Security Response

Analysis by: Hiroshi Shinotsuka

Recent malware campaigns that used Tibet-related issues as bait have been well documented and it should come as no surprise that we have seen another Tibetan-themed attack using a malicious Word document. The emails involved in the attack are in English and were sent to a clothing company in the United States.

While they appear to come from Tibet-related organizations, the email headers revealed that they were sent from a mail server in Russia.

Recently, we discovered a file that differs to other malware in that it uses a well-known graphics card manufacturer’s legitimately signed program as an attack vector.

After opening the attached...

For anti-spam software, it is quite easy to prevent spam by using content-based filters. So spammers come up with different obfuscation techniques to bypass URL-based filters such as inserting “shy characters”, as we have discussed previously. Recently, spammers have been trying to cash-in on the smallest of gaps that they could find in conventional anti-spam technologies. Spammers are now attempting to obfuscate the URLs in spam messages, either by inserting white space characters of varying sizes or by replacing the conventional “.” (dot) character by “。” (An ideographic full-stop, mostly used in Asian languages)

How did they do it? Let’s take a look at both of these techniques.

Using different size white space characters is allowed in HTML. All languages use spaces to separate words. However, the size of the white space characters...

Today sees the highly-anticipated IPO (Initial Public Offering) of the social-networking site Facebook. The IPO is expected to be several times oversubscribed as the demand for shares greatly exceeds the number of shares being issued.

The high-profile nature of this IPO has not escaped the attention of the “419” or the “advance fee fraud” scammers. As a brief reminder, these scams typically promise vast sums of money in exchange for assistance. However, before said sums of money can be received, several increasingly-inventive up-front charges and fees must be paid. The fees keep coming and the promised money never materializes.

We recently spotted a 419 scam message offering a "FACEBOOK (IPO) SUBSCRIPTION PARTNERSHIP PROPOSAL". The use of an all uppercase heading is a common hallmark of such 419 scams.

The scam claims to be sent from a finance firm with offices in multiple locations around the world. The exact nature of the...

Pre-dating many of the mobile platforms it currently targets and outlasting several of the mobile platforms where it originated from, Android.Opfake has a tendency for survival on the mobile threat landscape not unlike roaches in the aftermath of a nuclear holocaust. Combing business savvy through a strong black market affiliate network and quick reaction time to adapt itself to thwart efforts by security vendors, Opfake has not only managed to stay in business for several  years, the Opfake family has come to define the evolution of mobile malware.

Like many traditional Trojan horses, on the surface Android.Opfake purports to be a legitimate application. In fact, we have observed several variants of the Trojan masquerading as various apps and content, including an installer for the Opera Web browser and a pornographic movie. Analysis of the code behind the malicious program,...