    Archive for January, 2014

    In early December last year, Microsoft, in cooperation with certain law enforcement agencies, announced its takedown of the ZeroAccess operations. Unexpectedly, the takedown also affected another well-known botnet, TDSS.

    TDSS and ZeroAccess

    ZeroAccess is one of the most notable botnets in the world, with its malware known for its rootkit capability. This malware is typically downloaded from peer-to-peer (P2P) networks disguised as pirated movie titles. TDSS is likewise known for its rootkit technology, which it uses to evade detection, and is noted for distributing other malware such as FAKEAV and DNS changers. Both botnets are involved in click fraud operations.

    In our previous blog entry, we mentioned how certain ZeroAccess variants redirect to URLs associated with TDSS, suggesting that the two botnets share portions of their command-and-control (C&C) infrastructure. As we monitored the connection between the two botnets, we found that the number of ZeroAccess infections and communications among our customers dropped significantly the day after the takedown. Among the systems with ZeroAccess infections, only 2.8% attempted (and failed) to communicate with the botnet's C&C servers.

    Figure 1. ZeroAccess activity from Nov. – Dec. 2013

    During the same period, we observed that the click fraud operations of TDSS were noticeably affected. The number of TDSS communications related to click fraud dropped days after December 5, the date when Microsoft announced their takedown of the ZeroAccess botnet. These activities, however, suddenly picked up before the year ended, suggesting that the click fraud side of TDSS is still active and the takedown’s impact may be temporary.

    Figure 2. TDSS click fraud activity from Nov. – Dec. 2013

    However, the number of TDSS infections and communications was not impacted by the takedown, which indicates that only its click fraud side was affected.

    Figure 3. TDSS activity from Nov. – Dec. 2013

    The Botnet Connection

    This significant decrease in TDSS click fraud operations is tied to its connection with ZeroAccess's own click fraud. As we noted in our previous research, since both botnets perform click fraud, they may have exchanged URL lists with each other to generate more money. Evidence of this arrangement between the two botnets can be seen in the redirection URLs used by ZeroAccess.

    We noticed that, when initiating click fraud, several ZeroAccess variants redirect to URLs related to TDSS. These redirections in turn increase the number of clicks gathered by TDSS, creating more profit for its perpetrators. We also noticed that some TDSS malware, in particular the DGAv14 versions, uses the old ZeroAccess domain generation algorithm (DGA) module, while new ZeroAccess variants have adopted DGAv14 features.

    Though the ZeroAccess takedown disrupted TDSS's money-making schemes, TDSS infections and communications remained business as usual, which suggests that the TDSS botnet is also profiting from its ties to other botnets.

    Trend Micro users are protected from this threat: both TDSS and ZeroAccess variants are detected, and access to the related URLs is blocked. As an added precaution, we advise users to refrain from downloading files from unverified sites and peer-to-peer (P2P) networks, which are known sources of ZeroAccess variants.

    Posted in Malware | ZeroAccess Takedown and the TDSS Aftermath

    Reports have surfaced that ZeuS/ZBOT, the notorious online banking malware, is now targeting 64-bit systems. During our own investigation, we confirmed that several 32-bit ZBOT samples (detected as TSPY_ZBOT.AAMV) do carry an embedded 64-bit version (detected as TSPY64_ZBOT.AANP). Our investigation also led us to confirm other noteworthy routines of the malware, including its antimalware evasion techniques.

    Below is a screenshot of the extracted code of TSPY_ZBOT.AAMV, which embeds the 64-bit ZBOT:

    Figure 1. Screenshot of 32-bit ZBOT

    Going through the code, the 64-bit version can be seen as a part of the text section (executable code) of the malware.

    Figure 2. Screenshot of injected 64-bit ZBOT

    Like any ZBOT variant, TSPY_ZBOT.AAMV injects its code into the normal process explorer.exe. If that process is 64-bit (as it is on a 64-bit Windows installation), the malware injects the embedded 64-bit version; otherwise it continues to execute the 32-bit version.

    The other notable feature of this ZBOT variant is its Tor component, which hides the malware's communication with its command-and-control (C&C) servers. This component is embedded at the bottom of the injected code, after the 32-bit and 64-bit versions. To start it, the malware creates a suspended svchost.exe process, injects the Tor component's code into it and then resumes the process, so that Tor runs masked as a legitimate system process. It is launched with the following parameters:

    "%System%\svchost.exe" --HiddenServiceDir "%APPDATA%\tor\hidden_service" --HiddenServicePort "1080 {random port 1}" --HiddenServicePort "5900 {random port 2}"

    These parameters configure the Tor client as a hidden service. HiddenServiceDir names the directory where Tor keeps the service's private_key and hostname files (the latter holding its .onion address), and each HiddenServicePort entry maps a virtual port on the hidden service to a target port on the infected machine; in Tor's syntax a bare target port means 127.0.0.1. TSPY_ZBOT.AAMV then reports this configuration to its C&C server, which relays it to the remote malicious user. Connections arriving at ports 1080 and 5900 of the hidden service are thus forwarded to the randomly generated local ports, which the remote user can now reach over Tor.

    The Tor component therefore acts as a server through which the malicious remote user accesses the infected system. This ZBOT variant contains Virtual Network Computing (VNC) functionality, which the remote user can use to execute whatever commands they wish. This functionality in certain ZBOT variants was reported as early as 2010; it effectively gives the malware a remote-control capability, similar to how a backdoor controls an infected system.
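    The svchost.exe abuse described above is detectable from process-creation telemetry alone. The following Python is an added example, not code from the original post or from Trend Micro: it flags an svchost.exe launched with Tor hidden-service options instead of its usual "-k <group>" arguments, or started by something other than services.exe, and it parses the HiddenServicePort values so an analyst can see which onion ports map to which local ports. The event field names, the legitimate-svchost pattern and the sample events are assumptions made for this example; the events are constructed, not real telemetry.

```python
"""Flag process-creation events matching the svchost.exe/Tor hidden-service abuse
described in the post.  Sample events are constructed (not real telemetry)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Tor options that define an onion (hidden) service.  The real svchost.exe has no
# use for them, so their presence on its command line is a strong indicator of an
# injected Tor client.
TOR_HS_OPTIONS = {"hiddenservicedir", "hiddenserviceport"}

# Assumed shape of a legitimate svchost.exe command line: "-k <group>", optionally
# followed by the "-p" and "-s <service>" switches seen on newer Windows versions.
SVCHOST_LEGIT = re.compile(
    r'^"?[^"]*\\svchost\.exe"?\s+-k\s+\S+(?:\s+-p|\s+-s\s+\S+)*\s*$', re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # command line as recorded by an EDR/Sysmon-style sensor
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    pid: int
    reasons: List[str]
    hidden_service_dir: Optional[str] = None
    # virtual port on the .onion address -> local target ("port" or "addr:port")
    port_map: Dict[int, str] = field(default_factory=dict)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_hidden_service(cmdline: str) -> Tuple[Optional[str], Dict[int, str]]:
    """Extract HiddenServiceDir / HiddenServicePort values from a command line.
    Tor's HiddenServicePort value is "VIRTPORT TARGET": connections to VIRTPORT on
    the onion address are forwarded to TARGET (a bare port means 127.0.0.1)."""
    toks = tokenize(cmdline)
    hs_dir, port_map = None, {}
    for i, tok in enumerate(toks):
        name = tok.lstrip("-").lower()
        if name not in TOR_HS_OPTIONS or i + 1 >= len(toks):
            continue
        value = toks[i + 1]
        if name == "hiddenservicedir":
            hs_dir = value
        else:
            parts = value.split()
            if parts and parts[0].isdigit():
                port_map[int(parts[0])] = parts[1] if len(parts) > 1 else parts[0]
    return hs_dir, port_map


def analyze(ev: ProcEvent) -> Optional[Finding]:
    """Return a Finding for a suspicious event, or None for a benign one."""
    reasons = []
    hs_dir, port_map = parse_hidden_service(ev.cmdline)
    if hs_dir is not None or port_map:
        reasons.append("Tor hidden-service options on command line")
    if ev.image.lower().endswith("\\svchost.exe"):
        if not SVCHOST_LEGIT.match(ev.cmdline):
            reasons.append("svchost.exe arguments do not match '-k <group>' form")
        if not ev.parent_image.lower().endswith("\\services.exe"):
            reasons.append("svchost.exe not started by services.exe")
    return Finding(ev.pid, reasons, hs_dir, port_map) if reasons else None


def scan(events: List[ProcEvent]) -> List[Finding]:
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample events: one benign svchost, the injected Tor client with the
# post's parameters (%APPDATA% expanded, random ports chosen here), and an svchost
# with benign-looking arguments but the wrong parent.
SAMPLE_EVENTS = [
    ProcEvent(1020, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(2212, r"C:\Windows\System32\svchost.exe",
              r'"C:\Windows\System32\svchost.exe" --HiddenServiceDir '
              r'"C:\Users\victim\AppData\Roaming\tor\hidden_service" '
              r'--HiddenServicePort "1080 49152" --HiddenServicePort "5900 49153"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(3301, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k LocalService",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.pid, "; ".join(f.reasons), f.hidden_service_dir, f.port_map)
```

    The parent check catches the injected copy even if a later variant drops the telltale command-line options, since svchost.exe created by an infected explorer.exe rather than by services.exe is anomalous on its own.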

    64-bit ZBOT Levels Up Antimalware Evasion Tricks

    Aside from these functionalities, we found new routines added to this ZBOT. One is the execution prevention of certain analysis tools such as OllyDbg, WinHex, StudPE, and ProcDump among others.

    Another noteworthy addition is this ZBOT's user mode rootkit capability, which hides the malware's processes, files, and registry entries.

    The said variant also hides its dropped files and autostart registry. As the images below show, the malware’s created folders can be seen using the dir command in CMD, but are hidden when browsed via File Explorer.

    Figure 3. ZBOT hidden folders visible in CMD using dir command

    Figure 4. ZBOT files hidden in File Explorer

    The autostart registry entries, folders and files created by TSPY_ZBOT.AAMV can be viewed by restarting in Safe Mode. Because the malware has only a user mode rootkit, which hides malware-related files and processes from other user mode programs rather than hooking the kernel as a kernel mode rootkit does, users can delete these while in Safe Mode.

    A 64-bit version of ZeuS/ZBOT is an expected progression for the malware, especially after the ZeuS source code was leaked back in 2011. Since then, we have seen several reincarnations of the malware, most notably in the form of KINS, and its involvement with other malware such as Cryptolocker and UPATRE. The addition of other functionalities such as rootkit capability and a Tor component is further evidence that we will see more modifications in the future, particularly ones that help circumvent or delay antimalware efforts.

    Trend Micro protects users from this threat by detecting ZBOT variants found on a system. It also blocks access to the malware's known C&C sites.

    Additional information about Tor may be found in the paper “Deepweb and Cybercrime: It’s Not All About TOR.”

    Posted in Malware | 64-bit ZBOT Leverages Tor, Improves Evasion Techniques

    2013 was a year of change in the spam landscape.

    The volume of spam increased from 2012. We witnessed the decline of a previously successful exploit kit. The old became new again, thanks to different techniques used by spammers. While we still saw traditional types of spam, we also saw several "improvements" that allowed spammers to avoid detection and victimize more users. Spam was also used more heavily to carry malware over the course of the year.

    Figure 1. Spam volume from 2008

    The Slow Death of the Blackhole Exploit Kit

    The Blackhole Exploit Kit (BHEK) is a notorious exploit kit that was widely used in numerous spam campaigns.  This exploit kit was highly adaptive, incorporating vulnerabilities, current “hot topics,” and even social networks into several campaigns.

    In 2013, we saw 198 BHEK spam campaigns, a smaller number compared to the previous year. The volume may have lessened but this didn’t make such campaigns less effective. For example, we saw spammed messages just hours after the official announcement of the birth of the “Royal Baby.”  In this particular spam run, the volume of spammed messages reached up to 0.8% of all spam messages collected during the time period.

    Figure 2. Number of BHEK campaigns from March 2012 to December 2013

    The end of the third quarter was marked by the arrest of Paunch, the person believed to be the creator of BHEK. In the two weeks after his arrest, we found no significant BHEK spam runs. The number of BHEK spam runs dwindled until there were none in December.

    Health Spam Spikes

    Entering the third quarter, we noticed an increase in the amount of health-related spam. At one point, this type of spam constituted 30% of all spam we saw, with over two million samples spotted daily. The content of these messages ran the gamut from weight loss tips to pharmaceutical products.

    What’s notable about this particular spam run is that these messages have evolved from using traditional “direct” approaches (with an image of the product and call-to-action to buy) to more “subtle” methods. Health spam now uses a newsletter template to peddle products. The purpose of the newsletter template may be two-fold: to avoid detection by anti-spam filters and to appear more legitimate to users. Several messages even claimed to be from reputable news sources such as CBS, CNBC, CNN, the New York Times, and USA Today.

    Figure 3. Sample health-related spam

    These messages were sent from computers in various countries, including India (10%), Spain (8%), Italy (7%) and the United States (6%).

    The spike wasn't the only notable health spam we saw this year. We also saw several spammed messages that leveraged the controversial Affordable Care Act, or Obamacare, even before it was officially launched. Users who clicked the links in these messages were led to survey scam sites.

    The Change in Malware Attachments

    Aside from advertising and selling pharmaceutical products, spam is also used to distribute malware. Even though there may be more complex ways of infecting systems, the use of malware attachments remains constant in the threat landscape. This suggests that there are users who still fall prey to simple techniques (such as urging users to click on an attachment). We noticed that the number of spam with malicious attachments fluctuated throughout the year, before it steadily increased in the latter months.

    Figure 4. Volume of spam messages with malicious attachments

    From the first to third quarter of the year, ZBOT/ZeuS was the top malware family distributed by spam. This family is known for stealing financial-related information. Halfway into the third quarter, however, we noticed that TROJ_UPATRE unseated ZBOT and became the top malware attachment. In November, about 45% of all malicious spam with attachments contained UPATRE malware.

    UPATRE became notorious for downloading other malware, including ZBOT malware and ransomware, particularly CryptoLocker. This type of attack is doubly risky for users because not only will their information be stolen, their files will also become inaccessible.

    Spam, 2014 and Beyond

    We anticipate that the 2013 spam landscape will set a precedent for the threats we’ll see in the upcoming year:

    • Spammers will blend old spam techniques in order to avoid detection and successfully victimize users.
    • Spam will still be used to spread malware.
    • Social networking spam will experience a drastic increase in terms of spam volume.

    You may read our upcoming annual year-end report for more information and insights about spam and other elements of the threat landscape in 2013.

    Posted in Exploits, Malware, Spam | A Year of Spam: The Notable Trends of 2013

    In late November, Microsoft revealed that a zero-day vulnerability was in use in targeted attacks against Windows XP and Server 2003 systems. The exploit samples we examined carry a backdoor payload that uses sophisticated anti-analysis techniques.

    Further research into this earlier attack, discussed in our previous blog posts, has revealed that the exploit was deployed via email to at least 28 embassies in a Middle Eastern capital. The malicious payload arrived as an attachment to a blank email sent to the target embassies. The subject line of the email and the name of the attachment referred to the ongoing conflict in Syria, to induce recipients to open the email.

    Apart from the targeting and the anti-analysis techniques, there does not appear to be other particularly unusual or unique behaviors in this attack. The anti-analysis techniques in the backdoor (detected as BKDR_TAVDIG.GUD) were designed to hide from or freeze debuggers, making analysis and attribution more difficult.

    Whoever was responsible for this attack had the means, motivation and opportunity to carry out a targeted attack across multiple targets. This suggests a level of organization and available resources beyond ordinary cybercriminals. Beyond that, we are unable to draw any other conclusions. We do not know if the embassies were indeed affected by the malware mentioned or if there are other sets of targets, only that the samples received strongly suggest that the embassies were the intended recipients.

    As part of our 2014 predictions, we mentioned that obsolescent and unpatched operating systems and applications may cause issues in the coming year. This incident highlights that problem, particularly if used in targeted attacks. Similarly, zero-days are frequently first used in targeted attacks; earlier this year another Internet Explorer zero-day was first used in targeted attacks. Malicious attachments are a favored infection vector for targeted attacks; the same technique was used to target Asia-Pacific governments and G20 meeting attendees earlier this year.

    It is also important to remember that all is not lost when it comes to defending against targeted attacks. In his paper Suggestions to Help Companies with the Fight Against Targeted Attacks, Trend Micro researcher Jim Gogolinski stated that there is much that can be done to defend a company against targeted attacks. Trend Micro also participated in the development of the guide System Design Guide for Thwarting Targeted Email Attacks along with  Japan’s Information Technology Promotion Agency (IPA), which provides in-depth strategy for helping deal with email attacks.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    Posted in Targeted Attacks, Vulnerabilities | Recent Windows Zero-Day Targeted Embassies, Used Syria-related Email

    The "Internet of Everything" (also known as the Internet of Things) became one of the biggest technology buzzwords of 2013, as can easily be seen in Google Trends. The term refers to the increased digitisation of everyday objects: any new technology device is now designed with connectivity in mind, whether that device is a smart TV or a smart toaster. With more and more devices coming online, securing them becomes one of the next big security challenges.

    Gamers and Augmented Reality

    2014 already has a glittering array of interesting technologies lined up for launch. Gamers have a lot to look forward to: not only has the latest console war started, but Valve will also bring Linux gaming to the fore with the Steam Machine, and the Oculus Rift may revolutionize interactive gaming. Gaming has already been a lucrative target for criminals, with gaming accounts regularly traded in criminal forums. If the Steam Machine proves popular, a rise in Linux malware may be on the cards.

    2014 could also be the year that augmented reality (AR) starts to become more common in everyday life. There are already many AR apps that you can play with on your smartphone; however, a phone is not well suited for AR. You need to take it out of your pocket, unlock it, open an app and aim it at the object you are interested in, and even after all that you are working with a relatively small 4- or 5-inch screen.

    AR works best with full immersion, and that is where wearable technology like Google Glass and SpaceGlasses comes in. There are many interesting technical and even psychological attacks that can be carried out against such devices. For example, owners of these devices are (almost literally) walking around with a camera attached to their head. It is not a major leap for a criminal specializing in banking malware to realize that this is an excellent way to capture banking PINs and passwords.

    SCADA under fire

    Since the discovery of Stuxnet the ICS/SCADA community has come under intense scrutiny from the security industry. Most security conferences now feature at least one talk on SCADA security. Trend Micro’s Forward Looking Threat Research team released a series of papers on the topic in 2013 and proved that SCADA attacks are not just theoretical, but are taking place in reality.

    In 2014 this will certainly continue, especially in targeted attacks or cases of blackmail and extortion. A new area is really starting to heat up for security researchers and attackers alike – the whole area of radio-based communications. Because radio uses no wires and is sent “magically” through the air, many people assume (wrongly) that it is secure.

    This year, Trend Micro showed that the AIS standard used for ship tracking has many issues, and other researchers showed similar issues with ADS-B (which is used in aviation). We expect to see more such research released in 2014. More technologies that were never designed with security in mind, or to be remotely accessible, are suddenly being connected to the Internet, leaving their security holes exposed for everyone to see.

    No “killer app”

    With all of these interesting and emerging technologies on the horizon, will attacks on the Internet of Everything become a major issue in 2014? No, we don't think so. While we certainly think that attacks on IoT devices and the underlying architecture will be a major area of attack in the future, that future will not arrive until 2015 and beyond.

    As discussed further in our 2014 security predictions, what is missing right now is the “killer app” that will drive mainstream adoption of IoT. There are many innovative devices, but no massive breakthroughs. Google Glass (or something like it) may be the closest to finding its “killer app”, but even then it will take time to become fully mainstream. It’s only at that point – when there’s a critical mass of users that can be targeted – that it makes sense for criminals to go after it.

    Once such a device does reach mass appeal, however, the cybercriminals of this world will not be slow to act.

    Posted in Exploits, Internet of Things, Malware, Mobile | Is the Internet of Everything Under Attack?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice