    The year so far has been a particularly stressful one for enterprise IT staff. Early in the year, concerns over data breaches and point-of-sale (POS) malware gave retailers something to worry about.

    The long-simmering headache of Windows XP migration came to a head when support for the venerable OS ended in April. That would normally have been the security headline of the month, but a vulnerability in OpenSSL known as Heartbleed reared its less than welcome head.

    All in all, then, IT security personnel can be excused if they are tired and a bit weary of patching holes as they appear. Hopefully these teams are able to recover properly from such stressful periods, because the importance of trained and empowered security personnel cannot be overstated.

    While the role of technical solutions gets more attention (and, frequently, funding), these solutions are worthless without trained personnel that know how to use them. Dealing with today’s attack environment is not just about using more sophisticated tools; it is also about trained IT security people making decisions, with the best information provided by their tools as well as threat intelligence at their disposal.

    Unfortunately, in many organizations these teams get short shrift and are viewed as nothing more than a cost center. That view holds only until a major breach or other security failure happens, which ends up costing the organization far more than the team ever did.

    So how exactly can organizations take care of their information security personnel? Here are four areas where organizations can help.

    Give them the tools they need – and let them experiment, too. 

    First of all, information security teams must have the resources they need: hardware, software, and headcount. Teams should be able to do their job without worrying that they lack the means to do it. Yes, this can be expensive, but so are attacks and data breaches.

    In addition, organizations should give teams some leeway to experiment. If they want to try new tools, or new methods of gathering or analyzing threat information, let them. These ideas don't have to be production quality right out of the gate; a proof of concept is enough to check whether the idea works.

    Let them learn and make mistakes.

    New threats and problems are always emerging. As we saw in rather lurid detail this year, things we thought were secure sometimes aren't. Learning has to be a key part of a team's goals in order to stay ahead of the threats encountered in day-to-day operations.

    Information about threats is not always precise: things that appear to be threats may turn out to be completely harmless, and the reverse is also true. Mistakes happen; reducing them is obviously desirable, but the effort shouldn't turn your security team into an overcautious group that is afraid to point out an obvious attack.

    Ensure data is freely accessible

    This ties in with our first point. If an organization really wants its teams to experiment, its logs and databases should be kept in easily accessible, open formats. Archived data should be stored as plain text, such as comma-separated values (CSV), rather than in a proprietary binary format. Plain text can be processed by many viewers and scripting languages.

    Why is this important? It allows searches to be performed quickly and efficiently, and gives an organization's security professionals the best possible access to potential threat information. Depending on what an organization logs and archives, it also opens up intriguing possibilities for data correlation, and the threat intelligence available to the organization's defenders may improve as a result. Accessible does not mean unprotected, however: logs routinely contain credentials and personal data, so access to the archive still has to be controlled and audited.

    Listen to them.

    In many organizations the security professionals are not listened to, either by other IT staff or by upper management. That is a mistake: security professionals know what they are talking about and can provide helpful insights if asked. This is true of any profession, but in the security field it is particularly important that practitioners be engaged and heard by the rest of the organization.

    All in all, the lesson is simple: the foundation of any organization’s security posture is the individuals actually putting that posture into force on the ground. To ensure the success of any policies, the individuals implementing them must receive the proper support and resources necessary to do their job.

    Are you an information security professional? Let us know what you think in the comments.


    Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”.

    The spammed notification pretends to come from the “official Facebook Chat Team.” It tells users that they have been tagged in a comment on a Facebook Note, which contains a fake announcement that Facebook Chat accounts must be verified.

    Figure 1. Facebook Chat verification notification

    The spam tries to sound urgent in order to convince users to verify their accounts. To do so, they are first asked to go to a Pastebin URL and instructed to copy a specific piece of code. The instructions differ depending on which browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer).

    Users are then directed to a shortened link and asked to press a particular function key (F12 for Google Chrome users, for example) to open the browser's developer tools. After clicking the Console tab, users are supposed to paste the provided JavaScript code into the console and press Enter. Because the pasted script runs inside the page, within the user's logged-in Facebook session, it acts with the user's full privileges: it can auto-tag everyone in the victim's friend list and restart the cycle by victimizing other account holders.

    Figure 2. Console where the Javascript code is supposed to be entered

    From the start, users should know that there is no product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site's official instant messaging feature is called Facebook Messenger, which is also the name of its stand-alone app. Earlier this month, Facebook announced that Android and iOS users will be required to use this stand-alone app, as the chat features are being removed from the traditional app versions of the site.

    Facebook has taken action against threats like this by releasing an official announcement.  The official Facebook warning notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things.”

    In 2013, a mobile phishing page disguised as a legitimate Facebook mobile page was used to victimize users by stealing their credit card details. In the same year, the Facebook Security Check page was spoofed by phishers, leading to a number of stolen account credentials.

    Protecting your online accounts from different threats requires constant vigilance. Always check and verify links that are sent your way, even if they come from a friend or contact. Never paste code you do not understand into your browser's console or address bar: it runs with the same access to your account that you have. In the same vein, be selective about the contacts you add to your network and add only those you know personally, to minimize the risk of compromising your accounts and harming your computer.

    Since April 2012, Trend Micro has worked hand in hand with Facebook to secure and shield users from attacks such as this. We already block all threats associated with this attack.

    4:59 am (UTC-7)

    How the Heartbleed bug works

    In previous blog entries, we've discussed various aspects of the Heartbleed vulnerability in OpenSSL. Last Tuesday, our first blog post covered an analysis of the vulnerability itself, as well as some steps that IT administrators of affected systems could take to protect themselves. Later entries looked at how popular websites and mobile apps were, in their own ways, vulnerable to the threat.
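    The paragraph above points back to an earlier analysis of the bug rather than repeating it, so here is a compact model of what Heartbleed (CVE-2014-0160) actually is. This is an added example written for this edited page; it is not code from the original post and not OpenSSL's source. It mirrors the logic of OpenSSL's TLS heartbeat handler before and after the fix shipped in 1.0.1g: a heartbeat message carries a 16-bit payload length, and the unpatched handler copied that many bytes into its reply without checking that the record it received was actually that long. The same handler serves both the client and the server side in OpenSSL, which is why a hostile server can turn the attack around on a vulnerable client, as the mobile-app entries on this page describe. The arena, the sample secret and the function names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* OpenSSL appends at least 16 bytes of padding */

/* Both handlers build a heartbeat response from the message at 'rrec' (the TLS
 * record the peer actually delivered, 'rrec_length' bytes long) into 'out'.
 * Message layout: type(1) | payload_length(2, big-endian) | payload | padding.
 * They return the number of response bytes written, or -1 if the message is dropped. */

/* Pre-1.0.1g logic: payload_length comes straight from the wire and is never
 * compared with rrec_length, so memcpy() reads up to 65535 bytes starting at
 * the payload, far past the end of the record and into neighbouring memory. */
int process_heartbeat_vulnerable(const unsigned char *rrec, size_t rrec_length,
                                 unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rrec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    (void)rrec_length;                  /* the bug: the real length is ignored */

    if (hbtype != TLS1_HB_REQUEST || 1 + 2 + payload + HB_PADDING > out_cap)
        return -1;                      /* out_cap check only protects this demo */

    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)payload;
    memcpy(bp, p, payload);             /* over-read of whatever follows the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);          /* OpenSSL fills this with RAND_pseudo_bytes() */
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* 1.0.1g logic: discard the message unless the claimed payload, plus header
 * and padding, fits inside the record that was actually received. */
int process_heartbeat_fixed(const unsigned char *rrec, size_t rrec_length,
                            unsigned char *out, size_t out_cap)
{
    if (rrec_length < 1 + 2 + HB_PADDING)
        return -1;                      /* too short to even carry the header */
    const unsigned char *p = rrec;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rrec_length)
        return -1;                      /* the added bounds check */
    if (hbtype != TLS1_HB_REQUEST || 1 + 2 + payload + HB_PADDING > out_cap)
        return -1;

    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)payload;
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Portable substring search over binary data. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Run one malicious heartbeat against both handlers. The 'arena' stands in for
 * the process heap: the received record sits at its start and a constructed
 * secret sits a little further along, as a session cookie or private key might.
 * Returns 1 if the vulnerable handler echoed the secret back, 0 otherwise;
 * *fixed_rc receives the fixed handler's return value for the same message. */
int demo_heartbleed(int *fixed_rc)
{
    unsigned char arena[4096], response[4096];
    const char *secret = "session=0123456789abcdef";   /* constructed sample data */
    memset(arena, 'A', sizeof arena);

    /* Constructed attack message: claims 1024 payload bytes, carries 5. */
    const unsigned char req[] = { TLS1_HB_REQUEST, 0x04, 0x00, 'h', 'e', 'l', 'l', 'o' };
    memcpy(arena, req, sizeof req);
    size_t rrec_length = sizeof req + HB_PADDING;   /* 24 bytes really arrived */
    memcpy(arena + 200, secret, strlen(secret));    /* "adjacent" heap contents */

    int n = process_heartbeat_vulnerable(arena, rrec_length, response, sizeof response);
    *fixed_rc = process_heartbeat_fixed(arena, rrec_length, response, sizeof response);
    return n > 0 && contains(response, (size_t)n, secret);
}

int main(void)
{
    int fixed_rc;
    int leaked = demo_heartbleed(&fixed_rc);
    printf("vulnerable handler leaked the secret: %s\n", leaked ? "yes" : "no");
    printf("fixed handler return value: %d (-1 = message discarded)\n", fixed_rc);
    return 0;
}
```

    The arena keeps the over-read inside a buffer we own, so the demo itself is well-defined C; in a real process the same memcpy walks off the end of the record buffer into whatever the allocator placed next, which is why the leaked data is unpredictable and why the fix is simply the missing length comparison.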

    To help deal with the Heartbleed vulnerability, we’ve released several tools that can be used to detect possible exposure to the risks:

    We have released the Trend Micro Heartbleed Detector on Google Play. This tool is designed to help users tell whether they are exposed to any aspect of this threat. In particular, it checks three things:

    • It checks whether the version of OpenSSL used in the device’s version of Android may be vulnerable.
    • It checks whether any OpenSSL libraries embedded in the user’s installed apps may be vulnerable.
    • It checks whether the user’s installed apps communicate with any unpatched (and therefore vulnerable) servers.


    Figure 1. Detector application

    If any vulnerable apps are detected, the detector offers to uninstall the app for the user:


    Figure 2. Vulnerable app detected

    We don’t recommend that users immediately uninstall all vulnerable apps, but this is something everyone should consider for applications that handle critical information, such as mobile banking apps. In addition, it’s a good idea for users to contact the companies that maintain these vulnerable apps and ask them to update their apps or websites as soon as possible.

    For Chrome users, we’ve also released the Trend Micro OpenSSL Heartbleed Scanner app. The scanner lets users check whether specific sites are vulnerable to Heartbleed. The tool can be downloaded from the Chrome Web Store.

    Other users who want to check whether a site is vulnerable can do so through our Trend Micro Heartbleed Detector website.

    We will continue to monitor this issue and release more information as needed.  For other posts discussing the Heartbleed bug, check our entries from the past week:


    Out with the old, in with the new? When it comes to cybercrime, that’s rarely the case. We often see old malware get upgrades with new techniques, payloads, and even targets. This is certainly the case for an old Java remote access Trojan (RAT) detected as JAVA_OZNEB.B.

    Users may encounter this threat as an attachment to spammed emails. These emails are often financial in nature. One such email pretends to be from American Express, informing recipients that their accounts have been suspended due to suspicious activity. To reactivate, they must fill out the attachment and send it back to American Express. The attachment is actually the malware in disguise. Users may also encounter the malware online pretending to be catalogues, product lists, or receipts.

    Figure 1. Sample spammed message

    Once it infects a computer, the RAT can perform a variety of routines, such as taking screenshots, displaying messages, and loading additional plugins, including one for mining Litecoins. The plugin mechanism makes the malware a high-risk threat, since cybercriminals can update and tweak its routines as they wish. The malware is a bigger threat still because, being written in Java, it can run on multiple platforms. This is not the first Java RAT that affects multiple platforms; we first spotted one in 2012.

    JAVA_OZNEB.B was previously known as Adwind and was later renamed UNRECOM (Universal Remote Control Multi-Platform). Along with the new name, the malware received an upgrade: it can now run on the Android platform. The inclusion of Android is highly notable because, aside from running on Android, the malware now also works as an APK binder. Put simply, it can be used to Trojanize legitimate apps, like an Android malware we’ve previously discussed.

    The Litecoin miner plugin is also notable, given the slew of threats targeting cryptocurrencies we’ve seen recently. Litecoin is a cryptocurrency often considered a popular alternative to Bitcoin. The plugin allows a remote malicious user to use an infected computer to mine Litecoins. Mining digital currencies requires a lot of computing power, so victims may notice sluggish performance from their infected computers.

    Feedback from the Smart Protection Network shows that affected countries include the United States, Turkey, Australia, Taiwan, Singapore, and Japan. We advise users to be cautious when opening emails, even if they appear to come from reputable senders. For matters related to finance, it’s best to call the financial institution involved to resolve potential issues.

    With additional insights from Lala Manly.


    In an earlier blog post, we mentioned that mobile apps are also affected by the Heartbleed vulnerability, because they may connect to servers affected by the bug. It now appears that mobile apps themselves can be vulnerable because of a bundled OpenSSL library.

    OpenSSL Library Present in Android 4.1.1 and Certain Mobile Apps

    Although a vulnerable OpenSSL is integrated into the Android system, our information is that only Android 4.1.1 is affected by the Heartbleed vulnerability. On devices with that version, any app that uses the system OpenSSL to establish SSL/TLS connections is possibly affected: a malicious peer can exploit it to read user information from the app’s memory.

    However, even if your device is not running the affected version, there is still the matter of the apps themselves. We have found 273 apps in Google Play that bundle their own copy of the affected OpenSSL library, which means those apps can be attacked on any device, regardless of the Android version.

    In this list we see last year’s most popular games, some VPN clients, a security app, a popular video player, an instant messaging app, a VoIP phone app and many others. As you may well know, apps use the OpenSSL library for secure communications. Many of these apps are from top developers. We also found the vulnerability in older versions of Google’s own apps.


    Figure 1. Apps vulnerable to Heartbleed include those that are highly popular

    These apps statically link to the vulnerable OpenSSL library as shown below:



    Figure 2. Vulnerable OpenSSL Library
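    Figure 2 above shows what gives a statically linked copy away: the library carries its version banner as a plain string. The first two checks of the Heartbleed Detector described earlier on this page (the system OpenSSL on the device, and OpenSSL bundled inside installed apps) come down to finding that banner and deciding which side of the 1.0.1g fix it falls on. The following added example does exactly that over the raw bytes of a file; it is written for this edited page and is not Trend Micro's detector code. The version rules are OpenSSL's own (1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never had the heartbeat code); the function names and the sample blobs are assumptions for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ordered from best to worst so a scan can keep the worst finding. */
enum hb_status { HB_NO_OPENSSL = 0, HB_NOT_AFFECTED, HB_PATCHED, HB_MAYBE_VULNERABLE };

/* Classify one version token as OpenSSL prints it, e.g. "1.0.1e" or "1.0.2-beta1".
 * A letter suffix beyond the first character ("1.0.1e-fips") does not matter. */
enum hb_status classify_openssl_version(const char *tok)
{
    int major, minor, patch;
    char suffix[16] = "";
    if (sscanf(tok, "%d.%d.%d%15s", &major, &minor, &patch, suffix) < 3)
        return HB_NO_OPENSSL;
    if (major == 1 && minor == 0 && patch == 1) {
        /* 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g added the bounds check */
        if (suffix[0] == '\0' || (suffix[0] >= 'a' && suffix[0] <= 'f'))
            return HB_MAYBE_VULNERABLE;
        return HB_PATCHED;
    }
    if (major == 1 && minor == 0 && patch == 2)
        return strcmp(suffix, "-beta1") == 0 ? HB_MAYBE_VULNERABLE : HB_PATCHED;
    return HB_NOT_AFFECTED;   /* 0.9.8, 1.0.0, and everything released after the fix */
}

/* Scan a blob (the bytes of a libcrypto/libssl .so, or a whole APK) for
 * "OpenSSL <version>" banners and return the worst classification found;
 * the matching token is copied into 'ver' (empty if nothing was found). */
enum hb_status classify_openssl_blob(const unsigned char *buf, size_t len,
                                     char *ver, size_t vercap)
{
    static const char tag[] = "OpenSSL ";
    const size_t taglen = sizeof tag - 1;
    enum hb_status worst = HB_NO_OPENSSL;
    if (vercap) ver[0] = '\0';
    for (size_t i = 0; i + taglen < len; i++) {
        if (memcmp(buf + i, tag, taglen) != 0)
            continue;
        /* Copy the token that follows, up to whitespace/NUL: "1.0.1e 11 Feb 2013" -> "1.0.1e" */
        char tok[32];
        size_t k = 0, start = i + taglen;
        while (start + k < len && k < sizeof tok - 1 && buf[start + k] > ' ') {
            tok[k] = (char)buf[start + k];
            k++;
        }
        tok[k] = '\0';
        if (!isdigit((unsigned char)tok[0]))
            continue;   /* skip "OpenSSL Project", "OpenSSL RSA method" and the like */
        enum hb_status s = classify_openssl_version(tok);
        if (s > worst) {
            worst = s;
            snprintf(ver, vercap, "%s", tok);
        }
    }
    return worst;
}

/* Read a whole file into memory and classify it; unreadable files report HB_NO_OPENSSL. */
enum hb_status classify_openssl_file(const char *path, char *ver, size_t vercap)
{
    FILE *f = fopen(path, "rb");
    if (!f) return HB_NO_OPENSSL;
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    if (n <= 0) { fclose(f); return HB_NO_OPENSSL; }
    unsigned char *buf = malloc((size_t)n);
    size_t got = buf ? fread(buf, 1, (size_t)n, f) : 0;
    fclose(f);
    enum hb_status s = classify_openssl_blob(buf, got, ver, vercap);
    free(buf);
    return s;
}

/* Usage: ./openssl_hb_check lib/armeabi/libcrypto.so some.apk ... */
int main(int argc, char **argv)
{
    static const char *label[] = { "no OpenSSL banner", "not affected", "patched", "MAY BE VULNERABLE" };
    for (int i = 1; i < argc; i++) {
        char ver[32];
        enum hb_status s = classify_openssl_file(argv[i], ver, sizeof ver);
        printf("%s: %s%s%s\n", argv[i], label[s], ver[0] ? " " : "", ver);
    }
    return 0;
}
```

    Treat the result as "may be vulnerable", exactly as the detector's wording does: a library built with heartbeats compiled out (OPENSSL_NO_HEARTBEATS), or a Linux distribution package that backported the fix without changing the version banner, will be flagged even though the over-read cannot be triggered. The banner check is cheap and works offline on an APK; the definitive test remains the behavioural one, sending a heartbeat whose claimed length exceeds its real length and seeing whether the peer answers with more data than it was given.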

    A reverse (client-side) Heartbleed attack is possible if the remote server an app connects to is malicious or compromised: the server sends the malformed heartbeat, and the app’s bundled OpenSSL answers with the contents of the device’s process memory. That memory may contain any sensitive information the app holds locally. If you use a vulnerable VPN client or VoIP app to connect to a hostile service, you may lose your private key or other credentials, after which the attacker can forge your identity and go on from there.

    We advise app developers to upgrade the bundled OpenSSL library as quickly as possible and publish the updated apps to end users. General users need to be aware that a vulnerable client can leak memory to whatever it connects to, so a well-known app from a reputable developer is still exposed if its connection is redirected to an attacker’s server. You should update your apps as soon as a fix is made available. Google is currently distributing patching information for the affected Android version; you should also check whether an update is available for your device.

    We will also be creating a tool very soon to check if your apps are vulnerable.

    An Update on Apps Connecting to Servers Vulnerable to Heartbleed

    After we disclosed that mobile apps were connecting to vulnerable servers, we continued to monitor them. At the time of monitoring we saw up to 7,000 apps connecting to Heartbleed-vulnerable servers; in our latest verification, around 6,000 apps are still affected. Let’s see what types of mobile apps they are:


    Figure 3. Distribution of Mobile Apps Vulnerable to Heartbleed, by Category

    For discussion purposes, we highlight only the app categories we consider potentially sensitive, in that they may store users’ private information on the server, which means users may be leaking information by using these apps. A large portion of these apps are Lifestyle apps, covering anything from ordering food, groceries, equipment, clothing and furniture to reading books and couponing. This means that if a user orders food or supplies through one of these affected apps, information about the order, including user credentials, their home address, or worse, their credit card information, can be leaked.

    Note that we have informed Google about this issue.

    For other posts discussing the Heartbleed bug, check these other posts:



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice