    TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro


    Recent data breaches in big enterprises like large banks and retail chains make one thing clear: data privacy and protection is a concern for all organizations, not just large ones. If large enterprises with plenty of available resources can be attacked and lose their data, smaller organizations without those resources are at risk as well.

    Users are not just worried about whether their data is secure; today they also worry whether their data will be used properly by the sites and businesses they deal with. Concern among users about privacy has grown over recent months and years.

    The statistics bear this all out. A survey carried out in March 2014 by the market research firm GfK highlighted significant, and growing, concerns from consumers about their personal data. 49% of respondents said they were “very much” concerned about how their data was protected, with 60% of respondents saying this concern had increased in the past 12 months.

    Consumers are also taking action. A 2014 study by Radius Global found that 69% of survey respondents would do less business with a company they knew had been breached; 67% would try to only do business with companies that they feel can handle their data. The consequences for companies are clear.

    So, what should companies do? First of all, they need to recognize that data protection is now an important part of doing business. This means they must treat it as something that matters, not just as a pain that has to be tolerated.

    To do this, organizations should first take stock and remember just what they are protecting and consider what’s most important – i.e., what is their core data. These should be protected with the best available resources. Keep in mind that the levels of protection necessary can change, depending on regulations (like the soon-to-be-implemented data protection regulations in the European Union).

    Local regulations on data protection can vary significantly. In the United States, there is no comprehensive law that covers all sectors. Instead, per-industry legislation such as the Health Insurance Portability and Accountability Act (HIPAA) is in place.

    In other countries, more comprehensive regulations that cover all sectors are more common. For example, countries in the European Union will soon be covered by the EU General Data Protection Regulation, which mandates EU-wide rules on data protection. Japan has similar laws in the form of the Act on the Protection of Personal Information, which dates back to 2003.

    However, not all organizations actually understand these regulations: in the EU, only 13% of businesses called their understanding of the upcoming regulations “very good”. This is despite the fact that, for example, EU businesses can be fined up to 5% of their annual turnover if they violate the proposed regulations.

    Similar approaches need to be taken to assuage concerns about privacy. Ensure that what data is being collected is used correctly and in such a way as not to be perceived as “creepy” by end users. The same data protection that is done for core data must be applied here, too: end users will not take kindly to businesses that don’t protect the data of their customers.

    In the end, data protection comes down not just to technical aspects, but for organizations to decide that it matters. With the new year fast approaching, companies can learn from the many incidents of 2014 and ensure that their own organizations do not fall victim to similar attacks. To know more about data protection law, read our infographic, The Road to Compliance: A Visual Guide to the EU Data Protection Law.

    Trend Micro secures users’ data via its integrated data loss prevention technology, which protects data found on endpoints, servers, networks, and even in the cloud. It also protects the transfer of data between locations and comes with central policy management, so different technologies do not need to be installed across multiple security layers.

     

    Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Reports are also coming in that this specific vulnerability has been exploited and used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.

    According to reports, this vulnerability (CVE-2014-4114) was exploited as part of a cyber-espionage campaign of attackers dubbed as the “Sandworm Team.” This particular vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.”  Details of the vulnerability have been made available, including the following:

    • This vulnerability exists in the OLE package manager in Microsoft Windows and Windows Server.
    • The OLE packager can download and execute INF files. “In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allow a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.”
    • If exploited, the vulnerability can allow an attacker to remotely execute arbitrary code.
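    As an added defensive example (not code from the post or from Microsoft), the following Python script scans a .pptx package for OLE object relationships whose target lies outside the package, which is the document-level pattern the bullets above describe. The OOXML layout it relies on (relationship parts under ppt/slides/_rels/ with TargetMode="External"), the hypothetical function names and the embedded sample deck are assumptions and constructed data, not anything the post shows.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship namespace and OLE-object relationship type used by OOXML packages
# (an assumption about the format; the post itself shows no file internals).
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# File types a packager could fetch and run; .inf is the one named in the post.
RISKY_SUFFIXES = (".inf", ".exe", ".dll", ".scr", ".bat", ".cmd")


def build_sample_pptx(target: str, external: bool) -> bytes:
    """Constructed minimal .pptx: one slide whose OLE relationship points at
    `target`. Real decks carry many more parts; only the .rels part matters."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{PKG_NS}">'
            f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def find_external_ole(pptx_bytes: bytes) -> list:
    """Return (rels_part, target) for every OLE relationship resolving outside the
    package. Embedded objects (no TargetMode) live inside the ZIP and are skipped."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target", "")))
    return hits


def is_risky_target(target: str) -> bool:
    # Flag UNC paths (\\host\share\x.inf), URLs, or executable-looking file names.
    t = target.lower()
    return t.startswith(("\\\\", "http://", "https://", "file:")) or t.endswith(RISKY_SUFFIXES)


def triage(pptx_bytes: bytes) -> list:
    """Only the external OLE targets worth escalating to an analyst."""
    return [(part, tgt) for part, tgt in find_external_ole(pptx_bytes) if is_risky_target(tgt)]
```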

    Microsoft has announced that it will release a patch for this vulnerability as part of this month’s Patch Tuesday. We encourage both users and admins to download and install the patch as soon as it is made available.

    We are currently analyzing the related sample. We will update this entry as soon as more details and solutions are available.

    Update as of October 15, 2014, 11:24 P.M. (PDT):

    Further analysis of this zero-day vulnerability can be found in our entry, An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm.” You may also read the entry October 2014 Patch Tuesday Fixes Sandworm Vulnerability for information regarding the corresponding patch.

     


    Oct 10, 7:15 am (UTC-7)

    In the first part of this series, we discussed both the routines and entry point of the banking malware DYRE. However, information theft isn’t the last step for this malware. It turns out this malware is also involved in yet another scheme—the parcel mule scam.

    The Parcel and the Mule

    During our analysis of the DYRE malware, we uncovered a web panel called Global BlackPoint.


    Figure 1. Global BlackPoint site

    A quick search online led to domain listings showing that the domain had been leased over a year ago. The intended audience of this site can choose to shop for select items.


    Figure 2. Items for sale

    However, research into the contents of this web panel showed that it is being used as a site to purchase items in the United States and re-ship them to other locations. The site says as much in its terms and conditions of use.

    Figure 3. Terms and conditions

    These goods are delivered to individuals who live within the United States, who then ship them elsewhere in the world. These individuals may have titles such as “Shipping and Receiving Manager” or “Logistics Specialist,” but in reality, they are actually “mules.” Hired from job postings on sites like Craigslist, these individuals were promised around US$50 per parcel or around US$2,000 a month.

    This elaborate scheme is sometimes called a parcel mule scam, or reshipping scam. Cybercriminals profit from these scams by using money stolen from bank accounts (courtesy of the banking malware) to buy the items, which are then resold. Mules are hired in order to smuggle the goods out of the country. Hiring mules also lessens the possibility of the smuggling activity being traced back to the criminals. These kinds of scams have been around for some time, but people still fall for them because of their “get rich quick” nature.

    Retracing the Steps

    In short, we have a three-step threat story:

    • One possible entry point is spammed commercial or banking email. The main objective is to get as many people as possible to click on the malware component and become infected.
    • The initial component then fetches a secondary infection, another piece of malware, which we detect as TSPY_BANKER.DYR, otherwise known as DYREZA, DYRANGES or BATTDIL. The objective here is to grab banking credentials in order to steal money.
    • Once money has been pilfered, it is used to buy goods, which are delivered to parcel mules who re-ship them to locations outside the United States. This kind of operation is classically called a parcel mule scam or reshipping scam.

    Countermeasures

    Against spam and BANKER malware:

    • Know your bank’s policies. If you receive an email from a bank where you don’t have an account, it’s not worth reading; delete it immediately. You can also call the nearest branch if you want to validate details.
      • If you’re reading mail via a web browser (web mail), make sure that the mail hosting service is reliable and has some sort of built-in anti-spam and anti-phishing capabilities.
      • If you’re reading email via an email client, most have security features turned on by default. Use them to secure your email reading.
      • The use of an antivirus with web reputation services to block suspicious links and attachments is also recommended.
    • A full-featured antimalware solution is the best tool against this type of threat scenario. The solution should be able to block malicious files based on signature and behavior, and should have a firewall to filter inbound and outbound connections. It is better still if it offers client-side utilities like spam and URL filtering. A cloud-based solution is also ideal, in order to have the most up-to-date protection.
    • In the unfortunate case of infection, it’s better to stop it as early as you can. Change passwords immediately and monitor your online banking transactions. If you spot any suspicious activity, call your bank immediately.

    Against parcel mule scams:

    • Work-from-home jobs certainly exist but if they sound too good to be true, check and double-check them first. It’s important to always research the business trying to recruit you, even when in dire need.
    • Be informed about parcel mule scams. The U.S. Postal Inspection Service has a page about reshipping scams.
    • Victims of such scams can file a complaint with the Internet Crime Complaint Center (IC3), which processes online crime complaints from victims and third parties.

    With additional insight from Rhena Inocencio.

    Related hashes of files discussed in this series:



    Oct 8, 12:25 pm (UTC-7)

    We’re nearing the holiday season, and some of you might be going for some early holiday shopping, checking your budget for a shopping splurge. The holiday season also ushers in cybercrime activities that are typical of this time of the year:

    • We have seen a surge of fake bank emails. We’ve also seen other forms of spammed threats, including KELIHOS, VAWTRAK, and even some forms of the 419 scam.
    • We have also witnessed an increase in BANKER malware. Variants of this malware family attempt to steal sensitive information, such as banking credentials and email account details. They employ info-stealing techniques, oftentimes phishing pages that mimic official banking sites, to get a user’s bank information, such as user names, passwords, or card codes. The stolen information can then be sent to a predetermined email address, to drop zones on hosted servers, or to a URL via HTTP POST.

    This series of entries focuses on a particular BANKER malware, detected as TSPY_BANKER.DYR. After taking an in-depth look at the malware itself, we will then place it within the whole threat ecosystem, with its ties to spam and even parcel mule scams, in which people act as ‘mules’ by re-shipping packages to other parts of the world. These people typically fall for this scam because of its ‘get rich easy’ nature.

    All About DYRE

    This particular detection is related to DYRE (also known as DYREZA, DYRANGES, or BATTDIL) malware. TSPY_BANKER.DYR has a lot of similarities with DYRE variants, as seen in its routines:

    • It has the capability to perform man-in-the-middle attacks through browser injections. It can also take browser snapshots, steal personal certificates, and steal information such as the specific browser version in use.
    • It steals bank credentials and monitors sessions involving online transactions with specific banks.
    • It can drop a configuration file that contains the list of targeted banks (via C&C updates) and the bot ID (comprising the computer name, the OS version, and a unique 32-character identifier). The list of targeted banks includes international, American, and European ones.
    • It uses Session Traversal Utilities for NAT (STUN), a method for an end host to discover its public IP address when it sits behind network address translation. It’s a common method for real-time voice, video and other messaging applications to discover their public IP address, i.e., the address that is visible on the internet. Cybercriminals use this method to learn exactly where their malware is running (and possibly who is trying to run it).


    Figure 1. Screencap of STUN method

    • It also has the capability to download a VNC module.

    A look into its network profile confirms details of the routines mentioned above:

    • Connections to C&C servers on port 443, with a defined string format
    • Connections to STUN Servers
    • Accepting inbound connections
    • Although not presented in the screen capture below, the user agent being used is Opera/9.80


    Figure 2. Network profile for TSPY_BANKER.DYR
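    As an added detection sketch (not from the post), this Python code scores internal hosts in constructed flow records against the three network traits listed above: an outbound port-443 request carrying the Opera/9.80 user agent, STUN Binding Requests (recognised by the RFC 5389 header and magic cookie rather than by port), and accepted inbound TCP connections. The flow record layout, the function names, the sample traffic, and the assumption that the port-443 request body is visible in cleartext (for instance at an inspecting proxy) are all mine.

```python
import struct
from collections import defaultdict

STUN_MAGIC_COOKIE = 0x2112A442   # fixed value in every RFC 5389 STUN header
STUN_BINDING_REQUEST = 0x0001    # message type of a Binding Request
SUSPECT_UA = b"Opera/9.80"       # user agent named in the post


def is_stun_binding_request(payload: bytes) -> bool:
    """True if `payload` is a well-formed STUN Binding Request: 20-byte header,
    type 0x0001, magic cookie present, length field matching the attribute bytes."""
    if len(payload) < 20:
        return False
    msg_type, msg_len, magic = struct.unpack("!HHI", payload[:8])
    return (msg_type == STUN_BINDING_REQUEST and magic == STUN_MAGIC_COOKIE
            and msg_len == len(payload) - 20)


def score_hosts(flows, threshold: int = 2) -> dict:
    """flows: iterable of (src, dst, dport, proto, direction, payload), where
    direction is 'out' (from an internal host) or 'in' (toward one).
    Returns {internal_host: sorted indicators} for hosts with >= threshold hits."""
    seen = defaultdict(set)
    for src, dst, dport, proto, direction, payload in flows:
        if direction == "out" and proto == "udp" and is_stun_binding_request(payload):
            seen[src].add("stun-binding")
        elif direction == "out" and proto == "tcp" and dport == 443 and SUSPECT_UA in payload:
            seen[src].add("c2-port443-opera-ua")
        elif direction == "in" and proto == "tcp":
            seen[dst].add("inbound-accepted")
    return {host: sorted(inds) for host, inds in seen.items() if len(inds) >= threshold}


# Constructed sample traffic; external addresses are RFC 5737 documentation ranges
# and 3478 is simply the IANA STUN port, which the detection does not rely on.
STUN_REQ = struct.pack("!HHI12s", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE, b"\x01" * 12)
SAMPLE_FLOWS = [
    ("10.0.0.15", "203.0.113.9", 3478, "udp", "out", STUN_REQ),
    ("10.0.0.15", "198.51.100.7", 443, "tcp", "out",
     b"GET / HTTP/1.1\r\nHost: 198.51.100.7\r\nUser-Agent: Opera/9.80\r\n\r\n"),
    ("198.51.100.20", "10.0.0.15", 443, "tcp", "in", b""),
    ("10.0.0.22", "198.51.100.30", 443, "tcp", "out",
     b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.0.0.22", "203.0.113.9", 3478, "udp", "out", b"\x00\x01\x00\x00junk"),  # too short
]

if __name__ == "__main__":
    for host, indicators in score_hosts(SAMPLE_FLOWS).items():
        print(host, indicators)
```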




    PoS malware has been in the news lately due to data breaches at various high-profile retailers. Card information stolen in these attacks has ended up on the well-known underground shop Rescator. We prefer to refer to the people behind this shop as the Lampeduza gang, as Rescator is not the only person running this business.

    We have found that other cybercrime gangs are using the fame of the Lampeduza gang to lure other cybercriminals into accessing fake online credit card shops.

    C&C Intelligence

    During one of our research projects, we came across a C&C server hosting a KINS control panel at resurspowerlbc.su. This domain was registered on May 9, 2014, with the email address nesternko43@mail.ru. The same email address was used to register other domains that hosted a fake version of the Lampeduza card shop.

    Some of these domains included:

    • babli.su
    • brandcc.name
    • dumpster.su
    • e-obmen.su
    • iswipe.su
    • just4valid.su
    • mn0g0.su
    • resurspowerlbc.su
    • safegs.su
    • shipping-panel.su
    • shipping-panel.us
    • shockwave-update55.su
    • update-shockwave34.su

    Included in the above list was one fake jobs site (safegs.su) and two fake shipping sites (shipping-panel.su and shipping-panel.us).