
    Author Archive - Trend Micro Senior Threat Researchers

    Recently, I talked at the VB2012 conference in Dallas about one of the recent developments in today’s threat landscape: the increasing prevalence of police ransomware. Earlier, Trend Micro published a white paper discussing this threat, titled The “Police Trojan”.

    The idea behind ransomware is relatively simple: the cybercriminals block the user from accessing their own computer. This continues until the user pays the cybercriminal money in order to unlock their system. We first saw this type of threat in Russia back in 2005 to 2006.

    More recently, we’ve seen this threat spread to other countries. Using geo-location, users are presented with a notice – supposedly from local police – that they have committed some crime, and to unlock their PC they need to pay a “fine” of some sort.

    As we looked into this threat, we found that it was, in some ways, similar to previous fake antivirus threats. Multiple gangs produce their own variants; the social engineering is very good at getting users to pay up, and new versions are appearing all the time. Affiliate programs are also used to monetize this threat.

    We found at least two groups of suspects that run separate affiliate programs. Each group targets different countries and uses locally available payment schemes. There are also differences in the Trojans themselves.

    One of these groups uses server-side scripts to serve the appropriate images and scripts, depending on the user’s country:

    A second group uses a different technique. Here, the images and scripts are embedded in base64-encoded PHP code. The images and scripts are never downloaded separately, as they might be in the first case.

    In cases where the user’s country can’t be determined (or, perhaps, is not being targeted by the cybercriminals), a more “conventional” alert, similar to that used by FAKEAV attacks, is displayed.

    How do cybercriminals get their money? Instead of using credit cards, victims are asked to purchase vouchers for electronic cash. Two providers, Ukash and paysafecard, are frequently used by cybercriminals. Both of these services are legitimate; however, the vouchers are like cash in that there is no record of them changing hands.

    What happens is that cybercriminals take the vouchers they have gathered and sell them to various exchange sites, for around 40-50% of the voucher’s face value. The exchanges, in turn, sell these to other users for up to 90% of their value.

    This highlights how cybercriminals are trying out new schemes in order to replace old ones which may have become less effective. New cybercriminal groups arrive on the scene; new business models are created. It is up to the security industry to keep up to protect users.

    For further details about these attacks, you may read the following blog posts:




    We released a new research paper describing the activities of another APT campaign, IXESHE (pronounced “i-sushi”).

    One of the most notable characteristics of the IXESHE campaign is the attackers’ use of compromised servers in target organizations as command-and-control (C&C) servers. This tactic allowed them to hide their presence by confusing their activities with data belonging to legitimate individuals. In one particular case, we saw C&C servers hosted on the compromised machines of an East Asian country, making targeted attacks against that government easier. In another case, we received an error message from a C&C server, which indicated that the front-end servers were merely acting as proxies for the actual back-end servers.

    Our research also showed that attackers utilized dynamic Domain Name System (DNS) services and broadly distributed external C&C servers around the world to make detection and takedowns more difficult.

    The IXESHE campaign has been underway since at least July 2009 when we first saw samples of this particular malware family. Its primary method of entry into user systems is via malicious .PDF files that exploit Adobe Acrobat, Reader, or Flash Player vulnerabilities. These malicious files are sent as attachments to targeted emails sent to potential victims within target organizations.

    In the process of our investigation, we were able to determine that its victims could be broadly classified into three categories:

    • East Asian governments
    • Electronics manufacturers
    • A German telecommunications company

    For further details, please consult the full paper which you can download from the Security Intelligence section of the Trend Micro website.




    While conducting continuous threat-monitoring activities, Trend Micro threat researchers identified multiple suspicious files that included a strange digital signature. This signature immediately caught our attention, as it seemed to be signed by legitimate antivirus company Kaspersky.


    While checking the certificate, we noticed that the hash value in the signature did not match the suspect file. A code signature covers the hash of the specific file it was originally applied to, so a signature that has been copied from one file onto another will not verify against the new file. The signature had also already expired. (The signature used in this case appears to have been copied, ironically, from Kaspersky’s “ZbotKiller” cleaning tool.)


    Upon further investigation, we confirmed that the suspicious files are indeed malicious—ZeuS (ZBOT) variants detected as TSPY_ZBOT.BWP, TROJ_ZBOT.BYM, and TROJ_ZBOT.KJT.

    This isn’t the first time cybercriminals have stolen digital signatures. The first STUXNET malware was signed with a certificate from Realtek Semiconductors Corp., and a later variant with one from JMicron Technology—although in both of these cases the criminals had managed to gain access to the company’s private signing key.

    This fake Kaspersky certificate illustrates what seems to be a growing trend among cybercriminals and serves as a good reminder to users to always check the details of signatures and to ensure that they are valid.
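    The check recommended above can be automated on Windows. The following script is an added example (not code from the original post): it scans a directory for PE files and reports any whose Authenticode signature does not verify, such as a signature block copied from another binary (reported as HashMismatch) or one whose signing certificate has expired without a timestamp countersignature. The scan path is an assumed default.

```powershell
# Added example: report PE files whose Authenticode signature does not verify.
# Assumes Windows PowerShell 5+ and a directory to scan (default is assumed).
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed scan location
)

$files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue

foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $cert = $sig.SignerCertificate

    # Status of interest: Valid, NotSigned, HashMismatch, NotTrusted.
    # HashMismatch means the signed hash does not cover this file's content,
    # which is exactly what a signature copied from another file looks like.
    $expired     = $false
    $timestamped = [bool]$sig.TimeStamperCertificate
    if ($cert) { $expired = $cert.NotAfter -lt (Get-Date) }

    # An expired certificate is acceptable only if the signature was
    # timestamped while the certificate was still valid.
    if ($sig.Status -ne 'Valid' -or ($expired -and -not $timestamped)) {
        [pscustomobject]@{
            File        = $f.FullName
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject } else { '' }
            NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
            Expired     = $expired
            Timestamped = $timestamped
            SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
}
```

    Files listed with Status HashMismatch deserve the same scrutiny as the ZBOT samples described above; the SHA256 column gives a stable identifier for submitting them for analysis.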

    Certificates, unfortunately, can be copied by any cybercriminal with intent from any company—the antivirus company mentioned in this instance could not have prevented this incident from taking place—and it is likely that we will continue to see more such incidents in the future.

    Trend Micro has informed Kaspersky of this incident.

    © Copyright 2013 Trend Micro Inc. All rights reserved.