TrendLabs Malware Blog - Trend Micro
    Archive for April 25th, 2012

    I presented Trend Micro’s Threat Research group’s observations on Tuesday (24 April 2012) at Usenix LEET 2012 in San Jose, California. This was an invited industry position paper, so it was not a difficult task for me to collect several observations from my team that reflect significant developments in the current threat landscape, submit a position paper, and then present the rationale for those observations.

    Trend Micro’s Threat Research group is specially tasked with looking forward on the threat landscape and working with technology and/or product development groups inside the company to ensure that, as a company, we deliver the appropriate security solutions to address emerging threats to our customers. Accomplishing this requires the group to understand, explore, and deconstruct the malicious technologies, campaigns, vulnerabilities, and exploits currently being used against victims.

    Our esteemed director, Martin Roesler, likes to compare us to Army Scouts: we go out ahead of the troops to assess enemy troop strength, location, capabilities, etc., so that our commanders can formulate an effective battle plan.

    Briefly, I’d like to share the highlights of these observations here. They represent what we consider to be significant developments on the emerging threat landscape, and each warrants mention because of the threat it represents from a security perspective.

    Evolution, Commoditization, Professionalism of Exploit Kits

    Exploit kits, such as the ever-popular Black Hole Exploit Kit, have skyrocketed in both popularity and volume as the “weapon of choice”. We observe that this phenomenon has enormously increased the attack surface for victimization, and we see the trend continuing. The ongoing life-cycle support and development behind these kits, and the fact that they have become commoditized (bought, sold, and bartered in the criminal underground), indicate that cybercriminals will keep using them.

    Increasing Sophistication of Traffic Direction Systems (TDS)

    Traffic Direction Systems (TDS) are used, as the name implies, to direct victim traffic to various landing pages, such as exploit kits, rogue AV, or fake pharmaceuticals, depending on the pay-per-click or pay-per-install campaign; in essence they track traffic, browser referrers, and affiliate campaigns, and manage the monetization of those campaigns. They are quite efficient and useful for the groups using them (from a “business” perspective), and we see TDS software such as the popular Sutra TDS growing in usage and popularity.

    Smaller, Diversified Botnets

    We are also seeing cybercriminals shift to smaller, more diversified botnets as opposed to larger, more monolithic ones, simply to avoid losing all their infrastructure to a single “take-down”, whether that is a domain registrar suspending domains involved in the campaign, disconnection of communication services, or law enforcement seizure of assets. This follows the “don’t put all your eggs in one basket” rule of thumb, and cybercriminals are simply trying to blend in with the noise as much as possible. It stands to reason that it is much harder to take down 600 botnets of 1,000 bots each than it is to take down one botnet of 600,000 bots.


    Modularization is a phenomenon we are seeing especially with banking Trojans such as ZeuS, SpyEye, and Carberp, wherein special-purpose plug-ins are developed that can be “snapped in” at will. For example, plug-ins for screen grabbers, back-connects, web injects, and so on allow individual features to be purchased and used separately. This further commoditizes specialized Trojans and creates a market for specialized crime. We are already seeing this development elsewhere in the threat landscape with exploit kits, so there is reason to believe that this is an area of concern that needs to be monitored.

    Evolution of Mobile Threats

    Despite the sheer number of mobile threats currently appearing on various marketplaces, we see most of them as simply “proof-of-concept”: while they may indeed be malicious, steal victim information, hijack accounts, send premium SMS, and so on, they do not reflect what we consider “significant crime” at this point, as there is no real concerted effort to target e-commerce or banking applications. We expect that to change dramatically with the next generation of handsets that fully support NFC (Near Field Communication) in firmware, when a much larger percentage of the consumer market will begin to adopt e-commerce and financial applications. Once there is significant profit to be made, we expect a much larger, more serious targeting of the mobile landscape by “professional” cybercriminals.


    Posted in Bad Sites, Exploits, Malware, Social | Usenix LEET 2012: Observations on Emerging Threats

    Global political news is a popular social engineering hook, used to lure users into malicious schemes. We have recently found a malicious file leveraging a noteworthy incident, one that leads to systems being infected with a backdoor.

    During the second week of April, the most talked-about news was North Korea’s failed attempt to launch a rocket. As expected, the bad guys were on the prowl for the next social engineering bait, and this news item was found to be a fitting choice.

    The file we found was named North Korea satellite launch eclipses that of Iran.doc. This file, detected as TROJ_ARTIEF.DOC, may arrive as an attachment to an email message. Despite its .doc extension, the file is an RTF document: once opened in Word, the Trojan exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333, patched in MS10-087) to drop the backdoor BKDR_POISON.DOC onto the system.
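    As an added example (not Trend Micro’s code and not part of the original post), the following Python script shows the checks an analyst would run on such an attachment before opening it: whether the bytes are RTF text despite the .doc extension (which is what the ARTIEF detection name reflects), and whether the document carries a drawing-object pFragments property with an oversized \sv value, the construct through which CVE-2010-3333 is triggered. Both sample documents are constructed here; LURE_RTF copies only the layout with inert filler and is not the real malware, and the 64-byte threshold is our assumption rather than a vendor setting.

```python
"""Triage an e-mail attachment for a CVE-2010-3333-style RTF lure (added example)."""
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File header: a genuine binary .doc
RTF_MAGIC = b"{\\rt"                             # Word accepts this truncated prefix, not only {\rtf1

# A drawing-object property named pFragments followed by its \sv value.
# The MS10-087 stack overflow (CVE-2010-3333) is reached through an oversized pFragments value.
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments\s*\}\s*\{\s*\\sv\s*([^}]*)", re.S)

# Assumption (ours, not a vendor threshold): a legitimate pFragments value is a few bytes;
# anything this large is treated as an exploit attempt.
SV_PAYLOAD_THRESHOLD = 64


def triage_rtf(data: bytes, filename: str) -> dict:
    """Return file-type, masquerading and pFragments indicators plus a verdict."""
    report = {
        "is_rtf": data.startswith(RTF_MAGIC),
        "is_ole_doc": data.startswith(OLE_MAGIC),
        "extension_mismatch": False,
        "pfragments": False,
        "sv_payload_bytes": 0,
        "verdict": "clean",
    }
    # Plain RTF text carrying a .doc extension is how TROJ_ARTIEF-style lures usually arrive.
    if report["is_rtf"] and filename.lower().endswith(".doc"):
        report["extension_mismatch"] = True
    match = PFRAGMENTS_RE.search(data)
    if match:
        report["pfragments"] = True
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))
        report["sv_payload_bytes"] = len(hexdigits) // 2
        if report["sv_payload_bytes"] >= SV_PAYLOAD_THRESHOLD:
            report["verdict"] = "suspicious"
    return report


# Constructed samples, not the real TROJ_ARTIEF.DOC: a harmless RTF note, and an RTF shell
# that copies the exploit layout with inert 0x41 filler in place of a payload.
BENIGN_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\\f0 Quarterly report attached.\\par}"
LURE_RTF = (
    b"{\\rt\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;4;"
    + b"41" * 256
    + b"}}}}}"
)

if __name__ == "__main__":
    for name, blob in (
        ("report.rtf", BENIGN_RTF),
        ("North Korea satellite launch eclipses that of Iran.doc", LURE_RTF),
    ):
        print(name, triage_rtf(blob, name))
```

    The extension mismatch alone is not malicious (Word happily opens RTF named .doc), but combined with a large pFragments value it is a strong signal for this exploit family; a genuine binary .doc starts with the OLE header and never matches the RTF branch.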

    This particular backdoor has some interesting routines. Based on our analysis, it communicates with a command-and-control server on TCP port 443, which lets the traffic blend in with ordinary HTTPS and pass through most egress firewalls. The remote attacker can then issue several commands, including screen capture and webcam and audio grabbing, which allows them to monitor the user’s activities on the infected system.

    This attack is reminiscent of similar cases we’ve reported in the past, wherein cybercriminals use messages with important-looking file names, which turn out to be malware that exploits particular vulnerabilities.

    Trend Micro protects users from this attack via products powered by the Trend Micro™ Smart Protection Network™. Moreover, Trend Micro Deep Security and Intrusion Defense Firewall prevent the exploit targeting CVE-2010-3333 via rule 1004498 – Word RTF File Parsing Stack Buffer Overflow Vulnerability.

    With additional input from Nart Villeneuve

    Posted in Exploits, Malware, Targeted Attacks | North Korea Rocket Launch Used As Backdoor Lure

    We saw samples of email messages disguised as notifications from popular social networking sites, in particular LinkedIn, foursquare, Myspace, and Pinterest. These spam messages contain links that direct users to bogus pharmaceutical or fraud sites. They also use legitimate-looking sender addresses to appear credible to recipients. Using well-known brands like these is effective in luring users into the scheme, as it lends credence to an otherwise obvious scam.

    Fake foursquare Email Notifications

    We uncovered spammed messages masked as notifications from foursquare, a popular location-based social networking site. The first sample we found pretends to be an email alert, stating that someone has left a message for the recipient. The second message is in the guise of a friend confirmation notification.

    Both messages use the address in the ‘From’ field and bear a legitimate-looking Message-ID. Similar to previous spam campaigns using popular social networking sites, the attackers here also disguised the malicious URLs. If users click them, the URLs lead to an empty web page containing another URL, which ultimately leads to a website selling sex-enhancement drugs.
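    To make the two signals in this post concrete, the following Python script (added here; it is not Trend Micro’s code) parses a constructed notification modelled on the fake foursquare alert, confirms that the From address and Message-ID both claim the brand’s domain, and then lists the link domains that do not belong to that brand. The spoofed From header and the legitimate-looking Message-ID pass the check; the links are what give the message away. Every domain inside the samples is a placeholder, the brand list is an assumption for this demo, and the registrable() helper is a simplification (last two labels) rather than a public-suffix lookup. Following the redirect chain to the final pharmacy site needs network access and is left out.

```python
"""Brand-impersonation check for social-network notification spam (added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption: the brands this post describes as impersonated.
BRAND_DOMAINS = {"foursquare.com", "linkedin.com", "myspace.com", "pinterest.com"}
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)

# Constructed samples modelled on the fake foursquare alert; every domain here is a placeholder.
SPAM_EMAIL = b"""From: foursquare <noreply@foursquare.com>
To: victim@example.com
Subject: You have a new message
Message-ID: <20120425123456.ABCDEF@mail.foursquare.com>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone left you a message.</p>
<p><a href="http://redirector.example.net/go?id=17">View message</a></p>
<p><a href="http://foursquare.com/help">Help</a></p>
</body></html>
"""

GENUINE_EMAIL = b"""From: foursquare <noreply@foursquare.com>
To: victim@example.com
Subject: You have a new message
Message-ID: <20120425123457.ABCDEF@mail.foursquare.com>
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://foursquare.com/messages/1">View message</a></p>
</body></html>
"""


def registrable(host: str) -> str:
    """Crude site name: the last two labels (assumption: no public-suffix list needed here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_message(raw: bytes) -> dict:
    """Compare the brand claimed by From/Message-ID with where the links really go."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = registrable(msg["From"].addresses[0].addr_spec.rsplit("@", 1)[1])
    mid = str(msg["Message-ID"] or "")
    mid_dom = registrable(mid.rstrip(">").rsplit("@", 1)[-1]) if "@" in mid else ""
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    link_doms = [registrable(urlparse(url).hostname or "") for url in HREF_RE.findall(body)]
    foreign = sorted({d for d in link_doms if d != from_dom})
    return {
        "claimed_brand": from_dom,
        "message_id_matches_from": mid_dom == from_dom,  # true for both samples: a weak signal
        "foreign_link_domains": foreign,
        "verdict": "suspicious" if from_dom in BRAND_DOMAINS and foreign else "clean",
    }


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(label, triage_message(raw))
```

    The point of the second sample is that header plausibility is not evidence: both messages carry a matching From domain and Message-ID, and only the off-brand link domain separates them. In production the From domain would be replaced by the domain that passed SPF/DKIM, since the From header itself is attacker-controlled.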




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice