    Archive for July, 2013

    An unusual attack has been spotted in the wild, using an unexpected combination of threats. This attack used exploit kits (in particular Java and PDF exploits) to deliver file infectors onto vulnerable systems. The malware involved belong to the PE_EXPIRO family, file infectors first spotted in 2010. In addition to standard file infection routines, the variants seen in this attack also have information theft routines, a behavior not usually found among file infectors. The infection chain goes something like this:

    • The user is lured to a malicious site which contains an exploit kit. Several exploits are used: a Java exploit (detected as JAVA_EXPLOIT.ZC) for CVE-2012-1723, a second Java vulnerability (CVE-2013-1493), and a PDF exploit (the malicious PDF file is detected as TROJ_PIDIEF.JXM).
    • Whatever exploit is used, the end result is the same: the mother file infector (either PE_EXPIRO.JX-O, PE_EXPIRO.QW-O, or PE64-EXPIRO-O for 64-bit systems) is dropped onto the affected system.
    • Once on the affected system, it seeks out .EXE files in the system to infect. All folders in all available drives (removable, shared, networked) are subjected to this search. The infected files are detected as PE_EXPIRO.JX.
    • It steals system and user information, such as the Windows product ID, drive volume serial number, Windows version and user login credentials. It also steals stored FTP credentials from the Filezilla FTP client.
    • The stolen information is then saved in a .DLL file and uploaded to various command-and-control (C&C) servers.

    Here is a diagram of the above chain, using the Java exploit as an example:

    About 70% of total infections are within the United States. It is possible that this attack was intended to steal information from organizations or to compromise websites; the specific targeting of FTP credentials is consistent with either goal. The combination of threats used is highly unusual and suggests that this was not an off-the-shelf attack built from readily available cybercrime tools.
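    One check a defender can run against a file infector like this, added here as an example and not code from the original post or from any Trend Micro tooling: baseline the SHA-256 of every .EXE under the drives and shares the malware would reach, then rescan and report the executables whose contents changed. The .exe-only filter, the roots passed in, and the files built in `demo_run` are assumptions for illustration; on a real host the roots would be every local, removable and mapped drive, and the baseline would be taken from a known-clean image.

```python
"""Integrity baseline for executables: record the SHA-256 of every .EXE under a
set of roots, then re-scan and report what changed. A file infector that
rewrites executables across local, removable and network drives shows up as a
list of modified files. Added example, not code from the original post."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe"}   # assumption: only .EXE files are baselined here


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so large executables do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(roots, suffixes=EXECUTABLE_SUFFIXES):
    """Walk every root (e.g. every drive letter and mapped share) and hash each
    executable. A file that is locked or vanishes mid-scan is skipped rather
    than aborting the whole sweep."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath, name)
                if path.suffix.lower() not in suffixes:
                    continue
                try:
                    baseline[str(path)] = {"sha256": sha256_of(path),
                                           "size": path.stat().st_size}
                except OSError:
                    continue
    return baseline


def compare_baselines(old, new):
    """Diff two baselines. 'modified' is the interesting set for a file
    infector; 'added' catches dropped executables such as a new loader."""
    return {
        "modified": sorted(p for p in old if p in new and old[p]["sha256"] != new[p]["sha256"]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def demo_run():
    """Constructed demonstration: a small tree of fake executables in a temp
    directory, one of which is then 'infected' by appending bytes, the way an
    appending file infector grows its host. Returns base names only."""
    root = Path(tempfile.mkdtemp(prefix="exe-baseline-"))
    (root / "apps").mkdir()
    (root / "apps" / "editor.exe").write_bytes(b"MZ" + b"\x00" * 64)  # constructed
    (root / "apps" / "viewer.exe").write_bytes(b"MZ" + b"\x01" * 64)  # constructed
    (root / "apps" / "readme.txt").write_bytes(b"not an executable")   # constructed
    before = build_baseline([root])

    with open(root / "apps" / "editor.exe", "ab") as f:                 # simulated infection
        f.write(b"\x90" * 32)
    after = build_baseline([root])

    diff = compare_baselines(before, after)
    victim = str(root / "apps" / "editor.exe")
    return {
        "baselined": len(before),
        "modified": [Path(p).name for p in diff["modified"]],
        "added": diff["added"],
        "removed": diff["removed"],
        "size_delta": after[victim]["size"] - before[victim]["size"],
    }


if __name__ == "__main__":
    print(demo_run())
```

    In practice the baseline is written with `save_baseline` from a clean image and reloaded with `load_baseline` at each sweep; a non-empty `modified` list across many unrelated executables is the signature of a file infector rather than of a legitimate software update.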

    Since this attack used exploits for known vulnerabilities, we recommend that users apply the latest security patches immediately. Trend Micro blocks the websites associated with this attack and detects the malware cited in this blog entry.

    Additional Analysis by Dexter To, Kai Yu, and Jethro Bacani


    A later stage of advanced persistent threat (APT) attacks is the “lateral movement” stage, where attackers typically use legitimate computer features to move within the network undetected. This takes place after the initial breach and the establishment of command-and-control links back to the attacker. We earlier discussed the steps in an APT attack in the infographic, Connecting the APT Dots.

    As shown below, the impact attackers can have on networks grows larger as APTs go deeper. Upon reaching the lateral movement stage, attackers are largely invisible to traditional security methods, which lets them gain further access privileges and proceed to the next stages of the attack.

    Figure 1. Graph of APT Stage vs. Impact to Network

    Lateral Movement Tactics

    The lateral movement stage of APT attacks can be further divided into three major steps: reconnaissance, credential theft, and computer intrusion.

    The first step allows attackers to collect vital intelligence for their next moves using built-in OS tools and other popular utilities, such as the netstat command for connection information and port scanners for open ports.

    Once well informed, attackers then steal legitimate credentials to establish control. They can do this in various ways, such as spoofing ARP packets, using keyloggers, pass-the-hash attacks, or hooking login authentication processes.

    After acquiring legitimate credentials, attackers will target other computers to move closer to their real target. They are more likely to use remote access or administration tools that leave few traces to accomplish this.

    What Enterprises Can Do

    The use of legitimate computer features can defeat basic perimeter-based and blacklisting security methods. However, there are many measures enterprises can still use to fortify their security, including application control, security information and event management (SIEM), and adopting a custom defense solution.

    Enterprises need to establish solid threat intelligence from internal knowledge of their network and from external indicators. Threat intelligence combined with custom defense technology helps IT personnel detect anomalous use of legitimate computer features, and thus secure their networks against APT-related activity.
    Find out more about these tools and measures in the infographic The Danger of Compromise.
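    As an added example of the kind of SIEM-style check the paragraph above describes (not code from the original post or from any Trend Micro product), the script below parses a constructed set of Windows Security logon events and flags one account authenticating over the network from one source address to many distinct hosts within a short window, the fan-out pattern that remote administration tools produce during lateral movement. The key=value log rendering, the EventID 4624 / LogonType 3 filter, the five-host threshold and the ten-minute window are assumptions chosen for illustration; real deployments tune them per environment.

```python
"""Flag lateral-movement fan-out in Windows logon events: one account, from one
source address, logging on over the network to many distinct hosts in a short
window. Added example; the log lines are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a simplified key=value rendering of Security events.
# EventID 4624 = successful logon, 4625 = failed logon, LogonType 3 = network.
SAMPLE_LOG = """\
2013-07-15T08:02:11 EventID=4624 Account=CORP\\jdoe LogonType=3 SourceIP=10.0.2.40 Host=WS-050
2013-07-15T09:00:05 EventID=4624 Account=CORP\\svc_backup LogonType=3 SourceIP=10.0.1.25 Host=FS01
2013-07-15T09:00:09 EventID=4624 Account=CORP\\svc_backup LogonType=3 SourceIP=10.0.1.25 Host=FS02
2013-07-15T09:12:30 EventID=4624 Account=CORP\\jdoe LogonType=3 SourceIP=10.0.2.40 Host=WS-101
2013-07-15T09:12:44 EventID=4625 Account=CORP\\jdoe LogonType=3 SourceIP=10.0.2.40 Host=WS-102
2013-07-15T09:13:01 EventID=4624 Account=CORP\\jdoe LogonType=3 SourceIP=10.0.2.40 Host=WS-102
2013-07-15T09:13:40 EventID=4624 Account=CORP\\jdoe LogonType=3 SourceIP=10.0.2.40 Host=WS-103
2013-07-15T09:14:15 EventID=4624 Account=CORP\\jdoe LogonType=3 SourceIP=10.0.2.40 Host=WS-104
2013-07-15T09:15:02 EventID=4624 Account=CORP\\jdoe LogonType=3 SourceIP=10.0.2.40 Host=WS-104
2013-07-15T09:16:27 EventID=4624 Account=CORP\\jdoe LogonType=3 SourceIP=10.0.2.40 Host=DC01
"""


def parse_line(line):
    """'<timestamp> key=value ...' -> dict with typed time/EventID/LogonType."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["time"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S")
    fields["EventID"] = int(fields["EventID"])
    fields["LogonType"] = int(fields["LogonType"])
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_fanout(events, threshold=5, window=timedelta(minutes=10)):
    """Group successful network logons by (account, source IP) and, for every
    event as a window start, count distinct target hosts reached within the
    window. One alert per key, carrying the largest host set observed."""
    by_key = defaultdict(list)
    for event in events:
        if event["EventID"] == 4624 and event["LogonType"] == 3:
            by_key[(event["Account"], event["SourceIP"])].append(event)

    alerts = []
    for (account, source_ip), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        best_hosts, best_start = set(), None
        for i, start in enumerate(evs):
            hosts = set()
            for event in evs[i:]:
                if event["time"] - start["time"] > window:
                    break
                hosts.add(event["Host"])
            if len(hosts) > len(best_hosts):
                best_hosts, best_start = hosts, start["time"]
        if len(best_hosts) >= threshold:
            alerts.append({"account": account, "source_ip": source_ip,
                           "window_start": best_start, "hosts": sorted(best_hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_log(SAMPLE_LOG)):
        print(f"{alert['account']} from {alert['source_ip']} reached "
              f"{len(alert['hosts'])} hosts from {alert['window_start']}: {alert['hosts']}")
```

    The backup service account touching two file servers is left alone, while the user account sweeping five workstations and a domain controller in four minutes is flagged; the failed 4625 attempt and the isolated logon an hour earlier do not inflate the count. The same structure extends to other "legitimate feature" signals (for example 4648 explicit-credential logons or remote service creation) by changing the filter and the grouping key.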

    You can also read more about the steps APTs take during the lateral movement stage in the Security in Context paper, How Do Threat Actors Move Deeper into Your Network.

    Posted in Targeted Attacks | Building Threat Intelligence to Detect APTs in Lateral Movement

    6:49 am (UTC-7)

    Recently, Trend Micro and INTERPOL announced that Trend Micro will help train law enforcement personnel from participating countries all over the world to help them cope with today’s cybercrime threats. We are honored to help INTERPOL in its fight against cybercrime; this is completely in line with our vision of creating “A World Safe for Exchanging Digital Information.”

    The details of our collaboration are in our press releases, but I want to use this topic to discuss, more broadly, how and why Trend Micro works with law enforcement agencies around the world to stop cybercrime.

    Why is it so important that law enforcement and security companies like Trend Micro work closely together to deal with today’s threats? The answer is that each group brings very different skillsets – and mindsets – to the table. By working together, they become far more effective against cybercrime.

    Security researchers have a wide variety of information at their disposal. They have threat information from their company’s operations, as well as underground information – frequently from the “social networks” they form while visiting underground forums undercover.

    In addition, researchers typically work in multinational teams, have a wide range of knowledge and specialties available to them, and are used to making decisions quickly. All these traits are quite helpful in keeping up with cybercriminals.

    However, security researchers can only go so far. Law enforcement has access to the powers needed to truly identify those responsible for attacks: servers can be seized and communications (electronic or otherwise) can be monitored, as authorized by the courts. This in-depth information allows for the identification of the actual persons behind online crimes, who can then be arrested and brought to trial.

    In the absence of cooperation, a wide variety of problems can occur. Researchers may release information to the public which interferes with in-progress police investigations. The released information may not even result in anything of significance, as researchers cannot enforce laws. Meanwhile, law enforcement on its own struggles to deal with cybercrime: it moves fast, it’s not clear “where” it actually takes place, and depending on local laws it may not be a “crime” in the first place.

    While it is essential for law enforcement to partner with security companies to catch cybercriminals, they also need to be careful in choosing their partners. Some companies are perceived (rightly or wrongly) to be close to certain governments. The partners also need to be discreet in releasing information to the public; prematurely released information can seriously damage long-running investigations and cause promising leads to go cold. Picking the wrong partner can also hurt, not help, the fight against cybercrime.

    As a company, we work very hard to ensure that we have good relationships with law enforcement agencies from all over the world. We meet at conferences, internal meetings, and other events on a regular basis that serve as a way for us to exchange information. An example of the fruits of our cooperation was the recent arrest of a key figure in ransomware gangs. By working closely with Spanish law enforcement, Trend Micro was able to gather actionable information that led to arrests in this case.

    We strongly believe that by working with law enforcement, we are able to go after cybercriminals directly. Instead of targeting their hosting infrastructure – both infected machines and malicious servers can be replaced easily enough – we go after the true suspects, the persons responsible for various attacks. Going after these perpetrators, we believe, is the best way to ensure a safer Internet for everyone.

    Posted in Malware | Law Enforcement Cooperation And Trend Micro

    By now, you’ve likely seen Google’s announcement that they now support a seven-day timeline for disclosure of critical vulnerabilities. Our CTO Raimund Genes believes that seven days is pretty aggressive and that rushing patches often leads to painful collateral damage.

    I agree that, in the current environment, many firms would have a hard time understanding the vulnerability, creating a patch and running quality assurance within that seven-day window. Hopefully, someday we will look back and wonder why it took us so long to get to a 24-hour patch cycle. Today, fixes are rarely given the level of resources that a new feature would have. But how do we effect a change here?

    I would like to float a proposal to change the social contract. My proposal is simple: when reporting a vulnerability to a vendor, the individual finding the flaw should wait at least until the day after the next Patch Tuesday before releasing their report publicly. There should be a declaration in the initial report indicating the intent to publish based on this protocol. I should add that if there are fewer than fifteen days to the next Patch Tuesday, one should wait one more cycle. That’s it, clean and simple.

    Note that this suggested timeline is a minimum wait period for unilateral action on the part of the reporting party. Discussion and negotiation with the vendor is encouraged. If the vendor fixes it sooner and clears release earlier, then by all means publish. If the vendor asks for more time, it is up to the reporting party to balance the risks to the public and the concerns of the vendor and decide whether to grant the extension or go ahead with publication.

    Vendors cover a wide spectrum in terms of responsiveness to reported vulnerabilities. Some are super responsive; others do a good job of emulating /dev/null. My proposal aims to level the playing field. Researchers would have the responsibility to give the vendor notice and a reasonable time to repair; in return, they would have the right to publish on a set timeline. Vendors would have the right to expect advance notice and the responsibility to fix within the agreed timeline.

    One final thought: I used Patch Tuesday because it is well-known and prevalent. If the vendor has an established patch cycle, it would be good form to use their cycle, provided it is reasonable. If the cycle is too long (e.g. updates are released on January 1st every other year), then I suggest falling back to the Patch Tuesday model.
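    The proposal above is a date rule, so here it is written out as a function, added as an example and not part of the original post. It assumes Microsoft's second-Tuesday cycle, treats the "next" Patch Tuesday as the first one strictly after the report date (so a report filed on a Patch Tuesday waits for the following month's), applies the fifteen-day rule, and, for the vendor-cycle variant, falls back to the Patch Tuesday model when the vendor's next release is more than 90 days out; that 90-day cutoff is my assumption for what counts as "too long". The quarterly and biennial vendor cycles in the test are constructed for illustration.

```python
"""Earliest publication date under the 'day after the next Patch Tuesday'
proposal. Added example; the cutoffs are assumptions, not from the post."""
from datetime import date, timedelta

TUESDAY = 1                       # datetime.date.weekday(): Monday == 0
MIN_LEAD_DAYS = 15                # fewer days than this to the next cycle -> wait one more
MAX_REASONABLE_CYCLE_DAYS = 90    # assumption: a vendor cycle longer than this is "too long"


def patch_tuesday(year, month):
    """Second Tuesday of the month (Microsoft's Patch Tuesday)."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_release(after, cycle=patch_tuesday, max_search_months=36):
    """First release date strictly after `after`. `cycle(year, month)` returns
    that month's release date or None if the vendor ships nothing that month."""
    year, month = after.year, after.month
    for _ in range(max_search_months):
        candidate = cycle(year, month)
        if candidate is not None and candidate > after:
            return candidate
        month += 1
        if month > 12:
            month, year = 1, year + 1
    return None


def earliest_publication_date(report_date, cycle=patch_tuesday,
                              min_lead_days=MIN_LEAD_DAYS,
                              max_cycle_days=MAX_REASONABLE_CYCLE_DAYS):
    """Day after the next release; skip one cycle if the next release is too
    close; fall back to Patch Tuesday if the vendor's cycle is unreasonable."""
    target = next_release(report_date, cycle)
    if target is None or (target - report_date).days > max_cycle_days:
        cycle = patch_tuesday
        target = next_release(report_date, cycle)
    if (target - report_date).days < min_lead_days:
        target = next_release(target, cycle)
    return target + timedelta(days=1)


def quarterly_cycle(year, month):
    """Constructed vendor cycle: second Tuesday of Jan/Apr/Jul/Oct only."""
    return patch_tuesday(year, month) if month in (1, 4, 7, 10) else None


def biennial_cycle(year, month):
    """Constructed 'too long' cycle: January 1st of even years only."""
    return date(year, 1, 1) if (month == 1 and year % 2 == 0) else None


if __name__ == "__main__":
    for reported in (date(2013, 7, 1), date(2013, 7, 9), date(2013, 7, 20)):
        print(reported, "->", earliest_publication_date(reported))
```

    A report filed on July 1, 2013 is only eight days from the July 9 Patch Tuesday, so it rolls to the August 13 cycle and may be published on August 14; a report filed on July 20 lands on the same date directly. Against the constructed quarterly cycle a July 20 report waits for the October 8 release; against the biennial one the fallback kicks in and Patch Tuesday governs.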

    Posted in Exploits, Vulnerabilities | Is it Time to Add Vulnerability Wednesday?

    Last week, security researchers announced a new vulnerability for Android phones which could allow installed apps to be modified without the user being aware of it. Almost all Android devices are vulnerable, as the vulnerability has existed since Android 1.6 (Donut), and currently only the Samsung Galaxy S4 has been patched to protect against it.

    The vulnerability – known in some quarters as the “master key” vulnerability – has attracted considerable media attention, but it has not always been accurately reported. We have updated Trend Micro Mobile Security to protect our users, but at the same time we wish to clarify what’s going on, what the threat is, and what users can do.

    What’s this “master key” vulnerability?

    The vulnerability is related to how Android apps are signed. All Android apps have a digital signature from their developer, which verifies that the app actually did come from the developer and was not modified en route. An app can only be updated if the new version has a matching signature from the same developer.

    This particular vulnerability is in that last step. What researchers have found is a way for attackers to update an already installed app even if they do not have the original developer’s signing key. In short, any installed app can be updated with a malicious version.

    Note that technically, there is no “master key” that has been breached. Yes, any app can be modified and used for malicious purposes, but there is no single “master key” to steal in the first place.
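    The post does not describe the underlying mechanism; as widely reported at the time, the bug is that an APK (which is a ZIP file) can carry two entries with the same name, and the signature verifier and the installer end up reading different ones. A check a reviewer can run on any APK before trusting it, added here as an example and not code from the original post or from Trend Micro's products, is to walk the ZIP central directory and flag duplicate entry names. The scanner parses the ZIP structures itself rather than relying on a ZIP library's own de-duplication; the sample APK it builds is constructed in memory for the demonstration, and the entry names and contents in it are assumptions.

```python
"""Flag duplicate entry names in a ZIP/APK central directory. Added example;
the sample archive is constructed in memory and is not a real app."""
import io
import struct
import warnings
import zipfile
from collections import Counter

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
EOCD_FMT = "<4sHHHHIIH"    # sig, disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
CDH_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte fixed part of a central directory header


def central_directory_names(data):
    """Return every entry name in central-directory order, duplicates included.
    Only the non-ZIP64 layout is handled, which is enough for ordinary APKs."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _disk, _cd_disk, _on_disk, total, _cd_size, cd_offset, _clen = \
        struct.unpack_from(EOCD_FMT, data, eocd)
    names = []
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        fields = struct.unpack_from(CDH_FMT, data, pos)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def duplicate_entries(data):
    """Map each name that appears more than once to its occurrence count."""
    counts = Counter(central_directory_names(data))
    return {name: n for name, n in counts.items() if n > 1}


def build_sample_apk(duplicate=True):
    """Constructed archive with the shape of an APK. With duplicate=True a
    second 'classes.dex' is appended so the central directory lists it twice;
    zipfile warns about the duplicate name but still writes it."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr("AndroidManifest.xml", b"<manifest/>")          # constructed
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0")  # constructed
            z.writestr("classes.dex", b"dex\n035 original code")        # constructed
            if duplicate:
                z.writestr("classes.dex", b"dex\n035 injected code")    # constructed
    return buf.getvalue()


def scan_file(path):
    with open(path, "rb") as f:
        return duplicate_entries(f.read())


if __name__ == "__main__":
    print("duplicates:", duplicate_entries(build_sample_apk()))
```

    A clean APK yields an empty dict; any non-empty result means the archive has two candidates for the same path and should be rejected before signature verification is even consulted, because a verifier and an installer that disagree on which copy is "the" file is exactly the condition this vulnerability exploits.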

    What are the risks?

    This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.

    Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanized app for a bank would continue to work for the user, but the credentials would have been sent to an attacker.

    What can users do to protect themselves?

    We’ve updated our Trend Micro Mobile App Reputation Service to detect apps that abuse this vulnerability, but so far we have not found any. Nonetheless, for users of Trend Micro Mobile Security, we have released an update to the pattern to ensure that we will detect apps that target this particular vulnerability. (All users with pattern version 1.513.00 or later are covered. Apps found exploiting the vulnerability will be detected as Android_ExploitSign.HRX) This is sufficient to ensure that our users are protected from this threat.

    We strongly suggest disabling the ability to install apps from sources outside of Google Play. This setting can be found under Security in the system settings of Android devices.

    Google has taken some steps to protect users. They’ve modified the backend of their online store so that apps that try to exploit this problem are blocked. Thus, users who do not download apps from third-party stores or sideload APK files should not be at risk from this threat. The company has also released a fix for the vulnerability and distributed it to OEMs. Hopefully, the importance of this update will prevent delays in its deployment.

    Update as of July 11, 2013 3:43 AM PST

    We have found a report describing a different approach to the same attack on Android signature checking, this time using a vulnerability in the Java ZipFile implementation. We are currently working on a solution, and malicious apps found using this technique will be detected as AndroidOS_ExploitSign.HRXA.

    Posted in Exploits, Mobile | Android Vulnerability Affects 99% of Devices – Trend Micro Users Protected


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice