    TrendLabs Security Intelligence Blog

    Archive for March, 2012




    Concerns about privacy on the Internet have always been out there, but news events of late seem to be bringing this problem more and more into the public eye.

    Earlier this month, Google began implementing its “new” privacy policy – despite opposition from many parties, including French and European Union regulators. The new privacy policy allows Google to consolidate what it knows about users across all of its services, something it had never done before. According to Google, this makes for a “simpler, more intuitive Google experience.”

    It’s not just search engines themselves falling under watch for privacy problems. Early in February, the popular Path and Hipster apps were discovered to be uploading user address books to their servers. Later on, it was discovered that both iOS and Android suffered from problems that allowed apps access to user photos even if they had not granted that particular permission.

    So far, there really hasn’t been a good set of guidelines that companies holding our data could be held accountable to and asked to follow. Essentially, companies with access to our private data were left to their own devices when it came to treating that data – with predictable consequences to our privacy.

    In February, it was announced that many advertising networks and leading Internet companies such as AOL, Google, Microsoft, and Yahoo have all agreed to implement the Do Not Track feature: essentially, it stops websites (and advertising networks) from tracking users. This blocks certain practices used by advertisers, such as personalized advertising. (We discussed personalized advertising earlier in our ebook Be Privy to Online Privacy.)

    This was in line with a White House blueprint for what it called a “Consumer Privacy Bill of Rights”. The set of principles that the white paper includes are all sound and, frankly, common sense: they give users’ online data the same set of protections that they should have offline. Fundamentally, the US approach calls for Internet companies and industries to voluntarily adopt regulations which are then enforced by regulatory agencies.

    Does this mean that users no longer have to worry about their privacy, that advertisers and website owners will no longer abuse what they know about users? Sadly, that is far from being the case.

    The Do Not Track announcement was not about anything that could be immediately implemented. How Do Not Track will actually be implemented – and thus, whether it actually works – is not yet entirely clear. In short, it will take some time for Do Not Track to actually be something that users can turn on.

    What these steps do mean is that regulators are finally paying attention to privacy as an issue, and companies are realizing that they have to start paying some attention, instead of just issuing blanket statements that said nothing. European privacy regulators have already launched a probe into Google’s new privacy policy. As a result of a settlement with California authorities, app store operators like Apple and Google have agreed in principle to make app developers include privacy policies if their apps gather user information.

    User concern about tracking and personal privacy is very real. A Pew Research poll found that almost two-thirds of American search engine users disapproved of personalized search results. A similar number had negative views on targeted advertising. A separate study by the University of Queensland found similar attitudes among Australian users. Clearly, users have serious concerns about what kind of information is gathered about them, and how this information is being used.

    The debate over privacy in the digital age will, no doubt, continue. Different people will have different standards for what they consider an acceptable trade-off between convenience and privacy. Users should be free, however, to make that decision for themselves – and to have the information and tools to decide where their data will end up going.

     
    Posted in Mobile | Comments Off



    We were alerted to reports of a mass compromise of WordPress sites that leads to CRIDEX infection. To lure users to these compromised sites, the cybercriminals behind this employed spammed messages purporting to come from known legitimate sources such as the Better Business Bureau and LinkedIn, just to name a few. These spam messages use social engineering tactics to entice unsuspecting users to click the link found in the email.

    Clicking this link leads to a series of compromised WordPress sites, which ultimately point users to the Blackhole Exploit Kit that targets the vulnerabilities cited in CVE-2010-0188 and CVE-2010-1885. This is detected by Trend Micro as JS_BLACOLE.IC.

    Once users click on any of the URLs seen in Figure 3, they are redirected to sites that host the said exploit kit.

    Based on our analysis, this exploit results in the installation of WORM_CRIDEX.IC on the affected system. When executed, this worm connects to a remote site http://{Random URL}.ru:8080/rwx/B2_9w3/in/ to download its configuration files.

    WORM_CRIDEX.IC was also found to generate several random domains using a domain generation algorithm (DGA). This is a well-known technique used by cybercriminals to evade law enforcement and to prevent botnets from being shut down. The malware also uses the DGA to download its configuration file. As of this writing, the exact behavior of the sample is dependent on the configuration file. Based on static analysis, however, it is capable of executing a file, deleting a file/folder, and retrieving certificates from a certificate store. During our testing, we were unable to download the configuration file as this was no longer available.
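    The configuration-download URL quoted above has a fixed path and port while only the host varies, which makes it a usable indicator in proxy logs. The following is an added example, not code from the original post, that flags clients requesting that pattern; the log format and the log lines themselves are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern derived from the URL quoted in the post:
# http://{Random URL}.ru:8080/rwx/B2_9w3/in/  (host varies; path, port and TLD do not)
CRIDEX_PATH = "/rwx/B2_9w3/in/"
CRIDEX_PORT = 8080
CRIDEX_TLD = ".ru"

# Constructed proxy log lines (not real telemetry): "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2012-03-28T11:02:10Z 10.0.0.5 GET http://qx7vd3k.ru:8080/rwx/B2_9w3/in/ 200
2012-03-28T11:02:11Z 10.0.0.5 GET http://www.example.com/index.html 200
2012-03-28T11:03:45Z 10.0.0.9 GET http://m3p0a1z.ru:8080/rwx/B2_9w3/in/ 404
2012-03-28T11:04:02Z 10.0.0.7 GET http://cdn.example.net:8080/rwx/B2_9w3/in/ 200
2012-03-28T11:05:00Z 10.0.0.5 POST http://ab12cd.ru:8080/rwx/other/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def matches_cridex_config_fetch(url: str) -> bool:
    """True when a URL matches the configuration-download pattern from the post."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return (
        parts.scheme == "http"
        and host.endswith(CRIDEX_TLD)
        and parts.port == CRIDEX_PORT
        and parts.path == CRIDEX_PATH
    )


def find_cridex_clients(log_text: str) -> dict:
    """Map each client IP to the list of matching URLs it requested.

    A 404 still counts: the post notes the configuration file was already gone,
    so the request itself, not the server's answer, is the indicator."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, client, _method, url, _status = m.groups()
        if matches_cridex_config_fetch(url):
            hits.setdefault(client, []).append(url)
    return hits
```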

    Trend Micro protects users from this threat via the Trend Micro™ Smart Protection Network™, which blocks malicious URLs related to this attack as well as detecting the related malware. To avoid encountering these compromised sites, users should think twice before clicking links found in dubious-looking messages. Always verify the validity of received messages, especially those that claim to be from well-known sources.

    With additional text and analysis by security evangelist Ivan Macalintal.



    There is welcome news today of the arrests of 8 individuals in Russia by the Russian MVD, or Ministry of Internal Affairs (Ministerstvo Vnutrennikh Del). Gary Warner (University of Alabama at Birmingham) has a great write-up of the arrests over on his blog, “Cybercrime and Doing Time”, so I will not reproduce the details here.

    Having said that, I just wanted to point out that this is yet another great example of international collaboration between both private industry research and international law enforcement. I certainly hope that we see more of this in the future, such that serious Internet criminals do not think that they are outside the reach of the “long arm of the law”.

    Cybercriminals should not think that they can successfully hide in any particular country or jurisdiction and avoid prosecution due to differences in international laws. This – and other recent arrests in Eastern Europe – shows that the reach of international law enforcement can extend to them as well.

    As mentioned in Professor Warner’s blog, Trend Micro Threat Research did quite a bit of research into CARBERP a couple of years ago, especially into the area of enumerating targeted victims. We saw victims in Government, Industry, and Academia all targeted, showing the wide swath of victims who unwittingly had funds stolen from their bank accounts.

    CARBERP is a particularly nasty banking Trojan, with the capability to install itself without Administrator privileges, effectively defeating the User Account Control (UAC) feature of Windows 7 and Vista.

    While we have not seen the same volume and popularity of CARBERP as we have with ZeuS and SpyEye, since CARBERP’s appearance in the latter half of 2009 we have seen a steady increase in numbers (see Figure 1).

    Also, our telemetry shows that almost a quarter of Carberp infections were in Germany (see Figure 2).

    We applaud the efforts and actions of the Russian authorities in this case, and we hope to see more international cooperative efforts to bring cybercriminals to justice around the world.

     
    Posted in Bad Sites, Botnets | Comments Off



    Dutch users were recently targeted in a website compromise that involved a popular news site in the Netherlands, nu.nl. The site was compromised and modified to load a malicious iframe that resulted in visitors’ systems being infected with a SINOWAL variant.

    Trend Micro researcher Feike Hacquebord says that, considering the different characteristics of this attack, it seems to have been specifically designed to affect Dutch users. Aside from the affected site being one of the most popular sites in the country, the scripts inserted in the website were activated right before lunch time in the Netherlands — a time Dutch users typically use to check the news and other sites while in the office.

    According to nu.nl’s released statement, they believe that attackers exploited a vulnerability in the news group’s content management system (CMS), allowing them to insert two scripts — g.js and gs.js — on a nu.nl subdomain.

    Investigation reveals that the scripts, detected by Trend Micro as JS_IFRAME.HBA, are highly obfuscated scripts that, when executed, lead users to yet another script, specifically one that loads various exploits.

    This exploit kit, detected as JS_BLACOLE.HBA, was found to be the Nuclear Pack exploit kit. Upon execution, it checks the affected system for any vulnerable software, and then downloads any applicable exploit that can run successfully.

    Based on the analyzed code of the exploit pack, systems with the following unpatched application versions could possibly be infected with this threat:

    • Adobe Reader versions in between 8 and 9.3
    • Java versions in between 5 and 6 and between 5.0.23 and 6.0.27

    Aside from the software above, Nuclear Pack Exploit Kit is also capable of exploiting vulnerabilities in Windows components like Microsoft Data Access Components (MDAC), Help and Support Center (HCP), and Microsoft Office Web Components (OWC) Spreadsheet.
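    An inventory check for the version ranges listed above, as an added example that is not part of the original post. It assumes dotted-numeric version strings, treats each “between X and Y” range as inclusive at both ends (the post does not say), and uses a constructed sample inventory.

```python
# Vulnerable ranges exactly as the post lists them for the Nuclear Pack exploit kit.
# Assumption: each range is inclusive at both ends.
NUCLEAR_PACK_TARGETS = {
    "Adobe Reader": [("8", "9.3")],
    "Java": [("5", "6"), ("5.0.23", "6.0.27")],  # both Java ranges as stated in the post
}


def parse_version(text: str) -> tuple:
    """'9.3' -> (9, 3); '6.0.27' -> (6, 0, 27). Only dotted-numeric strings are handled."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive comparison, zero-padded so that '9.3' compares equal to '9.3.0'
    and '9.3.1' correctly falls above an upper bound of '9.3'."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    width = max(len(v), len(lo), len(hi))

    def pad(t: tuple) -> tuple:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def exposed_software(inventory: dict) -> list:
    """inventory maps product name -> installed version string.
    Returns the products whose version lies in a range the exploit pack targets."""
    exposed = []
    for product, version in inventory.items():
        for low, high in NUCLEAR_PACK_TARGETS.get(product, []):
            if in_range(version, low, high):
                exposed.append(product)
                break  # one matching range is enough
    return exposed


# Constructed inventory for a sample workstation (not real telemetry)
SAMPLE_INVENTORY = {"Adobe Reader": "9.3", "Java": "6.0.31", "Firefox": "11.0"}
```

Products not named in the post (Firefox above) are ignored rather than reported, so an empty result means only that none of the listed ranges matched.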

    A successful exploit will then lead to the download of the downloader TROJ_SMOKE.JH, which then downloads the SINOWAL variant, TROJ_SINOWAL.SMF. At the time of the infection, Trend Micro already detected this SINOWAL variant.

    TROJ_SINOWAL.SMF collects information about the affected system such as:

    • System’s hard disk serial number
    • Running processes
    • Software registered in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key

    TROJ_SINOWAL.SMF is also said to download another component that is capable of infecting the MBR of an affected machine.

    Data gathered from the Trend Micro™ Smart Protection Network™ reveals that most of the users who attempted to access the URL used by JS_BLACOLE.HBA, while the site was loading malicious files, were indeed from the Netherlands.

    Hours after the compromise was discovered, nu.nl was clean again. Sadly, this compromise had already exposed some of the site’s visitors to SINOWAL infection. Thus, users are advised to check their systems for possible infection and follow the removal instructions that are available on the Internet. As for us, Trend Micro products detect the related files used in the attack, as well as block all the malicious domains used, all through the Trend Micro Smart Protection Network. The command-and-control (C&C) servers to which this SINOWAL variant sends information are also blocked by Trend Micro.

    Hat tip to security evangelist Ivan Macalintal for additional insights and analysis.

     
    Posted in Malware | 1 TrackBack »



    2011 has been dubbed the year of specialized attacks. This was very prominent at this year’s RSA Conference, held this month in San Francisco, where we saw the leading security companies shifting focus from protecting the traditional enterprise architecture to its next evolutionary stage, which is more susceptible to targeted attacks.

    New advances in technology have initiated big changes in how people work in the enterprise world. These changes are also bringing new security challenges into the workplace. What do consumerization, BYOD, and cloud computing bring to the enterprise security scene, and how should we approach these new challenges?

    The New Workforce Generation

    The keynote by Enrique Salem (President and CEO of Symantec), discussing the differences between today’s workforce (which he termed “digital natives”) and earlier generations, is a good way of describing the current situation being experienced by enterprises today.

    Salem describes this new workforce generation as the people born during and after the Internet boom of the 1990s. They have been raised in a world where everything is connected through the web and everything is done through the web. They are natural networkers who do everyday things in ways that were never done before, using tools such as social media and cloud computing. They are mobile, able to do anything, anywhere, any time, but exhibit continuous partial attention due to the volume of information that they consume every day.

    This whole new generation has just started entering the workplace in the last few years. They have brought with them demands to change the traditional enterprise architecture to fit their own working methodologies.

    Blurring the Lines

    As more and more people start embracing new technologies from the “digital native” mindset, they are slowly integrating these technologies into their own lifestyles. Mobile, always connected, always informed… these are all very helpful capabilities to have for our everyday tasks, and more and more people are applying these same concepts in the workplace. Consumer devices, which are how most people are first introduced to mobility and connectivity, start finding their way into enterprise networks. People start bringing them in and demanding that their network administrators support them, because they make their work easier and faster. More and more systems are being integrated into the cloud in order to give people access to their data wherever and whenever.

    New technologies and devices are starting to blur the lines between people’s personal and professional lives. RSA Chairman Art Coviello even said that we are already past the tipping point of separating the two. The end result is that IT organizations end up having to learn how to manage things that they cannot directly control; security organizations end up having to learn how to protect things that they cannot directly control.

    © Copyright 2013 Trend Micro Inc. All rights reserved.