Saturday, August 16, 2008

[Lockergnome] Computer Security ~ August 16, 2008




TrendLabs | Malware Blog - by Trend Micro - 3 new articles

  1. A Million Search Strings to Get Infected
  2. July Malware Roundup
  3. Fake Antivirus Trojans Ramping Up

A Million Search Strings to Get Infected

Seems like the bad guys pushing for fake antivirus software are not done yet.

We received several reports from the North American region earlier today about users victimized by rogue antispyware, which they downloaded after being convinced to click on malicious links. These links point to malware that produces overt signs of infection on the PC (such as popup balloons and modified wallpapers), suggesting that the system is indeed infected. This is not goodwill, though: downloading the ‘trial version’ only scans the system, and to remove the “infection” the user has to purchase the full antispyware for real money. Users may be infected via spammed email messages, spammed instant messages, or even via ads served on social networking sites.

Soon enough, we discovered not one but two fake antivirus programs. This time the attack is made possible through mass SEO poisoning involving several compromised Web sites. This development has certainly increased the chances of the rogue antispyware gaining traction.

How does this work?

A simple Google/Yahoo! search can lead you to a malware-serving site. Search strings such as “changes on the river amazon” or “changes made for mount Pinatubo” will lead you to a malicious Web site. Users who happen to search for these strings will find themselves going down a long road of nasty redirections.

Figure 1. Poisoned string leads users to a malware-serving site

Figure 2. Poisoned string leads users to a malware-serving site

The two Web sites hosting the malicious pages are legitimate by themselves, but the exact URLs that the search results point to automatically redirect to hxxp:// windows-scanner2009. com.

Figure 3. The PC is redirected several times, during which the user begins to see signs that the PC is infected.

Figure 4. Message boxes suggest that the user might want to get rid of viruses in his/her PC by installing a certain software named Antivirus 2009.

Figure 5. Clicking OK in Figure 4 means the user has agreed to a ‘free scan.’ The message even ends with a comforting note that the file is certified free of malware. Don’t be fooled.

Figure 6. A convincing GUI for Antivirus 2009 performing the system scan might still convince users that they are using legitimate software.

After all the fake notifications, the user will be asked to download AV2009Install_880488.exe.

The other fake antivirus will lead users to hxxp://scan. free-antispyware-scanner. com instead of the earlier example.

Figure 7. Variation on the rogue antispyware scam.

This one asks the user to download setup_100722_3.exe instead of AV2009Install_880488.exe. (Note that the final agenda of both, and of most rogue antispyware scams, is extortion: users who fall for the scam pay the malware writers a certain amount of money to purchase the full version of the fake antispyware.)

According to our investigation, several dozen domains are currently compromised. The hackers were able to upload PHP scripts containing various text strings designed for SEO poisoning (SEO poisoning means manipulating or influencing the natural page rankings of search results so that a page gets more hits than it really deserves).

This is not the first time Trend Micro has seen an incident like this: a previous SEO poisoning of this scale was discovered in December 2007, with the SEO poisoning pages hosted on Blogspot. This time around, compromised Web sites were used instead.

Digging a little deeper, we also found that the hackers have almost 1 million search phrases at their disposal for SEO poisoning. These search phrases cover everything from free downloads, lyrics, travel and politics to anything in between.

Malicious sites have “CLICK HERE! ALL INFORMATION!” and “CLICK HERE! WANT TO KNOW MORE ABOUT” as their page titles, so it is best to avoid clicking through Google/Yahoo! results that carry those titles.
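As an added example (not part of the TrendLabs post or Trend Micro's tooling), here is a small defender-side checker that flags a fetched HTML page carrying the indicators this article names: the poisoned page titles, meta-refresh or JavaScript redirects to the rogue-scanner domains, and links to the two installer file names. The sample page is constructed for the demo; the indicator values are the ones quoted above.

```python
import re
from html.parser import HTMLParser

# Indicators quoted in the article above; everything else here is constructed.
POISONED_TITLES = ("CLICK HERE! ALL INFORMATION!", "CLICK HERE! WANT TO KNOW MORE ABOUT")
ROGUE_DOMAINS = ("windows-scanner2009.com", "scan.free-antispyware-scanner.com")
ROGUE_INSTALLERS = ("av2009install_880488.exe", "setup_100722_3.exe")

class _PageScanner(HTMLParser):
    # Collects the <title> text and any meta-refresh redirect target.
    def __init__(self):
        super().__init__()
        self.title, self._in_title, self.redirects = "", False, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
            if m: self.redirects.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "title": self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def analyze_page(html):
    # Returns the indicators found in one fetched HTML page, in a fixed order.
    p = _PageScanner()
    p.feed(html)
    # JavaScript redirects (location = "..." / location.href = "...") are picked up by regex.
    p.redirects += re.findall(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", html, re.I)
    findings = []
    title = " ".join(p.title.split()).upper()
    if any(title.startswith(t) for t in POISONED_TITLES):
        findings.append("poisoned-title")
    for url in p.redirects:
        host = re.sub(r"^\w+://", "", url).split("/")[0].lower()
        if host in ROGUE_DOMAINS:
            findings.append("redirect-to-rogue-scanner:" + host)
    if any(name in html.lower() for name in ROGUE_INSTALLERS):
        findings.append("rogue-installer-link")
    return findings

# Constructed sample page mimicking one of the poisoned search results.
SAMPLE_POISONED = """<html><head><title>CLICK HERE! ALL INFORMATION! changes on the river amazon</title>
<meta http-equiv="refresh" content="0; url=http://windows-scanner2009.com/scan/"></head><body><a href="http://windows-scanner2009.com/AV2009Install_880488.exe">free scan</a></body></html>"""
```

Run it over pages pulled by a proxy or a search-result crawler; a non-empty result list is the signal to block the URL or alert.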



July Malware Roundup

Notable Malware

WORM_NUWAR.VQ, TROJ_DROPPER.OAC
These malware took advantage of the Fourth of July celebrations in the United States to increase their chances of distribution. A malicious URL was included in e-greeting cards that were spammed around during this time; the URL pointed to locations from which these malware could be downloaded.

TROJ_PIDIEF.JT
Sometime in mid-July, an email was being spammed around foretelling the supposed death of the Internet in 2010. The email contained a PDF attachment with "more details" of the news. Users who were tricked into opening the PDF attachment would soon find an unexpected guest on their systems, in the form of TROJ_PIDIEF.JT.

BKDR_POISON.GO, TROJ_FAKECLEAN.A
POISON and FAKECLEAN are two malware families that pose as virus cleaning tools. Towards the end of July, these malware were sent out through email by Chinese hackers. The email claimed that these "applications" were Trend Micro Virus Clean Tools. There is in fact a Trend Micro Virus Clean tool, but what makes this incident suspicious is that Trend Micro never sends applications as email attachments.

Exploits and Vulnerabilities

Internet Explorer Vulnerability
As July began, a vulnerability was discovered in Internet Explorer. According to reports, access to an HTML document's frames was not restricted, meaning that frame contents could be replaced, presumably with malicious content. This opens further potential for browser-based attacks against the user.

TROJ_MDROPPER.ZY, TROJ_PPDROP.M, TROJ_MDROPPER.ZT
Even the 2008 Summer Olympics were not spared as a lure for malware distribution. In the early weeks of July, DOC files with malicious content were circulating. Users were tricked into opening them because the documents appeared to contain information or news on the Olympic Games. These DOC files were actually exploits for a vulnerability in Microsoft Word 2002 Service Pack 3. When exploited, this unspecified remote code-execution vulnerability could allow remote attackers to take complete control of an affected system or cause the application to crash.

Web Incidents

TROJ_AGENT.AYZO
TROJ_AGENT.AYZO is the malware behind the recent wave of compromised Web sites. In July, quite a number of legitimate Web sites were compromised: additional Web pages were added under the sites' domains, usually with the filename START.HTML, BEGIN.HTML or R.HTML. Once accessed, these malicious Web pages redirect the browser to a location from which TROJ_AGENT.AYZO can be downloaded.



Fake Antivirus Trojans Ramping Up

Our researchers at TrendLabs have discovered a new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal, although we have also received reports that the said link is also circulating in instant messaging applications and private messages in social networking Web sites.

Once the link is clicked, the Web threat infection chain begins and ultimately leads to the download of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX, a rogue antivirus that displays very convincing (and for some, alarming) messages, such as the following:

Note that since users are only using the “trial version,” TROJ_FAKEAV.CX even convinces users to get the full version so that they are always protected:

TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known for very visual payloads that may further alarm users (for example, they modify the system’s wallpaper and screensaver settings to display a BSOD). Thus, users may be more convinced that something is wrong with their system, not knowing that their new software is the one causing it.

Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months (the Anjelina spam being one of the more recent examples).

Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cybercriminals are riding on this season to ramp up their profits. Bad news for the infected users though, as their latest versions of “antivirus software” are actually adding more threats to their system.

Trend Micro is still investigating this spam run. Updates will be posted when more information becomes available.
