    Archive for June 10th, 2014

    Two out of seven bulletins in today’s Microsoft Patch Tuesday are tagged as critical, while the rest are marked as important. The critical bulletins address a number of vulnerabilities in Microsoft Office and Internet Explorer which, when exploited, could allow remote code execution and thus compromise the security of affected systems.

    Perhaps the most interesting bulletin here is MS14-035, which resolves flaws in Internet Explorer versions 6 to 11. These flaws can be abused via a specially crafted web page and could lead to attackers gaining more user rights on the affected systems. The bulletin only patches the vulnerability for Server 2003, but the vulnerability almost certainly exists in the now-unsupported Windows XP as well.

    This is the sort of problem that we warned about earlier this year: newly discovered vulnerabilities will now be wide open for use by attackers. This particular problem will only get worse over time.

    Another critical bulletin, MS14-036, fixes flaws in Microsoft Windows, Microsoft Office, and Microsoft Lync, a platform for video messaging and conferencing. A specially crafted web page or file could be used to compromise the system.

    MS14-032 also addresses vulnerabilities in Microsoft Lync, which can lead to information disclosure when exploited. Another notable bulletin is MS14-031, which addresses vulnerabilities in Microsoft Windows that can lead to denial of service when exploited by cybercriminals.

    Meanwhile, Adobe also rolled out one security bulletin to resolve issues in Adobe Flash Player, covered under the following CVEs. This brings the current version of Adobe Flash Player to

    • CVE-2014-0531
    • CVE-2014-0532
    • CVE-2014-0533
    • CVE-2014-0534
    • CVE-2014-0535
    • CVE-2014-0536

    We highly recommend that users apply these security patches and upgrade their Adobe products to the latest versions. This prevents their systems from being infected by threats that leverage the vulnerabilities discussed in these security bulletins.

    Users may also visit our Trend Micro Threat Encyclopedia page to know more about the appropriate Deep Security solutions.

    Posted in Vulnerabilities | Comments Off on June 2014 Patch Tuesday Resolves Critical Flaws in Internet Explorer, Microsoft Office

    We recently wrote about the difference between cybercrime and cyber war, which comes down to the attack’s intent. With the same intent of gaining information to use against targets, cybercriminals and attackers place less importance on their choice of “tools”, as these campaigns are all about who carries out the attack. Ultimately, a simple equation can be drawn from these observations: a highly successful attack is composed of the attack’s intent and the right tools.

    Our newest research paper Cybercriminals Use What Works: Targeted Attack Methodologies for Cybercrime sheds more light on reasons why cybercriminals adopt certain targeted attack methodologies. The paper discusses two case studies that show how cybercriminals continuously learn to make the most of these attack methodologies in “traditional” cybercrime for better financial gain. For cybercriminals, the more financial gain they get, the better it is.

    Case studies: “Arablab” and “Resume.doc”

    The “arablab” case study deals with an attack exploiting the CVE-2010-3333 vulnerability using a maliciously crafted document. Using our gathered information, we believe the perpetrator named “arablab” may be residing in the United States and may have been part of a gang known for launching 419 scams.

    The second case study, “Resume.doc”, shows how cybercriminals used specially crafted documents that executed malicious macros, an infection method that is far from advanced but works to the cybercriminals’ advantage. Most of the victims who accessed the (then) compromised site related to this attack were from the United States, Canada, and Great Britain.

    As targeted attack methodologies have not changed much over the years, the onslaught of targeted attacks confirms that similar threats are becoming more prevalent. With that, we recognize that these methodologies are just as effective as they are prevalent. In the end, we can conclude that an attacker’s goals and game plans are based on, simply put, whatever works.

    Read the full paper here: Cybercriminals Use What Works: Targeted Attack Methodologies for Cybercrime.

    Posted in Malware, Targeted Attacks | Comments Off on Targeted Attack Methodologies for Cybercrime

    Last April, we reported a KULUOZ spam campaign using the South Korean ferry sinking tragedy, one that came hot on the heels of the actual event itself.

    KULUOZ, as we discussed in that blog entry, is a malware family distributed by the Asprox botnet. It can download certain strains of FAKEAV and ZACCESS malware onto the affected system, and it can also turn that system into a part of the Asprox botnet itself (by installing certain components). As a result, the system is not only infected by malware but also turned into a spam distributor. We discovered the existence of the spam campaign itself around the tail end of March.

    Now it appears that the spam campaign is still going strong, with the cybercriminals behind the attack leveraging headlines from major news outlets. Some of these headlines include:

    • ‘Misunderstood son’ returns
    • ‘Vampire’ burial keeps myth alive
    • ,000 to spare? Take a road trip
    • Asia stocks mixed after ECB action
    • Centenarians ‘are outliving disease’
    • Company seeks more approval for clot blocker
    • Dozens killed by Baghdad bombings
    • Driving ex-soldiers back to work
    • E3: Video games ready for action
    • EU diplomatic dance around Juncker
    • Father’s plea over baby feed death
    • Football: Ribery ruled out for France
    • GOP chairman: Chris Christie should remain at RGA
    • Hollywood pays tribute to Jane Fonda
    • Horse racing: Australia’s day in Derby
    • Inside a political storm
    • Knife attack at South China Station
    • Links to UK political websites
    • Living with bound feet
    • Many missing as South Korea Ferry sinks
    • Meteors streak through night sky
    • Npower to change bill-chasing method
    • Poland’s mini desert
    • Police quiz kids over online abuse
    • Political editors across England
    • Q&A: Why is slurry so dangerous?
    • Russian proton rocket fails
    • S. Africa’s Zuma admitted to hospital
    • Saved by an illegal, homemade radio
    • Sen. Ted Cruz sidesteps question about 2016 plans
    • Sheeran clinches number one spot
    • Smashed Hits: Another Star
    • SpaceX unveils new spacecraft to take astronauts to space station, back to Earth
    • Spacey denies Bond baddie rumours
    • Sudan woman clings to Christian faith despite death sentence, husband says
    • Teenage star of cancer diagnosis
    • Thai coup prompts warnings to tourists
    • Turning highways into power plants?
    • U.N.: Chemicals damaging health and environment
    • U.S. ‘hypocrisy’ in cybertheft charge
    • U.S. : Jihadi featured in suicide bombing video in Syria grew up in Florida
    • UK ‘second best education in Europe’
    • Ukraine President
    • VIDEO: Climate change to cause flash floods
    • VIDEO: House of Commons
    • VIDEO: The 2014 World Cup in numbers
    • Vodafone reveals direct wiretaps
    • Watch lightning strike moving car
    • What do young Harvard graduates believe?

    How they leverage the headlines themselves is relatively simple, and typical of a spam attack: they copy the headline and part of the news article from the news website and place it into the mail itself, both to make the mail look legitimate to the user and to bypass spam filters. It seems that this campaign also used CNN and BBC News as sources for the news snippets incorporated into its spam runs.

    Figure 1. KULUOZ spam sample with “Knife attack at South China (Guangzhou) Station”

    Analyzing the samples we found of these campaigns (specifically the one with news of the Thai coup), we found that the spam email itself retains the previous template of shipping notifications, including that of Fedex and United States Postal Service.

    Figure 2. KULUOZ spam sample with “Thai Coup news item”

    Similarly to previous spam runs, it notifies the reader that a parcel has been received in the local post office and that they need to print out a shipping label in order to receive said parcel.

    The mail then presents a link where the user can indeed print out the shipping label, but as it turns out, the link is malicious and leads to a download of a malware that we detect as BKDR_KULUOZ.ED.
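    As an added illustration (not code from the original post or from Trend Micro), the heuristic below shows how a mail gateway could flag the lure pattern described above: a news-headline subject sitting on a parcel-notification body, a courier brand in the display name that does not match the sender domain, and a “print your shipping label” link that points somewhere other than the claimed courier. The courier domain list, the regular expressions and all three sample messages are constructed for this demo and are not real KULUOZ samples.

```python
"""Heuristic triage for shipping-notification spam that borrows news headlines.

Added example, not Trend Micro code. The courier domains and the sample
messages below are constructed for the demo; a production gateway would
maintain the domain list centrally and combine this with other signals.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the only legitimate sending domains for courier-branded mail.
COURIER_DOMAINS = {
    "fedex": {"fedex.com"},
    "usps": {"usps.com"},
    "united states postal service": {"usps.com"},
}

# Phrases matching the lure described in the post: a parcel waiting at the
# local post office and a shipping label that must be printed.
SHIPPING_LURE = re.compile(
    r"(print\s+(out\s+)?(the|your)\s+shipping\s+label|"
    r"parcel\s+(has\s+been|was)\s+received\s+(at|in)\s+(the|your)\s+"
    r"(local\s+)?post\s+office)",
    re.IGNORECASE,
)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
PARCEL_SUBJECT = re.compile(r"(parcel|shipment|package|delivery)", re.IGNORECASE)

# Constructed sample messages (not real samples).
SAMPLES = {
    "lure": (
        "Subject: Thai coup prompts warnings to tourists\n"
        "From: FedEx Customer Service <notice@mailer-7781.example>\n\n"
        "Thai coup prompts warnings to tourists. Tourists in Bangkok were advised...\n"
        "Your parcel has been received at the local post office. To receive the\n"
        "parcel you need to print out the shipping label:\n"
        "http://label-print.example/track.php?id=7781\n"
    ),
    "newsletter": (
        "Subject: Daily briefing: Russian proton rocket fails\n"
        "From: News Desk <news@example-news.invalid>\n\n"
        "Russian proton rocket fails shortly after launch. Read more:\n"
        "http://www.example-news.invalid/story/rocket\n"
    ),
    "courier": (
        "Subject: Your FedEx shipment 1234 has been delivered\n"
        "From: FedEx <tracking@fedex.com>\n\n"
        "Your package was delivered today. Track it at http://www.fedex.com/track\n"
    ),
}


def triage(raw: str) -> dict:
    """Return the indicators found in one RFC 822 message plus a verdict."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display, addr = parseaddr(msg.get("From", ""))
    # Keep the demo simple: only single-part text bodies are inspected.
    body = "" if msg.is_multipart() else (msg.get_payload() or "")
    hits = []

    # 1. Body carries the "print your shipping label" / local post office lure.
    if SHIPPING_LURE.search(body):
        hits.append("shipping_label_lure")

    # 2. Subject reads like a news headline, yet the body is a parcel notice.
    if "shipping_label_lure" in hits and not PARCEL_SUBJECT.search(subject):
        hits.append("headline_body_mismatch")

    # 3. Display name claims a courier but the address domain does not match.
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in COURIER_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            hits.append("courier_brand_spoof")
            break

    # 4. A link in the body points somewhere other than a known courier.
    allowed = set().union(*COURIER_DOMAINS.values())
    for host in URL_HOST.findall(body):
        host = host.lower().split(":")[0]
        if not any(host == d or host.endswith("." + d) for d in allowed):
            hits.append("offbrand_link")
            break

    # Two independent indicators are required, so a plain newsletter with an
    # external link or a genuine courier notice stays clean.
    verdict = "suspicious" if len(hits) >= 2 else "clean"
    return {"subject": subject, "hits": hits, "verdict": verdict}


def triage_all(samples: dict) -> dict:
    """Map each sample name to its verdict."""
    return {name: triage(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{name:10s} {result['verdict']:10s} {result['hits']}")
```

    The threshold of two indicators is the design choice worth noting: any single signal (an external link, a courier name in the display field) is common in legitimate mail, but the combination of a headline subject, a post-office lure and an off-brand label link is exactly the template the post describes.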


    Figure 3. The file “” is downloaded and detected as BKDR_KULUOZ.ED

    While this may seem like a typical spam run that uses news headlines to bypass spam filters (and to trick users into reading the mail), it is worth noting that the malware being used can compromise the security of unsecured systems should it be allowed to take root.

    The continued use of news headlines is also something to bear in mind: it is proof that as long as there is news to talk about, there will be threats that take advantage of it. No doubt we’ll be seeing this spam campaign continue as time goes on; readers can be sure that we’ll post updates in the Security Intelligence blog as necessary.

    Trend Micro customers are protected from this threat and the malicious files involved.

    Posted in Bad Sites, Malware, Spam | Comments Off on Cybercriminals Steal News Headlines for KULUOZ Spam Campaigns


    © Copyright 2013 Trend Micro Inc. All rights reserved.