TrendLabs Malware Blog - Trend Micro

    Author Archive - Douglas Otis (Senior Threat Researcher)

    Since its introduction in late 2012, Windows 8 has proven to be perhaps the most controversial version of Windows in recent memory. Much of the controversy stems from its user interface, which departs from the traditional desktop that has been in use for many years. That debate has drawn attention away from the other features of Windows 8 and its ARM-based cousin, Windows RT, and those features must be weighed in any decision on whether to migrate.

    From a security perspective, the picture is mixed. Some features, such as improved Unified Extensible Firmware Interface (UEFI) support, enhanced Address Space Layout Randomization (ASLR), picture passwords, and Internet Explorer 10, all help improve the new OS’s security. Windows To Go, a way to carry a fully managed Windows 8 image on a USB device, is meant to improve BYOD support. Not all of these features work as well as one would think, however: the UEFI protection, for example, has already been bypassed by proof-of-concept attacks. In addition, the drastically different UI can make things difficult for users. All of this must be considered by users and organizations deciding whether or not to migrate.

    Our new report, Windows 8 and RT: New Beginnings, goes over the new features in Windows 8, paying particular attention to the new security features. The report gives readers a good grasp of these features and the information needed to decide whether or not to migrate to the new version. The full report is available at the link here.


    Posted in Bad Sites | Comments Off on Windows 8 and Windows RT: An Overview

    Back in October 2010, Apple announced it would drop support for Java. This did not spur Oracle to support this Unix platform directly, as it did for other Unix operating systems, and the resulting delay in Java updates allowed OS X to play a role in click-fraud schemes, among other nefarious activities. Apple finally responded by producing its own updates, culminating in Java 6 update 33. Since then, the one further change to Java 6 has only affected time-zone data in two regions, and it seems unlikely that Apple will ship any more Java 6 updates for OS X.

    On August 14, 2012, Oracle released Java 7 update 6 for OS X Lion and Mountain Lion on Apple’s Mac platform. Oracle’s direct support for OS X brings an end to blaming Apple for slow Java updates; the future of Java on the platform, and its relative security, is now clearly in Oracle’s hands. Within two weeks of that release, an exploit was discovered in the wild against Java on Windows, and because the flaw lies in the Java runtime itself, OS X and Linux share the same vulnerability. It affects browsers that load the Java plug-in, including Firefox, IE 9, and Safari 6. Oracle’s record at delivering timely patches for exploited Java vulnerabilities is not sterling, and the clock is ticking.

    A Java in Mac Background

    Java was invented at Sun in the early 1990s as a programming environment that bridged differences between operating systems, from mainframes to embedded devices. Java was also seen as an alternative to Microsoft’s ActiveX, introduced in 1996 to extend Microsoft’s COM and OLE inter-process communication into the browser. Around 2000, with Internet Explorer 5.5, Microsoft replaced the Netscape plug-in API with ActiveX as the extension API for its browser. (JavaScript, despite the name, is not Java; Netscape saw Java as a client-server platform that amounted to a distributed OS.) Internet Explorer 5.5’s ActiveX exposed OS applications to the network, and Microsoft expected broad adoption of its applications to increase Windows’ influence over the Internet.

    Microsoft’s stated reason for extending its browser with ActiveX was to improve security. This came as Microsoft dropped the Windows Internet Name Service (WINS) in favor of DNS, whose name hierarchy is also what today’s certificate authorities bind certificates to. ActiveX seemingly became the replacement for WINS in Microsoft’s strategy to dominate the Internet. Instead, malefactors used ActiveX over the Internet to control Windows applications. ActiveX neither established Windows as the dominant player on the Internet nor improved security.

    Android adopted Java in 2005 as the language for its application runtime. Sun open-sourced Java under the GPLv2 in November 2006, but the license exception that lets non-GPL applications link to the class library was not extended to the mobile edition. Google therefore developed its own virtual machine, Dalvik, which sidestepped Sun’s interface and licensing constraints and replaced the Java Virtual Machine’s (JVM) stack-based bytecode with a register-based design.

    Sun itself was acquired by Oracle in 2010. Apple has never offered an uninstaller for Java, and programs that use Java may ignore the disable checkboxes in Apple’s Java control panel and attempt to use Java anyway. Many of these same programs also fail to notice Oracle’s control panel for Java 7 update 6, or refuse to accept the location of the Java 7 environment as valid. These issues will take some time to resolve, but Apple has made its intentions clear by no longer installing Java automatically and by not supporting Java 7.

    Apple App Rules

    The Mac App Store Review Guidelines rule number 2.24 states that:

    “Apps that use deprecated or optionally installed technologies (e.g., Java, Rosetta) will be rejected”

    Controlling how applications are updated, restricting what metadata and shortcuts are permitted, prohibiting auto-launching without user consent, and prohibiting the downloading of other applications or modifications all serve the goal of improving security. Enforcing these assurances would be less practical, and more open to abuse by malefactors, if Java were permitted.

    In addition, Apple has a history of shunning cross-platform libraries that pass execution along with data structures over the stack, an approach it considers inherently less optimal. Apple opted instead for Objective-C, which exchanges messages rather than execution. The language was developed in the early 1980s and adopted by NeXT, whose NeXTSTEP workstation became the platform on which the first Web browser was written.

    Will we eventually say goodbye to Java-based apps like Cyberduck and to Java itself on OS X versions that came before Lion?

    What does this mean for OS X users?

    First, back up your system before making any changes to Java. These changes may break non-Apple applications, particularly those that rely on Java to run. OS X itself does not use Java, but be prepared for something to go wrong with one of those applications, or for a new vulnerability to be actively exploited. There is no install/uninstall utility friendly to both Apple’s and Oracle’s environments that can properly install or remove the existing Java runtimes.

    Users may not have installed the Java provided by Apple; in that case OS X prompts the user to install it when an application attempts to use Java. Once Apple’s Java is installed, followed by Oracle’s, clear the Java cache: open System Preferences (normally located on the Dock) and click the Java icon under the Other section.

    This opens the Java Control Panel. Under Temporary Internet Files, click Settings, then click Delete Files in the Temporary Internet Files window. In the Delete Files and Applications window that opens, click OK to confirm.

    You may also find that Chrome, which is a 32-bit browser on OS X, cannot load the 64-bit Java 7 plug-in.

    If you want to remove Java 7, Oracle provides removal instructions on this page. To remove Oracle’s version and restore Apple’s, their instructions have you move /Library/Internet Plug-Ins/JavaAppletPlugin.plugin (Oracle’s plug-in bundle) to the Trash and then recreate the symbolic link of the same name that pointed to Apple’s plug-in, which restores the applet plug-in’s function.

    Uninstalling Apple’s Java 6 without installing Oracle’s Java 7 can be done manually by removing JavaVM.framework from /System/Library/Frameworks/. This also requires removing the links in the following directories that point to runtimes inside the framework:

    • /System/Library/Java/JavaVirtualMachines
    • /Library/Java/JavaVirtualMachines
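    Before moving or deleting any of the paths above, it helps to know which vendor’s Java is actually wired into the browser plug-in and which runtimes are present. The following inventory script is an added example, not Trend Micro’s, Apple’s or Oracle’s code. It uses the paths named in the post and in Oracle’s removal instructions: Apple’s Java 6 leaves /Library/Internet Plug-Ins/JavaAppletPlugin.plugin as a symbolic link into Apple’s Deploy.bundle (the exact target name is an assumption taken from Oracle’s instructions), while Oracle’s Java 7 replaces it with a real bundle directory. The `root` parameter exists only so the checks can be run against a constructed directory tree; the runtime names 1.6.0.jdk and jdk1.7.0_06.jdk in that tree are constructed sample data.

```python
import os
import tempfile

# Locations named in the post and in Oracle's removal instructions.  ROOT is a
# parameter only so the same checks can run against a constructed tree; on a
# real Mac leave it at "/".
APPLE_FRAMEWORK = "System/Library/Frameworks/JavaVM.framework"
JVM_DIRS = (
    "System/Library/Java/JavaVirtualMachines",   # Apple's runtimes
    "Library/Java/JavaVirtualMachines",          # Oracle's runtimes
)
APPLET_PLUGIN = "Library/Internet Plug-Ins/JavaAppletPlugin.plugin"
# Apple's Java 6 makes the plug-in a symbolic link into its own bundle; Oracle's
# Java 7 replaces it with a real directory.  The target below is assumed from
# Oracle's removal instructions.
APPLE_PLUGIN_TARGET = ("System/Library/Java/Support/Deploy.bundle/Contents/"
                       "Resources/JavaPlugin2_NPAPI.plugin")


def applet_plugin_state(root="/"):
    """Report which vendor's Java the browser applet plug-in resolves to."""
    plugin = os.path.join(root, APPLET_PLUGIN)
    if os.path.islink(plugin):
        target = os.readlink(plugin)
        if target.endswith(os.path.basename(APPLE_PLUGIN_TARGET)):
            return "apple-java6-symlink"
        return "symlink:" + target          # something else re-pointed it
    if os.path.isdir(plugin):
        return "oracle-java7-bundle"        # a real bundle, not a link
    return "absent"


def java_inventory(root="/"):
    """Summarise the framework, runtimes and plug-in the post tells you to check."""
    runtimes = []
    for rel in JVM_DIRS:
        d = os.path.join(root, rel)
        if os.path.isdir(d):
            runtimes.extend(rel + "/" + name for name in sorted(os.listdir(d)))
    return {
        "apple_framework": os.path.isdir(os.path.join(root, APPLE_FRAMEWORK)),
        "runtimes": sorted(runtimes),
        "applet_plugin": applet_plugin_state(root),
    }


def make_sample_tree(root, oracle_installed):
    """Constructed OS X layout (directory names only) so this runs offline."""
    for rel in (APPLE_FRAMEWORK, JVM_DIRS[0] + "/1.6.0.jdk", APPLE_PLUGIN_TARGET,
                os.path.dirname(APPLET_PLUGIN)):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    plugin = os.path.join(root, APPLET_PLUGIN)
    if oracle_installed:
        os.makedirs(os.path.join(root, JVM_DIRS[1], "jdk1.7.0_06.jdk"))
        os.makedirs(os.path.join(plugin, "Contents", "Home"))
    else:
        os.symlink(os.path.join(root, APPLE_PLUGIN_TARGET), plugin)


def sample_inventories():
    """Inventory of the constructed tree before and after installing Java 7."""
    results = {}
    for label, oracle in (("apple_only", False), ("with_oracle", True)):
        with tempfile.TemporaryDirectory() as root:
            make_sample_tree(root, oracle)
            results[label] = java_inventory(root)
    return results


if __name__ == "__main__":
    for label, inventory in sample_inventories().items():
        print(label, inventory)
    print("this machine", java_inventory("/"))
```

    Run it before and after following Oracle’s removal steps: the plug-in state should move from oracle-java7-bundle back to apple-java6-symlink, and the Oracle entry should disappear from the runtimes list. If it reports symlink: with an unexpected target, something other than the two vendors’ installers has re-pointed the plug-in and that is worth investigating before trusting the browser’s Java.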

    Apple’s deprecation of Adobe Flash and Java is aimed at ridding OS X and iOS of the problematic technologies that cause the majority of vulnerabilities and problems. A question comes to mind: will HTML5 prove to be safer when everyone still wants to see the dancing fruit?


    Posted in Exploits, Vulnerabilities | Comments Off on Apple: A Thing Unto Itself Sans Java

    In a recently concluded discussion in the DomainKeys Identified Mail (DKIM) Working Group of the Internet Engineering Task Force (IETF), some of those involved decided to disregard the phishing-related threats common in today’s effective social-engineering attacks. Rather than validating DKIM’s input, which would remove the need for any specialized handling of DKIM results downstream, some members deemed it a protocol-layer violation to examine message elements that, when a message is accepted on the basis of its DKIM signature, can make it highly deceptive.

    The details are simple and the original goals were good. DKIM was intended to authenticate a domain’s relationship with an email message by binding a signature to, at a minimum, the From header field. That relationship was to provide a basis for message acceptance, but it fails to offer the intended protection whenever a message containing invalid or fake elements is still considered to carry a valid signature. It would not be a protocol violation to declare that such messages do not have a valid signature, but some think otherwise.

    Here is how DKIM can be exploited:

    1. Obtain a free email account at a provider that DKIM-signs outgoing mail.
    2. Send yourself a message of a sensitive nature, perhaps a job offer from an online social network seeking the eventual recipient’s resume.
    3. Prepend a second, bogus From header field. DKIM verification ignores it, because the verifier only checks the instance the signature covers, yet many mail clients display the first (top-most) From, so recipients are misled about the message’s origin. The message can of course include a Web link offering additional details; that link may attempt a zero-day exploit or request further personal details, such as the recipient’s social-networking page, to escalate the attack.
    4. Because DKIM is insensitive to replay, the malefactor can then resend the message, mailing-list fashion, to the intended victims, where it will carry a valid signature and a From header purporting to be from any email address the malefactor desires.
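    The check the post argues for, as an added example that is not part of the original post or of any DKIM library: count how many times each display-affecting header field occurs in the message and compare that with how many times the signature’s h= tag lists it. A verifier consumes header instances from the bottom up, one per listing in h=, so any surplus sits at the top of the header block, exactly where the prepended From in step 3 lands. This is the header-count side of the mitigation in RFC 6376 section 8.15 (signers "oversigning" fields by listing them once more than they occur), and it runs independently of the cryptographic verification. The sample messages are constructed, and their bh= and b= tag values are placeholders, not real signatures.

```python
import email
import re

# Header fields whose unsigned extra copies change what the recipient sees.
# RFC 6376 section 8.15 recommends that signers "oversign" these, i.e. list
# them in h= once more than they occur, so any later addition breaks the hash.
DISPLAY_FIELDS = ("from", "sender", "reply-to", "to", "subject", "date")


def signed_fields(signature_value):
    """Field names from the h= tag of one DKIM-Signature value, lowercased, in
    order and with repeats kept: the per-name count is what matters."""
    compact = re.sub(r"\s+", "", signature_value)   # tag values may be folded
    for tag in compact.split(";"):
        if tag.startswith("h="):
            return [name.lower() for name in tag[2:].split(":") if name]
    return []


def exposed_fields(raw_message):
    """For the first DKIM-Signature in raw_message, map each display field to
    the number of its instances the signature does not cover.  Returns None
    when the message carries no signature at all."""
    msg = email.message_from_string(raw_message)
    signatures = msg.get_all("DKIM-Signature")
    if not signatures:
        return None
    covered = signed_fields(signatures[0])
    exposed = {}
    for field in DISPLAY_FIELDS:
        present = len(msg.get_all(field) or [])
        surplus = present - covered.count(field)
        if surplus > 0:
            exposed[field] = surplus
    return exposed


def accept_for_display(raw_message):
    """A signature only vouches for what the recipient sees when every display
    field is fully covered; otherwise treat the signature as absent."""
    exposed = exposed_fields(raw_message)
    return exposed is not None and not exposed


# Constructed sample: a properly signed message (placeholder tag values).
SIGNED = "\r\n".join([
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example;",
    "\ts=sel; h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=",
    "From: Alice <alice@mail.example>",
    "To: Bob <bob@example.com>",
    "Subject: Job offer",
    "Date: Mon, 27 Aug 2012 10:00:00 +0000",
    "",
    "Please send your resume via the link below.",
    "",
])
# Step 3 of the post: a second From field prepended above the signed one.
FORGED = "From: HR Department <hr@social-network.example>\r\n" + SIGNED
# Oversigned variant: h= lists From twice although it occurs once.  A prepended
# From then becomes part of the signed input and the cryptographic check fails
# on its own, so this count check has nothing to add for it.
OVERSIGNED = SIGNED.replace("h=from:to:subject:date", "h=from:from:to:subject:date")

if __name__ == "__main__":
    for label, message in (("signed", SIGNED), ("forged", FORGED),
                           ("oversigned", OVERSIGNED)):
        print(label, exposed_fields(message), accept_for_display(message))
```

    The check is deliberately independent of the signature verification: run it on every message that has a DKIM-Signature, and refuse to let a "pass" result influence delivery or display when it reports an exposed From, Sender, Reply-To, To, Subject or Date. For a signer, the OVERSIGNED sample shows the cheap fix on the other side.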

    Read the rest of this entry »


    This report follows up on the results of the sinkholing we conducted on a CARBERP command-and-control (C&C) server. Our findings were initially published in this blog post.

    We contacted the identifiable hosts that may have been affected by the CARBERP infections monitored through this C&C server. Beyond the typical name and account information, and perhaps information related to electronics manufacturers, another goal appears to have been obtaining names associated with social security numbers.

    Apparent Victims Ranked by DNS Query Frequency (victim sector only; victim domains withheld)

    • [U.S.] Government Agency
    • [U.S.] Government Agency
    • [U.S.] Government Agency
    • [U.S.] Investment Firm
    • [U.S.] Pharmaceutical Firm
    • [CA] Life Insurance Firm
    • [U.S.] Electronics Manufacturer
    • [CH] Luxury Item Retailer
    • [G.B.] Law Office
    • [U.S.] Mutual Insurance Firm
    • [U.S.] Credit Card Provider
    • [U.S.] Investment Firm
    • [U.S.] Electronics Manufacturer
    • University in North America
    • University in North America
    • University in EMEA
    • University in EMEA
    • Educational institution in North America
    • Educational institution in EMEA
    • University in North America
    • University in North America
    • Educational institution in North America
    • University in EMEA
    • University in North America
    • University in North America

    Victims of such a crime will find few good remedies. The Social Security Administration will not place alerts on social security numbers reported in a breach or fraudulently used. Victims must detect the fraudulent transactions themselves, report the crime to local law enforcement, and ask a credit reporting agency to place an alert, ironically after having entrusted that agency with their social security number.

    Neither local law enforcement nor the government agencies that assign these numbers offers a strategy for dealing with such a breach. With the possible exception of credit card accounts, it is the individuals, rather than the organizations that permitted the breach, who bear the consequences.

    Read the rest of this entry »

    Posted in Bad Sites | Comments Off on CARBERP Sinkholing Speculations

    We were recently able to sinkhole a CARBERP command-and-control (C&C) server in the same way we sinkholed a ZeuS C&C server in March this year. This post explains our findings from that activity.

    The results led us to conclude that CARBERP proves once more that malware creators are getting better at hiding their creations and establishing covert communications, and that today’s organizations are ill-prepared for situations such as a previously undetected botnet exposing private information.

    This botnet is purported to have been deployed since early 2010 but managed to avoid attention until September last year. Malware Intelligence reported in February 2010 that new .CAB files had been added specifically targeting the theft of certificates, keys, and banking credentials. Trust Defender reported in October last year that CARBERP controlled Internet traffic by hooking the export tables of WININET.dll and USER32.dll, and a report at the beginning of February this year described how uniquely generated RC4 keys encrypt subsequent exchanges and the compromised data.

    Easier to Not Ask for Permission

    The CARBERP C&C server is a repository of plug-ins designed to compromise various applications running on a given version of Windows. After first logging in, a CARBERP bot reports its currently running processes by POSTing to /set/first.html, then requests plug-ins by POSTing to /set/plugs.html, or acquires a task from /set/task.html.

    CARBERP can also operate within user privileges, without making registry or system-file changes, and takes advantage of file-system features to hide its presence. It adds a startup link, as many applications do, and is able to spoof websites, log keystrokes, and establish covert communications using encoded messages. CARBERP may be revealed by processes not associated with a visible file.
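    The check-in sequence above is something a proxy or web-gateway log can expose even when the payloads are RC4-encrypted, since the paths travel in the clear. The following detection is an added example, not Trend Micro’s code or a published signature: it reads a simple, constructed access-log format (timestamp, client, method, URL, status; real proxies use their own layouts and the parser would be adapted), collects every POST to the three check-in paths, and flags a client only when a POST to /set/first.html is followed within a short window by a POST to /set/plugs.html or /set/task.html at the same host, which distinguishes a bot registering from a scanner or a stray hit. The log lines and addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Check-in paths the sinkholed C&C answered, in the order a bot uses them.
CHECKIN_STAGES = {
    "/set/first.html": "first",   # bot reports its running processes
    "/set/plugs.html": "plugs",   # bot requests plug-ins
    "/set/task.html": "task",     # bot acquires a task
}

# Constructed log format: "<ISO8601 UTC> <client> <method> <url> <status>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Split one log line into its fields, or return None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("url"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "client": m.group("client"),
        "method": m.group("method"),
        "host": url.hostname,
        "path": url.path,
        "status": int(m.group("status")),
    }


def checkin_hits(lines):
    """Every POST to a check-in path, grouped by (client, host), in time order.
    Useful on its own for hunting; GETs are ignored because the bot POSTs."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in CHECKIN_STAGES:
            hits[(rec["client"], rec["host"])].append((rec["ts"], CHECKIN_STAGES[rec["path"]]))
    return {key: sorted(events) for key, events in hits.items()}


def infected_clients(lines, window=timedelta(minutes=15)):
    """Clients that completed a registration: /set/first.html followed within
    `window` by /set/plugs.html or /set/task.html at the same host."""
    result = {}
    for (client, host), events in checkin_hits(lines).items():
        firsts = [ts for ts, stage in events if stage == "first"]
        if not firsts:
            continue
        t0 = firsts[0]
        follow = [stage for ts, stage in events
                  if stage != "first" and t0 <= ts <= t0 + window]
        if follow:
            result[client] = {"c2": host, "stages": ["first"] + follow}
    return result


# Constructed sample log (TEST-NET and private addresses, not real hosts).
SAMPLE_LOG = """\
2011-03-10T09:12:01Z 10.0.0.5 POST http://203.0.113.7/set/first.html 200
2011-03-10T09:12:03Z 10.0.0.5 POST http://203.0.113.7/set/plugs.html 200
2011-03-10T09:12:09Z 10.0.0.5 POST http://203.0.113.7/set/task.html 200
2011-03-10T09:13:40Z 10.0.0.9 GET http://203.0.113.7/set/first.html 404
2011-03-10T09:20:15Z 10.0.0.12 POST http://203.0.113.7/set/task.html 200
2011-03-10T09:21:00Z 10.0.0.5 GET http://www.example.com/index.html 200
""".splitlines()

if __name__ == "__main__":
    for key, events in checkin_hits(SAMPLE_LOG).items():
        print("hit", key, [stage for _, stage in events])
    print("infected", infected_clients(SAMPLE_LOG))
```

    In the sample, 10.0.0.5 completes the full first/plugs/task sequence and is reported as infected with its C&C host; 10.0.0.12 only posts to /set/task.html and appears in the raw hits, which is where an analyst would look for a bot whose registration fell outside the retained log window; 10.0.0.9’s GET is a scanner-like probe and is ignored.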

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice