    Archive for July 14th, 2014

    While wearable personal technology may be the most “public” face of the Internet of Everything, the most widespread use of it may be in smart meters.

    What is a smart meter, exactly? It’s a meter for utilities (electricity, gas, or water) that records the consumption of the utility in question, and transmits it to the utility provider via some sort of two-way communication method. (Examples of these methods include a wireless mesh network, power line networking, or a connection to the user’s own Internet service.) Unlike simple home monitors, smart meters can collect data for remote reporting to the utility.

    One smart meter in isolation has limited uses. However, once the majority of meters in an area are “smart”, the utility is able to reap large benefits. With the added information provided by large numbers of smart meters, a utility can adjust its operations as needed to improve the efficiency, reliability, cost, and sustainability of its services.

    Deployment and Usage

    Some may think that smart meters are more theoretical than anything else. However, they are already in widespread use in some countries, and it is easy to see how in the next few years they will become even more widespread.

    Let me talk about the part of the world I know – Europe. For example, the former Italian electric monopoly, Enel, has rolled out smart meters to almost all of its 36 million customers. In addition, Enel has deployed a remote management system known as Telegestore, which allows the utility to carry out actions via the smart meter that would otherwise require a physical visit. 330 million meter readings and over a million other operations were carried out remotely, making this easier for both customers and Enel. Enel also owns 92% of the Spanish utility firm Endesa, and is rolling out similar products in that market.

    Italy and Spain are not the only countries in Europe leading the way in smart meter adoption. Other countries identified by the European Union as being “dynamic movers” in smart meters include Estonia, Finland, France, Ireland, Malta, the Netherlands, Norway, Portugal, Sweden, and the United Kingdom. In these countries, regulators and utilities are both making the necessary steps to move forward with smart meter adoption.

    Technical Standards and Risks

    A diverse set of industry groups and protocols are promoting smart meter technology. In part, this reflects the varying ways that smart meters are deployed and used: different applications call for different technology. However, it also means that there is a wide variety of technical standards in use in smart meters, which makes it harder to assess and secure them uniformly.

    Other such niche devices – such as home automation equipment and Internet routers – have proven to have serious security risks. It’s one thing for, say, a light switch to have some sort of vulnerability. It’s another thing for utility meters and controls to have vulnerabilities. Smart meters and smart grids have not yet been fully tested and vetted for potential security risks; we have to consider the potential scenarios if these devices are proven to have flaws – as some of them inevitably will.

    The video accompanying this post highlights some of these potential scenarios. In future blog posts, we will look into some of these scenarios in more detail and discuss the circumstances that can lead to these issues.

    You can read parts 2 and 3 of this blog series here:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.


    Heuristic Scanning and Sandbox Protection: Best of Both Worlds

    We have been dealing with targeted attacks long enough to know that no single technology can practicably defend an organization’s network against these high-impact campaigns. That is sad but true; it does mean, however, that security technologies like sandboxing and heuristic scanning should be harnessed to work together so that they protect as a stronger whole.

    Using heuristics and sandboxing as complementary technologies that cover each other’s weaknesses is an effective and efficient way to identify unknown threats as early as possible. Heuristic scanning uses a rule-based system to quickly flag possibly malicious files; its effectiveness depends heavily on how well the rules are defined. Sandboxing, on the other hand, executes a suspicious file in a protected environment, usually a virtual machine, to observe what it does without infecting the host.

    Efficiency and Accuracy

    In practice, heuristic scanning acts as a filter before a file is sent to the sandbox. Doing so reduces cost and increases system capacity, since only files that warrant detonation consume sandbox time. Heuristic scanning can also determine a file’s true file type and, if the two technologies are working together, pass that information along. For example, heuristic scanning can tell the sandbox that a certain Office file is Word 2003, Word 2007, or Word 1.0, so the sandbox can execute the file in the appropriate, expected environment rather than one in which the exploit would never trigger.

    Furthermore, even if a company has the resources to sandbox every single file under all possible conditions, some malware can detect that it is running in a sandbox and withhold its malicious routines, so a sandbox verdict of “nothing happened” is not proof that a file is clean. An IT admin’s best bet is to have caught such a file earlier via heuristic scanning, which gives better detection coverage.

    Solution Versus Zero-days

    As mentioned before, the effectiveness of heuristics plus sandboxing relies heavily on the defined heuristic rules. These rules need to be forward-looking enough to recognize previously unknown threats, but also specific enough so as to avoid false alarms.

    One good way to check the effectiveness of these rules is to see how well they fare against zero-day exploits. By nature, zero-day exploits target unpatched vulnerabilities, but they tend to reuse the same exploitation techniques and malformed-file patterns as earlier exploits. If the rules are sufficiently “smart”, that is, written against the technique rather than one specific sample, they will be able to catch them.

    Even years-old heuristic rules in the Trend Micro Advanced Threat Scan Engine, for instance, have been able to detect recent zero-days:

    1. CVE-2014-0515 (May 2014) was detected by a rule developed in 2014: HEUR_SWFJIT.B
    2. CVE-2014-1761 (April 2014) was detected by a rule developed in 2012: HEUR_RTFEXP.A/HEUR_RTFMALFORM
    3. CVE-2014-0496 (February 2014) was detected by a rule developed in 2010: HEUR_PDFEXP.A
    4. CVE-2013-3346 (November 2013) was detected by a rule developed in 2010: HEUR_PDFEXP.A
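    The filter-then-sandbox pipeline described under “Efficiency and Accuracy” (type identification from structure, heuristics as a gate in front of the sandbox, routing to the right detonation environment) and the rule-design point made under “Solution Versus Zero-days” (rules that match a technique or malformation pattern, not one sample), shown together as an added example. This is not Trend Micro code: the rule names, thresholds, the sandbox routing table and the sample files are all constructed for illustration and are not the HEUR_* rules listed above.

```python
# Added example: a heuristic pre-filter that runs before a sandbox.
# Not Trend Micro code; rule names, thresholds, routing table and samples are
# constructed for illustration and are not the HEUR_* rules named in the post.
from __future__ import annotations
import re
import struct
import zlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Verdict:
    file_type: str                 # determined from structure, never from the extension
    sandbox_env: Optional[str]     # hypothetical environment name; None = nothing to detonate
    rules_hit: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.rules_hit)

    @property
    def action(self) -> str:
        # A heuristic hit is already a detection; the sandbox is then only used to
        # capture behaviour. Unflagged files of a supported type still go to the
        # sandbox; unknown types have nowhere sensible to be detonated.
        if self.rules_hit:
            return "detected"
        return "sandbox" if self.sandbox_env else "pass"

def identify(data: bytes) -> tuple[str, Optional[str]]:
    """Map magic bytes to (type, sandbox environment). The routing table is hypothetical."""
    if data.startswith(b"{\\rtf"):
        return "rtf", "office-word"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2", "office-2003"       # legacy binary .doc/.xls container
    if data.startswith(b"PK\x03\x04") and b"word/" in data[:4096]:
        return "ooxml", "office-2007"      # zip container carrying a word/ part
    if data.startswith(b"%PDF"):
        return "pdf", "pdf-reader"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf", "flash-player"
    return "unknown", None

RTF_CONTROL = re.compile(rb"\\([a-z]+)(-?\d+)?")

def rule_rtf_malformed(data: bytes) -> list[str]:
    """Flags malformation patterns, not a specific CVE: control-word parameters outside
    the signed 16-bit range the RTF spec defines, and an embedded OLE object that is
    forced to update (and so be loaded) as soon as the document opens."""
    hits = []
    for m in RTF_CONTROL.finditer(data):
        if m.group(2) and abs(int(m.group(2))) > 32767:
            hits.append(f"HEUR_RTF_BADPARAM: \\{m.group(1).decode()}{m.group(2).decode()}")
    if b"\\objupdate" in data and b"\\objdata" in data:
        hits.append("HEUR_RTF_OBJUPDATE: OLE object auto-updates on open")
    return hits

PDF_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def rule_pdf_active_content(data: bytes) -> list[str]:
    """Normalises #xx name escapes (a common way to hide /JavaScript from naive
    string matching) before looking for code that runs when the file is opened."""
    norm = PDF_NAME_ESC.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)
    hits = []
    has_js = b"/JavaScript" in norm or b"/JS" in norm
    if has_js and b"/OpenAction" in norm:
        hits.append("HEUR_PDF_OPENJS: JavaScript wired to /OpenAction")
    elif has_js:
        hits.append("HEUR_PDF_JS: embedded JavaScript")
    if b"/Launch" in norm:
        hits.append("HEUR_PDF_LAUNCH: /Launch action")
    if has_js and norm != data:   # only flag escapes when they hide an action keyword
        hits.append("HEUR_PDF_OBFNAME: action keyword hidden behind #xx escapes")
    return hits

def rule_swf_malformed(data: bytes) -> list[str]:
    """The 8-byte SWF header declares the uncompressed length; a body that does not
    match it, or that fails to inflate, is a malformed file a vulnerable player may
    still try to parse."""
    if len(data) < 8:
        return ["HEUR_SWF_TRUNC: header too short"]
    declared = struct.unpack("<I", data[4:8])[0]
    if data[:3] == b"CWS":
        try:
            body = zlib.decompress(data[8:])
        except zlib.error:
            return ["HEUR_SWF_BADZLIB: compressed body does not inflate"]
    elif data[:3] == b"FWS":
        body = data[8:]
    else:
        return []                          # ZWS (LZMA) is not handled in this example
    if len(body) + 8 != declared:
        return [f"HEUR_SWF_BADLEN: header says {declared} bytes, body is {len(body) + 8}"]
    return []

RULES = {"rtf": rule_rtf_malformed, "pdf": rule_pdf_active_content, "swf": rule_swf_malformed}

def prefilter(data: bytes) -> Verdict:
    """Run cheap structural heuristics first; the sandbox only sees what survives them."""
    ftype, env = identify(data)
    hits = RULES.get(ftype, lambda _d: [])(data)
    return Verdict(ftype, env, hits)

# Constructed samples for this example, not real malware.
SAMPLE_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0\\fs999999 Hello}"
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
              b"2 0 obj<</S/#4A#61#76#61#53#63#72#69#70#74/JS(app.alert(1))>>endobj\n"
              b"trailer<</Root 1 0 R>>\n%%EOF")
SAMPLE_SWF_BAD = b"CWS\x0a" + struct.pack("<I", 9999) + zlib.compress(b"\x00" * 32)
SAMPLE_SWF_OK = b"FWS\x0a" + struct.pack("<I", 8 + 32) + b"\x00" * 32
SAMPLE_DOCX = b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml" + b"word/document.xml"

if __name__ == "__main__":
    for name, blob in [("rtf", SAMPLE_RTF), ("pdf", SAMPLE_PDF), ("swf-bad", SAMPLE_SWF_BAD),
                       ("swf-ok", SAMPLE_SWF_OK), ("docx", SAMPLE_DOCX), ("txt", b"hello")]:
        v = prefilter(blob)
        print(f"{name:8} type={v.file_type:8} env={v.sandbox_env} action={v.action} {v.rules_hit}")
```

    Two design points from the post are visible here. The rules key on structure that an exploit needs (an out-of-range RTF parameter, JavaScript bound to the open action, a length field the player will trust), so they do not depend on having seen a particular sample, which is what lets an old rule catch a new zero-day. And the type decision is made from the bytes, so a malicious RTF renamed to .doc is still routed to the Word environment rather than a sandbox that would never open it.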

    Aim for Early Detection

    Assume compromise: enterprises should understand by now that the later they catch an ongoing targeted attack campaign, the harder it is to mitigate the damage, or even to detect the attack at all. Early detection must therefore be the first priority for network defenders, and layered protection goes a long way.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    Additional insights and analysis by Shih-hao Weng and Sunsa Lue.

    Posted in Exploits, Targeted Attacks | Comments Off on Heuristic Scanning and Sandbox Protection: Best of Both Worlds


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice