Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    January 2015
    S M T W T F S
    « Dec    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Trend Micro

    12:54 am (UTC-7)   |    by

    Home surveillance/security cameras have been available for quite some time, and can be used to keep track of one’s home, children, pets, or business.  These devices are, in some ways, the first exposure of people to the Internet of Things.

    For most people, home surveillance means setting up a camera and using the Internet to access the camera feed in real-time. Higher end camera models can even be controlled remotely, making them useful for monitoring a large area with a single camera. This is a marked difference from previous iterations of home surveillance, which had restrictions or limitations in terms of accessibility.

    Online and Open Accessibility

    The older generation of security cameras required the configuration of the home router such as port forwarding, so that you can view the video feed remotely. While convenient, this set-up means that the camera is also accessible to pretty much anyone with an Internet connection.

    There are websites that scour the Internet for Internet-connected security cameras. One such site is Shodan. By logging in to Shodan, a person can find a specific camera based on the brand and IP address.

    Figure 1. Search results from Shodan

    There are even sites that offer streaming videos of publicly accessible cameras. A now-inaccessible Russian site took advantage of default usernames and passwords to access and upload camera feeds online. According to an article by CNN, the site featured streams from 4,600 cameras in the U.S. and thousands more in 100 countries. A quick online search revealed the existence of other, similar sites. There are even mobile apps that provide real-time streaming from cameras across the world.

    Figure 2. Camera feeds all over the world

    Managing Access

    Perhaps in a direct response of this issue, the newer generation of security cameras usually provides some form of cloud management and/or viewing functions.  Once configured, the camera communicates to the vendor cloud servers, allowing users to view the feed by logging into a web portal or by using mobile apps published by the vendor.

    In this set-up, the camera communicates to the vendor cloud servers only.  Connections initiated from the Internet cannot reach the camera, as the home router blocks them.  The camera is more secure from activities like unauthorized remote viewing.

    Vendor and User Security

    Accessibility issues aside, another important issue for these cameras is data protection. Vendors should provide strong encryption for all data/video feed from device to cloud servers to protect user privacy.  However, we found that some popular camera brands are still lacking in their security implementation.

    For example, the screenshot below is the packet capture between a D-Link DCS-932L camera communicating with the D-Link cloud server.  Certain traffic from the camera to the cloud servers is encrypted, but not all. There is still clear text communication over the Internet. Such an issue can only be addressed by the vendor, not the users.

    Figure 3. Clear text communication between server and camera

    The Importance of User Initiatives

    While some issues can only be addressed by camera vendors, this doesn’t mean that users should rely on security features offered by the cameras. The existence of the live stream sites shows the importance of changing default login credentials and using strong usernames and passwords. Strong authentication should be also used for home networks, to avoid any unauthorized access.  Users can also refer to our entry, Security Considerations for Consumers Buying Smart Home Devices, for a comprehensive discussion on buying smart devices.



    Our engineers were investigating a case involving a targeted attack when they came across a custom tool called vtask.exe. Once executed, vtask.exe hides Windows tasks in the current session. What’s curious about this attacker-created tool is that it appears to have been compiled in 2002—twelve years ago.

    A Look at Vtask

    The compiler time shows that Vtask is a tool written in Visual Basic (VB) and compiled on November 2002. We can image the situation 12 years ago: Decompilers for VB programs were not available yet, which made analysis of this tool difficult.

    Vtask.exe requires an .OCX component generated by the old VB compiler. In this case, the required .OCX component is mshflxgd.ocx. A compiler is not necessary but the .OCX file is in order for Vtask to run. It bears stressing that mshflxgd.ocx is a common library. Other software may use it as well. The presence of this component doesn’t automatically mean the computer also has Vtask.

    Vtask is not a rootkit, so it can only hide windows of executables, not processes. We can still see the processes running in the background via Task Manager.

    Hiding Running Tasks

    Vtask is used to hide windows of executable programs. This tool is especially useful when the platform of the targeted computer is not a Windows Server version. Windows Server allows multiple users to log in, with each login having a different version of the desktop, even if they use the same login credentials.

    If the targeted computer runs on Windows Server, the users will not be able to see the desktop of the attacker.

    Figure 1. Desktop before Vtask is launched

    Figure 2. Desktop after Vtask has launched

    However, if the computer runs on platforms other than Windows Server, only one user can be logged at a time. Thus, when the user logs on, the attacker loses the view of the desktop. Vtask is used to automatically hide the ongoing tasks conducted by the attacker.

    Read the rest of this entry »

    Posted in Targeted Attacks |

    Last July we came across a crypto-ransomware variant known as Critroni or Curve-Tor-Bitcoin (CTB) Locker. We observed recent improvements to the CTB malware, which now offer a “free decryption” service, extended deadline to decrypt the files, and an option to change the language of the ransom message. These new variants also demand payment of 3 BTC (around $USD 630), while older ones seen in July only charged 0.2 BTC, or $USD 24.

    Along with these improvements, we are also seeing a spike in these attacks in several regions, mainly in Europe-Middle East-Africa (EMEA), China, Latin America and in India.

    CTB-Locker Infection

    We have previously reported about CTB Locker’s use of Tor to hide its activities but this new variant comes with notable, new differences.

    This CTB-Locker variant arrives via spammed emails. These spammed messages were sent in different languages and often pretend to contain important notices so that the recipient is tricked into opening the attachment, which we noticed was archived twice.

    Some of the spam samples used in these attack were sent by systems that are part of the long-running CUTWAIL botnet. CUTWAIL is known for reusing available resources (including bots); it should not be a surprise that some of the IP addresses identified as part of this spam run have been part of our spam blacklists for years, with some addresses being blacklisted as early as 2004.

    Figure 1. Sample spam emails with malicious .ZIP attachment that contain the downloader malware, TROJ_CRYPCTB.SMD

    The attachment is actually a downloader malware, detected as TROJ_CRYPCTB.SMD. This malware connects to several URLs, leading to the download of the CTB-Locker malware onto the computer. This ranswomware is detected as TROJ_CRYPCTB.SME. Checking these URLs, we determined that they are all compromised and based in France. The malware goes through a round-robin type of method to select which URL to download the malware from.

    Here’s a diagram explaining the attack, whose infection chain begins with the spammed message accompanies with a malicious .ZIP attachment as show in the sample spam in Figure 1.

    Figure 2. Sample CTB-Locker infection chain

    New Developments

    The older TROJ_CRYPCTB.A variant seen in July gave users only 72 hours, while this new one allots users 96 hours for payment. The extension of the deadline might be for practical reasons: a longer deadline could mean more victims will be able to pay the fee.

    Pressing “next” leads to a page that displays a “Test Decryption” portion, in which the malware entices users with this freebie. The “Test Decryption” portion allows decrypt for five random files, seemingly to convince users that the decryption actually works. There are additional instructions that inform the user not to rename or delete files, and only chosen files will be decrypted. The malware also displays the ransom message in other languages like German, Dutch, and Italian.

    Pressing ‘Next’ leads to the payment page, where the malware instructs victims to pay the amount of 3 BTC or $USD 630 in order to proceed with the file decryption; otherwise, all the files will permanently remain encrypted. The message also includes instructions on paying the ransom via Tor browser. Below is a comparison between the older CBT-Locker variant we saw in July 2014 and its latest version.

    Figure 3. New CBT-Locker variant demands up to $USD 630 or 3 BTC in order for users to decrypt their files

    The message states that victims must pay the ransom by the deadline. Otherwise, all the files will permanently remain encrypted.

    Analysis of the variant revealed a feature previously unseen in CTB Locker variants—the chance to decrypt files for free. This freemium model was seen in the malware CoinVault, but this CTB Locker variant upped the ante by allowing the victim to choose five files, rather than just one, to be decrypted.

    The free decryption can be seen as a way to convince users to pay the ransom. Decrypting the files show the victim that their other files can actually be recovered—if they pay the fee.

    Figure 4. “Free decryption” service

    Another unique function or feature found in this variant is that the ransom message gives the user the option to select the language, apart from English. So far, three more languages were spotted:, Italian, German, and Dutch.

    Figure 5. Random messages in three more languages. Top left: Italian; Top right: German; Bottom: Dutch

    Protection Against Crypto-Ransomware

    The first line of defense in staying protected against this new type of ransomware is knowing how to properly discern spammed emails from legitimate ones. Though some emails may look legitimate in nature, it’s always best to check the sender’s address, subject line, and of course email contents for anything that appears suspicious.

    Always remain cautious when dealing with unfamiliar files, emails, URLs, and most especially, email attachments. While it might be tempting to take the “free decryption” bait and pay the ransom, there is no guarantee that the cybercriminals will actually decrypt your files and have everything back to normal.

    Users should also remember to routinely back up their data. The 3-2-1 principle should be in play: three copies, two different media, one separate location.

    Related hashes for the downloader of CRYPCTB ransomware:


    Related hashes for CRYPCTB:

    With additional analysis by Homer Pacag, Lala Manly, Merianne Polintan, Michael Casayuran, Paul Pajares, Rika Gregorio and Ruby Santos


    2015 has just begun, but we’re already seeing old problems crop up again – particularly the abuse of a lot of legitimate web sites. Since the start of the year, we’ve been seeing a significant increase in the number of spammed messages with links that lead to various Russian dating sites.

    Figure 1. Sample of dating site spam

    While messages of these types are fairly common, this recent wave is unusual in several ways. First, the level of dating site spam is higher than normal. On one day alone (January 4), we identified more than 150,000 email samples which had been received by our honeypots. These have been sent by more than 50,000 unique IP addresses.

    The senders of these messages are also unusual. These types of spam messages tend to be sent from known spam-sending IPs. That was not the case here. These senders were sent from IPs that had not been used to send spam before. In addition, these IP addresses appear to be part of /23 or /24 IP address blocks, without any associated domain names (or meaningless ones).

    These spam-sending IPs are located in a wide variety of countries. Of the more than 50,000 spam-sending IPs we mentioned earlier, only Iran has a double-digit share with 11.37% (more than 5,700 IPs). The rest are distributed across various countries, with Spain, Vietnam, Argentina, and Germany rounding out the top five.

    The links in these spam messages do not directly lead to the dating sites. Instead, they pass through various message boards that contain spammed post with full-length versions of the pitches in the emails:

    Figure 2. Spammed post on message board
    (Click for full-size version)

    These message boards do not appear to be complicit in these attacks; we believe they have been victimized by various bots that target these forums. Large numbers of forums have been targeted; in one day alone, we saw emails that sent links to more than 700 different forums. Sites that run on phpBB and Discuz!, both popular forum software, have been targeted in this manner. These sites are generally ranked as non-malicious, which may help evade spam filters.

    While dating site spam is currently being sent in this manner, we can’t rule out further attacks that take advantage of similar methods to try and evade spam filters; we currently block these types of spam messages and will block any similar types that appear in the future.

    With additional analysis from Jimmy Lin, Jon Oliver, Matt Yang and Yi Lee

    Posted in Spam | 1 TrackBack »

    3:18 pm (UTC-7)   |    by

    In recent weeks, a major Korean electric utility has been affected by destructive malware, which was designed to wipe the master boot records (MBRs) of affected systems. It is believed that this MBR wiper arrived at the target systems in part via a vulnerability in the Hangul Word Processor (HWP), a commonly used application in South Korea. A variety of social engineering lures were used to get would-be victims to open these files. Below is a quick overview of the attack with the infection chain starting from a spearphishing email sent to the employees’ inboxes.

    Malware Behavior

    We detect the malware as TROJ_WHAIM.A, which is a fairly straightforward MBR wiper. In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted. Rather cleverly, it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat evade detection.

    Figure 1. List of legitimate service names used by TROJ_WHAIM.A


    Similarities to Previous MBR Attacks?

    This particular MBR-wiping behavior, while uncommon, has been seen before. We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability.

    There are also similarities to the previous MBR wiper attacks as well. All three attacks mentioned earlier overwrite the MBR with certain repeated strings. This attack uses the repeating “Who Am I?” string, while the Sony attack used a repeating 0xAAAAAAAA pattern.

    Figure 2. Screenshot of ‘Who Am I’ message seen upon bootup of infected systems

    Destructive Malware and Demands

    It has been claimed that the attack on Sony Pictures was because of that studio’s production of the film The Interview. While we cannot independently verify the veracity of these claims, something similar has happened with this incident. We’ve noticed a particular Twitter user tweeting his demands toward the affected company, and if not met, would subsequently release various KHNP documents. Among these demands are the shutdown of nuclear power plants in Korea (nuclear provides for 29% of South Korean electricity requirements).

    No Definitive Attribution

    While there are definite similarities in the behavior of all these attacks, this is not enough to conclude that the parties behind the attacks are also related. All three attacks have been well documented, and it is possible that the parties behind each attack were “inspired” by the others without necessarily being tied. Without sufficient evidence, we cannot make claims either way.

    These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors. This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.

    With additional insights by Abraham Camba, MingYen Hsieh, and Rika Gregorio

    Update as of 11:29 P.M. PST, December 23, 2014

    Upon further analysis, we confirmed that TROJ_WHAIM.A checks if the current date and time is Dec 10, 2014 11:00 AM or later. If it meets this condition, it sets the registry, HKEY_LOCAL_MACHINE\SOFTWARE\PcaSvcc\finish to 1, thus triggering the MBR infection. Otherwise, it sleeps for a minute and checks the system time again.

    Aside from the MBR infection capabilities and overwriting certain strings, another similarity of this attack to the March 2013 incident is its ‘time bomb’ routine. A certain action is set in motion once the indicated date/time by the attackers is reached by the infected system.

    Posted in Malware, Targeted Attacks |


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice