Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    May 2013
    S M T W T F S
    « Apr   Jun »
  • Email Subscription

  • About Us

    Archive for May, 2013

    Last week’s OpUSA attacks resulted with no high-profile sites knocked offline, and damage limited to relatively unknown sites compromised and defaced. Still, the attack did show how hackers operate and “claim” their results in high-profile hacking “operations” like OpUSA. Using information provided both by the Smart Protection Network and the attackers themselves (via Pastebin), we were able to see, in part, how these attacks happen. What we found was that the attackers likely “stockpiled” an arsenal of compromised sites ahead of time to enable them to initiate a broad attack without warning.

    We first looked at the sites that hackers had compromised as part of the OpUSA campaign. It quickly became apparent that there were patterns in the compromised URLs: the attackers had frequently uploaded files with names like islam.phpmuslim.htm, jihad.htm, and usa.htm to the compromised site. A legitimate visitor would never visit or see these particular URLs, as they were completely separate from the main site and, in effect, “hidden”.

    Looking at the feedback data provided by the Smart Protection Network, we found something very curious. We found that the URLs that fit the pattern had been accessed the day before the alleged attacks, on May 6. Legitimate users would not be visiting these sites, as we said above. So who was visiting these URLs?

    Based on other evidence, we were able to determine that the sites had been compromised at least two days before May 7. This indicated that the traffic we saw was probably malicious – the attacker, perhaps, checking that the (compromised) site was still up.

    Figure 1. Near-identical lists of compromised sites

    However, the attacker was not doing so directly. We believe that the attacker was doing so via an infected machine that he was using as a proxy; one particular machine that was used this way had detected 89 malicious or suspicious files and accessed 173 malicious websites in the past 30 days. This indicates this particular machine had already been extensively affected by malware, and was in use by cybercriminals for all sorts of purposes – including as a proxy “service”.

    Figure 2. Number of malicious files detected

    What can users learn from this event? Primarily, it’s to treat the damages claimed in these sort of “campaigns” with some skepticism. Based on what we saw, attackers can “stockpile” compromised sites and release them when a major “campaign” like this is conducted, to make their claims of damage more impressive.

    For security professionals, it’s a reminder that campaigns like OpUSA are not always a good indicator of when threats are likely to escalate. Preventing infection ahead of time can ensure you’re not caught up when attackers “flip the switch” on these high-profile campaign.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.


    Patch-Tuesday_grayIT administrators and the likes are expected to have a long day today, as Microsoft releases its security bulletin for May that resolves 33 vulnerabilities. Though this is not Microsoft’s biggest release (April 2011’s 17 bulletins 64 vulnerabilities come to mind), it is crucial for users to apply these security updates, which include a resolution to the zero-day incident involving the US Department of Labor webpage.

    This roster of updates include two Critical bulletins addressing Internet Explorer (IE). The first one resolves around a vulnerability found on IE versions 6 to 10 on all Windows OSs, from Windows XP to Windows 8. It also addresses the vulnerability in IE 10 uncovered during the Pwn2Own contest last March.

    The other critical IE bulletin deals with a vulnerability limited to IE 8, which made the headlines recently because of a related zero-day exploit found in a US Department of Labor webpage. Based on our own investigation, users visiting this compromised site are lead to a series of redirections until their systems are infected with a BKDR_POISON variant.

    Even before this month’s release, Trend Micro Deep Security has been protecting users from this vulnerability via rule 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347).

    The rest of the bulletins were tagged as Important, which includes a security flaw in Windows that may lead to a denial of service (DoS) attack.

    Just like last month, Adobe also released their security bulletins today, which include fixes for Adobe Reader and Acrobat, Flash Player. The software vendor also issued a “security hotfix” for a ColdFusion vulnerability, which is reportedly being exploited in the wild.

    Users are advised to implement these bulletins as soon as possible to avoid exploits similar to the US DoL incident. For more details about how Trend Micro can protect users, you may refer to this Threat Encyclopedia page.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Vulnerabilities | Comments Off on May 2013 Patch Tuesday Includes Critical IE 8 Zero-Day Issue

    App developers often include ads on their applications to increase revenue. These ads feature enticing titles or blurbs to surge more user hits. Typically, clicking these ads either prompt users to download an app or be redirected to a web page. However, cybercriminals who never run out of new ways to spread their deeds, could also use this as a venue to steal user information.

    We recently spotted a fraudulent website which is pushed by ads found in multiple Android apps. (Some of these apps were downloaded from the Google Play store, while others were found from third-party stores.) These ads use popular brands as hooks like “iPhone 5” and “Samsung Galaxy Note II” and supposedly selling these items for a ridiculously low price. Once users click the ad, it will lead them to a website which shows many means to buy the said phones.

    Figure 1. Ad for Samsung Galaxy Note II


    Figure 2. Ad for iPhone 5

    In reality, these sites are just scam sites that try to defraud users out of their money. They do not actually sell the devices they are promoting.

    Figure 3. Fraudulent website advertising Samsung Galaxy Note II

    Figure 4. Fraud website with iPhone 5 ad

    These ads are being delivered by a large, mainstream ad network, which claims to be used by more than 90,000 apps. While this attack is currently limited to Chinese users, because of the large number of apps on this particular ad network it is possible that similar attacks will be delivered to other users in the future.

    Last March, we blogged about Google’s decision to remove apps that block ads and the potential risks this may pose on unsuspecting users. No doubt the insufficient audit of ads on the Android platform may lead to more fraud, phishing attacks or even malware distribution. We recommend ad providers to provide more powerful audit mechanisms to protect users from attacks leveraging ads.

    Trend Micro protects users from this attack by blocking the said malicious website. We also advise Android users to be cautious in clicking ads on their devices as this may potentially lead to information and identity theft. For better protection of your devices, users should also be wary of other mobile threats like malicious URLs and mobile phishing sites.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Bad Sites, Mobile | Comments Off on Mobile Ads Pushed by Android Apps Lead to Scam Sites

    Last April 23 – 25, I attended the seventh Counter eCrime Operations Summit (CeCOS VII) initiated by the Anti-Phishing Working Group (APWG). This year, the conference was held in Buenos Aires, Argentina. Security experts from Japan, Paraguay, Brazil, North America, Russia, and India flew to the South American city to discuss about the developments in the cybercrime arena. Together with 8 other participants from Japan, I arrived in Buenos Aires after a 38-hour flight. However, the talks and the level of energy in the conference definitely made the whole trip worth it.

    Overall, CeCOS featured 23 sessions divided into eight tracks, including two panel discussions. Aside from attending interesting talks, I also participated as a speaker at the event.

    I was very much interested in attending two talks: the National Field Reports and Mobile Attack Sessions. The National Field report particularly intrigued me, as it argues that the threat landscape of a particular country is a reflection of what’s happening globally.

    By now, it’s pretty much established that the mobile platform is the latest cybercrime battlefield, so I think it’s crucial to know what’s happening in the mobile threat front.

    As I mentioned earlier, I also participated as a speaker. As the representative of the anti-phishing council of Japan (CAPJ), I gave the talk Finding the Banking Trojan in Eastern Asia.

    Speaking at CeCOS VII

    Japanese-language phishing emails were first spotted in 2004 and since then, these mails have poured in and caused serious damage. As technology developed, these emails took more subtle forms, which made detection more difficult. In addition, instead of direct links to phishing sites or a malicious attachment, phishing sites instead contain links to compromised sites that eventually lead users to malicious sites that contain exploit kits.

    As we all know, attackers are already expanding their threats to other platforms, particularly mobile. Thus, I presented my analysis of ANDROIDOS_CHEST, which targets Android OS and was reportedly found affecting South Korea. Users would receive text messages offering free coupons for either movie tickets, fast food, or coffee if the user downloaded an app, which was actually ANDROIDOS_CHEST.

    The malware monitors and gathers text messages in order to defeat two-factor authentication done via text messaging. ANDROIDOS_CHEST then sends the gathered messages to the attacker.

    The most important question though is, how can users protect themselves from the threats of phishing? The CAPJ has these tips:

    1. Keep your computer safe.
    2. Beware of suspicious emails.
    3. Access and bookmark legitimate URLS.

    Another helpful advice is to always keep your systems updated with the latest security patches for your system. As Banking Trojans are usually delivered through exploit kits (by way of phishimg emails), users are protected from exploits that target old vulnerabilities.

    Trend Micro provides tools and technologies that help protect users against security breaches and data theft. Trend Micro DirectPass manages your passwords so that using and remembering unique passwords for multiple accounts is no longer difficult. Trend Micro Mobile Security protects against threats like ANDROIDOS_CHEST that are on mobile devices. The Smart Protection Network provides both email and web reputation, blocking these threats before they arrive on user systems.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Malware, Mobile, Spam | Comments Off on Finding Banking Trojans in Eastern Asia – Report From CeCOS VII

    Recent incidents highlight how frequently – and creatively – cybercriminals try to steal data. From “homemade browsers” to million-user data breaches, to the daily theft carried out every day by infostealers and phishing attacks, every day.

    All this stolen information ends up for sale in the underground to the highest bidder. From there, it can be used in many uniformly illegal ways – from identity theft, to credit card fraud, to launching attacks on other users. They can also be used to buy either expensive goods (which are then shipped to the cybercriminals), or pay for “bulletproof” web hosting that is frequently used for malicious sites. These may not cost that much individually, but the losses to users can be significant.

    It’s not just the fruits of cybercrime that are bought and sold in the underground – so are the tools, like exploit kits, vulnerabilities, and malware toolkits as well. Price tags here can reach the thousands of dollars, particularly for more advanced and sophisticated tools.

    There is so much money in the underground that it has become organized and systematic, much like real-world businesses. While the specifics of how the underground has organized itself varies from region to region, the mere fact that it has organized itself is noteworthy – both to allow for more information and tools to be sold, as well as reducing the risks of getting caught.

    Our new infographic – The Cybercriminal Underground: How Cybercriminals Are Getting Better At Stealing Your Money – explores what items are being sold and bought in the cybercrime underground, how the underground is organized, and how users are directly affected. It’s an excellent way to understand what users are up against in securing their information online. It may be viewed by clicking oh the thumbail below:

    To view all infographics from TrendLabs, visit

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice