Spammers Target Facebook and Twitter at Once

June 21, 2010

Due to their ever-growing popularity, social networks have been a continuous target of cybercriminals looking to spread their malicious schemes. TrendLabs received samples of another Facebook-themed spam run, this time also taking advantage of the popular micro-blogging site, Twitter.


The mail, which poses as a Facebook notification message, uses adult-themed strings to lure users into opening the attachment. The .ZIP file attachment, Twitter.zip, contains the file twitter.html, which embeds a malicious script that Trend Micro detects as JS_REDIR.AE.

Social networks have yet to reach their peak, as an increasing number of users spend more time managing their accounts. According to the latest findings by Nielsen, social networking and blogging account for one in every four-and-a-half minutes people spend online.

With Facebook still one of the world’s most popular social media sites and Twitter not far behind, cybercriminals will most likely use these sites more and more to propagate malicious code.

In fact, Twitter itself is also becoming a means of spreading spam. As discussed by Trend Micro researcher Rik Ferguson, malicious Tweets now lead to malicious .PDF and .EXE files detected as TROJ_PIDIEF.JCS and TROJ_SMALL.LEC, respectively.

Fortunately for Trend Micro product users, the Smart Protection Network blocks the malicious files from running on their systems.

Additional text by Carolyn Guevarra and Jonathan Leopando

Post from: TrendLabs | Malware Blog - by Trend Micro


Spoofed Trend Micro Alert Leads to Canadian Pharma Site

June 11, 2010

With the underground economy still thriving, cybercriminals will use any method available, Canadian pharma spam runs included, to feed their information theft operations.

Canadian pharmacy sites are known to be used by scammers to sell a wide range of fake medicines, usually for impotence and other serious medical conditions, at much lower prices than regular pharmacies. These sites employ various techniques to fool users into believing that they are legitimate and secure. For instance, when you purchase from such a site, it claims to take your credit card information over a secure connection. In practice, this is often not the case.

For cybercriminals, this is another opportunity to profit and steal personal information from users. This is why pharma site scams have also been associated with big malware campaigns, including the infamous Storm worm a couple of years back.

At present, there is still a very high demand for user information in the underground economy because of the amount of money that cybercriminals can make from it. Trend Micro advanced threats researcher Joey Costoya has been monitoring underground activities and reports that email addresses can range from US$7–30 per bulk, depending on the mail servers used. Another report shows a much higher rate than that.

Recently, cybercriminals have once again been seen targeting customers of antivirus firms by using the name and reputation of antivirus companies in their social engineering ploys. We received reports of a spoofed Trend Micro notification that redirected users to a Canadian pharmacy website. As in previous spam runs, cybercriminals sent spammed messages to target recipients, claiming to be from a legitimate source. In this case, these claimed to be from an administrator of Trend Micro.

The email messages notified recipients that their accounts have been hacked and were thus temporarily inaccessible. These then advised users to open the .HTML file that came attached to the email for instructions on how to enable their accounts. Opening the attachment, of course, redirected users to a Canadian pharmacy website.


Trend Micro detects the file attachment as JS_REDIR.VIAG. Through email and Web reputation services, Trend Micro™ Smart Protection Network™ protects users from this threat by blocking the spammed messages along with user access to the spam sites. Smart Protection Network also detects and deletes files detected as JS_REDIR.VIAG via the file reputation service.

This is not the first time that Trend Micro’s name has been used in Web attacks. In fact, in 2007, a fake Trend Micro website was used to phish sensitive information from customers. Customers and users alike are thus advised to be very wary of email notifications and to verify the authenticity of the emails they receive and the websites they visit before giving out any information. Note that Trend Micro does not send unsolicited emails to its customers, especially ones that redirect users to suspicious-looking sites.

As cybercriminals continue performing attacks like these, they increase their chances of successfully stealing information by sending such emails to recipients they know to be Trend Micro customers. Such is the nature of threats today: they are getting more personal and thus more “real.”

Special thanks to Anti-Spam Research Engineer Mary Aquino for initially reporting this incident.

Update as of June 14, 2010, 12:30 a.m. (UTC -8:00)

This particular campaign is not limited to fake notifications. The ongoing “World Cup” is being used as well.




Bogus Twitter Spam Hits Inboxes

June 9, 2010

Spammers seem to be on something of a Twitter rampage of late. They have sent out a wide variety of spammed messages recently that all appear to be from Twitter:


The first mail sample shows a phishing attack mounted against users. The second contains links to a malicious file that is already detected as TROJ_FAKETWT.A.

Even pharmaceutical spammed messages are exploiting Twitter:


All of these attacks are dealt with by Trend Micro products via the Smart Protection Network™. The spammed messages and the phishing pages are already blocked. The malicious file is already detected as well.

For users without Trend Micro products, the usual warning about links in email messages applies: clicking links in emails is a very bad idea. Twitter does not send links to any “secure module.” Similarly, legitimate Twitter emails about a change to an account’s email address include the new email address in the message body and do not describe or promote any new service, as many of these phishing emails do.

Of course, Twitter itself, beyond being social-engineering bait, has something of a spam and phishing problem. On their official blog, they have announced that later this year all links in Tweets will pass through Twitter’s own link shortener, located at http://t.co. This service produces shortened links with a fixed length of 20 characters.

What’s more important, however, is how these links will be presented. On text messages, the shortened version will be shown. On the Web or on applications, however, either the full URL, the page title, or a shortened version that does not hide the domain might be shown. As Twitter says in its blog:

Ultimately, we want to display links in a way that removes the obscurity of shortened links and lets you know where a link will take you.

It will be interesting to see how both Twitter and the many available applications make use of this information. Some clients already have similar features, but because these depend on the shortening service used, they are not always available. When this feature is finally implemented, it can only be a good thing for users.



FIFA and Gaza Attack Tweets Dump Backdoors

June 5, 2010

What do the “FIFA World Cup” and the Gaza attack have in common? They are both currently being used as social engineering ploys by a couple of malware campaigns seen on Twitter. TrendLabs senior threat researcher Ivan Macalintal spotted several malicious programs being distributed via the popular microblogging site. These campaigns take advantage of noteworthy events to lure users into clicking malicious links in Tweets.

The first malware run makes use of the upcoming FIFA World Cup (set to see record levels of global interactivity according to CNN) by sending the following Tweet:

Clicking the link leads users to download a copy of a backdoor detected as BKDR_BIFROSE.SMK, which connects to its controllers’ IP addresses and allows a remote user to perform malicious activities on affected systems. These activities include sending and receiving files, keylogging, and retrieving user names and passwords. It also has rootkit capabilities, which enable it to hide its processes and files from its victims.

The second campaign, on the other hand, sends out the following Tweet related to the Gaza attacks:

This time, the malware downloaded from the link is BKDR_BIFROSE.PAB, which opens a hidden Internet Explorer (IE) window and listens on TCP port 788 for commands from a remote malicious user, who may use it to launch denial-of-service (DoS) attacks against target systems using specific flooding methods.

Trend Micro™ Smart Protection Network™ protects users from these threats by detecting and deleting BKDR_BIFROSE.SMK and BKDR_BIFROSE.PAB via the file reputation service. Users must also be wary of and double-check shortened links in microblogging site updates.

The “FIFA World Cup” is an incredibly popular global event that has already moved opportunistic cybercriminals into action as seen in the following previous posts:

The past couple of months proved to be no safer for microblogging (i.e., Twitter) users either as seen in:



419 Scam Resurfaces with FBI Spam

June 3, 2010

Cybercriminals have found yet another way to grab users’ attention. This time, they posed as members of the Federal Bureau of Investigation (FBI) from Washington D.C. to scam users with a spammed message.


As in any other scam, the email sender posed as someone from a legitimate body. Here the sender claims to be from the FBI. The spam informs the recipient that he/she is the beneficiary of US$10.5 million. The fake FBI representative then instructs the recipient to contact the head of the “Online Transfer Department” of the United Trust Bank London. This person, the email insists, is the only one who can release the promised millions, and the recipient is told to follow the instructions to the letter in order to make the claim.

This, of course, is a hoax. For greater irony, and to show the lengths cybercriminals will go to in order to trick their victims, a note has even been added at the end warning the recipient about possible fraudsters who might attempt to deal with him/her.

To avoid becoming a victim of such a scam, pay attention to every detail in the email messages you receive. With careful observation, the fake ones are easy to tell apart from the real ones.

Trend Micro™ Smart Protection Network™ protects users from this and similar attacks by preventing the spammed messages from even reaching their inboxes via the email reputation service.



SASFIS Malware Uses a New Trick

May 31, 2010

Early this year, the SASFIS Trojan became notorious in relation to spoofed email messages supposedly from Facebook. SASFIS infections usually lead to many further infections, as this family opens systems to botnet malware, particularly ZeuS and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.

TrendLabs engineer Shih-Hao Weng came across a new SASFIS variant that uses the right-to-left override (RLO) technique, which in the past was more commonly associated with spamming but has now become a social engineering tactic.


This SASFIS Trojan arrives via a spammed message with a .RAR file attachment, which contains a supposed .XLS file. Once extracted to the desktop, the file looks like an authentic MS Excel document. In reality, however, it is a screensaver executable detected by Trend Micro as TROJ_SASFIS.HBC. This Trojan drops BKDR_SASFIS.AC, which injects threads into the legitimate svchost.exe process.

While the file may appear at first to be an Excel worksheet, it has a Win32 executable (PE) header, which only executable files carry. Its real file name (minus the Chinese characters) is phone&mail).[U+202E]slx.scr, where U+202E is the Unicode RIGHT-TO-LEFT OVERRIDE control character, which tells the renderer to display the characters that follow from right to left. To the user, the file therefore appears to be named phone&mail).rcs.xls, ending in what looks like an .XLS extension. This could lead them to believe that the file is indeed an Excel document and thus “safe” to open, when in reality it is an executable .SCR file.

The same trick is used with other file names, such as BACKS[U+202E]FWS.BAT and I-LOVE-YOU-XOX[U+202E]TXT.EXE, which are displayed as BACKSTAB.SWF and I-LOVE-YOU-XOXEXE.TXT respectively. In the former case, a batch file is disguised as an Adobe Flash file; in the latter, an executable file is disguised as a text file.
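The following is an added example, not code from the original post or from Trend Micro: a small checker that reproduces what a bidi-aware file manager shows for each of the three file names quoted above, recovers the real extension the OS will use, and flags the mismatch. The mirroring logic is a simplification of the Unicode bidi algorithm (it reverses everything after U+202E up to a U+202C or the end of the name), which is enough for these samples but not a full implementation. The file header bytes attached to the samples are constructed for the demonstration; the “MZ” signature check is the real DOS-stub signature every Win32 PE file starts with.

```python
# Added example: detecting right-to-left-override (RLO) file name spoofing.
# Illustrative code written for this page; not Trend Micro's tooling.

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING (terminates an override)

# Unicode bidi formatting characters; none of them belong in a file name.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)
EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "pif", "vbs", "js"}
# Extensions for which a PE header is expected rather than suspicious.
PE_EXTENSIONS = EXECUTABLE_EXTENSIONS | {"dll", "sys", "cpl", "ocx"}


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware file manager displays for `name`.

    Text after the first U+202E is shown mirrored, up to a U+202C or the end
    of the string. The real bidi algorithm treats punctuation and digits more
    subtly; this simplification (an assumption of the example) is enough to
    reproduce the samples quoted in the post.
    """
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    overridden, _, rest = tail.partition(PDF)
    return head + overridden[::-1] + rest


def strip_bidi(name: str) -> str:
    """The name as the operating system actually interprets it."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_attachment(name: str, head: bytes = b"") -> dict:
    """Compare the displayed extension with the real one and the file header.

    `head` is the first few bytes of the file. A Win32 executable (PE) starts
    with the b"MZ" DOS-stub signature no matter what its name claims.
    """
    real_ext = extension(strip_bidi(name))
    shown_ext = extension(rendered_name(name))
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    is_pe = head[:2] == b"MZ"

    reasons = []
    if has_bidi:
        reasons.append("bidi control character in file name")
    if has_bidi and real_ext != shown_ext:
        reasons.append(f"displayed as .{shown_ext} but really .{real_ext}")
    if is_pe and real_ext not in PE_EXTENSIONS:
        reasons.append(f"PE header but non-executable extension .{real_ext}")
    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{real_ext}")

    return {
        "name": name,
        "displayed_as": rendered_name(name),
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "pe_header": is_pe,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# File names from the post; the header bytes are constructed for the demo.
SAMPLES = [
    ("phone&mail).\u202eslx.scr", b"MZ\x90\x00\x03\x00"),   # PE, shown as .xls
    ("BACKS\u202eFWS.BAT", b"@echo off\r\n"),                # batch, shown as .swf
    ("I-LOVE-YOU-XOX\u202eTXT.EXE", b"MZ\x90\x00\x03\x00"), # PE, shown as .txt
    ("quarterly.xls", b"\xd0\xcf\x11\xe0"),                  # genuine OLE2 magic
]

if __name__ == "__main__":
    for sample_name, sample_head in SAMPLES:
        r = inspect_attachment(sample_name, sample_head)
        print(f"{r['displayed_as']!r:32} real=.{r['real_extension']:<4} "
              f"suspicious={r['suspicious']} {r['reasons']}")
```

A mail gateway or endpoint agent can apply the same three checks (bidi controls in the name, displayed versus real extension, header versus extension) to every attachment before it reaches a desktop where only the rendered name is visible.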


Users can, however, prevent this attack from affecting their systems by employing the usual best practices: not opening suspicious-looking email messages and not downloading and executing attachments. Note that Windows Explorer’s “Type” column and the file properties dialog are derived from the real extension, so a supposed spreadsheet listed as “Screen saver” or “Application” is a giveaway, as is an .XLS file whose first two bytes are “MZ.”

Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching their inboxes via the email reputation service. Trend Micro products also detect and delete the malicious files TROJ_SASFIS.HBC and BKDR_SASFIS.AC from affected systems via the file reputation service.

Update as of June 2, 2010, 12:30 a.m. (GMT – 7:00)

In related news, JPCERT/CC has issued an alert warning users in Japan that spam messages with a malicious attachment are now using this very tactic. (A translation of the alert into English can be found here.) Trend Micro detects this malicious attachment as TROJ_UNDEF.QC.



Latest Online Scam Targets FIFA Fans

May 26, 2010

The upcoming “2010 FIFA World Cup” in South Africa is one of the most highly anticipated sporting events of the year. As expected, cybercriminals have been using it as another vehicle for their endless string of profiteering schemes.

TrendLabsSM engineers discovered two separate spam runs leveraging the said event. The first spam sample (see Figure 1) had a .DOC file attachment that informs recipients of a supposed new contest called “Final Draw” organized in part by the FIFA Organizing Committee. It also tells the recipient of a US$550,000 prize. To claim this, however, the “winner” must immediately coordinate with the releasing agent via the contact information indicated in the email. The email also asks the recipient to give out personal information.

[Figures 1 and 2: the two spam samples; images not reproduced]

Another sample (see Figure 2) related to this scam is a poorly written email with an equally poorly worded letter attachment in PDF. This asks recipients to divulge specific information in relation to a fund transfer transaction amounting to a whopping US$10.5 million. Upon agreeing to the proposal, the recipient should supposedly get 30 percent of the said amount.

Note that this tactic is reminiscent of the infamous 419 or Nigerian scam, which persuaded users to send cash by promising them a large amount of money in return for their cooperation.

[Figures 3 and 4: a typical 419 letter and the FIFA-themed spam, with the numbered annotations referenced below; images not reproduced]

A typical 419 or Nigerian scam is a type of fraud wherein victims are promised a sum of money, such as a lottery prize or an inheritance, in exchange for something minor like personal information or a small payment (see Figure 3). The letter starts off by (1) introducing the sender as a member of a supposedly reputable organization and then implores the recipient for help. The FIFA-themed spam we obtained (see Figure 4) uses the same technique, (2) promising the recipient a sum of money.

Neither scam asks for cash directly. Instead, they ask for information or for the recipient to (3) coordinate with a fake contact, accompanied by a (4) call to action to send in their contact details. Simply put, the cybercriminals behind these scams use the Internet to commit crimes such as identity theft, spamming, phishing, and other types of fraud. In fact, FIFA has sternly warned fans of similar online scams such as those featured in the following blog posts:

Trend Micro is committed to always being a step ahead of internal and external threats to digital information and reputation. As such, Trend Micro™ Smart Protection Network™ protects product users from this kind of attack by blocking the spammed messages even before they reach inboxes via the email reputation service.



Phishing Scam Targets Italian Bank

May 25, 2010

Italian bank Banca Popolare di Sondrio has become phishers’ new target with the discovery of a spammed message containing a link to the supposed bank’s Internet banking site, SCRIGNO.


As with previous bank-related phishing attempts, clicking the link leads users to a site that looks very much like the legitimate Internet banking login page. The site asks users to enter their user codes and personal identification numbers (PINs). After they give out the requested information, they are redirected to another page that asks for a control code found on every SCRIGNO customer’s card.


Once users have provided all the necessary information, they are redirected to the real SCRIGNO site. Unfortunately, by this time, the phishers have already acquired the data they need.


Phishing attacks, regardless of vector—spamming or site spoofing—are already a staple in the current threat landscape. As in this most recent attack, cybercriminals often send out spammed messages purporting to come from various banks to users in an attempt to trick them into clicking embedded malicious links, as shown in the following previous posts:

Cybercriminals also spoof legitimate banking sites for their profiteering schemes. In such attacks, they leverage users’ trust in the latest banking technologies, as in the following previous attacks:

To avoid becoming victims of phishing scams, the best solution is still user vigilance. Users must continue to be wary of suspicious-looking email messages and must refrain from clicking dubious links. Being familiar with the full addresses of the banking sites they use, and typing those addresses themselves rather than following a link from an email, can also prevent them from unwittingly giving out critical information on phishing sites. Of course, using an effective security solution will also help.

Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching users’ inboxes via the email reputation service. It also blocks access to the said phishing site via the Web reputation service.



Spam Sends Malicious Links to Skype Users

May 17, 2010

TrendLabs engineers recently discovered a new Skype spam campaign. The spam arrives as a message from someone on the user’s contact list. It contains a list of links on the host {BLOCKED}4.171.116, most of which are already inactive.


One of these links has been found to lead to the download of a malicious file detected by Trend Micro as WORM_PALEVO.AZA. It appears as a TinyURL link that resolves to http://{BLOCKED}4.171.116/suspended.page/slika.exe. The file slika.exe stops the Windows Update service and attempts to connect to the remote servers {BLOCKED}.97.166 and {BLOCKED}.77.59 on TCP ports 80 and 1234, respectively.
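The network behaviour described here and in the BIFROSE post above (a backdoor listening on TCP 788; a worm connecting out on TCP 80 and 1234) is the kind of thing an incident responder checks for on a suspect host. The following is an added example, not part of either post or of any Trend Micro product: it parses Windows `netstat -ano` output and matches it against those indicators. The netstat text is constructed for the demonstration, and because the posts mask the real server addresses as {BLOCKED}, the example substitutes documentation-range addresses (203.0.113.0/24) as placeholders.

```python
# Added example: matching netstat -ano output against the network indicators
# described in the BIFROSE and PALEVO posts. Illustrative code for this page.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None for the "*:*" shown on UDP sockets
    state: str                   # "" for UDP, which has no state column
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse the columns of Windows `netstat -ano` (TCP and UDP rows)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # header, banner or blank line
        if len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4:             # UDP rows carry no state
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        lip, lport = local.rsplit(":", 1)      # rsplit keeps "[::]" intact
        rip, rport = foreign.rsplit(":", 1)
        conns.append(Conn(proto, lip, int(lport), rip,
                          None if rport == "*" else int(rport), state, int(pid)))
    return conns


@dataclass(frozen=True)
class Indicator:
    family: str
    description: str
    remote_ips: frozenset = frozenset()    # C2 hosts (match together with port)
    remote_ports: frozenset = frozenset()
    listen_ports: frozenset = frozenset()  # backdoor listener ports


INDICATORS = [
    # From the FIFA/Gaza post: BKDR_BIFROSE.PAB listens on TCP 788.
    Indicator("BKDR_BIFROSE.PAB", "listens on TCP 788 for commands",
              listen_ports=frozenset({788})),
    # From the Skype post: WORM_PALEVO.AZA connects out on TCP 80 and 1234.
    # The real addresses are masked in the post; these are placeholders.
    Indicator("WORM_PALEVO.AZA", "connects to its servers on TCP 80 and 1234",
              remote_ips=frozenset({"203.0.113.17", "203.0.113.45"}),
              remote_ports=frozenset({80, 1234})),
]


def match_indicators(conns: List[Conn],
                     indicators=INDICATORS) -> List[Tuple[str, int, str]]:
    """Return (family, pid, detail) for every socket that matches an indicator.

    A bare port number such as 788 is a weak indicator on its own, so the
    outbound rule requires both a listed host and a listed port; the PID is
    returned so the analyst can map it to a process with `tasklist`.
    """
    findings = []
    for c in conns:
        for ioc in indicators:
            if (c.proto == "TCP" and c.state == "LISTENING"
                    and c.local_port in ioc.listen_ports):
                findings.append((ioc.family, c.pid,
                                 f"listening on {c.local_ip}:{c.local_port}"))
            if (c.state == "ESTABLISHED" and c.remote_ip in ioc.remote_ips
                    and c.remote_port in ioc.remote_ports):
                findings.append((ioc.family, c.pid,
                                 f"connected to {c.remote_ip}:{c.remote_port}"))
    return findings


# Constructed netstat -ano output for an infected host (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:788            0.0.0.0:0              LISTENING       2144
  TCP    192.168.1.20:49201     203.0.113.17:80        ESTABLISHED     3020
  TCP    192.168.1.20:49202     203.0.113.45:1234      ESTABLISHED     3020
  TCP    192.168.1.20:49210     198.51.100.9:443       ESTABLISHED     1588
  UDP    0.0.0.0:5355           *:*                                    1120
"""

if __name__ == "__main__":
    for family, pid, detail in match_indicators(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{family:<18} pid={pid:<6} {detail}")
```

Run against a live host, feed it the output of `netstat -ano` instead of the constructed sample; the PIDs in the findings are what to pivot on with `tasklist /svc` or a process listing.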

Trend Micro™ Smart Protection Network™ protects product users from this threat by blocking access to the malicious sites and domains that host the malware-ridden files via the Web reputation service and by preventing the download and execution of WORM_PALEVO.AZA via the file reputation service.



CV Spam Comes with a Malicious Attachment

May 13, 2010

A new spam campaign has been discovered spoofing job-application-related emails. While most spammed messages have been known to take advantage of a specific occasion, a holiday, or even a currently newsworthy item, spammers have hit a new low with this scheme.

[Figure 1: the CV spam sample; image not reproduced]

The sample in Figure 1 contains a short body text that says “Please review my CV, Thank you!” The email also comes with a .ZIP file attachment. The archive contains a malicious .EXE file named Resume_document_589.exe, detected by Trend Micro as TROJ_OFICLA.AB. When executed, it drops its component file, TROJ_DLOADR.SMVE, onto the user’s system. This was found to be the same downloader seen in a similar spam run.

Job spam is no longer a novel enticement to lure users into malicious tactics. While the one-liner in the body text may be far from convincing to the more experienced user, first timers who chance upon the spam may still unwittingly open the attachment out of mere curiosity. Recipients are thus advised to constantly exercise caution when opening email messages and when executing file attachments.

Trend Micro™ Smart Protection Network™ protects product users from this attack by preventing the spammed messages from even reaching users’ inboxes via the email reputation service and by blocking access to malicious sites and domains that host malware-ridden files via the Web reputation service. It also prevents the download and execution of the related malware, TROJ_OFICLA.AB and TROJ_DLOADR.SMVE, on affected systems via the Trend Micro file reputation service.

Non-Trend Micro product users can also stay protected from similar attacks by using eMail ID, a free tool that uses a two-step verification process to help users quickly find legitimate messages in their inboxes.


