
    Author Archive - Trend Micro

6:09 am (UTC-7)

A key part of our cybercrime research focuses on the communities that cybercriminals form. These are used in much the same way that communities built around any other shared "interest" are: to socialize, to get together, and to buy and sell items of interest.

For security researchers, the activities of these underground communities, and the economies that form around them, are a valuable source of threat intelligence. Monitoring them lets us examine current trends in the threat landscape as well as look into and prepare for future threats.

Our research in the past has highlighted the wide variety of goods and services available in the cybercrime underground. These range from crypters, exploit kits, and Trojans to denial of service (DoS) attacks, proxy servers, web traffic, and everything in between. Our research into the underground has included findings related to malicious traffic management, the reaction to the fall of the Blackhole Exploit Kit, and overviews of the Chinese and Russian undergrounds.

    One consistent trend has been the continuing fall in prices of most goods and services. The average price of items has been dropping across the board, making these items accessible to more would-be cybercriminals. Pricier, more effective versions of these goods are available, of course – but the “average” versions of these tools are more than adequate for their purposes.

There is no shortage of targets either, with much of the world now online. The following chart shows the countries with the most Internet users, and thus the most potential victims:

    Figure 1. Countries with largest online population

There are multiple cybercrime communities around the world with various ties to each other, but each also has unique characteristics that differentiate it from the others. Throughout the year, we will be publishing a series of papers, each describing one of these communities and the economy it creates. These papers are all part of our Cybercriminal Underground Economy Series, or CUES. Each paper will highlight the unique characteristics of its market and summarize the goods and services available there and their prices.

    The first paper of CUES, covering the mobile cybercrime underground in China, was released earlier this month. The CUES portal will be updated as more papers covering other economies such as those in Russia and Brazil are released.

Posted in Data, Malware

There are places on the Internet where cybercriminals come together to buy and sell products and services. Instead of creating their own attack tools from scratch, they can purchase what they need from peers who offer competitive prices. Like any other market, the laws of supply and demand dictate prices and the features on offer. What is more interesting to note is that recently, prices have been going down.

Over the years, we have been keeping tabs on major developments in the cybercriminal underground. Years of constant monitoring of cybercriminal activity have allowed us to gather the intelligence needed to characterize the more advanced markets we have seen so far and to compile comprehensive lists of the offerings in them.

    In 2012, we published “Russian Underground 101,” which showcased what the Russian cybercriminal underground market had to offer. Later that year, we worked with the University of California Institute of Global Conflict and Cooperation to publish “Investigating China’s Online Underground Economy,” which featured the Chinese cybercriminal underground.

    Last year, we revisited the Chinese underground and published “Beyond Online Gaming: Revisiting the Chinese Underground Market.” We learned then that every country’s underground market has distinct characteristics. So this year, we will add another market to our growing list: Brazil.

The barriers to launching cybercriminal operations have fallen considerably. Toolkits are becoming more available and cheaper; some are even offered free of charge. Prices are lower and features are richer. Underground forums are thriving worldwide, particularly in Russia, China, and Brazil, and have become the usual means of selling products and services to cybercriminals in those countries.

    Cybercriminals are also making use of the Deep Web to sell products and services outside the indexed or searchable World Wide Web, making their online “shops” harder for law enforcement to find and take down.

    Our first cybercrime economy update for the year will focus on the burgeoning market for mobile malware/scam-related tools and software in China, to be released next week on March 3.

    All of these developments mean that the computing public is at risk of being victimized more than ever and must completely reconsider how big a part security should play in their everyday computing behaviors. In the coming months we will dig deeper into these, and present our findings to educate users.

Posted in Data, Malware

2013 was another year marked by many changes, for good and bad, in the threat landscape. Some threats waned, others grew significantly, and completely new threats emerged and made life difficult for users. What remained constant, however, were the threats against the safety of digital information. In this entry, we present some of the threats seen last year. They are described in more detail in our roundup titled Cashing In On Digital Information.

    Cybercrime: Banking Malware, CryptoLocker Grow; Blackhole Exploit Kit Tumbles

    Some malware types linked to cybercrime grew significantly in 2013. We saw almost a million new banking malware variants, which was double what we saw in 2012. Much of this growth occurred in the latter half of the year:

    Figure 1. Volume of new banking malware

    Two countries – the United States and Brazil – accounted for half of all banking malware victims:

    Figure 2. Countries most affected by banking malware

    We saw ransomware become far more potent in the latter part of the year as CryptoLocker emerged as a new threat that hit users hard. This new threat – an evolution of previous ransomware attacks – encrypted the data of users, requiring a one-time payment of approximately $300 (payable in cryptocurrencies like Bitcoin) before their data would be decrypted. In some ways, CryptoLocker became as serious a problem for end users as fake antivirus malware had in previous years.

    The fall of the Blackhole Exploit Kit in 2013 due to the arrest of its creator, Paunch, was a significant event that appreciably changed the threat landscape. It significantly cut the use of malicious links in spam messages by attackers. While other exploit kits have emerged into the threat landscape since then, no other kit has achieved BHEK’s levels of prominence.

    Targeted Attacks and Data Breaches: Still In Operation

    Despite reduced media attention, targeted attacks continued to hit organizations across the world last year. We observed attacks in many parts of the world, with countries in Asia at particular risk from these coordinated targeted attacks. Well-organized campaigns like EvilGrab and Safe highlighted the capabilities and sophistication of modern targeted attacks.

    Figure 3. Countries affected by targeted attacks

    Data breaches also continued to plague organizations. Companies like Adobe, Evernote, and LivingSocial were all hit by various breaches that exposed the customer data of millions of users. Breaches like these not only cause a loss of face for the affected organizations, but may also put them at legal risk for failing to protect the data of their users.

    Mobile Threats: Mobile Banking Under Fire

    Mobile threats continued to flourish last year, with an estimated one million malicious and high-risk apps found in the year alone. Significantly, we saw increasing use of mobile banking threats like the PERKEL and FAKEBANK families, both of which put users of mobile banking apps and websites at the same risk of fraud and financial loss that other users face. Information stealers like banking malware are now the third most common type of malicious/high-risk app found, behind traditional standbys like premium service abusers and adware:

    Figure 4. Types of mobile malware threats

    Digital Life: Privacy at Risk

Revelations about government spying made many question whether online privacy was still alive, or even possible. Previously, users had worried that cybercriminals could get their hands on their personal information; now they worry about large, previously trusted organizations, both government and private, doing the same thing.

    Attacks delivered via social media (combined with social engineering) have now become the norm, with newer social networks like Instagram, Pinterest, and Tumblr suffering from their own scams as well. Indeed, attacks on all social media platforms have become so common, it may almost be considered “business as usual.”

    For a more comprehensive analysis of these threats, check our 2013 roundup titled Cashing In On Digital Information.

Posted in Bad Sites, Data, Exploits, Malware, Mobile, Social, Spam, Targeted Attacks

2:30 am (UTC-7)

    Trend Micro, working with the Organization of American States, has released a study outlining the current state of cyber security in Latin America. The joint paper is titled Latin American and Caribbean Cybersecurity Trends and Government Responses. The region has a threat landscape that differs from other parts of the world with key differences in the threats seen, the cybercrime underground, and the ability of governments to respond. (We have also created an infographic that looks at the broader cybercrime underground, which can be found here.)

    Looking at the feedback provided by the Smart Protection Network, the most common threat in the Americas and the Caribbean was file infectors, as this chart of the top malware threats in 2012 illustrates:

    Figure 1. Top Malware Threats in 2012

The continued prevalence of old threats like file infectors indicates that much of the population is unaware of safe computer and Internet usage.

    As part of the study, we surveyed representatives from various OAS member-governments. Their responses revealed that citizens remain unconcerned and unaware of the dangers of cybercrime and hacking. Internet users in Latin America do not always keep their anti-malware solutions up-to-date and pay little attention to security concerns.

This may prove problematic in the long run, considering that Internet use in the region is growing at one of the highest rates worldwide. Unsafe use of the Internet is already feeding the high levels of cybercrime in Latin America.

    The region’s threat landscape is filled with organized groups led by a mix of political and financial motives. What makes it stand out are the new techniques and malware that allow attackers to target industrial control systems (ICS), which are critical for the smooth operations of essential services like utilities, banks, and water-purification plants.

On the other hand, the cybercriminal underground remains bent on stealing sensitive information and profiting from it with the help of banking Trojans and botnets. The Latin American situation, however, has changed, probably in response to the botnet crackdowns in Eastern Europe. For instance, the region's threat actors use free hosting services instead of hijacked servers to evade law enforcement operations. They also trade cybercrime tools and stolen information over social networks and chat services, most notably Orkut and IRC.

    Figure 2. Ads for tools and information

Governments in Latin America realize these dangers and are taking steps to protect their users and critical infrastructures. However, survey responses indicate that measures against cybercrime remain patchy and uneven across the region. Many OAS member states began their cybersecurity efforts by establishing Computer Security Incident Response Teams (CSIRTs) as part of their cybersecurity strategy, as in the case of Colombia and Panama. Others, like Chile, Peru, Mexico, Trinidad and Tobago, and Uruguay, are endeavoring to do the same.

On the whole, political leaders are aware of the dangers of cybercrime and hacking, but their efforts are often restricted by a lack of resources dedicated to building cybersecurity capacity and a shortage of the specialized knowledge and expertise needed to implement technical policies.

    The study includes three recommendations for governments and organizations in the region to help improve the state of cyber security. These are:

1. Raise awareness of safe cyberhabits and of cybersecurity in general among Internet users, critical infrastructure operators, and government employees. This is a cheap and effective way to minimize cyber risks and close security gaps that remain wide open.
2. Invest in and promote enrolment in technical-degree programs to ensure an ample pool of qualified candidates from which to draw the professionals needed to fill the increasing number of information security positions.
3. Continue strengthening policy mechanisms that assign governmental roles and responsibilities related to cybersecurity, and codify information-sharing and cooperation mechanisms.

    You may read the full paper here. For Spanish-speakers, you may also read the full paper in Español.


Posted in Bad Sites

8:47 pm (UTC-7)

Big Data brings with it its own tools and frameworks, needed to manage the enormous volumes of data that are generated, analyzed, and correlated.

One of the frameworks that has found success in Big Data is Hadoop, which is managed by the Apache Software Foundation. Hadoop is used by a wide variety of organizations to store and process large quantities of data across clusters of commodity machines using simple programming models.

    Trend Micro also uses Hadoop in its own environments, and we saw opportunities to help improve the security model of Hadoop. We’ve worked with other Hadoop developers to improve three key areas of Hadoop:

    #1: Developing a Coprocessor API for HBase

HBase is a scalable, distributed database built on top of Hadoop and the Hadoop Distributed File System (HDFS). We worked with other developers to introduce a coprocessor API to HBase. A coprocessor is code loaded into the HBase master and region servers that runs alongside the database's own operations, which lets developers add new features and functionality to their HBase deployments.

This lets HBase users customize their installations with features that are not part of the original HBase feature set. While not a security feature in itself, the coprocessor API was essential for the second area where we contributed to Hadoop.

    #2: Using the Coprocessor For Access Control

With the ability to add new features in place, Trend Micro used the coprocessor API to add access control to HBase. The access control coprocessor intercepts table operations (creating or altering tables, reading, writing and deleting data) and checks them against an access control list, so database administrators can grant users permissions scoped to a whole table, a column family, or a single column.

This may not sound like a significant addition, but it is. It makes multi-tenant use of a Hadoop/HBase cluster much more secure, since each tenant's data can be made inaccessible to the other tenants sharing the cluster. One caveat applies: an authorization check is only as good as the identity it checks. With HBase's default simple authentication, the client supplies its own user name, so a tenant could claim another tenant's identity and pass the ACL check. Access control is therefore meant to be deployed together with strong client authentication (Kerberos in Hadoop and HBase), not in place of it.
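A minimal hbase-site.xml that turns on the access control coprocessor described in this section, given here as an added example rather than as configuration from the original post or from the HBase project. The property names and the AccessController class name are HBase's own; the superuser name is an assumption. The commented-out block shows the weak default (authorization without authentication) next to the corrected setting.

```xml
<!-- Added example: hbase-site.xml settings that load the AccessController
     coprocessor on the master and on every region server. Property names and
     the coprocessor class are HBase's; the superuser name is hypothetical. -->
<configuration>

  <!-- WEAK (the default): with simple authentication the client picks its
       own user name, so any ACL the AccessController enforces can be bypassed
       by a tenant who simply claims another tenant's identity.
  <property>
    <name>hbase.security.authentication</name>
    <value>simple</value>
  </property>
  -->

  <!-- Corrected: authenticate clients with Kerberos before authorizing them. -->
  <property>
    <name>hbase.security.authentication</name>
    <value>kerberos</value>
  </property>

  <!-- Enable authorization checks in the master and the region servers. -->
  <property>
    <name>hbase.security.authorization</name>
    <value>true</value>
  </property>

  <!-- Load the AccessController on the master (table create/alter/drop,
       grant/revoke) and on every region (get/put/scan/delete checks). -->
  <property>
    <name>hbase.coprocessor.master.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>
  <property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
  </property>

  <!-- Superusers bypass ACL checks entirely; keep this list to the
       service account that runs HBase. (Assumed name.) -->
  <property>
    <name>hbase.superuser</name>
    <value>hbase</value>
  </property>

</configuration>
```

After the master and region servers are restarted with this configuration, permissions are managed from the HBase shell with grant and revoke, for example `grant 'alice', 'RW', 'tenant_a'` to give the (hypothetical) user alice read and write access to the (hypothetical) table tenant_a and nothing else, and `user_permission 'tenant_a'` to list who can touch that table. The permission letters are R (read), W (write), X (execute coprocessor endpoints), C (create) and A (admin); grant only what a tenant needs, and review the `hbase.superuser` list, since those accounts are never checked.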


Posted in Data


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice