TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro

6:49 am (UTC-7)

Hacking incidents we’ve documented in the past show a common strategy used by attackers: finding a vulnerability and exploiting it. Whether the victim was the New York Times or a small business in Asia, the starting point was a compromise enabled by a vulnerability, either technical (vulnerable software) or non-technical (an uninformed employee).

This finding highlights the need for a comprehensive defense against such attacks. As one of our researchers, Jim Gogolinski, said in a previous report, companies are not helpless against targeted attacks. However, building a solid defense strategy requires resources as well as diligence from the organization itself.

For hacking attacks in particular, keeping a company’s network secure requires both proactive and reactive security strategies. Below are some tips that may help IT administrators keep their company’s network secure.

    Proactive Steps Against Hacking Attacks

• Implement a program to regularly test and deploy updates, especially security updates.
• Check that the software installed on all endpoints and servers is up to date.
• Make sure that security software is present (and in use) across the board, and that it is configured to detect and block each phase of an attack, observing indicators on the network, on disk, and in memory.
• Build processes and standard operating procedures (SOPs) with security in mind. This applies not just to employees but to partners, contractors, and customers as well.
• Investigate any anomalous network or system behavior. Attacks are known to begin with reconnaissance, and such suspicious activity may be the first sign of one.
• Continuously plan and review your incident response procedures with all necessary parties (not only IT groups). Jim also discussed how to implement these procedures in his earlier report, How Can Social Engineering Training Work Effectively?

    What to Do in Case of an Attack

In the past, some attacks have been “announced”: details of the attack, such as when it will happen and who the targets are, are released to the public beforehand. In such circumstances, the most important step a company can take is to make sure that all proactive defenses (such as those listed above) are in place, and to maintain a high level of awareness of its network and its logs.

Announced operations, with their relatively open disclosure of tactics, tools, and procedures, are golden opportunities to evaluate and improve countermeasures in real-world scenarios. Taking advantage of these opportunities helps train people, processes, and technology to recognize the signals of a targeted attack, whether it is publicly disclosed or covert.

However, whether or not an announced attack raises the risk, it is important for companies to always have their defenses up. In the end, the cost of keeping networks secure may prove minimal compared to the cost of mitigating a successful breach.

    Posted in Hacked Sites, Targeted Attacks | Comments Off

10:51 pm (UTC-7)

Through investigation and collaboration between our researchers and engineers, we discovered a malicious online banking Trojan campaign targeting users in Japan; the campaign has been ongoing since early June of this year. We have reported on such incidents in the past, including in our Q1 security roundup, and we believe this latest discovery shows that those previous attacks have been expanded and are part of this particular campaign.

We found the online banking Trojan involved in this campaign to be a variant of the Citadel family. Citadel variants are well known for stealing users’ online banking credentials, which leads directly to theft.

We have identified at least nine IP addresses serving as its command-and-control (C&C) servers, most of them located in the US and Europe. Monitoring these servers, we also found that 96% of the connections to them come from Japan, further evidence that most of the banking Trojan infections are in that one country.

    In addition to this, we also managed to find out the following about this campaign:

    • Only financial and banking organizations native to Japan are targeted in this attack
    • Popular webmail services (Gmail, Yahoo! Japan mail, Hotmail) were also targeted

We are currently enhancing our monitoring of the C&C servers related to this campaign. During a six-day period, we detected no fewer than 20,000 unique IP addresses connecting to these servers, with only a very minimal decrease from beginning to end. This means that a large number of infected systems are still stealing online banking credentials and sending them to the cybercriminals responsible.

The banks and financial institutions targeted in this campaign have already released warnings and advisories to their customers regarding the attack. Users are reminded to read these warnings carefully before logging into their online banking accounts.

    Trend Micro customers are protected from all related malware and malicious elements in this attack.

    Posted in Bad Sites, Malware | Comments Off

3:00 am (UTC-7)

We recently reported on an unusual attack involving exploit kits and file infectors. What makes the attack even more notable is that the file infectors used also have information-theft routines, a behavior uncommon among file infectors. These file infectors are part of the PE_EXPIRO family, which was first spotted in 2010. It is possible that this specific attack was intended to steal information from organizations or to compromise websites.

Further analysis shows that the attack used Styx as its exploit kit. Styx has received much press for its role in delivering malware onto systems. Its use in this particular attack may be due to two differences between Styx and other exploit kits:

• Multiple exploit pages – Styx distributes the malicious script across multiple pages, which are connected by HTTP redirects
• Cross-IFRAME data access – Styx accesses data across IFRAMEs via JavaScript

Distributing the malicious script across multiple pages is quite unusual, since most exploit kits use only one page. Additionally, while exploit kits commonly store data in an HTML tag and access it via JavaScript, Styx does it differently: other exploit kits store the data in the same HTML page, whereas Styx puts the tags in another IFRAME. Both techniques can be read as ways of avoiding detection, because a scanner that inspects only the landing page, or only one frame, never sees the script and the data it operates on together.
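As an added illustration (not Styx’s code, and not from the original post), the following Python models the difference between a scanner that looks at one page and one that follows redirects and frames the way a browser does. The mini-site it crawls is constructed for the example and laid out like the two traits above: the landing page only carries a tiny IFRAME, two redirects lead to a gate page, and the gate page loads two sibling frames, one holding the script and one holding the data the script reads through `parent.frames[]`. All hostnames, paths, function names and the indicator labels are assumptions.

```python
import re
from urllib.parse import urljoin

# Constructed mini-site (not captured traffic), url -> (status, headers, body).
SITE = {
    "http://landing.invalid/index.html": (200, {}, """<html><body>
<h1>Welcome</h1><iframe src="/ad/1" width="1" height="1"></iframe>
</body></html>"""),
    "http://landing.invalid/ad/1": (302, {"Location": "http://hop.invalid/go"}, ""),
    "http://hop.invalid/go": (302, {"Location": "http://gate.invalid/x.html"}, ""),
    "http://gate.invalid/x.html": (200, {}, """<html><body>
<iframe name="s" src="/s.html"></iframe>
<iframe name="d" src="/d.html"></iframe>
</body></html>"""),
    "http://gate.invalid/s.html": (200, {}, """<html><body><script>
var p = parent.frames["d"].document.getElementById("p").innerHTML;
eval(unescape(p));
</script></body></html>"""),
    "http://gate.invalid/d.html": (200, {}, """<html><body>
<div id="p">%76%61%72%20%78%3d%31%3b%2f%2f</div>
</body></html>"""),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
CROSS_FRAME = re.compile(r"\b(?:parent|top)\s*\.\s*(?:frames|document)\b")
EVAL_LIKE = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(")
ENCODED_BLOB = re.compile(r"(?:%[0-9a-fA-F]{2}){8,}")
HIDDEN_IFRAME = re.compile(r"<iframe\b[^>]*\b(?:width|height)=[\"']?[01]\b", re.I)


def fetch(site, url):
    """Stand-in for an HTTP GET against the constructed site; 404 if unknown."""
    return site.get(url, (404, {}, ""))


def follow_redirects(site, url, max_hops=10):
    """Return (final_url, hops) by following Location headers, with loop and length guards."""
    hops, seen = [], {url}
    while True:
        status, headers, _ = fetch(site, url)
        if status not in REDIRECT_STATUSES or "Location" not in headers:
            return url, hops
        url = urljoin(url, headers["Location"])
        if url in seen or len(hops) >= max_hops:
            return url, hops  # redirect loop or suspiciously long chain: stop here
        hops.append(url)
        seen.add(url)


def iframe_srcs(html):
    return re.findall(r"<iframe\b[^>]*\bsrc=[\"']([^\"']+)", html, re.I)


def scripts(html):
    return re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.I | re.S)


def crawl(site, start, max_pages=50):
    """Breadth-first walk over IFRAMEs, resolving redirects for each: {final_url: (body, hops)}."""
    pages, queue = {}, [start]
    while queue and len(pages) < max_pages:
        final, hops = follow_redirects(site, queue.pop(0))
        if final in pages:
            continue
        body = fetch(site, final)[2]
        pages[final] = (body, hops)
        queue.extend(urljoin(final, src) for src in iframe_srcs(body))
    return pages


def indicators_for(body, hops):
    """Styx-style traits visible in one page plus the redirect chain that led to it."""
    found = set()
    if len(hops) >= 2:
        found.add("redirect-chain")  # several hops just to load one frame
    if HIDDEN_IFRAME.search(body):
        found.add("hidden-iframe")
    js = scripts(body)
    for src in js:
        if CROSS_FRAME.search(src):
            found.add("cross-frame-access")  # script reads another frame's DOM
            if EVAL_LIKE.search(src):
                found.add("eval-of-frame-data")
    if not js and ENCODED_BLOB.search(body):
        found.add("stashed-encoded-data")  # script-less page whose only content is a blob
    return found


def scan_landing_only(site, url):
    """What a scanner that inspects just the first page sees."""
    return indicators_for(fetch(site, url)[2], [])


def scan_chain(site, url):
    """What a scanner that follows redirects and frames sees, plus the pages it visited."""
    pages = crawl(site, url)
    found = set()
    for body, hops in pages.values():
        found |= indicators_for(body, hops)
    return found, sorted(pages)


if __name__ == "__main__":
    print("landing only:", scan_landing_only(SITE, "http://landing.invalid/index.html"))
    print("full chain:  ", scan_chain(SITE, "http://landing.invalid/index.html"))
```

Run against the constructed site, the landing-only scan reports nothing beyond a generic 1×1 IFRAME, while the chain-following scan reaches four pages and sees the two-hop redirect, the script reading a sibling frame and feeding it to `eval`, and the script-less frame holding only an encoded blob. The redirect follower keeps a visited set and a hop limit so a kit that loops or chains redirects indefinitely cannot stall the scanner.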

The initial report mentioned several vulnerabilities exploited by this attack. Continued analysis showed that TROJ_PIDIEF.XJM used an old vulnerability, CVE-2010-0188, which affects specific versions of Adobe Reader and Acrobat. The use of an old vulnerability and the enhancement of the PE_EXPIRO malware are further proof that older, if more refined, threats are still present in today’s landscape.

Regularly updating systems can help prevent infections from attacks such as these. Trend Micro blocks all URLs related to this attack. Trend Micro Deep Security blocks the associated Java and PDF files using the following rules:

    • 1005598 – Identified Malicious Java JAR Files – 3
    • 1005599 – Identified Malicious PDF Document – 10
    • 1005410 – Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2013-1493)

    Screenshot of Deep Security log

    Additional analysis by Kai Yu, Mark Tang, Michael Du, Pavithra Hanchagaiah, and Manoj Subramanya


    Posted in Malware, Vulnerabilities | Comments Off

2:30 am (UTC-7)

Trend Micro, working with the Organization of American States (OAS), has released a study outlining the current state of cybersecurity in Latin America. The joint paper is titled Latin American and Caribbean Cybersecurity Trends and Government Responses. The region has a threat landscape that differs from other parts of the world, with key differences in the threats seen, the cybercrime underground, and the ability of governments to respond. (We have also created an infographic that looks at the broader cybercrime underground.)

Looking at the feedback provided by the Smart Protection Network, the most common threat in Latin America and the Caribbean was file infectors, as this chart of the top malware threats in 2012 illustrates:

    Figure 1. Top Malware Threats in 2012

The continued prevalence of old threats like file infectors indicates a lack of awareness of safe computer and Internet usage among the population.

As part of the study, we surveyed representatives from various OAS member governments. Their responses revealed that citizens remain unconcerned about and unaware of the dangers of cybercrime and hacking. Internet users in Latin America do not always keep their anti-malware solutions up to date and pay little attention to security concerns.

This may prove problematic in the long run, considering that Internet use in the region is growing at one of the highest rates worldwide. Unsafe use of the Internet is already feeding the high levels of cybercrime in Latin America.

The region’s threat landscape is filled with organized groups driven by a mix of political and financial motives. What makes it stand out are new techniques and malware that allow attackers to target industrial control systems (ICS), which are critical to the smooth operation of essential services such as utilities, banks, and water-purification plants.

The cybercriminal underground, meanwhile, remains focused on stealing sensitive information and profiting from it with the help of banking Trojans and botnets. The Latin American situation has changed, however, probably in response to the botnet crackdowns in Eastern Europe. For instance, the region’s threat actors use free hosting services instead of hijacked servers to evade law enforcement operations. They also trade cybercrime tools and stolen information over social networks and chat services, most notably Orkut and IRC.

    Figure 2. Ads for tools and information

Governments in Latin America realize these dangers and are taking steps to protect their users and critical infrastructure. However, survey responses indicate that measures against cybercrime remain patchy and uneven across the region. Many OAS member states began their cybersecurity efforts by establishing Computer Security Incident Response Teams (CSIRTs) as part of their cybersecurity strategy, as in the case of Colombia and Panama. Other countries, including Chile, Peru, Mexico, Trinidad and Tobago, and Uruguay, are endeavoring to do the same.

On the whole, political leaders are aware of the dangers of cybercrime and hacking, but efforts are often restricted by the lack of resources dedicated to building cybersecurity capacity and by a shortage of the specialized knowledge and expertise needed to implement technical policies.

    The study includes three recommendations for governments and organizations in the region to help improve the state of cyber security. These are:

1. Raise awareness of safe cyber habits and general cybersecurity among Internet users, critical-infrastructure operators, and government employees; this is a cheap and effective way to minimize cyber risks and close security gaps that remain wide open.
2. Invest in and promote enrollment in technical-degree programs to ensure an ample pool of qualified candidates for the increasing number of information security careers.
3. Continue strengthening policy mechanisms that assign governmental roles and responsibilities related to cybersecurity and that codify information-sharing and cooperation mechanisms.

    You may read the full paper here. For Spanish-speakers, you may also read the full paper in Español.


    Posted in Bad Sites | Comments Off

8:47 pm (UTC-7)

Big Data brings with it its own tools and frameworks, needed to manage the truly enormous volumes of data that are generated, analyzed, and correlated.

One of the frameworks that has found success in Big Data is Hadoop, which is managed by the Apache Software Foundation. Hadoop is used by a wide variety of organizations to store and process large quantities of data across computer clusters using simple programming models.

Trend Micro also uses Hadoop in its own environments, and we saw opportunities to help improve Hadoop’s security model. We have worked with other Hadoop developers to improve three key areas:

    #1: Developing a Coprocessor API for HBase

HBase is a scalable, distributed database built on top of Hadoop and the Hadoop Distributed File System (HDFS). We worked with other developers to introduce a coprocessor API to HBase. A coprocessor is code loaded into the HBase master and region servers that can observe and intercept operations, which lets developers add functionality to their HBase deployments without changing HBase itself.

This lets Hadoop users customize their installations with features that are not part of the original HBase feature set. While not a security feature in itself, it was essential for the second area where we contributed to Hadoop.

    #2: Using the Coprocessor For Access Control

With the ability to add new features in place, Trend Micro worked to add access control to HBase using the new coprocessor API. Because the access controller sits in the request path as a coprocessor, it can check every read and write against the permissions an administrator has granted at the table, column family, or column qualifier level, giving database administrators far more precise control over what each user may do.

This may not sound like a significant addition, but it is. It makes multi-tenant use of a Hadoop/HBase cluster much more secure, as each user can be assured that their data is not accessible to other parties.
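As an added example (not configuration from the original post, nor a file shipped by HBase), this is the hbase-site.xml fragment an administrator uses to load the AccessController coprocessor on the master and the region servers. The property names and class names are those of Apache HBase; the choice of values is an assumption about a typical secure deployment.

```xml
<!-- hbase-site.xml fragment: enable the access-control coprocessor.
     Added example, not from the original post. -->

<!-- Identity first: without authentication, the client asserts its own
     username and the grants below authorise whoever claims a name. -->
<property>
  <name>hbase.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hbase.security.authorization</name>
  <value>true</value>
</property>

<!-- Load AccessController where DDL is handled (master) ... -->
<property>
  <name>hbase.coprocessor.master.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<!-- ... and where reads and writes are served (regions). TokenProvider issues
     the delegation tokens MapReduce jobs use to act on a user's behalf. -->
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
```

Once the coprocessor is loaded, permissions are managed from the HBase shell, for example `grant 'alice', 'RW', 'orders', 'cf'` to give one user read and write access to a single column family, `revoke 'alice', 'orders'` to take it away, and `user_permission 'orders'` to list what is currently set. The point a practitioner should check is the first block: an access controller is only as trustworthy as the identity it is handed, so authorization without Kerberos authentication provides separation between tenants in name only.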


    Posted in Data | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice