TrendLabs Security Intelligence Blog

    Author Archive - Jonathan Leopando (Technical Communications)




    Soon after Paunch was arrested, we found that the flow of spam campaigns going to sites with the Blackhole Exploit Kit (BHEK) had slowed down considerably. Instead, we saw an increase in messages with a malicious attachment.

Recently, however, we came across some unusual spam samples that combine characteristics of both attacks.

    Figure 1. Spammed message

    These particular messages contain both a link to a malicious site, as well as a malicious attachment. Having a spam message that contains both kinds of threats is not common – generally, spam will have one or the other.

The URLs in these messages generally point to compromised sites, which in turn load JavaScript files in the same manner as Blackhole Exploit Kit campaigns. We cannot confirm whether these JavaScript files redirect to landing pages that lead to exploit kits, but the content injected into the compromised sites we have seen is almost identical to that used by Blackhole campaigns.

    The malicious attachment is another UPATRE variant, TROJ_UPATRE.SMB. This downloader installs a ZBOT variant onto the affected system. We had earlier identified that the Cutwail botnet had been sending out spam messages with UPATRE downloaders as attachments, and that is also the case here.
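A triage check for the dual-vector messages described above, as an added example that is not part of the original post: it parses a message, collects URLs from the text parts and filenames from attachment parts, and flags a message that carries both a link and an executable-looking attachment. The message it parses is constructed here for illustration (the addresses, the URL and the attachment bytes are invented), and the list of attachment extensions worth flagging is an assumption rather than something the post states.

```python
"""Flag e-mails that carry both a link and an executable-looking attachment.

Added example, not code from the original post. The sample message is
constructed for illustration and does not reproduce a real spam run.
"""
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Extensions treated as risky; this set is an assumption, not from the post.
RISKY_EXTS = {".exe", ".scr", ".zip", ".pif", ".com", ".js", ".bat"}


def build_sample(with_attachment=True):
    """Construct a message that carries a link and, optionally, an attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"        # constructed sender
    msg["To"] = "victim@example.org"           # constructed recipient
    msg["Subject"] = "Invoice 30 July"
    msg.set_content(
        "Your invoice is attached. Details: http://example.net/js/invoice.html"
    )
    if with_attachment:
        # A few bytes standing in for an archived downloader (constructed).
        msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16,
                           maintype="application", subtype="octet-stream",
                           filename="invoice.zip")
    return msg.as_bytes()


def analyze(raw):
    """Return URLs, attachment names and whether both vectors are present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        fname = part.get_filename()
        if fname:
            attachments.append(fname)
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    risky = [a for a in attachments
             if any(a.lower().endswith(ext) for ext in RISKY_EXTS)]
    return {
        "urls": urls,
        "attachments": attachments,
        "risky_attachments": risky,
        # Both a link and a risky attachment in one message is the unusual
        # combination the post describes.
        "dual_vector": bool(urls) and bool(risky),
    }


if __name__ == "__main__":
    for with_att in (True, False):
        report = analyze(build_sample(with_attachment=with_att))
        print("dual_vector=%s urls=%s risky=%s" % (
            report["dual_vector"], report["urls"], report["risky_attachments"]))
```

The check is deliberately coarse: it does not fetch the URL or open the archive, so it is a first-pass triage signal, not a verdict. In a real pipeline the URL list would be fed to a reputation lookup and the attachment hashed and detonated.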

    Long term, it’s unclear what this indicates. It may mean that attackers are turning to another exploit kit to replace BHEK as a long-term solution, but we cannot say for sure. We are continuously looking out for new threats in order to protect our users. In the meantime, we block the spam messages, websites, and files associated with this threat.

    Additional analysis by Emmanuel Nisperos

Posted in Malware, Spam



    About two weeks ago, it was reported that “Paunch”, the author of the Blackhole Exploit Kit (BHEK), had been arrested by Russian law enforcement. (In addition to his work on BHEK, Paunch is also suspected of working on the Cool Exploit Kit.) Some reports suggested that associates of Paunch had been arrested as well, although how exactly they were tied to BHEK remains unclear.

    What is clear is how cybercriminals have reacted so far. As part of our continuous monitoring of global spam activity, we routinely monitor spam campaigns that use BHEK to distribute various threats.

Since the weekend of October 5-6 – when Paunch was arrested – we have not observed any major spam campaigns that used BHEK to deliver malware. Let us be clear: in the two weeks since Paunch’s arrest, significant BHEK spam runs have ceased. Neither have we observed any other major campaigns that use similar exploit kits. The table below shows the major spam campaigns we observed in the weeks leading up to Paunch’s arrest:

    Table 1. BHEK spam campaigns identified

    Meanwhile, in underground forums, cybercriminals are still digesting the news of Paunch’s arrest and wondering what the long term impact will be, as well as what his ultimate fate will be.

    One particular area of concern in Russian underground forums is whether users of BHEK could face arrests themselves. In particular, users who purchased BHEK directly from Paunch or his authorized resellers would be in Paunch’s database of clients, which is now presumably in the hands of law enforcement.

    Figure 1. Underground forum post

It is unclear what will happen to Paunch next. His real name has not been released by police, and neither have any details of his arrest – including what charges he faces – been made public. Some believe that he could receive a suspended sentence in lieu of any jail time, and become an expert in the employ of the Russian Federal Security Service, the FSB.

    Figure 2. Underground forum post

    In the long term, the impact of BHEK’s apparent demise remains somewhat unclear. Other exploit kits are available, but these may not have the support structure that Paunch was able to build with BHEK. We will continue to monitor these developments as necessary in order to protect Trend Micro customers.

Earlier this year we provided an overview of the state of BHEK as attackers were then using it. Among the most high-profile uses was in spam campaigns based around news reports of the birth of the British royal baby.

    Additional information provided by Jon Oliver and Max Goncharov

Posted in Exploits, Spam



Recently, Twitter made public financial statements related to its upcoming initial public offering (IPO). Part of these statements included how many active users it has: Twitter said it has 218 million monthly active users, three-quarters of whom have accessed the site from a mobile device.

    It’s not a surprise that some of these users are malicious. What is uncommon is that some of these malicious accounts do try to “engage” with other accounts – even those of security vendors like Trend Micro. Too bad for these users – we are one step ahead of them, as we have previously blocked the dubious sites they offer.

    Recently, we came across four accounts that added the @TrendLabs Twitter account to various lists. This would not have been unusual, except all four accounts were clearly malicious:

    Figure 1. Accounts/lists added

Upon further investigation, these accounts led to more malicious sites offering a variety of “hacking tools” targeting sites like Facebook and Twitter, as well as a scam site offering free iPhone 5s devices.

    Figure 2. Hacking tool website

It’s highly likely that these malicious sites are scam sites, offering none of the supposed “tools” on offer. Cybercriminals are not above stealing from other would-be online crooks and attackers as well.

Unfortunately, this is not the first (or the last) threat that we can encounter on popular social networking sites. Previously, incidents like survey scams, rogue apps, and other threats were frequent, although recent improvements by these sites were able to keep those threats at bay. However, as the popularity of mobile devices grew, cybercriminals found a new platform to use in their schemes. Just recently, we found a fake Facebook mobile page that asks users to disclose credit card details. Cybercriminals may either sell these or use them to initiate unauthorized transactions.

We advise would-be “curious” users to avoid these sites and profiles completely, and to report these accounts to site administrators, using the automated block/report features of these services where available.

    The sites are already blocked by Trend Micro web reputation services.

    Additional analysis by Karla Agregado and Paul Pajares.

Posted in Bad Sites, Social



There is one truly remarkable aspect of social media services that people take for granted: they don’t ask their users for anything. You can talk with as many friends, take as many selfies, and post as many status messages as you like, all without paying anything.

That is true at face value, but not in reality. It’s said that “if you’re not paying for it, you’re the product.” In the world of social media, that’s definitely true. Social media companies all need to pay the bills (and more); the most common way of doing so is by selling ads.

More than that, these ads are targeted – based on what you do, say, and share on these sites. The social networks will even try to sell this as a feature, hailing these as “relevant” ads.

    Is my personal information being sold?

    Not really. The information that social networks hold about any user is far too valuable to be sold off. That information is why social media companies are worth billions of dollars. What the information is used for is to allow advertisers and marketers to target users with remarkable specificity.

For example, an advertiser who wants to sell car accessories may choose exactly who they want to show their ads to: it can be something along the lines of males of a specific age group who already “like” certain car makes, etcetera. (Purely by coincidence, this week a gathering of advertisers and marketers is being held in New York as part of Advertising Week.)

    Note that in theory, all of this information is anonymized. In practice, this means that your name is not attached to the information. However, depending on how much information you give about yourself – and what privacy settings you used – someone might be able to identify you anyway.

In the future, not only could your data be used to customize your ads – you yourself could be used in advertising. Under proposed policy changes your name and picture can be used for advertising within Facebook as well – without you giving your direct consent. So, for example, if you “like” a certain brand, they can use your picture in their Facebook ads.

    Yes, I want my ads to be relevant to me. I don’t mind brands that I like letting others know that I like them.

    Some users may actually welcome these developments. Others, however, will be more skeptical. Some may even consider it equivalent to stalking, while others will just find it “creepy”.

Others may object at this point: hang on, I didn’t agree to this! As a matter of fact, you did. By merely agreeing to use any social media site, you agree to its terms. If, unfortunately, due to the network effect you need to use a social network to stay in touch with others… you’re basically out of luck.

    Whatever the case, this is something that people should be mindful about. Social media sites will use your data to profit – and not necessarily by “selling” your information. You may not be paying with money, but you’re paying with your information.

There are two things users can do. First, be careful about what you share: social media sites can’t profit off what they don’t have. Second, if privacy controls and opt-outs exist, use them. You may not always have a choice about protecting your information, but where you do, exercise it, in order to send a message about how you value your information.

    Of course, if you’re on social media, the sites themselves are not the only potential parties you may want to protect your data from. Other users and third-party apps are on this list. To learn how to use the privacy features of social networks to your full advantage, you can consult our digital life e-guide, How to Protect Your Privacy on Social Media.

Posted in Data, Social



The annual gathering in the Las Vegas heat known as DEF CON is always… interesting. Newly discovered potential threats that are talked about at DEF CON are always intriguing, to say the least. There were plenty of good talks, but several common threads piqued my interest.

    Unconventional Threats

By “unconventional” I mean threats against devices that people outside of the security community (and even some inside it) would not consider to be targets. Charlie Miller and Chris Valasek talked about how cars could be “hacked” if an attacker gained access to the car’s internal networks. Another talk, smartly called “Home Invasion 2.0”, discussed how many networked devices (home automation systems, baby monitors, and even toilets) are insecure. This has been discussed by our researchers before, as well as by our CTO in our 2013 predictions. The insights they shared then are similar to the concerns raised in the talks I mentioned: these systems were not designed with attacks in mind.

Designing secure systems, as opposed to systems that “just work”, is hard. It takes more time, it takes more resources, and it takes more money. It also requires awareness on the vendor’s part that their system needs to be secured in the first place.

These unconventional threats will be a significant problem moving forward. We are seeing devices connected to the Internet that have few good reasons, if any, to be online. Hopefully it won’t take long before the importance of securing these devices is recognized.

    Conventional Threats Still Ripe Targets

Don’t assume that conventional threats have gone away. Chema Alonso’s talk discussed the serious risks of IPv6 in existing networks, thanks in part to operating systems enabling it by default. There was also a release and demo of a new tool called Evil FOCA, which automates man-in-the-middle attacks in IPv4 and IPv6 networks.
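A check a practitioner would want after that talk, added here as an example rather than anything from the original post or from Evil FOCA itself: the default-on IPv6 risk on Linux hosts comes largely from interfaces that accept Router Advertisements, so a rogue RA on the local segment can hand the host a gateway and a prefix (the rogue-RA scenario is my framing; the post does not describe the attack in that detail). The script parses `sysctl -a` style output for the `net.ipv6.conf.*` keys and lists the live interfaces that would accept an RA. The sysctl listing below is constructed, not captured from a real host, and the interface names in it are invented.

```python
"""List Linux interfaces that will accept IPv6 Router Advertisements.

Added example, not code from the original post. It reads `sysctl -a`
output; the sample below is constructed for illustration.
"""
import re
import subprocess

# Constructed sample: a host with IPv6 left at distribution defaults on eth0,
# IPv6 disabled on wlan0, and the loopback interface not accepting RAs.
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.autoconf = 1
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.lo.accept_ra = 0
net.ipv6.conf.wlan0.accept_ra = 2
net.ipv6.conf.wlan0.disable_ipv6 = 1
"""

LINE_RE = re.compile(r"^net\.ipv6\.conf\.([^.]+)\.(\w+)\s*=\s*(\d+)$")
TEMPLATES = {"all", "default"}  # apply to interfaces, but are not interfaces


def parse_ipv6_conf(text):
    """Map interface name -> {key: int} for every net.ipv6.conf.* line."""
    conf = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            iface, key, value = m.groups()
            conf.setdefault(iface, {})[key] = int(value)
    return conf


def ra_exposed(text):
    """Live interfaces with IPv6 enabled and accept_ra set to 1 or 2.

    accept_ra=1 accepts RAs when forwarding is off; accept_ra=2 accepts them
    even when the host forwards. Either one lets a rogue RA on the segment
    install a default route and a prefix.
    """
    conf = parse_ipv6_conf(text)
    return sorted(
        iface for iface, keys in conf.items()
        if iface not in TEMPLATES
        and keys.get("disable_ipv6", 0) == 0
        and keys.get("accept_ra", 0) != 0
    )


def hardening(ifaces):
    """sysctl lines that stop the listed interfaces (and the templates)
    from accepting RAs."""
    lines = ["net.ipv6.conf.all.accept_ra = 0",
             "net.ipv6.conf.default.accept_ra = 0"]
    lines += ["net.ipv6.conf.%s.accept_ra = 0" % iface for iface in ifaces]
    return lines


def audit_live_host():
    """Run the same check against the current machine (Linux only)."""
    out = subprocess.run(["sysctl", "-a"], capture_output=True,
                         text=True, check=False).stdout
    return ra_exposed(out)


if __name__ == "__main__":
    exposed = ra_exposed(SAMPLE_SYSCTL)
    print("interfaces accepting RAs:", exposed)
    print("\n".join(hardening(exposed)))
```

The caveat that goes with this: on a network where IPv6 is actually deployed, setting `accept_ra = 0` breaks stateless address autoconfiguration, so the host-level fix only suits segments where IPv6 is not in use. Where it is in use, the control belongs on the switch (RA Guard, RFC 6105) rather than on every host.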

BYOD was under fire, too. Problems with WPA2-Enterprise wireless access were the subject of two separate talks, and were punctuated by DEF CON itself shutting down its own secure wireless network midday on the last day of the conference! In some ways, the problem is less broken protocols and more broken processes: secure protocols exist, but aren’t used because they’re harder to deploy and use.

    In short: just because “unconventional” threats are increasing does not mean “conventional” threats will go away. But I’d like to make the point that in so many cases, security “problems” are of a human nature, not always a technical one.

    The Snowden Factor

    Of course, you couldn’t talk about DEF CON without talking about the issues raised by Edward Snowden’s revelations. After all, DEF CON founder Jeff Moss (known by his handle, The Dark Tangent) asked “feds” to stay away this year. Attendees expressed just how they felt about the matter with (multiple) Snowden cutouts making the rounds of the hallways and by attending talks by the American Civil Liberties Union (ACLU) on this matter. No one paying attention to the ACLU’s position will be surprised by what was said today, but the depth of concern (to say the least) among attendees should not be underestimated. Whatever one feels about Snowden, the impact will be felt for quite some time.

It’s quite a turnaround from just last year, when NSA head General Keith Alexander gave a well-attended talk. (Alexander was also present at Black Hat this year.) Privacy against government surveillance has always been a worry for the DEF CON audience, but the concern this year was, without doubt, unprecedented.

    Conclusions

What DEF CON 21 boils down to is this: good security is hard. For new, Internet-enabled gadgets, we’re finding out what happens when unsecured systems are targeted by smart people trying to break them. In the “post-PC era”, it will only become harder as more and more targets come online. Things could get interesting, in all senses of the word.

Posted in Bad Sites, Data, Mobile


© Copyright 2013 Trend Micro Inc. All rights reserved.