At first glance, the ads may seem like the typical Web browser nuisance. However, random ads were proven to be vectors for downloading malware onto users’ systems. In one instance, an ad pointed to a URL containing exploits that download and execute several files on affected systems. The downloaded files include a malicious Java file (detected by Trend Micro as JS_BYTEVER.BG) and .PDF files (detected as TROJ_PIDIEF.GBA and TROJ_PIDIEF.GBB), among others.

According to advanced threats researcher Jonell Baltazar, these .PDF files exploit known vulnerabilities found in Adobe Reader (Collab.collectEmailInfo, Collab.getIcon, and util.printf) to download a file if the user’s application remains unpatched. Furthermore, Baltazar explains, the malicious .PDF files use getPageNumWords() and getPageNthWords() Adobe JavaScript application programming interfaces (APIs). The files also used the app.info.Author field of the .PDF document to store the encoded payload URL, which enables them to defeat automated PDF and JavaScript analysis tools.

As discussed in the 2010 Threat Predictions by Trend Micro CTO Raimund Genes, drive-by infections are the norm and one Web visit is enough to get infected. Users are thus advised to disable JavaScript on their Web browsers and to practice vigilance, verify URLs, and update browsers to avoid being redirected to malicious URLs.

Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and preventing the execution of the malicious files via the file reputation service. It also protects customers by blocking user access to malicious websites.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

Update as of March 17, 2010, 4:23 P.M. (GMT +8):

Senior threat response engineer Vincent Cabuag adds that this relatively new encryption technique renders standard analysis tools useless in detecting the malicious script inside the .PDF file. The malicious script is obfuscated in a way that it requires the usage of certain APIs to be decrypted. Thus, it would require manual analysis to be able to emulate the embedded script.

Update as of March 18, 2010,7:54 P.M. (GMT +8):

According to further research by Baltazar, the attack used the “Liberty Exploit Kit”, which exploits known vulnerabilities found in IE (like MS06-014 (MDAC) and MS DirectShow). The exploit kit also includes exploits targeting Flash 9 (this is the most probable vector for malicious ads) and the mentioned PDF exploits.

Thus, no user-click is needed for the attack to be successful. Users must keep their Flash, Adobe Reader, and IE browser updated with latest available security patches in order to be protected from this attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malicious Ads Lead to PDF Exploits

The text before the links are in French and tells users to click the link that follows. Some of these links made users believe that they were viewing a photo related to an accident that supposedly killed U.S. President Barack Obama. Others used domain names similar to legitimate sites like Facebook and YouTube.

In reality, however, the links lead to malicious BUZUS variants detected by Trend Micro as TROJ_BUZUS.BTA and TROJ_BUZUS.BTB.

Malware attacks using Barack Obama as social-engineering bait date back to his 2008 campaign for the U.S. presidency. Previous attacks were seen both around his election (both for pharmaceutical spam and spreading malware) as well as around his inauguration.

Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious websites that host the malicious files. It also detects and prevents the download of TROJ_BUZUS.BTA and TROJ_BUZUS.BTB via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

“Obama Accident” Instant Messages Used to Spread Malware

Clicking these links led to another FAKEAV variant detected as TROJ_FAKEAV.PAQ.

Users should always be wary of clicking unknown links in search results. This is particularly true if they are searching for items of dubious legality, as is the case here.

Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious websites that host the malicious FAKEAV files. It also detects and prevents the download of TROJ_FAKEAV.PAQ via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

Pacquiao-Clottey Live Streams Lead to FAKEAV

Using blackhat search engine optimization (SEO) techniques, a simple Google search for news on Corey Haim’s funeral gives out malicious links in the top search results, which redirect users to sites that eventually lead to the download of a FAKEAV.

A fake scan page convinces users that their computers were affected by several harmful files and that they should download and install the fake antivirus application.

Trend Micro detects the downloaded file as TROJ_FAKEAV.DBB. After installation, the program loads a scan page with fake scan results and offers to remove the harmful files from the users’ machines.

There is, of course, a slight catch since the product requires activation. We advise users to be wary of such tactics since they may unwillingly divulge sensitive information. In this case, the attackers ask for credit card information.

Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious websites that host the malicious FAKEAV file. It also detects and prevents the download of TROJ_FAKEAV.DBB via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

Search for News on Corey Haim’s Death Leads to FAKEAV

Security researchers recently unveiled findings about malware that came preinstalled on a Vodafone mobile phone handset. Its memory card was also believed to carry malware. A leading mobile telecommunication company, Vodafone, has been taking the heat for packing malware straight out of the box on their HTC Magic Android smartphones. The recipient of one of the malware-laden phones was, fortunately, an employee of the Spanish antivirus firm, Panda Security. Plugging the phone in via USB into any PC quickly led to an infection by WORM_SILLY.QT. Vodafone has already released an official statement saying that the infected phone problem was an isolated one.

Trend Micro threat researcher, Ryan Flores, believes it is likely that a computer in Vodafone’s production line has been infected by WORM_SILLY.QT. And, because of the worm’s capability to propagate through removable drives, somehow SD cards in a certain batch of smartphones were infected.

This is a perfect example of one of the many threats presented in Trend Micro’s “Future of Threats and Threat Technologies” report.

While it may be a rare occurrence for the mobile giant, Vodafone, this type of off-the-shelf malware has already made one too many appearances mainly due to the common practice of syncing phone and music devices to one’s PC. Here is a rundown of past off-the-shelf malware reports:

• Digital Photo Frames FrameUp?
• Out of the Factory, into the USB
• Get Your IPOD Now—And Get a Free Worm!
• McDonald’s Japan Recalls Promotional MP3 Players

Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and preventing the file’s execution on affected systems via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Gets Smart with Vodafone Smartphone

On February 16, Adobe released a security advisory describing a vulnerability in Adobe Reader and Acrobat 8.X and 9.X. Once the vulnerability is exploited, attackers gain the capability to perform denial-of-service (DoS) attacks on affected systems. Doing so can cause applications and even systems to crash. Attackers can also execute arbitrary code on affected systems.

Trend Micro detects the exploit binary as TROJ_PIDIEF.EXP, a specially crafted .PDF file. It belongs to a family of known exploits that target Adobe Acrobat and Reader vulnerabilities. This family is also capable of dropping other malicious files such as spyware and backdoors onto affected systems.

Users are advised to update to the latest versions of the aforementioned Adobe products to secure their systems from attacks related to this vulnerability.

Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and executing the malicious file via the file reputation service.

Post from: TrendLabs | Malware Blog - by Trend Micro

More Adobe Exploits in the Wild

This vulnerability primarily affects IE 6 and 7. Internet Explorer 8 is not affected. Users using the affected browsers are advised to follow the workarounds in Microsoft’s advisory until the applicable patches are released. Systems using the latest Windows versions—Windows 7 and Server 2008 — are automatically immune from this threat since the said OS versions are shipped with IE 8. Those using earlier versions, however, would benefit from upgrading their browsers to IE 8.

In relation to this vulnerability, Trend Micro currently detects a malicious JavaScript file as JS_SHELLCODE.CD, which exploits CVE-2010-0806 and allows unauthorized download of files onto affected machines.

Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious website the JavaScript connects to via the Web reputation service. It also detects and prevents the download of JS_SHELLCODE.CD via the file reputation service.

Trend Micro Deep Security™ and Trend Micro OfficeScan™ likewise protect business users via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF10-011 release, rule number IDF10011.

Post from: TrendLabs | Malware Blog - by Trend Micro

New IE Zero-Day Exploit (CVE-2010-0806)

As part of its regular Patch Tuesday schedule, Microsoft released two security fixes to address vulnerabilities found in certain versions of Windows Movie Maker and Office Excel. This is the first time in almost two years that Microsoft did not include any critical patch in its release.

Both vulnerabilities allow remote code execution when a user opens a specially crafted Movie Maker or Microsoft Producer project file and a specially crafted Excel file. More information on the security advisories can be found in this Trend Micro Security Advisory page.

While this may be good news, this was somewhat balanced out by the discovery of a new zero-day exploit found in Internet Explorer (IE). This exploit is the second found in the last 60 days. The previous one was discovered in January. This exploit takes advantage of an invalid pointer reference vulnerability to execute arbitrary code. Only IE 6 and 7 are vulnerable. Users of IE 8 are safe from this threat.

The exploit code is now available publicly and some related attacks are being tracked.

But Microsoft is not alone in being hit by vulnerabilities this week.

Alternate browser, Opera, was also found to have a flaw in the way it handles the Content-Length HTTP header. At the very least, this can cause the browser to crash.

Server applications also came under fire. The popular spam blocker, SpamAssassin, was also found to have a security flaw. This flaw can allow code contained in a specially crafted email that was processed by the application to be executed with administrative privileges on an email server. However, as the specially crafted email would have an invalid recipient, it is unclear if properly configured servers are also vulnerable.

Patching vulnerable applications sounds like a solution but that may not be ideal, particularly for enterprise users. Restarting servers is often not as simple for them as it is for home users. In addition, some individuals who discover vulnerabilities believe, wrongly or not, that software vendors take a long time to issue patches as well as downplay the severity of any known flaw. Because of this, some prefer to reveal the flaws publicly to force vendors to release patches as soon as possible.

Trend Micro advises users to keep their security programs up to date and to immediately apply patches once they are released by their vendors. Users can download this month’s Microsoft patches from the official Microsoft Security Bulletin page or run Windows Update to automatically download and apply the patches.

For business users, Trend Micro Deep Security™ and Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in can be shielded from vulnerabilities, often even before vendor patches are available.

Post from: TrendLabs | Malware Blog - by Trend Micro

Multiple Vendors Affected by New Vulnerabilities

In fact, Trend Micro anti-spam research engineers have already seen a number of spammed messages that promise free iPads to lure unwitting users into their scams. In one such spam sample, recipients are being invited to test the iPad at no cost by simply applying to be part of a “word-of-mouth” marketing campaign. They may not have to shell out a single cent but the price they have to pay will be their identities.

The spammed messages instruct users to reply to the email with their personal information, which spammers could easily use for further malicious activities. As Trend Micro anti-spam research engineer, Argie Gallego, recommends, “Users should be suspicious of any freebies offered online, particularly those requiring sensitive personal information such as full name and contact numbers. We have only seen a number of iPad-related spam so far but we expect the numbers to rise as April 3 draws near.”

This recent spam run is no different from how cybercriminals leveraged the iPad launch in January, which led to a FAKEAV variant. Users should thus continue exercising caution in opening email messages from unknown senders. It is also important to be cautious in conducting Web searches on hot topics such as the iPad, as these are often used for blackhat search engine optimization (SEO) attacks as seen in the past. Interestingly, Apple does not own any iPad-related domain names so users should really pay close attention to URLs before they click.

Trend Micro™ Smart Protection Network™ prevents spammed messages from reaching users’ inboxes via the Web reputation service.

Non-Trend Micro product users can also stay protected by using eMail ID, which prevents fake messages from reaching their inboxes. It also helps users quickly find legitimate messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

iPad Giveaway Gives Users’ Identities Away

This time around, users searching for news on the Oscars fell prey to the latest blackhat search engine optimization (SEO) attack that uses the search terms “oscar winners 2010 live.” Almost 80 percent of the results on the first page alone leads to the download of a FAKEAV binary detected by Trend Micro as TROJ_FAKEAV.ZZH.

The said variant has been observed to connect to a remote website to send and receive information. It is also able to download other malware, including Mal_Xed-22 and TROJ_VUNDO.SMAT.

With the continued proliferation of blackhat SEO attacks leading to FAKEAV, it is apparent that cybercriminals intend to continue riding on top Web searches. Users are thus reminded to exercise extreme caution when visiting sites, especially with the Oscar fever still running high.

Trend Micro™ Smart Protection Network™ protects customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service. It also detects and prevents the download of TROJ_FAKEAV.ZZH, Mal_Xed-22, and TROJ_VUNDO.SMAT via the file reputation service.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

Post from: TrendLabs | Malware Blog - by Trend Micro

FAKEAV Rides on Oscars 2010 Buzz

The Energizer DUO is a charger for two AA or AAA batteries that can be plugged into USB ports. While no software is needed to use the charger, Energizer did provide an application that would display the charge level of the batteries inserted into the charger.

However, the said application goes far beyond that. It also includes a backdoor detected by Trend Micro as BKDR_ARUGIZER.A. This particular backdoor opens port 7777 to incoming connections, allowing it to receive various commands from remote users. Among the possible commands are to:

• Download and execute files
• Delete files on affected systems
• Upload files from affected systems to a server

While this backdoor does have routines that could cause significant problems, it is not yet clear if these were actually used. Energizer already released an official statement on the issue, announcing the discontinued sale of the charger in question. It is likewise currently working with the US-CERT and U.S. government officials to understand how the code was inserted into the software.

Trend Micro™ Smart Protection Network™ already protects product users from these threats by detecting and preventing the file’s execution on affected systems via the file reputation service.

Non-Trend Micro product users, on the other hand, can use free tools like Housecall, which identifies and removes various viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.

Post from: TrendLabs | Malware Blog - by Trend Micro

USB Battery Chargers with Malware?

Compromised Twitter accounts post Tweets that tell their followers to click the shortened link to try out a new diet/weight loss plan.

Clicking the given link redirects users to possibly malicious websites that promote Acai Berry.

Compromised accounts were possibly infected from previous Twitter spam runs previously featured in the following blog entries and are being used again for this new attack:

• Twitter DM Spam Collects Mobile Numbers
• Job Spam Uses Twitter
• A New Twitter Worm Is Making the Rounds

As of this writing, Twitter is already aware of this latest spam attack and has taken the necessary corrective actions to prevent the spam from spreading further.

Users are strongly advised to refrain from clicking the links contained in Tweets with similar messages even if they come from a known or a trusted user. On the other hand, users who think their accounts may be one of those that have been compromised should change their passwords as soon as possible.

Trend Micro™ Smart Protection Network™ protects product users from this kind of attack by blocking user access to the malicious domains and other related sites.

For Twitter users, follow @TrendMicro to get the latest security information and updates on how to stay protected from new and upcoming threats.

Post from: TrendLabs | Malware Blog - by Trend Micro

Diet Twitter Spam (on the) Run

One of the hot topics during the meeting was related to the initiative to review reports published by testing and certification organizations/companies.

How was this process designed? The Review Analysis Board (RAB) of the AMTSO receives initial requests, makes a decision to conduct a review, and coordinates the work of the Review Analysis Committee (RAC). The RAC comprises volunteer members that analyze reports against the organization’s existing nine principles. The AMTSO’s principles were agreed upon by its members—testers and antivirus vendors—and supported by the AMTSO’s academic advisors. The testing principles mainly refer to how published reports could be presented to their audiences.

The review process does not, however, intend to prove if the right things were done but rather to review whether the things done were done right.

As such, as long as a test report included an accurate description of how threat samples were gathered and validated, how tests were conducted, and how conclusions were made (including correct and fair communication among all parties involved in the testing), then the report may be deemed compliant with the AMTSO’s testing principles. The actual testing methodology used by a testing lab was not, itself, the subject of the review.

Take, for instance, a highly innovative test like the one conducted by NSS Labs last year. This was reviewed based on how well the testing methods and conditions were described and whether the conclusions did follow the test results, regardless of the way the test was designed and its methodology.

The AMTSO’s reviews neither intend to promote nor constrain innovation in anti-malware product testing methodology but to improve output quality.

Post from: TrendLabs | Malware Blog - by Trend Micro

Insight: AMTSO’s Reviews

The Mariposa botnet was one of the largest botnets to date. It was reportedly responsible for attacking millions of businesses around the world, including Fortune 1000 companies, in a mission to steal online banking, business, and personal information from compromised systems.

Mariposa was discovered in 2009 by the Mariposa Working Group, an informal group of volunteers from the security industry and law enforcement agencies, formed to specifically investigate and to eventually eliminate the said botnet. The group was also responsible for giving out pertinent information on the botnet, which led to the arrest of three of its perpetrators.

Throughout its lifetime, Mariposa was able to launch several bot variants that were able to compromise up to 12.7 million computers from all over the world. Trend Micro detects  malware related to this botnet as WORM_AUTORUN.ZRO. This worm spreads copies of itself through physical and removable drives as well as through the popular instant-messaging application, MSN Messenger. It also propagates via known peer-to-peer (P2P) file-sharing applications, particularly Kazaa, BearShare, iMesh, Shareaza, DC++, Emule, and LimeWire. It can also perform denial-of-service (DoS) attacks against targeted systems.

The take-down of the Mariposa botnet may mean less zombies for cybercriminals to operate with. However, there are still other infamous botnets that have not been caught yet and even new ones that are gaining notoriety once again such as ZeuS, SDBOT IRC, Chuck Norris, and DOWNAD/Conficker botnets.

Trend Micro™ Smart Protection Network™ already protects product users from these threats by detecting and preventing the file’s execution on affected systems via the file reputation service.

Non-Trend Micro product users, on the other hand, can use free tools like RUBotted, which monitors computers for suspicious activities and regularly checks with an online service to identify behaviors associated with bots. Upon discovering potential infections, it prompts users to scan and clean their computers.

Post from: TrendLabs | Malware Blog - by Trend Micro

Mariposa Botnet Perpetrators Captured

ZeuS: A Persistent Criminal Enterprise

ZeuS has been entrenched in the cybercriminal business for a long time now and has continuously evolved and improved. Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses to thwart both antivirus and other security solutions, as well as efforts by the security industry, ZeuS will continue to be used by cybercriminals to steal personal information and even people’s identities.

The paper provides an extensive view of the ZeuS botnet. From a thorough discussion of its usual routine up to the possible criminal organizations involved, the research is a must read for users who want to get the rundown on this persistent online threat.

For more information on the above-mentioned subject and other previously released white/research papers, you may download the reports from this page.

Post from: TrendLabs | Malware Blog - by Trend Micro

What’s the Juice on ZeuS?