
07-02-2009 18:42

Spam Speculates Michael Jackson’s Murder

Michael Jackson has been dead for a week already, but speculation about his death continues. Spam runs exploiting it are plentiful as well: a Michael Jackson-related spam message was seen bearing the subject "Who killed Michael Jackson?", sent from a sender named x-files.

The spam message suggests that the icon was killed, and that information on who murdered him can be seen on the given URL.

Clicking the link leads to a website where the user is asked to execute a file that supposedly contains secret information about who killed Michael Jackson.

Of course, the executable has nothing to do with Michael Jackson's murderer, or with Michael Jackson at all: the file is really a data stealer detected by Trend Micro as TROJ_ZBOT.AXY. TROJ_ZBOT.AXY connects to a certain URL from which it downloads a configuration file containing a list of banking-related websites. Once the user attempts to visit any of the listed sites, a spoofed site is displayed instead of the real one, so any sensitive information entered on the spoofed site is sent to a remote user.

This threat, however, doesn't stand a chance against the Smart Protection Network, as all of its components (spam, URL and file) are already either blocked or detected.

Post from: TrendLabs | Malware Blog - by Trend Micro




Related posts:

09-02-2010 6:44

“IQ Test” Spam Proliferating via Instant Messages

I recently came across a round of spammed instant messages that arrived via my Yahoo! Messenger account. These messages were supposedly sent from my cousin's account, used the following format, and were sent to everyone on her friends list:

The familiar message format told me that I was chatting with a bot that wanted me to click the link in the message. Checking where the link went to led me to the following page:

The IQ test had 11 questions that eventually led to a “results” page that asked me to sign up and enter my mobile phone number to get the quiz results:

One may ask why the site would need a mobile phone number just to send IQ test results. Will they use this information to spam me through my mobile phone? It is also unclear whether the answers to the questions actually matter to the IQ "score" given to the user, if they actually receive one.

That may well be the case, but the cybercriminals have a more direct approach to earning money. The Summary of Terms at the bottom of the page says that giving the quiz's creators one's mobile phone number means signing up for a "mobile content subscription." Of course, this is not free, as the subscription fee ranges from US$9.99 to $19.99 a month. This is stated in the site's terms and conditions, which are located at the bottom of the page:

This gave me enough reason to close the browser tab and leave the website. The URL of the said “IQ test” is now blocked by the Trend Micro Smart Protection Network™.


08-25-2010 4:16

Blogspot Mail2Blogger Secret Email Address Used in Spam Attack

A spammed message supposedly from Newegg, a popular online computer hardware/software seller, has been found in the wild. It informs users that their online purchase has been charged to their Visa card. It also contains two clickable links that point to the same malicious page, an example of which is http://{BLOCKED}nthenet.net/1.html. Clicking the link leads to a series of redirections that ultimately land users on a FAKEAV-hosting site where TROJ_FAKEAV.FNZ may be downloaded.

In addition to the FAKEAV download, the binary on the landing page constantly changes, so users may also end up with TROJ_HILOTI.FNZ and ADWARE_ZANGO infections.

Upon further investigation, we discovered that the email is not the only malware vector the cybercriminals behind the attack are employing. They also leveraged compromised Blogspot pages to host the same spam. We believe that the cybercriminals are using Blogspot’s email feature. The secret email addresses set up by the blog owners may have somehow been harvested to send out spam, in effect auto-posting these in Blogspot pages. The followers of compromised Blogspot pages can thus be potentially infected, too, since the malicious spam is hosted on a known source.

Threats analyst Edgardo Diaz adds that one of the download binary connections leads to {BLOCKED}.{BLOCKED}.117.21, which has its own status page. Further analysis of the IP address and the compromised Blogspot pages revealed that some of the compromised pages' URLs point to domains hosted on the same IP address.

Users are advised to be wary of clicking any link, even one posted on a trusted source. Furthermore, using a strong password for one's Blogspot account, particularly one that is not reused on other sites, can help users stay protected from such an attack.

Trend Micro product users need not worry, however, as they are already protected from this attack via the Smart Protection Network™, which prevents the spammed messages from even reaching users' inboxes, blocks access to all malicious URLs, and detects all related malware.

Additional analysis and screenshots provided by threats analysts Patrick Estavillo and Edgardo Diaz.


08-24-2010 12:18

Fake Celebrity Deaths Used in Malicious Spam Run

TrendLabs received a recent spammed message that uses fake news about the death of Hollywood celebrities and famous athletes.

The spam came in two varieties: one has a .ZIP file attachment that contains the malicious file news.exe that is detected as TROJ_DLDER.AU. TROJ_DLDER.AU connects to a certain URL to, in turn, download TROJ_BREDOLAB.XY.

The other comes with an .HTML file attachment detected as JS_REDIR.BB. It leads to a couple of URL redirects which ultimately lead to the download of the malicious file HTML_REDIR.BA. HTML_REDIR.BA connects to another URL, possibly to download another malware, but the said URL is now inaccessible.

Curiously, the description of the incident that supposedly killed these celebrities is based on a real incident: the 1996 death of United States Commerce Secretary Ronald Brown. All the details cited in the emails were identical to the crash that killed Brown. Using the details of a real-life incident may have been an attempt to make the spam messages more convincing to readers.

Most people have a natural tendency to gravitate toward every bit of news and controversy surrounding celebrities, especially if the news has to do with their death. This has made celebrity deaths one of the most consistently used social engineering ploys for malware attacks. The attacks seen to use this kind of news range from spam with malware attachments to blackhat SEO attacks. Here are just some of the celebrities and popular figures that have been used for this social engineering tactic:

Heath Ledger

No sooner had the world learned of the untimely death of Heath Ledger than cybercriminals started using the late actor's name as a social engineering ploy. Within hours of the reports, malicious URLs turned up when users keyed in the search terms "heath" and "ledger."

Farrah Fawcett

Cybercriminals peppered the Internet with blackhat SEO links that were likely to attract users who were searching for news about the death of “Charlie’s Angels” star Farrah Fawcett, who at age 62, lost her battle with cancer.

Michael Jackson

As the King of Pop was one of the most popular music artists of all time, news of his last moments in the hospital prior to his death led to the proliferation of malicious links in the wild via the instant-messaging (IM) application MSN.

Eminem

Spammed messages recently went around claiming that rapper Eminem died in a car crash. The spam messages tried to trick users by claiming to come from legitimate news sources.

Other attacks seen in the past include those surrounding the deaths of Corey Haim, Brittany Murphy, and Philippine President Corazon Aquino.

Trend Micro™ Smart Protection Network™ protects users from these threats by blocking the spam messages and the malicious sites, as well as detecting the related malicious files.


08-14-2010 2:34

Spamhaus Listing Rightfully Lists Latvian Hoster

Sometimes failing to clean up your own backyard, and to respond to abuse requests, can be costly: an ISP can end up on the Spamhaus Block List (SBL), as one particular Latvian hoster, Microlines.LV, has recently discovered.

Chris Williams explains the situation today in The Register.

The Spamhaus SBL generally lists blocks of IP addresses which exhibit long-term instances of hosting malware, exploit kits, DDoS Command & Control servers, spam, etc., where the responsible ISP ignores and dismisses complaints about the abusive nature of the malicious content.

In essence, getting listed by Spamhaus can have a serious impact on any legitimate customers the targeted ISP may have, since Spamhaus block lists are used extensively by other organizations around the world to deny traffic to or from the listed IP addresses.
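The denial mechanism described above is a DNS-based blocklist (DNSBL) lookup: a mail server or firewall reverses the octets of a client IP address, appends the Spamhaus zone name, and queries DNS; an answer in the 127.0.0.0/8 range means "listed", while NXDOMAIN means "not listed". The following is an added example, not code from the original post or from Trend Micro or Spamhaus. It uses the publicly documented Spamhaus return codes (127.0.0.2 for the SBL, 127.0.0.3 for SBL CSS, and the XBL/PBL codes that the combined zen zone returns); the IP addresses, the `FAKE_ZONE_DATA` stand-in for DNS and the `fake_resolver` are constructed so the example runs offline. The `live_resolver` function shows how the same code would query real DNS.

```python
"""DNSBL lookup against the Spamhaus SBL, and the allow/deny decision built on it.

Added illustration; not the blog post's or Spamhaus's own code.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Publicly documented Spamhaus return codes. The sbl zone returns only the
# first two; zen.spamhaus.org combines SBL, XBL and PBL and can return any.
# Any answer inside 127.255.255.0/24 is an error indicator, not a listing.
RETURN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

# A resolver takes a DNS name and returns its A records ([] for NXDOMAIN).
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = "sbl.spamhaus.org") -> str:
    """Build the DNSBL query name: octets reversed, then the zone name."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolver(name: str) -> List[str]:
    """Real DNS lookup via the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, resolve: Resolver, zone: str = "sbl.spamhaus.org") -> dict:
    """Query one IP and translate the answer into the lists it appears on."""
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:
        # e.g. query sent through a public resolver or over the query limit
        raise RuntimeError(f"DNSBL error response for {name}: {errors}")
    lists = sorted({RETURN_CODES.get(a, f"unknown({a})") for a in answers})
    return {"ip": ip, "query": name, "listed": bool(lists), "lists": lists}


def filter_connections(ips: Iterable[str], resolve: Resolver,
                       zone: str = "sbl.spamhaus.org") -> Dict[str, str]:
    """Per-IP verdict, the way a listed netblock has its traffic refused."""
    return {ip: ("deny" if check_ip(ip, resolve, zone)["listed"] else "allow")
            for ip in ips}


# Constructed stand-in for the DNS zone so the example runs offline.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real listings.
FAKE_ZONE_DATA: Dict[str, List[str]] = {
    "1.2.0.192.sbl.spamhaus.org": ["127.0.0.2"],     # constructed SBL hit
    "5.100.51.198.sbl.spamhaus.org": ["127.0.0.3"],  # constructed CSS hit
}


def fake_resolver(name: str) -> List[str]:
    """Offline resolver: anything not in FAKE_ZONE_DATA is NXDOMAIN."""
    return FAKE_ZONE_DATA.get(name, [])


SAMPLE_IPS = ["192.0.2.1", "198.51.100.5", "203.0.113.9"]  # constructed

if __name__ == "__main__":
    for ip, verdict in filter_connections(SAMPLE_IPS, fake_resolver).items():
        print(f"{ip:>15}  {verdict}  {check_ip(ip, fake_resolver)['lists']}")
```

To run this against the real SBL, pass `live_resolver` instead of `fake_resolver`; note that Spamhaus answers the 127.255.255.x error codes rather than a listing when queries arrive through large public resolvers, which is why `check_ip` raises on them instead of silently treating the IP as clean.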

After reading about how this saga unfolded today, I decided to look a bit further into our own Domain Reputation Systems (DRS) to see if I could validate whether we had also identified malicious content associated with any IP addresses which were allocated to Microlines.LV.

What we have seen is a smaller, concentrated block of IP addresses within Microlines.LV's entire allocation that has exhibited long-term hosting of Rogue AV, various exploit kits, ZeuS and Gozi Trojans, and an array of other badness.

And not only that: it appears that the Bad Guys operating out of Eastern Europe are now also using portions of LATNET's (the upstream ISP of Microlines.LV) IP address space to host additional malware.

Our research confirms what Spamhaus has made public in its SBL listings: we have seen long-term, large-scale criminal activity associated with Microlines.LV, as well as a hodge-podge of hosts in LATNET itself.

Apparently cybercriminals in Eastern Europe are using other Eastern European ISPs and data centers to host their criminal enterprises. This is not a new phenomenon, as the same has been happening in various places around the world, including hosting providers in the U.S.A., the UK, the Netherlands, Germany, and elsewhere.

But sometimes the Bad Guys can't simply "blend into the noise" and hide in the shadow of another ISP; the light has to be shone brightly to expose the darkness.

Trend Micro's customers are protected from these threats by the Trend Micro™ Smart Protection Network™, since the network security and domain intelligence that we use in research goes directly toward protecting our customers.

