TrendLabs Security Intelligence Blog

    Archive for April, 2013




    Last week, a rather interesting complaint was filed before the Federal Trade Commission. In a 16-page complaint, the American Civil Liberties Union described the lack of updates for many Android devices as “unfair and deceptive business practices”. The complaint went on to ask the respondents (the top four wireless carriers in the United States) to let customers with unpatched (and vulnerable) devices out of their contracts early.

It is worth noting that the FTC settled with HTC just two months ago over the Carrier IQ controversy. Unpatched vulnerabilities were a key part of that settlement: HTC agreed to patch them within 30 days. Ordering the fixes was laudable, but it was hardly timely; Carrier IQ came into the limelight in late 2011.

What the complaint does do is push the Android update problem beyond tech industry circles and into the hands of regulators. Two years ago, at Google I/O, the Android Update Alliance was unveiled: Google promised to work with both carriers and device manufacturers to keep devices updated for 18 months after they were released. Unfortunately, almost nothing has been heard from the alliance since then.

Let’s consider Google’s own statistics. The most common version of Android in use is… Android 2.3 (Gingerbread), which was last updated in September 2011. The percentage of users on the latest version, Android 4.2 (Jelly Bean), is… 2%. It is rumored that the next version of Android, codenamed Key Lime Pie, will be released as soon as this May. It’s quite possible that 4.2 will not even reach a double-digit share by the time its successor is released.


Posted in Mobile



    There’s a saying in journalism: report the news, don’t be the news.

Unfortunately, today the Associated Press (AP) ran afoul of that rule by having its Twitter account hijacked.

In good journalistic fashion, they are telling their own story quickly and with as many facts as possible. It sounds like they saw a phishing attack against their network just before the account was hijacked. While they don’t connect the two, it’s certainly possible that this is how the attackers obtained AP’s credentials.

Once the attackers had control, they used it to send a bogus tweet claiming there had been explosions at the White House that injured President Barack Obama. Proving that social media and Twitter hacking have real-world consequences, the Dow Jones average dropped 143 points on the news (but later recovered). The account and other AP accounts have been suspended while AP works with Twitter to verify that it has control of the accounts.


Posted in Social



Evasion is always a goal of cybercriminals, and they are not above misusing legitimate sites and services to hide malicious activity. One recent example is BKDR_VERNOT.A, which tried to use Evernote to hide its activities. Another variant of this malware was recently spotted; this one uses a Japanese blogging platform as its command-and-control (C&C) server, and it was able to log in successfully.

Figure: Network activity of BKDR_VERNOT.B

BKDR_VERNOT.B logs in and creates a draft whose title is the affected machine’s computer name. It then adds the text “$_$Today is a very important day for me.$” and the date and time the malware was executed to the draft.

It may use the drafts both as a drop-off point for stolen information and as the C&C channel from which it gets its backdoor commands. The stolen information includes the computer’s OS information, time zone, and user name.

    After getting commands from the blog account, the malware may execute the following backdoor commands:

    • Download files
    • Execute files
    • Rename files
    • Extract archive files
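The draft layout described above gives an incident responder something concrete to search for once the abused blog account (or the captured draft-save requests) is in hand: a title that is a Windows computer name, the fixed marker string, and a timestamp. The following triage helper is an added example, not Trend Micro’s code or the malware’s; it takes drafts as (title, body) pairs and treats everything the page does not specify (the exact timestamp format after the marker, and whatever stolen data or commands follow it) as an assumption, which is why it returns that tail as raw text rather than parsing it. The sample drafts are constructed.

```python
"""Triage drafts for the BKDR_VERNOT.B dead-drop pattern.

Added example (not Trend Micro's or the malware's code). Input is a list of
(title, body) pairs, e.g. an export of the abused blog account's drafts.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Marker the page reports the malware writes into every draft it creates.
MARKER = "$_$Today is a very important day for me.$"

# ASSUMPTION: the date/time the malware appends is "YYYY-MM-DD HH:MM:SS".
TS_RE = re.compile(r"\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# NetBIOS computer names are at most 15 characters of letters, digits and
# hyphens; a draft title that fits is consistent with "title = computer name".
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}$")


@dataclass
class VernotHit:
    computer_name: str           # draft title (the infected host's name)
    executed_at: Optional[datetime]
    payload: str                 # text after the timestamp, unparsed
    title_looks_like_host: bool


def parse_draft(title: str, body: str) -> Optional[VernotHit]:
    """Return a hit if the body carries the VERNOT marker, else None."""
    idx = body.find(MARKER)
    if idx < 0:
        return None
    rest = body[idx + len(MARKER):]
    executed_at = None
    m = TS_RE.match(rest)
    if m:
        executed_at = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        rest = rest[m.end():]
    name = title.strip()
    return VernotHit(
        computer_name=name,
        executed_at=executed_at,
        payload=rest.strip(),
        title_looks_like_host=bool(HOSTNAME_RE.match(name)),
    )


def triage(drafts: List[Tuple[str, str]]) -> List[VernotHit]:
    """Scan all drafts; hits are ordered by execution time (unknown first)."""
    hits = [h for h in (parse_draft(t, b) for t, b in drafts) if h]
    hits.sort(key=lambda h: h.executed_at or datetime.min)
    return hits


# Constructed sample drafts (not real data): one benign post, two infected
# hosts, and one draft that has the marker but no timestamp or host-like title.
SAMPLE_DRAFTS = [
    ("Weekend in Hakone", "Photos from the trip, will post next week."),
    ("WKS-ACCT-07", MARKER + " 2013-04-18 09:12:44\nOS: Windows XP SP3\nTZ: UTC+09:00\nUser: tanaka"),
    ("LAPTOP-JDOE", MARKER + " 2013-04-17 23:01:05\nOS: Windows 7\nTZ: UTC-05:00\nUser: jdoe"),
    ("Draft notes", "Reminder: " + MARKER),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_DRAFTS):
        print(hit)
```

Hits whose title does not look like a computer name, or that lack a timestamp, are still reported rather than dropped: an analyst wants to see every draft carrying the marker, and the two flags tell them which ones fit the full pattern and which deserve a closer look.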


Posted in Malware


Apr 22, 9:10 pm (UTC-7)

Looking back at the first quarter of the year, the highlight – or, perhaps more appropriately, lowlight – was clear. Popular software packages like Reader/Acrobat, Flash, and Java all had to deal with multiple zero-day exploits during the quarter – exploits that were widely available in underground circles long before any patches were made available by the vendors.

Having one high-profile incident like that in a quarter is significant in and of itself, but having multiple ones that affect different applications is even more unusual. Users were repeatedly put at increased risk of downloading malicious files, through no fault of their own. In the absence of an official patch from the vendors, home users had no effective way to protect themselves. Such was the scale of the problem that the US Department of Homeland Security urged users to remove Java if they didn’t need it.

    These exploits were soon incorporated into exploit kits, which became something of a growth industry in the quarter as well. In addition to the familiar Blackhole Exploit Kit, we saw new ones like Whitehole and Cool emerge as well.

The spectre of destructive attacks (as we outlined in our 2013 predictions) was raised, too, when a large-scale attack took many computers in South Korea offline by deleting their Master Boot Record (MBR), rendering them unable to boot. The identity of those responsible for these attacks remains unclear.

    For full details about these and other threats encountered in the first quarter of 2013, you may consult our just-published 1Q Security Roundup. An online version has also been made available for more convenient viewing.

Posted in Bad Sites



In the past few weeks, many WordPress blogs have been the target of a large-scale brute-force attack. The attackers try password after password against WordPress dashboards and, once in, plant malicious code on the compromised blogs and websites.

It’s important to note what these attacks aren’t. They are not compromising WordPress blogs through known vulnerabilities in unpatched versions; if anything, this attack is less sophisticated than that: it merely tries to log into the default admin account with various passwords. If it succeeds, it adds code to the blog that redirects visitors to Blackhole Exploit Kit pages.

    We have been monitoring these attacks, and we can confirm that they are indeed taking place. Because they add distinctive URLs to the blogs they have compromised, we can identify the scale of this attack, as seen by the Smart Protection Network.

    Over a one-day period, we identified more than 1,800 distinct sites that had been compromised by this attack. This represents a significant increase over the typical number of compromised WordPress sites that we encounter over the same period, highlighting the increased activity related to this particular campaign.
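Site operators can spot the login hammering described above in their own web server logs, without any vulnerability scanner. The script below is an added example, not Trend Micro’s code or the Smart Protection Network’s detection logic. It parses combined-format access log lines (the sample lines are constructed) and relies on default WordPress behaviour: a failed login re-renders wp-login.php with HTTP 200, while a successful one answers with a 302 redirect into wp-admin, so a burst of POST/200 pairs followed by a 302 from the same address is a brute-force attempt that most likely found the password. The threshold and window are illustrative choices.

```python
"""Flag brute-force logins against wp-login.php in combined-format access logs.

Added example (not Trend Micro's code). Assumes default WordPress behaviour:
failed login -> 200 (form re-rendered), successful login -> 302 redirect.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_wp_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: {...}} for addresses with >= threshold failed POSTs to
    wp-login.php inside any `window`, noting whether a 302 (success) followed."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["ts"], rec["status"]))

    alerts = {}
    for ip, events in posts.items():
        events.sort()
        failures = [ts for ts, st in events if st == 200]
        # Sliding window over failure timestamps: largest burst seen.
        peak, start = 0, 0
        for end, ts in enumerate(failures):
            while ts - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # A 302 at or after the first failure means a password worked.
            success = any(st == 302 and ts >= failures[0] for ts, st in events)
            alerts[ip] = {"failures": len(failures), "peak_in_window": peak,
                          "compromised": success}
    return alerts


def make_sample_log():
    """Constructed log lines (not real traffic): one attacker posting to
    wp-login.php every 3 s until a 302 lands, one user who mistypes once."""
    base = datetime(2013, 4, 12, 3, 14, 0, tzinfo=timezone.utc)
    tmpl = '{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {st} 3579 "-" "Mozilla/5.0"'

    def line(ip, offset, st):
        return tmpl.format(ip=ip, ts=(base + offset).strftime(TS_FMT), st=st)

    lines = [line("203.0.113.5", timedelta(seconds=3 * i), 200) for i in range(25)]
    lines.append(line("203.0.113.5", timedelta(seconds=80), 302))
    lines.append(line("198.51.100.7", timedelta(minutes=2), 200))
    lines.append(line("198.51.100.7", timedelta(minutes=2, seconds=20), 302))
    lines.append('198.51.100.7 - - [12/Apr/2013:03:16:21 +0000] '
                 '"GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_wp_bruteforce(make_sample_log()).items():
        print(ip, info)
```

An address flagged as compromised is a cue to inspect the site for injected redirect code and rotate the password, not just to block the source. Because this campaign targets the default admin account, the cheapest preventive measure is to stop using that account name at all and to give the remaining administrator accounts long, unique passwords.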


Posted in Bad Sites


© Copyright 2013 Trend Micro Inc. All rights reserved.