    Author Archive - Trend Micro




    In late November, Microsoft revealed that a zero-day vulnerability was in use in targeted attacks against Windows XP and Server 2003 systems. From samples of the exploit examined, it has a backdoor payload that possesses sophisticated anti-analysis techniques.

    Further research of this earlier attack – discussed in the blog posts above – has revealed that the exploit was deployed via email to at least 28 embassies in a Middle Eastern capital. The malicious payload arrived as an attachment to a blank email sent to the target embassies. The subject line of the email and the name of the attachment referred to the ongoing conflict in Syria, to induce its recipients to open the email.

    Apart from the targeting and the anti-analysis techniques, there does not appear to be other particularly unusual or unique behaviors in this attack. The anti-analysis techniques in the backdoor (detected as BKDR_TAVDIG.GUD) were designed to hide from or freeze debuggers, making analysis and attribution more difficult.

    Whoever was responsible for this attack had the means, motivation and opportunity to carry out a targeted attack across multiple targets. This suggests a level of organization and available resources beyond ordinary cybercriminals. Beyond that, we are unable to draw any other conclusions. We do not know if the embassies were indeed affected by the malware mentioned or if there are other sets of targets, only that the samples received strongly suggest that the embassies were the intended recipients.

    As part of our 2014 predictions, we mentioned that obsolete and unpatched operating systems and applications may cause issues in the coming year. This incident highlights that problem, particularly when such systems are used in targeted attacks. Similarly, zero-days are frequently first used in targeted attacks; earlier this year another Internet Explorer zero-day was first used in targeted attacks. Malicious attachments are a favored infection vector for targeted attacks; the same technique was used to target Asia-Pacific governments and G20 meeting attendees earlier this year.

    It is also important to remember that all is not lost when it comes to defending against targeted attacks. In his paper Suggestions to Help Companies with the Fight Against Targeted Attacks, Trend Micro researcher Jim Gogolinski stated that there is much that can be done to defend a company against targeted attacks. Trend Micro also participated in the development of the guide System Design Guide for Thwarting Targeted Email Attacks along with Japan’s Information Technology Promotion Agency (IPA), which provides an in-depth strategy for dealing with email attacks.

    Posted in Targeted Attacks, Vulnerabilities



    The third quarter of the year shone the spotlight on parts of the hidden Internet that would have preferred to remain hidden. Services favored by cybercriminals such as the digital currency Liberty Reserve and the online marketplace Silk Road were all shut down during the quarter. Right after the quarter ended, the notorious creator of the Blackhole Exploit Kit, Paunch, was arrested as well, severely curtailing related spam campaigns.

    Cybercrime Continues Unabated

    Despite these steps, however, cybercrime continued to grow during the quarter. The number of online banking Trojans detected reached record levels, with more than 200,000 infections reported in the quarter. Three countries – the United States, Brazil and Japan – accounted for over half of these infections.

    Figure 1. Number of online banking infections

    Mobile Malware Crosses 1 Million Mark

    Our 2013 predictions noted that we believed the number of high-risk and malicious Android apps would exceed 1 million sometime in the year. That was exactly what happened this quarter. Premium service abusers remained the most common threat. These sign up users for paid “premium services” without their consent. This highlights how mobile malware has become mainstream, continuously growing and affecting more users around the world.

    As a sign of the growing maturity of mobile platforms, a major vulnerability was found in Android with correspondingly serious risks. The so-called “master key” vulnerability allowed an attacker to “update” a legitimate app with a malicious version.

    Java 6 Becomes a Permanent Threat

    Older, unpatched versions of software have always posed serious security risks. This was shown when a new exploit targeting a vulnerability in Java 6 was seen. This came after Oracle officially declared Java 6’s end-of-life (EOL), highlighting the risks of using EOLed software that will no longer receive patches. This serves as a potential preview of what will happen next year, when Windows XP – still in use in many systems and networks all over the world.

    Read more about the goings-on in the third quarter in the full report, titled The Invisible Web Unmasked.

    Posted in Exploits, Malware, Mobile, Vulnerabilities



    Further analysis by Trend Micro researchers on the reported defacement of the Singapore Prime Minister’s Office website revealed that the website was not actually defaced – attackers abused the search function of the Singapore PMO website to display an image that looks like a hacked version of the site.


    Figure 1. Image shown from within the PMO website that falsely claims the site was hacked

    The attackers exploited an XSS vulnerability in the website’s search page by entering, as the search string, code that triggers the display of the image. The web page reflected this code back and the browser executed it, displaying the image along with text that said “ANONYMOUS SG WAS HERE BIATCH~”, giving the impression that the website was defaced.

    We’d like to point out that the Singapore PMO website remains intact and was not compromised in any way. Visitors to the site will not see the image, since it is only displayed if the URL with the injected script embedded is accessed. The attackers drove users to the link with the displayed image by distributing the URL through social media.

    This attack is a form of cross-site scripting, or XSS, and has been seen in many attacks in the past, including those that affected other government websites. XSS vulnerabilities are low-hanging fruit for attackers since the likelihood of a website having them is very high, so they are seen as one of the easier routes for attacking a website.

    This ease in execution for hackers, however, is paralleled by great risks for the potential targets. While the attack on the PMO website only triggered the display of an image, we have seen other attacks that triggered redirections to malicious sites, leading visitors to malware.

    We strongly recommend that website developers make sure their sites are fully secure against XSS attacks through the following means:

    1. Review the website code regularly to make sure that it is configured to prevent code injection. This can be done by setting up limitations on input contents in order to reject special characters, as well as by sanitizing output by HTML-encoding user input/strings.
    2. Scan for web application vulnerabilities to identify possible attack vectors and address them immediately.
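    As an added example (not code from the original post or from Trend Micro), the reflected XSS pattern in a search page shown beside the two mitigations listed above, in Node.js; the renderer functions, the allowlist and the sample query are constructed for illustration.

```javascript
// Added example: a minimal search-page renderer showing the reflected XSS
// pattern described above and the two fixes the post recommends: rejecting
// special characters in input and HTML-encoding output. No dependencies.

// Encode the five characters that let user text break out of an HTML text
// node or attribute value.
function htmlEncode(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Input limitation: a search term only needs letters, digits, spaces and a
// few punctuation marks; angle brackets, quotes and the like are rejected.
function isAllowedQuery(q) {
  return /^[\p{L}\p{N} .,-]{1,100}$/u.test(q);
}

// Vulnerable renderer: reflects the query into the page verbatim, so any
// markup in the query is interpreted by the visitor's browser.
function renderSearchPageVulnerable(query) {
  return `<h1>Search results for: ${query}</h1>`;
}

// Hardened renderer: validates the query, then HTML-encodes it before
// reflecting it, so markup is shown as text rather than interpreted.
function renderSearchPageSafe(query) {
  if (!isAllowedQuery(query)) {
    return "<h1>Invalid search term</h1>";
  }
  return `<h1>Search results for: ${htmlEncode(query)}</h1>`;
}

// Constructed sample input: a search string that carries an image tag,
// the kind of injected content the post describes.
const SAMPLE_QUERY = '<img src="https://example.invalid/defaced.png">';

console.log(renderSearchPageVulnerable(SAMPLE_QUERY)); // image tag reaches the page
console.log(renderSearchPageSafe(SAMPLE_QUERY));       // rejected by the allowlist
console.log(renderSearchPageSafe("budget 2013"));      // normal query rendered
```

    Even with the allowlist in place, the encoding step stays: it is the control that still holds when a later change to the allowlist lets an extra character through.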
     


    Nov 1, 6:49 am (UTC-7)

    Hacking incidents we’ve documented in the past show a common strategy used by attackers: finding a vulnerability and exploiting it. Whether it was the New York Times or small businesses in Asia, the starting point was found to be a compromise caused by a vulnerability. This vulnerability may either have been technical (vulnerable software), or non-technical (an uninformed employee).

    This finding highlights the need for a comprehensive defense against such attacks. As one of our researchers, Jim Gogolinski, said in a previous report, companies are not helpless against targeted attacks. However, building a solid defense strategy will require resources as well as diligence from the organization itself.

    For hacking attacks in particular, keeping a company’s network secure will require both proactive and reactive security strategies. Below are some tips that may help IT administrators keep their company’s site secure.

    Proactive Steps Against Hacking Attacks

    • Implement a program to regularly test and deploy updates, especially security updates.
    • Check that the installed software on all endpoints and servers is updated.
    • Make sure that security software is present (and in use) across the board. It should also be configured to detect and prevent phases of an attack, as well as observe indicators over the network, on disk, and in memory.
    • Processes and standard operating procedures (SOPs) should be built with security in mind. This applies not just to employees, but to partners, contractors and customers as well.
    • Investigate any anomalous network and system behavior. Attacks are known to begin with reconnaissance, and such suspicious activities may be the first sign of an attack.
    • Continuously plan or review your incident response procedures with all necessary parties (not only IT groups). Jim also discussed how to implement these procedures in his earlier report, How Can Social Engineering Training Work Effectively?

    What to Do in Case of an Attack

    In the past, some attacks have been “announced”. Details of the attack – such as when it will happen and who the targets are – are released to the public beforehand. In such circumstances, the most important step a company may take is to make sure that all proactive defense actions (such as those listed above) are in place, and to maintain a high level of awareness of their network and their logs.

    Announced operations, with their relatively open disclosure of tactics, tools, and procedures, are golden opportunities for evaluation and improvement of countermeasures in real-world scenarios. Taking advantage of these opportunities helps train people, processes, and technology to recognize signals of a targeted attack regardless of whether it is publicly disclosed or covert.

    However, whether or not there is increased risk brought on by an announced attack, it is important for companies to always have their defenses up. In the end, the costs of keeping networks secure may prove to be minimal compared to mitigating a successful breach.

    Posted in Targeted Attacks


    Sep 2, 10:51 pm (UTC-7)

    Through investigation and collaboration between our researchers and engineers, we discovered a malicious online banking Trojan campaign targeting users in Japan, with the campaign itself ongoing since early June of this year. We’ve reported about such incidents in the past, including in our Q1 security roundup – and we believe this latest discovery shows that those previous attacks have been expanded and are a part of this particular campaign.

    We discovered the online banking Trojan involved in this campaign to be a variant of the Citadel family. Citadel variants are well-known for stealing the online banking credentials of users, directly leading to theft.

    We’ve identified at least 9 IP addresses serving as its command and control (C&C) servers, most of them located in the US and Europe. Monitoring these servers, we also discovered that 96% of the connections to these servers are coming from Japan – further proof that most of the banking Trojan infections are coming from that one specific country.

    In addition to this, we also managed to find out the following about this campaign:

    • Only financial and banking organizations native to Japan are targeted in this attack
    • Popular webmail services (Gmail, Yahoo! Japan mail, Hotmail) were also targeted

    We are currently enhancing the monitoring of the C&C servers related to this campaign. During a six-day period, we detected no less than 20,000 unique IP addresses connecting to these servers, with only a very minimal decrease from beginning to end. This means that a large number of infected systems are still stealing online banking credentials and sending them to the cybercriminals responsible.

    The banks and financial institutions targeted in this campaign have already released warnings and advisories to their customers and loyalists regarding the attack itself. Users are reminded to read these warnings properly before logging into their online banking accounts.

    Trend Micro customers are protected from all related malware and malicious elements in this attack.

    Posted in Bad Sites, Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved.