    TrendLabs Security Intelligence Blog

    Archive for August 17th, 2012




    Reports of Disttrack/Shamoon malware, which overwrites files and infects the Master Boot Record (MBR) of infected systems, have recently surfaced. Trend Micro detects the said malware as WORM_DISTTRACK.A. Currently, its arrival method is still undetermined. It is found to spread to other computers by dropping copies of itself in administrative shares. Its dropped copy may use file names such as clean.exe or dvdquery.exe.

    It drops two primary components: TROJ_WIPMBR.A and TROJ_DISTTRACK.A. TROJ_WIPMBR.A gathers the files to be infected in the computer. The files it overwrites are those with the following strings in the file name or code:

    • document
    • picture
    • video
    • music

    Once overwritten, these files can no longer be restored or opened. On the other hand, TROJ_DISTTRACK.A serves as the communicator. TROJ_WIPMBR.A passes the list of files it infects to TROJ_DISTTRACK.A. TROJ_DISTTRACK.A then creates a connection to an IP and sends the list of files, along with the IP address of the infected computer.

    Trend Micro is continuously investigating this threat. Watch this space for updates.

    Update as of August 20, 2012 11:13 PM

    Further analysis of TROJ_WIPMBR.A reveals that it overwrites disk partitions with a damaged .JPEG file using its component file DRDISK.SYS. It also creates a file containing the number of files to be compromised. TROJ_DISTTRACK.A also uses TROJ_WIPMBR.A to communicate with its C&C Server.
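    Because the wiper overwrites the first sector and partition areas with JPEG data, a responder triaging a suspect disk can check whether the boot sector still looks like an MBR. The following is an added example written for this post, not Trend Micro's code: it parses a 512-byte boot sector, verifies the 0x55AA boot signature and the four partition entries, flags a sector that begins with JPEG magic bytes, and compares the sector's SHA-256 against a known-good baseline. Both sample sectors are constructed in the script; on a real system the bytes would be read from the first sector of the physical disk.

```python
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
JPEG_MAGIC = b"\xff\xd8\xff"


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: a few boot-code bytes, one active NTFS partition, valid signature."""
    mbr = bytearray(MBR_SIZE)
    mbr[:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # arbitrary boot-code bytes (constructed)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def build_wiped_mbr() -> bytes:
    """Constructed wiped sector: the start of a JPEG file written over the boot sector."""
    jpeg_header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return jpeg_header + b"\x00" * (MBR_SIZE - len(jpeg_header))


def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(ENTRY_FORMAT, mbr[off:off + 16])
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def mbr_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the sector, for comparison against a baseline captured from a healthy system."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, baseline_fingerprint: str = None) -> dict:
    """Return structural findings for a boot sector; an empty findings list means it looks intact."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return {"ok": False, "findings": ["sector is not 512 bytes"], "partitions": []}
    if mbr[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if mbr[:3] == JPEG_MAGIC:
        findings.append("sector begins with JPEG magic bytes")
    parts = parse_partitions(mbr)
    used = [p for p in parts if p["type"] != 0]
    if not used:
        findings.append("no partition entries defined")
    for idx, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {idx} has invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {idx} has zero length")
    if baseline_fingerprint and mbr_fingerprint(mbr) != baseline_fingerprint:
        findings.append("sector hash differs from baseline")
    return {"ok": not findings, "findings": findings, "partitions": used}


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    for label, sector in (("healthy", good), ("wiped", build_wiped_mbr())):
        result = check_mbr(sector, baseline)
        print(label, "OK" if result["ok"] else "SUSPECT", result["findings"])
```

Reading the real first sector requires administrative rights (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux); the baseline hash should be captured from a known-clean build and stored off the host, since a wiper that reaches the disk can also reach a locally stored baseline.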

    Update as of August 21, 2012 02:43 AM

    We also found a 64-bit version of the malware that exhibits similar behavior. Trend Micro detects the malware as WORM_DISTTRACK.A and its components as TROJ_WIPRMBR.A and TROJ_DISTTRACK.A.

    With additional analysis from Christopher Daniel So


    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog



    Aug 17, 10:30 am (UTC-7)

    If there’s one thing I’ve learned about the threat landscape today, it’s this: it’s always growing, and it’s always changing. Both mobile computing and the cloud are changing the threat landscape, while old threats like malware and spam continue to grow and proliferate.

    Every day, we receive 430,000 files for analysis, of which 200,000 are unique. That results in 60,000 new signatures for detection every day.

    However, we don’t stop there in order to protect our customers. Starting in 2005, we began looking into e-mail reputation in order to address the spam problem. As we did this, we realized that we have a goldmine of potential threat intelligence: unwanted e-mail is also used to spread malware and launch targeted attacks.

    We not only stopped spam from reaching our customers, but we also did in-depth analysis on the spam runs we did see. This allowed us to discover new threats, as well as patterns within these threats.

    More and more e-mails didn’t contain the malware as an attachment, but pointed to a malicious website instead. Based on this we started to invest heavily in web reputation, and this technology is now one of our main weapons against cybercriminals today.

    We receive almost 8 billion URL queries per day from our customers, and we reply immediately with what the queried URL is about: whether it is malicious or not, and its category. Our products use this to block URLs, but we also use it to gather more information about attacks. Because of this, we are able to find out about new attack models, command and control servers, and targeted attacks.

    These three elements have made up the foundation of the Smart Protection Network, but as the threat environment evolves, so too must Trend Micro’s response.

    We have now added mobile application reputation to our capabilities. The number of mobile malware we’re seeing is skyrocketing. Last year, mobile malware for Android was under the radar, but we predicted that we’d see 120,000 mobile malware samples by the end of 2012. For that, we have been called scammers and charlatans. Today, with over 30,000 Android malware already detected, our prediction is likely to be proven correct.

    In addition, the Smart Protection Network is now able to protect against vulnerabilities/exploits and malicious network traffic. By correlating our global threat intelligence across all the threat vectors, we see more, correlate more, detect more and protect our customers better against the wide variety of attacks.

    This rising number of threats also means the risk of false positives is growing; because of this we have added whitelisting to the Smart Protection Network. Our database of over 140 million known good applications helps us to find the right balance between aggressive malware detection and false positive avoidance.

    Thanks to our leadership in the reputation and correlation area, we get many requests from law enforcement to help them identify and jail criminals. This is something that is very satisfying for our team of threat researchers.

    In addition to our customers and law enforcement, we also provide threat intelligence to our partners like RSA, helping protect millions of users around the world.

    The correlation provided by the Smart Protection Network has helped us to deliver better security. Thanks to our threat expertise and our investment into the Smart Protection Network, we are able to provide improved protection for our customers.

    The infographic below illustrates how Smart Protection Network works to protect our customers from threats:


    And below is a link to our CTO Raimund Genes' video blog, talking about the expanded Smart Protection Network:

    Raimund Genes' video blog