TrendLabs Security Intelligence Blog

    Archive for January, 2013




    In our 2013 predictions, we noted that malware would evolve only gradually, without much in the way of significant change. One sign of this is the continued use of (otherwise legitimate) hacking tools in APT attacks.

    Why is this a problem? Hacking tools are grayware: anti-malware products do not always detect them, partly because ethical and legal considerations discourage flagging tools that also have legitimate uses. Unfortunately, this means less visibility in APT forensic investigations. It also saves attackers the trouble of writing their own tools. Some of the common hacking tools we see are:

    • Password recovery tools – tools that extract passwords or password hashes stored by applications or the operating system on the local drive or in registry entries. Attackers use the recovered credentials to clone or impersonate user accounts and obtain administrator rights. Pass-the-hash is one common technique: because NTLM authentication accepts the hash itself, an attacker can authenticate to other systems with a stolen hash without ever cracking the password.
    • User account clone tools – used to clone a user account once the attacker has obtained its password. With enough privileges, the attacker can then carry out malicious actions while bypassing the system’s security measures.
    • File manipulation tools – tools for copying, deleting and searching files and for modifying their timestamps. Attackers use them to reset the timestamps of accessed files (“timestomping”) or to delete components, covering the tracks of the compromise, and to locate key documents for extraction, for example by searching for files with specific extensions.
    • Scheduled job tools – software for creating or disabling scheduled tasks. Disabling the tasks that run software updates lowers the security of the infected system; creating tasks lets the attacker, for instance, collect and steal files automatically within a chosen timeframe.
    • FTP tools – tools that handle FTP transactions such as uploading files to a specific FTP site. Because FTP traffic looks less suspicious on the network, some APT threat actors prefer to upload stolen data to a remote FTP site rather than to the actual C&C server. Note that many legitimate FTP applications exist and may also be used by cybercriminals.
    • Data compression tools – neither malicious nor hacking tools in themselves. In most cases these are legitimate file compression tools, such as WinRAR, that attackers use to compress multiple stolen files into one archive; this simplifies the exfiltration phase because the documents can be uploaded as a single file. In a few cases, however, we have seen these applications packaged and configured to compress a predefined set of files.
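    The file manipulation tools above are a forensic problem precisely because they reset timestamps. The following is an added example, not code from the original post, showing the checks an investigator runs to find stomped files. The file records, the acquisition time and the paths are constructed for the example; the three heuristics (a $STANDARD_INFORMATION creation time that precedes the kernel-maintained $FILE_NAME creation time, exactly-zero sub-second components, and dates later than the acquisition) are standard NTFS triage leads, each of which can also have a benign cause.

```python
"""Heuristic triage for timestomped files.

Added example, not from the original post. It runs three checks that
forensic analysts use to spot files whose timestamps were reset by a
file-manipulation tool, over a constructed set of metadata records:

  1. $STANDARD_INFORMATION creation time earlier than $FILE_NAME creation
     time.  User-mode timestamp APIs only touch $SI, so a stomped file's
     $SI dates drift before the kernel-maintained $FN date.  (A renamed or
     moved file can show the same pattern, so treat it as a lead.)
  2. Exactly-zero sub-second components.  Many tools set whole seconds,
     while NTFS normally records 100 ns precision.
  3. Timestamps later than the acquisition time of the image.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileRecord:
    """Timestamps as a forensic tool would export them (all UTC, naive)."""
    path: str
    si_created: datetime      # $STANDARD_INFORMATION creation time
    si_modified: datetime
    si_accessed: datetime
    fn_created: Optional[datetime] = None  # $FILE_NAME creation time, if available


# Assumed acquisition time of the disk image (constructed value).
ACQUIRED_AT = datetime(2013, 1, 15, 12, 0, 0)


def suspicious_timestamps(rec: FileRecord, acquired_at: datetime = ACQUIRED_AT) -> List[str]:
    """Return the reasons a record looks stomped; an empty list means nothing found."""
    reasons: List[str] = []
    if rec.fn_created is not None and rec.si_created < rec.fn_created:
        reasons.append("$SI created precedes $FN created (stomped, or renamed/moved)")
    for name, ts in (("created", rec.si_created),
                     ("modified", rec.si_modified),
                     ("accessed", rec.si_accessed)):
        if ts.microsecond == 0:
            reasons.append(f"{name} has a zero sub-second component")
        if ts > acquired_at:
            reasons.append(f"{name} is later than the acquisition time")
    return reasons


def triage(records: List[FileRecord], acquired_at: datetime = ACQUIRED_AT) -> Dict[str, List[str]]:
    """Map each suspicious path to its reasons; clean files are omitted."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        reasons = suspicious_timestamps(rec, acquired_at)
        if reasons:
            result[rec.path] = reasons
    return result


# Constructed sample records: one ordinary document and one dropped tool
# whose $SI dates were reset to look like part of a 2008 OS install.
SAMPLE_RECORDS = [
    FileRecord(
        path=r"C:\Users\alice\Documents\budget.xlsx",
        si_created=datetime(2013, 1, 10, 9, 0, 0, 123456),
        si_modified=datetime(2013, 1, 12, 10, 30, 5, 654321),
        si_accessed=datetime(2013, 1, 12, 10, 30, 5, 654321),
        fn_created=datetime(2013, 1, 10, 9, 0, 0, 123456),
    ),
    FileRecord(
        path=r"C:\Windows\Temp\tool.exe",
        si_created=datetime(2008, 3, 1, 0, 0, 0),
        si_modified=datetime(2008, 3, 1, 0, 0, 0),
        si_accessed=datetime(2013, 1, 14, 3, 22, 11, 500000),
        fn_created=datetime(2013, 1, 14, 3, 22, 11, 500000),
    ),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

    None of these checks is proof on its own: a file copied from another volume legitimately carries an older modification time, and a rename refreshes $FN. What makes the second record stand out is the combination of all three signals on a binary in a temp directory.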


     



    In 2012, small businesses around the world were shifting toward cloud-based applications and smart mobile devices, changing the way they do business. These trends toward consumerization of IT and cloud adoption are likely to continue and gain momentum in 2013.

    Our experts at Trend Micro have looked at these changes through the lens of our SMB customers to predict the security implications these developments bring. The goal is to help smaller businesses understand what these predictions mean for them in terms of threats in the coming year, and what they can do to prepare for and protect against those threats.

    Our new report, 5 Predictions for 2013 and Beyond: What Should SMBs Look Out For?, boils our predictions down to the areas SMB customers should focus on and outlines specific steps they can take today to protect themselves against threats in 2013.




    The perpetrators of targeted attacks want to maintain a persistent presence in a target network so that they can extract sensitive data when needed. To do so, attackers seek to blend in with normal network traffic and use ports allowed by firewalls.

    Frequently, the malware used in targeted attacks uses HTTP and HTTPS so that it looks like ordinary web traffic. While these tools do give attackers full control over a compromised system, they are often simple and configured to carry out only a few commands.

    Some attackers prefer to use remote access Trojans (RATs), sometimes as “second stage” malware. RATs typically have graphical user interfaces (GUIs) and remote desktop features that include directory browsing, file transfer, taking screenshots, and activating the microphone and web camera of a compromised computer. Publicly available RATs like Gh0st, PoisonIvy, Hupigon, and DRAT, and “closed-released” RATs like MFC Hunter and PlugX, are all in common use. The network traffic these RATs produce is well known and easily detectable, although attackers still use them successfully.

    To get around this, attackers are always looking for ways to blend their malicious traffic with legitimate traffic and avoid detection. We found a family of RATs that we call “FAKEM” that makes its network traffic look like various protocols. Some variants attempt to disguise their traffic as Windows® Messenger and Yahoo!® Messenger traffic. Another variant tries to make the content of its traffic look like ordinary web traffic. The FAKEM RAT appears to have been actively used in attacks since September 2009.
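    Traffic that merely imitates a protocol tends to satisfy a loose check (the destination port, an “HTTP”-looking first line) and fail a strict one. The following is an added example, not code from the original post and not FAKEM’s actual format: it parses a captured TCP payload as an HTTP/1.x request the way an IDS preprocessor would and returns every deviation from the grammar. The three payloads are constructed; the mimic simply has binary data where header lines belong.

```python
"""Strict HTTP request conformance check.

Added example, not from the original post and not FAKEM's actual
signature.  A RAT that dresses its traffic up as another protocol will
usually pass a loose check (destination port, a leading "GET /") but
fail a strict parse of the protocol's grammar.  This function parses a
captured TCP payload as an HTTP/1.x request and returns every deviation.
"""
import re
from typing import Dict, List

# RFC 7230 "token" characters, used for method and header names.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}


def http_conformance_issues(payload: bytes) -> List[str]:
    """Return the ways `payload` deviates from a well-formed HTTP/1.x request."""
    issues: List[str] = []
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        issues.append("header block not terminated by CRLFCRLF")

    # Anything outside printable ASCII (plus CR, LF, TAB) is never valid in headers.
    if any((b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b > 0x7E for b in head):
        issues.append("non-printable bytes in header block")

    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        issues.append("malformed request line")
    elif m.group(1) not in KNOWN_METHODS:
        issues.append(f"unknown method {m.group(1)!r}")

    headers: Dict[bytes, bytes] = {}
    for raw in lines[1:]:
        name, colon, value = raw.partition(b":")
        if not colon or not TOKEN.match(name):
            issues.append(f"malformed header line {raw[:24]!r}")
            continue
        headers[name.lower()] = value.strip()

    if m and lines[0].endswith(b"HTTP/1.1") and b"host" not in headers:
        issues.append("HTTP/1.1 request without Host header")

    # Only meaningful on a complete capture; a truncated stream will mismatch.
    length = headers.get(b"content-length")
    if length is not None:
        if not length.isdigit():
            issues.append("non-numeric Content-Length")
        elif int(length) != len(body):
            issues.append(f"Content-Length {int(length)} but body is {len(body)} bytes")
    return issues


# Constructed payloads: a genuine browser request, a request whose header
# block carries binary data after an HTTP-looking first line, and a
# non-HTTP payload sent to port 80.
GENUINE = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"User-Agent: Mozilla/5.0\r\n"
           b"Accept: */*\r\n\r\n")
MIMIC = (b"GET / HTTP/1.1\r\n"
         b"Host: www.example.com\r\n"
         b"\x00\x01\x7f\xa3beacon\xff\r\n\r\n"
         b"\x00\x00")
RAW = b"\x01\x02\x03\x04"

if __name__ == "__main__":
    for label, data in (("genuine", GENUINE), ("mimic", MIMIC), ("raw", RAW)):
        print(label, http_conformance_issues(data) or "conforms")
```

    The same idea applies to the messenger protocols FAKEM imitates: validate the full message structure, not just the leading magic bytes, and alert on sessions whose first request fails to parse. The Content-Length check should only run on reassembled, complete streams, otherwise every truncated capture raises an alert.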


     



    Just a word of caution to those who will update their systems with the recent Java zero-day security patch: make sure to get it from a reliable source, or else face the possibility of a malware infection.

    Oracle recently released its fix for the much-discussed Java zero-day (CVE-2012-3174) incident, to a lukewarm reception from some quarters, including the US Department of Homeland Security. Meanwhile, we encountered malware posing as a Java update.

    We were alerted to reports of malware that poses as Java Update 11 from an unknown publisher. The fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class, which in turn downloads and executes the malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server, enabling an attacker to take control of the infected system. Users get this fake update by visiting the malicious website {BLOCKED}currencyreport.com/cybercrime-suspect-arrested/javaupdate11.jar.

    [Screenshot: the fake Java update site]
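    Before running any file that claims to be a Java update, an analyst hashes it, lists what is inside and checks whether it is signed at all. The following is an added example, not code from the original post: a first-pass triage of a JAR built entirely in memory. The class bodies, manifest contents and signature files are placeholders constructed for the example, not the real javaupdate11.class. Presence of .SF/.RSA entries only shows that something signed the archive; validity and the signer’s identity still need `jarsigner -verify -verbose`, and a bare .jar served from an unrelated domain is itself a red flag, since Oracle ships Java updates as installers from its own sites.

```python
"""First-pass triage of a suspicious "Java update" JAR.

Added example, not from the original post.  It does what an analyst does
before running anything: hash the file for lookup, list the classes,
check each class file's magic number, read Main-Class from the manifest,
and record whether the JAR carries signature blocks at all.  The sample
JARs are constructed in memory; the class bodies are placeholders, not
the real javaupdate11.class.
"""
import hashlib
import io
import zipfile
from typing import Dict, List

MANIFEST = "META-INF/MANIFEST.MF"
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file starts with this


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Assemble an in-memory JAR (a ZIP) from name -> content (sample builder only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_jar(jar_bytes: bytes) -> Dict[str, object]:
    """Summarise a JAR without executing anything in it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
        classes: List[str] = [n for n in names if n.endswith(".class")]
        # A ".class" entry that lacks the magic number is not a class file at all.
        bad_magic = [n for n in classes if zf.read(n)[:4] != CLASS_MAGIC]
    main_class = None
    for line in manifest.splitlines():
        if line.lower().startswith("main-class:"):
            main_class = line.split(":", 1)[1].strip()
    signature_files = [n for n in names
                       if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)]
    return {
        "sha256": hashlib.sha256(jar_bytes).hexdigest(),
        "classes": classes,
        "bad_class_magic": bad_magic,
        "main_class": main_class,
        "signature_files": signature_files,
        # Presence of .SF/.RSA files only means *something* signed it;
        # validity and signer identity still need `jarsigner -verify -verbose`.
        "has_signature_blocks": bool(signature_files),
    }


# Constructed samples: an unsigned JAR shaped like the fake update described
# above, and a JAR that at least carries signature blocks.
FAKE_UPDATE = build_jar({
    MANIFEST: b"Manifest-Version: 1.0\r\nMain-Class: javaupdate11\r\n\r\n",
    "javaupdate11.class": CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 16,
})
SIGNED_SAMPLE = build_jar({
    MANIFEST: b"Manifest-Version: 1.0\r\n\r\n",
    "META-INF/VENDOR.SF": b"Signature-Version: 1.0\r\n",
    "META-INF/VENDOR.RSA": b"\x30\x82placeholder",
    "com/example/App.class": CLASS_MAGIC + b"\x00" * 20,
})

if __name__ == "__main__":
    for label, jar in (("fake update", FAKE_UPDATE), ("signed sample", SIGNED_SAMPLE)):
        report = triage_jar(jar)
        print(label, report["sha256"][:16], "signed blocks:", report["has_signature_blocks"],
              "main:", report["main_class"], "classes:", report["classes"])
```

    The hash is what you look up in reputation services and your own telemetry; the class list and Main-Class tell you what to decompile first. An unsigned JAR that names itself after a Java update is enough to stop and verify the source before going any further.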


     



    In passing, I recall a conversation with my neighbor in which I mentioned that I work in information security. His next question came quickly: “Why do these scammers want my information?” The more often I am asked this question, the more apparent it becomes that user information is highly valuable.

    Would it surprise you to learn that all of your personal information can be bought on underground forums and sites for as little as $5 (USD)? Some of you may also be surprised to find out that the information for sale isn’t just your name and address; it’s far more than that.

    “Fullz”, as they are called in underground forums, contain far more than credit card numbers, names and dates of birth: they can also include the personal questions asked during account registration, driver’s license details, social security numbers and other information. Fullz are typically delivered in one of several formats. One is a text or .CSV file in which every compromised individual’s details are listed as comma-separated values for easy perusal. Another is a portable database format, such as an .MDF file, ready for import into a local database.

    [Figure 1]

    Just because these scammers are nefarious doesn’t mean they aren’t entrepreneurial. One seller, for instance, offers bulk discounts on orders, as seen in figure 2.

    [Figure 2: a seller offering bulk discounts]

    These scammers also sell “dumps”, the raw data from the magnetic stripe of your credit cards, and “plastics”, blank cards onto which dumps are written.

    Finally, to make scamming even easier, attackers sell direct logins to bank accounts, as well as the shipping of high-end electronics. Bank accounts are sold for direct access to the money: no need to buy dumps and plastics, just log in with the stolen credentials and transfer the funds.

    High-end electronics are also peddled on the black market at reasonable prices. The scammers buy devices at retail using stolen credit card details, then sell them online at a discount for cash.

    [Figure 3]



     

    © Copyright 2013 Trend Micro Inc. All rights reserved.