    Author Archive - Spencer Hsieh (Threat Researcher)

    In our efforts around addressing targeted attacks, we often work with IT administrators from different companies in dealing with threats against their network. During these collaborations, we’ve recognized certain misconceptions that IT administrators — or perhaps enterprises in general — have in terms of targeted attacks. I will cover some of them in this entry, and hope that it will enlighten IT administrators on how they should strategize against targeted attacks, also known as APTs.

    A targeted attack is a one-time effort

    Some IT administrators tend to think that targeted attacks are a one-time effort — that being able to detect and stop one run means the end of the attack itself. The truth, however, is that targeted attacks are also known as APTs because the term describes the attack well: advanced and persistent. The attacks are often well-planned and dynamic enough to adapt to changes within the target network. Being able to trace and block one attempt does not mean the elimination of the threat. If anything, it can mean that there are several other attempts not being detected, elevating the need for constant monitoring.

    There is a one-size-fits-all solution against targeted attacks

    The demand for a complete and effective solution against targeted attacks is quite high, but such a solution simply cannot exist considering the nature of targeted attacks. Attackers spend much time during reconnaissance to understand the target company — its IT environment and its security defenses — and IT admins need to adopt this mentality in terms of their security strategy. All networks are different, and this means that each one will need to be configured differently. IT admins need to fully understand the network and implement the necessary defense measures to fit their environment.

    Your company is not important enough to be attacked

    Another big assumption that companies have when it comes to targeted attacks is that they are unlikely to be a target because they do not have important data in their systems. Unfortunately, the importance of certain data may be relative to the intention of whoever is trying to get hold of it. For example, an HR staff member in a company may not find much importance in records of the employment history of past applicants, but an attacker might find use for them as a reference for social engineering. As Raimund said in one of his videos earlier this year, enterprises need to identify their core data and protect it sufficiently.

    Targeted attacks always involve zero-day vulnerabilities

    It goes without saying that zero-day vulnerabilities pose a great risk to enterprises, and users in general. However, based on analysis of targeted attacks seen in the past, older vulnerabilities are used more frequently. In our Targeted Attack Trends report from the second half of 2013, the most exploited vulnerability was not only one that was discovered in 2012, but was also patched in the same year. This trend raises the importance of applying security updates to all systems within a network – a missed update for one system may be all it takes to compromise an entire network.

    Targeted attacks are a malware problem

    The last misconception I’ll discuss is quite tricky because it is partly true. IT admins are mostly concerned about having a solution that will prevent malware from getting into their network. Although it is a valid concern, focusing on malware will only solve part of the problem. Targeted attacks involve not only the endpoints, but the entire IT environment. For example, many tools involved in lateral movement are legitimate administration tools. If the solution is focused only on detecting malware, it will not be able to detect the malicious activity. IT admins need to consider solutions that cover all aspects of the network.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.


    Last month, security researchers released a report about a targeted attack operation which they named Careto, or Mask in Spanish. The attack was noted for encoding its configuration data and encrypting its network traffic, making analysis more difficult.

    However, the capabilities of the Mac malware used in Careto were not as sophisticated as those of its Windows counterpart. (We detect this as OSX_CARETO.A.) It connects to a hardcoded command-and-control (C&C) server and runs /bin/sh to open a shell, which can then run commands sent from the C&C server. This particular backdoor is only approximately 88 kilobytes in size, which is not particularly large (especially since it contains both 32- and 64-bit code). However, analysis of this malware is still not easy, due to the aforementioned encoding and encryption. In this blog post, we look into the details of this encoding and encryption.

    Figure 1. File structure of OSX_CARETO.A


    Posted in Malware

    In targeted attacks, during the lateral movement stage attackers try to gain access to other computers on the same local area network (LAN). One useful tool to achieve this is ARP spoofing, which can be used to carry out a variety of attacks to steal information as well as plant backdoors on other machines. We recently came across a tool that automates ARP attacks, as well as using these kinds of attacks to inject IFRAMEs into websites, deliver fake software updates, and disrupt SSL connections.

    ARP Spoofing

    Hacking tools that automate ARP attacks are fairly common, so we will not delve too deeply into all their aspects. The tool can scan for live hosts on the LAN, which are then saved in an encrypted file. These IP addresses can then become the targets of ARP spoofing attacks.

    For starters, this tool can be used to intercept network traffic and extract login credentials of network services. This particular tool that we saw, which we detect as HKTL_ARPSPOOF, supports a variety of protocols. It has the ability to steal credentials from a wide variety of protocols, such as FTP, HTTP, IMAP, NetBIOS, POP3, SMB, and SMTP.

    For these protocols, the tool scans the network traffic to extract user names and passwords. These are then saved in an encrypted file, which the attacker can upload at their discretion. Because users frequently reuse the same password across different accounts, these credentials might be used across a wide variety of services, not just the ones they were captured from.

    In addition to this, this tool is also capable of carrying out man-in-the-middle attacks against TLS/SSL traffic. If users are not wary and ignore warnings about invalid certificates, any credentials sent to sites that use TLS/SSL, instead of being “secure”, can be captured and used by an attacker. Many high-profile sites already force the usage of TLS/SSL when users attempt to log into their services.
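The credential-theft capability described above depends on the attacker's host answering ARP for addresses that are not its own, which is visible to anyone watching ARP on the segment. The following is an added detection example (not from the original post or the tool it describes): it parses ARP reply lines in the style of tcpdump output and flags the two tell-tale signs of poisoning, an IP address whose MAC binding changes and a single MAC that answers for several IP addresses. The capture lines and all addresses are constructed.

```python
"""Detect ARP spoofing from a capture of ARP replies.

Added example (not from the original post).  The log lines below are
constructed in tcpdump's ARP reply style; the addresses are made up.
"""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})"
)

# Constructed capture: the gateway (.1) and a workstation (.20) first answer
# with their own MACs, then a third host answers for both of them.
SAMPLE_CAPTURE = """\
10:00:01.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01, length 28
10:00:02.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:20, length 28
10:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:05.100000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
10:00:06.000000 ARP, Reply 192.168.1.30 is-at aa:bb:cc:dd:ee:30, length 28
"""


def parse_replies(text):
    """Yield (ts, ip, mac) for each ARP reply line; other lines are ignored."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac")


def binding_changes(replies):
    """Return (ts, ip, old_mac, new_mac) each time an IP is claimed by a new MAC.

    A gateway's MAC does not normally change mid-session; a sudden change is
    the classic signature of a poisoned ARP cache.
    """
    bindings = {}
    changes = []
    for ts, ip, mac in replies:
        old = bindings.get(ip)
        if old is not None and old != mac:
            changes.append((ts, ip, old, mac))
        bindings[ip] = mac
    return changes


def macs_claiming_many_ips(replies, min_ips=2):
    """Return {mac: [ips]} for MACs that answer for several IP addresses.

    To sit between a victim and the gateway, a spoofer has to claim both
    addresses, so one MAC answering for two or more IPs is worth an alert.
    """
    claims = defaultdict(set)
    for _ts, ip, mac in replies:
        claims[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    replies = list(parse_replies(SAMPLE_CAPTURE))
    for ts, ip, old, new in binding_changes(replies):
        print(f"{ts} {ip} changed {old} -> {new}")
    for mac, ips in macs_claiming_many_ips(replies).items():
        print(f"{mac} claims {', '.join(ips)}")
```

On a real network the same checks are usually enforced at the switch (DHCP snooping with dynamic ARP inspection) or by a monitor such as arpwatch; the script shows what those controls look for. Static ARP entries for the gateway on critical hosts remove the first signal entirely, since a poisoned reply can no longer overwrite the binding.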

    IFRAME Injection

    This malware can also inject IFRAMEs into sites the user visits. It monitors the system’s HTTP traffic and injects an invisible IFRAME whenever possible. The results – as gathered in our testing – can be seen below.

    Figure 1. Injected IFRAME

    In this case, a (non-malicious) IFRAME was injected into the default web site of the HTTP server. An attacker could use this “feature” to send users to a malicious URL, where they can host a page with malicious code to exploit various vulnerabilities on the user’s system.

    Fake Update Package

    We constantly warn users to always ensure their software is up to date to help protect themselves. However, this tool exploits that to push malware to other users. This tool is also capable of using ARP spoofing to trick the system into thinking that an update for Windows Media Encoder 9 is being offered to the user; however this file is actually malicious.

    Figure 2. Fake update code

    Possible Target

    One function of this tool offers a potential clue as to the identity of the persons responsible for it. A portion of the code is specifically targeted at users of the Central Tibetan Administration, which relies on Google Apps to provide email for its users.

    Figure 3. Code for specific target


    The capabilities of this tool highlight the effectiveness of ARP spoofing in stealing information, particularly login credentials. These can be very useful in conducting lateral movement.

    IT administrators should consider retiring old, unencrypted protocols in favor of newer, encrypted ones, as these resist attack better than their predecessors. However, user training should also emphasize the importance of listening to alerts about invalid certificates, as these can indicate serious security problems.

    Posted in Malware, Targeted Attacks

    A later stage of advanced persistent threat (APT) attacks is the “lateral movement” stage, where attackers typically use legitimate computer features to move within the network undetected. This takes place after the initial breach and the establishment of command-and-control links back to the attacker. We earlier discussed the steps in an APT attack in the infographic, Connecting the APT Dots.

    As shown below, the impact attackers can have on networks grows larger as APTs go deeper. Upon reaching the lateral stage, attackers are now virtually undetected by traditional security methods. This allows them to gain even more access privileges and move on to the next APT attack stages.

    Figure 1. Graph of APT Stage vs. Impact to Network

    Lateral Movement Tactics

    The lateral movement stage of APT attacks can be further divided into three major steps: reconnaissance, credentials stealing, and computer intrusions.

    The first step allows attackers to collect vital intelligence for their next attacks by using built-in OS tools and other popular utilities. These tools may include the netstat command for connection information and port scanning for open ports.

    Once well-informed, APTs will then steal legitimate credentials to establish control. Attackers can do this in various ways, such as spoofing ARP packets, using keyloggers, pass-the-hash attacks, or hooking login authentication processes.

    After acquiring legitimate credentials, attackers will target other computers to move closer to their real target. They are more likely to use remote access or administration tools that leave few traces to accomplish this.

    What Enterprises Can Do

    The use of legitimate computer features can defeat basic perimeter-based and blacklisting security methods. However, there are many measures enterprises can still use to fortify their security, including the use of application control, security information and event management (SIEM), and adopting a custom defense solution.

    Enterprises need to establish solid threat intelligence from internal knowledge of their network and other external indicators. Threat intelligence partnered with the use of custom defense technology will empower IT personnel in detecting anomalous use of legitimate computer features; thus, securing their networks from APT-related activities.

    Find out more about these tools and measures as highlighted in the infographic The Danger of Compromise.

    You can also read more about the steps APTs take during the lateral movement stage in the Security in Context paper, How Do Threat Actors Move Deeper into Your Network.

    Posted in Targeted Attacks

    Command-and-control (C&C) server communication is essential for botnet creators to control zombie computers (or bots). To hide this from security researchers, they often use rootkits and other “tricks”. However, hiding the network traffic – specifically from monitoring outside an infected computer – is not an easy task, but is something that the botnet creators have improved through the years.

    Detecting and blocking C&C communication is one way to protect users against the dangers of botnets. Threat actors know this, thus they have developed different ways to make the C&C communication more resistant to network security products.

    In this report, we will discuss how the latest wave of Pushdo variants keep their C&C communication channel under the radar. Known as a spamming botnet, Pushdo/Cutwail has been taken down several times in the past. It is also known to distribute ZeuS/ZBOT variants.

    Pushdo Hides Among the Crowd

    If you are a potential attacker, the best way to not get caught is to blend your communications with normal/legitimate traffic and appear as inconspicuous as possible. Pushdo creators understand this and adopted this strategy into their latest malware.

    As shown in Figure 1, these Pushdo variants send out numerous HTTP requests. Among them are requests to the real C&C server. However, most of these requests serve as mere distractions.


    Figure 1. PUSHDO Network Traffic Snippet

    The malware sample we analyzed contains an encrypted list of 200 domains (see Figure 2). It randomly chooses 20 among them and requests either the root path or the path of “?ptrxcz_[random]”. Some of these domains belong to large companies or famous educational institutions, while some are obscure websites. This makes C&C server identification using network traffic analysis more difficult as it can be tough to distinguish real C&C connections among the fake ones.


    Figure 2. Decrypted list of the 200 domains

    Another by-product of this fake C&C feature is the potential distributed denial-of-service (DDoS) attack the malware can initiate against the 200 web servers on the list. Though the true intention is not to execute such an attack, the huge number of useless requests eats up a lot of bandwidth on these websites.

    Sandbox analysis is a popular tool in malware analysis. Many organizations have adopted some kind of automatic sandbox system to detect and block unknown malware. This fake C&C feature, however, poses new challenges to these systems. Before adding a server into the C&C blacklist, a system needs to check the whitelist first. If the whitelist is not good enough, there may be some false positives and inadvertently make legitimate websites inaccessible to users.
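The request pattern described above (20 hosts picked from a list of 200, each asked for the root path or "?ptrxcz_[random]") gives a defender a client-side signal even though the real C&C request is indistinguishable from the decoys. The following added example, which is not code from the original post, runs that logic over constructed proxy log lines: it flags clients whose root-or-ptrxcz_ requests fan out to many unrelated hosts, then splits the contacted hosts through an allowlist so that the well-known sites among the decoys are never blacklisted automatically. The log format, host names and allowlist are all constructed.

```python
"""Spot Pushdo-style decoy C&C bursts in proxy logs and apply an allowlist
before any host is considered for blocking.

Added example, not from the original post.  The log format ("<client> <host>
<path>"), the host names and the allowlist are constructed.
"""
import re
from collections import defaultdict

# Query string form the post describes: "?ptrxcz_[random]"
DECOY_QUERY = re.compile(r"^/\?ptrxcz_[A-Za-z0-9]+$")

# Constructed proxy log: client 10.0.0.5 behaves like the malware (bare root
# or ?ptrxcz_ requests to five unrelated hosts); 10.0.0.7 browses normally.
SAMPLE_LOG = """\
10.0.0.5 www.univ.example /?ptrxcz_Ab3x9
10.0.0.5 bigcorp.example /
10.0.0.5 smallsite.example /?ptrxcz_Qq1r
10.0.0.5 unknown-host.example /?ptrxcz_Zz8
10.0.0.5 another.example /
10.0.0.7 www.univ.example /courses/index.html
10.0.0.7 bigcorp.example /
"""

# Constructed allowlist of domains known to be legitimate (the "large companies
# or famous educational institutions" on the decoy list).
ALLOWLIST = {"www.univ.example", "bigcorp.example"}


def parse_log(text):
    """Return a list of (client, host, path) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append(tuple(parts))
    return rows


def pushdo_suspects(rows, min_hosts=4):
    """Return {client: set(hosts)} for clients whose root-or-?ptrxcz_ requests
    span at least min_hosts distinct hosts.

    A browser loads pages; it does not fetch the bare root of many unrelated
    domains in one burst, so the fan-out is the behavioural signal.
    """
    hits = defaultdict(set)
    for client, host, path in rows:
        if path == "/" or DECOY_QUERY.match(path):
            hits[client].add(host)
    return {client: hosts for client, hosts in hits.items() if len(hosts) >= min_hosts}


def triage_hosts(hosts, allowlist):
    """Split contacted hosts into allowlisted (never block) and review candidates.

    Because the real C&C request looks exactly like the decoys, the remainder
    is a review queue for analysts, not an automatic blocklist.
    """
    allowed = sorted(h for h in hosts if h in allowlist)
    review = sorted(h for h in hosts if h not in allowlist)
    return allowed, review


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for client, hosts in pushdo_suspects(rows).items():
        allowed, review = triage_hosts(hosts, ALLOWLIST)
        print(client, "allowlisted:", allowed, "review:", review)
```

The useful output is the client, not the hosts: the infected machine is what needs isolation, while the hosts it contacted are mostly innocent bystanders. Any sandbox or proxy pipeline that feeds contacted hosts straight into a blocklist will reproduce the false positives the post warns about.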

    Pushdo DGA Complicates Matters

    Another noteworthy PUSHDO feature is its domain generation algorithm (DGA). DGAs are popular among botnet malware these days. Their purpose is to make malware more resistant to C&C takedowns.

    Pushdo in particular uses the calendar date as the seed of its DGA and generates 30 domains for each day. It tries to connect not only to the domains for a given day, but also to all domains generated for the days between 30 days earlier and 15 days later. In other words, it may try to connect to 1380 domains each day. It seems most of them are parked domains right now and point to an advertisement page (Figure 3).


    Figure 3. Screenshot of Pushdo Generated Domain

    This DGA feature can be challenging for behavior and sandboxing analysis. Using sandboxing analysis without reverse engineering the malware and figuring out its DGA may not be enough to block C&C communication, as the malware generates different domains for each day.
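Once the DGA has been reverse engineered, the defender's job is the arithmetic the post sketches: 30 domains per day over a window from 30 days back to 15 days ahead is 46 days, or 1380 domains on any given day, and the set shifts by 30 domains every day. The following added example (not from the original post, and not Pushdo's real algorithm, which the post does not give) uses a hypothetical stand-in generator, SHA-256 over the date and an index, to show how those parameters turn into a daily blocklist and how much of it changes from one day to the next. The TLD choice, the hashing and the sample date are assumptions.

```python
"""Enumerate the domain window a Pushdo-style date-seeded DGA covers.

Added example, not Pushdo's real algorithm: the post gives only the
parameters (30 domains per day, window from 30 days earlier to 15 days
later), so stand_in_dga() is a hypothetical generator used to show how a
defender turns those parameters into a daily blocklist.
"""
import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 30          # from the post
DAYS_BACK = 30                # from the post
DAYS_AHEAD = 15               # from the post
TLDS = ("com", "net", "org")  # assumption for the stand-in generator


def parse_day(text):
    """Parse an ISO date string such as '2013-05-01' into a date."""
    return date.fromisoformat(text)


def stand_in_dga(day, count=DOMAINS_PER_DAY):
    """Hypothetical generator: deterministic labels derived from the date.

    Any real DGA is replaced by this only so the window arithmetic can run;
    the labels are the first 10 hex digits of SHA-256(date '#' index).
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}#{i}".encode()).hexdigest()
        domains.append(f"{digest[:10]}.{TLDS[i % len(TLDS)]}")
    return domains


def window_days(day):
    """The 46 seed dates an infected host uses on `day` (30 back .. 15 ahead)."""
    return [day + timedelta(days=off) for off in range(-DAYS_BACK, DAYS_AHEAD + 1)]


def window_domains(day, gen=stand_in_dga):
    """All domains an infected host might try on `day`: 46 days x 30 = 1380."""
    out = []
    for d in window_days(day):
        out.extend(gen(d))
    return out


def blocklist_delta(today, gen=stand_in_dga):
    """Return (added, retired): what changes between today's and tomorrow's
    window.  Domains seeded 16 days ahead enter; those seeded 30 days back leave."""
    current = set(window_domains(today, gen))
    tomorrow = set(window_domains(today + timedelta(days=1), gen))
    return sorted(tomorrow - current), sorted(current - tomorrow)


if __name__ == "__main__":
    today = parse_day("2013-05-01")  # constructed date
    print(len(window_domains(today)), "domains in today's window")
    added, retired = blocklist_delta(today)
    print(len(added), "added and", len(retired), "retired tomorrow")
```

Two practical points follow from the numbers. A blocklist derived from a single day's sandbox run covers at most 30 of the 1380 candidate domains, which is why the post says sandboxing alone is not enough; and because the window looks 15 days ahead, the defender who has the generator can register or sinkhole those domains before the botnet reaches them.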

    During our analysis, we effectively monitored Pushdo’s C&C using Trend Micro Web Reputation Services feedback. As shown in Figure 4, there were attempts to connect to one of the C&C servers. The query requests came from different locations, suggesting that there are still other computers infected by this malware.


    Figure 4. Requests sent to Trend Micro Web Reputation Service

    Traditional methods of combating malware, such as file-signature detection, may not be sufficient in today’s threat landscape. Malware authors and the like have developed effective tactics against signature-based detection, such as polymorphism and the use of packers.

    Monitoring the behavior of malware inside a sandbox is a good approach to address this challenge, but it is not a standalone solution. Malware like PUSHDO proves that relying on one solution is not enough. Such technology, coupled with deep analysis and tools like Web Reputation Services, provides more robust protection against these threats.

    Posted in Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice