TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro

    We’ve frequently talked about how important it is for law enforcement and security companies to work together to stop cybercrime. One particular reason to do so is because of the nature of cybercrime: simply put, it has no borders.

    Perhaps more than any other type of crime, cybercrime respects no borders. A cybercriminal in Russia can have colleagues in the Ukraine, use servers in the United Kingdom, and target users in the United States.

    We work extensively with Interpol to help fight cybercrime around the world. We recently agreed to provide tools, training, and information to Interpol so that law enforcement agencies from around the world can build the capabilities they need to fight cybercrime on their own turf.

    However, we also work with countries individually, and in some of those cases we are able to bring agencies from different countries together to investigate the same group of cybercriminals. By serving as a go-between for these countries, we are able to help police from different countries work on the same case without having to go through the complex and time-consuming procedures used when mutual legal assistance treaties (MLATs) are invoked.

    There are still areas where international cooperation in fighting cybercrime can be improved. Something that we think would be highly beneficial is for countries to work together to form multinational police agencies that could help deal with regional cybercrime issues. In Europe, we have Europol, which helps support the activities of various local law enforcement bodies. An agency like Europol can be very useful in regions where countries have very limited capabilities to investigate cybercrime, such as Africa.

    Cybercrime is a global problem, and without global solutions it cannot be fought effectively. Trend Micro works with law enforcement agencies from across the globe in order to deal with these threats and help make the Internet safer for everyone.

    Posted in Malware |

    Much has been reported about the recent discovery of a cyber-espionage campaign launched by a group known as the “Sandworm Team.” At the very heart of this incident is a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.

    In our analysis, the vulnerability may allow attackers to execute additional malware through a flaw in the OLE package manager in Microsoft Windows and Windows Server. Early reports shared that the vulnerability was being exploited in targeted attacks against several organizations and industry sectors. Analysis by Trend Micro researchers revealed that the attacks had ties to SCADA-centric targets. Furthermore, this vulnerability was soon used in yet another attack that employed a new evasion technique in the form of malicious files embedded in .PPSX files.

    Sometimes Old, Sometimes New

    Zero-day exploits aren’t the only exploits used in the targeted attack landscape. In the first half of 2014, we saw that attackers still heavily target older vulnerabilities. One prime example would be CVE-2012-0158, a vulnerability related to Windows Common Controls. Despite the existence of a patch since early 2012, this vulnerability has proven to be an integral tool in targeted attacks, including that of the PLEAD campaign.

    Of course, this doesn’t mean that zero-day vulnerabilities haven’t made an impact in 2014 so far. A targeted attack exploiting a Windows zero-day vulnerability was found to have targeted several embassies. The bug was patched a couple of days later, which was notable as this occurred prior to the end of support for Windows XP, an affected platform. Another zero-day vulnerability also figured heavily in the attacks conducted by the threat actors behind the Taidoor campaign. Discovered in the latter portion of March, a patch for this zero-day was made available in the April Patch Tuesday.

    The Trade-off

    Vulnerabilities are almost always patched by vendors, especially if the vulnerability is considered critical. But despite the existence of patches, not all users and organizations apply them, or apply them immediately. One reason is that applying the patch might disrupt operations. Or there might be a significant delay in applying patches because they first need to be tested before being rolled out to corporate environments.

    In this sense, attackers go for older vulnerabilities for their “reliability.” These are the tried-and-tested vulnerabilities that can still be found in targeted networks and organizations. And since these vulnerabilities have been around for years, it is easier for attackers to craft malware or threats that reliably exploit them.

    On the other hand, newer vulnerabilities can give attackers the upper hand. Zero-day exploits can catch all parties, including security vendors, off guard. While vendors scramble to create the necessary security measures and the corresponding patch, zero-day exploits can use this “window of insecurity” to attack and affect even the most secure environments. In that sense, zero-day vulnerabilities can be considered more effective and even riskier.

    Payoff in the Targets

    Zero-days can be even more effective if the affected platform or application is outdated or has reached its end of support. With no patches made available, the window of “insecurity” initially exploited by zero-days becomes a permanent one.

    That was initially the case for an Internet Explorer vulnerability that was being exploited in targeted attacks. The vulnerability (CVE-2014-1776) garnered much attention as it was initially reported that Microsoft would not be releasing a patch for Windows XP. However, a patch was soon made available for the platform.

    Countermeasures and Mitigations

    Addressing targeted attacks requires not only the right set of tools but also the right mindset. In our entry, “Common Misconceptions IT Admins Have on Targeted Attacks,” we enumerated several misconceptions that might greatly affect the security of a network. Included there is the misconception that targeted attacks always involve zero-day vulnerabilities. As we have seen, attackers do not limit themselves to zero-day vulnerabilities. In fact, older vulnerabilities are favored over zero-days. This stresses the importance of applying all security patches as soon as they are available.

    Addressing zero-days can be more difficult but not impossible. Tactics like virtual patching can help mitigate threats in the presence of zero-days and unsupported systems. Honeypots (which can attract attackers) can flag attacks at the earlier stages. Technologies like heuristic scanning and sandbox protection can help identify suspicious files and execute said files in a protected environment without compromising the network. Organizations should also look into employee education. Email lures are often the first stage in targeted attacks; if employees are trained to flag suspicious emails, network defense can improve greatly.

    Trend Micro Deep Security protects users from zero-day vulnerabilities mentioned in this entry via the following rules:

    • 1005801 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2013-5065)
    • 1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)
    • 1006045 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776) – 1
    • 1005989 – Identified Malicious C&C Server SSL Certificate (For CVE-2014-1761)
    • 1005990 – Microsoft Word RTF Remote Code Execution Vulnerability (CVE-2014-1761)
    • 1006000 – Microsoft Word RTF Remote Code Execution Vulnerability (CVE-2014-1761) – 1

    With additional insight from Ziv Chang


    Recent data breaches in big enterprises like large banks and retail chains make one thing clear: data privacy and protection is a concern for all organizations, not just large ones. If large enterprises with plenty of available resources can be affected by attacks and lose their data, smaller organizations without these resources are at risk as well.

    Users are not just worried about whether their data is secure; today they are also worrying about whether their data will be used properly by the sites and businesses they deal with. Concern among users about privacy has grown in recent months and years.

    The statistics bear this all out. A survey carried out in March 2014 by the market research firm GfK highlighted significant, and growing, concerns from consumers about their personal data. 49% of respondents said they were “very much” concerned about how their data was protected, with 60% of respondents saying this concern had increased in the past 12 months.

    Consumers are also taking action. A 2014 study by Radius Global found that 69% of survey respondents would do less business with a company they knew had been breached; 67% would try to only do business with companies that they feel can handle their data. The consequences for companies are clear.

    So, what should companies do? First of all, they need to recognize that data protection is now an important part of doing business. This means that they must actually approach it as something that matters, and not just a pain that has to be tolerated.

    To do this, organizations should first take stock and remember just what they are protecting and consider what’s most important – i.e., what is their core data. These should be protected with the best available resources. Keep in mind that the levels of protection necessary can change, depending on regulations (like the soon-to-be-implemented data protection regulations in the European Union).

    Local regulations on data protection can vary significantly. In the United States, there is no comprehensive law that covers all sectors. Instead, per-industry legislation such as the Health Insurance Portability and Accountability Act (HIPAA) is in place.

    In other countries, more comprehensive regulations that cover all sectors are more common. For example, countries in the European Union will soon be covered by the EU General Data Protection Regulation, which mandates EU-wide rules on data protection. Japan has similar laws in the form of the Act on the Protection of Personal Information, which dates back to 2003.

    However, not all organizations actually understand these regulations: in the EU, only 13% of businesses called their understanding of the upcoming regulations “very good”. This is despite the fact that, for example, businesses in the EU can be fined up to 5% of their annual turnover if they are in violation of the proposed regulations.

    Similar approaches need to be taken to assuage concerns about privacy. Ensure that what data is being collected is used correctly and in such a way as not to be perceived as “creepy” by end users. The same data protection that is done for core data must be applied here, too: end users will not take kindly to businesses that don’t protect the data of their customers.

    In the end, data protection comes down not just to technical aspects, but to organizations deciding that it matters. With the new year fast approaching, companies can learn from the many incidents of 2014 and ensure that their own organizations do not fall victim to similar attacks. To learn more about data protection law, read our infographic, The Road to Compliance: A Visual Guide to the EU Data Protection Law.

    Trend Micro secures users’ data via its integrated data loss prevention technology, which protects data found on endpoints, servers, networks, and even the cloud. It also protects the transfer of data between locations and comes with central policy management, which does not require installation of different technologies across multiple security layers.

    Posted in Targeted Attacks | Comments Off

    Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Reports are also coming in that this specific vulnerability has been exploited and used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.

    According to reports, this vulnerability (CVE-2014-4114) was exploited as part of a cyber-espionage campaign by attackers dubbed the “Sandworm Team.” This particular vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.” Details of the vulnerability have been made available, including the following:

    • This vulnerability exists in the OLE package manager in Microsoft Windows and Server.
    • The OLE packager can download and execute INF files. “In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allow a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.”
    • If exploited, the vulnerability can allow an attacker to remotely execute arbitrary code.
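    The external-file reference described above is visible in the document structure itself: an OOXML presentation (.pptx/.ppsx) is a zip archive, and an OLE object that points outside the package is recorded in a slide’s relationships part with TargetMode="External". The following triage script is an added example (not Trend Micro’s tooling): it opens a presentation, looks for external oleObject relationships that point to a UNC share or to a file extension the packager would execute, and reports them. The sample presentation and the list of risky extensions are constructed for illustration.

```python
"""Triage an OOXML presentation for OLE package objects that reference external files.
Added example, not Trend Micro's code; the sample document below is constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Extensions a Package OLE object should never pull from outside the document (illustrative list).
RISKY_EXT = re.compile(r"\.(inf|exe|bat|cmd|scr|vbs|js|ps1)$", re.IGNORECASE)


def find_external_ole_refs(data: bytes) -> list:
    """Return every slide relationship that is an OLE object with an external target
    that is either a UNC path or a risky file type. Each hit is a dict with the
    relationship part name, the relationship Id and the raw Target string."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # Slide relationships live in ppt/slides/_rels/slideN.xml.rels
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                is_external = rel.get("TargetMode") == "External"
                is_ole = rel.get("Type", "") == OLE_REL_TYPE
                is_unc = target.startswith("\\\\") or target.startswith("//")
                if is_external and is_ole and (is_unc or RISKY_EXT.search(target)):
                    hits.append({"part": name, "id": rel.get("Id"), "target": target})
    return hits


def build_sample(target: str) -> bytes:
    """Construct a minimal presentation-like zip whose single slide carries one
    external OLE relationship pointing at `target` (constructed test input)."""
    rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a slide object that points at an INF file on a TEST-NET share.
    sample = build_sample("\\\\192.0.2.10\\public\\update.inf")
    for hit in find_external_ole_refs(sample):
        print(f"{hit['part']} {hit['id']}: external OLE target {hit['target']}")
```

    A real document can also carry embedded (non-external) OLE objects under ppt/embeddings/, which this check deliberately ignores; those need content inspection rather than relationship inspection.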

    Microsoft has announced that it will release a patch for this vulnerability as part of this month’s Patch Tuesday. We encourage both users and admins to immediately download and install the patches as soon as they are made available.

    We are currently analyzing the related sample. We will update this entry as soon as more details and solutions are available.

    Update as of October 15, 2014, 11:24 P.M. (PDT):

    Further analysis of this zero-day vulnerability can be found in our entry, An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114′ aka “Sandworm.” You may also read the entry October 2014 Patch Tuesday Fixes Sandworm Vulnerability for information regarding the corresponding patch.

    Posted in Targeted Attacks, Vulnerabilities | Comments Off

    7:15 am (UTC-7)

    In the first part of this series, we discussed both the routines and entry point of the banking malware DYRE. However, information theft isn’t the last step for this malware. It turns out this malware is also involved in yet another scheme—the parcel mule scam.

    The Parcel and the Mule

    During our analysis of DYRE malware, Global BlackPoint, a web panel, was uncovered.

    Figure 1. Global BlackPoint site

    A quick search online led to domain listings, which had been leased over a year ago. The intended audience of this site can choose to shop for select items.

    Figure 2. Items for sale

    However, research and intelligence about the contents of this web panel pointed to the fact that it’s being used as a site to purchase items in the United States and re-ship them to different locations. The site indicates this within its terms and conditions of use.

    Figure 3. Terms and conditions

    These goods are delivered to individuals who live within the United States, who then ship them elsewhere in the world. These individuals may have titles such as “Shipping and Receiving Manager” or “Logistics Specialist,” but in reality they are “mules.” Hired through job postings on sites like Craigslist, these individuals were promised around US$50 per parcel, or around US$2,000 a month.

    This elaborate scheme is sometimes called a parcel mule scam, or reshipping scam. Cybercriminals profit from these scams by using money stolen from bank accounts (courtesy of the banking malware) to buy the items, which are then resold. Mules are hired in order to smuggle the goods out of the country. Hiring mules also lessens the possibility of the smuggling activity being traced back to the criminals. These kinds of scams have been around for some time, but people still fall for them because of their “get rich quick” nature.

    Retracing the Steps

    In short, we have a three-step threat story:

    • One possible entry point is spammed commercial or banking email. The main objective is to get lots of people to click on the malware component and infect as many of them as possible.
    • This first component then fetches a secondary infection, another piece of malware. We call this TSPY_BANKER.DYR, otherwise known as DYREZA, DYRANGES or BATTDIL. The objective here is to grab banking credentials in order to steal money.
    • Once money has been pilfered, goods bought with it are delivered to package mules, who re-ship them to locations outside the United States. This kind of operation is classically called a parcel mule scam or reshipping scam.


    Against spam and BANKER malware:

    • Know your bank’s policies. If you receive an email and don’t have an account with the bank in question, it’s not worth reading; delete it immediately. You can also call the nearest branch if you want to validate details.
      • If you’re reading mail via a web browser (web mail), try to make sure that the mail hosting service is reliable enough and has some sort of built-in anti-spam and anti-phishing capabilities.
      • If you’re reading email via an email client, most would have security features turned on by default. Use them to secure your email reading.
      • The use of an antivirus with web reputation services to block any suspicious link and attachment is also recommended.
    • A full-featured antimalware solution is the best tool against this type of threat scenario. The solution should be able to block malicious files based on signature and behavior, and have a firewall to filter inbound and outbound connections. It is better still if it offers client-side utilities like spam and URL filtering. A cloud-based solution is also ideal, in order to have the most up-to-date protection.
    • In unfortunate cases of infection, it’s better to stop it as early as you can. Change passwords immediately and monitor your online banking transactions. If you spot any suspicious activity, call your bank immediately.

    Against parcel mule scams:

    • Work-from-home jobs certainly exist but if they sound too good to be true, check and double-check them first. It’s important to always research the business trying to recruit you, even when in dire need.
    • Be informed about parcel mule scams. The U.S. Postal Inspection Service has a page about reshipping scams.
    • Victims of such scams can file a complaint with the Internet Crime Complaint Center (IC3), which processes online crime complaints from victims and third parties.

    With additional insight from Rhena Inocencio.

    Related hashes of files discussed in this series:

    Posted in Malware | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice