TrendLabs Security Intelligence Blog

Archive for July, 2014

While new threats are emerging that hit new avenues or targets like PoS systems and cryptocurrencies, old threats like phishing remain an effective means of gathering user data. A simple spam email that leverages holidays, online shopping, the release of anticipated gadgets, or hot/current news items can redirect unsuspecting users to survey scams and phishing pages that ask for their credentials and personally identifiable information (PII). A very recent example is the attacks we saw leveraging the interest around the World Cup.

Phishing pages often mimic legitimate banks’ websites to trick users into thinking that they are entering their information on the real bank’s or company’s site. As an example, the research done by Trend Micro experts on the Russian underground revealed the amount of information gathered by a single cybercriminal who “specializes” in stealing such data. Spear phishing, a more dangerous variant, is primarily used in targeted attack campaigns: these malicious emails use contextually relevant subjects and are sent to employees in various functions in order to penetrate the network.

To help users avoid becoming victims of phishing and the other threats that come with it, we created the video below to show how to spot phishing scams. It specifically looks at a phishing operation in Brazil that leveraged the recently concluded 2014 World Cup and hosted its phishing site templates, malware, and victims’ personal documents on an online file-sharing site.

This is the first of our Cybercrime Exposed series of videos, which aims to expose the inner workings of today’s threats and arm users with awareness. Stay tuned for the next episodes, to be released over the next few months.

    Posted in Bad Sites, Malware, Spam |

The security of the Android platform is based on its sandbox and permission model, which isolates each app and restricts how processes can communicate with each other. However, because Android incorporates other open source projects such as the Linux kernel and OpenSSL, it inherits their features as well as their vulnerabilities.

This means that the protection of the sandbox cannot cover every aspect of the system, and threats to Android remain. Open network ports are one potential source of vulnerabilities, and we recently found a new vulnerability in the app of a Chinese deals site, Meituan, that highlights this problem.

Earlier this year, Heartbleed was a notable example: apps that bundle their own vulnerable copy of OpenSSL to create TLS/SSL connections were at risk of leaking the contents of their process memory, regardless of whether the system library had been patched. More generally, any vulnerability in an app or external module may affect the security of the entire system.

Linux is also a potential source of vulnerabilities. Because Android is based on the Linux kernel and still uses many native Linux APIs, Linux vulnerabilities may affect Android as well. For example, CVE-2014-3153 was used by root exploit tools like TowelRoot. Another example was CVE-2014-0196.

Network protocol implementations in Linux are also facing security challenges. Vulnerabilities seen this year in the Linux TCP/IP stack included CVE-2014-0100 and CVE-2014-2523, both of which affected Android as well. These vulnerabilities, if exploited, put users at risk, as an attacker could attack their devices remotely.

Android system components that use these network protocols insecurely may also have vulnerabilities. CVE-2011-3918 was a vulnerability in the zygote process, which allowed a malicious app to launch a local denial of service attack. The cause was that the developer used a socket without setting the right permissions on it. Similar vulnerabilities include CVE-2011-1823, CVE-2013-4777, and CVE-2013-5933. Developers need to be aware of the security risks when using these protocols, as there can be serious consequences resulting from their mistakes.

User-installed apps may increase this risk as well. Look at the following screenshot:

    Figure 1. Apps with open ports

The screenshot shows how many apps listen on an open TCP port. An app that binds a listening socket to all interfaces is reachable from any network the device is connected to, and Android ships without a firewall to shield it. What if an app was built by a developer who wasn’t aware of the security issues? Even well-known software applications have their share of network-related vulnerabilities. As it stands, Android users would be better off with a firewall of some kind, but that is not part of the mobile OS today.
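As an added example (not code from the original post or from Meituan), the following Python script performs the check behind Figure 1 on a copy of the device’s `/proc/net/tcp` (for instance pulled with `adb shell cat /proc/net/tcp`). It decodes the kernel’s hex-encoded socket table, keeps only sockets in the LISTEN state, and reports which of them are bound to something other than loopback, translating the owning UID into the `u0_aN` app-UID form Android uses. The sample table is constructed for illustration: the UIDs, ports and addresses in it are invented, and the entry on port 9517 merely stands in for a listener like the one discussed in this post.

```python
import socket
import struct
from dataclasses import dataclass

LISTEN_STATE = "0A"   # 'st' column value for TCP_LISTEN in /proc/net/tcp
AID_APP = 10000       # first UID Android hands out to installed apps (u0_a0)


@dataclass
class Listener:
    addr: str
    port: int
    uid: int

    @property
    def owner(self) -> str:
        # App UIDs map to the u0_aN names shown by ps/netstat on the device
        if self.uid >= AID_APP:
            return f"u0_a{self.uid - AID_APP}"
        return f"uid {self.uid}"

    @property
    def exposed(self) -> bool:
        # Anything not bound to loopback is reachable from the network
        return not self.addr.startswith("127.")


def decode_addr(field: str) -> tuple[str, int]:
    """Turn the kernel's 'HEXIP:HEXPORT' into ('a.b.c.d', port).

    The IPv4 address is printed as a 32-bit word in host byte order; this
    assumes a little-endian device (all common Android ARM/x86 hardware)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(table: str) -> list[Listener]:
    """Return every socket in LISTEN state from a /proc/net/tcp dump."""
    listeners = []
    for line in table.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN_STATE:
            continue
        ip, port = decode_addr(fields[1])        # fields[1] = local_address
        listeners.append(Listener(ip, port, int(fields[7])))  # fields[7] = uid
    return listeners


def exposed_listeners(table: str) -> list[Listener]:
    """Listeners reachable from off-device, i.e. not bound to 127.x.x.x."""
    return [l for l in parse_proc_net_tcp(table) if l.exposed]


# Constructed sample: adbd on 5555 (uid shell = 2000), an app listening only on
# loopback (8080), an app exposing 9517 to every interface, and one established flow.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 8001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10045        0 8002 1 0000000000000000 100 0 0 10 0
   2: 00000000:252D 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 8003 1 0000000000000000 100 0 0 10 0
   3: 0F00A8C0:B0C4 A5E1D87B:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 8004 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_TABLE):
        print(f"{l.owner:>10} listens on {l.addr}:{l.port} (reachable from the network)")
```

Feed it the real table from an adb shell (IPv6 sockets live in `/proc/net/tcp6`, which this version does not decode), and map the reported UID to a package with `pm list packages -U` on releases that support that flag; on recent Android versions `/proc/net/tcp` is no longer readable by unprivileged apps, so the check has to run from the shell. An app that needs a local control channel should bind to 127.0.0.1, or better use a permission-protected bound service or `LocalSocket` instead of a TCP port, and in every case authenticate the peer before acting on what it sends.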

This kind of vulnerability does exist on Android. We found one in the Android app of Meituan, a Chinese site similar to Groupon. It affects versions of the Meituan app below 4.6.0. Vulnerable versions of this app listen on TCP port 9517, which allows the app to receive messages from a server. However, because it does not authenticate the sender, any machine that can reach the phone over the network can trigger a command on it.

    The code snippet responsible for the vulnerability is below:

    Figure 2. Vulnerable app code

It parses the received TCP data in a certain format and then fires android.intent.action.VIEW with the “intent” taken from the received data. Because the target of that intent is attacker-controlled, an attacker can use the victim’s phone to send large numbers of messages to a fraudulent number, or open phishing websites in the browser.

If your Android version is older than 4.0.4, the USSD vulnerability (a tel: URI carrying a USSD code handed to the dialer) may also be triggered through this problem. This means that your phone may even be remotely wiped by an attacker!

We look forward to enhancements to Android security like SELinux, the Storage Access Framework, and Device Administration. However, there are still many unprotected parts of the Android system. These network vulnerabilities will be a significant problem moving forward.

    We disclosed this vulnerability to Meituan on June 3 of this year, and the vendor confirmed it to us on the same day. A fix was issued to users two days later on June 5, with version 4.6.1 of the app. Trend Micro and Meituan worked together on the solution, and we mutually agreed to disclose details of this vulnerability at this time.

    Posted in Mobile, Vulnerabilities |

    Ever since the mobile boom, smartphones have become an integral part of our lives, enough that they’ve become virtually indispensable in today’s fast-paced world. Not only do they serve to connect us to our friends and loved ones wherever they may be, but they also allow us to do our daily tasks and chores all with a single tap of a screen. We’ve formed such an unbreakable relationship with our smartphones that cybercriminals have included them in their list of targets to attack for monetary gain. For better or for worse, smartphones have become an important part of our daily toolset for life.

From the way the winds of change are blowing, however, it seems that smartphones are about to become a bigger part of our lives, this time with the Internet of Everything involved. With the unveiling of iOS 8, Apple also revealed HomeKit, a framework that will help users manage third-party IoE-enabled devices in their homes. With HomeKit, users will be able to group devices by the rooms they are installed in, and set parameters and controls unique to each ‘room’ grouping. This lets users modify settings easily, either on a room-by-room basis or more granularly. As of this writing, Google has yet to come up with an equivalent, but we can expect to see one soon.

With this development, we can already see how it’s going to be quite the next big thing, in terms of overall convenience and cool factor. What’s more convenient – and honestly, exciting – than controlling the myriad elements in your home with the gadget you do nearly everything on? Scenarios like your refrigerator texting you while you’re outdoors, reminding you that you’re low on eggs – or remotely turning off an appliance you suddenly remembered only after leaving your home – have universal appeal, and smartphone makers are trying to get us to that future.

    But that’s only one side of the coin. The other side, unfortunately, is that introducing the smartphone to your automated home ecosystem may not be the most secure of decisions. This is because the many security pitfalls of the platform – that we’ve talked about at length in this blog – may carry over to the IoE-enabled devices in your home, and thus make you vulnerable to cybercriminal attacks. A cybercriminal hacking into your phone to subscribe you to premium services? Already done. A cybercriminal hacking into your security system THROUGH your phone, deactivating it so they can rob you blind? Very possible!

This is the gist of our latest Mobile Monthly Report, titled “Mobile Security and the Internet of Everything: The Smartphone Remote Hub Problem”. We explore just what the ramifications are, security-wise, of making your smartphone the ‘remote hub’ or ‘universal remote’ of the automated home network. We also look into what early adopters can do to help protect themselves, in case they have already done the deed. We also have June’s mobile malware and adware stats for our readers to peruse.

Smartphones may be the be-all and end-all of convenience, but given how hot they are in the eyes of cybercriminals, we need to use them carefully. You can check out the latest MMR here.

    Posted in Mobile |

In the first half of the year, spam volume increased by 60% compared to 1H 2013. We attribute this to several factors: the prevalence of DOWNAD, and the steady growth of malware with spam-sending capabilities (such as MYTOB). Prevalent threats like UPATRE and ZeuS/ZBOT also employed spam as an infection vector to deliver their payloads. In our 2013 review of the spam landscape, we predicted that spam would still be used to distribute malware. This remains true.


    Figure 1. Spam volume for Q2, 2014

    Spam Attacks Target German Users

Almost 83% of all spam analyzed was written in English; the other 17% was in other languages. The top non-English language used in spam is German, followed by Japanese. We spotted spam attacks written in German that led to control panel (CPL) malware, which had initially affected Brazilian users earlier this year. Moreover, towards the later part of 2Q 2014, we saw the emergence of EMOTET, a banking malware that sniffs network traffic to steal user data. It likewise arrives via email messages that purport to be shipping invoices and bank transfers. Based on our investigation, certain banks in Germany are included in this threat’s list of monitored websites.


Figure 2. Top 5 languages used in spam mails

    The curious case of image and salad spam

Based on our honeypot sources, the top three spam types are malware-related (20%), health-related (16%), and commercial and stock spam (11%). We also saw a surge of stock spam in the last six months; one sample we spotted offers trading tips that will supposedly help users get rich quickly. In terms of techniques, salad words (random gibberish) used to be hidden in the HTML of the message; now they are placed in the visible message body together with news clips, to make the message appear legitimate and to bypass spam filters. In addition, spammers are combining not-so-new techniques, pairing news clips with image spam instead of sending a plain image, again to avoid detection by spam filters.


    Figure 3. Top spam categories

New and recycled spam tactics and techniques

Newsworthy events, movies, and issues remain effective social engineering lures to trick users into opening spam emails, which can lead to the theft of data and system information. KULUOZ, a malware family distributed by the Asprox botnet, takes a different turn: it lifts news headlines from CNN and BBC and places the snippets in the email body. We observed that the spam copies part of the news article together with the headline so as to bypass spam filters. The coup in Thailand is one of the many notable news items leveraged by these campaigns. Apart from stealing headlines, this specific KULUOZ spam run employs its usual tactic of using shipping notification templates.

Another trend we observed is the abuse of popular file storage platforms like Dropbox to host malware. Last May, we noticed that UPATRE-related spam used a Dropbox link not only as part of its social engineering lure but also as the download location for the malicious files. Users who clicked the URL were taken to Dropbox and downloaded UPATRE, a malware family known for downloading the information stealer ZeuS. The ZeuS variant that UPATRE downloads in turn downloads another malware, NECURS. In other samples we gathered, the Dropbox link is embedded in the message body but leads to Canadian pharmacy websites. We also spotted a spammed message that abused CUBBY, another file hosting service similar to Dropbox; this particular spam run leads to a BANKER variant instead.
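The following Python snippet is an added example, not code from the original post: a mail-filter rule of the kind the paragraph above calls for. It parses raw messages with the standard library’s email package, pulls URLs out of the text and HTML parts, and flags links to the file-hosting services named here (Dropbox, Cubby) when they carry a forced-download parameter (Dropbox’s `?dl=1`) or point at an executable or archive. A file-hosting link without either indicator is still reported, but not marked suspicious, so the pharmacy-redirect case stays distinguishable from the malware-download case. The four messages are constructed for this illustration; the sender names, link identifiers and filenames are invented and do not correspond to the campaigns Trend Micro observed.

```python
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Base domains of the file-hosting services abused in the campaigns described above
FILE_HOSTS = ("dropbox.com", "dropboxusercontent.com", "cubby.com")
# Extensions that should never arrive as a "shipping invoice" or "bank transfer"
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".jar", ".zip", ".rar")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def file_host(hostname):
    """Return the matching file-hosting base domain, or None."""
    host = (hostname or "").lower().rstrip(".")
    for base in FILE_HOSTS:
        if host == base or host.endswith("." + base):
            return base
    return None


def body_text(raw: str) -> str:
    """Concatenate the decoded text/plain and text/html parts of a raw message."""
    chunks = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_urls(raw: str) -> list:
    # Strip punctuation that regularly trails a URL in running text
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body_text(raw))]


def classify_url(url: str):
    """Describe a file-hosting link; None for URLs on other hosts."""
    parsed = urlparse(url)
    host = file_host(parsed.hostname)
    if host is None:
        return None
    reasons = []
    if parse_qs(parsed.query).get("dl") == ["1"]:
        reasons.append("forced download (dl=1)")
    if any(seg.lower().endswith(RISKY_EXT) for seg in parsed.path.split("/")):
        reasons.append("executable/archive payload")
    return {"url": url, "host": host, "reasons": reasons, "suspicious": bool(reasons)}


def scan_message(raw: str) -> list:
    """All file-hosting links in a message, each with its classification."""
    return [c for c in (classify_url(u) for u in extract_urls(raw)) if c]


# Constructed samples (senders, names and link ids are invented)
SPAM_INVOICE = """\
From: "Parcel Service" <notify@example.net>
Subject: Shipping notification 7732
Content-Type: text/plain; charset="utf-8"

Your parcel could not be delivered. The invoice is available here:
https://www.dropbox.com/s/a1b2c3d4/Invoice_7732.zip?dl=1
"""

SPAM_BANKER = """\
From: "Banco" <aviso@example.org>
Subject: Comprovante de transferencia
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Veja o comprovante.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.cubby.com/pl/comprovante.zip/_9f8e7d">Comprovante</a></body></html>
--b1--
"""

SPAM_PHARMA = """\
From: "Discount Pharmacy" <offers@example.biz>
Subject: Save 80% today
Content-Type: text/plain; charset="utf-8"

See the offer: https://www.dropbox.com/s/q9w8e7r6/offer.html
"""

CLEAN_MAIL = """\
From: shop@example.com
Subject: Your order
Content-Type: text/plain; charset="utf-8"

Track your order at https://www.example.com/orders/12345.
"""

if __name__ == "__main__":
    for name, raw in [("invoice", SPAM_INVOICE), ("banker", SPAM_BANKER),
                      ("pharma", SPAM_PHARMA), ("clean", CLEAN_MAIL)]:
        print(name, scan_message(raw))
```

In production the host list would come from a maintained feed and the verdict would be one signal among several (attachment type, sender reputation, URL age), not a block on its own; legitimate users share archives via these services every day.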

    Spam and its Impact in the Threat Landscape

Based on our honeypot data, the number of malware-related emails increased by 22 percent. In our previous blog post, we noted that more than 40 percent of malware-related spam in Q2 can be attributed to machines infected by DOWNAD. Although DOWNAD (also known as Conficker) emerged as early as 2008, it remains a prevalent threat today; in fact, it is one of the top three malware families affecting enterprises and SMBs.

UPATRE takes the lead as the top malware distributed via spam, followed by TSPY_ZBOT and BKDR_KULUOZ. UPATRE constitutes more than 33% of total malspam volume, although towards June we saw a decline in the number of spam campaigns related to it. ZeuS is both among the malware most often propagated via spam and one of the top sources of malspam.

KULUOZ downloads malware like FAKEAV and ZACCESS and can turn infected systems into spam distributors. Last April, KULUOZ took advantage of the tragic news of the MV Sewol ferry disaster.


Figure 4. Top 10 malware from spam mails


Figure 5. TROJ_UPATRE vs. total malspam

    Spam Towards the Second Half of 2014

Spam remains a crucial weapon in cybercriminals’ arsenal for proliferating their malicious activities. We predict that in the second half of the year, the volume of spam will continue to increase. As in previous years, cybercriminals may leverage upcoming holidays and events in the next quarters, contributing to spikes in volume.

We will also continue to see spam employed as a malware carrier. Furthermore, we observed that the number of newly created domains spread via email is increasing. This is probably due to the domain generation algorithm (DGA) capabilities of spam-sending malware like DOWNAD. It can affect the volume of spam, since a single domain may already appear in a large number of spam emails.

    Update as of July 22, 2014, 11:00 P.M. PDT:

We have updated Figures 2 and 4 to make the numbers presented clearer.

    Posted in Malware, Spam |

    This is the third (and last) in a series of posts looking at the threats surrounding smart grids and smart meters. In the first post, we introduced smart meters, smart grids, and showed why these can pose risks. In the second post, we looked at the risks of attacks on smart meters.

In this post, we’ll look at the risks when smart grids are attacked. A smart grid is an electric grid with digital information and communication capabilities for recording information on both consumers and suppliers. What differentiates an attack on a smart grid from an attack on a smart meter? Simply put, scale: an attack on a smart grid affects many more users than an attack on an individual meter, and the potential for damage is proportionately much more significant.

However, this also means that the attack surface is different. Not only can the smart meters be attacked, but the servers at the utility that control the smart meters can also serve as an attack vector. These servers, on the other hand, can be defended with the same tools used to defend against targeted attacks.

Perhaps the most obvious smart grid attack scenario is extortion. An attacker would take control of the smart grid in order to disrupt the service it provides. The attacker might even choose to “update” the firmware on the devices, making the attack more difficult to completely mitigate. Either way, the goal would be to cause disruption in order to get money out of the local utility company or government. Alternately, the chaos itself may be the goal, either for political reasons or to distract local law enforcement from other crimes going on at the same time.

A slightly more subtle attack against the smart grid would be a denial of service attack. How would the grid cope with corrupt data? The data can be completely corrupt (incorrect format and content), or it can have the correct format but incorrect or corrupt content. Either way, just as with buffer overflows in any other piece of software, vulnerabilities in the servers that parse this data pose a risk to the grid as a whole.

    Figure 1. Denial of service attack targeting an entire grid
    (A screenshot from our video highlighting attack scenarios)

An attack with less dire consequences would be meter tampering. It is very possible for smart meters to be tampered with; in fact, it has already happened in Malta. As all the reading is “electronic”, it is trivially easy to modify the readings of the meters. Modify the reading too much and the discrepancy becomes obvious, but a small modification might not raise eyebrows.
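As an added example (not code from the original post), the Python below sketches the two head-end checks that the denial-of-service and tampering scenarios above call for. The first is strict validation of meter reads before they touch the grid’s data store: each record must parse, carry a well-formed meter id and timestamp, and its cumulative register must move forward in time and by a physically plausible amount, so malformed or replayed data is rejected rather than crashing or poisoning the ingest path. The second is the energy-balance check used against tampering: the energy metered at the feeder must be matched, within a technical-loss tolerance, by the sum of the downstream meters, and a shortfall singles out meters reporting well under their own history. The record format, id scheme, thresholds and all readings are constructed for this illustration and are not a real utility’s.

```python
import math
import re
from dataclasses import dataclass
from datetime import datetime

METER_ID = re.compile(r"^MTR-\d{6}$")   # constructed id scheme: MTR- plus six digits
MAX_KWH_PER_INTERVAL = 25.0             # plausibility cap for one 15-minute residential read (assumption)


@dataclass(frozen=True)
class Reading:
    meter: str
    ts: datetime
    kwh: float          # cumulative register value reported by the meter


def parse_reading(line: str) -> Reading:
    """Strict syntactic check of one 'meter,iso-timestamp,kwh' record."""
    fields = line.strip().split(",")
    if len(fields) != 3:
        raise ValueError("wrong field count")
    meter, ts, kwh = fields
    if not METER_ID.match(meter):
        raise ValueError("bad meter id")
    try:
        when = datetime.fromisoformat(ts)
        value = float(kwh)
    except ValueError:
        raise ValueError("bad timestamp or register value") from None
    if not math.isfinite(value) or value < 0:
        raise ValueError("register out of range")
    return Reading(meter, when, value)


def ingest(lines, last_seen: dict):
    """Semantic checks on top of parsing: time and register must both move forward,
    and by a plausible amount. Returns (accepted, [(line, reason), ...]); last_seen
    maps meter id -> last accepted Reading and is updated in place."""
    accepted, rejected = [], []
    for line in lines:
        try:
            r = parse_reading(line)
        except ValueError as err:
            rejected.append((line, str(err)))
            continue
        prev = last_seen.get(r.meter)
        reason = None
        if prev is not None:
            if r.ts <= prev.ts:
                reason = "stale or replayed timestamp"
            elif r.kwh < prev.kwh:
                reason = "register went backwards"
            elif r.kwh - prev.kwh > MAX_KWH_PER_INTERVAL:
                reason = "implausible jump"
        if reason:
            rejected.append((line, reason))
            continue
        last_seen[r.meter] = r
        accepted.append(r)
    return accepted, rejected


def energy_balance(meter_kwh: dict, feeder_kwh: float, loss_tolerance: float = 0.05):
    """Fraction of feeder energy not accounted for by its meters, and whether that
    exceeds what technical losses alone would explain."""
    shortfall = (feeder_kwh - sum(meter_kwh.values())) / feeder_kwh
    return shortfall, shortfall > loss_tolerance


def suspect_meters(meter_kwh: dict, baseline_kwh: dict, drop: float = 0.15) -> list:
    """Meters whose consumption fell more than `drop` below their own baseline."""
    return sorted(m for m, kwh in meter_kwh.items()
                  if baseline_kwh.get(m, 0) > 0
                  and (baseline_kwh[m] - kwh) / baseline_kwh[m] > drop)


# Constructed 15-minute reads; comments mark the deliberate defects
SAMPLE_LINES = [
    "MTR-000101,2014-07-01T00:15:00,1520.25",
    "MTR-000101,2014-07-01T00:30:00,1520.50",
    "MTR-000102,2014-07-01T00:15:00,abc",          # corrupt value
    "MTR-000103,2014-07-01T00:15:00",              # truncated record
    "MTR-000101,2014-07-01T00:30:00,1520.60",      # replay of an earlier interval
    "MTR-000101,2014-07-01T00:45:00,1510.00",      # register rolled back
    "MTR-000104,2014-07-01T00:15:00,880.00",
    "MTR-000104,2014-07-01T00:30:00,980.00",       # +100 kWh in 15 minutes
]

# Constructed daily totals for five meters on one feeder; MTR-000103 under-reports by 20%
FEEDER_KWH = 152.0
BASELINE = {"MTR-000101": 30.0, "MTR-000102": 31.0, "MTR-000103": 30.0,
            "MTR-000104": 29.0, "MTR-000105": 30.0}
TODAY = {**BASELINE, "MTR-000103": 24.0}

if __name__ == "__main__":
    accepted, rejected = ingest(SAMPLE_LINES, {})
    print(f"accepted {len(accepted)} reads, rejected {len(rejected)}")
    for line, reason in rejected:
        print(f"  {reason:<32} {line}")
    shortfall, flagged = energy_balance(TODAY, FEEDER_KWH)
    print(f"feeder shortfall {shortfall:.1%}, tampering suspected: {flagged}, "
          f"suspects: {suspect_meters(TODAY, BASELINE)}")
```

The point of the balance check is that a 20% cut on one meter is invisible to per-meter range checks but shows up as a 5% shortfall against the feeder, so the per-meter baseline comparison should only be run once the balance check has flagged the feeder; run on its own it would generate false positives from ordinary changes in consumption.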

We raise these scenarios not because we want to frighten people, but to raise awareness of them. It is possible to defend against these attacks: by designing the systems with security in mind, by ensuring that the appropriate custom defense solutions are in place, and so on. However, these can only be put in place if people recognize that the threat does exist.

    You can read the previous blog posts on smart meters here:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

    Posted in Vulnerabilities |


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice