TrendLabs Security Intelligence Blog

Archive for May, 2014

    When we said as part of our 2014 predictions that there would be one major data breach per month, we actually hoped we’d be wrong. Unfortunately, so far, we’ve been proven right: the latest victim of a massive data breach is the well-known auction site eBay.

    To recap, earlier this week eBay disclosed in a blog post that they had suffered a breach that compromised a database containing “encrypted passwords and other non-financial data”. While they said there was no evidence of unauthorized activity or access to financial information, as a best practice they asked all users to change their passwords.

    The scale of the breach is difficult to overstate. In a separate FAQ, eBay stated that all 145 million of its users would be affected. By any standard, this is one of the largest data breaches (by number of affected users) of all time.

    The breached information included the following details of users:

    • Name
    • Encrypted password
    • Email address
    • Physical address
    • Phone number
    • Date of birth

    There’s really only one thing end users of eBay can do: change their passwords. If you’re an eBay user and you haven’t changed your password yet, open a new tab and do it right away, and if you reused that password on any other site, change it there as well. If you have difficulty remembering passwords, use a password manager. (We’ve previously given out tips on password security.)

    System administrators may look at this incident and ask: how do I make sure this doesn’t happen to me? After all, if a large, presumably well-funded organization like eBay can be attacked and breached, what chance does a smaller company with fewer resources have?

    We have created a special report on data breaches, which looks at the data breach threat as a whole. Looking at this specific incident, some things stand out that other organizations can learn from. First of all, let’s remember how the attack started: with compromised employee credentials. It is quite likely that these were obtained via some form of spear-phishing. We have earlier discussed the entry points of targeted attacks.

    Some technical and non-technical measures can improve a network’s defenses at this stage. For example, requiring two-factor authentication for internal systems limits the damage any single compromised password can do. Training staff to identify and avoid potential spear-phishing attacks may also be useful.

    As for the data itself, all organizations should consider the increased (and correct) use of encryption. Data that people would consider sensitive (like the fields compromised in this breach) is frequently stored with no encryption at all.

    Just as importantly, the encryption has to be used correctly. Best practices have to be followed throughout the entire process: which algorithms are used, how the encryption is carried out, how keys are generated and where they are stored, and so on. Cryptography is hard to get right even in the best of circumstances, and done incorrectly it offers little more than a false sense of security. Passwords in particular should not be stored reversibly encrypted at all, but hashed with a per-user salt and a deliberately slow key derivation function, so that a stolen database cannot be turned back into passwords even if the key is stolen with it.
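    To make the “used correctly” point concrete for the one field everyone is now changing, here is an added example. It is not code from the original post and says nothing about how eBay’s system works; it contrasts the fast, unsalted hash that many breached databases have turned out to contain with a salted, deliberately slow key derivation function. PBKDF2-HMAC-SHA256, the iteration count, the record format and the sample passwords are all choices made for this example.

```python
"""Storing passwords so that a stolen database is of little use to the thief.

Added example, not code from the original post. The iteration count, the
record format and the sample passwords are choices made for this example.
"""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 200_000        # work factor chosen for this example; raise it over time
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def unsalted_digest(password: str) -> str:
    """The anti-pattern: a fast, unsalted hash. Every user with the same password
    gets the same digest, and one precomputed table cracks the whole database."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a per-user salted, slow hash and store it with its parameters, so the
    algorithm and work factor can be upgraded later without a forced reset."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _unpack(stored: str):
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported password record: " + algorithm)
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time so
    the comparison itself leaks nothing about where the mismatch is."""
    iterations, salt, expected = _unpack(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy."""
    return _unpack(stored)[0] < iterations


if __name__ == "__main__":
    # Constructed sample users: the same password yields different records.
    users = {name: hash_password("correct horse battery staple") for name in ("alice", "bob")}
    print(users["alice"] != users["bob"])                                      # True
    print(verify_password("correct horse battery staple", users["alice"]))     # True
    print(verify_password("Correct horse battery staple", users["alice"]))     # False
    print(unsalted_digest("hunter2") == unsalted_digest("hunter2"))            # True: the problem
```

    After a successful login, check needs_rehash and, if it returns true, re-hash with the password just verified; that is how the work factor is raised over the years without asking every user to reset.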

    There’s no single solution that can remedy all potential security problems. That, however, is the point of a layered security solution: there are various ways that an attack can enter a network, and various ways that it can be detected as well. A properly designed custom defense solution will provide the best opportunity to detect and mitigate these threats.

     
    Posted in Bad Sites



    In the recent 2H-2013 Targeted Attack Roundup Report, we noted that we have been seeing several attacks in Taiwan related to targeted attack campaigns.

    We are currently monitoring a campaign that specifically targets government and administrative agencies in Taiwan. We have named this campaign PLEAD, after the letters of the backdoor commands issued by the related malware.

    The point of entry for this campaign is email. In the PLEAD campaign, the threat actors use the RTLO (right-to-left override) technique to fool the recipient into thinking that the file extension of the unpacked attachment is not suspicious, i.e., that the file is not an executable.

    In some cases related to the PLEAD campaign, the RTLO technique was implemented correctly, as in an email sent to a particular ministry in Taiwan that purported to carry reference materials for a technical consultant conference:

    Figure 1. Email sent to Taiwanese government agency

    When the .7z attachment is unpacked, the recipient sees two files: what appears to be a PowerPoint document and a Microsoft Word file. The RTLO technique, evident in the first file, takes advantage of a Unicode control character (U+202E) that was created to support languages written right to left: every character that follows it is displayed in reverse order. By inserting this character before the trailing part of the real file name, the attacker makes a file that actually ends in .SCR appear to end in .PPT, so the complete file name looks like that of a PowerPoint document when the file is, in fact, a screen saver, which Windows runs as an executable.

    The threat actor included an additional decoy document, the second file in Figure 2, a .DOC file whose only function is to add to the believability of the email.

    Figure 2. Unpacked attachment shows RTLO trick at work with the .SCR file

    To further convince the victim that the .SCR file is a .PPT file, the .SCR file itself drops the following .PPT, which serves only as a decoy:

    Figure 3. The .SCR drops this .PPT file as decoy

    The RTLO trick in the above case was executed successfully, but in other cases it was not, as in this spear-phishing email belonging to the same campaign. This time the email purports to contain statistical data on Taiwanese business enterprises:

    Figure 4. Second email sample, this time sent to a different Taiwanese government agency

    Figure 5. Unpacked attachment reveals that the file is an executable
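    As an added illustration (not code from the original post), the following Python snippet shows how the trick works on the raw file name and how a mail gateway or archive scanner can flag it before the user ever sees the deceptive rendering. The file names are constructed for the example; the post does not reproduce the real attachment names.

```python
"""Spotting the right-to-left override (RTLO) trick in file names.

Added example, not code from the original post. The file names below are
constructed; the post does not reproduce the real attachment names.
"""
import unicodedata

RLO = "\u202E"           # RIGHT-TO-LEFT OVERRIDE, the character the PLEAD lures use
# Unicode bidirectional controls: any of these inside a file name deserves a look.
BIDI_CONTROLS = frozenset("\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069")
# Extensions Windows executes directly when the file is double-clicked.
EXECUTABLE_EXTENSIONS = frozenset({"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                                   "vbs", "vbe", "wsf", "hta", "msi", "lnk"})


def true_extension(filename: str) -> str:
    """The extension the OS acts on: whatever follows the last dot in the raw string."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(filename: str) -> str:
    """Approximate what a bidi-aware file manager shows: everything after U+202E is
    drawn right to left, i.e. in reverse order, up to the end of the name."""
    start = filename.find(RLO)
    if start == -1:
        return filename
    return filename[:start] + filename[start + 1:][::-1]


def bidi_controls_in(filename: str) -> list:
    """(position, 'U+XXXX NAME') for every bidi control character in the name."""
    return [(i, "U+%04X %s" % (ord(ch), unicodedata.name(ch)))
            for i, ch in enumerate(filename) if ch in BIDI_CONTROLS]


def inspect_filename(filename: str) -> dict:
    """Compare what the user sees with what the OS will run."""
    shown = displayed_name(filename)
    real_ext, shown_ext = true_extension(filename), true_extension(shown)
    controls = bidi_controls_in(filename)
    return {
        "name": filename,
        "displayed_as": shown,
        "true_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        # A control character is present and it changes the apparent extension or
        # hides an executable one. A plain "report.exe" is not flagged here: its
        # extension is visible, and an attachment policy should handle it separately.
        "suspicious": bool(controls) and (real_ext != shown_ext or real_ext in EXECUTABLE_EXTENSIONS),
    }


def scan_archive_listing(names) -> list:
    """Names from an archive listing (e.g. `7z l`) to quarantine before a user
    gets the chance to double-click them."""
    return [n for n in names if inspect_filename(n)["suspicious"]]


# Constructed listing of an unpacked .7z attachment in the style of Figure 2.
SAMPLE_LISTING = [
    "Conference agenda 2014 \u202Etpp.scr",   # shown as "...2014 rcs.ppt", really a .scr
    "Reference materials.doc",                 # the decoy document
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        r = inspect_filename(name)
        print(repr(r["displayed_as"]), "->", r["true_extension"], "suspicious:", r["suspicious"])
    print(scan_archive_listing(SAMPLE_LISTING))
```

    The same check belongs wherever file names are rendered to people: email gateways, file servers, and ticketing systems that show attachment names. Stripping or rejecting bidi control characters in file names is the cheapest fix, since they have no legitimate use in a file name.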

    We also observed an exploit for CVE-2012-0158, a vulnerability in the Windows common controls (MSCOMCTL.OCX) that was patched by MS12-027 in April 2012. It allows an attacker to execute arbitrary code when a specially crafted Office document is opened, and it remains one of the vulnerabilities most commonly exploited in targeted attacks.

    Figure 6. Third sample email uses exploit

    The payloads in the PLEAD campaign are usually backdoors that first decrypt their code and then inject themselves into another process. Installation details differ from one sample to the next, but typically the backdoors collect the following information from the victim’s computer:

    • User name
    • Computer name
    • Host name
    • Current Malware Process ID

    This is typically how threat actors keep track of individual victims while monitoring their operations. Once a connection has been established with the remote servers, the backdoor accepts the following commands:

    • Check installed software/proxy setting
    • List drives
    • Get file
    • Delete file
    • Remote shell

    These commands are typical of reconnaissance activities.

    We are still conducting research into the related C&C servers and malware tools used in the PLEAD campaign, and will be providing technical details on the breadth of the campaign. It appears that attacks related to this campaign have been going on since 2012.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

     


    May 22, 2014, 8:59 am (UTC-7)

    We’ve recently seen multiple arrests and takedowns of cybercriminals and their infrastructure. Here is another one to add to the list. Law enforcement in England, working with Trend Micro, has arrested and prosecuted a cybercriminal known as Jam3s, whose real identity is James Bayliss. James ran several SpyEye command-and-control servers and also coded a SpyEye plugin named ccgrabber. More than four years after the investigation started, he has been successfully prosecuted.

    James worked closely with Aleksandr Andreevich Panin, a.k.a. Gribodemon, in coding the ccgrabber plugin for SpyEye. The plugin collected credit card numbers and CVVs by parsing the HTTP POST requests sent from the infected machine.

    One of James’s SpyEye servers was installed at the IP address 91.211.117.25 and was active during September 2010. Below is the SpyEye configuration file we decrypted:


    Figure 1. SpyEye configuration file

    Jam3s had many connections in the underground scene, friends he made over the course of his online criminal career. They mostly appear to be criminals who run botnets and/or write botnet code. He communicated frequently with Mr. Panin, a.k.a. Gribodemon, and befriended Hamza Bendelladj, a.k.a. bx1. Trend Micro also participated in the investigations that led to the arrests of Mr. Panin and Mr. Bendelladj. These arrests were part of a global investigation into the SpyEye malware and several associated cybercriminals.

    Other ICQ accounts he associated with include SpyEye notify, Death/Cripter, Criminal, and Parabola, to name a few.


    Figure 2. Associated accounts

    This arrest shows how security companies working closely with law enforcement agencies can deliver results. By going after the cybercriminals themselves instead of their servers, we ensured lasting damage to the underground, rather than the relatively quick and easily repaired damage caused by takedowns. We believe this is the way to attack cybercrime and make the Internet safer for all users.

    Malware associated with the IP address 91.211.117.25 (each entry lists the download URL, the hosting IP, the MD5 hash of the file, and the time it was observed):

    • 91.211.117.25/se/bin/621430spyeyecrypted.exe 91.211.117.25 179d5d6c506a785d0f700468bf8ac97c Mon, 30 Aug 2010 12:44:07 UTC
    • 91.211.117.25/se/bin/build.exe 91.211.117.25 df30623d3c1aab7321ac0653cb09f2b7 Mon, 30 Aug 2010 12:38:00 UTC
    • 91.211.117.25/sp/admin/bin/build.exe 91.211.117.25 8904d483008d6284a8f76fb5b9a7cb39 Sat, 11 Sep 2010 02:06:27 UTC
    • 91.211.117.25/sp/admin/bin/upload/gbotout.exe 91.211.117.25 87a5f7c496975c778d8c866195c9a7a5 Sat, 11 Sep 2010 02:06:42 UTC
    • 91.211.117.25/sp/admin/bin/upload/out1.exe 91.211.117.25 143fdd161c7360060d30f540d7a86b27 Sat, 11 Sep 2010 00:59:16 UTC
    • 91.211.117.25/sp/admin/bin/upload/out.exe 91.211.117.25 143fdd161c7360060d30f540d7a86b27 Sat, 11 Sep 2010 00:58:58 UTC
    • 91.211.117.25/sp/admin/bin/upload/pedoout.exe 91.211.117.25 c35e406871df034041d5a92bcb01c85b Sat, 11 Sep 2010 02:07:08 UTC
    • 91.211.117.25/spy/bin/621430spyeyecrypted.exe 91.211.117.25 179d5d6c506a785d0f700468bf8ac97c Sat, 11 Sep 2010 02:07:27 UTC
    • 91.211.117.25/spy/bin/build.exe 91.211.117.25 ed3a6cdca7d3d6f22b0232fe5fabe3b1 Wed, 18 Aug 2010 12:15:19 UTC
    • 91.211.117.25/spy/bin/build.exe 91.211.117.25 f4ec7689e35c396f16e4d035f56fb391 Mon, 26 Jul 2010 19:19:04 UTC
    • 91.211.117.25/spy/bin/build.exe 91.211.117.25 fbbdbc7a18ea27b571c1a58e5c38aa6c Mon, 30 Aug 2010 18:26:34 UTC
    • 91.211.117.25/spy/bin/out.exe 91.211.117.25 143fdd161c7360060d30f540d7a86b27 Mon, 06 Sep 2010 00:22:32 UTC
    • 91.211.117.25/spy/bin/spyeye.exe 91.211.117.25 d69b970afe781b385b9c4856dd1690ea Sat, 11 Sep 2010 00:44:12 UTC
    • advertisement1.com/spy/bin/build.exe 91.211.117.25 78a9d665c854873d7c4221935558f8ab Sat, 25 Sep 2010 00:22:29 UTC
    • advertisement1.com/spy/bin/build.exe 91.211.117.25 fbbdbc7a18ea27b571c1a58e5c38aa6c Tue, 14 Sep 2010 03:24:30 UTC
    • hvavac.com/spy/bin/build.exe 91.211.117.25 fbbdbc7a18ea27b571c1a58e5c38aa6c Mon, 30 Aug 2010 01:08:47 UTC
     
    Posted in Malware



    As the 2014 FIFA World Cup Brazil draws near, we are seeing more threats using the event as bait. We recently talked about cybercriminals in Brazil taking advantage of the event to spread malware, but the threats go beyond that: we have spotted fake FIFA websites selling game tickets.

    One of the sites we found even has different subdomains for different countries, as shown in the diagram below:

    Figure 1. Multiple subdomains of scam site


    On the site meant for visitors from Brazil, would-be fans can buy a ticket for the final for 8,630.20 reais (just under 3,900 US dollars). This price is almost 4,000% higher than the official price on FIFA’s website.

    On a Brazilian complaints site, a user reported that he bought three tickets for the Portugal versus Germany match from this site but had not received any tickets. The victim also states that the scam site gave no phone number at which it could be contacted. Another complaint on the same site says the only way to reach the scammers is via chat or email.


    Figure 2. Screencap of the complaint

    The domain name was registered on May 27, 2013, with no clear owner, although the registration was made in Spain. The site is hosted on a major cloud service provider, and the Brazilian site accepts payment via a legitimate online payment service with offices in São Paulo, Brazil.

    This scam is an example of how different legitimate services (hosting, domain registration, online payment) can be abused to defraud victims around the globe.

    We protect our customers by blocking the fraudulent sites we encountered here. We also would like to remind users not to visit scam sites like these, and remember that only FIFA is authorized to sell tickets for the World Cup games.

    The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events. We’ll soon be featuring the 2014 FIFA World Cup.

     
    Posted in Bad Sites



    We’ve previously discussed how difficult it is to safely connect to networks when on the go. This is particularly true on vacations and holidays, where the availability of Internet access is one of the most important factors when looking for a place to stay. In fact, many holiday lodges and hotels today have made Wi-Fi access an integral part of their offered amenities. With all the fun and relaxation set before you, it is easy to take secure Internet access for granted.

    The story below took place in exactly such a situation. While I was on vacation, using the provided Internet access, the Facebook app on my smartphone refused to connect. Other apps and websites worked fine, however.

    Trying to access YouTube using the mobile browser resulted in this:

    Figure 1. Fake YouTube alert

    Obviously, the above warning made no sense on an Android device. What would happen if I tried to access Facebook on a PC? The same thing occurred, and an off-guard user might not find it suspicious at all:

    Figures 2-3. Fake Facebook alerts

    If the user actually clicked the OK button on either of the two messages the following pages would appear:

    Figure 4. Fake Internet Explorer update

    Figure 5. Fake Adobe Flash Player update

    In both pages, there is fine print that says that the sites are not official download pages. However, because of the professional look of these pages, one could be forgiven for being misled.

    Clicking on any part of the site results in a malicious file, detected as TSPY_FAREIT.VAOV, being downloaded and run on the affected system. FAREIT malware is typically used to download other threats onto an affected system.

    So, how was this done? A little investigation found that the router’s DNS settings had been modified so that DNS queries went to a malicious server, which answered lookups for facebook.com and youtube.com with the addresses of the malicious sites:

    Figure 6. DNS replies and settings

    The IP address of the malicious DNS server is known to be involved in distributing fake Adobe Flash updates. The IP addresses involved in this attack are hosted across multiple ISPs located in France, Canada, and the United States.

    The router on the network was a TP-Link TD-W8951ND, an all-in-one device that combines a DSL modem and a wireless router. This router contains a fairly serious vulnerability: an external, unauthenticated user can reach the page from which the router’s firmware is upgraded and its settings backed up, and download the backup file. That file is easily decoded, and once decoded it contains the root password in its very first line, which gives the attacker full administrative access and with it the ability to change the DNS settings.

    This particular vulnerability has not received much media attention, although it is very similar to the “The Moon” attack that hit Linksys routers earlier this year. It appears to have been disclosed publicly at least twice: once in January and a second time several days later. Attacks that alter DNS settings are not new, either; they have been around for many years.

    I was able to verify that the settings of the device were modified by the attackers. Google’s free DNS server at 8.8.8.8 was also set as the secondary address, explaining why the requests for non-targeted websites worked.

    Figure 7. Router DNS settings

    The list of targeted sites was fairly extensive, with more than 600 domains targeted. Some of the targeted sites (aside from Facebook and Yahoo) include Ask, Bing, Google, LinkedIn, Pinterest, and SlideShare, all under the .com top-level domain. The attack also targeted users visiting local sites under country-specific TLDs, such as:

    Poland:

    • allegro.pl
    • gazeta.pl
    • interia.pl
    • otomoto.pl
    • tablica.pl
    • wp.pl

    Italy

    • google.it
    • libero.it
    • repubblica.it
    • virgilio.it

    Turkey:

    • google.com.tr
    • hurriyet.com.tr
    • milliyet.com.tr
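    As an added example, not code from the original post: a small Python script showing what a hijack like this looks like from the client’s side and how to detect it. It builds and parses DNS wire-format messages (so the same functions can be pointed at any resolver over UDP port 53) and applies two tests: disagreement between the resolver the router hands out and a trusted one, and the tell-tale pattern of many unrelated domains all resolving to one address. All addresses are constructed from RFC 5737 documentation ranges, and no real resolver is contacted.

```python
"""Offline detection of the rogue-resolver pattern described above.

Added example, not code from the original post. All IP addresses are
constructed from RFC 5737 documentation ranges and no real resolver is queried.
"""
import struct
from collections import defaultdict

QTYPE_A, QCLASS_IN = 1, 1


def build_a_query(name: str, qid: int) -> bytes:
    """Minimal RFC 1035 query for the A records of `name`; send it to UDP/53."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)       # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(packet: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                                   # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_a_response(packet: bytes):
    """Return (query id, queried name, list of A-record IPs) from a response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    offset, qname, ips = 12, "", []
    for _ in range(qdcount):
        qname, offset = _read_name(packet, offset)
        offset += 4                                                 # QTYPE + QCLASS
    for _ in range(ancount):
        _, offset = _read_name(packet, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlength == 4:
            ips.append(".".join(str(b) for b in packet[offset:offset + 4]))
        offset += rdlength
    return qid, qname, ips


def build_a_response(query: bytes, ips, ttl: int = 60) -> bytes:
    """What a resolver would send back; used here to construct test traffic."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)

    def answer(ip):   # name is a pointer (0xC00C) back to the question at offset 12
        return (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                + bytes(int(o) for o in ip.split(".")))
    return header + query[12:] + b"".join(answer(ip) for ip in ips)


def answers_from_packets(packets) -> dict:
    """Collapse captured responses into {name: {ip, ...}}."""
    result = defaultdict(set)
    for pkt in packets:
        _, name, ips = parse_a_response(pkt)
        result[name].update(ips)
    return dict(result)


def hijacked_domains(suspect: dict, trusted: dict) -> list:
    """Names for which the suspect resolver's answers share nothing with a trusted
    resolver's. CDN-fronted sites can legitimately differ, so treat this as a lead."""
    return sorted(d for d in suspect if trusted.get(d) and not suspect[d] & trusted[d])


def sinkhole_ips(answers: dict, min_domains: int = 3) -> set:
    """Addresses that several unrelated names all resolve to: hundreds of domains
    pointing at one host is the signature of a redirecting resolver."""
    names_for = defaultdict(set)
    for name, ips in answers.items():
        for ip in ips:
            names_for[ip].add(name)
    return {ip for ip, names in names_for.items() if len(names) >= min_domains}


# Constructed answers: 203.0.113.10 plays the attacker's web server and
# 198.51.100.x stands in for the sites' real addresses.
ROGUE = {"facebook.com": {"203.0.113.10"}, "youtube.com": {"203.0.113.10"},
         "allegro.pl": {"203.0.113.10"}, "hurriyet.com.tr": {"203.0.113.10"},
         "example.net": {"198.51.100.50"}}       # not on the target list: passed through
TRUSTED = {"facebook.com": {"198.51.100.1", "198.51.100.2"}, "youtube.com": {"198.51.100.3"},
           "allegro.pl": {"198.51.100.4"}, "hurriyet.com.tr": {"198.51.100.5"},
           "example.net": {"198.51.100.50"}}

if __name__ == "__main__":
    # Simulate the packets the rogue resolver would return, then analyse them.
    packets = [build_a_response(build_a_query(n, i), sorted(ips))
               for i, (n, ips) in enumerate(ROGUE.items())]
    seen = answers_from_packets(packets)
    print("disagreeing:", hijacked_domains(seen, TRUSTED))
    print("sinkhole:", sinkhole_ips(seen))
```

    Against a live network, send build_a_query() output with a UDP socket to the resolver the router advertised and to a trusted one (8.8.8.8 in the post), feed both sets of replies through answers_from_packets(), and run the two checks. The sinkhole test is the stronger signal: legitimate resolvers disagree about CDN-hosted sites all the time, but they never send a Polish auction site, a Turkish newspaper and Facebook to the same address.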

    How do you prevent yourself from becoming a victim of this attack? One suggestion is to explicitly configure public DNS servers, such as Google’s (8.8.8.8 and 8.8.4.4), in the operating system’s network settings rather than accepting the ones the router hands out; this applies to both mobile and non-mobile systems. Note that this protects against a router that hands out a rogue resolver address, not against a network that intercepts DNS traffic itself; for that case, consider the advice we provided earlier about using open Wi-Fi networks, which includes the use of VPNs.

    Who are the likely targets of attacks like these? Most likely homeowners and small businesses that use consumer-grade routers. In such cases, we highly recommend that users keep the firmware of their devices up to date. (For this particular router, for example, updated firmware is available for some hardware versions.)

    Two settings can also help reduce the risk from these attacks: first, forward port 80 to a non-existent internal IP address, so that requests reaching the router from outside never arrive at its web interface; second, disable access to the router’s web management interface from the WAN side of the network altogether.

    Update as of May 26, 2014, 02:25 A.M. PDT

    Based on our further analysis, we found out that TSPY_FAREIT.VAOV downloads BKDR_NECURS.BGSJ, which drops RTKT_NECURS.B. NECURS is known for disabling security features on affected systems. In this case, BKDR_NECURS.BGSJ disables the Windows firewall, and RTKT_NECURS.B also disables other security-related services.

    Aside from the functions mentioned above, since the start of 2014 we have seen NECURS malware associated with banking Trojans such as ZBOT.

    We detect the malicious files that are part of this attack.

     
    Posted in Malware, Vulnerabilities


     

    © Copyright 2013 Trend Micro Inc. All rights reserved.