    Author Archive - Trend Micro

    Before the end of the month, we will release a new paper in our Cybercriminal Underground Economy Series titled Russian Underground Revisited. This is a follow-up to our earlier paper Russian Underground 101; both papers examined the Russian underground and looked at the goods and services being sold inside these underground communities.

    While the full details will not be published until next week, the overall finding of the report is clear: cybercrime has never been more affordable and accessible, even for lesser-skilled cybercriminals.

    The lower ranks of the underground communities are often derisively referred to as “script kiddies”, but this does not mean that the damage they cause is any less consequential. Technical understanding of security flaws is not a prerequisite to exploiting them; in this respect they are just like the “users” of any other organization: they just want their code “to work”. The only difference is that their code is carrying out malicious behavior.

    What does this mean? For starters, it means that the volume of threats will keep on increasing for the foreseeable future. We may also see more variety in threats, if only because the attackers are more numerous than before. (One shouldn’t interpret falling prices as a sign of a failing business.) In addition, the scope and variety of the products for sale are also improving, making the resources available for “script kiddies” more powerful.

    Cybercrime is a business, and the prices we’ve seen validate what we already know: times are good, victims are plentiful, and the risk is relatively low. This is in spite of technical solutions that have increased the security of computing devices overall. It highlights the need for cybercrime solutions that focus not just on technical issues, but on economic and legal ones as well.

    Posted in Malware

    How the Heartbleed bug works

    In previous blog entries, we’ve discussed various aspects of the Heartbleed vulnerability in OpenSSL. Last Tuesday, our first blog post covered an analysis of the vulnerability itself, as well as some steps that IT administrators of affected systems could do in order to protect themselves. Later entries looked at how popular websites and mobile apps were, in their own ways, vulnerable to the threat.

    To help deal with the Heartbleed vulnerability, we’ve released several tools that can be used to detect possible exposure to the risks:

    We have released the Trend Micro Heartbleed Detector on the Google Play app store. This tool is designed to help users tell whether they are vulnerable to any aspect of this threat. In particular, it checks for three things:

    • It checks whether the version of OpenSSL used in the device’s version of Android may be vulnerable.
    • It checks whether any OpenSSL libraries embedded in the user’s installed apps may be vulnerable.
    • It checks whether the user’s installed apps communicate to any unpatched (and therefore, vulnerable) servers.
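The version check in the first bullet, as an added example (this is not the detector's own code): a small Python classifier that flags OpenSSL version banners in the affected range and groups a batch of banners for follow-up. The affected-range facts and the sample banners are assumptions of this example, and the verdict is deliberately "possibly" vulnerable, because many distributions backported the fix without changing the version letter.

```python
import re

# Affected range assumed by this example: OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1 carried the heartbeat bug; 1.0.1g was the first fixed release,
# and the 0.9.8 and 1.0.0 branches never contained the heartbeat code at all.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|dev))?", re.IGNORECASE)
POSSIBLY_VULNERABLE, NOT_AFFECTED, UNKNOWN = "possibly-vulnerable", "not-affected", "unknown"

def classify_openssl_version(banner):
    """Classify a banner such as 'OpenSSL 1.0.1e 11 Feb 2013'.
    The verdict is only ever 'possibly' vulnerable: distributions often backport
    the fix without bumping the letter suffix, so a match is a lead to confirm
    with the vendor or a live heartbeat test, never proof on its own."""
    match = VERSION_RE.search(banner)
    if not match:
        return UNKNOWN  # not OpenSSL at all, or a string we cannot parse
    major, minor, fix = (int(match.group(i)) for i in (1, 2, 3))
    letter = match.group(4).lower()
    tag = (match.group(5) or "").lower()
    if (major, minor, fix) == (1, 0, 1):
        # plain 1.0.1 (empty letter) through 1.0.1f; 'g' and later are fixed
        return POSSIBLY_VULNERABLE if letter < "g" else NOT_AFFECTED
    if (major, minor, fix) == (1, 0, 2):
        # only the first 1.0.2 beta carried the bug; 1.0.2 final shipped fixed
        return POSSIBLY_VULNERABLE if tag == "beta1" else NOT_AFFECTED
    return NOT_AFFECTED

def triage(banners):
    """Group collected banners by verdict so suspicious ones can be followed up."""
    report = {POSSIBLY_VULNERABLE: [], NOT_AFFECTED: [], UNKNOWN: []}
    for banner in banners:
        report[classify_openssl_version(banner)].append(banner)
    return report

# Constructed sample banners, in the form printed by 'openssl version' or found
# as a version string inside a bundled libcrypto.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.0k 5 Feb 2013",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "LibreSSL 2.0.0",
]

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_BANNERS).items():
        print(verdict, items)
```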

    Figure 1. Detector application

    If any vulnerable apps are detected, the detector offers to uninstall the app for the user:

    Figure 2. Vulnerable app detected

    We don’t recommend that users immediately uninstall all vulnerable apps, but this is something everyone should consider for applications that handle critical information, such as mobile banking applications. In addition, it’s a good idea for users to contact the companies that maintain these vulnerable apps and ask them to update their apps or websites as soon as possible.

    For Chrome users, we’ve also released the Trend Micro OpenSSL Heartbleed Scanner app. The scanner allows users to check whether specific sites are vulnerable to Heartbleed. The tool can be downloaded from the Chrome Web Store.

    Other users who want to check whether a site is vulnerable can do so through our Trend Micro Heartbleed Detector website.

    We will continue to monitor this issue and release more information as needed. For other posts discussing the Heartbleed bug, check our entries from the past week:

    Posted in Bad Sites

    A key part of our cybercrime research focuses on the communities that cybercriminals form. These are used in much the same way that communities of other shared “interests” are – to socialize, to get together, and to buy and sell various items of interest.

    For security researchers, the activities of these underground communities – and the corresponding economies that they form – are a valuable source of threat intelligence. This allows us to examine current trends in the threat landscape, as well as look into and prepare for future threats.

    Our research in the past has highlighted the wide variety of goods and services available in the cybercrime underground. These range from crypters, exploit kits, and Trojans to denial of service (DoS) attacks, proxy servers, and web traffic, and everything in between. Our research into the underground has included findings related to malicious traffic management, the reaction to the fall of the BlackHole Exploit Kit, as well as overviews of the Chinese and Russian undergrounds.

    One consistent trend has been the continuing fall in prices of most goods and services. The average price of items has been dropping across the board, making these items accessible to more would-be cybercriminals. Pricier, more effective versions of these goods are available, of course – but the “average” versions of these tools are more than adequate for their purposes.

    There is no shortage of targets either, with much of the world today now online. The following chart shows the countries with the most Internet users and thus, the most potential victims:

    Figure 1. Countries with largest online population

    There are multiple cybercrime communities around the world with various ties to each other, but they also have unique characteristics that differentiate them. Throughout the year, we will be publishing papers that describe these communities, as well as the economies that they create. These papers are all part of our Cybercriminal Underground Economy Series, or CUES. They will highlight the unique characteristics of each market, provide a summary of the goods and services available, and list the prices for these items.

    The first paper of CUES, covering the mobile cybercrime underground in China, was released earlier this month. The CUES portal will be updated as more papers covering other economies such as those in Russia and Brazil are released.

    Posted in Malware

    On several underground forums, a cybercriminal named gripper is selling ATM skimmers and fake POS terminals, and is making some very bold claims doing so:

    Figure 1. Underground advertisement.

    The cybercriminal claims that he can mass-produce VeriFone VerixV point-of-sale (PoS) devices. (VeriFone is a US-based provider of PoS terminals.) Specific VeriFone products such as the Vx510, the Vx670, and the Vx810 Duet are mentioned. These rogue terminals can be used in a store to steal the credit card information of customers; the stolen information is then used or sold on the black market.

    In addition, the seller wants to prove that he is reputable: he said he is willing to ship his product anywhere in the world and to provide 24/7 support. He went on to say:


    These criminals claim they are able to mass produce almost anything related to ATM and PoS devices. One such ad listed the parts and devices they can produce and ship, with some prices in parentheses:

    • Fake VeriFone VerixV terminals (Vx510, Vx670 and Vx810 Duet)
    • Gerber file for producing the PCBs for MSRV009 credit card readers
    • ATM panel, camera panel, and keypads for Wincor ProCash 2050xe ATMs
    • Green cover panel and camera panel for NCR 5886 ATMs ($1850)
    • Apple ring and camera panels for NCR SelfServ ATMs ($2000)
    • Keypad for Wincor ATMs ($1000)

    Producing parts for ATM skimmers and fake PoS terminals is not new; it has been reported by other researchers since 2011. What is very worrying is that the sellers claim they can mass-produce these items from locations in China, since mass production of these devices or parts could result in more bank fraud against end users. The sellers appear to be quite knowledgeable about developments in ATM skimmers and PoS terminals; they are also very open about what they offer to would-be buyers. In fact, several customers have already vouched for gripper, sharing their good customer experience with this seller.

    A gallery of pictures supplied by the cybercriminals in order to promote their wares follows.

    Figures 2-5. ATM skimmer and PoS terminal images

    Posted in Bad Sites

    We recently came across this particular post in an underground forum:

    Figure 1. Underground forum post

    This post, written in Russian, was advertising a new product known as “BlackOS”. Contrary to the name, it is not an operating system. However, it is definitely “black”, or malicious: it is used to manage and redirect Internet traffic from malicious or compromised websites to other malicious sites.

    These types of products are not new in underground communities – for example, Brian Krebs wrote about a similar site almost two years ago. Even BlackOS itself is not completely new. It is a new version of the earlier “Tale of the North” software, described by security researchers in September 2013.

    Capabilities of BlackOS

    BlackOS and other similar packages are designed to make managing and exploiting websites easier by automating the process. This allows a cybercriminal to squeeze the most profit out of his victims. It has a web interface which is used to manage the web traffic and its different features. It can cope with high volumes of Internet traffic, and can inject iframes and redirect traffic as specified by its user.

    Here are some of the features of BlackOS, as stated in an advertisement in underground forums (as translated from the original Russian):

    1) Implement the optimal model of converting traffic. Distribute and install by geo and user agent;
    2) Get a unique opportunity to refuse to sell iframe traffic;
    3) Automatically detect PR domains and links and implement an effective impact on the issuance of search engines;
    4) Get fast, stable and private socks5 lists for any of your software requiring the use of a proxy;
    5) Sort the list of accounts as fast as possible;
    6) Upload any of your scripts with verification. Pour shells and mass execute commands on them: set/code cleanup, eval(), system(), sendmail and check antiDDOS;
    7) Perform a vulnerability scan on your servers;
    8) Process the parsing of databases of remote CMS.

    New features for managing accounts, along with powerful SEO tools and an interface intuitive for novice webmasters and professionals alike, allow us to hope that BlackOS will take its rightful place in your workspace.

    BlackOS is not particularly cheap. It costs $3,800 a year; a reinstall/rebuild costs $100. For cybercriminals on a budget, basic configurations (16GB of RAM, octacore CPU, and SSD storage) can be rented for $100 a month. (The creators of BlackOS only accept payment in Bitcoin, Litecoin, or Perfect Money.)

    One of the features of BlackOS is integration with online scanners that check if a website is already blocked by various security solutions, as seen below:

    Figure 2. Online scanner

    As we mentioned earlier, BlackOS appears to be an updated version of the previous Tale of the North package. One may ask why, then, is it being sold as “new” software? For that, we have to look into the Tale of the North and its author, Peter Severa.

    Peter Severa and the Tale of the North

    Peter Severa, who uses the handle Severa in various underground forums, began as a spammer as far back as 2003. He has used various spam botnets to send spam, including the Waledac and Kelihos botnets – in fact, he is currently facing criminal charges relating to his use of the latter. This has not scared him, though: to this day he is still active in the underground.

    His ICQ and Jabber accounts are well-known to the underground community; he also had a Webmoney account at one time, although that account was banned. We believe that the now-banned account was used by another “handle”, which was actually Severa hiding his identity. We also believe that Severa has a new Webmoney account.

    Severa wrote Tale of the North to manage the web traffic coming from users clicking links in his spam emails. For example, he could redirect users to various websites based on their geographic location.

    Recently, however, there appears to have been a dispute between Severa and other people involved with Tale of the North. According to the following underground forum post, Severa left the project and the other “contributors” have continued under the BlackOS name:

    Figure 3. Underground forum post

    A partial translation of that post follows:

    BlackOS was previously sold as North Tale. We had a team and there was a conflict, and I closed the project. The system is now marketed under the name BlackOS, and I have nothing to do with it now. I make no claims to manager/BlackOS; all conflicts between us are completely settled and I wish him success in his future development and sales of the software. It’s a really cool product that is unparalleled in the market, which required a decent number of man-years of development.

    We don’t know much about who’s selling BlackOS now. His Jabber account is publicly known (so would-be clients can contact him), and he also goes by the handle manager. Beyond that, his identity is unclear.

    What about Severa? He hasn’t left the underground community. He is now running two active affiliate programs—both named partially after himself: SevPod and SevSka—that spread spambot malware.

    In February, Severa was advertising SevPod in forum posts, like this one:

    Figure 4. SevPod advertisement

    A partial translation follows:

    I want to introduce you to your new project – a private affiliate for substitution issue, {affiliate program URL}. I managed to make a really long-lived substitute, and your download will bring you income for many months, even after you stop shipping. Unlike other substitutions, I have bids for virtually all countries. Of course, miracles do not happen, and you will get the maximum revenue from the US, Canada, Australia, UK, Western Europe, but the third world countries will bring you a steady income for a long time too! 95% of the money that I get for clicks from feed providers, I pay for your ads.

    The about page for SevPod goes on:

    … is the latest revolutionary affiliate program by substitution SERPs. We get maximum bids from our feed providers, 95% of the funds we receive we give to our clients. Convert clicks from almost all countries of the world. We also use more modern methods of monetizing traffic, such as pay per user activity on the site, pay per view and interactions with different content. Unlike click bot traffic, we use live traffic, so our traffic is much more expensive, and will bring you income for a long time.

    From these posts and sites, it is clear that Severa is still involved in the traffic redirection business and spam, although one could say he is focusing more on the “business” aspect of cybercrime than the technical aspects.

    The information we gathered in this post was taken from various underground sources, although all of it was essentially public. We urge any law enforcement agencies investigating Severa or the creators of BlackOS to reach out to us, as we have additional information that is not part of this post.

    Posted in Bad Sites, Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice