    TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro



    Oct 8, 12:25 pm (UTC-7)   |    by

    We’re nearing the holiday season, and some of you might be doing some early holiday shopping, checking your finances before a shopping splurge. The holiday season also ushers in the cybercrime activity that is typical this time of the year:

    • We have seen a surge of fake bank emails. We’ve also seen other forms of spammed threats, including KELIHOS, VAWTRAK, and even some forms of the 419 scam.
    • We have also witnessed an increase in BANKER malware. Variants of this malware family attempt to steal sensitive information, such as banking credentials and email account details. They employ info-stealing techniques, often phishing pages that mimic the official banking sites, to get a user’s bank information, such as user names, passwords, or card codes. The stolen information can then be sent to a predetermined email address, to drop zones on hosted servers, or to a URL via HTTP POST.

    This series of entries focuses on a particular BANKER malware, detected as TSPY_BANKER.DYR. After taking an in-depth look at the malware itself, we will then place it within the whole threat ecosystem, with its ties to spam and even parcel mule scams, which recruit people to reship packages to other parts of the world, acting as ‘mules.’ These people typically fall for this scam because of its ‘get rich easy’ nature.

    All About DYRE 

    This particular detection is related to DYRE (also known as DYREZA, DYRANGES, or BATTDIL) malware. TSPY_BANKER.DYR has a lot of similarities with DYRE variants, as seen in its routines:

    • It has the capability to perform man-in-the-middle attacks through browser injections. It can also take browser snapshots, steal personal certificates, and steal information such as the specific browser version in use.
    • It steals bank credentials and monitors sessions involving online transactions with specific banks.
    • It can drop a configuration file that contains the list of targeted banks (updated via C&C) and the bot ID (comprising the computer name, the OS version, and a unique 32-character identifier). The list of targeted banks includes international, American, and European ones.
    • It uses Session Traversal Utilities for NAT (STUN), a method for an end host to discover its public IP address when it sits behind network address translation. It is a common method for real-time voice, video, and other messaging applications to learn their public IP address, that is, the address that is visible on the internet. Cybercriminals use this method to learn exactly where their malware is running (and possibly who is trying to run it).


      Figure 1. Screencap of STUN method

    • It also has the capability to download a VNC module.
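To make the STUN point concrete, here is an added example (not code from this post or from Trend Micro) that builds a STUN Binding Request, a constructed Binding Response carrying an XOR-MAPPED-ADDRESS attribute, and decodes the public address from it; the same header check (`is_stun`) lets a defender flag STUN traffic from hosts that have no business using it. The public IP and port values are constructed.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
XOR_MAPPED_ADDRESS = 0x0020        # attribute carrying the address the server saw

def build_binding_request(txn_id=None):
    """20-byte Binding Request: type, zero attribute length, magic cookie, 96-bit transaction id."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id

def build_binding_response(txn_id, public_ip, public_port):
    """Constructed server reply: the reflexive address is XORed with the cookie before transmission."""
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)  # family 0x01 = IPv4
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txn_id + attr

def is_stun(payload):
    """Classify a UDP payload: top two type bits are zero, cookie matches, length field is consistent."""
    if len(payload) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    return msg_type & 0xC000 == 0 and cookie == MAGIC_COOKIE and length == len(payload) - 20

def parse_public_address(response, expected_txn_id):
    """Return (ip, port) the server observed, or None if this is not a matching Binding Response."""
    if not is_stun(response):
        return None
    msg_type = struct.unpack("!H", response[:2])[0]
    if msg_type != BINDING_RESPONSE or response[8:20] != expected_txn_id:
        return None
    pos = 20
    while pos + 4 <= len(response):
        atype, alen = struct.unpack("!HH", response[pos:pos + 4])
        value = response[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        pos += 4 + ((alen + 3) & ~3)  # attributes are padded to 4-byte boundaries
    return None
```

A real STUN server would answer the request over UDP; here `build_binding_response` stands in for it so the decode path can be exercised offline.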

    A look into its network profile confirms details of the routines mentioned above:

    • Connections to C&C servers at Port 443, with a defined string format
    • Connections to STUN Servers
    • Accepting inbound connections
    • Although not presented in the screen capture below, the user agent being used is Opera/9.80


    Figure 2. Network profile for TSPY_BANKER.DYR




    PoS malware has been in the news lately due to data breaches at various high-profile retailers. Card information stolen in these attacks has ended up on the well-known underground shop Rescator. We prefer to refer to the people behind this shop as the Lampeduza gang, as Rescator is not the only person running this business.

    We have found that other cybercrime gangs are using the fame of the Lampeduza gang to lure other cybercriminals into accessing fake online credit card shops.

    C&C Intelligence

    During one of our research projects, we came across a C&C server hosting a KINS control panel at resurspowerlbc.su. This domain was registered on May 9, 2014, with the email address nesternko43@mail.ru. The same email address was used to register other domains that hosted a fake version of the Lampeduza card shop.

    Some of these domains included:

    • babli.su
    • brandcc.name
    • dumpster.su
    • e-obmen.su
    • iswipe.su
    • just4valid.su
    • mn0g0.su
    • resurspowerlbc.su
    • safegs.su
    • shipping-panel.su
    • shipping-panel.us
    • shockwave-update55.su
    • update-shockwave34.su

    Included in the above list were one fake jobs site (safegs.su) and two fake shipping sites (shipping-panel.su and shipping-panel.us).



    Our coverage on the Bash bug vulnerability (more popularly known as “Shellshock”) continues as we spot new developments on Shellshock-related threats and attacks.

    Here is a list of our stories related to this threat:

    Posted in Malware, Vulnerabilities


    Sep 28, 6:27 am (UTC-7)   |    by

    It seems like the floodgates have truly opened for Shellshock-related attacks. We have reported on different attacks leveraging the Bash bug vulnerability, ranging from botnet attacks to IRC bots.

    We have also mentioned that we spotted Shellshock exploit attempts in Brazil. It appears that these attempts were not limited to that country alone. We saw yet another Shellshock exploit attack, this time targeting a financial institution in China.

    Trend Micro Deep Discovery was able to detect this attempt and found that the attackers were trying to see if several IPs owned by the institution were vulnerable to the Shellshock vulnerability, specifically CVE-2014-6271. Further analysis revealed that three of the tested IPs were possibly vulnerable, as the attackers tried to use the command “/bin/uname -a”. The command “uname” displays system information, including the OS platform, the machine type, and the processor information.

    At first glance, retrieving system information might seem harmless. But as we mentioned before, information gathering could be a sign of preparation for more damaging routines. This one command could be a gateway for bigger, more damaging attacks.

    The timing of the attempts is quite interesting, given that Golden Week celebrations in China begin on October 1st. It’s very plausible that this attempt could be the initial phase of an attack that may occur during this holiday, as network administrators will be on leave at this time.

    Trend Micro continuously monitors attacks that may leverage the Bash vulnerability, while securing users and organizations from such real world threats. Trend Micro Deep Discovery provides network-wide visibility and intelligence to detect and respond to targeted attacks and advanced threats.

    Users are protected from this threat via our Smart Protection Network that detects the malware and blocks all related malicious URLs. Exploits abusing the Bash vulnerability, on the other hand, are detected via the following solutions:

    • Deep Discovery rule: 1618 – Shellshock HTTP REQUEST
    • DPI rule: 1006256 – GNU Bash Remote Code Execution Vulnerability
    • CVE-2014-6271-SHELLSHOCK_REQUEST detection
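As an added example (not code from this post or from Trend Micro), here is a small detector for the HTTP request pattern that rules like the ones above flag, run over constructed web server access log lines. The IP addresses are made up, and the probe line reuses the uname command described above; web servers copy request headers into CGI environment variables, which is why the Bash function-definition prefix shows up inside a header field.

```python
import re

# Apache "combined" log: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)
# Shellshock fires when an environment variable begins with a Bash function definition
# "() { ... }" followed by further text; that prefix inside a header is the tell-tale sign.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)")

# Constructed sample log lines (not real traffic). Lines 2 and 3 carry the probe; line 4 is a
# benign decoy with "()" and "{" in separate places to show the detector does not over-trigger.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Sep/2014:06:01:12 -0700] "GET /index.html HTTP/1.1" 200 3145 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
198.51.100.23 - - [27/Sep/2014:06:02:40 -0700] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/uname -a"
198.51.100.23 - - [27/Sep/2014:06:02:41 -0700] "GET /cgi-bin/status HTTP/1.1" 404 209 "() { :;}; /bin/uname -a" "curl/7.37.0"
203.0.113.11 - - [27/Sep/2014:06:03:02 -0700] "GET /docs/bash() HTTP/1.1" 200 77 "-" "Mozilla/5.0 {compatible}"
"""

def detect_shellshock(log_text):
    """Return one finding per line whose Referer or User-Agent carries a Shellshock-style payload."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; a production parser would log and skip
        for field in ("referer", "user_agent"):
            hit = SHELLSHOCK_RE.search(m.group(field))
            if hit:
                findings.append({"src": m.group("src"), "field": field,
                                 "request": m.group("request"), "cmd": hit.group("cmd").strip()})
    return findings
```

The combined log format records only two request headers; inspecting the full request (Cookie, Host, custom headers) at the proxy or IDS catches the same pattern wherever it is placed, which is what a network-level rule such as the Deep Discovery one above does.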

    Other users who want to check if they are affected should use our free protection for Shellshock. We’ve also released a browser extension and device scanners to protect users’ browsers and devices against the risks posed by the Bash bug vulnerability. These tools can scan a device to detect whether it has been affected by the bug.

    For more information on the Bash bug vulnerability, you may read our other articles:

    Users can also check out our online article, About the Shellshock Vulnerability: The Basics of the “Bash Bug”, for a quick and easy summary of what Shellshock actually is and why it’s such a big deal.

     



    Given the severity of the Bash vulnerability, also known as Shellshock, it is no wonder that we’re seeing a lot of attacks leveraging it. Just hours after this vulnerability was reported, malware payloads such as ELF_BASHLITE.A emerged in the threat landscape. Other payloads, like PERL_SHELLBOT.WZ and ELF_BASHLET.A, were also spotted in the wild; these can execute commands and can thus compromise a system or a server.

    Apart from these malware payloads, DDoS attacks against well-known organizations have been reported. During the course of our investigation, we spotted exploit attempts in Brazil that test if the target server is vulnerable. This means that attackers behind such attempts are probably gathering intelligence. Once they get the information they need, they can possibly launch succeeding attacks, and consequently, infiltrate their target network.

    Our researchers are continuously monitoring possible attacks that may employ Shellshock. In the course of our investigation, we spotted an active IRC (Internet Relay Chat) bot that leveraged the Bash vulnerability. Trend Micro detects this bot as PERL_SHELLBOT.CE. Infected systems connect to an IRC server, us[dot]bot[dot]nu, via port 5190 and join the IRC channel #bash. The bot then waits for commands from a remote attacker. We analyzed the code and found that it has the capability to carry out the following commands:

    • Perform DDoS attacks
      1. UDP
      2. TCP
      3. HTTP
    • IRC Booting/Disconnecting through CTCP, Message, Notice Flooding
    • Download Arbitrary File
    • Connect to Server (IP:Port)
    • Scan opened ports (<ip>)
    • Send E-mails (<subject>, <sender>, <recipient> <message>)
    • Ping IP (<ip>,<port>)
    • Resolve DNS <ip/host>
    • Check Bot Configuration


    Figure 1. PERL_SHELLBOT.CE infection diagram

    So far, we have witnessed this bot launch the command to change channel. This is probably done as a form of evasive technique to prevent being taken down. As of posting, we have seen more than 400 active bots join the IRC channel. We found that most of those who accessed the IRC server are located in the U.S., Japan, Canada, and Australia.

    The threats and attack attempts, and now the emergence of a live IRC bot, clearly show the severity of this vulnerability and its real-world impact on users and enterprises. We will remain vigilant and be on the lookout for other attacks and threats. Stay tuned as we update this blog with new developments.

    For more information on the Bash vulnerability, read our previous articles:

    With additional analysis from Alvin Bacani, Karla Agregado, and Mark Manahan. 

    Posted in Malware, Vulnerabilities


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice