    Archive for November 8th, 2013

    While Ross Ulbricht, the accused operator of the first Silk Road Marketplace, remains on trial in New York, a new version of the deep web site, named Silk Road 2.0, was launched yesterday. The launch was announced through the Twitter account of Dread Pirate Roberts, the pseudonym Ulbricht allegedly used while operating the site.

    Figure 1. Twitter announcement of the new Silk Road

    The new site has a new login page which parodies the FBI seizure page of the old Silk Road site.

    Figure 2. Login page of the new site

    According to its new front page, the new Silk Road offers users the additional option of being able to use their PGP keys to secure their communications.

    Figure 3. Silk Road main page

    In an official announcement published on the Silk Road Forums, a separate site hosted on the Tor network, Dread Pirate Roberts explains that the launch will take place over several days, starting with an initial launch on the 5th of November and ending on the 9th of November, when the marketplace is supposed to regain full functionality.

    Figure 4. Silk Road announcement

    News of the resurrection of Silk Road was immediately picked up by the mainstream media, with some speculation that the newly launched site may be just a honeypot set up to catch the remaining user base of the old Silk Road.

    More Deepweb Marketplaces Online

    However, the relaunched Silk Road is not alone, as other marketplaces have also sprouted online. A new marketplace, named Pandora, was spotted. According to its creator, Pandora offers better security for customers because it has a stronger verification process for sellers and high fees for first-time vendors, discouraging possible scammers. Pandora currently has more than 2,000 active users, with most activity revolving around narcotics.

    Figure 5. Pandora home page

    The Black Market Reloaded, a Silk Road competitor, is also back online after being shut down in the wake of the Silk Road arrest. Currently, there are more than 6,000 posts related to narcotics and more than 1,000 posts about services such as coding, hacking, and counterfeiting money or documents.

    Figure 6. Black Market Reloaded home page

    These marketplace launches and relaunches show just how active and vibrant the deep web is. Such activity is the reason why Trend Micro is actively involved in analyzing and monitoring activities related to the deep web.

    Our Forward-Looking Threat Research Team recently published a detailed report covering the technologies behind deep web sites and the kinds of transactions that take place on them, focusing on goods such as credit cards, counterfeit money, and e-crime services. You may read the paper, Deepweb and Cybercrime: It’s Not All About Tor.

    Posted in Bad Sites | The Boys are Back in Town: Deep Web Marketplaces Back Online

    The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks like there is more to the emergence of this threat than initially discovered.

    We have identified one possible factor in this growth: the arrest of Paunch, the creator of the Blackhole Exploit Kit. Paunch’s arrest led to a significant reduction in spam campaigns using exploit kits. Clearly, this caused a vacuum in the spam-sending world – spammers would not all of a sudden stop sending spam. So they would need to send something out; what would this be?

    One of those replacements has turned out to be UPATRE. We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying UPATRE (which ultimately leads to CryptoLocker) right around October, the same month of Paunch’s arrest. In fact, we have monitored multiple IPs involved in the transition – sending Blackhole Exploit Kit spam shortly before the arrest and sending CryptoLocker spam after the arrest.

    The Cutwail-UPATRE-ZEUS-CRILOCK infection chain we spotted on October 21 may be the most common infection chain used to spread CryptoLocker. The Cutwail botnet has the capability to send very high numbers of spam messages, which explains the high incidence of this recent spike in ransomware. It also highlights, somewhat perversely, how resilient cybercrime can be: the response to Paunch’s departure was remarkably quick and may have ended up affecting more people than the Blackhole spam runs had before.

    We’ve discussed in the previous CryptoLocker entries how to avoid becoming a victim. We reiterate that users should absolutely not open attachments that they were not expecting to receive. This will help minimize the exposure of users to this threat.

    Posted in Malware, Spam | CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest

    Further analysis by Trend Micro researchers on the reported defacement of the Singapore Prime Minister Office website revealed that the website was not actually defaced: attackers abused the search function of the Singapore PMO website to display an image that looks like a hacked version of the site.


    Figure 1. Image shown from within the PMO website that falsely claims the site was hacked

    The attackers exploited an XSS vulnerability in the website’s search page by entering the code triggering the display of the image as the search string. This caused the web page to execute the code and display the image, along with text that said “ANONYMOUS SG WAS HERE BIATCH~”, giving the impression that the website was defaced.

    We’d like to point out that the Singapore PMO website remains intact and was not compromised in any way. Visitors to the site will not see the image, since it is only displayed when the URL with the injected script embedded in it is accessed. The attackers drove users to that link by distributing the URL through social media.

    This attack is a form of cross-site scripting, or XSS, and has been seen in many attacks in the past, including those that affected other government websites. XSS vulnerabilities are low-hanging fruit for attackers since the likelihood of a website having them is very high, so they are seen as one of the easier routes for attacking a website.

    This ease in execution for hackers, however, is paralleled by great risks for the potential targets. While the attack on the PMO website only triggered the display of an image, we have seen other attacks that triggered redirections to malicious sites, leading visitors to malware.

    We strongly recommend that website developers make sure their sites are fully secure against XSS attacks through the following means:

    1. Review the website code regularly to make sure that it is configured to prevent code injection. This can be done by setting up limitations on input contents in order to reject special characters, as well as by sanitizing output by HTML-encoding user input/strings.
    2. Scan for web application vulnerabilities to identify possible attack vectors and address them immediately.


    © Copyright 2013 Trend Micro Inc. All rights reserved.