
    Archive for May, 2012



May 31, 2012, 2:11 pm (UTC-7)

    In our recent post about the Flame malware, we promised to update you with information from our ongoing investigation. Today we wanted to give you the latest information on the threat itself, protections available for Trend Micro customers and results from our analysis so far. In a nutshell, while Flame is a very interesting piece of malware, it’s not a broad threat.

Flame has drawn a lot of attention over the past few days, but it is noteworthy because of the nature of the malware and its apparently very limited and specific targets, not because of its reach. Flame right now is not a significant threat to users more broadly. Information from our Smart Protection Network™ and from our work with customers shows the actual number of infections to be extremely low and confined to the Middle East and Africa regions.

    The threat from Flame is lessened even more for Trend Micro customers because they are protected against the attack both through current signatures (which detect the malware as WORM_FLAMER.A and the configuration files as TROJ_FLAMER.CFG) and URL blocking of identified command and control (C&C) servers.

Because our focus is on protecting Trend Micro customers, our ongoing analysis concentrates on identifying additional C&C servers, which are geographically dispersed and can move. Interestingly, our analysis shows the C&C servers to be located primarily in Europe and Asia.

The malware itself is focused on stealing data and is very large, which makes thorough analysis slow. In this case, the size is due to the multi-faceted capabilities of the malware: it has been equipped with a variety of tools to accomplish its mission once it has made its way into the target network. Some of the components it includes date back to 2009.

As Rik Ferguson also noted, the malware is unusual because it appears to be written in the Lua programming language, which is often used as a scripting language by game developers and is not typically used for malware.

Our analysts are continuing to work to understand all the components in this malware, and in particular to keep adding URL blocking as new C&C servers are identified. While Flame itself does not represent a broad risk right now, there is a risk that the malware will be taken up by others and repurposed for broader attacks, as we have seen with similar attacks such as Stuxnet. Our worldwide teams are watching for that; if we see it, we will add protections and provide information for Trend Micro customers on this blog as soon as possible.

    Update as of June 1, 2012 3:17 AM PST

    Trend Micro protects enterprises from the malicious network packets related to FLAME via Trend Micro Deep Discovery.

    Update as of June 4, 2012 2:49 AM PST

Trend Micro has been protecting users against the two vulnerabilities used to deploy Flame since 2010. In particular, Trend Micro Deep Security protects users from exploits targeting MS10-061 via rule 1004401 (released in September 2010) and MS10-046 via rules 1004314, 1004293, 1004294, 1004308, 1004304, and 1004302 (released in July and August 2010).

    Update as of June 4, 2012 7:21 PM PST

Microsoft issued Security Advisory 2718704 to revoke two certificates that are being used by Flame components. Users running Windows XP, Vista, Server 2003, Server 2008 (Server Core Installation included), and 7, as well as users of Windows Mobile 6, 7, and 7.5, are advised to run Microsoft Update to download and install the security update from Microsoft.

Posted in Malware, Targeted Attacks


May 29, 2012, 5:02 pm (UTC-7)

    We were alerted to reports about the info stealing malware Flame, which has reportedly been seen in Iran and certain countries since 2010. Dubbed the most sophisticated malware, Flame is capable of performing several information stealing techniques, including capturing screen shots, and recording audio via the affected computer’s microphone. Because of its scope and specific targets, Flame has drawn comparison to other notorious threats such as Stuxnet. Stuxnet, malware that surfaced in 2010, targets SCADA systems.

Trend Micro detects Flame malware as WORM_FLAMER.A. In our ongoing analysis, we have found that this worm spreads via removable drives. It is also capable of spreading to other computers in a local network once one machine within that network is infected. Other significant routines of this worm include terminating running processes, mostly anti-malware, firewall, and other security-related ones; capturing screen shots; recording audio; propagating; and logging and reporting its activities.

    Trend Micro protects users from WORM_FLAMER.A by detecting and removing it from affected computers. The configuration files, TROJ_FLAMER.CFG, used by this worm are also detected and removed from systems. We will regularly update you in succeeding blog entries as we find more results in our investigation.

    Update as of May 29, 2012, 8:54 PM PST

    In addition to detecting WORM_FLAMER.A and its configuration files, Trend Micro also blocks access to all found related URLs as we move forward with our investigation.

    Update as of June 5, 2012, 1:02 AM PST

Trend Micro has been protecting users against the two vulnerabilities used to deploy Flame since 2010. In particular, Trend Micro Deep Security protects users from exploits targeting MS10-061 via rule 1004401 (released in September 2010) and MS10-046 via rules 1004314, 1004293, 1004294, 1004308, 1004304, and 1004302 (released in July and August 2010).

Moreover, as more components are uncovered in relation to Flame, new findings indicate that some of these components might be using certificates issued by Microsoft. To mitigate this risk, Microsoft issued Security Advisory 2718704 to revoke two certificates that are being used by Flame components. Users running Windows XP, Vista, Server 2003, Server 2008 (Server Core Installation included), and 7, as well as users of Windows Mobile 6, 7, and 7.5, are advised to run Microsoft Update to download and install the security update from Microsoft.

Posted in Malware, Targeted Attacks



    We released a new research paper describing the activities of another APT campaign, IXESHE (pronounced “i-sushi”).

One of the most notable characteristics of the IXESHE campaign is the attackers' use of compromised servers inside target organizations as command-and-control (C&C) servers. This tactic allowed them to hide their presence by mixing their activities with the traffic and data of legitimate users. In one particular case, we saw C&C servers hosted on compromised machines belonging to an East Asian country, which made targeted attacks against that government easier. In another case, we received an error message from a C&C server indicating that the front-end servers were merely acting as proxies for the actual back-end servers.

Our research also showed that the attackers used dynamic Domain Name System (DNS) services and broadly distributed external C&C servers around the world to make detection and takedowns more difficult.

    The IXESHE campaign has been underway since at least July 2009 when we first saw samples of this particular malware family. Its primary method of entry into user systems is via malicious .PDF files that exploit Adobe Acrobat, Reader, or Flash Player vulnerabilities. These malicious files are sent as attachments to targeted emails sent to potential victims within target organizations.

    In the process of our investigation, we were able to determine that its victims could be broadly classified into three categories:

    • East Asian governments
    • Electronics manufacturers
    • A German telecommunications company

    For further details, please consult the full paper which you can download from the Security Intelligence section of the Trend Micro website.




    Recently ZTE acknowledged the existence of a vulnerability in its Android-based smartphone Score M. The said vulnerability, if exploited, can allow attackers to operate with root privileges—a scenario that can mean an attacker will have complete control over the affected phone. We have taken some time to analyze this backdoor in order to help affected users remove it from their Score M handsets.

This backdoor is an ELF (Executable and Linkable Format) file under /system/bin/ named "sync_agent". It ships with the "setuid" permission bit set, which allows it to elevate itself to root once launched.

Upon execution, this backdoor compares the password supplied on the command line against the password hard-coded in its binary, "ztex1609523". If they match, it calls the setuid system call with 0 as the parameter. Because the binary carries the setuid attribute, this call succeeds even when the user who launched the backdoor does not have root privileges. It sets the backdoor's EUID (effective UID) to 0, which means root privileges.

    The backdoor then launches the program /system/bin/sh to get a root shell.

We then used strace to trace all the system calls made by the backdoor's process. The trace confirmed that the backdoor set itself as root and then executed /system/bin/sh.

    Throughout these calls, the user never sees any prompt that the backdoor has gained root privilege or that any other command is being executed.

    Based on our analysis, it appears this root shell can only be used locally, because this backdoor didn’t open any socket or any other remote communication tunnel.

However, we believe it can be used by other malicious applications to obtain a remote root shell. All a malicious app needs to do is hand a shell script to the backdoor, and that script will be executed as root.

For instance, we wrote a small test shell script. This script does nothing but print a line of several 'L's and then print its id to show that it runs with root privileges.

We then ran the backdoor with our script passed as a parameter. The output showed that our script ran successfully, and the strace system call log confirmed it: the arguments passed to execve had changed to our shell script.

In conclusion, malware can easily use this backdoor in combination with a remote backdoor or bot. The malicious app need only receive an SMS command or connect to a remote C&C server for instructions from a remote attacker, then call the local backdoor with a shell script of the attacker's choosing.

    If you own a ZTE Score M you can remove this backdoor by following these instructions:

1. Run the backdoor from an adb shell: /system/bin/sync_agent ztex1609523
2. To check which block device your /system directory is mounted from, use the command: mount. Look for the line whose mount point is /system and note its device name.
3. Remount the system partition read-write with the command: mount -o remount,rw /your/device/name /system
4. Remove the backdoor from the system with the command: rm /system/bin/sync_agent
5. Terminate the backdoor with Ctrl+C.
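After removal, it is worth confirming that no other unexpected setuid or setgid executables remain in the system partition, since that is the property that made sync_agent dangerous. The following audit function is an added example, not part of the original post or any ZTE or Trend Micro tool; it assumes a POSIX-compatible find (for example from busybox) is available in the adb shell, and the allowlist names used are constructed.

```sh
#!/bin/sh
# Added example: list setuid/setgid executables under a directory that are
# not on an allowlist of expected names. On the Score M the backdoor was
# /system/bin/sync_agent with the setuid bit set, so a scan of /system/bin
# would report it. Assumes a POSIX find (e.g. busybox) is available.

# Usage: audit_setuid DIR [ALLOWLIST]
#   DIR       directory to scan, e.g. /system/bin
#   ALLOWLIST whitespace-separated basenames expected to be setuid/setgid
# Prints one unexpected path per line and returns 1 if any were found,
# 0 otherwise. Paths are assumed not to contain whitespace.
audit_setuid() {
    dir=$1
    allow=${2:-}
    found=0
    # -perm -4000 matches setuid, -perm -2000 matches setgid (POSIX find)
    list=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort)
    for f in $list; do
        base=$(basename "$f")
        ok=0
        for a in $allow; do
            [ "$a" = "$base" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return $found
}

# Run directly, e.g. from adb shell:  sh audit_setuid.sh /system/bin "su"
# (the allowlist here is a constructed example; build yours from a known-good image)
if [ "$#" -gt 0 ]; then
    audit_setuid "$@"
fi
```

Compare the output against a known-good firmware image of the same model; any extra setuid binary deserves the same scrutiny sync_agent received.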

To keep your mobile device safe from malicious applications, make sure you have a trusted mobile security solution installed, such as Mobile Security Personal Edition.

To learn more about how to better protect yourself from threats to your mobile devices, you may read our comprehensive e-guides.

Update as of May 26, 2012 3:31 AM PST

    Trend Micro detects this backdoor as ANDROIDOS_GAPUSSIN.CDC.

Posted in Malware, Mobile



Do standard security solutions work against advanced persistent threats (APTs)? Are APTs crafted to extract specific files from an organization? Are data breaches caused by APTs? IT groups today face the challenge of protecting their networks against APTs—computer intrusions by threat actors that aggressively pursue and compromise targets. To help organizations formulate strategies against APTs, TrendLabs prepared an infographic that illustrates the different stages of an intrusion.

By analyzing each stage of an attack, IT groups can gain insight into the tactics and operations of an active attack against their networks. This analysis helps build local threat intelligence—internal threat profiles developed through intimate knowledge and observation of attacks against a specific network—which is key to mitigating future attacks by the same threat actors. The stages our researchers have identified are intelligence gathering, point of entry, command-and-control (C&C) communication, lateral movement, asset/data discovery, and data exfiltration.

Certain realities make dealing with each stage of an APT attack more difficult than dealing with ordinary cybercrime. For instance, in the asset discovery stage, where the attacker is already inside the network enumerating which assets are valuable enough to extract, a data loss prevention (DLP) strategy can prevent access to confidential information. However, according to a survey, while company secrets make up two-thirds of a company's information portfolio, only half of security budgets are allocated to protecting them.

    More of these realities are highlighted in the infographic, “Connecting the APT Dots.”

Posted in Exploits, Targeted Attacks, Vulnerabilities



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice