TrendLabs | Malware Blog - by Trend Micro

Beta Version of Spytool App for Android Steals SMS Messages

Yoshikawa Takashi (Threats Analyst) — Mon, 21 May 2012 08:24:15 +0000

During my investigation of mobile threats in the wild, I discovered a spytool, which is currently available on Google Play, that is actively being discussed on certain hacker forums. This tool’s beta version is available on the site since March 11. An estimated 500 – 1000 users have already downloaded the said spytool, which Trend Micro detects as ANDROIDOS_SMSSPY.DT.

Based on our analysis, this spytool gathers SMS messages from an infected mobile device and sends these to a remote FTP server at regular times set during the app’s installation. Below is the particular code embedded in the malicious app that executes the FTP Upload task that sends the stolen messages to defined FTP servers.

Affected users are at risk of having their personal and sensitive information stolen by potential attackers, who may use these for malicious purposes.

As the app is still in its beta testing, spying on a mobile device using this tool poses certain challenges. First, it should be installed onto the target device without the victim knowing about it. Second, potential attackers would need to setup their own FTP servers, which may be difficult for those with less advanced IT knowledge. However, the developers behind this tool are likely to release an updated version that may include features and improvements to make it easier to use.

Trend Micro users need not worry as their mobile devices are protected from this threat via Mobile Security Personal Edition. Users are advised to activate the lock function of their mobile devices for added security. When installing an app, users should always double-check the required permissions of the app, specially if it requests for permissions beyond its supposed function.

To know more on how to better protect yourself from threats related to your mobile devices, you may read our comprehensive e-guides below:

With additional input from Noriaki Hayashi

Post from: TrendLabs | Malware Blog - by Trend Micro

Beta Version of Spytool App for Android Steals SMS Messages

Bogus Pinterest Pins Lead to Survey Scams

Paul Pajares (Fraud Analyst) — Fri, 18 May 2012 20:18:23 +0000

The continuing increase in visitors to the Pinterest site may be a primary reason why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to surveys scams. This new wave of survey scams I found came from my search using “pinterest” as keyword.

Users who re-pin the posts from the sample above will most likely spread the post.

In addition, I also spotted posts using URL shorteners such as bit.ly and goo.gl. When clicked, the shortened URLs/the fake posts lead to any of the following URLs:

http://pinterest.co{BLOCKED}t.info/?419
http://pinterest.com-{BLOCKED}key.info/Thank-You/fb/
http://pinterest.co{BLOCKED}s.info
http://pinterest.{BLOCKED}one.info
http://pinterestgift.{BLOCKED}hing.info
http://pinterests.{BLOCKED}onus.info

Upon clicking the link, users are redirected to a Pinterest-like webpage offering prizes, vouchers, gift cards and others:

Made to resemble like a typical Pinterest webpage, the fake site features a search field, add+, an about. However, these are mere images and are not clickable. The clickable links are those that redirect to survey scams such as Body Age Quiz.

After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message.

And Via Email, Too

Another thing I’ve noticed is that the fake site requires an email address:

Users entering their email addresses are brought to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages.

Upon closer investigation of these attacks, I noticed that before users are redirected to the fake Pinterest sites, the connection passes through ad-tracking sites. This way, the number of visitors are tracked, determining the supposed earnings of the scammers. Based on our data, the fake Pinterest URLs are being visited since May 2. Fake Pinterest posts hosting scams are likely to spread within Pinterest via users who re-pin the posts. The “offers” in these fake Pinterest posts look enticing after all. Plus, some users would want to ask the rest of the Pinterest community to verify such offers, like this user.

Pinterest has since removed some of the fake Pinterest posts. Trend Micro users are also protected from these scams by the web reputation technology in our Smart Protection Network™.

Post from: TrendLabs | Malware Blog - by Trend Micro

Bogus Pinterest Pins Lead to Survey Scams

Cloud-based Services Vulnerabilities Also Used in Targeted Attacks

Nart Villeneuve (Senior Threat Researcher) — Fri, 18 May 2012 10:50:56 +0000

Recently, Trend Micro researchers encountered a potential vulnerability that affected users of Yahoo! Mail. We discovered several emails used in targeted attacks that contained JavaScript in the “From” field that attempted to launch a Document Object Model (DOM)-based cross-site scripting attack against the recipients of the email. However, we were not able to replicate the attack successfully. We have been in touch with Yahoo! about this problem.They, too, were unable to replicate this attack successfully at that time. However, to protect users against any such problems Yahoo! has strengthened their filters that sanitize user emails in order to protect against these kinds of attacks.

This is not the first time that vulnerabilities have been found in popular webmail providers. We discussed almost a year ago that some of the major webmail providers – Gmail, Hotmail, and Yahoo! Mail – were all found to have some sort of vulnerability that compromised either the user’s email account or their system. It shouldn’t be a surprise that they’ve become targets as well: just about everyone uses these free services, and users don’t expect these services to have security problems of their own.

As we’ve highlighted before, vulnerabilities like these are used in targeted attacks. Whether it’s vulnerabilities in user software or cloud-based services like free webmail, vulnerabilities allow attackers to compromise systems without the target being aware that anything has happened. This is extremely useful to attackers as the content compromised email accounts can be stolen by attackers and the account can be used to launch further attacks against the victim’s contacts.

Post from: TrendLabs | Malware Blog - by Trend Micro

Cloud-based Services Vulnerabilities Also Used in Targeted Attacks

Worm Spreads via Facebook Private Messages, Instant Messengers

Cris Pantanilla (Threat Response Engineer) — Thu, 17 May 2012 08:42:00 +0000

We recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “May09-Picture18.JPG_www.facebook.com.zip”. This archive contains a malicious file named “May09-Picture18.JPG_www.facebook.com” and uses the extension “.COM”.

Once executed, this malware (detected as WORM_STECKCT.EVL) terminates services and processes related to antivirus (AV) software, effectively disabling AV software from detection or removal of the worm. WORM_STECKCT.EVL also connects to specific websites to send and receive information.

Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleted posted messages and private messages sent on the following websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself.

Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites. To know more on how you can prevent these threats targeting Facebook and other social media sites, you may read our comprehensive e-guide A Guide to Threats on Social Media.

Furthermore, with our recent partnership with Facebook, Trend Micro™ protects users via Smart Protection Network™, which blocks access to the related malicious link. The file reputation technology in Smart Protection Network™ detects and deletes both WORM_STECKCT.EVL and WORM_EBOOM.AC.

Post from: TrendLabs | Malware Blog - by Trend Micro

Worm Spreads via Facebook Private Messages, Instant Messengers

Rogue Farm Frenzy 3 for Android Unearthed

Maela Angeles (Fraud Analyst) — Wed, 16 May 2012 15:44:34 +0000

Not long after we found sites offering rogue versions of Instagram and Angry Birds Space, another malicious site hosted in Russia was found to peddle fake Farm Frenzy 3 versions. The perpetrators behind this fake app are hoping that users who are not discriminate enough may download their malicious version, which is detected by Trend Micro as ANDROIDOS_FAKE.DQ.

If users would try to play the said app, the malware displays the image below:

Clicking the first button on the image triggers an SMS message to be sent to the premium numbers listed below:

8883
8887
6151
1
2855
9151
9685
9684

In turn, affected users incur unnecessary charges for the said message. Unfortunately, paying fees for unauthorized messages is only half the problem for users. Choosing the said button also changes the display on the screen (see below), wherein choosing the top button may lead users to a malicious website.

This incident is just one of the several Android malware we’ve seen spoofing popular apps. Aside from the previously mentioned bogus Instagram and Angry Birds Space, we recently uncovered a malware that masquerades itself as an Adobe Flash Player app for Android OS.

Trend Micro protects your Android OS phones via Mobile Security Personal Edition app, which prevents access to these malicious sites and blocks the download of malicious .APK files into mobile devices.

To know more on how to better protects yourself from these rogue apps and other threats hovering Android OS, you may read our comprehensive e-guide “5 Simple Steps to Secure Your Android-Based Smartphones” .

Post from: TrendLabs | Malware Blog - by Trend Micro

Rogue Farm Frenzy 3 for Android Unearthed

Info Stealer Poses as Google Chrome Installer

Brian Cayanan (Threats Analyst) — Tue, 15 May 2012 23:57:46 +0000

We recently found some suspicious looking URLs which suggest that a malicious file named ChromeSetup.exe is hosted in domains like Facebook and Google.

The finding, which we were able to flag during our analysis of data processed by the Trend Micro™ Smart Protection Network™ definitely caught our attention.

Looking at data from the Smart Protection Network™, we were able to find 3 different binary files that appear to be downloaded from the following URLs:

hxxp://br.msn.com/ChromeSetup.exe
hxxp://www.facebook.com.br/ChromeSetup.exe
hxxp://www.facebook.com/ChromeSetup.exe
hxxp://www.globo.com.br/ChromeSetup.exe
hxxp://www.google.com.br/ChromeSetup.exe
hxxp://www.terra.com.br/ChromeSetup.exe

When we took a closer look at the downloads, we identified that all downloads are being redirected to two different IPs, instead of the legitimate IPs of the accessed domains. What’s more noteworthy is the fact were seeing access in clients from the Latin American region, mostly in countries Brazil and Peru.

An analysis of the file ChromeSetup.exe done by my colleagues Roddell Santos and Roland dela Paz verified that it is a multi-component BANKER malware detected as TSPY_BANKER.EUIQ.

Once running on a system, TSPY_BANKER.EUIQ sends information such as the infected system’s IP address and operating system name to a specific IP address. It also downloads a configuration file that contains information it uses to redirect access to fake banking pages whenever a user attempts to visit certain banking websites.

When a user opens a targeted bank’s site, TSPY_BANKER.EUIQ intercepts the page request and displays the following message, tricking users into thinking that the website is loading security software where in fact it is already redirecting users to the spoofed banking website:

It then opens Internet Explorer to go to the new link depending on the browser’s title. Screenshot of a fake site is below. Notice the “_” before the name in the window title, as well as the URL of the banking site:

TROJ_KILSRV.EUIQ, a component of this TSPY_BANKER.EUIQ, on the other hand, uninstalls a software called GbPlugin–a software that protects Brazilian bank customers when performing online banking transactions. It does this through the aid of gb_catchme.exe–a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas.

Further Investigation

A more in-depth investigation allowed us to gain access on the page index where TSPY_BANKER.EUIQ downloaded configuration files from. The same index page hosted the three binary files that the malware used aside from the configuration file that we saw in the same location.

Roland analyzed the IP to where TSPY_BANKER.EUIQ sends the infected system’s IP address and operating system name, and found a panel that appears to show logs related to the attack.

During the time the C&C panel was analyzed, we have observed an abrupt increase on the registered logs. In fact, the phone home logs jumped from around 400 to nearly 6000 in a span of 3 hours. These logs are comprised of 3000 unique IP addresses which translates to the number of machines infected by the malware.

The server, unfortunately, soon became inaccessible. However, the abrupt increase in the malware C&C logs could either mean that there was an outbreak of the malware or they might be migrating their C&C server at the time. It also appears that the attack is targeting Brazilian users and it is targeting Brazilian banks.

Since the start of this analysis, we have also been seeing variations of the BANKER malware we analyzed during this investigation in the wild. The first few samples that we got installed the three components separately, but now we are getting new samples that are able to install the different components in one package. It looks like this malware is still under development and we may still see improvements in future variants. Roland also mentions that he came across a likely related C&C that surface last October 2011 which indicates that the perpetrators behind this threat aren’t new in the scene.

Missing Piece

While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence – how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware. We will continue our investigation related to this incident and will update this blog with our findings.

Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google.

This is where a telemetry such as the Trend Micro™ Smart Protection Network™, which provides intelligence derived from a global network of threat data, becomes vital. This technology not only allows us to identify and correlate emerging attacks worldwide, but also lets us instantly deploy the proper threat mitigation solutions on customer environments.

Post from: TrendLabs | Malware Blog - by Trend Micro

Info Stealer Poses as Google Chrome Installer

[INFOGRAPHIC] Mapping Out Your Digital Life

Jonathan Leopando (Technical Communications) — Tue, 15 May 2012 21:16:42 +0000

As we do more and more things online and with our digital devices, one thing is sure: we accumulate more and more digital junk. Movies we don’t watch, songs we don’t listen to, apps we don’t use.

How much digital clutter do users have? Quite a lot, as it turns out. On average, people have far more data – in the form of music, movies, and files – than they can use or consume. On average, they use only about a fifth of what they actually have. They have enough music for almost two full weeks of non-stop music listening.

The digital clutter extends to the mobile space and social media, too. If you’re on Facebook or Twitter chances are many of your friends and followers aren’t people you know, if they’re even people at all! Our full findings are in latest infographic Mapping Out Your Digital Life, which was featured on Mashable.

Now that you know how much digital clutter you have, what should you do about it? For that, you can consult our previous e-guide, Putting an End to Digital Clutter.

Post from: TrendLabs | Malware Blog - by Trend Micro

[INFOGRAPHIC] Mapping Out Your Digital Life

News of Beastie Boy Adam Yauch’s Death Leads to Malware

Gelo Abendan (Technical Communications) — Fri, 11 May 2012 22:15:05 +0000

The demise of Beastie Boys’ Adam Yauch (also known by his moniker MCA) have resonated among hip hop fans these past days. Sadly, we have seen a particular attack that targets specific recipients and used this news item as a social engineering lure.

We have found an email sample that leverages Yauch’s death to entice users to download and open the malicious attachment. The message appears as a news item from a non-profit organization that features the late musician’s recent passing. It also contains a .DOC file attachment, which is supposed to contain the complete story. Users who download and open the .DOC attachment are actually executing a malware detected by Trend Micro as TROJ_DROPPR.JET. This Trojan file drops another malicious file, detected as particular TROJ_SWYSYN.SME, that connects to possibly malicious URLs.

Celebrity news items, whether factual or not, have been a staple bait in cybercriminal attacks. Adam Yauch’s death is just one of the several web threats that took advantage of the death of famous music icons. Similar threats include the string of clickjacking attacks that used the demise of Whitney Houston, Amy Winehouse, and even Lady Gaga‘s supposed death.

Trend Micro users need not worry as they are protected via the Smart Network Protection™, which detects and deletes the related malware and blocks spam with malicious attachments with its file and email reputation technology. To know more about how attackers take advantage of noteworthy news items e.g. celebrity gossips and news and other social engineering tricks, you may read our comprehensive e-guide “How Social Engineering Works”.

Post from: TrendLabs | Malware Blog - by Trend Micro

News of Beastie Boy Adam Yauch’s Death Leads to Malware

Diablo 3 Scams Preempt Game Release

Christopher Talampas (Fraud Analyst) — Fri, 11 May 2012 16:16:00 +0000

While gamers from North America and Europe are still waiting for the release of Diablo III this coming Tuesday (May 15), cybercriminals have already gone ahead and started taking advantage.

We found a search result for the string “diablo 3 free download” leading to a survey scam — a scheme frequently seen deployed through Facebook.

The search result below (highlighted in yellow) directs to the a page which appears to be the download page for Diablo III:

However, clicking the download button only leads to the following survey page:

Another result, one supposedly leading to a YouTube page (highlighted in red in Figure 1), leads to the following page:

Entering the site, the visitor is met with instructions that they need to follow in order to be able to download the beta version of Diablo III. Interestingly, the steps involve sharing a link through Facebook three times — once on the users’ wall and twice on game pages.

Of course, following the instructions do not really lead to a file download, instead only directing to yet another survey page:

As enticing as it is to be able to download a very popular game right before everyone else does, users should keep in mind that such shady offers are widely used as bait by cybercriminals.

Diablo 3 is not the first game used by cybercriminals for schemes, we’ve seen other popular games such as World of Warcraft and Grand Theft Auto being used in the past.

Trend Micro users are protected from the schemes reported above through the Trend Micro™ Smart Network Protection™.

Post from: TrendLabs | Malware Blog - by Trend Micro

Diablo 3 Scams Preempt Game Release

Malware Masquerades as Flash Player for Android

Karla Agregado (Fraud Analyst) — Fri, 11 May 2012 06:08:28 +0000

Last month, we have seen cybercriminals use the popularity of apps like Instagram and Angry Birds Space to deliver malware on Android phones. This time, we spotted the same social engineering tactic using Adobe‘s name.

This webpage is also found to be hosted on Russian domains, similar to the fake Instagram and Angry Birds Space apps that we previously reported. To further entice users into downloading the fake Adobe Flash Player app, the text on the webpage claims that it is fully compatible with any Android OS version:

When users opt to download and install the said fake app, the site connects to another URL to download malicious .APK file, which Trend Micro detects as ANDROIDOS_BOXER.A. ANDROIDOS_BOXER.A is a premium service abuser, which means it sends messages to premium numbers without the user’s permission, thus leading to unwanted charges. This type of Android malware is just one of the types we were able to identify in our infographic, A Snapshot of Android Threats.

Upon further investigation, we have seen a bunch of URLs that are hosted on the same IP as this particular website. Based on the naming alone used in these URLs, it appears that Android is a favorite target for cybercriminals behind this scheme.

Trend Micro protects your Android phones from accessing these malicious sites and from downloading malicious .APK files on your phones via the Mobile Security Personal Edition app. Apart from blocking access to malicious sites, our app scans each app you install to ensure your safety.

For your reference, Adobe Flash Player from Adobe Systems can be downloaded via the Google Play store.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Masquerades as Flash Player for Android