    Author Archive - Julius Dizon (Research Engineer)

    More and more spying tools are being sold in app stores, specifically those catering to Android users. One of those that has gotten some attention from the media goes beyond the typical routines of known spying tools, which include text message forwarding and GPS information transfer. In addition to the said routines, this particular spying tool records phone calls made from infected devices.

    Unlike the other Android malware that pose as legitimate apps, this uses a social engineering hook. It publishes its routines and promotes itself as a spying tool that users can use through a certain Chinese third-party app store.


    We have analyzed a couple of samples of this app, which we now detect as ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.B.

    ANDROIDOS_NICKISPY.B appears to be an updated version of ANDROIDOS_NICKISPY.A, as the two have essentially the same routines, with a few differences. For example, ANDROIDOS_NICKISPY.A sends the IMEI number of the infected device to a hardcoded number, while ANDROIDOS_NICKISPY.B does not. On the other hand, unlike ANDROIDOS_NICKISPY.A, ANDROIDOS_NICKISPY.B displays an icon, as shown in Figure 1 below. Once the user tries to open the app through the icon, it displays a warning and states the routines it will perform.

    [Figure 1]



    TrendLabs has created a STUXNET Scanner Tool to help administrators identify which computers in their networks are still infected by STUXNET.

    A few months ago, STUXNET targeted SCADA systems—critical control systems that run complex infrastructure such as those that run transportation systems, water systems, and oil refineries, among others. STUXNET searches SCADA-related strings in order to view project databases and information stored in critical systems.

    Given the nature of the attack, administrators naturally want to be doubly sure that none of their systems are infected by this malware. Despite providing immediate protection for infected systems, we are still receiving reports from customers who need help to ensure that all of their systems are free of this particular threat.

    This STUXNET Scanner Tool may be downloaded for free here.

    This tool helps administrators identify infected machines within their own networks even if STUXNET is not sending out or receiving communications. As we have explained in previous blog entries and in the information page STUXNET Malware Targets SCADA Systems, STUXNET installs both a server and a client component to enable the Remote Procedure Call (RPC) routine in an infected computer so it can communicate with other infected systems for the purpose of updating itself and the systems it communicates with.

    How the STUXNET Scanner Tool Works

    Once installed and run, the tool enumerates live IP addresses within the internal network and sends spoofed packets similar to the packets sent by known STUXNET variants. Any host infected by STUXNET will respond to this spoofed packet. Through this, network administrators can easily identify which IPs are infected within the network, thereby helping them perform the necessary actions to isolate and clean the said systems.


    Trend Micro has been protecting users from all known STUXNET-related malware through the Trend Micro™ Smart Protection Network™.

    STUXNET has also been discussed in the following Malware Blog entries:

    Special thanks to threat solution engineer Yuki Chen and threat analyst Joseph Cepe for contributing to the creation and testing of this tool.

    Update as of November 16, 2010 9:37 p.m. UTC

    When using this tool, users are advised to follow the standard operating procedure of their respective organizations for conducting penetration testing. It is likewise important to note that the STUXNET Scanner Tool acts as the client in the STUXNET peer-to-peer (P2P) communication routine. It attempts to communicate with the RPC server component from the given list of IP addresses. IDS events may also be triggered by this tool whenever it simulates STUXNET network communication.

    The STUXNET Scanner Tool uses a fixed universally unique identifier (UUID), which keeps false positives to a minimum. Even so, users are advised to scan any flagged machine for infection. Users can utilize free tools like Trend Micro’s HouseCall to scan their systems.


    We’ve been spending some time looking into TSPY_ZBOT.BYZ—the ZeuS variant that was used in the recent LICAT file infector attack.

    Aside from the behaviors noted in previous blog posts (File Infector Uses Domain Generation Technique Like DOWNAD/Conficker and ZeuS Ups the Ante with LICAT), TSPY_ZBOT.BYZ also uses techniques designed to avoid automatic heuristics-based detection. For example, common ZeuS 2.0 variants contain relatively few imported external APIs. (ZeuS 2.0 refers to variants of the ZeuS banking malware that have been spotted since the start of the year with improved information theft routines. They have been discussed in the previous blog posts At A Glance: New ZeuS Variants and A Look at ZBOT 2.0 Information Theft.)

    By contrast, TSPY_ZBOT.BYZ imports many external APIs. To a heuristic scanner, this changes the appearance of the file and lowers the possibility of detection.


    In addition, TSPY_ZBOT.BYZ is compressed somewhat differently from other ZeuS 2.0 variants. While no differences are easily seen by the human eye, the calculable entropy of these samples is quite different. Encrypted and packed malware samples that are related have similar entropy values, which is something that can be used in analysis and heuristic detections.
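    The entropy comparison described above can be reproduced with a short script. The following is an added example written for this page, not Trend Micro's tooling: it computes Shannon entropy over a whole sample and over fixed-size windows, flags windows that look packed or encrypted, and measures how close two samples' entropy values are, which is the "related samples have similar entropy" heuristic. The inputs are constructed stand-ins (repeated plain code text followed by pseudo-random bytes), and the 7.0-bit cut-off is a common rule of thumb, not a figure from the post.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def window_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy of each consecutive window; packed or encrypted regions stand out near 8.0."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


PACKED_THRESHOLD = 7.0  # rule-of-thumb cut-off (assumption of this example), not a Trend Micro figure


def packed_fraction(data: bytes, window: int = 1024) -> float:
    """Share of windows whose entropy suggests compression or encryption."""
    windows = window_entropy(data, window)
    if not windows:
        return 0.0
    return sum(1 for e in windows if e >= PACKED_THRESHOLD) / len(windows)


def entropy_distance(a: bytes, b: bytes) -> float:
    """Absolute difference of whole-sample entropy; a small value hints at a shared packer."""
    return abs(shannon_entropy(a) - shannon_entropy(b))


# --- constructed samples (stand-ins for packed binaries, not real ZBOT files) ---
def constructed_sample(seed: int, plain_len: int = 4096, packed_len: int = 4096) -> bytes:
    plain = (b"push ebp; mov ebp, esp; call GetProcAddress; ret\n" * 200)[:plain_len]
    rng = random.Random(seed)  # seeded so the results are reproducible
    packed = bytes(rng.getrandbits(8) for _ in range(packed_len))
    return plain + packed


SAMPLE_A = constructed_sample(1)
SAMPLE_B = constructed_sample(2)                     # "related": same layout, different packed bytes
SAMPLE_PLAIN = constructed_sample(3, packed_len=0)   # unpacked: plain code only

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("plain", SAMPLE_PLAIN)):
        print(f"{label}: entropy={shannon_entropy(sample):.2f} "
              f"packed_fraction={packed_fraction(sample):.2f}")
    print(f"A vs B distance: {entropy_distance(SAMPLE_A, SAMPLE_B):.3f}")
    print(f"A vs plain distance: {entropy_distance(SAMPLE_A, SAMPLE_PLAIN):.3f}")
```

    Whole-file entropy alone can be fooled by a sample that pads itself with low-entropy data, which is why the windowed view is kept alongside it: the packed half of each constructed sample shows up as a run of high-entropy windows even though the whole-file figure is diluted by the plain half.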

    TSPY_ZBOT.BYZ is also designed to make analysis in sandboxed environments more difficult. Its dropped copy in the %Application Data% folder will have updated information about its “correct” location. If this particular copy is executed in a different folder, it will simply terminate.

    Another routine especially worth noting is that TSPY_ZBOT.BYZ conducts an integrity check by searching for the string “DAVE” in its configuration file before performing its malicious routines. We are currently conducting further investigation on this routine and we will release an update as soon as information becomes available.

    Update as of October 13, 2010, 6:00 PM (UTC – 7)

    Clarification has been made with regard to the malware’s behavior in sandboxed systems.

    Update as of October 14, 2010, 2:00 AM (UTC – 7)

    Some of the domains used in these ZeuS attacks are now live and spreading new ZeuS variants. These variants show behavior similar to the original TSPY_ZBOT.BYZ sample and are being proactively detected as TSPY_ZBOT.SMEQ. The active domains are also being blocked.

    These new variants show the impact of TSPY_ZBOT.BYZ being able to avoid heuristic detection. Determining the relationship between TSPY_ZBOT.BYZ and the new variants would become harder; correspondingly the new variants would be more difficult to detect. However, our smart patterns are able to deal with this and detect these new variants accordingly.

    To properly guard against this threat, conventional antivirus is not sufficient. Both improved detection techniques and proactive blocking of the websites, working together, can protect users.


    In the past week, TrendLabs noticed a significant growth in the number of file infectors in the wild, particularly in Latin America. A significant increase in PE_SALITY.BA cases was spotted in the region in particular. A rise in VIRUX variants, particularly PE_VIRUX.R, was also spotted at around the same time.

    File infectors are not a new threat nor do they have the notoriety of much-talked-about threats like ZBOT, KOOBFACE, and FAKEAV. However, this does not make them any less of a problem, particularly for enterprise users. In addition, these attacks are growing in sophistication as well.

    According to TrendLabs’ Escalation Team, previous SALITY file infectors such as PE_SALITY.SA used simpler encryption techniques. In particular, they used only one layer of encryption, which made analysis simpler: sections of the file containing only zeroes were plainly visible, as shown in Figure 1.

    [Figure 1]

    However, PE_SALITY.BA has increased the complexity of its encryption routine. Analysis thus became more complicated than before. The results can be seen in the code sample shown in Figure 2.

    [Figure 2]

    It should also be noted that PE_SALITY.BA, like previous SALITY variants, goes beyond merely infecting files. Not only does it disable antivirus services, it also turns off the alerts that Windows normally displays when no security software is running on the system. It also spreads via removable drives, like a worm. Taken together, these make PE_SALITY.BA just as destructive as, if not more so than, many better-known malware threats.

    As for PE_VIRUX.R, the most noteworthy change in its behavior is the fact that it now adds a null last section to the files it infects as shown in Figure 3.

    [Figure 3]

    While this does not affect the file infector’s behavior, it does complicate the routines security companies use to clean infected files.
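    As an added example (not Trend Micro's cleaning routine), the script below parses the PE section table with only the Python standard library and flags the two section-level tells described in this post: a section whose raw data is entirely zero (the single-layer case of Figure 1), and a trailing section header with no name and no size, which is how this example interprets the "null last section" of Figure 3. The build_pe helper constructs minimal, non-executable PE images inline purely as test input; it is an assumption of this example and writes a zero-filled optional header rather than a real one.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER (20 bytes), follows the "PE\0\0" signature


def parse_sections(pe: bytes) -> list:
    """Walk the PE headers and return one dict per section, including its raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _machine, n_sections, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from(
        COFF_FMT, pe, coff_off)
    table_off = coff_off + 20 + opt_size   # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            SECTION_FMT, pe, table_off + i * 40)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars,
            "raw": pe[raw_ptr:raw_ptr + raw_size],
        })
    return sections


def triage(pe: bytes) -> list:
    """Report the section-level tells discussed in the post (the readings are this example's)."""
    findings = []
    sections = parse_sections(pe)
    for s in sections:
        # A section that is nothing but zeroes: with a single encryption layer the
        # unused space shows through, which is the PE_SALITY.SA-style case.
        if s["raw_size"] and not any(s["raw"]):
            findings.append(f"{s['name']}: raw data is entirely zero")
    if sections:
        last = sections[-1]
        # Assumed reading of "null last section": a trailing header with no name and no size.
        if last["raw_size"] == 0 and last["virtual_size"] == 0 and not last["name"]:
            findings.append("trailing null section header (VIRUX-style marker)")
    return findings


def build_pe(sections: list) -> bytes:
    """Construct a minimal, non-executable PE image for testing (constructed data, not a real binary)."""
    e_lfanew, opt_size = 0x40, 0xE0   # 0xE0 = PE32 optional header size; contents left zero here
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\x00\x00" + struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    header_len = len(dos) + len(coff) + opt_size + 40 * len(sections)
    first_raw = (header_len + 0x1FF) & ~0x1FF   # raw data starts at the next 512-byte boundary
    raw_ptr, table, body = first_raw, b"", b""
    for i, (name, data) in enumerate(sections):
        size = len(data)
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\x00"), size, 0x1000 * (i + 1),
                             size, raw_ptr if size else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += size
    image = dos + coff + b"\x00" * opt_size + table
    return image.ljust(first_raw, b"\x00") + body


# Constructed samples standing in for the infected files in Figures 1 to 3.
SALITY_LIKE = build_pe([(b".text", b"\x00" * 512), (b".data", bytes(range(256)))])
VIRUX_LIKE = build_pe([(b".text", b"\x55\x8b\xec" * 100), (b"", b"")])
CLEAN_LIKE = build_pe([(b".text", b"\x55\x8b\xec" * 100)])

if __name__ == "__main__":
    for label, sample in (("sality-like", SALITY_LIKE), ("virux-like", VIRUX_LIKE), ("clean", CLEAN_LIKE)):
        print(label, [s["name"] for s in parse_sections(sample)], triage(sample) or "no findings")
```

    Either finding on its own is only a hint; a linker can legitimately emit an all-zero section, and a cleaner that simply drops a trailing empty header must still fix NumberOfSections and SizeOfImage afterwards, which is the kind of complication the post refers to.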

    The routines seen in PE_SALITY.BA and PE_VIRUX.R highlight the fact that all malware threats are growing in sophistication, not just more well-known threats like KOOBFACE and FAKEAV. Enterprise users should be particularly on guard, as file infectors tend to hit large companies disproportionately.

    Trend Micro™ Smart Protection Network™ protects users from file infectors by detecting and preventing the download and execution of malicious files (e.g., PE_SALITY.BA and PE_VIRUX.R) on systems.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice