    TrendLabs Security Intelligence Blog

    Author Archive - Bernadette Irinco (Technical Communications)

    We’re currently investigating a new zero-day exploit that affects Internet Explorer versions 7, 8, and 9. The exploit, which is detected by Trend Micro as HTML_EXPDROP.II, is found to be hosted in {BLOCKED}.{BLOCKED}.104.149. Incidentally, this server also hosted the Java zero-day exploit reported last August 30.

    Based on our initial analysis, when executed, HTML_EXPDROP.II drops a malicious .SWF file (SWF_DROPPR.II). The .SWF file then drops a backdoor detected as BKDR_POISON.BMN. More information on the analysis will be posted in this entry.

    Trend Micro Smart Protection Network™ blocks access to the malicious servers and detects the exploit and other malicious files. Watch this space for updates and additional analysis information.

    Update as of September 18, 2012 6:11 AM PDT

    We have identified a second attack that uses this zero-day exploit as well. BKDR_PLUGX.BNM, a variant of the recently discovered PlugX remote access tool (RAT), is the payload of this other attack. It has been demonstrated to have significant information theft and backdoor capabilities, and is used as a component of sophisticated information theft campaigns.

    We detect the malicious files as noted above and URL reputation blocks access to the command-and-control servers. In addition, Deep Security protects users from this threat via IDF rule 1005194 – Microsoft Internet Explorer ‘execCommand’ Use-After-Free Vulnerability.

    Update as of September 18, 2012 6:57 PM PDT

    Microsoft announced that they will be issuing a workaround for this vulnerability within the next few days.

    Update as of September 18, 2012 11:22 PM PDT

    BKDR_PLUGX.BNM has been renamed to TROJ_PLUGX.ME. For more information on PlugX and its capabilities, please check our previous reports:

    Update as of September 19, 2012 10:02 PM PDT

    Microsoft has announced that an out-of-band patch to resolve this vulnerability will be released on Friday, at 10AM PDT (5PM UTC). In the meantime, a workaround has also been added to the earlier bulletin.

    While this vulnerability may have seen limited exploitation previously, we have seen more and more attacks exploiting this security hole. This may have led Microsoft to decide to release a patch outside of the regular Patch Tuesday cycle.

    Until the patch is released, the browser exploit prevention built into Titanium 2013 also protects users against exploits targeting this vulnerability.


    The security holes in virtual environments open up enterprises to threats that may result in business disruption, data theft, and financial loss. Cybercriminals leverage vulnerabilities in web servers and web applications to access parts of a company’s servers that they should not be able to reach. These vulnerabilities can be used to access company assets ranging from customer databases to trade secrets. The stolen information can be sold in underground forums or used to launch a far more damaging attack.

    However, despite the obvious risk to the company’s data and the cost of data breaches, system administrators either prefer or are forced to keep their servers unpatched. System administrators sometimes delay patch deployment since restarts are necessary for updates to take effect. For systems requiring 100% uptime, this could mean significant business loss. Vendors may also take time (ranging from days to weeks, even years) to develop patches for vulnerabilities, so administrators have no choice. Just recently, Microsoft announced zero-day attacks against a vulnerability in Microsoft XML Core Services; once exploited, it allows an attacker to control an affected system via a web-based browser attack. At the time of the announcement, no patch was available yet. In 2011 alone, 1822 critical ‘software flaw’ vulnerabilities were reported, each of which more or less put organizations at risk. As such, administrators must make a difficult call that may expose their networks to threats, putting company data at risk.

    The infographic “Looking Beyond the Challenges of Securing Virtual Environments” shows virtualization-specific issues that can introduce threats to the corporate network, such as legacy exploits, proofs of concept (PoCs), and zero-day attacks. Once threats slip through these security holes, they may potentially damage a brand name/image or, worse, lead to the loss of company “crown jewels.”


    During the third quarter of 2011, the threat landscape saw great shifts and replacements, as well as continued cybercriminal efforts. The nature of the attacks seen in the past quarter mostly dealt with software vulnerabilities and different threat infection vectors. This signified possible changes in cybercriminal strategy.

    First off, Google replaced Microsoft as the software vendor with the greatest number of reported vulnerabilities for the quarter—82. This is due to the increasing number of vulnerabilities found in Chrome, which continues to grow in popularity. Oracle came in second place, with 63 vulnerabilities, while Microsoft fell to third place with 58 vulnerabilities.

    Furthermore, the United States, which normally takes the top spot in the list of spam-sending countries, dropped out of the top 10 list and was replaced by India and South Korea. South Korea has earlier expressed willingness to take action in order to reduce the spamming activity in its country by blocking port 25 on a nationwide level.

    Trend Micro threat researchers also witnessed a significant shift in terms of cybercriminal attack targets. The attacks have changed from being massive in nature—those aimed at affecting as many users as possible—to targeted, particularly those against large enterprises and government institutions. Research conducted by Trend Micro researchers on these attacks led them to the discovery of one of the most notable groups behind targeted attacks in the third quarter—the LURID downloader.



    When talking about social media threats, the focus tends to be on the notorious KOOBFACE malware, which has recently turned over a “new leaf” and now propagates via peer-to-peer (P2P) file sharing.

    However, KOOBFACE is not the only threat that hounds social media. These social networking sites also have features that can become threat vectors. A seemingly harmless wall post from a friend, a video shared by an online contact, or an instant message from a colleague can potentially lead to an attack.

    These features are meant to make socializing effective and meaningful. However, they have also been used by cybercriminals in their attacks.

    On Facebook, the wall is the riskiest region of the user interface. Cybercriminals have concocted several threats leveraging popular news items such as the deaths of Osama bin Laden and singer Amy Winehouse, and even the hoax of Lady Gaga’s death.

    To give avid users a rundown of potential threats they may encounter, here’s an infographic on the current landscape, or geography, of social media threats.

    For tips on how to arm yourself against social media threats, check out our e-book, “A Guide to Threats on Social Media.”


    As expected, criminals are now taking advantage of the notoriety of Stuxnet as a mechanism to deploy malicious code. Senior Threats Researcher Ivan Macalintal found poisoned search results that leveraged this notorious malware threat. Some of the search strings used in this blackhat SEO campaign include “stuxnet SCADA,” “stuxnet removal tool,” “stuxnet cleanup,” “stuxnet siemens,” and “stuxnet worm,” among others. Some of these poisoned search words/phrases appeared among the top results. One of the malicious URLs ({BLOCKED}) that the search strings point to leads users to sites that exploit the vulnerabilities described in CVE-2010-0886 and CVE-2010-1885. Moreover, in some of the search results seen, users are redirected to sites with PDF and SWF exploits.

    In effect, these lead to various payloads, including a downloader that installs other malicious code on the system, and a FAKEAV variant detected as TROJ_FAKEAV.SMZU. FAKEAV variants are known for banking on popular searches and news events to lead users into buying rogue antivirus software.


    Another example is the malicious URL {BLOCKED} (another malicious site that the search strings yield), which disguises itself as a fake YouTube page and points users to malware. Trend Micro detects it as TROJ_CODECPAY.AY.

    In the past, cybercriminals have taken advantage of popular security threats like Conficker to proliferate their malicious deeds.

    Users who were infected by Stuxnet and/or are curious about this threat may be lured into clicking these poisoned search results. As a safety precaution, never click on these URLs, and get information about Stuxnet from trusted websites only.

    Here are some previous blog posts that have discussed Stuxnet:

    Trend Micro users are protected from this attack via the Trend Micro™ Smart Protection Network™, which blocks all related malicious URLs and detects the malicious files.

    Update as of October 1, 2010, 12:30 AM, UTC-7

    The PDF and SWF exploits that were seen in these attacks are now detected as TROJ_PIDIEF.XE and SWF_AGENT.WAW, respectively.

    Stuxnet was first seen in relation to the Windows LNK zero-day vulnerability, as discussed in the following link:



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice