iPhone Applications Tune-up |E-Book|

January 18, 2012
Packt recently published a new book, iPhone Applications Tune-up. The book is of course about programming for the iPhone, but there is one chapter on maintainability that has far broader applicability than just the iPhone. This review was written by Wes Boudville. Read more about the book or download a free Sample Chapter here: Sample [...]

Pentagon OKs Android for DoD Usage

December 27, 2011
The Pentagon has approved a version of Android running on Dell hardware to be used by DoD officials, along with the BlackBerry. The approval of Android by the DoD is a major setback for Apple’s iPhone. The military approval is quite specific. Android can only be used on Dell’s hardware running Android 2.2. Dell is [...]

After Dealing with Anonymous, HBGary Federal's CEO Resigns

November 20, 2011
The game is over for Aaron Barr. HBGary Federal’s CEO, who was targeted by Anonymous, announced his resignation on Monday during an interview with Kaspersky’s news portal, Threatpost. Barr said he would step down to focus on his family and rebuild his reputation. Aaron Barr has rarely given interviews to the media since the events [...]

Months-Old Skype Vulnerability Exploited in the Wild

June 17, 2010

Cybercriminals have once again used a not-so-new but still seemingly promising medium for their malware campaigns. Earlier today, ZDNet reported a “new” exploit that targets Skype users. This exploit takes advantage of a vulnerability in a Skype component, EasyBits Extras Manager. While the vulnerability was found and fixed as early as October 2009, many users are still running older, vulnerable versions.

The vulnerability is being used to download malicious files, among them a ZBOT variant, TROJ_ZBOT.COC. As is typical of ZBOT variants, it steals a user’s personal information, particularly information related to online banking.

Trend Micro already had coverage for these payloads many months before cybercriminals actually used the Skype vulnerability described above as a means to deploy them.

Over the years, Skype has been targeted and used as an infection vector by several malware families, including STRAT, KOOBFACE, and, more recently, PALEVO, due to its growing user base.

Skype currently hosts more than 500 million registered users and is still adding 300,000 users per day. Skype CEO John Silverman aims to have about 100 million PCs shipped preloaded with the popular VoIP software in 2011. This January, TeleGeography reported that Skype’s traffic growth soared over the last year while international phone traffic declined, showing that more and more users prefer Skype as a medium for international voice communications.

Unfortunately, Skype vulnerabilities have been found and exploited in the past:

This attack highlights how important it is to keep applications updated. Nowadays, many popular applications have auto-update capabilities. Users should use these to ensure that all their commonly used applications, particularly those that run whenever their systems start, are kept up to date.

On a similar note, the popularity of Skype is also now being used in spam campaigns. Trend Micro engineers received the following spam message targeting Skype users:


As expected, the link in the message does not lead to a legitimate Skype page, although the site it points to is currently down.

All threats discussed in this post are already covered by Trend Micro products.

Additional text by Jonathan Leopando, Merianne Polintan and Threat Research Manager Ivan Macalintal. Thanks Ivan for the heads-up!

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Help Center Zero-Day Exploits Loose

June 16, 2010

Heads-up for users still running Windows XP: The unpatched Help Center flaw revealed last week is now out in the wild and being used to launch malware attacks against target users.

This new zero-day exploit takes advantage of the vulnerability that exists in the Microsoft Windows Help Center, a default Microsoft application that allows users to access online documentation for Windows. This vulnerability could allow remote code execution if a user views a malicious website.

Based on the analysis of TrendLabs threat analyst Joseph Cepe, there are two ways in which a user can get infected, as shown below.


The first method yields a prompt which, when clicked, redirects users to a compromised website that downloads a malicious JavaScript file. In this case, the compromised page is detected as TROJ_HCPEXP.A while the malicious script is detected as JS_HCPDL.A. This then downloads another file detected as TROJ_DROPPR.TEJ. This last malicious file drops multiple downloaders onto the affected system. In turn, these download a wide variety of malware onto affected systems (including, unsurprisingly, FAKEAV malware).

The second method uses a stealthier approach wherein the malware performs the download automatically, without prompting the user to click anything. It instead runs Windows Media Player and automatically downloads a malicious Advanced Stream Redirector (.ASX) file, simple.asx. This .ASX file contains a link that references another Web page. However, as of this writing, the URL it redirects to is inaccessible.

The disclosure of this vulnerability has been controversial to say the least. Microsoft learned about the flaw on June 5 from its discoverer, Tavis Ormandy. Ormandy released the full details to the public on the Exploits Database site five days later. Microsoft was not particularly happy with Ormandy, as its blog post confirming the vulnerability makes clear. Despite the fact that Ormandy works for Google, it should be noted that he was doing this as a personal project and not as a Google employee.

However one feels about Ormandy’s disclosure, the fact is that the vulnerability is out in the wild, is being exploited by cybercriminals, and is causing damage.

Microsoft updated its advisory earlier today saying that it is aware of the “limited, targeted active attacks that use the exploit” and is actively monitoring the situation. Microsoft also added via its Security Response team’s Twitter account that Server 2003 users are currently not at risk based on the attacks seen so far. (It would be a mistake, however, for Server 2003 users to think that will always be the case.) It is not clear whether an out-of-band patch is forthcoming, although that cannot be ruled out.

Until a patch does arrive, however, users are left to apply workarounds for the issue. “The best workaround is to unregister the hcp:// protocol handler. Doing so will prevent the chain of events that leads to the code execution,” Cepe advises. Microsoft has provided an online tool to help users do this.
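For administrators who want to apply the workaround Cepe describes without relying on the online tool, the following PowerShell script is added here as an illustration; it is not from the original post or from Microsoft. It assumes the hcp:// handler is registered under HKEY_CLASSES_ROOT\HCP, the key Microsoft's advisory workaround names, and it backs that key up before removing it so the change can be reverted once the patch is installed.

```powershell
# Added example: check for, back up, and unregister the hcp:// protocol handler.
# Assumption: the handler lives under HKEY_CLASSES_ROOT\HCP (the key named in
# Microsoft's workaround for this Help Center flaw). Run from an elevated prompt.
$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$BackupFile = Join-Path $env:TEMP 'HCP-handler-backup.reg'

function Test-HcpHandlerRegistered {
    # Returns $true while the hcp:// URL protocol is still registered.
    return (Test-Path -Path $HcpKey)
}

function Disable-HcpHandler {
    if (-not (Test-HcpHandlerRegistered)) {
        Write-Host 'hcp:// handler is not registered; nothing to do.'
        return
    }
    # Export the key first so the workaround can be undone after patching
    # (restore later with: reg import <backup file>).
    if (Test-Path -Path $BackupFile) { Remove-Item -Path $BackupFile -Force }
    & reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
        throw "Backup to $BackupFile failed; not removing the handler."
    }
    Remove-Item -Path $HcpKey -Recurse -Force
    Write-Host "hcp:// handler unregistered. Backup saved to $BackupFile."
}

Disable-HcpHandler
```

Unregistering the handler breaks hcp:// links in Help and Support Center until the key is restored, which is the trade-off the workaround accepts.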

Additional text by Jonathan Leopando. Thanks to Ivan Macalintal for giving the heads-up on the exploit.

Passwords Matter—The Hidden Risks “Minor” Info Stealers Pose

June 15, 2010

Last week, we had two major mass compromises. The first one hit more than 100,000 websites, including major news sites like the Wall Street Journal and the Jerusalem Post. The second campaign was much smaller, hitting only around 1,000 pages, and also lacked similarly high-profile victims although the casino firm Ameristar was on the victim list.

The first attack directed users to http://www.{BLOCKED}nt.us/u.js. Once users go to this URL, they inadvertently download a Trojan detected by Trend Micro as TROJ_DLOAD.VAC. This downloads a malicious file detected as TSPY_GAMETHI.QJB. A very similar payload was used by the second wave.

Target: Online Gamers

What is worth noting here is that TSPY_GAMETHI.QJB stole information related to online gaming sites such as Aion Online, Dungeon Fighter, and World of Warcraft. It is tempting to think that the potential fallout from these thefts is minor, but it is not. As pointed out in a late-2008 white paper, the “virtual worlds” in online games pose real security risks.

It is also quite likely that the stolen information is not just related to online games. Last week, an interesting paper was presented at the Workshop on the Economics of Information Security. Written by two University of Cambridge researchers, the paper analyzed how 150 different websites use passwords. The researchers found that many sites used passwords less for security (which was not always consistently implemented) and more for collecting demographic information.

The researchers cited the website of the New York Times, which requires users to state their income, job title, industry, and company size. None of these are particularly needed to deliver news to readers but advertisers would find this information very useful.

With so many sites requiring registration (and thus a password), passwords are overused. Unfortunately, the human ability to remember them is limited. The end result? Users recycle passwords across different sites, some of which may handle passwords less securely than the rest.

Passwords Matter

The end lesson is actually simple: passwords are passwords, regardless of whether they are used in the way they were intended (for security) or as a means of collecting personal information. Users should know this and behave accordingly. Do not reuse passwords (if needed, use freely available password managers) and change them as needed.

Bogus Twitter Spam Hits Inboxes

June 9, 2010

Spammers seem to be on something of a Twitter rampage of late. They have sent out a wide variety of spammed messages recently that all appear to be from Twitter:


The first mail sample shows a phishing attack mounted against users. The second contains links to a malicious file that is already detected as TROJ_FAKETWT.A.

Even pharmaceutical spammed messages are exploiting Twitter:


All of these attacks are dealt with by Trend Micro products via the Smart Protection Network™. The spammed messages and the phishing pages are already blocked. The malicious file is already detected as well.

For users without Trend Micro products, the usual warning about links in email messages applies: clicking links in emails is a very bad idea. Twitter does not send links to a secure module. Similarly, legitimate Twitter emails about changing the email address of a user account include the new email address in the message body and do not describe or promote any new service, as many of these phishing emails do.

Of course, Twitter itself, beyond being used as social-engineering bait, has something of a spam and phishing problem. On its official blog, Twitter has announced that later this year, all links in Tweets will pass through Twitter’s own internal link shortener, located at http://t.co. This particular service produces shortened links with a fixed length of 20 characters.

What’s more important, however, is how these links will be presented. On text messages, the shortened version will be shown. On the Web or on applications, however, either the full URL, the page title, or a shortened version that does not hide the domain might be shown. As Twitter says in its blog:

Ultimately, we want to display links in a way that removes the obscurity of shortened links and lets you know where a link will take you.

It will be interesting to see how both Twitter and the many available applications make use of this information. Some clients already have similar features, but because these tend to rely on the shortening service used, they are not always available. When this feature is finally implemented, it can only be a good thing for users.

“Tequila Botnet” Targets Mexican Users

June 2, 2010

We recently received a report of a new phishing attack that originated from Mexico. It takes advantage of the controversial news about an allegedly missing four-year-old girl, Paulette Gebara Farah, who was later found dead in her own bedroom. On investigation, we found that this attack came from a Mexican botnet and that it was trying to steal banking and financial information from users.

Online banking is widely used in Latin America, and this attack is another example of cybercriminals targeting the online banking community in an effort to extort money and sensitive financial information.

Users who are following the said news may fall prey to this attack by visiting the page http://www.knijo.{BLOCKED}0.net/fotografias-al-desnudo-de-la-mama-de-paulette.htm, which contains an article about Paulette and claims to show nude photos of her mother. When a user accesses this page, a fake dialog box pops up and requests the user to download and install Adobe Flash Player.


Clicking Run leads to the download of the file video-de-la-mama-de-paulette.exe, which is actually the client program of a bot detected by Trend Micro as TSPY_MEXBANK.A.

During our investigation, we were able to access the botnet’s command-and-control (C&C) interface and to learn about its management functions. We were able to enter the management interface and to see for ourselves the complete capabilities of this new botnet.


The bot menu shows the total number of zombies and a list of the compromised computers. The list of zombies displays the ID number, name of the client, and the action executed on a bot. It has options to disable or enable a bot, to start netcat (a powerful networking utility that can be used as a backdoor) on a bot, and to remove the bot from the botnet.


This newly discovered botnet has a fairly comprehensive feature set that can be compared with other older, more established botnet families. Each feature is placed in its own “module,” which the botnet herder can configure one by one.

It should be no surprise that a pharming module is part and parcel of its available features. As can be seen in the screenshot of the phishing module, this particular botnet targets Mexican users, particularly PayPal’s local site and the largest bank in the country, Bancomer.


Aside from this, the Tequila botnet can also download files from various malicious URLs, either via HTTP or FTP. Both ZBOT info stealers as well as FAKEAV malware have been spotted being dropped by this new family.

However, consumers are not the only ones the cybercriminals behind this botnet are ripping off: the AdSense module allows a site to be loaded repeatedly along with that site’s advertisements. In effect, cybercriminals use this to inflate traffic to their own sites, increasing the payments made by advertising networks such as Google’s AdSense.


In addition to being found on malicious websites, the Tequila botnet can also arrive via USB devices as well as via MSN Messenger. It sends messages that either contain the file itself (as an attachment of sorts) or links that go to copies of the malware.


The C&C server appears to be no longer reachable, in effect taking this particular botnet down. However, if the developer starts a new campaign and distributes new files, the number of bots may increase again, which would encourage the developer to create new modules for the botnet in the future.

Hat tip to Juan Castro of Trend Micro LAR for initially bringing this botnet to light.

The Evolution of KOOBFACE: A Web 2.0 Botnet

May 25, 2010

The KOOBFACE botnet continuously evolves to keep on generating profit for its perpetrators. The fact that the botnet is still alive shows that the cybercriminals behind it are making a fortune off it.

In our effort to conduct research on and to monitor the latest developments made to the KOOBFACE botnet, we have noticed several changes in the way it operates. Some of the major changes the botnet has undergone from when we started unmasking it include the following:

  1. Using proxy command-and-control (C&C) servers
  2. Encrypting the gang members’ C&C communications
  3. Banning IP addresses from repeatedly accessing KOOBFACE-controlled sites
  4. Introducing new binary components
  5. Employing several layers of binary protection with the use of more complex packers

These changes make it harder for security researchers to reverse-engineer existing KOOBFACE binaries and to monitor the gang members’ C&C communications. Though the changes the gang has made to its botnet have made it interesting to study, someone has to put a stop to their malicious schemes and put the perpetrators where they belong: behind bars.

For more information on the most recent developments on the KOOBFACE botnet based on our latest findings, read “Web 2.0 Botnet Evolution: KOOBFACE Revisited.” You may also find the following papers a good read to learn more about one of the most notorious botnets in existence today—KOOBFACE:

Fake HiJackThis Toolbar Serves Malware

May 10, 2010

HijackThis is a free tool Trend Micro offers as a courtesy to end users, customers and non-customers alike. It helps users evaluate their machines for possible infections by generating in-depth log reports for Windows systems. It also incorporates several useful tools that can help manually remove malware from infected computers.

Over time, HijackThis has grown steadily more popular, an opportunity malware authors could not pass up to use the tool’s name to spread their malicious creations. TrendLabs engineers recently came across TROJ_DROPPER.QLC, which uses “HijackThis” as its product name and “Trend Micro Inc.” as its copyright holder.


These deceptive properties may trick HijackThis users into executing the Trojan, which then drops another piece of malware detected as TROJ_UNDEF.QI, so that users’ systems end up hijacked by malware.

Trend Micro product users need not worry, however, as the Smart Protection Network™ protects them from this threat by detecting and preventing the execution of TROJ_DROPPER.QLC and TROJ_UNDEF.QI on their systems via the file reputation service.
