    Author Archive - Trend Micro




    Our report on the threats seen in 3Q 2014 shows that, once again, software vulnerabilities were the cybercriminals’ most favored targets. Following the second quarter’s infamous Heartbleed vulnerability came another serious vulnerability in open-source software: Shellshock. Having gone unnoticed for years, the Shellshock incident suggests that there may be more vulnerabilities in Bash or in applications previously thought safe. Below is a timeline of the events that unfolded around Shellshock.

    Figure 1. A timeline of events that illustrate the Shellshock exploitation that took place last quarter.

    Apart from threatening to wreak havoc on over half a billion servers and Linux and UNIX systems worldwide, Shellshock also proves that cybercriminals and attackers still target systems that users may tend to overlook. Case in point, the third quarter also exposed several loopholes in point-of-sale (PoS) systems, whose threats appear to be growing as evidenced by last quarter’s Home Depot data breach.

    Vulnerabilities were also seen in Android-based devices, with over 75% of Android users affected by both the FakeID vulnerability and the Android browser flaws. Here’s a breakdown of the Android OS versions affected by these vulnerabilities, which we’ve also included in our report:

    Figure 2. Android Operating Systems Affected by FakeID and Android Browser Vulnerabilities.

    Apart from targeting the mobile platform, threat actors also used vulnerabilities to launch attacks, which signals a dire need for network administrators to be able to spot indicators of compromise (IOCs) and implement effective network monitoring.

    For more details about these and other security threats in the third quarter, check our security roundup titled Vulnerabilities Under Attack: Shedding Light on the Growing Attack Surface.
    Posted in Bad Sites, Exploits, Malware, Mobile, Targeted Attacks, Vulnerabilities | Comments Off on 3Q 2014 Security Roundup: Vulnerabilities Under Attack



    Recent reports have implicated a sophisticated piece of malware known as Regin in targeted attacks in various countries. Regin was described as being highly sophisticated and designed to carry out long-term stealthy surveillance on would-be victims at the behest of its creators, who have been suggested to be nation-states. Telecommunication companies are believed to have been the primary targets of this attack.

    How long Regin has been active is unclear. Timestamps of files associated with Regin vary in some reports. Some place the attack in 2003, while others say it started in 2006, 2008, or 2011. Known victims include a Belgian telephone company, leading to suspicions about the threat actors behind this attack.

    While Regin is, overall, a well-crafted and well-designed attack, our threat monitoring shows that many of its techniques have been used in other attacks before. In addition, the overall goal of this attack remains the same: to steal information from the target while remaining stealthy.

    The graphic below outlines some of the advanced techniques we believe that were used by Regin:

    Figure 1. Advanced techniques used by Regin

    As one can see, very few of the techniques used by Regin are completely without precedent in one form or another. The techniques appear to have been chosen to maximize stealth; this allows an attacker to maintain a long-term presence on an affected system, which is an effective way of gathering stolen information.

    We will continue to watch out for developments related to this threat and release updates as necessary.


    Nov 10, 3:10 am (UTC-7)

    In an earlier blog post, we tackled what the Wirelurker malware is and its security implications and risks for iOS and OS X devices. Within hours of the discovery of this malware, a Windows-based malware (detected as TROJ_WIRELURK.A) that performs the same attack was also seen in the wild. In this blog post, we’d like to share practices and recommendations for users and enterprises to secure their devices from this threat.

    The following are some simple steps for users to check whether their Apple devices are infected by this malware.

    For Mac computers:

    You may check whether the following launch daemons exist in your Mac:

    • /Library/LaunchDaemons/com.apple.globalupdate.plist
    • /Library/LaunchDaemons/com.apple.machook_damon.plist
    • /Library/LaunchDaemons/com.apple.itunesupdate.plist
    • /Library/LaunchDaemons/com.apple.watchproc.plist
    • /Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
    • /Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
    • /Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
    • /Library/LaunchDaemons/com.apple.appstore.plughelper.plist

    For jailbroken devices:

    You may use SSH to connect to your device and check whether the following file exists:

    • /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib

    For non-jailbroken iOS devices:

    • Check whether there are any suspicious apps you did not install.
    • Open the “Settings” app, tap “Profile,” and check whether any suspicious profiles are installed.
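    The file checks above for Macs and jailbroken devices can be scripted. The following is an added example and not code from the TrendLabs post: a read-only POSIX shell check that tests for the launch daemons and the MobileSubstrate library the post lists. The paths are the post’s; the optional root-prefix argument is an assumption added here so the same script can be pointed at a mounted disk image or run over SSH on a jailbroken device.

```shell
#!/bin/sh
# Added example, not code from the TrendLabs post: a read-only check for the
# WireLurker artifacts the post lists. The file paths are the post's; the
# optional ROOT prefix is an assumption added here so the same check can be
# pointed at a mounted disk image, or run over SSH on a jailbroken device.

# Launch daemons the post names for Mac computers.
WIRELURKER_LAUNCHDAEMONS="
/Library/LaunchDaemons/com.apple.globalupdate.plist
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.itunesupdate.plist
/Library/LaunchDaemons/com.apple.watchproc.plist
/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
"

# MobileSubstrate library the post names for jailbroken iOS devices.
WIRELURKER_IOS_DYLIB="/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib"

# Print every listed path that exists under ROOT ($1, empty = live system),
# one per line. Prints nothing when the system is clean. Only existence is
# tested; nothing is modified or removed.
list_wirelurker_indicators() {
  _root="${1:-}"
  for p in $WIRELURKER_LAUNCHDAEMONS $WIRELURKER_IOS_DYLIB; do
    [ -e "$_root$p" ] && printf '%s\n' "$p"
  done
  return 0
}

# Print the number of indicators present under ROOT (0 means none found).
count_wirelurker_indicators() {
  list_wirelurker_indicators "$1" | wc -l | tr -d '[:space:]'
}

# Stand-alone use: "sh check_wirelurker.sh" for the live system, or
# "sh check_wirelurker.sh /Volumes/image" for a mounted volume.
root="${1:-}"
if [ "$(count_wirelurker_indicators "$root")" -eq 0 ]; then
  echo "No WireLurker indicators found under ${root:-/}"
else
  echo "WireLurker indicators found under ${root:-/}:"
  list_wirelurker_indicators "$root" | sed 's/^/  /'
fi
```

    A hit on any of these paths is a strong indicator, since none of them ship with OS X or iOS; an absence does not prove the device is clean, so the manual profile and app review in the post still applies.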

    Below are guidelines to help you protect your Mac and iOS devices:

    1. Do not jailbreak your iOS device.
    2. Make sure your Mac and iOS are up-to-date.
    3. Do not install any pirated software or software from untrusted sources. Only install software from the official App Store.


    Figure 1. Users can set the option in “System Preferences” > “Security & Privacy” so that only apps from the official Mac App Store can be installed

    Users who need to install software from other sources (and opt to select Mac App Store and identified developers) are strongly advised to practice extreme caution before installing them, and to make sure that the installers are from trusted sources and not tampered with.

    4. Install security software on your Mac and make sure you always have the latest update.

    5. Make sure you only connect your iOS devices to computers that you trust.

    6. Pay attention to installation requests from enterprise-provisioned applications. Allow only those from trusted sources to be installed on your device.

    7. Remove any suspicious profiles from your iOS devices.

    Figure 2. Users can check the profiles installed on their iOS device in “Settings” > “General” > “Profile(s)”

    8. Carefully review any iOS application’s request for access to your camera, contacts, microphone, location information, and other sensitive data.

    Figure 3. Review the privacy setting for each app in “Settings”. Users can prevent an app from accessing private information in “Settings” > “Privacy”

    Enterprises that have joined Apple’s enterprise developer program can boost their security with the following steps:

    • Make sure you properly secure your private key.
    • Make sure only those necessary employees can access the private key.
    • Remember to deny former employees or team members access to the private key.
    • Revoke your certificate(s) as soon as possible if you feel your private key has been compromised.

    Revoking certificates is important, as we have seen Windows malware signed with stolen certificates. If enterprises lose their certificates, attackers could use them to impersonate the enterprise and sign malware. Such actions may not only damage the enterprise’s reputation but also cost it a lot of resources in handling the follow-up.

    Trend Micro protects users from this threat via Trend Micro Antivirus for Mac, which detects the malware on OS X devices. We also detect the malicious apps installed onto jailbroken iOS devices as IOS_WIRELURKER.A.



    A new Shellshock attack targeting SMTP servers was discovered by Trend Micro. Attackers used email to deliver the exploit. If the exploit code executes successfully on a vulnerable SMTP server, an IRC bot known as “JST Perl IrcBot” is downloaded and executed. It then deletes itself after execution, most likely as a way to stay under the radar and remain undetected.

    The diagram below illustrates the attack cycle.


    Figure 1. Diagram of the SMTP attack

    1. The attacker creates a custom email with malicious Shellshock code inserted in the Subject, From, To and CC fields.
    2. The attacker then sends this email to any potentially vulnerable SMTP server.
    3. When a vulnerable SMTP mail server receives this malicious email, the embedded Shellshock payload is executed and an IRC bot is downloaded and executed. A connection to an IRC server is also established.
    4. Attackers can then perform different routines with the mail server, such as launching a spam run.

    Possibly Vulnerable Mail Servers

    Below we list various environments with possibly vulnerable mail servers.

    1. qmail Message Transfer Agent (MTA)
      .qmail is a Unix-based configuration file that controls the delivery of email messages and is responsible for launching Bash shell commands for execution. It can be configured to launch a program, and once that program calls Bash, the attack succeeds. (The attack requires that a .qmail file exists for the valid recipient on the qmail MTA and that the .qmail file contains a delivery program.)
    2. exim MTA with versions earlier than Version 4
      Starting with Version 4 of exim, the pipe_transport does not call a shell for variable expansion and command line assembly.
    3. Postfix using procmail: the Postfix MTA invokes procmail, which is a Mail Delivery Agent (MDA). An MDA is used to sort and filter incoming mail.
      Postfix has no obvious Shellshock vulnerability. However, procmail itself can pass message headers to subsequent delivery/filter programs through environment variables, which exposes those programs to Shellshock attacks.
      Note: The Debian/Ubuntu Postfix packages set procmail as the default mailbox_command in main.cf. This means the Debian/Ubuntu Postfix distributions are vulnerable to Shellshock attacks.
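    Because the attack rides in on ordinary header fields that the MTA or MDA later exports as environment variables, the tell-tale sign is the Bash function-definition prefix “() {” at the start of a header value. The following is an added example, not code from the TrendLabs post: a POSIX shell scanner that applies that signature to the header fields the post names (Subject, From, To, CC) in stored message files. The sample message it writes is constructed for the demonstration and carries an inert echo rather than a real payload; the regular expression and function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the TrendLabs post: a POSIX shell scanner that
# flags the Shellshock function-definition signature "() {" in the header
# fields the post names (Subject, From, To, CC). It is a detection aid for
# mail already stored as files; the fix for the vulnerability itself is a
# patched Bash on the mail server.

# Header names are matched case-insensitively (grep -i). The header block ends
# at the first empty line (a bare CR is tolerated), so body text is never
# inspected.
SHELLSHOCK_HEADER_RE='^(subject|from|to|cc):[[:space:]]*\(\)[[:space:]]*\{'

# Print the header lines in message file $1 that carry the signature.
shellshock_headers() {
  sed '/^[[:space:]]*$/q' "$1" | grep -E -i "$SHELLSHOCK_HEADER_RE" || true
}

# Print how many such header lines message file $1 contains (0 = clean).
count_shellshock_headers() {
  shellshock_headers "$1" | wc -l | tr -d '[:space:]'
}

# Write a constructed sample message (not a real capture) to path $1. The
# command after the function definition is an inert echo, chosen only to
# exercise the check.
write_sample_mail() {
  cat > "$1" <<'EOF'
Received: from mx.example.test (constructed sample, not a real capture)
From: () { :; }; /bin/echo probe
To: postmaster@example.test
Cc: alerts@example.test
Subject: () { :; }; /bin/echo probe
Date: Mon, 10 Nov 2014 10:00:00 +0000

The body is not scanned, even where it contains () { :; }; text.
EOF
}

# Stand-alone use: scan the message files given on the command line, or the
# constructed sample when none are given.
if [ $# -eq 0 ]; then
  sample=$(mktemp)
  write_sample_mail "$sample"
  set -- "$sample"
fi
for f in "$@"; do
  n=$(count_shellshock_headers "$f")
  if [ "$n" -gt 0 ]; then
    echo "$f: $n header(s) carry the Shellshock signature:"
    shellshock_headers "$f" | sed 's/^/  /'
  else
    echo "$f: clean"
  fi
done
```

    The scanner looks only at the four fields the post names and does not unfold multi-line (folded) headers, so a signature that begins on a continuation line would be missed; extending the expression to other header names is a one-line change. The same pattern can be applied inbound on Postfix through a header_checks table with a REJECT action, which stops the message before procmail or any other delivery program ever sees it, but that is a compensating control, not a substitute for patching Bash.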

    Analysis of the Attack

    According to our analysis, if the malicious script embedded in the email is successfully executed by a vulnerable SMTP server, the server will connect to the following URLs and download IRC bots:

      • hxxp://{BLOCKED}.{BLOCKED}.31.165/ex.txt
      • hxxp://{BLOCKED}.{BLOCKED}.251.41/legend.txt
      • hxxp://{BLOCKED}.{BLOCKED}.175.145/ex.sh

    All IRC bots discovered so far are written in Perl. The files ex.txt and ex.sh are the same file under different names.


    Figure 2. Source code downloaded by “JST Perl IrcBot”

    “JST Perl IrcBot” connects to a command-and-control (C&C) IRC server through ports 6667, 3232, and 9999. The bot performs the following routines, compromising the security of the affected system:

      • Download file(s) from URLs
      • Send mail
      • Scan ports
      • Perform distributed denial-of-service (DDoS) attacks
      • Run Unix commands

    This SMTP server attack has been seen in countries such as Taiwan, Germany, the U.S., and Canada.


    Figure 3. Top countries which visited the site hosting the malware

    The IRC bot discovered in this SMTP attack connects back to the following IRC servers, where it waits for commands from the bot master or attacker:

      • 62[.]193[.]210[.]216
      • d[.]hpb[.]bg

    There are at least 44 variants of IRC Perl bots detected by Trend Micro. The related hashes for this attack are:

      • SHA1: 23b042299a2902ddf830dfc03920b172a74d3956 (PERL_SHELLBOT.SMA)
      • SHA1: 8906df7f549b21e2d71a46b5eccdfb876ada835b (PERL_SHELLBOT.SM)

    Conclusion

    This SMTP attack highlights yet another platform for attackers to exploit the Shellshock vulnerability to launch IRC bots.

    We recommend that IT administrators block all IPs and domains related to this attack. Although the victim countries and impact are limited as of posting, we are continuously monitoring this threat for new developments. Trend Micro can detect all IRC bots discovered in this attack, so our customers are protected. Trend Micro Deep Security prevents this kind of attack on SMTP servers via the following rule, which has been available since September 30:

    • 1006259 – GNU Bash Remote Code Execution Vulnerability Over SMTP

    For more information on Shellshock vulnerability, you can read our Summary of Shellshock-Related Stories and Materials.

    Users can also get free protection from Shellshock via these tools.
    Posted in Exploits, Vulnerabilities | Comments Off on Shellshock–Related Attacks Continue, Targets SMTP Servers



    We’ve frequently talked about how important it is for law enforcement and security companies to work together to stop cybercrime. One particular reason to do so is because of the nature of cybercrime: simply put, it has no borders.

    Perhaps more than any other type of crime, cybercrime respects no borders. A cybercriminal in Russia can have colleagues in the Ukraine, use servers in the United Kingdom, and target users in the United States.

    We work extensively with Interpol to help fight cybercrime around the world. We recently agreed to provide tools, training, and information to Interpol so that law enforcement agencies from around the world can build the capabilities they need to fight cybercrime on their own turf.

    However, we also work with countries individually, and in some of those cases we are able to bring agencies from different countries together to investigate the same group of cybercriminals. By serving as a go-between for these countries, we’re able to help police from different countries work on the same case without having to go through the complex and time-consuming procedures used when mutual legal assistance treaties (MLATs) are invoked.

    There are still areas where international cooperation in fighting cybercrime can be improved. Something that we think would be highly beneficial is for countries to work together to form multinational police agencies that could help deal with regional cybercrime issues. In Europe, we have Europol, which helps support the activities of various local law enforcement bodies. An agency like Europol can be very useful in regions where countries have very limited capabilities to investigate cybercrime, such as Africa.

    Cybercrime is a global problem, and without global solutions it cannot be fought effectively. Trend Micro works with law enforcement agencies from across the globe in order to deal with these threats and help make the Internet safer for everyone.
    Posted in Malware | Comments Off on Fighting Cybercrime Across Borders: Why Law Enforcement Collaboration Matters

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice