    TrendLabs Security Intelligence Blog

    Archive for January, 2014




    2013 was the year that Android malware not just grew, but matured into a full-fledged threat landscape. Not only did the number of threats grow, the sophistication and capabilities associated with these threats grew as well.

    As we noted earlier, the number of mobile malware threats has crossed the one million mark, and as of the end of 2013 stood at almost 1.4 million malicious and high-risk apps. We believe that by the end of 2014, this number will be at over 3 million.

    Figure 1. Volume of malicious and high-risk apps

    Not only are there more threats, the threats are becoming more diverse. No longer are mobile-centric cybercriminals content with just premium service abuse; the proportion of mobile malware with some sort of information-stealing ability grew from 17% at the start of 2013 to almost a quarter by year’s end. Overall, about a fifth of all mobile malware had some sort of information theft capability.

    Figure 2. Mobile malware threat type distribution

    New threats and problems also reared their heads in 2013. We saw a tenfold growth of one-click billing fraud apps; these apps attempt to register users for paid services that they would normally not be interested in. In addition, we also saw a serious vulnerability, the so-called “master key” vulnerability, which put almost all Android users at risk of installed apps being modified by attackers to include malicious code without breaking the app’s signature. Malicious mobile sites also made an appearance in 2013.
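    The post does not explain how the “master key” bug worked. The disclosed root cause was that an APK, which is an ordinary ZIP archive, could contain two entries with the same name; the signature verifier and the installer did not agree on which copy counted, so an attacker could add a second classes.dex to a signed app without invalidating its signature. The following added example (not code from the original post or from Trend Micro) builds a constructed, uncompressed APK-like archive with a duplicated classes.dex and checks the ZIP central directory for duplicate entry names, which is the condition the fixed verifier rejects. Entry names and payloads are placeholders, and CRCs are left at zero because the check never reads them.

```javascript
// Detect the "master key" condition: a ZIP (APK) whose central directory
// lists the same entry name more than once. Added example, not Trend Micro code.
"use strict";

const LOCAL_SIG = 0x04034b50;
const CENTRAL_SIG = 0x02014b50;
const EOCD_SIG = 0x06054b50;

// Build a minimal stored (uncompressed) ZIP from [name, payload] pairs.
// Duplicate names are written as given, which is what a tampered APK looked like.
// Fields left zero (flags, method 0 = stored, timestamps, CRC) come from Buffer.alloc.
function buildZip(entries) {
  const parts = [], centrals = [];
  let offset = 0;
  for (const [name, payload] of entries) {
    const nameBuf = Buffer.from(name, "utf8"), data = Buffer.from(payload, "utf8");
    const local = Buffer.alloc(30);
    local.writeUInt32LE(LOCAL_SIG, 0);
    local.writeUInt16LE(20, 4);               // version needed to extract
    local.writeUInt32LE(data.length, 18);     // compressed size
    local.writeUInt32LE(data.length, 22);     // uncompressed size
    local.writeUInt16LE(nameBuf.length, 26);  // file name length
    const central = Buffer.alloc(46);
    central.writeUInt32LE(CENTRAL_SIG, 0);
    central.writeUInt16LE(20, 4);             // version made by
    central.writeUInt16LE(20, 6);             // version needed
    central.writeUInt32LE(data.length, 20);
    central.writeUInt32LE(data.length, 24);
    central.writeUInt16LE(nameBuf.length, 28);
    central.writeUInt32LE(offset, 42);        // offset of the local header
    parts.push(local, nameBuf, data);
    centrals.push(central, nameBuf);
    offset += 30 + nameBuf.length + data.length;
  }
  const cd = Buffer.concat(centrals);
  const eocd = Buffer.alloc(22);
  eocd.writeUInt32LE(EOCD_SIG, 0);
  eocd.writeUInt16LE(entries.length, 8);     // entries on this disk
  eocd.writeUInt16LE(entries.length, 10);    // total entries
  eocd.writeUInt32LE(cd.length, 12);         // central directory size
  eocd.writeUInt32LE(offset, 16);            // central directory offset
  return Buffer.concat([...parts, cd, eocd]);
}

// Walk the central directory and return every entry name that occurs more than once.
function duplicateEntryNames(zip) {
  // Scan backwards for the end-of-central-directory record so that a trailing
  // archive comment does not defeat the lookup.
  let eocd = -1;
  for (let i = zip.length - 22; i >= 0; i--) {
    if (zip.readUInt32LE(i) === EOCD_SIG) { eocd = i; break; }
  }
  if (eocd < 0) throw new Error("not a ZIP: no end-of-central-directory record");
  const count = zip.readUInt16LE(eocd + 10);
  let pos = zip.readUInt32LE(eocd + 16);
  const seen = new Map();
  for (let n = 0; n < count; n++) {
    if (zip.readUInt32LE(pos) !== CENTRAL_SIG) throw new Error("corrupt central directory");
    const nameLen = zip.readUInt16LE(pos + 28);
    const extraLen = zip.readUInt16LE(pos + 30);
    const commentLen = zip.readUInt16LE(pos + 32);
    const name = zip.toString("utf8", pos + 46, pos + 46 + nameLen);
    seen.set(name, (seen.get(name) || 0) + 1);
    pos += 46 + nameLen + extraLen + commentLen;
  }
  return [...seen].filter(([, c]) => c > 1).map(([name]) => name);
}

// Constructed samples: a clean APK-like archive and one with a second classes.dex.
const benignApk = buildZip([["AndroidManifest.xml", "<manifest/>"], ["classes.dex", "dex\n035 original"]]);
const tamperedApk = buildZip([
  ["AndroidManifest.xml", "<manifest/>"],
  ["classes.dex", "dex\n035 original"],
  ["classes.dex", "dex\n035 attacker"],
]);
console.log(duplicateEntryNames(benignApk));   // []
console.log(duplicateEntryNames(tamperedApk)); // [ 'classes.dex' ]
```

    An archive that fails this check should be rejected outright rather than installed, regardless of which copy a given parser happens to prefer; that is also the behaviour of the patched Android package verifier.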

    Looking forward to 2014

    These developments will continue into 2014 and make the mobile threat landscape more closely resemble the PC landscape, which is already well-developed and sophisticated. Mobile threats will continue to grow in number and become, in effect, “mass-produced”. In addition, we expect to see more obfuscated and native code in an attempt to evade detection by anti-malware solutions.

    Our complete look back at the 2013 mobile threat landscape, and our view of what 2014 may turn out to be, can be found in our latest Monthly Mobile Report, titled Beyond Apps.

    Posted in Malware, Mobile



    The presence of a security product is normally seen as a deterrent or challenge for cybercriminals. However, that is not the case with this banking Trojan, specifically, a BANLOAD (also known as BANKER or BANBRA) variant. This malware actually limits its range of victims to online banking clients of Banco do Brasil. It does so by checking for the presence of a specific security product before it executes its malicious routines.

    Infection Through Security 

    BANLOAD variants often use several techniques that allow them to avoid detection and spread within Latin America, specifically Brazil:

    • Deletion of anti-fraud software like the G-buster Plugin (GbPlugin) and anti-virus products
    • Limiting targets to systems with Portuguese (the official language of Brazil) as the default system language
    • Disguising itself as anti-fraud software, specifically GbPlugin

    Most Brazilian banks encourage their online banking customers to install the G-buster Plugin onto their computers. G-buster Plugin prevents malicious code from running during a banking session.

    Typically, banking malware will attempt to disable or delete this plugin. However, this new BANLOAD malware, detected as TROJ_BANLOAD.GB, actually checks for this plugin before performing any routines. It goes so far as to check that the installed version of GbPlugin is meant to protect Banco do Brasil customers.

    This variant uses the plugin as an indicator that the targeted system is being used for online banking. If a system does not have the plugin installed, it will simply delete itself, leaving no trace of infection. In this particular case, GbPlugin does not stop the malware from downloading and executing malicious files; the downloaded malware is detected as TSPY_BANKER.GB, which attempts to steal information from customers of certain banks and financial institutions.

    The Brazilian and Latin American Connection

    Online banking Trojans like BANLOAD and BANCOS have been hitting Latin American users for more than a decade. One major reason behind the presence of banking Trojans in the region is that online banking is quite popular there. Physical constraints, such as a shortage of brick-and-mortar branches, have contributed to the adoption of online banking.

    Brazil has been at the forefront of online banking in the region. While the country may enjoy advanced online banking systems, that doesn’t necessarily mean it is technologically prepared for them. A recent report shows that the country suffers heavily from DOWNAD, a malware family associated with unpatched systems and pirated software. This suggests a user base that may not be as vigilant about computer security as it should be: perfect victims for cybercriminals.

    We’ve noticed several improvements in banking Trojans, such as testing for the PC’s system language, and in the associated phishing sites, which use IP address and browser user-agent tests. These are used to check whether the affected computer is in Brazil.

    If these tests determine that the user may not be from Brazil, the phishing site may instead redirect the user to the legitimate banking site. Banking Trojans also use proxy auto-config (PAC) scripts and phishing pages to filter out their intended victims: only traffic to the targeted banks is diverted, while everything else is left untouched, so the compromise stays invisible to anyone who is not a customer.

    Trend Micro protects users by detecting all threats related to this attack.

    With additional insights from Fernando Merces

    Posted in Malware



    The first Patch Tuesday of the year is relatively light, with Microsoft rolling out only four bulletins for the month. Despite the small figure, users must update their systems immediately to avoid possible threats leveraging software vulnerabilities.

    Included in this month’s release are updates for three privately reported vulnerabilities found in Microsoft Office. If exploited, these vulnerabilities could allow an attacker to gain the same user rights as the current user. Such access could prove damaging, especially to those with administrative user rights.

    This month’s release also addresses two vulnerabilities that deal with elevation of privilege. The last bulletin addresses an issue affecting Microsoft Dynamics AX that can allow denial of service if the vulnerability is exploited.

    January 2014 marks one of the last months that Windows XP will receive patches. As previously reported, Microsoft is ending its support of this particular OS in April 2014, only a few months away. Users and enterprises should seriously consider migrating to later versions of Windows to continue receiving patches for vulnerabilities.

    Two other tech companies have also released patches and updates. Oracle has rolled out a Critical Patch Update containing 144 new vulnerability fixes for multiple products. Adobe, meanwhile, released fixes for Adobe Flash Player, Adobe Reader, and Adobe Acrobat.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page.

    Posted in Vulnerabilities



    Over the holidays, it was reported that malicious ads had appeared on various Yahoo sites and affected users in Europe. Two claims about this attack have been made: first, that it affected “millions” of users, and secondly, that it was used to plant Bitcoin miners on affected computers. Some of these claims may be a bit overstated, and the coverage may not have been able to give a more complete picture of the threat.

    We can’t say for certain just how many users were exposed to this attack. However, it’s worth noting that users with up-to-date versions of Java would have been protected. We identified two Java vulnerabilities, CVE-2012-0507 and CVE-2012-4681, that were used in this attack to plant various malicious payloads on user systems. (It is believed that these vulnerabilities were delivered by the Magnitude Exploit Kit, one of the successors to the infamous Blackhole Exploit Kit.) Both of these vulnerabilities had been patched for a fairly long time: the first was patched in February 2012, the other in August 2012.

    Similarly, while Bitcoin miners may have been part of the potential payloads, it was far from the only one. We identified multiple malware threats as payloads. These included DORKBOT and GAMARUE variants, as well as TROJ_OBVOD.AY, which is used in click fraud schemes. The payloads that were delivered to users were quite diverse.

    Aside from keeping their software patched, well-designed security products can help keep users safe. For example, the browser exploit prevention technology that is part of our existing products is able to protect users against this particular attack. This technology analyzes scripts and other web objects that run in the browser and uses heuristic analysis to determine whether they are malicious. This protects users even if the updated software is not present on a user’s system. It is not a replacement for keeping software up to date, but well-thought-out endpoint security is very useful in increasing the available “defense in depth” for users.

    While the infection vector may have been out of the ordinary, the attack itself was not. Basic good computing practices, such as keeping software updated and using a well-built security product, would have reduced the risk for end users tremendously. It’s an excellent reminder for users to practice safe computing.

    With additional analysis from Kai Yu.




    Last December, I spoke at a cybersecurity summit sponsored by the International Telecommunications Union (ITU) in Baku, Azerbaijan. I was there to discuss one thing that Trend Micro will focus on in 2014 and beyond: how we can work together with law enforcement to stop cybercrime.

    One may ask, why do law enforcement and the security community need to work together to stop cybercrime? It’s because neither group, working alone, can protect users and stop cybercrime.

    For various reasons, police agencies don’t always deal well with cybercrime. For one, the scale of cybercrime is larger than physical crime. A gang of pickpockets stealing wallets can only target so many people in a day; a cybercriminal can victimize thousands of users in a matter of seconds.

    In addition, many police agencies don’t have the skills to effectively track down and investigate cybercrime. Tracking down cybercriminals requires a very different skill set from traditional policing, which limits the abilities of law enforcement to go after cybercriminals. It also takes resources and trained personnel, which are, in many cases, in very short supply.

    Trend Micro has spent considerable energy in building excellent working ties with law enforcement agencies such as Interpol. This allows us to work in direct partnership with these agencies and become a key part of investigations. Our role in these investigations is beyond just passively handing over information to police; instead we work actively with investigators to figure out what information they need as part of their investigation.

    In some ways, it’s as if our researchers have been deputized to work side by side with police. The investigations are no longer the responsibility of police alone; combating cybercrime effectively requires private industry and police to work side by side. For that to happen, there has to be a large amount of trust between us and the agencies, and I am proud to say that in many cases we have built up that trust and effectively conduct investigations together.

    Both our researchers and police have to be on the same page when it comes to the objective. Our goal is the same: to put cybercriminals behind bars. We do not focus on “technical” solutions such as shutting down servers, or taking down botnets, or seizing domains. One might even argue this is counterproductive in the long term, as it means that cybercriminals will be pushed to use more sophisticated tactics and more concealed infrastructure, making investigations more difficult. This is something we noted in our 2014 predictions.

    We believe that in order to fully protect our customers, efforts have to be focused on arresting cybercriminals. Taking down their infrastructure is, at best, a short-term solution: cybercriminals can easily rebuild their infrastructure and recover from any “takedown” relatively easily. To really stop cybercrime, the “threat actors” – cybercriminals – have to be the ultimate target.

    This is not always an activity which makes the headlines or spawns press releases. However, we do believe that moving forward, this is the best way to protect our customers and the Internet as a whole.

    Posted in Malware



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice