Anti-virus company Trend Micro: Our website has been hacked, risk of Trojan horse infection

Filed Under: Malware, SophosLabs

If you have visited the website of anti-virus company Trend Micro this week there is a chance that your computer has been exposed to malware.

According to reports in the Japanese media, a number of webpages on the firm's Japanese and English-language website were altered by hackers on Sunday 9 March, who used a malicious iFrame exploit to deliver a Trojan horse onto surfers' computers. Trend Micro is believed to have uncovered the problem on Wednesday 12 March and replaced affected pages with a message saying "This page is temporarily shut down for emergency maintenance", as the following image from the www.trendmicro.co.jp website shows:

[Image: trend-hack.jpg, screenshot of the "emergency maintenance" message on www.trendmicro.co.jp]

It has not yet been revealed how the webpages on the security website were altered by the hackers, although it is likely a software vulnerability on the site was exploited.

According to information posted on Trend Micro's website, the following analysis pages were compromised in Trend's Virus Info section: ADW_BRUNME.A, ADW_ZANGO.A, ADWARE_ADBLASTER, ADWARE_EXACTADVERTISING, ADWARE_EZULA.ILOOKUP, TSPY_AGENT.HS, TSPY_ANICMOO, TSPY_GOLDUN.GEN, TSPY_HUPIGON.ZY, TSPY_Lmir, TSPY_Tiny, ADWARE_BHO_WEBDIR, ADWARE_BHO_WSTART, HKTL_MDBEXP.A, POSSIBLE_OTORUN3, SPYWARE_TRAK_RADMIN, TROJ_ARTIEF-1, TROJ_CLAGGER.D, TSPY_BANKER-2.002, TSPY_BANKRYPT.N, TSPY_GAMANIA.CI, TSPY_GOLDUN.GEN, TSPY_LINEAGE, TSPY_ONLINEG.DAU, TSPY_ONLINEG.OAX, TSPY_QQPASS, TSPY_SDBOT.BTI, W97M_DLOADER.BKV, WORM_IRCBOT.JK, WORM_NYXEM.E and WORM_SOBER.AG.

Trend Micro reported on its website that web surfers could be infected by the malware, which Trend Micro has named JS_DLOADER.TZE, either by accessing one of the infected webpages or by clicking a URL link embedded in the malware's name. They have recommended that visitors to their site check that their computers are not infected. (Please note: at the time of writing we have only found a warning for customers on the Japanese-language version of Trend Micro's website, although we have confirmed that the English-language version was also infected.) The injected JavaScript attempted to install further malicious code from the web onto visiting Windows computers.

Sophos detects the malicious software associated with the attack as Mal/Iframe-F, Troj/Drop-I, and the Troj/Portles-E backdoor Trojan horse. Analysts have discovered thousands of other webpages (detected as Troj/Badsrc-A) on other websites that have been infected in the same way.

In a nutshell - what has happened here is a criminal act, and our friends at Trend Micro (and people visiting the hacked pages) are victims of the crime. Sadly it's not an uncommon crime these days - and all kinds of businesses have suffered.

This isn't the time or place to make cheap shots against a competitor. The good news is that Trend Micro took the affected webpages down as soon as they discovered there was a problem, and the problem no longer appears to exist. 

All other companies with a web presence should take this unfortunate incident as an opportunity to check that their own websites are properly secured (see our recently published technical paper on the subject), and ensure that they have web-filtering solutions - like the WS1000 Web Appliance - in place.
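The attack above worked by appending an iframe to otherwise legitimate pages, and the advice is to check your own site. As an added example (not code from Sophos or Trend Micro), the following Python audit flags iframes that are off-site, zero-sized or hidden by style, which are the usual marks of an injected drive-by frame; the sample page, its "attacker.invalid" domain and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True for width/height attributes of 0 or 1 pixel (e.g. "0", "1px")."""
    try:
        return value is not None and int(value.strip("px")) <= 1
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    """Collects every <iframe> and records why it looks injected, if it does."""

    def __init__(self, site_domain):
        super().__init__()
        self.site_domain = site_domain.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src has no hostname, so it counts as the site's own.
        host = (urlparse(src).hostname or self.site_domain).lower()
        reasons = []
        if host != self.site_domain and not host.endswith("." + self.site_domain):
            reasons.append("off-site src %s" % host)
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero/near-zero size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via style")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, site_domain):
    """Return [(src, reasons)] for every suspicious iframe in the page."""
    parser = IframeAuditor(site_domain)
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate in-site frame and one injected frame.
SAMPLE = """<html><body><h1>Virus Info</h1>
<iframe src="/vinfo/related.html" width="400" height="300"></iframe>
<iframe src="http://attacker.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_html(SAMPLE, "www.trendmicro.co.jp"):
        print("SUSPICIOUS iframe:", src, "->", ", ".join(why))
```

Run it over a crawl of your own pages (or a diff against a known-good copy) rather than the constructed sample; an unexpected hit is the point at which to pull the page and investigate how it was modified.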

Sophos discovers a new infected webpage every 14 seconds. In the past we've found websites as varied as Wedding Photographers, Antiques firms, Pilates Classes, Ice Cream Manufacturers and even the US Consulate General in St Petersburg who have been the unfortunate victims of a malicious web attack. It seems we now have to add anti-virus companies to that list.

PS. Trend Micro aren't the first example of a security company's website being hacked. For instance, in 1999 hackers changed the home page of Symantec, although in that instance the motivation was apparently to cause mischief rather than to spread malware.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.