    Archive for March 25th, 2014




    Microsoft has released a security bulletin announcing a zero-day vulnerability affecting Microsoft Word. Furthermore, the company states that there are “limited, targeted attacks directed at Microsoft Word 2010.” If exploited, this vulnerability (CVE-2014-1761) could allow a remote attacker to execute commands via specially crafted files and email messages.

    Microsoft has also released preliminary details of the vulnerability and the exploit code. The vulnerability is exploited if a user opens an RTF file in Microsoft Word or previews or opens an RTF email message in Microsoft Outlook using Microsoft Word as the email viewer. It should be noted that Microsoft Word is the default email reader for Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.

    Several workarounds were included in Microsoft’s initial bulletin, including disabling the opening of RTF files and forcing Word to always open files of that type in Protected View. A Fix it tool has also been made available to help address the vulnerability while Microsoft works on a permanent solution.

    What’s interesting is that Microsoft Word 2003 is listed among the affected software for this vulnerability—just a couple of weeks before support for Microsoft Office 2003 ends on April 8th. We advise users to upgrade to later versions of the software to continue receiving security updates.

    We are currently looking into this vulnerability and will provide further information as appropriate. Trend Micro Deep Security has released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

    • 1005990 – Microsoft Word RTF Remote Code Execution Vulnerability (CVE-2014-1761)

    Update as of April 4, 2014, 3:08 P.M. PDT

    Exploits related to this vulnerability are detected by Trend Micro as the following:

    • HEUR_RTFEXP.A
    • TROJ_ARTIEF.NSA
    • TROJ_ARTIEF.NSB



    While we encounter a wide variety of threats on a regular basis, sometimes we come across those that are truly unusual. This is one of them: it appears to be a PHP backdoor delivered via spammed emails.

    At first glance, this threat appears to be a fairly typical malicious spam email: it pretends to be a notification from Visa that the user’s card has been suspended.

    Figure 1. Fake email notification

    The body of the email itself appears to be blank. Neither a malicious attachment nor a link to a website can be found here. So what is the threat here?

    Figure 2. Embedded PHP code

    The body of the email is actually not blank; instead it contains PHP code. This particular code is a well-known website backdoor known as c99madshell, which we detect as PHP_C99SHEL.SMC. C99madshell has been around since at least 2008. It allows an attacker who has compromised a website via FTP to control that website through an easy-to-use control panel accessible with any browser, as can be seen below running on a test machine:

    Figure 3. c99madshell control panel

    It should be clear right away that something is very off-base here. The control panel is meant to be accessed by the attacker, not the victim. It would make no sense for the victim to see a backdoor to their own server’s control panel!

    That assumes, of course, that the backdoor would even run. It is theoretically possible, but in practice very difficult. Anyone reading the email in a non-webmail client – such as a desktop email client or a mobile app – would merely see a blank page. Even in webmail, the client would have to be configured to allow arbitrary embedded PHP code to run in the first place, which is extraordinarily dangerous. Finally, the attacker would then be unable to view the page unless he somehow got access to the email inboxes.

    There are several possibilities as to how this happened. One possible attack scenario is that the attacker was going after a webmail provider or email list archive; however in such a case the attacker would not need to send spam messages with this content. In addition, this would require a server set up so insecurely, it would be insane.

    Other possibilities involve mistakes on the part of the attacker: he could have made a mistake in inserting the contents of the email, or it could be an attacker with faulty knowledge of PHP. However, without getting into the mind of the attacker, we cannot be sure.

    Both the email and file components of this attack are detected and blocked by the appropriate Trend Micro solutions.
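    The check a mail gateway or webmail front end could apply to messages like this one, as an added example that is not Trend Micro's code: parse the raw message, decode every text part and flag PHP open tags together with a few c99madshell marker strings. Both messages in the block are constructed samples, and the marker list is an assumption.

```python
"""Flag e-mail messages whose body is embedded PHP source.

Added example, not Trend Micro's code: parse a raw message, walk every text
part and report PHP open tags plus c99madshell marker strings, the check a
mail gateway or webmail front end could run. Samples are constructed.
"""
import email
import re
from email import policy

# "<?php" and "<?=" only: bare "<?" would also flag XML prologs.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)")
# Marker list is an assumption: names commonly present in c99madshell variants.
C99_MARKERS = ("c99madshell", "c99shell", "c99sh_", "$surl")

def find_php_in_message(raw: bytes) -> dict:
    """Return content types of text parts holding PHP, and any c99 markers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts, markers = [], set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # transfer encoding and charset decoded
        if PHP_OPEN_TAG.search(body):
            parts.append(part.get_content_type())
            low = body.lower()
            markers.update(m for m in C99_MARKERS if m in low)
    return {"parts": parts, "markers": sorted(markers)}

def is_suspicious(raw: bytes) -> bool:
    """PHP source inside a text part is never legitimate mail content."""
    return bool(find_php_in_message(raw)["parts"])

# Constructed sample: Visa-themed lure whose "blank" body is PHP source.
SAMPLE_PHP_MAIL = b"""From: "Visa" <no-reply@example.invalid>
Subject: Your card has been suspended
Content-Type: text/html; charset="us-ascii"

<?php
// c99madshell-style stub (constructed, inert)
$surl = "";
?>
"""
# Constructed benign sample; an XML prolog must not trip the check.
SAMPLE_BENIGN_MAIL = b"""Subject: Meeting
Content-Type: text/plain; charset="us-ascii"

See you at 3pm. <?xml version="1.0"?> is not PHP.
"""
```

    A mail client that renders the HTML part shows nothing, which is exactly why the lure looks blank; the gateway still sees the source.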




    Recently, other researchers reported that a new Android malware family (detected as ANDROIDOS_KAGECOIN.HBT) had cryptocurrency mining capabilities. Based on our analysis, we have found that this malware is involved in the mining for various digital currencies, including Bitcoin, Litecoin, and Dogecoin. This has real consequences for users: shorter battery life, increased wear and tear, all of which could lead to a shorter device lifespan.

    The researchers originally found ANDROIDOS_KAGECOIN as repacked copies of popular apps such as Football Manager Handheld and TuneIn Radio. The apps were injected with the CPU mining code from a legitimate Android cryptocurrency mining app; this code is based on the well-known cpuminer software.

    To hide the malicious code, the cybercriminal modified the Google Mobile Ads portion of the app, as seen below:

    Figure 1. The modified Google Mobile Ads code

    The miner is started as a background service once it detects that the affected device is connected to the Internet. By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous Dogecoin mining pool.

    By February 17, this network of mobile miners had earned the cybercriminal thousands of Dogecoins. After February 17, the cybercriminal changed mining pools. The malware is configured to download a file containing the information needed to update the miner’s configuration. This configuration file was updated, and the miner now connects to the well-known WafflePool mining pool. The Bitcoins mined have been paid out (i.e., transferred to the cybercriminal’s wallet) several times.

    Figure 2. Coin pool configuration code

    The coin-mining apps discussed above were found outside of the Google Play store, but we have found the same behavior in apps inside the Google Play store. These apps have been downloaded by millions of users, which means that there may be many Android devices out there being used to mine cryptocurrency for cybercriminals. We detect this new malware family as ANDROIDOS_KAGECOIN.HBTB. (As of this writing, these apps are still available.)

    Figure 3. Mining Apps in Google Play

    Figure 4. Download count of mining apps

    Analyzing the code of these apps reveals the cryptocurrency mining code inside. Unlike the other malicious apps, in these cases mining only occurs while the device is charging, so the increased energy usage is less likely to be noticed.

    Figure 5. Cryptocurrency mining code

    The same miner configuration updating logic is also present here. Analyzing the configuration file, it seems that the cybercriminal responsible is switching to mining Litecoins.

    Figure 6. Configuration file, showing switch into LiteCoin mining

    We believe that, with thousands of affected devices, the cybercriminal accumulated a great deal of Dogecoins.

    Even after reading the app descriptions and the terms and conditions on these apps’ websites, users may not realize that their devices could be used for mining, because of the murky language and vague terminology.

    Clever as the attack is, whoever carried it out may not have thought things through. Phones do not have sufficient performance to serve as effective miners. Users will also quickly notice the odd behavior of the miners – slow charging and excessively hot phones will all be seen, making the miner’s presence not particularly stealthy. Yes, they can gain money this way, but at a glacial pace.

    Users with phones and tablets that are suddenly charging slowly, running hot, or quickly running out of batteries may want to consider if they have been exposed to this or similar threats. Also, just because an app has been downloaded from an app store – even Google Play – does not mean it is safe.

    We have informed the Google Play security team about this issue.
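    An analyst triaging an app for the embedded cpuminer and pool configuration described in this post could start from its string constants, as in this added example (not Trend Micro's code). It assumes the strings have already been extracted from the unpacked app; the pool host, wallet value and sample strings are constructed placeholders.

```python
"""Triage string constants from an unpacked Android app for mining indicators.

Added example, not Trend Micro's code. Input is a list of strings (pulled, for
instance, from decompiled classes or bundled assets); output lists pool URLs,
cpuminer-style command lines and JSON configs. Samples are constructed.
"""
import json
import re

# stratum URLs are a strong signal; http(s) URLs count only beside a mining keyword.
POOL_URL = re.compile(r"\b(stratum\+tcp|https?)://[\w.-]+(?::\d{1,5})?(?:/[\w./-]*)?", re.I)
MINING_HINTS = re.compile(r"\b(stratum|scrypt|sha256d|getwork|minerd|cpuminer)\b", re.I)
# Option names cpuminer (minerd) takes on its command line.
CPUMINER_FLAGS = {"-o", "--url", "-u", "--user", "-p", "--pass", "-a", "--algo"}
# Keys of a cpuminer JSON configuration file (the kind the malware downloads).
CPUMINER_CONFIG_KEYS = {"url", "user", "pass", "algo", "threads"}

def find_miner_indicators(strings):
    """Return a dict of mining indicators found in the given strings."""
    pool_urls, hints, args, configs = set(), set(), [], 0
    for s in strings:
        hint_hits = [h.lower() for h in MINING_HINTS.findall(s)]
        hints.update(hint_hits)
        for m in POOL_URL.finditer(s):
            if m.group(1).lower() == "stratum+tcp" or hint_hits:
                pool_urls.add(m.group(0))
        if CPUMINER_FLAGS & set(s.split()):
            args.append(s)
        try:
            obj = json.loads(s)
        except ValueError:
            continue
        if isinstance(obj, dict) and len(CPUMINER_CONFIG_KEYS & set(obj)) >= 3:
            configs += 1
    return {"pool_urls": sorted(pool_urls), "hints": sorted(hints),
            "cpuminer_args": args, "config_blobs": configs}

def is_likely_miner(found):
    """Pool endpoint plus a command line or config is a confident verdict."""
    return bool(found["pool_urls"] and (found["cpuminer_args"] or found["config_blobs"]))

# Constructed sample strings: ad-SDK class name, embedded minerd command line,
# downloaded pool config and a config-update URL with no mining keyword.
SAMPLE_STRINGS = [
    "com.google.android.gms.ads.AdRequest",
    "minerd -a scrypt -o stratum+tcp://pool.example.invalid:3333 -u DPLACEHOLDERWALLET -p x",
    '{"url": "stratum+tcp://pool.example.invalid:3333", "user": "DPLACEHOLDERWALLET", "pass": "x", "algo": "scrypt", "threads": 2}',
    "http://update.example.invalid/miner.conf",
]
```

    The plain http URL of the configuration download is deliberately not reported as a pool on its own; only a stratum endpoint or a mining keyword in the same string promotes it.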




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice