    TrendLabs Security Intelligence Blog

    Author Archive - Ryan Flores (Senior Threat Researcher)

    ZeuS/ZBOT has been one of the most talked about malware families for several years, and with good reason. It has continued to evolve, is very successful in hijacking online banking credentials, and has added a variety of features designed to counter the various solutions that are supposed to mitigate it. It is estimated that ZBOT has enabled cybercriminals to steal more than US$100 million since its inception.

    ZeuS was designed to automate most of its information-stealing behavior and was built specifically to steal online banking credentials. However, we are now seeing a type of under-the-radar online fraud carried out with simple, off-the-shelf keyloggers like Predator Pain and Limitless, which are being used to commit corporate email fraud.

    The scale of this fraud is significant: the Commercial Crime Bureau of the Hong Kong Police Force estimates that this kind of fraud has netted attackers up to US$75 million in the first half of this year, from Hong Kong alone. Consider what this means: cybercriminals in a single city, within six months, matched all the losses attributed to ZBOT up to the present.

    Unlike ZeuS, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web and mail client credentials, as well as capturing keystrokes and screenshots. The output is human-readable, which is convenient when managing only a few infected machines, but the design does not scale well when many infected machines and logs are involved.

    This simplicity belies the cunning of the operators behind these keyloggers. Experienced in 419 scams, the operators have the time and determination to target corporations, capture webmail accounts, monitor ongoing business transactions, and, when the time is right, hijack a transaction to redirect payments to accounts they control.

    The tools these fraudsters use are not advanced. Combined, however, clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money. This highlights that the success of cybercrime depends not only on the sophistication of the tools used, but on how well organized the entire scheme is. A well-designed scam can net its operators significant sums of money, as seen here.

    Our paper titled Predator Pain and Limitless: When Cybercrime Turns into Cyberspying discusses our findings about these tools, as well as what we know about the attacks that are being carried out with them.

    The following graphs show the distribution of the victims that we observed, both by country and by industry:

    Figure 1. Predator Pain/Limitless Victims by Country

    Note that the country distribution is skewed towards Malaysia because one of the actors involved targets South East Asian countries, Malaysia in particular.

    Figure 2. Predator Pain/Limitless Victims by Industry

    Posted in Malware, Targeted Attacks

    Targeted attacks that are part of APT campaigns commonly use exploit documents in their social engineering ploy. These exploit documents serve as unassuming carriers of the attacker’s payload malware into the target’s computer. Since exploit documents are one of the first arrival vectors of APT malware, a little knowledge of the most exploited software and vulnerabilities will go a long way in removing low-hanging security holes within one’s organization.

    Taking data from exploit documents gathered last April, we can see that the most exploited MS Office software is MS Word.

    The big reason for this is that two of the most reliable exploits used by attackers targeted CVE-2010-3333 and CVE-2012-0158, which are MS Word vulnerabilities.

    The third most commonly exploited vulnerability is CVE-2009-3129, an MS Excel bug. This graph fits in perfectly with the first one, as Excel is the second most exploited Office software.

    For the past two years, exploit documents have extensively used CVE-2010-3333 to install malware. However, just last April, it was quickly surpassed by CVE-2012-0158. Its rise as the exploit of choice for attackers is well documented by Trend Micro researchers in two blog entries, found here and here.

    From these graphs, we can easily deduce that:

    • Reliable exploits have long lifespans. Attackers would rather use old, reliable exploits such as CVE-2010-3333 that are proven to work than experiment with new but unreliable ones.
    • A lot of organizations do not update their software. The wide use of a two-year-old vulnerability shows that patch levels in many industries are not kept current.
    • New reliable exploits are adopted rapidly. Within a span of two weeks, CVE-2012-0158 went from zero to surpassing CVE-2010-3333 as attackers’ preferred exploit. This shows that the window for patching critical vulnerabilities is small, which requires due diligence and discipline in patch management by organizations.
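One practical way to act on this post's statistics is to look at the documents actually reaching your own organization and tally them the same way. The script below is an added example, not code from the original post or from Trend Micro: it classifies document samples by carrier format and host application (Word, Excel, PowerPoint), and goes slightly beyond the post's per-product graph by also separating RTF carriers from binary and OOXML Office files, the same split the two Deep Security rules for CVE-2012-0158 make. It additionally flags documents that carry embedded objects, which are the ones worth a closer look. All samples are constructed inside the script (the OLE2 ones are only a header plus a directory-name fragment, not valid compound files), and every function name is the example's own.

```python
import io
import zipfile
from collections import Counter

# File-header signatures for the three carrier formats the post's statistics cover.
RTF_MAGIC = b"{\\rtf"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (compound file)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.xlsx/.pptx (OOXML)


def _utf16(name):
    # OLE2 directory entries store stream names as UTF-16LE, so a raw byte scan finds them.
    return name.encode("utf-16-le")


def classify_document(data):
    """Return {'format', 'app', 'embedded_object'} for one document's bytes."""
    info = {"format": "unknown", "app": "unknown", "embedded_object": False}
    if data.startswith(RTF_MAGIC):
        info["format"] = "rtf"
        info["app"] = "word"
        # RTF files carry OLE/ActiveX objects as hex blobs under \objdata; worth a closer look.
        info["embedded_object"] = b"\\objdata" in data
    elif data.startswith(OLE2_MAGIC):
        info["format"] = "ole2"
        if _utf16("WordDocument") in data:
            info["app"] = "word"
        elif _utf16("Workbook") in data:
            info["app"] = "excel"
        elif _utf16("PowerPoint Document") in data:
            info["app"] = "powerpoint"
        # Embedded objects live in the ObjectPool storage (Word) or Ole10Native streams.
        info["embedded_object"] = _utf16("ObjectPool") in data or _utf16("Ole10Native") in data
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return info
        info["format"] = "ooxml"
        if any(n.startswith("word/") for n in names):
            info["app"] = "word"
        elif any(n.startswith("xl/") for n in names):
            info["app"] = "excel"
        elif any(n.startswith("ppt/") for n in names):
            info["app"] = "powerpoint"
        # OOXML keeps embedded OLE objects and ActiveX controls in dedicated folders.
        info["embedded_object"] = any("/embeddings/" in n or "/activeX/" in n for n in names)
    return info


def triage(samples):
    """Tally documents by host application (the post's per-product view) and
    list the ones carrying embedded objects, which deserve manual review."""
    by_app = Counter()
    flagged = []
    for name, data in samples.items():
        info = classify_document(data)
        by_app[info["app"]] += 1
        if info["embedded_object"]:
            flagged.append(name)
    return dict(by_app), sorted(flagged)


def _ooxml(part_dir, extra=()):
    # Build a minimal OOXML-style zip in memory (constructed test data, not a real Office file).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part_dir + "/main.xml", "<x/>")
        for name in extra:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples. The OLE2 ones are only a header plus a directory-name fragment,
# enough for the classifier's byte scan but not valid compound files.
SAMPLES = {
    "rtf_objdata": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 01050000}}}",
    "ole2_word": OLE2_MAGIC + b"\x00" * 24 + _utf16("WordDocument"),
    "ole2_excel": OLE2_MAGIC + b"\x00" * 24 + _utf16("Workbook"),
    "ooxml_word": _ooxml("word"),
    "ooxml_excel": _ooxml("xl", extra=["xl/embeddings/oleObject1.bin"]),
    "plain_text": b"just a text file, not a document",
}

if __name__ == "__main__":
    by_app, flagged = triage(SAMPLES)
    print("documents by application:", by_app)
    print("carry embedded objects:", flagged)
```

Run over a real quarantine folder, the per-application tally is the same view as the post's first graph, and the flagged list is a cheap first filter: a benign report rarely needs an embedded OLE object or ActiveX control, so those files are the ones to send for sandboxing or analyst review. The byte scans are deliberately simple heuristics; a full OLE2 parser (such as the oletools suite, named here as an assumption about what a reader might reach for) is the next step if you need to enumerate streams properly.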

    Trend Micro Deep Security protects users from this threat, specifically via the following rules:

    • 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File (CVE-2012-0158)
    • 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
    • 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)
    Posted in Exploits, Targeted Attacks, Vulnerabilities

    The recent tragedy that affected Japan is not the first incident that cybercriminals have leveraged. Cybercriminals established early on just how low they would go to steal money from users—Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and recently the Haiti earthquake in 2010 were all used one way or another as social engineering bait.

    From a technical perspective, it is disheartening how closely cybercriminals monitored the entire incident just to take advantage not only of the event itself but also of the events that followed it. Let’s trace those events, along with the threats we found leveraging them.

    Information Demand Met with Attacks

    The earthquake happened on March 11, 2011 and, almost immediately, most of the world was aware of the incident and constantly sought out more information on Japan’s status.

    The sudden and fast increasing demand for information on the earthquake was met with blackhat SEO attacks wherein cybercriminals rigged search results for strings related to the incident and led users to malicious sites.

    Unsurprisingly, social networks were also filled with inquiries, footage, bits of information on the tragic event, and, of course, posts set up to look like footage and information but actually led to malicious sites and files.

    A few hours later, the tsunami triggered by the earthquake hit the coasts of Aomori, Iwate, Miyagi, and Fukushima, causing more damage to the affected areas. Many people in Japan who had managed to reach safer ground by the time the tsunami struck were able to take videos showing how the waves destroyed infrastructure near the coastline.

    The cybercriminals again quickly took action to leverage the event and deployed attacks on social networks such as Facebook. Posts posing as footage of the tsunami were seen all over the network and led to other malicious pages.



    This blog post is based on my talk last November 17 at the Information Security Summit 2010 in Hong Kong.

    Cloud computing is one of the biggest trends in the computing world today. However, security concerns about the cloud make up one of the major reasons why companies are hesitant to migrate their operations to the cloud. Let’s discuss an important puzzle in cloud computing, that is, the problem of authentication.

    Many authentication schemes rely on the traditional user name and password combination. The problems with relying on these are well known but, as companies move to the cloud, those problems become even more important.

    Cybercriminals have known the importance of user credentials for a long time now and have worked hard to develop techniques to steal them. The top two online banking Trojan families in recent history—ZeuS and SpyEye—both employ a wide range of techniques to steal user credentials. One of the most ingenious of these is the use of screenshots to counter the on-screen keyboards that online banks use as an anti-keylogging mechanism.

    Saying that ZeuS and SpyEye are scary would be an understatement. Corporations should worry about two particular things—first, any website can be targeted, including those that provide confidential services in the cloud and second, even login pages protected by SSL are not safe.

    To make matters worse, account-stealing Trojans account for the majority of malware types Trend Micro has discovered so far, as documented in our first half report. We can only see this trend continuing in the foreseeable future.

    Aside from malware, however, employees themselves are also part of the problem. They may unwittingly give out critical information on social networking and social media sites. Answering quizzes that virally spread on social networks may reveal information that an attacker may find useful when answering security questions on password-recovery features or when impersonating legitimate personnel.

    One of the appeals of cloud computing is that users can access services in the cloud from anywhere in the world, even when out of the office. This, however, presents new risks for corporations that use cloud services. Users may be tempted to use insecure access points such as free Wi-Fi.



    The U.S. midterm elections may have come and gone but cybercriminals have yet to cease related attacks on users eager for news on the turnout. As the Republicans take center stage, so do blackhat search engine optimization (SEO)-poisoned results.

    Case in point, searching for updates on the U.S. midterm election results led to a poisoned link. This, of course, then led to the all-too-common FAKEAV warning prompt and fake scanning page.


    What was interesting about this attack, however, is the fact that in addition to relying on keyword density and backlinks to increase a malicious page’s ranking, the cybercriminals also counted on related images to lead unwitting users into their trap. This was most probably done to trick search engines into increasing the doorway page’s ranking.


    Elections and other noteworthy sociopolitical events have been known to be typical malware propagation vectors as seen in these posts:

    Even scarier, however, is the fact that cybercriminals will stop at nothing to infect users’ systems. This attack just goes to show that they are getting better at what they do, keeping up with what vendors and service providers (i.e., search engines) are doing to mitigate threats. With the holidays in tow and craftier tricks up cybercriminals’ sleeves, we are urging users to stay vigilant and cautious in their online dealings. As in years past, it should not come as a big surprise should poisoned links crop up every time you search for great gifts and travel destinations, so beware.

    Find out how blackhat SEO poisoning became one of cybercriminals’ favorite malware proliferation tools in the new Trend Micro research paper, “How SEO Became Big.”



    © Copyright 2013 Trend Micro Inc. All rights reserved.