
    Archive for April, 2014

    5:54 am (UTC-7)   |    by

The Russian underground has existed in an organized form since 2004 and has served both as a marketplace and as an information exchange platform. Well-known centers of the Russian underground include zloy.org, DaMaGeLab, and XaKePoK.NeT. Initially, these forums were used primarily to exchange information, but their role as marketplaces has become more prominent.

Many parts of the Russian underground today are highly specialized. A cybercriminal with ties to the right people no longer needs to create all of his attack tools himself; instead he can buy them from sellers that specialize in specific products and services. For example, there are groups that do only file encryption, or DDoS attacks, or traffic redirection, or traffic monetization. Groups that specialize in one of these items do what they do best and produce better, more sophisticated products.

Perhaps the most popular product in the Russian underground economy today is traffic, together with various traffic-related services. Examples include traffic direction systems (TDSs), traffic redirection, and pay-per-install (PPI) services. Purchased Web traffic not only increases the number of cybercrime victims; it may also be used to gather information about potential targeted attack victims.

Like any other economy, the Russian underground follows the laws of supply and demand. As we mentioned last week, the prices of underground goods have dropped across the board. This is generally because the supply of these goods has increased; for example, stolen American credit cards are widely available, and as a result their price has fallen. This is evident in the following chart of stolen credit card prices:

    Figure 1. Prices for stolen credit cards

    The same is true for stolen accounts:

    Figure 2. Prices for hacked accounts

With falling prices, however, comes a loss in reliability: goods or services are not always as high-quality as advertised. Sometimes, escrow providers (known as garants) are used to give both parties (buyer and seller) some assurance that neither is scamming the other.

Today, we released our updated look at the Russian underground, titled Russian Underground Revisited. This is an update to our earlier paper discussing the items that are bought and sold in various parts of the Russian underground. For this edition, we have clearly outlined the products and services being sold and what their prices are. In addition, we discuss the changes since the original paper to highlight the continued evolution of the cybercrime threat landscape.

    This is part of the Cybercrime Underground Economy Series of papers, which take a comprehensive view of various cybercrime markets from around the world.


    Over the weekend, Microsoft released Security Advisory 2963983 which describes a new zero-day vulnerability found in Internet Explorer. (It has also been assigned the CVE designation CVE-2014-1776.)

    This remote code execution vulnerability allows an attacker to run code on a victim system if the user visits a website under the control of the attacker. While attacks are only known against three IE versions (IE 9-11), the underlying flaw exists in all versions of IE in use today (from IE 6 all the way to IE 11).

Serious as this vulnerability is, it’s not all bad news. First of all, the exploit can only run code with the same privileges as the logged-in user. Therefore, if the user’s account does not have administrator rights, the malicious code will not run with them either, which partially reduces the risk; an account that is set up as an administrator gets no such benefit.

Secondly, Microsoft has provided some workarounds as part of their advisory; of these, enabling Enhanced Protected Mode (an IE10- and IE11-only feature) is the easiest to do. In addition, the exploit code requires Adobe Flash to work, so disabling or removing the Flash Player from IE also reduces the risk from this vulnerability.

    We will continue to monitor this threat and provide new information as necessary.

    Update as of April 28, 2014, 12:30 P.M. PDT

End of support for any software, OS or otherwise, leaves users and organizations more exposed to threats. However, there are some solutions that can help mitigate this problem. Virtual patching can complement traditional patch management, since it can “virtually patch” affected systems before actual patches are made available. Another benefit is that it can “virtually patch” unsupported applications. For example, Trend Micro Deep Security has continued to support Windows 2000 vulnerabilities even beyond its end of support.

    It should be noted that the Enhanced Mitigation Experience Toolkit (EMET) can also help mitigate attacks that may exploit this particular vulnerability. This toolkit prevents software vulnerabilities from being exploited through several security mitigation technologies. According to the Microsoft advisory, “EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.”

    Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

    • 1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)

    They also have a rule that restricts the use of the VML tag. This rule is already available to customers:

    • 1001082 – Generic VML File Blocker

    Update as of April 28, 2014, 6:10 P.M. PDT

    As we mentioned earlier, this vulnerability is now designated as CVE-2014-1776. It is due to the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated (a use-after-free condition). Successful exploitation allows an attacker to execute arbitrary code in the context of the current user.

To mitigate this threat, Microsoft suggests unregistering VGX.DLL, the library responsible for rendering Vector Markup Language (VML) in web pages.

The vulnerability is exploited when a victim opens a specially crafted web page using Internet Explorer. Users can be convinced to open these sites via clickable links in specially crafted emails or instant messages. An Adobe Flash file embedded in these malicious sites is used to bypass the Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections on the target system.

As we mentioned earlier, we provide two rules that protect users against this threat. Not only do these rules help reduce the threat until a patch is provided by Microsoft, they also protect unsupported OSes, such as Windows XP.
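The two indicators named above (VML markup, which pulls in VGX.DLL, and an embedded Flash file, which the exploit needs for its DEP/ASLR bypass) can be checked together on a page. The following Python is an added illustration and is not the logic of Trend Micro's DPI rules or ATSE heuristics; the sample pages are constructed, and the indicator names and regular expressions are this example's own. The VML namespace URN, the `#default#VML` behavior, and the Flash ActiveX CLSID are the real identifiers IE and Flash use.

```python
"""Flag HTML pages that combine VML markup with an embedded Flash object.

Added illustration for the CVE-2014-1776 exploit page traits described above;
not Trend Micro's detection logic. Either indicator alone is common in benign
pages (VML in Office-exported HTML, Flash in ad banners), so only the
conjunction is treated as suspicious.
"""
import re
from dataclasses import dataclass

# Signs that the page invokes IE's VML renderer (vgx.dll).
VML_PATTERNS = {
    "vml_namespace": re.compile(
        r'xmlns:\w+\s*=\s*["\']urn:schemas-microsoft-com:vml["\']', re.I),
    "vml_behavior": re.compile(r'behavior\s*:\s*url\(\s*#default#VML\s*\)', re.I),
    "vml_element": re.compile(
        r'<\s*v:(?:shape|rect|oval|line|polyline|curve|arc|group|fill|stroke'
        r'|image|shapetype|textbox|roundrect)\b', re.I),
}

# Signs that the page embeds a Flash movie.
FLASH_PATTERNS = {
    "flash_clsid": re.compile(r'clsid:D27CDB6E-AE6D-11cf-96B8-444553540000', re.I),
    "flash_mime": re.compile(r'application/x-shockwave-flash', re.I),
    "swf_src": re.compile(
        r'''(?:src|data|value)\s*=\s*["'][^"']*\.swf(?:\?[^"']*)?["']''', re.I),
}


@dataclass
class Verdict:
    vml: list    # names of VML indicators that matched
    flash: list  # names of Flash indicators that matched

    @property
    def suspicious(self) -> bool:
        return bool(self.vml and self.flash)


def scan_html(html: str) -> Verdict:
    """Run every indicator over the raw page source and report what matched."""
    vml = [name for name, rx in VML_PATTERNS.items() if rx.search(html)]
    flash = [name for name, rx in FLASH_PATTERNS.items() if rx.search(html)]
    return Verdict(vml, flash)


# Constructed samples (no real exploit content).
SAMPLE_EXPLOIT_LIKE = """<html><head>
<style>v\\:* { behavior:url(#default#VML); }</style>
</head><body xmlns:v="urn:schemas-microsoft-com:vml">
<v:shape id="s1" style="width:10px;height:10px"></v:shape>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="movie" value="x.swf"></object>
<script>/* constructed sample, no real exploit */</script>
</body></html>"""

SAMPLE_OFFICE_EXPORT = """<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office">
<body><v:rect style="width:100pt;height:50pt"></v:rect></body></html>"""

SAMPLE_FLASH_ONLY = """<html><body>
<embed src="banner.swf" type="application/x-shockwave-flash" width="300">
</body></html>"""


def classify_samples() -> dict:
    """Map each constructed sample to whether it trips the combined heuristic."""
    return {
        "exploit_like": scan_html(SAMPLE_EXPLOIT_LIKE).suspicious,
        "office_export": scan_html(SAMPLE_OFFICE_EXPORT).suspicious,
        "flash_only": scan_html(SAMPLE_FLASH_ONLY).suspicious,
    }


if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name}: {'SUSPICIOUS' if flagged else 'ok'}")
```

Requiring both indicators keeps the false-positive rate down on legacy intranet pages that still use VML; a network rule like the Generic VML File Blocker above is the blunter alternative when the organization can afford to block VML outright.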

    Additional analysis by Pavithra Hanchagaiah.

    Update as of April 30, 2014, 4:25 AM PDT

    To further protect users from this threat, we have released the following additional heuristic solutions for this threat:

    • For Deep Discovery, NCIP 1.12083.00 and NCCP 1.12053.00 provide additional protection as well.
    • Our browser exploit prevention technology (present in Titanium 7) has rules that detect websites that contain exploits related to this vulnerability.

To help administrators investigate whether this threat is affecting their networks, products with the Advanced Threats Scan Engine (ATSE), such as Deep Discovery, have heuristic rules which detect attacks using this vulnerability. These attacks have been detected as HEUR_SWFHS.A and HEUR_SWFJIT.B in ATSE pattern 9.755.1107 since April 22.

    Update as of May 1, 2014, 5:33 AM PDT

    We have also released the following additional solution for this threat:

    • OPR 10.767.00 provides additional heuristic capabilities to help detect malicious scripts that take advantage of this vulnerability.

    Update as of May 1, 2014, 7:15 AM PDT

    The original version of this post mentioned modifying the ACL for VGX.DLL, based on recommendations from Microsoft. Microsoft has modified their guidance, and the blog post has been modified accordingly.

    Update as of May 1, 2014, 11:03 AM PDT

    The original version of this post mentioned that Windows XP will not be receiving a patch for this vulnerability. Microsoft has just released a security update (MS14-021) for this vulnerability, including one for Windows XP. This blog post has been modified accordingly.


A few days ago, America Online (AOL) confirmed that its mail service, AOL Mail, had been hacked, with user email addresses (allegedly only 1% of its entire customer base) compromised or spoofed to send spam with links leading to phishing pages. We combed the Internet for samples of the phishing spam being sent, and they turned up readily in our searches.

    Figure 1. AOL Mail spam sample

    Figure 2. Second AOL Mail spam sample

The spammed messages themselves are simple and to the point: just a sentence or two, written to look like a casual, quickly written email from one of the recipient’s contacts. The link is presented right after the bait text, typed out in full. When clicked, the links lead to fake pages posing as online health magazines or cooking recipe websites, which then redirect to a landing/phishing page. The phishing page masquerades as a sign-up form that asks for the user’s personal information: phone number, email address, and so on.

    Figure 3. Final landing and phishing page

    Using data gathered from the Trend Micro Smart Protection Network, we saw that 94.5% of the users who visited the final landing page came from the United States. Other top countries affected include Japan, Canada, France, and the United Kingdom. Analysis also shows that these phishing pages are hosted in different countries, including Russia, the United States, Hong Kong, and Germany.

This may seem a relatively minor attack as hacking attacks go, since the compromised mailboxes were only used to send spam leading to phishing websites rather than something more obviously damaging, such as sending malicious files or mining the mailboxes themselves for personal information. But the fact that the culprits could easily have done so is enough to make this a serious security incident. There’s also the fact that even if only 1% of AOL Mail’s 24 million users were indeed compromised, that’s still 240,000 mailboxes under the control of cybercriminals, to do with as they please.

A day after the attack itself was revealed, AOL made another announcement, saying that it had changed its DMARC policy to combat the spoofed spam. With the policy set to reject, mailbox providers that honor DMARC will reject mail that claims to be from an AOL address but fails DMARC authentication, which in practice means mail that did not come from an AOL server.

While this does alleviate the spoofed-email problem somewhat, it also affects legitimate bulk AOL mail that was previously sent through third parties (mailing lists and bulk senders that relay mail from AOL addresses), and it does nothing about the compromised accounts themselves, since their mail still comes from AOL’s servers. For that, AOL has pointed victims to its Mail Security page, which instructs users on how to secure a hacked account and how to recognize scam/spam emails.
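To make the two effects concrete (spoofed mail rejected, mail from a compromised account still accepted, third-party bulk mail caught in between), the following Python evaluates a DMARC record the way a receiving mail server does. This is an added example, not AOL’s DNS data, mail, or receiver code: the record text, the domain names other than aol.com, and the four message scenarios are constructed, and the organizational-domain rule is simplified to the last two labels where real receivers consult the Public Suffix List.

```python
"""DMARC disposition as computed by a receiving mail server.

Added illustration of the policy change described above. Record text,
scenarios and non-AOL domains are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=r; aspf=r'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")   # SPF alignment: r(elaxed) or s(trict)
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    real receivers use the Public Suffix List to handle e.g. co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment between the visible From domain and the domain
    that SPF or DKIM actually authenticated."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str            # RFC5322.From domain, what the recipient sees
    spf_result: str             # "pass" / "fail" / "none"
    spf_domain: Optional[str]   # RFC5321.MailFrom domain SPF was checked against
    dkim_result: str            # "pass" / "fail" / "none"
    dkim_domain: Optional[str]  # d= tag of the DKIM signature, if any


def dmarc_disposition(record: dict, r: AuthResults) -> str:
    """'pass' if SPF or DKIM passed *and* is aligned, else the record's p= policy."""
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return record["p"]  # none (monitor only) / quarantine / reject


def scenarios() -> dict:
    """Disposition of four constructed messages under a monitor-only record
    and under a reject record (stand-ins for before/after the policy change)."""
    before = parse_dmarc("v=DMARC1; p=none")
    after = parse_dmarc("v=DMARC1; p=reject; adkim=r; aspf=r")
    cases = {
        # Attacker's own host forges an aol.com From address.
        "spoofed_by_attacker": AuthResults("aol.com", "fail", "attacker.example", "none", None),
        # Hijacked account sends through AOL's real servers: fully authenticated.
        "compromised_account_via_aol": AuthResults("aol.com", "pass", "aol.com", "pass", "aol.com"),
        # Newsletter relayed by a bulk sender under its own domains.
        "bulk_via_third_party_unsigned": AuthResults("aol.com", "pass", "bulk.esp.example", "pass", "esp.example"),
        # Same relay, but DKIM-signed with a key published under aol.com.
        "bulk_via_third_party_dkim_signed": AuthResults("aol.com", "pass", "bulk.esp.example", "pass", "aol.com"),
    }
    return {name: (dmarc_disposition(before, r), dmarc_disposition(after, r))
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (old, new) in scenarios().items():
        print(f"{name:36s} p=none -> {old:7s} p=reject -> {new}")
```

The second scenario is the one the policy change cannot touch: a compromised account’s mail is exactly as authenticated as the owner’s, which is why AOL had to send victims to its account-recovery guidance separately. The last two show the choice facing bulk senders that relay AOL mail: get rejected, or sign with a key aligned to the From domain.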

    We once again remind users to always be vigilant when it comes to their mail, whichever email service you use. Always think before you click that sent link. Verify first before doing anything.

    Trend Micro security offerings already detect and block all the spammed mails and phishing URLs related to this attack.

    With additional analysis from Gideon Hernandez, Paul Pajares, and Ruby Santos.


    Two weeks ago, we talked about how many sites in the top 1 million domains (as judged by Alexa) were vulnerable to the Heartbleed SSL vulnerability. How do things stand today?


    Figure 1. Sites vulnerable to Heartbleed as of April 22

Globally, the percentage of sites that are vulnerable to Heartbleed has fallen by two-thirds, to just under 10 percent. Only three of the TLDs we looked at have percentages above the global figure: Brazil (.BR), China (.CN), and Russia (.RU).

The only TLD with a 100% cleanup record was .gov, reserved for US government sites. The Australian (.AU), British (.UK), German (.DE), and Indian (.IN) TLDs also had rates significantly lower than the global average.

    Overall, the numbers leave room for optimism when it comes to addressing Heartbleed. Most system administrators have paid attention to the warnings and patched their servers accordingly. The question is now whether the remaining 10% of vulnerable domains will be patched sooner rather than later, or if we will be stuck with a non-trivial portion of the Internet that will be left at risk.

    For users who want to test if the sites they use are at risk, a Trend Micro heartbleed detector app may be found in the Google Play store, the Google Chrome store, and the web.

     For other posts discussing the Heartbleed bug, check our previous entries:


Since news about Heartbleed broke earlier this month, the Internet has been full of updates, opinions and details about the vulnerability, with everyone from security experts to celebrities talking about it. Opportunistic as ever, cybercriminals have taken notice and turned the furor surrounding Heartbleed into a lure for a spam attack.

    Figure 1. Heartbleed spam

The spammed mail is simple-looking, as far as spam goes. The body is plain text, notifying the user about the ‘big security concern on the internet’ that is Heartbleed, giving some advice, and offering a link to an alleged CNN report on the matter. The spam purports to be from an individual named ‘Dexter’ who appears to reside in Riyadh, Saudi Arabia.

The link doesn’t lead to the CNN website at all, or to any site in its domain. As with all spammed links, it leads to a different URL that, as of this writing, appears to have been taken down or rendered inaccessible. Of course, it’s a good bet that it was malicious in the first place.

Cybercriminals are ready and willing to use any newsworthy topic for their social engineering schemes, including big security incidents and advisories. With the Heartbleed bug being about as big and as serious as a security issue can get (it not only affects some of the most popular websites on the Web today, but can also strike through mobile apps), users need to anticipate that threats may come in ways they never expected.

    Always be vigilant, alert and skeptical – especially when it comes to what you get in your e-mail. It may be a spammed mail you’re looking at. Clicking links in email is generally not a good idea; it’s more secure to go directly to the relevant site instead.

    Trend Micro customers are of course defended against this particular attack, with the spammed mail and the URL blocked.

    As for Heartbleed itself, we’ve released some tools you can use to protect yourself against this threat – namely our Trend Micro Heartbleed Detector App for Android (which notifies you of vulnerable apps and uninstalls them for you) and our Trend Micro OpenSSL Heartbleed Scanner App for Chrome (which checks specific sites for Heartbleed vulnerability). We’ve also got our Trend Micro Heartbleed Detector Website if you wish to use that instead.


