    TrendLabs Security Intelligence Blog

    Author Archive - Jonathan Leopando (Technical Communications)

    Home Depot has confirmed via their corporate website that their payment systems were breached. This followed reports last week, which suggested that Russian and Ukrainian cybercriminals had successfully breached the Atlanta-based retailer’s PoS terminals.

    The statement offered full details, but suggested the breach affected users who shopped at their US and Canadian branches from April onwards. Home Depot’s investigation began on September 2, which indicates a worst-case scenario of a breach lasting four to five months. It has been claimed that the information of up to 60 million cards may have been stolen.

    Speculation suggests that the Home Depot attack was carried out using BlackPOS malware; a BlackPOS variant discussed by Trend Micro researchers in late August may have been part of this attack, as the behavior we found with this variant and those ascribed to the Home Depot attack are very similar.

    This particular BlackPOS variant differs in several ways from more common variants, suggesting that the code has been changed significantly since the BlackPOS source code was leaked in 2012. A different API call is used to list the processes that can be targeted for information theft, and custom search routines for credit card track data have been introduced. This variant is detected as TSPY_MEMLOG.A.
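    The track-data search the post refers to is the same pattern a defender scans for when checking PoS logs or memory dumps for cardholder data at rest. The following is an added example written for this page, not code from Trend Micro or from the malware: a track-2 pattern match with a Luhn filter, run over constructed log lines, reporting only masked PANs.

```python
import re

# Track-2 layout on a magnetic stripe: ';' PAN '=' YYMM expiry, 3-digit service code,
# discretionary data, '?' end sentinel. The regex plus Luhn filter below are the usual
# building blocks of a cardholder-data (PCI DSS) scan over logs or dumps.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample: one Luhn-valid track-2 record and one random digit run of the same shape.
SAMPLE = (
    "2014-09-08 12:00:01 pos01 debug ;4111111111111111=25121010000000000? txn ok\n"
    "2014-09-08 12:00:02 pos01 debug ;1234567890123456=2512101000? txn ok\n"
)

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; weeds out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(blob: str) -> list:
    """Return one finding per Luhn-valid track-2 record; never emit the full PAN."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan, expiry, service_code, _discretionary = m.groups()
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": expiry,
            "service_code": service_code,
        })
    return hits

if __name__ == "__main__":
    for hit in find_track2(SAMPLE):
        print(hit)
```

A hit in a log file means cardholder data is being written where it should never persist; that is a finding to fix regardless of whether any malware is present.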

    These increasingly sophisticated threats make it clear that PoS malware is becoming a bigger and bigger threat. Continued attacks against PoS systems will not only cause financial losses, but also reduce the confidence of consumers in existing commerce systems.

    Migrating to more modern “chip-and-personal identification number (PIN)” cards and terminals may help reduce the risk down the road. Also, it is good for users to regularly check their bank statements for any anomalous transaction. Going over the recent transactions on a regular basis should allow users to spot and dispute fraudulent transactions made on their cards.

    Later this week, we will publish a paper outlining existing threats to PoS systems. System administrators of organizations that are at potential risk can use the information in these papers to detect, mitigate, and address these attacks. Our earlier paper titled Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries provided examples of potential PoS threats to retailers and companies in the hospitality sector.

    For more information, you may check out the Data Breaches page in the Threat Encyclopedia.

    Update as of 2:42 PM, September 11, 2014

    Even though BlackPOS ver2 has entirely different code compared to the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call it BlackPOS ver2.

    It is also being reported in the press that some security vendors call this malware (TSPY_MEMLOG.A) “FrameworkPOS.” This is a play on the service name <AV_Company> Framework Management Instrumentation under which the malware installs itself.

    Posted in Malware, Targeted Attacks

    Our friends at the ShadowServer Foundation are now scanning for the Netcore/Netis router backdoor which we found in August. Their findings are in line with what we published then: the vast majority of affected devices are in China, with more than a million scanned IP addresses currently affected by this threat.

    The devices at these IP addresses are vulnerable to being taken over by attackers due to an open port on the external side of the router; accessing this port and entering a fixed password (which is hard-coded in the firmware) allows an attacker to gain access and completely compromise the user’s network.

    On a positive note, the number of affected devices (around 1.35 million) is down significantly from the number we found initially (more than 2 million). The biggest fall was from August 31 to September 1, with more than 430,000 IP addresses no longer responding to ShadowServer’s probes.

    We wish to reiterate that in the absence of firmware updates, there is no effective way of mitigating this vulnerability for most users. While the number of vulnerable devices has gone down significantly, 1.35 million devices is still a large number of devices and users at risk. Netcore/Netis has not yet gotten back to us, and we are unaware of any patched firmware versions that have been released.

    We would like to thank ShadowServer for providing this service to the Internet at large and helping protect individual users. This kind of cooperation between researchers is invaluable in dealing with emerging threats, as different parties can each bring something valuable and work together towards common goals.


    The topic of open Wi-Fi and public hotspots has been in the news again, for several reasons. Last month, the Electronic Frontier Foundation launched a project to create router firmware that would provide open wireless access to anyone in range of the user’s router.

    Notionally, in addition to providing Internet access to everyone who needs it, it would make everyone’s Internet more private by removing the connection between one’s identity and IP address, since anyone could be using the open Wi-Fi to gain access. This would make surveillance and tracking based on the IP address unreliable.

    Well-intentioned as this may be, actually running this is not a good idea. Let’s assume that it can be done in such a way that your private network traffic is segregated from the open Wi-Fi traffic. Your own network traffic would not be at risk of exposure, but that’s not the only risk.

    What goes out over your Internet connection is your responsibility. You’re likely to end up in legal hot water if illegal behavior is carried out via your IP address. The potential for abuse is extremely high. High bandwidth usage by “guests” can also eat up your data cap, resulting in either a throttled connection or a large bandwidth bill at the end of the month.

    Similar initiatives have been tried in other countries by projects like RedLibre and Guifi (both in Spain). However, the adoption of these has been rather limited. The implementation of these projects may have differed, but ultimately the risks are enough to deter users from participating in them, no matter how well-intentioned.

    The other story that’s put public Wi-Fi in the news was Comcast Internet turning the modems of 50,000 subscribers into residential Wi-Fi hotspots. This hotspot would be separate from any Wi-Fi network the user established, and would be for the use of all Comcast subscribers. Before someone could log into this public hotspot, they would have to enter their Comcast username and password.

    Other ISPs are bound to come up with similar public Wi-Fi hotspots. Two questions come to mind here. If I am a subscriber, should I opt out my network of this? Is it safe to log onto these public hotspots? Let’s deal with the first one.

    In theory, the risks to users are far less in this scenario than with a purely open Wi-Fi scenario. Any data consumed by this access point does not count against the user’s data cap. Abuse of the hotspot is something that would be the responsibility of the ISP, not you. So, there’s no risk, right?

    Not exactly. From a technical perspective, the biggest problem would be the separation of the hotspot’s traffic from your own. Unfortunately, wireless routers don’t have a good track record when it comes to software vulnerabilities. The existence of a vulnerability that exposes your network can’t be ruled out.

    The real risk is for people who want to use these hotspots. The above risk of vulnerable firmware applies to would-be users, too: it’s entirely possible that the network traffic of guests could be exposed to an attacker running a malicious version of the router firmware. It’s an inherent risk of connecting to a network that you may not completely trust.

    Another risk is that it enables other attacks that put your ISP credentials at risk. As some tech sites have noted, it is very easy to set up a fake hotspot with the same Service Set Identifier (SSID) as the public hotspots offered by ISPs. Since these public hotspots use a captive portal to ask for your ISP credentials (to validate that you are a customer), an attacker can create a fake version of that portal to steal the ISP login credentials.

    Until a better technical situation for open Wi-Fi becomes available, users will have to be careful in dealing with situations like this. An earlier blog post of ours also discussed using open Wi-Fi safely, with the use of virtual private networks (VPNs) being the most important tip there. Meanwhile, running one of these open wireless networks, given all the possible risks, is not a very good idea.

    Posted in Mobile

    In its recent report, Japan’s National Police Agency mentioned that the current estimated total cost of unauthorized transactions suffered by Japanese users reached 1.417 billion yen during the period of January-May 2014. In comparison, the estimated total damage cost from these kinds of threats was 1.406 billion yen for the whole of 2013.

    Data released by the Japanese Bankers Association gives similarly alarming statistics: 21 cases of online banking theft occurred in Q1 2014, compared to 14 cases for the whole of 2013. The damage cost in Q1 2014 for these cases is already three times the entire damage cost in 2013. Similarly, our Trend Micro Security Roundup for Q1 2014 shows Japan placing second among the countries most affected by online banking malware, following the United States.


    Figure 1. Countries Most Affected by Online Banking Malware, January–March 2014

    We have seen ZBOT variants like Citadel and Gameover targeting Japanese users in the past, but the significant increase in online banking Trojans we are seeing now is almost single-handedly due to a single malware family – the VAWTRAK family of online banking malware.

    VAWTRAK was first spotted in August 2013 as an attachment to fake shipping notification emails. At the time, however, it only stole information from FTP and email clients. Recently, VAWTRAK has expanded to include the theft of banking credentials. As a result of this new behavior, we have seen a significant increase in the number of users affected by VAWTRAK.

    We assume that several popular sites in Japan may have been compromised – either directly or via malicious advertisements. From these sites, users are led to malicious sites hosting the Angler Exploit Kit; in several cases the Angler Exploit Kit was identified as leading users to various Flash and Java exploits. These exploits are then used to install VAWTRAK onto affected systems. Angler is one of the more popular replacements for the Blackhole Exploit Kit, which was shut down in 2013. Feedback from the Smart Protection Network indicates that the top countries affected by this threat are Japan (79.22%), the United States (6.47%), and Germany (6.29%).



    Figure 2. Top countries affected by VAWTRAK, May-June 2014

    In terms of behavior, VAWTRAK is not particularly innovative. Its behavior is very similar to that of previous malware families. Its earlier behavior of stealing FTP credentials is similar to the FAREIT malware, while its banking theft routines are similar to the ZBOT family of banking malware. Both of these families are frequently distributed by spam messages via malicious attachments.

    In addition to stealing money, VAWTRAK also increases the risk of users being affected by other malware. It checks for the presence of a wide variety of security software (including Trend Micro products). If it finds any, it tries to downgrade the privileges of the security software in an attempt to render it ineffective. Four major banks and five other credit card companies in Japan have been targeted by this malware.

    According to senior threat researcher Matsuka Bakuei, the increase in banking malware targeting Japanese banks can be attributed to information-stealing malware such as VAWTRAK and TSPY_AIBATOOK, which have added functionality allowing them to steal banking credentials. Furthermore, traditional banking malware like ZeuS/Citadel is no longer the only malware hitting Japanese banks.

    In the meantime, we advise that users disable or uninstall browser plug-ins (like Java, Adobe Flash, and Adobe Reader) if they are not needed. If they are needed, we strongly recommend that they be kept up to date, in order to minimize the risk from exploit kits that frequently use exploits for old vulnerabilities.

    We block the websites involved in these VAWTRAK attacks, as well as the various VAWTRAK variants (detected as BKDR_VAWTRAK.PHY, BKDR_VAWTRAK.SM, and BKDR_VAWTRAK.SMN).

    With additional analysis from Arabelle Ebora, Rhena Inocencio and Kawabata Kohei


    When we said as part of our 2014 predictions that there would be one major data breach per month, we actually hoped we’d be wrong. Unfortunately, so far, we’ve been proven right: the latest victim of a massive data breach is the well-known auction site eBay.

    To recap, earlier this week eBay disclosed in a blog post that they had suffered a breach that compromised a database containing “encrypted passwords and other non-financial data”. While they said there was no evidence of unauthorized activity or access to financial information, as a best practice they asked all users to change their passwords.

    The scale of the attack is difficult to overstate. In a separate FAQ, eBay stated that all 145 million of their users would be affected. By any standard, this represents one of the largest data breaches (by number of affected users) of all time.

    The breached information included the following details of users:

    • Name
    • Encrypted password
    • Email address
    • Physical address
    • Phone number
    • Date of birth

    There’s really only one thing that end users of eBay can do: change their passwords. If you’re an eBay user and you haven’t changed your password yet – open a new tab and do it right away. If you have difficulty remembering a password, use a password manager. (We’ve previously given out tips on password security.)

    System administrators may look at this incident and think: how do I make sure this doesn’t happen to me? After all, if a large, presumably well-funded organization like eBay could be attacked and breached, what more a smaller company with fewer resources?

    We have created a special report on data breaches, which looks at the overall data breach threat. Looking at this specific incident, some things stand out that other organizations can learn from. First of all, let’s remember how the attack started: with compromised employee credentials. It is quite likely that these were compromised via some form of spear-phishing. We had earlier discussed the entry points of targeted attacks.

    Some technical and non-technical solutions are possible to improve a network’s defenses at this stage. For example, internal use of two-factor authentication systems can lessen the risks associated with any single password being compromised. Training staff to identify and avoid potential spear-phishing attacks may also be useful.

    As for the data itself, all organizations should consider the increased (and correct) use of encryption. Items that people would consider as sensitive information (like those compromised in this data breach) may or may not be stored in an encrypted format.

    Just as importantly, the encryption has to be used correctly. Best practices have to be followed throughout the entire process – from which algorithms are used, to how the encryption is carried out, to how keys are generated, and so on. Cryptography is hard even in the best of circumstances, let alone when it is not done correctly.

    There’s no single solution that can remedy all potential security problems. That, however, is the point of a layered security solution: there are various ways that an attack can enter a network, and various ways that it can be detected as well. A properly designed custom defense solution will provide the best opportunity to detect and mitigate these threats.

    Posted in Bad Sites


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice