
    Author Archive - Trend Micro



    Mar 9, 9:28 pm (UTC-7)

    Analysis by Kenney Lu

    In recent years, we have seen a lot of reports about home routers being vulnerable to attacks. Our research as early as 2008 shows malware rigging routers to redirect users to different sites. Other attacks we have seen include backdoors and possible DNS rebinding attacks. In these scenarios, the intent and goal of the attacks are pretty straightforward.

    Snooping Around Your Network

    We recently came across one malware, detected as TROJ_VICEPASS.A, which pretends to be an Adobe Flash update. Once executed, it attempts to connect to the home router and search for connected devices. It then tries to log in to those devices to gather information. Should it be successful, it sends the information to a command-and-control (C&C) server and deletes itself from the computer.


    Figure 1. Infection chain

    A Closer Look at its Routines

    Users may encounter this malware when visiting suspicious or malicious sites hosting a supposed Flash update. Users are encouraged to download this update and install it on their computers.


    Figure 2. Site hosting fake Adobe Flash update


    Figure 3. Fake Flash update

    Once the malware is executed, it attempts to connect to the connected router through its admin console, using a predefined list of user names and passwords. If successful, the malware will attempt to scan the network to look for connected devices.


    Figure 4. Scanning for connected devices

    The malware scans for devices over HTTP, with a target IP range of 192.168.[0-6].0 to 192.168.[0-6].11, private addresses that home routers typically assign to clients. The target range is hard-coded. A look at the internal log format reveals the following:

    Find router IP address – start

    Searching in 192.168.0.0 – 192.168.0.11

    [0] connect to 192.168. 0.0

    URL: ‘192.168.0.0’, METHOD: ‘1’, DEVICE: ‘Apple’

    …. (skip)

    Find router IP address – end
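    The sweep described above has a recognizable shape from the defender's side: one internal host contacting many low-numbered addresses across 192.168.0 through 192.168.6 on port 80 within a few seconds, including .0 network addresses that a normal client would never talk to. The following Python script is an added example (not code from the original post or from Trend Micro) that looks for that shape in a simplified, constructed router connection log; the log format, host addresses and thresholds are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original post): a home router / firewall
# connection log in a simplified "timestamp src -> dst:port proto" form.
# 192.168.1.23 behaves like the scanner described in the post; 192.168.1.40 is a
# normal client that only talks to the router's admin page.
SAMPLE_LOG = """\
2015-03-09T21:28:01 192.168.1.23 -> 192.168.0.0:80 TCP
2015-03-09T21:28:01 192.168.1.23 -> 192.168.0.1:80 TCP
2015-03-09T21:28:02 192.168.1.23 -> 192.168.0.2:80 TCP
2015-03-09T21:28:02 192.168.1.23 -> 192.168.0.3:80 TCP
2015-03-09T21:28:03 192.168.1.23 -> 192.168.1.1:80 TCP
2015-03-09T21:28:03 192.168.1.23 -> 192.168.2.5:80 TCP
2015-03-09T21:28:04 192.168.1.23 -> 192.168.3.11:80 TCP
2015-03-09T21:28:05 192.168.1.23 -> 192.168.4.0:80 TCP
2015-03-09T21:28:09 192.168.1.23 -> 93.184.216.34:443 TCP
2015-03-09T21:30:00 192.168.1.40 -> 192.168.1.1:80 TCP
2015-03-09T21:31:10 192.168.1.40 -> 192.168.1.1:443 TCP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")

# The hard-coded range from the post: 192.168.[0-6].0 through 192.168.[0-6].11
SWEEP_NETS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(7)]


def in_sweep_range(ip: str) -> bool:
    """True if ip lies in 192.168.0-6.x with a last octet of 0..11."""
    addr = ipaddress.ip_address(ip)
    last_octet = int(str(addr).split(".")[-1])
    return any(addr in net for net in SWEEP_NETS) and last_octet <= 11


def parse(log: str):
    """Yield (timestamp, src, dst, port) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, _proto = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_lan_sweeps(log: str, min_targets: int = 5, window_seconds: int = 60) -> dict:
    """Flag sources that hit many in-range HTTP targets inside a short window.

    Returns {src: {"targets": n, "span_seconds": s, "network_address_hits": [...]}}
    for every source that crossed the threshold (assumed thresholds, tune per site).
    """
    hits = defaultdict(list)
    for ts, src, dst, port in parse(log):
        if port == 80 and in_sweep_range(dst):
            hits[src].append((ts, dst))

    findings = {}
    for src, events in hits.items():
        events.sort()
        targets = {dst for _, dst in events}
        span = (events[-1][0] - events[0][0]).total_seconds()
        # A .0 host is a network address; a real client has no reason to contact it,
        # but a hard-coded sweep that starts at .0 (as in the post's log) will.
        net_addr_hits = sorted(d for d in targets if d.endswith(".0"))
        if len(targets) >= min_targets and span <= window_seconds:
            findings[src] = {
                "targets": len(targets),
                "span_seconds": span,
                "network_address_hits": net_addr_hits,
            }
    return findings


if __name__ == "__main__":
    for src, info in find_lan_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} in-range HTTP targets in "
              f"{info['span_seconds']:.0f}s, network addresses hit: {info['network_address_hits']}")
```

    The threshold of five distinct in-range targets within a minute is deliberately loose; the stronger signal is the combination with hits on .0 addresses, which ordinary LAN traffic does not produce.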

    We noticed that the malware checks for Apple devices such as iPhones and iPads, even though those devices do not expose an HTTP administration panel. However, it should be noted that the strings focus more on routers. We found that the malware uses the following strings in its search:

    • dlink
    • d-link
    • laserjet
    • apache
    • cisco
    • gigaset
    • asus
    • apple
    • iphone
    • ipad
    • logitech
    • samsung
    • xbox


    Figure 5. The search for Apple devices

    Once the malware finishes scanning, the results of the search are base64-encoded and then encrypted with a self-made encryption method. Base64 on its own is only an encoding, not encryption, which is why the scan results also go through the custom routine. The encrypted result is then sent to a C&C server over HTTP.


    Figure 6. Encryption of scan results


    Figure 7. Sending results to the C&C server

    After it has sent the results, it deletes itself from the victim’s computer, removing any trace of it. It uses the following command to do so (the single ping with a 3,000 ms timeout simply serves as a delay so that the executable has exited before it is deleted):

    • exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del “%s”
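    The ping-then-delete command above is a common self-removal idiom, and it leaves a distinctive process-creation record: a cmd.exe /C line that pings a single time with a timeout and then deletes a file, very often the parent executable itself. The Python below is an added example (not code from the original post or from Trend Micro) that matches that pattern against constructed process-creation events; the event fields, paths and PIDs are assumptions for illustration.

```python
import re

# Matches "cmd /C ping <host> -n <count> -w <ms> > nul & del [/flags] "<path>"".
# Group 1 captures the deleted path without surrounding quotes.
SELF_DELETE_RE = re.compile(
    r"""/c\s+ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+\s*>\s*nul\s*&+\s*"""
    r"""(?:del|erase)\s+(?:/\S+\s+)*"?([^"&]+?)"?\s*$""",
    re.IGNORECASE,
)

# Constructed process-creation events (Sysmon-style fields; not real telemetry).
# The first one mirrors the command shown in the post, with the parent being the
# fake Flash update that spawned it; the other two are benign lookalikes.
SAMPLE_EVENTS = [
    {
        "pid": 4012,
        "image": "C:\\Windows\\System32\\cmd.exe",
        "parent": "C:\\Users\\bob\\AppData\\Local\\Temp\\flash_update.exe",
        "cmdline": 'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del '
                   '"C:\\Users\\bob\\AppData\\Local\\Temp\\flash_update.exe"',
    },
    {
        "pid": 4100,
        "image": "C:\\Windows\\System32\\cmd.exe",
        "parent": "C:\\Windows\\explorer.exe",
        "cmdline": "cmd.exe /C ping 8.8.8.8 -n 4",
    },
    {
        "pid": 4200,
        "image": "C:\\Windows\\System32\\cmd.exe",
        "parent": "C:\\Windows\\explorer.exe",
        "cmdline": "cmd.exe /C del /Q C:\\Users\\bob\\Downloads\\old.txt",
    },
]


def detect_self_delete(events):
    """Return one finding per event whose command line is a ping-delay-then-delete.

    deletes_parent is True when the deleted path is the process that spawned cmd.exe,
    which is the self-removal case described in the post.
    """
    findings = []
    for ev in events:
        m = SELF_DELETE_RE.search(ev["cmdline"])
        if not m:
            continue
        target = m.group(1).strip()
        findings.append({
            "pid": ev["pid"],
            "target": target,
            "deletes_parent": target.lower() == ev["parent"].lower(),
        })
    return findings


if __name__ == "__main__":
    for f in detect_self_delete(SAMPLE_EVENTS):
        flag = "SELF-DELETE of parent" if f["deletes_parent"] else "delayed delete"
        print(f"pid {f['pid']}: {flag}: {f['target']}")
```

    Deleting the parent image is the high-confidence case; a delayed delete of some other file is worth logging but is also what some installers and updaters do, so it should be triaged rather than blocked outright.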

    Gathering Intelligence

    Based on its routines, the malware might be used by cybercriminals as a “scout” for bigger campaigns. The intelligence gathering could be the first step in more severe attacks. The information could be stored and used for future cross-site request forgery (CSRF) attacks similar to the one discussed here. If attackers already hold working login credentials for specific IPs, such an attack would be easier to perform. Of course, we cannot be truly certain, but this seems to be the likeliest scenario for malware with this type of routine.

    Protecting Routers and Other Devices

    Whatever its ultimate goal, this malware shows the importance of securing devices—even those that might not seem like likely targets. Users should always change their routers’ default login credentials; strong passwords or passphrases are a must. Users can also opt for password management software to help them with all their passwords.

    Aside from good password habits, users should always remember other security practices. For example, they should avoid clicking links in emails as much as they can. If they need to go to a site, typing the address or using a bookmark is preferred. If their software requires updates, users can directly visit the official site for downloads. They can also opt for their applications to automatically install updates once they are available. Lastly, users should always protect their devices with security solutions. For example, they can use Trend Micro security for their computers and Trend Micro Mobile for Android and iOS for their smartphones.

    User names and passwords

    This malware uses the following list of possible user names:

    • admin
    • Admin
    • administrator
    • Administrator
    • bbsd-client
    • blank
    • cmaker
    • d-link
    • D-Link
    • guest
    • hsa
    • netrangr
    • root
    • supervisor
    • user
    • webadmin
    • wlse

    It uses the following list of passwords:

    • _Cisco
    • 0000
    • 000000
    • 1000
    • 1111
    • 111111
    • 1111111
    • 11111111
    • 111111111
    • 112233
    • 1212
    • 121212
    • 123123
    • 123123Aa
    • 123321
    • 1234
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234567890
    • 1234qwer
    • 123ewq
    • 123qwe
    • 131313
    • 159753
    • 1q2w3e4r
    • 1q2w3e4r5t
    • 1q2w3e4r5t6y7u8i9o0p
    • 1qaz2wsx
    • 2000
    • 2112
    • 2222
    • 222222
    • 232323
    • 321123
    • 321321
    • 3333
    • 4444
    • 654321
    • 666666
    • 6969
    • 7777
    • 777777
    • 7777777
    • 88888888
    • 987654
    • 987654321
    • 999999999
    • abc123
    • abc123
    • abcdef
    • access
    • adm
    • admin
    • Admin
    • Administrator
    • alpine
    • Amd
    • angel
    • asdfgh
    • attack
    • baseball
    • batman
    • blender
    • career
    • changeme
    • changeme2
    • Cisco
    • cisco
    • cmaker
    • connect
    • default
    • diamond
    • D-Link
    • dragon
    • ewq123
    • ewq321
    • football
    • gfhjkm
    • god
    • hsadb
    • ilove
    • iloveyou
    • internet
    • Internet
    • jesus
    • job
    • killer
    • klaster
    • letmein
    • link
    • marina
    • master
    • monkey
    • mustang
    • newpass
    • passwd
    • password
    • password0
    • password1
    • pepper
    • pnadmin
    • private
    • public
    • qazwsx
    • qwaszx
    • qwe123
    • qwe321
    • qweasd
    • qweasdzxc
    • qweqwe
    • qwerty
    • qwerty123
    • qwertyuiop
    • ripeop
    • riverhead
    • root
    • secret
    • secur4u
    • sex
    • shadow
    • sky
    • superman
    • supervisor
    • system
    • target123
    • the
    • tinkle
    • tivonpw
    • user
    • User
    • wisedb
    • work
    • zaq123wsx
    • zaq12wsx
    • zaq1wsx
    • zxcv
    • zxcvb
    • zxcvbn
    • zxcvbnm

    Hash of related file:

    • a375365f01fc765a6cf7f20b93f13364604f2605
     
    Posted in Malware | Comments Off on Malware Snoops Through Your Home Network



    The earlier Flash zero-days of the year have brought a new malware threat to the forefront: the BEDEP malware family. It has been the payload of two zero-day exploits in recent weeks: CVE-2015-0311 in late January, and CVE-2015-0313 in early February.

    While these attacks made BEDEP far more widespread, it was not exactly a new malware family either. It was first spotted in September 2014, and is believed to be involved in both advertising fraud and other botnet-related activity. Its popularity as an attack platform grew significantly in early 2015, a direct result of its use in various exploit kit attacks.

    Approximately two-thirds of the victims of BEDEP from November 2014 to February 2015 were located in the United States, with Japan making up most of the remainder. Australia and Germany were also prominent BEDEP victims. We identified more than 7600 affected victims.

    Figure 1. Distribution of BEDEP victims

    How does BEDEP arrive on user systems? The zero-day attacks earlier in the year highlight one method: exploit kits delivered to users via malvertisements on legitimate sites. Both the Angler and Hanjuan exploit kits have been used to spread BEDEP.

    Another infection vector that has been less well documented is “legitimate” software. Legitimate applications today frequently come with components that pose a security risk; we recently saw this when the Superfish adware included components that could be used to attack SSL. In the cases we observed, it went further: the BEDEP backdoor was installed onto user systems (under the file name rifa.dll).

    Once installed on a machine, BEDEP has fairly typical backdoor routines that would allow an attacker to take control of the machine (by downloading and running various payloads).

    More details about BEDEP, as well as best practices and available Trend Micro solutions, can be found in our BEDEP Security Brief.

     
    Posted in Malware | Comments Off on BEDEP: Backdoors Brought Into The Light By Flash Zero-Days


    Mar 4, 1:54 pm (UTC-7)

    Security researchers and news outlets are reporting on a newly discovered vulnerability believed to have existed since the 1990s. This vulnerability, dubbed FREAK (Factoring RSA Export Keys), forces a secure connection to use weaker encryption—making it easy for cybercriminals to decrypt sensitive information.

    Vulnerable since the 1990s

    The flaw came about in the 1990s. Back then, the US government mandated that software intended for export use “export cipher suites that involved encryption keys no longer than 512 bits.” According to researchers, that kind of encryption might have sufficed in the 1990s, but a 512-bit RSA key can now be broken in about 7 hours for only US$100, given how much computing power is readily available from the cloud.

    While this restriction was lifted in the late 1990s, some implementations of the TLS and SSL protocols still support these export-grade encryption modes.

    FREAK, Out in the Open

    FREAK was discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. They found that OpenSSL (versions prior to 1.0.1k) and Apple TLS/SSL clients are vulnerable to man-in-the-middle (MITM) attacks. Once attackers are able to intercept the HTTPS communication between vulnerable clients and servers, they force the connection to use the old export-grade encryption.

    Attackers who “listen” in on the communication will then be able to decrypt the information with relative ease.

    Apple’s SecureTransport is used by applications running on iOS and OS X. These include Safari for iPhones, iPads, and Macs. Meanwhile, OpenSSL is used by Android browsers and other application packages. From our understanding, the attack is possible only if the OpenSSL version is vulnerable to CVE-2015-0204.

    Popular Sites Affected

    According to reports, 37% of browser-trusted sites are affected by this flaw. Affected sites include Bloomberg, Business Insider, ZDNet, HypeBeast, Nielsen, and the FBI. It bears stressing that there are country-specific sites that were also affected.

    Addressing the FREAK Flaw

    OpenSSL provided a patch for CVE-2015-0204 in January. Apple is reportedly deploying a patch for both mobile devices and computers.

    We advise Android users to refrain from using the default Android browser in their devices. They can instead use the Google Chrome app as it is not affected by the bug. Furthermore, connections to the Google search site are not affected.

    According to Deep Security Labs Director Pawan Kinger, FREAK is a serious and very real vulnerability which may require some level of sophistication to exploit. However, its sophistication won’t dissuade determined attackers. Carrying out a FREAK exploit requires attackers to be able to first create a man-in-the-middle (MITM) attack against the servers. It would also require the ability to control an SSL session between client and server and then force that session to downgrade to the lower encryption level. Then, the attacker would have to take the weakly encrypted traffic and perform a brute force attack against it that would take several hours, as opposed to days or weeks with higher encryption.

    We are currently evaluating its exact impact and attack mechanism on servers. For the time being, we advise businesses running websites and other server applications that still use export-grade ciphers to upgrade their systems and to move to the latest OpenSSL. Administrators can also check whether their site is vulnerable by using the SSL Labs’ SSL Server Test.

    Several workarounds have been suggested by freakattack.com, a site dedicated to disseminating information about this vulnerability:

    • Administrators should disable support for any export suites.
    • Administrators should disable support for all known insecure ciphers and enable forward secrecy.
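    Both workarounds act on the server's cipher suite list, and a small model of server-side cipher selection shows why they work. The Python below is an added example (not code from the original post, from freakattack.com or from Trend Micro): it models a server choosing the first suite in its own preference order that the client also offered, shows that a server still carrying EXP- suites will settle on one when an attacker in the middle replaces the client's offer with export suites only, and shows that the hardened list makes that negotiation fail instead. The suite names are real OpenSSL names, but the server and client lists are constructed; the client-side half of CVE-2015-0204 (a vulnerable client accepting a 512-bit key it never asked for) is not modeled.

```python
# Real OpenSSL cipher suite names; the lists themselves are constructed examples.
EXPORT_SUITES = ["EXP-RC4-MD5", "EXP-DES-CBC-SHA", "EXP-RC2-CBC-MD5"]
RSA_KX_SUITES = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]      # static RSA key exchange
PFS_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA"]


def is_export(suite: str) -> bool:
    """EXP- suites are the export-grade ones (RSA key exchange capped at 512 bits)."""
    return suite.startswith("EXP-")


def has_forward_secrecy(suite: str) -> bool:
    """(EC)DHE key exchange gives forward secrecy; static RSA does not."""
    return suite.startswith(("ECDHE-", "DHE-"))


def negotiate(server_prefs, client_offer):
    """Server-preference selection: first suite in the server's order that the client
    offered. None means the handshake fails (no common suite)."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def downgraded_offer(_client_offer):
    """Models the attacker-in-the-middle rewriting the ClientHello so that only
    export suites are offered, as described in the post. Constructed for the model."""
    return list(EXPORT_SUITES)


def assess_config(server_prefs):
    """Check a server list against the two freakattack.com workarounds above."""
    problems = []
    if any(is_export(s) for s in server_prefs):
        problems.append("export suites enabled")
    if not any(has_forward_secrecy(s) for s in server_prefs):
        problems.append("no forward-secrecy suites")
    elif not has_forward_secrecy(server_prefs[0]):
        problems.append("forward secrecy not preferred")
    return problems


def harden(server_prefs):
    """Drop export suites and move forward-secrecy suites to the front."""
    pfs = [s for s in server_prefs if has_forward_secrecy(s)]
    rest = [s for s in server_prefs if not has_forward_secrecy(s) and not is_export(s)]
    return pfs + rest


def to_openssl_cipher_string(server_prefs):
    """Render the list as an OpenSSL cipher string with explicit exclusions."""
    return ":".join(server_prefs) + ":!EXPORT:!aNULL:!eNULL"


# A legacy server that never removed its export suites and prefers static RSA,
# and a modern client that does not offer any EXP- suite.
LEGACY_SERVER = RSA_KX_SUITES + EXPORT_SUITES + PFS_SUITES
CLIENT_OFFER = PFS_SUITES + RSA_KX_SUITES


def demo():
    hardened = harden(LEGACY_SERVER)
    return {
        "legacy_normal": negotiate(LEGACY_SERVER, CLIENT_OFFER),
        "legacy_downgraded": negotiate(LEGACY_SERVER, downgraded_offer(CLIENT_OFFER)),
        "hardened_normal": negotiate(hardened, CLIENT_OFFER),
        "hardened_downgraded": negotiate(hardened, downgraded_offer(CLIENT_OFFER)),
        "legacy_problems": assess_config(LEGACY_SERVER),
        "hardened_problems": assess_config(hardened),
        "hardened_cipher_string": to_openssl_cipher_string(hardened),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The instructive row is the downgraded one: with the legacy list the server happily completes a handshake on EXP-RC4-MD5 even though the real client never wanted it, while the hardened list has no export suite left to agree on and the connection fails, which is the safe outcome.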

    Trend Micro Deep Security protects users from this vulnerability through the following DPI rule:

    • 1006485 – OpenSSL RSA Downgrade Vulnerability (CVE-2015-0204)

    Note that this rule is available for client-based Vulnerability Protection.

    Update as of March 5, 2015, 5:20 PM PST

    We have added the following DPI rules to protect servers against this threat:

    • 1006561 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response
    • 1006562 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request

    Update as of March 5, 2015, 9:43 AM PST

    Microsoft has confirmed that all versions of Windows are vulnerable. Red Hat confirmed that versions 6 and 7 of Red Hat Enterprise Linux (RHEL) are vulnerable as well. Browsers that are vulnerable to the FREAK vulnerability include Internet Explorer, Opera (Mac OS X / Linux), and Safari.

     

     



    2014 was a year that was marked with numerous changes in the threat landscape. We saw a lot of improvements in existing malware, either with new evasion techniques or versions. We even saw some old techniques and attacks resurface in the landscape.

    Evasion Tactics

    We are seeing more malware incorporate Tor in their routines as a method of evasion. We have seen ZBOT variants include a Tor component to hide the malware’s communication to its command-and-control (C&C) servers. We have also seen a variant of BIFROSE malware, often used in targeted attacks, include Tor in its communications routine.

    In a span of a few months, we witnessed the malware POWELIKS increase its anti-detection techniques. At first, POWELIKS hid its malicious code in the Windows Registry, making detection and forensics difficult. We later found new variants that employ a new autostart mechanism and remove users’ privileges to view the registry key’s content.

    Spam also upped the ante by using snippets of current news articles in the body text of the email. This technique, adding random clips of incidents or news that may be relevant given the date and time, is used by spammers to avoid email filters.

    The Rise of 64-Bit Malware

    In 2014, Google made the observation that the majority of Windows users are now using 64-bit operating systems. Unfortunately, attackers are also following suit with 64-bit malware.

    Notorious banking malware ZeuS/ZBOT was found targeting 64-bit systems. This 64-bit version of ZeuS/ZBOT is a progression for the malware. Upon analysis, we found that this new version has upgraded its antimalware evasion techniques, including preventing certain analysis tools from executing.

    In the 2H 2013 Targeted Attack Trends report, we noted that almost 10% of all malware related to targeted attacks runs exclusively on 64-bit platforms. Activity in the threat landscape supports this statistic. We spotted an upgraded 64-bit KIVARS used in targeted attacks. Meanwhile, 64-bit versions of the malware MIRAS were discovered to have been used in the data exfiltration stage of a targeted attack. Yet another malware, HAVEX, was also found to have 64-bit versions.

     
    Posted in Malware | Comments Off on Notorious Malware Improvements and Enhancements of 2014



    2014 can be remembered as the year when PoS malware attacks became truly widespread. Many retailers and other businesses became victims of these attacks, which resulted in financial losses and embarrassment for their victims. One can ask: how do these organizations become victims of PoS malware in the first place?

    Most of the methods used to compromise a system with PoS malware are broadly similar to those used by any other malware. In our paper titled PoS RAM Scraper Malware, we discussed some possibilities, including:

    • A malicious insider
      Employees of an organization could decide to plant PoS malware on the relevant systems. This is one of the hardest threats to defend against, but as far as PoS malware is concerned, one of the earliest scrapers was first discovered in air-gapped PoS systems. To this day, some PoS malware families will dump stolen data directly to a USB stick.
    • Phishing/social engineering
      Phishing is one of the oldest techniques around to compromise a network, and it’s still very effective. This risk is particularly acute in small businesses, which tend to use a PoS system not just for payment purposes, but for others as well (such as email, browsing, and social media). This increases the risk that various social engineering attacks will prove to be successful.
    • Vulnerability exploitation
      PoS systems are frequently not updated, partially at the behest of terminal vendors who may have something of an “it’s not broke, don’t fix it” mentality. Unfortunately, this means that these systems are vulnerable to many exploits that attackers regularly try to use. This is particularly a problem in cases where PoS systems are used for other purposes.
    • Non-compliance with PCI DSS guidelines
      The payment industry’s PCI DSS guidelines are supposed to mandate best practices within the industry, but in some cases these are not followed. The causes for non-compliance may vary, but the end result is the same: poor implementation of best practices allows various “small” incidents to leak payment information.
    • Targeted attacks
      More sophisticated attacks may also be used to target a business’s PoS systems. For example, targeting a third-party contractor with access to a company’s network may be easier than targeting the company directly.

    Whatever the threat may be, a variety of technologies can be used to detect these threats. Deep packet inspection tools can help detect the network traffic associated with these attacks. Most importantly, given that the functions performed by PoS systems are sufficiently limited in scope, they represent an ideal situation for application control. This would make launching malware attacks of any kind significantly more difficult.

    The infographic, Protecting Point of Sales Systems from PoS Malware, outlines how a PoS attack takes place, and what steps need to be taken to protect against them.

     
    Posted in Malware | Comments Off on Protecting Your Money: How Does PoS Malware Get In?


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice