    Archive for March, 2014

    While we encounter a wide variety of threats on a regular basis, sometimes we come across those that are truly unusual. This is one of them: it appears to be a PHP backdoor delivered via spammed emails.

    At first glance, this threat appears to be a fairly typical malicious spam email: it pretends to be a notification from Visa that the user’s card has been suspended.

    Figure 1. Fake email notification

    The body of the email itself appears to be blank. Neither a malicious attachment nor a link to a website can be found here. So what is the threat here?

    Figure 2. Embedded PHP code

    The body of the email is actually not blank; instead it contains PHP code. This particular code is actually a well-known website backdoor known as c99madshell, which we detect as PHP_C99SHEL.SMC. C99madshell has been around since at least 2008. It allows an attacker who has compromised a website via FTP to control the said website using an easy-to-use control panel accessible with any browser, as can be seen below running on a test machine:

    Figure 3. c99madshell control panel

    It should be clear right away that something is very off-base here. The control panel is meant to be accessed by the attacker, not the victim. It would make no sense for the victim to see a backdoor to their own server’s control panel!

    That assumes, of course, that the backdoor would even run. It is theoretically possible, but in practice it is very difficult. Anyone reading the email on a non-webmail client – such as a desktop email client, or a mobile app – would merely see the blank page. Even on webmail, the client would have to be configured to execute arbitrary embedded PHP code in the first place, which is extraordinarily dangerous. Finally, the attacker would then be unable to view the page unless he somehow got access to the email inboxes.

    There are several possibilities as to how this happened. One possible attack scenario is that the attacker was going after a webmail provider or email list archive; however in such a case the attacker would not need to send spam messages with this content. In addition, this would require a server set up so insecurely, it would be insane.

    Other possibilities involve mistakes on the part of the attacker: he could have made a mistake in inserting the contents of the email, or it could be an attacker with faulty knowledge of PHP. However, without getting into the mind of the attacker, we cannot be sure.
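    Whatever the attacker intended, a mail gateway can flag this kind of message outright, since PHP code has no business in an email body. The following Python check is an added example, not Trend Micro's detection logic; the sample message is constructed to resemble the spam described above, and the list of web-shell marker strings is an assumption for illustration.

```python
import email
from email import policy
import re

# Constructed sample, modelled on the spam described above; it is not the real message.
SAMPLE_EMAIL = b"""From: "Visa" <noreply@example.invalid>
To: victim@example.invalid
Subject: Your card has been suspended
Content-Type: text/html; charset="us-ascii"

<html><body>
<?php
// constructed stand-in for the c99madshell code seen in the email body
echo "c99madshell";
eval(base64_decode($_POST["cmd"]));
?>
</body></html>
"""

PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Strings that commonly appear in PHP web shells; c99madshell is the family named above.
SHELL_MARKERS = ("c99madshell", "c99shell", "eval(", "base64_decode(", "passthru(", "shell_exec(")


def scan_message(raw: bytes) -> dict:
    """Report text parts whose body carries PHP code and any web-shell markers in them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"php_parts": [], "shell_markers": set()}
    for part in msg.walk():  # a non-multipart message yields itself
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if PHP_OPEN_TAG.search(body):
            findings["php_parts"].append(part.get_content_type())
            lowered = body.lower()
            findings["shell_markers"].update(m for m in SHELL_MARKERS if m in lowered)
    # PHP in a mail body is inert unless something renders or executes it, but it is
    # never legitimate, so the message is flagged whenever a PHP open tag is present.
    findings["suspicious"] = bool(findings["php_parts"])
    return findings
```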

    Both the email and file components of this attack are detected and blocked by the appropriate Trend Micro solutions.

    Posted in Malware, Spam | Comments Off on (Failed) PHP Backdoor Via Spam

    Recently, other researchers reported that a new Android malware family (detected as ANDROIDOS_KAGECOIN.HBT) had cryptocurrency mining capabilities. Based on our analysis, we have found that this malware is involved in the mining for various digital currencies, including Bitcoin, Litecoin, and Dogecoin. This has real consequences for users: shorter battery life, increased wear and tear, all of which could lead to a shorter device lifespan.

    The researchers originally found ANDROIDOS_KAGECOIN as repacked copies of popular apps such as Football Manager Handheld and TuneIn Radio. The apps were injected with the CPU mining code from a legitimate Android cryptocurrency mining app; this code is based on the well-known cpuminer software.

    To hide the malicious code, the cybercriminal modified the Google Mobile Ads portion of the app, as seen below:

    Figure 1. The modified Google Mobile Ads code

    The miner is started as a background service once it detects that the affected device is connected to the Internet. By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous Dogecoin mining pool.

    By February 17, the cybercriminal’s network of mobile miners had earned him thousands of Dogecoins. After February 17, the cybercriminal changed mining pools. The malware is configured to download a file, which contains the information necessary to update the configuration of the miner. This configuration file was updated, and it now connects to the well-known WafflePool mining pool. The Bitcoins mined have been paid out (i.e., transferred to the cybercriminal’s wallet) several times.

    Figure 2. Coin pool configuration code

    The coin-mining apps discussed above were found outside of the Google Play store, but we have found the same behavior in apps inside the Google Play store. These apps have been downloaded by millions of users, which means that there may be many Android devices out there being used to mine cryptocurrency for cybercriminals. We detect this new malware family as ANDROIDOS_KAGECOIN.HBTB. (As of this writing, these apps are still available.)

    Figure 3. Mining Apps in Google Play

    Figure 4. Download count of mining apps

    Analyzing the code of these apps reveals the cryptocurrency mining code inside. Unlike the other malicious apps, in these cases the mining only occurs when the device is charging, as the increased energy usage won’t be noticed as much.

    Figure 5. Cryptocurrency mining code

    The same miner configuration updating logic is also present here. Analyzing the configuration file, it seems that the cybercriminal responsible is switching to mining Litecoins.

    Figure 6. Configuration file, showing switch into LiteCoin mining

    We believe that with thousands of affected devices, the cybercriminal accumulated a great deal of Dogecoins.

    Reading their app description and terms and conditions on the websites of these apps, users may not know that their devices may potentially be used as mining devices due to the murky language and vague terminology.

    Clever as the attack is, whoever carried it out may not have thought things through. Phones do not have sufficient performance to serve as effective miners. Users will also quickly notice the odd behavior of the miners – slow charging and excessively hot phones will all be seen, making the miner’s presence not particularly stealthy. Yes, they can gain money this way, but at a glacial pace.

    Users with phones and tablets that are suddenly charging slowly, running hot, or quickly running out of batteries may want to consider if they have been exposed to this or similar threats. Also, just because an app has been downloaded from an app store – even Google Play – does not mean it is safe.

    We have informed the Google Play security team about this issue.


    CryptoLocker and other such ransomware threats have been a significant problem for some time now, but recently we’ve seen a new addition to the ransomware scene. This new threat, which calls itself BitCrypt, adds a unique angle to ransomware: it steals funds from various cryptocurrency wallets as well.

    We have identified two distinct variants of this threat. The first variant, TROJ_CRIBIT.A, appends “.bitcrypt” to any encrypted files and uses an English-only ransom note. The second variant, TROJ_CRIBIT.B, appends “.bitcrypt 2” and uses a multilingual ransom note, with 10 languages included; these are (in the order they appear in the note):

    • English
    • French
    • German
    • Russian
    • Italian
    • Spanish
    • Portuguese
    • Japanese
    • Chinese
    • Arabic

    The English ransom note reads as follows:


    Your BitCrypt ID: {transaction ID}

    All necessary files on your PC ( photos, documents, data bases and other) were encoded with a unique RSA-1024 key.
    Decoding of your files is only possible by a special programm that is unique for each BitCrypt ID.
    Specialists from computer repair services and anti-virus labs won’t be able to help you.
    In order to receive the program decryptor you need to follow this link {malicious site #1} and read the instructions.

    If current link doesn’t work but you need to restore files please follow the directions:
    1. Try to open link {malicious site #2}. If you failed proceed to step 2.

    2. Download and install tor browser {Tor Project website}

    3. After installation, start tor browser and put in the following address {malicious site #3}

    Remember, the faster you act the more chances to recover your files undamaged.

    The text in other languages is fairly similar, although they appear to have been machine translated. In addition to the above, TROJ_CRIBIT.B changes the wallpaper to a solid black background with white text notifying the user of their current problem.

    Figure 1. Wallpaper

    To make analysis more difficult, this ransomware does not leave a copy of itself in the system, making it hard to acquire a copy in order to study the behavior and identify its infection vector.

    Upon further investigation, we found a variant of the FAREIT information-stealing malware, TSPY_FAREIT.BB, that downloads TROJ_CRIBIT.B. This variant also possesses the capability to steal information from various Bitcoin wallets. It searches for and attempts to extract information from the following files:

    • wallet.dat (Bitcoin)
    • electrum.dat (Electrum)
    • .wallet (MultiBit)

    Like CryptoLocker, users are referred to a professional-looking site in order to unlock their files. The website is actually part of the Deep Web, as it is only accessible if you use Tor; however, the attackers have thoughtfully provided a link to Tor2Web, a service which allows users to visit Deep Web sites without using Tor. Users are asked to enter the BitCrypt ID found in the ransom note.

    Figure 2. BitCrypt ID login

    After logging in, the user is directed to BitCrypt’s homepage (which describes itself as Bitcrypt Software Inc.), which provides the user with instructions on how to recover their data. However, this requires the payment of 0.4 BTC. At current values, this translates to approximately US$240. The cybercriminals even include an FAQ page on their website, as seen below:

    Figure 3. BitCrypt frequently asked questions

    Feedback from the Smart Protection Network indicates that 40% of CRIBIT victims are from the United States, with another 11% from Japan.

    BitCrypt is only the latest in the many Bitcoin-related threats we have seen of late. Even though the value of Bitcoin has declined since its peaks late last year, it is still of large enough values that it is now a valuable target for theft – whether that takes the form of Bitcoin-stealing malware like BitCrypt, or larger attacks which target exchanges like Mt. Gox and Vircurex.


    Note: We have clarified the use of the word “bricking” in this blog post, and added a solution for developers and other power users.

    We recently read about an Android system crash vulnerability affecting Google’s Bouncer™ infrastructure, one that, alarmingly, also affects mobile devices with Android OS versions 4.0 and above. We believe that this vulnerability may be used by cybercriminals to do some substantial damage on Android smartphones and tablets. The device is stuck in an endless reboot loop, or a bootloop. This can render the device unusable, which some may consider “bricking” it.

    How did they do it?

    Our analysis shows that the first crash is caused by memory corruption in WindowManager, the interface that apps use to control the placement and appearance of windows on a given screen. Large amounts of data were entered into the Activity label, which is the equivalent of the window title in Windows.

    If a cybercriminal builds an app containing a hidden Activity with a large label, the user will have no idea whatsoever that this exploit is in fact taking place. Cybercriminals can further conceal the exploit by setting a timed trigger event that stops the current app activity and then opens the hidden Activity. When the timed event is triggered, the exploit runs, and the system server crashes as a result. This stops all functionality of the mobile device, and the system will be forced to reboot.

    An even worse case is when the malware is written to start automatically upon device startup. Doing so will trap the device in a rebooting loop, rendering it useless. In this case, only a boot loader recovery fix will work, which means that all the information (contacts, photos, files, etc.) stored inside the device will be erased.

    Bug found to crash a series of services. 

    Further research on our part revealed that apart from the WindowManager service, PackageManager and ActivityManager are also susceptible to a similar crashing vulnerability. The critical difference here is that the user’s device will crash immediately once the malicious exploit app is installed. Note that the exploit app in this case does not need any special permission.

    In AndroidManifest.xml, apps’ label names can be set in the “android:label” attribute of the element, and it can be written with a raw string, not only with a reference to a string resource. Normally, apps with very long raw string labels declared in AndroidManifest.xml cannot be installed, due to the Android Binder’s transaction buffer size limit. But through the ADB (Android Debug Bridge) interface, which is used by many third-party market clients, such apps can be installed, which inevitably causes an instant PackageManager service crash.
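    Because the ADB path skips the Binder size limit, anything that installs packages through it (a third-party market client, an app-vetting pipeline) can apply its own check on the manifest first. The following Python audit is an added example, not Trend Micro’s or Google’s code; it assumes the manifest has already been decoded from binary XML (for example with aapt or apktool), the 256-character threshold is an assumed review limit, and the manifest is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LABEL_ATTR = "{%s}label" % ANDROID_NS
NAME_ATTR = "{%s}name" % ANDROID_NS
# Assumed review threshold: genuine labels are a few dozen characters at most.
MAX_RAW_LABEL = 256

# Constructed manifest (already decoded from binary XML, e.g. with aapt/apktool):
# a normal activity plus a hidden one carrying an oversized raw-string label.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:label="@string/app_name">
    <activity android:name=".MainActivity" android:label="Main" />
    <activity android:name=".HiddenActivity" android:label="%s" />
  </application>
</manifest>
""" % ("A" * 5000)


def audit_labels(manifest_xml: str, limit: int = MAX_RAW_LABEL):
    """List every element whose android:label is a raw string rather than a resource reference."""
    findings = []
    for elem in ET.fromstring(manifest_xml).iter():
        label = elem.get(LABEL_ATTR)
        if label is None or label.startswith("@"):
            continue  # no label, or a @string/... reference resolved from resources
        findings.append({
            "element": elem.tag,
            "name": elem.get(NAME_ATTR, elem.tag),
            "length": len(label),
            "oversized": len(label) > limit,
        })
    return findings


def is_safe_to_install(manifest_xml: str, limit: int = MAX_RAW_LABEL) -> bool:
    """Gate an ADB-style install on the absence of oversized raw labels."""
    return not any(f["oversized"] for f in audit_labels(manifest_xml, limit))
```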


    Figure 1. PackageManager service crash

    In a chain reaction, all other processes that depend upon PackageManager crash and leave the Android device completely unusable. Below are notifications of some crashed services, which include Launcher and android.process.acore.


    Figure 2. Crashed services that depend on PackageManager

    The system service ActivityManager is also affected due to the continuous error in the Binder transaction. This may possibly lead to a Binder driver crash, which then results in an automatic rebooting of the device. At this point, users would have no other recourse but to do a hard factory reset on the device while running the risk of erasing all of the stored data.


    Figure 3. Binder driver crash

    What should users do?

    As always, we advise users to never download apps from third-party app stores. It’s important to treat third-party apps with a healthy dose of suspicion and skepticism as cybercriminals are always on the lookout to find and exploit every nook and cranny in Android devices. Google has already been notified about the vulnerabilities but users should still take the necessary precautions in order to protect their mobile devices.

    Developers familiar with the use of the Android Debug Bridge can use this as well to remove problematic apps in question. (We would like to thank rmack for pointing out this option for developers and other power users.)

    We have informed Google’s Android security team about this issue.


    Last week, in the previous part of this post, we went over the behavior of Control Panel (CPL) malware before the actual infection. In this second part, we go over what happens after the malware has reached a system. (Note: much of this analysis was carried out with Deep Discovery Advisor, so some of the screenshots will have been taken from this product.)

    This particular CPL malware (detected as TROJ_BANLOAD.ZAA) appears to be targeted at Windows 7 users – specifically, those using the 32-bit version. How do we know this? Based on previous research, we know that CPL malware is frequently used as a downloader for other malware. We see this behavior in 32-bit Windows 7:

    Figure 1. Behavior under 32-bit Windows 7

    However, on other platforms (like 64-bit Windows 7), we do not see that behavior.

    Figure 2. Behavior under 64-bit Windows 7

    So, let’s look into what this malware does when it is run in its “right” target environment.

    It accesses four URLs, two of which are non-malicious and Microsoft-related. One is the Compatibility View list for Internet Explorer 9; the other is the browser icon (favicon.ico) for Bing. Two are potentially malicious, with Deep Discovery Advisor flagging one as malicious.

    Figure 3. URLs accessed by CPL malware

    Let’s look at the first potentially malicious domain. It is a .com domain; the WHOIS records also identify a Spanish man as both the registrant and the technical contact for the domain. It was first registered in 2010.

    All this site does is return a simple text string: “NTFD!”. It’s possible that this may be used for command-and-control, although no definitive evidence either way is present. However, by itself, there’s nothing here that indicates malicious behavior, so it is not flagged as such.

    The other domain is more interesting. It appears that it is a compromised site belonging to an Israeli company – the domain is under the top-level domain, it is hosted in Israel, and the content clearly belongs to the company as well.

    However, the malware downloaded an executable file directly from this server. While it has a different name – 07-03.exe.exe instead of morph.exe – it has the same hash as the dropped file identified earlier. The file name itself is also intriguing, as if read in a day-month format, it reads “March 7”, which was just days before I actually analyzed this particular attack.

    Once on the system, this particular malware drops multiple copies of itself and proceeds to carry out its information theft routines.

    Figure 4. Analysis of payload

    From there, the usual information theft routines as discussed in our earlier research proceed, targeting the user’s personal information, as outlined in the threat diagram below. We detect this malware as TSPY_BANKER.ZAA.

    Figure 5. CPL malware threat diagram

    Detection and Prevention

    By providing details on how this attack was able to reach user systems, we hope to help others avoid becoming victims of this threat. Our previous research has indicated that Internet users in Brazil are the most common victims of CPL malware, and that has not changed here.

    Beyond common best practices, this incident allows us to see some possible defenses against attacks like these. For emails, checking the sender IP address is already standard behavior. However, defenses and policies against attachments should be considered – these should be scanned for malicious content, and some potentially risky file types can be blocked.

    As for the potentially malicious URLs, it may be worth considering to block the download of executable files. In this particular case, doing so would have prevented the download of the main payload by the initial CPL downloader. Failing that, endpoint software should be in place to check the reputation of any downloaded files.
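    The renamed payload (07-03.exe.exe with the same hash as morph.exe) shows why such a check should look at file content and hash rather than the name alone. The following Python classifier is an added example, not Trend Micro’s code: it recognises a Windows executable by its PE header, notes double extensions, and compares the SHA-256 against a known-bad list; the PE-shaped sample bytes and the risky-extension set are constructed for the example.

```python
import hashlib
import struct
from pathlib import PurePath

# Extensions treated as risky to download (an assumed subset for this example).
RISKY_EXTENSIONS = {".exe", ".cpl", ".scr", ".dll"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(filename: str, data: bytes, known_bad_sha256=frozenset()) -> dict:
    """Combine content, name and hash evidence for one downloaded file."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    digest = hashlib.sha256(data).hexdigest()
    risky = bool(suffixes) and suffixes[-1] in RISKY_EXTENSIONS
    return {
        "sha256": digest,
        "is_pe": is_pe(data),                      # content says executable, whatever the name
        "risky_extension": risky,
        "double_extension": risky and len(suffixes) > 1,  # e.g. 07-03.exe.exe
        "known_bad": digest in known_bad_sha256,
    }


def should_block(verdict: dict) -> bool:
    """Block executables by content, known-bad hashes, and risky extensions by policy."""
    return verdict["is_pe"] or verdict["known_bad"] or verdict["risky_extension"]


# Constructed minimal PE-shaped blob: 'MZ' stub, e_lfanew = 0x40, 'PE\0\0' signature at 0x40.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
```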

    Trend Micro solutions protect against all aspects of this attack, as well as other similar incidents using CPL malware.

    Posted in Malware, Spam | Comments Off on Anatomy of a Control Panel Malware Attack, Part 2

