TrendLabs Security Intelligence Blog

    Archive for May 29th, 2012



May 29, 2012, 5:02 pm (UTC-7)

We were alerted to reports about the information-stealing malware Flame, which has reportedly been seen in Iran and certain other countries since 2010. Dubbed by some researchers the most sophisticated malware seen to date, Flame is capable of several information-stealing techniques, including capturing screenshots and recording audio via the affected computer’s microphone. Because of its scope and specific targets, Flame has drawn comparisons to other notorious threats such as Stuxnet, the malware that surfaced in 2010 and targeted SCADA (industrial control) systems.

Trend Micro detects Flame as WORM_FLAMER.A. Our ongoing analysis shows that this worm spreads via removable drives and can also propagate to other computers on the local network once one machine there is infected. Its other significant routines include terminating running processes, mostly those belonging to anti-malware, firewall, and other security software; capturing screenshots; recording audio; and logging and reporting its own activities.

Trend Micro protects users by detecting and removing WORM_FLAMER.A from affected computers. The configuration files used by this worm, detected as TROJ_FLAMER.CFG, are also detected and removed. We will post updates in succeeding blog entries as our investigation yields more results.

    Update as of May 29, 2012, 8:54 PM PST

In addition to detecting WORM_FLAMER.A and its configuration files, Trend Micro also blocks access to all related URLs found so far, and will add more as the investigation moves forward.

    Update as of June 5, 2012, 1:02 AM PST

Trend Micro has been protecting users from the two vulnerabilities used to deploy Flame since 2010. In particular, Trend Micro Deep Security protects against exploits targeting MS10-061 (the Windows Print Spooler vulnerability) via rule 1004401 (released September 2010) and MS10-046 (the Windows Shell .LNK shortcut vulnerability) via rules 1004314, 1004293, 1004294, 1004308, 1004304, and 1004302 (released July and August 2010). Both vulnerabilities were also exploited by Stuxnet.

Moreover, as more Flame components are uncovered, new findings indicate that some of them are signed with certificates issued by Microsoft’s certificate infrastructure. To mitigate this risk, Microsoft issued Security Advisory 2718704, which revokes trust in two certificates being used to sign Flame components. On hosts that have not applied the update, a binary signed with one of these certificates still passes signature validation as if it were signed by Microsoft. Users running Windows XP, Vista, Server 2003, Server 2008 (including Server Core installations), and Windows 7, as well as Windows Mobile 6, 7, and 7.5, are advised to run Microsoft Update to download and install the update.

     
Posted in Malware, Targeted Attacks



    We released a new research paper describing the activities of another APT campaign, IXESHE (pronounced “i-sushi”).

One of the most notable characteristics of the IXESHE campaign is the attackers’ use of compromised servers inside target organizations as command-and-control (C&C) servers. This tactic lets them hide their presence by mixing their traffic with data belonging to legitimate users of those servers. In one particular case, we saw C&C servers hosted on the compromised machines of an East Asian government, which made targeted attacks against that government easier. In another case, we received an error message from a C&C server indicating that the front-end servers were merely acting as proxies for the actual back-end servers.

Our research also showed that the attackers used dynamic Domain Name System (DNS) services and external C&C servers broadly distributed around the world to make detection and takedowns more difficult.
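One practical consequence of the dynamic DNS tactic is that resolver logs become a useful hunting source: a host that repeatedly resolves a name under a dynamic-DNS provider's zone is worth a look. The script below is an added example for this post, not Trend Micro code and not part of the IXESHE paper; the log line format, the list of dynamic-DNS zones, and the sample log are all assumptions constructed for illustration.

```python
"""Flag DNS queries for names under dynamic-DNS provider zones.

Added example for this post; it is not Trend Micro code and not part of the
IXESHE research. The log line format and the list of dynamic-DNS zones are
assumptions for illustration; substitute your resolver's format and your own
zone list in practice.
"""
import re
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2012-05-29T10:00:01Z 10.1.2.15 www.example.com
2012-05-29T10:00:07Z 10.1.2.15 update.dyndns.org
2012-05-29T10:05:07Z 10.1.2.15 update.dyndns.org
2012-05-29T10:10:07Z 10.1.2.15 update.dyndns.org
2012-05-29T10:11:30Z 10.1.2.40 mail.example.com
2012-05-29T10:12:02Z 10.1.2.40 news.3322.org
2012-05-29T10:12:09Z 10.1.2.41 notdyndns.org
this line is not a query record
"""

# Illustrative zones operated by dynamic-DNS providers (assumption; extend locally).
DYNDNS_ZONES = {
    "dyndns.org", "no-ip.com", "no-ip.org", "hopto.org", "zapto.org",
    "3322.org", "8866.org", "vicp.net",
}

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def dyndns_zone(name):
    """Return the dynamic-DNS zone `name` falls under, or None.

    Matching is done on label boundaries, so 'x.dyndns.org' matches
    'dyndns.org' while 'notdyndns.org' does not.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DYNDNS_ZONES:
            return candidate
    return None


def find_dyndns_queries(log_text):
    """Return (timestamp, client, name, zone) for every query to a dynamic-DNS zone."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not query records instead of failing
        ts, client, name = m.groups()
        zone = dyndns_zone(name)
        if zone is not None:
            hits.append((ts, client, name, zone))
    return hits


def summarize_by_client(hits):
    """Group hits per client: repeated resolution of one dynamic-DNS name by a
    single host is the beaconing pattern worth pulling into an investigation."""
    summary = defaultdict(lambda: {"count": 0, "names": set()})
    for _ts, client, name, _zone in hits:
        summary[client]["count"] += 1
        summary[client]["names"].add(name.lower())
    return dict(summary)


if __name__ == "__main__":
    for client, info in summarize_by_client(find_dyndns_queries(SAMPLE_LOG)).items():
        print(client, info["count"], sorted(info["names"]))
```

Matching on label boundaries rather than plain substring search avoids false positives on names that merely contain a provider's zone as text. A zone list alone is only a first filter: legitimate users do resolve dynamic-DNS names, so the per-client summary is what turns a hit into something an analyst can prioritize.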

The IXESHE campaign has been underway since at least July 2009, when we first saw samples of this malware family. Its primary method of entry into user systems is malicious .PDF files that exploit Adobe Acrobat, Reader, or Flash Player vulnerabilities. These files are sent as attachments in targeted emails to potential victims within target organizations.
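Exploit documents of this kind need a handful of PDF features to work: an action that fires on open, an embedded script to set up the heap, or embedded Flash content for Flash Player bugs. A quick static triage for those features is a cheap first pass before a sample goes to a sandbox. The script below is an added example for this post, not Trend Micro code and not from the IXESHE paper; the indicator list, the weights, the threshold, and the two sample documents are assumptions constructed for illustration.

```python
"""Static triage of a PDF for the features exploit documents rely on.

Added example for this post; it is not Trend Micro code and not from the
IXESHE paper. The indicator list and weights are assumptions chosen for
illustration, and the two sample documents are constructed inline.
"""
import re

# PDF name objects that exploit documents commonly need, with why each matters.
SUSPICIOUS_NAMES = {
    "/JavaScript": "embedded JavaScript (typical heap-spray vehicle)",
    "/JS": "JavaScript code stream or string",
    "/OpenAction": "action fires as soon as the document is opened",
    "/AA": "additional actions triggered automatically",
    "/Launch": "launches an external program",
    "/RichMedia": "embedded Flash content (Flash Player exploits)",
    "/EmbeddedFile": "embedded file attachment",
    "/XFA": "XFA form data",
    "/ObjStm": "object streams, which hide objects from naive scanners",
}
# Assumed weights: strong indicators score 3, supporting ones less.
WEIGHTS = {"/JavaScript": 3, "/JS": 3, "/Launch": 3, "/RichMedia": 2,
           "/OpenAction": 1, "/AA": 1, "/EmbeddedFile": 1, "/XFA": 1,
           "/ObjStm": 1, "no_pdf_header": 2}
SUSPICIOUS_THRESHOLD = 3  # assumption: one strong indicator is enough to escalate

# A PDF name token: '/' followed by regular characters; delimiters end it.
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]*)")


def decode_name(raw):
    """Resolve #xx hex escapes so obfuscated names (/J#61vaScript) normalize."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), raw)
    return "/" + decoded.decode("latin-1")


def triage_pdf(data):
    """Return {indicator: occurrence count} for the indicators found in `data`."""
    findings = {}
    if not data.startswith(b"%PDF"):
        findings["no_pdf_header"] = 1  # header missing or garbage prepended
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in SUSPICIOUS_NAMES:
            findings[name] = findings.get(name, 0) + 1
    return findings


def risk_score(findings):
    """Each distinct indicator counts once; repeated hits do not inflate the score."""
    return sum(WEIGHTS.get(k, 0) for k in findings)


def is_suspicious(data):
    return risk_score(triage_pdf(data)) >= SUSPICIOUS_THRESHOLD


# Constructed sample: /OpenAction pointing at an obfuscated JavaScript action.
SAMPLE_MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample');) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same skeleton with no actions or scripts.
SAMPLE_BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("malicious", SAMPLE_MALICIOUS_PDF), ("benign", SAMPLE_BENIGN_PDF)):
        f = triage_pdf(doc)
        print(label, risk_score(f), f)
```

Decoding `#xx` escapes before comparing names matters because `/J#61vaScript` is a valid spelling of `/JavaScript` that a plain string search misses. The caveat is that this is a surface scan: names inside compressed streams (FlateDecode, object streams) are invisible to it, which is exactly why `/ObjStm` is itself on the list.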

In the course of our investigation, we determined that its victims fall into three broad categories:

    • East Asian governments
    • Electronics manufacturers
    • A German telecommunications company

    For further details, please consult the full paper which you can download from the Security Intelligence section of the Trend Micro website.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice