    Archive for August, 2013

Google Code is Google’s official open source site, meant for developers to host their programs’ source code and related files, mostly in text format. However, using our sourcing system in Brazil, we were able to capture a piece of malware written in Java that downloads BANKER malware from a recently created project called “flashplayerwindows”. Of course, this bogus project has nothing to do with Adobe.

The said file (detected as JAVA_DLOAD.AFJ) is a compiled file that downloads and executes “AdobeFlashPlayer.exe”, which we have verified to be malicious (detected as TSPY_BANKER.VIX, renamed from TROJ_BANLOAD.JFK). Once executed, this Trojan connects to Google Code to download other files. The people behind this threat may have uploaded these files, which notably include BANKER variants, to the said Google Code page. BANKER malware is notorious for stealing banking and email account information. Typically, it performs its data-stealing routine by using phishing sites that spoof banking sites to lure users into disclosing information. Once this data is gathered, it can be used to initiate unauthorized transactions such as money transfers.

Previously, BANKER malware was seen hosted on compromised Brazilian government sites, affecting users in Brazil, the United States, and Angola. Another fraudulent project containing malware was also discovered, which goes to show that similar threats might still be out there.

Besides the danger of the BANKER malware itself, the use of a well-known site like Google Code provides good cover for cybercriminals. Because the malware is hosted on an official Google website, the download is served over SSL with a valid certificate, which can bypass traditional security technologies that inspect traffic. And because Google is a legitimate and reputable domain, traditional reputation services may not block the download.

If this threat seems familiar, it’s because this abuse of open-source project sites has been done before. Last June, we blogged about GAMARUE variants being hosted on SourceForge, which, like Google Code, is popular among developers and users alike.

This incident shows that, as we predicted for 2013, legitimate cloud providers like Google Code are likely to come under attack this year. As services like Google Code gain traction among users, we can expect similar cases to appear (and increase) in the coming days. Trend Micro protects users from this threat by detecting and deleting these BANKER variants.

    As of this writing, the said files are no longer available on Google Code.

Posted in Malware

Though the bulk of mobile threats come in the form of malicious or high-risk apps, mobile devices also face other threats. Take, for example, the bugs found in Samsung Galaxy devices and the OBAD malware, which exploits vulnerabilities to gain elevated privileges. Unfortunately, these are not the only vulnerabilities mobile users should be wary of.

Just recently at BlackHat USA, three vulnerabilities were discussed: the “master key” vulnerability in Android, a SIM card vulnerability, and the iPhone charger vulnerability.

The “master key” vulnerability was initially reported as affecting 99% of Android mobile devices. It relates to how Android apps are signed and may allow an attacker to update an already installed app without the developer’s signing key. Taking advantage of this flaw, an attacker can replace legitimate apps with malicious ones. We saw first-hand just how big its impact can be when our researchers got hold of an attack that used the vulnerability to update and trojanize a banking app.
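As an added example (not code from the original post or from Trend Micro), the following Python script shows one check a defender can run on an APK before installing or trusting it. The weakness behind the “master key” bug, which the post does not spell out, was that an APK (a ZIP archive) could carry two entries with the same name, so that the signature verifier and the installer could end up reading different content under one name. The script flags any repeated entry name and shows how a name-keyed lookup silently hides the duplicate that a full listing reveals. The archive contents are constructed in memory for the example and are not taken from a real app.

```python
import io
import warnings
import zipfile
from collections import Counter


def find_duplicate_entries(archive_bytes: bytes) -> dict:
    """Return {name: count} for every entry name that appears more than once.

    An APK is a ZIP file; a well-formed one never repeats an entry name, so a
    repeated name is a strong signal that the archive was crafted to make two
    readers (e.g. signature verifier vs. installer) see different content.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # namelist() walks the central directory and lists every entry, even
        # when names repeat; a name-keyed lookup would hide the repeat.
        counts = Counter(zf.namelist())
    return {name: n for name, n in counts.items() if n > 1}


def build_sample_apk(duplicate: bool) -> bytes:
    """Construct a minimal APK-like ZIP in memory (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns on duplicate names but still writes them, which is
        # exactly the kind of archive the check above is meant to catch.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"original dex bytes")
            if duplicate:
                zf.writestr("classes.dex", b"replacement dex bytes")
    return buf.getvalue()


def entry_seen_by_name_lookup(archive_bytes: bytes, name: str) -> bytes:
    """What a reader that resolves entries by name gets: Python's zipfile keeps
    the last central-directory record for a name, so the duplicate wins here.
    Another reader may pick the first; that disagreement is the whole problem."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    clean = build_sample_apk(duplicate=False)
    crafted = build_sample_apk(duplicate=True)
    print("clean   :", find_duplicate_entries(clean))    # {}
    print("crafted :", find_duplicate_entries(crafted))  # {'classes.dex': 2}
    print("name lookup on crafted returns:", entry_seen_by_name_lookup(crafted, "classes.dex"))
```

Rejecting any archive with a repeated entry name is a cheap gate to put in front of an app-vetting pipeline or an enterprise app store; it does not depend on knowing which of the two entries a given reader will pick.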

The second mobile device vulnerability, on the other hand, stems from the old encryption system used in most SIM cards today. To abuse the vulnerability, the attacker only needs to send an SMS message crafted to intentionally generate an error. As a result, the SIM card responds with an error code containing a 56-bit security key. The attacker can then use the key to send a message to the device that triggers the download of malicious Java applets, which may be designed to perform malicious routines such as sending text messages and spying on the phone’s location.

Unlike the “master key” vulnerability, the SIM card vulnerability can affect a far bigger set of users since it is not OS-dependent. Furthermore, because the threat stems from the use of an old cryptographic method, updating SIM cards with a newer method can be seen as impractical and expensive by GSM operators and telecommunication firms.

There are other ways to prevent attacks targeting this vulnerability. Filtering SMS messages can be a good start, but may not be possible with very basic handsets. Some telecommunication providers also offer in-network SMS filtering, but this is highly dependent on the mobile carrier.

The third vulnerability confirms that even the iPhone is not immune from vulnerabilities. Researchers from the Georgia Institute of Technology were able to create a malicious charger (also called Mactans) that contains a small computer capable of issuing USB commands. Presented during the recent BlackHat USA, their demonstration showed how the malicious charger was able to infect the iPhone and execute commands. Apple has since announced that the vulnerability used in the attack will be addressed in its next software update.


    Posted in Exploits, Mobile, Vulnerabilities | Comments Off on Exploiting Vulnerabilities: The Other Side of Mobile Threats

    The annual gathering in the Las Vegas heat known as DEF CON is always… interesting. Newly discovered potential threats that are talked about in DEF CON are always intriguing, to say the least. There were plenty of good talks, but there were several common threads that piqued my interest.

    Unconventional Threats

By “unconventional” I mean threats against devices that people outside of the security community (and even some inside it) would not consider to be targets. Charlie Miller and Chris Valasek talked about how cars could be “hacked” if an attacker gained access to the car’s internal networks. Another talk, smartly called “Home Invasion 2.0”, discussed how many networked devices, like home automation systems, baby monitors, and even toilets, are insecure. This has been discussed by our researchers before, as well as by our CTO in our 2013 predictions. The insights they shared then are similar to the concerns raised in the talks I mentioned: these systems were not designed with attacks in mind.

Designing secure systems, as opposed to systems that “just work”, is hard. It takes more time, it takes more resources, and it takes more money. It also requires awareness on the vendor’s part that their system needs to be secured in the first place.

These unconventional threats will be a significant problem moving forward. We are seeing devices connected to the Internet that have few good reasons, if any, to be online. Hopefully it won’t take long before the importance of securing these devices is realized.

    Conventional Threats Still Ripe Targets

Don’t assume that conventional threats have gone away. Chema Alonso’s talk discussed the serious risks of IPv6 in existing networks, thanks in part to operating systems enabling it by default. There was also a release and demo of a new tool called Evil FOCA, which enables ordinary man-in-the-middle attacks.

BYOD was under fire, too. Problems with WPA2-Enterprise wireless access were the subject of two separate talks, and were punctuated by DEF CON itself shutting down its own secure wireless network midday on the last day of the conference! In some ways, the problem is less broken protocols and more broken processes. Secure protocols exist, but aren’t used because they’re more difficult to use.

In short: just because “unconventional” threats are increasing does not mean “conventional” threats will go away. But I’d like to make the point that in so many cases, security “problems” are human in nature, not always technical.

    The Snowden Factor

    Of course, you couldn’t talk about DEF CON without talking about the issues raised by Edward Snowden’s revelations. After all, DEF CON founder Jeff Moss (known by his handle, The Dark Tangent) asked “feds” to stay away this year. Attendees expressed just how they felt about the matter with (multiple) Snowden cutouts making the rounds of the hallways and by attending talks by the American Civil Liberties Union (ACLU) on this matter. No one paying attention to the ACLU’s position will be surprised by what was said today, but the depth of concern (to say the least) among attendees should not be underestimated. Whatever one feels about Snowden, the impact will be felt for quite some time.

    It’s quite a turnaround from just last year, where NSA head General Keith Alexander actually had a well-attended talk. (Alexander was also present at Blackhat this year.) Privacy against government surveillance has always been a worry with the DEF CON audience, but the concern this year was, without doubt, unprecedented.


What DEF CON 21 boils down to is this: good security is hard. For new, Internet-enabled gadgets, we’re finding out what happens when unsecured systems are targeted by smart people trying to break them. In the “post-PC era”, it will only become harder as more and more targets come online. Things could get interesting, in all senses of the word.

    Posted in Bad Sites, Internet of Things, Mobile | Comments Off on DEF CON 21: Where We Learn That Good Security Is Hard

    The research on browser-based botnets presented during the recent Blackhat conference in Las Vegas touches on our previous study on the abuse of HTML5. Most importantly, it shows how a simple fake online ad can lead to formidable threats like a distributed denial of service (DDoS) attack.

In their briefing, Jeremiah Grossman and Matt Johansen showed that it is possible to initiate a massive distributed denial of service (DDoS) attack via a browser-based botnet. To create the botnet itself, would-be attackers need only invest in fake online ads, which are inexpensive. Because the networks serving ads on websites allow JavaScript to execute, attackers can craft JavaScript that makes the browsers of hundreds or thousands of users connect to a targeted site simultaneously, which may be enough to make the victim site inaccessible. Unfortunately, this scenario is likely to come to fruition, given that ads are a staple on sites and basically a driving force behind the Web.

In 2011, we looked into a similar threat scenario, researching the possibility of browser-based botnets built with HTML5. In that paper, we cited the developments in HTML5 and how attackers could harness these improvements to their advantage. In particular, with HTML5, attackers can create a botnet that includes systems running different operating systems, even mobile devices. Such a botnet is memory-based, which makes it difficult for traditional anti-malware software to detect.

    Below are some important points that I raised in the research, specifically on how attackers can use HTML5 for their attacks.

• Compared to traditional botnets, browser-based ones are not deemed persistent: the malicious code stops running once the user closes the browser tab. With this in mind, attackers can instead use persistent XSS and site compromise, a combination of clickjacking and tabnabbing, or disguise the malicious page as an interactive game.
• Besides DDoS attacks, this abuse of HTML5 can lead to spamming, bitcoin generation, phishing, internal network reconnaissance, proxy network usage, and the spreading of worms via XSS attacks or SQL injection.

This misuse of HTML5 represents a method by which an attacker can infiltrate or initiate an attack against their targets. As browsers and apps (essentially stripped-down browsers) are likely to be the default way to connect online in this age of consumerization and growing numbers of Internet-connected devices and appliances (the Internet of everything), the idea of a browser botnet is an alarming prospect. With the use of HTML5 expected to take off in mobile apps, as recently exemplified by Amazon, we can expect this threat to become increasingly real very soon.
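As an added example that is not part of the original post or of the Grossman and Johansen research, the Python script below shows one detection approach a site operator could run over web server access logs to spot the traffic pattern an ad-driven browser botnet produces: within a short window, many distinct client addresses request the same resource while carrying the same third-party Referer (the page hosting the ad). The log lines, host names, threshold and the assumption that the browsers send a usable Referer header are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache/nginx "combined" log format (assumed; adjust the pattern for other formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def constructed_log():
    """Constructed sample access log (not real traffic): a normal trickle in one
    minute, then 40 distinct clients hitting the same page twice each in the next
    minute, all arriving from the same third-party ad page."""
    lines = [
        '203.0.113.10 - - [10/Aug/2013:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '203.0.113.11 - - [10/Aug/2013:12:00:09 +0000] "GET /about HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0"',
    ]
    for i in range(1, 41):
        for offset in (0, 10):
            lines.append(
                f'198.51.100.{i} - - [10/Aug/2013:12:01:{i + offset:02d} +0000] '
                f'"GET /heavy.php HTTP/1.1" 200 8192 "http://ads.invalid/banner.html" "Mozilla/5.0"'
            )
    return lines


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["minute"] = ts.strftime("%Y-%m-%dT%H:%M")  # one-minute buckets
    return rec


def referer_host(referer):
    """Host part of a Referer URL, or None when absent ("-") or unparsable."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def detect_referer_floods(lines, own_hosts, min_distinct_ips=25):
    """Flag (referer host, minute) buckets in which at least min_distinct_ips
    different clients arrived via the same third-party page. Referers from the
    site's own hosts are ignored, since internal navigation legitimately shares
    a Referer. The threshold is an assumed value; tune it to the site's baseline."""
    buckets = defaultdict(lambda: {"ips": set(), "requests": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = referer_host(rec["referer"])
        if host is None or host in own_hosts:
            continue
        bucket = buckets[(host, rec["minute"])]
        bucket["ips"].add(rec["ip"])
        bucket["requests"] += 1
        bucket["paths"].add(rec["path"])

    alerts = []
    for (host, minute), bucket in sorted(buckets.items()):
        if len(bucket["ips"]) >= min_distinct_ips:
            alerts.append({
                "referer_host": host,
                "minute": minute,
                "distinct_ips": len(bucket["ips"]),
                "requests": bucket["requests"],
                "paths": sorted(bucket["paths"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_referer_floods(constructed_log(), own_hosts={"example.org"}):
        print(alert)
```

The Referer is only one signal: browsers may omit or trim it depending on referrer policy, so in practice this check is combined with others the same log already carries, such as a burst of first-time client addresses, identical request paths, and near-identical User-Agent strings. An alert of this shape tells the operator which ad page to report to the ad network and which resource to rate-limit while the campaign runs.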

For users, the best way to prevent this attack is to study and understand the risks involved. User education, in particular for companies, can go a long way in protecting an organization’s business operations and important information. For more information about the research and how Trend Micro can help users combat this attack, you may refer to the paper HTML5 Overview: A Look At HTML5 Attack Scenarios.

    Posted in Botnets | Comments Off on The Reality of Browser-Based Botnets

Check out the TrendLabs 2Q 2013 Security Roundup.

Threats on mobile platforms, devices, and applications have been swelling over the past few years, but this quarter they have finally gone full throttle. Cybercriminals have found more sophisticated ways to bypass mobile security, and it’s not just through malicious applications anymore.

    Android Updates Lag, Users Suffer Critical Flaws

Proof that the Android “Master Key” vulnerability can be abused came with the discovery that cybercriminals can exploit the flaw to update original apps with malicious ones. The multicomponent OBAD malware, on the other hand, exploits a device administration flaw to run complex stealth and propagation routines.

    Patching these critical vulnerabilities is proving to be a problem given the sluggish Android update process. Android’s fragmentation issue pushes security patches through slow manufacturer-developer paths before reaching users.

To add to this, the total of malicious and high-risk Android apps continues to break records, reaching 718,000 this quarter. Users of the OS can expect cybercriminals to continue in pursuit, knowing that in just six months, malware apps have increased by 350,000, a feat that once took three years to achieve.

[Figure: PC vs. mobile timeline comparison of Android and Windows malware]

This quarter’s mobile events are sure to cause lasting security problems. It doesn’t help that the mobile experience involves a large human factor, from which many disastrous insecure habits are formed.

    Online Banking Malware Up, More Threats Revamped

    This quarter’s online banking threat count increased by nearly a third compared to last quarter. These threats claimed most of their victims from the United States, Brazil, Australia, and France.

Many of the big threats known to the industry return with revamped schemes and tricks. Looking at the underground market, experts saw malware kit prices decrease over time. Some, like SpyEye, are even being bundled for free with the purchase of other known kits. The Blackhole Exploit Kit (BHEK) uses a new FAREIT malware variant, which is known to steal file transfer protocol (FTP) credentials and any personal information on a target computer. Targeted campaigns, like Safe, continue to attack enterprises. Server-side applications such as Plesk, Ruby on Rails, and ColdFusion® had vulnerabilities exploited. Social engineering threats now target multiple-account access services such as Digsby, and use numerous blogging platforms as fake streaming pages.

    These changes in the threat landscape call for proactive, clear-cut, and custom defense solutions. Find out more about this quarter’s mobile, cybercrime, APT, and other threats through our TrendLabs 2Q 2013 Security Roundup, Mobile Threats Go Full Throttle: Device Flaws Lead to Risky Trail. Check out key findings from all the research done in Q2, and learn more about all the details in our full report.

    Trend Micro CTO Raimund Genes further discusses important points about the Security Roundup below.

    Don’t forget to join our Facebook and Twitter discussions using the hashtags, #trendlabsroundup and #2Qlabnotes!

    Posted in Bad Sites, CTO Insights, Malware, Mobile, Vulnerabilities | Comments Off on 2Q Security Roundup: Mobile Flaws Form Lasting Security Problems


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice