    Author Archive - Trend Micro

    9:10 pm (UTC-7)

    Looking back at the first quarter of the year, the highlight (or, more appropriately, the lowlight) was clear. Popular software packages like Adobe Reader/Acrobat, Flash, and Java all had to deal with multiple zero-day exploits during the quarter: exploits that were widely available in underground circles long before the vendors made any patches available.

    Having one high-profile incident like that in a quarter is significant in and of itself, but having multiple ones that affect different applications is even more unusual. Users were put at increased risk of downloading malicious files – without them having done anything wrong – multiple times in the quarter. In the absence of an official patch from vendors, home users didn’t have an effective way to protect themselves. Such was the scale of the problem that the US Department of Homeland Security urged users to remove Java if they didn’t need it.

    These exploits were soon incorporated into exploit kits, which became something of a growth industry in the quarter as well. In addition to the familiar Blackhole Exploit Kit, we saw new ones like Whitehole and Cool emerge as well.

    The spectre of destructive attacks (as outlined in our 2013 predictions) was raised, too, when a large-scale attack took many computers in South Korea offline by overwriting their Master Boot Record (MBR), rendering them unable to boot. The identity of those responsible for these attacks remains unclear.

    For full details about these and other threats encountered in the first quarter of 2013, you may consult our just-published 1Q Security Roundup. An online version has also been made available for more convenient viewing.

    Posted in Bad Sites

    At the recently held RSA Conference 2013, the new CA Security Council (CASC) was launched, with Trend Micro as one of the seven charter members of this grouping of certificate authorities (CAs). What is the CASC, and what do we hope to achieve by joining CASC?

    The CA/Browser Forum and CASC’s Role

    Trend Micro has been in the SSL business since it acquired AffirmTrust in August 2011. Why was the CASC formed when groups like the CA/Browser Forum (of which Trend Micro is also a member) already exist where CAs can make their opinions heard? Because it fills a need that the existing industry groups cannot.

    While some Trend Micro employees have been involved with the CA/Browser Forum since its founding, that group has a structural limitation: because its membership includes browser vendors as well as CAs, it cannot advocate for CAs alone or for their causes, and there are times when CAs and browser vendors simply do not agree on specific issues. CAs therefore need a platform where they can make their case directly, outside the Forum.

    Creation of the CA Security Council

    To create a new voice for CAs and a central information source about SSL security for journalists and the public, Trend Micro and six other CAs founded the CA Security Council (CASC). The other six members are Comodo, DigiCert, Entrust, GlobalSign, GoDaddy, and Symantec. Together, CASC members are responsible for 95 percent or more of the trusted SSL certificates in the world. CASC's mission statement is:

    The CASC’s mission is to advance internet security by promoting deployments and enhancements to publicly trusted certificates and through public education, collaboration, and advocacy. The CASC strives for the adoption of digital certificate best practices and the proper issuance and use of digital certificates by CAs, browsers, and other interested parties.

    CASC is also meant to provide a rapid response to articles and questions about CAs and SSL in general. Good examples of situations where CASC would have been able to respond were the 2011 breach of the Dutch CA DigiNotar and the breach later that year of a Comodo reseller.

    Following stories like these, people in the security community have rightly asked “Is SSL broken?” (No.) and “Can CAs be trusted?” (Yes.) CASC is working with CAs as a group so we can respond when new SSL questions arise; CASC members and experts are already being treated as the “go-to” source for technology journalists.


    Posted in Bad Sites

    Certain German websites were defaced by a group of hackers on April Fools' Day. This, however, was no ordinary prank.

    The hackers left messages on the defaced German websites in Arabic, and the message is quite clear:

    Figure 1. Screenshot of defaced German website

    Translated, the text reads as:

    Algeria to the core #

    With Palestine unjust or wronged

    They also posted the same news on their Facebook page.

    This is not the first time that this group, which calls itself "Algeria to the core", has defaced websites. Just recently, Australian, Thai and Israeli websites were defaced by the same group. Its members include people who go by the following online names:

    • Dz_Med@Ka
    • Dr_h0uCk
    • Dz_Hunter
    • LaMiN3 DK
    • TAYO_DZ
    • Dz_ErRoR
    • JOCk
    • GeL-Dz
    • Evil-Dz h4x0r
    • Les Soldats de L’est
    • VaGa-Hacker-Dz.

    This group has been active for a while now. According to zone-h, their earliest recorded activity was back in August 2012, but note that not all defacement incidents are reported.


    Posted in Targeted Attacks

    12:03 pm (UTC-7)

    Our investigation and analysis of last week’s MBR wiper attacks in South Korea is still ongoing. This post summarizes our results and available protection.

    The MBR wiper arrives as a dropper file (detected as TROJ_KILLMBR.SM), which drops four files onto the system:

    • Agentbase.exe – the actual MBR wiper, also detected as TROJ_KILLMBR.SM
    • ~pr1.tmp – a UNIX executable, detected as UNIX_KILLMBR.A
    • Alg.exe – non-malicious file, related to the PuTTY client
    • Conime.exe – non-malicious file, related to the PuTTY client

    However, before it wipes the MBR, it performs two additional routines: firstly, it terminates the processes of two Korean antivirus suites, if these are running on the affected systems. (Other variants we’ve seen also terminate a third antivirus product, which is also Korean.)

    Secondly, it searches for saved SSH credentials from two well-known SSH clients, mRemote and SecureCRT. It looks in the folders where these two clients save their session data, namely:

    • %AppDataLocal%\Felix_Deimel\mRemote\confCons.xml (for mRemote)
    • %Application Data%\VanDyke\Config\Sessions (for SecureCRT)

    It parses the credentials stored at these locations and looks for accounts with root access to servers. If it finds any, the malware attempts to log on to those servers using the saved credentials. It then checks the operating system of each server; if it finds any of the following operating systems, it uploads the ~pr1.tmp file to that server and runs it:

    • AIX
    • HP-UX
    • Linux
    • SunOS

    The actual MBR wiper overwrites the MBR with one of three strings, repeated: PRINCPES, HASTATI., or PR!NCPES. Some variants of this wiper only trigger at or before 2 PM on March 20, 2013; others only trigger at 3 PM or later. Overwriting the MBR leaves the system unable to boot normally.

    On newer versions of Windows (Vista and later), some variants of the MBR wiper also delete all files in all folders on the affected system. The malware then restarts the PC, and users are unable to use their machine.
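    For forensic triage of a disk pulled from an affected machine, the marker strings above are enough to distinguish the wiper's handiwork from ordinary boot damage. The script below is an added example, not Trend Micro code: it reads the first sector of a raw image, checks for the 55 AA boot signature and a sane partition table, and measures how much of the sector is covered by one of the three strings. The sample sectors are constructed; the intact one holds a single NTFS-type partition entry and a few placeholder opcode bytes, and the wiped one assumes the whole 512 bytes are filled with the repeated string (the post says "repeated" without giving the exact layout, so that is an assumption).

```python
"""Classify a 512-byte boot sector: intact MBR or TROJ_KILLMBR-style overwrite.

Added example, not part of the original post. Works on a raw disk image or,
with the right privileges, a physical drive opened read-only.
"""
import struct

SECTOR_SIZE = 512
# Strings the post reports the wiper writes repeatedly over the MBR.
WIPER_MARKERS = (b"PRINCPES", b"HASTATI.", b"PR!NCPES")


def parse_partition_table(sector):
    """Return the non-empty entries of the four 16-byte slots at offset 446."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        boot_flag, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            entries.append({"bootable": boot_flag == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sector_count})
    return entries


def classify_mbr(sector):
    """Verdict for one sector: signature, partitions, wiper marker and coverage."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("need exactly one 512-byte sector")
    signature_ok = sector[510:512] == b"\x55\xaa"
    marker, coverage = None, 0.0
    for m in WIPER_MARKERS:
        share = sector.count(m) * len(m) / SECTOR_SIZE
        if share > coverage:
            marker, coverage = m.decode(), share
    partitions = parse_partition_table(sector) if signature_ok else []
    return {
        "boot_signature_ok": signature_ok,
        "partitions": partitions,
        "wiper_marker": marker,
        "marker_coverage": coverage,
        # A real MBR ends in 55 AA and carries a partition table; a sector
        # dominated by one of the strings and lacking both is the wiper's work.
        "wiped": coverage >= 0.5 and not (signature_ok and partitions),
    }


def triage_image(path):
    """Read the first sector of a raw image (e.g. dd output) and classify it."""
    with open(path, "rb") as fh:
        return classify_mbr(fh.read(SECTOR_SIZE))


# --- constructed samples (not captured from a real disk) ---------------------
def build_intact_mbr():
    """Minimal valid MBR: placeholder boot code, one NTFS partition, 55 AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xc0\x8e"  # xor ax,ax / mov ... : placeholder opcodes
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    sector[446:462] = entry
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def build_wiped_mbr(marker=b"PRINCPES"):
    """Sector filled with the repeated 8-byte marker (64 copies = 512 bytes)."""
    return (marker * (SECTOR_SIZE // len(marker)))[:SECTOR_SIZE]


if __name__ == "__main__":
    print(classify_mbr(build_intact_mbr()))
    print(classify_mbr(build_wiped_mbr(b"HASTATI.")))
```

    The coverage threshold matters: a legitimate boot sector could contain one of these strings by coincidence only in its boot-code area, never across half the sector, so `wiped` is only raised when the marker dominates and the structural checks fail. On a live Windows host the same check can be run against `\\.\PhysicalDrive0` opened read-only from an elevated prompt.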


    Posted in Malware, Targeted Attacks

    We have continued to look into the MBR-wiping attacks that hit Korea earlier. We believe we now have a good picture of how the attack was conducted by looking into two different scenarios, why it caused so much damage, and how we were able to protect users using Trend Micro Deep Discovery and other solutions.

    Spoofed Bank Notification Leads to Downloader

    On March 19, we saw the first indications of this attack: South Korean organizations received a spam message, posing as coming from a bank, with a malicious attachment that claimed to be monthly credit card billing information. The attachment is actually a downloader, which downloaded nine files from several different URLs. To hide its malicious routines, it displays a decoy website.

    It was at this stage that Deep Discovery was able to protect our customers, by heuristically detecting the malicious attachment via ATSE (Advanced Threats Scan Engine). Deep Discovery executed the attachment in a sandbox, which produced the list of URLs the downloader contacted; these URLs were blocked right away. The combination of the information provided by Deep Discovery and decisive action by IT administrators ensured that our customers were protected in a timely manner.

    The screenshot below shows the appearance of the alerts:



    Posted in Malware, Targeted Attacks


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice