TrendLabs Security Intelligence Blog (Trend Micro)

Author Archive - Jhoevine Capicio (Threats Analyst)

    Many devices such as printers, scanners, and VoIP systems now ship with embedded Web servers (EWS) for easy administration. Unfortunately, many of them are left unprotected because of configuration lapses: some can be reached with the default user name and password, and others have no access control at all. Worse, these lapses often leave the embedded Web servers reachable from the public Internet, which can lead to unwanted information disclosure.

    This is essentially what Michael Sutton showed in his "Black Hat USA 2011" briefing. His talk on embedded Web servers and the hidden threats they pose revealed a number of devices with an EWS that are publicly accessible on the Internet.

    For example, HP scanners with the Webscan feature (which allows a document to be scanned remotely) can give access to documents left in the scanner. A remote user can also change settings so that the scanner automatically sends scanned documents to an address of the attacker's choosing, or request a copy of recently scanned documents through the Web interface. Printers were also found to allow FTP access with no password protection, making it very easy for a malicious user to store malware files on the printer. Lastly, Michael found some VoIP systems that were left open and showed how easy it is to obtain a recording of a phone conversation.
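    The configuration lapses described above (an admin page that needs no login, or one still answering to the factory user name and password) are easy to check for in code. What follows is an added example, not code from the original post, from Trend Micro or from the Black Hat talk. It starts a tiny stand-in for a device's embedded Web server on loopback and audits it the way an admin would audit a real device: first anonymously, then with a short list of default credential pairs. The handler, the `/admin` path, the realm and the credential pairs are this example's own assumptions, not any vendor's defaults, and probing devices you are not authorised to test is off limits.

```python
"""Audit a device's embedded Web server admin page for missing or default authentication.

Added example (not Trend Micro's or the original post's code). The stand-in device,
its "/admin" path, realm and the DEFAULT_CREDS list are assumptions made for the demo.
"""
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Illustrative pairs only; a real audit would use the vendor's documented defaults.
DEFAULT_CREDS = [("admin", "admin"), ("admin", ""), ("root", "root")]

# Ignore any http_proxy in the environment: the demo device lives on loopback.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def _basic(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class EmbeddedAdminHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for an embedded Web server. `required` is the (user, password) the
    device expects on /admin, or None for a device whose admin page needs no login."""
    required = ("admin", "admin")

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path != "/admin":
            self.send_response(404)
            self.end_headers()
            return
        if self.required is not None and self.headers.get("Authorization") != _basic(*self.required):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="device"')
            self.end_headers()
            return
        body = b"<html><title>Device Admin</title>Scan-to-email: enabled</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_device(required):
    """Start a stand-in device on 127.0.0.1 with an OS-chosen port; returns the server."""
    handler = type("DeviceHandler", (EmbeddedAdminHandler,), {"required": required})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _status(url: str, auth=None, timeout: float = 3.0) -> int:
    """HTTP status of a GET, with optional Basic credentials (4xx/5xx returned, not raised)."""
    req = urllib.request.Request(url)
    if auth is not None:
        req.add_header("Authorization", _basic(*auth))
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_admin_interface(host: str, port: int, path: str = "/admin", creds=DEFAULT_CREDS) -> dict:
    """Classify the admin page as 'no-auth', 'default-creds' or 'protected'."""
    url = f"http://{host}:{port}{path}"
    if _status(url) == 200:                      # the information-disclosure case
        return {"url": url, "exposure": "no-auth", "credential": None}
    for user, password in creds:
        if _status(url, (user, password)) == 200:
            return {"url": url, "exposure": "default-creds", "credential": (user, password)}
    return {"url": url, "exposure": "protected", "credential": None}


if __name__ == "__main__":
    for label, required in (("open", None), ("factory default", ("admin", "admin")),
                            ("changed", ("operator", "x7!Qp-unique"))):
        dev = start_device(required)
        try:
            print(label, audit_admin_interface("127.0.0.1", dev.server_address[1]))
        finally:
            dev.shutdown()
            dev.server_close()
```

    Run stand-alone, the three stand-in devices are reported as no-auth, default-creds and protected. Against a real fleet you would point audit_admin_interface at each device's management page and fold the results into the asset inventory; a 200 on the first, anonymous request is exactly the exposure the post warns about.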




    C2C anyone? For chatters who frequent Yahoo! Chat rooms, this is a common thing to say. C2C (Cam to Cam) chat has become very popular, from chatters who just want to see their chat mates to webcam shows for far-away loved ones; most of the time a webcam is in use while chatting on Yahoo! Sad to say, Yahoo! Webcam did not escape the reality that almost all software has vulnerabilities. Two vulnerabilities in Yahoo! Messenger have been disclosed to the public, and both have been shown to allow arbitrary code execution, so it may be only a matter of time before malicious users exploit them. The first is caused by a lack of boundary checking in ywcupl.dll (the Yahoo! Webcam Upload ActiveX control): assigning a very long string to the "Server" property and then calling the "Send()" method triggers a stack-based buffer overflow. The second is caused by a lack of boundary checking in ywcvwr.dll (the Yahoo! Webcam Viewer ActiveX control) and works the same way, except that the overflow is triggered by calling the "Receive()" method instead of "Send()". Not to worry, though: Yahoo! has already released an update that fixes both issues. Please visit Yahoo!'s site to learn more about the vulnerabilities and how to update your Yahoo! Messenger.

     



    It seems Italy is fast becoming a hub for malware authors. I still remember the nasty days when the Linkoptim malware, also known as Gromozon, was spreading like wildfire across the net. Now typo-squatters have followed LinkOptim's lead to plague Italian surfers once again. For those unfamiliar with typo-squatting, you can read more about it here. Internet users in Italy are currently under attack by a massive typo-squatting campaign run by malware authors. Some of the URLs used in this attack are listed below.



    • 3bay.it
    • 4repubblica.it
    • aklitalia.it
    • corrieere.it
    • eba6y.it
    • eba7y.it
    • fgazzetta.it
    • fgoogle.it
    • gazzetra.it
    • gazzettaa.it
    • katsaweb.it
    • mnsn.it
    • tyiscali.it
    • tyttogratis.it

    For a full list of URLs used in the attack, download the PDF file here. (Courtesy of Sunbelt-Software.) The page shown below is loaded upon visiting any of these URLs.

    [Screenshot: the page served by the typo-squatted domains]

    Here is a translation of the text on the page (from Babelfish, lightly cleaned up): "The requested page could not be found. To view the requested page, an update of Internet Explorer (direct link to a malware file) is required. Alternatively, find the page you were looking for on Extra Search."

    The page offers the malware download through several routes:

  • 1. Through the Internet Explorer link.
  • 2. Through the search form provided on the page.
  • 3. Through the toolbar link.
  • 4. Through the video.
  • 5. Through the Extraricerca icon.

      All the typo-squatted URLs listed above lead to the same page. A whois lookup also shows the same results for each of them.

      Status: ACTIVE
      Created: 2005-08-24 00:00:00
      Last Update: 2007-05-08 16:43:56
      Expire Date: 2007-08-24

      Registrant
      Name: PROLAT
      ContactID: PROL20-ITNIC
      Address: zip: LV-5400
      DE
      Created: 2007-03-01 10:27:17
      Last Update: 2007-03-01 10:27:17

      Admin Contact
      Name: Bojarovs Aleksejs
      ContactID: BA3396-ITNIC
      Address: street: Grodnas 42/72
      zip: LV-5400
      city: Daugavpils
      DE
      Created: 2005-06-13 00:00:00
      Last Update: 2007-03-01 07:48:12

      Technical Contacts
      Name: Bojarovs Aleksejs
      ContactID: BA3396-ITNIC
      Address: street: Grodnas 42/72
      zip: LV-5400
      city: Daugavpils
      DE
      Created: 2005-06-13 00:00:00
      Last Update: 2007-03-01 07:48:12

      Registrar
      Organization: FROG
      Name: PROLAT-MNT

      Nameservers
      ns1.metallichosting.com
      ns2.metallichosting.com


      It also shows that the domains used in the attack have existed since August 2005.
      Typo-squatting is not new; it has been around for a long time and has been used by other malware in the past. The targets are mostly big companies or sites that most Internet users visit often, such as google.com and microsoft.com. Even Trend Micro has been a target of this in the past; I posted a diary entry about it last year.
      The malware authors ultimately rely on the user's carelessness in order to succeed.


      So to mitigate this, users should be careful how they type. For sites you use frequently, bookmark them so that no typing is necessary. Microsoft has also released a tool called Strider URL Tracer that is designed to combat typo-squatting. And finally, for security admins, especially those in Italy, you can download the full list of URLs used in the recent attack from Sunbelt-Software and block them on your network. This way all users, even the careless ones, are protected from this attack. That is no excuse for carelessness, though: we should always be vigilant and keep security in mind, especially when critical data is being handled.
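      Blocking a published list catches only the domains someone has already reported. A blocklist can be complemented by flagging look-alike domains automatically, which is what the added example below does; it is not code from the original post, from Trend Micro or from Sunbelt. It takes the typo-squatted .it domains listed in the post as constructed input, and measures each one's second-level label against a list of legitimate Italian sites (this example's own assumption about which sites were being imitated) using optimal-string-alignment edit distance, the Damerau-Levenshtein variant that counts an adjacent transposition as one edit. The match threshold scales with label length so that short labels such as "msn" are not matched too loosely.

```python
"""Flag look-alike domains against a list of brands you care about.

Added example, not code from the original post. ATTACK_DOMAINS are the domains
listed in the post (constructed input for the demo); BRANDS is this example's
assumption about the legitimate sites they imitate.
"""

ATTACK_DOMAINS = [
    "3bay.it", "4repubblica.it", "aklitalia.it", "corrieere.it", "eba6y.it",
    "eba7y.it", "fgazzetta.it", "fgoogle.it", "gazzetra.it", "gazzettaa.it",
    "katsaweb.it", "mnsn.it", "tyiscali.it", "tyttogratis.it",
]

# Assumed targets; a real deployment would use the organisation's own protected list.
BRANDS = [
    "ebay.it", "repubblica.it", "alitalia.it", "corriere.it", "gazzetta.it",
    "google.it", "kataweb.it", "msn.it", "tiscali.it", "tuttogratis.it",
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute (or match)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def _label(domain: str) -> str:
    """Second-level label of a simple <name>.<tld> domain (no public-suffix handling here)."""
    return domain.lower().strip(".").split(".")[0]


def _threshold(brand_label: str) -> int:
    """Allow one edit for short labels, two for longer ones."""
    return 1 if len(brand_label) <= 5 else 2


def classify(domain: str, brands=BRANDS) -> dict:
    """Nearest brand by label distance and a verdict: exact, lookalike or unrelated."""
    label = _label(domain)
    brand, dist = min(((b, osa_distance(label, _label(b))) for b in brands), key=lambda t: t[1])
    if dist == 0:
        verdict = "exact"
    elif dist <= _threshold(_label(brand)):
        verdict = "lookalike"
    else:
        verdict, brand = "unrelated", None
    return {"domain": domain, "brand": brand, "distance": dist, "verdict": verdict}


def classify_many(domains, brands=BRANDS) -> list:
    return [classify(d, brands) for d in domains]


if __name__ == "__main__":
    for r in classify_many(ATTACK_DOMAINS):
        print(f"{r['domain']:16} {r['verdict']:10} {r['brand'] or '-':16} d={r['distance']}")
```

      Every domain from the post's list comes out as a lookalike at distance 1 from one of the assumed brands. In practice you would feed newly registered domains (or your proxy's DNS log) through classify_many and review the lookalikes rather than block them blindly, since a legitimate site can sit one edit away from another; a digit-to-letter map (3 for e, 4 for a, 0 for o) before the distance computation is a natural extension for registrations like 3bay.it.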




      May 2, 10:49 am (UTC-7)

      FYI for music lovers: a new zero-day vulnerability in Winamp that can lead to arbitrary code execution has been reported. The vulnerability lies in the way Winamp handles .MP4 files. Would-be attackers can exploit it by creating a specially crafted MP4 file and posting it on websites or sending it through e-mail. The vulnerability has been reported in version 5.34, but other versions may also be affected.




      If you keep up with the news in the security industry, then you know that a lot of vulnerabilities in MS Office applications are being exploited. Because of this, it has become common advice to use safer document formats like RTF. What didn't cross my mind is that RTF files can still carry an embedded object, and if that is possible there is no reason why malware can't be embedded in an RTF file as well. With good social engineering, which in most cases is the downfall of good security, a malware infection can start from an RTF file. That may be the case with this RTF file, detected by Trend Micro as TROJ_DLOADER.MC.
      Upon opening the file, it fools users into thinking that an error has just occurred and that they need to double-click the embedded file to load the original document.

      [Screenshot: RTF file with embedded object]
      Of course, by doing this the user is actually loading the embedded object; in the case of an embedded EXE file, that means executing it. Before MS Word loads the file, though, it shows the user a warning message.

      [Screenshot: the warning message shown before the object is loaded]
      Normally the warning would already put users on alert, but since the user already believes that this action will load the original document, he'd probably just click Yes and be done with it, unknowingly starting a malware infection on his system. The embedded file (also detected as TROJ_DLOADER.MC) in this case downloads another file, which has been given the detection name TSPY_AGENT.PPR. Given all this, I would still recommend the use of RTF files. Why?


      • 1. It is still widely recognized and supported by a lot of word processors.
      • 2. It is still a lot safer than other formats.
      Users will just have to be smart about how they deal with embedded objects so they stay on the safe side. Here are a few tips:

      • Right-click the embedded object and check what it is using Object Packager.

        [Screenshot: inspecting the object with Object Packager]

      • This shows the object embedded inside the RTF file. The .EXE extension should at least raise a red flag here. Again, with good social engineering the malware author named the file MICROS~1.EXE, but please don't be fooled.
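      The Object Packager check above can also be done without opening the document at all, which is how you would triage a mailbox full of RTF attachments. The following is an added example, not code from the original post or from Trend Micro: it locates the RTF's \object groups, decodes the \objdata hex, parses the OLE1 EmbeddedObject header ([MS-OLEDS] section 2.2.5) and, for objects of class "Package", unpacks the Ole10Native record to recover the label, the original file name and the payload bytes, flagging executables by extension or by MZ header. The sample document is constructed inside the script and carries a fake "MICROS~1.EXE" (an MZ stub, not a real program); the Ole10Native field layout follows the one common parsers such as oletools use, and the helper names are this example's own.

```python
"""Inspect OLE objects embedded in an RTF file and flag packaged executables.

Added example, not code from the original post or from Trend Micro. The sample RTF is
constructed below; the fake executable is an MZ stub only.
"""
import binascii
import re
import struct

SUSPICIOUS_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".jar", ".lnk"}


def _lp_ansi(s: str) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length incl. NUL, then the bytes; length 0 = absent."""
    raw = s.encode("ascii") + b"\x00" if s else b""
    return struct.pack("<I", len(raw)) + raw


def build_ole1(class_name: str, native: bytes) -> bytes:
    """OLE1 EmbeddedObject ([MS-OLEDS] 2.2.5): OLEVersion, FormatID=2, class/topic/item names, size, data."""
    return (struct.pack("<II", 0x00000501, 2) + _lp_ansi(class_name) + _lp_ansi("") + _lp_ansi("")
            + struct.pack("<I", len(native)) + native)


def build_package_objdata(label: str, src_path: str, temp_path: str, payload: bytes) -> bytes:
    """Ole10Native record as Object Packager writes it (layout as used by oletools), wrapped in OLE1."""
    native = (struct.pack("<H", 2)                      # flags
              + label.encode("ascii") + b"\x00"         # label shown under the icon
              + src_path.encode("ascii") + b"\x00"      # original path on the author's machine
              + struct.pack("<HH", 0, 3)                # unknown / flags
              + struct.pack("<I", len(temp_path) + 1)   # temp path length incl. NUL
              + temp_path.encode("ascii") + b"\x00"
              + struct.pack("<I", len(payload)) + payload)
    return build_ole1("Package", native)


def wrap_in_rtf(objclass: str, objdata: bytes, lure: bytes = b"") -> bytes:
    """Minimal RTF carrying one \\object group with the objdata as line-wrapped hex."""
    hexdata = binascii.hexlify(objdata)
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0\\pard " + lure + b"\\par\n{\\object\\objemb{\\*\\objclass "
            + objclass.encode("ascii") + b"}{\\*\\objdata\n" + wrapped + b"\n}}}")


def build_sample_rtf() -> bytes:
    """Constructed lure document: an 'error' text plus a packaged fake MICROS~1.EXE."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"constructed stub, not a real program"
    objdata = build_package_objdata("MICROS~1.EXE", r"C:\Docs\MICROS~1.EXE", r"C:\TEMP\MICROS~1.EXE", fake_pe)
    return wrap_in_rtf("Package", objdata, b"An error occurred while loading this document. Double-click the icon to open it.")


def _read_lp_ansi(buf: bytes, off: int):
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1"), off + 4 + n


def _cstr(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole1_object(blob: bytes) -> dict:
    """Parse the OLE1 header; for class 'Package' also unpack the Ole10Native record."""
    _version, fmt = struct.unpack_from("<II", blob, 0)
    class_name, off = _read_lp_ansi(blob, 8)
    _topic, off = _read_lp_ansi(blob, off)
    _item, off = _read_lp_ansi(blob, off)
    (size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + size]
    info = {"class": class_name, "format_id": fmt, "native_size": size}
    if class_name == "Package":
        info["label"], off = _cstr(native, 2)                   # skip the 2-byte flags
        info["src_path"], off = _cstr(native, off)
        (tp_len,) = struct.unpack_from("<I", native, off + 4)   # after 4 unknown/flag bytes
        off += 8
        info["temp_path"] = native[off:off + tp_len].rstrip(b"\x00").decode("latin-1")
        off += tp_len
        (plen,) = struct.unpack_from("<I", native, off)
        info["payload"] = native[off + 4:off + 4 + plen]
    return info


def _group_body(rtf: bytes, start: int) -> bytes:
    """Contents of the brace-balanced RTF group whose '{' is at `start`."""
    depth = 0
    for i in range(start, len(rtf)):
        if rtf[i] == 0x7B:                                  # '{'
            depth += 1
        elif rtf[i] == 0x7D:                                # '}'
            depth -= 1
            if depth == 0:
                return rtf[start + 1:i]
    raise ValueError("unbalanced RTF group")


def extract_objdata(rtf: bytes):
    """Decode every {\\*\\objdata ...} group (hex form only; the \\bin form is not handled)."""
    for m in re.finditer(rb"\{\\\*\\objdata\b", rtf):
        hexpart = _group_body(rtf, m.start())[len(b"\\*\\objdata"):]
        yield binascii.unhexlify(re.sub(rb"[^0-9A-Fa-f]", b"", hexpart))


def scan_rtf(rtf: bytes) -> list:
    """One finding per embedded object; suspicious when a Package carries an executable by name or MZ header."""
    findings = []
    for blob in extract_objdata(rtf):
        info = parse_ole1_object(blob)
        name = info.get("src_path") or info.get("label") or ""
        info["ext"] = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        info["suspicious"] = info["class"] == "Package" and (
            info["ext"] in SUSPICIOUS_EXT or info["payload"].startswith(b"MZ"))
        findings.append(info)
    return findings


if __name__ == "__main__":
    for f in scan_rtf(build_sample_rtf()):
        print(f["class"], f.get("label"), f["ext"], "SUSPICIOUS" if f["suspicious"] else "ok")
```

      The MZ check matters because the label under the icon is whatever the author typed; checking the original path and the payload's own header catches a packaged executable renamed to look like a document. Objects of other classes (an embedded Word document, for instance) are reported but not flagged, and an RTF that stores the object with \bin rather than hex is outside what this script handles.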

       


       

      © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice