    Author Archive - Jamz Yaneza (Threat Research Manager)

    With its launch of Windows 8, Microsoft promises a rejuvenated OS and brand that translates into an improved user experience. But when it comes to security, did Microsoft take it up a notch?

    Beyond Windows 8’s interface and overall experience, users are also concerned with its resilience against threats. Below are some of my observations on certain security changes that Microsoft implemented in Windows 8.

    Windows Defender. Microsoft returns with its full product (previously known as One Care) pre-installed. Windows 7 came with a spyware-only version of Windows Defender (though users could download Microsoft Security Essentials for free). Now, though, Windows Defender combines both anti-spyware and antivirus capabilities. On retail versions, users have the choice of installing their own security product, preferably from the Microsoft App Store. However, if no security product is installed after two weeks, Windows 8 will activate Windows Defender.

    This is a smart decision by Microsoft, as it sidesteps possible legal issues by giving users an opt-in opportunity. For users who may forget to install their favorite security product, Windows Defender provides a baseline level of security.



    With Apple pushing out both a standalone removal tool for users and a combined Java update/removal tool, it’s safe to say that the current outbreak of Flashback malware is well on its way to being addressed. However, such a widespread incident (affecting at least 1% of all Macs in use today) is likely to have long-term repercussions on the threat landscape for Apple Mac computers.

    Macs: Innocent No More

    Macs have not been as big a target for cybercriminals for one simple reason: they weren’t worth attacking. When Mac OS X was first launched in 2001, the Mac market share was small enough that it wasn’t worth it for cybercriminals to target those systems – not when there were so many low-hanging fruit in the form of Windows systems.

    Now, however, somebody in the cybercriminal underground has proven that Macs are a perfectly viable target for attacks. Half a million users is nothing to sneer at. Where this unknown attacker led, we expect others to follow. Further convoluted attacks targeting Macs are likely to occur soon, now that somebody has proven that it’s possible (and dare we say profitable) to carry these attacks out.

    In fact, this is something that’s already well under way. Before Flashback hit the news, we’d already found targeted attacks that affected Mac users as well. Right after that, we also found a new threat, the SABPAB malware family, that exploits either the same vulnerability as Flashback or other Mac-specific vulnerabilities in Microsoft Office. (We detect these threats as OSX_SABPAB.A, with the malicious Office documents detected as TROJ_MDROP.SBPAB.)

    Mac users will have to learn, the hard way, that no operating system is completely secure. They will have to learn the best practices that Windows users take as “normal” in order to avoid becoming victims of the next big Mac malware event.

    Apple: Room for Improvement

    As Macs become a bigger target, Apple is going to have to accept that reality and figure out how to manage the increased burden. So far, things have not been encouraging.

    The underlying vulnerability that Flashback used was not unknown before Flashback entered center stage in public. In fact, in the Windows version of Java, it had already been fixed and patched as early as February. However, because Apple distributes its own copy of Java, that fix was not made available to Mac users until after Flashback had started spreading through the Mac community.

    As a result of what happened with Flashback, it can be taken for granted that attackers will be waiting for the next Java update (which will arrive in May, since Oracle does quarterly scheduled updates) and seeing which flaws can be exploited on Macs as well. If Apple acts with the same seeming lack of urgency as it did with the previous patch, another Flashback-like malware attack becomes much more likely.

    In addition, Apple could also use this experience to work better with the security industry. Apple’s initial response to Flashback has been criticized by some parties; it’s clear the company does not have the experience that other vendors (like Microsoft) have had in dealing both with security vendors and threat incidents.

    However, don’t get me wrong: let’s not put the whole patching debacle at Apple’s feet. At the end of the day, it is a tough balancing act to integrate several thousand pieces of code while still delivering the form and function that Cupertino has been known for. There is also the matter of other third-party applications and plug-ins, which users have to be mindful of and keep updated on their own, not unlike, as previously mentioned, in the more predominant Microsoft Windows environment.

    Mac malware has arrived, and is here to stay. Both users and Apple will have to adjust to this new reality in order to protect themselves and the entire platform as a whole. The infographic below highlights some of the threats we’ve seen for Macs in recent years:


    We already knew that more and more people are becoming tablet and smartphone owners, but two new surveys that were released just this week reinforced that. A Google/Ipsos poll found that smartphone use was growing in all 5 surveyed countries. In the US, smartphone ownership rose from 31% to 38% of the population by September/October 2011. Over the holiday, a separate Pew poll found that ownership of eBook readers and tablets doubled.

    Increasingly, threats to users are “going mobile” – and quite comfortably it seems. The mobile threat landscape has grown exponentially ever since the first proof-of-concept Palm Trojan was found. Mobile and tablet users are now seeing the same kinds of threats seen in the PC-world. Here are some scenarios that show the increasing similarities:

    1. More than five years ago, a common tactic that cybercriminals used was getting reconfigured modems to call out to premium service and long distance numbers. Today, mobile malware frequently attempts to sign up users to premium services with regular subscription fees. Other times, they will transmit pilfered credentials and data to attackers, not caring about the user’s (limited) data plan, a potentially unsecured WiFi hotspot, or roaming with an expensive data plan.
    2. For twenty-odd years the predominant malware threats were viruses, then it was worms, and today it’s mostly one-time-use Trojan downloaders. All this was just a means to an end: to keep your systems infected and compromised and prolong the threat. On mobile platforms, we already have data-stealing Trojans tucked away in the guise of a useful mobile app which silently record and transmit your data in the background.


    Last week we came across a report about a Plankton variant embedded in various apps emerging in the Android Market. One of the samples we inspected is a puzzle game called Sexy Ladies-2.apk, which is detected as ANDROIDOS_PLANKTON.P along with many other apps related to it.

    Other external reports tell of the millions of app downloads with similar suspect code, which led to coining it as the “largest Android malware outbreak ever”. In that report, the analyzed application is a puzzle game. It starts a service that can create a shortcut, get/set bookmarks, post device information to its server (including IMEI, brand, device, model, operating system, OS version, display metrics, locale), set notifications, and set browser homepage.

    Our findings show that this application can be categorized as adware, since it appears to be used simply for advertisements. A more appropriate term may be “mobile app adware,” with the SDK (software development kit) being used to earn legitimate up-front download revenue so that people can download the apps from various mobile app distribution sites. The app’s basic functionality is as was claimed: install a search shortcut and serve ads through that app. Its behavior does not send any private personal data to an external server. In short, it turns out to be a monetizing ad service so that app developers can make more money from their free apps. This is basic search monetization.

    “Mobile App Adware”

    At this point, this is a perfect example of “mobile app adware.” This is bolstered by the fact that the current business model is an SDK integrated into the app and used for legitimate download affiliate revenue. In today’s content-serving business and marketing model, this makes it practically the same as what is being done on desktop PCs.

    Threat Response Engineer Erika Mendoza adds, “Taking ad networks into consideration, I think it makes more sense now that a lot of applications are bundled with code similar to this. This mobile adware is quite aggressive, but it still depends on the user if they consider this annoying behavior malicious.”

    But researchers at Lookout Mobile Security don’t think that this behavior means it’s a malware attack; rather, it is an “aggressive form of an ad network.” We agree with the claim that it isn’t malware per se; however, the issues here involve how mobile information is gathered and stored. There are also potential privacy issues down the line, whose ramifications users may not understand until much later.



    The recently reported malware attacks against Mac users prompted Apple to release a security update. We did initial analyses of both the FAKEAV for Macs and the latest Apple security update in our previous blog entry. I’ve extracted the version of XProtect.plist (Apple’s pattern file) to dig deeper into what’s inside it. The Property List (.PLIST) file type is an XML file that uses Apple’s plist document type definition (DTD). .PLIST files are a standard part of Apple’s Mac OS X Core Foundation.

    The update notes are stored in the file XProtect.meta.plist.


    XProtect.plist is XML-formatted and is easily read using Mac’s built-in Dashcode tool.
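    Because the pattern file is plain XML in Apple’s plist DTD, it can also be read programmatically instead of through Dashcode. The Python script below is an added example and is not code from the original post or from Apple; it parses a constructed XProtect-style plist and a constructed XProtect.meta.plist with the standard-library plistlib module. The key names (Description, Matches, MatchType, Pattern, LaunchServices, Version, LastModification) are modelled on the layout of the real files but are assumptions here, and the hex patterns and version values are made up for the demo. It then runs the extracted byte patterns over a buffer the way a signature scanner would, so you can see exactly what a given entry would match.

```python
import plistlib

# Constructed sample modelled on the XProtect.plist layout. The key names are
# assumptions about the format; the patterns are made-up demo byte sequences.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>DEMO.FakeAV.A</string>
    <key>LaunchServices</key>
    <dict>
      <key>LSItemContentType</key>
      <string>com.apple.application-bundle</string>
    </dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key>
        <dict>
          <key>NSURLTypeIdentifierKey</key>
          <string>public.unix-executable</string>
        </dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>4D41435F44454D4F5F5041594C4F4144</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key>
    <string>DEMO.Downloader.B</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>DEADBEEF0102</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""

# Constructed sample of the companion metadata file (XProtect.meta.plist).
# Again, key names are assumptions and the values are demo data.
SAMPLE_XPROTECT_META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Version</key>
  <integer>7</integer>
  <key>LastModification</key>
  <string>Tue, 31 May 2011 00:00:00 GMT</string>
</dict>
</plist>
"""


def load_signatures(plist_bytes):
    """Parse an XProtect-style plist into a list of signature records.

    Each record carries the human-readable name, the LaunchServices content
    type the entry is restricted to (None if absent), and the decoded byte
    patterns of every 'Match' rule.
    """
    entries = plistlib.loads(plist_bytes)  # top level is an array of dicts
    signatures = []
    for entry in entries:
        patterns = [
            bytes.fromhex(rule["Pattern"])
            for rule in entry.get("Matches", [])
            if rule.get("MatchType") == "Match"
        ]
        content_type = entry.get("LaunchServices", {}).get("LSItemContentType")
        signatures.append({
            "name": entry["Description"],
            "content_type": content_type,
            "patterns": patterns,
        })
    return signatures


def load_meta(meta_bytes):
    """Return (version, last_modification) from an XProtect.meta.plist-style file."""
    meta = plistlib.loads(meta_bytes)
    return meta["Version"], meta["LastModification"]


def scan_bytes(data, signatures):
    """Return the sorted names of every signature whose pattern occurs in data.

    This is a plain substring search, which is all a 'Match' rule needs; the
    content-type restriction is ignored here because we scan a raw buffer.
    """
    hits = {s["name"] for s in signatures if any(p in data for p in s["patterns"])}
    return sorted(hits)


if __name__ == "__main__":
    sigs = load_signatures(SAMPLE_XPROTECT_PLIST)
    version, modified = load_meta(SAMPLE_XPROTECT_META_PLIST)
    print(f"pattern file version {version}, last modified {modified}")
    for s in sigs:
        print(s["name"], s["content_type"], [p.hex() for p in s["patterns"]])
    print(scan_bytes(b"\x00\x01MAC_DEMO_PAYLOAD\xff", sigs))
```

    The same loader works on a real XProtect.plist read from disk once you confirm the key names match what you see in Dashcode; the point of keeping the patterns as raw bytes is that you can test a suspicious binary against the signature set offline without guessing what Apple’s matcher would do.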





    © Copyright 2013 Trend Micro Inc. All rights reserved.