

    Archive for August 27th, 2013

    Reports of an active exploit targeting an unpatched vulnerability in Java 6 recently surfaced. Upgrading to the latest version of Java is the prescribed solution, though for some users, this is easier said than done.

    The exploit, detected by Trend Micro as JAVA_EXPLOIT.ABC, targets CVE-2013-2463, which Oracle addressed last June. Java 6 is also affected by this vulnerability, but Oracle stopped supporting that version in April this year. More alarming, the exploit has been confirmed to be integrated into the Neutrino exploit kit. That kit has previously been seen serving ransomware variants, which lock important files, and often the system itself, until the affected user pays a fee or "ransom".

    Since Oracle no longer supports Java 6, it has stated no intention of patching the flaw in that version. With more than 50% of users still on Java 6, the implications are serious. Because no patch is (or will be) available, the exploit gives cybercriminals and other attackers an effective vehicle for attacks against users and organizations still running Java 6, including through the Neutrino exploit kit and the ransomware it delivers, which can cause serious business disruption and, when users pay the ransom, actual monetary loss.

    The impact of this threat is likely to be greater for organizations than for typical home users, because organizations are often slow to migrate to a newer software version for business or operational continuity reasons.

    This incident is also a sneak peek at what might happen once Microsoft ends support for Windows XP. Last April, the company reiterated its intention to end support for that OS and for Office 2003 in April 2014, and encouraged users to migrate to the more modern Windows 7 and 8.

    For users, the best course is to migrate to the latest version of Java. Organizations that have not yet started are strongly encouraged to begin migrating now, to avoid this and other attacks that may take advantage of the unpatched vulnerability. Where migration cannot happen immediately, disabling the Java browser plug-in removes the drive-by vector that exploit kits such as Neutrino depend on, while leaving standalone Java applications working. Trend Micro detects and deletes the exploit and blocks access to sites hosting the malware.
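    To turn the advice above into a check, here is an added Python example (not code from the original post or from Trend Micro) that parses the version strings `java -version` prints across a host inventory and classifies each runtime against CVE-2013-2463. It assumes the fix shipped in Java 7 Update 25 (Oracle's June 2013 update) and that no public fix exists for Java 6, 6u45 being the last public release, so every Java 6 runtime is reported as vulnerable with migration as the only remedy; the hostnames and versions in the sample inventory are invented.

```python
"""Inventory check for CVE-2013-2463 exposure across Java runtimes.

Added example, not code from the original TrendLabs post. Assumptions:
  - CVE-2013-2463 was fixed in Java SE 7 Update 25 (Oracle's June 2013 CPU);
  - Java SE 6 received no public fix after 6u45, so every 1.6.x runtime is
    treated as vulnerable with no patch available (migration is the fix);
  - Java 8 post-dates the fix and is treated as not affected.
Input is the version string `java -version` prints, e.g. 'java version "1.7.0_21"'.
"""
import re
from typing import NamedTuple, Optional

VERSION_RE = re.compile(
    r'^(?:(?:java|openjdk) version\s+)?"?1\.(\d+)\.0(?:_(\d+))?(?:-[\w.]+)?"?')

# First update level that carries the fix; None means no fix will ever ship.
FIRST_FIXED_UPDATE = {7: 25, 6: None}


class JavaVersion(NamedTuple):
    major: int    # 6 for 1.6.x, 7 for 1.7.x
    update: int   # the _NN suffix, 0 when absent (e.g. '1.7.0')


def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Parse '1.7.0_21', '1.6.0_45-b06' or the first line of `java -version`."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return JavaVersion(int(m.group(1)), int(m.group(2) or 0))


def classify(v: JavaVersion) -> str:
    """Map a runtime to one of the exposure states used in ACTION below."""
    if v.major >= 8:
        return "not_affected"
    if v.major not in FIRST_FIXED_UPDATE:
        return "unknown"            # releases older than Java 6 are out of scope here
    fixed = FIRST_FIXED_UPDATE[v.major]
    if fixed is None:
        return "vulnerable_no_patch"
    return "patched" if v.update >= fixed else "vulnerable_patch_available"


ACTION = {
    "patched": "none",
    "not_affected": "none",
    "vulnerable_patch_available": "apply Java 7 Update 25 or later",
    "vulnerable_no_patch": "migrate to current Java 7; no Java 6 fix exists",
    "unknown": "review manually",
}


def assess_inventory(inventory: dict) -> list:
    """Return (host, raw version, state, action) per host, worst exposure first."""
    severity = ["vulnerable_no_patch", "vulnerable_patch_available",
                "unknown", "patched", "not_affected"]
    rows = []
    for host, raw in inventory.items():
        v = parse_java_version(raw)
        state = classify(v) if v else "unknown"
        rows.append((host, raw, state, ACTION[state]))
    rows.sort(key=lambda r: severity.index(r[2]))   # stable: keeps input order within a state
    return rows


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = {
    "finance-ws01": 'java version "1.6.0_45"',
    "finance-ws02": 'java version "1.7.0_21"',
    "dev-build01": 'java version "1.7.0_25"',
    "legacy-erp01": "1.6.0_31-b05",
    "kiosk-03": "not installed",
}

if __name__ == "__main__":
    for host, raw, state, action in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {raw:28} {state:28} {action}")
```

    Feed it the first line of `java -version 2>&1` collected from each host; Java 6 hosts sort to the top because no update will ever clear them, which is the point the post makes about unsupported software.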

    Update as of 8:00 PM, PDT

    Existing Trend Micro solutions, including our Web Reputation Service and the browser exploit prevention integrated into Trend Micro™ Titanium™ 2013, already protect users out of the box, without requiring any updates to be downloaded.

    Update as of 9:00 AM, PDT Sept. 2, 2013

    Trend Micro Deep Security protects users from exploits targeting the vulnerability cited in this blog via rule 1005652 – Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-2463).

    Posted in Exploits, Malware, Vulnerabilities | Comments Off on Java 6 Zero-Day Exploit Pushes Users to Shift to Latest Java Version

    By now, most users can easily spot spammed messages, particularly those that attempt (and fail) to look like legitimate notifications. Some, however, can look convincing, which is why good social engineering education pays off in the long run.

    We recently found an email sample pretending to be from the courier service UPS. It poses as a package delivery notification and contains links to a tracking site and to a .PDF copy of the shipping invoice. This is by no means the first such email we have received; what makes this one stand out is how it hides its malicious intent.


    As the email screenshot above shows, the link for the PDF invoice displays what appears to be a legitimate UPS URL, while the underlying link target is the malware-hosting site. To users, the displayed URL looks safe; clicking it, however, downloads a malicious ZIP file rather than a PDF. Hovering over the link, or viewing the message source, reveals the real destination. To add to the illusion of legitimacy, the sender's email address was forged to closely resemble a real UPS address.
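    The two tricks described above, a link whose visible text shows a UPS URL while its target is elsewhere and a sender domain that resembles the real one, are mechanical enough to check for automatically. The following Python example is added here and is not code from the original post or from Trend Micro: it parses an HTML email, flags anchors whose displayed URL and href resolve to different registrable domains, flags links that deliver an archive or executable where a PDF was promised, and flags a From: domain that imitates the brand domain. The brand domain `ups.com`, the `.example` sender domain, the `cdn.example.net` host and the entire sample message are constructed for this example, not taken from the actual campaign.

```python
"""Flag the deception patterns seen in the UPS-themed spam.

Added example, not code from the original TrendLabs post. For an HTML email it
reports (1) links whose visible text shows one URL while the href resolves to a
different registrable domain, (2) links that deliver an archive or executable
where a document was promised, (3) a From: domain that imitates the brand.
BRAND_DOMAIN and the sample message below are constructed for this example.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAIN = "ups.com"                   # assumption: the impersonated brand
RISKY_EXT = (".zip", ".rar", ".exe", ".scr", ".js")
URL_IN_TEXT = re.compile(r"(?:https?://|www\.)\S+", re.I)  # link text that looks like a URL

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def split_url(url):
    """(hostname, lower-cased path) for a URL, tolerating a missing scheme."""
    p = urlsplit(url if "://" in url else "http://" + url)
    return (p.hostname or "").lower(), p.path.lower()

def registrable(host):
    """Naive eTLD+1 (last two labels); enough for the domains used here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def is_lookalike_domain(domain, brand):
    """Not the brand or one of its real subdomains, yet nearly identical to it
    (upss.com) or carrying the brand label as a token (ups-notify.example)."""
    domain = domain.lower()
    if not domain or domain == brand or domain.endswith("." + brand):
        return False
    reg = registrable(domain)
    tokens = re.split(r"[-_\d]+", reg.split(".")[0])
    near = SequenceMatcher(None, reg, brand).ratio() >= 0.85   # heuristic threshold
    return near or brand.split(".")[0] in tokens

def analyze_anchor(href, text):
    """Findings for one link: display/target mismatch and risky payload type."""
    findings = []
    target_host, path = split_url(href)
    shown = URL_IN_TEXT.search(text)
    if shown:
        shown_host, _ = split_url(shown.group(0))
        if registrable(shown_host) != registrable(target_host):
            findings.append(f"link text shows {shown_host} but href goes to {target_host}")
    if path.endswith(RISKY_EXT):
        promised = " (text promised a .pdf)" if ".pdf" in text.lower() else ""
        findings.append(f"href delivers a {path.rsplit('.', 1)[-1]} file{promised}")
    return findings

def analyze_message(raw):
    """All findings for a raw RFC 822 message carrying a single HTML body."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    findings = []
    if is_lookalike_domain(from_domain, BRAND_DOMAIN):
        findings.append(f"From domain {from_domain} imitates {BRAND_DOMAIN}")
    charset = msg.get_content_charset() or "utf-8"
    collector = AnchorCollector()
    collector.feed((msg.get_payload(decode=True) or b"").decode(charset, "replace"))
    for href, text in collector.anchors:
        findings.extend(analyze_anchor(href, text))
    return findings

# Constructed sample following the described pattern (not the actual spam).
SAMPLE = """\
From: UPS Shipping Notification <auto-notify@ups-notify.example>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Track your package: <a href="http://www.ups.com/tracking/">http://www.ups.com/tracking/</a></p>
<p>Shipping invoice: <a href="http://cdn.example.net/dl/invoice.zip">http://www.ups.com/invoice/shipping_invoice.pdf</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(*analyze_message(SAMPLE), sep="\n")
```

    Against the constructed sample, the tracking link passes while the invoice link is flagged twice (mismatched domains, ZIP where a PDF was promised) and the sender domain is flagged once. The `registrable()` helper is a two-label approximation; a production filter should use the Public Suffix List so that hosts under suffixes such as co.uk are compared correctly, and the similarity threshold needs tuning against your own mail to keep false positives down.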

    The ZIP file contains malware that Trend Micro detects as BKDR_VAWTRAK.A. This backdoor steals stored credentials from several FTP clients and file managers, as well as from mail clients including Outlook, PocoMail, IncrediMail, Windows Live Mail, and The Bat!. To keep the system from blocking it, the backdoor also deletes certain registry keys related to software restriction policies. Since legitimate software rarely removes those keys, changes to them are themselves worth alerting on.

    According to Trend Micro Software Architecture Director Jon Oliver, the campaign was moderate in volume, accounting by his estimate for roughly one in every 300,000 to 400,000 email messages on the day of the outbreak. For comparison, the recent royal baby spam outbreak accounted for about one in every 200 email messages on the days of that outbreak.

    This email campaign also appears to target specific organizations, which underscores the importance of effective social engineering training in the workplace. That can include "social" penetration testing, in which someone plays the attacker and attempts to lure employees through social engineering.

    Trend Micro Smart Protection Network protects users from this threat by blocking the related email messages, the malware, and access to the site.

    Posted in Malware, Spam | Comments Off on Convincing UPS Email Scam Delivers Backdoor

    Concern over ICS/SCADA security gained prominence because of high-profile attacks associated with these systems, most notably Stuxnet and Flame. Our recent findings show that interest in ICS/SCADA devices as attack targets is far from waning.

    We have all read about how insecure ICS/SCADA devices are and how certain threat actors are targeting them. As proof, we saw numerous attempts against the dummy ICS and SCADA devices we set up during our initial research. The insights from that work formed the basis of my talk at Black Hat Europe 2013 last March, which later became the paper Who's Really Attacking Your ICS Equipment?.

    More importantly, that study gave us a look at the possible consequences should these devices be attacked successfully.

    My latest research, The SCADA That Cried Wolf: Who's Really Attacking Your ICS Devices, takes the issue of ICS/SCADA attacks further. In the first paper we saw several threat actors attempt attacks on the fake ICS systems; this time we see several noteworthy trends. One is an increase in "targeted" attacks, meaning attacks in which the actor appears to examine the ICS device more closely before executing the attack. During the study we found malware aimed at very specific applications, which can be considered more targeted, as threat actors are now Trojanizing legitimate applications traditionally regarded as proprietary.

    Continuing in the same vein, we saw several interesting attacks. The following graph shows the origins of attacks against our ICS honeypots.

    Figure 1: Percentage of attacks per country

    This new research also provides new details on, and the architecture of, the virtualized honeypot deployments worldwide, which now span eight countries and 12 cities. I also cover in depth how the Browser Exploitation Framework (BeEF) was used to help attribute attackers.

    We expect attack trends in the ICS arena to keep rising, with increased motivation and precision. We also expect ransomware to reach the ICS arena, possibly holding devices hostage in return for payment (or ransom). Continued diligence and secure computing practices will improve your ability to deflect and defend against these attacks and help secure your organization. For more on defending these devices, see my previous post Protecting Your ICS/SCADA Environment.

    The findings of this research provide considerable insight into the world of ICS/SCADA attacks. You may read the full report here.

    Posted in Targeted Attacks | Comments Off on The SCADA That Cried Wolf: Who Is Really Attacking Your ICS Devices Part 2


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice