Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2012
    S M T W T F S
    « Jul   Sep »
  • Email Subscription

  • About Us

    Archive for August, 2012

    This is part of a series of blog posts discussing the Chinese underground. The previous parts may be found here:

    The full paper can be found here.

    The third value chain – Internet resources and services abuse – has a somewhat unique role, in that it facilitates all the other value chains. Without malicious servers and bots at their disposal, the theft of both real money and virtual assets would be more difficult.

    The architecture of this value chain can be seen here:

    Broadly speaking, many similarities exist with other underground economies, although some aspects are unique to the Chinese underground. In particular, the concept of “hanging on” software is unknown outside of China. “Hanging on” software allows people to in effect, voluntarily lend their systems to botnets in exchange for promised payment.

    Similarly, there are monetization schemes that are unusual in other countries as well. The sale of fake professional certifications in China is commonplace; the arrests of a gang engaged in this behavior netted 165 people. Other profit methods such as DDoS attacks, spam, malware selling, click fraud, and PPI (pay-per-install) affiliates are already known from other underground communities.

    Terminology and Example

    An example of these sorts of schemes and attacks was demonstrated in 2009. Two defendants were arrested for carrying out DDoS attacks against an unidentified online game. They were able to blackmail 500 million units of in-game currency, which they sold in the underground for 18,750 renminbi (approximately 3000 US dollars).

    The DDoS – referred to as a “swordsman stress test” (剑客压力测试) – was carried out using software purchased in the underground market. The software was purchased for the price of 788 renminbi (approximately 125 US dollars), but came with 500 compromised machines to carry out DDoS attacks. The suspects then bought more compromised machines (which they referred to as “chickens”), to add to the power of their DDoS attack.

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

    Posted in Malware | Comments Off on The Chinese Underground, Part 4: Internet Resources And Services Abuse


    Some of the apps discussed in this blog entry were developed with an older adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to this capability to comply with Google’s developer policies; apps that use this newer version are no longer considered high-risk.

    More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.

    Last week, we monitored three popular Android app stores – Google Play, Nduo and GFan – and found several adware on these app providers. When installed, adware typically display annoying advertisements.

    The chart below shows the adware that were still available online from August 12-18. Based on our findings, GFan had the most number of unique apps detected as adware. This might be possibly due to its popularity in the Chinese market. Developers might have created these apps, which display multiple ads on an infected device, in an attempt to target more users and generate more profit.

    We also found out that the most number of adware available on these websites are variants of ANDROIDOS_ADWIZP, ANDROIDOS_AIRPUSH, ANDROIDOS_ADSWO, ANDROIDOS_LEADBOLT, and ANDROIDOS_TOUCHNET. Except for TOUCHNET, all the adware mentioned have been detected previously.

    Once installed, TOUCHNET not only shows ads but also displays ads in notifications. It does not show which particular app displays the ad. The latter is possibly a technique to prevent users from determining the app to be removed.

    Trend Micro protects Android mobile users from this threat via Trend Micro Mobile Security Personal Edition, which detects malware disguised as apps. To know more about how to protect your Android devices from being infected, you may refer to the following Digital Life e-guides:

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

    Posted in Malware, Mobile | Comments Off on 164 Unique Android Adware Still Online

    We recently encountered ANDROIDOS_SMSZOMBIE.A, an Android Trojan targeting China Mobile subscribers that takes control of a device’s SMS functionality. It can send, forward, and drop SMS messages. What makes this more troubling for users is the fact that this malware is difficult to uninstall. A dedicated removal tool will be released to Google Play and Chinese app stores next week.

    As other researchers have noted, this Trojan takes advantage of a vulnerability in the China Mobile SMS payment process to generate unauthorized payments, steal bank card numbers and money transfer receipt information.

    How does this threat arrive on user devices? It is usually wrapped by a wallpaper app. Once installed, it can be enables by clicking Menu > Wallpaper > Live Wallpapers.

    After the live wallpaper has been enabled, the user is asked to install the Trojan (which is described instead as a “game”, complete with 100 free points).

    Once installed, the malware will ask to activate itself as a device administrator. The malware claims that by doing this, it will save power. If the user clicks the cancel or return buttons, the alert appears again. Only after the Trojan has been activated as a device administrator, will it let the user return to their main screen.

    As previously mentioned, this particular Trojan is quite difficult to uninstall. Using Android’s own uninstall function simply redirects the user to their home screen, without an opportunity to select the app to be uninstalled. Even if a third-party app is used in an attempt to uninstall the Trojan, it can’t be removed because it’s still active as a device administrator. If the user pushes through with the attempt to deactivate it as an administrator, the Trojan will say that deactivating it will cause system errors. If the user deactivates it, the Trojan will keep prompting the user to reactivate it again.

    App Payload

    What does this app do once it is installed on the user’s device? When first run, it sends the app version and device information (model, OS, language, network) to a “control number” via SMS.

    Once running, it has the following capabilities:

    • Forward every received SMS message
    • Drop SMS which contains words in a configurable list
    • Send SMS messages
    • “Write” an SMS message into the inbox

    All of these capabilities are controlled via SMS messages sent by the attacker to the device. These instructions are all in the following XML format:

    TAG Description
    S change the currently configuration
    J write the currently to phone.xml
    M send SMS with value specified by tags con and rep
    con set SMS content
    rep set SMS number
    E write a SMS to inbox with value specified by xgh and xgnr
    xgh set sms number
    xgnr set sms content

    For example, if the attacker wants to send a SMS from the infected device to China Mobile, he can send the following content to the device:


    Configuration files are in XML format as well:

    This particular file shows the default control number, default content keywords (转, 卡号, 姓名, 行, 元汇, 款, hello), and default number keyword of “10″.

    TAG Description
    D control number
    n keyword in SMS content, if it contains the keyword, this Trojan will drop the message
    zdh keyword in number, if an SMS is from this number, the message will be dropped and not received by the user.

    How does this app prevent itself from being uninstalled? It does the following actions to do this:

    • The wrapper app will check the Trojan’s state. If the Trojan is uninstalled the wrapper app will ask the user to install the Trojan. Alternately, if the Trojan is stopped, the wrapper will restart the service.
    • If any of the Trojan’s service are stopped, it will start the service again.
    • If any of the following are opened, the user will be returned to their home screen:
      • Device administrator settings
      • Trojan’s application detail
      • The app 360safe
    • If the Trojan is not active as a device administrator, it will keep asking to be activated as such.
    • When the Trojan is deactivated from being a device administrator, the user is led to believe that deactivating it will cause errors.

    Here are the steps you need to perform to manually uninstall this malware:

    1. First of all, uninstall the wrapper wallpaper app.
    2. Use a third-party app to terminate
    3. Deactivate the Trojan from being a device administrator. Ignore any warnings by pressing the home button.
    4. Terminate again.
    5. Uninstall the Trojan normally.

    To automate the above process, Trend Micro will release a dedicated detection and removal app. We will update this post with a link to the said tool once it has been released.

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

    Posted in Mobile | Comments Off on Android Malware Exploits China Mobile SMS Payments

    We were alerted to reports of a Crisis/MORCUT malware that supposedly spreads on VMware virtual machines. Our previous post about Crisis/MORCUT cites that it is a backdoor found to specifically target Mac OSX systems. This time around, the Crisis/MORCUT we have on our hands runs in Windows, and interestingly, mounts virtual disks. It does this by checking VMware configuration files for the locations of any installed virtual machines on the host system.

    Currently, the arrival mechanism for this variant is still to be fully determined. However, it appears to have have started from the downloading of a malicious Java applet (detected as JAVA_AGENT.NTW). The Java applet is packaged with two files: mac – the backdoor OSX_MORCUT.A, and win – a worm detected as WORM_MORCUT.A. The win file is executed in a Windows operating system. This file then drops the following component files:

    • IZsROY7X.-MP – (32-bit DLL) currectly detected as WORM_MORCUT.A
    • t2HBeaM5.OUk – (64-bit DLL) currently detected as WORM_MORCUT.A
    • eiYNz1gd.Cfp
    • WeP1xpBU.wA – (32-bit device driver) detected as TROJ_MORCUT.A
    • 6EaqyFfo.zIK – (64-bit device driver) detected TROJ_MORCUT.A
    • lUnsA3Ci.Bz7 – (32-bit DLL) a non-malicious file

    Based on our initial analysis, WORM_MORCUT.A has the ability to spread through USB devices and VMware virtual disks. It uses the device driver component TROJ_MORCUT.A to mount on virtual disks. While these capabilities may suggest it should be spreading aggressively, we are not seeing a lot of infections for both WORM_MORCUT.A and TROJ_MORCUT.A as of this writing.

    As we earlier reported in our Cloud Security blog post, our initial analysis reveals this Crisis/MORCUT variant may affect Type 2 Hypervisor deployments. The protection provided by both Trend Micro™ Deep Security™ or Trend Micro™ OfficeScan™ ensures that Trend Micro customers are safe from Crisis/MORCUT malware.

    Analyses on both WORM_MORCUT.A and TROJ_MORCUT.A are underway. Watch this space for updates on those. In the meantime, OfficeScan users should update to the latest patterns. All patterns are available in our Download Center.

    Update as of August 24, 2012, 10:50 AM PST

    The Java file that downloads WORM_MORCUT.A is now detected as JAVA_MORCUT.A. The files dropped by WORM_MORCUT.A are now known as RTKT_MORCUT.A . Both are cleaned by the latest pattern files.

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

    Posted in Malware | Comments Off on New Crisis/MORCUT Malware Mounts in Virtual Machines

    The more things change, the more they remain the same. Cybercriminals are still using various news events as bait to get users to read their emails and install malware. Proof: we received email samples that used the Ramadan and an upcoming conference — all to lure users into downloading and executing the malicious attachments.

    Ramadan-Themed Message Carry Malicious Files

    With the recent observation of Eid ul-Fitr marking the end of the Muslim holy month of Ramadan, certain attackers crafted Ramadan-themed messages to take advantage of the event. We found two email variants that contain .XLS attachments verified to be malicious (detected by Trend Micro TROJ_MDROP.AIG).

    The sender address contains the word “Uyghur”, which is likely a spoofed email address created by its perpetrators to make it appear that it came from the World Uyghur conference. The malware associated with this email is under analysis.

    Read the rest of this entry »

    Posted in Malware, Spam | Comments Off on Ramadan-Themed Email, Spoofed Event Invitation Lead to Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice