    TrendLabs Security Intelligence Blog

    Archive for February 13th, 2013



    Feb 13, 11:52 pm (UTC-7)

    Zero-day season is far from over: reports indicate that an exploit was found targeting zero-day vulnerabilities in certain versions of Adobe Reader. This discovery came on the heels of the Adobe Flash Player incident that occurred last week.

    In the related samples we gathered, the exploit is disguised as a .PDF file (detected by Trend Micro as TROJ_PIDIEF.KGM), which is crafted to target still unpatched vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe PDF Reader versions 9, 10, and 11. Once executed, it drops the .DLL file TROJ_INJECT.CPX along with the non-malicious file %User Temp%\Visaform Turkey.pdf. The said file is dropped as a way to hoodwink users into thinking that the specially crafted .PDF file is non-malicious.

    However, in the exploit sample we analyzed, we noticed that it also drops a malicious .DLL file designed for 64-bit machines (detected by Trend Micro as TROJ64_INECT.CPX). The people behind this threat may have included this 64-bit malware in an attempt to evade detection by anti-malware programs.

    To address this issue, Adobe is currently working on a security advisory. The software vendor promises to release updates to address this issue. For the latest developments regarding this incident, readers may check Adobe’s blog.

    Posted in Exploits, Vulnerabilities



    Ransomware is a nasty scam that infiltrates your computer and tricks you into thinking that you’ve done something wrong. Police ransomware in particular informs users that they need to pay their local police a fine.

    We have written detailed reports about these attacks in the past, including multiple blog posts as part of our investigations into this ongoing threat.

    Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police has put the information to good use, and they have just announced in a press conference the arrest of one of the head members of the cybercriminal gang that produces the ransomware strain known as REVETON.




    Recently, ISACA surveyed more than 1,500 infosec professionals as part of their 2012 Advanced Persistent Threat (APT) Awareness Study. The findings are an interesting mix of the good and the bad.

    The ISACA survey results indicate that a majority of professionals are familiar or strongly familiar with APTs, with almost all (96.2%) being at least “somewhat” familiar. This means that at the very least, APTs are already “on the radar” of security professionals and are a known risk.

    Many professionals believe that their organizations are at risk from APTs. Almost two-thirds (63.0%) believe that their organizations are likely or very likely to be the targets of an APT in the future. More than a fifth (21.6%) of those surveyed belong to organizations that have been hit with an APT.

    The risks of APTs are also correctly identified. The top three risks identified by those surveyed were:

    • Loss of intellectual property
    • Loss of personal information of employees or customers
    • Damage to the company’s reputation

    However, the other findings also bring up some serious concerns. For example, more than half (53.4%) of those surveyed said that APTs are “similar” to conventional threats. While this may be true on the surface, there are fundamental differences between APTs and conventional threats. They have different goals and capabilities; understanding these is important to defending against either type of threat. The number may also suggest that a majority still believe that traditional security solutions will identify an APT, which is simply untrue.

    Posted in Data, Malware


     
