It’s been weeks now since we’ve watched the destructive effects of Hurricane Sandy to the environment and to the folks living in affected areas. Trend Micro and the security industry have been in the lookout for scams and threats using Sandy as a social engineering ploy to infiltrate targets.

During our tracking of targeted attacks and cybercrime, we have uncovered such a campaign. It seems that during the commotion caused by Sandy, some groups used this event as a social engineering bait to target NATO Special Operations Headquarters (NSHQ) last October 31.

The email message we spotted has the subject “Did Global Warming Contribute to Hurricane Sandy’s Devastation” and contains a .DOC file with the same title. The people behind this scheme appears to have used the title of a recent New York Times blog post about Hurricane Sandy. The sender IP seen ({BLOCKED}.{BLOCKED}.241.144) is found in at least 3 blacklists.

The said attachment, which Trend Micro detects as TROJ_ARTIEF.SDY, exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) which was addressed by Microsoft in November 2010 in MS10-087  to drop the backdoor BKDR_DLDR.A. If you can recall, this vulnerability was the top vulnerability exploited this April. Despite being patched last 2010, attackers have been using this MS Word software bug hence. This proves that attacks need not use zero-day exploits to be effective.

The dropped malware, BKDR_DLDR.A, connects to its command-and-control (C&C) server, domain.{BLOCKED}2.us to send and receive commands from remote attackers. Some of the commands that it can execute include downloading, copying, modifying, creating files and folders, stealing file information, and acquiring time zone information among others. According to senior threat researcher Nart Villeneuve, this backdoor is an Enfal/Lurid variant, which we have documented in the past to have been or is still being used in targeted attack campaigns.

Read the rest of this entry »

Smartphone users in Japan are able to download a wide variety of apps, many of which are either inexpensive or free. Not all of these actually meet what users expect in terms of features, and some of these even introduce risks that users may not fully understand. In this series of blog posts, I will try to show how to evaluate the risks of these apps, focusing on the threats usually seen in Japan. In the first of the three blog entries,  I will examine the current situation of info-stealing apps targeting Japanese users.

What is an “Ego App”?

Some apps have unwanted routines which we consider high-risk; for example some violate the user’s privacy by accessing the user’s personal information. Frequently, this is done by apps which display ads (i.e., adware). (In Japanese English, these are referred to as “ego apps.”) Examples of routines that may cause an app to be classified as such include:

• Consuming system resources
• Displaying pop-up advertising
• Violating the user’s privacy

Users who continue to use these apps may encounter unexpected behavior, and may suffer problems without any notice. These apps have both been getting plenty of attention lately.  We will discuss the case of aggressive mobile adware in part 2 of this series of blog posts.

Law enforcement actions

On October 30, 2012, several police agencies in Japan arrested a number of suspects for violating the newly implemented cybercrime law. The Japan National Police Agency announced the arrest of five suspects, including an IT company executive for creating malicious apps. (Trend Micro detects these as ANDROIDOS_DOUGALEK variants and are known as  ”the movie virus.”) In another case, the Kyoto Prefectural Police together with its Fushimi Police Station announced the arrest of one company executive who allegedly created the malicious apps Longer Battery Life, Signal Improvement, Sma Solar, Power Charge, or Solar Charge. We detect these as ANDROIDOS_CONTACTS variants.

In both of these incidents, the suspects targeted smartphone users in Japan. We hope that these arrests will act as an effective deterrent to these kind of cybercrimes. In this entry, I will look at the apps used in these attacks.

Read the rest of this entry »

The Police Ransomware is not a new threat but has been evolving at a tremendous pace. Here we are talking about Trojans which don’t let the victims use their computer until they pay a “fine” for doing naughty things. To do this, they impersonate local police forces by using the infected user’s regional settings – in other words, they use the victim’s local language and the logos of their country’s police.

Last October, I published a new paper on the subject that touched less on the technical part of the attack and more on the financial side. When I talk about this topic, a lot of people often ask me: how are these Eastern European cybercriminal outfits able to keep using the same fancy payment methods? Can’t we follow the money trail? Well, not really.

The use of online vouchers as a method of payment for the scam has allowed these gangs to completely hide any money trail. This is an intriguing topic in itself, so I recommend you to check it out whether you’re a techie or just interested in the evolution of cybercrime. I wrote the paper for Virus Bulletin, which was held in Dallas last September, although my colleague Loucif Kharouni covered for me for the actual presentation. I finally did present it at B-Sides Sao Paulo in October, and you can find a video recording of that talk here. We have previously released paper on this particular series of attacks, which you can read here.

If you think this is something interesting and want to know more about it, why don’t you download the paper and give it a read?

Earlier, we talked about how ordinary users can use NFC securely. However, truly widespread adaptation of NFC is only going to happen if businesses adopt it for their own use. How can businesses safely use NFC for their own purposes?

For one of the most popular uses of NFC – mobile payments – businesses really aren’t in a position to use their own solution; what’s more likely is that businesses will adapt some sort of existing mobile payment system. Both credit card and mobile providers are trying to enter this space, but both groups will support NFC. In such a situation, what businesses can do is ensure that their solution is from a reputable vendor, and to keep themselves informed about any potential security loopholes in the solution they adopt.

However, payment systems are far from the only use of NFC in businesses. At the simple end, it can be something like letting people visit a website without typing a URL or scanning a QR code. However, as the standard develops, something like this becomes possible: a shop wants to offer free WiFi to its customers, but doesn’t necessarily want to expose it to the entire world. What they can do is put an NFC tag at the entrance that customers entering can swipe to set their phone’s WiFi settings.

NFC tags could also be used to automatically update someone’s social media – it’s easy to imagine a tag for Twitter, another for Facebook, and another for Foursquare (just to cite three popular social networks that one might be interested in using on the go). All of this can be done either now, or are quite likely to become possible in the near future.

Read the rest of this entry »

We recently documented an attack that leveraged the publicly available Xtreme RAT on targets in Israel and was widely reported in the media. Our friends at Norman were able to link the attack to a yearlong campaign against both Israeli and Palestinian targets. We have found that the attacks are still on-going and that the target set is broader than previously thought.

We discovered two emails sent from {BLOCKED}a.2011@gmail.com on Nov 11 and Nov 8 that primarily targeted the Government of Israel. One of the emails was sent to 294 email addresses. While the vast majority of the emails were sent to the Government of Israel at “mfa.gov.il”, “idf.gov.il,” and “mod.gov.il,” a significant amount were also sent to the U.S. Government at “state.gov” email addresses. Other U.S. government targets also included “senate.gov” and “house.gov” email addresses. The email was also sent to “usaid.gov” email addresses.

The target list also included the governments of the UK (fco.gov.uk), Turkey (mfa.gov.tr), Slovenia (gov.si), Macedonia, New Zealand, and Latvia. In addition, the BBC (bbc.co.uk) and the Office of the Quartet Representative (quartetrep.org) were also targeted.

Read the rest of this entry »