    Archive for August 14th, 2014

    Targeted attacks are designed to circumvent existing policies and solutions within the target network, which makes detecting them a big challenge. As we’ve stressed in our previous entry about common misconceptions about targeted attacks, there is no one-size-fits-all solution against them; enterprises need to arm themselves with protection that can provide sensors where needed, as well as IT personnel equipped enough to recognize anomalies within the network and to act accordingly.

    In order to detect anomalies, however, IT administrators will need to know first what to look out for. Since attacks are commonly designed to leave little to no tracks at all, it is important to know where possible indicators of a compromise can be found. In this post, we will list what parts of the network IT administrators need to closely monitor for any signs of a breach.

    Check for Injected DNS Records

    Attackers often tamper with DNS records in order to make sure that connections to their C&Cs are not blocked. IT admins can check for the following signs of records that might have been injected by attackers:

    1. Unknown domains “parked” into IPs like,,,,, and These IPs are typically used by attackers as placeholders for C&Cs that are not yet being used
    2. Unknown domains that were registered very recently, say 3 days ago (can be determined by using whois)
    3. Domains that appear to consist of random characters (examples:, or
    4. Domains that appear to imitate known entities (examples: microsoft-dot .com or
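The checks for recently registered, random-looking and imitating domains can be scripted over an export of DNS records. The sketch below is an added example, not code from the original post; the brand list, allowlist, thresholds and sample domains are assumptions, and the registration date is expected to come from a whois lookup done separately.

```python
import math
from collections import Counter
from datetime import date

KNOWN_BRANDS = ("microsoft", "google", "paypal")  # assumption: names worth protecting
ALLOWLIST = {"microsoft.com", "google.com"}       # assumption: domains already vetted

def entropy(label):
    """Shannon entropy of the characters in a label, in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def review_domain(domain, created, today, max_age_days=3):
    """Return the reasons a DNS record deserves a closer look (empty list if none)."""
    domain = domain.lower().rstrip(".")
    if any(domain == d or domain.endswith("." + d) for d in ALLOWLIST):
        return []
    parts = domain.split(".")
    # Simplification: treat the label left of the TLD as the registered name.
    label = parts[-2] if len(parts) >= 2 else parts[0]
    reasons = []
    if not label:
        return reasons
    if created is not None and (today - created).days <= max_age_days:
        reasons.append("recently registered")
    # Heuristic: long, high-entropy labels with almost no vowels look machine-generated.
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    if len(label) >= 10 and entropy(label) >= 3.0 and vowels < 0.2:
        reasons.append("random-looking name")
    # Undo common substitutions (0 for o, 1 for l) and hyphens before brand matching.
    squashed = label.translate(str.maketrans("01", "ol", "-"))
    if any(brand in squashed for brand in KNOWN_BRANDS):
        reasons.append("imitates known brand")
    return reasons

# Constructed sample records: (domain, whois creation date or None)
SAMPLE_RECORDS = [
    ("xkqzjvwpthgb.example", date(2014, 8, 12)),
    ("micros0ft-support.example", date(2010, 1, 1)),
    ("intranet-portal.example", date(2012, 5, 1)),
    ("www.microsoft.com", None),
]

def flag_records(records, today):
    """Map each suspicious domain to its list of reasons."""
    flagged = {d: review_domain(d, created, today) for d, created in records}
    return {d: r for d, r in flagged.items() if r}
```

Anything this flags is a lead for manual review, not a verdict; tune the thresholds against the organisation's own resolver logs.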

    Audit Accounts for Failed/Irregular Logins

    Once an attacker is able to establish its presence in a network and its communication with the C&C, the next step is often to move laterally within the network. Attackers can seek out the Active Directory, mail or file server and access them via an exploit using a server vulnerability. However, since admins will have patched and secured important servers against vulnerabilities, attackers can try to brute force administrator accounts. For IT admins, the login record is the best reference for any attempts to do this. Checking for failed login attempts, as well as successful ones made at irregular time periods, can reveal attackers’ attempts to move within the network.
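As an added illustration (not part of the original post), the following sketch audits login records for the two signals described above: bursts of failed logins and successful logins at irregular hours. The log format, thresholds, working hours and sample lines are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, result, account, source host
SAMPLE_LOG = """\
2014-08-13T09:02:11 OK alice ws-014
2014-08-14T02:10:01 FAIL administrator ws-031
2014-08-14T02:10:04 FAIL administrator ws-031
2014-08-14T02:10:09 FAIL administrator ws-031
2014-08-14T02:10:15 FAIL administrator ws-031
2014-08-14T02:10:20 FAIL administrator ws-031
2014-08-14T02:11:02 OK administrator ws-031
2014-08-14T10:30:00 FAIL bob ws-020
2014-08-14T10:30:20 OK bob ws-020
"""

def parse(log):
    """Yield (timestamp, result, account, source) from each log line."""
    for line in log.splitlines():
        ts, result, account, source = line.split()
        yield datetime.fromisoformat(ts), result, account, source

def audit(log, max_failures=5, window=timedelta(minutes=10), work_hours=range(7, 20)):
    """Return (kind, account, source, timestamp) findings in log order."""
    findings = []
    failures = defaultdict(list)  # (account, source) -> recent failure times
    for ts, result, account, source in parse(log):
        key = (account, source)
        recent = [t for t in failures[key] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            failures[key] = recent
            if len(recent) == max_failures:  # report once when the threshold is hit
                findings.append(("brute-force", account, source, ts))
        elif result == "OK":
            if ts.hour not in work_hours:
                findings.append(("off-hours-login", account, source, ts))
            if len(recent) >= max_failures:
                findings.append(("success-after-failures", account, source, ts))
            failures[key] = []  # a success resets the failure streak
    return findings
```

Failures are counted per account and source host, so guessing spread across many sources needs a second pass keyed on the account alone.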

    Study Warnings from Security Solutions

    Sometimes, security solutions will flag seemingly non-malicious tools as suspect and users will ignore the warnings since the file may either be familiar to the user or not harmful. However, time and again, we encounter situations where the warning meant that there is an attacker in the network. Attackers may either be using ill-designed hacker tools or sometimes legitimate administrative tools like PsExec or others from the Sysinternals Suite to perform diagnostics on the system or network. Some security solutions will flag these non-malicious tools if these are not preinstalled on the user’s computer. The IT admin must ask why the user is using this tool and if there is no good reason, the IT admin may have stumbled upon the attacker’s lateral movement.

    Check for Strange Large Files

    Unknown large files found in a system need to be checked as they may contain data stolen from within the network. Attackers often store these files in their targets’ systems prior to exfiltration, often hiding them through “normal-looking” file names and file types. IT administrators may be able to check for these through file management software.

    Audit Network Log for Abnormal Connections

    Consistently auditing the network monitoring logs is critical as it can help identify anomalies in the connections within the network. This requires IT administrators to be fully knowledgeable of the network and the activities that happen within it at any given time. Only through awareness of the network’s “normal” can possible anomalies be identified. For example, network activity found happening within what should be idle hours can be a sign of an attack.

    Abnormal Protocols

    In relation to abnormal connections, IT administrators also need to check for the protocols used in these connections, especially for those coming from inside the network. Attackers often choose the protocol they use based on what is allowed in the network, so it is important to inspect the connections even when they are using normal protocols.

    For instance, we have seen attackers use the HTTPS protocol (port 443) to connect to the outside, but when we inspected the content, it contained only HTTP data. IT admins will not bother to inspect HTTPS connections because they always assume they are encrypted.
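One way to catch the port 443 case above is to look at the first bytes the client sends: a real TLS session opens with a handshake record, while plaintext HTTP opens with a request line. This is an added example, not code from the original post; the flow tuples and addresses are constructed, and the first client payload is assumed to come from a packet capture or network sensor.

```python
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client payload of a TCP connection."""
    if len(payload) >= 6:
        content_type, major, minor = payload[0], payload[1], payload[2]
        record_len = int.from_bytes(payload[3:5], "big")
        # TLS record header: type 0x16 (handshake), version 3.x, sane length,
        # followed by handshake type 0x01 (ClientHello).
        if (content_type == 0x16 and major == 0x03 and minor <= 0x04
                and 0 < record_len <= 16384 and payload[5] == 0x01):
            return "tls-client-hello"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"

# Constructed sample flows: (source, destination, destination port, first client bytes)
SAMPLE_FLOWS = [
    ("10.0.0.15", "198.51.100.7", 443, bytes.fromhex("160301002e0100002a0303")),
    ("10.0.0.23", "203.0.113.9", 443, b"POST /submit HTTP/1.1\r\nHost: host.example\r\n"),
    ("10.0.0.23", "192.0.2.80", 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n"),
    ("10.0.0.31", "203.0.113.9", 443, b"\x00\x01binary-blob"),
]

def audit_flows(flows):
    """Return (source, destination, verdict) for port 443 flows that do not start TLS."""
    findings = []
    for src, dst, port, first_bytes in flows:
        if port != 443:
            continue
        verdict = classify_first_bytes(first_bytes)
        if verdict != "tls-client-hello":
            findings.append((src, dst, verdict))
    return findings
```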

    Increased Email Activity

    IT administrators can check the mail logs to see if there are strange spikes for individual users. Abnormal peaks in email activity should be investigated as that user might be in the midst of a targeted spear-phishing attack. Sometimes, if the attacker does research, the attacker may know that an employee will be going to an important meeting and will send spear phishing emails as early as 3 months before the meeting. This is another clue.
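A per-user spike check over mail log counts can be as simple as comparing each day with that mailbox's own history. The sketch below is an added example, not from the original post; it assumes daily inbound message counts have already been extracted from the mail logs, and the threshold, history length and sample numbers are constructed.

```python
from statistics import median

def spike_days(daily_counts, threshold=5.0, min_history=7):
    """daily_counts: list of (day, inbound message count) in date order for one mailbox.
    Returns the days whose count sits far above that mailbox's earlier history."""
    spikes = []
    for i in range(min_history, len(daily_counts)):
        history = [count for _, count in daily_counts[:i]]
        med = median(history)
        # Median absolute deviation: a spread measure that one past spike cannot distort.
        mad = median(abs(c - med) for c in history) or 1.0
        day, count = daily_counts[i]
        if (count - med) / mad > threshold:
            spikes.append(day)
    return spikes

def audit_mailboxes(per_user_counts):
    """Map each user with at least one spike to the list of spike days."""
    results = {user: spike_days(series) for user, series in per_user_counts.items()}
    return {user: days for user, days in results.items() if days}

# Constructed sample: daily inbound message counts per user
SAMPLE_COUNTS = {
    "alice": [("2014-08-01", 40), ("2014-08-02", 42), ("2014-08-03", 38),
              ("2014-08-04", 41), ("2014-08-05", 39), ("2014-08-06", 43),
              ("2014-08-07", 40), ("2014-08-08", 41), ("2014-08-09", 180),
              ("2014-08-10", 42)],
    "bob":   [("2014-08-01", 12), ("2014-08-02", 15), ("2014-08-03", 11),
              ("2014-08-04", 14), ("2014-08-05", 13), ("2014-08-06", 12),
              ("2014-08-07", 16), ("2014-08-08", 14), ("2014-08-09", 15),
              ("2014-08-10", 13)],
}
```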

    Reading through this list now, I am pretty sure IT administrators are thinking that they have a tough job ahead of them. I won’t disagree; guarding a network against targeted attacks is a tall order. In the past we talked about ways organizations can ensure that their IT personnel are empowered enough to do this, and I fully recommend the said steps. The cost of preparing for an attack can easily be overshadowed by the cost of mitigating one, so it is critical that IT administrators — the company’s first line of defense — are fully equipped.


    Traditional AV blacklisting is no longer enough to secure enterprise networks against targeted attacks. In order to mitigate the risks posed by this security threat, enterprises need to implement Custom Defense—a security solution that uses advanced threat detection technology and shared indicator of compromise (IoC) intelligence to detect, analyze, and respond to attacks that are invisible to standard security products.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.


    Posted in Targeted Attacks | Comments Off on 7 Places to Check for Signs of a Targeted Attack in Your Network

    Sartorial decisions and technology are often considered two separate, distinct items. However, the surge of wearable “smart” devices has blurred the line between the two. Nowadays, it is common to see people accessorized in pieces of equipment that complement their day-to-day activities.

    Some might assume that wearable smart devices are complicated futuristic gadgets. However, they might be surprised to find that a lot of people now own one or two of these devices; smartwatches and fitness trackers are prime examples of these.

    According to Senior Threat Researcher David Sancho, wearable devices can be classified under three categories, depending on how they deal with data.

    • “IN” devices – These capture user data via sensors. Fitness trackers are a good example. These capture the number of steps a user has undertaken, distance walked, calorie intake, heartbeat, GPS coordinates, etc. These devices usually store the information locally in the device and synchronize with mobile devices or computers.
    • “OUT” devices – These display data from other gadgets, often from mobile devices. Smartwatches are an example, with their capacity to display texts and other application data.
    • “IN and OUT” devices – These capture data and use filters to display information in different manners. Display devices, such as Google Glass, are not only capable of capturing data, but they also feed the data to the user by means of retina projection. Simpler devices can also become “IN and OUT” devices by gathering user data (steps, distance, etc.) and by streaming it from their companion mobile phone.

    According to a study, 82% of wearable tech users believe that their quality of living significantly improved with the use of smart devices. And yet, wearable devices can also be a bane. Past examples show that the “smarter” a device has become, the greater the opportunities cybercriminals have on their hands.

    For example, if bad guys manage to compromise the hardware or network protocol of a wearable device, they would gain access to the data stored there and have control of the content being displayed by “OUT” devices. Attackers can also access the user accounts associated with the devices and can abuse the data gathered there.

    Wearables also bring in the issue of privacy and permission. For example, you might not think too much of your smart glasses recording your everyday commute, but the people you run into might find that feature too intrusive. (This scenario might be one of the reasons Google published a Glass etiquette guide that includes the rule, “Ask for permission.”)

    Just like any form of technology, wearables can bring about improvement and enjoyment. However, having wearables doesn’t just mean knowing how to use them; it also means knowing how to secure them. Users should know the ins and outs of their devices, considering most wearable devices are some form of “IN and OUT” devices. Learn more about wearable smart devices in our infographic, The Ins and Outs of Wearable Devices.

    Posted in Internet of Things | Comments Off on Wearing Your Tech on Your Sleeve

    Legitimate services are often used by cybercriminals to try and make their attacks more convincing. Recently, I spotted attacks that used services and platforms like Google Drive and Dropbox in order to look less suspicious to unwary users.

    I received a spammed message like the one shown right below that supposedly came from Gmail itself. It warned me that someone logged into my account from an unknown device. However, all of the links in it pointed to a Google Drive URL:

    Figure 1. Sample spam email

    Even though the email message is similar to a legitimate Gmail message, a careful user will note that the displayed e-mail address and the supposed source address did not match. Further examination of the email’s headers indicates that the email was, in fact, sent via a website’s mail form.

    As I mentioned earlier, all the links provided in the email actually go to an HTML file hosted on Google Drive. This HTML file is used to detect the operating system and browser of the user. For example, this particular code is used to determine what operating system the user is running:

    function nav() {
        // Map the reported platform to a one-letter OS code; later matches override earlier ones
        var OSName = "UnknownOS";
        if (navigator.platform.indexOf("Win") != -1) OSName = "W";
        if (navigator.platform.indexOf("Mac") != -1) OSName = "M";
        if (navigator.platform.indexOf("X11") != -1) OSName = "U";
        if (navigator.platform.indexOf("Linux") != -1) OSName = "L";
        if (/Android/.test(navigator.userAgent)) OSName = "A";
        return OSName;
    }

    Note that the above code is comprehensive and considers various platforms: Windows, Mac, Unix, Linux, and even mobile platforms (Android). Further code also differentiates what payloads are delivered based on the user’s browser. This is what the user would see (here, running Firefox):

    Figure 2. Fake plugin download page

    However, while the HTML code can differentiate between different configurations, a relatively limited number of payloads are actually delivered. These are detected as BKDR_PERCS.A. This backdoor steals email credentials and user names and passwords. It also logs keystrokes as part of its information theft routines. As a backdoor, it can also accept remote commands from the attackers.

    Examining the infection chain in Deep Discovery Advisor makes the infection chain a little clearer:

    Figure 3. Deep Discovery Advisor screen

    On systems with Firefox, the backdoor is sent in the form of an XPI file (used by Firefox extensions). This binary file contains the backdoor itself, as well as associated malware components.

    The actual malicious payloads are hosted on Google Drive as well. The attackers upload new files to be used in this attack on a fairly regular basis, although the behavior remains the same. For example, on the first day I saw this, this attack distributed files with the following hashes:

    • 012BCE75BCACDAE0CCCB37B6740A925F769F5547
    • D18C7C42236171C37A6A3B7C1DEE6E0A6381AC4E

    Two days later, the links were changed and now pointed to files with the following hashes:

    • 711AFD18ACCF650F6AEC42F836380EE158D4F8D5
    • A7F8F8A251534867CC9FE56636CFAB26D12C03C4

    Several days after that, the same behavior happened and the new files had the following hashes:

    • 711AFD18ACCF650F6AEC42F836380EE158D4F8D5
    • A7F8F8A251534867CC9FE56636CFAB26D12C03C4

    As these files are located on legitimate services, they are also sent via HTTPS, which helps evade some web filtering techniques. In addition, it used a compromised website’s mailer system and an IPv6 address, which can also evade email reputation services.


    Figure 4. Screenshot of the email headers of the spam email


    Figure 5. Screenshot of the name resolution of the sending email server

    Trend Micro protects users from this spam run by detecting malicious files and blocking all related malicious URLs. We also contacted Google about the malicious files that have been uploaded so they can be removed.

    Posted in Malware, Spam | Comments Off on Suspicious Login Message Faked, Distributes Backdoor


    © Copyright 2013 Trend Micro Inc. All rights reserved.