• 8883
• 8887
• 6151
• 1
• 2855
• 9151
• 9685
• 9684

Unfortunately, paying fees for unauthorized messages is only half the problem for users. Choosing the said button also changes the display on the screen (see below), in which choosing the first button may lead users to a malicious website.

Trend Micro protects your Android OS phones via Mobile Security Personal Edition app, which prevents access to these malicious sites and from downloading malicious .APK files on your phones. Apart from blocking access to malicious sites, our app scans each app you install to ensure your safety.

To know more on how to better protects yourself from these rogue apps and other threats hovering Android OS, you may read our comprehensive e-guide “5 Simple Steps to Secure Your Android-Based Smartphones” .

Post from: TrendLabs | Malware Blog - by Trend Micro

Rogue Farm Frenzy 3 for Android Unearthed

The finding, which we were able to flag during our analysis of data processed by the Trend Micro™ Smart Protection Network™ definitely caught our attention.

Looking at data from the Smart Protection Network™, we were able to find 3 different binary files that appear to be downloaded from the following URLs:

• hxxp://br.msn.com/ChromeSetup.exe
• hxxp://www.facebook.com.br/ChromeSetup.exe
• hxxp://www.facebook.com/ChromeSetup.exe
• hxxp://www.globo.com.br/ChromeSetup.exe
• hxxp://www.google.com.br/ChromeSetup.exe
• hxxp://www.terra.com.br/ChromeSetup.exe

When we took a closer look at the downloads, we identified that all downloads are being redirected to two different IPs, instead of the legitimate IPs of the accessed domains. What’s more noteworthy is the fact were seeing access in clients from the Latin American region, mostly in countries Brazil and Peru.

An analysis of the file ChromeSetup.exe done by my colleagues Roddell Santos and Roland dela Paz verified that it is a multi-component BANKER malware detected as TSPY_BANKER.EUIQ.

Once running on a system, TSPY_BANKER.EUIQ sends information such as the infected system’s IP address and operating system name to a specific IP address. It also downloads a configuration file that contains information it uses to redirect access to fake banking pages whenever a user attempts to visit certain banking websites.

When a user opens a targeted bank’s site, TSPY_BANKER.EUIQ intercepts the page request and displays the following message, tricking users into thinking that the website is loading security software where in fact it is already redirecting users to the spoofed banking website:

Further Investigation

A more in-depth investigation allowed us to gain access on the page index where TSPY_BANKER.EUIQ downloaded configuration files from. The same index page hosted the three binary files that the malware used aside from the configuration file that we saw in the same location.

During the time the C&C panel was analyzed, we have observed an abrupt increase on the registered logs. In fact, the phone home logs jumped from around 400 to nearly 6000 in a span of 3 hours. These logs are comprised of 3000 unique IP addresses which translates to the number of machines infected by the malware.

Since the start of this analysis, we have also been seeing variations of the BANKER malware we analyzed during this investigation in the wild. The first few samples that we got installed the three components separately, but now we are getting new samples that are able to install the different components in one package. It looks like this malware is still under development and we may still see improvements in future variants. Roland also mentions that he came across a likely related C&C that surface last October 2011 which indicates that the perpetrators behind this threat aren’t new in the scene.

Missing Piece

While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence – how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware. We will continue our investigation related to this incident and will update this blog with our findings.

Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google.

This is where a telemetry such as the Trend Micro™ Smart Protection Network™, which provides intelligence derived from a global network of threat data, becomes vital. This technology not only allows us to identify and correlate emerging attacks worldwide, but also lets us instantly deploy the proper threat mitigation solutions on customer environments.

Post from: TrendLabs | Malware Blog - by Trend Micro

Info Stealer Poses as Google Chrome Installer

How much digital clutter do users have? Quite a lot, as it turns out. On average, people have far more data – in the form of music, movies, and files – than they can use or consume. On average, they use only about a fifth of what they actually have. They have enough music for almost two full weeks of non-stop music listening.

The digital clutter extends to the mobile space and social media, too. If you’re on Facebook or Twitter chances are many of your friends and followers aren’t people you know, if they’re even people at all! Our full findings are in latest infographic Mapping Out Your Digital Life, which was featured on Mashable.

Post from: TrendLabs | Malware Blog - by Trend Micro

[INFOGRAPHIC] Mapping Out Your Digital Life

Celebrity news items, whether factual or not, have been a staple bait in cybercriminal attacks. Adam Yauch’s death is just one of the several web threats that took advantage of the death of famous music icons. Similar threats include the string of clickjacking attacks that used the demise of Whitney Houston, Amy Winehouse, and even Lady Gaga‘s supposed death.

Trend Micro users need not worry as they are protected via the Smart Network Protection™, which detects and deletes the related malware and blocks spam with malicious attachments with its file and email reputation technology. To know more about how attackers take advantage of noteworthy news items e.g. celebrity gossips and news and other social engineering tricks, you may read our comprehensive e-guide “How Social Engineering Works”.

Post from: TrendLabs | Malware Blog - by Trend Micro

News of Beastie Boy Adam Yauch’s Death Leads to Malware

We found a search result for the string “diablo 3 free download” leading to a survey scam — a scheme frequently seen deployed through Facebook.

The search result below (highlighted in yellow) directs to the a page which appears to be the download page for Diablo III:

Diablo 3 is not the first game used by cybercriminals for schemes, we’ve seen other popular games such as World of Warcraft and Grand Theft Auto being used in the past.

Trend Micro users are protected from the schemes reported above through the Trend Micro™ Smart Network Protection™.

Post from: TrendLabs | Malware Blog - by Trend Micro

Diablo 3 Scams Preempt Game Release

This webpage is also found to be hosted on Russian domains, similar to the fake Instagram and Angry Birds Space apps that we previously reported. To further entice users into downloading the fake Adobe Flash Player app, the text on the webpage claims that it is fully compatible with any Android OS version:

When users opt to download and install the said fake app, the site connects to another URL to download malicious .APK file, which Trend Micro detects as ANDROIDOS_BOXER.A. ANDROIDOS_BOXER.A is a premium service abuser, which means it sends messages to premium numbers without the user’s permission, thus leading to unwanted charges. This type of Android malware is just one of the types we were able to identify in our infographic, A Snapshot of Android Threats.

Upon further investigation, we have seen a bunch of URLs that are hosted on the same IP as this particular website. Based on the naming alone used in these URLs, it appears that Android is a favorite target for cybercriminals behind this scheme.

Trend Micro protects your Android phones from accessing these malicious sites and from downloading malicious .APK files on your phones via the Mobile Security Personal Edition app. Apart from blocking access to malicious sites, our app scans each app you install to ensure your safety.

For your reference, Adobe Flash Player from Adobe Systems can be downloaded via the Google Play store.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Masquerades as Flash Player for Android

Trend Micro Solution for Black Hole Spam Runs

Focusing on the black hole exploit kits at the infection point when the malware begins to download may not be enough. We focus instead at the start of the attack. Because the email is where the threat starts, detection is needed at the beginning, for the phishing email is sent to lure users into clicking the URL that will ultimately lead to the site that downloads the malware.

We created a system that uses big data analysis and the power of Trend Micro™ Smart Protection Network™, for a unique view of these attacks as they occur, so solutions can be quickly created. Once the details of the attacks are correlated and mapped out, solutions are released to the cloud to protect customers via Smart Protection Network™.

Insight into Black Hole Exploit Attacks as the Attacks Occur

The initial challenge for this threat came from the compromised websites. Owners of these compromised websites need to constantly clean up the sites that get compromised. However, the compromised websites that are still vulnerable may still be used in the next attack.

In the past weeks, black hole exploit-related activities employed social engineering lures using well-known companies like LinkedIn, US Airways, Facebook, American Express, PayPal, and Careerbuilder. The messages we’re seeing are highly intelligent and well-crafted phishing messages that gain the trust of users. The format and wording of these email messages were made to look exactly the same as the legitimate messages from these companies. This is why these messages are difficult to detect using traditional methods.

Trend Micro continues to investigate these attacks to strengthen our solutions. We will be updating this story in the coming days to provide more insight into our protection strategy.

Post from: TrendLabs | Malware Blog - by Trend Micro

Protecting Customers From Black Hole Exploit Kit Spam Runs

Taking data from exploit documents gathered last April, we can see that the most exploited MS Office software is MS Word.

The big reason for this is that two of the most reliable exploits used by attackers targeted CVE-2010-3333 and CVE-2012-0158, which are MS Word vulnerabilities.

Coming in at third place as the most common vulnerabilities exploited is CVE-2009-3129, which is an MS Excel software bug. This graph fits in perfectly with the first one as Excel is the second most exploited Office software.

For the past two years, exploit documents have extensively used CVE-2010-3333 to install malware. However, just last April, it was quickly surpassed by CVE-2012-0158. Its rise as the exploit of choice by attackers are well-documented by Trend Micro researches on two blog entries found here and here.

From these graphs, we can easily deduce that:

• Reliable exploits have long lifespans. Attackers would rather use old reliable exploits such as CVE-2010-3333 that are proven to work instead of experimenting with new, but unreliable exploits.
• A lot of organizations do not update their software. The wide use of a two year old vulnerability just shows patch levels in many industries are not updated.
• Rapid adoption and use of a new reliable exploit. Within a span of two weeks, CVE-2012-0158 went from zero to actually surpassing CVE-2010-3333 as the preferred exploit of attackers. This just shows that the time window for patching critical vulnerabilities is small, which requires due diligence and discipline on patch management by organizations.

Trend Micro Deep Security protects users this threat, specifically via the following rules:

• 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File (CVE-2012-0158)
• 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
• 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)

Post from: TrendLabs | Malware Blog - by Trend Micro

Snapshot of Exploit Documents for April 2012

In the latest batch of C&C servers we have analyzed, not only has the list of countries increased but also their targets are now more specific. For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification that spoofs the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method. The criminals also took the time in adding plenty of logos of local supermarkets and chain stores where the cash vouchers are available.

What is becoming crystal clear is that the same Eastern European criminal gangs who were behind the fake antivirus boom are now turning to the Police Trojan strategy. We believe this is a malware landscape change and not a single gang attacking in a novel way. We also found C&C consoles that suggest a high level of development and possible reselling of the server back-end software used to manage these attacks. Police Trojan attacks are here to stay – until they are done milking this cow and have to look for a fatter one, that is.

You can read our full report on the Police Trojan in Security and Intelligence section of the Trend Micro website.

Post from: TrendLabs | Malware Blog - by Trend Micro

Police Trojan Crosses the Atlantic, Now Targets USA and Canada

As elaborated in the Microsoft blog post, MS12-034 lists down several versions of affected software as the TTF vulnerability also directly or indirectly affects these software.  Trend Micro Deep Security users can apply rules 1005009 – Win23k TrueType Font Parsing Vulnerability (CVE-2012-0159) and 1005009 – .NET Framework Buffer Allocation Vulnerability (CVE-2012-0162) to ensure protection from attacks that might use these vulnerabilities. More information on patched MS vulnerabilities this month are found here in the Threat Encyclopedia.

In other vulnerability news, Oracle issued a security alert that brings to attention a vulnerability in TNS listener, which is found in several versions of the Oracle Database Server. Oracle recommends to its customers to apply workarounds found in their customer portal. The vulnerable component also affects other Oracle products such as the Oracle E-Business Suite. Trend Micro Deep Security users are protected from attacks that might use this particular vulnerability by applying rule 1004995 – Oracle Database TNS Listener Poison Attack Vulnerability.

Lastly, Adobe released a security update for Adobe Flash Player for Windows, Macintosh, Linux, and Android operating systems. As of this writing, Trend Micro is investigating attacks that are actively using CVE-2012-0779, which is addressed by Adobe’s security update. Applying rule 1005000 – Adobe Flash Player Object Confusion Vulnerability (CVE-2012-0779) ensures protection from exploits using CVE-2012-0779.

Update as of May 11, 2012, 7:55 AM PST

The following additional Deep Security rules have been issued to ensure protection against attacks using some of the aforementioned vulnerabilities:

• 1005019 – Restrict Microsoft Office File With Linked SWF has been added to protect against attacks using the vulnerability in CVE-2012-0779
• 1004997 – Detected Too Many Oracle TNS Service Register Requests has been added to protect again attacks using the vulnerability in CVE-2012-1675

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Releases an Update Covering DUQU; Oracle and Adobe Vulnerabilities Patched, Too