    TrendLabs Security Intelligence Blog

    Archive for September, 2012




    How we conduct ourselves at public gatherings such as events and celebrations is very much like how we should conduct ourselves in social networks. The number of participants, the level of engagement, and the variety of activities taking place are just some of the ways in which the two settings are alike. A good example of this similarity is an event that has just begun: Oktoberfest.

    Much like the web, Oktoberfest is chaotic but fun. First held in 1810, it continues to attract visitors by the millions: 6.9 million people went to Oktoberfest last year and consumed 7.5 million liters of beer.

    And though enjoyment is the goal in both settings, both are also prone to incidents such as lost items and theft. In real life, this translates into precautions such as keeping valuables in a safe place; on the web it is a little more complicated. In social networks, users are strongly advised to manage their privacy settings and keep the visibility of their personal information to a minimum, to avoid unauthorized access and the possibility of information theft.

    For additional tips on making the most of your Oktoberfest experience, read our infographic, “Off to Oktoberfest!”

     
    Posted in Social



    Mainstream media have repeatedly described the threat landscape as constantly evolving: attacks are becoming more sophisticated and the people behind them better equipped. This assertion, though certainly true, raises questions about how sophisticated these targeted attacks really are, how a digital insider stays hidden, and how to mitigate the threat.

    By now, we are all aware that traditional defences are no longer effective against these threats. In fact, based on Trend Micro research, over 90 per cent of enterprise networks contain active malware, and a new threat is created every second. Enterprises are also besieged by other challenges such as:

    • Increasingly cloud-based IT environments, compounded by the growing use of employee-owned mobile devices in the workplace.
    • The availability of cybercrime tools on the Internet, which makes them accessible to any potential attacker.
    • Cyber attacks initiated by organized crime gangs that are more sophisticated and precise than ever before.

    The big problem, however, is not just that a digital intruder will attempt to control the network, but that it will propagate, exfiltrate data and keep its activities hidden. Its ability to evade detection is ultimately what makes targeted attacks so problematic.

    Digital Insiders: One Step Ahead of IT Admins

    Digital insiders know how IT administrators respond to a possible data breach: typically, they look for exploitable vulnerabilities and for signs of communication with unknown IP addresses. To circumvent these efforts, attackers may patch the vulnerabilities they used to get in. This serves a second purpose: closing the hole prevents other attackers from piggybacking on their work.

    Digital insiders also move their command-and-control traffic inside the compromised environment and impose a ‘sleep cycle’ to avoid easily detectable communication. They may reach out to an outside IP address only once in a while, as in the recent Ixeshe campaign. As with the recent Flashback Mac malware, the bad guys may also use specialized techniques that hinder analysis of the malware by security researchers.

    Thwarting Digital Insiders

    This is a new breed of sophisticated threat that requires an advanced persistent response from organizations. To gain the upper hand, firms must be able to spot the unwanted intruder and constantly foil their efforts through:

    1. Correlating cybercrime activity observed in the wild with what is happening on the enterprise’s own network, using big data analytics. This lets organizations spot connections between the two and gives them the information needed to draw up a concrete action plan.
    2. Multi-level, rule-based event correlation, such as that featured in Trend Micro’s Deep Discovery. Given that these attackers are experts at keeping their activities hidden, such a tool helps identify dubious activity inside an organization’s network, point out possible threat actors and monitor their activities.

    In other words, organizations need greater awareness of the activities on their networks and the ability to correlate events in order to thwart the digital insider’s malicious activities.
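The ‘sleep cycle’ described above leaves a statistical fingerprint: a host that contacts the same destination rarely, but on a near-constant schedule, is behaving like a timed check-in rather than a user. The following is an added example of that check run over connection logs; it is not Trend Micro code or part of the original post. The log format (timestamp, source, destination) and the sample lines are constructed for the illustration, and the thresholds are assumptions to tune per environment.

```python
"""Beacon ('sleep cycle') detection over outbound-connection logs.

Added example, not Trend Micro code.  The log format and the sample lines are
constructed for this illustration; adapt parse_log() to your proxy/firewall
export.  The idea: a host that reaches out to the same destination rarely but
on a near-constant interval is behaving like scheduled C2 check-in, not a user.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <src> <dst>", one outbound connection per line.
# 10.0.1.25 -> 198.51.100.7 checks in every ~6 hours; the rest is ordinary traffic.
SAMPLE_LOG = """\
2012-09-20T01:00:04 10.0.1.25 198.51.100.7
2012-09-20T01:03:10 10.0.1.25 203.0.113.9
2012-09-20T01:03:11 10.0.1.25 203.0.113.9
2012-09-20T01:04:40 10.0.1.25 203.0.113.9
2012-09-20T07:00:02 10.0.1.25 198.51.100.7
2012-09-20T09:15:00 10.0.1.40 203.0.113.9
2012-09-20T13:00:05 10.0.1.25 198.51.100.7
2012-09-20T19:00:01 10.0.1.25 198.51.100.7
2012-09-21T01:00:03 10.0.1.25 198.51.100.7
2012-09-21T02:00:00 10.0.1.40 203.0.113.9
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def find_beacons(text, min_hits=4, min_interval_s=3600, max_cv=0.1):
    """Return pairs whose inter-connection intervals are long and regular.

    min_hits       - need enough samples before trusting the statistics
    min_interval_s - ignore chatty/interactive traffic; sleep cycles are long
    max_cv         - coefficient of variation (stdev/mean) of the intervals;
                     real schedulers are very regular.  Attackers add jitter
                     to defeat this, so tune upward and corroborate with
                     destination reputation rather than relying on it alone.
    """
    findings = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_interval_s:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "mean_interval_s": avg, "cv": cv})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits every "
              f"{f['mean_interval_s'] / 3600:.2f} h (cv={f['cv']:.4f})")
```

Because the post notes that attackers move command-and-control inside the environment, the same pass is worth running over internal-to-internal flows as well: two workstations that exchange a connection every few hours with no business reason are exactly what the event-correlation step is meant to surface.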

    Read the full report How to Thwart the Digital Insider – an Advanced Persistent Response to Targeted Attacks.

     
    Posted in Targeted Attacks



    Microsoft has released MS12-063 to address vulnerabilities affecting Internet Explorer versions 6, 7, 8, and 9. The most severe of these allows arbitrary code execution when exploited; it is the same vulnerability that was earlier reported as being used in attacks that deliver remote access tools (RATs). Here is an in-depth analysis of that vulnerability:

    The use-after-free vulnerability arises when an object that has already been deleted is referenced: for instance, when document.write() is called to replace the whole page while a command issued through the execCommand method is still being processed. When execCommand is called, a CMshtmlEd object is created. When the page content is replaced, Internet Explorer frees that CMshtmlEd object. Later, mshtml!CMshtmlEd::Exec() accesses the freed CMshtmlEd object without verifying that it is still valid, which is the use-after-free.

    In the samples we have seen, execCommand is invoked with the “selectAll” action. At the same time, the body has a handler that fires on selection. This handler replaces the whole page with some text, forcing IE to free the body objects. After the objects have been freed, execCommand tries to use them, triggering the vulnerability. A Flash (SWF) object is used to spray the heap with attacker-controlled data, so that the freed memory is reoccupied and the execution flow can be redirected.
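The trigger chain just described (execCommand with “selectAll”, a selection handler, a document.write() that replaces the page, and a Flash object beside them) is a pattern that can be matched statically, which is roughly what a content-inspection rule for this vulnerability has to do. The following is an added example of such triage, written for this page; it is not Trend Micro’s detection logic or the IDF rule mentioned below. Both HTML samples are constructed fixtures: SUSPECT only mirrors the call pattern from the analysis and is not a working exploit (no heap spray, no payload), and BENIGN shows why execCommand(“selectAll”) alone must not be flagged.

```python
"""Static triage for the execCommand/CMshtmlEd use-after-free trigger chain:
execCommand("selectAll"), an onselect handler, and a document.write() that
replaces the page, typically alongside an embedded SWF used to spray the heap.
Added example, not Trend Micro's detection logic.  Both HTML samples are
constructed fixtures; SUSPECT mirrors the call pattern only and is not an exploit.
"""
import re
from html.parser import HTMLParser

FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"   # Shockwave Flash ActiveX control


class _Collector(HTMLParser):
    """Pull out inline scripts, on* handlers and any embedded Flash reference."""

    def __init__(self):
        super().__init__()
        self.scripts = []     # bodies of <script> elements
        self.handlers = []    # (event name, handler source)
        self.swf = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.handlers.append((name, value))
            low = value.lower()
            if tag in ("object", "embed", "param") and (
                    low.endswith(".swf") or "shockwave-flash" in low
                    or FLASH_CLSID in low):
                self.swf = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage(html):
    """Score one HTML document for the MS12-063 trigger chain."""
    c = _Collector()
    c.feed(html)
    code = "\n".join(c.scripts + [src for _, src in c.handlers])
    r = {
        "select_all": bool(re.search(r"execCommand\s*\(\s*['\"]selectAll['\"]", code, re.I)),
        "onselect": any(n == "onselect" for n, _ in c.handlers),
        "doc_write": bool(re.search(r"document\.write(?:ln)?\s*\(", code)),
        "swf": c.swf,
    }
    chain = r["select_all"] and r["onselect"] and r["doc_write"]
    # execCommand('selectAll') on its own is a legitimate "select all" button.
    # The selection handler that rewrites the document is what matches the
    # trigger; a Flash object next to it is the heap-spray hint.
    r["verdict"] = "high" if chain and r["swf"] else "medium" if chain else "none"
    return r


# Constructed fixture mirroring the chain in the analysis above (not an exploit).
SUSPECT = """<html><body onselect="onSel()">
<script>
function onSel() { document.write("x"); }   /* rewrites the page while the command runs */
function go()    { document.execCommand("selectAll"); }
</script>
<img src="a.gif" onload="go()">
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
  <param name="movie" value="spray.swf">
</object>
</body></html>"""

# Constructed benign page: a plain "select all" button and nothing else.
BENIGN = """<html><body>
<button onclick="document.execCommand('selectAll')">Select all</button>
<script>function note() { document.getElementById('n').textContent = 'ok'; }</script>
<p id="n"></p>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN)):
        print(label, triage(doc))
```

The verdict is deliberately based on the combination rather than on any single string: matching execCommand alone would flag ordinary editor pages, while requiring the selection handler plus the page rewrite ties the signature to the actual freeing sequence. Obfuscated samples that build the call names at runtime will evade this and need dynamic analysis.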

    Zero-day Exploit in the Wild

    The exploit for this vulnerability, detected by Trend Micro as HTML_EXPDROP.II, was seen in several attacks. In one instance, the exploit loaded SWF_DROPPR.II, which in turn downloads a PoisonIvy variant detected as BKDR_POISON.BMN. A second attack leads to TROJ_PLUGX.ME, which executes malicious files on the infected system. This malware is a variant of the PlugX remote access tool (RAT) we recently blogged about.

    Users are advised to update their systems with the latest patch from Microsoft. Trend Micro Smart Protection Network™ protects users by detecting the exploit and the other malicious files and by blocking access to the malicious servers. Trend Micro Deep Security protects users through IDF rule 005194 – Microsoft Internet Explorer ‘execCommand’ Use-After-Free Vulnerability. Lastly, Titanium 2013 safeguards user systems via its browser exploit prevention feature.

    Update as of Sept. 25 4:57 AM PDT

    There seems to be no stopping attackers from targeting this vulnerability, as we have seen more attacks leveraging it. In particular, several compromised websites were found hosting exploits for this vulnerability. Users who visit these sites are served the exploit, which ultimately downloads PlugX variants onto their computers.

    Below are some of these compromised sites and attacks.

    Compromised Site             Exploit                             Malicious .SWF File Component   Payload
    everich2.{BLOCKED}ft.tw.rar  HTML_EKSPLOYT.AE, HTML_EXPDROP.II   SWF_DROPPR.II                   BKDR_PLUGX.AQ
    get.{BLOCKED}ks.com.rar      HTML_EXPDROP.II                     SWF_DROPPR.II                   BKDR_PLUGX.AR
    www.{BLOCKED}enews.in.rar    HTML_EKSPLOYT.AE, HTML_EXPDROP.II   SWF_DROPPR.II                   BKDR_PLUGX.AP
    www.{BLOCKED}in.com.tw.rar   HTML_EKSPLOYT.AE, HTML_EXPDROP.II   SWF_DROPPR.II                   BKDR_PLUGX.AQ
    www.{BLOCKED}gameshow.com    HTML_EXPDROP.SMA, HTML_EXPDROP.SMB  SWF_DROPPR.II                   BKDR_PLUGX.AT

    With these developments, it is imperative that users and IT administrators update their systems with the security patch released by Microsoft. Trend Micro users are protected from these threats.

     
    Posted in Vulnerabilities



    We often debate who the most sophisticated hackers in the world are. I firmly believe that there is a direct correlation between the chess-playing community and hacking. To this point, I would tip my hat to the Eastern European hacker crews of 2011 and 2012.

    There are three historical factors that distinguish Eastern European hackers from those in the rest of the world:

    • An educational culture which has long emphasized mathematics and chess
    • A robust underground economy
    • A well-developed “tradecraft” of criminal activity that has adapted well to the Internet age

    The obfuscation techniques and nano-malware we have seen deposited in the financial sector illustrate the evolution of capabilities which are being sold in the arms bazaar of Eastern Europe. In today’s era of professional cyber hacker crews, we must acknowledge that the APT has been privatized and that spinning the cyber chess board is an imperative. Beyond a healthy respect for the stratagems utilized by our adversary, we must move away from over-reliance on perimeter defenses.

    As we spin the chess board within our networks, let us acknowledge that a “knight’s fork” in cyber security begins with situational awareness and ends with hindering exfiltration. Thus, the fundamentals of cybersecurity in 2012 are: specialized threat detection, threat intelligence, file integrity monitoring, and virtual shielding.

    More of my thoughts regarding Eastern European cyber hacker crews are published in this paper.

     
    Posted in Targeted Attacks



    Note:

    Some of the apps discussed in this blog entry were developed with an older version of an adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to make this capability opt-in, to comply with Google’s developer policies; apps that use the newer version are no longer considered high-risk.

    More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.

    We uncovered four Android apps on Google Play and certain third-party app stores which, when installed, gain access to specific device information that can be used without the user’s consent and may lead to data leakage. One of these apps has already been removed from Google Play but remains available on third-party stores. These apps are crafted to take advantage of the upcoming 2012 US Presidential Election and its two candidates, Mitt Romney and Barack Obama, and can be downloaded for free.

    The first app, called “Obama vs Romney”, is an ANDROIDOS_AIRPUSH variant that connects to airpush.com, a mobile ad network. The app’s description page also indicates that it may display ad notifications. We found that this app has more than 300 downloads from third-party stores and an estimated 500-1,000 downloads from Google Play so far.

    This app was designed as a polling service in which users choose between the two candidates, and it is supposed to display the overall result of the poll immediately. During our testing, however, it ended up showing the message “you probably want to start clicking as soon as possible”. This app also displays potentially annoying ads served from airpush.com outside of the app itself.

    It also requests ACCESS_COARSE_LOCATION, among other permissions, which lets it read the device’s approximate location (derived from Wi-Fi and cell-tower data; GPS-precision coordinates would require ACCESS_FINE_LOCATION).
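Checking which permissions an app requests, and which of them matter in combination, is the first thing to do when triaging an app like this. The following is an added example of that audit over an AndroidManifest.xml; it is not Trend Micro tooling and was not run against the apps discussed. The manifest is constructed for the illustration (the package name com.example.pollapp is made up), and the risk rating rules are this example’s own assumptions.

```python
"""Permission audit of an AndroidManifest.xml.

Added example, not Trend Micro tooling; the manifest below is constructed,
not extracted from any real app, and the risk rules are this example's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
P = "android.permission."

# What each sensitive permission actually exposes (Android platform semantics).
SENSITIVE = {
    P + "ACCESS_COARSE_LOCATION": "approximate location from Wi-Fi/cell towers",
    P + "ACCESS_FINE_LOCATION": "precise GPS location",
    P + "READ_PHONE_STATE": "device identifiers (IMEI), phone number, call state",
    P + "READ_CONTACTS": "contact list",
    P + "GET_ACCOUNTS": "account names registered on the device",
    P + "RECEIVE_BOOT_COMPLETED": "starts at boot, i.e. persists without user launch",
}
LOCATION = {P + "ACCESS_COARSE_LOCATION", P + "ACCESS_FINE_LOCATION"}

# Constructed manifest for a "poll" app that bundles an ad SDK (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pollapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Poll">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return the requested permissions, the sensitive ones, and a risk rating."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    perms = {e.get(name_attr) for e in root.iter("uses-permission")}
    perms.discard(None)
    findings = {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}
    # A location permission can only leak data if the app can also send it out.
    location_can_leak = bool(perms & LOCATION) and (P + "INTERNET") in perms
    # COARSE alone never yields GPS-grade coordinates; FINE is needed for that.
    precise = (P + "ACCESS_FINE_LOCATION") in perms
    risk = ("high" if location_can_leak and len(findings) > 1
            else "medium" if findings else "low")
    return {"package": root.get("package"), "permissions": sorted(perms),
            "findings": findings, "location_can_leak": location_can_leak,
            "precise_location": precise, "risk": risk}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["risk"])
    for perm, why in report["findings"].items():
        print("  ", perm, "->", why)
```

In practice the manifest comes out of the APK with apktool or with aapt dump permissions; the point of the audit is the pairing of a data-access permission (location, phone state) with INTERNET, which is what turns a permission into a potential leak, and an ad SDK bundled in the app inherits every permission the host app declares.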


     
    Posted in Mobile


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice