
    Author Archive - Gelo Abendan (Technical Communications)




    Smartphones, once perceived as a luxury, have become a must-have among users. But not all is glitter in the world of mobile device technology. With their growing popularity come certain issues, including battery life and the presence of power-hungry mobile adware.

    Even as devices offer impressive resolutions and more advanced features, users are more concerned with their devices’ battery life. Though manufacturers are poised to offer devices with longer battery life, trends such as 4G/LTE potentially offset those enhancements.

    Using certain apps, and the ads they display, were also found to be power-hungry activities. In particular, ads displayed on mobile devices were found to consume 65-75 percent of the energy used by free apps, according to a Purdue University and Microsoft study.

    In August, we saw an increase of adware in Android applications. While these apps can have malicious routines such as collecting users’ personal information, they also pose risks to battery life.

    To know more about these trends in mobile devices and the increasing risks of mobile adware, read our first Mobile Monthly Review, “The Growing Problems of Mobile Adware.”

    More information on mobile threats and best practices can be found in Trend Micro’s Mobile Threat Information Hub.

     
    Posted in Malware, Mobile | Comments Off



    The more things change, the more they stay the same. Cybercriminals are still using various news events as bait to get users to read their emails and install malware. Proof: we received email samples that used Ramadan and an upcoming conference as lures to get users to download and execute the malicious attachments.

    Ramadan-Themed Messages Carry Malicious Files

    With the recent observance of Eid ul-Fitr marking the end of the Muslim holy month of Ramadan, certain attackers crafted Ramadan-themed messages to take advantage of the event. We found two email variants that contain .XLS attachments verified to be malicious (detected by Trend Micro as TROJ_MDROP.AIG).

    The sender address contains the word “Uyghur” and is likely spoofed by the perpetrators to make the message appear to come from the World Uyghur conference. The malware associated with this email is under analysis.


     
    Posted in Malware, Spam | Comments Off



    We were alerted to reports of an exploit targeting CVE-2012-1535, a vulnerability in Adobe Flash Player, to drop a backdoor onto the vulnerable system.

    The exploit masquerades as a .DOC file (detected as TROJ_MDROP.EVL) that possibly arrives as an attachment to email messages. Users who are tricked into opening the file actually execute the exploit. Once the exploit succeeds, it drops the files %User Profile%\Application Data\taskman.dll and %User Profile%\Local Settings\~WORDL.tmp, both detected by Trend Micro as BKDR_BRIBA.EVL. The backdoor attempts to connect to http://publicnews.{BLOCKED}o.com/logo.gif, possibly to download another file. However, this URL is inaccessible as of this writing.

    Affected Adobe Flash Player versions include 11.3.300.270 and earlier for Windows, Mac, and Linux. Android users need not worry, as they are not affected by this vulnerability.

    Trend Micro Smart Protection Network™ detects and deletes all malware related to this attack. It also prevents connections made to related URLs accessed by both malware. Deep Security users are protected via the following rules:

    • 1004114 – Identified Malicious Adobe SWF File
    • 1004647 – Restrict Microsoft Office File With Embedded SWF

    Whenever possible, immediately apply the latest security update released by Adobe. Users should also refrain from opening email messages and downloading attachments that come from unknown sources.

    Update as of August 17, 2012 6:36 AM PST

    Additional Deep Security rules have been issued for customers. Apply the following rules to protect your network against this exploit:

    • 1005154 – Adobe Flash Player Remote Code Execution Vulnerability
    • 1005155 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)
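    The rule “Restrict Microsoft Office File With Embedded SWF” above is the generic countermeasure for this delivery vector. As an added example, not code from the original post or from Trend Micro, here is a byte-level check of the same idea in Python: scan a legacy OLE2 .DOC for an SWF header (FWS/CWS/ZWS plus version and declared length). It assumes the SWF is stored as-is inside the container; the version bound and the sample bytes are constructed.

```python
import struct

# An OLE2 compound-file header marks a legacy .doc/.xls/.ppt container.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# SWF headers: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_embedded_swf(data: bytes):
    """Return (offset, kind, version, declared_len) for every plausible SWF header
    in `data`. The 8-byte header is magic(3) + version(1) + little-endian
    uncompressed length(4); both fields are sanity-checked so the three letters
    appearing in ordinary text do not count as a hit."""
    hits = []
    for magic in SWF_MAGICS:
        idx = data.find(magic)
        while idx != -1:
            header = data[idx:idx + 8]
            if len(header) == 8:
                version = header[3]
                declared_len = struct.unpack("<I", header[4:8])[0]
                # Version 0 never shipped; 40 is an assumed generous upper bound.
                # A real SWF is never shorter than its own 8-byte header.
                if 1 <= version <= 40 and declared_len >= 8:
                    hits.append((idx, magic.decode(), version, declared_len))
            idx = data.find(magic, idx + 1)
    return hits


def is_office_doc_with_swf(data: bytes) -> bool:
    """True when `data` is an OLE2 container carrying at least one SWF header."""
    return data.startswith(OLE2_MAGIC) and bool(find_embedded_swf(data))


# Constructed sample: OLE2 header, 24 bytes of padding, then a zlib-compressed
# SWF header (version 11, 4096 bytes declared) followed by a zlib stream start.
SAMPLE_DOC_WITH_SWF = (
    OLE2_MAGIC + b"\x00" * 24
    + b"CWS\x0b" + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 16
)
# Constructed sample: the same kind of container with no embedded SWF.
SAMPLE_CLEAN_DOC = OLE2_MAGIC + b"\x00" * 48

if __name__ == "__main__":
    for name, blob in (("with_swf", SAMPLE_DOC_WITH_SWF), ("clean", SAMPLE_CLEAN_DOC)):
        print(name, is_office_doc_with_swf(blob), find_embedded_swf(blob))
```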



     
    Posted in Exploits, Malware, Vulnerabilities | Comments Off



    The death of Beastie Boys’ Adam Yauch (also known by his moniker MCA) has resonated among hip hop fans these past days. Sadly, we have seen a particular attack that targets specific recipients and uses this news item as a social engineering lure.

    We found an email sample that leverages Yauch’s death to entice users to download and open the malicious attachment. The message appears to be a news item from a non-profit organization about the late musician’s passing. It also contains a .DOC file attachment that supposedly holds the complete story. Users who download and open the .DOC attachment actually execute malware detected by Trend Micro as TROJ_DROPPR.JET. This Trojan drops another malicious file, detected as TROJ_SWYSYN.SME, which connects to possibly malicious URLs.

    Celebrity news items, whether factual or not, have been a staple bait in cybercriminal attacks. The attack using Adam Yauch’s death is just one of several web threats that took advantage of the deaths of famous music icons. Similar threats include the string of clickjacking attacks that used the demise of Whitney Houston, Amy Winehouse, and even Lady Gaga’s supposed death.

    Trend Micro users need not worry, as they are protected by the Smart Protection Network™, which detects and deletes the related malware and blocks spam with malicious attachments through its file and email reputation technology. To learn more about how attackers take advantage of noteworthy news items, e.g. celebrity gossip and news, and other social engineering tricks, you may read our comprehensive e-guide “How Social Engineering Works”.

     



    A federal judge approved the U.S. Government’s request to continue running clean DNS servers for DNSChanger-infected victims for another 120 days. The U.S. Government was initially granted a request to permit a private company to replace the rogue DNS servers with normal DNS servers. That earlier decision also stated that the replacement servers must halt operation by March 8, 2012. With this new decision, the servers have 4 more months to operate. The extension is intended to give affected entities more time to clean their computers. This development came days after an Estonian county court approved the extradition of four more individuals involved in the Esthost operations, a subsidiary of the company Rove Digital. All six suspects who were arrested in November last year can now be extradited to the U.S. upon approval of the Estonian government.

    The Esthost takedown last year was considered a triumph for the online security industry. Dubbed “Operation Ghost Click”, this collaboration among the FBI, NASA, the Estonian Police, Trend Micro, and other industry partners resulted in the halting of almost 4,000,000 bots. The DNS Changer botnet was estimated to have affected millions of users and businesses. For more information on the Esthost takedown, the “largest cybercriminal takedown in history”, please refer to our previous blog posts:

    Extension Means More Recovery Period for Affected Users

    This extension was granted in light of new information showing that the March 8 deadline was insufficient for affected parties. A report released last month indicates that 3 million systems worldwide are still infected. The roster of victims also includes 50 percent of Fortune 500 companies and almost half of all US government agencies. The US government argued that terminating the replacement servers on the previously set date would only disrupt the operations of affected businesses, corporations, and individuals.

    Before the takeover, DNS Changer Trojans modified system settings to use DNS servers set up by malicious third parties. This modification hijacked victims’ search results, eventually leading them to malware-hosting sites, adware, and other threats. The malware also prevented users from visiting security sites that might have helped combat the infection. This means that DNS Changer victims were exposed to malware threats for a long time.

    Terminating the replacement servers now, while concerned parties are still struggling with the infection, would only cut users off from the Internet. Trend Micro senior threat researcher Feike Hacquebord believes that it may take some time to completely recover from the effects of DNSChanger: “Rove Digital has been spreading DNS Changer Trojans and other malware for many years. It is not an easy task to clean up the big mess caused by malware infection campaigns spanning more than 5 years.” But Hacquebord is hopeful that this reprieve can bring more positive results, as the “DNSChanger Working Group (DCWG) is working hard to help Internet service providers with informing victims and assisting them with computer clean-ups. We are hopeful that in the coming months, the number of infections will go down significantly.”

    The decision to extend the deadline underscores the scope of the Esthost/Rove Digital operation and the damage it created. In the meantime, users can check whether their systems are infected by validating their IP addresses at “eye check” sites. DCWG also provides helpful tips on how users can verify if they are affected by this botnet.
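    As an added example, not code from the original post or from DCWG, here is the local-side version of the check the “eye check” sites automate: read the resolvers the system is configured to use (from `ipconfig /all` output on Windows or resolv.conf on Mac/Linux) and flag any that fall inside a known-rogue netblock. The rogue ranges below are RFC 5737 documentation placeholders standing in for the published DNSChanger list, and the sample outputs are constructed.

```python
import ipaddress
import re

# Placeholder netblocks (RFC 5737 documentation space) standing in for the published
# list of rogue DNSChanger resolver ranges; constructed here, not the real list.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def extract_resolvers(text: str):
    """Pull configured IPv4 DNS servers out of resolv.conf text ('nameserver 1.2.3.4')
    or Windows 'ipconfig /all' output, where the 'DNS Servers' line may be followed by
    indented continuation lines holding only an address. IPv6 resolvers are ignored."""
    resolvers = []
    in_dns_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            in_dns_block = False
            match = IPV4_RE.search(stripped)
        elif stripped.startswith("DNS Servers"):
            in_dns_block = True
            match = IPV4_RE.search(stripped.split(":", 1)[-1])
        elif in_dns_block:
            match = IPV4_RE.fullmatch(stripped)
            in_dns_block = match is not None
        else:
            continue
        if match:
            try:
                resolvers.append(ipaddress.ip_address(match.group(1)))
            except ValueError:
                pass  # e.g. 999.1.1.1 matches the regex but is not a valid address
    return resolvers


def rogue_resolvers(text: str, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the configured resolvers that fall inside a rogue netblock."""
    return [ip for ip in extract_resolvers(text) if any(ip in net for net in rogue_ranges)]


# Constructed sample outputs; all addresses are documentation-space placeholders.
SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 192.0.2.10
                                       198.51.100.200
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV_CONF = "# constructed\nnameserver 10.0.0.1\nnameserver 198.51.100.7\n"
```

Feeding the real `ipconfig /all` or `/etc/resolv.conf` contents to `rogue_resolvers` returns the offending resolvers, and an empty list means the configured resolvers are outside the listed ranges.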

     
    Posted in Botnets, Malware | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice