Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Ryan Flores (Senior Threat Researcher)

    Targeted attacks that are part of APT campaigns commonly use exploit documents in their social engineering ploy. These exploit documents serve as unassuming carriers of the attacker’s payload malware into the target’s computer. Since exploit documents are one of the first arrival vectors of APT malware, a little knowledge of the most exploited software and vulnerability will go a long way in removing low hanging security holes within one’s organization.

    Taking data from exploit documents gathered last April, we can see that the most exploited MS Office software is MS Word.

    The big reason for this is that two of the most reliable exploits used by attackers targeted CVE-2010-3333 and CVE-2012-0158, which are MS Word vulnerabilities.

    Coming in at third place as the most common vulnerabilities exploited is CVE-2009-3129, which is an MS Excel software bug. This graph fits in perfectly with the first one as Excel is the second most exploited Office software.

    For the past two years, exploit documents have extensively used CVE-2010-3333 to install malware. However, just last April, it was quickly surpassed by CVE-2012-0158. Its rise as the exploit of choice by attackers are well-documented by Trend Micro researches on two blog entries found here and here.

    From these graphs, we can easily deduce that:

    • Reliable exploits have long lifespans. Attackers would rather use old reliable exploits such as CVE-2010-3333 that are proven to work instead of experimenting with new, but unreliable exploits.
    • A lot of organizations do not update their software. The wide use of a two year old vulnerability just shows patch levels in many industries are not updated.
    • Rapid adoption and use of a new reliable exploit. Within a span of two weeks, CVE-2012-0158 went from zero to actually surpassing CVE-2010-3333 as the preferred exploit of attackers. This just shows that the time window for patching critical vulnerabilities is small, which requires due diligence and discipline on patch management by organizations.

    Trend Micro Deep Security protects users this threat, specifically via the following rules:

    • 1004973 – MSCOMCTL.OCX RCE Vulnerability For Rich Text File (CVE-2012-0158)
    • 1004977 – Restrict Microsoft Windows Common ListView And TreeView ActiveX Controls
    • 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158)
    Posted in Exploits, Targeted Attacks, Vulnerabilities | Comments Off

    The recent tragedy that affected Japan is not the first incident that cybercriminals leveraged. Cybercriminals have established early on just how low they would go just to steal money from users—Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and recently the Haiti Earthquake in 2010 were all used one way or another as social engineering bait.

    From a technical perspective, it is disheartening how closely cybercriminals monitored the entire incident just to take advantage of not only the event itself but also the ones that happened afterward. Let’s trace the events, along with the threats we found leveraging them.

    Information Demand Met with Attacks

    The earthquake happened on March 11, 2011 and, almost immediately, most of the world was aware of the incident and constantly sought out more information on Japan’s status.

    The sudden and fast increasing demand for information on the earthquake was met with blackhat SEO attacks wherein cybercriminals rigged search results for strings related to the incident and led users to malicious sites.

    Unsurprisingly, social networks were also filled with inquiries, footage, bits of information on the tragic event, and, of course, posts set up to look like footage and information but actually led to malicious sites and files.

    A few hours after, the tsunami that was triggered by the earthquake hit the coasts of Aomori, Iwae, Miyagi, and Fukushima, causing more damage to the affected areas. Many people from Japan who managed to get themselves in safer ground by the time the tsunami struck were able to take videos showing how the waves destroyed the infrastructure located near coastal lines.

    The cybercriminals again quickly took action to leverage the event and deployed attacks in social networks such as Facebook. Posts that posed as footages of the tsunami were seen all over the network and led to other malicious pages.

    Read the rest of this entry »


    This blog post is based on my talk last November 17 at the Information Security Summit 2010 in Hong Kong.

    cloud computingCloud computing is one of the biggest trends in the computing world today. However, security concerns about the cloud make up one of the major reasons why companies are hesitant to migrate their operations to the cloud. Let’s discuss an important puzzle in cloud computing, that is, the problem of authentication.

    Many authentication schemes are done via the traditional user name-password combination. Problems with relying on these are well-known but, as companies move to the cloud, these become even more important.

    Cybercriminals have known the importance of user credentials for a long time now and have worked hard to develop techniques to steal them. The top 2 online banking Trojan families in recent history—ZeuS and SpyEye—both employ a wide range of techniques to steal user credentials. One of the most ingenious of these is the use of screenshots to counter on-screen keyboard safety measures online banks use as an anti-keylogging mechanism.

    Saying that ZeuS and SpyEye are scary would be an understatement. Corporations should worry about two particular things—first, any website can be targeted, including those that provide confidential services in the cloud and second, even login pages protected by SSL are not safe.

    To make matters worse, account-stealing Trojans account for the majority of malware types Trend Micro has discovered so far, as documented in our first half report. We can only see this trend continuing in the foreseeable future.

    Aside from malware, however, employees themselves are also part of the problem. They may unwittingly give out critical information on social networking and social media sites. Answering quizzes that virally spread on social networks may reveal information that an attacker may find useful when answering security questions on password-recovery features or when impersonating legitimate personnel.

    One of the appeals of cloud computing is that users can access services in the cloud from anywhere in the world, even when out of the office. This, however, presents new risks for corporations that use cloud services. Users may be tempted to use unsecure access points such as free Wi-Fi.

    Read the rest of this entry »


    The U.S. midterm elections may have come and gone but cybercriminals have yet to cease related attacks on users eager for news on the turnout. As the Republicans take center stage, so do blackhat search engine optimization (SEO)-poisoned results.

    Case in point, searching for updates on the U.S. midterm election results led to a poisoned link. This, of course, then led to the all-too-common FAKEAV warning prompt and fake scanning page.

    Click for larger view Click for larger view

    What was interesting about this attack, however, is the fact that in addition to relying on keyword density and backlinks to increase a malicious page’s ranking, the cybercriminals also counted on related images to lead unwitting users into their trap. This was most probably done to trick search engines into increasing the doorway page’s ranking.

    Click for larger view

    Elections and other noteworthy sociopolitical events have been known to be typical malware propagation vectors as seen in these posts:

    Even scarier, however, is the fact that cybercriminals will stop at nothing to infect users’ systems. This attack just goes to show that they are getting better at what they do, keeping up with what vendors and service providers (i.e., search engines) are doing to mitigate threats. With the holidays in tow and craftier tricks up cybecriminals’ sleeves, we are urging users to stay vigilant and cautious in their online dealings. As in years past, it should not come as a big surprise should poisoned links crop up every time you search for great gifts and travel destinations, so beware.

    Find out how blackhat SEO poisoning became one of cybercriminals’ favorite malware proliferation tools in the new Trend Micro research paper, “How SEO Became Big.”


    You know that something has become mainstream when people have a lot to say about it. Just like any activity, online gaming has had its share of caveats. For instance, a man from Hawaii sued an online game publisher, for allegedly causing him to lose 20,000 hours of his life. You see, the majority of online gamers are full-time employees and so lose a lot of their time just to succeed in the online games they play.

    Apart from such risks, online gamers also face other threats. Yes, you read that right. There exists a comprehensive cybercrime ecosystem that specifically targets online gamers. Though this may not be as common as targeting online bank users, the cybercriminals’ end goal remains the same—to make money at someone else’s expense.

    If you’re interested to know how all of these adds up, read Lion Gu’s research paper on the dark side of online gaming, something you probably should be aware of, as online gaming has just become mainstream.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice