Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Ryan Certeza (Technical Communications)




    Tax season in the US and Canada has always been popular among cybercriminals. After all, it’s one of the few reliable times in a year that a lot of money gets thrown around online, due to the convenience of filing (and) paying taxes over the Internet. As such, we make it a point to look out for threats specifically targeting taxpayers before, during and after tax season and every year, we invariably find a lot of them.

    This year was no different, with the threats we spotted ranging from a Silverlight vulnerability exploit to UPATRE malware spam campaigns. We also found the usual spam and phishing threats that came out at the last minute, even after the deadline has passed.

    Silverlight Vulnerability Exploit

    This Silverlight exploit, as its name suggests, exploits the (MS13-022) Vulnerability in Silverlight Could Allow Remote Code Execution (2814124) vulnerability to run malicious code on a system through a specially-crafted app. It should be noted that the said vulnerability is over a year old now. This exploit was found to be the end result of a series of URL redirections, stemming from a website that promised to teach the user how to avoid paying income tax in Canada.

    Upon analysis, we found this particular malware (detected as TROJ_SHESDE.E), which uses the exploit, to be quite similar to the one we reported on last November. We also discovered that with this exploit, it sought to redirect users to malicious URLs, whereupon malware may have potentially been planted for automatic download upon the victim’s system. At around this time, we also spotted another malware that also exploited Silverlight in the same fashion, and we detected this as JS_SHESDE.E.

    Tax-themed Spam Campaigns

    The UPATRE malware spam campaign that we detected this tax season was no different from those we’ve discovered previously, besides the main body of its text urging its readers to open its malicious attachment in order to file their taxes.

    Figure 1. Tax-related spam with TROJ_UPATRE attachment

    The malicious attachment itself, detected as TROJ_UPATRE.YQU, connects to malicious URLs to download an encrypted version of a ZBOT variant (TSPY_ZBOT.YQU). As TSPY_ZBOT.YQU starts its info-stealing routines, it also drops a RTKT_NECURS variant, depending on whether the affected system is a 32-bit or 64-bit environment. Whichever variant it drops, the outcome is the same—it disables the AV products installed in the system as well as protect the dropped ZBOT variant from detection and removal.

    Besides this, we also spotted similar spammed mail, also sporting a UPATRE variant, at around the tail end of the tax season—specifically around April 15, which was of course the deadline for all tax filing. And even after this, we still saw tax-related spam and phishing scams—most likely a ploy of cybercriminals to take advantage of those in a rush to beat the deadline.

    Seasonal threats will always be around, but thankfully it’s easy to avoid becoming a victim to them. It’s a good idea to keep all the software in your system updated and patched to their most recent versions. Spammed mails, no matter the subject or content, should always be deleted without being opened if the sender is unfamiliar or suspiciously different than accustomed to.

    Trend Micro customers are protected from these threats, as they have all been blocked upon detection.

    With additional analysis from Alvin Nieto, Ardin Maglalang, Joseph C Chen, Lala Manly, Maersk Menrige and Mark Tang

     
    Posted in Malware, Spam, Vulnerabilities |



    For many, the holiday season is a season for shopping and spending. But cybercriminals see it in a different light—they see it as a prime opportunity to steal.

    Take, for example, online shopping. Malicious websites to try and trick online shoppers into giving them their money instead of the legitimate shopping websites. These sites are often made to look exactly like the website they’re mimicking, and feature a login screen that asks the user to enter their personal information. They are interested in any and all kinds of login information – for example, we recently saw phishing sites that stole the Apple IDs of users.

    We have kept track of the number phishing sites created since 2008. We pay particular attention to those that target Christmas shoppers and/or have holiday themes. There are plenty of these, and they persist all year. Unsurprisingly, they rise towards the end of the year, as seen in the graph below:

    Figure 1. Christmas-related / Holiday-themed Phishing Sites

    These sites also peak during big shopping dates, such as Black Friday and Cyber Monday. Online shoppers tend to search for huge discounts on these dates.

    Cybercriminals target specific items that users might be looking for in particular when shopping online, such as gadgets (tablets, smartphones and DSLR cameras) toys, video games/consoles, software, and so on. We examined the most popular items sold and wished for on online shopping sites and compared them with the phishing sites we saw. We found that these were the most targeted items:

    Figure 2. Top 10 Most Targeted Shopping Items

    Spam campaigns also take advantage of the season. We recently found a spam campaign which targeted British users. This campaign promoted cheap flights to destinations in the Canary Islands—popular tourist destinations for Britons. The name of a well-known provider of travel packages was also used.

    Figure 3. Sample Holiday Spam

    The email contains a .ZIP file that claims to contain more available holiday destinations. Opening the archive yields a .PDF file that is actually a malicious executable file. (We detect this file as TROJ_DLOAD.NOM.) Its final payload is  a ZBOT variant, which can steal critical personal information of users from their systems.

    Figure 4. Malicious File In Archive

    Users can avoid these threats by following these tips:

    • Don’t use search engines to find good deals. Web threats lurk in search engine results, and they’re often pushed up to the top of the first page because of Blackhat SEO. Instead, bookmark popular and well-established shopping websites and do your searching from there.
    • If it’s a deal too good to be true, it probably is. Half-off promos and amazing discounts certainly exist (moreso during the holidays) but if it’s from an unfamiliar website or simply just beyond any reasonable sense of scale, then chances are it’ll lead to a web threat.
    • Use online shopping apps instead of using your mobile browser. If you’re a huge online shopper and you use your mobile device to do all your buying, check if your favorite site has an app and use that instead. This allows for a more secure transaction between you, the customer, and the website itself—removing the chance for web threats.
    • Install a security solution. A security solution can easily remove the risk of you accidentally stumbling onto opportunistic web threats when you’re shopping online by blocking malicious websites before you can even get to them. It also detects and removes any suspicious files or malware that may end up in your devices.

    For more information on the threats that plague online shopping as well as how to shop in a safe manner, check out our latest e-guide, How to Safely Shop Online, as well as our latest image gallery, 5 Most Popular Online Shopping Items for Cybercriminals.

    Update as of 10:15 PM PST, November 26.

    As expected, cybercrmininals have started to leverage Black Friday, which usually marks the start holiday shopping season. Similar to the Halloween threats we noted previously, we uncovered several Black Friday-themed spam that lead to survey scam sites. These scams steal information from users by posing as survey questionnaires, asking personally identifiable information (PII) such as email addresses, contact information etc.

    black_friday_sample

    Figures 4-5. Black Friday-related spam

     
    Posted in Bad Sites, Malware, Spam | Comments Off



    Five years ago, Conficker/DOWNAD was first seen and quickly became notorious due to how quickly it spread and how much damage it caused.

    Remarkably, after all that time, it’s still alive. It can still pose a serious problem, as it can propagate to other systems on the same network as an infected machine – a factor that may explain its high rate of infection to this day.

    Based on feedback from the Smart Protection Network, DOWNAD has been a leading threat for years. It has been the most prolific threat – as measured by the number of infections seen in the wild – since 2011. It has beat out a wide variety of threats – from crack key generators to ZeroAccess – for this dubious distinction.

    It also popularized the use of domain generation algorithms. This technique generates multiple (hundreds, in the case of DOWNAD) domains on a daily basis. It uses these domains to connect to its command-and-control servers. The sheer number of generated domains makes blocking this C&C much more difficult. Since then, it has been adopted by other malware families as well.

    In order to propagate across networks, it used a zero-day vulnerability, which was later designated by Microsoft as MS08-67.  Despite the availability of a patch, many users remain vulnerable due to negligent patching practices as well as piracy. Pirated versions of Microsoft Windows, are often unable to download and install security patches.

    In the long-term, as Windows XP machines are retired due to its end of extended support period next year, DOWNAD is destined to recede into the background. However, some systems may still be at risk. The simplest solution is simple: ensure that the software you ran – particularly your operating system – has the latest security updates. You should also check out our tips on how to see if your system is in fact infected.

    We have prepared a full malware profile which describes the capabilities, the spread, and the risks of DOWNAD/Conficker.

     



    Patch-Tuesday_grayIt’s Patch Tuesday again, and Microsoft has served up eight bulletins this month, three of them rated Critical. One of the three critical bulletins – MS13-090 – deserves special mention, as it fixes a zero-day vulnerability (CVE-2013-3918) found just last week in an Internet Explorer ActiveX control. Separately, IE itself fixed ten vulnerabilities as part of MS13-088.

    It’s worth noting that another recent TIFF-related zero-day that we discussed has not been patched as part of this month’s update, so the recommendations and work-arounds that were suggested at that time remain in effect.

    We strongly urge all users to apply these updates as soon as possible. Trend Micro users may also use the following Deep Security rules to protect themselves from threats exploiting these patched vulnerabilities.

    • 1005705 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3871)
    • 1005784 Internet Explorer Information Disclosure Vulnerability (CVE-2013-3908)
    • 1005778 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3910)
    • 1005781 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3911)
    • 1005782 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3912)
    • 1005774 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3914)
    • 1005775 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3915)
    • 1005777 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3916)
    • 1005773 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3917)
    • 1005783 Microsoft Windows Graphics Device Interface Integer Overflow Vulnerability (CVE-2013-3940)
    • 1005779 Microsoft Internet Explorer ActiveX Control Code Execution Vulnerability (CVE-2013-3918)
    • 1005785 Restrict Information Card Signin Helper ActiveX Control
     
    Posted in Vulnerabilities | Comments Off



    Social networking websites have actively been used in different malicious campaigns by cybercriminals in the past –  most of which incorporate techniques such as phishing and spam.  One of these campaigns are the Blackhole Exploit Kit (BHEK) spam campaign, which has been plaguing Internet users for quite a while. BHEK spam campaigns are known to use popular brand names and websites to lure users.

    It’s no surprise, then, that we are now seeing a BHEK spam campaign targeting social networking website Pinterest and its users. Prior to this campaign, the website has also been the target of other threats, such as survey scams and spammed mails that lead to malicious websites.

    We received a sample of the messages being spammed, and upon analysis, discovered how its infection chain goes. Here is the entire infection chain, as follows:

    • The user receives the spammed mail in his inbox. It is tailored to resemble a legitimate mail from Pinterest, and notifies the user about a successful password change. It also presents a link that would allow him to see his new password.
    • Should the user click on the link, he is put through a series of website redirects. This redirection is detected as HTML_IFRAME.USR.
    • HTML_IFRAME.USR then downloads another malware onto the system, TROJ_PIDIEF.USR, which in turn drops BKDR_KRIDEX.KA. This final payload, being backdoor malware, has the ability to perform commands from a remote malicious user, and therefore can compromise a system’s security.

    While there is nothing new in this routine, users are still advised to always perform account-related changes only the websites they subscribe to. We also point towards the usage of CRIDEX as a final payload – a malware family that we’ve written about as one of the two families used in BHEK attacks. Like ZBOT, CRIDEX is used mainly to steal online banking information.

    To further protect themselves from these sort of threats, users should ensure that all software in their systems are updated and patched (namely Java, Adobe Acrobat, Adobe Reader, and Flash). This is because BHEK operates by exploiting vulnerabilities in popular software, and having those software plus their browser of choice updated can help prevent users from becoming victims. Avoiding links presented in suspicious mails and verifying the mail’s content first by contacting the supposed sender through other means (phone call, visitation) can also go a long way.

    The security solutions provided by Trend Micro™  protects users from all the elements of this threat.

    With additional analysis from Threat Response Engineers Alvin Bacani and Anti-Spam Research Engineer Mark Aquino.

     
    Posted in Bad Sites, Exploits, Malware, Social, Spam | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice