
    Archive for February, 2013

In our Security Predictions for this year, Trend Micro CTO Raimund Genes predicted that conventional malware would evolve only gradually. Instead of distributing new threats, malware authors will focus more on refining their tools and the way attacks are conducted.

In particular, we will see developments in their stealth tactics, aimed at evading the countermeasures of security researchers and vendors. The clearest example is the release of Blackhole Exploit Kit (BHEK) 2.0, which was a direct response to successful efforts to block earlier BHEK versions.

In the past few days, we were alerted to the following string of incidents, in which old malware variants and threats incorporate certain tricks in an attempt to avoid detection.

    • Certain versions of Kelihos (detected as BKDR_KELIHOS.NAP) recently surfaced in the wild. Reports indicate that this Kelihos variant calls the SleepEx function. With this sleep call, the malware stays inactive for a set period, which can keep automated analysis systems from ever observing its malicious routines before they give up. Neither Kelihos nor extended sleep calls are new in the threat landscape; combined, however, they make a potent threat that users should be wary of.
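The evasion described in the Kelihos item above, as an added example that is not code from the original post or from Trend Micro. A harmless stand-in "sample" sleeps for a long interval before doing anything observable; a simulated sandbox with a fixed observation budget first runs it with the sleep unhooked (the payload never executes inside the budget), then with a sleep-skipping hook that records the requested wait, returns immediately, and flags the long sleep itself as an indicator. The 600-second delay, the 60-second budget and the 300-second "suspicious sleep" threshold are illustrative assumptions, and the clock is virtual so the example runs instantly.

```python
"""Extended-sleep evasion versus a sleep-skipping analysis hook.

Added example, not code from the original post. The 'sample' is a harmless
stand-in for the behaviour described in the text: it calls a sleep routine for
a long interval and only then does anything worth logging. All durations are
assumed, illustrative values.
"""

LONG_SLEEP_SECONDS = 600          # assumed delay, SleepEx-style
SUSPICIOUS_SLEEP_SECONDS = 300    # assumed threshold for 'this sleep is evasive'


class AnalysisTimeout(Exception):
    """Raised when the virtual clock passes the analysis budget."""


def evasive_sample(sleep, behaviour_log):
    """Stand-in sample: idle first, act later. The sleep routine is injected so
    the sandbox can hook it, just as a real sandbox hooks Sleep/SleepEx."""
    sleep(LONG_SLEEP_SECONDS)
    behaviour_log.append("connect_c2")      # what the analyst wants to capture
    behaviour_log.append("persist_run_key")
    return behaviour_log


def analyse(sample, budget_seconds, skip_sleeps):
    """Run `sample` under a simulated sandbox and return what was observed.

    A virtual clock stands in for wall-clock time. With skip_sleeps=False the
    hook behaves like an un-hooked sleep: the requested time elapses and the
    budget runs out before the payload executes. With skip_sleeps=True the hook
    records the request and returns at once, so the payload runs within budget.
    """
    clock = 0.0
    sleeps = []
    behaviour = []

    def hooked_sleep(seconds):
        nonlocal clock
        sleeps.append(seconds)
        clock += 0.0 if skip_sleeps else seconds
        if clock > budget_seconds:
            raise AnalysisTimeout()

    timed_out = False
    try:
        sample(hooked_sleep, behaviour)
    except AnalysisTimeout:
        timed_out = True

    return {
        "behaviour": behaviour,
        "sleeps": sleeps,
        "timed_out": timed_out,
        # The long sleep request is itself worth reporting, even when skipped.
        "long_sleep_seen": any(s >= SUSPICIOUS_SLEEP_SECONDS for s in sleeps),
    }


if __name__ == "__main__":
    print("unhooked sleep:", analyse(evasive_sample, 60, skip_sleeps=False))
    print("sleep skipping:", analyse(evasive_sample, 60, skip_sleeps=True))
```

The caveat a practitioner should keep in mind: a sample that compares a tick count or wall-clock reading before and after the sleep will notice that no time really passed, so sandboxes that skip sleeps also have to advance the guest's visible clock consistently, otherwise the skip becomes its own tell.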

Same Old Brand New Malware Tricks (posted in Malware)


Some of the apps discussed in this blog entry were developed with an older adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to add this capability in order to comply with Google's developer policies; apps that use the newer version are no longer considered high-risk.

    More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.

    Valentine’s Day is here, and once again, we remind users to be careful online during this special occasion, whether or not you have a reason to celebrate it. Several entries in this blog should have already established Valentine’s Day (or love in general) as a favorite topic used by cybercriminals, and this year is no exception. Granted, with today’s more digitally connected lives, other love- and relationship-related issues come to mind—online privacy and reputation management (do you share passwords with your loved ones?) and inappropriate content (sexting), to name a few—but looking at the data gathered through the global sensors of our Smart Protection Network™, the more, shall we say, “old-school” web threats are still getting some traction.

Below is a 30-day snapshot of hits to malicious sites and of detected files containing the keyword "valentine":


    Figure 1. Malicious URL hits related to “valentine” from January to Feb. 14


    Figure 2. Malware detections related to “valentine” from January to Feb. 14

The rising trend as February 14 approaches is not surprising. Nor is the correlation between the file and web reputation data; indeed, it seems that the majority of the Valentine-related threats that affected users are Trojans that usually arrive via malicious sites. We can assume that these users were searching for something Valentine-related, clicked a link, and the Trojan was downloaded automatically.

But what are these users actually looking for? "My Bloody Valentine" (pirated copies of the film and of the band's music) aside, several of the URL keywords we've seen still reflect the commercial side of Valentine's Day. These range from coupons, to e-cards, to "last-minute gift ideas." More interesting, though, is that some of these keywords reflect the user's "post-PC" behavior: terms like "free download happy valentine day 2012 love quotes funny sms text" and the various "wallpaper backgrounds" or "animated gifs" were seen, indicating a shift in user behavior towards something more social (posting images and GIFs on Facebook or Tumblr) and mobile (sending texts, MMS, etc.).



The new zero-day vulnerability in Adobe Reader may have some people wondering if there is a way to use Portable Document Format (PDF) files more safely. The answer is yes: you can reduce your risk when using PDF files. Here's how.

    First of all – and this can’t be stressed enough – keep your PDF reader up to date. Many popular PDF readers incorporate some sort of autoupdate function to make this easier for you. Be careful about downloading “updates” from unknown download sites, as frequently these turn out to be malicious. Use the built-in autoupdate feature or download directly from the developer’s website instead.

We also won't repeat the usual advice (don't open suspicious files or websites, and so on). Let's assume that if an attack does occur, it will come by a reasonably non-obvious route, like a Blackhole spam run.

You can be exposed to malicious PDF files in many ways, but broadly speaking they fall into two categories: in the browser or out of it. In-the-browser attacks are just that: PDF files opened within the browser, using either an external plug-in or the browser's own capabilities. Exploit kits are an example of how users are exposed to PDF files in their browser.

By contrast, an out-of-the-browser attack looks like this: a file is saved onto the computer from a mail client or the browser and then opened in the PDF reader itself.

What you can do in the first case is reduce your reliance on plug-ins to open PDF files. Both Google Chrome and Mozilla Firefox can use integrated PDF readers that make an external application unnecessary. (For Chrome, it comes built-in; for Firefox it has to be downloaded as a separate add-on.) To use these, it may be necessary to disable any plug-ins installed by PDF readers. The way to do this differs from browser to browser.
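Whichever route a PDF arrives by, a practitioner usually wants a quick way to tell whether a file carries the features exploit documents rely on before anyone opens it. The following is an added example, not code from the original post or from Trend Micro: it scans a PDF for the name objects that drive most malicious documents, decodes the #xx hex escapes the PDF syntax allows inside names (a common way to hide exactly these keywords from naive string scans), and inflates FlateDecode streams so names buried in compressed object streams are seen as well. The three sample documents are constructed skeletons built inline, not real files, and the JavaScript in them is an innocuous app.alert().

```python
"""Static triage of a PDF for active-content triggers.

Added example, not code from the original post. Looks for risky name objects in
the raw syntax and inside inflated FlateDecode streams, resolving #xx escapes
in names first. Sample documents below are constructed, not real malware.
"""
import re
import zlib

RISKY = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action runs as soon as the document opens",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia": "embedded Flash / rich media",
}

# A name is '/' followed by regular characters; delimiters and whitespace end it.
NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# Stream bodies; \bstream keeps 'endstream' from matching as a stream start.
STREAM = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)


def decode_name(token):
    """Resolve #xx escapes inside a name: /#4Aava#53cript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token)


def risky_names(data):
    """Count occurrences of each risky name in a chunk of PDF syntax."""
    counts = {}
    for token in NAME.findall(data):
        name = decode_name(token)
        if name in RISKY:
            counts[name] = counts.get(name, 0) + 1
    return counts


def inflated_streams(data):
    """Yield inflated bodies of streams whose dictionary names /FlateDecode."""
    for m in STREAM.finditer(data):
        head = data[max(0, m.start() - 200):m.start()]
        if b"/FlateDecode" not in head:
            continue
        # decompressobj tolerates a truncated trailer or trailing junk, which
        # a line-ending-based split of the stream body can produce.
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # damaged or not really deflate: skip rather than crash


def triage(pdf_bytes):
    """Return risky names found (raw syntax plus inflated streams) and a verdict."""
    counts = risky_names(pdf_bytes)
    for body in inflated_streams(pdf_bytes):
        for name, n in risky_names(body).items():
            counts[name] = counts.get(name, 0) + n
    findings = {k.decode(): (n, RISKY[k]) for k, n in counts.items()}
    verdict = "suspicious: active content present" if findings else "no active-content triggers found"
    return {"findings": findings, "verdict": verdict}


# --- constructed sample documents (minimal skeletons, not meant to render) ---
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# /#4FpenAction and /#4Aava#53cript are /OpenAction and /JavaScript, hex-escaped.
OBFUSCATED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /#4FpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /S /#4Aava#53cript /JS (app.alert('x')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# The same action dictionary hidden inside a Flate-compressed object stream.
_inner = b"<< /S /JavaScript /JS (app.alert('x')) >>"
_deflated = zlib.compress(_inner)
COMPRESSED_PDF = (
    b"%PDF-1.5\n"
    b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_deflated)).encode() + b" >>\nstream\n" + _deflated
    + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_PDF), ("obfuscated", OBFUSCATED_PDF),
                       ("compressed", COMPRESSED_PDF)]:
        print(label, triage(doc))
```

A clean result is only as good as the decoding: encrypted documents, filters other than FlateDecode, and objects split across incremental updates are not handled here, so treat this as a first-pass filter for what to open only in a sandbox or an integrated reader, not as a verdict.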



11:52 pm (UTC-7)

    Zero-day season is far from over as reports indicate that an exploit was found targeting zero-day vulnerabilities for certain versions of Adobe Reader. This discovery came on the heels of the recent Adobe Flash Player incident that occurred last week.

In the related samples we gathered, the exploit is disguised as a .PDF file (detected by Trend Micro as TROJ_PIDIEF.KGM) crafted to target the still-unpatched vulnerabilities CVE-2013-0640 and CVE-2013-0641 in Adobe Reader versions 9, 10, and 11. Once opened, it drops the .DLL file TROJ_INJECT.CPX along with the non-malicious file %User Temp%\Visaform Turkey.pdf. The decoy document is dropped to make users believe the specially crafted .PDF file is harmless.

In the exploit sample we analyzed, we also noticed that it drops a malicious .DLL file built for 64-bit machines (detected by Trend Micro as TROJ64_INECT.CPX). The people behind this threat may have included the 64-bit component in an attempt to evade detection by anti-malware programs.

    To address this issue, Adobe is currently working on a security advisory. The software vendor promises to release updates to address this issue. For the latest developments regarding this incident, readers may check Adobe’s blog.


Zero-Day Vulnerability Hits Adobe Reader (posted in Exploits, Vulnerabilities)

Ransomware is a nasty scam that infiltrates your computer and tricks you into thinking you have done something wrong. Police ransomware in particular tells users that they need to pay their local police a fine.

    We have written detailed reports about these attacks in the past, including multiple blog posts as part of our investigations into this ongoing threat.

Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities in several European countries, especially Spain. Today, we are very happy to report that the Spanish Police have put the information to good use: they have just announced in a press conference the arrest of one of the leading members of the cybercriminal gang that produces the ransomware strain known as REVETON.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice