
    Author Archive - Trend Micro

    This is part of a series of blog posts discussing the Chinese underground. The previous parts may be found here:

    The full paper can be found here.

    Virtual assets – in the form of currency, equipment, or membership in online games – have significant real-world value as well. This is particularly true in China, where online games are a very popular form of entertainment.

    Despite this real-world value, laws against virtual asset theft are neither well developed nor effectively enforced. Because of this, some members of the Chinese underground prefer to target these kinds of assets rather than real-money items.

    The diagram below illustrates the value chain of virtual assets theft in China:

    Broadly speaking, the value chain has three phases: first, the login credentials for online games are stolen via malware or phishing. In the next phase, the credentials are used to steal virtual assets such as in-game money, equipment, or even the account itself. Finally, the crime is monetized by selling these in online marketplaces – for real money.

    Posted in Malware

    We received inquiries about the Gauss attack, which garnered significant media attention as it drew comparisons to Flame. Gauss was designed to steal system-related information and gather banking, social networking, email and instant messaging (IM) credentials. Researchers also surmised that this is possibly the latest in a string of state-sponsored attacks, which first drew widespread attention with the discovery of STUXNET in 2010.

    Similarities with Flame

    As readers may recall, Flame was touted as a cyber espionage tool that employs several information-stealing techniques, including screenshot capture and audio recording. Similar to Flame, Gauss was discovered to have targeted several countries in the Middle East.

    Aside from its geographic scope, Gauss and Flame share several noteworthy technical commonalities, such as:

    • Both were written in the same programming language (C++)
    • Both exploited the same .LNK vulnerability (CVE-2010-2568)
    • Both used USB drives as storage for stolen information/data
    • Both were designed to steal browser history/cookies
    • Both used the same encryption method (XOR)
    • Both contained a similar command and control (C&C) structure

    These shared denominators led researchers to conclude that Gauss may be the handiwork of the same people behind Flame. Despite these similarities, Gauss was designed to focus on stealing information from Lebanese banks like Bank of Beirut, BlomBank, ByblosBank, FransaBank and Credit Libanais, among others. It was also found to target other entities such as Citibank and the online payment system PayPal. To some experts, this fixation on Lebanese banks was proof that this attack may be sponsored by a particular state.

    Trend Micro products protect users from this threat by detecting and deleting the related malware and blocking access to the C&C IP addresses. We will update this blog entry as more information becomes available.

    Update as of August 13, 2012 2:17 AM PST

    Trend Micro detects the file components of this threat as TSPY_GAUSS.A.

    Update as of August 15, 2012 5:35 PM PST

    Trend Micro detects the related malicious JavaScript of this threat as JS_GAUSS.A. Gauss-related URLs were also blocked via web reputation service.

    Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

    Posted in Malware, Targeted Attacks, Vulnerabilities

    This is part of a series of blog posts discussing the Chinese underground; the introductory post can be found here. The full paper can be found here.

    Broadly speaking, the Chinese underground operates with four distinct but inter-related value chains. These are:

    1. Real money theft
    2. Virtual assets theft
    3. Internet resources and services abuse
    4. Blackhat techniques, tools, and training

    We’ll discuss each chain in its own separate blog post. For now, we will concentrate on the first: real money theft.

    More and more users in China are participating in online commerce. By late 2011, 37.8% of Chinese Internet users, or 194 million users, had engaged in online shopping; 167 million had used online payment systems and 166 million had used online banking. This large volume of users engaging in commerce online, using real money and real goods, has attracted large numbers of cybercriminals.

    Broadly speaking, the chain for real money theft in China is not too different from those elsewhere, as seen in the chart below:

    There are many similarities between real money theft elsewhere and in China. Phishing, info-stealing malware, identity theft, and information theft are all part and parcel of information theft syndicates elsewhere. Similarly, the profit methods are not particularly different: money transfers and fake credit cards feature prominently as well.

    Posted in Data

    12:55 pm (UTC-7)

    We have received several reports and inquiries about the file infector PE_QUERVAR.B-O and its infected file, PE_QUERVAR.B. Both are getting some media attention, specifically in Europe, where reports have identified infections registering mostly in the Netherlands.

    Its rapid spread can be explained by two factors:

    1. It infects files commonly used and shared by users: MS Word (.doc, .docx), MS Excel (.xls, .xlsx), and .EXE (normal executable) files. Once a user opens an infected file, the malware automatically looks for other MS Word/MS Excel/EXE files that it will infect in the user’s computer.
    2. It targets drives that DO NOT have a System Volume Information folder. These are commonly mapped network drives and USB/removable drives; a shared drive lets the infection spread very quickly.

    Once files are infected, QUERVAR renames the files and changes the file extension to .SCR, but the file icon remains the same. If the computer view is configured to hide file extensions and the user opens an infected file, nothing will happen and the file will not be opened.

    Note that manually renaming the file will not work. Infected files are also encrypted by QUERVAR, which makes cleanup and restoration more difficult. While some are taking this as a sign that this is ransomware, our analysis so far hasn’t shown that to be the case. We’re not sure why these files are encrypted but are continuing to research that.
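    As an added defender-side example (not code from this post or from Trend Micro), the following Python script applies the two indicators described above: it scans only drive roots that lack a System Volume Information folder, and within them flags .scr files that are really PE executables and whose inner name still carries one of the infected document/executable extensions. The "report.docx.scr" naming pattern and the sample drive layout are assumptions constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Extensions the post says QUERVAR infects; "report.docx.scr" is the assumed naming pattern.
INFECTED_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".exe"}

def lacks_system_volume_information(drive_root):
    # Mapped network and removable drives, the ones the post says QUERVAR targets.
    return not (Path(drive_root) / "System Volume Information").is_dir()

def is_pe_file(path):
    with open(path, "rb") as fh:  # a "document" that is really an executable starts with MZ
        return fh.read(2) == b"MZ"

def find_suspect_scr_files(drive_root):
    # .scr files that are PE images and whose inner name still looks like a document.
    suspects = []
    for dirpath, _dirs, files in os.walk(drive_root):
        for name in files:
            path = Path(dirpath) / name
            if (path.suffix.lower() == ".scr" and is_pe_file(path)
                    and Path(path.stem).suffix.lower() in INFECTED_SUFFIXES):
                suspects.append(str(path))
    return sorted(suspects)

def scan_drives(drive_roots):
    return {root: find_suspect_scr_files(root)
            for root in drive_roots if lacks_system_volume_information(root)}

def build_demo_drive(root, with_svi):
    # Constructed sample layout for the demo, not real QUERVAR samples.
    root = Path(root)
    (root / "docs").mkdir(parents=True)
    if with_svi:
        (root / "System Volume Information").mkdir()
    mz = b"MZ" + b"\x00" * 62                            # fake DOS header
    (root / "docs" / "report.docx.scr").write_bytes(mz)  # renamed and infected
    (root / "docs" / "budget.xls.scr").write_bytes(mz)   # renamed and infected
    (root / "saver.scr").write_bytes(mz)                 # ordinary screensaver, not flagged
    return str(root)

def demo():
    # Scan one removable-style drive and one fixed drive; report hits by basename.
    with tempfile.TemporaryDirectory() as tmp:
        usb = build_demo_drive(os.path.join(tmp, "usb"), with_svi=False)
        fixed = build_demo_drive(os.path.join(tmp, "c"), with_svi=True)
        return {os.path.basename(r): [os.path.basename(p) for p in hits]
                for r, hits in scan_drives([usb, fixed]).items()}
```

Running `demo()` reports only the drive without System Volume Information, listing the two renamed files while leaving the ordinary screensaver alone.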

    Trend Micro products detect both file infectors via the Smart Scan Pattern 9.311.00. It automatically deletes PE_QUERVAR.B-O. Updates will further be posted in this blog entry.

    Update as of 6:28 PM PST

    Trend Micro customers are encouraged to update their patterns to 9.313.00. This pattern restores PE_QUERVAR.B-infected files to their usable state.

    Update as of August 15, 3:59 PM PST

    We saw reports that Citadel Zeus variants were observed to download QUERVAR. While we were unable to confirm this, we analyzed {BLOCKED}.{BLOCKED}.162.163, the IP address which is said to host QUERVAR and Citadel Zeus. Based on our Smart Protection Network, we found out that it also hosts Hermes (detected by Trend Micro as TROJ_GATAKA.AI), which is downloaded by QUERVAR. This leads us to conclude that certain variants of Citadel ZeuS, Hermes and QUERVAR may be coming from a single threat actor.

    Trend Micro also blocks the related IP addresses.

    Update as of August 16, 10:48 PM PST

    The Hermes malware mentioned in the above update is now detected as BKDR_GATAKA.A.



    4:17 pm (UTC-7)

    Trend Micro researcher Lion Gu, together with other security researchers belonging to the China Education and Research Network Computer Emergency Response Team (CCERT) have written a white paper titled Investigating China’s Online Underground Economy containing a comprehensive look into the cybercrime underground in China. The result of months of hard work, research, and thorough analysis, the paper describes the architecture, the targets, and the techniques of Chinese cybercriminals. (The English-language version of this paper was published by the University of California-San Diego’s Institute on Global Conflict and Cooperation.)

    As director for Threat Research Martin Roesler noted, what’s clear from the paper is that the Chinese cybercrime underground has adapted to local conditions. For example, online gamers are at particular risk in China. Many Chinese users lack access to online banking (due to financial constraints), making banking fraud unpopular. However, many of these same users spend money on online games, making attacks against these much more popular.

    Roesler also notes that mobile users are at added risk. Many Internet users in China have no fixed Internet access at home, relying instead on mobile access. This means that in China, mobile malware is far more important than it might be in other regions. Because of the relative lack of availability of other mobile platforms, Android devices are at a particularly high risk in China.

    One thing that the Chinese underground market has in common with other regions is its growth. Not only did we see growth in the number of participants and posts made in popular forums; we also saw much interest in underground forums in would-be attackers being tutored by older, more experienced criminals.

    This degree of knowledge and understanding of the cybercrime underground provides Trend Micro with additional information that is useful in providing comprehensive and timely threat protection. Monitoring of the global cybercrime underground is routinely carried out by our researchers and engineers, providing improved threat intelligence for all Trend Micro users.

    We shall be discussing these, and many more findings, in the next few days.

    Posted in Bad Sites, Hacked Sites, Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice