Pick Your Poison: KOOBFACE or FAKEAV?
September 18, 2009 by admin
Filed under Security News
The Koobface botnet is widely known to install FAKEAV or rogue antivirus malware onto a victim’s PC. It has a dedicated component which actually installs the FAKEAV onto the user’s system. However, the Koobface gang has added a new twist to its fake Facebook page.
When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here’s a video that illustrates this behavior:
This is the script used by cybercriminals to perform this new routine; it only works for users who used Internet Explorer to visit the fake page:

Figure 1. Koobface Script
The script above leaves the user with very little choice – closing the browser window downloads a FakeAV variant (detected as TROJ_FAKEAV.FGR), while clicking anywhere on the web page downloads a Koobface loader (detected as WORM_KOOBFACE.AZ).
by Jonell Baltazar (Advanced Threats Researcher) from trendmicro.com
“See Who Blocked You on MSN” Phishing Attacks
September 14, 2009 by admin
Filed under Security News
We have received samples of a new phishing mail targeting users of MSN Messenger, inviting them to see who deleted or blocked them from their contact list. Users would be interested to know who among their friends has deleted them from their lists.

Figure 1. Phishing email
Clicking on the link displays the following fake login page asking the user to input his or her password:

Figure 2. Phishing website
It is obvious that the intention of the cybercriminals is to harvest the user’s MSN Messenger login credentials. Afterwards, they can continuously send spam messages to the account or, worse, use the account for their malicious intent.
Getting in touch with friends is now much easier than before. Because of the growth of social networking sites, we can stay connected with our old friends, or even find new ones. This may include reading the profile pages of other members, sending and receiving invitations to fun games, videos and other applications. However, users must be on guard when interacting within online social networks. Spammers are now abusing these in their phishing attacks.
Always be mindful when accepting “invitations”, especially when they concern your personal information. This particular spam message, and the associated website, are already blocked by Trend Micro products via the Smart Protection Network.
by Merianne Polintan (Anti-spam Research Engineer)
TROJ_SPAYKE.C Trojan Targets Skype Users
August 31, 2009 by admin
Filed under Security News
TrendLabs researchers were alerted to a newly released Proof-of-Concept (PoC) that listens to and records voice calls carried out via Skype. Trend Micro detects this as TROJ_SPAYKE.C. Skype is a popular application used for making voice over IP (VoIP) calls.
Upon execution, the DLL component (also detected as TROJ_SPAYKE.C) intercepts Skype traffic and hooks the send and recv APIs. This is done before Skype encrypts the traffic it sends to other users. This enables the Trojan to save all gathered information as audio files, which could then be sent to a malicious user. Here’s a screenshot of the captured information:

Figure 1. Sample of intercepted traffic
This poses no threat at the moment: it only collects information and does not decrypt it or send it to a remote user. However, future attacks that do engage in information theft cannot be ruled out.
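The hooking of send and recv described above is the kind of change a defender can look for from inside the affected process: the first bytes of the hooked API are overwritten with a branch into the hooking module. The following script is an added example (not Trend Micro's code and not derived from TROJ_SPAYKE.C) that decodes the two most common inline-hook prologues and reports where the branch lands. The module map, addresses, the `hook_sample.dll` name and all prologue bytes are constructed for illustration; a real scanner would read them from the live process.

```python
"""Prologue inspection for inline API hooks, as a defensive check.

A user-mode hook of the kind described above (send/recv intercepted inside the
process) usually overwrites the first bytes of the target function with a
branch into the hooking module. Reading those bytes and resolving where the
branch lands is a standard way to spot such hooks. All addresses, module maps
and prologues here are constructed samples, not data captured from Skype or
TROJ_SPAYKE.C.
"""
import struct

# Constructed module map: (name, base address, size) as a scanner would obtain
# from the process's loaded-module list. 'hook_sample.dll' is hypothetical.
MODULES = [
    ("ws2_32.dll", 0x71AB0000, 0x00017000),
    ("hook_sample.dll", 0x10000000, 0x00010000),
]

# Standard hot-patchable Win32 prologue: mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def classify_prologue(code, func_addr):
    """Decode the first instruction of a function prologue.

    Returns (kind, target): kind is 'jmp_rel32', 'push_ret', 'clean' or
    'unknown'; target is the resolved branch destination, or None.
    """
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if code[:5] == CLEAN_PROLOGUE:
        return "clean", None
    return "unknown", None


def owning_module(addr, modules=MODULES):
    """Name of the module whose image range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def detect_hook(name, code, func_addr, expected_module="ws2_32.dll"):
    """Flag a prologue whose first instruction branches outside its own module.

    A branch that stays inside the exporting DLL (e.g. a vendor hot-patch) is
    not reported; a branch into any other module is.
    """
    kind, target = classify_prologue(code, func_addr)
    if target is None:
        return {"function": name, "kind": kind, "hooked": False, "module": None}
    module = owning_module(target)
    return {"function": name, "kind": kind,
            "hooked": module != expected_module, "module": module}


def jmp_rel32(from_addr, to_addr):
    """Encode 'jmp rel32' placed at from_addr that lands on to_addr (for samples)."""
    return b"\xe9" + struct.pack("<i", to_addr - (from_addr + 5))


# Constructed prologues: (label, function address, first bytes read from it).
SAMPLES = [
    ("send, untouched",        0x71AB4C27, CLEAN_PROLOGUE),
    ("send, hooked by jmp",    0x71AB4C27, jmp_rel32(0x71AB4C27, 0x10001000) + b"\x90"),
    ("recv, hooked push/ret",  0x71AB615A, b"\x68" + struct.pack("<I", 0x10001234) + b"\xc3"),
    ("recv, in-module branch", 0x71AB615A, jmp_rel32(0x71AB615A, 0x71AB6200)),
]


def scan(samples=SAMPLES):
    """Run the hook check over every sample and return the findings in order."""
    return [detect_hook(label, code, addr) for label, addr, code in samples]


if __name__ == "__main__":
    for finding in scan():
        state = "HOOKED -> %s" % finding["module"] if finding["hooked"] else "ok"
        print("%-24s %-10s %s" % (finding["function"], finding["kind"], state))
```

The check deliberately compares the branch destination's module with the exporting DLL rather than treating every leading `jmp` as malicious, because vendors do hot-patch their own exports; the suspicious case is a branch that leaves the module entirely.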
Users are advised not to give away any crucial information when conversing online to prevent info theft. Trend Micro protects users from this attack through the Trend Micro Smart Protection Network.
Source: trendmicro.com
BKDR_REFPRON in New Mass Compromise
August 28, 2009 by admin
Filed under Security News
Trend Micro threat analysts were alerted to another mass compromise attack affecting around 55,000 consumer-oriented sites spread throughout Canada, China, the United Kingdom, and India as of the first report.
This incident is a painful reminder of the persisting risk of unprotected Web-surfing. In this particular case, the malicious scripts injected in the legitimate sites lead to other sites that eventually resolve to the download of the following backdoor programs and components:
- axa0727.exe-1 (BKDR_REFPRON.FH)
- d.binaxa072776988 (TROJ_REFPRON.FI)
- ms.binaxa0727588773 (TROJ_REFPRON.FJ)
- so.binaxa0727737721 (BKDR_REFPRON.FH)
The backdoors drop other components and connect to other IP addresses to download further malware, increasing the risk to users.
Trend Micro Web Threat Protection-enabled products have already been blocking the infection chain starting with the injected scripts’ related domains and URLs down to the URLs hosting the malicious binaries.
As of this writing, searching for the offending script yields 99,000 results.
Source: trendmicro.com
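Site owners caught in a mass compromise like the one above usually first learn of it from the injected markup on their own pages. The following is an added example, not Trend Micro's code and not the actual injected script from this incident, of a small page checker that flags the three usual hallmarks of such an injection: a script loaded from a host the site does not own, a hidden iframe, and an inline script that unpacks itself with unescape()/fromCharCode. The sample page, the allowed-host list and the `injected.invalid` host are all constructed.

```python
"""Scan a page for the hallmarks of a mass-compromise injection.

Injected content of the kind described above tends to be (a) a <script src=>
pointing at a host the site does not own, (b) a hidden <iframe> sized 0x0 or
styled display:none, or (c) an inline script that unpacks itself with
unescape()/fromCharCode. This is an added, generic checker; the sample page,
the allowed hosts and the 'injected.invalid' host are all constructed, and the
real injected script from the incident is not reproduced here.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "static.example.com"}

OBFUSCATION_MARKERS = ("unescape(", "fromCharCode", "eval(")


def _is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


class InjectionScanner(HTMLParser):
    """Collects (finding_kind, detail) pairs while parsing."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            # Relative URLs have no host and are served by the site itself.
            if host and host not in self.allowed_hosts:
                self.findings.append(("external-script", src))
        elif tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw text, so markers can be
        # matched here without the content being interpreted.
        if self._in_script and any(m in data for m in OBFUSCATION_MARKERS):
            self.findings.append(("obfuscated-inline-script", data.strip()[:48]))


def scan_html(page, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return the list of findings for one page, in document order."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(page)
    scanner.close()
    return scanner.findings


# Constructed sample page: a legitimate shop page with three injected pieces.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/site.js"></script>
<script src="http://static.example.com/js/cart.js"></script>
</head><body>
<h1>Welcome</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22http://injected.invalid/in.cgi%3F3%22%3E'));</script>
<iframe src="http://injected.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script src="http://injected.invalid/x.js"></script>
</body></html>"""


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print("%-26s %s" % (kind, detail))
```

Running the checker over every page of a site and diffing the results against a known-good crawl turns it into a cheap integrity monitor; the allowlist is the part that has to be maintained per site.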
TrendProtect™ Version 1.2 FREE browser plug-in (IE Only)
August 21, 2009 by admin
Filed under Protection Tools

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:
Facebook Applications Used For Phishing
August 21, 2009 by admin
Filed under Security News
It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone. However, that’s not quite the case, as we’ve seen before.
Earlier this week, however, Trend Micro researcher Rik Ferguson found at least two—if not more—malicious applications on Facebook. (These were the Posts and Stream applications.) They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users need to enter their login credentials to use the application. The messages appear as notifications in a target user’s legitimate Facebook profile, as shown below. The links to the malicious site are highlighted:

Figure 1. Facebook notifications page
After entering the credentials, users would then be redirected to Facebook itself. (The posts detailing these findings can be found at the Counter Measures blog; the initial report is here and a follow-up was posted here.)
While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites. The particular site involved in this phishing attack is already blocked by the Smart Protection Network.
Image credits: thanks to Rik Ferguson, Countermeasures blog.
The New Version of Swizzor Trojan Not Detected Yet and How to Remove it Manually
August 18, 2009 by admin
Filed under Removal Tips,Tools and Videos, Security News
Today I found a new version of a trojan (Swizzor Trojan). The damage that the Trojan does is slowing down IE, and maybe it sends personal information to a remote server; therefore it can be a real threat to your privacy.
Swizzor can also try to download and install malicious software such as adware.
How I detected it:
I saw 2 IExplore.exe processes running without seeing any IE windows; even if I closed any of them it would run again, so I tracked which software was running IE without any permission and I found it in the Startup tab of Msconfig. The file name is: admin dumb.exe, with other files at “C:\Documents and Settings\Administrator\Application Data\Extra 16”.
I copied the folder that has the trojan and uploaded the files to VirusTotal; some of them were detected by Kaspersky, but admin dumb.exe was not detected by Kaspersky, McAfee, Symantec, Nod32, Sophos, etc. To see the result from virustotal.com, Click Here.
How to remove Swizzor Trojan manually:
1- Open Msconfig from Start > Run, click on the Startup tab, then uncheck admin dumb.exe.
2- Go to the admin dumb.exe path, e.g. “C:\Documents and Settings\Administrator\Application Data\Extra 16”, and rename the folder that contains the trojan file.
3- End the admin dumb.exe process from Task Manager if it is running.
4- Restart your PC, then go back to the folder that you renamed before and delete it with all its contents.
5- Your PC is clean now. Enjoy.
For any help please comment or contact us.
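What made this trojan stand out in the Startup tab was its location: an executable launched from Application Data rather than from a program directory. The script below, added here as an example and not part of the post above, turns that observation into a repeatable triage over a list of startup entries of the kind msconfig shows. It recovers the image path from each command line (including unquoted paths with spaces), flags entries running from user-writable folders, and separately flags core Windows binary names living outside the Windows folder. The entries are constructed samples; only the `Extra 16` path and `admin dumb.exe` name come from the post.

```python
"""Triage of startup entries for programs launched from user-writable folders.

The removal steps above hinge on noticing that 'admin dumb.exe' started from
Application Data rather than a program directory. This added script applies
that observation to a list of startup entries (name, command line) such as
msconfig's Startup tab shows. The entries below are constructed samples; the
'Extra 16' path and file name are the ones reported in the post.
"""

# Folder fragments (lower case, backslash form) where legitimate software
# rarely installs its executables but droppers commonly do.
USER_WRITABLE_DIRS = (
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\local settings\\application data\\",
    "\\appdata\\",
    "\\temp\\",
)

# Names of core Windows binaries; a copy outside the Windows folder is a warning sign.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "iexplore.exe", "lsass.exe", "csrss.exe"}

EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".dll")


def extract_image_path(cmdline):
    """Recover the executable path from a startup command line.

    Quoted paths are taken verbatim. For unquoted paths containing spaces the
    shortest space-separated prefix ending in an executable suffix is taken,
    which mirrors how Windows resolves such command lines.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    parts = s.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(EXECUTABLE_SUFFIXES):
            return candidate
    return parts[0]


def triage_entry(name, cmdline):
    """Return the list of reasons an entry looks suspicious (empty if none)."""
    path = extract_image_path(cmdline)
    lowered = path.lower().replace("/", "\\")
    folder, _, filename = lowered.rpartition("\\")
    reasons = []
    for fragment in USER_WRITABLE_DIRS:
        if fragment in lowered:
            reasons.append("runs from user-writable folder (%s)" % fragment.strip("\\"))
            break
    if filename in SYSTEM_BINARY_NAMES and "\\windows\\" not in lowered:
        reasons.append("system binary name outside the Windows folder")
    return reasons


def triage_startup_entries(entries):
    """Return [(name, image path, reasons)] for entries that raised any reason."""
    flagged = []
    for name, cmdline in entries:
        reasons = triage_entry(name, cmdline)
        if reasons:
            flagged.append((name, extract_image_path(cmdline), reasons))
    return flagged


# Constructed sample of what a Startup tab might list.
SAMPLE_ENTRIES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Adobe Reader Speed Launch", r'"C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"'),
    ("admin dumb", r"C:\Documents and Settings\Administrator\Application Data\Extra 16\admin dumb.exe"),
    ("updater", r"C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe /q"),
]


if __name__ == "__main__":
    for name, path, reasons in triage_startup_entries(SAMPLE_ENTRIES):
        print("%s\n  %s\n  - %s" % (name, path, "\n  - ".join(reasons)))
```

A flagged entry is a lead, not a verdict: the post's own next step, submitting the files to VirusTotal, is the right follow-up before anything is removed.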
1H 2009: Malware Threat Grows Ever Larger
August 15, 2009 by admin
Filed under Security News
Malware threats have undergone many, many stages of evolution over the years. First it was DOS viruses, then macro viruses, then mass-mailers, then botnets, then Web threats… the only constants seem to be that these are growing both in number and in danger.
TrendLabs has seen this continued growth of malware. The effects on users are clear: in the first six months of 2008, the Trend Micro World Virus Tracking Center (WTC) recorded that 253.4 million systems were infected with malware. The comparable volume for 2009 is almost double at 491.2 million.
PayPal Fraud with CAPTCHA
August 12, 2009 by admin
Filed under Security News
It’s about time this technique came in. Content Security forecast that phishing with CAPTCHA would be an emerging fraudulent technique.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is used to protect web sites against abusive automated software that can register, spam, log in, or even splog. However, nowadays that isn’t the case anymore.
Just like the traditional PayPal phish, the web page http://{BLOCKED}www.security-paypal.citymax.com/paypal_security.html asks the user to provide feedback on their shopping by asking for their Name, E-mail Address and PayPal password, as seen in Figure 1.
Figure 1: Screenshot of bogus PayPal phishing Feedback page
After this, a CAPTCHA image is shown and the user is required to enter the code, supposedly for spam prevention. However, the personal information entered could then be used to create bogus mail accounts, among other things.
The phishing URL is already blocked by Trend Micro’s Smart Protection Network.
Source: trendmicro
The Real Face of KOOBFACE
August 6, 2009 by admin
Filed under Security News
A year after its first discovery, Koobface is still generating a lot of noise, no thanks to its high activity level over the past several weeks. But one year is a long time for a malware to stay alive. Storm didn’t make it out of its first year. Waledac has been around for a while, but it sleeps and wakes up only when it wants to. But Koobface? It has continued to maintain its success and just seems to keep on improving.
Although not as large and widespread as Storm or Waledac during their heydays, Koobface is a revolutionary malware in the sense that it is the first Web 2.0 threat to enjoy continuous success, which is significant at a time when social networking sites reign supreme.
This is why we see it as important to understand this threat: the computing landscape is evolving and user behavior is changing, and with malware like Koobface threatening that landscape, it is Trend Micro’s duty to stay on top of such threats.
If you want to know more about Koobface, feel free to read our research here: The Real Face of KOOBFACE.