I was prompted into crafting this post by a Scientific American blog post which stated that many experts in various scientific studies are sometimes “blinded” by — in fact — their focused studies of a particular subject, missing some of the finer aspects of the larger picture, so to speak.

This reminds me of the many of the various efforts over the course of the past five or so years to connect-the-dots on Eastern European cyber crime — something which I have spent a great deal of time and effort, with reasonable success — Trend Micro customers get protected as a direct byproduct of this research.

Of course, this leads me to the reason for this post — there are certainly “gray areas” of cyber crime where we have yet to identify. It’s an ongoing research project, so to speak, and realistically it is a never-ending quest.

This is where I provide kudos to Dmitry Samosseiko of Sophos, for his excellent paper he presented at Virus Bulletin 2009 in Geneva, entitled “The PARTNERKA – What Is It and Why Should You Care?” [.pdf]

We’ve also been closely following  these “parnterka” relationships, or affiliate programs, for several years — including “installs for cash”  or “pay-per-install” programs that Dancho Danchev has written about on many occasions, and several other “business network” relationships between several entities in Russian, The Ukraine, Estonia, and elsewhere in Eastern Europe.

The bottom line here is that there are very organized, sophisticated, and professional criminal organizations operating out of Eastern Europe, and Trend Micro researchers are very much engaged on this front.

It is a very shadowy, nefarious cyber crime landscape of fraud & theft, and is not always as it appears on the surface — it requires much digging, verifying, connecting-the-dots, and other research that requires may hours, days, and even months of research. There is much that we still don’t know, and that holds true for everyone trying to expose these criminal enterprises.

But we’re on it.

My threat research group does “Threat Intelligence X” and “Threat Intelligence Y”, where “X” is the operational threats that exist now, and 15 minutes from now. Threat Intelligence “Y” is what we can expect to see in 6 months, a year, two years, etc., on the threat landscape.

And all of the threat landscape that exists now (and 15 minutes from now) get represented in the Trend Micro Smart Protection Network, which provides our customers protection against threat from three threat vectors — e-mail, web, and malicious files themselves.

I’m very proud of our efforts here.

Paul Ferguson
Threat Research

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!

Trend Micro threat analysts were alerted to the discovery of a not-so-common file infector. Unlike usual file infectors that only do simple modifications to the files they infect, PE_XPAJ.A does complex modifications to hide its malicious code.

Though it shares some characteristics with other PE variants, it is considered more than the average file infector. For instance, security experts will have a harder time finding its malicious code by ensuring that affected files do not exhibit any obvious sign of infection.

The file infector infects .DLL, .EXE, .SCR, and .SYS files in the following folders:

• %Program Files%
• %Windows%

It uses a polymorphic-entry point obscuring (EPO)-cavity type of infection, which is capable of moving some of the host file’s codes to another location. The malware encrypts its signature in a different way every time it executes as well as the instructions for carrying out the encryption. It hides its entry point in order to avoid detection. Instead of taking control and carrying out its actions as soon as an application is used or run, it allows it to work correctly for a while before taking action.

The file infector also connects to the following URLs to download encrypted files:

• http://{BLOCKED}huy.com/plugin/plugin.dat
• http://{BLOCKED}ios.com/stamm/stamm.dat

If that is not troublesome enough, it also copies and hides legitimate files in the %UserTemp% folder as {random HEX value}.tmp.

Trend Micro Smart Protection Network already protects product users from this file infector. Non-users, on the other hand, can use HouseCall to clean their infected systems.

US President Barack Obama officially declared October as the National Cybersecurity Awareness Month. Now in its sixth year, the said campaign promotes increased awareness with its theme, “Our Shared Responsibility.” It also calls for everyone to do their fair share in securing the nation’s digital infrastructure. Furthermore, it stressed out the need for people to familiarize themselves with best computing practices to protect them against threats plaguing the Web today.

Threats are continuously evolving and increasing. In fact, Trend Micro Smart Protection Network blocks at least 1 billion threats per day. Cybercriminals are incessantly employing new tactics such as SEO poisoning where search results on current news are rigged to redirect users to malicious websites that serve FAKEAV and other malware. This year, we also saw the full-blown rise of KOOBFACE botnet that leverages on the popularity of social networking sites. ZBOT variants are still prominent threats that come via spam attachments.

With that in mind, it is crucial for law enforcement, government, and security researchers to maintain their collaboration to fight cybercrimes. In the past, such collaboration was able to take down McColo, a spam mogul. McColo is known for hosting malicious operations like credit card theft and fraud to name a few. Advanced Threats Researcher Paul Ferguson along with other security researchers worked with HostExploit.com Cyber Crime Report, providing research and intelligence on the criminal activities of McColo.

Users can also help in the battle against cybercrimes by equipping themselves with knowledge on best practices. For tips on safe computing, users can visit the Trend Micro Internet Safety for Kids and Family website. They can also use free tools like HouseCall, TrendProtect, and Transaction Guard to secure themselves from threats lurking in the Web.

Trend Micro commends the United States for this cybersecurity initiative and encourages other countries to actively promote security awareness. After all, cybercrime is a global concern that involves everybody. In addition, let us not forget that security is a long-term campaign that goes beyond this month. Every month should be treated as cybersecurity awareness month.

A quick heads-up to all users of Microsoft’s Windows Live Hotmail email service: a list of at least 10,000 user names (and the corresponding passwords) of the second-largest email service after Yahoo has been leaked online. The list first appeared on the Pastebin website, which is normally used by programmers to share source code.

Microsoft has confirmed that the list is authentic. They have also said that their databases were not actually breached; if this is correct this means the list was gathered using conventional phishing attacks. Users who believe their accounts have been compromised may fill out this online Microsoft form to recover their account.

Windows Live Hotmail users are strongly advised to change their passwords immediately, as the scale of the overall problem is unknown. As a preventive measure, users should be very careful about entering user credentials in untrusted websites. The Microsoft page above also contains other security recommendations that users should consider.

Phishing sites like the ones that were apparently involved in collecting these credentials are blocked by the Trend Micro Smart Protection Network.

Update as of 6 October 2009, 12:00 PM:

It turns out that this attack is bigger than previously thought, as new lists of compromised email accounts were found posted on the same site where the thousands of Hotmail credentials were initially posted. However the newly posted information were not only consisted of Hotmail accounts, but Gmail, Yahoo!, Comcast, and Earthlink accounts as well. The said information are said to have been acquired in the same way as the previous attack.

The email account credentials were posted at pastebin.com, a website designed as a platform for developers to share code. The website was taken down temporarily by its owner to remove the information. The website is online again as of this writing, but not without a note for its likely very concerned users: Concerned about Hotmail? If you’ve come here after reading about the hotmail leak, see this blog post.

Trend Micro analysts have come across a new variant of the BEBLOH family of information stealers that goes well beyond the traditional tactic of logging keystrokes and sending it to another server for exploitation. Instead, this particular variant steals user information, uses it right away, and cleverly disguises it from users.

This particular variant, detected as TSPY_BEBLOH.AE, immediately connects to a command and control (C&C) server when it is executed. It downloads an encrypted configuration file from the said server, as seen below:

Figure 1. Captured traffic between affected system/C&C server

The configuration file contains key information, most importantly the name of the bank being targeted. If the user logs into the secure banking website of the target bank, their user name and PIN are both captured by the malware.

Instead of sending the account information to cybercriminals via e-mail or a website, however, it uses this to steal money from the account. If prompted by the central C&C server (which it contacts periodically), it transfers money from the user’s bank account to an account specified in the configuration file (The amount is also based on several parameters included in the said file; the values of these parameters are chosen to minimize the possibility of detection). Very good technical details can be read here.

Lastly, it also disguises its malicious transactions from the user. When the user attempts to view static pages that contain information such as remaining account balance(s), balance sheets, and previous transactions, the malware rewrites these pages on the fly, disguising any previous thefts from the user. Victims would not know they had been robbed unless they attempted to access the online banking site from an uninfected machine, or used separate facilities such as ATMs.

The Trend Micro Smart Protection Network detects and removes this malicious threat.

Update as of 5 October 2009:

TSPY_BEBLOH.AE has been renamed and will now be detected as TSPY_BEBLOH.SMJ.

Update as of 6 October 2009:

The RSA FraudAction Research Lab has published an extensive analysis of this, and they’ve turned up more proof of this malware’s sophistication. According to their research, it checks first if the infected machine is “valid” by checking a unique ID code that is assigned by the central C&C server. If the machine is not valid, instead of showing the accounts under their control, it displays the bank accounts of other victims. This was done in order to make shutting down the “mules” these cybercriminals use as conduits for their money more difficult to track and shut down.