    TrendLabs Security Intelligence Blog

    Author Archive - Abigail Pichel (Technical Communications)




    We recently noticed that there has been an increase in spammed messages that use airline information as bait. These messages are made to look like notifications from airlines such as Delta Airlines, British Airways, US Airways, and American Airlines. Each message comes with an attachment—often in the form of a fake e-ticket—that recipients are supposed to open. This attachment is actually a BKDR_KULUOZ variant.

    Figure 1. Screenshot of sample spam

    KULUOZ variants are known to download and execute other malware, such as SIREFEF/ZACCESS and FAKEAV variants. KULUOZ variants are also evolving: we have seen one variant, detected as BKDR_KULUOZ.MN, that collects system information, including which antivirus product is installed on the affected computer. This is a routine previously unheard of in this malware family.

    While we have seen KULUOZ spam in the past, its volume has changed significantly in the past several months: KULUOZ spam now represents nearly half of all malicious spam attachments.

    Figure 2. Breakdown of spam attachments over a one-week period

    Based on our investigation, this batch of BKDR_KULUOZ is distributed by the Cutwail/Pushdo botnet. Previously, we noted that the same botnet was responsible for sending out Blackhole Exploit Kit (BHEK)-like spam that serves UPATRE variants.

    Previous instances of KULUOZ spam used shipping and airline notifications as bait. The exclusive use of airline tickets in this new campaign could be a deliberate move, considering people frequently travel over the holidays. Victims may be more inclined to click attachments if they’re actually expecting airline tickets.

    Users should remain extremely careful when opening messages. Since most of these messages are crafted to look as legitimate as possible, the safest check is to verify the booking with the airline through its official website or phone number, never through a link, phone number or attachment supplied by the email itself. Trend Micro Smart Protection Network blocks all related threats in this attack.
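Because the bait here is an attachment that claims to be a document but is really a program, a mail gateway or an analyst can catch most of this campaign without knowing the family at all by checking what an attachment is rather than what it says it is. The following is an added example (not Trend Micro's code) of that check in Python: it parses a message, decodes each attachment, opens ZIP containers, and flags executable extensions, double extensions and PE (MZ) headers. The message, sender address, booking reference and payload bytes are constructed for the example, and the list of executable extensions is a deliberately short assumption.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# File extensions Windows runs on double-click. Assumption: this short list is
# enough for the example; a production filter would be considerably longer.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 2  # nested archives beyond this are reported, not opened


def classify_blob(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return the reasons an attachment (or archive member) looks like an executable payload."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()          # member name inside an archive
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if ext in EXEC_EXTS:
        reasons.append(f"{name}: executable extension {ext}")
        if base.count(".") > 1:
            reasons.append(f"{name}: double extension hides the executable type")
    if data.startswith(PE_MAGIC):
        reasons.append(f"{name}: content is a Windows PE executable regardless of its name")
    if data.startswith(ZIP_MAGIC):
        if depth >= MAX_DEPTH:
            reasons.append(f"{name}: nested archive too deep, not opened")
            return reasons
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    reasons.extend(classify_blob(f"{name}/{member}", zf.read(member), depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: claims to be a ZIP but is malformed")
    return reasons


def triage_message(raw: bytes) -> List[str]:
    """Parse an RFC 5322 message and classify every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(classify_blob(name, part.get_payload(decode=True) or b""))
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed test message: sender, booking reference and payload bytes are made up."""
    msg = EmailMessage()
    msg["From"] = "E-ticket <noreply@example.com>"
    msg["Subject"] = "Your flight itinerary and e-ticket"
    msg.set_content("Your e-ticket is attached. Please print it before check-in.")
    if malicious:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            # A PE stub: the MZ header is all the triage logic needs to see.
            zf.writestr("eTicket.pdf.exe", b"MZ" + b"\x90" * 62)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="eTicket_ABC123.zip")
    else:
        msg.add_attachment(b"%PDF-1.4\n%...\n", maintype="application", subtype="pdf",
                           filename="eTicket_ABC123.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample(malicious=True)):
        print(finding)
```

The constructed malicious sample produces three findings for the ZIP member (executable extension, double extension, PE header) and the benign PDF produces none. The point of checking the first bytes as well as the name is that renaming a backdoor to `eTicket.pdf` defeats an extension filter but not the MZ check.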

    With additional insights from Merianne Polintan, Jerwin Solidum, Maydelene Salvador, and Mark Manahan.

    Posted in Botnets, Spam



    The last Patch Tuesday of the year features 11 bulletins, with five rated as Critical and the remaining six as Important. This month’s release addresses a notable zero-day vulnerability that was used in attacks. The bulletin in question, MS13-096, was noticeably absent from last month’s Patch Tuesday. As previously reported, attackers took advantage of the vulnerability (CVE-2013-3906) by embedding malicious .TIFF images in .DOC files; opening the document runs the attacker’s code with the privileges of the logged-on user.

    Unfortunately, another zero-day vulnerability remains unpatched. Microsoft said earlier that a fix for the Windows kernel elevation-of-privilege vulnerability (CVE-2013-5065) would not be included in this month’s security releases, so the recommendations and workarounds issued when it was discovered remain in effect (for Windows XP and Server 2003, Microsoft’s workaround of rerouting the NDProxy driver to Null.sys, at the cost of services that depend on TAPI). Trend Micro Deep Security has been protecting users from threats exploiting this vulnerability via the rule 1005801 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2013-5065) since its discovery.

    The remaining Critical bulletins address vulnerabilities in Microsoft Windows, Internet Explorer, and Microsoft Exchange; exploiting them may allow remote code execution.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page. Trend Micro Deep Security protects customers from threats via the following rules:

    • 1005805 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-5047)
    • 1005806 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-5048)
    • 1005807 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-5049)
    • 1005808 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-5051)
    • 1005809 — Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-5052)
    • 1005764 — Microsoft Graphics Component Remote Code Execution Vulnerability (CVE-2013-3906)
    • 1005812 — Microsoft Scripting Runtime Object Library Use-After-Free Vulnerability (CVE-2013-5056)
    • 1005815 — Microsoft WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900)
    • 1000552 — Generic Cross Site Scripting(XSS) Prevention
    Posted in Vulnerabilities



    Spam may be seen by the public as a minor nuisance now, but this couldn’t be further from the truth. We recently encountered spam that triggers an infection chain with ZBOT malware as the end result.

    The spammed message purports to come from Allergan Limited, the UK arm of the global health care company Allergan, Inc. The message tells the recipient that the attachment contains their medical information. The attachment is actually malicious and is detected as TROJ_ARTIEF.PI. This malware takes advantage of the MSCOMCTL.OCX RCE vulnerability (CVE-2012-0158), which affects Microsoft Office 2003, 2007, and 2010. This vulnerability was also targeted in other threats we have documented, including the spoofed APEC 2013 email and the EvilGrab malware found in the Asia-Pacific region.
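Both this attachment and the .DOC files with embedded .TIFF images mentioned in the Patch Tuesday entry above exploit Office while the document is being parsed, so triage has to look inside the document rather than at its extension. The following is an added example (not Trend Micro's code) of a small Python scanner that handles raw .doc/.rtf files and .docx ZIP containers, flagging TIFF image headers (the MS13-096 / CVE-2013-3906 vector) and the MSCOMCTL ListView control CLSID that public signatures for CVE-2012-0158 typically key on, in its binary, RTF hex-encoded and OOXML text forms. The sample documents are constructed and carry no exploit code; treating the ListView CLSID as the only MSCOMCTL control of interest is an assumption, and a hit means "look closer", not "malicious".

```python
import io
import uuid
import zipfile
from typing import List

# TIFF headers, little- and big-endian. Word keeps pictures as raw image data inside
# OLE2 .doc files and as word/media/* members in .docx, so a TIFF header in a
# document that has no business carrying one deserves a closer look.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")

# CLSID of the MSCOMCTL.OCX ListView control. Assumption: this is the only control
# we care about; real signatures for CVE-2012-0158 also cover its siblings.
LISTVIEW_CLSID = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628")
CLSID_BIN = LISTVIEW_CLSID.bytes_le                 # binary form in OLE/ActiveX streams
CLSID_HEX = CLSID_BIN.hex().encode()               # hex-encoded form inside RTF \objdata
CLSID_TEXT = str(LISTVIEW_CLSID).encode()          # text form in OOXML activeX*.xml
CLSID_MSG = "MSCOMCTL ListView CLSID (CVE-2012-0158 indicator)"

OOXML_MAGIC = b"PK\x03\x04"
MAX_MEMBER = 20_000_000  # crude zip-bomb guard for .docx members


def scan_blob(name: str, data: bytes) -> List[str]:
    """Flag TIFF headers and the ListView CLSID inside one stream or archive member."""
    hits = []
    for magic in TIFF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            hits.append(f"{name}: TIFF header at offset {pos}")
            pos = data.find(magic, pos + 1)
    if CLSID_BIN in data:
        hits.append(f"{name}: {CLSID_MSG}")
    else:
        lowered = data.lower()  # the hex and text forms appear in either case
        if CLSID_HEX in lowered or CLSID_TEXT in lowered:
            hits.append(f"{name}: {CLSID_MSG}")
    return hits


def scan_document(data: bytes) -> List[str]:
    """Scan a .doc/.rtf (raw bytes) or a .docx (ZIP container) attachment."""
    if not data.startswith(OOXML_MAGIC):
        return scan_blob("<raw>", data)
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER:
                hits.append(f"{info.filename}: skipped, oversized member")
                continue
            hits.extend(scan_blob(info.filename, zf.read(info)))
    return hits


# --- constructed samples (no exploit code, just the indicators) ---------------

def sample_doc_with_tiff() -> bytes:
    """OLE2 compound-file header, padding, then a little-endian TIFF header."""
    return (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
            + b"II*\x00\x08\x00\x00\x00" + b"\x00" * 64)


def sample_rtf_with_listview() -> bytes:
    """RTF whose \\objdata carries the ListView CLSID hex-encoded (upper case)."""
    return (b"{\\rtf1{\\object\\objocx{\\*\\objdata "
            + CLSID_BIN.hex().upper().encode() + b"}}}")


def sample_docx_with_listview() -> bytes:
    """OOXML package whose ActiveX part references the ListView control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        zf.writestr("word/activeX/activeX1.xml",
                    f'<ax:ocx ax:classid="{{{str(LISTVIEW_CLSID).upper()}}}"/>')
    return buf.getvalue()


def sample_benign_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    for build in (sample_doc_with_tiff, sample_rtf_with_listview,
                  sample_docx_with_listview, sample_benign_docx):
        print(build.__name__, scan_document(build()))
```

The three forms of the CLSID matter in practice: an ActiveX control reaches Word as a binary GUID in an OLE stream, as ASCII hex when an RTF `\objdata` group wraps that stream, and as the plain text `{BDD1F04B-...}` in a .docx `activeX*.xml` part, and a scanner that checks only one of them misses the other two packagings of the same exploit.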


    Figure 1. Fake email from Allergan Limited

    This malware drops and executes BKDR_LIFTOH.AD, a backdoor that often downloads ZBOT. In this instance it leads to the download of TSPY_ZBOT.VHP. ZBOT malware is known for stealing login credentials and account information, particularly from online banking users.

    One interesting detail in this particular attack is the use of BKDR_LIFTOH malware. Variants often propagate via social networking sites and multi-protocol instant messaging (IM) programs. Propagation through spam is quite rare.

    This isn’t the only spam that employs the same attack. We spotted other spam with the same malware attachment, but with different content. Content from these emails suggests that these messages target British users.



    Figures 2 and 3. Other similar spammed messages

    Users should always take extra precaution with email attachments; in general, attachments should not be opened unless the recipient is expecting them, and email from unknown senders should be ignored or deleted immediately. Trend Micro protects users from this threat by blocking the spam messages and detecting the malware cited in this entry.

    With additional insights from Eruel Ramos and Alvin Bacani

    Posted in Malware, Spam



    Online banking is one of the many tasks that have been made more convenient by mobile technology. Now, users can purchase products and services, pay their bills, and manage their finances from anywhere, at any time. However, threats against mobile banking exist, and these need to be addressed and secured against.

    Some of these threats include:

    • Mobile phishing – malicious mobile websites that pass themselves off as login websites of legitimate organizations, such as banks and social networks. These are designed to trick users into entering their login information. So far, in this quarter, nearly half of all mobile phishing websites spoof financial services websites.
    • Malicious apps – Apps that contain malicious routines, such as stealing information from the device they’ve been installed on. These are usually found either in third-party app stores or malicious websites, and frequently passed off as legitimate apps.
    • Trojanized apps – Legitimate apps that have been repackaged with malicious code. These are more dangerous because, to the end user, they are indistinguishable from the real app; the malicious routines can therefore run for a long time before the user suspects anything.

    Figure 1. Distribution of types of mobile phishing pages in Q3 2013 to date

    While banks are taking steps to reduce losses due to mobile banking, in the end users – both individuals and businesses – must take steps to protect themselves. Users should be familiar with their bank’s mobile banking procedures, in order to more easily spot things that are “off” and could indicate an attack. In general, too, good computing habits will help keep users secure.

    Businesses need to understand and educate their staff about the risks related to online banking, so that the bottom line is not at risk from these threats. This may include guidelines on whether employees can/should use mobile banking from personal devices. In addition, businesses should work together with their bank to look into possible procedures and steps to reduce known risks.

    For more information about mobile banking and how to secure it, we have recently released the latest edition of our Monthly Mobile Report titled Security in Mobile Banking, as well as an e-guide. These discuss the basics of mobile banking, and how they should be secured.

    Posted in Mobile



    The discovery (and subsequent media coverage) of the mobile malware OBAD shows that mobile threats continue to be a serious concern for users. Just like Windows malware, mobile malware is becoming more sophisticated, both in technique and in deployment. This confirms one of our 2013 security predictions.

    OBAD exploits an Android vulnerability to avoid detection and uninstallation. OBAD’s propagation method is notable because of its use of Bluetooth, a routine previously seen in Symbian malware.

    FAKEAV mobile malware routines now include pop-up windows and messages about “infected” apps. Rather than show persistent notifications, mobile ads now lead users to web threats.

    These refinements take advantage of characteristics of the current mobile landscape. Android vulnerabilities are exploited because Android fragmentation makes it difficult to deliver fixes to devices promptly. Concern over Android’s update problems also feeds the general anxiety about mobile malware, which makes it easier for users to fall for mobile FAKEAV.

    Our latest monthly mobile report discusses these emerging threats, issues affecting or influencing these threats, and what you can do to help secure your devices better.

    Posted in Mobile



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice