    Throughout 2011, I am sure you heard of the compromise of RSA, in which the stolen data regarding RSA’s SecurID appears to have been used in subsequent attacks, and that there were many more victims than RSA alone. You’ve probably also heard of ShadyRAT, which demonstrated the longevity of command-and-control infrastructure, as well as Nitro and Night Dragon, which showed that some attackers focus on specific industries.

    You’ve probably also heard of Trend Micro’s research on the Lurid attacks, which showed that the attackers are interested in non-US targets but, more importantly, that such attacks should be seen as “campaigns” and not as isolated attacks.

    But what about all the great APT related research that you probably haven’t heard about?

    Here is my personal Top 10 (well, 11):

    1. The “Contagio Dump” and “Targeted Email Attacks” Blogs – Mila Parkour and Lotta Danielsson-Murphy have been posting information that fuels much of the research in this area. While malicious binaries are often available for analysis, the content of the socially engineered email is often elusive. These blogs have been providing a unique insight into the realm of targeted attacks.
    2. The CyberESI Blog – The team at CyberESI has been posting detailed analysis (and I mean detailed) of some of the most prolific malware families. In my view, their analysis has set the bar for reverse engineering in this area.
    3. Htran – Joe Stewart’s research on Htran was overshadowed by the ShadyRAT report, but I think it was the most innovative research paper this year because it tackled the attribution problem by looking behind the source IPs of attacks to reveal the actual location of the attackers.
    4. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains – Hutchins, Cloppert, and Amin explain how to track the phases of an attack and group multiple incidents into a “campaign”. This is a must-read for anyone tracking APT.
    5. “1.php” – This report by Zscaler on a particular campaign thoroughly maps out and analyzes the command-and-control (C&C) infrastructure and presents the results in a way that is actionable for defenders. Moreover, it contains insightful commentary on information disclosure in this area.
    6. APT Secrets in Asia – Xecure’s presentation at this year’s BlackHat demonstrated their research in clustering malware into groups based on common attributes. I really like the clustering technology they are working on, as well as the term they introduced, “NAPT” (Non-Advanced Persistent Threat).
    7. M-Trends – This report by Mandiant is an excellent overview of the attackers’ methodology as well as remediation strategies. In addition, it contains Mandiant’s work on investigating persistence mechanisms, particularly “DLL search order hijacking.”
    8. Sykipot – AlienLabs documented the targeting trends (UCAVs) surrounding the Sykipot campaign, as well as the exploits, malware, and command-and-control infrastructure used by the attackers.
    9. “What is an APT without a sensationalist name?” – Seth Hardy’s presentation at SecTor provided a much-needed critical look at the hype surrounding APT, along with a detailed technical analysis of a particular malware, “SharkyRAT”.
    10. “Moli Hua” – Greg Walton documented an attack on journalists that leveraged Facebook and an MHTML exploit for Gmail that allowed attackers to add their own email addresses as “delegated accounts”.
    11. “My Lovely Wood” – This paper by Frankie Li provides a detailed technical analysis of malware used in a targeted attack.

    Earlier today, we encountered a malware sample that exploits a recently (and publicly) disclosed vulnerability, the MIDI Remote Code Execution Vulnerability (CVE-2012-0003). (Ed. Note: addressed in MS12-004)

    The vulnerability is triggered when the Windows Multimedia Library used by Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code.

    In the attack we found, the infection vector is a malicious HTML page that we found hosted on the domain hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability using two components that are also hosted on the same domain: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript file detected as JS_EXPLT.QYUA.

    HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body. Below is a screenshot of HTML_EXPLT.QYUA’s code; the highlighted parts are where it calls the MIDI and JavaScript components:

    Upon successfully exploiting the vulnerability, the page decodes and executes the embedded shellcode. This shellcode then connects to a site to download an encrypted binary:
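The three-part layout described above (an HTML page that references a MIDI file, pulls in a separate script, and carries an encoded shellcode blob) is something a defender can triage for without any knowledge of the specific sample. The following Python script is an added example, not code from the post or from Trend Micro: it flags an HTML page only when a `.mid`/`.midi` reference and a shellcode-like encoded blob (a long run of `%uXXXX` escapes or a long bare hex string) appear together. The regular expressions and the sample HTML are constructed for this example; the sample is not the HTML_EXPLT.QYUA page.

```python
"""Heuristic triage for HTML pages shaped like the one described in the post:
a MIDI reference plus an encoded, shellcode-like blob decoded by script.
Added example; regexes and sample HTML are constructed assumptions."""
import re

# Filenames ending in .mid/.midi that appear as an attribute value or URL.
MIDI_REF = re.compile(r"""["'=]\s*([^"'\s>]+\.midi?)(?=["'\s>])""", re.IGNORECASE)
# External scripts the page pulls in (the decoder component, in the post's case).
SCRIPT_SRC = re.compile(r"""<script[^>]+src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Runs of %uXXXX escapes, the usual way shellcode is staged for unescape().
UNICODE_ESCAPES = re.compile(r"(?:%u[0-9a-fA-F]{4}){8,}")
# Long bare hex strings, another common encoding for a staged payload.
HEX_BLOB = re.compile(r"[0-9a-fA-F]{200,}")


def triage_html(html, min_escapes=16):
    """Return a verdict dict. 'suspicious' is True only when a MIDI reference and
    an encoded blob occur together, which is the combination the post describes;
    a page that merely plays background music is not flagged."""
    midi_refs = sorted(set(MIDI_REF.findall(html)))
    script_srcs = SCRIPT_SRC.findall(html)
    escape_runs = UNICODE_ESCAPES.findall(html)
    # Each %uXXXX token is six characters, so length // 6 is the token count.
    longest_run = max((len(run) // 6 for run in escape_runs), default=0)
    hex_blobs = HEX_BLOB.findall(html)
    suspicious = bool(midi_refs) and (longest_run >= min_escapes or bool(hex_blobs))
    return {
        "midi_refs": midi_refs,
        "script_srcs": script_srcs,
        "longest_escape_run": longest_run,
        "hex_blob_count": len(hex_blobs),
        "suspicious": suspicious,
    }


# Constructed sample in the shape the post describes (not the real page):
# a MIDI embed, an external decoder script, and a 17-token %u-escaped blob.
SAMPLE_HTML = """<html><body>
<embed src="sample.mid" autostart="true">
<script src="decode.js"></script>
<script>
var sc = unescape("%u9090%u9090%u4141%u4242%u4343%u4444%u4545%u4646%u4747%u4848%u4949%u4a4a%u4b4b%u4c4c%u4d4d%u4e4e%u4f4f");
</script>
</body></html>"""

# Constructed benign page: a MIDI reference with no encoded blob.
BENIGN_HTML = '<html><body><embed src="song.mid"><p>Background music</p></body></html>'

if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
    print(triage_html(BENIGN_HTML))
```

The threshold of 16 escape tokens is arbitrary; tune it against the pages you actually see, and treat the verdict as a triage hint that routes a page to a sandbox rather than as a final classification.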

    This binary is then decrypted and executed as a malware detected as TROJ_DLOAD.QYUA. We’re still conducting further analysis on TROJ_DLOAD.QYUA, but so far we’ve seen a serious payload, including rootkit capabilities.

    Meanwhile, as the routines described above run in the background, affected users remain unsuspecting and see the following:

    Microsoft has already issued an update to address this vulnerability during the last Patch Tuesday, so our first advice to users is to patch their systems with the Microsoft security update here. The vulnerability affects Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2. We’d like to reiterate that this is a publicly disclosed exploit; as such, we can expect similar attacks in the future.

    Trend Micro customers, meanwhile, are already protected from this by the Trend Micro™ Smart Protection Network™, which blocks the related malicious files and URLs.

    We will update this blog entry once more information is available.

    Update as of January 26, 2012, 7:50 a.m. (PST)

    Trend Micro Deep Security shields this vulnerability using the specified rules. For more information on the Deep Security rules, users can visit our vulnerability page here.

    Update as of January 27, 2012, 2:55 a.m. (PST)

    Upon further processing, we found that TROJ_DLOAD.QYUA uses two other components for its routines. It drops RTKT_MDIEXP.QYUA for its rootkit capabilities, and connects to a certain URL to download its main payload — BKDR_EAYLA.QYUA. Currently, we are analyzing this threat and we will update this blog post once analysis is complete.

    Update as of January 27, 2012, 8:15 p.m. (PST)

    Further analysis of BKDR_EAYLA.QYUA revealed that it is not a backdoor, but an info stealer which we now detect as TSPY_ONLING.KREA. This particular malware steals credentials related to certain Korean online game sites. Once credentials are captured, they are sent to the attacker’s C&C.


    At a time when the web is flooded with user information and entire platforms are built and run on sharing just about every piece of information about oneself, you have to wonder, “Are we really living in the post-privacy era?”

    For 2012, we believe that the new social networking generation will redefine privacy. Our concept of online privacy constantly changes along with various shifts in technology. Providing information has become so convenient that most people no longer know how much information they reveal and to whom.

    With Data Privacy Day coming up, it’s high time that people all over the world become aware of best online privacy practices. Though most of you may already know this, social networking sites track your movements and store valuable information such as photos, links, videos, and everything else made public. As you increasingly go online for personal transactions like shopping and banking, you’re bound to wonder just how much information you actually expose online.

    The end of online privacy and an era of extreme openness may be the only inevitable conclusion unless you understand the implications that the cyberlinked world brings. You should realize that, along with the convenience the Internet brings, comes great responsibility. Although Data Privacy Day is currently only observed in the United States and Canada, this should not hinder raising awareness of online privacy on a global level.

    For more information on online privacy, please read our latest TrendLabs Digital Life e-Guide, Be Privy To Online Privacy.

    Trend Micro is an official data privacy champion for this year’s Data Privacy Day.


    ICS (Industrial Control Systems) networks have been big news lately, due to a spate of vulnerabilities, highly publicized breaches, and various other security concerns.

    ICS Networks are defined as networks or collections of networks that consist of elements that control and provide telemetry data on electromechanical components. Such components include valves, regulators, switches, and other electromechanical devices that one may find in various industries such as oil and gas production, water processing, environmental control, electrical power generation and distribution, manufacturing, transportation, and many other industrial settings.

    Without getting into detail for each particular industry segment, all of these ICS environments share a common fate: they are not “traditional” IT network environments and should not be treated as such. Most ICS networks share similar security challenges because of this uniqueness. These challenges are made more complex by the interaction of ICS elements with physical industrial components.

    Failure to properly control or restrict access to these elements can lead to catastrophic accidents. Many of the industrial systems managed by these elements are considered “critical infrastructure (CI)” and require a much more specialized security architecture than traditional IT environments.

    Supervisory Control and Data Acquisition (SCADA) networks can be defined as the network layer that immediately interfaces with ICS networks as well as host systems that control and monitor elements of ICS networks.

    SCADA/ICS networks differ from other networks only in the network elements, management platforms, and sensitivity. All-in-all, they suffer from exactly the same threats as other networks, but with even more potentially catastrophic outcomes.

    The biggest issue with SCADA/ICS security is that the ICS community has (for the most part) enjoyed living in a “bubble” for many years – they used proprietary protocols, on specialized & proprietary platforms, on dedicated slow-speed communications infrastructure (even some dial-up), and were completely disconnected from other networks (e.g. the Internet).

    Now, the SCADA/ICS community is grappling with the security issues of using commodity hardware and software (e.g. Microsoft Windows), being connected to other external networks (enterprise networks and ultimately the Internet), a chaotic & uncontrolled vulnerability disclosure regime (ICS vulnerabilities being targeted for exploitation), and all other manner of threats that the rest of the general IT security industry has been dealing with for many years.

    Yes, some ICS network operators are behind the curve, and yes, some are overwhelmed by these circumstances. But the overall SCADA/ICS community is improving its security posture more and more every day.

    I have put together a tech note white paper entitled Towards a More Secure Posture for Industrial Control Systems, which briefly discusses some basic, beneficial security architecture elements for this environment.

    This paper illustrates what I believe should be considered required elements in every ICS network integration effort. It also covers best practices when integrating with SCADA and existing organizational networks as well as the rationale for and importance of each component of the suggested architecture. It is not intended to be an all-inclusive guide for ICS/SCADA security, but rather just a high-level overview of some basic architectural elements which can increase the security posture of an ICS deployment.


    The IRS has officially kicked off tax season in the US, and right on time are the cybercriminals who are already taking advantage of it by using tax-related messages as a social engineering lure.

    We’ve recently spotted samples of spammed messages posing as a notice from Fidelity Investments, a well-known American financial institution.

    The email, which is in a newsletter format, carries the subject “Your statement is ready for your review”. It informs recipients that their tax statement is attached and ready for review.

    The attachment, however, is a .ZIP file containing an executable file, which was found to be malicious. Trend Micro detects it as TSPY_ZBOT.TYR.
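The pattern described above, a lure subject line with a .ZIP attachment that wraps an executable, is easy to check for at the mail gateway or in a mailbox export. The following Python script is an added example and not code from the post: it parses a MIME message, opens any ZIP attachment in memory, and reports entries with executable extensions. The message it inspects is constructed inside the script (the sender, recipient and inner filename are invented placeholders, and the "executable" is a few dummy bytes), so it is not one of the spammed mails.

```python
"""Flag mail carrying a ZIP attachment that contains an executable, the shape
of the tax-season spam described in the post. Added example; the message
below is constructed, not a real sample."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that Windows will run directly when a user opens the file.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
# Subject lines seen in the campaign described by the post (lower-cased).
LURE_SUBJECTS = ("your statement is ready for your review",)


def build_sample_message(inner_name="Fidelity_Statement_2011.exe"):
    """Construct a lookalike message for testing. The sender, recipient and
    inner filename are placeholders; the payload bytes are not a real binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ" + b"\x00" * 32)  # dummy bytes, constructed
    msg = EmailMessage()
    msg["From"] = "statements@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your statement is ready for your review"
    msg.set_content("Your tax statement is attached and ready for review.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="statement.zip")
    return msg.as_bytes()


def inspect_message(raw):
    """Parse a raw RFC 822 message and report executables hidden in ZIPs.
    A ZIP is recognised by its filename or by the PK\\x03\\x04 magic, so a
    renamed archive is still opened."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        if info.filename.lower().endswith(EXEC_EXTS):
                            findings.append(f"{name}:{info.filename}")
            except zipfile.BadZipFile:
                # A corrupt or deliberately malformed archive is itself worth a look.
                findings.append(f"{name}:unreadable-zip")
    subject = str(msg["Subject"] or "").strip().lower()
    return {
        "lure_subject": subject in LURE_SUBJECTS,
        "exe_in_zip": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    print(inspect_message(build_sample_message()))
    print(inspect_message(build_sample_message("statement.pdf")))
```

The verdict rests on the attachment contents, not the subject line: the subject match is reported separately because lure text changes from campaign to campaign, while "executable inside a ZIP from an unsolicited sender" stays a reliable indicator.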

    Users should watch out for such spam campaigns, especially with tax season already under way. We saw attacks similar to this one during last year’s tax season, so it’s almost a given that we’ll see more of them again this time around.

    Spam emails such as those shown above are already blocked through the Trend Micro Smart Protection Network.



    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice