    Author Archive - Jonathan Leopando (Technical Communications)

    As more and more users entrust parts of their digital lives to the cloud, they’re increasingly running into a problem: it doesn’t always last forever. More specifically, cloud services that people have relied upon are just like any other business: they can close their doors.

    Just in the past few weeks, here are some cloud services that have shut down or drastically changed their offerings:

    But some changes to these services resulted in significant “birth pains”. Take for example MySpace, which has been rolling out new features for some time and relaunched with new branding last June. Some commended this relaunch, but its remaining loyal users became upset when the restart deleted their content.

    The rapid pace of innovation in mobile and cloud services means that, unfortunately, services which fail to become profitable quickly shut down as well – even if they have many users who depend on them. So what can you, as a user, do to minimize the risk if this happens to you?

    There’s not much you can do about services that use data that isn’t yours (like, say, video and music streaming services). However, for your own data – like documents, pictures, and news feeds – there are steps you can take.

    Remember the traditional 3-2-1 rule about backups: at least three copies, in at least two different media, with at least one copy off-site. Storing your data in the cloud fulfills the last two requirements, but it also means that you should keep copies of your data outside of any particular service’s own closed cloud.

    This means, for example, storing a copy of your movies and pictures on your device (or even another cloud service). For every cloud service you use, the procedure would be different, but the concept is the same: make sure your data exists in some form outside of any app or service’s own servers.

    Preparing for a cloud service going offline may seem like an extreme precaution. Aside from a service going completely away, there are many other scenarios where you’d like to access data in a cloud offline: you’re in a location with non-existent/insecure/expensive Internet access, or the service goes down due to maintenance and/or a security breach.

    For cloud service providers, it is best to announce any major changes (or a shutdown) months ahead. The recent shutdown of Google Reader was a good example of an effective announcement, as it resulted in minimal impact on users (other than having to search for an alternative service, of course). The MySpace gaffe, unfortunately, shows that changes or improvements can go awry.

    The underlying fact: “going to the cloud” is not an excuse to manage your data poorly. You still have to be responsible for your data and avoid putting all your eggs in one basket. For more information on how to protect your data in the cloud, you may read our Digital Lifestyle E-Guide Keeping Your Cloud Data in Check.


    Trend Micro researchers have uncovered a targeted attack launched against government agencies in various countries. The email claimed to be from the Chinese Ministry of National Defense, although it appears to have been sent from a Gmail account and did not use a Chinese name.

    Figure 1. Fake message

    The document contains a malicious attachment, which exploits a vulnerability (CVE-2012-0158) in Microsoft Office (all versions from Office 2003 to Office 2010 were affected) that was patched more than a year ago. The exploit is used to drop a backdoor onto the system, which steals login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook. (It also opens a legitimate “dummy” document, to make the target believe that nothing malicious happened.) Any stolen information is uploaded to two IP addresses, both of which are located in Hong Kong.

    This particular attack was aimed primarily at personnel of European and Asian governments. The message was sent to 16 officials representing European countries alone. The topic of the email – and the attached document – would be of interest to these targets. In addition, the information stolen – and where it was stolen from – is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook.

    It’s worth noting, however, that Chinese media organizations were also targeted by this attack. The backdoor itself has also been detected in the wild – but, interestingly, it has been most frequently seen in China and Taiwan, with a more limited presence in other Asian countries.

    The vulnerability used in this attack is one that is commonly used in targeted attacks. High-profile campaigns like Safe and Taidoor have made use of this vulnerability; it is, if anything, a commonly targeted flaw in sophisticated campaigns.

    Trend Micro products already detect all aspects of this threat – the message and C&C servers are now blocked; the malicious attachment is detected as TROJ_DROPPER.IK and the backdoor itself as BKDR_HGDER.IK. In addition, Deep Discovery was able to protect our customers by heuristically detecting the malicious attachment using the ATSE (Advanced Threats Scan Engine).

    Based on analysis by Jayronn Bucu.


    Last week, security researchers announced a new vulnerability for Android phones which could allow installed apps to be modified without the user being aware of it. Almost all Android devices are vulnerable, as the vulnerability has existed since Android 1.6 (Donut), and currently only the Samsung Galaxy S4 has been patched to protect against it.

    The vulnerability – known in some quarters as the “master key” vulnerability – has attracted considerable media attention, but it has not always been accurately reported. We have updated Trend Micro Mobile Security to protect our users, but at the same time we wish to clarify what’s going on, what the threat is, and what users can do.

    What’s this “master key” vulnerability?

    The vulnerability is related to how Android apps are signed. All Android apps have a digital signature from their developer, which verifies that the app actually did come from the developer and was not modified en route. An app can only be updated if the new version has a matching signature from the same developer.

    This particular vulnerability is in that last step. What researchers have found is a way for attackers to update an already installed app even if they do not have the original developer’s signing key. In short, any installed app can be updated with a malicious version.

    Note that technically, there is no “master key” that has been breached. Yes, any app can be modified and used for malicious purposes, but there’s no “master key” in the first place.

    What are the risks?

    This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.

    Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanized app for a bank would continue to work for the user, but the credentials would have been sent to an attacker.

    What can users do to protect themselves?

    We’ve updated our Trend Micro Mobile App Reputation Service to detect apps that abuse this vulnerability, but so far we have not found any. Nonetheless, for users of Trend Micro Mobile Security, we have released a pattern update to ensure that we will detect apps that target this particular vulnerability. (All users with pattern version 1.513.00 or later are covered. Apps found exploiting the vulnerability will be detected as Android_ExploitSign.HRX.) This is sufficient to ensure that our users are protected from this threat.

    We strongly suggest disabling the ability to install apps from sources outside of Google Play. This setting can be found under Security in the system settings of Android devices.

    Google has made some steps to protect users. They’ve modified the backend of their online store so that apps that try to exploit this problem are blocked. Thus, users who do not download apps from third-party stores or sideload APK files should not be at risk from this threat. The company also released a fix for the vulnerability and distributed it among OEMs. Hopefully, the importance of this update will prevent delays in its deployment.

    Update as of July 11, 2013 3:43 AM PST

    We were able to find a report that features a different approach for the same attack to bypass Android signature checking, this time using a Java Zipfile implementation vulnerability. We are currently working on the solution, and malicious apps that will be found using this technique will be detected as AndroidOS_ExploitSign.HRXA.


    As part of our 2013 predictions, we predicted that legitimate cloud services would be abused by cybercriminals. Unfortunately, that has proven to be the case – and in today’s current climate, it is unlikely to get any better.

    For example, last week we saw a spam run that used Dropbox to host its malicious payload. It’s not the only case we’ve seen where legitimate cloud services have been utilized for malicious purposes – only the most recent noteworthy one.

    The issue is bigger than just one popular service – others like Evernote and Sendspace have been abused as well. It’s natural to ask if these services can prevent such cases from happening again. However, a competing demand has also been heard from the public: privacy.

    Today, people are much more concerned about whether their data is being read by governments or monetized by service providers themselves. They are likely to demand more privacy. For example, in the case of a cloud storage provider, the demand might be that the cloud provider not know anything about what files are being stored on their servers. To the provider, the customer’s data would merely be a blob of indecipherable bits that means nothing to them.

    Fundamentally, there is a clash between the demands of privacy and the demands of security. Say, for example, a storage provider wanted to ensure that their service wasn’t being used to host malware. They could, for example, use very powerful solutions – file scanning, sandbox testing, etcetera – to test all uploaded files. Notwithstanding the obvious effects on costs and server requirements, this would also be perceived as spying by many users. (In today’s climate, that accusation can quite easily destroy a company.)

    The converse is also true: they could provide completely private storage, where all encryption is performed on user devices, and they have no idea what’s being stored on their sites. A service like that would certainly be abused by criminals. Because cloud providers have to meet legitimate customer demands for secure, private services, this creates a system that also shields illegitimate users’ activities from detection.

    Both examples above, of course, are at extremes – but they illustrate the tradeoff any cloud provider must make. They must strike a balance that suits their strategy and business model. However, this means that some level of abuse will be inevitable – and might even be viewed as an inevitable cost of doing business.

    What should users take away from this? As we said above, some abuse will be inevitable. It doesn’t even have to be a vendor you chose; it can be a vendor that another user or a cybercriminal chose. Some writers have implied that as computing moves to the cloud, users can abdicate some responsibility for their security to other parties (like, say, cloud services of one kind or another).

    Nothing could be further from the truth. Users must still take responsibility for their own security and adopt security solutions that work for them and put them in control. Obviously, this means different things for a family at home and a corporation with thousands of seats – but the principle remains the same. The user, and not the “cloud”, has ultimate responsibility for keeping themselves safe.


    The past few weeks have seen some very high-profile sites adopt two-factor authentication in one form or another. First was Twitter, followed soon by Evernote and LinkedIn.

    For users of these sites, these represent a welcome improvement to their security. In the event that their password is (somehow) compromised, an attacker faces another barrier before they can gain access.

    There is still room for improvement. All three services use text message verification – i.e., they send an access code to the user’s phone when somebody tries to log in. Unfortunately, mobile malware can also intercept text messages, so it is possible for a clever attacker to capture these codes.

    An alternative which some sites use is an authenticator app, which generates the verification code on the device. Some sites require their own app; other sites are compliant with RFC 6238 so that a single app can authenticate multiple services.

    There are also some usability challenges. Not all apps or operating systems allow the user to enter authentication codes (actually, relatively few do). In these cases, you need to create an application- or device-specific password – if the service supports it. (Theoretically, a bad implementation of these could pose a risk as well.) In addition, there is the very real problem of people losing their phones. In the United States alone, 1.6 million people lost their smartphones in 2012. A large service rolling out two-factor authentication has to consider some way for users to authenticate if they’ve lost their device.

    This highlights the importance of the stolen device problem we talked about recently. Not only are mobile devices valuable in themselves and full of the user’s personal data; they can also act as the keys to the rest of the user’s accounts.

    Of course, these three services are not the only ones to introduce two-factor authentication. Many other high-profile companies like Blizzard, Facebook, Google, and Microsoft all support some form of two-factor authentication. Users should check which of their services support it and strongly consider activating it.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice