    Author Archive - Trend Micro
    There are places on the Internet where cybercriminals come together to buy and sell products and services. Instead of building their own attack tools from scratch, they can purchase what they need from peers who offer competitive prices. Like any other market, the laws of supply and demand dictate prices and feature offerings. What is more interesting to note is that recently, prices have been going down.

    Over the years, we have been keeping tabs on major developments in the cybercriminal underground. Constant monitoring of cybercriminal activities for years has allowed us to gather intelligence to characterize the more advanced markets we have seen so far and come up with comprehensive lists of offerings in them.

    In 2012, we published “Russian Underground 101,” which showcased what the Russian cybercriminal underground market had to offer. Later that year, we worked with the University of California Institute of Global Conflict and Cooperation to publish “Investigating China’s Online Underground Economy,” which featured the Chinese cybercriminal underground.

    Last year, we revisited the Chinese underground and published “Beyond Online Gaming: Revisiting the Chinese Underground Market.” We learned then that every country’s underground market has distinct characteristics. So this year, we will add another market to our growing list: Brazil.

    The barriers to launching cybercriminal operations have been greatly lowered. Toolkits are becoming more widely available and cheaper; some are even offered free of charge. Prices are lower and features are richer. Underground forums are thriving worldwide, particularly in Russia, China, and Brazil, and have become popular means of selling products and services to cybercriminals in those countries.

    Cybercriminals are also making use of the Deep Web to sell products and services outside the indexed or searchable World Wide Web, making their online “shops” harder for law enforcement to find and take down.

    Our first cybercrime economy update for the year will focus on the burgeoning market for mobile malware/scam-related tools and software in China, to be released next week on March 3.

    All of these developments mean that the computing public is at risk of being victimized more than ever and must completely reconsider how big a part security should play in their everyday computing behaviors. In the coming months we will dig deeper into these, and present our findings to educate users.

    Posted in Malware


    Feb 24, 11:45 am (UTC-7)

    In these times, embracing consumerization is not only inevitable for any company; it is now, at some level, necessary. It has become a powerful business tool, providing efficiency to the company as well as convenience to employees. The use of mobile devices in corporate environments, a practice that grows more common each day, is a primary example of how enterprises apply consumerization.

    With continued adoption comes challenges. The risks around mobile threats are typically focused on malicious apps, but for enterprises there are other problems. Since the devices are used to store, send, and receive corporate data, protecting them from unauthorized access is critical to the company. So how can we maintain enterprise-level security in consumer-level devices?

    The risks entailed by consumerization have proven difficult to deal with: the complexity of managing multiple platforms, separating personal and corporate data, avoiding data leakage, and addressing privacy concerns has enterprises struggling to find the balance between convenience and security. While that balance remains unachieved, the risk grows. Mismanaging consumerization has proven costly for enterprises, as cybercriminals now see the inclusion of mobile devices in enterprise networks as an addition to their attack surface, a new vector that they can use to infiltrate.

    In the past we’ve talked about a three-step plan to consumerization, which includes having a plan, identifying a set of policies to implement, and putting in the right infrastructure to apply the identified policies.

    Our Trend Micro Safe Mobile Workforce is an example of the infrastructure that can be used in embracing consumerization. It is a virtual mobile infrastructure solution that aims to answer the needs of both IT managers and employees by providing a clear infrastructure that separates corporate and personal data. It hosts the mobile operating system on centralized servers to provide a safe infrastructure whenever users need to access corporate information.

    What does this mean for users? It means that their corporate mobile environment is not stored in their device, so their data remains secure even if the device gets lost. They can also access their environment from any location, without being tied to a single device. This also means that there is no limitation in terms of functionality when the employee uses the device for personal purposes.

    What does this mean for IT administrators? It means that they will be able to fully manage and maintain all corporate environments connected to the network (Android and iOS) through the centralized server. And since Safe Mobile Workforce completely separates corporate and user data, administrators get full control of the corporate environment without worrying about privacy concerns from employees.

    To get a better idea of how the Trend Micro Safe Mobile Workforce works, check out our infographic, Split Screen: Separating Corporate from Personal Data on Mobile Devices.

    Posted in Mobile



    Any vulnerability in Internet Explorer is a large issue, but last week’s zero-day vulnerability (designated as CVE-2014-0322) is particularly interesting. It used what we call a “hybrid exploit”, where the malicious exploit code is split across multiple components that use differing technology: in this case, the exploit code was split between JavaScript and Adobe Flash. The use of “hybrid exploits” provides attackers with a way to evade existing mitigation technology like ASLR and DEP.

    Let’s go over how this exploit was delivered to users. The victim website was compromised, and two malicious files were uploaded to it:

    • Erido.jpg (detected as HTML_EXPLOIT.PB, MD5 hash: 00ae7a1514809749a57d4d05d8c969b5)
    • Tope.swf (detected as SWF_EXPLOIT.PB, MD5 hash: 732b6a98b0a7b2ee795f2193a041520d)

    The overall flow can be found in the following diagram, which will be explained in the text.

    Figure 1. Overall control flow

    A page on the website (img.html) was modified with additional JavaScript and an iframe to load the malicious Flash file, as follows:

    <embed src=Tope.swf width=10 height=10></embed>

    When called, the Flash file carries out a heap spray. Control is then passed back to the JavaScript via a function call in the Flash file. The malicious code that actually triggers CVE-2014-0322 is found here, not in the Flash file. (To prevent further attacks that may exploit this vulnerability, we will not provide further details about the exploit.) Control is then passed back to the Flash file, where the code responsible for arbitrary memory reads and writes is located.
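    As an added defender-side example (written for this page, not Trend Micro's code), the following Python scans a page for the tiny hidden Flash embed loader pattern quoted above and checks a file's MD5 against the two hashes listed earlier; the 32-pixel threshold and the sample HTML are assumptions.

```python
import hashlib
from html.parser import HTMLParser

# MD5 hashes quoted in the post for the two uploaded files.
KNOWN_BAD_MD5 = {
    "00ae7a1514809749a57d4d05d8c969b5": "HTML_EXPLOIT.PB (Erido.jpg)",
    "732b6a98b0a7b2ee795f2193a041520d": "SWF_EXPLOIT.PB (Tope.swf)",
}

def _dim(value):
    """Parse a width/height attribute; missing or junk -> 0 (treated as hidden)."""
    try:
        return int(str(value).strip().rstrip("px"))
    except (TypeError, ValueError):
        return 0

class HiddenFlashFinder(HTMLParser):
    """Collects embed/object/iframe tags whose .swf target is rendered in a
    tiny or missing frame, as in the modified img.html loader (32px is an
    assumed threshold, not a value from the post)."""
    def __init__(self, max_dim=32):
        super().__init__()
        self.max_dim = max_dim
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("embed", "object", "iframe"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data")
        if not src or not src.lower().endswith(".swf"):
            return
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        if w <= self.max_dim and h <= self.max_dim:
            self.findings.append({"tag": tag, "src": src, "width": w, "height": h})

def find_hidden_flash(html, max_dim=32):
    """Return the hidden-SWF loader tags found in an HTML document."""
    p = HiddenFlashFinder(max_dim)
    p.feed(html)
    return p.findings

def classify_blob(data):
    """Return the detection name if data's MD5 matches one the post lists."""
    return KNOWN_BAD_MD5.get(hashlib.md5(data).hexdigest())

# Constructed sample page imitating the modified img.html loader.
SAMPLE_HTML = """<html><body><img src="logo.png">
<script>/* loader JavaScript would be here */</script>
<embed src=Tope.swf width=10 height=10></embed>
<embed src="player.swf" width="640" height="480"></embed>
</body></html>"""

if __name__ == "__main__":
    print(find_hidden_flash(SAMPLE_HTML))
```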

    From here on, the goal of the code is simple: it searches memory for return-oriented programming (ROP) gadgets (specifically, it uses ROP gadgets in ntdll.dll), constructs the ROP chain, and overwrites the virtual table of a Flash object in order to hijack the execution flow of the Flash virtual machine.

    Two ROP gadgets were used in this attack:

    • 77a646a8 94 xchg eax,esp // Pivot the stack pointer
    • ntdll!ZwProtectVirtualMemory (1a1b3000, 1000, PAGE_EXECUTE_READWRITE)

    The first ROP gadget pivots the stack pointer so that it points to attacker-controlled data; the second gadget calls ZwProtectVirtualMemory to change the memory protection of the shellcode to PAGE_EXECUTE_READWRITE, bypassing DEP.

    If this shellcode needs to call APIs, it first checks whether the API is hooked inline by inspecting the starting bytes of the API. If that is the case, it skips the first 5 bytes of the API to escape the hook. This technique is used to bypass the detection of security products that watch for this behavior.

    Figure 2. Malicious shellcode

    The above shellcode does the following:

    1. Decodes two PE files using the data in the file Erido.jpg
    2. Drops the two PE files to:
      • %Temp%\sqlrenew.txt
      • %Temp%\stream.exe
    3. Loads the contents of sqlrenew.txt into memory
    4. Returns to the caller to prevent a Flash or IE crash

    The contents of sqlrenew.txt merely executes the other dropped file, stream.exe. However, this will only happen when IE has been terminated and the module itself is being unloaded.

    Figure 3. Malicious shellcode

    Conclusions

    Any zero-day vulnerability in a widely used program like Internet Explorer is significant, but this one appears to be doubly so. To avoid known exploit mitigation techniques like ASLR and DEP, this attack uses multiple web objects interacting with each other to carry out the exploit instead of a single easily detected file.

    It is likely that we will see more of this technique in the future as cybercriminals try to make their exploits more effective on all platforms. Both developers and security vendors will need to respond to this emerging threat in order to keep users safe.

    Posted in Exploits, Vulnerabilities



    2013 was another year marked by many changes, for good and bad, in the threat landscape. Some threats waned, others grew significantly, while completely new threats emerged and made life difficult for users. What remained constant, however, were the threats against the safety of digital information. In this entry, we present some of the threats that were seen last year. These are described in more detail in our roundup titled Cashing In On Digital Information.

    Cybercrime: Banking Malware, CryptoLocker Grow; Blackhole Exploit Kit Tumbles

    Some malware types linked to cybercrime grew significantly in 2013. We saw almost a million new banking malware variants, which was double what we saw in 2012. Much of this growth occurred in the latter half of the year:

    Figure 1. Volume of new banking malware

    Two countries – the United States and Brazil – accounted for half of all banking malware victims:

    Figure 2. Countries most affected by banking malware

    We saw ransomware become far more potent in the latter part of the year as CryptoLocker emerged as a new threat that hit users hard. This new threat – an evolution of previous ransomware attacks – encrypted the data of users, requiring a one-time payment of approximately $300 (payable in cryptocurrencies like Bitcoin) before their data would be decrypted. In some ways, CryptoLocker became as serious a problem for end users as fake antivirus malware had in previous years.

    The fall of the Blackhole Exploit Kit in 2013 due to the arrest of its creator, Paunch, was a significant event that appreciably changed the threat landscape. It significantly cut the use of malicious links in spam messages by attackers. While other exploit kits have emerged into the threat landscape since then, no other kit has achieved BHEK’s levels of prominence.

    Targeted Attacks and Data Breaches: Still In Operation

    Despite reduced media attention, targeted attacks continued to hit organizations across the world last year. We observed attacks in many parts of the world, with countries in Asia at particular risk from these coordinated targeted attacks. Well-organized campaigns like EvilGrab and Safe highlighted the capabilities and sophistication of modern targeted attacks.

    Figure 3. Countries affected by targeted attacks

    Data breaches also continued to plague organizations. Companies like Adobe, Evernote, and LivingSocial were all hit by various breaches that exposed the customer data of millions of users. Breaches like these not only cause a loss of face for the affected organizations, but may also put them at legal risk for failing to protect the data of their users.

    Mobile Threats: Mobile Banking Under Fire

    Mobile threats continued to flourish last year, with an estimated one million malicious and high-risk apps found in the year alone. Significantly, we saw increasing use of mobile banking threats like the PERKEL and FAKEBANK families, both of which put users of mobile banking apps and websites at the same risk of fraud and financial loss that other users face. Information stealers like banking malware are now the third most common type of malicious/high-risk app found, behind traditional standbys like premium service abusers and adware:

    Figure 4. Types of mobile malware threats

    Digital Life: Privacy at Risk

    Revelations about government spying made many question whether online privacy was still alive, or even possible. Previously, users had always worried that cybercriminals could get their hands on their personal information; now they worry about large, previously trusted organizations, both government and private, doing the same thing.

    Attacks delivered via social media (combined with social engineering) have now become the norm, with newer social networks like Instagram, Pinterest, and Tumblr suffering from their own scams as well. Indeed, attacks on all social media platforms have become so common, it may almost be considered “business as usual.”

    For a more comprehensive analysis of these threats, check our 2013 roundup titled Cashing In On Digital Information.

    Posted in Bad Sites, Exploits, Malware, Mobile, Social, Spam, Targeted Attacks


    Jan 26, 10:21 pm (UTC-7)

    We noted in our 2014 predictions that we believed there would be one major data breach per month. Reports of data breaches against retailers ushered in the new year, with the credit card information of several million shoppers stolen. There is no denying the scale and severity of breaches of this kind. While much ink, online and offline, has been devoted to matters like who the author of the malware was, in the longer view what is important to note is that there were many ways this attack might have been prevented, or security steps that could have been taken to thwart this kind of attack.

    For example, POS systems represent a near-ideal situation for whitelisting and/or locked down systems: there is no compelling need to run general-purpose applications on a POS system. A locked down system would have made it more difficult to run malware on the POS devices.

    In addition, it is highly unlikely that such a large-scale attack was carried out by installing malware onto POS systems one at a time. It is almost certain that some form of remote management software was used to install the malware onto the POS systems. This is not the first time that systems used to automatically install software onto other systems have been compromised; last year the auto-update system of several applications in South Korea was used to plant malware onto affected systems.

    The movement of such significant amounts of data across networks should also have been detectable. Network defense solutions would have been able to detect the internal network traffic used by this attack, the data exfiltration traffic, or both.

    The broad outlines of this attack are known, but specifics, such as what exact security procedures were in place and how or whether they were evaded, are not yet public. However, businesses that handle critical data can use this incident to determine if they, too, are at risk from similarly well-executed attacks. Companies in such a situation should double-check that all possible security procedures and products are in use and set up correctly, and that trained IT personnel are available to handle incidents as they happen.

    One thing that is clear is that for high-value targets, simple endpoint security is no longer sufficient. As we mentioned earlier, protections based on detecting network and system behavior (such as Deep Discovery and Deep Security) would have been very useful in dealing with these kinds of threats. Enterprises that do not have these solutions in place should consider implementing them in order to be able to guard against similar attacks; there is a good chance that other companies in similar situations will now have to deal with copycat attacks.

    We detect the malware that we believe was used in this attack as TSPY_POCARDL.AB and TSPY_POCARDL.U; if any related threats are found we will release further protection as necessary. Frequently asked questions about this incident are answered in the Simply Security blog.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice