Threat Spotlight

For the week of 29 Sep 2011
Threat 1

Mac attack hides in malicious PDF

Threat Name:

OSX/Revir-B

Users at Risk:

Mac OS X users

Also Known As:

AVP Trojan-Dropper.OSX.Revir.a
McAfee OSX/Revir
Microsoft TrojanDropper:MacOS_X/Revir.A
Trend OSX_REVIR.A

Removal Instructions:

Please follow the instructions for removing Trojans

About:

OSX/Revir-B is a Trojan targeting Mac OS X that hides behind a malicious PDF disguise.

Unsuspecting users who download the Trojan see a Chinese PDF file about a dispute between the the Diaoyu or Senkaku Islands. The Trojan then drops a file as /tmp/host (also detected as OSX/Revir-B).

This file then downloads a backdoor Trojan from:

http:// tarmu . narod . ru/cdmax as /tmp/updtdata

The backdoor Trojan, which we detect as OSX/Imuler-A, allows the attacker to download and run additional malware from a remote server and delete files on the infected Mac machine.

Threat 2

HP Officejet spam links to Java malware

Threat Name:

Mal/JavaJar-A

Users at Risk:

Windows users

Also Known As:

AVP Exploit.Java.CVE-2010-00840.db
Microsoft Exploit.Java/CVE-2010-0840.EW

Removal Instructions:

Please follow the instructions for removing generically detected files

About:

Mal/JavaJarA is a Trojan for the Windows platform that exploits a Java vulnerability.

We've spotted this malware recently in spam messages claiming to be a scanned document from HP Officejet. Links in the messages lead to webpages containing a malicious javascript.

The spam messages in this campaign use random Officejet model numbers and device numbers. The Sent by name varies as well.

Subject:
Scan from a HP Officejet #568256

Content:
A document was scanned and sent to you using a Hewlett-Packard HP Officejet 63794A.
Sent by: CASSEY
Images : 9
Attachment Type: Image (.jpg) Download
Hewlett-Packard Officejet Location: machine location not set
Device: OFC588AA3BSX7587406

Subject:
Scan from a Hewlett-Packard Officejet 89624765

Content:
A document was scanned and sent to you using a Hewlett-Packard HP Officejet 71594A.
Sent by: GERTIE
Images : 9
Attachment Type: Image (.jpg) Download
Hewlett-Packard Officejet Location: machine location not set
Device: OFC520AA3BSX6848533

Subject:
Fwd: Scan from a HP Officejet #50358665

Content:
A document was scanned and sent to you using a Hewlett-Packard HP Officejet 9713A.
Sent by: Amare
Images : 9
Attachment Type: Image (.jpg) Download
Hewlett-Packard Officejet Location: machine location not set
Device: OFC651AA0BSX13242048

Two links in the message—one at the name of the purported sender, the other on the word Download—direct to a page main.php with names hp-fax-service[random digits].info. This page contains a malicious javascript that loads a .jar file to exploit Windows vulnerability CVE-2010-0840.

The php pages have the following text near the top:

<applet archive="main.php_files/worms.jar" code="support.ForMail.class"
width="1" height="1">

The code loads ForMail.class in the java archive file worms.jar. In addition, the page also contains a highly obfuscated javascript that exploits a privilege escalation vulnerability disclosed in CVE-2010-0840.

We detect the .jar file in this campaign as Mal/JavaJar-A. The malicious class files are detected as Mal/JavaMl-Gen and Exp/20100840-A.

Threat 3

Phony remittance sends you a fake antivirus

Threat Name:

Troj/Invo-H

Users at Risk:

Windows users

Also Known As:

AVP Trojan-Downloader.Win32.Injecter.grw
K7 Riskware ( 0015e4f01 )
Trend Micro TROJ_AGENT.LQK

Removal Instructions:

Please follow the instructions for removing Trojans

About:

Troj/Invo-H is a Trojan for the Windows platform.

Lately we've caught Troj/Invo-H in a spam campaign that tricks users into believing they have received a money transfer from Western Union or DHL. In reality, the attachment is a fake antivirus malware attack.

Some sample subject lines from this spam include:

DHL Attention (random number)
Western Union: Transfer of Money
Western Union: You have Money Transfer

The messages inform recipients that they should download the malicious attachment to receive their money transfer:

ATTENTION!

Dear Consumer,
You have receive a remittance, more information about the money transfer is in the attached file.
Money Order can be cashed at any branch or bank in Your city We are looking forward to Your early reply,
WU

The attachments have names such names as:

dhl-invoice-[random number].zip
WESTERNUNION_invoice-[random number].zip

Troj/Invo-H includes functionality to access the Internet and communicate via HTTP with the following remote servers:

66.228.60.196
96.126.105.21

When run, Troj/Invo-H downloads a fake antivirus Trojan, which we detect as Troj/FakeAV-EPC, into the following location:

<User>\Application Data\bemizti.exe
© 1997 - 2013 Sophos Ltd. All rights reserved. Legal Privacy Cookie Information