    Archive for August, 2013

    Tax-themed spam, particularly in the United States, is already considered a staple in the threat landscape. However, a recent spam run targeting taxpayers in the United Kingdom shows that this threat is not exclusive to one region. Besides being timely, these messages carry TSPY_FAREIT, which downloads a ZeuS/ZBOT variant notorious for stealing information related to online banking sites.

    We found a sample of an email message that appears to be from HM Revenue and Customs in the UK. It notifies users of their VAT return receipt, something that might appear timely to unsuspecting users since the deadline for VAT returns and payments was last August 7. To further convince users of its validity, the message states that the email was “scanned for viruses”.


    Sample spam with alleged VAT return “receipt”

    The message contains an attachment that is supposed to be the receipt for the VAT return. Based on our findings, the attachment is (as expected) malware, detected as TSPY_FAREIT.ADI. Once executed, the malware steals various information from the system, such as credentials for FTP clients, file managers, and email. It also attempts to steal information stored in the following browsers:

    • FastStone Browser
    • Flock Browser
    • Google Chrome
    • Internet Explorer
    • K-Meleon
    • Mozilla Firefox
    • Opera Browser
    • RockMelt

    The data stealing does not stop there. TSPY_FAREIT.ADI downloads another malware, specifically TSPY_ZBOT.ADD. As expected of any ZeuS/ZBOT variant, the malware downloads configuration file(s) from randomly generated IP addresses. The said file also contains a list of targeted online banking and finance-related sites and the URLs where it sends the gathered information.

    The cybercriminals behind this threat are obviously taking advantage of the recent tax return deadline in the UK. But the real concern here is the severity of the information to be stolen. Aside from the email and FTP credentials, which are profitable in the underground market, the bad guys are also gunning for the victims’ online banking accounts. Once they get hold of users’ banking and financial credentials, they can either sell them in the digital underground or use them to initiate unauthorized money transfers, leading to actual financial loss.

    In our 2Q Security Roundup report, we noted the increase in online banking malware in the past quarter and how the “leaked” CARBERP source code may lead to more variety in this threat. Thus, it is important for users to double-check the messages they receive and to be careful when opening any attachments from unverified sources. As an added precaution, always keep your systems updated with the latest security updates from vendors.

    For more information on how to avoid threats using social engineering lures, you may refer to our Digital Life e-Guide How Social Engineering Works. Trend Micro blocks these email messages and detects the related malware.

    With additional insights from Threat Response Engineer Anthony Joe Melgarejo

    Posted in Malware, Spam | UK Tax-Themed Spam Leads to ZeuS/ZBOT

    ONLINEG, a spyware known to steal online gaming credentials, appears to be adding backdoors to its resume. We found a variant (specifically TSPY_ONLINEG.OMU) that aside from the usual data theft routine, also downloads a backdoor onto the infected system, making it vulnerable to more damage.

    TSPY_ONLINEG.OMU was recently found on certain South Korean websites, which were compromised to host the said malicious file. Based on our analysis, the spyware is possibly an updated version of an old variant detected as TSPY_ONLINEG.ASQ, which first appeared about a year ago.

    Like any online gaming spyware, TSPY_ONLINEG.OMU steals user accounts and credentials of specific online games. But in addition to this, if the user visits the login pages for the administrator consoles of websites that are part of certain industries, it downloads a keylogger/backdoor (BKDR_TENPEQ.SM). This allows the attacker to steal the credentials used for these portals.

    The companies targeted by this attack are all based in South Korea and belong to the following industries:

    • News
    • TV
    • Radio
    • Finance
    • Shopping
    • Gaming
    • Advertising

    Online gaming’s popularity in South Korea is well known, so it is not surprising that the people behind this attack used TSPY_ONLINEG.OMU. However, the use of ONLINEG may also have been an attempt to disguise the actual intent of the malware. Because this particular malware family is “known” to focus on online gaming theft, people may underestimate its potential threat without looking into the actual code.

    This incident is also another example of the online bad guys’ continuous efforts to revamp and improve old but reliable threats. Thus it is important for users to stay updated with the latest developments in online security.

    As of this writing, the affected South Korean sites are now clean and no longer host the said malware.

    With additional insights from Threat Researcher Eruel Ramos

    Posted in Bad Sites, Malware, Targeted Attacks | Online Gaming Spyware Downloads Backdoor

    About a month ago, the Apache Software Foundation released an update to Struts, the popular Java web application development framework. The patch was released because vulnerabilities in older versions of Struts could allow attackers to run arbitrary code on vulnerable servers.

    Since then, we’ve found that hackers in the Chinese underground have created an automated tool that exploits these problems in older versions of Struts. We first confirmed the existence of these tools on July 19; this was only three days after the vulnerabilities were disclosed to the public.

    Figure 1. Advertisement for hacking tool

    A hacking tool like this serves multiple uses in a targeted attack, such as:

    • Acquiring information about the target
    • Gaining and maintaining access onto the target’s system and network
    • Stealing information
    • Removing evidence of an attack

    We have observed attacks against Asian targets using this specific hacking tool, which indicates these Struts flaws are being actively exploited by potential threat actors in the wild.

    The Hacking Tool Itself

    The hacking tool targets several different flaws in Struts. These are identified both by their Apache-issued bulletin numbers and their CVE numbers:

    • S2-016 (CVE-2013-2251)
    • S2-013 (CVE-2013-1966)
    • S2-009 (CVE-2011-3923)
    • S2-005 (CVE-2010-1870)

    All of these vulnerabilities, if exploited, allow arbitrary commands to be run on the target server by an attacker. To demonstrate the capabilities of this tool, we ran it against a test environment which was running a vulnerable version of Struts.

    Figure 2. Hacking tool user interface

    Some specific commands can be run on the target server by the tool automatically. One of the pre-programmed commands is whoami, which displays information about the target server’s current account.

    Figure 3. The generated TCP Stream.

    The full list of commands that it can run is as follows:

    Table 1. Integrated commands

    Setting Up A Backdoor

    An attacker’s goal in targeting a vulnerable server is to set up a backdoor. These backdoors allow an attacker to gain and maintain access to the server and use it as they see fit; this tool allows an attacker to do just that with relatively little effort.

    The hacking tool contains a “WebShell” feature, which allows the attacker to easily plant a backdoor and a web shell onto the target. These web shells make issuing commands to the backdoor much easier, as it can be done directly from a browser window.

    A variety of web shells are available for servers using frameworks such as PHP and ASP.NET; in this particular case, because Struts is a Java application framework, the attacker can install JspWebShell, a web shell/backdoor combination written in JavaServer Pages (JSP).

    Figure 4. Hacking tool with WebShell feature

    The screenshot below shows how JspWebShell has access to the server’s file system.

    Figure 5. User interface of JspWebShell

    Web shells with more powerful capabilities, such as searching for and stealing information and data from the backdoored server, are easily available in the underground.


    In summary, what do we know about this hacking tool?

    • It was published three days after the vulnerability’s publication date.
    • It allows for the easy execution of operating system commands on the targeted server.
    • It is possible with just a few clicks of the mouse to establish a backdoor/web shell on the target server to acquire and maintain access.
    • Web shells are evolving, and features are being added to these as necessary.

    As we noted earlier, this vulnerability has been patched and a new version of Struts released. Some applications may break because several vulnerable features were removed in the current version, but despite this Apache has said the update is “strongly recommended”. The potential risks from a successful attack outweigh the inconvenience of modifying any deployed apps.

    We provide a variety of solutions against these threats. Users of Deep Security have various rules which help block Struts exploits and drop the related malicious packets. In addition, we detect the backdoors planted on affected sites as HKTL_ACTREDIR and JS_SPRAT.SM.
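Product rules aside, a defender can get a first-pass signal from ordinary web server access logs. The following is an added example (not Trend Micro’s code and not part of the original post) that parses Common Log Format lines and flags requests carrying the Struts OGNL injection indicators described in the public Apache bulletins listed above: OGNL expression markers (`${` and `%{`) and the `action:` / `redirect:` / `redirectAction:` parameter prefixes covered by S2-016. The log lines are constructed for the example, the heuristic is deliberately simple and will not catch every variant of the four bulletins, and the request target is URL-decoded twice because payloads are frequently encoded more than once.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# OGNL expression markers, and the parameter prefixes named in the S2-016 bulletin.
# This is a simplified heuristic, not a complete signature set for all four bulletins.
OGNL_MARKER_RE = re.compile(r'[%$]\{')
PREFIX_RE = re.compile(r'(?:^|[?&])(?:redirect|redirectAction|action):', re.IGNORECASE)


def decode_target(target, rounds=2):
    """URL-decode up to `rounds` times so single- or double-encoded payloads become visible."""
    out = target
    for _ in range(rounds):
        nxt = unquote(out)
        if nxt == out:
            break
        out = nxt
    return out


def classify_request(target):
    """Return the indicator names found in one request target ([] means nothing suspicious)."""
    decoded = decode_target(target)
    hits = []
    if OGNL_MARKER_RE.search(decoded):
        hits.append("ognl-expression")
    if PREFIX_RE.search(decoded):
        hits.append("s2-016-prefix")
    return hits


def scan_log(lines):
    """Parse CLF lines; return (client host, decoded target, indicators) for flagged requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF, skip rather than guess
        hits = classify_request(m.group("target"))
        if hits:
            findings.append((m.group("host"), decode_target(m.group("target")), hits))
    return findings


# Constructed sample log: one benign login, one S2-016-style redirect prefix with a
# harmless placeholder expression, and one double-encoded OGNL marker in a parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jul/2013:10:01:02 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Jul/2013:10:01:07 +0000] "GET /app/index.action?redirect:${%23a%3d1} HTTP/1.1" 302 0',
    '10.0.0.9 - - [19/Jul/2013:10:01:09 +0000] "POST /app/list.action?x=%2525%257Bfoo%257D HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for host, target, hits in scan_log(SAMPLE_LOG):
        print(f"{host}  {', '.join(hits)}  {target}")
```

In a real deployment the flagged lines would be correlated with the server’s own error log and with outbound connections from the Struts host, since a successful exploit is usually followed by the web shell or backdoor activity the post describes.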

    The hash values of the hacking tool sample are as follows:

    • MD5: 4674D39C5DD6D96DFB9FF1CF1388CE69
    • SHA1: 9C6D1700CF4A503993F2292CB5A254E4494F5240

    Posted in Exploits, Malware, Targeted Attacks, Vulnerabilities | Chinese Underground Creates Tool Exploiting Apache Struts Vulnerability

    Early this August, we wrote about cybercriminals using a well-publicized vulnerability in Android to launch an attack against users who do their online banking on their mobile devices through an app. This time, we discovered a mobile phishing attack that not only attempts to steal users’ login details, but also asks victims to upload an image file copy of their government-issued ID.

    This particular phishing campaign resembles the typical scenario: it involves a spoofed website of the bank’s mobile online banking login site, with a URL that closely mimics the original banking site.

    Despite the similarities, there are some noticeable differences, such as the lack of SSL support: the phishing site has neither the usual security symbol nor the HTTPS:// prefix that identifies a secure website. There are also graphical differences between the two:


    Figure 1. Legitimate site vs. spoofed page

    The phishing page asks for the user’s login details – but it doesn’t stop there. After entering their login details, the user will be sent to another spoofed page that then asks for their e-mail address and password. This is presumably so that when the user tries to recover their account by changing their login details, the cybercriminals responsible will be notified and thus still be able to access the said account.


    Figure 2. Phishing page asking for email credentials

    Not yet satisfied with all of this stolen information, the scam goes on to lead the user to another spoofed website that then asks the user to upload a scanned image file of their government-issued ID.


    Figure 3. Phishing page that asks for an image of a government ID

    Assuming that the user does supply such a file, they will be asked to continue to their account via a link – but the link, of course, only leads to a dead website.

    This is an unprecedented level of phishing here, as not only does the cybercriminal get access to the victim’s bank account and email account, but they also get the victim’s identification card – which could be used for all sorts of scams and fraud involving identity theft.

    While phishing attacks that actually ask for scanned copies of real-world identification are new, the trade in such material isn’t. In our paper about the cybercriminal underground in Russia, Russian Underground 101, we discussed how copies of victims’ identification documents are bartered and sold not only for profit but also for use in identity theft, with prices ranging from US$2 to US$25 depending on the type of document. These documents range from identification cards and passports to work visas.

    Mobile phishing is on the rise. We’ve reported as much early this year, as well as how the cybercriminals dabbling in it are using the limitations inherent in the platform to carry out their deeds (such as the small screen size hiding URL discrepancies and security symbols). With smartphones being as popular as they are and being powerful enough to do most tasks we usually devote a desktop to, it’s not surprising that cybercriminals are taking advantage of the platform to nab more victims and milk them dry for personal information.

    Thankfully, users can protect themselves from this kind of cybercriminal activity. Some practices the user can keep in mind:

    • Bookmark frequently-visited websites. This eliminates the chance of being routed to a phishing website through typographical errors in the URL bar.
    • Always verify first. Users should verify first with the institutions involved (such as their bank) whenever encountering strange and unexpected procedures in their transactions.
    • Use a security solution. Security solutions immediately block phishing websites, preventing users from mistakenly accessing them.
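The first two practices can be turned into a simple check. The following added example (not Trend Micro’s code and not part of the original post) compares a URL against a user’s bookmarked banking hosts, flags a missing HTTPS scheme as the post describes, and distinguishes two common lookalike tricks: a host within edit distance 2 of the real domain, and the real brand name embedded as a subdomain of an unrelated domain. The bookmark hosts and URLs are constructed for the example, and the registrable-domain extraction is a deliberately crude last-two-labels split that is only adequate for the `.com` names used here.

```python
from urllib.parse import urlsplit

# Constructed bookmark list: the hosts a user would have saved for their bank (assumed names).
BOOKMARKED_HOSTS = {"mobile.examplebank.com", "www.examplebank.com"}


def levenshtein(a, b):
    """Edit distance between two strings (plain dynamic programming, fine for hostnames)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude brand.tld extraction: the last two labels (enough for the .com bookmarks above)."""
    return ".".join(host.split(".")[-2:])


def check_url(url, bookmarks=BOOKMARKED_HOSTS):
    """Return [] for a bookmarked HTTPS URL, otherwise a list of reasons to distrust it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("no-tls")          # the phishing page in the post had no HTTPS
    if host in bookmarks:
        return reasons
    reasons.append("not-bookmarked")
    legit_domains = {registrable(h) for h in bookmarks}
    for legit in sorted(legit_domains):
        brand = legit.split(".")[0]
        if brand in host and registrable(host) != legit:
            # e.g. mobile.examplebank.com.attacker-example.net: brand used as a subdomain label
            reasons.append("brand-embedded:" + legit)
        elif 0 < levenshtein(registrable(host), legit) <= 2:
            # e.g. examp1ebank.com: one character away from the real domain
            reasons.append("lookalike:" + legit)
    return reasons


if __name__ == "__main__":
    # Constructed URLs; attacker-example.net is a placeholder, not a real indicator.
    for u in [
        "https://mobile.examplebank.com/login",
        "http://mobile.examp1ebank.com/login",
        "https://mobile.examplebank.com.attacker-example.net/login",
    ]:
        print(u, "->", check_url(u) or "ok")
```

The point of the exercise is that on a small phone screen neither the missing padlock nor a one-character host difference is easy to see, which is exactly the limitation the post says mobile phishers rely on; a check like this is what a bookmark or a security product performs for the user.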

    Trend Micro users are protected from all the elements involved with this phishing threat, with the URLs of the fake website blocked.


    Posted in Mobile | Mobile Phishing Attack Asks for Government IDs

    In today’s Patch Tuesday, users and administrators everywhere are advised to immediately update their systems with the latest security updates from Microsoft, with critical updates for Internet Explorer taking the spotlight.

    For the month of August, Microsoft released eight bulletins, three rated Critical and the rest tagged Important. As in previous Patch Tuesdays, fixes for Internet Explorer may get the most attention. The IE bulletin addresses eleven vulnerabilities and affects IE versions 6 to 10; the most severe of these may enable an attacker to execute malware once a user visits a maliciously crafted website using Internet Explorer.

    The other critical bulletins include updates for Exchange Server and Windows OS vulnerabilities. As with IE, these vulnerabilities may allow a remote attacker to execute malware on the system.

    The bulletins rated Important may not give an attacker the chance to execute malware, but failing to apply them can lead to serious repercussions. The vulnerabilities in Windows and the Windows Kernel may lead to an attacker gaining the same privileges as the current user. The other cited bugs, found in Windows NAT, ICMPv6, and Active Directory Federation Services, may result in denial of service (DoS) or unwanted data disclosure.

    Microsoft’s update for the browser is a good reminder of the risks that browsers carry. At the recently concluded Black Hat conference, researchers Jeremiah Grossman and Matt Johansen demonstrated the possibility of browser-based botnets and how these can be built using fake online ads. In previous research, Trend Micro researcher Robert McArdle showed how a similar threat can be carried out by abusing HTML5.

    On the topic of browsers, Mozilla also released Firefox 23 for Mac, which addresses 13 security issues. As with IE, exploiting these Firefox vulnerabilities may also lead to a malicious file being executed on a vulnerable system.

    With browsers being the default way to connect to the Web and the growing number of devices dependent on them, this continued attention to IE and browser security suggests that we may see more attacks on browsers in the near future.

    Users are advised to apply these security updates as soon as possible. You may also visit our Trend Micro Threat Encyclopedia page to learn more about the Deep Security solution.

    Posted in Bad Sites | August 2013 Patch Tuesday Features Three Critical, Five Important Bulletins


    © Copyright 2013 Trend Micro Inc. All rights reserved.