Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar   May »
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for April, 2014




    For users who are not system administrators, the biggest impact of the Heartbleed vulnerability has been all the passwords that they have had to change. This, together with improvements in alternative authentication methods (like the fingerprint scanners now embedded in flagship smartphones), have caused some rather bold statements about passwords to be made.

    Passwords are out of fashion? Obsolete in the short term, I hear some people say? Not so fast! While it’s true that passwords are not the most convenient way of authenticating yourself and they are inherently insecure, we should not be so quick to dismiss them.

    The main advantage of passwords is that everybody can use them straight away. There is no need to tie yourself to a specific authentication token (“I could swear it was in my bag this morning!”), location (“I can’t log in from the hotel, I forgot I enabled that security feature!”), or smartphone (“I let my phone’s battery go dead!”). It might seem odd to some, but forcing users to own a smartphone – or asking a company to provide their employees with one – might be too costly.

    Even if passwords are supplemented by other authentication methods, passwords will still be around as a secondary method. What would happen otherwise when your phone or hardware token gets stolen? We are simply not ready for a world without passwords, much as we’d like to get rid of them.

    If that’s the case, we might as well learn how to use them properly. It’s not that difficult:

    First, use a different password for each online service. If you’re trying to do this manually, it becomes difficult – which is why the best way to do this is to use a password manager. There are multiple options available, many of which are free.

    Secondly, once you are using a password manager, use a long, hard-to-guess master password for it. If it’s anywhere in a dictionary, it’s not a good  password. Here’s one way  to come up with a secure master password: use the initials of a very long sentence. Imagine there’s no heaven; It’s easy if you try; No hell below us; Above us only sky. Add commas and other punctuation for added difficulty and bonus points: Itnh,ieiyt;nhbu,auos! That’s a better password than what most people use.

    Thirdly, don’t rely on passwords alone. Yes, we said that passwords won’t be going away soon – but if you can, use what second factor of authentication is available. A smartphone is a good choice, as many services can use one to authenticate – whether it’s via an app or text messages.

    I don’t think passwords are going to fall out of fashion anytime soon, if only for the ease of use. This isn’t to say that they will be the only authentication method used – and they shouldn’t be. Complementing them with more factors (two or three!) is the way to go, in my opinion.

     
    Posted in Data | Comments Off



    The promise of easy money remains the biggest motivation for cybercrime today. Cybercriminals thus make it their main objective to steal information that would lead them to the money, like online banking information. Once stolen, the information can be used to transfer funds illegally from victims’ accounts.

    In 2013, the total amount of money stolen through this exact method in Japan has amounted to 1.4 billion yen. This is purportedly the biggest amount to date, and it seems 2014 is well on its way to catching up, with 600 million yen already stolen, according the publication of the National Police Agency (NPA). We have reason to believe that those numbers will continue to climb, which poses a challenge on how to stop cybercrime once and for all.

    As part of our efforts to stop cybercrime, our dedicated team of researchers, the Forward-Looking Threat Research Team have been doing research about what it takes to prevent financial losses from online account theft by cybercriminals. Moreover, we have identified some methods to track down and identify these cybercriminals responsible, such as command-and-control (C&C) server analysis, analyzing stolen information, and malware analysis.

    For instance, cybercriminals behind the recent popular banking Trojan called Citadel (TSPY_ZBOT) use WebInjects to display fake screen displays needed to carry out online banking logging theft. By analyzing the WebInject modules, it is possible to find out more about the server where the stolen information has been sent to.

    Because any information from victims which victims input in the fake screen will be stored in the server, we can immediately pinpoint the existence of victims by monitoring the server’s stored information. As a result, we can quickly prevent actual financial loss through reactionary methods, such as freezing the compromised bank accounts before the money is transferred to the cybercriminals.

    Figure_banking _trojan_140415

     

    Figure 1. Webinject Banking Trojan’s Infection Chain

    These kind of measures, of course, can’t be pulled by just a security vendor such as TrendMicro. It is absolutely necessary to collaborate with concerned organizations such as the police and the bank involved. Trend Micro’s TM-SIRT, which is a contact point of cooperation for security-raising activities in Japan, provides concerned organizations with information obtained from internal research groups such as the FTR (forward-looking threat research) team in order to help combat this kind of theft by cybercriminals.

    Taking down the server involved in the financial theft is another method of combating such cybercriminal activity, but it is a temporary solution at best. This is because it may not affect the cybercriminal’s efforts as much as we would like it to be, and it may even motivate them to more sophisticated attacks.

    Server monitoring is a more preferable. It allows security experts to grasp the picture of attack and control the situation better. Moreover, it may help to identify the cybercriminals by simply waiting for them to log into the server to obtain their stolen information. Server monitoring can then be expected to prevent new attacks by the same cybercriminals and also to prevent other attacks.

    On April 28, Trend Micro received a certificate of appreciation from the Japan Metropolitan Police Department. This commendation was awarded for providing useful information in combating online financial theft in Japan. Trend Micro will continue to study and provide a holistic and fundamental approach to security, as well as cooperate with law enforcements around the globe for our company vision: a world safe for exchanging digital information.

     
    Posted in Malware | 1 TrackBack »



    Sometime near the start of the year, we noticed that the old malware family TSPY_USTEAL resurfaced. This information stealing malware now includes new routines including malicious packers, obfuscation, and bundling ransomware.

    TSPY_USTEAL variants were seen in the wild as early as 2009, and is known to steal sensitive information like machine details and passwords stored in browsers. It can act as a dropper, dropping plugins or binaries in its resource section. The stolen information is stored in an encrypted .bin file, which is uploaded to a C&C server via FTP. This was part of the behavior of the previous variants, and continues on in newer variants.

    A newer variant that we detect as TSPY_USTEAL.USRJ, drops ransomware—detected as TROJ_RANSOM.SMAR—on affected systems. These ransomware files are created by a new toolkit builder that gives the attacker full control over the ransomware’s behavior, from the types of files it will encrypt to the ransom note to be displayed.

    We detect this toolkit as TROJ_TOOLKIT.WRN. Below are the features translated from Russian to English. Included are the file types to be encrypted, the ransom note, the appended extension to encrypted file, and the name of the dropped copy of the encoder.

    Figure 1. Translated ransomware toolkit
    (Click image above to enlarge)

    The ransomware, TROJ_RANSOM.SMAR, drops a copy of itself in the user’s machine. It then encrypts certain files with the same icon and extension name. For example, it can add the extension .EnCiPhErEd on selected extension names like .LNK, .ZIP, etc., as marker. Next, it drops an image file containing the ransom details.


    Figure 2. Ransom note

    When encrypted files are accessed, it shows the ransom note along with the contact details to retrieve the password. The retrieval method may either be through a text message or an email. Next, it displays a message asking for the password. If password given is correct, it decrypts and restores the encrypted files to its original form. Consequently, the ransomware file deletes itself. On the other hand, if the password is incorrect and the number of attempts has reached the pre-set limit, it displays the error message shown below. It then searches for files to encrypt (besides the already-encrypted files) and deletes itself afterward.


    Figure 3. Error message

    This particular combination of threats is worrisome because it steals your credentials and information while the ransomware extorts additional money from the victim by encrypting their files. It’s highly probable that the malware author wanted to wring a fortune out of the victim, extorting any leftover funds from the same victim with the use of ransomware.

    Feedback from the Trend Micro Smart Protection Network shows that there was a spike mid-April for TROJ_RANSOM.SMAR, with the United States as the affected country . Trend Micro protects users from all threats releated to this attack.

    With additional analysis from Adremel Redondo and Nazario Tolentino II

     
    Posted in Malware | Comments Off



    The recent Internet Explorer and Flash zero-days were not the only zero-day threats that hit recently. Last Friday, the Apache Struts group released an advisory (S2-021) detailing two vulnerabilities (CVE-2014-0112 and CVE-2014-0113), and potential mitigation steps until an official patch is issued.

    Apache Struts is a framework used to build and deploy Java-based web applications. In Apache Struts2, most of the core functionality is implemented as Interceptors. These can execute code before and after an Action is invoked and each Interceptor can be mapped to one or more Actions. Two security issues exist in Struts 2 due to improper handling of user supplied parameter values to ParametersInterceptor and CookieInterceptor.

    • CVE-2014-0112 was due to incomplete security fix for another recent vulnerability : CVE-2014-0094, which was reported in early March and discussed in S2-020. The vulnerability is caused due to improper handling of class parameter values of the ParametersInterceptor class, which is directly mapped to the getClass() method. Successful exploitation will allow remote attackers to manipulate the ClassLoader objects used by the application server and leads to arbitrary code execution. ParametersInterceptor is one of the in-built Struts interceptors which set all parameters on the value stack and gets them evaluated.
    • CVE-2014-0113 is similar to the previous vulnerability. CookieInterceptor is another in-built Interceptor used to set values in the stack/action based on cookie name/value. The Java ClassLoader objects can be manipulated via CookieInterceptor, similar to ParametersInterceptor, when it is configured to accept all cookies (when “*” is used to configure cookiesName param).

    Both these vulnerabilities affect Apache Struts versions from 2.0.0 until 2.3.16.2. It is strongly advised that Strust users upgrade to Struts 2.3.16.2. Otherwise, the user can exclude the class parameter from the default configuration as given below.

    <interceptor-ref name=”params”>

    <param name=”excludeParams”>(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>

    </interceptor-ref>

    We have released the following new deep packet inspection (DPI) rules to protect against exploits leveraging these vulnerabilities:

    • 1006015 – Restrict Apache Struts ‘class.classLoader’ Request
    • 1006029 – Restrict Apache Struts ClassLoader Manipulation Via HTTP Cookie Header
     
    Posted in Vulnerabilities | Comments Off



    Adobe has released a security advisory regarding a zero-day vulnerability (CVE-2014-0515) found in the program Adobe Flash. According to the advisory, the updates pertain to “Adobe Flash Player 13.0.0.182 and earlier versions for Windows, Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh and Adobe Flash Player 11.2.202.350 and earlier versions for Linux.”

    Adobe has also acknowledged that an exploit for this zero-day exists, targeting Flash players on the Windows platform. If exploited, the zero-day could allow a remote attacker to take control of the system.

    Users should install the update as soon as they can. They can check out the version of Flash installed through a page in the Adobe website. Updates for Flash via Internet Explorer and Google Chrome will be done automatically but you may require restarting the browser. For users who rely on browsers other than Internet Explorer, they will need to install the update twice (one for IE and another for the other browser). Microsoft has also released a security advisory related to this vulnerability. For downloading updates, we encourage users to rely on Adobe’s official site as “Adobe updates” are often used by bad guys to deliver malware and other threats to users.

    We will continue to monitor this threat and provide new information as necessary.

    Update as of May 2, 2014, 4:00 AM PDT

    We have obtained samples of this attack in the wild. We detect these malicious files as SWF_EXPLOIT.RWF. We believe that this is being used in targeted attacks, as a specific version of Cisco MeetingPlace Express has to be installed for this attack to work.

    In addition to detecting these malicious files, our browser exploit prevention technology (present in Titanium 7) has rules that proactively detect websites that contain exploits related to this vulnerability. Products with the ATSE (Advanced Threats Scan Engine), such as Deep Discovery,  have heuristic rules which detect attacks using this vulnerability. These attacks are detected as HEUR_SWFJIT.B with ATSE pattern 9.755.1107 since April 22.

    Update as of May 07, 2014, 10:48 P.M. PDT

    Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

    • 1006031 – Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515)
    • 1006044 – Restrict Adobe Flash File With Embedded Pixel Bender Objects
     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice