Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2014
    S M T W T F S
    « Jul    
  • About Us

    In an earlier article, we talked about the ongoing smartification of the home – the natural tendency of households to accumulate more intelligent devices over time. While this has its benefits, the residents of smart homes also need to invest their time and energy to maintain these devices. These requirements will only grow as more and more devices are added to the homes of the ordinary consumer.

    Managing a household full of smart devices calls for the skills of both a multi-user IT administrator and a handyman. Let’s call this role the Administrator of Things (AoT). Ordinary users are being asked to take on this role despite scant evidence that they are ready for it.

    This emerging role is something that should be looked into, as how well people can actually perform it has a huge impact on their daily lives, which includes the security of their household. The degree of work that is required by this role is dependent on factors, which include:

    • The number of smart devices in the household
    • How well these devices are able to operate autonomously
    • How secure these devices are
    • Whether these devices use consumables, such as batteries
    • How many family members use these devices
    • How often they are updated by the manufacturer
    • How often they are attacked – physically or virtually

    Consider the previous staple of home computing: the PC. It is an impressively powerful and capable machine, but it’s also a very complex one. How many of us have relatives or friends with computers that are old and full of insecure software? I’d bet we all know someone like that.

    Think of the last time you had to fix a smart device in your household – for instance, your router or IP camera. Consider: how did you find what the problem was, what the solution was, and how long the fix took. If we considered this as a job, the listing for it would look something like this:

    Role Summary

    Implement and maintain the ongoing deployment and operation of intelligent devices (IoT devices) within the household. Required to be on-call 24 hours a day, seven days a week.

    Qualifications Desired

    • Administrative knowledge of smart devices and appliances, including:
      • Security and monitoring devices – security and baby monitoring cameras, smart locks
      • Smart hubs – including smart hubs, and connected peripherals
      • Appliances – including smart fridges/washers/dryers
      • Wearables – including fitness monitors and smart glasses
      • Security sensors – including smoke detectors/CO2 sensors/thermostats
      • Smart AV equipment – including surround sound receivers, game consoles, smart TVs, smart speakers, smart radios
      • Automotive – including smart cars, and connected peripherals
      • Traditional devices – including PCs/notebooks/tablets/readers/smartphones
    • Knowledge of “convenience cases” – typical and emerging use cases for the deployment of smart devices in the household for increased convenience and security


    • Ensure that smart devices are secure – (ex: Username/password)
    • Regularly change smart device access credentials
    • Check/replace batteries in devices and sensors
    • Diagnose and Resolve device operational issues
    • Monitor device manufacturer notifications (ex: web sites, feeds, e-mail, devices) for notifications of device operational issues and firmware updates
    • Perform firmware updates, as required to ensure continued device security and operation
    • Perform device management app updates on smart phones/tablets of family members
    • Reconfigure existing devices to grant additional access by other family members
    • Identify new household convenience scenarios and configure/test devices accordingly
    • Assist other members of the household with smart device related issues

    Figure 1. Solution loop for smart devices

    This eye-opening array of responsibilities would be a significant challenge for the average non-techie user. One can imagine increased business opportunities for traditional support services like Geek Squad, Staples, QuickFix, and others who are willing to expand into supporting smart devices deployed in the household. It’s less of a stretch than you’d think – for example, many of these services will calibrate the high-definition TV that you bought from them or their parent company.


    As a result of smartification, there will be an increased administrative burden of maintaining smart devices within the household over time. This will put more pressure on members of the household whose current mindset might be locked into performing these tasks themselves. These trends will likely result in (amongst other things) expanded commercial opportunities for home smart device technical deployment and support services.

    If you’re already cringing at the thought of all of this, I have some good news: eventually, things will get better. The companies that make and design smart devices will learn how to create devices that are both secure and easy to use. Even today, some devices already do a good job of balancing these requirements while others…. don’t. If a smart device is built with security in mind, it will make the life of the person who has to maintain it much easier.

    We’ve created an Internet of Everything buyers guide entitled What to Consider When Buying a Smart Device. This guide discusses the things you need to know, from a security perspective, about buying smart devices. Doing your homework now may save you much grief down the road.

    For more information on security risks and how to secure smart devices, visit our Internet of Everything hub which contains materials that talk about this emerging field.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    With the ostensibly harmless nature of adware, we are constantly tricked into believing that they are nothing but online nuisances. But underneath, they are marketing-engineered software that could potentially carry malicious programs to target your browsing behavior and spy on your other online activities.

    What is adware and why does it exist?

    Upfront, adware are just annoying ads that pop up every now and then. They come in an assortment of freeware such as toolbars and plugins, icons, wallpapers, advanced search engines, and other lifestyle widgets and work in conjunction with these software and other programs to spy, collect data, and integrate itself into your web browser. While online ads originally exist on the context of yielding revenue based on impressions (frequency of visits on ads), adware could harm your online privacy and security. Most adware companies operate on the fringe of ethical practices and use underhanded tactics to ensure customer loyalty.

    How does adware affect your computer?

    Because adware covertly piggybacks on the freeware you download, you don’t know that your system is running adware when you begin to install these free programs. Adware can have various routines such as bombarding you with pop-up ads, leading you to harmful or fake websites, offering bogus adware removal or antivirus software or gaining full access to your computer. Adware could run in the background of your programs and as well of your computer, causing your network to slow down and become unstable. It spies on your browsing behavior and gathers private information about you to be sold to third parties or other cybercriminals. Adware could hijack clicks without your knowledge or without having to run the freeware you downloaded, prompting your computer to become unbearably slow and unstable. Additionally, adware also mines bitcoins which results in unexpected high electric consumption. Bitcoin mining gives remote attackers illegal commission from processing transactions, making you an indirect tool of cybercrime.

    Top 3 Adware, 2Q 2014

    This quarter, we’ve collated the top 3 adware that have been around and active for years based on the large portion of the total number of combined adware and malware.


    This adware is downloaded from the Internet and can arrive as a file is dropped. It is used to boost marketing revenues by       means of black hat SEO. This potentially unwanted program exhibits plenty of malicious traits and generally interferes with user experience. Cybercriminals can remotely access the user’s computer via malware and exploit systems vulnerabilities.


    ADW_OPENCANDY can be acquired from the Internet and downloaded by the user. It executes dropped files, thus allowing malicious routines of the dropped files to run.


    Just like ADW_INSTALLCORE, this adware can be downloaded from the Internet or could arrive via dropped malware. Like most adware, ADW_DOWNWARE is furtively bundled with malware or grayware packages and is manually installed by the user. It uses the Windows Task Scheduler to execute the dropped file. This adware deletes the initially executed copy of itself and does not exhibit propagation routines.

    How can you protect yourself against adware?

    Think twice before immediately downloading and installing any software, particularly freeware. Read everything rigorously before digitally signing up or agreeing to terms and conditions to prevent the download of adware. Make sure to routinely check up your computer and regularly scan your systems. Take basic preventive measures like using a security solution software that will enable constantly updated protection.

    For more information on how to secure your system against the risks that adware may pose, watch our video below:

    You can also watch the first part of the Cybercrime series, which tackles the security risks of phishing.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    A recent report published by Amtrak’s Office of the Inspector General revealed that an employee of the passenger rail company had been selling passenger data for two decades. The buyer of this data was none other than the Drug Enforcement Agency, which paid the employee $854,460 over the period. Iowa’s senior senator, Check Grassley, sent a letter to the DEA raising serious concerns over the incident.

    The most significant part of this security breach is the fact that this former employee was able to sell personally identifiable information of Amtrak passengers since 1995. In other words, this misconduct was being carried out without being noticed by even a single person for two decades. Through this unauthorized sale of customer data, the employee received $854,460 in total from DEA.

    The DEA was supposed to be able to receive the customer data in question upon request, and for free, via a joint taskforce that included both Amtrak and the DEA. In short, the American taxpayers paid for information that they should have received free. After the incident came to light, instead of being punished, this employee chose to retire.

    How the security breach was identified in the first place is not included in the OIG report. Considering the fact that one employee was able to carry out a series of misconduct for such a long time, serious questions need to be asked – what kind of internal control and audit were in place? What kinds of security measures were implemented to prevent such breach?

