TrendLabs Malware Blog - Trend Micro

October 2014

    The competition between mobile OSes is heating up, with Apple’s iOS 8 and Google’s Android Lollipop in tight competition as the public discovers their features and what these OSes can do for them. There are notable changes and significant improvements in these releases, particularly in their default settings.

    Encryption by default seems to be the primary selling point of both OSes. With rising awareness about data protection and consumers demanding better privacy and security on their devices, both major mobile OSes are in a neck-and-neck race when it comes to marketing their product’s safety features.

    Apple: TouchID and Encryption

    Apple now allows third-party app developers to use Touch ID, giving them more power to authenticate their users. iPhone users also see a significant modification in how apps can track locations. In older iOS versions, the options were limited to “always on/always off”. Now the option to select “when app is open” for location tracker is added, giving users more freedom and control over apps tracking their whereabouts.

    Eye Candy

    Google, on the other hand, had Android L automatically encrypt data on mobile devices, as opposed to requiring the user to configure this manually (as was the case in previous Android versions). Any data inside a smartphone running Android L will have to be unlocked with the user’s password, very similar to Apple’s iOS 8.

    Users can remotely locate lost or stolen smartphones and reset them to factory settings. This provides an added security layer for consumers who don’t want strangers capitalizing on any of the data stored on their devices. Users can also render the phone practically useless, as phones running Android L can no longer be reset to factory settings without the registered owner’s password, preventing the device from being sold off.

    There is more to the mobile threat landscape than meets the eye, and the multilayered security features in iOS 8 and Android L are more-than-welcome improvements. For more information on the protective measures in mobile operating systems, read our monthly mobile report, “The New Security Features of iOS 8 and Android Lollipop.”

    Despite the availability of fixes related to the Sandworm vulnerability (CVE-2014-4114), we are still seeing new attacks related to this flaw. These attacks contain a new routine that could prevent detection.

    A New Evasion Technique

    In our analysis of the vulnerability, we noted this detail:

    “…[T]he vulnerability exists in PACKAGER.DLL, which is a part of Windows Object Linking and Embedding (OLE) property. By using a crafted PowerPoint document, an .INF file in an embedded OLE object can be copied from a remote SMB share folder and installed on the system. Attackers can exploit this logic defect to execute another malware, downloaded via the same means.”

    In this new attack, the malicious .EXE and .INF files are already embedded in the OLE object, rather than being downloaded from a remote location. One advantage of this approach for the attacker is that the computer never needs to connect to a download location, so there is no network traffic for a Network Intrusion Prevention System (NIPS) to detect.

    The Infection Chain

    One sample we came across was part of an attack targeting an email provider. The attackers used a spoofed email to convince the recipient to open the attachment.


    Figure 1. Spoofed email message

    The attachment is a .PPSX file—a Microsoft PowerPoint presentation with the embedded file.


    Figure 2. Slide with embedded malicious file

    A Closer Look

    Similar to samples discussed in previous entries, this sample also contains two OLE objects, oleObject1.bin and oleObject2.bin. Taking a closer look at the OLE objects shows that the malicious EXE and INF files are embedded in the objects.


    Figure 3. oleObject1.bin showing the embedded EXE file


    Figure 4. oleObject2.bin showing the embedded INF file

    Viewing the OLE objects with an OLE viewer shows two streams, the CompObj stream and the Ole10Native stream; the malicious files are embedded in the latter. Looking at the CompObj stream tells us that the data in the Ole10Native stream was written by OLE Packager. This means that the embedded EXE and INF files are treated as packages and can be triggered or installed directly on the system using this vulnerability.


    Figure 5. Ole10Native stream is written by OLE Packager

    When the PowerPoint file is opened, the Packager module (packager.dll) reads the information in the OLE objects and then drops their contents, slide1.gif and slides.inf, into the %Temp% folder.

    It then invokes InfDefaultInstall.exe to install the file slides.inf. INF files are usually used by Windows to install drivers. In this particular instance, the job of slides.inf is to rename the file slide1.gif to slide1.gif.exe and then execute it using the RunOnce registry entry.
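    The following Python script is an added example, not code from the original entry: it parses an Ole10Native stream (once extracted from an oleObjectN.bin with an OLE viewer or a library such as olefile) and flags packages of the kind described above, namely an INF installer or a PE executable labelled with a harmless extension such as .gif. The Ole10Native field layout is an assumption taken from the structure documented in oletools' oleobj parser, and both sample streams are constructed here rather than taken from the real sample.

```python
import struct
# Ole10Native layout per oletools' oleobj parser (assumption); builder only makes samples.
def build_ole10native(label, src_path, temp_path, payload):
    body = struct.pack("<H", 2)                        # version/flags word
    body += label.encode() + b"\x00"                   # display label
    body += src_path.encode() + b"\x00"                # original path
    body += struct.pack("<LL", 3, len(temp_path) + 1)  # type flag, temp-path length
    body += temp_path.encode() + b"\x00"               # path Packager extracts to
    body += struct.pack("<L", len(payload)) + payload  # payload size + bytes
    return struct.pack("<L", len(body)) + body         # leading total-size field

def _cstr(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def parse_ole10native(stream):
    """Return label, paths and embedded bytes; raise on a truncated stream."""
    total, = struct.unpack_from("<L", stream, 0)
    if len(stream) < 4 + total:
        raise ValueError("truncated Ole10Native stream")
    pos = 6                                    # skip total size and version word
    label, pos = _cstr(stream, pos)
    src_path, pos = _cstr(stream, pos)
    pos += 8                                   # two uint32 fields, not needed here
    temp_path, pos = _cstr(stream, pos)
    size, = struct.unpack_from("<L", stream, pos)
    data = stream[pos + 4:pos + 4 + size]
    if len(data) != size:
        raise ValueError("truncated embedded payload")
    return {"label": label, "src_path": src_path, "temp_path": temp_path, "data": data}

def triage(stream):
    """Flag INF installers and PE files whose label hides the real type."""
    obj = parse_ole10native(stream)
    name, data, reasons = obj["label"].lower(), obj["data"], []
    if name.endswith((".inf", ".exe", ".scr", ".com", ".bat", ".cmd")):
        reasons.append("executable or installer extension")
    if data[:2] == b"MZ" and not name.endswith((".exe", ".dll", ".scr")):
        reasons.append("PE header behind non-executable extension")
    if data.lstrip().upper().startswith(b"[VERSION]"):  # INF files open with [Version]
        reasons.append("INF content in package")
    return obj["label"], reasons

# Constructed samples mirroring the two packages described above (not real data).
TEMP = "C:\\Users\\u\\AppData\\Local\\Temp\\"
SAMPLE_GIF = build_ole10native("slide1.gif", "C:\\src\\slide1.gif",
                               TEMP + "slide1.gif", b"MZ\x90\x00" + b"\x00" * 60)
SAMPLE_INF = build_ole10native("slides.inf", "C:\\src\\slides.inf",
                               TEMP + "slides.inf", b"[Version]\r\nSignature=\"$CHICAGO$\"\r\n")
```

    Running triage() over every Ole10Native stream in a document gives a quick first pass before a sandbox or a reviewer looks at the file.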


    Figure 6. Registry entry

    The following image shows what the process flow looks like:


    Figure 7. Process flow of the attack

    We detect the crafted PowerPoint slideshow file, including slides.inf, as TROJ_MDROP.ZTBJ. The final payload, slide1.gif, is detected as TROJ_TALERET.ZTBJ-A, a known family of malware used in targeted attacks involving different Taiwanese industries and government organizations.

    Users are strongly advised to apply the patch for the vulnerability (MS14-060). This incident also highlights the importance of applying all patches as soon as they are available. In this instance, a vulnerability patch from 2012 (MS12-005) can provide a preventive measure against these attacks: the presence of this specific patch alone can deter them, as the message it displays can alert recipients to the suspicious nature of the file before they open it. Lastly, users and employees are advised not to open PowerPoint files from unknown sources, as this may lead to malware infection.

    SHA1 of the sample mentioned in this entry:

    • c8a9ab7f720b469a31c667fe7dcad09cdf0dbfa1

    Additional insights from MingYen Hsieh, Tim Yeh, Chingo Liao, Lucas Leong, Vico Fang, and Shih-hao Weng.

     

    Pawn Storm is an active economic and political cyber-espionage operation targeting a wide range of entities, mostly those related to the military, governments, and media. Specific targets include:

    • Military agencies, embassies, and defense contractors in the US and its allies
    • Opposition politicians and dissidents of the Russian government
    • International media
    • The national security department of a US ally

    The cyber criminals behind Operation Pawn Storm are using several different attack scenarios: spear-phishing emails with malicious Microsoft Office documents lead to SEDNIT/Sofacy malware, very selective exploits injected into legitimate websites that will also lead to SEDNIT/Sofacy malware, and phishing emails that redirect victims to fake Outlook Web Access login pages.

    A Closer Look at SEDNIT

    Our investigation into Pawn Storm has shown that the attackers have done their homework. Their choices of targets and the use of SEDNIT malware indicate the attackers are very experienced; SEDNIT has been designed to penetrate their targets’ defenses and remain persistent in order to capture as much information as they can.


    Figure 1. Phases 1 and 2 in an Operation Pawn Storm attack

    The spear-phishing emails sent in Pawn Storm attacks can be aimed at very specific targets. In one example, a spear-phishing email was sent to only three employees of the legal department of a billion-dollar multinational firm. The e-mail addresses of the recipients are not advertised anywhere online. The company in question was involved in an important legal dispute, which shows a clear economic espionage motive on the part of the attackers. Luckily nobody clicked on the link in the spear-phishing e-mail, and Trend Micro was able to warn the company at an early stage, thus preventing any further damage.

    This attack, however, is just one of many launched, and there will surely be more. The attackers behind Operation Pawn Storm have been active since at least 2007 and continue to launch new campaigns. In June 2014 they compromised government websites in Poland, and in September 2014 the website of the Polish Power Exchange, www.irgit.pl, by inserting a malicious iframe pointing to exploit servers at yovtube[dot]co and defenceiq[dot]us. The exploit server was, however, very selective in infecting victims, so the SEDNIT malware was only installed on selected systems.

    Another technique used by the Pawn Storm attackers is a very clever phishing attack that specifically targets Outlook Web Access users. We will discuss that part in another entry that we will release soon. In the meantime, check the full details of our research in our paper: Operation Pawn Storm.

    Microsoft has disclosed that a new zero-day vulnerability is present in Windows and is exploited via Microsoft Office files. According to Microsoft Security Advisory 3010060, the vulnerability is present in all supported versions of Windows except Windows Server 2003.

    The vulnerability (designated as CVE-2014-6352) is triggered by an attacker sending a specially crafted Microsoft Office file to the user. Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack.

    The specially crafted files contain a malicious Object Linking and Embedding (OLE) object. This technology is used to share data between various applications, and it is in this component of Windows that the vulnerability is found. Exploiting it allows malicious code to run with the privileges of the current user; to get administrator access, a separate exploit must be used. In addition, under default settings a User Account Control prompt is displayed, which may alert the user that something unusual is going on.

    Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle. Until more definitive information becomes available, we advise users to be careful about opening Office documents that they have been sent, particularly if they come from parties that have not sent you documents beforehand. The Microsoft bulletin also includes several workarounds and temporary fixes, including settings for users of the Enhanced Mitigation Experience Toolkit (EMET) utility.

     

    We recently observed a new ransomware variant, TorrentLocker, that was targeted at nearly 4,000 organizations and enterprises, many of which are located in Italy. TorrentLocker is similar to an earlier ransomware family (CryptoLocker): it also encrypts various files and forces users to pay a sum of money. TorrentLocker uses the Tor anonymity network to hide its network traffic, which may be the origin of its name.

    The said threat used spam email written in Italian with several templates as part of its social engineering tactics. Translated into English, these messages read:

    1. Your question has been asked on the forum {day}/{month}/{year} {time}. Detailed answer refer to the following address: {malicious link}
    2. He sent a bill that would have paid before {day}/{month}/{year}. Details found: {malicious link}
    3. Your request has been initiated to revise the payment {malicious link}

    Figure 1. Sample spam email

    All the messages contain a link that points to a .ZIP file. Decompressing the archive yields a file disguised as a .PDF document. PDF files are commonly passed around within organizations, and as such, employees who receive this spammed message may be tricked into thinking that it is legitimate.

    Figure 2. Screenshot of the linked archive file

    Some of the archive files have filenames such as Versamento.zip, Transazione.zip, Compenso.zip, or Saldo.zip. These file names translate to payment, transaction, compensation, and balance, respectively. However, instead of a PDF file, these archives actually contain a CryptoLocker variant detected by Trend Micro as TROJ_CRILOCK.YNG.

    Similar to other CryptoLocker variants, it encrypts a wide variety of file types including .DOTX, .DOCX, .DOC, .TXT, .PPT, .PPTX, and .XLSX, among others. All of these file types are associated with Microsoft Office products and are commonly used in enterprises in daily operations.

    In order to receive the decryptor tool that supposedly retrieves their crucial files, users need to pay the ransom in Bitcoin, a type of digital currency. One of the samples we found asked for a ransom of 1.375 BTC, which is worth around $500.

    Figures 3 and 4. Screenshots of ransomware (Click to enlarge)

    Italian users are the most affected by this particular spam run, as just over half of all spam messages identified with this spam run were sent to users in Italy. A quarter came from Brazil, with other countries accounting for the remainder. At its peak, several thousand users were affected per day.

    Figure 5. Distribution of TorrentLocker targets globally

    Figure 6. Number of affected targets per day

    We protect our users against this threat by blocking the different facets of this threat. In addition to blocking the various spam messages, we also block the malicious URLs and detect the malicious files used in this attack.

    The hashes of the files seen in this attack include:


    Additional information provided by Grant Chen

     



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice