TrendLabs Security Intelligence Blog, July 2014

    Author Archive - Ryan Certeza (Technical Communications)




    Sporting events are getting more and more connected, and the just-concluded World Cup is no exception. Brazilian telecom provider Oi made sure that no expense was spared in ‘connecting’ the World Cup, and even claimed that this year’s event was the most connected in the history of the tournament.

    Oi claims that it provided connectivity to all twelve host stadiums across Brazil, with 32 terabytes of data generated by media, sponsors, volunteers and FIFA officials in just ten days. More than 152,000 unique devices (smartphones, tablets and laptops) connected to the public Wi-Fi networks installed in the host stadiums.

    Online users all over the world looked for news and updates about the World Cup, and in doing so made themselves targets for cybercriminals and their socially engineered threats. Public Wi-Fi networks may keep sports fans online, but an open or poorly secured network also lets anyone else on it intercept unencrypted traffic, and with it the personal information that traffic carries.

    World Cup-themed threats have popped up left and right, from phishing websites to spam to malicious mobile apps. One phishing scheme alone snared more than 3,000 users in 72 hours. Most of the victims came from well-connected countries such as the US (19%), Japan (14%), Germany (12%) and France (9%).

    Figure 1. Phishing website targeting World Cup fans

    Figure 2. Phishing site victim count

    This message lured users into handing over their login details with a fake US$200 prize, alongside a reference to a legitimate promo with a hefty cash prize. The promo itself was World Cup-themed, which may explain how the scheme collected so many victims in so little time.

    We’re not saying that sporting events becoming more connected is inherently a bad thing. However, being connected without being secure is inviting trouble. Telecom providers can help, but the ultimate responsibility for staying secure rests with users. They must protect themselves so that at the end of the event they’re left with fond memories and souvenirs, not malware infections, depleted bank accounts and compromised devices.

    To help drive this message home (that sports fans need to look after their own online security), we ran a survey on our Race to Security website to find out what kind of sports fans our visitors and readers mostly are. From there, we identified the most common type of fan among our readers and how they should secure themselves. We also included tips for everyone to heed, no matter what kind of fan they are. To see the results and more information about protecting yourself during sporting events, check our latest infographic, What The Race To Security Survey Says.

    Posted in Bad Sites, Malware, Mobile, Social



    Evolution is a continuous process, and nothing in our industry exemplifies it better than the threats we defend against. From simple pranks and nuisances, they have become thieves of information, violators of privacy, destroyers of reputations and even saboteurs of businesses, all for the sake of money. They have also become tools for activists and terrorists of the cyber variety, used to make strong statements against governments or organizations.

    But as threats evolve, so must the security solutions that defend against them, or be left in the dust. This is our ethos at Trend Micro: the protection we provide for our customers should not only improve with every version we release, but continuously evolve to become more powerful, more efficient and more resistant to cybercriminal attacks.

    Our latest infographic, Trend Micro Endpoint Security Technology Evolution: A Complete Approach to Security, illustrates this. Using the visualization of a tree taking root and sprouting branches from its trunk, we catalog the evolution of cybercrime alongside the technologies we developed to address each malicious development.

    Take malware, for example, one of the main tools of cybercrime. From its primal state as a prank program to its current role as a money-making machine, we have developed not one but three technologies to address it:

    • Signature-based Scanning, which identifies, isolates and deletes malware by matching it to a specific malware signature or byte pattern;
    • Heuristic Behavior Scanning, which detects polymorphic malware (whose bytes change from copy to copy, defeating fixed signatures) through its malicious behavior; and
    • File Reputation Services, which identify and block malware through a file’s history, sources, behavior and reputation.

    Each of these technologies works in conjunction with the others, as well as with those that address the other tools of cybercrime, to provide the well-rounded and balanced approach to security that families and businesses deserve.
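    The following is an added example, not code from the infographic or from Trend Micro’s products: a toy model of the three layers listed above, showing why one layer alone misses samples the others catch. A fixed byte signature catches the original sample but not a re-packed copy; a behaviour score catches the copy when it runs; the reputation table then catches the next identical copy without running it. The sample bytes, the signature pattern, the behaviour trace, the weights and the reputation table are all constructed for this example.

```python
"""
Added example (not Trend Micro code): signature scanning, heuristic behaviour
scanning and file reputation as three cooperating layers. Everything below
(samples, signature, weights, traces, reputation table) is constructed.
"""
import hashlib
from typing import Optional

# Layer 1: signature scanning. A signature is a byte pattern lifted from a
# known sample; it is exact and cheap, and useless once the bytes change.
SIGNATURES = {
    "TOY_DOWNLOADER.A": b"http://evil.example/drop",  # constructed pattern
}

def signature_scan(data: bytes) -> Optional[str]:
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

# Layer 2: heuristic behaviour scanning. Runtime actions are scored; no single
# action is damning, but the combination typical of an info-stealer crosses
# the threshold no matter how the file's bytes were packed.
BEHAVIOUR_WEIGHTS = {               # constructed weights
    "write_autorun_key": 3,
    "inject_remote_thread": 4,
    "disable_av_service": 5,
    "connect_unlisted_host": 2,
    "read_browser_credentials": 4,
}
HEURISTIC_THRESHOLD = 6

def heuristic_scan(trace: list) -> int:
    return sum(BEHAVIOUR_WEIGHTS.get(event, 0) for event in trace)

# Layer 3: file reputation. A lookup keyed by file hash, fed by what the other
# layers (and other installs) have already convicted.
REPUTATION = {}                     # sha256 hex digest -> verdict

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def reputation_lookup(data: bytes) -> str:
    return REPUTATION.get(sha256(data), "unknown")

# A one-byte XOR "packer": the same payload under a new key has different
# bytes, which is all a polymorphic variant needs to slip past layer 1.
def polymorph(payload: bytes, key: int) -> bytes:
    return bytes([key]) + bytes(b ^ key for b in payload)

def classify(data: bytes, trace: list) -> str:
    """Apply the layers cheapest first; record new convictions in the
    reputation table so the next identical copy needs no execution."""
    name = signature_scan(data)
    if name:
        REPUTATION[sha256(data)] = "malicious"
        return "signature:" + name
    if reputation_lookup(data) == "malicious":
        return "reputation"
    score = heuristic_scan(trace)
    if score >= HEURISTIC_THRESHOLD:
        REPUTATION[sha256(data)] = "malicious"
        return "heuristic:%d" % score
    return "clean"

# Constructed samples: the original and two re-packed copies of it.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 8 + b"http://evil.example/drop" + b"\x00" * 8
VARIANT_A = polymorph(ORIGINAL, 0x5A)
VARIANT_B = polymorph(ORIGINAL, 0xC3)
STEALER_TRACE = ["write_autorun_key", "connect_unlisted_host", "read_browser_credentials"]
BENIGN_TRACE = ["connect_unlisted_host"]

if __name__ == "__main__":
    print(classify(ORIGINAL, STEALER_TRACE))    # signature:TOY_DOWNLOADER.A
    print(classify(VARIANT_A, STEALER_TRACE))   # heuristic:9  (signature misses the repacked bytes)
    print(classify(VARIANT_A, BENIGN_TRACE))    # reputation   (remembered from the previous verdict)
    print(classify(VARIANT_B, BENIGN_TRACE))    # clean        (new bytes, too little behaviour seen)
```

    The last line is the point a practitioner should take away: a freshly re-packed copy that has not yet misbehaved is invisible to all three layers, which is why the layers are valued for covering each other’s gaps rather than for any one of them being complete.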

    Posted in Exploits, Malware, Mobile



    Cross-platform threats can be dangerous, both at home and in the office. They can ‘jump’ from one platform to another, or target all of them at the same time, potentially infecting a user’s entire network, or even a company’s, if left unchecked. The risk to critical data and system functionality, not to mention overall network security, can be catastrophic if not mitigated properly.

    With the mobile device boom, cybercriminals have begun taking the portable platform into account in their all-encompassing attacks. We have already detected quite a few. Some examples:

    • ANDROIDOS_USBATTACK.A, a malicious app that not only performs information theft routines on the affected device, but also downloads malware that triggers only when the device is connected to a PC via USB. Its end payload turns the PC’s microphone into a wiretapping device, but it could easily have carried far more damaging routines.
    • TROJ_DROIDPAK.A, a Trojan that downloads and installs malicious apps onto any Android device connected to the affected PC. The apps are malicious versions of online banking apps, which could compromise a user’s online banking account.

    The two examples feature cross-platform infection in opposite directions: from the mobile device to the PC, and from the PC to the mobile device. In the long run, cybercriminals may look to extend this chain to everything else a mobile device can connect with (such as home automation systems and other parts of the Internet of Everything). It could also mean that cybercriminals will augment their targeted attacks against organizations with mobile device attacks (as evidenced by the mobile RAT found on a LuckyCat C&C server).

    In our latest Monthly Mobile Report, The Reality of Cross-Platform Mobile Threats, we tackle cross-platform mobile threats, what makes them possible and what we may expect from this avenue of cybercrime in the future. We also explore how users and business owners alike can combat this multi-pronged threat before they are victimized by it. With cybercriminals currently using the 2014 World Cup to drive desktop and mobile device threats, which could put cross-platform attacks on the horizon, there is no better time for users and business owners to catch up and be informed.

    Cross-platform mobile threats may seem intimidating, but with the right tools and the right know-how they can be protected against. Read our latest Monthly Mobile Report at the link above, or on our Mobile Threat Information Hub.

    Posted in Malware, Mobile



    Tax season in the US and Canada has always been popular among cybercriminals. After all, it is one of the few reliable times of the year when a lot of money moves online, thanks to the convenience of filing and paying taxes over the Internet. As such, we make it a point to look out for threats specifically targeting taxpayers before, during and after tax season, and every year we invariably find a lot of them.

    This year was no different, with the threats we spotted ranging from a Silverlight vulnerability exploit to UPATRE malware spam campaigns. We also found the usual spam and phishing threats that came out at the last minute, and even after the deadline had passed.

    Silverlight Vulnerability Exploit

    This Silverlight exploit, as its name suggests, abuses the vulnerability addressed by MS13-022 (Vulnerability in Silverlight Could Allow Remote Code Execution, 2814124) to run malicious code on a system through a specially crafted Silverlight application. Note that the fix for this vulnerability is over a year old: a system that applied the March 2013 update is not affected, so the exploit only succeeds against installations that missed it. The exploit was the end result of a series of URL redirections, starting from a website that promised to teach the user how to avoid paying income tax in Canada.

    Upon analysis, we found this particular malware (detected as TROJ_SHESDE.E), which uses the exploit, to be quite similar to the one we reported on last November. The exploit then redirected users to further malicious URLs, from which additional malware could be downloaded onto the victim’s system. Around the same time, we spotted another malware that exploited Silverlight in the same fashion, which we detect as JS_SHESDE.E.

    Tax-themed Spam Campaigns

    The UPATRE malware spam campaign we detected this tax season was no different from those we had discovered previously, apart from the body text urging readers to open the malicious attachment in order to file their taxes.

    Figure 1. Tax-related spam with TROJ_UPATRE attachment

    The malicious attachment itself, detected as TROJ_UPATRE.YQU, connects to malicious URLs to download an encrypted copy of a ZBOT variant (TSPY_ZBOT.YQU). As TSPY_ZBOT.YQU starts its information-stealing routines, it also drops a RTKT_NECURS variant chosen according to whether the affected system is 32-bit or 64-bit. Whichever variant it drops, the outcome is the same: it disables the antivirus products installed on the system and protects the dropped ZBOT variant from detection and removal.

    We also spotted similar spammed mail, also carrying a UPATRE variant, toward the tail end of tax season, specifically around April 15, the US filing deadline. Even after that, we still saw tax-related spam and phishing scams, most likely a ploy to take advantage of those rushing to beat the deadline.

    Seasonal threats will always be around, but thankfully it is easy to avoid becoming a victim. Keep all the software on your system updated and patched to the most recent versions; the Silverlight exploit above only works on systems that missed a patch released more than a year earlier. Spammed mail, whatever its subject or content, should be deleted without being opened if the sender is unfamiliar or looks suspiciously different from what you are used to.

    Trend Micro customers are protected from these threats, as they have all been blocked upon detection.

    With additional analysis from Alvin Nieto, Ardin Maglalang, Joseph C Chen, Lala Manly, Maersk Menrige and Mark Tang

    Posted in Malware, Spam, Vulnerabilities



    For many, the holiday season is a season for shopping and spending. But cybercriminals see it in a different light—they see it as a prime opportunity to steal.

    Take online shopping, for example. Malicious websites try to trick online shoppers into handing their money to them instead of to the legitimate shopping websites. These sites are often made to look exactly like the website they mimic, and feature a login screen that asks the user to enter personal information. Their operators are interested in any and all kinds of login information; for example, we recently saw phishing sites that stole users’ Apple IDs.

    We have kept track of the number of phishing sites created since 2008, paying particular attention to those that target Christmas shoppers or carry holiday themes. There are plenty of these, and they persist all year. Unsurprisingly, their number rises toward the end of the year, as seen in the graph below:

    Figure 1. Christmas-related / Holiday-themed Phishing Sites

    These sites also peak around big shopping dates such as Black Friday and Cyber Monday, when online shoppers search for huge discounts.

    Cybercriminals target specific items that users might be looking for when shopping online, such as gadgets (tablets, smartphones and DSLR cameras), toys, video games and consoles, software, and so on. We examined the most popular items sold and wished for on online shopping sites and compared them with the phishing sites we saw. These were the most targeted items:

    Figure 2. Top 10 Most Targeted Shopping Items

    Spam campaigns also take advantage of the season. We recently found a spam campaign targeting British users. It promoted cheap flights to destinations in the Canary Islands, popular tourist destinations for Britons, and used the name of a well-known provider of travel packages.

    Figure 3. Sample Holiday Spam

    The email contains a .ZIP file that claims to contain more available holiday destinations. Opening the archive yields what looks like a .PDF file but is actually a malicious executable. (We detect this file as TROJ_DLOAD.NOM.) Its final payload is a ZBOT variant, which can steal critical personal information from users’ systems.

    Figure 4. Malicious File In Archive
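    Both the tax-season UPATRE mail above and this holiday-flights campaign rely on the same attachment trick: an archive whose member poses as a document but is really a Windows executable. The following is an added example, not code from either post, of a mail-gateway style check that opens such an attachment and flags members whose claimed type and real type disagree. The archive, its member names and their bytes are constructed here; the detection names on the page are not involved, and the “PE” members are header stubs that run nothing.

```python
"""
Added example (not Trend Micro code): flag archive members that claim to be
documents but carry an executable header, or hide an executable extension
behind a document one. The sample archive is constructed below.
"""
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}

# File-type magic: what the first bytes say the file really is.
MAGIC = (
    (b"MZ", "pe"),            # Windows executable (DOS header)
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/jar
)

def sniff(head: bytes) -> str:
    for prefix, kind in MAGIC:
        if head.startswith(prefix):
            return kind
    return "unknown"

def extensions(name: str) -> list:
    """All extensions of the base name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]

def assess_member(name: str, head: bytes) -> list:
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff(head)
    findings = []
    if last in EXECUTABLE_EXTS or kind == "pe":
        findings.append("executable")
    if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append("double-extension")      # e.g. Report.pdf.exe
    if last in DOCUMENT_EXTS and kind == "pe":
        findings.append("magic-mismatch")        # named .pdf, starts with MZ
    return findings

def assess_archive(blob: bytes) -> dict:
    """Map each member of a ZIP attachment to its findings (empty list = nothing odd)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(16)           # the header is enough to sniff
            results[info.filename] = assess_member(info.filename, head)
    return results

def should_block(blob: bytes) -> bool:
    return any(assess_archive(blob).values())

def build_sample_archive() -> bytes:
    """Constructed attachment: two disguised executables and one real PDF."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60       # DOS header stub only, not a runnable program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Holiday_Destinations.pdf.exe", fake_pe)   # double extension
        zf.writestr("Tax_Form_2013.pdf", fake_pe)              # PDF name, PE bytes
        zf.writestr("itinerary.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, findings in assess_archive(build_sample_archive()).items():
        print(member, findings or "ok")
```

    Reading only the first 16 bytes of each member keeps the check cheap even on large archives, and sniffing the header rather than trusting the name is what catches the second member, which has no suspicious extension at all. Real deployments would also recurse into nested archives and treat password-protected ones as suspect, since both are common ways of hiding the executable from exactly this kind of check.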

    Users can avoid these threats by following these tips:

    • Don’t use search engines to find good deals. Web threats lurk in search engine results, and they are often pushed to the top of the first page by blackhat SEO. Instead, bookmark popular and well-established shopping websites and search from there.
    • If a deal seems too good to be true, it probably is. Half-off promos and amazing discounts certainly exist (more so during the holidays), but if one comes from an unfamiliar website or is simply beyond any reasonable sense of scale, chances are it leads to a web threat.
    • Use the retailer’s own shopping app instead of your mobile browser. If you do most of your buying on a mobile device, check whether your favorite site has an official app and use that. This reduces the chance of landing on a lookalike site, though the app must come from the platform’s official app store, since malicious mobile apps are a threat in their own right.
    • Install a security solution. A security solution reduces the risk of stumbling onto opportunistic web threats while shopping online by blocking malicious websites before you reach them. It also detects and removes suspicious files or malware that end up on your devices.

    For more information on the threats that plague online shopping as well as how to shop in a safe manner, check out our latest e-guide, How to Safely Shop Online, as well as our latest image gallery, 5 Most Popular Online Shopping Items for Cybercriminals.

    Update as of 10:15 PM PST, November 26.

    As expected, cybercriminals have started to leverage Black Friday, which usually marks the start of the holiday shopping season. Similar to the Halloween threats we noted previously, we uncovered several Black Friday-themed spam messages that lead to survey scam sites. These scams steal information from users by posing as survey questionnaires, asking for personally identifiable information (PII) such as email addresses, contact information and so on.

    Figures 4-5. Black Friday-related spam

    Posted in Bad Sites, Malware, Spam


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice