    TrendLabs Security Intelligence Blog

    Author Archive - Bernadette Irinco (Technical Communications)

    This month, Microsoft released six security bulletins, four of which are rated critical. Included in this release is MS12-071, which addresses vulnerabilities in Internet Explorer. The said vulnerabilities could lead to remote code execution via a specially crafted website; a remote attacker who exploits them could gain the same rights as the logged-on user, compromising the security of the system.

    Microsoft also addressed vulnerabilities affecting the newly released Windows 8 and Windows RT, the version of Windows that runs on tablets. Other notable security bulletins are MS12-076, which addresses vulnerabilities in Microsoft Excel, and MS12-075, which could allow remote code execution with kernel privileges.

    In other news, there were reports of a zero-day exploit targeting Adobe Reader. The exploit is reportedly being sold in the cybercrime underground and is used by the cybercriminals behind the Blackhole exploit kit. TrendLabs researchers are continuously monitoring and investigating this for any developments.

    Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin actively protect users against possible threats leveraging these vulnerabilities. For more information on the bulletins and their IDF rules, visit the Threat Encyclopedia page.

    Posted in Vulnerabilities

    DORKBOT, also known as NgrBot, is not a new threat. In fact, it was seen in the wild as early as 2011. Yet last week, DORKBOT made the news for spreading via spammed Skype messages, and it has now reached more than 17,500 reported infections globally. So what is DORKBOT, really?

    A worm with multiple propagation routines

    DORKBOT typically spreads in several ways: social media (such as Facebook and Twitter), instant messaging applications (Windows Live Messenger, mIRC, and now Skype), and via USB drives.

    When propagating via social media and instant messaging applications, DORKBOT variants first connect to a website in order to get the affected system’s IP address and location. This is done to pick the appropriate language for the messages sent via instant messaging applications or social networks. In the Skype attack, however, the DORKBOT variants (WORM_DORKBOT.IF and WORM_DORKBOT.DN) check the system locale instead in order to select the language.

    Here are some of the messages used, based on our analysis:

    • lol is this your new profile pic
    • hej to jest twój nowy obraz profil?
    • eínai aftí i néa fotografía profíl sas?
    • это новый аватар вашего профиля?))
    • سؤال هي صورتك ؟
    • moin, kaum zu glauben was für schöne fotos von dir auf deinem profil
    • hej er det din nye profil billede?
    • hej je to vasa nova slika profila
    • hey is dit je nieuwe profielfoto?
    • hei zhè shì ni de gèrén ziliào zhàopiàn ma?
    • tung, cka paske lyp ti nket fotografi?
    • hey c’est votre nouvelle photo de profil?
    • hey é essa sua foto de perfil? rsrsrsrsrsrsrs
    • ¿hey esta es tu nueva foto de perfil?
    • ni phaph porfil khxng khun?
    • hej detta är din nya profilbild?
    • hey è la tua immagine del profilo nuovo?
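As an added illustration (not code from the original post), the following Python snippet normalizes instant-messaging text and matches it against a subset of the lure strings listed above, then flags accounts that send lures repeatedly, which is the sender-side signal a defender wants. The log line format, the sender names and the URLs are constructed for the example.

```python
import re
import unicodedata
from collections import Counter
# A subset of the lure strings quoted in the post above; a real deployment would
# load a maintained list instead of hard-coding it.
DORKBOT_LURES = [
    "lol is this your new profile pic",
    "hej to jest twój nowy obraz profil?",
    "это новый аватар вашего профиля?))",
    "hey c’est votre nouvelle photo de profil?",
    "¿hey esta es tu nueva foto de perfil?",
    "hej detta är din nya profilbild?",
]

def normalize(text):
    # Unify Unicode forms, casefold, replace punctuation/symbols with spaces and
    # squeeze whitespace, so "LOL is this your new profile pic?!" hits the lure.
    text = unicodedata.normalize("NFKC", text).casefold()
    text = "".join(" " if unicodedata.category(c)[0] in "PS" else c for c in text)
    return " ".join(text.split())

def match_lure(message):
    """Return the known lure that the message reproduces, or None."""
    norm = normalize(message)
    for lure in DORKBOT_LURES:
        if normalize(lure) in norm:
            return lure
    return None
# Constructed IM export lines in the hypothetical form "<date> <time> <sender>: <text>".
SAMPLE_LOG = [
    "2012-10-09 10:15:02 alice: lunch at 12?",
    "2012-10-09 10:15:40 bob: LOL is this your new profile pic?! http://example.invalid/img",
    "2012-10-09 10:16:05 bob: Это новый аватар вашего профиля?)) http://example.invalid/img",
    "2012-10-09 10:17:11 carol: hej detta är din nya profilbild? http://example.invalid/img",
]
LOG_LINE = re.compile(r"^(\S+) (\S+) ([^:]+): (.*)$")

def scan_chat_log(lines):
    """Return (sender, lure) for every line that carries a known lure."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        lure = match_lure(m.group(4)) if m else None
        if lure:
            hits.append((m.group(3), lure))
    return hits

def senders_to_review(lines, min_hits=2):
    """Accounts that pushed lures repeatedly are the likely infected hosts."""
    counts = Counter(sender for sender, _ in scan_chat_log(lines))
    return sorted(s for s, n in counts.items() if n >= min_hits)
```

Matching on normalized text rather than exact strings catches the trailing punctuation, emoticons and appended links that vary between sightings; a recipient who receives one lure is a target, while a sender who emits several is the account to clean up.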



    After the out-of-band update for the IE zero-day reported a few weeks ago, this month’s patch cycle is a fairly light one. Today, Microsoft released seven bulletins addressing several vulnerabilities for October. Of these security updates, only one is tagged as critical.

    Included in this release is MS12-064, which addresses vulnerabilities in Microsoft Office. Once one of these vulnerabilities is exploited via a specially crafted .RTF file, it could result in remote code execution, compromising the security of the system. Another notable security update is MS12-070, which patches a vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). Remote attackers can execute commands when this vulnerability is exploited; an attacker only needs to send users a specially crafted link or create a web page hosting an exploit.

    Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin have protected users since this security advisory was released. For more information on the bulletins and their IDF rules, visit the Threat Encyclopedia page.

    Posted in Bad Sites

    Web applications have become crucial for enterprises to meet customer demands and conduct business on the web. Web apps process data—anything from retail orders to B2B transactions—and store results in a back-end database server where data such as customer information sits.

    However, web apps also introduce security risks, such as attacks that leverage server and application vulnerabilities. Factors that contribute to these risks include rapid application development in which security is overlooked, the existence of legacy and custom-made web apps, and the complex nature of transactions done online.

    Moreover, security often becomes a second priority when web developers are commissioned to deliver websites that are fast, scalable, and have a good user interface for various users (customers, partners, and employees). There are also cases where IT administrators delay deploying patches for web-related servers and databases if the patch is unstable, buggy, or incomplete.

    Aside from web apps, vulnerabilities in web and database servers can be used by cybercriminals to penetrate enterprise networks, which can result in business disruption, a damaged brand image, or the loss of critical data. For instance, the “Apache Killer,” a tool that takes advantage of an Apache HTTP Server vulnerability, enables a denial of service (DoS) attack when the vulnerability is exploited. We also spotted a vulnerability in Oracle Database Server’s TNS listener that can allow access to the database without the need to enter a user name or password.

    In the TrendLabs primer Web Applications Vulnerabilities: How’s Your Business on the Web?, we tackled various security risks affecting web, web application, and database servers and the situations that introduce these risks into the network. It also delves into solutions that can mitigate attacks and protect the network from security loopholes.

    Posted in Vulnerabilities

    We’re currently investigating a new zero-day exploit that affects Internet Explorer versions 7, 8, and 9. The exploit, detected by Trend Micro as HTML_EXPDROP.II, was found hosted at {BLOCKED}.{BLOCKED}.104.149. Incidentally, this server also hosted the Java zero-day exploit reported last August 30.

    Based on our initial analysis, when executed, HTML_EXPDROP.II drops a malicious .SWF file (SWF_DROPPR.II). The .SWF file then drops a backdoor detected as BKDR_POISON.BMN. More information on the analysis will be posted in this entry.

    Trend Micro Smart Protection Network™ blocks access to the malicious servers and detects the exploit and other malicious files. Watch this space for updates and additional analysis information.

    Update as of September 18, 2012 6:11 AM PDT

    We have identified a second attack that uses this zero-day exploit as well. Its payload is BKDR_PLUGX.BNM, a variant of the recently discovered PlugX remote access tool (RAT). PlugX has been demonstrated to have significant information theft and backdoor capabilities, and is used as a component of sophisticated information theft campaigns.

    We detect the malicious files as noted above, and URL reputation blocks access to the command-and-control servers. In addition, Deep Security protects users from this threat via IDF rule 1005194 – Microsoft Internet Explorer ‘execCommand’ Use-After-Free Vulnerability.

    Update as of September 18, 2012 6:57 PM PDT

    Microsoft announced that they will be issuing a workaround for this vulnerability within the next few days.

    Update as of September 18, 2012 11:22 PM PDT

    BKDR_PLUGX.BNM has been renamed to TROJ_PLUGX.ME. For more information on PlugX and its capabilities, please check our previous reports:

    Update as of September 19, 2012 10:02 PM PDT

    Microsoft has announced that an out-of-band patch to resolve this vulnerability will be released on Friday at 10 AM PDT (5 PM UTC). In the meantime, a workaround has also been added to the earlier bulletin.

    While this vulnerability may have seen limited exploitation previously, we have seen more and more attacks exploiting this security hole. This may have led Microsoft to decide to release a patch outside of the regular Patch Tuesday cycle.

    Until the patch is released, the browser exploit prevention built into Titanium 2013 also protects users against exploits targeting this vulnerability.



    © Copyright 2013 Trend Micro Inc. All rights reserved.