    TrendLabs Security Intelligence Blog

    Archive for December 27th, 2012

    Throughout 2012, we investigated a variety of targeted attacks including several APT campaigns such as LuckyCat and Ixeshe, as well as updates on some long running campaigns such as Lurid/Enfal and Taidoor. There was a lot of great research within the community related to targeted attacks published this year, and I’ve clustered the research I found to be the most interesting into six themes that I think also encapsulate the trends in targeted attacks of 2012:

    • Targets and Tools – While targeted attacks were largely equated with APT during 2011, 2012 saw the emergence of a variety of attacks, especially those in the Middle East, including Shamoon in Saudi Arabia, the Mahdi Campaign, GAUSS and Wiper/Flame, which were all well documented by Kaspersky. There were other attacks related to the conflict in the Middle East, most notably Syria and Israel and Palestine (also see Norman’s analysis here). APT activity remained a significant concern in 2012, and Dell SecureWorks published a paper on clustering various APT campaigns as well as papers on Mirage and SinDigoo that illustrated the scope of the problem. Bloomberg published a series of articles about the “Comment Crew” that detailed the breadth and impact of an APT campaign. There was also considerable activity targeting Russia, Taiwan, South Korea, Vietnam, India and Japan. In addition to expanded geographic targets, we also saw the expansion of the technologies that were targeted, including Android mobile devices and the Mac platform. Seth Hardy from the Citizen Lab gave a great presentation at SecTor that provides an overview of the various Mac-related RATs (SabPub, MacControl, IMULER/Revir and Dokster) that emerged this year. And although we have seen smartcard-related attacks in the past, thanks to some great analysis of Sykipot from AlienVault we saw technical details around smartcards that were deliberately targeted.



    Malware like BKDR_JAVAWAR.JG proves that web servers are viable targets for cybercriminals, as they store crucial data and can be used to infect other systems once unwitting users visit affected websites.

    We recently spotted a Java Server Page that performs backdoor routines and gains control over the vulnerable server. Trend Micro detects this as BKDR_JAVAWAR.JG. This malware may arrive either as a file downloaded from certain malicious sites or as a file dropped by other malware.

    For this attack to be successful, the targeted system must be a Java Servlet container (such as Apache Tomcat) or a Java-based HTTP server. Another possible attack scenario is when an attacker checks for websites powered by Apache Tomcat then attempts to access the Tomcat Web Application Manager.

    Using a password cracking tool, cybercriminals can gain manager/administrative rights, allowing them to deploy Web application archive (WAR) files packaged with the backdoor to the server. The backdoor is then automatically added to the accessible Java Server Pages. To execute its routine, the attacker can access the Java Server Page using the following:

    …/{sub-directory inside Tomcat webapps folder}/{malware name}
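    A defender's check for the Tomcat Manager scenario described above, added here as an example (not code from the original post): it parses Tomcat's default access-log format and flags a client that reaches the Manager only after repeated 401 responses, and any WAR deployment made through the Manager. The sample log lines are constructed, and the failure threshold and the list of deploy URLs are assumptions.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve default pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager URLs that deploy a WAR (HTML upload form and the scriptable text interface); assumed list
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy", "/manager/deploy")

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, guess_threshold=5):
    """Return {client_ip: [finding, ...]} for Manager password guessing and WAR deploys."""
    failures = defaultdict(int)   # consecutive 401s on /manager/ per client
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager/"):
            continue
        host, path, status = rec["host"], rec["path"], rec["status"]
        if status == "401":
            failures[host] += 1
        elif status == "200" and failures[host] >= guess_threshold:
            # a success only after many failures is consistent with password guessing
            findings[host].append(f"manager login after {failures[host]} failures")
            failures[host] = 0
        if path.startswith(DEPLOY_PATHS) and status in ("200", "302"):
            findings[host].append(f"WAR deploy via {rec['method']} {path.split('?')[0]}")
    return dict(findings)

# Constructed sample log (not from the original post): one client guesses the
# Manager password, logs in and uploads a WAR; another client browses normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Dec/2012:10:01:0%d +0000] "GET /manager/html HTTP/1.1" 401 2473' % i
    for i in range(1, 7)
] + [
    '203.0.113.7 - tomcat [27/Dec/2012:10:01:09 +0000] "GET /manager/html HTTP/1.1" 200 15231',
    '203.0.113.7 - tomcat [27/Dec/2012:10:01:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 302 -',
    '198.51.100.4 - - [27/Dec/2012:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE_LOG).items():
        print(ip, notes)
```

    Pointing the script at a real access log means replacing SAMPLE_LOG with the file's lines; the threshold should be tuned to how often legitimate administrators mistype the Manager password.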


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice