    TrendLabs Security Intelligence Blog

    Archive for March 20th, 2012

    There is welcome news today of the arrests of 8 individuals in Russia by the Russian MVD, or Ministry of Internal Affairs (Ministerstvo Vnutrennikh Del). Gary Warner (University of Alabama at Birmingham) has a great write-up of the arrests over on his blog, “Cybercrime and Doing Time”, so I will not reproduce the details here.

    Having said that, I just wanted to point out that this is yet another great example of international collaboration between both private industry research and international law enforcement. I certainly hope that we see more of this in the future, such that serious Internet criminals do not think that they are outside the reach of the “long arm of the law”.

    Cybercriminals should not think that they can successfully hide in any particular country or jurisdiction and avoid prosecution due to differences in international laws. This – and other recent arrests in Eastern Europe – shows that the international reach of law enforcement can also reach them.

    As mentioned in Professor Warner’s blog, Trend Micro Threat Research did quite a bit of research into CARBERP a couple of years ago, especially into the area of enumerating targeted victims. We saw victims in Government, Industry, and Academia all targeted, showing the wide swath of victims who unwittingly had funds stolen from their bank accounts.

    CARBERP is a particularly nasty banking Trojan, with the capability to install itself without Administrator privileges, effectively defeating the User Account Control (UAC) feature of Windows 7 and Vista.

    While we have not seen the same volume and popularity of CARBERP as we have with ZeuS and SpyEye, since CARBERP’s appearance in the latter half of 2009 we have seen a steady increase in numbers (see Figure 1).


    Also, our telemetry shows that almost a quarter of Carberp infections were in Germany (see Figure 2).

    We applaud the efforts and actions of the Russian authorities in this case, and we hope to see more international cooperative efforts to bring cybercriminals to justice around the world.

     
    Posted in Bad Sites, Botnets | Comments Off



    Dutch users were recently targeted in a website compromise that involved a popular news site in the Netherlands, nu.nl. The site was compromised and modified to load a malicious iframe that resulted in visitors’ systems being infected with a SINOWAL variant.

    Trend Micro researcher Feike Hacquebord says that, considering the different characteristics of this attack, it seems to have been specifically designed to affect Dutch users. Aside from the affected site being one of the most popular sites in their country, the scripts inserted in the website were activated right before lunch time in the Netherlands — a time Dutch users typically use to check the news and other sites while in the office.

    According to nu.nl’s released statement, they believe that attackers exploited a vulnerability in the news group’s content management system (CMS), allowing them to insert 2 scripts — g.js and gs.js — in a nu.nl subdomain.

    Investigation reveals that the scripts, detected by Trend Micro as JS_IFRAME.HBA, are highly obfuscated scripts that, when executed, lead users to yet another script, specifically one that loads various exploits.

    This exploit kit, detected as JS_BLACOLE.HBA, was found to be the Nuclear Pack exploit kit. Upon execution, it checks the affected system for any vulnerable software, and then downloads any applicable exploit that can run successfully.

    Based on the analyzed code of the exploit pack, systems with the following unpatched application versions could possibly be infected with this threat:

    • Adobe Reader versions between 8 and 9.3
    • Java versions between 5 and 6, and between 5.0.23 and 6.0.27

    Aside from the software above, Nuclear Pack Exploit Kit is also capable of exploiting vulnerabilities in Windows components like Microsoft Data Access Components (MDAC), Help and Support Center (HCP), and Microsoft Office Web Components (OWC) Spreadsheet.
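The version ranges above are the kind of thing a defender wants to check against an asset inventory before the next drive-by lands. The following is an added example (not code from the post or from Trend Micro) that takes the two ranges as the post states them and reports which inventory entries fall inside them. It assumes the bounds are inclusive, since the post only says "between", and it normalises Java's own runtime version strings ("1.6.0_27") to the post's "6.0.27" notation; the inventory rows are constructed sample data. The point it illustrates beyond the list is that version strings must be compared numerically: "9.10" is newer than "9.3", but a plain string comparison would put it inside the affected range.

```python
import re

# Affected ranges exactly as the post lists them (inclusive bounds assumed).
# Java ranges use the post's notation, e.g. "6.0.27" for Java 6 Update 27.
AFFECTED_RANGES = {
    "Adobe Reader": [("8", "9.3")],
    "Java": [("5", "6"), ("5.0.23", "6.0.27")],
}


def parse_version(product, text):
    """Turn a version string into a tuple of ints for numeric comparison.

    Java runtimes report versions as "1.6.0_27"; that form is normalised to
    (6, 0, 27) so it lines up with the post's "6.0.27" (assumption made here).
    Anything else is split on non-digits: "9.3" -> (9, 3), "8.1.2" -> (8, 1, 2).
    """
    text = text.strip()
    if product == "Java":
        m = re.fullmatch(r"1\.(\d+)\.(\d+)(?:_(\d+))?", text)
        if m:
            major, minor, update = m.groups(default="0")
            return (int(major), int(minor), int(update))
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v, n):
    # Right-pad with zeros so (9, 3) and (9, 3, 0) compare as equal.
    return v + (0,) * (n - len(v))


def in_range(version, low, high):
    """Inclusive numeric range test on version tuples of differing length."""
    n = max(len(version), len(low), len(high))
    return _pad(low, n) <= _pad(version, n) <= _pad(high, n)


def is_exposed(product, version_text):
    """True if the installed version falls inside any range the post lists."""
    v = parse_version(product, version_text)
    for low, high in AFFECTED_RANGES.get(product, []):
        if in_range(v, parse_version(product, low), parse_version(product, high)):
            return True
    return False


def exposure_report(inventory):
    """inventory: iterable of (product, version) pairs, e.g. from an asset database.

    Returns the entries that the post's ranges mark as exposed.
    """
    return [(p, v) for p, v in inventory if is_exposed(p, v)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("Adobe Reader", "9.10"), ("Java", "1.6.0_20"), ("Firefox", "11.0")]
    for product, version in exposure_report(sample):
        print(f"exposed: {product} {version}")
```

Products that the post does not mention (Firefox in the sample) are simply skipped rather than reported, so the report only ever says what the post supports.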

    A successful exploit will then lead to the download of the downloader TROJ_SMOKE.JH, which then downloads the SINOWAL variant, TROJ_SINOWAL.SMF. At the time of the infection, Trend Micro already detected this SINOWAL variant.

    TROJ_SINOWAL.SMF collects information about the affected system such as:

    • System’s hard disk serial number
    • Running processes
    • Software registered in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key

    TROJ_SINOWAL.SMF is also said to download another component that is capable of infecting the MBR of an affected machine.

    Data gathered from the Trend Micro™ Smart Protection Network™ reveals that most of the users who attempted to access the URL used by JS_BLACOLE.HBA while the site was loading malicious files were indeed from the Netherlands.

    Hours after the compromise was discovered, nu.nl was clean again. Sadly, this compromise had already exposed some of the site’s visitors to SINOWAL infection. Users are thus advised to check their systems for possible infection and to perform the necessary removal instructions that are available on the Internet. As for us, Trend Micro products detect the related files used in the attack and block all the malicious domains used, all through the Trend Micro Smart Protection Network. The command-and-control (C&C) servers to which this SINOWAL variant sends information are also blocked by Trend Micro.

    Hat tip to security evangelist Ivan Macalintal for additional insights and analysis.
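The infection chain described in this post (news page, injected scripts, exploit-kit landing script, exploit document, downloader executable) is also visible from the network side, in web proxy logs. The following is an added example, not code from the post or from Trend Micro, that reconstructs that chain per client from simplified proxy log lines and raises an alert only when the whole sequence completes within a short window and the exploit and payload come from a site other than the page the user visited. The log lines, hostnames, IP addresses and the 120-second window are all constructed assumptions for the example; the content-type sets cover the file types the post names (Adobe Reader and Java exploits followed by a Windows executable).

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (not real traffic): "timestamp client status url content-type".
# Client 10.1.1.20 follows the full chain; .21 loads the injected script but is
# never served an exploit; .22 downloads an installer unrelated to any page load.
SAMPLE_LOG = """\
2012-03-14T12:05:01 10.1.1.20 200 http://news.example.nl/ text/html
2012-03-14T12:05:02 10.1.1.20 200 http://static.news.example.nl/g.js application/javascript
2012-03-14T12:05:02 10.1.1.20 200 http://static.news.example.nl/gs.js application/javascript
2012-03-14T12:05:03 10.1.1.20 200 http://203.0.113.7/x/index.php?i=1 application/javascript
2012-03-14T12:05:05 10.1.1.20 200 http://203.0.113.7/x/pdf.php application/pdf
2012-03-14T12:05:09 10.1.1.20 200 http://203.0.113.7/x/load.php?e=1 application/x-msdownload
2012-03-14T12:05:01 10.1.1.21 200 http://news.example.nl/ text/html
2012-03-14T12:05:02 10.1.1.21 200 http://static.news.example.nl/g.js application/javascript
2012-03-14T12:05:04 10.1.1.21 200 http://static.news.example.nl/logo.png image/png
2012-03-14T12:40:00 10.1.1.22 200 http://news.example.nl/ text/html
2012-03-14T12:55:00 10.1.1.22 200 http://downloads.example.com/setup.exe application/x-msdownload
"""

WINDOW = timedelta(seconds=120)  # assumed: whole chain must complete within this
JS_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}
EXPLOIT_TYPES = {"application/pdf", "application/java-archive", "application/x-java-archive"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}


def site_of(host):
    """Crude registrable-domain approximation (last two labels); no public-suffix list."""
    return ".".join(host.split(".")[-2:])


def parse_log(text):
    """Parse the simplified log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, ctype = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "status": int(status),
            "url": url,
            "host": urlsplit(url).hostname or "",
            "type": ctype.lower(),
        })
    return events


def find_drive_by_chains(events):
    """Per client, look for: page load -> script -> off-site exploit -> off-site executable.

    Returns a list of alerts, each with the client, the visited site and the URL chain.
    """
    alerts = []
    by_client = {}
    for ev in events:
        by_client.setdefault(ev["client"], []).append(ev)

    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        state = None  # None until a page load anchors a candidate chain
        for ev in evs:
            if ev["status"] != 200:
                continue
            if ev["type"].startswith("text/html"):
                # Every page load (re)starts the search from that page's site.
                state = {"site": site_of(ev["host"]), "start": ev["time"],
                         "stage": 1, "chain": [ev["url"]]}
                continue
            if state is None:
                continue
            if ev["time"] - state["start"] > WINDOW:
                state = None  # too slow to be a drive-by; wait for the next page load
                continue
            off_site = site_of(ev["host"]) != state["site"]
            stage = state["stage"]
            if stage == 1 and ev["type"] in JS_TYPES:
                state["chain"].append(ev["url"])          # injected script
                state["stage"] = 2
            elif stage == 2 and ev["type"] in JS_TYPES and off_site:
                state["chain"].append(ev["url"])          # exploit-kit landing script
            elif stage == 2 and ev["type"] in EXPLOIT_TYPES and off_site:
                state["chain"].append(ev["url"])          # exploit document/archive
                state["stage"] = 3
            elif stage == 3 and ev["type"] in PAYLOAD_TYPES and off_site:
                state["chain"].append(ev["url"])          # dropped executable
                alerts.append({"client": client, "site": state["site"],
                               "chain": list(state["chain"])})
                state = None
    return alerts


if __name__ == "__main__":
    for alert in find_drive_by_chains(parse_log(SAMPLE_LOG)):
        print(alert["client"], "via", alert["site"])
        for url in alert["chain"]:
            print("   ", url)
```

The off-site requirement is what keeps the rule quiet on an ordinary visit: the legitimate site serves its own scripts and images, while the exploit and the executable in this chain come from a host the page's owner does not control. Requiring the executable stage before alerting keeps the rule from firing on every PDF link, at the cost of not seeing clients whose exploit attempt failed; a lower-severity alert at stage 3 is the usual compromise.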

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice