Another swine flu-related spam run was recently reported, this time targeting Japanese users. Aside from using the swine flu as its social engineering lure, which has already been used in earlier spam runs, this spam run also uses a technique where the sender of the message appears to use the .yahoo.co.jp domain. This serves not only as a means to evade spam filters, but also to further convince users that the message is legitimate, so that they open an attached malicious file.
Spammed messages with the subject Warning of Swine Flu, claiming to be from the National Institute of Infectious Diseases, encourage users to open an attached .ZIP file to “learn” more about the pandemic (detection available as TROJ_PIDIEF.UA and TROJ_PIDIEF.TY). Our engineers have verified that TROJ_PIDIEF.TY drops and executes BKDR_KUPS.G.
The real National Institute of Infectious Diseases issued a warning of the fake spam messages on their website to alert users who may get the deceiving message.
Here is a translation of the text contained in the spam message:
________________________________________________
From: National Institute of Infectious Diseases address@yahoo.co.jp
Subject: Warning of Swine Flu!
Attached file name: Information on the swine flu
Everyone,
The swine flu has been spreading. Infection cases in UK were reported, following the cases in Mexico, US, Canada and Spain. Although the measures against the flu have been conducted globally, possible infection cases are reported from many countries. One such report has been heard from Korea on 28th. The infection has likewise been ongoing for weeks in Mexico. Some experts say that there is a possibility that the flu has already arrived in Japan. We should protect ourselves by learning more on the swine flu.
National Institute of Infectious Diseases
________________________________________________________________________________________
Koobface Tries CAPTCHA Breaking
Early this week, we’ve encountered a new Koobface spam campaign which involved links that eventually led users to this Youtube copycat web page.
The scheme uses the old Flash Player trick (see Figure 1), where the user is told that they need to download the latest version of Adobe Flash Player to view a certain video. In this case, the Flash Player in the page is an actual Flash .SWF file, which redirects users to a file named setup.exe, detected by Trend Micro as TROJ_KOOBFACE.DU through the Smart Protection Network.
A short while after setup.exe is run, Koobface fetches a picture file from a remote server, which is actually a CAPTCHA image. The user is then presented with the Windows prompt shown in Figure 2.
The panic-inducing screen displays the time left before the system shuts down, as shown in Figure 3, while the image (blurred) in the middle is the downloaded CAPTCHA image. The prompt is essentially telling the user that the system will shut down in 2 minutes and 29 seconds unless they enter the CAPTCHA correctly!
After the user correctly solves the CAPTCHA, Koobface promptly reports the solved CAPTCHA code to a remote server. This Koobface strategy creates a low-cost, distributed CAPTCHA-breaking service. This time, though, instead of using cheap labor, Koobface is using the infected users themselves to break CAPTCHAs.
_____________________________________________________________________________________
After spam runs related to UPS, FedEx, and Western Union, another form of invoice spam strikes again!
We caught a new invoice spam that is purportedly from WorldPay, a division of the Royal Bank of Scotland that specializes in handling secure online payments from all over the world.
The spammed email message informs users that their transaction with Amazon Inc. has been successfully processed by WorldPay.
The said email contains a .ZIP file, which holds a malicious file named WorldPay_NR9712.exe. This file is detected by Trend Micro as TSPY_ZBOT.BEO through the Smart Protection Network.
TSPY_ZBOT.BEO downloads a configuration file from a remote site. This file contains a list of bank-related Web sites, which the spyware monitors for in the Internet browser address bar.
The URLs listed in the downloaded configuration file may change at any time. As of this writing, the file contains links to the legitimate sites of Bank of America.
When a user accesses any of the listed URLs, the spyware logs keystrokes to capture data entered in login boxes, including sensitive banking information such as user names and passwords. The gathered information is saved in a file, which is then sent to a remote site through an HTTP POST.
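Both spam runs on this page share a shape a mail gateway can check for: a From header whose display name claims an organisation while the address sits at a freemail domain (the .yahoo.co.jp sender of the swine flu mail), and a .ZIP attachment that carries an executable (the swine flu "information" file, and WorldPay_NR9712.exe in the WorldPay run). The following is an added example and not code from Trend Micro or from this blog; it builds a constructed sample message in the shape of the swine flu mail and scores it with those two heuristics. The freemail domain list, the organisation keywords and the executable extension list are assumptions chosen for illustration, not values taken from any product.

```python
"""Heuristic scoring of mail that matches the lure pattern described above (added example)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: illustrative list of freemail domains an official sender would not use.
FREEMAIL_DOMAINS = {"yahoo.co.jp", "yahoo.com", "gmail.com", "hotmail.com"}
# Assumption: display-name fragments suggesting an institution or payment service.
ORG_KEYWORDS = ("institute", "bank", "worldpay", "ups", "fedex", "western union", "amazon")
# Assumption: extensions treated as directly executable when found inside an archive.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".lnk")


def build_sample_message(display_name, address, zip_member):
    """Construct a test message (constructed data, not a real capture) with a
    ZIP attachment holding one member named `zip_member`."""
    msg = EmailMessage()
    msg["From"] = f"{display_name} <{address}>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Warning of Swine Flu!"
    msg.set_content("Everyone, the swine flu has been spreading. See the attached file.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A fake "MZ" header stub so the member looks like a PE file; not a real binary.
        zf.writestr(zip_member, b"MZ" + b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Information on the swine flu.zip")
    return msg.as_bytes()


def executables_in_zip(data):
    """Return member names with an executable extension, or [] if not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def score_message(raw):
    """Return a list of human-readable reasons the message looks like this lure.
    An empty list means neither heuristic fired."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Heuristic 1: organisation-style display name on a freemail sender address.
    if domain in FREEMAIL_DOMAINS and any(k in name.lower() for k in ORG_KEYWORDS):
        reasons.append(f"display name '{name}' claims an organisation but sender domain is {domain}")
    # Heuristic 2: ZIP attachment that contains an executable.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            execs = executables_in_zip(part.get_payload(decode=True))
            if execs:
                reasons.append(f"ZIP attachment '{fname}' contains executable(s): {', '.join(execs)}")
    return reasons


if __name__ == "__main__":
    lure = build_sample_message("National Institute of Infectious Diseases",
                                "address@yahoo.co.jp", "Information on the swine flu.exe")
    for reason in score_message(lure):
        print("FLAG:", reason)
```

Both checks are deliberately cheap and content-based, so they work before any signature for the dropped file exists; the same ZIP check would have flagged the WorldPay_NR9712.exe attachment, while the display-name check alone would not, since that run did not rely on a freemail sender.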
Here are previous reports of invoice spam:
- UPS Spam: Trojan Courier of Choice
- Bogus FedEx Notifications: New Malware Courier of Choice
- Invoice Spam Shifts to Western Union
- Certificated Invoices – Exploiting LNK extension
- iTunes Invoices and Valentine’s Ads Conceal Pharma Spam
Read more: "TrendLabs | Malware Blog - by Trend Micro" - http://blog.trendmicro.com/#ixzz0EYzZUQDH&A