This copy of Temple Run (or so it claims) is seen as available on the Android Market. But if you’ll check the information on the game developer, you’ll see that it is not the same developer as the one in indicated in the iOS version, which is Imangi Studios.

It also is capable of displaying ads using the mobile notification.

The usage of popular games is not really new, as we’ve already encountered other Android malware that have used them to hide their malicious activities:

• New Android Malware on the Road: GoldDream “Catcher”
• Trojanized Android App Checks for Keywords in SMS Messages

Imangi Studios, the developer of Temple Run, announced that they will release the Android version of the game this February 2012. Users can monitor updates about the release via the apps legitimate developer/fan page.

With more than 10 billion app downloads  last year from the Android Market, the Android  OS is undoubtedly one of the most popular mobile platforms around. Naturally, its popularity makes it a likely target for cybercrime. In our 12 Security Predictions for 2012, we are expecting that smartphones, tablets and particularly the Android OS will suffer more attacks this year.

Users need not worry as their mobile devices are protected from this threat with Trend Micro Mobile Security via pattern 1.187.00. Trend Micro Mobile Security is powered by the Trend Micro™ Smart Protection Network™.

On the other hand, to avoid being tricked into downloading fake apps, users may follow the tips we shared in our post, Checking the Legitimacy of Android Apps, as well as the information in our Mobile Threat Information Hub.

Post from: TrendLabs | Malware Blog - by Trend Micro

Fake Version of Temple Run Unearthed in the Android Market

Sendspace was recently used for dropping stolen data but wasn’t done automatically by malware. As reported late last year, hackers used Sendspace for rounding up and uploading stolen data.

However, this is the first time we’re seeing malware being used to upload stolen data to the file hosting and transfer site.

In this attack, the infection starts off with a malicious file, Fedex_Invoice.exe, detected as TROJ_DOFOIL.GE. The file name used for this particular malware suggests that it is being used for a spam campaign, specifically one that uses messages disguised as a FedEx shipment notification. We are currently trying to find a sample of the mentioned spammed message.

Once executed, TROJ_DOFOIL.GE downloads and executes  TSPY_SPCESEND.A.

TSPY_SPCESEND.A is a “grab and go” Trojan that searches the local drive of an affected system for MS Word and Excel files. The collected documents are then archived and password-protected using a random-generated password in the user’s temporary folder. Here’s an example of an archive of collected documents:

Malware utilizing free online services are definitely not unheard of. Utilizing a public file hosting site is yet another clever way for cybercriminals to store stolen data as they do not need to set up a server that will store large amount of data.

Trend Micro Solutions Evangelist Ivan Macalintal shared that this technique of posting stolen/exfiltrated data to ‘extended networks’ or external file storage infrastructures can fast become a trend with the criminals. “We’ve seen dropsites/dropzones for stolen/exfiltrated data that are hosted also within domains owned by the cybercriminals. Now, we’re seeing legitimate ‘clouds’ being used by criminals where they can drop and pickup their loot,” he explained.

In addition, this highlights a serious concern for the security industry and users alike. Document theft and exfiltration are now not only seen in targeted attacks, but in mass campaigns as well.

Trend Micro Smart Protection Network™  protects users from this threat by blocking the malicious files, and the C&C URL. We will update this entry once we’ve gained more information about the related spammed messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Uses Sendspace to Store Stolen Documents

We thought that there was nothing much to see when we looked at the downloader’s sample at first glance. It’s a VB-compiled executable file which does nothing but perform an HTTP GET request to an HTML page.

When accessed using via a browser it looks like a harmless web page until you decode it.

As pointed out by Microsoft, this downloader turns out to be different from others. Instead of downloading another binary to execute, it merely executes the downloaded code in the harmless-looking file’s context. To do this, the malware converts it to functional code, then executes it via DllFunctionCall.

The executed shellcode is actually a variant of the BKDR_POISON malware family which was used in a number of targeted attacks last year.

A Brief Background on BKDR_POISON

Also known as PoisonIvy, the BKDR_POISON family has been rampant for years. This could be attributed to the fact that its builder is easy to use and is freely available for download from their website. Its auto-start mechanism, as well as the mutex and file names of the malware copy is configurable via the builder, so each generated sample does not necessarily have exactly the same behaviors.

Its backdoor functionalities include keylogging, monitoring audio/video, capturing screenshots, managing processes and services, accessing or uploading files, and many more. In other words, it basically gives the person on the client side full access of the infected system.

Integrating BKDR_POISON with another malware is easy, since the backdoor’s builder gives the user an option to generate the shellcode instead of an entire executable file.

In the case of the downloader we mentioned above, once it executes BKDR_POISON’s shellcode, it inherits the backdoor’s behaviors as a result.

As opposed to downloaded binary files that can be detected and analyzed independently, a shellcode needs to be analyzed with the executable file which inherits its behaviors. If security researchers don’t get the right pair of shellcode and executable (e.g., if the executable file is hidden or encrypted), then the shellcode might be left undetected.

According to Threat Research Manager Jamz Yaneza, another difference between the two files is the way they are executed. “The Poison Ivy builder outputs either: a Windows executable binary, or a Windows shellcode. The only difference between the two outputs is that the shellcode version needs to be injected directly into memory using a separate process (ex. via an exploit) versus having it activated using the regular file execution flow of a full binary file.”

He also added that “because shellcode does not require a full file download, it can instead be used directly in an attack, and can even sport some of the usual obfuscation tricks used in a full executable format such as encryption — all of this in memory and bypassing many of the more traditional file-based scanners.”

BKDR_POISON Poses A Bigger Risk In the Future

Here’s what we know so far about the downloader:

• It accesses a plain text file from a certain URL which contains shellcode. This is then converted by the downloader to become a functional code
• Shellcode is NOT saved
• Trojan downloader executes the malicious code

Here’s what we know about BKDR_POISON:

• It is easy to integrate with other threats
• It has backdoor functionalities that have been used in targeted attacks in the past

With the downloader’s dynamic behaviors and the fact that it is still currently in its simple version, cybercriminals may still improve on it and turn it into something more problematic. Mixing it with BKDR_POISON, which we know is notorious for being related to targeted attacks, could pose challenges for the security researchers’ side. Here are some of the possible scenarios which could make this combination a noteworthy threat:

Scenario 1: If HTML is encrypted or shellcode is hidden in pictures, such as in steganography. From a threat analyst point-of-view, a security researcher might find the URL as unnecessary as it only points to a picture. By not blocking the said URL, users are left unprotected. In fact, steganography was actually already used by TDL4.

Simply encrypting the shellcode itself may give this malware a greater chance of making analysis harder. If the decryption routine is placed in the downloader, then a security researcher will not be able to analyze the shellcode without a copy of the downloader.

This technique is already being done by cybercriminals in ZBOT. ZBOT’s configuration files are encrypted and can only be analyzed properly if done so with its corresponding binary file.

Scenario 2: Server side checks user IP address or location which returns different payloads depending on the location. In a situation that an infected user is in China and the malware analyst is from the US, they could end up getting different shellcodes. The analysis would not match with infection, making it difficult to clean a system if the user and analyst yields two types of infection chains. For example, if they see that the malware is accessing the URL via Trend Micro’s IP, the malware may not reveal its actual payload.

Scenario 3: The customer is already infected, but the related URL becomes inaccessible. The threat analyst may end up having no idea what really happened since the shellcode is no longer available. This type of downloader may keep us in the dark.

Surely, there are still ways to get around these routines, but doing so may not be easy. The fact that the downloaded binary is NOT saved as a physical file makes it even more challenging. However, using technology such as reputation and cloud can definitely help remedy this situation. Trend Micro users are protected via the Smart Protection Network™ with Web Reputation Technology which blocks malicious URLs. File Reputation Technology detects the related malicious file BKDR_POISONDLD.A

Post from: TrendLabs | Malware Blog - by Trend Micro

BKDR_POISON: More Challenges Ahead

The said attack begins with a post on affected users’ wall inviting other users to install a Valentine’s theme into their Facebook profile.

It also installs itself on the users’ browsers as an extension named  Facebook Improvement |Facebook.com.

Once this malicious browser extension is installed, it will monitor the users’ browsing activities and redirect their page to a survey page asking them for their mobile number. Users who clicked on the post using Internet Explorer (IE) will be redirected to the same survey, without them being asked to download anything.

Upon further analysis, we discovered that the attack is much more effective if the users are employing either Google Chrome or Mozilla Firefox. It resembles a legitimate extension download, thus requiring less user interaction than in the case where Internet Explorer is used (in which case the user is redirected to surveys).

With the focus of the attack mainly built around the concept of pretending to be a valid Chrome extension, we can reasonably conclude that Chrome users are the main target of this particular attack, with the IE redirection as more of an afterthought. But while there may be browser activity monitoring involved, TROJ_FOOKBACE.A does not seem to have any information theft techniques.  It fits the criteria of a clickjacking attack more, where it automatically ‘likes’ several Facebook pages as well as automatically posts a message on the affected user’s wall.

The fact that the attack itself is focused on Chrome and Firefox may mean that cybercriminals are targeting extension-compatible browsers, as well as going after more popular browser choices. This is not the first attack of its kind, but considering that extension-capable browsers are coming to the forefront now, it serves as a warning to all of us that this may be a continuing a trend that the malicious entities of the Internet are going to follow in the foreseeable future.

Trend Micro protects users from this attack via Trend Micro™ Smart Protection Network™  that detects the malicious file and blocks all related malicious URLs.

Post from: TrendLabs | Malware Blog - by Trend Micro

Facebook Valentine’s Theme Leads to Malware

The said vulnerability is triggered when Windows Multimedia Library in Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code.

In the attack that we found, the infection vector is a malicious HTML which we found hosted on the domain, hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA.

HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body. Below is a screenshot of HTML_EXPLT.QYUA’s code. Notice the highlighted parts where it calls the MIDI and JavaScript components:

Meanwhile, as the routines stated above happens in the background, the affected users remains unsuspecting and sees the following:

Microsoft has already issued an update to address this vulnerability during the last patch Tuesday, so our first advice to users is to patch their system with the Microsoft security update here. It affects Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2. We’d like to reiterate that this is a publicly disclosed exploit. As such, we can expect similar attacks in the future.

On the other hand, Trend Micro customers are already protected from this by the Trend Micro™ Smart Protection Network™, which blocks the related malicious files and URLs.

We will update this blog entry once more information is available.

Update as of January 26, 2012, 7:50 a.m. (PST)

Trend Micro Deep Security shields this vulnerability using the specified rules. For more information on the Deep Security rules, users can visit our vulnerability page here.

Trend Micro Deep Security customers are protected by the rule 1004899 – Microsoft Windows Media Player MIDI Remote Code Execution Vulnerability (CVE-2012-0003). This rule prevents download of MIDI files, containing bad records, which could allow an attacker to execute arbitrary code if the user opens a link to a midi file or visits a page with embedded MIDI file.

Update as of January 27, 2012, 2:55 a.m. (PST)

Upon further processing, we found that TROJ_DLOAD.QYUA uses two other components for its routines. It drops RTKT_MDIEXP.QYUA for its rootkit capabilities, and connects to a certain URL to download its main payload — BKDR_EAYLA.QYUA. Currently, we are analyzing this threat and we will update this blog post once analysis is complete.

Update as of January 27, 2012, 8:15 p.m. (PST)

Further analysis of BKDR_EAYLA.QYUA revealed that it is not a backdoor, but an info stealer which we now detect as TSPY_ONLING.KREA. This particular malware steals credentials related to certain Korean online game sites. Once credentials are captured, they are sent to the attacker’s C&C.

Update as of January 30, 2012, 12:30 a.m. (PST)

Below is a behavior diagram on how this particular threat works.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Leveraging MIDI Remote Code Execution Vulnerability Found

We’ve recently spotted samples of spammed messages posing as a notice from Fidelity Investments, a well-known American financial institution.

The email, which is in a newsletter-format, contains the subject “Your statement is ready for your review“. It informs recipients that his/her tax statement is attached and ready for review.

Users should watch out for such spam campaigns, specially with the tax season already ongoing. We saw attacks similar this one during the tax season last year, so it’s almost a given we’ll see more of it again this time around.

Spam emails such as those shown above are already blocked through the Trend Micro Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

Tax Season Opens, Tax Spam Follows

But even though methodologies may change, whether through reverse engineering or analysis of the botnet infrastructure, the goal of understanding what the threat is all about is the number one priority.

Trend Micro is fortunate enough to have several experts under its fold who are able to attack the challenge using different means. And we are proud to say that our technical analysis and due diligence in monitoring Koobface activities made us understand the botnet intimately, and enabled us to respond and apply the appropriate solution to protect our customers.

Koobface at Its Peak

At its peak, Koobface was popularly known as the malware propagating through the (then) steeply rising social network Facebook, but of course, it was more than that.

Back in 2008-2009, Facebook was just becoming the dominant social network that it is now, and was just starting to distance itself from the likes of Myspace, Twitter, Friendster, myyearbook, etc.

Our first research paper about Koobface provided detailed overview that Koobface was not only exclusively propagating on Facebook, and that it also utilized the other social networks popular during that time. We also presented that once a system is infected by the Koobface malware, additional pieces of malware are installed into the system, which are then used to either monetize infected user traffic, or use the affected machine as part of the Koobface C&C infrastructure.

Our findings led us to the second research paper, which delved deeper into the C&C infrastructure and communication. Here, we were able to discover the various levels of control available for the Koobface gang – from the fine grained control of social engineering messages to be spammed by the infected user, to the various components, accounts, infrastructure and commands available to the Koobface gang.

But we couldn’t consider our research done if we weren’t able to figure out what this is all about. Nobody gives that much time and effort for nothing, so the question that remained was – what’s in it for the Koobface gang?

The Monetization of Koobface

We found out the answer to this question and presented our findings through the third part of our research paper, as we were able to gather proof that the Koobface gang is involved in criminal activities such as FakeAV installation, clickfraud, information stealing and online dating.

The Evolution of Koobface

During all these years, we are proud to say we here at Trend Micro has shown the effort and diligence to keep Koobface on our radar. Our fourth report on Koobface details how the Koobface gang changed the C&C architecture, modified the malware binaries, and improved the backend services in order to become more resilient to takedowns and evade simplistic blocking/detection solutions.

As further evidence of Trend Micro’s commitment to this effort, we released our fifth installment of our Koobface research just last month, detailing how the Koobface gang adjusted to strict security checks by Facebook, by making use of Twitter and Blogspot (instead of Facebook) and TDS (Traffic Direction Systems) to divert and monetize user Internet traffic and maintain the gang’s cash flow.

We did these things while working with the appropriate channels and withholding ourselves from revealing sensitive information that will interfere with on-going operations by various law enforcement.

However, this sensitive information regarding one of the Koobface operators were prematurely published by a blogger without coordination with the community involved. This happened before any of the desired results (i.e. arrests) happened. The slow pace of the LE investigation is understandable – the standards of evidence are much higher for LE that they eventually have to go to court. This necessarily takes time.

Let’s hope that the current situation would serve as a ‘last push’ for LE, so that this whole “Koobface saga” will end up with the arrests of the perpetrators, and the dismantling of their infrastructure – a success story like what happened in Operation Ghost Click.

Trend Micro researchers Jonell Baltazar, Ryan Flores, Joey Costoya and Nart Villenueve all devoted significant amounts of time and effort in tracking the Koobface threat.

You may also check this report developed by our friends from Sophos together with independent security researcher Jan Droemer.

Post from: TrendLabs | Malware Blog - by Trend Micro

The Koobface Saga

As we prepare for the year ahead, let us take a look at some of the Trend Micro 2011 predictions that came true and how we contributed to the security industry’s wins against the continuing war against cybercrime.

 

Though we didn’t foresee hacktivism coming to the fore in 2011, we witnessed a slew of mass compromises result from AntiSec and LulzSec attacks against various entities. Armed with politically charged agendas and disgruntled with varying issues, hacktivist groups continued to fling attacks at users.

2011, however, wasn’t all bad, as we also garnered some wins in our never-ending battle against cybercrime. In close collaboration with our industry partners and law enforcement authorities, Trend Micro was at the forefront in what has been dubbed the “Biggest Cybercriminal Ring Takedown”—Operation Ghost Click—to date. As individuals and organizations alike embark on the cloud journey, we at Trend Micro, along with our fellow cybercrimefighters in law enforcement and the security industry, will continue to serve our customers by providing data protection from, in, and for the cloud.

For more details on what 2011 was like, take a look at the 2011 security roundup report, A Look Back at 2011: Information Is Currency.

Post from: TrendLabs | Malware Blog - by Trend Micro

2011: The Year of Data Breaches

The website was said to have an iframe that redirected users to another compromised site in Brazil. The site executed a malicious Java applet detected as JAVA_DLOAD.ZZC. JAVA_DLOAD.ZZC leverages a vulnerability in Java CVE-2011-3544 to install TROJ_PPOINTER.SM, which in turn drops BKDR_PPOINTER.SM. BKDR_PPOINTER.SM connects to a certain URL to send and receive commands from the attacker. It is also capable of gathering certain information about the affected system.

Based on our investigation, it seems that the initially reported affected organization is just one of the targets in this attack and that the attack itself is fashioned specifically for the targets. We studied the related files and URLs, and found that the string related to the human rights organization was used as the name for both the inserted folder and file in the compromised Brazilian website:

• hxxp://{BLOCKED}.com.br/cgi-bin/ai/ai.html
• hxxp://{BLOCKED}.com.br/cgi-bin/ai/ai.jar

Furthermore, the code of the file retrieved from the URLs above indicate that it was a payload specifically intended for the said human rights organization, as it has related strings mentioned in its code:

Trend Micro Researcher Nart Villenueve checked on this, and found other folder and file combinations hosted on the same compromised website, but with different strings. This strongly suggests the existence of other targets.

• hxxp://{BLOCKED}.com.br/cgi-bin/hk/hk.html
• hxxp://{BLOCKED}.com.br/cgi-bin/hk/hk.jar
• hxxp://{BLOCKED}.com.br/cgi-bin/so/so.html
• hxxp://{BLOCKED}.com.br/cgi-bin/so/so.jar
• hxxp://{BLOCKED}.com.br/cgi-bin/OM/om.html
• hxxp://{BLOCKED}.com.br/cgi-bin/OM/om.jar

The files retrieved from these URLs also had the same strings in their code, similar to the AI case we’ve explained before. The said malicious files are now also detected as JAVA_DLOAD.ZZC and BKDR_PPOINTER.SM.

Trend Micro products provide protection against this type of attack through the Trend Micro™ Smart Protection Network™ infastructure. Also, Deep Security and OfficeScan™ with Intrusion Defense Firewall (IDF) plug-in protects users through the rule Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability. Meanwhile, Threat Discovery Appliance (TDA) detects the traffic related to the forwarding of the information obtained by BKDR_PPOINTER.SM as HTTP_REQUEST_PPOINTER.

The home page of the affected human rights organization has been a target at least a couple of times within the past several months, showing how determined cybercriminals are to target the frequent visitors of this site. As of this writing, the site is clean of the malicious code. Site owners of special interest sites catering to particular demographics, organizations or groups of like-minded individuals should be just as cautious about these kinds of attacks as corporations and businesses.

Post from: TrendLabs | Malware Blog - by Trend Micro

NGOs Targeted with Backdoors

The attack involves domains that display replicated eBay posts for iPhone 4S units. The screenshots below show a sample of the fake page, and the original eBay post from which the content was copied.

There are some differences between the two pages. For example, the real post uses US dollar as its currency, while the fake post uses Euro. The price in the fake one is also dramatically cheaper. You’ll also notice that the post the cybercriminals chose to replicate is one by a seller with a good reputation, to gain the trust of potential victims.

The fake eBay pages are hosted on domains that are followed by /www.ebay.ie/ in order to trick users into thinking that it is the real eBay domain. All the links in the fake page will lead to the legitimate one, except for the “Buy It Now“. Clicking “Buy It Now” leads to a fake login page that asks users to enter personal information.

After filling out the form, users are directed to a page that says they must contact the seller via email in order to proceed with the transaction.

We’re pretty sure that this is not how transactions go when buying something over eBay. This is most likely a scam that aims to steal money and personal information from its victims. The iPhone 4S is one of the top smartphones in this year’s holiday sales, and clearly the cybercriminals taking advantage of its demand.

This iPhone 4S scam is just one of the many attacks that people might encounter this season. Cybercriminals often leverage holiday activities—such as sending holiday greetings, shopping online, and looking for deals and promos—to launch attacks targeting unsuspecting users.

Well-wishers might wish to send out holiday cheer and love through e-cards or social networking sites. However, some e-cards instead send out malware. Worse still, these email greetings may be used to steal information. Social networking sites, on the other hand, are home to survey scams that wind up charging victims for premium services.

Online shopping is a big convenience for shoppers who want to avoid the crowds. However, cybercriminals often leverage in-demand items, such as the iPhone 4S, to create scams like this one. And since it is the season for shopping, people are also most likely to take advantage of promotions and deals. Cybercriminals respond by churning out fake promos and deals, all to steal information and to spread malware.

For more information on these holiday-related threats, and on ways to how to keep yourself safe, please check our e-book, Season’s Warnings, and our entry Beware of Holiday-Themed Multi-component Online Threats. For more information on online shopping, please read our entry, Online Shopping Made Easy.

Additional text by Abigail Pichel

Post from: TrendLabs | Malware Blog - by Trend Micro

Season’s Warnings: iPhone 4S Scam and Other Holiday Threats