    Author Archive - Paul Ferguson (Senior Threat Researcher)

    Yet another zero-day vulnerability recently reared its ugly head in the threat landscape. Discovered by Marco Giuliani at Prevx, the proof of concept (POC) shows that a vulnerable application programming interface (API) in Windows can be manipulated by changing its input to cause an overflow in the kernel that will allow arbitrary code to run in kernel mode. As proven in our internal testing, the POC described by the author is capable of elevating system privileges without the user’s knowledge even in more recent Windows OS versions that utilize user account control (UAC).


    The timing of the POC’s release is particularly crucial, considering the upcoming Thanksgiving holidays. With users spending more time online in search of discounts and Black Friday deals, it may become easier for cybercriminals to spread malware exploiting the zero-day vulnerability. Users are thus advised to exercise caution when conducting their usual online activities.

    Analysis and screenshot provided by threat analyst Edgardo Diaz, Jr.


    Sometimes, not cleaning up your own backyard and responding to abusive requests can be costly when an ISP ends up on the Spamhaus Block List (SBL), as one particular Latvian hoster, Microlines.LV, recently discovered.

    Chris Williams explains the situation today in The Register.

    The Spamhaus SBL generally lists blocks of IP addresses that exhibit long-term instances of hosting malware, exploit kits, distributed denial-of-service (DDoS) command-and-control (C&C) servers, spam, and others where the responsible ISP ignores and dismisses complaints about the abusive nature of the malicious content.

    In essence, getting listed by Spamhaus can have a serious impact on any legitimate customer that a targeted ISP may have since Spamhaus block lists are extensively used by other organizations around the world to deny traffic to or from the listed IP addresses.

    After reading about how this saga unfolded today, I decided to look a bit further into our own domain reputation system (DRS) to see if I could validate whether we had also identified malicious content associated with any IP addresses that were allocated to Microlines.LV.

    What we saw is a smaller concentrated block of IP addresses with Microlines.LV, an entire allocation that has exhibited long-term hosting of rogue antivirus, various exploit kits, ZeuS and Gozi Trojans, and an array of other badness.

    Not only that, it appears that the bad guys operating out of Eastern Europe are now also using portions of LATNET’s (the upstream ISP of Microlines.LV) IP address space to host additional malware.

    Our research confirms what Spamhaus has made public in its SBL listings. We have seen long-term, large-scale criminal activity associated with Microlines.LV as well as a hodgepodge of hosts in LATNET itself.

    Apparently, cybercriminals in Eastern Europe are using other Eastern European ISPs and data centers to host their criminal enterprises. This is not a new phenomenon, as this has been happening in various places (including hosting providers in the United States, the United Kingdom, the Netherlands, Germany, and elsewhere) around the world.

    But sometimes, the bad guys can’t simply “blend into the noise” and hide in the shadow of another ISP, they have to have the light shine brightly to expose the darkness.

    Trend Micro’s customers are protected from these threats by the Trend Micro™ Smart Protection Network™ since the network security and domain intelligence that we use in our research directly goes toward protecting our customers.


    I hate to single out individual countries, organizations, ISPs, or any other entity but I have to tell you—my head almost explodes when I run into barriers in trying to contact the responsible organization where I see criminal activity.

    Now sure, I see criminal activity in a lot of places, granted. It is almost endemic in Eastern Europe and in other hosting facilities where Eastern European criminals manage to dupe (or simply buy) services from under the guise of being legitimate consumers.

    That’s why I am writing this now.

    I am very disappointed in the results of my efforts earlier this evening to try to contact the responsible ISP and domain contacts listed in WHOIS about a recently discovered KOOBFACE/LDPinch credential drop site located within their facilities.

    First, the address contact listed in the IP allocation WHOIS bounced as “address unknown.”

    Then the contact address listed for the domain seems to have simply black holed.

    And after asking personal contacts for assistance, even more emails were rejected.

    This is not only frustrating, it is infuriating.

    And it is fundamentally wrong and contributes to the ability of Eastern European criminals (in this particular case) to enjoy the protection that these failures provide.

    This is not a new phenomenon—recall the control of Abdallah Internet by components of the Russian Business Network detailed in a report by the Shadowserver Foundation in 2008.

    And there are still remnants of Russkrainian criminal operations in Turkish ISPs—this is a validated fact for which we have multitudes of evidence.

    In any event, it would be nice if we could actually get the attention of someone in Turkey to assist us in mitigating these threats.

    As it stands today, Turkey seems to be a black hole where no one seems to be able to be contacted about criminal abuse issues and I’m sure the Eastern European criminals like it that way.

    And that’s a shame.


    I was prompted into crafting this post by a Scientific American blog post which stated that many experts in various scientific studies are sometimes “blinded” by — in fact — their focused studies of a particular subject, missing some of the finer aspects of the larger picture, so to speak.

    This reminds me of the many efforts over the course of the past five or so years to connect-the-dots on Eastern European cyber crime — something on which I have spent a great deal of time and effort, with reasonable success — Trend Micro customers get protected as a direct byproduct of this research.

    Of course, this leads me to the reason for this post — there are certainly “gray areas” of cyber crime that we have yet to identify. It’s an ongoing research project, so to speak, and realistically it is a never-ending quest.

    This is where I provide kudos to Dmitry Samosseiko of Sophos, for the excellent paper he presented at Virus Bulletin 2009 in Geneva, entitled “The PARTNERKA – What Is It and Why Should You Care?” [.pdf]

    We’ve also been closely following these “partnerka” relationships, or affiliate programs, for several years — including “installs for cash” or “pay-per-install” programs that Dancho Danchev has written about on many occasions, and several other “business network” relationships between several entities in Russia, The Ukraine, Estonia, and elsewhere in Eastern Europe.

    The bottom line here is that there are very organized, sophisticated, and professional criminal organizations operating out of Eastern Europe, and Trend Micro researchers are very much engaged on this front.

    It is a very shadowy, nefarious cyber crime landscape of fraud & theft, and is not always as it appears on the surface — it requires much digging, verifying, connecting-the-dots, and other research that requires many hours, days, and even months of work. There is much that we still don’t know, and that holds true for everyone trying to expose these criminal enterprises.

    But we’re on it.

    My threat research group does “Threat Intelligence X” and “Threat Intelligence Y”, where “X” is the operational threats that exist now, and 15 minutes from now. Threat Intelligence “Y” is what we can expect to see in 6 months, a year, two years, etc., on the threat landscape.

    And all of the threat landscape that exists now (and 15 minutes from now) gets represented in the Trend Micro Smart Protection Network, which provides our customers protection against threats from three threat vectors — e-mail, web, and malicious files themselves.

    I’m very proud of our efforts here.

    Paul Ferguson
    Threat Research



    Albert Gonzales

    Albert Gonzales may be taking the majority of the heat (and rightly so), and the full force of U.S. Law Enforcement prosecution, but he is only the tip of the proverbial iceberg.

    There is an entire Eastern European organized criminal operation that is further along in this food chain.

    In case you haven’t heard, Gonzales and his co-conspirators are responsible for hacking into TJX, Heartland Payment Systems, Dave & Buster’s, and other retailers and payment processors, to steal credit & debit card account numbers.

    As Kim Zetter reports on the Wired “Threat Level” Blog, there are multiple Eastern European connections to known organized criminal operations in Russia, The Ukraine, and Latvia (and elsewhere), some of which Trend Micro threat researchers have been tracking for several years now.

    Besides these direct hacks of businesses and credit card processors, we have seen a very robust growth in malware which directly targets banking institutions, banking login credentials, malware that piggy-backs banking sessions, etc., ad nauseam, in an effort to steal money. Period.

    In fact, the largest growth of malware that we have seen in 2009 has virtually all been geared towards stealing credentials of one sort or another.

    This is organized cyber crime at its most base form, and it is actually getting worse.

    There is a rather long and twisted history here — especially involving Gonzales and other individuals involved in similar crimes, but the really interesting connections lead back to Eastern Europe, especially Russia and The Ukraine.

    While I’m not trying to make this incident any more shocking than it already is, the real issues are not being discussed in the mainstream media — luckily, Wired has dug into the background of these issues a bit, and so has Brian Krebs at The Washington Post.

    Make no mistake, these issues are very complicated — all “good” criminals make sure that they are hard to track. But not all tracks are invisible.

    Trend Micro researchers, including myself, have been tracking this specific criminal activity in Eastern Europe for several years now, and we intend to first, protect our customers, and secondly, try to work with law enforcement and others to identify the criminals.

    Trend Micro researchers are hard on the trails of these malicious activities, and when we identify sites that are designed to victimize you, we ensure that they get blocked by the Trend Smart Protection Network.

    Make sure you are protected.

    Trend Micro researchers not only ensure that our customers are protected, but we also actively work with International Law Enforcement to identify the criminal actors behind these crimes.

    Don’t be victimized.

    “Fergie” a.k.a Paul Ferguson, Threat Research



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice