Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Jonathan Leopando (Technical Communications)

    Over the weekend, Microsoft released Security Advisory 2963983 which describes a new zero-day vulnerability found in Internet Explorer. (It has also been assigned the CVE designation CVE-2014-1776.)

    This remote code execution vulnerability allows an attacker to run code on a victim system if the user visits a website under the control of the attacker. While attacks are only known against three IE versions (IE 9-11), the underlying flaw exists in all versions of IE in use today (from IE 6 all the way to IE 11).

    Serious as this vulnerability is, it’s not all bad news. First of all, the vulnerability is only able to run code with the same privileges as the logged-in user. Therefore, if the user’s account does not have administrator rights, the malicious code will not run with them either, partially reducing the risk. (Of course, this is only true if the user’s account isn’t set up as an administrator.)

    Secondly, some workarounds have been provided by Microsoft as part of their advisory; of these enabling Enhanced Protected Mode (an IE10 and IE11-only feature) is the easiest to do. In addition, the exploit code requires Adobe Flash to work, so disabling or removing the Flash Player from IE also reduces the risk from this vulnerability as well.

    We will continue to monitor this threat and provide new information as necessary.

    Update as of April 28, 2014, 12:30 P.M. PDT

    End of support for any software, OS or not, leaves users and organizations more vulnerable to threats. However, there are some solutions that can help address or mitigate this dilemma. Virtual patching can complement traditional patch management strategies as it can “virtually patch” affected systems before actual patches are made available. Another benefit is that it can “virtually patch” unsupported applications. For example, Trend Micro Deep Security has been supporting Windows 2000 vulnerabilities even beyond its end of support.

    It should be noted that the Enhanced Mitigation Experience Toolkit (EMET) can also help mitigate attacks that may exploit this particular vulnerability. This toolkit prevents software vulnerabilities from being exploited through several security mitigation technologies. According to the Microsoft advisory, “EMET helps to mitigate this vulnerability in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.”

    Trend Micro Deep Security and OfficeScan Intrusion Defense Firewall (IDF) have released a new deep packet inspection (DPI) rule to protect against exploits leveraging this vulnerability:

    • 1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)

    They also have a rule that restricts the use of the VML tag. This rule is already available to customers:

    • 1001082 – Generic VML File Blocker

    Update as of April 28, 2014, 6:10 P.M. PDT

    As we mentioned earlier, this vulnerability is now designated as CVE-2014-1776. It is due to the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated (a use-after-free condition). Successful exploitation allows an attacker to execute arbitrary code in the context of the current user.

    To mitigate this threat, Microsoft suggests to unregister VGX.DLL, which is responsible for rendering of VML (Vector Markup Language) code in webpages.

    The vulnerability is exploited when victim opens specially crafted webpages using Internet Explorer. Users can be convinced to open these sites via clickable links in specially crafted emails or instant messages. An Adobe Flash file embedded in these malicious sites is used to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections on the target system.

    As we mentioned earlier, we provide two rules that protect users against this threat. Not only will these rules help reduce the threat until a patch is provided by Microsoft, it will also protect unsupported OSes, such as Windows XP.

    Additional analysis by Pavithra Hanchagaiah.

    Update as of April 30, 2014, 4:25 AM PDT

    To further protect users from this threat, we have released the following additional heuristic solutions for this threat:

    • For Deep Discovery, NCIP 1.12083.00 and NCCP 1.12053.00 provide additional protection as well.
    • Our browser exploit prevention technology (present in Titanium 7) has rules that detect websites that contain exploits related to this vulnerability.

    To help administrators investigate if this threat is affecting their networks, products with  ATSE (Advanced Threats Scan Engine), such as Deep Discovery,  have heuristic rules which detect attacks using this vulnerability. These attacks are detected as HEUR_SWFHS.A and HEUR_SWFJIT.B in the ATSE pattern 9.755.1107 since April 22.

    Update as of May 1, 2014, 5:33 AM PDT

    We have also released the following additional solution for this threat:

    • OPR 10.767.00 provides additional heuristic capabilities to help detect malicious scripts that take advantage of this vulnerability.

    Update as of May 1, 2014, 7:15 AM PDT

    The original version of this post mentioned modifying the ACL for VGX.DLL, based on recommendations from Microsoft. Microsoft has modified their guidance, and the blog post has been modified accordingly.

    Update as of May 1, 2014, 11:03 AM PDT

    The original version of this post mentioned that Windows XP will not be receiving a patch for this vulnerability. Microsoft has just released a security update (MS14-021) for this vulnerability, including one for Windows XP. This blog post has been modified accordingly.


    A new zero-day vulnerability in certain versions of Internet Explorer has been identified and is being used in targeted attacks. Microsoft has not released an official bulletin acknowledging this vulnerability yet, but has spoken to news sites and confirmed that both Internet Explorer 9 and 10 are affected. The newest version, Internet Explorer 11, does not suffer from this vulnerability.

    If exploited, this vulnerability allows an attacker to target users with a drive-by download, allowing files to be downloaded and run user systems without any user input needed, beyond visiting a website.

    Two versions of Windows are not affected by this threat: Windows 8.1 (because it includes IE11), and Windows XP (because it only supports up to IE8.) All other versions of Windows are at potential risk, depending on the version of Internet Explorer present on the system.

    This attack was initially spotted on the website of a non-profit organization in the United States. The files used in this exploit are detected as HTML_EXPLOIT.PB, HTML_IFRAME.PB, and SWF_EXPLOIT.PB. The backdoor that was planted on affected machines using this zero-day is detected as BKDR_ZXSHELL.V. No formal bulletin or workarounds have been issued by Microsoft; we recommend that users of Windows 7 or 8 consider upgrading to Internet Explorer 11 to avoid this problem.

    We are currently analyzing both the exploit itself and the payloads used in this attack, and will provide further information as appropriate.

    Update as of 5:00 PM PST, February 16, 2014:

    We have released new Deep Security rules that provide protection against this vulnerability, namely:

    • 1005908 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322)
    • 1005909 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322) – 2
    • 1005911 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322) – 3

    Update as of 11:00 PM PST, February 19, 2014:

    Microsoft has released an advisory acknowledging this attack and confirming that it is limited to Internet Explorer 9 and 10. A workaround has also been provided in the form of a Microsoft Fix It solution.


    People are seldom an entirely open book. It’s common sense and rational to keep some stuff like financial and medical records away from prying eyes. For others, it can be something trivial and silly (say, an embarrassing taste in music) to the more serious (like a traumatic event in one’s past).

    With so many methods of sharing, keeping things private is increasingly becoming more  difficult. Websites and services often ask for personal information and track users’ online habits to provide a more “customized” experience. Despite methods of sharing within a select group, sharing online has practically become synonymous with sharing with the public. No matter the privacy level of an account, anything posted online will sooner or later find its way to the public.

    This kind of activity is driving some users to reconsider the amount of information they are willing to share. In 2014, we will see users exert more effort in learning tools that can protect their data and control what they share online. This year will be about making sure that secrets remain secret.

    It’s not just individuals who have secrets to keep. So do businesses. These can include their future plans and strategies, to their current procedures, to personnel records of their employees and clients. Exposed to the public – and their competitors – these can cost a business millions, and perhaps in an absolute worst case, drive them out of business completely.

    Protecting data should become every organization’s top priority this year, considering that we will see one major data breach incident per month. 2013 was marked by several major data breaches and we will see such incidents continue this year.

    As part of our 2014 predictions, we developed this video, with the help of our CTO Raimund Genes, to talk about what users and organizations can do to protect themselves and keep their secrets secret in today’s digital landscape:

    So what can you do to protect your secrets? Our advice to users will help here: avoid oversharing on social media. Don’t bank or shop online on sites that you don’t trust. Keep track of you data, wherever it is – whether it’s in the cloud, or on one of your devices. In short, being a good citizen of the Internet will help in keeping your secrets away from cybercriminals and other such bad actors found online.

    For more concrete steps that outline what you can do to protect your secrets, you can visit the Secrets website, which is part of our broader 2014 predictions.


    2013 was the year that the Android malware not just grew, but matured into a full-fledged threat landscape. Not only did the number of threats grow, the sophistication and capabilities associated with these threats grew as well.

    As we noted earlier, the number of mobile malware threats has crossed the one million mark, and as of the end of 2013 stood at almost 1.4 million malicious and high-risk apps. We believe that by the end of 2014, this number will be at over 3 million.

    Figure 1. Volume of malicious and high-risk apps

    Not only are there more threats, the threats are becoming more diverse. No longer are mobile-centric cybercriminals content with just premium service abuse; the proportion of mobile malware with some sort of information-stealing ability grew from 17% at the start of 2013 to almost a quarter by year’s end. Overall, about a fifth of all mobile malware had some sort of information theft capability.

    Figure 2. Mobile malware threat type distribution

    New threats and problems also reared their head in 2013. We saw a tenfold growth of one-click billing fraud apps; these apps attempt to register users for paid services that they would normally not be interested in. In addition, we also saw a serious vulnerability – the “master key” vulnerability - which put almost all Android users at risk of installed apps being modified by attackers to include malicious code. Malicious mobile sites also made an appearance in 2013.

    Looking forward to 2014

    These developments will continue into 2014 and make the mobile threat landscape more closely resemble the PC landscape, which is already well-developed and sophisticated. Mobile threats will continue to grow in number and become, in effect, “mass-produced”. In addition, we expect to see more obfuscated and native code in an attempt to evade detection by anti-malware solutions.

    Our complete look back at the 2013 mobile threat landscape, and our view of what 2014 may turn out to be, can be found in our latest Monthly Mobile Report, titled Beyond Apps.

    Posted in Malware, Mobile | Comments Off

    Over the holidays, it was reported that malicious ads had appeared on various Yahoo sites and affected users in Europe. Two claims about this attack have been made: first, that it affected “millions” of users, and secondly, that it was used to plant Bitcoin miners on affected computers. Some of these claims may be a bit overstated, and the coverage may not have been able to give a more complete picture of the threat.

    We can’t say for certain just how many users were exposed to this attack. However, it’s worth noting that users with up-to-date versions of Java would have been protected. We identified two Java vulnerabilities – CVE-2012-0507 and CVE-2012-4681 - that were used in this attack to plant various malicious payloads on user systems. (It is believed that these vulnerabilities were delivered by the Magnitude Exploit Kit, one of the successors to the infamous Blackhole Exploit Kit.) However, both of these vulnerabilities have been patched for a fairly long time: the first vulnerability was patched in February 2012; the other was patched in August 2012.

    Similarly, while Bitcoin miners may have been part of the potential payloads, it was far from the only one. We identified multiple malware threats as payloads. These included DORKBOT and GAMARUE variants, as well as TROJ_OBVOD.AY, which is used in click fraud schemes. The payloads that were delivered to users were quite diverse.

    Aside from keeping their software patched, well-designed security products can help keep users safe. For example, the browser exploit technology that is part of our existing products is able to protect users against this particular attack.  This technology analyzes scripts and other web objects that runs in the browser and uses heuristic analysis to determine if these are malicious. This protects users even if the updated software is not present on a user’s system. It is not a replacement for keeping software up to date, but well-thought out endpoint security is very useful in increasing the available “defense in depth” for users.

    While the infection vector may have been out of the ordinary, the attack itself was not. Basic good computing practices – such as keeping software updated and using a well-built security product – would have helped reduce the risk for end users tremendously. It’s an excellent reminder for users to practice safe computing practices.

    With additional analysis from Kai Yu.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice