Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Trend Micro




    Before the end of the month, we will release a new paper in our Cybercriminal Underground Economy Series titled Russian Underground Revisited. This is a followup to our earlier paper Russian Underground 101both papers examined the Russian Underground and looked at the goods and services being sold inside these underground communities.

    While the full details will not be published until next week, the overall finding of the report is clear: cybercrime has never been more affordable and accessible, even for lesser-skilled cybercriminals.

    The lower ranks of the underground communities are often derisively referred to as “script kiddies”, but this does not mean that the damage they cause is any less consequential. Technical understanding of security flaws is not a prerequisite to exploiting them at all; they are just like the “users” of any other organization: they just want their code “to work”; the only difference here is that their code is carrying out malicious behavior.

    What does this mean? For starters, it means that the volume of threats will keep on increasing for the foreseeable future. We may also see more variety in threats, if only because the attackers are more numerous than before. (One shouldn’t interpret falling prices as a sign of a failing business.) In addition, the scope and variety of the products for sale are also improving, making the resources available for “script kiddies” more powerful.

    Cybercrime is a business, and the prices we’ve seen validate what we already know: that times are good, victims are plentiful, and the risk is relatively low. This is all in spite of technical solutions that have increased the security of computing devices overall. It highlights the need for cybercrime solutions that focus not just on technical issues, but also economic and legal ones as well.

     
    Posted in Data, Malware |


    Apr17
    4:59 am (UTC-7)   |    by

    500x1500 web

    How the Heartbleed bug works

    In previous blog entries, we’ve discussed various aspects of the Heartbleed vulnerability in OpenSSL. Last Tuesday, our first blog post covered an analysis of the vulnerability itself, as well as some steps that IT administrators of affected systems could do in order to protect themselves. Later entries looked at how popular websites and mobile apps were, in their own ways, vulnerable to the threat.

    To help deal with the Heartbleed vulnerability, we’ve released several tools that can be used to detect possible exposure to the risks:

    We have released into the Google Play app store the Trend Micro Heartbleed Detector. This tool is designed to help users tell if they are vulnerable to any aspect of this threat. In particular, it checks for three things:

    • It checks whether the version of OpenSSL used in the device’s version of Android may be vulnerable.
    • It checks whether any OpenSSL libraries embedded in the user’s installed apps may be vulnerable.
    • It checks whether the user’s installed apps communicate to any unpatched (and therefore, vulnerable) servers.

    Main Page

    Figure 1. Detector application

    If any vulnerable apps are detected, the detector offers to uninstall the app for the user:

    Summary marked

    Figure 2. Vulnerable app detected

    We don’t recommend for users to immediately uninstall all vulnerable apps, but this is something everyone should consider for applications that handle critical information, such as mobile banking applications. In addition, it’s a good idea for users to contact the companies that maintain these vulnerable apps to update their apps or websites as soon as possible.

    For Chrome users, we’ve also released the Trend Micro OpenSSL Heartbleed Scanner app. The scanner allows for users to check if specific sites are vulnerable to Heartbleed. The tool can be downloaded from the Chrome Web Store.

    For other users who want to check if a site is vulnerable or not, you may also do so through our Trend Micro Heartbleed Detector website.

    We will continue to monitor this issue and release more information as needed.  For other posts discussing the Heartbleed bug, check our entries from the past week:

     
    Posted in Bad Sites |



    In late November, Microsoft revealed that a zero-day vulnerability was in use in targeted attacks against Windows XP and Server 2003 systems. From samples of the exploit examined, it has a backdoor payload that possesses sophisticated anti-analysis techniques.

    Further research of this earlier attack – discussed in the blog posts above – has revealed that the exploit was deployed via email to at least 28 embassies in a Middle Eastern capital.  The malicious payload arrived as an attachment to a blank email sent to the target embassies. The subject line of the email and the name of the attachment referred to the ongoing conflict in Syria, to induce its recipients to open the email.

    Apart from the targeting and the anti-analysis techniques, there does not appear to be other particularly unusual or unique behaviors in this attack. The anti-analysis techniques in the backdoor (detected as BKDR_TAVDIG.GUD) were designed to hide from or freeze debuggers, making analysis and attribution more difficult.

    Whoever was responsible for this attack had the means, motivation and opportunity to carry out a targeted attack across multiple targets. This suggests a level of organization and available resources beyond ordinary cybercriminals. Beyond that, we are unable to draw any other conclusions. We do not know if the embassies were indeed affected by the malware mentioned or if there are other sets of targets, only that the samples received strongly suggest that the embassies were the intended recipients.

    As part of our 2014 predictions, we mentioned that obsolescent and unpatched operating systems and applications may cause issues in the coming year. This incident highlights that problem, particularly if used in targeted attacks. Similarly, zero-days are frequently first used in targeted attacks; earlier this year another Internet Explorer zero-day was first used in targeted attacks. Malicious attachments are a favored infection vector for targeted attacks; the same technique was used to target Asia-Pacific governments and G20 meeting attendees earlier this year.

    It is also important to remember that all is not lost when it comes to defending against targeted attacks. In his paper Suggestions to Help Companies with the Fight Against Targeted Attacks, Trend Micro researcher Jim Gogolinski stated that there is much that can be done to defend a company against targeted attacks. Trend Micro also participated in the development of the guide System Design Guide for Thwarting Targeted Email Attacks along with  Japan’s Information Technology Promotion Agency (IPA), which provides in-depth strategy for helping deal with email attacks.

     
    Posted in Targeted Attacks, Vulnerabilities | Comments Off


    Sep2
    10:51 pm (UTC-7)   |    by

    Through investigation and collaboration between our researchers and engineers, we discovered a malicious online banking Trojan campaign targeting users in Japan, with the campaign itself ongoing since early June of this year. We’ve reported about such incidents in the past, including in our Q1 security roundup – and we believe this latest discovery shows that those previous attacks have been expanded and are a part of this particular campaign.

    We discovered the online banking Trojan involved in this campaign to be a variant of the Citadel family. Citadel variants are well-known for stealing the online banking credentials of users, directly leading to theft.

    We’ve identified at least 9 IP addresses serving as its command and control(C&C) servers, most of them detected to be belonging in the US and Europe. Monitoring these servers, we also discovered that 96% of the connections to these servers are coming from Japan – further proof that the most of the banking trojan infections are coming from that one specific country.

    In addition to this, we also managed to find out the following about this campaign:

    • Only financial and banking organizations native to Japan are targeted in this attack
    • Popular webmail services (Gmail, Yahoo! Japan mail, Hotmail) were also targeted

    We are currently enhancing the monitoring of the C&C servers related to this campaign. During a six-day period, we detected no less than 20,000 unique IP addresses connecting to these servers, with only a very minimal decrease from beginning to end. This means that there is still a large number of infected systems still stealing online banking credentials and sending them to the cybercriminals responsible.

    The banks and financial institutions targeted in this campaign have already released warnings and advisories to their customers and loyalists regarding the attack itself. Users are reminded to read these warnings properly before logging into their online banking accounts.

    Trend Micro customers are protected from all related malware and malicious elements in this attack.

     
    Posted in Bad Sites, Malware | Comments Off



    Over the course of the past few weeks, we’ve talked a lot Advanced Persistent Threats (APT), and how such threats require a different class of protection in order to be managed effectively.

    There can be no doubt that APT attacks are a real threat. Such threats are unpredictable in nature, could lead to devastating consequences, and could affect just about any organization. The recent work from ISACA on the 2012 Advanced Persistent Threat (APT) Awareness Study shows 63% of security professionals said they were or could be a target for APT attacks. That alone says that people in the know are taking this threat seriously.

    But that survey also showed that fewer than 10% of those surveyed understood that these threats are significantly different from traditional threats. Awareness of the problem is a good start. But there’s work to be done to increase awareness around solutions.

    As part of our ongoing work to help educate people about threats as well as solutions, we’ve partnered with Forrester Research on a new study: Mitigating Targeted Attacks Requires an Integrated Solution. This study surveyed 350 IT enterprise security decision-makers in the US, UK, France, and Germany, asking them about their technology expectations for targeted threat detection and response. It outlines some of the effective steps organizations are taking to protect themselves from APT attacks. In addition, it also highlights some areas of caution too: most notably that a number of organizations are still focusing resources in the wrong direction to protect against APT attacks.

    Read the rest of this entry »

     
    Posted in Bad Sites, Targeted Attacks | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice