TrendLabs Malware Blog - Trend Micro
    This is the third (and last) in a series of posts looking at the threats surrounding smart grids and smart meters. In the first post, we introduced smart meters, smart grids, and showed why these can pose risks. In the second post, we looked at the risks of attacks on smart meters.

    In this post, we’ll look at the risks when smart grids are attacked. Smart grids pertain to an electric grid with digital information/communication capabilities for recording information on both consumers and suppliers. What differentiates an attack on a smart grid from an attack on a smart meter? Simply put, scale: an attack on a smart grid affects many more users than an attack on an individual meter. The potential for damage is proportionately much more significant.

    However, this also means that the attack surface is different. Not only can the smart meters be attacked, but the servers at the utility that control the smart meters can also serve as an attack vector. However, these servers can also be defended with the tools used to defend against targeted attacks.

    Perhaps the most obvious smart grid attack scenario would be extortion. An attacker would take control of the smart grid in order to disrupt the provided services. The attacker might even choose to “update” the firmware on the devices, making the attack more difficult to completely mitigate. Either way, the goal of the attacker would be to cause disruption in the service in order to get money out of the local utility company or government. Alternately, the chaos itself may be the goal, either for political reasons or to distract local law enforcement from other crimes going on at the same time.

    One slightly more subtle attack against the smart grid would be a denial of service attack. How would the smart grid cope with corrupt data? This data can either be completely corrupt (incorrect format and content), or the corrupted data could have the correct format but incorrect or corrupt content. Either way, like buffer overflows in other pieces of software, vulnerabilities in servers may also pose a risk to the grid as a whole.

    Figure 1. Denial of service attack targeting an entire grid
    (A screenshot from our video highlighting attack scenarios)

    An attack with less dire consequences would be meter tampering. It is very possible for smart meters to be tampered with – in fact, it’s already happened in Malta. As all the reading is “electronic”, it’s trivially easy to modify the readings of the meters. Modify the reading too much and the discrepancy becomes too obvious, but a small modification might not raise eyebrows much.
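    The two kinds of bad input described above (data that is malformed, and data that is well-formed but cannot be right) map onto two validation layers at the utility's head end, and the second layer is also what flags the “small modification” tampering from the paragraph just above, since a register that drifts or jumps implausibly is caught the same way. The following is an added example, not code from the post: the reading format, field names, interval length and thresholds are assumptions chosen for illustration, and the batch of readings is constructed.

```python
"""Validation of incoming smart-meter readings at the utility head end.
Added example, not code from the original post; the record layout
(meter_id, ts, kwh_total, voltage) and all limits are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REQUIRED_FIELDS = {"meter_id": str, "ts": int, "kwh_total": (int, float), "voltage": (int, float)}
INTERVAL_SECONDS = 900            # assumed 15-minute reporting interval
MAX_KWH_PER_INTERVAL = 30.0       # assumed physical ceiling for one residential interval
VOLTAGE_RANGE = (200.0, 250.0)    # assumed nominal single-phase supply band


@dataclass
class MeterState:
    last_ts: int
    last_kwh: float


def parse_reading(raw: bytes) -> dict:
    """Layer 1: reject data that is corrupt in format (bad encoding, bad JSON, missing or mistyped fields)."""
    try:
        rec = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"malformed reading: {exc}") from None
    if not isinstance(rec, dict):
        raise ValueError("reading is not an object")
    for name, typ in REQUIRED_FIELDS.items():
        if name not in rec:
            raise ValueError(f"missing field {name}")
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(rec[name], bool) or not isinstance(rec[name], typ):
            raise ValueError(f"field {name} has wrong type")
    return rec


def check_plausibility(rec: dict, state: Optional[MeterState]) -> List[str]:
    """Layer 2: data that is well-formed but whose content cannot be right for this meter."""
    problems = []
    lo, hi = VOLTAGE_RANGE
    if not lo <= rec["voltage"] <= hi:
        problems.append("voltage outside supply band")
    if state is not None:
        if rec["ts"] <= state.last_ts:
            problems.append("timestamp not after previous reading")
        delta = rec["kwh_total"] - state.last_kwh
        if delta < 0:
            problems.append("cumulative register went backwards")
        else:
            intervals = max(1.0, (rec["ts"] - state.last_ts) / INTERVAL_SECONDS)
            if delta / intervals > MAX_KWH_PER_INTERVAL:
                problems.append("consumption rate exceeds physical ceiling")
    return problems


def ingest(raw_records, states: Optional[Dict[str, MeterState]] = None) -> Tuple[List[str], List[Tuple[object, str]]]:
    """Run both layers over a batch. Returns (accepted meter ids, rejected (item, reason) pairs)."""
    states = {} if states is None else states
    accepted, rejected = [], []
    for raw in raw_records:
        try:
            rec = parse_reading(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        problems = check_plausibility(rec, states.get(rec["meter_id"]))
        if problems:
            rejected.append((rec["meter_id"], "; ".join(problems)))
            continue
        states[rec["meter_id"]] = MeterState(rec["ts"], rec["kwh_total"])
        accepted.append(rec["meter_id"])
    return accepted, rejected


# Constructed sample batch: one meter reporting normally, then each failure class in turn.
SAMPLE_BATCH = [
    b'{"meter_id": "M-1001", "ts": 1405580400, "kwh_total": 12000.0, "voltage": 231.2}',
    b'{"meter_id": "M-1001", "ts": 1405581300, "kwh_total": 12002.5, "voltage": 230.8}',  # 2.5 kWh in 15 min
    b'\xff\xfe not json at all',                                                          # corrupt format
    b'{"meter_id": "M-1001", "ts": 1405582200, "kwh_total": 11990.0, "voltage": 230.9}',  # register went backwards
    b'{"meter_id": "M-1002", "ts": 1405582200, "kwh_total": 500.0, "voltage": 9999}',     # valid format, absurd content
    b'{"meter_id": "M-1001", "ts": 1405583100, "kwh_total": 12500.0, "voltage": 231.0}',  # 497.5 kWh in 30 min
]

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_BATCH)
    print("accepted:", ok)
    for item, reason in bad:
        print("rejected:", reason)
```

Note that a rejected reading does not advance the meter's stored state, so a single bad sample cannot poison the baseline that later readings are compared against.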

    We raise these scenarios not because we want to frighten people, but to raise awareness against them. It is possible to defend against these attacks – by designing the systems with security in mind, by ensuring that the appropriate custom defense solutions are in place, etcetera. However, these can only be put in place if people recognize that the threat does exist.

    You can read the previous blog posts on smart meters here:

     


    Like Swiss Emmental cheese, the ways your online banking accounts are protected might be full of holes. Banks have been trying to prevent crooks from accessing your online accounts for ages. Passwords, PINs, coordinate cards, TANs, session tokens – all of these were created to help prevent banking fraud. We recently came across a criminal operation that aims to defeat one of these tools: session tokens. Here’s how they pull it off.

    This criminal gang intends to target banks that use session tokens sent through SMS (i.e., text messaging). This is a two-factor authentication method that utilizes users’ phones as a secondary channel. Trying to log into the banking site should prompt the bank to send users an SMS with a number. Users need to enter that number along with their regular username and password in order to transact with the bank. By default, this is used by some banks in Austria, Sweden, Switzerland, and other European countries.

    Cybercriminals spam users from those countries with emails spoofing well-known online retailers. The users click a malicious link or attachment and get their computers infected with malware. So far, all this is fairly typical and from a threat perspective, a bit boring.

    But here’s where it gets interesting. The users’ computers don’t really get infected—not with the usual banking malware, anyway. The malware only changes the configuration of their computers and then removes itself. How’s that for an undetectable infection? The changes are small… but have big repercussions.

    Here’s how it works: the users’ computers’ DNS settings are changed to point to a foreign server controlled by the cybercriminals. The malware installs a rogue SSL root certificate in their systems so that the malicious HTTPS servers are trusted by default and they see no security warning.


    Figure 1. What happens in the 2-factor authentication process when the PC is infected in Operation Emmental
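    Because the dropper leaves no running malware behind, the two configuration changes described above are what a responder actually has to look for. The following is an added example, not code from the post or the white paper: a small triage routine that flags DNS resolvers outside the organisation's own ranges, root certificates that are not in the expected baseline, and a bank hostname whose local resolution differs from a known-good resolver. The host “snapshots” are constructed Python dicts standing in for what would be read from the machine; every address, fingerprint and hostname in them is a placeholder.

```python
"""Endpoint triage for the host changes described in the post: rogue DNS
settings and a rogue root certificate. Added example; inputs are constructed
snapshots, and all addresses, fingerprints and hostnames are placeholders.
"""
import ipaddress
from typing import Dict, Iterable, List

# Resolvers the organisation actually deploys (assumed values).
APPROVED_RESOLVERS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.1.53/32")]

# Root CAs expected in the machine store: fingerprint -> subject (constructed placeholders).
BASELINE_ROOT_FINGERPRINTS = {
    "SHA256:PLACEHOLDER-ROOT-1": "Example Public Root CA",
    "SHA256:PLACEHOLDER-ROOT-2": "Example Corporate Root CA",
}


def check_resolvers(configured: Iterable[str]) -> List[str]:
    """Flag any configured DNS server that is not one of ours."""
    findings = []
    for addr in configured:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in APPROVED_RESOLVERS):
            findings.append(f"unexpected DNS resolver {addr}")
    return findings


def check_root_store(installed: Dict[str, str]) -> List[str]:
    """installed maps fingerprint -> subject; any root not in the baseline is a finding."""
    return [f"unknown root CA '{subject}' ({fp})"
            for fp, subject in installed.items()
            if fp not in BASELINE_ROOT_FINGERPRINTS]


def check_resolution(hosts: Iterable[str], via_host: Dict[str, str],
                     via_reference: Dict[str, str]) -> List[str]:
    """Compare what the host's resolver returns with a known-good resolver's answer."""
    return [f"{h} resolves to {via_host.get(h)} locally but {via_reference.get(h)} via reference"
            for h in hosts if via_host.get(h) != via_reference.get(h)]


def audit_host(snapshot: dict) -> List[str]:
    """Run all three checks; an empty list means nothing suspicious was found."""
    return (check_resolvers(snapshot["dns_servers"])
            + check_root_store(snapshot["root_store"])
            + check_resolution(snapshot["watched_hosts"],
                               snapshot["host_lookups"],
                               snapshot["reference_lookups"]))


# Constructed snapshots; addresses use documentation ranges, not real infrastructure.
CLEAN_HOST = {
    "dns_servers": ["10.20.0.53"],
    "root_store": dict(BASELINE_ROOT_FINGERPRINTS),
    "watched_hosts": ["ebanking.example-bank.test"],
    "host_lookups": {"ebanking.example-bank.test": "198.51.100.10"},
    "reference_lookups": {"ebanking.example-bank.test": "198.51.100.10"},
}
COMPROMISED_HOST = {
    "dns_servers": ["203.0.113.7"],                                    # resolver replaced
    "root_store": {**BASELINE_ROOT_FINGERPRINTS,
                   "SHA256:PLACEHOLDER-ROGUE": "Fake Bank Root"},      # extra root added
    "watched_hosts": ["ebanking.example-bank.test"],
    "host_lookups": {"ebanking.example-bank.test": "203.0.113.20"},    # answer from rogue resolver
    "reference_lookups": {"ebanking.example-bank.test": "198.51.100.10"},
}

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN_HOST), ("compromised", COMPROMISED_HOST)):
        print(name, audit_host(snap) or "no findings")
```

On a Windows host the first two inputs come from the DNS client settings (for example `Get-DnsClientServerAddress`) and the `Cert:\LocalMachine\Root` store; the resolution cross-check needs a query sent to a resolver the responder trusts, not the one the host is configured with.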

    Now, when users with infected computers try to access the bank’s website, they are instead pointed to a malicious site that looks like that of their bank. So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.

    This malicious Android app is disguised as a session token generator of the bank. In reality, it will intercept SMS messages from the bank and forward them to a command-and-control (C&C) server or to another mobile phone number.  This means that the cybercriminal not only gets the victims’ online banking credentials through the phishing website, but also the session tokens needed to bank online as well. The criminals end up with full control of the victims’ bank accounts.

    How’s that for a big malware operation? Localized spam runs, nonpersistent malware, rogue DNS servers, phishing pages, Android malware, C&C servers, and the real back-end servers. You can’t say these criminals are lazy.

    The criminals behind this particular operation target Internet users in Switzerland, Austria, and Sweden. Just this May, they added Japanese Internet users to their list of potential victims. We were able to trace the operators back to online nicknames: -=FreeMan=- and Northwinds. These actors have been active since 2011. Back then, they spread off-the-shelf malware like SpyEye and Hermes. Looking at the binaries that were recently deployed, we think the actors made use of at least two different crypting services. One of these crypting services is run by an individual from Uzbekistan. We have not been able to identify the other crypting service.

    More information about this attack may be found in our Finding Holes: Operation Emmental white paper, where we discuss this technique in depth. SWITCH.CH, the CERT for Universities in Switzerland, also did research on Emmental and published their findings on their site.

     

    In our previous post, we looked at how smart meters were being introduced across multiple countries and regions, and why these devices pose security risks to their users.

    At its heart, a smart meter is simply… a computer. Like our existing computers – whether they are PCs, smartphones, tablets, or embedded devices – these smart meters communicate via well-understood technologies: cellular connectivity, power-line networking, or the user’s own Internet connection.

    With that in mind, we have to consider the possible threats – what could happen if a smart meter is compromised? Similarly, what are the problems that could result if the connectivity of a smart meter is disrupted? Let us see.

    Perhaps the most obvious risk is simple: meter tampering. If a smart meter can be hacked, inaccurate information can be sent back to the utility, allowing an attacker to adjust the reading and resulting in an inflated bill. Let’s say, for example, that you have an argument with your neighbor. In revenge, if he can access your smart meter, you might see a rather large electric bill.

    Figure 1. Hacking a neighbor’s smart meter
    (A screenshot from our video highlighting attack scenarios)

    Of course, the bill can also change in the opposite direction. Let’s say you’re engaged in certain activities that require high levels of electricity… altcoin mining, for example. The biggest running cost for such an operation would be the electric bill. The smart meter could be hacked to have a lower reading – or, perhaps, in a location with time-varying electric rates, to make it look like the electricity was used at off-peak times?

    What are some other threats at the local, “retail” level when it comes to smart meters? Crime gangs (with smarts) may well find uses for smart meters too. Power savings are frequently promoted as a benefit of smart meters. However, power consumption is also a good way of checking whether someone is at home or not.

    Let’s say that a vulnerability made it easy for somebody other than the homeowner or the utility to see what the power usage was. (It could be as easy as a poorly-designed API, mobile app, or website.) The smart meter would then essentially become a giant “please rob me” sign for properly equipped thieves.

    Alternately, if that smart meter can be controlled remotely, you now have an excellent way to carry out extortion. Such a nice house you have there, it’d be shame if anything bad happened to its power…

    The connectivity of the smart meters can also be a security risk. Some meters use the cellular network to provide the connection to the main servers of their utility. The utility would, of course, be paying for the bills of these meters. A truly determined person could abuse this “free” phone to make calls, send text messages, even connect to the Internet.

    Alternately, the smart meter may use the same Internet connection as the home. This represents a potential risk: if somebody was able to hack the smart meter from the outside, then that attacker would have access to the house’s internal network. This would put your own internal network at risk of attack; it would be as dangerous as letting anyone connect to your home network.

    None of the above attacks are inevitable. You can build defenses against all of them. However, it is inevitable that somewhere, somehow, the defenses will fail. These attacks are possible, and we will have to figure out how to defend against them, especially once smart meters become more prevalent.

    All of the attacks I discussed above are essentially small-scale, however. What happens when you look at the security of not just individual meters, but the smart grid as a whole? That’s what we will discuss in the third post in this three-part series on smart meters and smart grids.

    You can read parts 1 and 3 of this blog series here:

     

     

    Jul 18, 2:01 pm (UTC-7)

    A few months after the case of the missing Malaysia Airlines Flight 370, the world was shocked again by another tragedy: the crash of a Malaysia Airlines 777 (flight MH17) over Ukraine that killed nearly 300 passengers and crew members. As with past incidents, cybercriminals were quick to take advantage of the said tragedy, which occurred on July 17, 2014.

    During our investigation, just a few hours after Malaysia Airline tweeted at 23:36, July 17 “Malaysia Airlines has lost contact of MH17 from Amsterdam. The last known position was over Ukrainian airspace. More details to follow,” we came across some suspicious tweets written in Indonesian:

    Figures 1-3. Screenshots of tweets pointing to malicious domains

    It seems that the URLs are used in a kind of spam where the most talked-about topic/hashtag on Twitter is gathered so that it can be easily searched by users. Once users click, the URL’s hit count increases. The .TK URLs resolve to the following IPs:

    • 72[dot]8[dot]190[dot]126
    • 72[dot]8[dot]190[dot]39

    Based on our analysis, these two IPs are verified to be web hosting/shared IPs located in the US. The said IPs are mapped to multiple domains. Some of these domains are malicious, while others are legitimate domains hosting blogs. We surmise that this spam is for gaining hits/page views on their sites or ads.

    On the other hand, the malicious domains associated with these IPs are connected to a ZeuS variant detected as TSPY_ZBOT.VUH and to SALITY malware. ZeuS/ZBOT are known information stealers, while PE_SALITY is a malware family of file infectors that infect .SCR and .EXE files. Once systems are infected with this file infector, it can open them to other malware infections, thus compromising their security.

    Cybercriminals always ride the bandwagon of tragic news and incidents. In the past, we’ve seen several scams and threats that leveraged news of typhoon Haiyan, the Boston Marathon, and the 2011 tsunami/earthquake in Japan, among others. We expect that as soon as more details of the MH17 crash unfold, cybercriminals will launch other attacks that may possibly lead to personal information theft and system infection. Users are highly recommended to remain vigilant against threats that could leverage this news. Trend Micro protects users from such threats via its Smart Protection Network, which blocks all related malicious URLs and detects malicious files.

     With analysis from Jon Oliver,  Rhena Inocencio, Maersk Menrige, and Arabelle Ebora

    Update as of July 18, 2014, 4:05 P.M. PDT:

    The tweets in question used the hashtag #MH17 which was the top trending hashtag on Twitter yesterday.

    Update as of July 22, 2014, 12:29 P.M. PDT:

    We spotted a suspicious message on Facebook that also leverages the said tragic news. When unsuspecting users open the link, http://{BLOCKED}clip.com/MH17crash.php, it points to sites with scam ads or a free download of a video installer, which Trend Micro detects as ADW_BRANTALL. It also allows users to post the link on their Facebook even before they get to view the supposed video. Note, however, that this particular sample is not related to the ADW_BRANTALL that downloads MEVADE/SEFNIT as discussed in this paper. When users open this via mobile devices, it only redirects to an advertising site.

    Figure 4. Screenshot of the Facebook post that takes advantage of the MH17 news

    Figure 5. Screenshot of the page that users see when they access the URL

     

    As of posting, Trend Micro has already informed Facebook and they have suspended all related accounts.

     

    After introducing the “isolated heap” in the June security patch for Internet Explorer, Microsoft has once again introduced several improvements in the July patch for Internet Explorer. The most interesting and smart improvement is one which we will call “delay free.” This improvement is designed to mitigate Use After Free (UAF) vulnerability exploits by making sure Internet Explorer does not free an object’s heap space immediately when its reference count reaches zero.

    Take Internet Explorer 11, for example. We randomly selected the class CDivElement. Before the latest Microsoft patch, the class’s operator delete function deletes the object’s heap space immediately. The previous code was as follows:


    Figure 1. Previous code

    After the latest patch rollout, the code has been changed to the following:


    Figure 2. New code

    It calls the function MemoryProtection::CMemoryProtector::ProtectedFree, which is newly introduced in this patch. In the function, we can see that it saves the object address and length to an array which is a member of CMemoryProtector. The CMemoryProtector instance address is recorded in thread local storage. Thus, the object heap space doesn’t have to be freed immediately, and code that runs later in the same thread can still access the object heap space.

    When is the object space freed? It happens at two points:

    1. At the beginning of MSHTML!GlobalWndProc, it calls CMemoryProtector::ProtectCurrentThread. That function calls CMemoryProtector::ReclaimMemoryWithoutProtection to actually free all the items in the array saved in this thread’s local storage.

      Figure 3. Call Stack

    2. When an object is deleted and calls CMemoryProtector::ProtectedFree, and the total size of the objects being held for delayed freeing exceeds a threshold, the free process is started.

    How can the “delay free” mitigate UAF vulnerability exploits?

    A typical UAF exploit begins when an object’s heap space is freed. With the “delay free” improvement, attackers will find it difficult to find a moment at which to occupy the freed object space. As previously mentioned, the current free timing is located in MSHTML!GlobalWndProc. If attackers want to occupy the freed object space, they must do it after MSHTML!GlobalWndProc. This function is called when a window or application-defined message arrives. If attackers call alert in JavaScript, it will lead IE to call MSHTML!GlobalWndProc. After this, attackers can run heap spray code to occupy the object memory space. I explained the possible attack scenarios in my previous blog entry about the isolated heap.

    Will this attack succeed? No, it will not. This is because this call to MSHTML!GlobalWndProc will not really free the object space every time. From the code, we can see that before it frees the space, it will check the current stack location to prevent this condition. Internet Explorer makes sure the object space is freed after the JavaScript execution is over.
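    The sequence just described (deferred free, a reclaim point at the window procedure guarded by a check that script is not executing, and a second reclaim triggered by the pending total) is easier to follow as a small model. The following is an added example, not Microsoft's code: a toy allocator in which a freed slot is handed straight to the next same-sized allocation, wrapped by a protector that defers frees the way the post describes CMemoryProtector. The class and method names, the slab behaviour and the 4 KiB threshold are assumptions for illustration; the post names no threshold value.

```python
"""Model of the "delay free" behaviour described in the post. Added example,
not Microsoft's code; names, slab behaviour and the threshold are assumptions.
"""
from typing import Dict, List, Optional, Tuple


class ToyHeap:
    """Freed slots of a given size are reused immediately by the next allocation of that size."""

    def __init__(self) -> None:
        self.slots: Dict[int, Tuple[int, Optional[bytes]]] = {}  # addr -> (size, contents)
        self.free_lists: Dict[int, List[int]] = {}
        self.next_addr = 0x1000

    def alloc(self, size: int, contents: bytes) -> int:
        free = self.free_lists.get(size)
        if free:
            addr = free.pop()                      # reuse of a released same-size slot
        else:
            addr, self.next_addr = self.next_addr, self.next_addr + size
        self.slots[addr] = (size, contents)
        return addr

    def free(self, addr: int) -> None:
        size, _ = self.slots[addr]
        self.slots[addr] = (size, None)            # contents gone, slot available again
        self.free_lists.setdefault(size, []).append(addr)

    def read(self, addr: int) -> Optional[bytes]:
        """None once the slot has really been released."""
        return self.slots[addr][1]


class MemoryProtector:
    """Per-thread deferred-free list, modelled on CMemoryProtector as the post describes it."""
    RECLAIM_THRESHOLD = 4096  # assumed value

    def __init__(self, heap: ToyHeap) -> None:
        self.heap = heap
        self.pending: List[Tuple[int, int]] = []   # (addr, size): the array kept in thread local storage
        self.pending_bytes = 0
        self.script_depth = 0                      # > 0 while JavaScript is executing on this thread
        self.reclaims = 0

    def protected_free(self, addr: int) -> None:
        """operator delete -> ProtectedFree: record the block, do not release it yet."""
        size, _ = self.heap.slots[addr]
        self.pending.append((addr, size))
        self.pending_bytes += size
        if self.pending_bytes > self.RECLAIM_THRESHOLD:   # second trigger in the post
            self._reclaim()

    def protect_current_thread(self) -> None:
        """First trigger: entry of the window procedure, guarded by the stack check."""
        if self.script_depth == 0:
            self._reclaim()

    def _reclaim(self) -> None:
        """ReclaimMemoryWithoutProtection: really free everything recorded so far."""
        for addr, _ in self.pending:
            self.heap.free(addr)
        self.pending.clear()
        self.pending_bytes = 0
        self.reclaims += 1


def message_loop_demo() -> Dict[str, bool]:
    """Object deleted by script; a message arrives while script still runs; script ends."""
    heap = ToyHeap()
    mp = MemoryProtector(heap)
    div = heap.alloc(0x100, b"CDivElement")
    mp.script_depth += 1                           # script starts and drops the last reference
    mp.protected_free(div)
    intact_after_delete = heap.read(div) == b"CDivElement"
    mp.protect_current_thread()                    # a message is pumped mid-script: deferred
    still_deferred = heap.read(div) is not None
    other = heap.alloc(0x100, b"another object")
    slot_not_reused = other != div                 # slot is not on any free list yet
    mp.script_depth -= 1                           # script finishes
    mp.protect_current_thread()                    # next message: now really released
    released_after_script = heap.read(div) is None
    return {"intact_after_delete": intact_after_delete, "still_deferred": still_deferred,
            "slot_not_reused": slot_not_reused, "released_after_script": released_after_script}


def threshold_demo() -> int:
    """Enough pending bytes start the free process even while script is running."""
    heap = ToyHeap()
    mp = MemoryProtector(heap)
    mp.script_depth += 1
    for _ in range(17):                            # 17 * 256 bytes = 4352 > 4096
        mp.protected_free(heap.alloc(0x100, b"x"))
    return mp.reclaims


if __name__ == "__main__":
    print(message_loop_demo())
    print("reclaims triggered by threshold:", threshold_demo())
```

The model follows the post literally: only the window-procedure path carries the stack check, while the size threshold reclaims unconditionally, which is why the second demo reports a reclaim during script execution.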

    Google Chrome has an implementation that does memory protection to mitigate exploits. It divides the heap into several partitions, and each object is allocated in the corresponding partition. For example, DOM node objects are allocated in a specific partition and array buffer objects are allocated in another. This part can be taken as the counterpart of the “isolated heap.” However, there doesn’t seem to be a counterpart for “delay free.”

    While other types of vulnerability exploits (such as type confusion) aren’t addressed by this improvement, we are pleased to see the continuous efforts of Microsoft to address UAF exploits. This new improvement, coupled with the isolated heap, will make it more difficult for attackers to exploit UAF vulnerabilities.

     



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice