    Archive for June, 2012




    Early this month, we reported on a technique used by an Android malware detected as ANDROIDOS_BOTPANDA.A, which involves modifications to the affected device that make the malware hard to remove. To help affected users, we have released a special tool that reverts the modifications made by ANDROIDOS_BOTPANDA.A and ultimately removes the malware from the system. The tool, called the BotPanda Cleaner, is now available for download on Google Play.

    48 Utility Apps Contain libvadgo

    Upon further probing, we found 55 malicious files packaged as 48 separate utility apps that contain libvadgo, 28 of which are still available online. Users typically encounter these on third-party app stores, where they can be downloaded for free. Based on the estimated download counts, these apps have at least 31,000 downloads so far.

    Below are some of these apps repackaged with the malicious library file:

    App Name             Package Name
    FMR Memory Cleaner   com.fantasmosoft.new
    SuperSU              eu.chainfire.newsupersu
    签名点ME             com.qianming.new
    Move2SD Enabler      com.iozhu.zyl
    Chainfire3D          eu.chainfire.new
    Squats               com.northpark.newsquats
    无线探测器           net.szym.barnacle
    Sit Ups              com.northpark.new
    程序隐藏器           ccn.andflyt.new
    Screenshot UX        com.nyzv.shotux


    Once installed, these apps function properly and do not overtly exhibit any unusual behavior to users. In reality, they are Trojanized apps: legitimate apps modified to include malicious code and libvadgo, repackaged, and then distributed by malicious developers.

    ANDROIDOS_BOTPANDA Noteworthy Behavior

    To make removal and cleanup difficult, ANDROIDOS_BOTPANDA.A replaces files, hooks important system commands, and kills certain processes on the infected device. What’s more, the malicious behavior is implemented at a low level, unlike most mobile malware, which uses the Android SDK. In the near future, we are likely to see more malicious and Trojanized apps employing this trick, making analysis harder for security researchers.

    Through libvadgo, ANDROIDOS_BOTPANDA.A communicates with C&C servers controlled by malicious users. This enables the remote user to execute commands on the device without the owner’s knowledge, including commands that steal information.

    Based on our analysis, the malware runs on rooted devices. On a rooted device, the malware and the malicious user easily gain root privileges on the infected device. The diagram below gives an overview of the noteworthy behavior of ANDROIDOS_BOTPANDA.A.

    For mobile devices on which ANDROIDOS_BOTPANDA.A is already installed, merely detecting and deleting the Trojanized app may not undo the changes already made by the malware.

    Trend Micro Fix Tool for ANDROIDOS_BOTPANDA.A

    Trend Micro has released a fix tool called BotPanda Cleaner to remove the files dropped by ANDROIDOS_BOTPANDA.A and restore the files it modified. This fix tool runs on Android OS devices, specifically Android 2.3 and Android 4.0. It needs root privileges in order to properly reverse the effects of the malware, which itself runs only when the device is rooted. The tool will not root the device on its own.

    To be more specific, this tool performs the following:

    1. Scans all files under every package install directory to find the file libvadgo
    2. Checks whether system files were modified by the malware
    3. Checks for the existence of other files generated by the malware
    4. Shows the user the result of the above three steps
    5. Advises the user to choose Delete to remove the infected apps and files, and to reboot the device after cleanup

    If the user clicks the Delete button, the tool:

    1. Removes all files generated by the malware under /system/bin/ and /system/lib
    2. Removes all apps that contain libvadgo
    3. Restores the two files modified by the malware, /system/bin/svc and /system/build.prop
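    The first three checks above, as an added triage script that is not the BotPanda Cleaner or any Trend Micro code: it runs read-only against a copy of a rooted device's /data and /system pulled with adb, and assumes the operator supplies baseline hashes and a clean file list recorded from a known-clean device on the same firmware (the sample tree, package names and hashes below are constructed).

```python
# Added example (not Trend Micro's BotPanda Cleaner): read-only triage of a device
# filesystem pulled with adb, mirroring the cleaner's first three checks. Baseline
# hashes and the clean file list are placeholders, recorded from a known-clean device.
import hashlib, os, tempfile
from pathlib import Path

def find_libvadgo_pkgs(root):
    """Step 1: app install directories under data/data that contain a libvadgo* file."""
    data_dir, hits = Path(root) / "data" / "data", []
    for pkg_dir in sorted(data_dir.glob("*")):
        for _dirpath, _subdirs, files in os.walk(pkg_dir):
            if any(f.startswith("libvadgo") for f in files):
                hits.append(pkg_dir.name)
                break
    return hits

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_system_files(root, baseline):
    """Step 2: map each baselined file (relpath -> sha256) to clean, modified or missing."""
    status = {}
    for rel, expected in baseline.items():
        path = Path(root) / rel
        status[rel] = ("missing" if not path.is_file()
                       else "clean" if sha256_of(path) == expected else "modified")
    return status

def extra_system_files(root, clean_list):
    """Step 3: files under system/bin and system/lib that are not on the clean list."""
    root, extras = Path(root), []
    for d in ("system/bin", "system/lib"):
        for dirpath, _subdirs, files in os.walk(root / d):
            for f in files:
                rel = Path(dirpath, f).relative_to(root).as_posix()
                if rel not in clean_list:
                    extras.append(rel)
    return sorted(extras)

def build_sample_tree():
    """Constructed sample image (not real device data): one clean app, one Trojanized app."""
    root = Path(tempfile.mkdtemp())
    for rel in ("data/data/com.example.clean/lib/libfoo.so", "data/data/com.example.bad/lib/libvadgo.so",
                "system/bin/sh", "system/bin/dropped"):   # "dropped" stands in for a malware-dropped file
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"")
    (root / "system/lib").mkdir()
    (root / "system/build.prop").write_text("ro.build.id=SAMPLE\n")
    return root
```

    Unlike the cleaner, this script only reports; removal and restoration of /system/bin/svc and /system/build.prop still require the tool on the rooted device.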

    As an added precaution, users are advised to be cautious before downloading any app, especially those coming from third-party app stores. To help users decide what’s safe, Mobile Security Personal Edition detects apps that contain this malicious library file.

    To learn more about how to enjoy your mobile devices safely and securely, you may refer to our comprehensive Digital Life e-guides below:

    Below is our infographic about the current Android OS threat landscape.

    Posted in Malware, Mobile



    Last week, we talked about how users can improve their passwords. However, there’s a reason why we have been talking about password security and best practices for some time yet still see problems with passwords today. Simply put, good password security is hard.

    Password security has always been a tradeoff between what people can remember and what’s difficult for attackers to guess. At the best of times, this was never an easy balance to get right. However, today’s computing environment is making that balance even harder.

    While passwords themselves have been in use for millennia in various forms, their use in computers has – until recent years – largely taken one form: something typed on a keyboard at a desktop or console. In a setup like that, entering long and secure passwords is perfectly acceptable, as a full-size keyboard is a good input mechanism for text.

    However, in mobile usage (i.e., smartphones and tablets), it’s not nearly as feasible to enter long passwords. Mobile keyboards – physical or virtual – are not as good as desktop ones. Users are far more likely to make errors in a situation like this – encouraging them to use shorter, insecure passwords. As more and more computing is done via these devices, this becomes a serious problem.

    There’s also the problem of the sheer number of passwords that the typical user has to manage nowadays. Our earlier study found that users have to manage, on average, at least 10 different accounts. That is a lot of accounts to manage without some form of memory aid, whether software such as a password manager (like DirectPass) or something else. In short, this is why Post-it notes with passwords are so common.

    This multitude of passwords is used in very different environments at work and at home. Enterprise IT practices include well-worn password policies like the mandatory inclusion of special characters or numbers, password changes after some fixed period of time, and forbidding the reuse of previous passwords. In isolation, each of these policies can be justified. Taken together, though, all they do is make life miserable for end users – who find a way around these policies anyway. The ultimate goal of password security ends up being subverted. Of course, these weak “work” passwords are still better than what users are using at home.

    For consumers, the best advice we can offer is what we said last week on how to create secure passwords. Inconvenient as they may be, passwords exist for a reason. Almost everything done online is protected with a password, making these tempting targets for attackers.

    IT administrators, however, can adopt new and “smarter” policies that reflect modern users and technology. Research has taught us which bits of advice work and which don’t: many traditional tips are in the “don’t work” category, but are quoted as gospel truth anyway. Technology, too, offers solutions: password managers and two-factor authentication offer possible ways to lessen the burden on users and improve security.

    However, passwords have to be considered in the context of a broader data protection strategy as well. Stored passwords themselves constitute data that has to be protected. Traditionally, these have been protected with cryptographic hashes like MD5 and SHA-1, but these – even with salts – are proving insufficient. Newer algorithms such as SHA-2 and PBKDF2 should be considered for storing passwords securely, if system overhead is not an overwhelming problem.
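    The storage recommendation above, as an added example that is not from the post: PBKDF2 with HMAC-SHA256 (a SHA-2 hash inside a salted, iterated derivation) written as a self-describing record whose iteration count can be raised later, beside the single salted SHA-1 hash the post calls insufficient. The record format, the ITERATIONS value and the function names are assumptions of this example.

```python
# Added example (not from the post): storing passwords with PBKDF2-HMAC-SHA256
# instead of a single fast salted MD5/SHA-1 hash. The iteration count is the
# tunable cost that trades system overhead for resistance to offline guessing.
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption: a reasonable current default; raise as hardware allows

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = os.urandom(16) if salt is None else salt          # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password, record):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses fewer iterations than current policy, so the
    password can be re-hashed at the user's next successful login."""
    return int(record.split("$")[1]) < iterations

def legacy_salted_sha1(password, salt):
    """The scheme the post calls insufficient: one fast hash over salt and password.
    Shown only for contrast; each guess costs an attacker a single SHA-1 call."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
```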

    In short: Password security is a difficult, but not intractable problem.

    Posted in Bad Sites



    Cybercriminals are known opportunists. They will take advantage of anything newsworthy and craft their schemes around (for example) sporting events like FIFA and the Olympics. As the London 2012 Olympics opening event draws near, we can expect a surge of spammed messages that leverage this event.

    Below are some spammed messages we have spotted using the 2012 Olympics as bait: one is an email claiming to be a “winning notification”, another asks for personal details in exchange for a prize, and a third asks users to notify a specific contact person. Users who fall for any of these traps risk having their information stolen or their machines infected with malware. Some spam may even lead to monetary loss.

    Prize, Free Tickets in Exchange for Your Information

    The first Olympic-related spam we have seen is an email that asks for personal information. To get users to willingly give these details, the message informs recipients that they have won free tickets. However, to claim their prizes, users must divulge personal information such as home address/location, marital status, and even occupation. The message stretches the truth further by informing users that they have also won a large cash prize.

    The scammers behind this spam may use the gathered information in their future malicious schemes. They may also sell data to other cybercriminal groups.

    Malware Disguised as Prize Notification

    We have also encountered several messages supposedly related to the London 2012 Olympics that arrive with attachments disguised as “winning notifications” containing the details of the prize. Curious users who download and open the attachments are actually executing malicious files. Below is a sample email:

    In a different spam run, we noticed a message with an attached file that is actually a Trojan (detected as TROJ_ARTIEF.ZIGS) exploiting the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333). Once the exploit succeeds, the malware drops the backdoor BKDR_CYSXL.A. Based on our analysis, this backdoor connects to a remote user who may execute commands on the infected system. What’s more alarming is that systems infected with backdoors are open to other threats, which may include malware that steals online banking credentials (usernames, passwords, etc.).

    Spam Asking Users to Contact Specific People

    The third type of spam may look legitimate at first. To look authentic, the messages may spoof well-known entities like Visa and contain contact details of a supposed coordinator or contact person affiliated with the fake promo.

    In the message, recipients are instructed to contact the supposed “coordinator” named in it. Once users reply to the given addresses, they receive a response from the scammer with instructions on how to claim their prize. Eventually, users are asked to disclose personal information. The scammers behind this threat may ask users for account details, or to deposit money into specific bank accounts, in order to receive their prize.

    Why These Spam Runs Persist

    These types of scams are nothing new. Previous incarnations include spam claiming to be associated with the Beijing 2008 Olympics and the Torino Winter Games. So why is this still a threat to users? Because cybercriminals are still earning money from it. Senior Threat Researcher Robert McArdle believes that “…attackers are still using these because these scams are still giving them successful margins. Social engineering has worked for years and there are little signs of that changing.” Thus, as long as users keep falling for this trap, scammers will continue to create new spam runs using events like the London Olympics to make a quick buck.

    Trend Micro protects users from this threat via the Smart Protection Network™, specifically its web reputation service, which blocks these messages before they even reach users’ inboxes. The file reputation service, on the other hand, detects and deletes the related malware.

    Users can also protect themselves by doing some simple checks on emails. They should be wary of these tell-tale signs:

    • Sloppy or unprofessional email formatting
    • Obvious grammar mistakes
    • Claims of an unbelievably large cash prize

    For the latest news about the upcoming Olympics and related contests, users should rely on credible news sources/sites. To know more about how to better protect yourself from this threat, you may read our Digital Life e-guide How Social Engineering Works and our FAQ article Sports as Bait: Cybercriminals Play to Win.

    Posted in Malware, Spam



    The ongoing 2012 UEFA European Championship is the latest sporting event used by cybercriminals to lure users into their malicious schemes. So far, we have uncovered a malicious site with a domain name that mimics the official UEFA Euro 2012 site, as well as web pages leading to survey scam pages and ad tracking sites.

    Malicious Domain Hosts Multiple Threats

    While conducting proactive research, we spotted the site {BLOCKED}uro2012.com, which tries to mimic the official site http://www.uefa.com/uefaeuro/. Upon investigation, this site actually hosts several malware samples, one of which is the FAKEAV variant TROJ_FAKEAV.HUU. Once executed on the system, this malware displays a supposed scan result for the infected system, which may prompt users to purchase and activate the bogus antivirus program.

    Posted in Bad Sites, Malware, Social, Spam



    Last June 13, Microsoft released its Cumulative Security Update for Internet Explorer (2699988), which addresses CVE-2012-1875, a vulnerability exploited by malware detected by Trend Micro as JS_DLOADER.SMGA. The attack code for this vulnerability has also been made public. There are few cases where attack code is released simultaneously with Microsoft’s security update; in general, malware exploiting such vulnerabilities does not show up quickly. Since the affected software is Internet Explorer, this attack has a significant impact on millions of IE8 users.

    By exploiting CVE-2012-1875, JS_DLOADER.SMGA poses a bigger threat to users because it also downloads the backdoor BKDR_AGENT.BCSG, disguised as a .JPG file. This backdoor is capable of communicating with a command-and-control (C&C) server via port 80. In effect, this communication compromises the infected system’s security, exposing it to further infection.

    Posted in Exploits, Malware, Vulnerabilities

