Advanced threats researcher Jonell Baltazar recently spotted an instant message that contains a link to a malicious page.

The use of instant messages to spread malware is no longer new; neither is the use of URL shorteners. What is somewhat unusual is how these URL shorteners were used.

The URL shortener used in this attack, ow.ly, shortens long URLs using the format http://ow.ly/(5 alphanumeric characters). Note that the spammed URL was padded with the query string ?=www.facebook.com/photo.php. Users who do not read the entire URL see only the Facebook domain in the tail and are led to believe that they will land on a Facebook page to see a picture, as the instant message says, when the link actually resolves to the ow.ly host and from there to a malicious page.

Users should always exercise caution in clicking strange links, regardless of source—social media, email messages, or instant messages.

The malicious link downloads a worm detected by Trend Micro as WORM_YIMBOT.A. Smart Protection Network™ already protects Trend Micro product users from this attack. In addition, the site the shortened link targets has also been blocked.

Sun JVM and Adobe Acrobat Reader Vulnerabilities Top List with Infection Rates of 36 percent

Melbourne, 23 July 2010 – AVG (AU/NZ) today announced that AVG Technologies’ Web security research team has discovered a network of 1.2 million malware-infected computers controlled by cybercriminals who were using the Eleonore exploit toolkit – commercial attack software which enables cyber criminals to infect and monitor compromised PCs.

The two-month-long study by AVG researched 165 Eleonore toolkits in use by cyber criminals and concluded that those using the Eleonore exploit toolkit were experiencing a 10 percent success rate in infecting the more than 12 million users visiting their compromised web pages. All 165 compromised domains experienced high volumes of traffic.

Although you may assume that the cyber criminals making and using these toolkits are software experts, the reality is that even malicious code writers leave vulnerabilities in their code. Taking advantage of one of the weaknesses in the Eleonore toolkit, AVG researchers were able to collect statistics that allowed them to gain a better understanding of the magnitude of such attacks and the average success rate in infecting PCs by these toolkits.

The research was built using AVG LinkScanner® product data, identifying URLs that the product blocked when it identified a threat.

“The accessibility and sophistication of easy-to-use cyber criminal toolkits proves that cyber gangs are raising the bar to monetise their criminal activities,” said Lloyd Borrett, Security Evangelist at AVG (AU/NZ). “That is why it’s more important than ever for families, corporations and other computer users to protect their computers from being targeted by this kind of increasingly popular cyber attack by using AVG anti-virus and web security tools like LinkScanner that AVG offers for free.”

The first step to silently infecting a user’s machine with malware is to exploit a vulnerability in their browser or other applications running on their machine. Successfully exploiting a vulnerability enables the cyber criminal to load and install the actual malware that can steal data and enable the criminal to later auction the PC online as a DDoS bot or a spam sending machine.

The Eleonore exploit toolkit utilises the following vulnerabilities to exploit PCs:

  • Sun JVM vulnerabilities
  • Adobe Acrobat Reader vulnerabilities
  • Various IE6 vulnerabilities
  • Various IE7 vulnerabilities
  • Various Firefox vulnerabilities

Dell warns of malware on server motherboards

Published on 22 July 2010 in Blog, Threats

Dell is warning customers that “a small number” of its server motherboards may contain malicious software.

“The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware,” according to a post on a Dell support forum. “This malware code has been detected on the embedded server management firmware.”

The malware issue affects a limited number of replacement motherboards in four servers, the PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 models, wrote Forrest Norrod, vice president and general manager of server platforms at Dell, in an e-mail.

It only potentially manifests itself when a customer has a specific configuration and is not running current antivirus software, Norrod wrote. “Dell is aware of the issue and is contacting affected customers. This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware,” Norrod wrote.

Norrod did not provide further details on the malware, how it affects servers and potential ways to fix it, but said further details will be posted soon at Dell’s website.

Dell’s response came after a customer wrote about being contacted by a service technician trying to schedule an appointment to cleanse a server of malware.

Dell said that it did not believe the issue would impact its customers. “To date we have received no customer reports related to data security,” according to the post.

Non-Windows OSes are not affected, and the malware is not present on the new motherboards shipped with PowerEdge systems, Dell said.

The company said it has assembled a customer list and is contacting customers through letters.

Source: http://www.computerworld.com.au/article/354036/dell_warns_malware_server_motherboards/

Just recently, reports were released about a new kind of malware propagating through removable drives. The said malware exploits a newly discovered vulnerability in shortcut files, which allows arbitrary code to be executed on the user’s system. Microsoft has officially acknowledged the vulnerability and released a security advisory.

Our engineers were able to take hold of a sample of this malware, which is now detected as WORM_STUXNET.A, and analyze its routines. Here is a summary of their findings:

Propagation

Instead of dropping an AUTORUN.INF file and a copy of itself into removable and fixed drives, WORM_STUXNET.A drops a .LNK file—a shortcut file that points to an executable file—into the drives. The dropped .LNK file exploits this vulnerability to drop a new copy of WORM_STUXNET.A onto other systems. Trend Micro detects these .LNK files as LNK._STUXNET.A.

Stealth Capabilities

Apart from dropping copies of itself onto removable drives, this worm also drops a rootkit, now detected as RTKT_STUXNET.A, which it uses to hide its routines. This enables the worm to remain unnoticed by the user and makes analysis harder for researchers.

Football Connections

WORM_STUXNET.A was also found attempting to connect to certain websites, which were, interestingly enough, related to football. The purpose of the said routine remains undetermined, as our engineers found no trace of malicious activities on the said sites.

This new method of dropping .LNK files is yet another development in terms of how worms propagate through removable drives. Just recently, we reported about the use of the AUTORUN.INF Action Key to automatically execute malicious files.

Despite the numerous potential techniques for proliferation offered by the Web, USB malware continues to be distributed by cybercriminals, which only proves its effectiveness. This type of malware was further discussed in the article “Understanding USB Malware.”

Because the vulnerability has to do with how Windows processes the shortcut icons, one suggested workaround is to disable displaying icons for all shortcuts. Procedures on how to do this are contained in the Microsoft security advisory.

Trend Micro users are already protected from this type of malware through the Trend Micro™ Smart Protection Network™. Other users may also use our free cleanup tools such as HouseCall.

Using search engines and watching videos are two of the top Internet activities that users do on a daily basis. In the threat landscape, this usually translates to threats such as blackhat SEO attacks, malicious pages crafted to look like YouTube pages, and, as we recently found out, attacks that use both blackhat SEO and malicious YouTube-like pages.

In the recent attack that we saw, query results for strings such as videos of reality TV celebrity Teresa Giudice, British actress Holly Davidson, and the BP oil spill were found to initially lead to YouTube-like pages before displaying the all-too-familiar fake malware infection warnings.

The result pages are most likely compromised sites, all injected with search keywords that lure users into visiting them.

Another change that we’ve seen is yet another combination of blackhat SEO and a well-known malware technique. Search results for the string “Mel Gibson tapes” were found redirecting not to pages with fake malware infection warnings, but to a prompt to download an Adobe Flash Player installer.

The said page may trick the user into thinking that the link that they’ve clicked leads to a video, and that they need to install Adobe Flash Player to view it. According to Threat Response Engineer Marco Dela Vega, who also analyzed this threat, the cybercriminals behind this attack have a keen eye for detail; not only did they use a convincing interface for the fake Adobe installer, they also used a URL that strongly suggests that it is an Adobe-related site.

This is a very notable change, since blackhat SEO attacks have been known to bring about FAKEAV variants specifically.

These changes are just a few that we’ve seen. Blackhat SEO attacks no longer just ride on the popularity of big news, as they did before. SEO poisoning attacks are being deployed every day, tainting searches and bringing forth malware.

For the above-mentioned attacks, the related malware is detected as TROJ_FAKEAV.MVA and WORM_UTOTI.Y, respectively.

Our researchers and engineers have been continuously investigating these attacks and released several reports on their findings:

With the continuing rampancy of blackhat SEO attacks, users are advised to be extremely cautious when conducting searches.

Trend Micro™ Smart Protection Network™ provides multilayered protection for users when it comes to blackhat SEO attacks, as malicious links and files are blocked and detected by the Web and file reputation services, respectively.

Update as of July 15, 2010 10:09 a.m. (UTC)

WORM_UTOTI.Y has been renamed to TROJ_MONDER.RON.

The infamous KOOBFACE botnet is sending direct messages (DMs) on Facebook. If this sounds familiar… it should be, as this tactic was previously discussed here in the Malware Blog back in March.

The hook is somewhat similar to a ZBOT attack also spotted in March. That attack claimed that someone posted pictures of the user; this one uses a video instead. The text and link in the message are:

Someobdy uplaod a vdieo wtih you on utbue. you shuold see.

http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.{BLOCKED}rotherz.ca./19mai/

As is frequently the case in these kinds of attacks, the English used in the message is comically bad. The URL, however, is somewhat disguised—the first domain name the user sees belongs to Facebook. This is because the link does legitimately go to Facebook first. Any URL with the format http://www.facebook.com/l/{random character};{redirected URL} brings up the Facebook preview page for external links. Apparently, cybercriminals are betting that users will ignore the warnings and proceed to their site anyway.
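Both link tricks described on this page rely on a reader confusing a familiar domain that appears somewhere in the URL with the host the browser will actually contact: the ow.ly link padded with ?=www.facebook.com/photo.php (the instant-message spam above), and the facebook.com/l/{token};{destination} redirector used in the KOOBFACE messages. The following script is an added example, not code from Trend Micro or from the original posts: it parses a link, reports the real host, flags watched brand names that occur only in the path, query or fragment, and, for the Facebook redirector format quoted above, extracts the destination host. The watched-brand list, the five-character ow.ly token and the destination host www.attacker.example are constructed for the example; the redirector token is taken from the quoted message.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Brand domains whose appearance outside the host part of a link is a common
# lure. Constructed list for this example; a real deployment would use its own.
WATCHED_BRANDS = ("facebook.com", "youtube.com", "adobe.com")

# Constructed sample links modelled on the two cases discussed above.
# The ow.ly token "abcde" and the host www.attacker.example are placeholders.
SAMPLE_LINKS = [
    "http://ow.ly/abcde?=www.facebook.com/photo.php",
    "http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.attacker.example/19mai/",
    "https://www.facebook.com/photo.php?fbid=1",
]


def registrable_host(url: str) -> str:
    """Lowercased hostname the browser will actually connect to ('' if absent)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def host_matches(host: str, brand: str) -> bool:
    """True if host is brand or a subdomain of brand."""
    return host == brand or host.endswith("." + brand)


def embedded_brands(url: str) -> List[str]:
    """Watched brands that appear in the path/query/fragment but are not the host.

    This catches the ow.ly?=www.facebook.com/photo.php padding: the brand is
    visible in the link text while the request goes to the shortener.
    """
    parts = urlsplit(url)
    host = registrable_host(url)
    tail = " ".join((parts.path, parts.query, parts.fragment)).lower()
    return [b for b in WATCHED_BRANDS if not host_matches(host, b) and b in tail]


def facebook_redirect_target(url: str) -> Optional[str]:
    """Destination host for the facebook.com/l/{token};{destination} format.

    Returns None when the link is not in that format. urlsplit (not urlparse)
    is used so the ';' stays inside the path instead of being split off.
    """
    parts = urlsplit(url)
    if not host_matches(registrable_host(url), "facebook.com"):
        return None
    if not parts.path.startswith("/l/"):
        return None
    _, sep, dest = parts.path.partition(";")
    if not sep or not dest:
        return None
    # The destination after ';' has no scheme in the quoted message; add one
    # so the host can be parsed.
    if "://" not in dest:
        dest = "http://" + dest
    return registrable_host(dest)


def classify(url: str) -> Tuple[str, str]:
    """Return (verdict, detail) for a link, from the user's point of view."""
    target = facebook_redirect_target(url)
    if target is not None:
        return "redirector", target
    lures = embedded_brands(url)
    if lures:
        return "brand-in-tail", ",".join(lures)
    return "plain", registrable_host(url)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, detail = classify(link)
        print(f"{verdict:14} host={registrable_host(link):22} {detail}  <- {link}")
```

The check is deliberately about what a user sees versus where the request goes; it does not decide whether the destination is malicious, which is the job of a URL reputation service such as the one the post mentions. A mail or IM gateway can run the same two functions and rewrite or annotate links whose verdict is not "plain".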

If users do go on to visit the malicious site, this is what they see:

This malicious site is actually hosted on multiple IP addresses (from Facebook, users go to a redirection script that points them to different IP addresses). They all have a common payload though—a new KOOBFACE variant detected as WORM_KOOBFACE.IC. (The script that redirects users to the various KOOBFACE hosting pages is detected as JS_REDIR.EB.)

Like many previous KOOBFACE variants, this is used to download malware onto the user’s system. At least one of these—TROJ_JORIK.D—installs what appears to be a webserver, possibly restarting the KOOBFACE infection chain.

Trend Micro™ product users should not worry, however, as Smart Protection Network™ protects them from this attack by blocking access to the malicious sites through Web reputation service and by preventing the download of the related malicious files through file reputation service.

New Symbian Malware threat

Published on 01 July 2010 in Threats

Trend Micro has reported a new suspicious application running on the older S60 mobile platforms (which make up around half of the smartphones sold in 2009), classed as ZvirOK. The application has only one primary payload, which sends the text message “mumym xxx joker90” to the phone number 7250.

Although the intent is a grey area, it may be related to pay services often offered by mobile operators, which cost the user money, particularly if the fees are high.

For more information, see the Trend Micro website.
