    TrendLabs Security Intelligence Blog
    Author Archive - Jay Yaneza (Technical Support)




    In the past few months, the Tor anonymity service has been in the news for various reasons. Perhaps most infamously, it was used by the now-shuttered Silk Road underground marketplace. We delved into the topic of the Deep Web in a white paper titled Deepweb and Cybercrime. In our 2014 predictions, we noted that cybercriminals would go deeper underground – and part of that would be using Tor in greater numbers.

    Cybercriminals are clearly not blind to the potential of Tor, and network administrators have to consider that Tor-using malware might show up on their network. How should they react to this development?

    What’s Tor, anyway?

    Tor is designed to solve a fairly specific problem: to stop a man-in-the-middle (such as network administrators, ISPs, or even countries) from determining or blocking the sites that a user visits. How does it do this?

    Previously known as “The Onion Router”, Tor is an implementation of the concept of onion routing, in which a number of nodes located on the Internet serve as relays for Internet traffic. A user who wants to use the Tor network installs a client on their machine.

    This client would contact a Tor directory server, where it gets a list of nodes. The user’s Tor client would select a path for the network traffic via the various Tor nodes to the destination server. This path is meant to be difficult to follow. In addition, all traffic between nodes is encrypted. (More details about Tor may be found at the official website of the Tor project.)

    In effect, this hides your identity (or at least, IP address) from the site you visited, as well as any potential attackers inspecting your network traffic along the way. This is quite useful if you’re a visitor who wants to cover your tracks or if, for some reason, the server that you’re trying to connect to denies connections from your IP address.
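The layered ("onion") encryption described above is what limits what each relay learns: a relay can only strip its own layer, which reveals the next hop and an opaque blob for everyone after it. The following added example (not code from the original post or from the Tor project) models that with a toy cipher. The keystream XOR built from SHA-256 and the relay names and keys are constructed for the example; real Tor negotiates AES keys with each relay over TLS, so only the structure, not the cryptography, should be taken from this.

```python
# Added example: a toy model of onion routing.
# Each relay holds a key; the client wraps the payload once per relay,
# innermost (exit) layer first. A relay that peels its layer learns only
# the next hop and passes the remaining ciphertext along.
# The cipher here is a constructed SHA-256 counter-mode keystream XOR so the
# example runs offline; it is NOT what Tor uses.
import hashlib
from typing import List, Tuple


def keystream(key: bytes, length: int) -> bytes:
    """Constructed keystream: SHA-256 over key || counter, repeated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(path: List[Tuple[str, bytes]], destination: str, payload: bytes) -> bytes:
    """Client side: wrap payload for each relay in path, last relay first.
    Layer format (before encryption): next_hop_name + b"|" + inner_bytes."""
    hops = [name for name, _ in path] + [destination]
    inner = payload
    for i in range(len(path) - 1, -1, -1):
        _, key = path[i]
        next_hop = hops[i + 1]
        inner = xor_crypt(key, next_hop.encode() + b"|" + inner)
    return inner


def peel_layer(key: bytes, onion: bytes) -> Tuple[str, bytes]:
    """Relay side: decrypt one layer, learn the next hop, return the rest.
    Relay names never contain '|', so the first '|' delimits the hop name."""
    plain = xor_crypt(key, onion)
    next_hop, _, rest = plain.partition(b"|")
    return next_hop.decode(), rest


def route(path: List[Tuple[str, bytes]], destination: str, payload: bytes):
    """Simulate the relays in order. Returns what each relay learned
    (its own name and the next hop only) and the payload the last hop emits."""
    observed = []
    onion = build_onion(path, destination, payload)
    for name, key in path:
        next_hop, onion = peel_layer(key, onion)
        observed.append((name, next_hop))
    return observed, onion


# Constructed three-relay circuit, as a Tor client would pick from the directory.
PATH = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]

if __name__ == "__main__":
    seen, final = route(PATH, "example.org", b"GET / HTTP/1.1")
    for relay, nxt in seen:
        print(f"{relay} learned next hop: {nxt}")
    print("exit forwards:", final)
```

Note that the middle relay's view, `("middle", "exit")`, contains neither the client nor the destination; that is the property a network administrator is up against when trying to see where Tor traffic is going.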

    This can be done for both legitimate and illegitimate reasons. Unfortunately, this means that it can and has already been used for malicious purposes.

    How can it be used maliciously?

    Malware can just as easily use Tor as anyone else. In the second half of 2013, we saw more malware making use of it to hide their network traffic. In September, we blogged about the Mevade malware that downloaded a Tor component for backup command and control (C&C) communication. In October 2013, Dutch police arrested four persons behind the TorRAT malware, a malware family which also used Tor for its C&C communication. This malware family targeted the bank accounts of Dutch users, and investigation was difficult because of the use of underground crypting services to evade detection and the use of cryptocurrencies (like Bitcoin).

    In the last weeks of 2013, we saw a ransomware variant that called itself Cryptorbit and explicitly asked the victim to use the Tor Browser (a browser bundle pre-configured for Tor) when paying the ransom. (The name may have been inspired by the notorious CryptoLocker malware, which behaves similarly.)

    Figure 1. Warning from Tor-using ransomware

    Earlier this month, we discussed several ZBOT samples that, in addition to using Tor for their C&C connection, also embed a 64-bit version “inside” the normal, 32-bit version.

    Figure 2. Running 64-bit ZBOT malware

    This particular malware runs perfectly in a 64-bit environment and is injected into the running svchost.exe process, as is typically the case with injected malware.

    This increase in Tor-using malware means that network administrators may want to consider additional steps to be aware of Tor, how to spot its usage, and (if necessary) prevent its use. Illegitimate usage of Tor could result in various problems, ranging from circumvented IT policies to exfiltrated confidential information.

    We will discuss these potential steps in a succeeding blog post.




    Over the past few weeks, we’ve been seeing an increase in the spread of CryptoLocker malware. This new kind of ransomware has been hitting more users over the past few weeks. Compared to the month of September, the number of identified cases in October has almost tripled.

    CryptoLocker infections were found across different regions, including North America, Europe, the Middle East and the Asia Pacific. Almost two-thirds of the affected victims – 64% – were from the US. Other affected countries include the UK and Canada, with 11% and 6% of global victims, respectively.

    Previously, we discussed how these threats were arriving via email. CryptoLocker can be viewed as a refinement of a previously known type of threat called ransomware. Such “improvements” are in line with our 2013 Security Predictions, where we mentioned that the focus of cybercriminals would be the refinement of existing tools, rather than the creation of entirely new threats.

    What can I do?

    There are different ways an individual or an organization can handle the CryptoLocker threat. Since this threat starts as spam carrying TROJ_UPATRE (a downloader), its success depends on the social engineering lures used in the message and how users would respond to it.

    Let us start off first with simple (but frequently ignored) safe computing practices to consider when opening emails and file attachments, in general:

    • Always check who the email sender is. If the email is supposedly coming from a bank, verify with your bank if the received message is legitimate. If from a personal contact, confirm if they sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of spammers as well.
    • Double-check the content of the message. There are obvious factual errors or discrepancies that you can spot: a claim from a bank or a friend that they have received something from you? Try to go to your recently sent items to double-check their claim. Such spammed messages can also use other social engineering lures to persuade users to open the message.
    • Refrain from clicking links in email. In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly. If you have to click on a link in email, make sure your browser uses web reputation to check the link, or use free services such as Trend Micro Site Safety Center.
    • Always ensure your software is up-to-date. Currently there are no known CryptoLocker variants that exploit vulnerabilities to spread, but this can’t be ruled out in the future. Regularly updating installed software provides another layer of security against many attacks, however.
    • Back up important data. Unfortunately, there is no known tool to decrypt the files encrypted by CryptoLocker. One good safe computing practice is to ensure you have accurate back-ups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state, and it is enabled by default. Cloud storage services (such as SafeSync) can be a useful part of your backup strategy.

    For enterprise customers, review your policies regarding email attachments. It is generally considered bad form to send an executable file using email. Most organizations also have strict attachment blocking policies – if you don’t have one right now, it would be a good time to consider creating one.

    Configuring devices for specific purposes is another method to reduce the chances of CryptoLocker infection. For example, if the user is only required to use Microsoft Word, a system and user account with limited privileges would be adequate. Most enterprises may already have this approach, but it can be enhanced with a list of whitelisted software applications, taking advantage of Windows features like AppLocker.

    This can complement an organization’s overall security strategy. Organizations can deploy an antimalware solution that not only prevents users from executing malicious files, but also provides protection before the malware arrives on the system.

    Our email reputation service is able to block these spammed messages with malicious attachments. Specifically, the True File Type Filtering feature can alert users if an email attachment is potentially malicious:


    In addition, our web reputation service can also block access to the related URLs. A combination of antimalware solution plus a solid list of applications allowed to run reduces the surface area of attack on a desktop.

    Conclusion

    While not bringing anything new to the table, CryptoLocker has taken the scare tactics effectively used before by ransomware and fake antivirus attacks to a new level. Most users nowadays rely on good antimalware software, but it is important to note that user education, regular software updates, and a strict computer usage policy are crucial defenses against CryptoLocker and similar threats.

    As malware is being refined by cybercriminals, computer systems must likewise be hardened to resist these attacks. A holistic approach to addressing malware infections aims not only to reduce the rate of infection itself, but also to break the malware infection chain by providing a defense-in-depth strategy that covers multiple facets of an attack.

    Trend Micro customers who use OfficeScan (OSCE) and Worry-Free Business Security/Services (WFBS/WFBS-SVC) can follow these best practices to prevent ransomware infection.




    The notorious info-stealing ZeuS/ZBOT variants are reemerging with a vengeance, with increased activity and a different version of the malware seen this year. In our 2013 Security Predictions, we predicted that cybercrime would be characterized by old threats resurfacing, but with certain refinements and new features in tow. The first quarter of the year proved this thesis, as seen in threats like CARBERP and the Andromeda botnet.

    We can now add the data-stealing malware ZeuS/ZBOT to this roster of old-but-new threats, which we’ve noted to have increased these past months based on Trend Micro Smart Protection Network feedback.


    Figure 1. Smart Protection Network feedback for ZBOT (Jan – May 7 2013)

    As seen in this chart, ZBOT variants surged in the beginning of February and continued to be active up to this month. It even peaked during the middle of May 2013. This malware is designed to steal online credentials from users, which can be banking credentials/information or other personally identifiable information (PII).

    ZBOT Earlier Versions vs. Current Versions

    Earlier generations of ZBOT variants create a folder in the %System% folder where they save the stolen data and configuration file. Users can also find a copy of the malware in the said folder. These ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites. The strings appended to the hosts file can be seen in the downloaded configuration file. Examples of earlier ZBOT versions include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS.

    Current ZBOT variants were observed to create two random-named folders in the %Application Data% folder. One folder contains a copy of ZBOT itself while the other folder contains encrypted data. An example of this is TSPY_ZBOT.BBH, which was found to be the most prevalent variant globally based on Smart Protection Network feedback.

    ZBOT malware of this generation are found to be mostly either Citadel or GameOver variants. Unlike earlier versions, the mutex name is randomly generated.

    Both variants send DNS queries to randomized domain names. The GameOver variant also opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names.
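Randomized domain names of the kind described above tend to stand out from the names a normal workstation resolves, so a simple entropy and letter-composition heuristic over DNS logs can surface candidates for analysts to review. The following added example (not code from the original post or from Trend Micro) scores the second-level label of each queried name; the log format, the sample domains, the 3.5-bit entropy threshold and the vowel-ratio/digit rules are all constructed assumptions, and legitimate CDN or tracking hostnames can trip such a heuristic, so treat hits as leads rather than verdicts.

```python
# Added example: heuristic detection of randomized-looking DNS query names
# in a constructed DNS log. Thresholds are assumptions chosen for illustration.
import math
from collections import Counter
from typing import List, Tuple

VOWELS = set("aeiou")
ENTROPY_THRESHOLD = 3.5   # bits per character; assumption
MIN_LABEL_LENGTH = 10     # short labels are too noisy to score; assumption


def shannon_entropy(s: str) -> float:
    """Shannon entropy (bits/char) of a string; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(fqdn: str) -> str:
    """Label directly under the TLD, e.g. 'example' for 'www.example.com'."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_randomized(fqdn: str) -> bool:
    """True when the second-level label is long, high-entropy and either
    nearly vowel-free or digit-heavy, i.e. unlike a human-chosen name."""
    label = second_level_label(fqdn)
    if len(label) < MIN_LABEL_LENGTH:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    digits = sum(c.isdigit() for c in label)
    return shannon_entropy(label) >= ENTROPY_THRESHOLD and (vowel_ratio < 0.2 or digits >= 3)


def flag_dns_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse 'key=value' fields from each log line and return (client, query)
    pairs whose query name looks randomized."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        query = fields.get("query")
        if query and looks_randomized(query):
            hits.append((fields.get("client", "?"), query))
    return hits


# Constructed sample log: one workstation's resolver activity.
SAMPLE_DNS_LOG = [
    "2013-05-07 10:12:01 client=10.0.0.5 query=www.google.com type=A",
    "2013-05-07 10:12:03 client=10.0.0.5 query=kq7x3vz9pd2mw8r4.com type=A",
    "2013-05-07 10:12:04 client=10.0.0.5 query=login.microsoftonline.com type=A",
    "2013-05-07 10:12:09 client=10.0.0.5 query=xjqwvzkplmnrtbcd.net type=A",
    "2013-05-07 10:12:15 client=10.0.0.7 query=stackoverflow.com type=A",
]

if __name__ == "__main__":
    for client, name in flag_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried randomized-looking name {name}")
```

A single hit means little; the signal is a host that produces many such names in a short window, often with NXDOMAIN answers, which is the pattern to correlate with the callback and registry indicators described later in the post.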

    How does this malware steal your credentials?

    ZBOT malware connects to a remote site to download its encrypted configuration file.


    Figure 2. Screenshot of ZBOT communication to C&C server

    The following information can be seen once the configuration file is decrypted:

    • Site where an updated copy of itself can be downloaded
    • List of websites to be monitored
    • Site where it will send the stolen data

    These configuration files list the banks and other financial institutions that ZBOT monitors in browsers. Since configuration files are downloaded from remote sites, their contents may change at any time: malicious actors can change the list of sites they want to monitor on the affected system.

    Trend Micro Solution for ZBOT variants

    There are several avenues for detecting ZBOT variants, such as:

    1. First, as the malware tries to write to the registry “Userinit” entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
    2. Secondly, when the malware performs its call-back routine to the remote site upon execution to acquire its configuration file.
    3. Finally, when the malware connects to the site where it sends the stolen data, or acquires an updated copy of itself.
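The first of these avenues (the Winlogon “Userinit” value) and the hosts-file tampering noted earlier for older ZBOT versions are both artefacts an administrator can check without vendor tooling. The following added example (not code from the original post or from Trend Micro) applies both checks to text values so it runs anywhere; on a live Windows host the Userinit string would be read from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the hosts file from %SystemRoot%\System32\drivers\etc\hosts. The stock Userinit value, the list of security-related domains, the sample appended path and the sample hosts file are all constructed assumptions.

```python
# Added example: offline checks for two ZBOT host artefacts named in the post:
#   1. extra entries appended to the Winlogon "Userinit" registry value
#   2. hosts-file lines that pin security-related sites to an address
# Inputs are plain strings; reading them from the live system is left to the
# administrator's tooling. The defaults below are assumptions.
from typing import List, Tuple

# Stock value on a default install is "C:\Windows\system32\userinit.exe,"
# (assumption; the drive letter and case vary, so comparison is case-insensitive).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed list of domains a user should be able to reach; hosts entries
# for these are a classic way to block security updates and vendor sites.
SECURITY_DOMAINS = ("trendmicro.com", "windowsupdate.com", "update.microsoft.com")


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return every comma-separated entry in the Userinit value other than the
    default userinit.exe. Malware persists here by appending its own path,
    so a clean system yields an empty list."""
    entries = [e.strip().strip('"').lower() for e in value.split(",")]
    return [e for e in entries if e and e != DEFAULT_USERINIT]


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from a hosts file where the hostname
    is, or is under, one of SECURITY_DOMAINS. Any such pinning, to loopback
    or elsewhere, overrides DNS for that site and deserves a look."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            host = name.lower()
            if any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((address, host))
    return hits


# Constructed sample values resembling an infected XP-era system.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\user\Application Data\Abcd\efgh.exe,"
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       update.microsoft.com
192.168.1.10    intranet.example   # legitimate internal entry
"""

if __name__ == "__main__":
    for entry in unexpected_userinit_entries(SAMPLE_USERINIT):
        print("unexpected Userinit entry:", entry)
    for address, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file pins {host} to {address}")
```

Both functions return findings rather than verdicts: a third-party logon agent can legitimately appear in Userinit, and an organisation may deliberately sinkhole names in the hosts file, so the output is meant to be compared against a known baseline for the environment.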

    The screen capture below shows that the behaviour of writing to the registry “Userinit” entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon was successfully blocked by OfficeScan’s Behavioural Monitoring function, and the malware fails to execute:


    Figure 3. OfficeScan Scanning Screenshot

    The second opportunity to detect ZBOT variants is when the malware downloads its configuration file, an updated copy of itself, or even with the attempt to upload its stolen information. Trend Micro Web Reputation Services can detect this function:


    Figure 4. Trend Micro blocks the related URL associated with ZeuS

    In the screen capture above, the URL was detected as malicious. With further investigation, we determined that this site is associated with ZeuS/ZBOT. The same is observed if using Trend Micro’s Deep Discovery:


    Figure 5. Screenshot of Deep Discovery detection of malicious network activity

    Similarly, an attempt to connect to any URL related to ZBOT/ZeuS while performing its call-back routine can be detected via Deep Discovery Inspector.

    For removing the malware, since it injects itself into certain processes, there are instances where a reboot is required. As ZeuS/ZBOT malware downloads newer versions of itself, a given binary may not be detected but will generally behave the same way. As such, certain parts of the infection can still be blocked or partially mitigated.

    Conclusion

    What we can learn from ZeuS/ZBOT’s spike in recent months is simple: old threats like ZBOT can always make a comeback because cybercriminals profit from these. Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent. Thus, it is important to be careful in opening email messages or clicking links. Bookmark trusted sites and avoid visiting unknown ones. Always keep your system up-to-date with the latest security releases from software vendors and install trusted antimalware protection.

    To know more about how cybercriminals are getting better at stealing information, you can refer to this infographic.

    With additional inputs from Threat researchers Rhena Inocencio and Roddell Santos.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice