    Author Archive - Romeo Dela Cruz (Threat Response Engineer)




    Last March, I blogged about Andromeda, a well-known botnet that surfaced in 2011 and is making a comeback this year. Just months after that report, we are still seeing notable activity from the botnet, in particular a sudden surge of GAMARUE variants last week. Andromeda is a spam botnet that delivers GAMARUE variants, which are known backdoors and have a noteworthy way of propagating via removable drives.

    We have been tracking GAMARUE infections for the past weeks and observed some noteworthy activity. Over the past 30 days, we noticed a sudden spike of its variants on May 17. In particular, there was an 82% increase from May 16 to May 17 and another 32% increase on May 18. A significant share of these detections, 63%, were WORM_GAMARUE variants.


    Figure 1. GAMARUE detection for the past 30 days (April 20 – May 31)

    In my initial blog entry, I reported that the bulk of infections came from Australia. Last year, Germany was also one of the most GAMARUE-affected countries. However, just months after my first post, we are seeing a trend in which the majority of WORM_GAMARUE variants are affecting India, Turkey, and Mexico.


    Figure 2. Top countries affected by WORM_GAMARUE

    Currently, we cannot readily determine why GAMARUE variants increased on those dates. If anything, this trend shows that the botnet is still active and continues to pose risks to users.

    Andromeda Botnet: Old Threat Repackaged

    In our 2013 1Q Security Roundup, we concluded that cybercrime during that quarter was characterized by old threats made new. The Andromeda spam botnet is a good example of this trend, this time with the aid of the Blackhole Exploit Kit (BHEK) and some neat new tricks.

    This threat arrives as a spammed message containing a malicious attachment (GAMARUE variants) or links leading to certain sites, which now include those compromised by the notorious Blackhole Exploit Kit. GAMARUE variants are known to propagate via removable drives. They also drop component files instead of copies of themselves to make detection difficult. Taking a cue from threats like DUQU and KULUOZ, GAMARUE variants also use certain APIs to inject themselves into normal processes to evade detection.

    Propagation techniques aside, GAMARUE variants have backdoor capabilities, since they communicate with certain C&C servers to send and receive commands. This communication, in effect, gives a remote malicious user control over the infected system. Some of the commands the malware can execute include downloading other malware onto the system, most notably information-stealing threats like ZeuS/ZBOT variants.

    Because some Andromeda-related spam messages eerily resemble legitimate email notifications from commercial services (flight, hotel, courier services, etc.), the usual criteria for spotting spam are not sufficient. As an alternative, verify independently whether the email you've received is legitimate. Since BHEK is known to exploit vulnerabilities in software like Java, you must always update your system with the latest security patches or reconsider your use of Java. For better protection, install antimalware software like Trend Micro's, which protects your system from spam, malicious URLs, and malware.
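    One mechanical check that goes beyond the usual spam criteria is to compare what a link in the message claims to point at with where it actually goes. The following is an added example (not Trend Micro's code or a tool from the post): it parses an HTML message body with Python's standard library and flags anchors whose visible text names one host while the href targets another. The message body, the hostnames and the IP address in it are constructed for illustration.

```python
"""Flag anchors in an HTML email whose visible text names one host while
the href points somewhere else. Added example, not code from the post;
SAMPLE_BODY is a constructed booking-confirmation lure."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML fragment; hosts and the IP address are made up.
SAMPLE_BODY = """
<p>Your booking is confirmed. View the itinerary at
<a href="http://198.51.100.23/track.php?id=4411">https://www.example-airline.com/itinerary</a></p>
<p>Questions? Visit <a href="https://www.example-airline.com/help">www.example-airline.com/help</a></p>
<p><a href="http://short.example/xyz">click here</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase host of a URL or of a bare 'host/path' string, or None."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def claimed_host(text):
    """Host the anchor text claims, if the text looks like a URL or domain.
    Plain words ('click here') or version-like tokens ('v1.2') claim nothing."""
    if " " in text or "." not in text:
        return None
    host = host_of(text)
    if host is None or not host.rsplit(".", 1)[-1].isalpha():
        return None
    return host


def find_link_mismatches(html_body):
    """Return (href, visible_text) pairs where the visible text names a host
    different from the one the href actually targets."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    mismatches = []
    for href, text in parser.anchors:
        shown = claimed_host(text)
        if shown is None:
            continue
        if host_of(href) != shown:
            mismatches.append((href, text))
    return mismatches


if __name__ == "__main__":
    for href, text in find_link_mismatches(SAMPLE_BODY):
        print(f"visible text claims {claimed_host(text)!r} but href goes to {host_of(href)!r}: {href}")
```

    The check deliberately ignores anchors whose text makes no host claim, because "click here" links are not themselves evidence of spoofing; it is the contradiction between the displayed domain and the real destination that is the signal. Messages that pass this check still need the other verification the post recommends, since a lure can also use a plausible-looking domain the attacker controls.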


    Posted in Botnets, Malware



    The Andromeda botnet, first spotted in late 2011, has recently resurfaced. This threat arrives via a familiar means: spammed messages with malicious attachments or links to compromised websites hosting Blackhole Exploit Kit (BHEK) code. Here is one spam message we saw recently:


    Figure 1. Sample spammed message

    Andromeda itself is highly modular, and can incorporate various modules, such as:

    • Keyloggers
    • Form grabbers
    • SOCKS4 proxy module
    • Rootkits

    As is typical of backdoors, it can download and execute other files like ZeuS, as well as update and remove itself if needed. Variants of the Andromeda malware can typically be bought online for 300-500 US dollars; however, each of the plugins mentioned above costs an extra sum. The most recent version number we have identified is 2.60. Based on our Smart Protection Network feedback below, the top countries affected by this threat are Australia, Turkey, and Germany:


    Figure 2. Andromeda infection count from January to February 25, 2013


    Posted in Botnets, Malware



    In our 2013 Security Predictions, we predicted that conventional malware would focus mainly on refining tools instead of creating new threats. A perfect example of this prediction is how the Blackhole Exploit Kit continuously attempts to circumvent the security industry's efforts. True enough, we recently received reports of a Blackhole Exploit Kit (BHEK) run that incorporated an exploit (detected by Trend Micro as JAVA_ARCAL.A) targeting the recently patched CVE-2013-0431.

    As users may recall, this vulnerability was part of the Java zero-day ruckus last January. That slew of critical incidents led Oracle to release an out-of-band security update to quickly address the issue. However, this release raised some crucial questions.

    This particular BHEK run starts with spammed messages spoofing PayPal. When users click the item number indicated in these messages, they are led through several redirecting sites until they arrive at the page hosting the encrypted BHEK code. This code then checks the vulnerable system for the installed versions of Adobe Reader, Flash Player, and Java, which determines which exploit (and subsequent payload) is downloaded onto the system.


    Figure 1. Sample spoofed PayPal email message

    In our testing, the BHEK code found certain versions of Adobe Reader, which prompted it to download and execute a malicious .PDF file (detected as TROJ_PIDIEF.MEX) that exploits an older vulnerability, CVE-2010-0188.




    Expecting an online booking or package delivery confirmation? Just make sure to avoid these fake email messages serving BKDR_KULUOZ.PFG.

    This backdoor was first seen in the wild around April to June 2012 and is part of a well-known botnet. However, we have recently been noticing several spam variants carrying this malware, like the one below:


    Figure 1. Sample FedEx spammed message

    BKDR_KULUOZ arrives as an attachment (usually archived) in spammed messages. These email messages typically spoof well-known corporations. So far, the spam variants we've seen recently include fake email notifications from courier services like FedEx and UPS (postal-themed) and from airline companies. Like most malware arriving via email, BKDR_KULUOZ is disguised as an average office file, such as a .PDF (Adobe) or .DOC (Microsoft Word document) file, to appear legitimate.
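    An archived attachment whose members are named like documents can be checked before anyone opens it: a file called something.pdf whose first bytes are the MZ header of a Windows executable is not a document. The following is an added example (not Trend Micro's code or a tool from the post) that inspects a ZIP attachment in memory with Python's standard library and reports members whose name and content disagree, or whose final extension is executable. The archive and its member names are constructed for illustration.

```python
"""Inspect an archived email attachment for members whose name claims to be a
document but whose bytes are a Windows executable. Added example, not code
from the post; the archive below is constructed in memory."""
import io
import zipfile

DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".txt")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".dll")


def classify_member(name, head):
    """Return a reason string if a member looks suspicious, else None.
    `head` is the first few bytes of the member's content."""
    lower = name.lower()
    is_pe = head.startswith(b"MZ")          # DOS/PE executable header
    if is_pe and lower.endswith(DOCUMENT_EXTENSIONS):
        return "document extension but PE header"
    if lower.endswith(EXECUTABLE_EXTENSIONS):
        stem = lower.rsplit(".", 1)[0]
        if stem.endswith(DOCUMENT_EXTENSIONS):
            return "double extension hiding executable"
        return "executable inside email archive"
    if is_pe:
        return "PE header with unexpected extension"
    return None


def inspect_archive(data, max_members=50):
    """Return [(member_name, reason)] for suspicious members of a ZIP blob.
    Only the first `max_members` entries are read, and only their leading bytes,
    so a large or hostile archive cannot make the check expensive."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [("<attachment>", "not a ZIP archive")]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)
            reason = classify_member(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive():
    """Constructed sample: a PE disguised with a .pdf name, a real-looking PDF,
    and a PE with a document-style double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipment_Label.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Invoice.pdf", b"%PDF-1.4\n%constructed document body\n")
        zf.writestr("Booking_Confirmation.doc.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_archive(build_sample_archive()):
        print(f"{name}: {reason}")
```

    The content check matters more than the name check: a sender can choose any filename, but a PE file has to start with the MZ header to run, so a "document" that begins that way is misrepresenting itself. Password-protected or nested archives cannot be read this way and should be treated as unknown rather than clean.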

    Once the user downloads and executes the file, it drops and opens a .TXT file as a ploy to trick unsuspecting users into thinking that no harm is being done to the system.


    Figure 2. Screenshot of the dropped .TXT file

    It then creates an svchost.exe process and injects another PE file into it, a .DLL file with an export named "work". Malware typically injects its code into normal processes so that it is harder to terminate on the infected system. In addition, this backdoor executes its code using the following native APIs to slow down or hinder debugging:

    • ZwCreateSection
    • ZwReadVirtualMemory
    • ZwMapViewOfSection
    • ZwUnmapViewOfSection
    • ZwResumeThread

    This coding technique is also seen in threats like DUQU and Andromeda. The downloader malware also communicates with its command-and-control (C&C) server to send and receive information and commands. In turn, the infected system is susceptible to further attacks and is effectively under a remote user's control.
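    The native API names listed above are useful as a static triage signal: the combination of creating a section, mapping and unmapping a view of it and then resuming a thread is the section-based injection pattern the post describes, whereas any one of those calls on its own is common in legitimate code. The following is an added example (not Trend Micro's code or a detection from the post) that scans a file's bytes for those names, in both their Zw and Nt spellings and in ASCII or UTF-16LE encoding, and scores the combination. The byte blobs standing in for file contents are constructed for illustration.

```python
"""Static heuristic for the section-mapping injection API set named in the
post. Added example, not code from the post; SUSPICIOUS_BLOB and BENIGN_BLOB
are constructed stand-ins for file contents."""

# API names from the post. ntdll exports each as both Zw* and Nt*, and a
# sample may reference either spelling, so both are searched.
SECTION_INJECTION_APIS = (
    "ZwCreateSection",
    "ZwMapViewOfSection",
    "ZwUnmapViewOfSection",
    "ZwReadVirtualMemory",
    "ZwResumeThread",
)

# The three calls that together express "map my code into another process".
CORE_SET = {"ZwCreateSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection"}


def _name_variants(api):
    """Zw and Nt spellings of the same native API name."""
    return (api, "Nt" + api[2:])


def find_injection_apis(blob):
    """Return the subset of SECTION_INJECTION_APIS (reported in Zw spelling)
    whose name appears in the blob as an ASCII or UTF-16LE string."""
    found = set()
    for api in SECTION_INJECTION_APIS:
        for variant in _name_variants(api):
            if variant.encode("ascii") in blob or variant.encode("utf-16-le") in blob:
                found.add(api)
                break
    return found


def score_sample(blob):
    """Return (count_of_listed_apis_found, verdict).
    Full core set plus ZwResumeThread is the pattern described in the post;
    two of the three core calls is worth a closer look; less is noise."""
    found = find_injection_apis(blob)
    if CORE_SET <= found and "ZwResumeThread" in found:
        verdict = "likely section-mapping injection"
    elif len(CORE_SET & found) >= 2:
        verdict = "suspicious: partial section-mapping API set"
    else:
        verdict = "no injection pattern"
    return len(found), verdict


# Constructed blobs: one carrying the full API set as NUL-terminated ASCII
# strings, one with ordinary file APIs and a lone NtResumeThread.
SUSPICIOUS_BLOB = (
    b"\x00" * 16
    + b"ZwCreateSection\x00ZwMapViewOfSection\x00ZwUnmapViewOfSection\x00"
    + b"ZwReadVirtualMemory\x00ZwResumeThread\x00"
)
BENIGN_BLOB = b"MZ\x90\x00" + b"CreateFileW\x00ReadFile\x00NtResumeThread\x00"


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_BLOB), ("benign", BENIGN_BLOB)):
        count, verdict = score_sample(blob)
        print(f"{label}: {count} listed APIs found, {verdict}")
```

    This looks at plain strings, not at a parsed import table, so it only applies to a sample after any packer or string encryption has been removed; a sample that resolves these functions by hash will show none of the names. It is a triage filter to decide what deserves dynamic analysis, not a verdict on its own.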


    Posted in Botnets, Malware, Spam



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice