    Jun 5, 12:26 pm (UTC-7)   |    by

    On Sunday, Microsoft issued Security Advisory 2718704 which announces an update that revokes the trust of two Microsoft-issued intermediate Certificate Authority (CA) certificates for all currently supported versions of Windows. The certificates revoked are:

    • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
    • Microsoft Enforced Licensing Registration Authority CA (SHA1)

    As outlined in Microsoft’s initial advisory, analysis of the Flame attack has shown that these certificates were used to issue unauthorized digital certificates, which the attackers then used to make components of Flame appear to be signed by Microsoft. This made those malware components falsely appear to be Microsoft code, and it appears to have played a role in infecting systems through a man-in-the-middle (MitM) attack against Microsoft’s Windows Update mechanism.

    While we and others have said that the Flame attack is limited and not a broad threat to customers, the ability to sign malicious code with these certificates and bypass security checks does represent a potential, broad threat. While there is no indication at this time that other attacks have used these certificates to make malware look legitimate, it is a very real possibility that this could happen in the future.

    We are urging all customers to deploy the updates associated with Microsoft Security Advisory 2718704 as soon as possible. This update will invalidate these certificates and flag any code signed by them, including possible malware, as untrusted.

    As of Monday evening, Microsoft has also indicated on their blog that they will be issuing an additional update in the future to provide additional protections for the Windows Update mechanism against man-in-the-middle attacks. We urge all customers to make preparations now so that when this update is available, it can be deployed as soon as possible.

    While there is no indication of broad attacks utilizing either the fraudulent digital certificates or man-in-the-middle attacks against Windows Update, these are very serious issues with the potential to be utilized for broad attacks. Customers should deploy the update available now as soon as possible, and deploy the soon-to-be-released update as soon as it becomes available.

    As we’ve noted, Trend Micro customers are protected against the Flame malware. In addition to deploying these updates as soon as possible, customers should ensure their Trend Micro products are running the latest updates and signatures to help ensure the broadest protection against any attempts to use these mechanisms in attacks.

    As always, we will provide new information to customers as we find it on our blog.
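A defender-side check for the revocation described above, added here as an example and not part of the Trend Micro post: once the advisory 2718704 update is applied, Windows places the two revoked intermediates in the machine's Untrusted Certificates (Disallowed) store, so the script confirms they are present there and inspects whether a signed file's Authenticode chain runs through one of them. The subject-name patterns come from the post; the sample file path is an assumption.

```powershell
# Subject-name fragments of the intermediates named in Security Advisory 2718704.
$RevokedSubjects = @(
    'Microsoft Enforced Licensing Intermediate PCA',
    'Microsoft Enforced Licensing Registration Authority CA'
)

function Test-Advisory2718704Applied {
    # After the update, the revoked intermediates sit in the Disallowed store.
    $disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed
    $found = foreach ($pattern in $RevokedSubjects) {
        $disallowed | Where-Object { $_.Subject -like "*$pattern*" }
    }
    [pscustomobject]@{
        Applied = (@($found).Count -ge 1)
        Entries = @($found) | Select-Object Subject, Thumbprint, NotAfter
    }
}

function Test-SignerChainForRevokedCA {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        # Unsigned or unreadable file: nothing to chain, report the raw status.
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; RevokedIssuer = $false }
    }
    # Build the signer's chain and look for any revoked intermediate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    $hit = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject } |
        Where-Object { $s = $_; $RevokedSubjects | Where-Object { $s -like "*$_*" } }
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status   # reports NotTrusted once the update is in place
        RevokedIssuer = [bool]$hit
    }
}

Test-Advisory2718704Applied
Test-SignerChainForRevokedCA -Path 'C:\Windows\System32\notepad.exe'   # assumed sample path
```

A file whose chain includes one of these intermediates should show RevokedIssuer true and Status NotTrusted on a patched host; if Applied is false, the update has not taken effect.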

     
    Posted in Vulnerabilities | Comments Off


    May31
    2:11 pm (UTC-7)   |    by

    In our recent post about the Flame malware, we promised to update you with information from our ongoing investigation. Today we wanted to give you the latest information on the threat itself, protections available for Trend Micro customers and results from our analysis so far. In a nutshell, while Flame is a very interesting piece of malware, it’s not a broad threat.

    Flame has been noteworthy the past few days. But it’s noteworthy because of the nature of the malware and what appears to be its very limited and specific targets. Flame right now is not a significant threat to users more broadly. Information from our Smart Protection Network™ and working with customers show actual numbers of infections to be extremely low and confined to the Middle East and Africa regions.

    The threat from Flame is lessened even more for Trend Micro customers because they are protected against the attack both through current signatures (which detect the malware as WORM_FLAMER.A and the configuration files as TROJ_FLAMER.CFG) and URL blocking of identified command and control (C&C) servers.

    In terms of analysis, our focus is on protecting Trend Micro customers, so our ongoing analysis is focused on identifying additional C&C servers, because these are geographically dispersed and can move. Interestingly, our analysis shows C&C servers located primarily in Europe and Asia.

    The malware itself is focused on stealing data and is very large, making thorough analysis slow. In this case, the largeness is due to the multi-faceted capabilities of the malware: it has been equipped with a variety of tools to accomplish its mission once it’s made its way into the target network. Some of the components that it includes date back to 2009.

    As Rik Ferguson also noted, the malware is unusual because it appears to be written in the Lua programming language, which is often used as a scripting language by game developers and is not typically used for malware.

    Our analysts are continuing to work to understand all the components in this malware, and in particular to keep adding URL blocking as new C&C servers are identified. While Flame itself doesn’t represent a broad risk right now, there is a risk that the malware will be taken up by others and repurposed for broader attacks, as we have seen with similar threats such as Stuxnet. Our worldwide teams are watching for that, and if we see it, we will add protections and provide information for Trend Micro customers on this blog as soon as possible.

    Update as of June 1, 2012 3:17 AM PST

    Trend Micro protects enterprises from the malicious network packets related to FLAME via Trend Micro Deep Discovery.

    Update as of June 4, 2012 2:49 AM PST

    Trend Micro has been protecting users against the two vulnerabilities used to deploy Flame since 2010. In particular, Trend Micro Deep Security protects users from exploits targeting MS10-061 via rule 1004401 (released in September 2010) and MS10-046 via rules 1004314, 1004293, 1004294, 1004308, 1004304, and 1004302 (released in July and August 2010).

    Update as of June 4, 2012 7:21 PM PST

    Microsoft issued Security Advisory 2718704 to revoke two certificates that are being used by Flame components. Users running Windows XP, Vista, Server 2003, Server 2008 (Server Core Installation included), and 7, as well as Windows Mobile 6, 7, and 7.5 users are advised to run Microsoft Update to download and install the security update from Microsoft.

     
    Posted in Malware, Targeted Attacks | Comments Off


    May29
    5:02 pm (UTC-7)   |    by

    We were alerted to reports about the information-stealing malware Flame, which has reportedly been seen in Iran and certain other countries since 2010. Dubbed the most sophisticated malware to date, Flame is capable of performing several information-stealing techniques, including capturing screenshots and recording audio via the affected computer’s microphone. Because of its scope and specific targets, Flame has drawn comparisons to other notorious threats such as Stuxnet, the malware that surfaced in 2010 and targets SCADA systems.

    Trend Micro detects the Flame malware as WORM_FLAMER.A. In our ongoing analysis, we’ve found that this worm spreads via removable drives. It is also capable of spreading to other computers in a local network once one machine within that network is infected. Other significant routines of this worm include its ability to terminate running processes that are mostly anti-malware, firewall, or other security-related processes; capturing screenshots and recording audio; propagation; and its ability to log and report its activities.
</gml_replace>
<gr_replace lines="97" cat="clarify" orig="Trend Micro has been">
    Trend Micro has been protecting users against the two vulnerabilities used to deploy Flame since 2010. In particular, Trend Micro Deep Security protects users from exploits targeting MS10-061 via rule 1004401 (released in September 2010) and MS10-046 via rules 1004314, 1004293, 1004294, 1004308, 1004304, and 1004302 (released in July and August 2010).

    Trend Micro protects users from WORM_FLAMER.A by detecting and removing it from affected computers. The configuration files, TROJ_FLAMER.CFG, used by this worm are also detected and removed from systems. We will regularly update you in succeeding blog entries as we find more results in our investigation.

    Update as of May 29, 2012, 8:54 PM PST

    In addition to detecting WORM_FLAMER.A and its configuration files, Trend Micro also blocks access to all found related URLs as we move forward with our investigation.

    Update as of June 5, 2012, 1:02 AM PST

    Trend Micro has been covering users from the two vulnerabilities used to deploy Flame since 2010. In particular Trend Micro Deep Security protects users from exploits targeting MS10-061 via rule 1004401 (released on September 2010) and MS10-046 via rule 1004314, 1004293, 1004294, 1004308, 1004304, and 1004302 (released on July and August 2010).

    Moreover, as more components are uncovered in relation to Flame, new findings indicate that some of these components might be using certificates issued by Microsoft. To mitigate this risk, Microsoft issued Security Advisory 2718704 to revoke two certificates that are being used by Flame components. Users running Windows XP, Vista, Server 2003, Server 2008 (Server Core Installation included), and 7, as well as Windows Mobile 6, 7, and 7.5 users, are advised to run Microsoft Update to download and install the security update from Microsoft.

     
    Posted in Malware, Targeted Attacks | Comments Off



    Today, Trend Micro is proud to announce that we are taking part in Facebook’s new security initiative to help protect its more than 900 million users against the wide variety of threats that target users of the world’s most popular social network.

    As part of this initiative:

    • Facebook and Trend Micro will work together to leverage the latter’s threat intelligence capabilities, particularly its knowledge of malicious websites, to protect Facebook users. This means even non-Trend Micro users of Facebook will also be protected by the enhanced capabilities of the Trend Micro™ Smart Protection Network™ against threats commonly found on the social network like survey scams.
    • Users in the US, Canada, Britain, and Australia can download a free copy of either Titanium™ Security Essentials (for Windows users) or Smart Surfing (for Mac users). This free copy will be valid for six months, and all users have to do is like the Fearless Web page and visit the new AV Marketplace section to download a copy.

    Among the threats that users face on Facebook are survey scams, which frequently leverage the latest viral trend du jour. In the most recent example we’ve seen, fake news of Justin Bieber supposedly stabbing a fan was used to lure users onto malicious sites that redirected them to various survey sites.

    Upon completing the “win an iPad 2 UK” offer, viewers are redirected to several other pages where more videos (and survey scams) are hosted.

    Posted in Exploits, Malware, Social, Spam


    Apr 17, 7:00 am (UTC-7)   |    by

    Following the so-called “Year of Data Breaches,” the first quarter of 2012 veered away from attacks that led to data loss and, instead, focused on mobility. The mobile threat incidents we’ve seen in the first quarter remained true to one of our 2012 predictions: Android-based smartphones will continue to be a likely target for cybercrime. Trend Micro, in fact, identified approximately 5,000 new malicious Android apps in just the first three months of the year, most likely due to the growing Android user base.

    Advanced persistent threat (APT) campaigns like Luckycat continued, aided by trends like consumerization and outsourcing as well as by interaction with new technologies, platforms, and entities, which seemingly broadened the attack surface. Proving once again just how important data is, the Luckycat campaign attacked a diverse set of targets using a variety of malware.

    As in the past, hard-to-resist social engineering lures played a huge role in getting victims, regardless of device, to click malicious links, download malware, or visit malicious sites. Interest in new platforms like Pinterest again proved that with popularity came notoriety.

    The past three months have been rife with different kinds of threats with one common denominator: mobility. Simply put, going mobile opened up several opportunities for users and cybercriminals alike. Though it’s true that the rise of mobility is full of potential, the issue of security should always remain at the forefront.

    To take a closer look at the security landscape in the first quarter, read our comprehensive report, “Security in the Age of Mobility.”

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice