TrendLabs Security Intelligence Blog

    Author Archive - Raimund Genes (Chief Technology Officer)

    As the year draws to a close it’s time for us to take a step back, absorb the lessons of 2012, and look at what 2013 and beyond will bring for users, the security industry, and even cybercriminals. Here are some of my predictions:

    The volume of malicious and high-risk Android apps will hit 1 million in 2013.

As Android grows, so does the threat of malicious and high-risk apps for its users. In 2013, we expect to detect one million malicious and high-risk Android apps, roughly a threefold increase from the 350,000 projected to be found by the end of 2012. Android may well be on its way to dominating the mobile space the way Windows dominated the desktop/laptop arena, but this very popularity lures in attackers and cybercriminals.

    This growth is likely to result in an arms race between attackers and Android security providers, similar to the one that occurred more than a decade ago in the Windows ecosystem. However, improved defenses will not decrease the platform’s appeal to criminals.

    Consumers will use multiple computing platforms and devices. Securing these will be complex and difficult.

The Windows-centric computing environment of the past has been replaced with a diverse, multi-screen environment thanks to tablets and smartphones. Each operating system brings its own usage model and interface, so securing each and every device a user owns becomes a real challenge.

    It’s quite possible that many users will simply give up and leave the defaults in place. However, the defaults may not be the most secure or private settings.



We know that threat actors take time to study the network environments of their prey. As employees go more and more mobile, the emergence of mobile malware in targeted attacks seems to be a logical progression. For the past few months, however, this notion has been all speculation, and we wondered not if, but when, it would happen.

    Today, we can say for sure: it has.

At DEFCON, we presented for the first time that file infector viruses could be written for Android, and we are now seeing the first tangible evidence that threat actors are expanding their target base: targeted attacks are moving onto mobile platforms. Specifically, we discovered two APKs in early stages of development while monitoring a Luckycat C&C server. You will recall the Luckycat report as one of the more comprehensive write-ups about a targeted attack operating inside enterprise networks.

The Android apps we found had RAT-like functionality. They can explore a device to seek out sensitive information and upload it to remote servers. They can also download files, which allows them to fetch a newer version of the malware.

    A remote shell is also listed among the commands the apps support, but the current APKs appear incomplete in this regard. In fact, overall, the apps look like they are still in the early stages of development.

    What do these findings mean?

For the BYOD phenomenon, the existence of these apps demonstrates even more vividly the risks of allowing smartphones and tablets to connect to the corporate network in an insecure manner. Mobile devices may be small, handy, and convenient, but they expose users to the same threats that used to be the sole domain of the desktop.

    When it comes to targeted attacks, this development suggests that threat actors are actively adapting to the specific network environment trends of their targets, in this case the influx of mobile devices in corporate networks. In the paper, we also touch on SABPUB, a Mac malware used in the Luckycat campaign; Mac OS X has long been considered an “alternative” OS that cybercriminals overlook in favor of Windows.

    Read about this important finding in Adding Android and Mac OS X Malware to the APT Toolbox, authored by our researchers Nart Villeneuve, Ben April, and Xingqi Ding.


Posted in Bad Sites, CTO Insights, Mobile, Targeted Attacks

We’ve recently had the honor of meeting up with our partners and customers in the industry and of sharing insights during our annual convention Direction 2010, held in Tokyo, Japan on July 7. For a panel discussion, I invited representatives from AV-Comparatives, AV-Test, and NSS Labs to Japan to discuss the need for new metrics and methodologies in testing security products against real-world threats. We all agreed that new tests are needed, tests that better reflect attacks on real customer environments.

    Figure 1. There is a need to reform security product testing methodologies in response to the nature of threats today.

Live-attack scenarios run against a security solution deployed the way it is meant to be deployed provide the best representation of how well a product performs. Testers should also be able to show that the harmful effects of malware can be blocked at several points prior to execution. For instance, different solutions are able to:

    1. Block malware from arriving at the endpoint (e.g., Web filtering; Web reputation services)
    2. Stop malware files from executing on the endpoint (e.g., signature-based scanning of files)
    3. Interrupt malware doing bad things upon execution (e.g., behavior monitoring)
    4. Prevent vulnerabilities from being exploited (e.g., blocking access to known vulnerabilities until they are patched)

For the longest time, traditional testing has only been measuring detection (#2). This simplistic approach penalizes innovative solution makers and discounts the value of blocking a threat early on or in mid-execution. Another aspect to consider is the speed with which new threats are addressed (given that we are now talking about one new threat every 1.5 seconds).

    The customer benefit in these new tests is that they can really see which product protects best against real threats. They don’t need to look at artificial “shootouts” against a million old malware samples being checked through a manual scan. And not only do the new tests show how effective a product is in blocking Web-based threats, they also show how fast the security vendor provides protection against a new threat: time to protect.

    As malware becomes more and more aggressive and as malware distribution switches from self-replication to spamming campaigns, this will become extremely important. Malware looks different now compared with five years ago, so the tests should be different as well.
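To make the argument concrete, here is a small scoring model for a layered, real-world protection test. It is an added example, not code from the original post or from any of the test labs named above: it records, for each live attack, which of the four blocking points above stopped it and how long the vendor took to protect, then computes the traditional file-detection rate (layer #2 only) next to the real-world protection rate and the time to protect. The two products ("SigHeavy" and "WebFirst") and all six test cases are constructed for illustration; the point they show is that a product that scores higher on detection alone can protect customers worse overall.

```python
"""Scoring model for a layered, real-world protection test (constructed example)."""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

# Blocking points in the order a live attack meets them (items 1-4 in the post).
LAYERS = ("arrival", "execution", "behavior", "vulnerability")


@dataclass(frozen=True)
class TestCase:
    sample: str
    # Per layer: True = the layer stops the attack if the attack reaches it.
    # Each layer is recorded independently so the old file-scan metric can be
    # computed too; the live result is the first True in LAYERS order.
    outcome: Dict[str, bool]
    # Hours from first in-the-wild sighting until the vendor shipped protection
    # that stops the sample at any layer; None means it was never protected.
    hours_to_protect: Optional[float]

    def first_block(self) -> Optional[str]:
        """Earliest layer that stopped the attack, or None if it ran to completion."""
        for layer in LAYERS:
            if self.outcome.get(layer, False):
                return layer
        return None


def traditional_detection_rate(cases: List[TestCase]) -> float:
    """Old-style metric: fraction of samples flagged by the file scanner (layer #2),
    ignoring whether the threat would have been stopped earlier or later."""
    return sum(c.outcome.get("execution", False) for c in cases) / len(cases)


def real_world_protection_rate(cases: List[TestCase]) -> float:
    """Fraction of live attacks stopped at any layer before they did harm."""
    return sum(c.first_block() is not None for c in cases) / len(cases)


def blocked_by_layer(cases: List[TestCase]) -> Dict[str, int]:
    """Attribute each attack to the layer that stopped it first ('missed' if none)."""
    counts = {layer: 0 for layer in LAYERS}
    counts["missed"] = 0
    for c in cases:
        counts[c.first_block() or "missed"] += 1
    return counts


def median_time_to_protect(cases: List[TestCase]) -> Optional[float]:
    """Median hours from first sighting to protection, over samples eventually protected."""
    times = [c.hours_to_protect for c in cases if c.hours_to_protect is not None]
    return median(times) if times else None


def scorecard(name: str, cases: List[TestCase]) -> Dict[str, object]:
    return {
        "product": name,
        "traditional_detection": round(traditional_detection_rate(cases), 3),
        "real_world_protection": round(real_world_protection_rate(cases), 3),
        "by_layer": blocked_by_layer(cases),
        "median_hours_to_protect": median_time_to_protect(cases),
    }


def _case(sample, arrival, execution, behavior, vulnerability, hours):
    return TestCase(sample, {"arrival": arrival, "execution": execution,
                             "behavior": behavior, "vulnerability": vulnerability}, hours)


# Constructed results for two hypothetical products against the same six live attacks.
# SigHeavy relies on file signatures; WebFirst blocks most malicious URLs on arrival
# and shields a known vulnerability, but its file detection is weaker.
SIG_HEAVY = [
    _case("dropper-1", False, True, False, False, 6.0),
    _case("dropper-2", False, True, False, False, 12.0),
    _case("packed-3", False, True, False, False, 24.0),
    _case("exploit-4", False, False, False, False, None),
    _case("dropper-5", False, True, False, False, 2.0),
    _case("zero-day-6", False, False, False, False, None),
]
WEB_FIRST = [
    _case("dropper-1", True, False, False, False, 0.5),
    _case("dropper-2", True, True, False, False, 0.5),
    _case("packed-3", False, False, True, False, 1.0),
    _case("exploit-4", False, False, False, True, 0.0),
    _case("dropper-5", True, True, False, False, 1.0),
    _case("zero-day-6", False, False, False, False, None),
]

if __name__ == "__main__":
    for name, cases in (("SigHeavy", SIG_HEAVY), ("WebFirst", WEB_FIRST)):
        print(scorecard(name, cases))
```

Run as a script, the model ranks SigHeavy first on traditional detection (4 of 6 samples flagged versus 2 of 6) but WebFirst first on real-world protection (5 of 6 attacks stopped versus 4 of 6), with a median time to protect of half an hour against nine hours. The per-layer attribution is what a reformed test report should publish alongside the headline rate, since it shows where in the chain each product earns its protection.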

    I’m really happy to see the test labs move toward this direction in order to provide more meaningful tests.

Posted in Bad Sites, CTO Insights


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice