When Julius Caesar arrogantly proclaimed “Veni. Vidi. Vici.” (I came. I saw. I conquered.) to describe his swift and total victory in the Battle of Zela, he must have been sitting atop his horse and looking over his spoils, contemplating the lethal brilliance of his planning. Sitting atop its Trojan spyware, one of this year’s most prevalent file infectors, PE_LOOKED, can lay claim to that same arrogance. To know why, read an in-depth article about PE_LOOKED’s routines and payloads here: PE Came, LOOKED, and Conquered.
続きを読むOn December 20, Trend Micro detected the 879th TSPY_QQPASS variant in the wild. This variant joins the almost 1,200 members of the ever-growing QQPASS family that includes spyware, worms, backdoors, Trojans, and even scripts. In recent months, QQPASS has consistently been one of the most prevalent Trojan spyware (TSPY) around based on actual customer submissions.
This information-stealing threat family targets Tencent QQ, an instant messaging application hugely popular in Mainland China and South Africa. It hooks an infected computer’s keyboard and mouse to steal QQlogin information.
Proof of its notoriety is the news-grabbing event it stirred in Japan last October. One of QQPASS’ worm variants was found to be infecting more than 10,000 MP3 players given away by McDonald’s Japan as prizes. The event prompted a public apology and a mass recall operation from the fast-food chain.
In an article, Miray Lozada, Associate Engineer at Trend Micro, documents QQPASS’s behavior and describes how stolen information can be used by the malware author. The writer further infers that monetary reward is the motive pushing this threat family to stay in the wild for so long and evolve with the changing threat landscape.
Read the article here: QQ Me… But TC :(.
続きを読むThis Christmas, malware authors still seem to be pretty busy spreading malicious codes instead of holiday cheers.
Trend Micro discovered today a new virus that is infecting 64-bit Windows Operating Systems (AMD64). Detected as W64_ABUL.A, this virus infects 64-bit systems by injecting its codes to all executable (.EXE) files in drive C and its subfolders.
To date, W64_ABUL.A is probably the third known file infector to target 64-bit systems, and the second to target the AMD64 platform. First seen was W64_RUGRAT.A, discovered on May 2004. Followed by W64_SHRUGGLE.A, which came out on August 2004. Both of these viruses were considered proof-of-concept viruses created by an author (who calls himself “roy g biv”) to prove that new systems are penetrable to virus attacks.
Well, that much is true nowadays, and we all know that the current trend is to attack new and different platforms as much as possible for profit.
However, with W64_ABUL.A, seems the malware authors of this virus are just out to taunt the AV industry, as you can probably notice in the malware code. This file infector creates the following mutex to mark its presence on a system:
64_absolute by tM & SH,a nice gift for all the AV
community, Marry X.mas to all the AV
Since this file infector targets 64-bit systems, it is not able to infect 32-bit files. It also cannot run on 32-bit processors without software that enables these processors to support 64-bit programs. Clearly, there is no intention to make this virus widespread.
A warning or just pure mockery, whatever is behind this “holiday greeting”, this just shows that malware authors can and will always try to use all available means in spreading their malicious codes.
続きを読むClearly the holidays are far from over.
Just days after the 64-bit malware W64_ABUL.A was detected, news regarding the sudden surge of Christmas-themed malware suddenly came out. Prolific STRATION did not miss out on the celebration, as Trend Micro detected TROJ_STRAT.IG on Christmas Day, allegedly being spammed via holiday-themed email messages.
Users should thus be wary when opening cute, warm-and-fuzzy holiday greetings, especially if they come from unexpected sources. In these times when even a seemingly harmless PowerPoint presentation or Word document could exploit vulnerabilities to drop malicious files into a recipient’s system… well, let’s just say these are the “gifts” we definitely do not want to receive.
続きを読むVista receives the first potshot on its supposedly impenetrable armor as Microsoft confirms the existence of a PoC code that targets the Client Server Run-Time Subsystem. This PoC affects Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2, and Windows Vista. It reportedly allows the local elevation of privilege. Initial analysis, however, shows that in order for the attack to be successful, the attacker must already have authenticated access to the target system.
As can be expected, Microsoft still maintains that Vista is their most secure platform to date. Que sera, sera. Happy patching in 2007!
続きを読むNews of a threat that supposedly propagates via the popular VoIP application Skype zoomed through the security industry earlier this week. Its supposed spreading capability classified the threat as a worm. However, based on its analysis, Trend Micro saw only an information theft routine characterizing the Skype threat as a Trojan spyware and detected it as thus ( TSPY_SKPE.A).
After working with the Skype security team, Websense, who first raised the alert, confirms that the threat is indeed a Trojan attempting to use the Skype API for its malicious activities.
Note that, as of this writing, Skype has no known vulnerability and that the Web sites where the Skype code and copies of the Trojan can be downloaded from are all unavailable.
続きを読むThe security industry was recently abuzz with the discovery of a worm supposedly targeting users of the popular VoIP telephone application Skype.
According to Websense’s Threat Blog, this worm uses Skype’s Chat feature to download and execute a file named sp.exe. The said file, in turn, appears to drop a password-stealing Trojan. The entry further notes that this possible worm is packed using NTKrnl Secure Suite— a relatively rare (if not unknown) compression — and that infection reports originated in the APAC region, specifically Korea.
Two things come to mind in light of this event. One is that despite the fact that this worm’s propagation technique is still… well, common, VoIP as a new malware vector is obviously becoming a good prospect for malicious authors to sink their teeth into. Two, well… again it’s obvious: password-stealing routine, polymorphic compression to avoid easy detection, and a specific country of origin? Sounds like a localized/targeted attack geared — once again— for profit, doesn’t it?
The (sort of) good news is that no widespread outbreak has been reported yet. That doesn’t mean that Skype users should just go ahead and click the links they receive while chatting, though.
Trend Micro currently detects the malware’s password-stealing component as TSPY_SKPE.A. Keep posted for updates.
続きを読むFree MP3 anyone? Advertisements like this has been scattered through out the internet, only on most sites, like the one shown below, give more than just mp3s. Instead, they give you a bucket load of malware downloaders.
Here is a snapshot of the website as promised…I won’t show any of the URLs for obvious reasons…
Upon viewing the site and searching for mp3s like the ones in the snapshot above, the site would say that you need their plug-in (Fastmp3_Setup.exe) in order to download mp3s from their site.
Once Fastmp3_Setup.exe is executed, the cycle of “download and execute” begins until the system has been infected with a bunch of malware. Fortunately for Trend Customers, most of the files that are being used here are already detected including the one who started it all, Fastmp3_Setup.exe. See below for a list of malware downloaded and their corresponding detection names.
- http://[blocked]com.ar/Fastmp3_Setup.exe TROJ_DLOADER.GXW
- http://[blocked]com.ar/1.exe TROJ_MONDO.AF
- http://[blocked]com.ar/inst.exe TROJ_SMALL.DTH
- http://[blocked]com.ar/install.exe TROJ_DLOADER.FYG
- http://[blocked]com.ar/vig.exe TROJ_HIDEPROC.G
- http://[blocked]fic.com/loadadv559.exe TROJ_SMALL.DTI
- http://[blocked]fic.com/vv815.exe TROJ_ADLOAD.RU
- http://[blocked]fic.com/install.exe TROJ_DLOADER.FYG
- http://[blocked]s.com/si.exe TROJ_REQLOOK.AE
These files aren’t detected, not yet anyways…But I have already given them to the service team and will soon be given their detection.
- http://[blocked]fic.com/inst.exe
- http://[blocked]com.ar/Fastmp3_Setup1.exe
- http://[blocked]fic.com/1.exe
Update(Jhoevine Capicio, Fri, 15 Dec 2006 07:30:35 AM)
Files below will be detected as
- http://[blocked]fic.com/inst.exe TROJ_DLOADER.EXJ
- http://[blocked]com.ar/Fastmp3_Setup1.exe TROJ_DLOADER.ELU
- http://[blocked]fic.com/1.exe BKDR_SMALL.EIS
Checking more on this site, this is slowly becoming another LinkOptim thing…
More and more trojans are being downloaded.
Ultimately, the goal of this site, came clear as pretty soon, I was seeing SPAM on the network environment.
Below is a sample email.
Like I said above, malware authors just love the users easily fooled by their social engineering tactics. They see them as paychecks waiting to be cashed in!
We’ll update this blog as more information is found.
続きを読む
Today we received via our systems numerous samples of TROJ_STRAT. These samples are detected by Trend Micro as TROJ_STRAT.IC in the latest OPR 4.121.00, thus, users are advised to update their pattern files to the latest release.
The samples we have, comes in two files with different MD5 hashes. Here are the md5 hashes:
- 4ed79f2f9180235069782067999ab548
- f8d2c08cf1cf57d5b2fb28099a6cfe14
For network administrators you may want to block emails with the following details:
続きを読む
Earlier this week, Trend Micro EMEA has received reports of a Trojan malware being spammed. The e-mail containing the Trojan malware is apparently written in German, as below…
Bestellung # 67321 von EUR 391.00 ist angenommen.
Sony RX-F18 8.0 MP Digital Camera
Ihre Bestellung # 67321 von EUR 391.00 ist angenommen.
Ihre Karte wird mit dem faelligen Betrag belastet. Danke fuer Ihren Kauf.
Als Anlage finden Sie die Rechnung.
Which roughly translates to…
Subject:
Order # 67321 of EUR 391.00 was accepted
Body:
Sony Rx-F18 MP digital camera
Your order # 67321 of EUR 391.00 was accepted.
Your credit card will be charged with the pyable amount. Thank you for your puchase.
Attached you’ll find the bill.
The attachment filename is of the form rechnung_?????.exe where ????? is the order number found on the e-mail subject.
This particular incident seems to be a seeding attempt where the target users are, of course, those who read and understand German. The malicious attachment is a downloader Trojan detected by Trend Micro as TROJ_DLOADER.FWM, which downloads other Trojan malwares from the site idite-nahiy-abusery.com.
The downloaded malwares are variants of TROJ_BZUB and TROJ_AGENT, both Trojans serves as proxy servers that waits for commands posted on idite-nahiy-abusery.com.
続きを読む