
    Archive for November, 2010




    In August, we noted how Trend Micro Smart Surfing for iPhone protected users against a potential iOS vulnerability. Today, we have word of another potential problem that Trend Micro Smart Surfing for iPhone is able to protect against.

    An independent security researcher noted that in certain cases the Safari browser hides the address bar after a website has finished loading. This can be used to add another layer of believability to phishing attacks: the legitimate URL of the phished site can be placed in a fake address bar. If the real address bar has hidden itself, only the fake bar would be seen, leading users to think they are on the legitimate page.

    To demonstrate this proof-of-concept (POC) attack, the researcher created a fake Bank of America page. A keen-eyed user would note that while the page is loading, two address bars can be seen, but once it has loaded, the real address bar hides itself.

    However, when the said POC page is loaded through Trend Micro Smart Surfing for iPhone, the address bar can always be seen—not just when the page is being loaded.

    Because Trend Micro Smart Surfing for iPhone always displays the system’s address bar, users are immediately warned of any site that uses this POC attack. In addition, phishing sites that use this as part of their techniques will be blocked as well.

    Trend Micro Smart Surfing for iPhone is a completely free application offered to all iPhone users and is available via the App Store or the Trend Micro Free Tools portal.



    This blog post is based on my talk last November 17 at the Information Security Summit 2010 in Hong Kong.

    Cloud computing is one of the biggest trends in the computing world today. However, security concerns about the cloud are one of the major reasons why companies hesitate to migrate their operations to it. Let’s discuss an important piece of the cloud computing puzzle: the problem of authentication.

    Many authentication schemes rely on the traditional user name and password combination. The problems with relying on these are well known, but as companies move to the cloud, they become even more pressing.

    Cybercriminals have long known the value of user credentials and have worked hard to develop techniques to steal them. The top two online banking Trojan families in recent history—ZeuS and SpyEye—both employ a wide range of credential-theft techniques. One of the most ingenious is the use of screenshots to defeat the on-screen keyboards that online banks deploy as an anti-keylogging measure.

    Saying that ZeuS and SpyEye are scary would be an understatement. Corporations should worry about two particular things—first, any website can be targeted, including those that provide confidential services in the cloud and second, even login pages protected by SSL are not safe.

    To make matters worse, account-stealing Trojans account for the majority of malware types Trend Micro has discovered so far, as documented in our first half report. We can only see this trend continuing in the foreseeable future.

    Aside from malware, however, employees themselves are also part of the problem. They may unwittingly give out critical information on social networking and social media sites. Answering quizzes that virally spread on social networks may reveal information that an attacker may find useful when answering security questions on password-recovery features or when impersonating legitimate personnel.

    One of the appeals of cloud computing is that users can access services in the cloud from anywhere in the world, even when out of the office. This, however, presents new risks for corporations that use cloud services. Users may be tempted to use unsecure access points such as free Wi-Fi.




    Recently, our CTO, Raimund Genes, talked about how spam is still a problem today, even if users “know not to click on them.”

    Let’s talk about what spam is, why it’s still a problem today, and what Trend Micro is doing to help solve this threat.

    Spam is the term for unsolicited e-mail messages sent in bulk. They come in different types, namely:

    • Adult/Sexual: Pornographic content, sexual enhancers, online dating
    • Commercial: Selling products/services, web hosting, OEM
    • Education/Degree: Online degree offers
    • Financial: Bank loans, financial counseling, mortgage/debt reduction, credit card offers
    • Health: Online pharmacy, herbal, drugs
    • Others: Malware-related, phishing messages, racial
    • Scam: Lottery, money mules, job offers
    • Spiritual: Religious
    • Stock: Stock promotion, pump and dump campaigns

    Some of these e-mail messages are just meant to advertise their wares by flooding users’ inboxes. However, some of them can also cause real problems for their recipients. Some spammed messages are used for phishing attacks and spreading malware, which allows the attacker to collect sensitive information (such as bank accounts, credit card numbers, passwords) or even use the infected system for their crimes.




    In late October of this year, it was reported that the “rivalry” between the ZeuS and SpyEye malware families was ending with a merger of the two. The ZeuS author, known as Slavik or Monstr, was reported to have gone underground and handed his toolkit’s source code to the SpyEye author, known as Gribodemon or Harderman.

    This has prompted a lot of speculation about what will come next. Many researchers are waiting for a new malware family that will combine the features of SpyEye and ZeuS.

    Based on our underground research, we found that SpyEye’s development has ground to a halt. One SpyEye feature will, however, be carried over into future ZeuS versions: plug-ins, which add functionality outside the toolkit’s “core” (e.g., more sophisticated information theft routines) and can be bought after the main toolkit has been purchased. ZeuS, in contrast, previously used modules that had to be included when the toolkit was sold. Newer ZeuS versions will use plug-ins, much as SpyEye currently does. A cybercriminal who wants to add a feature to an existing SpyEye toolkit, or to a future ZeuS version, only needs to purchase the new plug-in; ZeuS users previously had to buy a whole new version.

    For now, however, SpyEye and ZeuS remain separate malware families. Whether or not the merger pushes through, SpyEye is still growing as a threat: according to information gathered by the Trend Micro™ Smart Protection Network™, the number of SpyEye infections has grown as much as 20-fold since July of this year.

    What about ZeuS’ author? We have heard rumors that he is not really retiring. He will instead create new malware (either ZeuS or entirely new families) that he will then primarily sell to high-value clients. When we do see these variants, will they be more targeted in terms of infection routine? And what are the chances that we will be able to determine that they actually came from the ZeuS author? Only time will tell.

    Since news of this “merger” first came out, many security analysts rushed to gather intelligence on SpyEye. In anticipation, Gribodemon went through many underground forums and deleted his posts to cover up what he has been doing.

    Trend Micro and the rest of the security industry are ready to respond to this threat. One of the more public signs of this is Roman Hüssy, the administrator of the respected ZeuS Tracker, who has opened the SpyEye Tracker, which fulfills the same function for SpyEye. This will aid both law enforcement agencies and security companies in taking down and investigating SpyEye command-and-control (C&C) servers. We at Trend Micro are also proactively monitoring the SpyEye threat and will continuously work hard to protect our product users.



    Yet another zero-day vulnerability recently reared its ugly head in the threat landscape. Discovered by Marco Giuliani at Prevx, the proof of concept (POC) shows that a vulnerable application programming interface (API) in Windows can be manipulated by changing its input to cause an overflow in the kernel that will allow arbitrary code to run in kernel mode. As proven in our internal testing, the POC described by the author is capable of elevating system privileges without the user’s knowledge even in more recent Windows OS versions that utilize user account control (UAC).


    The timing of the POC’s release is particularly crucial, considering the upcoming Thanksgiving holidays. With users spending more time online in search of discounts and Black Friday deals, it may become easier for cybercriminals to spread malware exploiting the zero-day vulnerability. Users are thus advised to exercise caution when conducting their usual online activities.

    Analysis and screenshot provided by threat analyst Edgardo Diaz, Jr.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice