Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    May 2014
    S M T W T F S
    « Apr   Jun »
  • Email Subscription

  • About Us

    Archive for May, 2014

    Targeted attacks are known to use zero-day exploits. However, old vulnerabilities are still frequently exploited. In fact, based on cases analyzed in the second half of 2013, the most exploited vulnerability in this time frame was CVE-2012-0158, a Microsoft Office vulnerability that was patched in April 2012. This shows how important applying the latest patches and security updates are in mitigating the risks posed by these threats.

    Figure 1. Most commonly exploited vulnerabilities related to targeted attacks


    Our findings (based on cases that we have analyzed) indicate that 80% of targeted attack-related incidents affect government institutions. This is followed by the IT sector (both hardware and software) and the financial services (banks).  In terms of countries affected, Taiwan and Japan are the two most hit by targeted attacks.

    In addition, we also monitor the locations of various IP addresses that accessed known C&C servers associated with targeted attacks. Our data show that Taiwan, Japan, and the United States were the most targeted countries.

    Figure 2. Countries with the most number of users who accessed C&C servers related to targeted attacks

    Tools of the Trade

    Nearly 60% of malware used in targeted attacks are Trojans or Trojan spyware. These types of malware steal user credentials that provide the gateway for threat actors to exploit other areas of a penetrated network. This is followed by backdoors (22%) employed to establish C&C communications and lead to the next stages of targeted attacks. It is also interesting to note that almost 10% of malware related to targeted attacks run only on 64-bit platforms.

    Figure 3. Non 64- and 64-bit malware distribution

    Spear phishing is still the most seen entry point for targeted attacks. These email messages use relevant-sounding subjects that trick users into opening it and the file attachments therein that serve as malware carriers.  In our 2014 prediction, we noted that mobile devices will also be leveraged by threat actors to gain entry to networks.

    Custom Defense against Targeted Attacks

    Although targeted attacks are difficult to detect, this task can be made easier with solutions that use advanced threat detection technology that can detect, analyze, and respond to attacks that traditional antivirus signature-based solutions and blacklisting are not capable of.

    Targeted attacks often leave traces that can serve as indicators of compromise. As such, enterprises and large organizations are encouraged to build their own threat intelligence capability, which they can incorporate into their own existing security solutions.

    For more details on the trends in targeted attacks in the second half of 2013, read the full report here.

     To get the latest news on targeted attacks, visit Threat Intelligence Resources – Targeted Attacks. 

    Posted in Targeted Attacks | Comments Off on Targeted Attack Trends: A Look At 2H 2013

    VOBFUS malware is known for its polymorphic abilities, which allow for easy generation of new variants. We recently came across one variant that replaces these abilities for one never seen in VOBFUS malware before—the ability to “speak” several languages.

    Infection in Different Languages

    Just like other VOBFUS variants, this new variant, detected as WORM_VOBFUS.JDN, propagates by dropping copies of itself in removable drives. Previously, variants used these eye-catching file names in order to convince users to click on the dropped file:

    • passwords.exe
    • porn.exe
    • secret.exe
    • sexy.exe

    WORM_VOBFUS.JDN, on the other hand, takes it one step further by dropping files with files name that depend on the infected computer’s OS language and location. For example, a computer with English as the OS language may receive any of the following files:

    • I love you.exe
    • Naked.exe
    • Password.exe
    • Sexy.exe
    • Webcam.exe

    Whereas a computer that uses Bahasa Indonesia may receive the following files:

    • Aku mencintaimu.exe
    • kata sandi.exe
    • seksi. exe
    • Telanjang.exe

    This variant also uses file names written in these languages:

    • Arabic
    • Bosnian
    • Chinese
    • Croatian
    • Czech
    • French
    • German
    • Hungarian
    • Italian
    • Korean
    • Persian
    • Polish
    • Portuguese
    • Romanian
    • Slovak
    • Spanish
    • Thai
    • Turkish
    • Vietnamese

    While the languages may differ, they all translate to I love you, Naked, Password, and Webcam.

    Malware Going Local

    Infection by way of “localized” threats could be seen as one way for cybercriminals to transform unsuspecting users into victims. Seeing a file or a notification written in their language might pique users’ interest more than seeing one written in English. Users may also find a false sense of security in these “localized” files and notifications as they might view these as less suspicious than other files.

    Police ransomware is one threat that uses this particular technique. These malware pose as the local law enforcement agency of the victim’s country to urge users to pay the fee for their locked computers. For example, a French victim will receive a notification from Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI. There have even been instances wherein the ransomware will use an audio clip in the victim’s language.  Posing as local law enforcement agencies adds a sense of legitimacy to the claim and may further convince victims to pay the fee.

    We have also seen file-encrypting ransomware use this approach. These malware locks computers and encrypts files until the victim pays a fee. We came across two incidents that targeted Turkish and Hungarian users. The spam containing the malware and the notification were written in their language.

    Cybercriminals will do anything or use any technique possible to gain new victims. We advise users to avoid clicking links or files unless these can be verified. For ransomware incidents, since the files cannot be decrypted (aside from perhaps paying the fee), it’s also good practice to constantly back up files in case of instances such as this one. Trend Micro blocks all threats mentioned in this entry.

    Posted in Malware | Comments Off on VOBFUS Evolves, Adds Multiple Languages

    Patch-Tuesday_grayThis month’s Patch Tuesday features eight bulletins, the most number of bulletins released for the year so far. Out of the eight bulletins, two are rated as ‘critical’ and the remaining, ‘important.’ While Microsoft may have released an out-of-band update for Windows XP to address a (then) zero-day vulnerability, updates for that OS are noticeably absent for this rollout.

    Aside from the eight bulletins, this Patch Tuesday also includes the out-of-band security patch that was released two weeks ago addressing an Internet Explorer zero-day vulnerability. But that isn’t the only update concerning Internet Explorer. One of the two ‘critical’ updates, MS14-029, addresses two privately reported vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

    The second ‘critical’ update (MS14-022) addresses multiple vulnerabilities in Microsoft Office server and productivity software. According to Microsoft, “[t]he most severe of these vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.”

    Two updates address vulnerabilities concerning Microsoft Office. MS14-023 resolves vulnerabilities that could allow for remote code execution if a user opens an Office file in the same network directory as a specially crafted library file. MS14-024, meanwhile, resolves a vulnerability that could security feature bypass if a user “views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer.” The remaining updates address vulnerabilities that could allow elevation of privilege and denial of service if exploited.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page for further information. Two rules for Trend Micro Deep Security and Trend Micro Intrusion Defense Firewall plugin for OfficeScan have also been created and are available for use by system administrators:

    • 1006034 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310)
    • 1006056 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815)

    Update as of 7:26 PM, June 12, 2014

    Adobe has also released security updates to address vulnerabilities affecting Adobe Flash Player. Once these vulnerabilities are successfully exploited, remote attackers can potentially control the system. We highly advised users to update their Adobe Flash Player to version

    Trend Micro Deep Security and Office Scan with Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

    • 1006062 – Adobe Acrobat And Reader Use-after-free Vulnerability (CVE-2014-0527)
    • 1006070 – Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515) – 1
    • 1006066 – Adobe Reader Unspecified Security Bypass Vulnerability (CVE-2014-0512)
    Posted in Vulnerabilities | Comments Off on May 2014 Patch Tuesday Rolls Out 8 Bulletins

    The first quarter of the year saw cybercrime hit targets that may not have been considered worthwhile in previous quarters. Multiple Bitcoin exchanges found themselves the victims of various attacks and were forced to close shop. The most high-profile victim Mt. Gox, which had been, at one time, the leading Bitcoin exchange in the world.

    Exchanges were not the only target. With more than 12 million Bitcoins in existence – with a value of 6-8 billion US dollars – it was only a matter of time before Bitcoins were targeted for theft in the same way that real-world currencies are. Multiple malware families targeted the Bitcoin wallets of users in order to steal their contents.

    Despite the best intentions of the creators and many users of Bitcoin, its perceived anonymity and privacy has meant that many cybercriminal elements have adapted the cryptocurrency as well. For example, CryptoLocker ransomware frequently asks for payment in Bitcoin. In many cybercrime marketplaces, underground tools are also bought and sold with Bitcoin as the form of payment.

    This shouldn’t be taken to mean that ordinary cybercrime threats have gone away. Take conventional online banking malware: it is up over the same period last year, with the United States, Japan, and India the three most affected countries.

    Figure 1. Countries Most Affected by Online Banking Malware

    Ransomware in the form of CryptoLocker also continued to affect users. As has been the case with previous ransomware threats (like the Police Trojan), CryptoLocker and similar threats have become “regional”, with variants specifically targeting users in Hungary and Turkey. Only 28% of ransomware victims are in the United States, so these tactics make perfect sense.

    Figure 2. Countries Most Affected by Ransomware

    Large-scale cybercrime threats continued as well. Multiple large-scale incidents of malware affecting point-of-sale (POS) terminals resulted in millions of credit card credentials being stolen, resulting in millions of dollars of losses. These attacks used techniques that would not be out of place in a more sophisticated targeted attack; they highlighted the importance of custom defence strategies.

    Mobile malware continued its inexorable growth, with the total number of mobile malware and high-risk apps exceeding two million. More than 647,000 apps of these were found in the first quarter alone. Adware surpassed premium service abusers in number, in part due to pushback from cellular service providers. In addition, security vulnerabilities were also found in Android that could leave users in an infinite boot loop.

    For more details about these and other security threats in the first quarter, check our security roundup titled Cybercrime Hits the Unexpected.


    From a security perspective, phishing attempts are pretty much old hat. In most cases, phishing attempts or attacks focus on getting one particular credential, such as those for credit cards or user accounts. We are now seeing cybercriminals attempt to get more credentials by using phishing pages that allow for multiple email logins.

    Multiple Logins Allowed

    We came across some shortened URLs that lead users are lead to phishing pages that mimic popular sites, including Facebook, Google Docs (now known as Google Drive), OneDrive, and several property websites. In order to proceed, users must log in using their email address.

    Figure 1. Log in page featuring different email providers

    The unique feature about these phishing pages is that they include options for several email providers. Users can log in using any of their accounts in Yahoo, Gmail, AOL, and Windows Live. There is even an “other emails” option, in case the user’s preferred email provider is not given. It’s interesting to note that the pages accept any words or even gibberish typed in—a sure sign that the pages are more concerned with collecting data.

    Figure 2. “Other emails” gives users more options to supposedly log in

    After signing in, users may encounter a “loading” or “server error” notification before they are led to the actual site. For example, users who visit the “Google Docs” site are led to a shared document about intentions for prayers.

    Figure 3. Document hosted in Google Docs

    Phishing Steps Up

    This particular phishing scheme shows that cybercriminals are still refining their techniques. In this case, the cybercriminals took the extra steps to make sure the scheme appears as legitimate as possible (e.g., the redirection to legitimate sites, the use of an actual document for Google Docs).

    Users should be wary of clicking shortened URLs, especially if they come from unverified sources. It’s recommended that they simply use bookmarks or type in the site’s URL directly into the address bar to avoid phishing pages. They should also double-check a site’s URL before they give out any user information; it has become all too easy for bad guys to create login pages that are near-identical to legitimate ones.

    Trend Micro blocks all threats related to this incident.

    Posted in Bad Sites | Comments Off on Phishers Cast Wider Net, Now Asking for Multiple Emails


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice