TrendLabs Security Intelligence Blog

    Author Archive - Jonathan Leopando (Technical Communications)




    A new zero-day vulnerability in certain versions of Internet Explorer has been identified and is being used in targeted attacks. Microsoft has not released an official bulletin acknowledging this vulnerability yet, but has spoken to news sites and confirmed that both Internet Explorer 9 and 10 are affected. The newest version, Internet Explorer 11, does not suffer from this vulnerability.

    If exploited, this vulnerability allows an attacker to target users with a drive-by download, allowing files to be downloaded and run on user systems without any user input beyond visiting a website.

    Two versions of Windows are not affected by this threat: Windows 8.1 (because it includes IE11), and Windows XP (because it only supports up to IE8). All other versions of Windows are at potential risk, depending on the version of Internet Explorer present on the system.

    This attack was initially spotted on the website of a non-profit organization in the United States. The files used in this exploit are detected as HTML_EXPLOIT.PB, HTML_IFRAME.PB, and SWF_EXPLOIT.PB. The backdoor that was planted on affected machines using this zero-day is detected as BKDR_ZXSHELL.V. No formal bulletin or workarounds have been issued by Microsoft; we recommend that users of Windows 7 or 8 consider upgrading to Internet Explorer 11 to avoid this problem.

    We are currently analyzing both the exploit itself and the payloads used in this attack, and will provide further information as appropriate.

    Update as of 5:00 PM PST, February 16, 2014:

    We have released new Deep Security rules that provide protection against this vulnerability, namely:

    • 1005908 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322)
    • 1005909 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322) – 2
    • 1005911 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322) – 3

    Update as of 11:00 PM PST, February 19, 2014:

    Microsoft has released an advisory acknowledging this attack and confirming that it is limited to Internet Explorer 9 and 10. A workaround has also been provided in the form of a Microsoft Fix It solution.

     



    People are seldom an entirely open book. It’s common sense and rational to keep some stuff like financial and medical records away from prying eyes. For others, it can be something trivial and silly (say, an embarrassing taste in music) to the more serious (like a traumatic event in one’s past).

    With so many methods of sharing, keeping things private is becoming increasingly difficult. Websites and services often ask for personal information and track users’ online habits to provide a more “customized” experience. Despite methods of sharing within a select group, sharing online has practically become synonymous with sharing with the public. No matter the privacy level of an account, anything posted online will sooner or later find its way to the public.

    This kind of activity is driving some users to reconsider the amount of information they are willing to share. In 2014, we will see users exert more effort in learning tools that can protect their data and control what they share online. This year will be about making sure that secrets remain secret.

    It’s not just individuals who have secrets to keep. So do businesses. These can range from their future plans and strategies, to their current procedures, to personnel records of their employees and clients. Exposed to the public – and their competitors – these can cost a business millions, and perhaps in an absolute worst case, drive them out of business completely.

    Protecting data should become every organization’s top priority this year, considering that we will see one major data breach incident per month. 2013 was marked by several major data breaches and we will see such incidents continue this year.

    As part of our 2014 predictions, we developed this video, with the help of our CTO Raimund Genes, to talk about what users and organizations can do to protect themselves and keep their secrets secret in today’s digital landscape:

    So what can you do to protect your secrets? Our advice to users will help here: avoid oversharing on social media. Don’t bank or shop online on sites that you don’t trust. Keep track of your data, wherever it is – whether it’s in the cloud, or on one of your devices. In short, being a good citizen of the Internet will help in keeping your secrets away from cybercriminals and other such bad actors found online.

    For more concrete steps that outline what you can do to protect your secrets, you can visit the Secrets website, which is part of our broader 2014 predictions.

     



    2013 was the year that Android malware not just grew, but matured into a full-fledged threat landscape. Not only did the number of threats grow, the sophistication and capabilities associated with these threats grew as well.

    As we noted earlier, the number of mobile malware threats has crossed the one million mark, and as of the end of 2013 stood at almost 1.4 million malicious and high-risk apps. We believe that by the end of 2014, this number will be at over 3 million.

    Figure 1. Volume of malicious and high-risk apps

    Not only are there more threats, the threats are becoming more diverse. No longer are mobile-centric cybercriminals content with just premium service abuse; the proportion of mobile malware with some sort of information-stealing ability grew from 17% at the start of 2013 to almost a quarter by year’s end. Overall, about a fifth of all mobile malware had some sort of information theft capability.

    Figure 2. Mobile malware threat type distribution

    New threats and problems also reared their head in 2013. We saw a tenfold growth of one-click billing fraud apps; these apps attempt to register users for paid services that they would normally not be interested in. In addition, we also saw a serious vulnerability – the “master key” vulnerability – which put almost all Android users at risk of installed apps being modified by attackers to include malicious code. Malicious mobile sites also made an appearance in 2013.

    Looking forward to 2014

    These developments will continue into 2014 and make the mobile threat landscape more closely resemble the PC landscape, which is already well-developed and sophisticated. Mobile threats will continue to grow in number and become, in effect, “mass-produced”. In addition, we expect to see more obfuscated and native code in an attempt to evade detection by anti-malware solutions.

    Our complete look back at the 2013 mobile threat landscape, and our view of what 2014 may turn out to be, can be found in our latest Monthly Mobile Report, titled Beyond Apps.

     



    Over the holidays, it was reported that malicious ads had appeared on various Yahoo sites and affected users in Europe. Two claims about this attack have been made: first, that it affected “millions” of users, and secondly, that it was used to plant Bitcoin miners on affected computers. Some of these claims may be a bit overstated, and the coverage may not have been able to give a more complete picture of the threat.

    We can’t say for certain just how many users were exposed to this attack. However, it’s worth noting that users with up-to-date versions of Java would have been protected. We identified two Java vulnerabilities – CVE-2012-0507 and CVE-2012-4681 - that were used in this attack to plant various malicious payloads on user systems. (It is believed that these vulnerabilities were delivered by the Magnitude Exploit Kit, one of the successors to the infamous Blackhole Exploit Kit.) However, both of these vulnerabilities have been patched for a fairly long time: the first vulnerability was patched in February 2012; the other was patched in August 2012.

    Similarly, while Bitcoin miners may have been part of the potential payloads, it was far from the only one. We identified multiple malware threats as payloads. These included DORKBOT and GAMARUE variants, as well as TROJ_OBVOD.AY, which is used in click fraud schemes. The payloads that were delivered to users were quite diverse.

    Aside from keeping their software patched, well-designed security products can help keep users safe. For example, the browser exploit technology that is part of our existing products is able to protect users against this particular attack. This technology analyzes scripts and other web objects that run in the browser and uses heuristic analysis to determine if these are malicious. This protects users even if the updated software is not present on a user’s system. It is not a replacement for keeping software up to date, but well-thought-out endpoint security is very useful in increasing the available “defense in depth” for users.

    While the infection vector may have been out of the ordinary, the attack itself was not. Basic good computing practices – such as keeping software updated and using a well-built security product – would have helped reduce the risk for end users tremendously. It’s an excellent reminder for users to follow safe computing practices.

    With additional analysis from Kai Yu.
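    The post describes heuristic analysis of scripts and other web objects loaded in the browser, and the detection names it lists (HTML_IFRAME.PB and the like) point at the kind of injected content involved. The following is an added example, not Trend Micro's code or its actual detection logic: a small scanner that applies two such heuristics to page content, flagging hidden or 1x1 iframes that pull in off-site content and script blocks that combine an eval/unescape call with a long run of escaped bytes. The sample page, the hostnames in it (all under the reserved .invalid domain) and the thresholds are constructed for the example.

```python
"""Added example (not Trend Micro's code): heuristic scan of page content for
hidden off-site iframes and obfuscated scripts. Sample input and thresholds
are constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Heuristic patterns; the threshold of 8 escaped bytes below is an assumption.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
UNESCAPE_CHAIN = re.compile(r"(unescape|fromCharCode|eval)\s*\(", re.I)
ESCAPED_BYTE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}")
MIN_ESCAPED_BYTES = 8


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel."""
    try:
        return value is not None and int(value) <= 1
    except ValueError:
        return False


class SuspiciousObjectScanner(HTMLParser):
    """Collects (finding_kind, detail) tuples while parsing one page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script_buf))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def _check_iframe(self, a):
        # An iframe that is both invisible and pointed at another host is the
        # classic shape of an injected exploit-kit landing page reference.
        src = a.get("src") or ""
        host = urlparse(src).hostname or self.page_host
        tiny = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if host != self.page_host and (tiny or hidden):
            self.findings.append(("hidden_offsite_iframe", src))

    def _check_script(self, body):
        # Obfuscation heuristic: an eval/unescape chain fed by escaped bytes.
        if UNESCAPE_CHAIN.search(body) and len(ESCAPED_BYTE.findall(body)) >= MIN_ESCAPED_BYTES:
            self.findings.append(("obfuscated_script", body[:40]))


def scan_html(html, page_host):
    """Return the list of findings for one page served from page_host."""
    parser = SuspiciousObjectScanner(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a normal ad slot, an injected hidden frame, and an
# obfuscated script. Hostnames are placeholders, not real indicators.
SAMPLE_PAGE = """
<html><body>
<div class="ad"><iframe src="http://ads.example.invalid/slot" width="300" height="250"></iframe></div>
<iframe src="http://landing.example.invalid/gate.php" width="1" height="1" style="display:none"></iframe>
<script>var p="%68%65%6c%6c%6f%77%6f%72%6c%64"; eval(unescape(p));</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "news.example.invalid"):
        print(kind, detail)
```

The ordinary 300x250 ad frame is not flagged even though it is served from another host; only the combination of invisibility and an off-site source triggers the iframe rule, which keeps the false-positive rate tolerable on real ad-heavy pages. Heuristics like these are a layer, not a substitute for patching, exactly as the post says.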

     



    The past few weeks have been rather exciting for Bitcoin owners and speculators, with prices peaking at over $1200 per BTC. Some commentators – including former Fed Chairman Alan Greenspan – have called Bitcoin prices a “bubble”, with a former Dutch central banker comparing it to the tulip mania of the 17th century. Other cryptocurrencies, like Litecoin, have seen similar gains as well.

    We’ve covered Bitcoin extensively in the blog in the past, including earlier this year when the total value of all Bitcoins was approximately $1 billion. It now stands at more than twelve times that value. Basic information about Bitcoin-related malware may be found in the Threat Encyclopedia entry discussing Bitcoin.

    How much Bitcoin mining malware is there?

    Bubble or not, there is plenty of value in Bitcoin. This is giving rise to more Bitcoin-related threats. Victims are now being used to “mine” Bitcoins; in addition, the Bitcoin wallets of existing users are now tempting targets for theft as well.

    From September to November, feedback from the Smart Protection Network indicated that more than 12,000 PCs globally had been affected by Bitcoin-mining malware. More than half of all infections came from one of three countries: Japan, the United States, and Australia.

    Bitcoin mining – the process by which new Bitcoins are created – is computationally intensive. The recent boom in Bitcoin prices may have made using malware viable again for cybercriminals. Both CPU and even GPU-based miners have been eclipsed in recent months by application-specific integrated circuit (ASIC)-based dedicated miners, which boast of hash rates that are orders of magnitude faster than what can be achieved using even high-end PC hardware.

    However, because any mined bitcoin nowadays has such high value, even “slow” miners are now worth it for cybercriminals. For users, the problem is that Bitcoin mining is always resource-intensive and can slow down the system due to the increased CPU load. We detect a variety of Bitcoin malware as BKDR_BTMINE, TROJ_COINMINE and HKTL_BITCOINMINE.
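    The sustained CPU load the post describes is also the simplest host-side signal for spotting an unwanted miner. The following is an added example, not Trend Micro's code or the logic behind the detections named above: it walks a series of per-process CPU samples and flags any process that stays above a threshold for a run of consecutive samples, so a brief spike from a browser is ignored while a process pegged for the whole window is reported. The sample readings, process names and thresholds are constructed for the example.

```python
"""Added example (not Trend Micro's code): flag processes with sustained
high CPU usage across consecutive samples, the symptom the post attributes to
Bitcoin-mining malware. Sample data and thresholds are constructed."""
from collections import defaultdict

CPU_THRESHOLD = 85.0   # percent of one core; assumption for the example
MIN_CONSECUTIVE = 4    # samples in a row above threshold; assumption

# Constructed samples as (timestamp, pid, process name, cpu_percent), e.g.
# what a periodic process-list snapshot would yield. One process is pegged
# for the whole window, one spikes briefly, one is idle.
SAMPLES = []
for t in range(6):
    SAMPLES.append((t, 2044, "svchost.exe", 96.0 + t * 0.5))                 # pegged throughout
    SAMPLES.append((t, 3100, "chrome.exe", 95.0 if t in (2, 3) else 30.0))   # two-sample spike
    SAMPLES.append((t, 1001, "updater.exe", 12.0))                           # idle


def sustained_cpu_processes(samples, threshold=CPU_THRESHOLD, min_run=MIN_CONSECUTIVE):
    """Return {(pid, name): longest_run} for every process whose CPU usage was
    at or above `threshold` for at least `min_run` consecutive samples."""
    by_proc = defaultdict(list)
    for ts, pid, name, cpu in sorted(samples):     # sort by time so runs are contiguous
        by_proc[(pid, name)].append(cpu)

    flagged = {}
    for key, series in by_proc.items():
        best = run = 0
        for cpu in series:
            run = run + 1 if cpu >= threshold else 0   # reset on any dip below threshold
            best = max(best, run)
        if best >= min_run:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (pid, name), run in sorted(sustained_cpu_processes(SAMPLES).items()):
        print(f"pid {pid} {name}: {run} consecutive samples above {CPU_THRESHOLD}%")
```

A run-length test is deliberately used instead of an average, because averaging lets a miner that throttles itself to pass under a mean threshold while still dominating the CPU most of the time; a name such as svchost.exe is of course no reassurance on its own, which is why the output is meant as an investigation lead rather than a verdict.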

    Is Your Money At Risk?

    This “bubble” has also made stealing Bitcoins much more lucrative. For example, the Deep Web site Sheep Marketplace shut down earlier this month – with users losing as much as $100 million in Bitcoins to thieves. So what can users do?

    There’s not much that users can do about corrupt sites and exchanges except not do business with them. What users can take care of is their own personal Bitcoin wallets.

    It’s important to recognize that there are two factors that make defending against Bitcoin theft particularly important. First of all, all Bitcoin transactions are permanent. There is no “undo” button here. If a thief is able to take control of your Bitcoin wallet and transfer all your funds, you have no technical recourse.

    That brings us to the second factor: there is no regulator or other authority that one can appeal to in the Bitcoin world. If you’re the victim of credit card fraud, you can appeal to your bank to reverse the charges – and in many cases, they will. That option is not available in the world of Bitcoin; if your wallet is compromised by an attacker you have no recourse. Any Bitcoin wallet on a system is exceptionally vulnerable to being affected by malware on that same system.

    Protecting Bitcoin

    Aside from avoiding being infected by malware in the first place, what can users do to prevent any damage from Bitcoin thieves? Consider the real-world wallet. If one had millions or billions in real-world money, you wouldn’t carry all of it with you all the time. Some would be with you, but most would be securely stored somewhere.

    That would work with Bitcoin as well. Keeping everything in just one wallet is very dangerous. Divide your funds into at least one “spending” wallet (which you use for sending money via Bitcoin) and one or more “receiving” wallets. (It would even be a good idea to keep these wallets offline to more thoroughly protect them as well.)

    One more thing to note. Bitcoin is promoted as being “anonymous”, but in a way nothing could be further from the truth. Because all Bitcoin transactions are public, it is possible to see all the transactions a user has made. Therefore, given enough circumstantial evidence, it may be possible to get the identity of a user. This is something that users should keep in mind before adopting Bitcoin as a currency.

    Simply put, while Bitcoin may be a product of the 21st century, at the same time it is something that has been around for centuries – cash. The same caution and prudence that applies to handling cash should be applied here as well.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice