Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    September 2014
    S M T W T F S
    « Aug    
     123456
    78910111213
    14151617181920
    21222324252627
    282930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Jonathan Leopando (Technical Communications)




    The past few weeks have been rather exciting for Bitcoin owners and speculators, with prices peaking at over $1200 per BTC. Some commentators – including former Fed Chairman Alan Greenspan – have called Bitcoin prices a “bubble”, with a former Dutch central banker comparing it to the tulip mania of the 17th century. Other cryptocurrencies, like Litecoin, have seen similar gains as well.

    We’ve covered Bitcoin extensively in the blog in the past, including earlier this year when the total value of all Bitcoins was approximately $1 billion. It now stands at more than twelve times that value. Basic information about Bitcoin-related malware may be found in the Threat Encyclopedia entry discussing Bitcoin.

    How much Bitcoin mining malware is there?

    Bubble or not, there is plenty of value in Bitcoin. This is giving rise to more Bitcoin-related threats. Victims are now being used to “mine” Bitcoins; in addition the Bitcoin wallets of existing users are now tempting targets for theft as well.

    From September to November, feedback from the Smart Protection Network indicated that more than 12,000 PCs globally had been affected by Bitcoin-mining malware. More than half of all infections came from one of three countries: Japan, the United States, and Australia.

    Bitcoin mining – the process by which new Bitcoins are created – is computationally intensive. The recent boom in Bitcoin prices may have made using malware viable again for cybercriminals. Both CPU and even GPU-based miners have been eclipsed in recent months by application-specific integrated circuit (ASIC)-based dedicated miners, which boast of hash rates that are orders of magnitude faster than what can be achieved using even high-end PC hardware.

    However, because any mined bitcoin nowadays has such high value, even “slow” miners are now worth it for cybercriminals. For users,  the problem is that Bitcoin mining is always resource-intensive and can slow down the system due to the increased CPU load. We detect a variety of Bitcoin malware as BKDR_BTMINE, TROJ_COINMINE and HKTL_BITCOINMINE.

    Is Your Money At Risk?

    This “bubble” has also made stealing Bitcoins much more lucrative. For example, the Deep Web site Sheep Marketplace shut down earlier this month – with users losing as much as $100 million in Bitcoins to thieves. So what can users do?

    There’s not much that users can deal with corrupt sites and exchanges except not to do business with them. What users can do is take care of is their own personal Bitcoin wallets.

    It’s important to recognize that there are two factors that make defending against Bitcoin theft particularly important. First of all, all Bitcoin transactions are permanent. There is no “undo” button here. If a thief is able to take control of your Bitcoin wallet and transfer all your funds, you have no technical recourse.

    That brings us to the second factor: there is no regulator or other authority that one can appeal to in the Bitcoin world. If you’re the victim of credit card fraud, you can appeal to your bank to reverse the charges – and in many cases, they will. That option is not available in the world of Bitcoin; if your wallet is compromised by an attacker you have no recourse. Any Bitcoin wallet on a system is exceptionally vulnerable to being affected by malware on that same system.

    Protecting Bitcoin

    Aside from avoiding being infected by malware in the first place, what users can do to prevent any damage from Bitcoin thieves? Consider the real-world wallet. If one had millions or billions in real-world money, you wouldn’t carry all of it with you all the time. Some would be with you, but most would be securely stored somewhere.

    That would work with Bitcoin as well. Keeping everything in just one wallet is very dangerous. A division of wallets into at least one “spending” wallet (which you use for sending money via Bitcoin) and one or more “receiving” wallets. (It would even be a good idea to keep these wallets offline to more thoroughly protect them as well.)

    One more thing to note. Bitcoin is promoted as being “anonymous”, but in a way nothing could be further from the truth. Because all Bitcoin transactions are public, it is possible to see all the transactions a user has made. Therefore, given enough circumstantial evidence, it may be possible to get the identity of a user. This is something that users should keep in mind before adopting Bitcoin as a currency.

    Simply put, while Bitcoin may be a product of the 21st century, at the same time it is something that has been around for centuries – cash. The same caution and prudence that applies to handling cash should be applied here as well.

     
    Posted in Malware | Comments Off



    Around this time of the year, many people are finding themselves on the move visiting friends and family, or just playing tourist somewhere in the world. Since it is 2013, however, one new problem has come up: “how do I get online while I’m on the go?”

    Many travelers now expect wi-fi as part of their trip – whether at the airport, in the air, at their hotel, or at tourist attractions. A 2013 study found that 64% of hotels worldwide offered some form of free wi-fi. For some flights “gate to gate” wi-fi access is now available, ensuring you never have to be offline.

    Unfortunately, there is a big problem. The wi-fi offered for travelers is frequently open wi-fi: this means that it is completely insecure against just about any attacker. It is trivial for an attacker to capture the traffic off an open access point, or even set up a fake one and conduct man-in-the-middle attacks. Wi-fi Protected Access (WPA) may prevent others from seeing your traffic but only if the access point is configured to do so.

    Even “secure” wi-fi, if it is offered, is no assurance of security: you could be connecting to a rogue access point with the same access point name and password as the real network. Creating rogue access points is easy: if the password is known, anyone can create a duplicate access point. Even if you do connect to the real network, attackers can be on the very same network as you are. Being “secure” on any network with others that you may not trust is incredibly difficult.

    On the other hand, there are good reasons to use free wi-fi. Many users face either strict data caps or high roaming costs. Getting data access if you’re travelling internationally is not always easy or cheap.  Travel apps can be very useful on the go – for example they can provide directions in unfamiliar places, or point the way towards which places you want to specifically visit or eat at.

    So, how can users stay safe on free wi-fi? Increasingly, there’s really only one way to do so: use a virtual private network (VPN).

    VPNs have usually been the preserve of business travelers who wanted to connect to their company’s network securely. Now, however, they represent a relatively inexpensive way of securing one’s wi-fi connection from wi-fi attacks. There are many reputable VPN service providers with both free and paid services, and even paid services are not particularly expensive. Compared to the possible consequences of having one’s accounts compromised (quite possible with open wi-fi), such services are a bargain.

    These services are not difficult to use. VPN support is built into both iOS and Android, and all reputable services should provide some sort of guide on how to set up your mobile device.

    Figures 1-2. iOS and Android VPN setting locations

    Given how much of our digital lives is now in our mobile devices, it is a great idea to protect these as much as possible. As free wi-fi is fundamentally insecure and is increasingly under attack, users who care about their privacy and security should use VPNs to protect their network traffic if they can.

    What if you’re a business that wants to offer free wi-fi to your customers? The solution to this is fairly simple: use secure wi-fi, but make the SSID and password known publicly. It can be a sign in public, a line on the receipt – it can be different for each business. Even a publicly shared password offers security against casual eavesdropping, although some attacks (like rogue access points) can’t be stopped this way. However, it is an improvement over a completely open network.

     
    Posted in Malware, Mobile | Comments Off



    Soon after Paunch was arrested, we found that the flow of spam campaigns going to sites with the Blackhole Exploit Kit (BHEK) had slowed down considerably. Instead, we saw an increase in messages with a malicious attachment.

    Recently, however, we came across rather unusual spam samples that combines characteristics of both attacks.

    Figure 1. Spammed message

    These particular messages contain both a link to a malicious site, as well as a malicious attachment. Having a spam message that contains both kinds of threats is not common – generally, spam will have one or the other.

    The URLs linked to by these messages are generally compromised sites, which point to Javascript files in a similar manner to that used by the Blackhole Exploit Kit. We cannot confirm whether these Javascript files resulted in redirects to landing sites that would lead to exploit kits, but the added content to the compromised sites we have seen is almost identical to that used by Blackhole campaigns.

    The malicious attachment is another UPATRE variant, TROJ_UPATRE.SMB. This downloader installs a ZBOT variant onto the affected system. We had earlier identified that the Cutwail botnet had been sending out spam messages with UPATRE downloaders as attachments, and that is also the case here.

    Long term, it’s unclear what this indicates. It may mean that attackers are turning to another exploit kit to replace BHEK as a long-term solution, but we cannot say for sure. We are continuously looking out for new threats in order to protect our users. In the meantime, we block the spam messages, websites, and files associated with this threat.

    Additional analysis by Emmanuel Nisperos

     
    Posted in Malware, Spam | Comments Off



    About two weeks ago, it was reported that “Paunch”, the author of the Blackhole Exploit Kit (BHEK), had been arrested by Russian law enforcement. (In addition to his work on BHEK, Paunch is also suspected of working on the Cool Exploit Kit.) Some reports suggested that associates of Paunch had been arrested as well, although how exactly they were tied to BHEK remains unclear.

    What is clear is how cybercriminals have reacted so far. As part of our continuous monitoring of global spam activity, we routinely monitor spam campaigns that use BHEK to distribute various threats.

    Since the weekend of October 5-6 – when Paunch was arrested – we have not observed any major spam campaigns that used the BHEK to deliver malware. Let us be clear: in the two weeks since Paunch’s arrest, significant BHEK spam runs have ceased. Neither have we observed any other major campaigns that use similar exploit kits. The calendar below shows the major spam campaigns we have observed in the weeks leading to Paunch’s arrest:

    Table 1. BHEK spam campaigns identified

    Meanwhile, in underground forums, cybercriminals are still digesting the news of Paunch’s arrest and wondering what the long term impact will be, as well as what his ultimate fate will be.

    One particular area of concern in Russian underground forums is whether users of BHEK could face arrests themselves. In particular, users who purchased BHEK directly from Paunch or his authorized resellers would be in Paunch’s database of clients, which is now presumably in the hands of law enforcement.

    Figure 1. Underground forum post

    It is unclear what will happen to Paunch next. His real name has not been released by police, and neither have any details of his arrest – including what charges he faces – made public. Some believe that he could receive a suspended sentence in lieu of any jail time, and become an expert in the employ of the Russian Federal Security Service, the FSB.

    Figure 2. Underground forum post

    In the long term, the impact of BHEK’s apparent demise remains somewhat unclear. Other exploit kits are available, but these may not have the support structure that Paunch was able to build with BHEK. We will continue to monitor these developments as necessary in order to protect Trend Micro customers.

    Earlier this year we provided an overview of the current state of BHEK, as it was used by attackers earlier this year. Among the most high-profiles uses was in spam campaigns based around news reports of the birth of the British royal baby.

    Additional information provided by Jon Oliver and Max Goncharov

     
    Posted in Exploits, Spam | Comments Off



    Recently, Twitter made public financial statements related to its upcoming initial public offering (IPO). Part of these statements including how many active users it has: Twitter said it has 218 million monthly active users, three-quarters of which have accessed the site from a mobile device.

    It’s not a surprise that some of these users are malicious. What is uncommon is that some of these malicious accounts do try to “engage” with other accounts – even those of security vendors like Trend Micro. Too bad for these users – we are one step ahead of them, as we have previously blocked the dubious sites they offer.

    Recently, we came across four accounts that added the @TrendLabs Twitter account to various lists. This would not have been unusual, except all four accounts were clearly malicious:

    Figure 1. Accounts/lists added

    Upon further investigation, these accounts led to more malicious sites offering a variety of hacking tools targeting sites like Facebook and Twitter, as well as a scam site offering free iPhone 5ses.

    Figure 2. Hacking tool website

    It’s highly likely that these malicious sites are scam sites, offering none of the supposed “tools” that are on offer. Cybercriminals are not below stealing from other would-be online crooks and attackers as well.

    Unfortunately, this is not the first (or the last) threat that we can encounter on popular social networking sites. Previously, incidents like survey scams, rogue apps, and other threats  were frequent, although recent improvements by these sites were able to keep these threats at bay. However, as the popularity of mobile devices grew, cybercrmininals have found a new platform to use in their schemes. Just recently, we found a fake Facebook mobile page that asks users to disclose credit card details. Cybercriminals may either sell or use these to initiate unauthorized transactions.

    We advise would-be “curious” users to avoid these sites and profiles completely, and if possible to report these accounts to site administrators (if possible, using the automated block/report features of these services).

    The sites are already blocked by Trend Micro web reputation services.

    Additional analysis by Karla Agregado and Paul Pajares.

     
    Posted in Bad Sites, Social | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice