Computer News & Safety – Harry Waldron Rotating Header Image

December 10th, 2012:

Christmas 2012 – Malicious Word document circulated in targeted email

Trend Labs warns of a malicious Word document circulating in targeted attacks

QUOTE: Once again cybercriminals take advantage of the Holidays in what seem like a targeted attack against businesses and government organizations. We spotted samples that bore the filename, PROPOSED CHRISTMAS PARTY 2012.doc. Trend Micro detects this as TROJ_ARTIEF.RTN. When executed, this malware drops a file (temp.doc) that acts as decoy to trick recipients into thinking this is a legitimate document. In the document file we spotted, it looks like a supposedly invitation to a certain government office’s upcoming Christmas party.   Moreover, TROJ_ARTIEF.RTN takes advantage of (MS12-027) Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258) to drop a backdoor which we detect as BKDR_GAMFRIC.A.  This backdoor also checks what web browser is used, and creates a hidden process in order to inject its malicious codes. We speculate that this attack uses email message as delivery mechanism in order to penetrate the network of the targeted entity.

Fake Google Chrome update circulating

Barracuda Networks warns of exploit kits planted on malicious websites, which are disguised as a Fake Google Chrome browser update.

QUOTE: Exploit kits are pre-packaged sets of malicious code that scammers install on websites.  The scammers try to steer visitors to the URL of the exploit kit so that their code can attack your web browser and ultimately install malware on your computer. Exploit kit URLs are often distributed via spammed messages with enticing HTML links in them.

The most frightening thing about these kits is that a click on one of these links can cause malware to be downloaded and run without any indication that anything is happening. But sometimes the target computer isn’t easy to attack, and the scammers have to fall back on their social engineering skills to get what they want. We recently saw this at Barracuda Labs when we followed a spam link to an exploit kit that behaved quite differently than usual when it detected the Google Chrome browser.

These are a favorite of spammers and should always be considered suspicious. In this case all of the links point to a hacked website hosting a Blackhole exploit kit. Following the link with Internet Explorer gave us a typical chain of events – malicious javascript set up a PDF exploit resulting in a Zeus download.  But when we followed the same link with the Google Chrome browser, the kit shifted gears. Since Chrome uses it’s own internal PDF engine that is not as vulnerable, a different attack was presented in the form of a fake Chrome update page.