Japanese Earthquake Disaster Scams Exploit at Record Pace

It is astounding how far malware attackers will go to to victimize people by taking advantage of the misfortune of others.

Today, Noriyaki Hayashi reports from Trend Micro's blog that they've discovered a phishing site that poses as a donation site to help the victims of the recent Japanese earthquake. The site http://www.japan{BLOCKED}.com was found to be hosted within the U.S. and was still active as of the time of this writing.

Phishing site posing as donation site

Site shown after clicking 'join now'
Additionally, the same authors of this site abused the blog function to insert advertisement-look-alike posts, presumably to increase the search engine rankings.

Abused blog function on phishing site
Attacks  like this aren't uncommon. (Think back to Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and the Haiti earthquake in 2010.)

Norman Ingal -- threat response engineer at Trend Micro -- also reported on March 11 that immediately after the news broke of the 8.9 Richter scale magnitude earthquake and subsequent tsunami in Japan, several websites popped up with keywords relating to the quake.

One of the sites with the keyword 'most recent earthquake in Japan' led to FAKEAV variants that were identified by Trend Micro as MalFakeAV-25 and later identified as TrojFakeAV.PB.

These blackhat SEO attacks that lead to rogue antivirus downloads continue to be very common.

Many new domains are being created and parked with keywords similar to earthquake and tsunami in Japan. Key words such as help, earthquake, japan, tsunami, relief, disaster, fund, and donations were used.

Perhaps the message here is to be careful when searching for media content by using known trusted media sites.

Facebook pages are being utilized as well.  One claims to contain video footage and lure the visitors to a site called hxxp://www.{BLOCKED}u.fr/view.php?vid=Le-plus-gros-Tsunami-du-Japon-depuis-20-an.

The facebook page is titled  “Japanese Tsunami RAW Tidal Wave Footage!" and a script auto-directs  visitors  to a fake video page where the video is actually a hyperlinked image. Users that click on this get led to a page asking for their cell phone number.

The script also implements a 'Like' and posts a link to the user's wall. Trend Micro Antivirus Software detects this script as HTML_FBJACK.A.

Spammed email messages are being exploited as well. They ask for personal information first with promises of instructions on how to send your donations once the user responds.

Readers should use long-established avenues such as the Red Cross (http://www.redcross.com) and Medical Teams International (http://medicalteams.org) if you wish to donate.

Symantec's Samir Patel (with thanks to Dylan Morss, Christopher Mendes, and Sujay Kulkarn) in a Symantec piece on Japan relief scams says over 50 new domain names have been registered that use the keywords 'Japan tsunami' or 'Japan earthquake'.

These sites are either parked, for sale, or linked to other earthquake websites.

Some example sites include:

  • 3-11-2011-[removed].com
  • 3-11[removed].com
  • earthquake-[removed].com
  • earthquaketsunami[removed].com
  • earthquakerelief[removed].com

Symantec has observed a a 419-type message that capitalizes on the disaster. It is a fake "next of kin" story that purports to settle millions of dollars owing to an earthquake and tsunami victim:

Japan scam message

Attachments and .zip files can be embedded in such emails so beware if the source is unknown.

Activities such as these underscore the importance of keeping antivirus software updated along with a healthy dose of caution when browsing the Internet.


Antivirus Software: What's Real? What's Fake?

One of the growing concerns for many security and antivirus professionals is the dramatic growth of fake antivirus software.

The idea behind fake A/V software is to trick unsuspecting consumers into downloading and installing their fake software in an effort to get trojans, viruses, spyware, and other malware installed onto PCs in the process.

There's nothing real about the fake software, except the threat it poses.

The process works like this:

  1. Trick consumer with a real looking, real sounding ad on an (often unsuspecting) legitimate website
  2. Get consumer to install the phony (but very real looking) antivirus application
  3. Stuff any number of trojans, keyloggers, spyware, and other evil applications into the fake antivirus program
  4. Use the newly infected computer to do their bidding, including (among other things):
    1. identity theft
    2. credit card fraud
    3. bank theft
    4. infecting other computers
    5. spamming

Solution to the Fake Antivirus Software Problem

Word is filtering out today about a way to tell fake antivirus software from legitimate ones.

A new site from security and SSL vendor Comodo of a project they're backing called, "Common Computing Security Standards Forum," aims to help consumers figure out what's real and what's not.

In their list of all known legitimate antivirus software vendors, they hope to help put an end to the dummy antivirus programs out there and to help consumers stay clear of the crap.

In addition to thanking them for their efforts, here is a complete list of current antivirus vendors known to Comodo to be the real deal:

Legitimate Antivirus Software Vendors
  • AhnLab
  • Aladdin
  • Antiy
  • Authentium
  • AVG Technologies
  • Avira GmBH
  • BitDefender (BitDefender Antivirus & Internet Security)
  • BullGuard
  • CA Inc (CA Anti-Virus)
  • Checkpoint
  • Cisco
  • ClamAV
  • Comodo
  • CSIS Security Group
  • Drive Sentry
  • Dr.Web
  • Emsi software
  • ESET
  • F-Secure
  • Fortinet
  • Frisk Software
  • G Data Software
  • GFI/Sunbelt Software (VIPRE Antivirus & Internet Security)
  • Ikarus Software
  • Intego
  • iolo
  • IObit.com
  • Kaspersky Lab (Kaspersky Anti-Virus & Internet Security)
  • Kingsoft
  • Malwarebytes
  • McAfee McAfee VirusScan Plus & Internet Security)
  • Norman
  • Panda (Panda Antivirus Pro & Internet Security)
  • PC Tools
  • Prevx
  • Rising
  • Sophos
  • SuperAntispyware
  • Symantec (Norton AntiVirus & Internet Security)
  • Trend Micro (Trend Micro AntiVirus & Internet Security)

  • You'll note, every one of the programs (reviews linked above) are included in our antivirus reviews since day one of our site are included on the list.

    If you know of other legitimate A/V software not on the list, please contact us so that we can share your insight with the folks at Comodo.


    Sunbelt Software Joins Fight Against Malware

    We came across some great news today on darkREADING.com: Sunbelt Software, makers of VIPRE, our top-rated best antivirus program for 2012, is joining Trend Micro and others in contributing data to StopBadware.org. 

    StopBadware, which has its home at Harvard University's Berkman Center for Internet & Society, is described in the article on darkREADING's efforts to fight malware as a,

    "collaborative initiative to combat viruses, spyware, and other bad software...."

    The process StopBadware uses is perhaps the largest of its kind. The idea behind it is simple:

    "...[collect] the URLs of these badware websites, whether malicious or compromised, from its data partners.

    "It uses the information to support and encourage site owners and web hosting companies in cleaning up and protecting their sites.

    "The initiative also conducts analysis of infection trends, offers independent reviews of its partners' findings, and operates a community website, BadwareBusters.org, that provides help to people who have been victims-or wish to avoid becoming victims-of badware."

    Obviously, we're happy to see any collaborative effort to thwart and stop any viruses or other malware, but this one garners special attention for several reasons, including who's involved:

  • Trend Micro (maker's of Trend Micro AntiVirus)
  • GFI/Sunbelt Software (makers's of VIPRE antivirus)
  • Harvard's Berkman Center
  • Paypal
  • Mozilla (maker's of Firefox and Thunderbird)
  • AOL
  • ...and last and not least:
  • Google

  • As for Sunbelt's role in the project, they will be contributing,

    "...research data via ThreatTrackT, a comprehensive array of malicious url and malware data feeds.

    "The data in these feeds is derived from multiple sources including: research from Sunbelt Labs; ThreatNetT, Sunbelt's VIPRE user community that anonymously sends information on potential threats to Sunbelt Labs"

    What this means to users like you and me is that by sending malware and viruses that your Trend Micro AntiVirus and Sunbelt VIPRE catch to the respective companies, you're helping the project to ensure someone else doesn't get nailed with that same--or a similar--virus.

    In turn this means that when many people across the globe are sending in their samples to the project, too, they're helping you.


    Conficker / Downandup Active? Or...

    Most everyone in Windows security is watching Conficker, not the least of which is Trend Micro, whose antivirus product we cover in our Trend Micro Antivirus Review.

    Let's start with a look at what Trend says:

    "Some interesting things (well at least in our perspective) found are:
    1. (Un)Trigger Date – May 3, 2009, it will stop running
    2. Runs in random file name and random service name
    3. Deletes this dropped component afterwards
    4. Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
    5. Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request
    6. Connects to the following sites:
      • Myspace.com
      • msn.com
      • ebay.com
      • cnn.com
      • aol.com
    It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc."

    The question we (and everyone watching Conficker) has had is: why?

    What plans do its creators have in store?

    Well, it may be a ruse or just part of the picture, of course, but as we guessed earlier in covering Conficker, it looks like it might be for spamming. Here's what Paul Ferguson of Trend says,

    "In the latest activity, we see infected Downad.KK/Conficker.C nodes pulling down new Waledac binaries (perhaps for spamming, as Waledac has been known to do)from a fast-flux domain infrastructure, but also now it is also installing Fake/Rogue AntiVirus (AV) malware, too."

    Now there's a connection to Waledac? If true, it would sure lead us to believe Conficker might be a spam network. Imagine a network of say 10 million computers. Each of which would send just four or five spams a day. Now you're talking about 120,000,000 spams a month. 

    That's an impressive number, and easy to do if they were all coming from one spamhaus (i.e. a known spammer or network friendly to spammers) but try blocking just four or five emails from 10 million different computers all in different parts of the world.

    Good luck.

    The Conficker story is just getting started to be sure, but for now at least we feel like we're beginning to understand it.

    For instance, at the The IT Security Networks Blog (TITSSN for short), in their latest Conficker coverage they make mention that,

    "..researchers are analyzing the code of the software that is being dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal data from the machine."

    Interesting. By the way, as for detecting the latest variants of Conficker, Trend Micro's Antivirus + AntiSpyware detects it as, WORM_DOWNAD_E.


    Worms in Samsung Digital Picture Frames??

    Contrary to some reports that some Samsung 8-inch digital photo frames had worms, the frames themselves don't have worms but the installer discs do. (How's that for an unwanted Christmas present?)

    As far as consumers are concerned, there's no difference.

    A virus is a virus, and this is an unfortunate black eye for Samsung with their vast electronics / computer empire.

    Trend Micro discusses this digital picture frame virus at their blog, and what we've learned now is that the Samsung's SPF-85H 8-Inch digital photo frame disc was infected with the W32.Sality.AE / Sality worm straight from the factory.

    The bad news isn't that it's just infected with the worm, but that it's infected with a particularly nasty variant that includes a keylogger according to the folks at Sophos antivirus.

    From what we've learned so far, this looks like, while definitely a nasty virus, it's one that all the best antivirus software already detects, so just make sure your definitions are up-to-date and that your software is running, and that should keep your computer safe.

    Samsung has posted a clean version here: Samsung SPF-85H drivers.

    If you purchased this frame (or got it as a gift), you can find more details here: Amazon Samsung picture frame advisory.


    Free Antivirus Software Security Problems

    ComputerWorld.com brings notice today of problems with Trend Micro's free online antivirus scanner. Turns out there's a nasty little bug in the service that crackers can use to take over Microsoft Windows PCs via Internet Explorer.

    The service, called HouseCall, is made available via ActiveX and exploits a particular vulnerability in the ActiveX control HouseCall uses.

    '"The vulnerability is caused due to a use-after-free error in the HouseCall ActiveX control (Housecall_ActiveX.dll)," said Secunia's warning.

    "This can be exploited to dereference previously freed memory by tricking the user into opening a Web page containing a specially crafted 'notifyOnLoadNative()' callback function."'

    Trend Micro, in typically speedy fashion, has fixed the flaw, but we were very disappointed to read this in Trend Micro HouseCall ActiveX Control advisory,

    '"This hot fix was developed as a workaround or solution to a customer-reported problem. As such, this hot fix has received limited testing and has not been certified as an official product update," Trend Micro said in its own advisory, published last Thursday.

    "Consequently, this hot fix is provided 'as is'. Trend Micro makes no warranty or promise about the operation or performance of this hot fix nor does it warrant that this hot fix is error free."'

    For a company like Trend Micro, who makes Trend Micro AntiVirus, who knows full well the issues with computer security, we were disappointed in them. They can do better.

    We know they can. They know they can.