Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    July 2013
    S M T W T F S
    « Jun   Aug »
  • Email Subscription

  • About Us

    Archive for July 30th, 2013

    As July winds down, infection counts for PE_EXPIRO have been trending downwards recently. This file infector can infect Windows files on both 32-bit (detected as PE_EXPIRO.JX) and 64-bit (detected as PE64_EXPIRO.JX) systems. At its peak, we saw thousands of infection counts but then dropped eventually (as seen in our Smart Protection Network feedback).


    Because of the threat’s interesting blend of routines (file infector with info theft routines and exploit kit connection), we think that this is a good opportunity to discuss the various solutions that are available to help users. For more information about the threat, users can read our previous entry here.

    Utilizing Trend Micro Solutions To Stamp Out EXPIRO

    First of all, URLs associated with this attack are already blocked to avoid further damage, re-infection, or information leakage. Here’s an example wherein Trend Micro’s OfficeScan Web Reputation Service (WRS) blocked a URL associated to the EXPIRO malware:

    WRS blocks the C&C URLs associated with the EXPIRO malware
    WRS blocks the C&C URLs associated with the EXPIRO malware.

    The above screenshot was taken from OfficeScan 10.6 Service Pack 2 with the Custom Defense Pack. This enhanced version of Officescan allows administrators to visualize high profile attacks; it uses the Trend Micro Smart Protection Network Global Intelligence list to inform administrators of the activities of any C&C servers and point out which hosts may need immediate remediation.

    More detailed information is available if Deep Discovery Inspector is in use. It allows the administrator to watch the network for such events – even if there is no security software installed on the endpoint. For very large networks, it makes it even easier for administrators to determine which endpoint violated a certain policy as they are able to view information – including  the MAC address – of the offending endpoint.

    The following screenshots show the Deep Discovery Inspector can provide about connections to malicious C&C servers, ranging from DNS queries:

    Deep Discovery Inspector’s detection if a connection to a malicious C&C server has been requested (1 of 2)

    To information about the connection:

    Deep Discovery Inspector’s detection if a connection to a malicious C&C server has been requested (2 of 2)

    Files copied to the affected machine:

    Deep Discovery Inspector’s detection via CIFS/SMB (2 of 2)

    And information about the EXPIRO malware itself:

    DDA giving more information about an EXPIRO-infected file (1 of 2)

    Preventing similar infections in the future

    This unusual attack used several noteworthy methods, with both Java and PDF exploits to deliver the file infectors to potentially vulnerable systems. That being said, there are two things that will help minimize similar attacks in the future:

    • Have effective patch management, even for third party software such as Java and Adobe Acrobat
    • Block unknown or unverified web sites. Web sites that are unknown or unverified may contain malicious files. A web filtering solution – either at the gateway or the endpoint itself – may be useful.

    If third party software patch management is not in use, “virtual patching” may be useful. Deep Security or OfficeScan’s Intrusion Detection Firewall plug-ins can prevent vulnerabilities from being executed, preventing these threats from reaching user systems. For more information on the related Deep Security solution, you may read our previous blog entry here.


    One weakness in the network is all that is needed for this threat to re-occur. EXPIRO is indeed a traditional file infector (with an added twist of data stealing) and cleaning systems that have been infected with this malware is pretty straight forward. The various Trend Micro solutions at the disposal of system administrators allows them to effectively fix, and prevent, these threats in the enterprise environment.

    With additional inputs from Jay Yaneza and Rhena Inocencio.

    Posted in Malware | Comments Off on Trend Micro Solutions for PE_EXPIRO

    We spotted yet another threat lurking around social media sites targeting users of either Google Chrome or Mozilla Firefox. This threat uses fake extensions for both browsers to infiltrate user systems and hijack social media accounts – specifically, Facebook, Google+, and Twitter accounts.

    To install these fake extensions, users would see various lures on social media sites to try to get users to install a fake video player update. In reality, this player update is a malicious file detected as TROJ_FEBUSER.A, installs a browser plugin depending on the browser currently being used.

    One earlier version we saw for Google Chrome, detected as JS_FEBUSER.A, identifies itself as Chrome Service Pack 5.0.0. In the case of Mozilla Firefox, the fake plugin is Mozilla Service Pack 5.0.

    Figure 1. Names used by the malicious plugin

    Google Chrome has since flagged this particular plugin as malicious. An updated version of the plugin, detected as JS_FEBUSER.AB, is identified as F-Secure Security Pack 6.1.0 (for Google Chrome) and F-Secure Security Pack 6.1 (for Mozilla Firefox) .

    Figure 2. Names used by the updated malicious file

    Once installed, it connects to a malicious URL to download a configuration file. It uses the details on that configuration file to hijack the user’s social media accounts and perform the following actions, without any authorization from the user:

    • Like pages
    • Share posts
    • Join a group
    • Invite friends to a group
    • Chat with friends
    • Post comments
    • Update status

    This threat tries to perform the above actions on three different social networks: Facebook, Google+, and Twitter. Because of this, in effect, the attackers are able to hijack the accounts of the users and could, for example, use them to spread links to other malicious sites.

    One more thing to note: the fake video player update is digitally signed. Digital signatures are a way for developers and publishers to prove that a file did come from them and has not been modified. Potential victims may take this to mean that the file is legitimate and harmless.

    Figure 3. Valid digital certificate of the malicious video player update file

    It is not yet clear if this signature was fraudulently issued, or a valid organization had their signing key compromised and used for this type of purpose.

    Users are once more reminded to always be aware and vigilant of such scams. Cybercriminals are getting better at making their lures much more convincing, even resorting to abusing legitimate services and users in order to appear legitimate.

    Trend Micro already blocks all URLs associated with this threat and detects the malicious files.

    Update as of July 31, 2013, 6:38 PM PST
    Both TROJ_FEBUSER.AA and JS_FEBUSER.AA have been renamed to TROJ_FEBUSER.A and JS_FEBUSER.A respectively.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice