TrendLabs Malware Blog - Trend Micro

Author Archive - Abigail Pichel (Technical Communications)

Adobe has released a security advisory regarding a zero-day vulnerability (CVE-2014-0515) found in Adobe Flash Player. According to the advisory, the updates pertain to “Adobe Flash Player and earlier versions for Windows, Adobe Flash Player and earlier versions for Macintosh and Adobe Flash Player and earlier versions for Linux.”

Adobe has also acknowledged that an exploit for this zero-day exists, targeting Flash Player on the Windows platform. If exploited, the zero-day could allow a remote attacker to take control of the system.

Users should install the update as soon as they can. They can check which version of Flash Player is installed through a page on Adobe’s website. Updates for Flash Player in Internet Explorer and Google Chrome are applied automatically, but the browser may need to be restarted. Users who rely on a browser other than Internet Explorer will need to install the update twice (once for IE and once for the other browser). Microsoft has also released a security advisory related to this vulnerability. For downloading updates, we encourage users to rely on Adobe’s official site, as fake “Adobe updates” are often used by bad guys to deliver malware and other threats to users.

We will continue to monitor this threat and provide new information as necessary.

Update as of May 2, 2014, 4:00 AM PDT

We have obtained samples of this attack in the wild. We detect these malicious files as SWF_EXPLOIT.RWF. We believe that this is being used in targeted attacks, as a specific version of Cisco MeetingPlace Express has to be installed for this attack to work.

In addition to detecting these malicious files, our browser exploit prevention technology (present in Titanium 7) has rules that proactively detect websites that contain exploits related to this vulnerability. Products with the ATSE (Advanced Threats Scan Engine), such as Deep Discovery, have heuristic rules which detect attacks using this vulnerability. These attacks have been detected as HEUR_SWFJIT.B with ATSE pattern 9.755.1107 since April 22.

Update as of May 07, 2014, 10:48 P.M. PDT

Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released new deep packet inspection (DPI) rules to protect against exploits leveraging this vulnerability:

• 1006031 – Adobe Flash Player Buffer Overflow Vulnerability (CVE-2014-0515)
• 1006044 – Restrict Adobe Flash File With Embedded Pixel Bender Objects

This month’s Patch Tuesday is primarily notable for two reasons. It addresses the recent zero-day vulnerability for Microsoft Word, and it also marks the last Patch Tuesday for Windows XP and Microsoft Office 2003. All in all, April Patch Tuesday is relatively light, with only two ‘critical’ and two ‘important’ updates.

One ‘critical’ update is a patch (MS14-017) addressing the recent zero-day affecting Microsoft Word and Office web applications. If exploited, this vulnerability (CVE-2014-1761) could allow a remote attacker to execute commands remotely via specially crafted files and email messages. This vulnerability was first reported by Microsoft in a Security Advisory, which also contained a Fix it tool. According to an advance notification from the company, users must disable the tool after the security update has been applied.

This month’s release also includes a ‘critical’ cumulative security update for Internet Explorer. This addresses six vulnerabilities in the application. If exploited, these could allow remote code execution if a user visits a specially crafted webpage. MS14-019 fixes a vulnerability in Microsoft Windows that could allow remote code execution if a user runs a specially crafted .BAT or .CMD file. A vulnerability in Microsoft Office is addressed by MS14-020. The vulnerability may allow remote code execution if a user opens a specially crafted file in an affected version of Microsoft Publisher.

As mentioned earlier, this is also the last Patch Tuesday for Windows XP. After 13 years of service, Microsoft will no longer provide updates for the popular OS version. Users who rely on the platform may find their computers at increased risk, as any newly found vulnerability will not be patched anymore. Discussions about the Windows XP end-of-support may be found in our blog entries, “Managing Windows XP’s Risks in a Post-Support World” and “Windows XP Support Ending – Now What?” We encourage users to upgrade to later versions of Windows to ensure that computers remain protected.

Though not as heavily publicized as Windows XP, Microsoft Office 2003 has also reached its end-of-support—or to be more precise, its extended end-of-support. Office 2003 users will no longer receive any extended period for updates and fixes. Like Windows XP users, Office 2003 users are encouraged to update to later versions to continue to receive updates. However, users may also opt to go for open source applications like LibreOffice (for Windows and Linux) and NeoOffice (for Mac OS X).

Microsoft has also released a security advisory containing updates for Adobe Flash Player in Internet Explorer. This update addresses vulnerabilities in Adobe Flash Player for Internet Explorer versions 10 and 11.

We encourage users to apply these updates as soon as possible. Additional information may also be found in the Trend Micro Threat Encyclopedia page. Appropriate rules for Trend Micro Deep Security have also been created and are available for use by system administrators.

Posted in Vulnerabilities | April 2014 Patch Tuesday Fixes Microsoft Word Zero-Day

Just six months after mobile malware and high risk apps reached the one million mark, we have learned that that number has now doubled.

Figure 1. The number of malicious and high risk apps reaches the 2M mark

This milestone comes on the heels of the “tenth anniversary” of mobile malware. 2004 saw the first mobile malware—a proof-of-concept (PoC) malware named SYMBOS_CABIR—which infected Nokia phones. But it wasn’t until the start of the smartphone era that mobile malware exploded onto the threat landscape. From relatively harmless pop-up messages, mobile malware has since evolved to include premium service abuse, information theft, backdoors, and even rootkits.

And the threats continue to evolve. After hitting the 1M mark, we are now seeing mobile malware veer into pioneer territory. These malware could very well be the bellwether for the kinds of malware we’ll be seeing in the following months.

Anonymity with TORBOT

The Onion Router (more commonly known as TOR) is known as one way for users to become “anonymous” online. It’s also known for its connection to underground markets. Cybercriminals are now using TOR to hide their malicious mobile routines. ANDROIDOS_TORBOT.A is the first mobile malware to use TOR to connect to a remote server. Once connected, it performs routines such as making phone calls, intercepting and reading text messages, and sending text messages to a specific number. The use of the TOR network makes it more difficult to track down the activity and trace the C&C server.

Proliferation with DENDROID

We’ve often discussed how the number of mobile malware keeps increasing at a rapid pace. The creation of a particular remote access Trojan (RAT) mobile malware may soon become a significant contributor to that number.

ANDROIDOS_DENDROID.HBT can take screenshots, photos, and video and audio recordings. It can also record calls. But what makes DENDROID notable is that it is also peddled as a crimeware tool. DENDROID is being sold in underground markets for US$300 with the promise of easily “Trojanizing” legitimate apps. DENDROID provides an APK binder tool, an APK client, and a background control panel for would-be buyers to repack created apps. Perhaps making it more alarming is that DENDROID was actually found in the Google Play Store; the malware was able to bypass Google Bouncer and avoid detection.

Mobile Devices Are Now Miners

Cybercriminals have also branched out to making miners out of mobile devices. ANDROIDOS_KAGECOIN.HBT has the ability to mine cryptocurrencies like Bitcoin, Dogecoin, and Litecoin. The mining only occurs once the mobile device is charging so the excess usage will not be noticeable. However subtle the routine might try to be, it still takes a definite toll on the mobile device. Mining for digital currencies requires a lot of processing power that most phones do not have, so users will end up with phones with sluggish performance.

The New Frontier for Mobile Threats

One thing to note is that the malware discussed in this entry involves topics that are pretty popular within the tech landscape. TOR continues to gain popularity and awareness due to concerns over online privacy. Cryptocurrencies, like Bitcoin and Dogecoin, are fast becoming popular with the public as their monetary values continue to rise (and fall). This only shows that cybercriminals are willing to tap into anything remotely feasible in order to gain new victims.

With mobile threats reaching the 2 million mark, it’s important that users take the time to secure their devices. Scrutinizing apps, avoiding unknown URLs, and deleting suspicious messages and emails can contribute to a device’s security. Paying close attention to reported software vulnerabilities and flaws—such as the ones involving custom permissions and a system crash vulnerability—is also needed, as cybercriminals are wont to exploit these. The Trend Micro Mobile Threat Hub provides helpful information about mobile threats and other security tips for smartphones, tablets and other gadgets.

Posted in Malware, Mobile | Mobile Malware and High Risk Apps Reach 2M Mark, Go for “Firsts”

Microsoft has released a security bulletin announcing a zero-day vulnerability affecting Microsoft Word. Furthermore, the company states that there are “limited, targeted attacks directed at Microsoft Word 2010.” If exploited, this vulnerability (CVE-2014-1761) could allow a remote attacker to execute commands remotely via specially crafted files and email messages.

Microsoft has also released preliminary details of the vulnerability and the exploit code. The vulnerability is exploited if a user opens an RTF file in Microsoft Word or previews or opens an RTF email message in Microsoft Outlook using Microsoft Word as the email viewer. It should be noted that Microsoft Word is the default email reader for Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.

Several workarounds were included in Microsoft’s initial bulletin, including disabling the opening of RTF files and forcing Word to always open that type of file in Protected View. A Fix it tool has also been made available to help address the vulnerability while Microsoft works on a more permanent solution.

What’s interesting is that Microsoft Word 2003 is listed as one of the affected software for this particular vulnerability—just a couple of weeks before support for Microsoft Office 2003 ends on April 8th. We advise users to upgrade to later versions of the software to continue receiving security updates.

We are currently looking into this vulnerability and will provide further information as appropriate. Trend Micro Deep Security has released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

• 1005990 – Microsoft Word RTF Remote Code Execution Vulnerability (CVE-2014-1761)

Update as of April 4, 2014, 3:08 P.M. PDT

Exploits related to this vulnerability are detected by Trend Micro as the following:


Microsoft has released five bulletins for the month, with two rated as critical and the remaining three as important. A notable inclusion in this month’s release is MS14-012. This bulletin addresses the Internet Explorer zero-day vulnerability (CVE-2014-0322) discovered last month. If exploited, the vulnerability could allow attackers to victimize users with a drive-by download. This vulnerability was used in targeted attacks, using a “hybrid exploit” wherein the malicious code was split between JavaScript and Adobe Flash.

The remaining “Critical” bulletin is MS14-013. If exploited, this vulnerability could allow attackers remote code execution in the DirectShow application programming interface via specially crafted image files. MS14-014, meanwhile, addresses a security concern in Microsoft Silverlight for both Windows and Mac users. Though Silverlight is no longer being developed by Microsoft, support for this program will continue until October 2021.

Two vulnerabilities, CVE-2014-0300 and CVE-2014-0323, are addressed by the bulletin MS14-015. If exploited, these could allow attackers to execute a malicious application, provided they have a valid logged-in session. MS14-016 fixes a vulnerability that could allow attackers a security feature bypass if they make multiple attempts to match passwords to a user account.

This month’s Patch Tuesday marks the looming end-of-support for Windows XP. Come April, Windows XP users will no longer receive security patches for their computers, making them vulnerable to all sorts of attacks. We recommend that users update their OS to newer versions of Windows to continue to receive protection via security patches.

Adobe has also released updates in time for Patch Tuesday, with security updates for Adobe Flash Player.

We encourage users to apply these updates as soon as possible. Additional information may also be found in the Trend Micro Threat Encyclopedia page. Appropriate rules for Trend Micro Deep Security have also been created and are available for use by system administrators.

Posted in Vulnerabilities | Five Bulletins for March 2014 Patch Tuesday, Including One for Mac Users

© Copyright 2013 Trend Micro Inc. All rights reserved.