    Author Archive - Trend Micro

    Data breaches rarely make for sensational news. Media outlets may report about them but public interest often dies down after a week or two.

    Or that was the case until the Ashley Madison breach happened. The recent leak of the Ashley Madison accounts is the culmination of a month-long digital stand-off between the site that blatantly encourages people to have affairs and a hacktivist group called the Impact Team.

    Last July, Ashley Madison reported that they became victims of a data breach. The Impact Team took credit, demanding that the site and another related site be taken offline permanently. The hackers then proceeded to leak snippets of account information as well as company information, including internal company servers.

    The group made good on their threat as the accounts soon found their way into the Deep Web. The leaked information had several revelations. For example, 15,000 accounts had either a .mil or .gov email address. Combing through the addresses, other media outlets found that work emails were frequently used in accounts.

    (Funnily enough, the leak presented proof that the site practiced some security measures not found in other sites. For example, the passwords were stored using some form of encryption and not just in plaintext.)

    Some have pointed out that users shouldn’t have expected their information to be kept safe, considering the very nature of the website. But removing the moral implications of the site, Ashley Madison assured customers that their information would be kept private and even offered a paid service to delete user data permanently—which it failed to do on both counts.

    Addressing Data Breaches

    This leak proves that many organizations are not ready to deal with a data breach: either by preventing one in the first place or managing one after it’s occurred. This is very problematic given the real-world implications of data breaches.

    “Reputational risk is real if you do not actually invest in next-generation cybersecurity. The hackers of the world will bypass the traditional security defenses that are advocated by major standards organizations like the Payment Card Industry Security Standards Council (PCI SSC),” says Tom Kellermann, chief cybersecurity officer for Trend Micro in an interview.

    This is especially true for Ashley Madison and the many other sites whose whole premise is keeping their users' actions discreet and private.

    In an ideal scenario, security measures against data breaches should be put in place even before such incidents occur. For example, organizations should assess the type of data that they ask from users. Do they really need certain specifics beyond contact and financial information? Even non-essential nuggets of information can be seen as sensitive—especially when used as building blocks to complete a victim’s profile.

    Encrypting sensitive information and restricting access to it goes a long way in mitigating possible intrusions, especially from internal hackers. Some have speculated that the Ashley Madison breach was an inside job; if that were the case, stricter access control could have made it harder to get the data.

    When it comes to data breaches, it is no longer an issue of “if” but “when.” So even with these preventive measures in place, organizations should assume that there is an intruder in the network. With that thought, continuous monitoring of systems should be implemented to look for suspicious activity.

    With all these in mind, organizations need to deploy a concrete multi-layered defense system as a proactive step against data breaches, as follows:

    • Deploy web application firewalls (WAF) to establish rules that block exploits especially when patches or fixes are still underway.
    • Deploy data loss prevention (DLP) solutions to identify, track, and secure corporate data and minimize liability.
    • Deploy a trusted breach detection system (BDS) that does not only catch a broad spectrum of Web-, email- and file-based threats, but also detects targeted attacks and advanced threats.

    But what should organizations do after a data breach happens? Firstly, they should confirm whether a breach did occur. Victims should learn of the breach from the affected organization, never from the media. Organizations need to state all that they know about the incident, such as the time the incident occurred.

    Posted in Social |

    Best practices are failing. No matter how good you are at sticking to them, they can no longer guarantee your safety against the simplest threats we saw last quarter. Malicious advertisements are in the sites you frequent, data-leaking apps come preinstalled in your gadgets, and data-encrypting malware run silently in your office networks. Even the macro threats that were supposedly long gone are now back in the wild. Today’s threats leave zero room for error.

    For instance, we saw a surge in malvertisements—pesky online ads users normally consider more annoying than dangerous. But at the start of the year, we found that bad guys had found various ways to abuse these advertising platforms to deploy malware. These malicious advertisements, displayed on legitimate websites, exposed users to zero-day exploits. Even if these users followed good security practices like visiting only trusted sites and patching their software, they would still have been infected, since the malvertisements were displayed on reliable sites and used zero-days.

    Figure 1. Malvertisements redirected victims to sites that automatically infected their computers with various kinds of malware such as BEDEP and ROZENA.

    In the same vein, critical security issues were found in Superfish, an ad-related browser add-on pre-installed in consumer-grade Lenovo laptops. Beyond being pre-installed—which made it invasive by default—Superfish also had the capability to alter search results based on users’ browsing histories. What made Superfish more alarming, however, was that it was not securely designed. This created opportunities for bad guys to launch man-in-the-middle attacks.

    The uptick in macro malware last quarter, on the other hand, proved that we can’t let old threats slip out of our minds just yet. The number of macro malware in Microsoft® Word files more than doubled since the last quarter of 2014. This showed a clear trend in cybercriminals’ weapons of choice.

    Figure 2. The number of macro malware infections has been constantly increasing since the first quarter of 2014. This could be attributed to the release of new variants and the rise in number of spam carrying malicious-macro-laden attachments.

    Targeted Attacks and Breaches Ramp Up Tools and Targets

    Operation Pawn Storm, an ongoing economic and political cyber-espionage operation, exploited vulnerable iOS™ devices to infiltrate target networks. The use of mobile malware isn’t new, but Pawn Storm was the first to target iOS devices.

    Both the retail and healthcare industries were hit hard with data breaches last quarter. PoS malware attacks remained prominent threats to retailers, while health care service providers such as Premera Blue Cross and Anthem experienced data breaches that exposed nearly a hundred million customer and employee records combined.

    Is Security Fated to Rely on Luck?

    When thinking about security, there are always loopholes to consider, especially if the threats aren’t within your control. Threat communications manager Christopher Budd reiterates this in the case of malvertisements: “More than any other threat, malvertisements can hurt people even when they’re doing all the right things. Malvertisements can affect people who don’t click links, have fully updated security solutions, and only go to trusted sites. In short, there’s no amount of caution that can protect you from malvertisements, just luck.”

    The best defense, in light of all this, is to equip yourself with the right threat intelligence and keep adjusting the way you implement security. Traditional best practices may no longer work, but if they continue to evolve with today’s threats, you may still have a fighting chance.

    Read our 1Q 2015 Security Roundup here.

    Posted in Malware | Comments Off on [1Q 2015 Security Roundup] Bad Ads and Zero Days: Reemerging Threats Challenge Trust in Supply Chains and Best Practices

    The collaboration between Trend Micro, INTERPOL, Microsoft, Kaspersky Lab, and the Cyber Defense Institute resulted in a triumph for the security industry earlier this week: the takedown of the SIMDA botnet. Trend Micro provided information such as the IP addresses of the affiliated servers and statistical information about the malware used, which led to the disruption of the botnet activities.

    SIMDA, the Malware Behind the Botnet

    The botnet relies on the backdoor SIMDA for its operations. One notable feature of the malware is that it modifies HOSTS files, which redirects users to malicious sites whenever they try to access legitimate sites. Our research shows that the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics, as well as their regional counterparts: e.g., Yahoo Singapore, Bing Germany, etc. This shows that the botnet creator wanted to affect as many users as it can, on a global scale. Here’s a sample screenshot of a modified HOSTS file.

    Figure 1. Modified HOSTS file

    Analysis also reveals that the malware collects information about the affected system. It also checks for the presence of certain processes, including those used for malware analysis. The latter can be seen as a precaution against being analyzed and detected.

    Further research shows that the botnet activity spanned the globe. We found that the redirection servers were located in 14 countries, including the Netherlands, Canada, Germany, Russia, and the United States. Botnet victims were also scattered. Feedback from the Trend Micro™ Smart Protection Network lists at least 62 affected countries, including the United States, Australia, Japan, Germany, and Italy. Below is a visualization of the redirection servers located in several countries:

    Figure 2. Redirection IPs

    Botnets in the Threat Landscape

    Botnets have deep ties throughout the threat landscape. For most cybercriminals, creating a botnet is the precursor for other malicious activities. Botnets can be used to send spam, perform distributed denial-of-service (DDoS) attacks, perform click fraud, or attack targeted domains.

    For cybercriminals to launch these attacks, they need to be in constant communication with all their infected computers, whose numbers can reach the thousands and above. This is where command-and-control (C&C) servers come in. A C&C infrastructure allows cybercriminals to have a dedicated connection between themselves and their victim’s network. Our Global Botnet Map shows the connection between bots and C&C servers, highlighting the location of the C&C servers and the victimized computers they control.

    Botnets are harmful to users in two ways: they push threats to users and they force victims to be unwitting accomplices to malicious activities. Being part of a botnet means a user is no longer in control of his computer; the bot master can dictate what the infected computers can and will do.

    Addressing Botnets

    Cybercriminals employ different tricks to add more victims to their botnets. For example, they often take advantage of peer-to-peer (P2P) networks to distribute disguised malware. Spammed messages are another go-to method for adding more computers to their botnets.

    We advise users to be cautious when opening emails. Avoid opening emails and attachments from senders who are unknown or who cannot be verified. P2P networks aren’t inherently malicious but users should be aware that dealing with these sites can increase their chances of encountering malware. Users should also invest in a security solution that goes beyond simple malware detection; features such as spam detection and URL blocking can go a long way in protecting users from threats.

    We mentioned that SIMDA modifies HOSTS files as part of its redirection routines. There might be instances where the modified HOSTS files may remain even after detecting and removing SIMDA from the affected computer. The presence of these modified files might lead to further infections. We advise users to manually check HOSTS files and to remove any suspicious record in these files.
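    The HOSTS-file behaviour described for SIMDA above, and the advice to check the file manually, can be turned into a small check. The following is an added example, not code from the original post or from Trend Micro: it parses a HOSTS file and flags any entry that maps one of the sites the post names (or a subdomain such as a regional variant) to anything other than a loopback or unspecified address. The watch list, the sample file contents and the file paths tried are constructed for this example; the paths are the standard locations on Windows and Unix-like systems.

```python
import ipaddress
import os

# Constructed watch list: the sites the post says SIMDA redirected. Extend as needed.
WATCHED_DOMAINS = {"facebook.com", "bing.com", "yahoo.com", "google-analytics.com"}

# Addresses that a HOSTS file legitimately maps names to (loopback / unspecified).
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Standard HOSTS file locations; the first one that exists is scanned.
HOSTS_PATHS = [r"C:\Windows\System32\drivers\etc\hosts", "/etc/hosts"]

# Constructed sample, not a real infected file; 192.0.2.x is a documentation range.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.facebook.com
192.0.2.10      sg.yahoo.com
10.0.0.5        intranet.example.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every name on every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower().rstrip("."), line_no


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one (e.g. sg.yahoo.com)."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious_entries(text):
    """Return records for watched sites mapped to a non-local address."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address; malformed line, ignore
        if str(addr) in LOCAL_ADDRESSES:
            continue  # sinkholing a site locally is a common, legitimate use
        if is_watched(name):
            findings.append({"line": line_no, "ip": str(addr), "host": name})
    return findings


def scan_system_hosts(paths=HOSTS_PATHS):
    """Scan the first existing HOSTS file; returns (path, findings) or (None, [])."""
    for path in paths:
        if os.path.exists(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                return path, find_suspicious_entries(fh.read())
    return None, []


if __name__ == "__main__":
    for f in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"sample line {f['line']}: {f['host']} -> {f['ip']}")
    path, findings = scan_system_hosts()
    print(f"system file: {path}, suspicious entries: {len(findings)}")
```

Suffix matching only covers regional sites that are subdomains of the watched names (sg.yahoo.com); a variant on a separate TLD such as bing.de would need its own entry in the watch list. Treat any hit as a reason to restore a clean copy of the file and rescan the machine, since the post notes the modified file can persist after the backdoor itself is removed.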

    Trend Micro protects users from the SIMDA botnet by detecting malware variants as BKDR_SIMDA.SMEP and BKDR_SIMDA.SMEP2, and other BKDR_SIMDA variants. TROJ_HOSIMDA.SM is the Trend Micro detection name for the modified HOSTS files. All associated URLs have been blocked as well. Non-Trend Micro customers may use Trend Micro Housecall for scanning.

    Posted in Botnets | Comments Off on SIMDA: A Botnet Takedown

    A malware that is being tied to the recent cyber attack in France is detected by Trend Micro as a variant of the NJWORM/Kjw0rm remote access Trojan (RAT). This malware (with the MD5 hash of 2962c44ce678d6ca1246f5ead67d115a), which we detect as VBS_KJWORM.SMA, is a backdoor that may have been around since 2014.

    Ties to previous targeted attacks

    Our initial analysis showed that VBS_KJWORM.SMA was created by a hacking tool named Sec-wOrm 1.2 Fixed vBS Controller. This is a RAT generator that we detect as HKTL_KJWORM.

    It should be noted that the Kjw0rm family is already known to us; in January we had written about this family when it emerged from the NJWORM source code leak. Kjw0rm was found in the Arabic-language section of

    Figure 1. Sample screenshot of the RAT generator “Sec-wOrm 1.2 Fixed vBS Controller”. (SECWORM)
    Hat tip goes out to the Dev4dz forum

    Using data from the Trend Micro™ Smart Protection Network we found that VBS_KJWORM.SMA is observed in at least 12 countries in the past week, including South Africa and India. This is not surprising, since this malware is available in underground forums and can be used by anyone.

    This particular malware can be used as a backdoor into the infected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind Kjw0rm and BLADABINDI are the same.

    Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM) were also found. These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region.

    Note: The SECWORM malware is a RAT derived from KJw0rm with some modifications and improvements. 

    Understanding the impact of a cyber attack on a company outage

    The massive cyber attack that hit the French TV5Monde television network this past April 9, according to reports, began at approximately 10:00 P.M. local time (4:00 P.M. Eastern time), when 11 of their channels went off the air.

    In addition to this, TV5Monde’s website, company email, as well as their social media outlets came under attack. The network’s Facebook page was used to post propaganda messages allegedly from the Islamic State (ISIS). One of the network’s Twitter accounts was also accessed and posted messages against the United States and France, as well as issued threats to families of French soldiers. Copies of French soldiers’ IDs and passports were also published.

    It should be noted that the technical background of this attack is not yet clear. However, the RAT generator is currently available in several hacker forums and can be used by any threat actor. Therefore, one does not need a lot of technical skill to use it.

    Trend Micro solutions

    Trend Micro detects all related malware at the endpoint level. In addition, Trend Micro products block connections to C&C servers for these malware.

    At the network level, Trend Micro is able to proactively detect these threats. Trend Micro Deep Discovery is able to detect VBS-based malware, providing additional protection to organizations facing these kinds of attacks today.

    Posted in Targeted Attacks | Comments Off on Kjw0rm VBS Malware Tied To Attacks on French TV Station TV5Monde

    OpenSSL said last Tuesday, March 17, that they planned to release several code fixes to address a number of vulnerabilities, including some classified as “high” severity. Speculation had been building around these vulnerabilities, with reports hinting that the bug could be “the next Heartbleed.”

    The fix was released today, two days after their announcement. Today’s security bulletin noted that the following just-released versions are all secure:

    • OpenSSL version 1.0.2a (addresses CVE-2015-0209, CVE-2015-0285, and CVE-2015-0288)
    • OpenSSL version 1.0.1m (addresses CVE-2015-0288)
    • OpenSSL version 1.0.0r (addresses CVE-2015-0288)
    • OpenSSL version 0.9.8zf (addresses CVE-2015-0288)

    According to the OpenSSL advisory, these versions are now available for download via HTTP and FTP from the following master locations: and

    Server administrators should update their versions of OpenSSL to the appropriate versions, depending on what they have installed.
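    A quick way to act on the advice above is to compare the installed OpenSSL version against the fixed release for its branch. The following is an added example, not code from the original post, from Trend Micro, or from the OpenSSL project. The fixed-version table is taken from the list above; the parsing of `openssl version` output and the letter-suffix ordering (a..z, then za, zb, ...) are assumptions about OpenSSL's versioning of the time.

```python
import re
import subprocess

# Fixed releases named in the March 2015 advisory, keyed by release branch.
FIXED_VERSIONS = {"1.0.2": "a", "1.0.1": "m", "1.0.0": "r", "0.9.8": "zf"}

# Matches e.g. "1.0.1m" inside "OpenSSL 1.0.1m 19 Mar 2015"; the letters are the patch level.
VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def suffix_key(suffix):
    """Order patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ...; longer is always newer."""
    return (len(suffix), suffix)


def parse_version(text):
    """Split a version string into (branch, patch letters), e.g. ('1.0.1', 'm')."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return match.group(1), match.group(2)


def is_patched(text):
    """True/False for the four branches the advisory covers, None for any other branch."""
    branch, suffix = parse_version(text)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return None
    return suffix_key(suffix) >= suffix_key(fixed)


def installed_openssl_version():
    """Return the output of `openssl version` for the binary on PATH."""
    result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_openssl_version()
    status = is_patched(version)
    if status is None:
        print(f"{version}: branch not covered by this advisory table")
    else:
        print(f"{version}: {'at or above' if status else 'BELOW'} the fixed release")
```

One caveat a practitioner should keep in mind: many Linux distributions backport security fixes into their packaged OpenSSL without changing the upstream version string, so a reported `1.0.1f` on such a system may already carry the fix. On those systems the distribution's package changelog, not the upstream version, is the authoritative check.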

    OpenSSL is one of the most commonly used implementations of Secure Sockets Layer (SSL), commonly referred to today as Transport Layer Security (TLS), which is the backbone of secure Internet communications. SSL/TLS allows communications between computers to be encrypted, preventing traffic from being eavesdropped on by attackers. This is essential for any online transaction that requires secrecy and integrity.

    OpenSSL is widely available for various Unix-like operating systems (such as Linux and Mac OS X), so any vulnerability could put many secure communications at risk.

    We will update this blog post with solutions deployed by Trend Micro Deep Security.

    Posted in Bad Sites | Comments Off on OpenSSL Releases Patches to Address “Severe” Security Holes
