
    Archive for September, 2013




    Microsoft Outlook and Internet Explorer account for two of the four Critical bulletins (plus ten bulletins rated Important) in today’s Microsoft Patch Tuesday. Particularly troublesome is the Outlook vulnerability, which is exploitable via the preview pane. Systems left without these updates are at risk of malware infection and unwanted data disclosure, among other threats.

    The four Critical bulletins all pose serious risks to users and organizations. If not addressed, the vulnerability in Microsoft Outlook can lead to malware execution as soon as a user previews a maliciously crafted email message in Outlook. Applying this patch should be a priority, particularly for organizations that are under constant threat of targeted attacks delivered by spear-phishing.

    For the past several months, Microsoft has consistently released Critical security bulletins for Internet Explorer. This month is no different, with security patches for ten privately reported vulnerabilities affecting several versions of Internet Explorer, including a privately reported IE 10 flaw on Windows 8 and RT. As with the Outlook vulnerability, an attacker can exploit these to execute malware.

    Also notable is the inclusion of security patches for Windows XP, which Microsoft will stop supporting in April next year. Users and organizations still on that platform should start, or at least seriously consider, migrating to later versions of Windows. Otherwise they risk a situation like the Java 6 zero-day exploit seen two weeks ago, for which no consumer security updates are available because Oracle has already ended support for that version.

    Security updates for SharePoint, which resolve ten vulnerabilities in that software, round out this month’s Critical issues. The bulletins rated Important cover vulnerabilities in Microsoft Office, Excel, FrontPage and Windows that can lead to a range of threats, including an attacker gaining administrative access and information leaks.

    Users are advised to apply these security updates immediately. For IT administrators, applying certain updates, such as the SharePoint ones, may be tricky, as they may need to be tested for adverse impact on business operations. You may also visit our Trend Micro Threat Encyclopedia page to learn more about the Deep Security solution.

     
    Posted in Exploits, Vulnerabilities | Comments Off



    Firefox OS is Mozilla’s foray into the mobile operating system field and promises a more adaptive mobile OS. But as mobile threats, particularly on the Android platform, have gained momentum, the question on everyone’s mind is: how safe is it?

    About a month ago, Telefonica announced that it had launched Firefox OS, Mozilla’s mobile operating system, in Colombia and Venezuela. Separately, ZTE is also selling Firefox OS devices directly to end users via its eBay store.

    Firefox OS uses a Linux kernel and boots into a Gecko-based runtime engine, which lets users run apps developed entirely with HTML, JavaScript, and other open web technologies.

    Overall, Firefox OS has good app permission management, but its core processes (which run with more privileges) may become targets for exploits. In addition, HTML5 features may become sources of vulnerabilities.

    Firefox OS Architecture Overview

    Firefox OS has to connect web-based applications to the underlying hardware. It does this using an integrated technology stack consisting of the following layers:

    Figure 1. Firefox OS stack

    Gonk consists of the Linux kernel, system libraries, firmware, and device drivers.

    Gecko is the application runtime layer that provides the framework for app execution, and implements the Web APIs used to access features in the mobile device.

    Gaia is the suite of web apps that make up the user experience (apps consist of HTML5, CSS, JavaScript, images, media, and so on).

    The Gecko layer acts as the intermediary between web apps (at the Gaia layer) and the phone. It also enforces permissions and prevents access to unauthorized requests.

    Application security

    Firefox OS also has its own application layer design. There are three kinds of apps: hosted apps, privileged apps and certified apps.

    Hosted apps can be installed from any website without further verification. This grants the app no permissions beyond those already exposed to an ordinary website. Privileged apps are allowed to request more permissions, but they must be verified and signed by a Marketplace (i.e., an app store). Certified apps, which have the most permissions, can only be pre-installed on the device by the manufacturer.

    Figure 2. B

    A B2G process in the Gecko layer runs in the background with high privileges, while every app runs in a content process with low privileges. Every request an app makes to the device must first pass to the B2G process, which checks the permissions of the app.
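The following is an added illustration (not Mozilla's code) of the check just described: it derives the app type from the manifest and the install path that vouches for it, then grants or refuses each requested permission. The permission table is an assumed subset reconstructed from memory of Gecko's permission table and should be treated as illustrative; the three app types and their install rules come from the post.

```python
"""Model of the B2G-side permission check for the three Firefox OS app types.

Added illustration, not Mozilla's code. PERMISSION_TABLE is an assumed
subset; treat the individual entries as illustrative.
"""
ALLOW, PROMPT, DENY = "allow", "prompt", "deny"

# Assumed subset: permission -> action per app type. "web" is the type of a
# hosted app, i.e. it gets no more than an ordinary website would.
PERMISSION_TABLE = {
    "geolocation": {"web": PROMPT, "privileged": PROMPT, "certified": PROMPT},
    "contacts":    {"web": DENY,   "privileged": PROMPT, "certified": ALLOW},
    "tcp-socket":  {"web": DENY,   "privileged": ALLOW,  "certified": ALLOW},
    "telephony":   {"web": DENY,   "privileged": DENY,   "certified": ALLOW},
}

def check_permissions(manifest, installed_from_marketplace=False, preinstalled=False):
    """Return (app_type, granted, denied) for a manifest, or raise if the
    declared type is not backed by the install path that vouches for it."""
    app_type = manifest.get("type", "web")
    if app_type not in ("web", "privileged", "certified"):
        raise ValueError("unknown app type %r" % app_type)
    if app_type == "certified" and not preinstalled:
        raise ValueError("certified apps can only be pre-installed by the manufacturer")
    if app_type == "privileged" and not installed_from_marketplace:
        raise ValueError("privileged apps must be verified and signed by a Marketplace")
    granted, denied = {}, []
    for perm in manifest.get("permissions", {}):
        # Unknown permissions and DENY entries are refused outright; the app
        # never reaches the Web API behind them.
        action = PERMISSION_TABLE.get(perm, {}).get(app_type, DENY)
        if action == DENY:
            denied.append(perm)
        else:
            granted[perm] = action
    return app_type, granted, denied

# Constructed sample manifests (same keys a real manifest.webapp uses).
HOSTED_MANIFEST = {"name": "Demo hosted",
                   "permissions": {"geolocation": {}, "contacts": {}}}
PRIVILEGED_MANIFEST = {"name": "Demo privileged", "type": "privileged",
                       "permissions": {"contacts": {}, "tcp-socket": {}, "telephony": {}}}

if __name__ == "__main__":
    print(check_permissions(HOSTED_MANIFEST))
    print(check_permissions(PRIVILEGED_MANIFEST, installed_from_marketplace=True))
```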

    Sandboxing

    Firefox OS also makes extensive use of sandboxing. Each app runs in its own worker space and has access only to the Web APIs and data it is permitted to use, as well as the resources associated with that worker space (IndexedDB databases, cookies, offline storage, and so on).

    In addition, apps communicate only with the B2G process, not with other processes or apps. Apps do not run independently of B2G, nor can apps “open” each other. The only “communication” between apps is indirect, and is mediated by the B2G process.

    Exploiting the B2G process

    The B2G process is a core process of Firefox OS, located in the Gecko layer of the technology stack. If this process is exploited, an attacker can obtain high-level privileges (such as root access).

    Approximately a month ago, a vulnerability was found in Firefox 17 that could be used to run arbitrary code. We have confirmed that this vulnerability can also crash the B2G process, and that we can control the instruction pointer (IP). This would allow an attacker to run arbitrary code on the device with the privileges of the B2G process.

    Mozilla’s own documentation states that exploitation of the B2G process is a possible attack point for Firefox OS, because a content process can send untrusted (dirty) data to the B2G process.

    HTML5 vulnerabilities

    Because Firefox OS apps are built with HTML5, we can expect HTML5 vulnerabilities to be used to exploit Firefox OS in the future. Independent research has shown that HTML5 features can be used to fill memory for heap sprays.

    The HTML5 Uint8ClampedArray typed array can fill memory efficiently with easily written code, and it is easy to find a stable address holding the payload after a spray that uses it. HTML5 Web Workers can fill memory quickly using multiple threads, reducing the time needed to fill the memory.

    In our previous study of HTML5, we looked at how it can be abused to carry out various attacks, including spamming, unauthorized bitcoin generation, phishing and a browser-based botnet. Since these HTML5-based attacks are memory-based, detecting them with traditional antimalware solutions will be challenging.

    Though Firefox OS may not enjoy the market share of Android, the use of HTML5 is gradually gaining traction among users (Amazon also accepts HTML5 apps). Thus, regardless of OS, we can expect such attacks to increase as more apps and sites use HTML5.

    Summary

    We believe that Firefox OS will face attacks like any other mobile OS. The most harmful would be exploitation of the B2G process. Moreover, resources from browser exploitation would be useful for exploiting Firefox OS, because it is Gecko-based and its apps are written in HTML5. Users, for their part, will benefit from understanding the risks involved in using HTML5 and how to avoid them. For more information, you may refer to our research paper HTML5 Overview: A Look At HTML5 Attack Scenarios.

    Update as of 5:30 PM PDT, September 12, 2013:

    Mozilla has confirmed that this vulnerability is present in Firefox OS, but it has been patched in the update to version 1.1.

     
    Posted in Mobile, Vulnerabilities | Comments Off



    While millions of mobile users are anticipating the launch of the new iPhones (5S and 5C), cybercriminals are already making their move, distributing spam that promises to give away the devices for free in the guise of a contest.

    We saw samples of spammed messages that attempt to spoof an Apple Store email notification. The message informs recipients that they have won the latest iPhone 5S and an iPad.

    Figure 1. Fake Apple email

    To claim these prizes, recipients are asked to go to a specific website and disclose their email address and password, which obviously results in their credentials ending up in the hands of cybercriminals.

    Figure 2. Phishing page

    The content of the message and the sender’s email address are obviously fake. However, the combination of perfect timing and a popular social engineering hook may cause users to fall into the spammers’ trap. The most important thing to remember is: “if it’s too good to be true, it probably is”.

    Feedback provided by the Smart Protection Network indicates that this mail is particularly effective in targeting Southeast Asian users:

    Figure 3. Most affected countries

    Trend Micro blocks the said email message and blocks access to the phishing site.

     
    Posted in Spam | Comments Off



    In a previous post, we discussed how the rise in the number of Tor users was directly attributed to the Mevade malware. In this post, we look into the details of the Mevade malware and how it first arrives on user systems.

    The first batch of Mevade samples (detected as BKDR_MEVADE.A) we gathered was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). (The legitimate Flash updater uses the same file name.) The two files can be differentiated by examining the file properties. The legitimate version is signed, while the malicious version is not. In addition, the version numbers are different.

    Figure 1. TROJ_DLOADE.FBV file properties

    Figures 2 and 3. Signed legitimate file

    The backdoor communicates with its C&C server via HTTP to receive commands, which include updating itself and connecting to a specific location using SSH to secure its communication.

    As for TROJ_DLOADE.FBV, we found that the URLs it uses to access its C&C servers follow this pattern:

    • http://{malicious domain}/updater/{32 random hexadecimal characters}/{1 digit number}

    The IP addresses that host these C&C servers are located in Russia.
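As an added example (not Trend Micro's code), the URL pattern above can be turned into a proxy-log check that flags exactly the requests whose path has the shape /updater/{32 hex}/{1 digit}. The log format (timestamp, client IP, method, URL) and the domains in the sample lines are constructed; only the path shape comes from the post.

```python
"""Flag proxy-log requests matching the TROJ_DLOADE.FBV C&C URL pattern.

Added example, not Trend Micro's code. Sample log lines and domains below
are constructed; the path shape /updater/<32 hex>/<1 digit> is from the post.
"""
import re

# Host is anything up to the next slash; the id must be exactly 32 hex
# characters and the trailing component exactly one digit.
CNC_URL_RE = re.compile(
    r"^http://(?P<host>[^/\s]+)/updater/(?P<id>[0-9a-f]{32})/(?P<n>[0-9])$",
    re.IGNORECASE,
)

# Constructed sample lines: "<time> <client> <method> <url>".
# Line 4 has a 31-character id and line 5 a two-digit suffix; neither matches.
SAMPLE_LOG = """\
2013-09-05T10:12:01Z 10.0.0.14 GET http://cnc.example.invalid/updater/0123456789abcdef0123456789abcdef/1
2013-09-05T10:12:03Z 10.0.0.14 GET http://download.example.org/updater/readme.txt
2013-09-05T10:12:07Z 10.0.0.22 GET http://cnc.example.invalid/updater/ABCDEF0123456789ABCDEF0123456789/7
2013-09-05T10:12:09Z 10.0.0.22 GET http://cnc.example.invalid/updater/0123456789abcdef0123456789abcde/1
2013-09-05T10:12:11Z 10.0.0.31 GET http://cnc.example.invalid/updater/0123456789abcdef0123456789abcdef/12
"""

def match_cnc_url(url):
    """Return the host/id/n parts if the URL fits the C&C pattern, else None."""
    m = CNC_URL_RE.match(url)
    return m.groupdict() if m else None

def find_cnc_requests(log_text):
    """Scan log lines and return one dict per request that fits the pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; skip rather than guess
        ts, client, method, url = parts
        m = match_cnc_url(url)
        if m:
            hits.append({"time": ts, "client": client, "host": m["host"],
                         "id": m["id"].lower(), "n": int(m["n"])})
    return hits

if __name__ == "__main__":
    for hit in find_cnc_requests(SAMPLE_LOG):
        print(hit)
```

The client addresses in the hits are the hosts to pull for the FlashPlayerUpdateService.exe signature check described above.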

    Looking into the feedback data provided by the Smart Protection Network, TROJ_DLOADE.FBV was found in multiple countries, with Japan and the United States being the most affected.

    Table 1. Countries affected by TROJ_DLOADE.FBV

    BKDR_MEVADE.A shows a different distribution, which highlights that TROJ_DLOADE.FBV is not just being used to distribute Mevade:

    Table 2. Countries affected by BKDR_MEVADE.A

    In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected for Mevade, as we noted earlier that it is linked to cybercriminals responsible for distributing adware. The adware download is consistent with our finding that the Mevade botnet is possibly monetized by installing adware and toolbars. Its distribution more closely resembles that of the original downloader malware:

    Table 3. Countries affected by ADW_BPROTECT

    Newer versions of Mevade (BKDR_MEVADE.B and BKDR_MEVADE.C) no longer use SSH; instead they use the Tor network to hide their network traffic. This can help cover their activity online, but otherwise the behavior and propagation is identical.

    Table 4. Countries affected by BKDR_MEVADE.C

    How the malware arrives on the system, however, is still under investigation. We will update this blog should we find more information about the infection vector. Meanwhile, users should observe best computing practices and avoid visiting unverified websites or downloading files from unverified links in email, social media, etc. Always update the system with the latest software security patches. Trend Micro detects and deletes the malware cited in this blog entry.

    With analysis from Eduardo Altares, Alvin Bacani, and Marvin Cruz.

     
    Posted in Bad Sites, Malware | Comments Off



    Since August 19, 2013, there has been remarkable growth in the number of Tor users, which caused much speculation. Was August 19 the starting date for running en masse from the NSA’s PRISM project? Were European internet users downloading the latest American cable TV series via Tor only, thus overcoming the blocking of sites like The Pirate Bay by European ISPs? Neither was very likely, so some thought a botnet abusing the Tor network to hide its command-and-control server must be the reason for the sudden increase in Tor users.

    Yesterday, Fox-IT published evidence for this plausible explanation: the Mevade malware family downloads a Tor component, possibly as a backup mechanism for its C&C communications. (We will release a second blog post describing in more detail the behavior of the Mevade variants we have encountered.)

    Feedback provided by the Smart Protection Network shows that the Mevade malware was, indeed, downloading a Tor module in the last weeks of August and early September. Tor can be used by bad actors to hide their C&C servers, and taking down a Tor hidden service is virtually impossible.

    The actors themselves, however, have been a bit less careful about hiding their identities. They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as “Scorpion”. Another actor uses the nickname “Dekadent”. Together, they are part of a well organized and probably well financed cybercrime gang.

    We strongly associate these actors with installations of adware and hijacking search results. Therefore, we suspect that one of the ways the Mevade botnet is monetized is by installing adware and toolbars onto affected systems. In fact, we have seen Mevade downloading adware. Adware and toolbars might seem less harmful than e.g. data stealing malware, but the reality is that there is a lot of money to be made in fraudulent advertising.

    We would also like to point out that Mevade has a backdoor component and communicates over SSH with remote hosts. Therefore, the risk of data theft remains very high.

     
    Posted in Bad Sites, Malware | Comments Off



    © Copyright 2013 Trend Micro Inc. All rights reserved.