
    Author Archive - Trend Micro

4:59 am (UTC-7)

[Infographic: How the Heartbleed bug works]

In previous blog entries, we’ve discussed various aspects of the Heartbleed vulnerability in OpenSSL. Last Tuesday, our first blog post covered an analysis of the vulnerability itself, as well as some steps that IT administrators of affected systems could take to protect themselves. Later entries looked at how popular websites and mobile apps were, in their own ways, exposed to the threat.

To help deal with the Heartbleed vulnerability, we’ve released several tools that can be used to detect possible exposure to it:

We have released the Trend Micro Heartbleed Detector on the Google Play app store. This tool is designed to help users tell whether they are exposed to any aspect of this threat. In particular, it checks three things:

    • It checks whether the version of OpenSSL used in the device’s version of Android may be vulnerable.
    • It checks whether any OpenSSL libraries embedded in the user’s installed apps may be vulnerable.
    • It checks whether the user’s installed apps communicate to any unpatched (and therefore, vulnerable) servers.
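The first and third of those checks can be reduced to two decisions: is the OpenSSL version string in the affected range, and does a server answer a malformed heartbeat with more data than it was sent. The following is an added example that illustrates both; it is not the code of the Trend Micro detector or of any other Trend Micro tool. It relies on the public facts of the bug (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, fixed in 1.0.1g; the heartbeat record layout is that of RFC 6520, which requires a server to silently discard a heartbeat whose declared length exceeds the record) and runs offline against constructed replies that are labelled as such. The function and constant names are my own, and a real check against a live server would first have to complete a TLS handshake, which this code does not attempt.

```python
"""Two Heartbleed checks (version range, heartbeat probe verdict), offline.

Added example, not Trend Micro's detector. Record layouts follow RFC 6520;
the version range is that of CVE-2014-0160. Sample replies are constructed.
"""
import re
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
TLS_ALERT = 0x15
HB_REQUEST = 0x01      # HeartbeatMessageType values
HB_RESPONSE = 0x02
TLS_1_1 = b"\x03\x02"


def openssl_version_is_vulnerable(version: str) -> bool:
    """True for 1.0.1 .. 1.0.1f and 1.0.2-beta1; 1.0.1g fixed the bug and
    1.0.0 / 0.9.8 never carried the heartbeat extension."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if base == (1, 0, 1):
        return letter <= "f"      # "" (plain 1.0.1) and a..f are vulnerable
    if base == (1, 0, 2):
        return beta == "1"        # only 1.0.2-beta1 shipped the bug
    return False


def build_heartbeat_probe(declared_len: int = 0x4000, payload: bytes = b"A") -> bytes:
    """TLS record carrying a heartbeat request whose declared payload length
    is larger than the payload actually sent. A correct server compares
    declared_len with the record length and drops the record; an unpatched
    one trusts declared_len and copies that many bytes back."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload
    return bytes([TLS_HEARTBEAT]) + TLS_1_1 + struct.pack("!H", len(body)) + body


def parse_tls_record(buf: bytes):
    """First TLS record in buf -> (content_type, body), or None if incomplete."""
    if len(buf) < 5:
        return None
    rlen = struct.unpack("!H", buf[3:5])[0]
    if len(buf) < 5 + rlen:
        return None
    return buf[0], buf[5:5 + rlen]


def classify_heartbeat_reply(sent_payload: bytes, reply: bytes) -> str:
    """Verdict from the server's reply to build_heartbeat_probe().

    'vulnerable'    heartbeat response carrying more payload than we sent
    'patched'       no reply at all (silent drop) or a TLS alert
    'inconclusive'  anything else (handshake not finished, bad framing)
    """
    if not reply:
        return "patched"
    rec = parse_tls_record(reply)
    if rec is None:
        return "inconclusive"
    ctype, body = rec
    if ctype == TLS_ALERT:
        return "patched"
    if ctype == TLS_HEARTBEAT and len(body) >= 3 and body[0] == HB_RESPONSE:
        plen = struct.unpack("!H", body[1:3])[0]
        returned = body[3:3 + plen]
        # An echo of exactly what we sent is correct behaviour; any byte
        # beyond that was read from the server's own memory.
        return "vulnerable" if len(returned) > len(sent_payload) else "patched"
    return "inconclusive"


def constructed_vulnerable_reply(leak: bytes) -> bytes:
    """Constructed reply of an unpatched server (sample data, not a capture):
    HB_RESPONSE, declared length, bytes copied past the real request
    (here `leak`), then the 16 bytes of padding the heartbeat code appends."""
    body = bytes([HB_RESPONSE]) + struct.pack("!H", len(leak)) + leak + b"\x00" * 16
    return bytes([TLS_HEARTBEAT]) + TLS_1_1 + struct.pack("!H", len(body)) + body


def constructed_patched_reply() -> bytes:
    """Constructed fatal alert (unexpected_message) from a server that rejected the probe."""
    return bytes([TLS_ALERT]) + TLS_1_1 + struct.pack("!H", 2) + b"\x02\x0a"


if __name__ == "__main__":
    leak = b"GET /login user=alice&pass=hunter2"   # constructed sample memory
    print(openssl_version_is_vulnerable("1.0.1f"), openssl_version_is_vulnerable("1.0.1g"))
    print(classify_heartbeat_reply(b"A", constructed_vulnerable_reply(leak)))
    print(classify_heartbeat_reply(b"A", constructed_patched_reply()))
    print(classify_heartbeat_reply(b"A", b""))
```

The second check in the detector (OpenSSL libraries embedded in apps) is the version check applied to each bundled library rather than to the platform copy, so it is covered by the same function. Note that a silent drop and a genuine one-byte echo both count as patched here, because that is exactly the behaviour RFC 6520 prescribes; only a reply longer than the probe's real payload is evidence of the bug.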

Figure 1. Detector application

    If any vulnerable apps are detected, the detector offers to uninstall the app for the user:

Figure 2. Vulnerable app detected

We don’t recommend that users immediately uninstall all vulnerable apps, but this is something everyone should consider for applications that handle critical information, such as mobile banking applications. In addition, it’s a good idea for users to contact the companies that maintain these vulnerable apps and ask them to update their apps or websites as soon as possible.

For Chrome users, we’ve also released the Trend Micro OpenSSL Heartbleed Scanner app. The scanner lets users check whether specific sites are vulnerable to Heartbleed. The tool can be downloaded from the Chrome Web Store.

Users who want to check whether a site is vulnerable can also do so through our Trend Micro Heartbleed Detector website.

We will continue to monitor this issue and release more information as needed. For other posts discussing the Heartbleed bug, check our entries from the past week:


In late November, Microsoft revealed that a zero-day vulnerability was in use in targeted attacks against Windows XP and Server 2003 systems. The exploit samples we examined carry a backdoor payload that uses sophisticated anti-analysis techniques.

Further research into this attack, discussed in our earlier blog posts, revealed that the exploit was delivered by email to at least 28 embassies in a Middle Eastern capital. The malicious payload arrived as an attachment to an otherwise blank email sent to the target embassies. The subject line of the email and the name of the attachment referred to the ongoing conflict in Syria, to induce recipients to open the attachment.

Apart from the targeting and the anti-analysis techniques, there do not appear to be any other particularly unusual or unique behaviors in this attack. The anti-analysis techniques in the backdoor (detected as BKDR_TAVDIG.GUD) were designed to hide from or freeze debuggers, making analysis and attribution more difficult.

Whoever was responsible for this attack had the means, motivation and opportunity to carry out a targeted attack across multiple targets. This suggests a level of organization and available resources beyond those of ordinary cybercriminals. Beyond that, we are unable to draw any other conclusions. We do not know whether the embassies were actually infected by the malware, or whether there are other sets of targets; we know only that the samples we received strongly suggest the embassies were the intended recipients.

As part of our 2014 predictions, we mentioned that obsolescent and unpatched operating systems and applications may cause issues in the coming year. This incident highlights that problem, particularly where such systems are the subject of targeted attacks. Similarly, zero-days are frequently used first in targeted attacks; earlier this year another Internet Explorer zero-day was first used in targeted attacks. Malicious attachments are a favored infection vector for targeted attacks; the same technique was used to target Asia-Pacific governments and G20 meeting attendees earlier this year.

It is also important to remember that all is not lost when it comes to defending against targeted attacks. In his paper Suggestions to Help Companies with the Fight Against Targeted Attacks, Trend Micro researcher Jim Gogolinski stated that there is much that can be done to defend a company against targeted attacks. Trend Micro also participated, along with Japan’s Information Technology Promotion Agency (IPA), in the development of the guide System Design Guide for Thwarting Targeted Email Attacks, which provides an in-depth strategy for dealing with email attacks.


10:51 pm (UTC-7)

Through investigation and collaboration between our researchers and engineers, we discovered a malicious online banking Trojan campaign targeting users in Japan, ongoing since early June of this year. We’ve reported on such incidents in the past, including in our Q1 security roundup, and we believe this latest discovery shows that those previous attacks have been expanded and are part of this particular campaign.

We found the online banking Trojan involved in this campaign to be a variant of the Citadel family. Citadel variants are well known for stealing users’ online banking credentials, which leads directly to theft.

We’ve identified at least nine IP addresses serving as its command-and-control (C&C) servers, most of them located in the US and Europe. Monitoring these servers, we found that 96% of the connections to them come from Japan, further evidence that most of the banking Trojan infections are in that one country.

In addition, we also established the following about this campaign:

• Only financial and banking organizations native to Japan are targeted in this attack
• Popular webmail services (Gmail, Yahoo! Japan mail, Hotmail) were also targeted

We are currently enhancing our monitoring of the C&C servers related to this campaign. During a six-day period, we detected no fewer than 20,000 unique IP addresses connecting to these servers, with only a minimal decrease over that period. This means that a large number of infected systems are still stealing online banking credentials and sending them to the cybercriminals responsible.

The banks and financial institutions targeted in this campaign have already released warnings and advisories to their customers regarding the attack. Users are reminded to read these warnings carefully before logging into their online banking accounts.

    Trend Micro customers are protected from all related malware and malicious elements in this attack.


Over the course of the past few weeks, we’ve talked a lot about Advanced Persistent Threats (APTs), and how such threats require a different class of protection in order to be managed effectively.

    There can be no doubt that APT attacks are a real threat. Such threats are unpredictable in nature, could lead to devastating consequences, and could affect just about any organization. The recent work from ISACA on the 2012 Advanced Persistent Threat (APT) Awareness Study shows 63% of security professionals said they were or could be a target for APT attacks. That alone says that people in the know are taking this threat seriously.

    But that survey also showed that fewer than 10% of those surveyed understood that these threats are significantly different from traditional threats. Awareness of the problem is a good start. But there’s work to be done to increase awareness around solutions.

As part of our ongoing work to help educate people about threats as well as solutions, we’ve partnered with Forrester Research on a new study: Mitigating Targeted Attacks Requires an Integrated Solution. This study surveyed 350 enterprise IT security decision-makers in the US, UK, France, and Germany, asking them about their technology expectations for targeted threat detection and response. It outlines some of the effective steps organizations are taking to protect themselves from APT attacks. It also highlights some areas of caution, most notably that a number of organizations are still focusing resources in the wrong direction to protect against APT attacks.


At the upcoming 2013 Consumer Electronics Show (CES), various companies will unveil their latest gadgets and devices, from laptops, tablets, and smartphones to home automation systems and smart TVs. While these Internet-enabled devices offer convenience and accessibility, they can also introduce security risks. We have previously seen reports of unauthorized third-party access to devices such as smart TVs, printers, heart devices, and coffee makers. In our blog entry, New Gadget + the Internet = New Threat, senior threats researcher Ranieri Romera asked how safe it is to connect new, Internet-enabled devices to the Internet. He also looked at how cybercriminals can leverage vulnerabilities in these devices to steal crucial user information, and noted that the lack of security options in such devices makes them vulnerable.

In our infographic, The Automated Home of Tomorrow: How Vulnerable is it to Cybercrime?, we show sample devices and possible security-risk scenarios for each, based on our research. For instance, smart refrigerators that let users buy groceries online can be used by cybercriminals as an avenue to steal login credentials and order unwanted items without the user’s knowledge. When cars and home security systems (CCTV cameras, door locks, etc.) are hacked, users can be put in physical danger: cybercriminals can disrupt car functions, which might lead to accidents, and open homes to intrusion.

Users are strongly advised to ask about the available security options and the device’s features before purchasing any gadget. It is also important for users to be more security-conscious and to familiarize themselves with the risks of connecting devices to the Internet. For tips and best practices, read our e-guide, A Guide to 2013 New Year’s Resolutions.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice