    Author Archive - David Sancho (Senior Threat Researcher)


    Like Swiss Emmental cheese, the ways your online banking accounts are protected might be full of holes. Banks have been trying to prevent crooks from accessing your online accounts for ages. Passwords, PINs, coordinate cards, TANs, session tokens – all of these were created to help prevent banking fraud. We recently came across a criminal operation that aims to defeat one of these tools: session tokens. Here’s how they pull it off.

    This criminal gang intends to target banks that use session tokens sent through SMS (i.e., text messaging). This is a two-factor authentication method that uses the user’s phone as a secondary channel. Trying to log into the banking site prompts the bank to send the user an SMS with a number. The user needs to enter that number along with their regular username and password in order to transact with the bank. This is the default method at some banks in Austria, Sweden, Switzerland, and other European countries.

    Cybercriminals spam users from those countries with emails spoofing well-known online retailers. The users click a malicious link or attachment and get their computers infected with malware. So far, all this is fairly typical and from a threat perspective, a bit boring.

    But here’s where it gets interesting. The users’ computers don’t really get infected—not with the usual banking malware, anyway. The malware only changes the configuration of their computers and then removes itself. How’s that for an undetectable infection? The changes are small… but have big repercussions.

    Here’s how it works: the users’ computers’ DNS settings are changed to point to a foreign server controlled by the cybercriminals. The malware also installs a rogue SSL root certificate on their systems so that the malicious HTTPS servers are trusted by default and the users see no security warning.
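    The two host changes just described (resolvers repointed to an attacker-controlled server, plus a rogue root CA that silences the HTTPS warning the DNS hijack would otherwise cause) are exactly what an endpoint baseline check can catch. The following is an added example, not Trend Micro’s code: it compares constructed configuration snapshots against an allowlist of approved resolvers and known trust anchors; the collection method named in the comment is an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass
import ipaddress


@dataclass
class HostConfig:
    """Snapshot of the two settings Emmental tampers with. On Windows these would
    be collected with Get-DnsClientServerAddress and Get-ChildItem Cert:\\LocalMachine\\Root
    (assumed collection step; not shown here)."""
    hostname: str
    dns_servers: list[str]
    root_ca_sha256: set[str]   # hex SHA-256 fingerprints of trusted root CAs


@dataclass
class Baseline:
    allowed_resolvers: list[ipaddress.IPv4Network | ipaddress.IPv6Network]
    known_root_ca_sha256: set[str]


def check_host(cfg: HostConfig, baseline: Baseline) -> list[str]:
    """Return one finding per deviation from the baseline; an empty list means clean."""
    findings: list[str] = []
    for server in cfg.dns_servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"{cfg.hostname}: unparseable DNS server {server!r}")
            continue
        if not any(addr in net for net in baseline.allowed_resolvers):
            findings.append(f"{cfg.hostname}: DNS server {server} is not an approved resolver")
    # Any trust anchor missing from the baseline is reported: a rogue root CA is what
    # lets the attacker's HTTPS site load without a browser warning once DNS is hijacked.
    for fp in sorted(cfg.root_ca_sha256 - baseline.known_root_ca_sha256):
        findings.append(f"{cfg.hostname}: unexpected trusted root CA sha256={fp[:12]}...")
    return findings


# Constructed sample data: placeholder fingerprints form the baseline, and
# 198.51.100.23 (a documentation address) stands in for the attacker's resolver.
BASELINE = Baseline(
    allowed_resolvers=[ipaddress.ip_network("10.0.0.0/8"),
                       ipaddress.ip_network("fd00::/8")],
    known_root_ca_sha256={"aa" * 32, "bb" * 32},
)
CLEAN_HOST = HostConfig("ws-clean", ["10.1.1.53", "10.1.2.53"], {"aa" * 32, "bb" * 32})
INFECTED_HOST = HostConfig("ws-infected", ["198.51.100.23", "10.1.1.53"],
                           {"aa" * 32, "bb" * 32, "ee" * 32})

if __name__ == "__main__":
    for host in (CLEAN_HOST, INFECTED_HOST):
        print(host.hostname, check_host(host, BASELINE) or ["OK"])
```

    A host that trips both checks at once is a much stronger signal than either alone, since the attack needs the two changes together to work silently.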

    Figure 1. What happens in the 2-factor authentication process when the PC is infected in Operation Emmental

    Now, when users with infected computers try to access the bank’s website, they are instead pointed to a malicious site that looks like that of their bank. So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.

    This malicious Android app is disguised as the bank’s session token generator. In reality, it intercepts SMS messages from the bank and forwards them to a command-and-control (C&C) server or to another mobile phone number. This means that the cybercriminals get not only the victims’ online banking credentials through the phishing website, but also the session tokens needed to bank online. The criminals end up with full control of the victims’ bank accounts.

    How’s that for a big malware operation? Localized spam runs, nonpersistent malware, rogue DNS servers, phishing pages, Android malware, C&C servers, and the real back-end servers. You can’t say these criminals are lazy.

    The criminals behind this particular operation target Internet users in Switzerland, Austria, and Sweden. Just this May, they added Japanese Internet users to their list of potential victims. We were able to trace the operators back to online nicknames: -=FreeMan=- and Northwinds. These actors have been active since 2011. Back then, they spread off-the-shelf malware like SpyEye and Hermes. Looking at the binaries that were recently deployed, we think the actors made use of at least two different crypting services. One of these crypting services is run by an individual from Uzbekistan. We have not been able to identify the other crypting service.

    More information about this attack may be found in our Finding Holes: Operation Emmental white paper, where we discuss this technique in depth. SWITCH.CH, the CERT for Universities in Switzerland, also did research on Emmental and published their findings on their site.

    Posted in Malware, Mobile | Comments Off on Finding Holes in Banking Security: Operation Emmental

    Every now and then, we get questions about password crackers. Usually, these questions are something like: why do you detect these password crackers? They’re not malicious! Well, now is as good a time as any to address the topic.

    Obviously, password-cracking programs are not terribly malicious. Unless they have been trojanized or manipulated somehow, they just… crack passwords. Usually, given a password-protected file, they try different possibilities to recover that pesky password you forgot. I’m the first to admit that even though it might not be the best use of your computing power, it’s not terribly bad either.

    However, there is a catch. Password-crackers and other software made for network administrators are often seen as part of attacks. This applies to other administration tools as well.

    We have seen everything being used as tools in the attacker’s arsenal: from remote session helpers to file server programs and, yes, password crackers. Oftentimes, a trojan will spearhead the attack and, once it’s inside the victim’s network, it will download other tools to help it further its objectives. For instance, if the attacker stumbles upon a password-protected file, he might think that’s precisely where the interesting stuff is, and use… a password cracker.

    This brings me to the second (though admittedly similar) malicious use of admin tools: targeted attacks. These usually allow the attacker to connect remotely to the victim and then move laterally inside the network looking for information to steal. In this mission, the attacker might drop in several reconnaissance and offensive tools. Among these – yes, you guessed it – password crackers.

    A targeted attack is not just about the “tools” used, even if they are legitimate. It is about who is carrying out the attack. Just because a particular tool started out as a legitimate product does not mean it is always used that way.

    Because of how password crackers are abused in the wild, it makes perfect sense for us to detect them and prevent our customers from running them on their machines. At the end of the day, our customers are masters of their own machines – they can always create an exception for a password cracker if they have a legitimate use for it on their networks.

    We don’t think the freedom of letting common hacker’s tools loose in your network is worth the risk they involve. Dynamite has good uses too, but we try not to store it in our homes.


    For users who are not system administrators, the biggest impact of the Heartbleed vulnerability has been all the passwords that they have had to change. This, together with improvements in alternative authentication methods (like the fingerprint scanners now embedded in flagship smartphones), has caused some rather bold statements about passwords to be made.

    Passwords are out of fashion? Obsolete in the short term, I hear some people say? Not so fast! While it’s true that passwords are not the most convenient way of authenticating yourself and they are inherently insecure, we should not be so quick to dismiss them.

    The main advantage of passwords is that everybody can use them straight away. There is no need to tie yourself to a specific authentication token (“I could swear it was in my bag this morning!”), location (“I can’t log in from the hotel, I forgot I enabled that security feature!”), or smartphone (“I let my phone’s battery go dead!”). It might seem odd to some, but forcing users to own a smartphone – or asking a company to provide their employees with one – might be too costly.

    Even if passwords are supplemented by other authentication methods, passwords will still be around as a secondary method. What would happen otherwise when your phone or hardware token gets stolen? We are simply not ready for a world without passwords, much as we’d like to get rid of them.

    If that’s the case, we might as well learn how to use them properly. It’s not that difficult:

    First, use a different password for each online service. If you’re trying to do this manually, it becomes difficult – which is why the best way to do this is to use a password manager. There are multiple options available, many of which are free.

    Secondly, once you are using a password manager, use a long, hard-to-guess master password for it. If it’s anywhere in a dictionary, it’s not a good password. Here’s one way to come up with a secure master password: use the initials of a very long sentence. Imagine there’s no heaven; It’s easy if you try; No hell below us; Above us only sky. Add commas and other punctuation for added difficulty and bonus points: Itnh,ieiyt;nhbu,auos! That’s a better password than what most people use.
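    The initials recipe above, written out as a small generator so the rule is explicit (first letter of every word, lower-cased except the very first, with the chosen punctuation between clauses). This is an added example, not the author’s code; the dictionary list and the 12-character minimum in the sanity check are constructed assumptions, not figures from the post.

```python
import re

# A "word" may carry a straight or curly apostrophe so that "It’s" yields one initial.
WORD_RE = re.compile(r"[A-Za-z][A-Za-z'’]*")


def initials_password(clauses, separators, tail="!"):
    """Build a master password from the initials of each clause.

    clauses:    phrases to abbreviate, e.g. the lines of a song or poem
    separators: punctuation placed between consecutive clauses (one fewer than clauses)
    tail:       character appended at the end
    """
    if len(separators) != len(clauses) - 1:
        raise ValueError("need exactly one separator between each pair of clauses")
    parts = []
    for clause in clauses:
        words = WORD_RE.findall(clause)
        if not words:
            raise ValueError(f"clause has no words: {clause!r}")
        parts.append("".join(w[0] for w in words).lower())
    body = parts[0]
    for sep, part in zip(separators, parts[1:]):
        body += sep + part
    return body[0].upper() + body[1:] + tail


def passes_basic_rules(password, dictionary, min_len=12):
    """The post's test (not a dictionary word) plus an assumed minimum length."""
    return len(password) >= min_len and password.lower().strip("!?.,;:") not in dictionary


# Constructed inputs: the lyric from the post and a tiny stand-in word list.
LYRIC = ["Imagine there’s no heaven", "It’s easy if you try",
         "No hell below us", "Above us only sky"]
TINY_DICTIONARY = {"password", "imagine", "heaven", "sky"}

if __name__ == "__main__":
    pw = initials_password(LYRIC, [",", ";", ","])
    print(pw, passes_basic_rules(pw, TINY_DICTIONARY))
```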

    Thirdly, don’t rely on passwords alone. Yes, we said that passwords won’t be going away soon – but if you can, use what second factor of authentication is available. A smartphone is a good choice, as many services can use one to authenticate – whether it’s via an app or text messages.

    I don’t think passwords are going to fall out of fashion anytime soon, if only for the ease of use. This isn’t to say that they will be the only authentication method used – and they shouldn’t be. Complementing them with more factors (two or three!) is the way to go, in my opinion.

    Posted in Bad Sites | Comments Off on Passwords: Not Going Away Anytime Soon

    Windows end of support this, Windows end of support that… a lot of people in the IT field are writing about how Windows XP will be unsupported tomorrow. Why is this a big deal? Like any other software, operating systems evolve and it takes too much effort for the companies who created them to keep supporting older versions as time goes on.

    All Windows versions eventually become obsolete – try to call Microsoft today about that Windows 95 problem you still have and see what kind of response you’ll get. Windows XP, however, is a completely different case. Usually, when support for a Windows version ends that particular version is no longer used in great numbers.

    That’s not the case here. Depending on which source you use, Windows XP is still in use on at least 18%, and as much as 28%, of all PCs worldwide. Yes, hard as it is to imagine, somewhere around a fifth to a quarter of all PCs use an operating system that was released in 2001.

    When Microsoft leaves these users out in the cold after April 8, any security problem they have in the future will be left unpatched; those millions of PCs will not have any available Microsoft-supplied fixes. Of course, you can still use antivirus software and be protected that way, but newly-discovered security holes in the operating system will not be fixed and therefore will be left wide open for attackers to use.

    Why are so many people still using a 13-year-old operating system, I hear you ask? Many of these users fall into three groups. What do each of these groups need to know now that patches are no longer coming?

    Group 1 – Simple users that consider the OS a mere tool.

    Many of the remaining users of XP have a very practical view of their machines. Their philosophy is, “if I have a screwdriver that works, why bother buying a new one 10 years down the line if the old one still works”. Their XP machine does what they need and they’re happy enough with it.

    The problem with this line of thinking is that modern operating systems do get old with time. The screwdriver analogy is flawed in that a screwdriver is something extremely simple that never needs an upgrade. Try something more complex for an analogy; how about prescription glasses?

    They become obsolete after a while – either when they get out of fashion, or your eyes change (normally for the worse, unfortunately). Imagine you’re left with old prescription glasses that only one optician can change and this optician goes out of business. You’re on your own. Same with Windows XP.

    If you’re in this situation, maybe it’s time to consider a simpler computing device. If all you do on your PC is check your email and go on social media, maybe it’s time to consider using a tablet instead of a PC.

    Group 2 – Users with a genuine need for Windows XP

    The ancient OS has become the only tool that this particular group of people can use. Think ATMs, POS systems, medical devices, certain machines that are not easily upgradable, or whose hardware is too old for a newer operating system.

    In some cases, virtualizing the OS might do the trick. Combined with a product that blocks attacks against the virtualized environment, this setup might be able to keep attacks at bay. Isolating these systems from the Internet is also a possibility, though not always realistic. Users of these systems will need to be especially cautious with everything that goes in and out of these devices, whether online (the Internet) or offline (removable media, etc.).

    Regular, even daily backups can help here. Pray a lot, as in this situation your margin for error is frighteningly small.

    Group 3 – Enterprise users

    The last group of Windows XP users are enterprises that haven’t gotten around to upgrading their large installations of Windows XP.

    We feel your pain. Upgrading hardware is never easy, training the users might take time, budget is tight, those kinds of excuses. Well, just remember this: if you have to recover after a massive attack, excuses won’t mean much. We’ve known for years that Windows XP’s support would be ending now; there’s very little excuse for not being prepared for it.

    You have to think that while you’re using Windows XP out of support, any zero-day attacks (and there is a very good chance there will be some) will not be solvable. Yes, you can temporarily manage the risks, but that’s not a permanent solution. It is like having a big crack in your wall that you can patch over with wallpaper for a while, but nobody will ever be able to repair. Enough said.

    Posted in Exploits, Vulnerabilities | Comments Off on Windows XP Support Ending – Now What?

    Breaches, breaches everywhere. There has to be a reason for it – criminals aren’t just following a trend like a spring shopper buying the latest styles of shoes. If you put yourself in the shoes of a cybercriminal (not the spring shopper’s), you’ll be able to appreciate how breach data equates to money in a number of ways.

    If a hacker manages to steal a long list of a few thousand names with their respective social security numbers, they can get pretty good money for it in the underground black market. The possibilities for such a list are pretty open: imagine how scammers and fraudsters can make use of that information. Now, imagine if the list includes names with their respective emails. Money too, right? Now imagine names, emails and passwords. Better yet, imagine all of them put together. Now imagine the list is for millions of names, instead of thousands. Yes, a gold mine that can even be sold multiple times to different gangs of fraudsters.

    But cybercriminals haven’t just determined now that this is something good and they should grab this data. They’ve been doing this for years. It’s just that their standard way of doing it has changed: a few years ago, they used Trojans to infect their victims and steal their credentials – they still do that, it’s as good a way as any.

    What’s been gradually changing in the cybercriminal landscape recently is that the bad guys have come to the realization that bulk data stealing is more effective when performed at the source. A botmaster can steal email credentials from every one of their bots – normally counting in the thousands – but if they instead hack the email providers, they could potentially get millions of them.

    Enter the second factor to this equation: the difficulty level to hack. I’m guessing that hacking a big email provider or a bank is pretty complicated but how about those high street retailers that handle thousands of transactions a day? Logic states that they should be difficult as well but apparently, not so much. These retailers fall in the sweet spot between the amount of data they hold and their hindered security level due to the sheer complexity of their operations. Oh, my! The criminals are hitting the jackpot so often with them that it would be funny only if it wasn’t our credentials they’re plundering.

    Among those big retailers are also hotels for pretty much the same reasons. I wouldn’t be surprised if next in line are some bookstores, restaurants, coffee stores or *gasp* gas station chains. Retailers need to realize that they are pretty high up on the target list and they need to start securing their networks sooner rather than later. The loss of reputation that any of these breaches entails should be enough incentive to act quickly by securing any and all data they process. No excuses.

    One of our recently released papers, Point of Sale System Breaches – Why The Retail and Hospitality Industries Need Better Security presents more details about this topic, along with information on how such attacks are executed, and the tools used.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    Posted in Targeted Attacks | Comments Off on Hitting the Data Jackpot


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice