TrendLabs Security Intelligence Blog
    Archive for July 7th, 2014




Figure 1. Motto taken from the InstallBrain website (http://www.installbrain.com) on July 3, 2014

“Monetize On Non-buyers” is the bold motto of InstallBrain, adware that turns out to have been developed by an Israeli company called iBario Ltd. The motto neatly summarizes the risk adware companies can introduce to users, especially when they install software on systems without the user's consent.

Adware is often perceived as low-risk because it usually does little more than display unwanted pop-up and pop-under advertisements. It can, however, pose a serious security risk when an adware company uses it to load malware onto the systems where the adware is installed. Our latest research paper, On the Actors Behind MEVADE/SEFNIT, shows that iBario’s InstallBrain adware installed MEVADE/SEFNIT Trojans on a significant number of systems in 2013.

One of the major threat stories of 2013 was the sudden and dramatic increase in Tor users: in August 2013 the count grew from about a million to five million. Fox-IT was the first to publish the cause of the spike: the MEVADE/SEFNIT malware downloaded a Tor component used for its command-and-control (C&C) communications. The malware itself performs click fraud and Bitcoin mining.

Microsoft was the first to point out the InstallBrain-SEFNIT connection, a connection Trend Micro has also observed. iBario Ltd has since removed the InstallBrain brand name from its corporate website and replaced it with Unknownfile, which is essentially a successor to InstallBrain. Feedback from Trend Micro’s Smart Protection Network shows InstallBrain detections in about 150 countries, a clear indication of how widespread this adware is.

    Adware Company Hosts Malware

In recent media interviews, iBario described itself as an entirely Israel-based company with an estimated worth of US$100M. The nine-figure valuation is probably an exaggeration, and we also believe that iBario outsources a lot of its technical work to Ukraine, as there are clear links between iBario and Ukrainian contractors. In fact, we found an organizational chart of iBario Ukraine on the Internet, headed by the CTO of InstallBrain.

Figure 2. Organizational chart for iBario Ukraine; screenshot taken on June 20, 2014

One interesting thing we noted is that while Mevade.C was widespread in more than 68 countries, including sparsely populated ones, there was virtually no infection in Israel. This is perhaps intended to avoid trouble with local law enforcement.

It becomes even more interesting when one looks at the infrastructure: a domain name belonging to a Ukrainian contractor called Denis R, also known as Scorpion, had one of its hostnames pointing to the IP address of iBario’s source code repository. That same repository hosted Sefnit malware in 2011, which means Sefnit was present on iBario’s corporate source code repository in 2011. We cannot publish the exact details of this finding, but we are willing to hand over proof to law enforcement partners.

The fact that iBario’s InstallBrain has installed Sefnit on user systems, the presence of Sefnit malware in an iBario code repository in 2011, and the links between iBario and several suspicious contractors from Ukraine lead us to believe that iBario is involved with Sefnit.

    Gateway to Infection

We believe that deceit, or any indication that a user has not given real consent to the download and installation of a file or to what that file actually does, is grounds for the security industry to detect and block that file as malware.

InstallBrain is one real example of the risk of having adware on user systems, and of how attractive and lucrative it can become for adware companies to abuse their access to user computers, to the point of discreetly downloading malware. In this case, the downloaded malware takes over the computer to commit click fraud or to mine bitcoins.

    For more information about the threat actors, download our research paper On the Actors Behind MEVADE/SEFNIT.

    Update as of 10:26 AM, August 8, 2014

Since our research on this situation was posted, Mike Peters, Co-Founder & General Manager at iBario LTD, has contacted us. Mr. Peters has claimed that the events related to the SEFNIT and MEVADE malware are due to the actions of a rogue contractor who was able to compromise their network and suborn their systems for malicious purposes without their knowledge. Mr. Peters has indicated that he has worked with Microsoft on this matter, and both have offered to provide additional information in this regard. We have told Mr. Peters that we would be happy to review any new information and make updates based on additional analysis of that data.

     
    Posted in Bad Sites, Malware | Comments Off



We noted a while back that Apple-related scams tend to grow when rumors of new Apple devices are in the news. With the launch of the iPhone 6 expected sometime in September, we expected to see scams tied to leaks surrounding the latest Apple product. As it turns out, that is exactly what happened.

Some journalists covering Apple reported last week that they had received emails with a fake “the wait is over” announcement for the iPhone 6. We can confirm that such emails were sent out, as our own sources received a few themselves:

    Figure 1. Sample spam message

Users who don’t keep track of Apple rumors or the iPhone release schedule might be caught out by this email, as it uses language that wouldn’t be out of place in a real Apple announcement. Two things give it away, however: a July release would not fit Apple's recent release calendar (both the iPhone 5 and the 5S were released in September), and the device design shown in the email does not match the recent mockups published by Apple rumor sites.

As the release date of the iPhone 6 (and perhaps the iWatch) draws closer, we can expect to see more scams and attacks that use these (rumored) Apple products as bait. We ask users to be wary of such “announcement” emails, as they are fertile ground for phishing and other threats.

We block the spam message spotted in this particular attack, and we block access to all websites related to this threat.

     
    Posted in Spam | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice