Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Zero-Day Alerts

  • Hacking Team Leak

  • Recent Posts

  • Calendar

    July 2015
    S M T W T F S
    « Jun    
  • Email Subscription

  • About Us

    Author Archive - Abigail Pichel (Technical Communications)

    Patch-Tuesday_grayThis month’s Patch Tuesday is primarily notable for two reasons. It addresses the recent zero-day vulnerability for Microsoft Word and it also marks the last Patch Tuesday for Windows XP and Microsoft Office 2003. All in all, April Patch Tuesday is relatively light, with only two ‘critical’ and two ‘important’ updates.

    One ‘critical’ update is a patch (MS14-017) addressing the recent zero-day affecting Microsoft Word and Office web applications. If exploited, this vulnerability (CVE-2014-1761) could allow a remote attacker to execute commands remotely via specially crafted files and email messages. This vulnerability was first reported by Microsoft in a Security Advisory, which also contained a fixit tool. According to an advance notification from the company, users must disable the tool after the security update has been applied.

    This month’s release also includes a ‘critical’ cumulative security update for Internet Explorer. This will address six vulnerabilities for the application. If exploited, these could allow remote code execution if a user visits a specially crafted webpage. MS14-019 fixes a vulnerability of Microsoft Windows that will allow remote code execution if a user runs a specially crafted .BAT or .CMD file. A vulnerability in Microsoft Office is addressed by MS14-020. The vulnerability may allow remote code execution if a user opens a specially crafted file in an affected version of Microsoft Publisher.

    As mentioned earlier, this is also the last Patch Tuesday for Windows XP. After 13 years of service, Microsoft will not provide updates for the popular OS version. Users who rely on the platform may find their computers at increased risk as any vulnerability will not be patched anymore. Discussions about the Windows XP end-of-support may be found in our blog entries, “Managing Windows XP’s Risks in a Post-Support World” and “Windows XP Support Ending – Now What?” We encourage users to upgrade to later versions of Windows to ensure that computers remain protected.

    Though not as heavily publicized as Windows XP, Microsoft Office 2003 has also reached its end-of-support—or to be more precise, its extended end-of-support. Office 2003 users will no longer receive any extended period for updates and fixes. Like Windows XP users, Office 2003 users are encouraged to updater to later versions to continue to receive updates. However, users may also opt to go for open source applications like LibreOffice (for Windows and Linux) and NeoOffice (for Mac OS X).

    Microsoft has also released a security advisory containing updates for Adobe Flash Player in Internet Explorer. This update addresses vulnerabilities in Adobe Flash Player for Internet Explorer versions 10 and 11.

    We encourage users to apply these updates as soon as possible. Additional information may also be found in the Trend Micro Threat Encyclopedia page. Appropriate rules for Trend Micro Deep Security have also been created and are available for use by system administrators.

    Posted in Vulnerabilities | Comments Off on April 2014 Patch Tuesday Fixes Microsoft Word Zero-Day

    Just six months after mobile malware and high risk apps reached the one million mark, we have learned that that number has now doubled.

    Figure 1. The number of malicious and high risk apps reaches the 2M mark

    This milestone comes at the heels of the “tenth anniversary” of mobile malware. 2004 saw the first mobile malware—a proof-of-concept (PoC) malware named SYMBOS_CABIR—which infected Nokia phones. But it wasn’t until during the start of the smartphone era that mobile malware exploded onto the threat landscape. From relatively harmless pop-up messages, mobile malware has since evolved to include premium service abuse, information theft, backdoors, and even rootkits.

    And the threats continue to evolve. After hitting the 1M mark, we are now seeing mobile malware veer into pioneer territory. These malware could very well be the bellwether for the kinds of malware we’ll be seeing in the following months.

    Anonymity with TORBOT

    The Onion Router (more commonly known as TOR) is known as one way for users to become “anonymous” online. It’s also known for its connection to underground markets. Cybercriminals are now using TOR to hide their malicious mobile routines. ANDROIDOS_TORBOT.A is the first mobile malware to use TOR to connect to a remote server. Once connected, it performs routines like make phone calls, intercept and read text messages, and send text messages to a specific number. The use of the TOR network makes it more difficult to track down the activity and trace the C&C server.

    Proliferation with DENDROID

    We’ve often discussed how the number of mobile malware keeps increasing at a rapid pace. The creation of a particular remote access Trojan (RAT) mobile malware may soon become a significant contributor to that number.

    ANDROIDOS_DENDROID.HBT can take screenshots, photos, and video and audio recordings. It can also record calls. But what makes DENDROID notable is that it is also peddled as a crimeware tool. DENDROID is being sold in underground markets for US$300 with the promise of easily “Trojanizing” legitimate apps. DENDROID provides an APK binder tool, an APK client, and a background control panel for would-be buyers to repack created apps. Perhaps making it more alarming is that DENDROID was actually found in the Google Play Store.; the malware was able to bypass Google Bouncer and avoid detection.

    Mobile Devices Are Now Miners

    Cybercriminals have also branched out to making miners out of mobile devices. ANDROIDOS_KAGECOIN.HBT has the ability to mine cryptocurrencies like Bitcoin, Dogecoin, and Litecoin. The mining only occurs once the mobile device is charging so the excess usage will not be noticeable. However subtle the routine might try to be, the routine takes a definite toll on the mobile device. Mining for digital currencies requires a lot of processing power that most phones do not have so users will end up with phones with sluggish performance.

    The New Frontier for Mobile Threats

    One thing to note is that the malware discussed in this entry involve topics that are pretty popular within the tech landscape. TOR continues to gain popularity and awareness due to concerns over online privacy. Cryptocurrencies, like Bitcoin and Dogecoin, are fast becoming popular with the public as their monetary values continue to rise (and fall). This only shows that cybercriminals are willing to tap into anything remotely feasible in order to gain new victims.

    With mobile threats reaching the 2 million mark , it’s important that users take the time to secure their devices. Scrutinizing apps, avoiding unknown URLs, and deleting suspicious messages and emails can contribute to a device’s security. Paying close attention to reported software vulnerabilities and flaws—such as the ones involving custom permissions and a system crash vulnerability—is also needed as cybercriminals are wont to exploit these. The Trend Micro Mobile Threat Hub provides helpful information about mobile threats and other security tips for smartphones, tablets and other gadgets.

    Posted in Malware, Mobile | Comments Off on Mobile Malware and High Risk Apps Reach 2M Mark, Go for “Firsts”

    Microsoft has released a security bulletin announcing of a zero-day vulnerability affecting Microsoft Word. Furthermore, the company states that there are “limited, targeted attacks directed at Microsoft Word 2010.” If exploited, this vulnerability (CVE-2014-1761) could allow a remote attacker to execute commands remotely via specially crafted files and email messages.

    Microsoft has also released preliminary details of the vulnerability and the exploit code. The vulnerability is exploited if a user opens an RTF file in Microsoft Word or previews or opens an RTF email message in Microsoft Outlook using Microsoft Word as the email viewer. It should be noted that Microsoft Word is the default email reader for Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.

    Several workarounds were included in Microsoft’s initial bulletin, including disabling opening of RTF files and enforcing Word to always open said type of file in Protected View. A fixtool has also been made available to help address the vulnerability while Microsoft works on a more permanent solution.

    What’s interesting is that Microsoft Word 2003 is listed as one of the affected software for this particular vulnerability—just a couple of weeks before support for Microsoft Office 2003 ends on April 8th.  We advise users to upgrade to later versions of the software to continue receiving security updates.

    We are currently looking into this vulnerability and will provide further information as appropriate. Trend Micro Deep Security has released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

    • 1005990 – Microsoft Word RTF Remote Code Execution Vulnerability (CVE-2014-1761)

    Update as of April 4, 2014, 3:08 P.M. PDT

    Exploits related to this vulnerability are detected by Trend Micro as the following:



    Microsoft has released five bulletins for the month, with two rated as critical and the remaining, important. A notable inclusion in this month’s release is MS14-012. This bulletin addresses the Internet Explorer zero-day vulnerability (CVE-2014-0322) discovered last month. If exploited, the vulnerability could allow attackers to victimize users with a drive-by download. This vulnerability was used in targeted attacks, using a “hybrid exploit” wherein the malicious code was split between JavaScript and Adobe Flash.

    The remaining “Critical” bulletin is MS14-013. If exploited, this vulnerability could allow attackers remote code execution in the application programming interface DirectShow via specially crafted image files. MS14-014, meanwhile, addresses a security concern for Microsoft Silverlight for both Windows and Mac users. Though Silverlight is no longer being developed by Microsoft, support for this program will continue until October 2021.

    Two vulnerabilities, CVE-2014-0300 and CVE-2014-0323, are addressed by the bulletin MS14-015. If exploited, these could allow attackers to execute a malicious application, provided they have a valid logged-in session. MS14-016 fixes the vulnerability that could allow attackers a security feature bypass if they make multiple attempts to match passwords to a user account.

    This month’s Patch Tuesday marks the looming end-of-support for Windows XP. Come April, Windows XP will no longer receive security patches for their computers, making them vulnerable to all sorts of attacks. We recommend that users to update their OS to newer versions of Windows to continue to receive protection via security patches.

    Adobe has also released updates in time for Patch Tuesday, with security updates for Adobe Flash Player.

    We encourage users to apply these updates as soon as possible. Additional information may also be found in the Trend Micro Threat Encyclopedia page. Appropriate rules for Trend Micro Deep Security have also been created and are available for use by system administrators.

    Posted in Vulnerabilities | Comments Off on Five Bulletins for March 2014 Patch Tuesday, Including One for Mac Users


    This month’s Patch Tuesday features seven bulletins, with four rated as critical. Updates for Internet Explorer take the spotlight as one bulletin, MS14-010, addresses 24 vulnerabilities in Internet Explorer. These vulnerabilities could result in remote code execution, which could allow an attacker the same user rights as the current user.

    A second bulletin, MS14-007, addresses a separate vulnerability in Direct2D that can trigger remote code execution by opening a malicious website in Internet Explorer or opening an email attachment.

    The remaining critical vulnerability of most importance for most users is MS14-011, which patches a vulnerability in the VBScript scripting engine. If exploited, this could also trigger remote code execution.

    Another critical bulletin, MS14-008, affects Microsoft Forefront for Exchange. While this product is now discontinued, Microsoft has promised security updates until December 2015. Three other bulletins released today were rated as important by Microsoft.

    Other vendors have also been busy patching flaws in their software. Last week, Adobe released a patch to Flash Player to deal with reported in-the-wild vulnerabilities, and this week Shockwave Player received an update as well.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page for further information. Appropriate rules for Trend Micro Deep Security have also been created and are available for use by system administrators.

    Posted in Vulnerabilities | Comments Off on Four Critical Bulletins for February 2014 Patch Tuesday


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice