    In monitoring the ransomware TorrentLocker, we noticed a new development in its arrival vector. In previous entries, we noted that a particular wave of the crypto-ransomware was using spammed messages that were designed to evade spam filters. Our research now shows that the TorrentLocker malware is using emails that are designed to pass spam filters and also to collect information.

    Using SPF to DMARC

    Previous spammed messages were authorized by the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF provides a mechanism to allow receivers to check that incoming mail from a domain is being sent from a host authorized by that domain’s owner. The list of authorized IP addresses for a domain is published in the domain’s DNS records.

    The new TorrentLocker emails use Domain-based Message Authentication, Reporting and Conformance (DMARC), a policy and reporting layer built on top of SPF and DKIM. DMARC lets a domain owner tell receivers how to handle messages that fail authentication, and has receivers send reports back to the domain owner, allowing them to:

    • Collect statistics about messages using their domain from DMARC receivers
    • See how much of this traffic is passing/failing email authentication checks
    • Request that messages using their domain that fail authentication be quarantined or rejected
    • Receive data extracted from failed messages such as header information and URIs from the message body, if the receiver provides this service

    Using DMARC Reports

    The DMARC reports are intended for senders to gain “insight into the operation of your own infrastructure, those operated on your behalf by third parties, and the attacks on your domain or brand by bad actors.” Unfortunately, cybercriminals are using the same reports for gaining insights into the operation of their malicious schemes.

    One spam campaign was sent by  We noted that the SPF and DMARC record were as follows:

    ;; ANSWER SECTION:
        3600    IN      TXT     "v=spf1 ip4: a mx ~all"
        3600    IN      TXT     "v=DMARC1\; p=reject\;"

    It appears that the threat actors are collecting information from “rejected” emails, that is, emails that fail the SPF/DKIM acceptance checks performed by the receiver’s spam filters and are therefore rejected under the published p=reject policy.

    Note that each DMARC report contains information such as ISP information, mailbox provider name and contact details, IP addresses, SPF and DKIM authentication results.

    For cybercriminals, the information can be used as feedback for their spam runs. If a DMARC report is sent back to a domain owned by cybercriminals, they can check the number of spammed emails that passed SPF and DKIM. The report will indicate which ISPs have considered their emails “authenticated” and gives them the ability to refine future spam runs.
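    To make concrete what such a report hands back to whoever controls the sending domain, here is an added example (not code from the original post) that parses a constructed DMARC aggregate (RUA) report in the RFC 7489 XML layout and tallies, per source IP, how many messages the receiver saw pass SPF and DKIM and what disposition it applied. The reporter name, domain, IPs and counts are all made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the DMARC aggregate-report (RUA) XML layout of RFC 7489.
# Every value below (reporter, domain, IPs, counts, serials) is invented.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-mailbox-provider.test</org_name>
    <email>dmarc-reports@example-mailbox-provider.test</email>
    <report_id>1234567890</report_id>
  </report_metadata>
  <policy_published>
    <domain>sender.example</domain>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>sender.example</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>sender.example</header_from></identifiers>
  </record>
</feedback>
"""


def summarize_dmarc_report(xml_text):
    """Return (reporter, published_policy, per_ip) from an aggregate report.

    per_ip maps each source IP to totals: messages seen, how many passed DKIM,
    how many passed SPF, and the set of dispositions the receiver applied.
    This is exactly the feedback a sending-domain owner receives.
    """
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name")
    policy = root.findtext("policy_published/p")
    per_ip = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        entry = per_ip.setdefault(
            ip, {"count": 0, "dkim_pass": 0, "spf_pass": 0, "disposition": set()})
        entry["count"] += count
        entry["disposition"].add(ev.findtext("disposition"))
        if ev.findtext("dkim") == "pass":
            entry["dkim_pass"] += count
        if ev.findtext("spf") == "pass":
            entry["spf_pass"] += count
    return reporter, policy, per_ip


if __name__ == "__main__":
    reporter, policy, per_ip = summarize_dmarc_report(SAMPLE_REPORT)
    print(f"report from {reporter}, published policy p={policy}")
    for ip, e in per_ip.items():
        print(f"{ip}: {e['count']} msgs, DKIM pass {e['dkim_pass']}, "
              f"SPF pass {e['spf_pass']}, disposition {sorted(e['disposition'])}")
```

    Run against a real report, the same tally tells the domain owner which receivers accepted which sending hosts, which is the feedback loop the post describes.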

    A Persistent Presence

    Based on Smart Protection Network (SPN) data starting from November 2014, we find that Australia remains the top country affected by this malware, which we detect as the CRYPTED family.

    Figure 1. Top countries affected by TorrentLocker

    Using the number of detections in November 2014 as our baseline, we find that December experienced a noticeable spike. The number of detections dropped in January this year but soon rocketed in mid-February.

    Figure 2. TorrentLocker activity since November 2014

    Protection Against Spoofed Emails

    Techniques like this show that while spam filters can help weed out junk or malicious messages, they aren’t foolproof. Cybercriminals will always try to find ways to bypass or dodge filters or authentication methods.

    We advise users to remain cautious when dealing with legitimate-looking emails; they might be well-crafted spoofed emails. Avoid clicking links or opening attachments without confirming the email in question.

    With additional insight from Doug Otis.


    The recent Superfish incident has raised more concerns that SSL/TLS connections of users can be intercepted, inspected, and re-encrypted using a private root certificate installed on the user system. In effect, this is a man-in-the-middle (MITM) attack carried out within the user’s own system. We believe that site owners adopting extended validation (EV) certificates would help warn users about possible MITM attacks.

    Here’s how a MITM interception works:

    Figure 1. Man-in-the-middle attack

    MITM attacks are justified by their creators as providing benefits to users, either by scanning for viruses and malware in encrypted material or by displaying relevant advertising. Whether these benefits are valid is a separate debate, but certificate authorities like Trend Micro agree that secret MITM interceptions are not appropriate. These can invade the privacy of the user without express notice or consent, and they may also open attack vectors that attackers can use to gain access to the user’s information.

    MITM interception is frequently carried out within corporate networks to check incoming encrypted content for malware, web threats, and other potential risks. This is a legitimate security technique. However, in a corporate network the users (employees) are presumably aware that their internet usage can be monitored by their employer, and so they have effectively given consent.

    More significantly, the rules governing browser trusted root programs bar CAs from issuing unconstrained sub-CA certificates to corporate customers that could then be used in MITM interceptions to “mimic” the real certificates of websites (as Superfish did).  Use of such a sub-CA certificate from a commercial CA would mean the user could never know that their secure connections had been decrypted, viewed, and then re-encrypted. Corporate networks must provide their own self-signed certificates to perform MITM interception.

    Superfish and PrivDog were particularly troubling because they installed their own untrusted private root certificates in the client’s trusted root store, sometimes without the user’s explicit knowledge or informed consent. Once the certificate is in the trusted root store, future MITM interception will not generate any warnings about the certificate coming from an untrusted root, as the MITM certificate is now explicitly trusted.

    How can EV certificates help in this situation? Connections made with valid EV SSL certificates add information about the identity of the site, which is then shown to the user in a distinct “green bar”. Below is an example of how it is shown to the user in Mozilla Firefox (other browsers use similar displays):

    Figure 2. Browser loading an SSL site using an EV certificate

    The identity of the site owner is explicitly displayed here. In contrast, typical SSL connections show that the connection is encrypted but do not say anything about the site’s identity:

    Figure 3. Browser loading an SSL site without an EV certificate

    In addition, EV certificates include safeguards not used in other certificates such as Domain Validation (DV) and Organization Validation (OV) certificates. These safeguards will likely cause warning messages to be shown to users affected by MITM interception. These safeguards include:

    • An EV certificate will display some version of the “green bar” as well as the site’s owner. This only occurs because the EV certificate includes a unique EV Object Identifier (OID) that is linked to the specific CA and trusted root that issued the EV certificates. This is hardcoded into the browser itself.
      A MITM interception can copy the EV OID from the real certificate and insert it into the fake certificate, but the EV OID won’t match the issuing CA identity of the untrusted certificate (the MITM interceptor).  The fake EV certificate will not display the “green bar” to the user and may even display an issuer mismatch warning.  If a user visiting his or her normal banking website notices that the “green bar” is gone, that serves as a warning that their “secure” connection may not be as secure as they’d think, putting their information at risk.
    • The fake MITM certificates will not include required certificate revocation checking information, such as an OCSP or CRL pointer. (Including this information will likely result in a “no such certificate” warning being shown to users.) Some browsers no longer check for certificate revocation on DV and OV certificates. However, all browsers check for revoked EV certificates by using the certificate’s OCSP and CRL pointer information. This check must return with a positive result (“found but not revoked”) before the “green bar” is shown to the user, verifying that an EV certificate is in use. This is another reason that a MITM attack will result in the absence of the EV information.
    • Stringent regulations and audit requirements enforced on legitimate commercial CAs by browser vendors prevent CAs from issuing MITM-capable EV certificates to customers. A CA that did so would face removal of its certificates from browser stores, which is essentially a death sentence for its business.

    EV certificates cannot prevent a MITM interception from taking place, but they do provide users with a clear indicator that something unusual is happening: the sudden lack of the EV information would be a clear sign. Websites that adopt EV certificates would be able to provide their users with peace of mind in two ways: by verifying the identity of the site they are visiting, and by identifying whether or not MITM interception is taking place.
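    The two safeguards above (the EV OID being bound to one specific trusted root, and the mandatory positive revocation answer) can be modelled as a small decision routine. The following is an added, simplified model written for this post, not browser or Trend Micro code; the chains, root names, serial numbers and OCSP responder are constructed, and the real EV policy OID 2.23.140.1.1 is paired with an invented root name.

```python
# Simplified model of the browser-side EV decision described above. Added example;
# not browser code. Everything except the EV policy OID itself is constructed.

# Hypothetical hardcoded table, as browsers ship one: EV policy OID -> the one
# trusted root allowed to anchor a chain carrying that OID. Root name is invented.
EV_OID_TO_ROOT = {
    "2.23.140.1.1": "Example Commercial CA EV Root",
}


def ev_status(chain, ocsp_lookup):
    """Decide whether the EV indicator ("green bar") may be shown.

    chain: list of dicts, leaf first, root last; leaf carries 'policy_oids',
           'ocsp_url' and 'serial', every entry carries 'subject' and 'issuer'.
    ocsp_lookup: callable(url, serial) -> 'good' | 'revoked' | 'unknown'.
    Returns (show_green_bar, reason).
    """
    leaf, root = chain[0], chain[-1]
    ev_oids = [o for o in leaf.get("policy_oids", []) if o in EV_OID_TO_ROOT]
    if not ev_oids:
        return False, "no EV policy OID"
    # Safeguard 1: the OID is bound to a specific root. A copied OID under a
    # locally installed interception root does not match and EV is withheld.
    if EV_OID_TO_ROOT[ev_oids[0]] != root["subject"]:
        return False, f"EV OID {ev_oids[0]} is not bound to root {root['subject']!r}"
    # Safeguard 2: EV needs a revocation pointer and a positive "good" answer.
    if not leaf.get("ocsp_url"):
        return False, "no OCSP/CRL pointer on leaf"
    status = ocsp_lookup(leaf["ocsp_url"], leaf["serial"])
    if status != "good":
        return False, f"revocation check returned {status!r}"
    return True, "EV verified"


def fake_ocsp(url, serial):
    # Constructed responder: only the genuine leaf's serial is known to it.
    return "good" if (url, serial) == ("http://ocsp.example-ca.test", "1001") else "unknown"


# Constructed genuine chain: leaf issued by the root the EV OID is bound to.
GENUINE_CHAIN = [
    {"subject": "bank.example", "issuer": "Example Commercial CA EV Root",
     "policy_oids": ["2.23.140.1.1"], "ocsp_url": "http://ocsp.example-ca.test",
     "serial": "1001"},
    {"subject": "Example Commercial CA EV Root", "issuer": "Example Commercial CA EV Root"},
]

# Constructed interception chain: leaf re-issued under a locally installed root,
# with the EV OID copied from the real certificate and no revocation pointer.
INTERCEPTED_CHAIN = [
    {"subject": "bank.example", "issuer": "Local Interception Root",
     "policy_oids": ["2.23.140.1.1"], "ocsp_url": "", "serial": "7"},
    {"subject": "Local Interception Root", "issuer": "Local Interception Root"},
]

if __name__ == "__main__":
    print("genuine:    ", ev_status(GENUINE_CHAIN, fake_ocsp))
    print("intercepted:", ev_status(INTERCEPTED_CHAIN, fake_ocsp))
```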

    If your enterprise would like to use or expand the use of your EV certificates, contact us about how we can help you expand your use of EV SSL through Trend Micro’s unlimited SSL licensing model.

    Chris Bailey is general manager for Trend Micro SSL Certificates. Previously Bailey served as the CEO and co-founder of certification authority AffirmTrust, which was acquired by Trend Micro in 2011, and as co-founder and CTO of GeoTrust, a major world Certification Authority acquired by VeriSign in 2006.


    The malware UPATRE gained much prominence following the demise of the Blackhole Exploit Kit. It has since been known as one of the top malware families seen attached to spammed messages and continued to be so all throughout 2014, with particularly high numbers seen in the fourth quarter of the year. We have released our annual roundup, where we talked about the different trends related to spam, and this entry offers a closer look.

    Looking back at 2014: Notable Spam Trends

    Based on our backend honeypot data for 2014, UPATRE stood out as the most prevalent threat that arrives via spammed messages. UPATRE is commonly distributed by the Cutwail botnet, which has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.

    2014 also saw a significant rise in spammed emails with attached Microsoft Word documents that come with malicious macro codes that eventually lead to downloading various information stealing malware like VAWTRAK, DRIDEX, and ROVNIX malware. One example is the DRIDEX chain of infections seen in Q4 of 2014, in which we observed an uptick in spammed emails that lead to malicious .DOC and .XLS files that carry the malware.

    Yearly Spam Volume

    Figure 1. Year on year growth trend of spam
    Source: Honeypot data

    Results from our honeypot data show around 1.9 billion spammed emails in 2014, a slight rise from 2013 (1.6 billion). While this in no way represents the entire spam landscape, it does give us an idea of the overall trends when it comes to spam. It also matches the trends from Trend Micro messaging products in our annual roundup. Note that the spam spike in 2011 can be attributed to a rise in .ZIP file attachments in spammed emails that led to the malware BREDOLAB.

    Spammed Messages Carrying UPATRE

    While much bulk mail merely sells pharmaceutical drugs or advertises replica watches, a certain percentage of spam carries malware. We will refer to these messages as “mal-spam” in the rest of this entry.

    Similar to our 1H blog post on spam trends, UPATRE takes the lead as the top malware distributed via spam, followed by TSPY_ZBOT and BKDR_KULUOZ. In our 1H 2014 post, we wrote that the number of spam campaigns related to UPATRE went down in June due to the Gameover takedown that same month. Come July we observed a gradual increase, which can be attributed to the use of the Cutwail botnet.

    Our honeypot data shows that UPATRE made up almost 30% of all mal-spam seen in 2014.

    Figure 2. Top 10 malware from spam mails seen in 2014
    Source: Honeypot data

    Figure 3. TROJ_UPATRE vs. total mal-spam seen in 2014
    Source: Honeypot data

    The overall mal-spam decline toward the end of the year (Figure 3) can be attributed to the continuous decline of UPATRE spam samples seen in Q4, when UPATRE spreading via attachments drastically declined. Despite this decline in Q4, it still remains the most distributed malware via spam in 2014. Here’s a rundown of the blog entries we wrote in 2014 that talk about UPATRE attached to spam.

    Top Social Engineering Lures of 2014

    Social engineering plays a vital role in carrying out spam attacks. We found that the holidays and any type of breaking news are still effective ways to carry out social engineering attacks in spam. Here are some notable social engineering lures we wrote about in 2014, whose topics range from celebrity deaths to popular sporting events.

    Mixing Old and New Spam Techniques in 2014

    Spammers have blended, and will continue to blend, old techniques with new ones in order to avoid detection and successfully victimize users. Some new techniques we’ve noted in 2014 include spam attached to spam, which is similar to backscatter email.

    The blending of spam techniques is seen mostly in commercial spam. For instance, newborn (newly registered) domain spam often uses the word salad technique mixed with invisible ink, character padding and newly registered domains.

    With the prevalence of UPATRE and malicious macro downloaders on the rise, we can predict that spammed emails that carry these types of malware may soon bear more complex techniques. The social engineering aspect in spam, for one, is starting to veer away from social networking spam (Facebook and Twitter notifications) and instead uses templates that mimic known couriers and banks.

    More in-depth information about the spam that dominated the threat landscape in 2014 can be found in our upcoming report, TrendLabs 2014 Annual Security Roundup – Magnified Losses Amplified Need for Cyber-attack Preparedness.


    Last week, we released a research paper titled “Operation Arid Viper: Bypassing the Iron Dome” where we detailed two related campaigns. To recall, here are our key findings related to the two campaigns:

    • Palestinian threat actors have staged a targeted attack, Operation Arid Viper, to exfiltrate data from high-profile targets in the Israeli government and have been doing so since mid-2013. The attacks are still on-going, coinciding with the political tension between Israel and Palestinians.
    • Investigation of the Germany-hosted server used in Arid Viper revealed a group of Egyptian hackers (Advtravel) that have less technical knowhow and are attacking other Egyptians in less purposeful attacks.
    • Both groups have strong Arab ties, and the same server and site registration details suggest the existence of a supra-organization, a forum or an influential sponsor could be providing various hacking groups with the means to pursue their ends.

    Since the report was released, we have continued our investigation and have a number of updates:

    • None of the C&C domains have moved to other hosting providers or had other major changes since the publishing of our report. Although we have not seen newly compiled samples being spread, we have seen two recent attempted infections with existing binaries from Arid Viper on the 15th and 19th of February against targets in Israel and Kuwait respectively. For reference, our paper went public on the 16th.
    • Interestingly, a number of the people linked to the C&C servers in the paper have made changes to their public profiles since the paper went live. To date none of these individuals have contacted us to dispute the details we outlined in the paper:
      • The Facebook account we mentioned in the paper for Fathy Mostafa is now no longer active.
      • Quite a number of the accounts we related to Ebrahim Said El-Sharawy (aka Dev_Hima) have been modified or removed.  Upon inspection today, his accounts on Blogspot, Facebook, Twitter, and are no longer active. His main webpage ( which had hosted two questionable tools we outlined in the report has been changed to remove all of that content and has been replaced with the words “Closed by DevHima”:


      • Some of his other accounts such as his LinkedIn, SoundHound, and YouTube (which is hard to remove without deleting your personal Gmail account) are still live at the time of writing.
    • After further investigation, we now believe that the email used to register the C&C pstcmedia[dot]com actually belongs to the Web hosting provider that registered this domain on a client’s behalf, and not to an individual involved in the campaign itself. We have updated our paper to remove reference to Mr. Samraa, with the exception that the email address was used to register this site.

    Trend Micro will continue to research more on these campaigns over the coming months and post updates as we find them.


    2014 was a year where cybercriminal attacks crippled both likely and unlikely targets. A year rife with destructive attacks, 2014 proved to be a difficult one for individuals and companies who were victimized by these threats.

    Massive data breach disclosures came one after another in 2014 in much more rapid succession than past years. The Sony Pictures breach in December, along with the other big breaches of the year illustrated the wide spectrum of losses that can hit a company that has failed to secure its network.

    Point-of-sale (PoS) RAM scrapers were almost a cybercrime staple in 2014, as several high-profile targets lost millions of customer data to attackers. The Ponemon Institute reports a significant increase in the cost of stolen records in 2014 from the previous year, which shows that using PoS RAM scrapers to target retailers is a thriving business. For the entire 2014 we observed that most PoS malware hit retailers in the United States, followed by Canada and the United Kingdom.

    Software and platforms previously considered secure proved otherwise in 2014; this was made evident by the high-profile vulnerabilities Heartbleed and Shellshock that affected Linux systems. Security holes were also found in various commercial software like Windows®, Adobe®, and Java™ all throughout the year.

    Figure 1. Timeline of Major Zero-Day Vulnerabilities in 2014

    Online banking threats remained a major problem last year. Operation Emmental added to this growing problem and proved that two-factor authentication was no longer enough to secure sensitive transactions. According to data from the Trend Micro™ Smart Protection Network™, we observed around 145,000 computers infected by online banking malware by the tail end of 2014. Mobile users were also hit by online banking threats, with as many as 2,069 mobile banking/financial malware samples seen in 3Q alone.


    Ransomware made the headlines early in the year with CTB-Locker infections, but we’ve been seeing ransomware victimize users all throughout 2014. While traditional ransomware like REVETON and RANSOM dominated 2013 with a 97% share, crypto-ransomware took the stage in 2014, as its share increased 27.35%.

    Threat actors and cybercriminal economies continued to thrive last year. With Operation Pawn Storm, threat actors used next-level spear-phishing tactics to obtain the email credentials of primarily military, embassy, and defense contractor personnel from the United States and its allies.

    2014 also saw campaigns like Regin target victims in Belgium and Plead in Taiwan.

    As cybercrime becomes more attractive to the unscrupulous and as targeted attack campaigns become much easier to mount, the pressure to reassess the breadth and quality of cybersecurity investments must only intensify.

    For more details about these and other security threats in 2014, check our security roundup titled Magnified Losses, Amplified Need for Cyber-Attack Preparedness.
