    Author Archive - Trend Micro

    The incidents that cropped up in the months of April to June 2014—from the data breaches, DDoS attacks, to malware improvements and threats to privacy—highlighted the need for enterprises to craft a more strategic response against and in anticipation of security threats.

    There were plenty of threats to be found in the quarter. There was the major vulnerability, Heartbleed, in the widely used cryptographic library OpenSSL. We saw both tech companies and restaurant chains fall victim to data breaches. We saw Windows XP patched one last time by Microsoft post-EOS. We saw major decisions in the judicial systems of the United States and Europe that could affect how data is handled and protected for years to come.

    Other parts of the threat landscape continued to become a bigger problem. Both online banking malware and mobile malware continued to affect many users:

    Figure 1. Online banking malware detection volume

    Figure 2. Cumulative mobile malware threat volume

    Some organizations will deal with these incidents in an exemplary manner. Others will fail. Most will be somewhere in between. Part of this quarter’s roundup discusses how several organizations dealt with various online threats that affected them, and what others can learn from these examples.

    Of course, cybercrime and targeted attacks are not the only perceived “threats” in the world. Increasingly, large Internet companies and government surveillance are perceived as “threats” as well. Here, too, we see how these threats are being addressed: both the EU’s “right to be forgotten” and Riley v. California, a US Supreme Court decision that held that searching the information on a cellphone requires a warrant, can be viewed as responses of the American and European legal systems to the situations in both regions. As digital problems intrude more on the daily lives of users, it is nearly certain that courts will have to weigh in moving forward.

    More details about the threats found in the second quarter—as well as how these threats were dealt with—can be found in the TrendLabs report entitled Turning the Tables on Cyber Attacks.




    In the early 2000s, Africa gained notoriety due to the 419 “Nigerian” scam. This scam involved making payments in exchange for a promised reward for helping so-called high-ranking Nigerian officials and their families. While not all of these scams necessarily originated from Africa, the use of Nigerian officials was imprinted upon the public consciousness, forever associating this scam with the continent.

    Web Defacement as a Popular Form of Protest

    The 419 scam isn’t the only cybercrime activity in the area. Web defacement is a major cybercrime activity among hackers in North Africa, with several groups from Morocco, Algeria, Tunisia, and Egypt leading the region. These groups aim to deface sites based in the United States, Europe, and pretty much any country with poor security. Their messages are often related to current events or some cause. These North African groups also use defacement as some form of competition. It’s not rare to see one group deface another country’s sites when a political event occurs.

    In 2013, we discussed website defacement, which occurred during April Fools’ Day. A group of Algerian hackers, known as “Algeria to the core,” defaced websites including German and Australian ones. Web defacement is an old hacking technique that consists of breaking into websites with weak security and replacing the content with customized messages.

    Hackers have used defacement as a form of protest or to send a message for a particular cause. Defacement has also been used as an act of cyber warfare among hacker groups from different countries.

    Attacks in a Larger Scale: Botnets, RATs, and Targeted Attack Techniques

    Cybercriminals in the region are moving from web defacement to more lucrative forms of cybercrime that involve the use of botnets, remote access Trojans (RATs), and banking/finance-related malware.

    In November 2013, we found that several Ice IX servers were tied to a group of individuals located in Nigeria. Ice IX is a banking Trojan, used with the better-known ZeuS/ZBOT malware. This malware is used to steal online banking credentials, email addresses, and information related to social media accounts. Earlier this year, an arrest involving the SpyEye banking malware showed that one of the key players was an Algerian cybercriminal who went by the alias bx1. Bx1 was also known for a history of defacing websites.


    Figure 1: Web defacement by Algerian cybercriminal “bx1”

    Apart from banking/finance-related malware, cybercriminals have begun operating botnets using RATs, such as in the case of the Blackshades RAT. Sold as a toolkit, Blackshades can steal passwords, log keystrokes, launch denial-of-service (DoS) attacks, and download and run malware on affected systems. Several Blackshades infections may then be combined into a botnet for distributed denial-of-service (DDoS) attacks, or the stolen information and documents may be sold.

    We are also seeing a shift toward the use of targeted attack techniques for malware campaigns. One methodology is the use of malicious email attachments and exploits for known vulnerabilities, such as CVE-2012-0158, to deliver malware like ZeuS/ZBOT. They are also using RATs, like the aforementioned Blackshades, in targeted attack-like campaigns.

    Beyond Africa

    Africa isn’t the only region experiencing this type of cybercriminal expansion. We are seeing the same indicators in India, which may possibly mean that more and more people are turning to cybercrime as a lucrative business. The adoption of such methodologies could be traced back to the society these cybercriminals live in, wherein some of them are highly educated but without any employment prospects. With a lot of time on their hands, they can easily pick up the skills for cybercrime and earn money. Moreover, the shortage of laws related to cybercrime—and the lack of enforcement for existing laws—in these countries make it difficult to catch and apprehend these criminals.

    These developments show that cybercriminals will always adapt to new trends and situations, whether through the use of new malware or targeted attack techniques, to continue their attacks. However, only time will tell if these cybercriminals will shift yet again—this time, to being major players in targeted attack groups.



    Aug 6, 4:05 am (UTC-7)

    Last week, the US Computer Emergency Readiness Team (US-CERT) reported about a newly discovered malware, dubbed “Backoff”, which targets point-of-sale (PoS) systems. Similar to other PoS malware such as Dexter and Scraper, Backoff is also used to steal financial information for malicious purposes.

    Based on our analysis, when Backoff is executed, it copies itself into %Application Data%\OracleJava\javaw.exe and launches the copy in %Application Data% with the parameter -m <path_to_original_backoff>. The copy then terminates the original Backoff process and deletes the initial copy of itself. We have seen the same installation technique used in the Alina family of PoS RAM-scraping malware. More details of its routines can be found in the US-CERT article. This entry, however, focuses on the scope and breadth of its infection.
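    As an added example (not code from the original post), the following Python check looks for the installation pattern described above in process-creation telemetry: a javaw.exe launched from a per-user Application Data\OracleJava folder, optionally carrying the -m <path> argument that points back at the original dropper. The event field names (pid, image, cmdline) and all sample paths are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Backoff copies itself to %Application Data%\OracleJava\javaw.exe and runs
# that copy with "-m <path_to_original>". A legitimate javaw.exe lives under
# Program Files\Java, so javaw.exe under a per-user profile folder named
# OracleJava is the indicator. Both classic (Application Data) and newer
# (AppData\Roaming) profile layouts are covered.
SUSPICIOUS_IMAGE = re.compile(
    r"\\(Application Data|AppData\\Roaming)\\OracleJava\\javaw\.exe$",
    re.IGNORECASE,
)
# The "-m <path>" argument handed to the copy; the path is the original dropper.
MIGRATE_ARG = re.compile(r'\s-m\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def inspect_event(event: Dict[str, object]) -> List[str]:
    """Return the reasons a process-creation event matches the Backoff install pattern."""
    reasons: List[str] = []
    if SUSPICIOUS_IMAGE.search(str(event.get("image", ""))):
        reasons.append("javaw.exe launched from a per-user OracleJava folder")
        match = MIGRATE_ARG.search(str(event.get("cmdline", "")))
        if match:
            # Worth recording: this path is where the dropper was before it deleted itself.
            reasons.append(f"-m argument points at original dropper: {match.group(1)}")
    return reasons


def scan(events: List[Dict[str, object]]) -> List[Tuple[object, List[str]]]:
    """Return (pid, reasons) for every event that matches at least one indicator."""
    hits = []
    for event in events:
        reasons = inspect_event(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 1204, "image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar app.jar'},
    {"pid": 3310, "image": r"C:\Documents and Settings\pos\Application Data\OracleJava\javaw.exe",
     "cmdline": r'"C:\Documents and Settings\pos\Application Data\OracleJava\javaw.exe" -m "C:\Temp\invoice.exe"'},
    {"pid": 3322, "image": r"C:\Users\pos\AppData\Roaming\OracleJava\javaw.exe",
     "cmdline": r"C:\Users\pos\AppData\Roaming\OracleJava\javaw.exe"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The first sample (a genuine JRE javaw.exe) produces no finding; the second matches both indicators and the third only the path indicator, which is still worth an alert because the -m launch may have been missed.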

    We analyzed Backoff and discovered that it has multiple versions, ranging from 1.4 to 1.55. The 1.55 build has multiple versions as well, differentiated by nicknames such as “backoff”, “goo” and “MAY.” The “goo” version connects to three malicious domains that we cannot disclose just yet as we are still looking into them.

    Connection Patterns

    Checking our internal data, we also saw that these domains received a lot of traffic from the affected IP addresses, with the first two domains getting hits from the US. The first domain alone has had more than 46,000 hits since June 14, 2014. Interestingly, we found fewer hits from June 28 to July 25, with only 52 unique IPs.


    Figure 1. Number of hits on the malicious domain #1

    The second domain, meanwhile, scored more than 59,000 hits since April 26, 2014, with the same decline in the number of hits from May 8 to June 2, with only 60 unique IPs this time.


    Figure 2. Number of hits on the malicious domain #2

    We also noticed an interesting pattern when we changed the time frame to one-week increments.


    Figure 3. Decreasing pattern in the number of hits. Pattern is similar for both domains.

    We saw a clear decrease in the hits during “dead hours”, specifically at 2:00 AM. The hits went back up at 10:00 AM. This follows typical business operating hours wherein PoS devices are in active use — the number of hits rises as business operating hours begin and drops as businesses close for the day. Looking at the week-by-week statistics, the last week of July alone registered more than 10,000 hits.

    US as Top Target

    What does this all mean, then? For one, it cements the fact that Backoff is a very active and persistent threat that has already infected a lot of point-of-sale devices. Based on our Smart Protection Network data, the top country that accessed the malicious domains is the United States. Clearly, the US market is a favored target for those behind Backoff. As such, we recommend that businesses in the US have their PoS devices analyzed and secured.


    Figure 4. Heat map of malicious communications found in affected US states

    PoS malware could be one of the many constants in life that we would have to deal with, like social engineering scams and mobile malware. Cybercriminals obviously see this as profitable, as exemplified by data breach incidents in the retail industry in 2013. An old vulnerability residing in PoS systems was exploited in order to carry out these attacks, which resulted in the loss of credit and debit card information of at least 40 million customers. Also, cybercriminals have begun to cut out middlemen, as some are actually mass-manufacturing pre-compromised PoS devices. We need to stop viewing PoS devices as mere tools or gadgets and instead treat them as systems that also require tight security.

    Trend Micro protects users via its Smart Protection Network that blocks all malicious domains and detects this PoS malware as:

    Below are the hashes of the malicious files discussed in this entry:


    For more details about PoS malware in general, check out our whitepaper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.




    The promise of easy money remains the biggest motivation for cybercrime today. Cybercriminals thus make it their main objective to steal information that would lead them to the money, like online banking information. Once stolen, the information can be used to transfer funds illegally from victims’ accounts.

    In 2013, the total amount of money stolen through this exact method in Japan amounted to 1.4 billion yen. This is purportedly the biggest amount to date, and it seems 2014 is well on its way to catching up, with 600 million yen already stolen, according to a publication of the National Police Agency (NPA). We have reason to believe that those numbers will continue to climb, which poses the challenge of how to stop cybercrime once and for all.

    As part of our efforts to stop cybercrime, our dedicated team of researchers, the Forward-Looking Threat Research Team, has been researching what it takes to prevent financial losses from online account theft by cybercriminals. Moreover, we have identified some methods to track down and identify the cybercriminals responsible, such as command-and-control (C&C) server analysis, analysis of stolen information, and malware analysis.

    For instance, the cybercriminals behind the recent popular banking Trojan called Citadel (TSPY_ZBOT) use WebInjects to display the fake screens needed to steal online banking login credentials. By analyzing the WebInject modules, it is possible to find out more about the server to which the stolen information has been sent.

    Because any information that victims enter into the fake screen is stored on that server, we can immediately confirm the existence of victims by monitoring the server’s stored information. As a result, we can quickly prevent actual financial loss through reactive measures, such as freezing the compromised bank accounts before the money is transferred to the cybercriminals.


    Figure 1. Webinject Banking Trojan’s Infection Chain

    These kinds of measures, of course, can’t be carried out by a security vendor such as Trend Micro alone. It is absolutely necessary to collaborate with the organizations concerned, such as the police and the bank involved. Trend Micro’s TM-SIRT, which is a contact point of cooperation for security-raising activities in Japan, provides the organizations concerned with information obtained from internal research groups such as the FTR (Forward-Looking Threat Research) team in order to help combat this kind of theft by cybercriminals.

    Taking down the server involved in the financial theft is another method of combating such cybercriminal activity, but it is a temporary solution at best. This is because it may not affect the cybercriminal’s efforts as much as we would like, and it may even motivate them to move to more sophisticated attacks.

    Server monitoring is preferable. It allows security experts to grasp the whole picture of an attack and control the situation better. Moreover, it may help to identify the cybercriminals by simply waiting for them to log into the server to retrieve their stolen information. Server monitoring can then be expected to prevent new attacks by the same cybercriminals and also to prevent other attacks.

    On April 28, Trend Micro received a certificate of appreciation from the Japan Metropolitan Police Department. This commendation was awarded for providing useful information in combating online financial theft in Japan. Trend Micro will continue to study and provide a holistic and fundamental approach to security, as well as cooperate with law enforcement agencies around the globe in pursuit of our company vision: a world safe for exchanging digital information.



    Apr 28, 5:54 am (UTC-7)

    The Russian Underground has been around (in an organized manner) since 2004, and has been used both as a marketplace and as an information exchange platform. Some well-known centers of the Russian underground include zloy.org, DaMaGeLab, and XaKePoK.NeT. Initially, these forums were used primarily to exchange information, but their roles as marketplaces have become more prominent.

    Many parts of the Russian underground today are highly specialized. A cybercriminal with ties to the right people no longer needs to create all his attack tools himself; instead he can buy them from sellers that specialize in specific products and services. For example, you see groups that do only file encryption, or DDoS attacks, or traffic redirection, or traffic monetization. Groups that specialize in one of these items do what they do best and produce better, more sophisticated products.

    Perhaps the most popular product in the Russian underground economy today is traffic and various traffic-related products. Examples include traffic detection systems (TDSs), traffic direction, and pay-per-install (PPI) services. This purchased Web traffic not only increases the number of cybercrime victims; it may also be used to gather information about potential targeted attack victims.

    Like any other economy, the Russian underground follows the laws of supply and demand. As we mentioned last week, the prices of underground goods have dropped across the board. This is generally because of the increased supply of these goods – for example, stolen American credit cards are widely available, and as a result their price has fallen. This is evident in the following chart of stolen credit card prices:

    Figure 1. Prices for stolen credit cards

    The same is true for stolen accounts:

    Figure 2. Prices for hacked accounts

    With falling prices, however, comes a loss in reliability: goods or services are not always as high-quality as advertised. Sometimes, escrow providers (known as garants) are used to try and give both parties (buyer and seller) reassurances that neither party is scamming the other.

    Today, we released our updated look at the Russian Underground, titled Russian Underground Revisited. This is an update to our earlier paper discussing the items which are bought and sold in various parts of the Russian underground. For this edition, we have clearly outlined the products and services being sold and what their prices are. In addition, we discuss the changes since the original paper to highlight the continued evolution of the cybercrime threat landscape.

    This is part of the Cybercrime Underground Economy Series of papers, which take a comprehensive view of various cybercrime markets from around the world.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice