    TrendLabs Security Intelligence Blog

    Archive for December, 2012




    Developers at the xda developers forum have discovered a vulnerability in Android devices using the Exynos family of System-on-Chip (SoC) processors. Our researchers have independently verified the vulnerability and as a result, we have released the relevant protection for Trend Micro Mobile Security users.

    The vulnerability allows any installed app to access the entirety of the phone’s memory. An attacker could trivially use this vulnerability to gain root access, thereby gaining complete control over the device. Potentially, this is as serious as a remote code execution vulnerability on Windows.

    The underlying cause is that Samsung’s memory device driver has no access protection, leaving it open to any installed app running with default privileges. As a result, any process can read and write the whole of system memory, which may compromise the device.

    Currently, the following devices and their variants are known to be vulnerable to this problem:

    • Samsung Galaxy Note
    • Samsung Galaxy Note 2
    • Samsung Galaxy Note 10.1
    • Samsung Galaxy S2
    • Samsung Galaxy S3
    • Samsung Galaxy Tab Plus

    However, it is possible that any device running an Exynos SoC together with a newer version of Android (Ice Cream Sandwich or later) could be at risk. (Earlier versions of Android did not expose the kernel device node that newer versions use, so they are not at risk from this issue.)

    As a practical matter, there are no good steps users can take to mitigate this threat. (It is possible to download apps that disable access to system memory, but this also breaks key functions like the phone’s camera.) It is up to Samsung to patch this threat permanently.

    In the meantime, we have released a pattern which will detect apps that attempt to exploit this vulnerability. Users whose devices have Trend Micro Mobile Security are encouraged to update their devices with the latest pattern for protection until the said vulnerability is fixed.

    Posted in Mobile



    As the WORM_VOBFUS story unfolds, new variants are surfacing, including one that connects to a new site and uses the names of Google and MSN to label its dropped files.

    We recently reported on the wave of WORM_VOBFUS variants that emerged in the wild last November. We have been monitoring the threat and found that its latest variant (detected as WORM_VOBFUS.SMIS) accesses a new URL (http://{random number}.noip.at:443/{random string}) to drop a downloader file that leads to ZBOT and CINJECT malware.

    When executed, WORM_VOBFUS.SMIS drops any of these files (porn.exe, secret.exe, and sexy.exe), which in turn downloads the file msn.com (detected as WORM_VOBFUS.SMIT). Note that the filenames of the dropped files use enticing keywords or the names of popular sites like Google and MSN to trick users into thinking these files are harmless.

    WORM_VOBFUS.SMIT is capable of downloading any of the following files, which lead to ZBOT and CINJECT malware:

    • 1pom.exe
    • 2pom.exe
    • 3pom.exe
    • 4pom.exe
    • 5pom.exe

    Posted in Malware



    “There is one thing stronger than all the armies in the world, and that is an idea whose time has come.” – Victor Hugo

    The world has reached a point of inflection in cybercrime. As cyberspace abounds with cyber privateers, and many nations of the world become havens for these modern-day pirates, it appears that 2013 is the year of hacking for criminal gain.

    In our recently released predictions for 2013, our CTO Raimund Genes set out his strategic vision of the future of cybercrime. The predictions highlight advances in the threats we will encounter in 2013, more specifically in the attack vectors used by cybercriminals. Raimund predicts that attackers will shift their strategy from developing sophisticated malware to focusing on the means to infiltrate networks and evade detection.

    As we move to Web 3.0, it is important for us to acknowledge the risk we will face when it comes to our business and digital lifestyles in general. It is also fundamental that we begin to increase our situational awareness of the tactics employed by these actors so as to sustain commerce and finance.

    Posted in Bad Sites, Malware, Mobile, Targeted Attacks



    Using social engineering tricks, a developer can create an app that tricks users into tapping a specially crafted app popup window (called a toast view), making it a gateway for varied threats. This attack, dubbed tapjacking, takes advantage of a specific vulnerability in the Android user interface (UI) component.

    This technique is not very complicated, but it has serious security implications for Android users.

    But before we get into the details of tapjacking, let me explain briefly where this UI vulnerability stems from.

    Introduction to app activity

    Android displays UI elements in units called activities. An activity is a system component that takes up the whole screen and can hold many different views, each of which is a rectangular area shown on the device’s screen.

    Below is an example of an activity that contains two views, namely (1) a text view, where a user can enter text, and (2) a button that a user clicks (or taps). As seen below, an activity may take up the whole screen even if a large part of it is empty (or black). Below is a screenshot* of an activity in the app WarGames:

    An app has several activities, with each activity representing a UI element that may consume the whole screen. The OS manages the different activities using a data structure called a stack, with the most recent activity on top of the stack and the older ones situated below it. The currently displayed activity is always the one on top, and it is the only one that can respond to a user’s tap or swipe.

    Posted in Mobile



    Reports are circulating that a fake installer for Mac OS has surfaced, proving that Mac OS is still fair game when it comes to web threats.

    Our friends from Dr. Web have uncovered a fake installer for Mac OS X, detected as OSX_ARCHSMS.A. Users may encounter this threat by downloading from websites peddling supposedly legitimate software. Once run, it shows an image that looks like an installation wizard window.

    The curious aspect of this threat is that OSX_ARCHSMS.A asks users for their cellphone number and for the verification code to be sent via SMS. When done, users are prompted to agree with the terms and conditions of the program, which include being charged regularly via their mobile phone account. Needless to say, no program is installed and users end up being charged for a fake (and non-existent) program.

    Posted in Mac



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice