malware Blog - by Trend Micro


Emerging Blackhat SEO Techniques

June 2, 2010

While conducting blackhat search engine optimization (SEO) investigations, I stumbled upon an SEO attempt hosted in the popular document-sharing site Scribd.


The document that contains the SEO strings and links was actually a .PDF file that has been uploaded to Scribd.


Further investigation revealed that the user account that uploaded this SEO .PDF file has been very actively uploading .PDF files designed for blackhat SEO attacks. As of this writing, 3,003 such .PDF files have been uploaded to Scribd since the creation of the account 26 days ago.


Clicking any of the links leads to a site that has been specifically designed to host or link ads. The site itself is not malicious, as it neither instigates drive-by downloads nor causes automatic redirections, but links leading to a spammy Viagra site and to outright malicious FAKEAV pages ultimately reveal its true nature.


This SEO trail reveals two alarming blackhat SEO trends—the use of document formats apart from HTML to create SEO pages and the use of document-sharing sites, particularly Scribd, to host non-HTML blackhat SEO attacks.

Trend Micro product users need not worry, however, as Smart Protection Network™ protects them from blackhat SEO-related attacks.


Cybercriminals Ride on the Back of Security Woes with FAKEAV

April 22, 2010

We regularly blog about how cybercriminals misuse newsworthy events in order to gain profit for themselves. In the past 24 hours, TrendLabsSM has tracked multiple FAKEAV attacks that try to trick users searching for help following the recent McAfee update 5958 incident. This determination by cybercriminals to cause further problems and inconvenience to innocent end users and businesses is, in many respects, not surprising.

We at Trend Micro are keen to help users identify these FAKEAV scams before they can be affected.

In a recent post on how blackhat SEO leads to FAKEAV, “Doorway Pages and Other FAKEAV Stealth Tactics,” advanced threats researcher Norman Ingal described important telltale signs of malicious search results, specifically that their URLs follow this pattern:

This can help users spot malicious results. Ingal further adds that the title of the page (the text that appears in bold heading style in search results lists) is generally the same as the keywords used. The same pattern has appeared time and again in our investigations related to blackhat SEO attacks.

Only this week, the search results to the following keywords were also found to carry redirections leading to rogue antivirus software:

  • who got voted off american idol april 21
  • dancing with the stars elimination april 2010
  • goldman sachs sec filings
  • boston marathon results
  • april 20th weed day

The following is a demonstration of what our engineers found when they began to track search results leveraging the recent security incident:


These results lead to redirections that end up in now-usual extortion schemes where users are presented with fake infection signals to convince them to pay for software they do not actually need. Trend Micro detects variants and components of these attacks as FAKEAV.

Trend Micro™ Smart Protection Network™ already protects product users from blackhat SEO attacks of this kind by preventing access to malicious sites and domains via the Web reputation service.

Web reputation is a much faster option for blocking new threats than waiting for signatures. With this attack, we could be looking at thousands of new malicious files that have to be processed versus a single domain.


Users should, by now, be aware that trusting results from search engines is no longer as safe as previously thought. The clues we mentioned above can help users distinguish legitimate results from suspicious ones. For users who are concerned about being infected, Trend Micro HouseCall is a free tool that scans for malware infections and other security threats.

Other blackhat SEO attacks in the recent weeks from the Malware Blog include:


Doorway Pages and Other FAKEAV Stealth Tactics

April 20, 2010

Cybercriminals employ different but complementary techniques when it comes to propagating FAKEAV. Ultimately, however, their goal is to entice users to click malicious links that lead to the download of different FAKEAV variants.


TrendLabsSM observed that cybercriminals typically employed blackhat search engine optimization (SEO) to create poisoned pages that serve as doorways for FAKEAV distribution. These doorway pages, which primarily redirect unknowing users, are cross-linked with other doorway pages and well-known legitimate sites. This technique allows malicious pages to appear as top search results.

To further entice users to click malicious links, these doorway pages also contain content copied from various other websites. Cybercriminals also leverage trending topics, which can easily be found in Google Trends or through Twitter's search page. These doorway pages often use the following format in search results:

FAKEAV URL pattern

Doorway pages are frequently contained in individual websites or in compromised Web hosting providers’ sites. Clicking malicious links redirects users several times until they reach a fake scanning page. These redirections help hide the actual URLs of the final landing pages and of the pages hosting the fake scanning results.

More than simple redirections, however, cybercriminals also use other techniques to redirect users to malicious pages. These include a combination of the following stealth tactics:

  • Geo-targeting or IP delivery, which utilizes a user’s IP address to determine his/her geographic location and to deliver different content specific to his/her location.
  • Blog scraping, which refers to regularly scanning blogs to search for and copy content using automated software.
  • Referer page-checking, which ensures that only users arriving via search engines will be included in the infection chain and prevents security analysts or system administrators from seeing anything malicious when they arrive via direct access to a doorway page.
  • User-agent filtering, which refers to distinguishing between browsers to enable the OS-specific download of payloads.

After successfully employing any of these techniques, cybercriminals then lead users to a page hosting a bogus message prompt. These messages urge users to check the fake scanning results, which have been designed to scare them into purchasing the fake antivirus program.
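Since referer checking and user-agent filtering hide the redirect from anyone who visits a doorway page directly, an analyst exposes them by requesting the same URL under several request profiles and comparing what comes back. The following is an added example written for this post, not TrendLabs code: the fetcher is injected so the logic runs offline against a constructed stand-in for a doorway page; in practice `fetch` would wrap an HTTP client run from an isolated analysis host.

```python
"""Probe a suspected doorway URL under several request profiles and flag cloaking."""
import hashlib
from typing import Callable, Dict, List, Tuple

# Each profile varies the two signals doorway pages key on: the Referer
# (search engine vs. direct visit) and the User-Agent (browser / OS).
PROFILES: Dict[str, Dict[str, str]] = {
    "direct_windows": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)"},
    "google_windows": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)",
                       "Referer": "https://www.google.com/search?q=moscow+bombing"},
    "google_mac": {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6)",
                   "Referer": "https://www.google.com/search?q=moscow+bombing"},
}

# A fetcher takes (url, headers) and returns (final_url_after_redirects, body).
Fetcher = Callable[[str, Dict[str, str]], Tuple[str, bytes]]


def probe(url: str, fetch: Fetcher) -> Dict[str, Tuple[str, str]]:
    """Request url once per profile; record the final URL and a body hash."""
    results = {}
    for name, headers in PROFILES.items():
        final_url, body = fetch(url, headers)
        results[name] = (final_url, hashlib.sha256(body).hexdigest()[:12])
    return results


def cloaking_indicators(results: Dict[str, Tuple[str, str]]) -> List[str]:
    """Compare every profile against the direct visit; differences indicate cloaking."""
    findings = []
    base_url, base_hash = results["direct_windows"]
    for name, (final_url, digest) in results.items():
        if name == "direct_windows":
            continue
        if final_url != base_url:
            findings.append(f"{name}: redirected to {final_url}, direct visit stayed on {base_url}")
        elif digest != base_hash:
            findings.append(f"{name}: served different content than the direct visit")
    return findings


# Constructed stand-in (hypothetical hosts) for the behaviour described above:
# scraped text for direct visitors, a fake scanner for search-engine visitors,
# and an OS-specific landing page chosen from the User-Agent.
def fake_doorway(url: str, headers: Dict[str, str]) -> Tuple[str, bytes]:
    if "google." not in headers.get("Referer", ""):
        return url, b"<html>scraped blog text...</html>"
    if "Windows" in headers.get("User-Agent", ""):
        return "http://scanner.example/win.html", b"<html>fake scan (win)</html>"
    return "http://scanner.example/mac.html", b"<html>fake scan (mac)</html>"


# Constructed benign site: identical answer for every profile.
def benign_site(url: str, headers: Dict[str, str]) -> Tuple[str, bytes]:
    return url, b"<html>same page for everyone</html>"


if __name__ == "__main__":
    for finding in cloaking_indicators(probe("http://doorway.example/page.html", fake_doorway)):
        print(finding)
```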


Through these techniques, FAKEAV has become a recurrent theme in the threat landscape, as evidenced by another FAKEAV variant detected as TROJ_FAKEAV.QIEA. Trend Micro engineer Roland de la Paz notes that this new variant employs the same blackhat search engine optimization (SEO) technique that leverages man’s innate curiosity. As long as users turn to search engines like Google, Yahoo!, and Bing for more information, we can expect cybercriminals to carry on with their effective modus operandi.

Trend Micro product users need not worry, however, as Smart Protection Network™ already protects them from FAKEAV-related attacks by preventing access to malicious sites and domains via the Web reputation service. It also blocks the download and execution of related malicious files like TROJ_FAKEAV.QIEA on users’ systems.


“Copyright Violations” Used for a FAKEAV-Like Scam

April 13, 2010

In recent years, the music and movie industries have become more aggressive in suing users accused of illegally sharing content. Large-scale mass lawsuits, previously used largely in Britain and Germany, have now made their way to the U.S. shores.

Given a climate wherein some users are afraid of legal threats, it is no surprise that cybercriminals have adapted this technique for their own scams as well. A new file detected as ADW_ANTIPIRACY uses this technique and combines it with methods similar to those used by rogue antivirus malware.

Like countless other FAKEAV variants, ADW_ANTIPIRACY displays a fake pop-up window. This one, however, states that information will be passed on to the courts for the appropriate lawsuits.


A larger alert window is also used by this spyware, which states the copyright violations the user allegedly carried out and contains an offer for a pretrial settlement. This step is analogous to offers to purchase a product for FAKEAV malware.


Like particularly troublesome FAKEAV variants, ADW_ANTIPIRACY also changes the user’s desktop wallpaper and displays fake warnings in the taskbar.


ADW_ANTIPIRACY offers to “solve” the user’s legal problems if he/she settles the lawsuit for a fixed amount of money, in this case, US$399.85. Again, this is similar to FAKEAV malware, which offers to “sell” a user an antivirus to “remove” the infections found.


The pop-up windows of the spyware say that a group known as the ICCP Foundation is responsible for the threatened lawsuits. In fact, a legitimate-looking website for the said (fictitious) group was also set up, although this has since been blocked as a malicious site by Trend Micro. Given the similarity in techniques, however, it is possible that the cybercriminals behind this particular scheme had previous “experience” with FAKEAV attacks.

In the past, we have encountered other attacks that leveraged worries over copyright-related lawsuits as social engineering techniques. Just last month, a spam run using this technique was found. In August and September 2008, spammed messages threatening to cut off users’ Internet access were also encountered.

Trend Micro™ Smart Protection Network™ protects users from this kind of threat by blocking access to all related malicious URLs and preventing the download and execution of the malicious file.


WordPress Blogs Suffer from a Mass Compromise

April 11, 2010

Mass compromises have not been in the news of late but a new wave recently hit the headlines. According to news reports, users running the popular blogging platform WordPress have been hit with an attack that modifies a setting within the application that contains the URL of a blog.

In compromised sites, this setting is changed to point to a malicious website. This redirects all would-be blog readers to the said website, which contains scripts leading to a malicious file detected by Trend Micro as TROJ_BUZUS.ZYX.

TROJ_BUZUS.ZYX, in turn, leads into an infection chain that leads to various malware, including a rogue antivirus that was already detected by Trend Micro as TROJ_FAKEAV.ZZY.

It is not yet clear how this attack is being carried out. However, many of the affected blogs were hosted on Network Solutions, which stated on its own blog that it is aware of the issue. In addition, Network Solutions stated that it was investigating the issue and checking to see if a WordPress theme or plug-in was responsible.

This represents a change in the behavior of the BUZUS malware family, as it traditionally spreads via instant-messaging programs, as documented in two separate posts here in the Malware Blog:

Trend Micro™ Smart Protection Network™ protects users from these threats by blocking the malicious website used in this attack as well as by detecting and removing associated malware like TROJ_BUZUS.ZYX and TROJ_FAKEAV.ZZY.

Update as of April 12, 2010, 11:30 p.m. (GMT +8:00):

Network Solutions has released its official word that the root cause of the mass compromise has been addressed by changing its password to the WordPress database. Users are likewise advised to log in to their administrative accounts to change their passwords and to delete accounts they do not recognize.


Shortened URLs in IM Apps Lead to a Worm

April 8, 2010

TrendLabs engineers recently discovered that cybercriminals now use shortened URLs to spam malware via instant-messaging (IM) applications like Yahoo! Instant Messenger and MSN. As we all know, URL-shortening services are used to compress long and unreadable URLs into short, bite-sized ones. Short URLs are more portable and are now preferred over the (normally long) actual URLs when one wishes to share news within networks using their own websites, blogs, Tweets, and other social media tools.

The bad guys seem to have changed their strategy. We have gotten used to seeing malicious URLs like http://{BLOCKED}img.com/IMG-004592.com?=, http://www.{BLOCKED}ok.com/view.php?=PHOTO1598526.JPG?, and http://www.{BLOCKED}-photos.com/view.php?=PHOTO23032010.JPG? in instant messages. Now, we see a slew of instant messages containing shortened URLs like http://{BLOCKED}.com/pict04042010jpg and http://{BLOCKED}.com/va98d.

Shortening URLs may mean two things. First, this makes it harder for antivirus companies to block malicious URLs, as it would take them longer to get the landing link. Second, URL-shortening services can be used by cybercriminals to trick users into clicking suspicious links.

Malware that spreads via IM applications bases its messages on the OS a computer uses. Cybercriminals have also been known to use shortened URLs for spamming purposes, as shown in the following screenshots.


Clicking the shortened URLs in the sample instant messages leads to the download of {BLOCKED}082010-jpg-www-facebook-com.scr detected as WORM_BUZUS.AG, which propagates via physical/removable/floppy drives and peer-to-peer (P2P) networks by spoofing the names of some popular applications, games, and movies. It is also capable of launching a denial-of-service (DoS) attack using SYN floods.
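The delay a shortener introduces for blocking comes from having to walk the redirect chain to reach the landing link. The following added example, written for this post rather than taken from TrendLabs, walks that chain hop by hop using only redirect status and Location headers (never fetching the final object) and then flags a landing file like the one above, whose name contains image words but carries an executable extension. The `head` function is injected so the code runs offline against a constructed redirect table; a real implementation would issue HTTP HEAD requests from an isolated analysis host, and all hostnames here are hypothetical.

```python
"""Expand a shortened URL through its redirect chain and assess the landing object."""
import posixpath
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# head(url) -> (status_code, value of the Location header or None)
HeadFn = Callable[[str], Tuple[int, Optional[str]]]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Extensions Windows executes even when the file name looks like a picture.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
IMAGE_WORDS = ("jpg", "jpeg", "png", "gif", "photo", "img", "pict")


def expand(url: str, head: HeadFn, max_hops: int = 10) -> List[str]:
    """Return the chain [short_url, ..., landing_url].
    Stops on a non-redirect status, a missing Location, a loop, or max_hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:                     # loop: record it once and stop
            break
        seen.add(nxt)
    return chain


def assess(chain: List[str]) -> Dict[str, object]:
    """Summarise the landing object and list reasons it looks suspicious."""
    landing = chain[-1]
    name = posixpath.basename(urlsplit(landing).path)
    ext = posixpath.splitext(name)[1].lower()
    reasons = []
    if ext in EXECUTABLE_EXT:
        reasons.append(f"landing object is executable ({ext})")
        if any(word in name.lower() for word in IMAGE_WORDS):
            reasons.append("image words in an executable file name")
    if len(chain) - 1 > 3:
        reasons.append(f"{len(chain) - 1} redirect hops")
    return {"landing": landing, "hops": len(chain) - 1, "reasons": reasons}


# Constructed redirect table standing in for a shortener and a hosting site.
FAKE_HEAD_TABLE: Dict[str, Tuple[int, Optional[str]]] = {
    "http://short.example/pict04042010jpg":
        (301, "http://images.example/view.php?id=04042010"),
    "http://images.example/view.php?id=04042010":
        (302, "/files/IMG-04042010-jpg-www-facebook-com.scr"),
    "http://images.example/files/IMG-04042010-jpg-www-facebook-com.scr":
        (200, None),
    # two shortener entries that point at each other
    "http://short.example/loop1": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop1"),
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_HEAD_TABLE.get(url, (404, None))


if __name__ == "__main__":
    print(assess(expand("http://short.example/pict04042010jpg", fake_head)))
```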

Trend Micro™ Smart Protection Network™ protects users from this kind of threat by blocking access to all related malicious URLs and preventing the download and execution of the malicious file.

Update as of April 12, 2010, 3:00 p.m. (GMT +8:00):

The links were also found to download a new KOOBFACE variant detected as WORM_KOOBFACE.ZD.


Search for News on Moscow Subway Explosions Result in FAKEAV

March 29, 2010

News of a twin bombing attack in Russia shocked the world on Monday morning as two female suicide bombers blew themselves up in Moscow subway stations. According to news reports, the attacks killed at least 38 and wounded more than 60 people. Jumping at the chance to make profit from terrible events, cybercriminals quickly picked the news up and used it for their own malicious attacks.

Shortly after the news broke out, cybercriminals once again employed their blackhat search engine optimization (SEO) tactics to make their malicious links the top-ranking search results in Google. Their links achieved the top 2 spots for about 2 hours for the keywords Moscow subway explosion and are now placing within the top 11 spots for the keywords Moscow bombing. Apparently, this news topic has made Moscow a popular trending topic not only in Google but in social networks as well. In Twitter, searching for Moscow also showed results with embedded malicious URLs within Tweets.


The links, of course, will not direct users to news sites but instead open a fake scanning page. It then reports that the computer is vulnerable to malware attacks and recommends that the users proceed with checking for infections.


Agreeing to install the rogue antivirus downloads the FAKEAV file detected by Trend Micro as TROJ_FAKEAV.SMDY onto affected systems.


If there is one thing every user should now know, it is that cybercriminals will use whatever topic is most popular to make their attacks successful. As always, please be mindful not to click any link even if it is one of the top-ranking results in Google or if it has been sent by your supposed friends in Twitter.

Trend Micro product users are protected from this threat by the Smart Protection Network™, which blocks user access to related malicious sites and prevents malware from being downloaded onto users’ systems.


Spam with “Pictures” Used to Spread ZBOT

March 24, 2010

Advanced threats researcher Ivan Macalintal spotted a fresh wave of spammed messages that were used to spread another ZBOT variant of the infamous ZeuS botnet. These messages warned users that a “jerk” posted photos of them and contained a link to the said images.


Note that the spammed messages appear to be from innocent users that the recipients presumably knew. In addition, they were also signed or at least had the sender’s name at the end of the message. In the sample above, the sender’s name has been blurred to protect his/her identity. Combined, this may lead users to believe the message is legitimate.

However, the link does not go to any legitimate social-networking or photo-hosting site. Users were instead prompted to download a “photo archive.”


The photo archive is actually a ZBOT variant detected by Trend Micro as TROJ_KRAP.SMDA. Like all ZBOT variants, it steals users’ personal banking information and sends the stolen data to cybercriminals. A summary of the ZBOT/ZeuS malware family’s behavior can be found here.

In addition, the download page also contains a malicious iframe, which leads to a website that previously hosted the Phoenix Exploit’s Kit, which was designed to take advantage of vulnerabilities in several popular applications like Adobe Flash, Internet Explorer (IE), Microsoft Office, and Mozilla Firefox.


Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching users’ inboxes via the email reputation service. It also blocks access to the malicious sites via the Web reputation service and prevents the download and execution of the malicious files via the file reputation service.

Non-Trend Micro product users may also benefit from using free tools like eMail ID, a browser plug-in that helps users identify legitimate email messages in their inboxes. Users can also call upon HouseCall, Trend Micro’s highly popular and capable on-demand scanner that identifies and removes viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.


Malicious Medical Ads Flood Users’ Inboxes

March 22, 2010

TrendLabs observed an increase in malicious medical advertisements spammed to users’ e-mail inboxes. Two of the samples our engineers obtained looked legitimate, even had professional-looking graphics (see Figures 1 and 2). Another was just the normal, everyday, plain-text spam (see Figure 3).


The spammed messages enticed recipients to purchase the medicines the scammers were selling. These lured recipients with supposed huge discounts, ranging from 70–80% off of all products. The messages also sported links that when clicked redirected users to a spoofed online store that sold male organ-enhancing pills.

More recently, a spam run that uses a new feature was discovered. Instead of asking recipients to click an embedded link or an image, it asked them to open the .JPG file attachment—an image of Viagra and Cialis—along with the line, “DO NOT CLICK, JUST ENTER (a particular URL) IN YOUR BROWSER.” The spammed messages also contained a series of salad words to avoid being filtered (see Figure 4).

Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching users’ inboxes via the email reputation service. It also blocks access to malicious sites via the Web reputation service.

Non-Trend Micro product users may also benefit from using free tools like eMail ID, a browser plug-in that helps users identify legitimate email messages in their inboxes.

Additional text by Trend Micro anti-spam research engineer Gedrick Lacson
