Malware authors are using the brand of the Brazilian telecom carrier TIM in their latest scam to deliver malware. Trend Micro researchers have come across the following sites, which purport to belong to the telecom company:
- http://{BLOCKED}rfilho.sites.uol.com.br/___
- http://www.{BLOCKED}m.com.br/downloads/MMS/VideoMensagens/VideoMensagem.html
Further analysis showed that the malware connects to an FTP server and downloads files with a .MOD extension. The downloaded files are then modified and installed on the infected system.
What is even more surprising is that an HTML file included in the download contains an iFrame pointing to http://{BLOCKED}rrychristmasdude.com/ind.php, one of the URLs previously associated with the infamous Storm botnet. Surprise, surprise!
It cannot be ruled out that the Storm botnet has been rented out to a Brazilian Trojan Bancos group, as one might argue. Christmas-themed URLs may be well out of season, but their spirit lives on, especially for malware creators, in any part of the world and at any time of the year, ready to serve and deliver malicious content. The guise of an innocent-looking, legitimate telecom site may simply be a way to reach more unsuspecting victims.
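Checking a downloaded HTML file for an embedded iFrame of this kind is a simple triage step. The following is an added example, not code from the original post or from Trend Micro: it parses a page, pulls out every iFrame, and flags those whose host is on a blocklist or that are sized or styled to be invisible. The sample page and the blocklist entry `storm-c2.example` are constructed placeholders, since the real Storm-associated domain is redacted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page, modelled on a "video message" lure carrying a hidden
# iFrame. The second iFrame's host is a placeholder, not the real domain.
SAMPLE_HTML = """
<html><body>
<h1>VideoMensagem</h1>
<iframe src="http://video.example.com.br/player.html" width="640" height="480"></iframe>
<iframe src="http://storm-c2.example/ind.php" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>
"""

# Constructed blocklist; in practice this would be fed from threat intel.
BLOCKLIST = {"storm-c2.example"}


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs arrives as [(name, value), ...] with lower-cased names
            self.iframes.append(dict(attrs))


def extract_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def _dimension(attrs, name):
    """Return an integer pixel size for width/height, or None if not numeric."""
    raw = (attrs.get(name) or "").strip().lower()
    if raw.endswith("px"):
        raw = raw[:-2]
    try:
        return int(raw)
    except ValueError:
        return None


def is_hidden(attrs):
    """True if the frame is styled invisible or collapsed to (almost) nothing."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width, height = _dimension(attrs, "width"), _dimension(attrs, "height")
    return (width is not None and width <= 1) or (height is not None and height <= 1)


def find_suspicious_iframes(html, blocklist=BLOCKLIST):
    """Return a finding per iFrame that is blocklisted, hidden, or both."""
    findings = []
    for attrs in extract_iframes(html):
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if host in blocklist:
            reasons.append("blocklisted host")
        if is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

The hidden-frame heuristic is deliberately independent of the blocklist: a zero-by-zero or `display:none` iFrame is worth a look even when its host is not yet known to be bad, which is exactly the situation before a URL has been tied to a botnet.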
Roderick Ordoñez