    Survey: One in five respondents were breached from the inside

    Whether caused by cyber attacks or malicious employees, data breach continues to make headlines worldwide. A Trend Micro survey that was carried out in March 2014 among 1,175 Japanese IT security professionals and decision makers revealed that 233 or 19.8% of them experienced data breaches from internal systems in 2013. In other words, one in five respondents were breached from the inside.

    A total of 778 respondents (almost two-thirds of those surveyed) confirmed that they had experienced security breach of some kind. 28 respondents (3.6%) added that the stolen data that had been used or manipulated elsewhere. These statistics only represent security breaches among businesses in Japan, but it is likely that statistics might be more or less similar elsewhere, even if not the same. Data breach is no longer “someone else’s problem”.

    Organization-wide efforts needed

    We are used to talking about data breaches being caused by cybercriminals or accidents by employees. However, this incident –together with recent data breach done by contractor using smartphones in Japan– highlights how significant the threat can be from malicious insiders.

    Organizations need to invest their efforts into developing security policies and guidelines, and making these understood to their employees. Staff training and awareness efforts can also help in the fight against data breach. These efforts should also be aimed at discouraging employees from even thinking about compromising their company’s data.

    When it comes to targeted attacks, the assumption must be that breaches will happen. Businesses now need to realize and invest in security based upon the assumption that insider threats will happen.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Targeted attacks are designed to circumvent existing policies and solutions within the target network, thus making their detection a big challenge. As we’ve stressed in our previous entry about common misconceptions about targeted attacks, there is no one-size-fits-all solution against it; enterprises need to arm themselves with protection that can provide sensors where needed, as well as IT personnel equipped enough to recognize anomalies within the network and to act accordingly.

    In order to detect anomalies, however, IT administrators will need to know first what to look out for. Since attacks are commonly designed to leave little to no tracks at all, it is important to know where possible indicators of a compromise can be found. In this post, we will list what parts of the network IT administrators need to closely monitor for any signs of a breach.

    Check for Injected DNS Records

    Attackers often tamper with DNS records in order to make sure that connections to their C&Cs are not blocked. IT admins can check for the following signs for records that might have been injected by attackers:

    1. Unknown domains “parked” into IPs like,,,,, and These IPs are typically used by attackers as placeholders for C&Cs that are not yet being used
    2. Unknown domains that were registered very recently, say 3 days ago (can be determined by using whois)
    3. Domains that appear to consist of random characters (examples:, or
    4. Domains that appear to imitate known entities (examples: microsoft-dot .com or

    Audit Accounts for Failed/Irregular Logins

    Once an attacker is able to establish its presence in a network and its communication with the C&C, the next step is often to move laterally within the network. . Attackers can seek out the Active Directory, mail or file server and access them via an exploit using a server vulnerability. However, since admins will have patched and secured important servers against vulnerabilities, attackers can try to brute force administrator accounts. For IT admins, the login record is the best reference for any attempts to do this. Checking for failed login attempts, as well as successful ones made at irregular time periods can reveal attackers’ attempts to move within the network.

    Study Warnings from Security Solutions

    Sometimes, security solutions will flag seemingly non-malicious tools as suspect and users will ignore the warnings since the file may either be familiar to the user or not harmful. However, time and again, we encounter situations where the warning meant that there is an attacker in the network. Attackers may either be using ill-designed hacker tools or sometimes legitimate administrative tools like PsExec or others from the Sysinternals Suite to perform diagnostics on the system or network. Some security solutions will flag these non-malicious tools if these are not preinstalled in the user computer. The IT admin must ask why the user is using this tool and if there is no good reason, the IT admin may have stumbled upon the attacker’s lateral movement.

    Check for Strange Large Files

    Unknown large files found in a system need to be checked as it may contain data stolen from within the network. Attackers often store these files in their targets’ systems prior to exfiltration, often hiding them through “normal-looking” file names and file types. IT administrators may be able to check for these through file management software.

    Audit Network Log for Abnormal Connections

    Consistently auditing the network monitoring logs is critical as it can help identify anomalies in the connections within the network. For this, it would require the IT administrators to be fully knowledgeable of the network and the activities that happen within it at any given time. It is only through having awareness of the network’s “normal” can possible anomalies be identified. For example, network activity found happening within what should be idle hours can be a sign of an attack.

     Abnormal Protocols

    In relation to abnormal connections, IT administrators also need to check for the protocols used in these connections, especially for those coming from inside the network. Attackers often choose the protocol they use based on what is allowed in the network, so it is important to inspect the connections even when they are using normal protocols.

    For instance, we have seen attackers use https (port 443) protocol to connect to the outside, but when we inspected the content, it only contains http data. IT admins will not bother to inspect https connections because they always assume they are encrypted.

    Increased Email Activity

    IT administrators can check the mail logs to see if there are strange spikes for individual users.  Abnormal peaks in email activity should be investigated as that user might be in the midst of a targeted spear-phishing attack. Sometimes, if the attacker does research, the attacker may know that an employee will be going to an important meeting and will send spear phishing emails as early as 3 months before the meeting. This is another clue.

    Reading through this list now, I am pretty sure IT administrators are thinking that they have a tough job ahead of them. I won’t disagree; guarding a network against targeted attacks is a tall order. In the past we talked about ways how organizations can ensure that their IT personnel are empowered enough to do this, and I fully recommend the said steps. The cost of preparing for an attack can easily be overshadowed by the cost of mitigating one, so it is critical that IT administrators — the company’s first line of defense — are fully-equipped.


    Traditional AV blacklisting is no longer enough to secure enterprise network against targeted attacks. In order to mitigate the risks pose by this security threat, enterprises need to implement Custom Defense—a security solution that uses advanced threat detection technology and shared indicator of compromise (IoC) intelligence to detect, analyze, and respond to attacks that are invisible to standard security products.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Sartorial decisions and technology are often considered two separate, distinct items. However, the surge of wearable “smart” devices has blurred the line between the two. Nowadays, it is common to see people accessorized in pieces of equipment that complement their day-to-day activities.

    Some might assume that wearable smart devices are complicated futuristic gadgets. However, they might be surprised to find that a lot of people now own one or two of these devices; smartwatches and fitness trackers are prime examples these..

    According to Senior Threat Researcher David Sancho, wearable devices can be classified under three categories, depending on how they deal with data.

    • “IN” devices – These capture user data via sensors. Fitness trackers are a good example. These capture the number of steps a user has undertaken, distance walked, calorie intake, heartbeat, GPS coordinates, etc. These devices usually store the information locally in the device and synchronize with mobile devices or computers.
    • “OUT” devices – These display data from other gadgets, often from mobile devices. Smartwatches are an example, with their capacity to display texts and other application data.
    •  “IN and OUT” devices – These capture data and use filters to display information in different manners. Display devices, such as Google Glass, are not only capable of capturing data, but they also feed the data to the user by means of retina projection. Simpler devices can also become “IN and OUT” devices by gathering user data (steps, distance, etc.) and by streaming it from their companion mobile phone.

    According to a study, 82% of wearable tech users believe that their quality of living significantly improved with the use of smart devices. And yet, wearable devices can also be a bane. Past examples show that the “smarter” a device has become, the greater the opportunities cybercriminals have on their hands.

    For example, if bad guys manage to compromise the hardware or network protocol of a wearable device, they would gain access to the data stored there and have control of the content being displayed by “OUT” devices. Attackers can also access the user accounts associated with the devices and can abuse the data gathered there.

    Wearables also bring in the issue of privacy and permission. For example, you might not think too much of your smart glasses recording your everyday commute, but the people you run into might find that feature too intrusive. (This scenario might be one of the reasons Google published a Glass etiquette guide that includes the rule, “Ask for permission.”)

    Just like any form of technology, wearables can bring about improvement and enjoyment. However, having wearables doesn’t just mean knowing how to use them; it also means knowing how to secure them. Users should know the ins and outs of their devices, considering most wearable devices are some form of “IN and OUT” devices. Learn more about wearable smart devices in our infographic, The Ins and Outs of Wearable Devices.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice