
Here are the latest updates for security-news@awsoda.net
- Celebrities and Politicians Running Afoul of Hackers
- Certificated Invoices – Exploiting LNK extension
- Clear and Present Danger: Out-of-Band MS Patch
- SMS Spam? Not Quite
- More Recent Articles
Newsflash: Sarah Palin may no longer be the most famous victim of electronic crime. French President Nicolas Sarkozy found himself a contender for that dubious title following news reports that hackers managed to steal some money from his personal bank account.
While it is not yet clear how Sarkozy's account information was stolen, some analysts speculate that it was not a classic phishing attack. It is more likely that Sarkozy's credit card information was stolen earlier, perhaps during one of his many trips abroad, and then sold as just one of many thousands of similarly compromised accounts. This trade in stolen card data is known as carding.
If what happened to Sarkozy were indeed a case of carding, it lends some credence to statements by French law enforcement that the hackers didn't know they were stealing from the French president. After all, there are few acts more likely to draw police attention than making a victim out of a national politician–just ask David Kernell, the student accused of breaking into Sarah Palin's email account. Kernell was recently indicted in federal court, and faces several years in prison.
Sarkozy's bank (which was not identified in media reports) may also be in hot water, as government spokesman Luc Chatel says:
When one gives personal information to one's bank, it is not so the information is used for marketing or recruiting purposes, or that it should be divulged here or there.
These recent incidents bring home the point that public figures can now expect to find themselves under scrutiny not just from paparazzi, but from hackers as well. Entertainers have had to deal with this kind of crime too: Miley Cyrus had her own Google Mail account compromised, and the suspect there received a not-so-friendly visit from the FBI.
Right now it has been nothing more than a nuisance: Palin's email turned up nothing of significance, and Sarkozy probably will not miss the few euros taken. That may not stay true for long, and more damaging incidents may follow. Cyrus's case may well set the tone: her compromised account resulted in several embarrassing photos making their way onto the Internet. It probably will not be the last time a celebrity runs afoul of hackers.
Other celebrity-related incidents:


In Germany we noticed that a new massive wave of "Rechnung" ("invoice") malware spam continued today, with a special twist inside.
The messages received today carry various subject lines ("Abbuchung" (debit), "Lastschrift" (direct debit), "Amtsgericht" (district court)). The email bodies are also worded differently, but all carry the same message: that money has been debited directly from the recipient's account.

Figure 1: email sample of spammed message
The malware comes attached in a “Rechnung.zip” archive as "zertifikat.ssl" (WORM_AUTORUN.PB). In addition, the archive contains a second file, "Rechnung.txt.lnk". Note that this file has a double extension, unlike zertifikat.ssl. Windows Explorer never displays the .LNK extension of shortcut files (this is independent of the "Hide extensions for known file types" setting, which hides the extensions of other registered types), so in most cases this file is displayed as Rechnung.txt, both in the archive and after it is extracted to disk.
Only one statement appears consistently in all the email samples we have found; it is highlighted below:
Figure 2: email sample of spammed message, with the common statement highlighted
In that statement, the senders point out that the recipient does not need to care about the “zertifikat.ssl” file, since it is supposedly only the certificate for the invoice itself. The criminals reassure the user that Rechnung.txt.lnk is the only file that needs to be looked at. And in a sense that is true: a file with the .SSL extension, such as the malware file zertifikat.ssl, would not execute on a simple double-click, because Windows has no handler associated with that extension. It does execute when a .LNK shortcut pointing at it is opened, and that is exactly what “Rechnung.txt.lnk” is.
Like Autorun.inf and .PIF files, an LNK file causes the target path stored inside it to be executed when the file is opened:
Figure 3: Binary code of Rechnung.txt.lnk
To make sure that the SSL file is actually executed, this particular “Rechnung.txt.lnk” file targets the system command interpreter, c:\Windows\System32\cmd.exe, and passes zertifikat.ssl from the current directory as its argument. cmd.exe hands the named file to the Windows process loader, which checks the file's PE header rather than its extension, so the renamed executable runs despite being called .ssl. Execution through LNK files is not a special trick. Shortcuts that launch a program with arguments are a normal, documented feature of the Windows operating system, and everyday use of the system would be far more cumbersome without them.
An experienced user who tries to open the LNK file, even in an editor, will be confused: Explorer resolves the shortcut, and the editor shows the contents of zertifikat.ssl instead. To view the shortcut file itself, the user first has to rename it from the command line (cmd.exe), for example with ren; Explorer's rename box does not expose the hidden .lnk extension.
Users are advised to stay vigilant. These optical illusions in the Windows operating system are features, not bugs, and they would be harmless if criminals did not exploit them.
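As an added illustration (not code from the original post or from Trend Micro), the following Python script builds a minimal shell link in the layout described above, parses it back with a small [MS-SHLLINK] parser, and applies the triage checks a practitioner would want on a suspicious attachment: a double extension in the file name, a command-interpreter target, and an argument whose extension is not an executable one. The sample link, its relative path to cmd.exe and the argument "/c zertifikat.ssl" are all constructed here to mirror the campaign; the real Rechnung.txt.lnk is not reproduced.

```python
import re
import struct
from dataclasses import dataclass

# [MS-SHLLINK] ShellLinkHeader: fixed 76-byte header and the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk little-endian form.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (only those this parser needs).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 1 << 0, 1 << 1, 1 << 2
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 1 << 3, 1 << 4, 1 << 5
HAS_ICON_LOCATION, IS_UNICODE = 1 << 6, 1 << 7

# StringData entries in the order the format stores them.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

COMMAND_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "rundll32.exe", "regsvr32.exe"}
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".ps1"}


@dataclass
class ShellLink:
    flags: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def _string_data(text: str) -> bytes:
    """One StringData entry: CountCharacters (u16) followed by UTF-16LE characters."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed sample: a shell link carrying only StringData (no IDList/LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # creation/access/write FILETIMEs (unset)
                         0, 0, 1,     # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3
    return header + _string_data(relative_path) + _string_data(working_dir) + _string_data(arguments)


def parse_lnk(data: bytes) -> ShellLink:
    """Validate the header, skip IDList and LinkInfo if present, read StringData."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (u16) + IDList bytes
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:             # LinkInfoSize (u32) includes itself
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    link = ShellLink(flags=flags)
    for bit, attr in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw, off = data[off:off + width * count], off + width * count
        setattr(link, attr, raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace"))
    return link


def triage(filename: str, link: ShellLink) -> list:
    """Flag the three tricks used in the Rechnung campaign; returns a list of findings."""
    findings = []
    # 1. Double extension: Explorer never shows .lnk, so "x.txt.lnk" displays as "x.txt".
    if re.search(r"\.[a-z0-9]{1,4}\.lnk$", filename.lower()):
        findings.append(f"double extension: {filename} is displayed as {filename[:-4]}")
    # 2. The shortcut target is a command or script host rather than a document.
    target = (link.relative_path or link.name).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in COMMAND_HOSTS:
        findings.append(f"target is a command host: {target}")
    # 3. An argument names a file whose extension would not run on double-click.
    for token in re.findall(r"[\w.\\-]+\.[A-Za-z0-9]{1,4}", link.arguments):
        ext = "." + token.rsplit(".", 1)[-1].lower()
        if ext not in EXECUTABLE_EXTS:
            findings.append(f"arguments pass {token} to the target although {ext} is not an executable extension")
    return findings


def demo() -> list:
    """Constructed sample mirroring the campaign: a shortcut to cmd.exe that runs the .ssl file."""
    blob = build_lnk(r"..\..\..\Windows\System32\cmd.exe", ".", "/c zertifikat.ssl")
    return triage("Rechnung.txt.lnk", parse_lnk(blob))


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

The parser only skips the LinkTargetIDList and LinkInfo blocks, which is enough to reach the StringData section where the relative path and arguments live; real samples that encode the target solely in the IDList would need an IDList walker as well.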


Earlier today, Microsoft released a security bulletin regarding a critical vulnerability in the Server Service, which allows an attacker to perform remote code execution by sending a specially crafted RPC request to a target system. Because the flaw is triggered by a network request rather than by user action, it could be used to craft a wormable exploit which, should its authors design it so, would leave corporate networks clogged and virtually unusable. According to Microsoft, the bulletin was released outside the monthly release cycle to protect customers from attacks against this flaw.
Not long after the release, TrendLabs received reports of a zero-day exploit that takes advantage of this vulnerability. According to Trend Micro Advanced Threats Researcher Paul Ferguson, the exploit downloads a malicious file from a specific IP address. We now detect the downloaded file as TSPY_GIMMIV.A. Based on initial analysis, this spyware checks the registry for entries related to antivirus software, possibly in an attempt to avoid detection.
The time between the report of the vulnerability and the discovery of the exploit is so short that researchers have reason to believe the vulnerability was known to the attackers first; they may have been actively exploiting this bug for days before Microsoft got wind of it. Note that the regular Patch Tuesday release was only a little over a week ago. Kudos to Microsoft for delivering an immediate fix to prevent more users from becoming victims.
The Trend Micro Smart Protection Network already blocks the malicious URL from which this spyware is downloaded. We strongly recommend that users update their computers immediately with the patch provided by Microsoft.
Trend Micro is working on an in-depth analysis of this malware and the exploit. Stand by for more details.


If there is one thing that security experts and spammers have in common, it is that both think outside the box. Time and again, we see spammers come up with new techniques, or recycle old ones, to lure users more effectively.
And this is no exception…
Trend Micro Advanced Threats Researcher Loucif Kharouni discovered a spammed email message supposedly coming from TIM Brazil, a popular mobile company in that country. What is interesting about the message is that it appears to have been sent via SMS (Short Message Service). Here is a sample email message:
Figure 1. Sample of TIM Brazil spam
The message tricks users into clicking a link to view a video. Users who click the link unknowingly download a CPL file (a Control Panel applet, which is a DLL that Windows loads and runs when it is opened) detected by Trend Micro as TROJ_DLOAD.KW, or another malicious file detected as TROJ_DLOAD.KY. Both files are hosted at hxxp://{BLOCKED}r.alice.it. Here is a screenshot of the page where the files are hosted:
Figure 2. The link in the email message leads users to this page.
Kharouni says this is the first time he has encountered this type of spam. He believes that the messages were merely faked to look as if they had been sent via SMS. This is still cause for concern, as the social engineering technique shows a crossover between mobile devices and the Web as infection vectors. SMS spam used to propagate only through mobile devices. Although the messages in this run do not appear to have been sent through SMS, spammers may now be heading in that direction.
The Trend Micro Smart Protection Network already blocks the email messages involved in this spamming operation. It also detects TROJ_DLOAD.KW and TROJ_DLOAD.KY and provides solutions for their cleanup and removal. Users are strongly advised to be wary of clicking links in unexpected email messages, even if they seem to come from legitimate sources.
Other threats related to mobile devices:

