    Archive for July, 2013

    Since the first official announcement in early December last year, the world has eagerly awaited the birth of the firstborn child of Prince William and Kate Middleton. After months of anticipation, the Duchess of Cambridge gave birth to a son, the new Prince of Cambridge, a couple of days ago.

    But amid the celebrations, an old threat resurfaced: we spotted spammed messages related to the royal baby’s birth. The speed at which these messages appeared is remarkable, considering the official announcement was made on July 22nd at 4:24pm (BST).

    Figure 1. Sample spam email about the royal baby


    Figure 2. “Royal Baby” related threats started appearing half a day after the official announcement

    These messages appear to come from ScribbleLive, a service that provides real-time engagement platforms. The offer is, of course, false, and clicking on the links in the email only triggers the multiple redirections that are typical of Blackhole Exploit Kit (BHEK) spam runs. BHEK’s landing page is used by cybercriminals to determine which software versions a victim is running, so that the page can deliver the “correct” exploit.

    In this case, the script that triggers the redirections is detected as JS_OBFUSC.BEB. Based on initial reports, the US, Japan, and Australia were the top countries accessing the final URL in the infection chain. As more users from the UK go online during their morning looking for news about the royal baby, we can expect to see more infection hits from that region.
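    The lure described above relies on a branded sender whose links lead somewhere else entirely. The following is an added example, not code from the original post or from Trend Micro, showing one defensive check a mail gateway or analyst script can run: parse the message, take the sender's domain, and list every link domain that does not belong to it. The sample message, the `scribblelive.example` address and the `cdn-static.example.net` link are constructed placeholders.

```python
"""Added example (not from the original post): flag e-mails whose branded
sender does not match where their links actually point. Sample is constructed."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: the display name claims one brand, the "Read more"
# link points at an unrelated host (the pattern seen in BHEK spam runs).
SAMPLE_EMAIL = """\
From: "ScribbleLive" <news@scribblelive.example>
To: victim@example.org
Subject: The Royal Baby: Live Updates
Content-Type: text/html; charset=utf-8

<html><body>
<p>Follow the royal birth live.</p>
<a href="http://cdn-static.example.net/royal/index.php">Read more</a>
<a href="http://scribblelive.example/unsubscribe">Unsubscribe</a>
</body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def registered_domain(host):
    """Crude 'brand' domain: keep the last two labels (a.b.example.net -> example.net)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    """Domain of the From: address (not the display name, which the spammer controls)."""
    _name, address = email.utils.parseaddr(str(msg["From"]))
    return registered_domain(address.split("@")[-1])


def link_domains(html):
    """Registered domains of every href in the HTML body."""
    return {registered_domain(urlparse(u).hostname or "") for u in HREF_RE.findall(html)}


def analyze(raw):
    """Return the sender domain, all link domains, and the links that don't match."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    sender = sender_domain(msg)
    links = link_domains(html)
    foreign = sorted(d for d in links if d and d != sender)
    return {
        "sender_domain": sender,
        "link_domains": sorted(links),
        "foreign_links": foreign,
        "suspicious": bool(foreign),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

    A mismatch alone is not proof of malice (newsletters commonly link to tracking hosts), so in practice this result is one signal among several; it is, however, cheap to compute and catches the exact shape of lure the post describes.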

    Figure 3. More than half of the hits came from the US

    Exploit kits such as the Blackhole Exploit Kit offer cybercriminals great convenience when deploying spam runs: it becomes much easier for them to modify the different aspects of a run, namely its social engineering lure, the exploits it uses, and its payloads.

    These social engineering lures often come in the form of recent events, such as the Boston Marathon incident and the election of Pope Francis.

    This particular BHEK run is not limited to the royal baby. Other spammed messages took advantage of the controversy surrounding the upcoming sci-fi film Ender’s Game. These messages are made to look like a CNN article, but clicking on their links triggers the same redirections as the royal baby spam.

    Figure 4. Sample spam email about Ender’s Game

    Additional analysis by Maela Angeles and Ruby Santos

    Update as of July 25, 8:00 PM PDT

    We have found another spam run using this theme. This one pretends to be a CNN news story discussing what the US president would give as a gift to mark the birth:

    Figure 2: Fake CNN news report

    The exploit kit code is detected as JS_OBFUSC.BEB, with the Java exploit detected as JAVA_EXPLOYT.RO. This particular exploit targets two vulnerabilities in Java: CVE-2013-1493 and CVE-2013-2423. Both of these vulnerabilities have been patched by Oracle. The ultimate payload is a Trojan detected as TROJ_MEDFOS.JET.

    Additional analysis by Hadden Xiao, Mark Tang, Mark Aquino and Adrian Cofreros

    Posted in Spam | Comments Off on The Birth of the Royal Baby Blackhole Exploit Kit Run

    The original Plants vs. Zombies game enjoyed a great deal of popularity when PopCap Studios released it on iOS in 2010 and on Android in 2011. Now, with the release of its sequel approaching (it has been soft-launched in New Zealand and Australia), cybercriminals have already begun taking advantage of the hype.

    The first trickle of threats came around July 16, 2013, when we discovered a survey scam website hosted on Blogger and linked from a YouTube video page. It was a typical survey scam, with no malware tied to its bait.



    More PvZ2-related threats popped up on our radar after that. Up to July 22, we discovered no fewer than seven of them in Google Play alone, either as a fake app download or as a ‘downloader’ for the app itself. One of them was a fake app that pushed malicious ads to the user; it is detected as ANDROIDOS_FAKEZOMB.A. We expect to find more in the coming days.



    Google has been commendably quick in handling the threats found in Google Play, however. As of this writing, all of the fake apps have been removed from the store, and the fake ‘developers’ offering them for download have been suspended. Similar scams and frauds have also been suspended within 24 hours of being put up in the app market.

    The existence of these threats and the social engineering behind them is nothing new – we’ve reported incidents like these in the past, targeting games like Candy Crush, Bad Piggies and Temple Run. What is worth noting here are the patterns emerging with each fake app download scam we see in Google Play. These are:

    • The use of popular, up-and-coming sequels to high-profile game apps already available in the iOS App Store but not yet in Google Play
    • The fake apps ask for 5-star ratings and reviews before they can be ‘played’
    • The fake apps are free of charge, in contrast to the legitimate apps, which cost money

    The first two are self-explanatory – they are designed to make the app more attractive for users to download. The third could also be considered a similar tactic, but there is another reason for it: app developers need to register a Google Wallet account before they can set their app as a paid app, a compulsory rule in Google Play’s policies and agreements. This can be construed as cybercriminals trying to avoid having their fraudulent developer accounts traced back to them.

    This suggests that Google could make Google Wallet registration compulsory for all developers wishing to release apps on Google Play. This would serve as identification and proof of legitimacy for legitimate developers, and also as a deterrent to cybercriminals.

    Android may still be plagued with malware, but Google is certainly stepping up its efforts to help combat its continued rise. However, users should not become complacent, as the safety of their mobile devices is ultimately their responsibility as owners. The standard rules of safe app downloading still apply: only download from verified first-party sources, and avoid sideloading or downloading from suspicious ‘developers’ or unauthorized parties.

    For more information about the latest mobile threats and security, you may visit the Mobile Threat Information Hub. Trend Micro Mobile Security Personal Edition also protects your Android device by detecting malicious and high-risk apps.

    Additional analysis by Paul Pajares, Karla Agregado, Veo Zhang and Yang Yang

    Posted in Bad Sites, Malware, Mobile | Comments Off on Cybercriminals Capitalize on Plants vs. Zombies 2 Hype

    As more and more users entrust parts of their digital lives to the cloud, they are increasingly running into a problem: it doesn’t always last forever. More specifically, the cloud services people have come to rely on are just like any other business: they can close their doors.

    Here are some cloud services that have shut down or drastically changed their offerings just in the past few weeks:

    But some of the changes to these services resulted in significant “birth pains”. Take MySpace, which had been rolling out new features for some time and relaunched with new branding last June. Some commended the relaunch, but its remaining loyal users were upset because the restart deleted their content.

    The rapid pace of innovation in mobile and cloud services means that, unfortunately, services which fail to succeed and become profitable quickly shut down as well – even if they have many users who depend on them. So what can you, as a user, do to minimize the risk if this happens to you?

    There’s not much you can do about services that use data that isn’t yours (like, say, video and music streaming services). However, for your own data – documents, pictures, news feeds – there are steps you can take.

    Remember the traditional 3-2-1 rule for backups: at least three copies, on at least two different media, with at least one copy off-site. Storing your data in the cloud fulfills the last two requirements, but it also means that you should keep copies of your data outside of any particular service’s own closed cloud.

    This means, for example, storing a copy of your movies and pictures on your own device (or even on another cloud service). The procedure differs for every cloud service you use, but the concept is the same: make sure your data exists in some form outside of any one app or service’s own servers.
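    As an added example (not from the original post), the 3-2-1 rule and the "keep a copy outside the service" point above can be turned into a check you run over an inventory of where each copy of a file lives. The inventory, its locations and the file contents are constructed; the check also hashes the copies, because three copies that have silently drifted apart are not really three copies.

```python
"""Added example (not from the original post): verify a set of backup copies
against the 3-2-1 rule and confirm the copies agree. Inventory is constructed."""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed inventory: every known copy of one file, with the medium it sits
# on, whether it is off-site, and (for the demo) its content.
SAMPLE_COPIES = [
    {"location": "laptop:/home/me/photos/trip.zip", "medium": "internal-disk",
     "offsite": False, "data": b"trip photos v1"},
    {"location": "usb:/backup/trip.zip", "medium": "usb-disk",
     "offsite": False, "data": b"trip photos v1"},
    {"location": "cloud-service-x:/photos/trip.zip", "medium": "cloud",
     "offsite": True, "data": b"trip photos v1"},
]

RULE_TEXT = {
    "three_copies": "fewer than three copies",
    "two_media": "only one kind of medium",
    "one_offsite": "no off-site copy",
    "consistent": "copies do not match each other",
}


def check_321(copies):
    """Report which 3-2-1 conditions hold and whether the copies are identical."""
    hashes = {sha256(c["data"]) for c in copies}
    media = {c["medium"] for c in copies}
    offsite = sum(1 for c in copies if c["offsite"])
    report = {
        "copies": len(copies),
        "distinct_media": len(media),
        "offsite_copies": offsite,
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": offsite >= 1,
        "consistent": len(hashes) == 1,
        # The post's extra point: at least one copy outside any cloud service.
        "outside_cloud": any(not c["medium"].startswith("cloud") for c in copies),
    }
    report["compliant"] = all(report[k] for k in RULE_TEXT)
    return report


def missing_rules(report):
    """Human-readable list of the 3-2-1 conditions a report fails."""
    return [text for key, text in RULE_TEXT.items() if not report[key]]


if __name__ == "__main__":
    full = check_321(SAMPLE_COPIES)
    print("all three copies:", full["compliant"], missing_rules(full))
    cloud_only = [c for c in SAMPLE_COPIES if c["medium"] == "cloud"]
    print("cloud only:", missing_rules(check_321(cloud_only)))
```

    Running it with only the cloud copy in the inventory is exactly the situation the post warns about: the off-site condition is met, but the three-copies and two-media conditions are not, and nothing survives if that one service closes.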

    Preparing for a cloud service going offline may seem like an extreme precaution, but aside from a service going away completely, there are many other scenarios where you would want to access cloud data offline: you are in a location with non-existent, insecure or expensive Internet access, or the service is down due to maintenance or a security breach.

    For cloud service providers, it is best to announce any major changes (or a shutdown) months ahead. The recent shutdown of Google Reader was a good example of an effective announcement, as it had minimal effect on users (other than having to search for an alternative service, of course). The MySpace gaffe, unfortunately, shows that changes or improvements can go awry.

    The underlying fact is that “going to the cloud” is not an excuse to manage your data poorly. You are still responsible for your data, and you should avoid putting all your eggs in one basket. For more information on how to protect your data in the cloud, you may read our Digital Lifestyle E-Guide Keeping Your Cloud Data in Check.

    Posted in Social | 1 TrackBack »

    When attacks against companies are described, the targets are frequently said to be either individual end users or large enterprises. Many targets of cybercrime, however, are small businesses. In this post, we’ll look at how small businesses in Taiwan are attacked and what lessons others can take from these events.

    Many small businesses in Taiwan run their web server from inside their own networks, without much awareness of how to secure it properly. They are primarily concerned with running their business, which makes their insecure servers a prime target for attacks.

    Let’s look at a recent case which is a good example of how these attacks work. On May 30, our assistance was requested after an unidentified company (which we’ll call Company A) was hit by denial of service attacks that interrupted access to its servers.

    What we found was another problem entirely: their web server had been compromised through a vulnerability in the web server itself. Because, as noted earlier, this web server also had access to Company A’s internal network, the attackers had taken control of the company’s Active Directory servers as well. We were also able to confirm that at least two separate attackers were at work: one was active before April 24, the other after that date.

    Figure 1. Timeline of Attacks

    The behavior of this threat was not particularly unusual – these behaviors are all commonplace once a network has been breached. In addition, the attackers kept adding tools through their backdoors continuously.

    Many businesses would simply reinstall and rebuild their systems so they can get back to work, but this wouldn’t solve the problem. Because the root of the problem – the vulnerable and insecure web server – has not been addressed, the attackers can simply plant backdoors into the target’s network again and again.

    Figure 2: Continuing attacks

    There are many ways to plant backdoors onto a network: remote access tools (legitimate or otherwise), vulnerabilities, and embedded scripts, for starters. Many of these can be difficult to detect and remove. In this case, we even found that uploaded images (for user avatars) could be used to inject scripts that the web server would then run.
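    The avatar-upload problem mentioned above comes from trusting what the client says a file is. The following added example is not code from the original post or from Company A (the post does not describe their upload handler); it contrasts the weak check that such sites typically rely on, the file extension alone, with a server-side check that sniffs the image signature, rejects anything carrying script markers, and stores the file under a server-chosen name and extension outside the web root. The sample byte strings are constructed; in a real deployment, re-encoding the image with an image library is the stronger mitigation.

```python
"""Added example (not from the original post): a hardened avatar upload check.
Samples are constructed; the actual scripts found on Company A are not known."""
import os
import secrets

# Image signatures we are willing to accept, mapped to the extension we will use.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Markers that have no business inside an avatar; the server-side interpreter
# is what turns an "image" into executed code, so refuse them outright.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")
MAX_BYTES = 512 * 1024

# Constructed samples.
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
GIF_WITH_PHP = b"GIF89a" + b"\x00" * 8 + b"<?php echo 'not an image'; ?>"


def weak_check(filename):
    """The pattern that gets sites compromised: trust the client's extension."""
    return filename.lower().rsplit(".", 1)[-1] in ("png", "jpg", "jpeg", "gif")


def sniff_image_type(data):
    """Identify the image format from its leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_avatar(data):
    """Return (accepted, reason, image_type); the client filename is ignored."""
    if len(data) > MAX_BYTES:
        return False, "too large", None
    kind = sniff_image_type(data)
    if kind is None:
        return False, "not a recognised image", None
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script marker inside image", None
    return True, "ok", kind


def store_avatar(data, store_dir):
    """Write an accepted avatar under a random server-chosen name.

    store_dir is assumed to sit outside the web root and to be served only
    through a handler that never executes its contents."""
    ok, reason, kind = validate_avatar(data)
    if not ok:
        raise ValueError(reason)
    name = secrets.token_hex(16) + "." + kind
    with open(os.path.join(store_dir, name), "wb") as fh:
        fh.write(data)
    return name


if __name__ == "__main__":
    print("weak check passes 'avatar.php.gif':", weak_check("avatar.php.gif"))
    print("clean png:", validate_avatar(CLEAN_PNG))
    print("gif with php:", validate_avatar(GIF_WITH_PHP))
```

    The two checks disagree on the interesting case: the extension check happily accepts a file named to look like a GIF, while the content check rejects a GIF header followed by PHP. Storing under a random name with a fixed extension removes the other half of the problem, a file path the attacker chose and can request later.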

    This attack was made possible by some rather insecure practices that some SMBs use. Hosting a web server within your own network exposes a business to serious risks (as happened here). It is much safer for a small business to use some form of managed hosting for its sites.

    However, on one level, this insecurity is understandable. Businesses see the opportunities of new technology, but are often blind to the security risks. They feel the need to compete with larger enterprises when it comes to the tools they use – but don’t have the resources to match their competitors. Efficiency and cost-effectiveness are the order of the day – and, unfortunately, security can fall by the wayside.

    While the specific lessons of this attack may only apply to some businesses, the larger lesson is clear: tempting as technological improvements can be, security has to be considered as well. It is dangerous – and irresponsible – to put new tools in place without considering how they can be secured. Otherwise, businesses expose themselves to being compromised repeatedly.


    Advances in spam detection have meant that spam operators have had to find ways to circumvent new technologies. For instance, Asprox made significant improvements to its spam and module architecture, while Pushdo made use of decoy network traffic.

    Recently, we discovered a new, simple method used by a spam botnet we have named StealRat. It consists of three essential components:

    • A compromised website for sending spam
    • Compromised systems for harvesting and delivering the spam data
    • A compromised website for delivering the payload


    Figure 1. StealRat method

    In this setup, the actual spam server hides behind three layers of unsuspecting victims: two compromised websites and an infected machine. The infected machine acts as a liaison between the spam server and the compromised website. As there is no direct interaction between the spam server and the compromised website, the email will appear to have originated from the infected machine. The spam mail itself does not spread the malware, so there is no visible link between the two either. In essence, the operators have separated the core functions and minimized interactions among them to cut off any threads that could link them to each other.

    A compromised website has the payload link and a spamming script. The payload is typically porn or an online pharmacy webpage. The spamming script is coded in PHP and waits for data from an infected machine (a malware victim). The infected machine connects to the malicious spam server to collect the spam data, which includes the following:

    1. backup mail server
    2. “sender” name
    3. recipient address
    4. email template

    A compromised website will typically have a randomly named folder with several PHP scripts.
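    For the site owner, the two traits described above, a PHP script that takes its data over HTTP and then calls mail(), sitting in a folder with a meaningless name, are what a web-root scan can look for. The following is an added example, not code from the original post or from the StealRat paper: it walks a directory tree, flags PHP files that both read request input and send mail, and ranks those in random-looking folders first. The folder-name heuristic (mixed letters and digits, or no vowels) is an assumption, and the sample files, including the `k3x9qz7b` folder, are constructed.

```python
"""Added example (not from the original post or the StealRat paper): heuristic
scan of a web root for HTTP-fed PHP mailer scripts. Sample files are constructed."""
import os
import re
import tempfile

PHP_INDICATORS = {
    "mail_call": re.compile(r"\bmail\s*\(", re.I),
    "http_input": re.compile(r"\$_(POST|GET|REQUEST)\b|php://input", re.I),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}

# Constructed sample tree: a harmless index page, a legitimate-looking contact
# form (also mails user input, so it is a candidate), and a mailer dropped into
# a randomly named folder of the kind the post describes.
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>",
    "contact/form.php": "<?php mail($_POST['to'], 'Hi', $_POST['msg']); ?>",
    "k3x9qz7b/s.php": "<?php $d=base64_decode($_POST['d']); mail($d['to'],$d['s'],$d['b']); ?>",
}


def looks_random(name):
    """Assumed heuristic: alphanumeric, 6+ chars, and either mixed letters/digits or no vowels."""
    core = name.lower()
    if len(core) < 6 or not core.isalnum():
        return False
    has_digit = any(c.isdigit() for c in core)
    has_alpha = any(c.isalpha() for c in core)
    no_vowel = not any(c in "aeiou" for c in core)
    return (has_digit and has_alpha) or no_vowel


def scan_php_source(src):
    """Names of the indicators present in one PHP source string, sorted."""
    return sorted(key for key, rx in PHP_INDICATORS.items() if rx.search(src))


def scan_tree(root):
    """Flag PHP files that both take HTTP input and call mail()."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath)
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if "mail_call" in hits and "http_input" in hits:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "random_folder": looks_random(folder),
                    "indicators": hits,
                })
    # Random folder names first, then the files with the most indicators.
    findings.sort(key=lambda f: (not f["random_folder"], -len(f["indicators"]), f["path"]))
    return findings


def build_demo_tree(root):
    """Materialise the constructed sample files under root."""
    for rel, src in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(src)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

    The legitimate contact form is reported too, which is the right behaviour for a triage tool: it is the ranking (odd folder name, obfuscation calls) that tells the operator where to look first, and every hit should be compared against what the site is known to deploy.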


    Figure 2. Sample of a compromised website

    Another interesting behavior is that it uses the compromised website’s domain as its email service domain. For instance, if is hosting the spamming script, the email will appear to have come from [sender name]

    In a compromised system (an infected machine), the malware component also exhibits some conspicuous traits. For instance, some variants attempt to cloak their network traffic by modifying the host name to while receiving instructions from the C&C server. If the C&C is, instead of connecting to it directly, the malware queries for the domain’s mail server (e.g.) and connects there instead. The network traffic won’t show an established connection to either or; the hostname would appear to be instead.

    Figure 3. Connection to

    During the course of our investigation, we identified the following:

    • about 85,000 unique IPs/domains that sent out spam emails in 1 month
    • each IP/domain contains an average of two spamming scripts
    • each infected machine sends at least 8,640 spam data to compromised websites per day
    • they are currently rotating around seven million email addresses to send spam to

    While exploiting vulnerable websites to send out spam is nothing new among botnets, StealRat stands out because it uses simple yet subtle methods to improve the botnet’s resiliency. Its operators set very clear boundaries: they used compromised sites to send out spam, and they used compromised machines only as mediators between the compromised sites and the spam server.

    This allowed them to cover their tracks, as they left no clear evidence of a connection between the sites and their server. They also used legitimate mail servers and modified host names to mask their traffic. This operation certainly proves that cybercriminals are always looking for ways to evade security defenses.

    For more details about StealRat, you may read the full paper Stealrat: An In-Depth Look at an Emerging Spambot.

    Posted in Botnets, Spam | Comments Off on Compromised Sites Conceal StealRat Botnet Operations


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice