
    Archive for April, 2012

    Over the past month we’ve been investigating several high-volume spam runs that sent users to websites compromised with the Black Hole exploit kit. Some of the spam runs that were part of this investigation used the name of Facebook, and US Airways. Other spam runs involved LinkedIn, as well as USPS. The most recent campaign we’ve seen that was part of this wave of attacks used the name of CareerBuilder:

    We’ll look at the campaign that used Facebook specifically, but our conclusions about each of these attacks are broadly similar:

    • Phishing messages using the names of various organizations spread via email to targets predominantly in the United States. The content of these phishing e-mails was practically indistinguishable from legitimate messages.
    • Links in these messages led to multiple compromised websites that redirected the user to various malicious sites. Collectively, these compromised sites numbered in the thousands.
    • Users were eventually directed to sites containing the Black Hole exploit kit.

    Now, let’s discuss the spam attack that used Facebook as the lure. This particular spam run consists of a fake friend request sent to the victim, as can be seen below:

    The link goes to various compromised web sites. We have identified more than 2,000 distinct URLs used in this attack, distributed over 374 domains. On average, each compromised domain hosted 5 separate malicious landing pages.

    As we mentioned earlier, this particular campaign was not the only spam run we investigated. We found clear evidence that all these attacks were linked. In many cases, the same sets of compromised URLs were used by multiple spam runs. This suggests that at least some of the parties responsible for these attacks were identical, if it was not the same group altogether.


    Posted in Bad Sites, Malware, Spam | Comments Off on Persistent Black Hole Spam Runs Underway

    Mobile security researchers reported the emergence of an Android malware called Tigerbot. The said malware is actually an app called Spyera, which we detect as ANDROIDOS_TIGERBOT.EVL. The said app was found in third-party Chinese app stores.

    We tried to analyze this app to check if it is indeed malicious. Below are our findings:


    When installed, ANDROIDOS_TIGERBOT.EVL shows a different icon, usually that of a legitimate application. Some malware use the same routine to trick users into thinking that it is a harmless file. The fact that Tigerbot uses the same installation routine raises questions about the intent of this application.


    Tigerbot is controlled via either SMS or phone calls. It is capable of recording phone calls, tracking the device via GPS, or rebooting a device. Digging deeper into its routines, we found several commands that are of dubious nature:

    • DEBUG – initially checks running processes and the configuration of the Spyera app, and connects to a URL to check network status
    • CHANGE_IAP – changes the phone’s APN (Access Point Name)
    • PROCESS_LIST_ADD – adds a phone process name to a list (the list is used to kill processes)
    • PROCESS_LIST_DELETE – deletes a phone process name that is in the list
    • ACTIVE – activates the copy of Tigerbot
    • DEACTIVE – deactivates the copy of Tigerbot

    The above-listed capabilities can be maliciously used to send over private information to an attacker. These are among the reasons why we are detecting the application as malware.

    The following details the 4 different command sets used by Tigerbot:

    Command Set A
    The following commands may be used by an attacker to gather information from the device:

    SMS Command   Name    Description
    * *           DEBUG   Returns currently running process names, the current configuration, and attempts to verify the Internet connection.


    Upon receiving the DEBUG command, Tigerbot will:

    1. Immediately return the currently running process names. This gives us a way to identify the victim.
    2. After 12 seconds, return Tigerbot’s configuration if the copy is not yet activated.
    3. After 20 seconds, check the network status by connecting to a URL and return the network status to the SMS sender.
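    As an added illustration (not code from the original analysis), the following Python script shows how a defender could scan a device-side SMS log for the command names listed above and count the automated replies that follow an inbound command, which for DEBUG arrive at roughly 0, 12 and 20 seconds. The log format and the sample lines are constructed for this example.

```python
"""Flag SMS traffic matching the Tigerbot command-and-reply pattern."""
from datetime import datetime, timedelta

# Command names listed in the analysis above.
TIGERBOT_COMMANDS = {"DEBUG", "CHANGE_IAP", "PROCESS_LIST_ADD",
                     "PROCESS_LIST_DELETE", "ACTIVE", "DEACTIVE"}

# Constructed sample of a device-side SMS log (not a real capture):
# "<ISO timestamp> <IN|OUT> <peer number> <message text>"
SAMPLE_LOG = """\
2012-04-18T10:00:00 IN  +15550001111 hi, lunch later?
2012-04-18T10:00:05 OUT +15550001111 sure
2012-04-18T10:05:00 IN  +15559998888 DEBUG
2012-04-18T10:05:01 OUT +15559998888 com.android.phone;com.example.bank
2012-04-18T10:05:13 OUT +15559998888 cfg: not activated
2012-04-18T10:05:21 OUT +15559998888 net: ok
2012-04-18T10:30:00 IN  +15559998888 PROCESS_LIST_ADD com.example.bank
"""


def parse_line(line):
    """Split one log line into (timestamp, direction, peer, text)."""
    ts, direction, peer, text = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), direction, peer, text


def find_suspicious(log, reply_window=timedelta(seconds=30)):
    """Return (timestamp, peer, command, reply_count) for every inbound SMS
    whose first word is a Tigerbot command name. reply_count is the number of
    outbound SMS sent back to the same number inside reply_window, wide enough
    to cover the three staged DEBUG replies (0 s, 12 s, 20 s)."""
    entries = [parse_line(l) for l in log.splitlines() if l.strip()]
    findings = []
    for ts, direction, peer, text in entries:
        if direction != "IN":
            continue
        cmd = text.split()[0]
        if cmd not in TIGERBOT_COMMANDS:
            continue
        replies = sum(1 for t2, d2, p2, _ in entries
                      if d2 == "OUT" and p2 == peer
                      and ts <= t2 <= ts + reply_window)
        findings.append((ts, peer, cmd, replies))
    return findings


if __name__ == "__main__":
    for ts, peer, cmd, n in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {peer} {cmd}: {n} automated replies within 30 s")
```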


    Posted in Malware, Mobile | Comments Off on A Closer Look at ANDROIDOS_TIGERBOT.EVL

    Today, Trend Micro is proud to announce that we are taking part in Facebook’s new security initiative to help protect its more than 900 million users against the wide variety of threats that target users of the world’s most popular social network.

    As part of this initiative:

    • Facebook and Trend Micro will work together to leverage the latter’s threat intelligence capabilities, particularly its knowledge of malicious websites, to protect Facebook users. This means even non-Trend Micro users of Facebook will also be protected by the enhanced capabilities of the Trend Micro™ Smart Protection Network™ against threats commonly found on the social network like survey scams.
    • Users in the US, Canada, Britain, and Australia can download a free copy of either Titanium™ Security Essentials (for Windows users) or Smart Surfing (for Mac users). This free copy will be valid for six months, and all users have to do is like the Fearless Web page and visit the new AV Marketplace section to download a copy.

    Among the threats that users face on Facebook are survey scams, which frequently leverage the latest viral trend du jour. In the most recent example we’ve seen, fake news of Justin Bieber supposedly stabbing a fan was used to lure users onto malicious sites that kept redirecting to various survey sites.

    Upon completing the “win an iPad 2 UK” offer, viewers are redirected to several other pages where more videos (and survey scams) are hosted:



    Posted in Exploits, Malware, Social, Spam | Comments Off on Trend Micro Partners with Facebook: What It Means for Users

    Clutter is something that appears harmless in small amounts, but can be a hassle if it accumulates. That’s why it’s a good idea to devote time to clearing it out – not just from our houses and living spaces, but also from our digital lives. Doing so not only improves our overall image, it also eliminates the possibility of any embarrassing moments when company comes over to visit (or, in our digital life’s case, when someone visits our profile). Just as a clean house is always better to live in than a messy one, a digital life that’s free from electronic rubble benefits not only us, but also those around us.

    To help you on your way, we’ve put together an e-guide containing handy tips for taking the clutter out of your digital life. Specifically, this guide focuses on the three main aspects of your digital life: your desktop (or laptop, whichever applies), your mobile device, and your digital reputation.

    We also included some pointers that you can take to heart not just for those three aspects, but in whatever you do. These can be helpful not only for keeping what’s important away from cybercriminals, but also for ensuring that crucial data never gets lost.

    You can check out our guide in full. For additional tips, you can also check out the relevant article posted at Fearless Web here.

    Posted in Social | Comments Off on Putting an End to Digital Clutter

    I presented Trend Micro’s Threat Research group’s observations on Tuesday (24 April 2012) at Usenix LEET 2012 in San Jose, California. This was an invited industry position paper, so it was not a difficult task for me to collect several observations from my team which reflect significant developments in the current threat landscape, submit a position paper, and subsequently present the rationale for those observations.

    Trend Micro’s Threat Research group is specially tasked with looking forward on the threat landscape and working with technology and/or various product development groups inside the company to ensure that, as a company, we deliver the appropriate security solutions to address emerging threats to our customers. Accomplishing this requires our threat research group to understand, explore, and deconstruct the various malicious technologies, campaigns, vulnerabilities, and exploits currently being perpetrated on victims.

    Our esteemed director, Martin Roesler, likes to compare us to Army Scouts — we go out ahead of the troops to assess enemy troop strength, location, capabilities, etc., so that our commanders can formulate an effective battle plan.

    Briefly, I’d like to share the highlights of these emerging threat observations here. These issues represent what we consider to be significant developments on the emerging threat landscape, warranting mention because of the threat they represent from a security perspective.

    Evolution, Commoditization, Professionalism of Exploit Kits

    Exploit kits, such as the ever-popular Black Hole Exploit Kit, have skyrocketed in both popularity and volume as the “weapon of choice”. We observe that this phenomenon has served to increase the attack surface enormously for victimization, and see this trend increasing. The ongoing life-cycle support and development factors, and the fact that these kits have become commoditized (being bought, sold, and bartered in the criminal underground), indicate that we will see continual use of them by cybercriminals.

    Increasing Sophistication of Traffic Direction Systems (TDS)

    Traffic Direction Systems (TDS) are used to (as the name implies) direct victim traffic to various landing pages, such as exploit kits, Rogue AV, fake pharmaceuticals, etc., depending on the pay-per-click or pay-per-install campaign; in essence, they track traffic, browser referrers, and affiliate campaigns, and manage the monetization of these campaigns. They are quite efficient and useful for the groups using them (from a “business” perspective), and we see these TDS systems, like the popular Sutra TDS, growing in usage and popularity.

    Smaller, Diversified Botnets

    We are also seeing that cybercriminals are shifting to smaller, more diversified botnets as opposed to larger, more monolithic botnets, simply to avoid losing all their infrastructure to a “take-down”, whether that is a domain registrar suspending domains involved in the campaign, disconnection of communication services, or law enforcement seizure of assets. This follows the “don’t put all your eggs in one basket” rule of thumb, and cybercriminals are simply moving to blend in with the noise as much as possible. It stands to reason that it is much harder to take down 600 botnets of 1,000 bots each than it is to take down one botnet of 600,000 bots.


    Modularization is a phenomenon we are seeing especially with Banking Trojans such as ZeuS, SpyEye, Carberp, etc., wherein special-purpose plug-ins are being developed which can be “snapped in” at will. For example, plug-ins for screen-grabbers, back-connects, web injects, etc., allow simplified feature sets to be purchased and used individually. This further commoditizes specialized Trojans and creates a market for specialized crime. We are already seeing this development elsewhere in the threat landscape with exploit kits, so there is reason to believe that this is an area of concern which needs to be monitored.

    Evolution of Mobile Threats

    Regardless of the sheer number of mobile threats currently appearing on various marketplaces, for the most part we see these as simply “proof-of-concept” – while they may indeed be malicious, steal victim information, hijack accounts, send premium SMS, and so on, they do not reflect what we consider to be “significant crime” at this point – there is no real concerted effort to target e-commerce or banking applications. We expect that to change dramatically with the next generation of handsets that fully support NFC (Near Field Communications) functionality in firmware, when a much larger percentage of the consumer market will begin to adopt more e-commerce and financial applications. Once there is significant profit to be made, we expect a much larger, more serious targeting of the mobile landscape by “professional” cybercriminals.


    Posted in Bad Sites, Exploits, Malware, Social | Comments Off on Usenix LEET 2012: Observations on Emerging Threats


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice