    Archive for October, 2013

    Apple will once again take center stage on October 22, when they (probably) unveil new versions of the iPad, iPad mini, MacBook Pro, and the Mac Pro. We will be once again on the lookout for scams and malware that will exploit this event, as they did with the iPhone 5s.

    The threats mentioned above also reiterate what we’ve said before: Mac users are not immune to cybercrime. In today’s landscape where information can be accessed practically anywhere, threats to data are no longer dependent on the type of device or operating system one is using.

    One example is the continued, and even growing, exploitation of vulnerabilities in cross-platform applications such as Adobe products or Java, both of which had several bouts of zero-day incidents during the first quarter of this year. For end users who have access to both a PC and a Mac, protecting themselves from these exploits means, at the very least, installing the security updates for each of these platforms as soon as they become available.

    For enterprises, this task is compounded ten- or even hundred-fold, especially because they have to manage not just PCs and Macs, but also Android, iOS, and other endpoints that connect to their networks. With consumerization and bring-your-own-device trends taking hold, the endpoint “ecosystem” is becoming even more fragmented.

    This mixed bag of devices and OSes poses several challenges for IT administrators. Controlling these devices and maintaining visibility over events is more difficult. Again, we are not just talking about PC and Mac threats here: our researchers have so far uncovered threats that affect both desktop and mobile devices.

    Another challenge is the deployment of preventive measures like patches and security updates. As such, organizations should have an endpoint strategy composed not only of the appropriate solutions and technologies, but also of well-thought-out data security policies. More information can be found in our latest Security In Context Primer: Managing Multiple Devices: Integrated Defense Against Cross-Platform Threats.

    Posted in Bad Sites | On Macs, Cross-Platform Threats, and Managing Multiple Devices

    Trend Micro researchers have discovered that flaws in the AIS vessel tracking system can allow attackers to hijack communications of existing vessels, create fake vessels, trigger false SOS or collision alerts and even permanently disable AIS tracking on any vessel.


    Figure 1. 300-ton ships should not drive down the main street of a city

    In our previous blog post, we gave a brief introduction of the Automatic Identification System (AIS), a mandatory vessel tracking system for all commercial (non-fishing) ships over 300 metric tons, as well as passenger ships (regardless of size and weight). AIS works by acquiring GPS coordinates and exchanging a vessel’s position, course and information with nearby ships and offshore installations. It is currently installed in around 400,000 vessels.

    As the world becomes more connected to the “Internet of Things”, Trend Micro’s Forward Looking Threat researchers continue to look into technologies that could be abused by attackers in the near future. Earlier today at the HITB security conference in Kuala Lumpur, two researchers from this team (Kyle Wilhoit and Dr. Marco Balduzzi), together with independent researcher Alessandro Pasta, presented a series of experiments showing that AIS is comprehensively vulnerable to a wide range of attacks that could easily be carried out by pirates, terrorists or other attackers. Trend Micro took care to carry out responsible disclosure to all of the major standards bodies involved in AIS, as well as to the major online providers of AIS tracking information.

    The attacks can be divided into two parts. Firstly, we discovered that the main AIS Internet providers, which collect AIS information and distribute it publicly, have vulnerabilities that allow an attacker to tamper with valid AIS data and inject invalid AIS data, such as:

    • Modification of all ship details such as position, course, cargo, flagged country, speed, name, MMSI (Maritime Mobile Service Identity), status, etc.
    • Creation of fake vessels with all the same details as a real one, e.g. having an Iranian vessel with nuclear cargo show up off the coast of the US.
    • Creation and modification of Aids to Navigation (AtoN) entries, such as buoys and lighthouses. This leads to scenarios such as blocking the entrance to a harbor, causing a ship to wreck, etc.
    • Creation and modification of search and rescue aircraft such as helicopters and light aircraft, e.g. having a stationary search and rescue coast guard helicopter “take off” and travel on a set course.

    Secondly, we have also discovered flaws in the actual specification of the AIS protocol used by the hardware transceivers on all vessels where AIS is mandatory. In addition to the above threats, we have proven additional scenarios:

    • Impersonating marine authorities to permanently disable the AIS system on a vessel, both forcing the ship to stop communicating its position and stopping it from receiving AIS notifications from all nearby vessels (essentially a denial of service attack). This can also be tied to a geographical area, e.g. as soon as a ship enters Somali waters it vanishes from AIS, while the pirates who carried out the attack can still see it.
    • Faking a “man-in-the-water” distress beacon at any location, which also triggers alarms on all vessels within approximately 50 km.
    • Faking a CPA (Closest Point of Approach) alert and triggering a collision warning. In some cases this can even cause software on the vessel to recalculate a course to avoid the collision, allowing an attacker to physically nudge a boat in a certain direction.
    • Sending false weather information to a vessel, e.g. approaching storms to route around.
    • Causing all ships to send AIS traffic much more frequently than normal, resulting in a flooding attack on all vessels and marine authorities in range.

    All of this is made possible because the AIS protocol was designed with seemingly zero security considerations. In particular, we noted the following major issues:

    • Lack of Validity Checks. It is possible to send an AIS message from any location for a vessel at another location e.g. you can send a message from a location near New York for a vessel that claims to be in the Gulf of Mexico, and it will be accepted without question. No geographical validity checks are carried out.
    • Lack of Timing Checks. It is also possible to replay existing (valid) AIS information, because no timestamp information is included in the message e.g. you can replicate the position of a vessel.
    • Lack of Authentication. There is no authentication built into the AIS protocol. That means that anyone who can craft an AIS packet can impersonate any other vessel on the planet, and all receiving vessels will treat the message as fact.
    • Lack of Integrity Checks. All AIS messages are sent in an unencrypted and unsigned form, making them trivial to intercept and modify.
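    None of these four gaps can be closed at the receiver, but a receiver can at least notice when a report contradicts what it can observe for itself. The following Python is an added example (not Trend Micro's code, and not part of any AIS specification) of receiver-side plausibility checks that cover the first two gaps: a geographic range check against the receiver's own position, a kinematic check between successive reports from the same MMSI, and a replay heuristic for a vessel claiming to be under way while repeating exactly the same payload. It assumes a simplified, already-decoded record (decoding AIVDM sentences is out of scope), an assumed 50 nautical mile reception range, an assumed 60-knot speed ceiling, and constructed sample traffic heard by a receiver placed near New York harbor.

```python
"""Receiver-side plausibility checks for AIS position reports.

Added example (not Trend Micro's code, not part of any AIS standard).
Assumes a simplified, already-decoded record: MMSI, latitude, longitude,
speed over ground (knots) and the receiver's own timestamp. Because AIS
messages carry no timestamp or signature, every check below relies only
on what the receiver itself can observe.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_NM = 3440.065        # Earth radius in nautical miles
DEFAULT_MAX_RANGE_NM = 50.0       # assumed maximum plausible VHF reception range
DEFAULT_MAX_SOG_KNOTS = 60.0      # assumed ceiling: faster than any commercial vessel
DEFAULT_REPLAY_GAP_S = 120.0      # identical payload repeated after this gap is suspect

INVALID_COORDINATES = "invalid_coordinates"
OUT_OF_RANGE = "out_of_range"
IMPLAUSIBLE_SPEED = "implausible_speed"
POSSIBLE_REPLAY = "possible_replay"


@dataclass(frozen=True)
class PositionReport:
    mmsi: int
    lat: float
    lon: float
    sog: float          # speed over ground in knots, as claimed by the sender
    received_at: float  # seconds on the receiver's clock (not from the message)


def haversine_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


class AisPlausibilityChecker:
    """Flags reports that the bare AIS protocol would accept without question."""

    def __init__(self, receiver_lat: float, receiver_lon: float,
                 max_range_nm: float = DEFAULT_MAX_RANGE_NM,
                 max_sog_knots: float = DEFAULT_MAX_SOG_KNOTS,
                 replay_gap_s: float = DEFAULT_REPLAY_GAP_S) -> None:
        self.receiver = (receiver_lat, receiver_lon)
        self.max_range_nm = max_range_nm
        self.max_sog_knots = max_sog_knots
        self.replay_gap_s = replay_gap_s
        self._last: Dict[int, PositionReport] = {}                      # last report per MMSI
        self._first_seen: Dict[Tuple[int, float, float, float], float] = {}  # payload -> time

    def check(self, r: PositionReport) -> List[str]:
        findings: List[str] = []
        if not (-90.0 <= r.lat <= 90.0 and -180.0 <= r.lon <= 180.0):
            return [INVALID_COORDINATES]

        # Geographic validity: anything this receiver hears was transmitted within
        # VHF range, whatever position the payload claims.
        if haversine_nm(*self.receiver, r.lat, r.lon) > self.max_range_nm:
            findings.append(OUT_OF_RANGE)

        # Kinematic consistency: the speed implied by two successive reports from
        # the same MMSI must be physically achievable.
        prev = self._last.get(r.mmsi)
        if prev is not None:
            dt_h = (r.received_at - prev.received_at) / 3600.0
            if dt_h > 0 and haversine_nm(prev.lat, prev.lon, r.lat, r.lon) / dt_h > self.max_sog_knots:
                findings.append(IMPLAUSIBLE_SPEED)

        # Replay heuristic: a vessel claiming to be under way should not repeat the
        # exact same position/speed payload long after it was first heard.
        key = (r.mmsi, r.lat, r.lon, r.sog)
        first = self._first_seen.get(key)
        if first is not None and r.sog > 0 and r.received_at - first > self.replay_gap_s:
            findings.append(POSSIBLE_REPLAY)
        self._first_seen.setdefault(key, r.received_at)

        self._last[r.mmsi] = r
        return findings


def run_demo() -> Dict[int, List[str]]:
    """Feeds constructed sample traffic to a receiver near New York harbor."""
    checker = AisPlausibilityChecker(receiver_lat=40.70, receiver_lon=-74.00)
    # Constructed sample reports: MMSIs and positions are invented, not real vessels.
    sample = [
        PositionReport(367000001, 40.65, -74.05, 10.0, 0.0),    # nearby, first sighting
        PositionReport(367000001, 40.66, -74.04, 10.0, 300.0),  # ~0.75 nm in 5 min: ~9 kn
        PositionReport(367000002, 27.00, -90.00, 12.0, 10.0),   # claims Gulf of Mexico
        PositionReport(367000001, 40.65, -74.05, 10.0, 900.0),  # exact repeat of report 0
        PositionReport(367000003, 40.60, -74.10, 8.0, 0.0),
        PositionReport(367000003, 40.90, -73.80, 8.0, 60.0),    # ~23 nm in one minute
    ]
    return {i: checker.check(r) for i, r in enumerate(sample)}


if __name__ == "__main__":
    for index, result in run_demo().items():
        print(f"report {index}: {result or 'ok'}")
```

    The replay heuristic is deliberately weak, since without a timestamp in the message a receiver can only compare payloads against its own history; it will miss a replay that is delayed by less than the gap, and a real vessel stopped in a slip will legitimately repeat its position, which is why the check requires a non-zero claimed speed. All three findings are indicators to raise on a watch display or feed into correlation with radar, not grounds to discard the message.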

    While all the attacks we described above were carried out in our dedicated test lab setup – where we used specific software defined radio equipment – we have also proven that an attacker is able to carry out such attacks using a modified standard, easy to obtain VHF radio which costs approximately €150, or approximately US$200.

    We are preparing a white paper describing our research in detail, which will be released at an upcoming security conference, but the slides from our talk at HITB are now available on Trend Micro’s SlideShare page:

    Fixing the flaws in AIS is not trivial, as they exist right down to the core of the protocol. Even if the AIS Internet providers altered their sites, the underlying protocol would still be open to abuse. At a minimum, a new version of AIS would need to incorporate defenses for the three core issues outlined: validity, authentication and encryption. We are fully aware that the costs of updating AIS on all vessels are high – but in light of threats such as piracy and terrorism, there really is no alternative.

    AIS is only one example of a critical radio-based system that was designed in a world before the Internet or software-defined radio. The problem is bigger than marine traffic alone. Other systems, such as ADS-B (used by airplanes) or the soon-to-be-released systems for car-to-car communication, suffer from some of the same limitations and vulnerabilities.

    Trend Micro’s Forward Looking Threat Research team is actively investigating this area as part of Trend Micro’s mission to secure the world for the exchange of digital information.


    In recent years, the Automatic Identification System (AIS) has been introduced to enhance ship tracking and provide extra safety to marine traffic, on top of conventional radar installations. AIS is currently mandatory for all passenger ships and for commercial (non-fishing) ships over 300 metric tons. It works by acquiring GPS coordinates and exchanging a vessel’s position, course and other information with nearby ships, offshore installations such as harbors and traffic control stations, and Internet tracking and visualization providers.

    Installed in an estimated 400,000 vessels, AIS is currently the best system for collision avoidance, maritime security, aids to navigation and accident investigations.

    As the world becomes more connected to the “Internet of Things”, Trend Micro’s Forward Looking Threat researchers continue to look into any technologies that could be abused by attackers in the near future. Given its importance in marine safety, we conducted a comprehensive security evaluation of AIS, tackling it from a software, hardware, and radio frequency perspective.

    This Wednesday, I, my colleague Kyle Wilhoit, and independent researcher Alessandro Pasta will be presenting at the Hack in the Box conference in Kuala Lumpur, Malaysia, one of the most well-known security conferences in the industry. We will discuss how we were able to hijack and perform man-in-the-middle attacks on existing vessels, take over AIS communications, tamper with the major online tracking providers and eventually fake our own yacht and search and rescue vessels. We will release more details after the conference later this week.

    Figure 1. Attacked AIS system


    In our 2013 Security Predictions, we anticipated that cybercriminals would focus on refining existing tools, instead of creating new threats. Two threats that both represent refinements of previously known threats show this effectively.

    CryptoLocker: Latest Ransomware Wave

    Aside from using freebies, contests, or spoofing popular brands, cybercriminals can use other, similarly effective lures from their social engineering toolbox. This includes intimidating or even downright scaring users to coax them into purchasing bogus products or simply giving away their data or money. Such a tactic is clearly at work in threats like FAKEAV and, now, ransomware.

    Earlier, ransomware had taken a new form – namely, police Trojans. These malware typically block access to the system and show users a spoofed notice from a local law enforcement agency. The notice accuses the victims of doing something illegal on the Internet and tells them they must pay a fine.

    However, the latest ransomware variants (known as cryptolockers) now encrypt files besides locking the system. This is to ensure that users will still pay up even if the malware itself was deleted. A recent cryptolocker (detected as TROJ_CRILOCK.AE) also displays a wallpaper with a warning to users. The warning tells users that even if they delete the malware from their system, the encrypted files will remain inaccessible.

    The private key that supposedly unlocks the encrypted files will be deleted should users choose not to purchase it for $300 (or 300 euro). Apart from this routine, this malware behaves much like other reported CryptoLocker variants.

    How to Keep a Low Profile, SHOTODOR style

    Another way to make an attack successful is to remain unnoticed by users and even by antimalware software. We’ve encountered BKDR_SHOTODOR.A, which uses garbage code and randomly named files to take obfuscation to the next level. (Note that the perpetrators of this attack are completely different from those behind the previous one.)

    Currently, the infection vector is yet to be determined. Based on our analysis, the threat starts with a dropper component, which drops multiple files onto the affected system. Looking closely at these files, most contain only numeric values, while others contain data that is harmless on its own. However, one file stands out because of its large size. It, too, contains numeric “garbage” strings. In reality, these strings hide the actual malicious code, which is an obfuscated AutoIt script.

    The question then is, how does the malicious code get executed? One of the dropped files contains an AutoIt script interpreter, which loads the obfuscated script mentioned earlier. Once loaded, the script builds the rest of the malicious code by collecting the information scattered across the other dropped files. In doing so, it creates an executable in memory and injects it into a normal process. This malicious executable performs the backdoor routines (e.g. communicating with the C&C server, executing malicious commands, etc.).

    By opting to “disperse” the malicious code across files and reassemble it afterwards into a malicious executable, the threat actors are clearly attempting to evade detection and remain hidden. All the related files are detected by Trend Micro as BKDR_SHOTODOR.A.

    These threats highlight how instead of attackers creating completely new kinds of threats, attackers are opting to modify existing threats which are still effective. While not completely “new”, they still pose a significant threat to users today.

    To protect your systems from this threat, always observe best computing practices such as avoiding visiting unverified sites, clicking links from unknown sources, and avoiding executing/opening attachments from dubious email messages. Trend Micro protects users from this threat by detecting the malware cited in this blog.

    With additional analysis from Alvin Bacani and Lenart Bermejo.


    Recently, Twitter made public financial statements related to its upcoming initial public offering (IPO). Part of these statements included how many active users it has: Twitter said it has 218 million monthly active users, three-quarters of whom have accessed the site from a mobile device.

    It’s not a surprise that some of these users are malicious. What is uncommon is that some of these malicious accounts do try to “engage” with other accounts – even those of security vendors like Trend Micro. Too bad for these users – we are one step ahead of them, as we have previously blocked the dubious sites they offer.

    Recently, we came across four accounts that added the @TrendLabs Twitter account to various lists. This would not have been unusual, except all four accounts were clearly malicious:

    Figure 1. Accounts/lists added

    Upon further investigation, these accounts led to more malicious sites offering a variety of hacking tools targeting sites like Facebook and Twitter, as well as a scam site offering free iPhone 5ses.

    Figure 2. Hacking tool website

    It’s highly likely that these malicious sites are scam sites, offering none of the supposed “tools” that are on offer. Cybercriminals are not below stealing from other would-be online crooks and attackers as well.

    Unfortunately, this is not the first (or the last) threat that we can encounter on popular social networking sites. Previously, incidents like survey scams, rogue apps, and other threats were frequent, although recent improvements by these sites have been able to keep these threats at bay. However, as the popularity of mobile devices grew, cybercriminals found a new platform to use in their schemes. Just recently, we found a fake Facebook mobile page that asks users to disclose credit card details. Cybercriminals may either sell these or use them to initiate unauthorized transactions.

    We advise would-be “curious” users to avoid these sites and profiles completely, and if possible to report these accounts to site administrators, preferably using the automated block/report features of these services.

    The sites are already blocked by Trend Micro web reputation services.

    Additional analysis by Karla Agregado and Paul Pajares.

    Posted in Bad Sites, Social | Twitter Still Being Used By Shady Hackers


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice