    Archive for June, 2014

    Over the past few years, there has been proliferation of intelligent connected devices introduced into homes across the globe. These devices can range from the familiar – such as tablets, smart phones, and smart TVs – to the less familiar, such as utility meters, locks, smoke and carbon monoxide detectors, motion detectors and scales.

    Other devices, like wearable technologies, or wearables, such as fitness and lifestyle monitoring devices, and smart glasses are making an entrance into our regular way of life.

    This effect, known as the “smartification” of the home, becomes very apparent when comparing a visual snapshot of the typical home now with one from, say, 5-7 years ago.

    Figure 1. Home networks before

    Figure 2. Home networks today

    Our understanding of the global prevalence of smart devices and their implications to the attack surface of the home is critical, as it allows us to better understand the security demands of the connected home. We had earlier discussed the possibility of threats against the Internet of Everything in our 2014 predictions. Below, we discuss some interesting forces that can influence – for good or bad – the prevalence of these smart devices.

    Market Pressure

    In the United States, there is already a large amount of effort going into marketing around household smart devices with a focus on convenience, security, and energy conservation. It is now fairly common to see smart hubs and smart devices (including home appliances) being sold in electronics, department and hardware stores, such as Home Depot, Lowes, Best Buy and Sears. Online retailers like Amazon, as well as specialty vendors like SmartHome.com, are also selling a broad range of smart devices for the home.

    Broadband providers, such as AT&T, Verizon, Comcast, Time Warner, and others are now providing consumer smart home automation packages as well. These are based on a subscription model, and can be added on to the existing Internet service of customers. Independent providers such as Vivint, Iris, Nexia, Savant, and others also provide similar subscription-based services to manage one’s home.

    Non-service based smart hub offerings, such as SmartThings, Revolv, Vera, and Loxone provide equipment bundles that allow the consumer to enhance their home – without having to pay subscription charges. Apple’s upcoming HomeKit, currently slated for fall 2014, appears to make use of the smart phone, as the primary “hub” for orchestrating devices at home.

    It may be surprising to realize that much of the functionality of these smart home offerings has actually existed for many years. However, in the past, these systems had less focus on simplicity, openness, and compatibility. Newer devices have these characteristics, and as a result even tech-averse consumers can deploy and manage these devices over their life span.

    Regional Availability

    Regional availability of smart devices will affect the rate at which homes become smarter over time. In the US and Europe, for example, there are already a significant number of smart devices available on the market. Global companies such as GE, LG, and Samsung, are already providing smart versions of appliances that they have traditionally produced for many years, in many different regions of the globe. Apple is another example of a brand with global outreach potential.

    By contrast, local or regional brands — ones that have historically been focused on one country or region, which may be trusted more by their base of local customers — may be slower to introduce “smart devices” into their product lineup. They may also not have the immediate ability or even local demand to justify competing with global brands. Customers loyal to these brands may not be as keen to embrace smart devices.

    Regional Cost

    The cost of a smart device will affect its availability to the average consumer in different regions of the globe. Though cost is just one factor, as these devices become more affordable in each region, they will likely become more attractive for consumers to purchase, resulting in an increased prevalence of these devices in a given region.

    Typically, the costs of smart devices will vary in different regions due to factors such as logistics, local taxes and import duties. This results in regional price differences. In markets where prices are relatively low, adoption will be rapid; expensive markets will see the opposite. It is safe to assume, however, that as the technology improves and becomes commoditized, the cost of these devices will fall, as it historically has.

    Regional Requirements

    Limiting the prevalence of smart devices globally is the fact that each country or region has its own regulatory requirements, including safety and security codes. For example, devices available in a specific region may need to operate on a specific voltage and frequency, have a specific plug type, and also undergo certification by safety groups (such as Underwriters Laboratories in the US).

    Not all competitors in the smart devices space may be willing (or able) to bear the costs of re-engineering and recertification necessary to meet these needs; this may be particularly true of smaller startups that lack the resources of their better-established competitors.

    In addition, global companies that manufacture and distribute smart home devices, including ad-hoc products and services, may encounter challenges at the political level that set back their products’ market potential in a given region.

    In the next blog post, we will look at some additional factors that may influence the prevalence of smart devices, and the resulting attack surface.

    Stay tuned for our upcoming Threat Intelligence Resource – Internet of Everything hub, which will provide the latest updates and information about the Internet of Everything.

    Posted in Internet of Everything, Social, Vulnerabilities



    In our 1Q Threat roundup report, we noted that the number of mobile malware and high-risk applications reached the two-million mark and is rapidly growing. In our monitoring of the mobile threat landscape, we have recently discovered an Android malware that is spreading fast in Taiwan, detected as ANDROIDOS_RUSMS.A.

    Mobile users fall victim via an SMS spam attack: they receive an SMS that lures them into installing the malicious app. The messages read as follows:

    您正在申請網上支付103年3月電費共計480元,若非本人操作,請查看電子憑證進行取消 (malicious link)

    您的快遞簽收通知單, (malicious link)

    Translated into English, these read as:

    • You are applying to have your March 2014 electricity bill paid online with a total amount of 480 Yuan. If you did not apply for this, please see the electronic certificate to cancel this action (malicious link)
    • Your express delivery notice, (malicious link)

    It’s worth noting that the first message uses security as its social engineering lure. Cybercriminals may have opted to use security warnings as the lure because users will be more inclined to click links in order to stop the supposed activity.

    The links lead to the malicious app. Once installed, the malicious app may send SMS, as well as intercept incoming ones. To profit from this, the attackers try to use micropayment schemes provided by mobile carriers. These schemes are similar to premium SMS programs; however, they require a confirmation message from the user.

    In a normal micropayment scheme, a user who shops online would have to fill out the online site’s electronic information sheet (including phone numbers). Online transactions would then have to be verified and confirmed via SMS with which a confirmation code is included to finalize the entire transaction.

    Because this malware intercepts the SMS confirmation, the victims are not aware of the charges they incur. The malware blocks an SMS if the sender address contains any of the strings listed below:

    • mopay
    • boku
    • bezahlcode
    • holyo
    • 6279
    • 33235
    • 46645
    • 55496
    • 55498
    • 66245
    • 1232111

    The blocked SMS is then forwarded to a specified IP address, allowing the attacker to complete the fraudulent transaction.

    In addition, the malware also sends the contents of the user’s contacts list to a remote server. As part of its social engineering tactic, this malware is disguised as a Google app named Google Service Framework. However, the legitimate app is named Google Services Framework. They are so similar that most people will not notice.

    When installed, this malware starts a service that periodically checks a remote server. If data is returned, the data is parsed to form an SMS, which it sends out immediately. This allows the attacker to sign the victim up for various premium services without their consent.

    The malware has two features that make detection and analysis more difficult. First, it asks the user to grant it device administrator privileges.

    Figure 1. Requesting administrator privileges

    If the user chooses ‘Activate’, the malicious app cannot be uninstalled directly. Users need to disable it first under Settings > Security > Device administrators.

    Second, it is designed to check whether it runs inside an Android emulator. It does not perform any of its malicious behavior if it is running inside one; this behavior is similar to some techniques we’ve seen used by desktop malware.

    Another malware uses a similar disguise. This one disguises itself as Google Services Framework, the same name as the legitimate app. However, the version is different. The malicious app uses version 1.0, while the legitimate Google application uses part of the Android version (for instance, 4.2.2-721232). This was detected as ANDROIDOS_RUSMS.HAT.

    Figure 2. Incorrect version number

    This particular variant also uses techniques to make detection and analysis more difficult. It is protected by an APK packer that employs self-modifying code. This means that the original code is encrypted and unpacker code is injected. When the app is launched, the unpacker code runs first. It then dynamically decrypts the payload and recovers the original code in memory.

    Since the original code cannot be run or analyzed directly, this makes detection and analysis difficult. However, this technique is not limited to malicious apps: legitimate apps also use this to protect their apps. Ironically, this is meant to prevent malicious app developers from acquiring a legitimate app and tampering with it to add malicious code.

    These threats are most prevalent in Taiwan, with more than 97% of all victims being locals. The malicious links leading to ANDROIDOS_RUSMS.A alone have been visited almost 32,000 times.

    To avoid mobile devices being infected by this type of Android malware, we recommend against installing apps from suspicious third-party app stores. Users can prevent apps from unknown sources being installed on their devices by unchecking the option under Settings > Security > Unknown Sources. Trend Micro protects users from this threat with Trend Micro Mobile Security, which detects malicious apps.

    Posted in Bad Sites, Malware, Mobile



    The 2014 FIFA World Cup in Brazil is all but underway, and the fervor of such a prestigious and newsworthy event is already setting competing nations’ populations on fire. Unfortunately, cybercriminals are getting into the mood too.

    Besides recently flooding the internet with phishing scams and the takedown of two Brazilian government sites by hacktivists (the Sao Paulo Military Police website and the official World Cup 2014 Brazil website), cybercriminals are also targeting the mobile scene with scads of World Cup-themed mobile malware – more than 375 of them already at last count. We found these malicious apps lurking in unauthorized/third party app download stores, just waiting for users to install them on their mobile devices.

    Upon analysis, we found that the bulk of the malware in question are variants of prevalent mobile malware families.

    App Fakery

    One of the malware families detected is the ANDROIDOS_OPFAKE.CTD family. This particular family first appeared in May 2013, passing itself off as fake clones of popular apps. Its malicious routines include subscribing the user to premium services, leaking user-critical information (such as the contact list and messages), and installing malicious links and shortcuts on the mobile device home screen. In just one year, the number of detected ANDROIDOS_OPFAKE.CTD variants reached 100,000, faking 14,707 apps.

    We also discovered that the remote server the apps connect to has 66 different domains, with each domain spoofing famous websites like MtGox.com.

    Figures 1 and 2. Fake World Cup game apps

    Figure 3. Fake game app premium service abuse notification

    SMS filtering and theft

    Another malware family we detected leveraging World Cup fever is the ANDROIDOS_SMSSTEALER.HBT family. Variants of this family share similar methods of fraud and fakery with OPFAKE, with one exception: they can connect to their remote C&C server to receive and execute commands, including adding an SMS filter (to block/conceal certain incoming messages), sending SMS, and installing new malware.

    Figures 4 and 5. More fake World Cup game apps

    Analyzing its C&C servers, we found 76 domains, all of them registered to a Tanasov Hennadiy. We also found that the C&C servers in question were also used to host third-party app download websites, where most apps are repacked with advertisements and information theft routines.

    Figure 6. C&C domain registrant name and address

    Figure 7. List of hosted malicious apps/files

    Premium Service Abuse

    We also found that the Trojan mentioned in our previous blog is also part of the cybercriminals’ World Cup arsenal, with a new variant we detect as ANDROIDOS_OPFAKE.HTG. It is a typical Premium Service Abuser: affected users find themselves charged with exorbitant premium service fees for services they never purchased.

    Figure 8. Fake World Cup game app/PSA

    Slot Game Swindling

    Finally, we found a malicious World Cup slot game app that we detect as ANDROIDOS_MASNU.HNT. Its malicious routines include filtering user payment confirmation messages, so that users may not notice the real amount of money they’ve been paying when playing this game, and thus spend more without restraint.

    Figure 9. Malicious World Cup slot game app

    Some football betting apps have also been found leaking information without user notification, and their micropayment process carries blatant security risks. We advise users to be very careful with their financial and personal information when using these apps (or not to use them at all).

    Besides these malware, we also found quite a few high-risk apps themed after the World Cup. Most, if not all, sport some sort of information theft routine, as well as pushing ad notifications/unwanted app advertisements.

    While it may be a fact of life that big sporting events like these will inevitably have some sort of cybercriminal attack or campaign following close behind, being a victim of them isn’t. Users are reminded not to download anything from third party app download sites, and to utilize mobile security solutions (such as our own Trend Micro Mobile Security) in order to keep their mobile devices secure.

    Readers can be assured that we will continuously monitor these World Cup-related threats and publish news updates as we get them. Check out this blog as well as our Race to Security website for all the latest news regarding this particular topic.

    Posted in Bad Sites, Malware, Mobile, Social



    We recently discussed the latest attacks affecting users in Japan that were the work of the BKDR_VAWTRAK malware. This malware family combines backdoor and infostealer behaviors and has recently added banking credential theft to its repertoire.

    It was also mentioned that this malware tries to downgrade the privileges of security software, including Trend Micro products. In this post, we will add more details on how VAWTRAK performs this routine, as well as provide information on potential countermeasures.

    How Software Restriction Policies Are Abused

    The particular feature used by VAWTRAK to disable security software is known as Software Restriction Policies. It was first introduced in Windows® XP and Server 2003. It can be thought of as a very early form of application whitelisting or blacklisting. Microsoft’s own documentation states that this feature was intended to perform the following:

    1. Fight viruses
    2. Regulate which ActiveX controls can be downloaded
    3. Run only digitally signed scripts
    4. Enforce that only approved software is installed on system computers
    5. Lock down a machine

    There are several methods that can be used to identify which files are blocked from running on a system. In the case of VAWTRAK, it uses the path where the applications are installed to determine if they should be blocked or not. It looks for the following directories under the %Program Files% and %All Users Profile%\Application folder, which are used by various security products:

    • a-squared Anti-Malware
    • a-squared HiJackFree
    • Agnitum
    • Alwil Software
    • AnVir Task Manager
    • ArcaBit
    • AVAST Software
    • AVG
    • avg8
    • Avira GmbH
    • Avira
    • BitDefender
    • BlockPost
    • Common Files\Doctor Web
    • Common Files\G DATA
    • Common Files\P Tools
    • Common Files\Symantec Shared
    • DefenseWall
    • DefenseWall HIPS
    • Doctor Web
    • DrWeb
    • ESET
    • f-secure
    • F-Secure\F-Secure Internet Security
    • FRISK Software
    • G DATA
    • K7 Computing
    • Kaspersky Lab Setup Files
    • Kaspersky Lab
    • Lavasoft
    • Malwarebytes
    • Malwarebytes’ Anti-Malware
    • McAfee
    • McAfee.com
    • Microsoft Security Client
    • Microsoft Security Essentials
    • Microsoft\Microsoft Antimalware
    • Norton AntiVirus
    • Online Solutions
    • P Tools Internet Security
    • P Tools
    • Panda Security
    • Positive Technologies
    • Sandboxie
    • Security Task Manager
    • Spyware Terminator
    • Sunbelt Software
    • Symantec
    • Trend Micro
    • UAenter
    • Vba32
    • Xore
    • Zillya Antivirus

    If it finds that any of the above directories are present, it adds the following registry entries to force applications in that directory to run with restricted privileges:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{generated GUID for the AV software}
        ItemData = “{AV software path}”
        SaferFlags = “0”

    As a result, any file under the said directory would not run, returning the following error message:

    Figure 1. Error message

    This is not the only time we have seen this tactic used, but the prominence of recent VAWTRAK attacks means there are more users affected by it than normal.
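    As an added illustration (not code from the original post or from Trend Micro), the following PowerShell audit enumerates the SRP path rules under the CodeIdentifiers key described above and flags any whose ItemData points at one of the security-product directories listed earlier. The function name and the directory subset are this example’s own choices, and it assumes it is run from an elevated PowerShell session on the host being checked.

```powershell
# Audit Software Restriction Policy path rules for entries that point at
# security-product directories (the VAWTRAK behaviour described in the post).
# Assumption: run as a local administrator on the host being checked.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Subset of the directory names the post lists as targeted; extend as needed.
$WatchedDirs = @(
    'Trend Micro', 'Symantec', 'Norton AntiVirus', 'McAfee', 'Kaspersky Lab',
    'AVAST Software', 'AVG', 'Avira', 'BitDefender', 'ESET', 'F-Secure',
    'Malwarebytes', 'Microsoft Security Client', 'Microsoft Security Essentials',
    'Panda Security', 'Sandboxie', 'Doctor Web', 'G DATA', 'Sunbelt Software'
)

function Get-SuspiciousSaferPathRules {
    param([string]$Root = $SaferRoot, [string[]]$Watched = $WatchedDirs)

    if (-not (Test-Path $Root)) {
        Write-Verbose "No Software Restriction Policies configured under $Root"
        return @()
    }

    # Recurse below CodeIdentifiers: each path rule is a subkey (GUID-named in
    # the post) that carries an ItemData value (the path) and a SaferFlags value.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { return }
        if (-not ($props.PSObject.Properties.Name -contains 'ItemData')) { return }

        $path = [string]$props.ItemData
        # Match a rule whose path ends in (or contains) a watched directory name.
        $hit = $Watched | Where-Object { $path -like "*\$_*" } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                RuleKey    = $_.Name          # full registry key of the rule
                ItemData   = $path            # directory the rule applies to
                SaferFlags = $props.SaferFlags # the post reports "0" for VAWTRAK's rules
                Matched    = $hit
            }
        }
      }
}

# Report. Any hit that an administrator did not create deserves review; an
# unwanted rule can be deleted with Remove-Item on its RuleKey (HKLM: form).
$findings = @(Get-SuspiciousSaferPathRules)
if ($findings.Count -eq 0) {
    Write-Host 'No SRP path rules pointing at security-product directories.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the script recurses under CodeIdentifiers rather than assuming one fixed subkey, it also reports path rules stored at other nesting levels beneath that key.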

    To protect our users, we not only detect and remove BKDR_VAWTRAK malware, but we also specifically detect this particular behavior to ensure that Trend Micro products are able to run and provide the necessary protection as needed. We encourage users to download and use the latest available pattern files to ensure they have the most up-to-date protection available.

    Special mention to Rhena Inocencio for the malware analysis and Roddell Santos and Dexter To for the validation of this security feature.




    Two out of seven bulletins in today’s Microsoft Patch Tuesday are tagged as critical, while the rest are marked as important. The critical bulletins address vulnerabilities in Microsoft Office and Internet Explorer which, when exploited, could allow remote code execution and so compromise the affected systems.

    Perhaps the most interesting bulletin here is MS14-035, which resolves flaws in Internet Explorer versions 6 to 11 that can be abused via a specially crafted web page and can possibly lead to attackers gaining more user rights on the affected systems. The bulletin only patches the vulnerability for Server 2003, but the vulnerability almost certainly exists in the now-unsupported Windows XP as well.

    This is the sort of problem that we warned about earlier this year: newly discovered vulnerabilities will now be wide open for use by attackers. This particular problem will only get worse over time.

    Another critical bulletin, MS14-036, also fixes flaws in Microsoft Windows, Microsoft Office, and Microsoft Lync, a platform for video messaging and conferencing. A specially crafted webpage or file could possibly compromise the system.

    MS14-032 also addresses vulnerabilities in Microsoft Lync which can lead to information disclosure when exploited. Another notable bulletin is MS14-031, which addresses vulnerabilities in Microsoft Windows that can possibly lead to denial of service when exploited by cybercriminals.

    Adobe also rolled out one security bulletin resolving issues in Adobe Flash Player, covered under the following CVEs. This brings the current version of Adobe Flash Player to 14.0.0.125.

    • CVE-2014-0531
    • CVE-2014-0532
    • CVE-2014-0533
    • CVE-2014-0534
    • CVE-2014-0535
    • CVE-2014-0536

    We highly recommend that users apply these security patches and upgrade their Adobe products to the latest versions. This prevents their systems from being infected with threats leveraging the vulnerabilities discussed in these security bulletins.

    Users may also visit our Trend Micro Threat Encyclopedia page to learn more about the appropriate Deep Security solutions.

    Posted in Vulnerabilities



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice