    Author Archive - JM Hipolito (Technical Communications)




    In the course of our threat research, we’ve encountered different types of social engineering lures that aim to trigger different emotions such as fear and happiness. These lures are often effective, as we’ve seen happen in several incidents in the past. However, they are also easily recognizable as they often use a common theme, be it a recent event or an ongoing season.

    There are also other techniques that use a different, more sober approach. These techniques do not aim to trigger alarm, but instead try to avoid it. They try to blend into their intended victims’ normal behavior, or use their interests, in order to draw them into schemes. And though these techniques are far less alarming in terms of the message they carry, they are harder to detect and often more sinister.

    An example of this is the watering hole technique, which was used recently in an attack that ended up affecting companies such as Facebook and Apple. Choosing to use a mobile developer forum as the watering hole, the lure was almost passive — it did not need any means to get the victims to visit the site. The site was strategically chosen because visiting it was already known to be a part of the victim’s normal routine.

    Earlier this week, we also saw reports of an attack wherein the name of the report recently released by Mandiant is being used as the lure. The message related to the attack comes as a recommendation from the sender to read the article, along with a PDF file which is supposedly the report itself (of course, in reality the file is malicious — a PDF exploit we detect as TROJ_PIDIEF.EVF). We were also alerted to news regarding another threat using the Mandiant report, which supposedly targeted journalists. Detected as TROJ_PIDIEF.EVE, this malware drops a non-malicious .PDF file, Mandiant_APT2_Report.pdf, and a backdoor detected as BKDR_POISON.EVE.

    Figure 1. Screenshot of the dropped .PDF file

    Figure 2. TROJ_PIDIEF.EVE drops this non-malicious .PDF file




    Late last week, the Council on Foreign Relations website was compromised and modified to host a 0-day exploit affecting Internet Explorer. Analysis revealed that the attack was set to affect a specific set of users, as it was set to work only if the browser language was set to English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.

    Microsoft has since issued a security advisory for the vulnerability and provided some workarounds to serve as protection until a fix is released. Trend Micro users, however, are already protected through Trend Micro Deep Security, specifically through the following rules:

    • 1005297 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792)
    • 1005301 – Identified Suspicious JavaScript Encoded Window Location Object
    • 1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) Obfuscated

    The abovementioned rules are set to detect all known variants of exploits.

    The use-after-free vulnerability in Microsoft Internet Explorer enables remote attackers to execute arbitrary code. As stated in Microsoft’s blog, and as we have also observed, all the targeted attacks reported so far have been triggered through an encoded or obfuscated JavaScript window location object, which is generally used to change the location of the current window. The vulnerability involves a CButton object that has been freed but whose reference is used again during a page reload; the dangling reference points to an invalid memory location, yielding arbitrary code execution in the context of the current user. Microsoft Internet Explorer versions 6, 7, and 8 are affected; newer versions such as IE 9 and IE 10 are not affected by this vulnerability.
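    As an added illustration of the trigger pattern described above (example code written for this post, not Trend Micro's Deep Security rule 1005301 or any code from the attack), here is a small heuristic scanner that flags script blocks which change the window location using encoded or obfuscated JavaScript, and notes whether the same block also checks the visitor's browser language, as the CFR exploit page did. The sample pages are constructed, and the decoder and property names are ordinary JavaScript APIs chosen as indicators, an assumption rather than something taken from the exploit.

```python
import re

# Added heuristic (not Trend Micro's Deep Security rule 1005301): flag <script>
# blocks that change the window location using encoded/obfuscated JavaScript,
# and note whether the same block gates on the visitor's browser language,
# the two traits described for the CFR exploit page. The API names below are
# ordinary browser/JavaScript identifiers chosen as indicators (an assumption).
SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
LOCATION_SINK = re.compile(
    r"\b(?:(?:window|document|top|parent|self)\.)?location(?:\.href)?\s*"
    r"(?:=(?!=)|\.(?:replace|assign)\s*\()", re.I)
DECODER = re.compile(
    r"\b(?:unescape|decodeURI(?:Component)?|atob|eval|String\.fromCharCode)\s*\(", re.I)
ESCAPE_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){4,}", re.I)
LANG_GATE = re.compile(
    r"\bnavigator\.(?:language|userLanguage|systemLanguage|browserLanguage)\b")


def scan_page(page: str) -> list:
    """Return one finding per <script> block that combines a location change
    with encoded JavaScript; each finding records whether the block also
    branches on the browser language."""
    findings = []
    for idx, m in enumerate(SCRIPT.finditer(page)):
        body = m.group(1)
        sink = LOCATION_SINK.search(body) is not None
        encoded = DECODER.search(body) is not None or ESCAPE_RUN.search(body) is not None
        if sink and encoded:
            findings.append({
                "script_index": idx,
                "reason": "location change built from encoded JavaScript",
                "language_gated": LANG_GATE.search(body) is not None,
            })
    return findings


# Constructed sample pages for demonstration (not captured exploit content).
BENIGN_PAGE = '<html><script>window.location = "https://example.test/home";</script></html>'
SUSPICIOUS_PAGE = (
    '<html><script>'
    'var u = unescape("%68%74%74%70%3a%2f%2f%65%78%61%6d%70%6c%65%2e%74%65%73%74");'
    'if (navigator.systemLanguage == "en-us") { window.location = u; }'
    '</script></html>'
)

if __name__ == "__main__":
    print(scan_page(BENIGN_PAGE))      # []
    print(scan_page(SUSPICIOUS_PAGE))  # one finding with language_gated True
```

    A plain redirect is not flagged on its own; only the combination of a location sink and encoded content in one block is reported, which keeps the heuristic quiet on ordinary pages.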




    The quality of the user experience in mobile apps is directly related to the amount of user information entered into them. And now that we are at a time considered the “post-privacy era”, people need to be aware of the pros and cons of entering their information into mobile apps.

    Developers are continuously trying to improve mobile apps, which have started to play a big part in our lives. Apps make things more convenient for us, and at times more fun: from apps that help us organize our tasks, to apps that let us see all the latest news at a glance, to apps that let us have fun by slicing fruits or killing green pigs.

    Trend Micro Researcher Robert McArdle also explained that apps create a better user experience for users. He states, “The other big reason for the popularity of apps is their ease of use. Browsing the internet on your mobile phone is not the same experience as doing it on a laptop. In most cases apps are specially crafted browsers for a particular site.”

    The amount of user information entered into apps is a known privacy issue, one that was heavily discussed because of the recent Carrier IQ issue. As we mentioned before, the biggest issue with Carrier IQ was informed consent — something that is well taken into consideration with apps, since users must knowingly install an app before it gains access to any information. So for apps, the choice of whether or not to volunteer their information in exchange for certain services is really in the users’ hands.

    To help users out in making such a decision, we’ve listed here 3 truths about applications that users can consider before installing an app, and volunteering their personal information:

    Sometimes, apps really do require/need user information to function

    Apps have become customizable, wherein the programs are designed to function based on users’ input. Good examples of these are location-based apps like Shopkick and Foursquare. Such apps were among the top tech trends for 2011, and are expected to grow further in 2012.

    For such apps, it is only logical to require user information upon signing up. But of course, the amount of information required should be limited to what is necessary for the app to function properly. Android built its “permissions” model on this concept, and it is something users should make use of.




    Adobe released an out-of-band security update to address six critical vulnerabilities, all affecting Adobe Flash Player.

    One of the six, a cross-site scripting (XSS) vulnerability identified as CVE-2011-2444, is reportedly being exploited in the wild. The bug is reportedly being used in targeted attacks that involve malicious links sent out to targets via email.

    Adobe attributed the discovery of CVE-2011-2444 to Google, who, in response to finding the vulnerability, issued an update for the Google Chrome browser to prevent attackers from exploiting the security hole.

    Users are strongly advised to apply the patches as soon as possible, especially since exploiting any of the addressed vulnerabilities can lead to either remote code execution or to information disclosure.

    Note that users who utilize multiple browsers may need to separately update their other browsers. Users can visit this page for all of their browsers to check if they have the latest version of Adobe Flash Player installed and this page to update. Here is the list of Adobe Flash Player versions affected by vulnerabilities addressed by this update:

    • Flash Player 10.3.183.7 and earlier
    • Flash Player 10.3.183.7 and earlier for network distribution
    • Flash Player 10.3.186.6 and earlier for Android
    • Flash Player 10.3.183.7 and earlier for Chrome

    We will update this post once we find more information about the exploit.




    We were recently made aware of attacks leveraging the recent data breach that involved Epsilon.

    According to reports, the attack involves a Web page that looks very similar to the press release issued by Epsilon concerning the breach. The page also instructs the recipients to click a link at the bottom of the post in order to download and run a tool that will supposedly help them determine if their personal information was among those disclosed during the attack.

    We were able to analyze the details of the attack and found that the link downloads an .EXE file now detected as TROJ_MSPOSER.ASM. Running TROJ_MSPOSER.ASM displays the following GUI, which seems to suggest that the system is being checked.

    Of course, the graphic is really just there in an attempt to convince the victims that what they downloaded was really a tool that will help them determine if their information is still secure. In the background, however, another malicious file is being installed into the system.


    © Copyright 2013 Trend Micro Inc. All rights reserved.