Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    March 2015
    S M T W T F S
    « Feb    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Trend Micro

    2014 was a year where cybercriminal attacks crippled both likely and unlikely targets. A year rife with destructive attacks, 2014 proved to be a difficult one for individuals and companies who were victimized by these threats.

    Massive data breach disclosures came one after another in 2014 in much more rapid succession than past years. The Sony Pictures breach in December, along with the other big breaches of the year illustrated the wide spectrum of losses that can hit a company that has failed to secure its network.

    Point-of-sale (PoS) RAM scrapers were almost a cybercrime staple in 2014, as several high-profile targets lost millions of customer data to attackers. The Ponemon Institute reports a significant increase in the cost of stolen records in 2014 from the previous year, which shows that using PoS RAM scrapers to target retailers is a thriving business. For the entire 2014 we observed that most PoS malware hit retailers in the United States, followed by Canada and the United Kingdom.

    Software and platforms previously considered secure proved otherwise in 2014- this was made evident by high-profile vulnerabilities Heartbleed and Shellshock that affected Linux systems. Security holes were also found in various commercial software like Windows®, Adobe®, and Java™ all throughout the year.

    Figure 1. Timeline of Major Zero-Day Vulnerabilities in 2014

    Online banking was still a major problem for last year. Operation Emmental added to this growing problem and proved that two-factor authentication was no longer enough to secure sensitive transactions. According to data from the Trend Micro™ Smart Protection Network™, we observed around 145,000 computers infected by online banking malware by the tail end of 2014. Mobile users were also hit by online banking threats with as much as 2,069 mobile banking/financial malware seen in 3Q alone.

    2014 Annual Security Roundup Cover

    Ransomware made the headlines early in the year with CTB-locker infections, but we’ve been seeing ransomware victimize users all throughout 2014. Traditional ransomware like REVETON and RANSOM dominated 2013 with a 97% share, crypto-ransomware took the stage in 2014, as their share increased 27.35%.

    Threat actors and cybercriminal economies continued to thrive last year. With Operation Pawn Storm. threat actors used next-level spear-phishing tactics to obtain the email credentials of primarily military, embassy, and defense contractor personnel from the United States and its allies.

    2014 also saw campaigns like Regin target victims in Belgium and Plead in Taiwan.

    As cybercrime becomes more attractive to the unscrupulous and as targeted attack campaigns become much easier to mount, the pressure to reassess the breadth and quality of cybersecurity investments must only intensify.

    For more details about these and other security threats in 2014, check our security roundup titled Magnified Losses, Amplified Need for Cyber-Attack Preparedness.


    12:54 am (UTC-7)   |    by

    Home surveillance/security cameras have been available for quite some time, and can be used to keep track of one’s home, children, pets, or business.  These devices are, in some ways, the first exposure of people to the Internet of Things.

    For most people, home surveillance means setting up a camera and using the Internet to access the camera feed in real-time. Higher end camera models can even be controlled remotely, making them useful for monitoring a large area with a single camera. This is a marked difference from previous iterations of home surveillance, which had restrictions or limitations in terms of accessibility.

    Online and Open Accessibility

    The older generation of security cameras required the configuration of the home router such as port forwarding, so that you can view the video feed remotely. While convenient, this set-up means that the camera is also accessible to pretty much anyone with an Internet connection.

    There are websites that scour the Internet for Internet-connected security cameras. One such site is Shodan. By logging in to Shodan, a person can find a specific camera based on the brand and IP address.

    Figure 1. Search results from Shodan

    There are even sites that offer streaming videos of publicly accessible cameras. A now-inaccessible Russian site took advantage of default usernames and passwords to access and upload camera feeds online. According to an article by CNN, the site featured streams from 4,600 cameras in the U.S. and thousands more in 100 countries. A quick online search revealed the existence of other, similar sites. There are even mobile apps that provide real-time streaming from cameras across the world.

    Figure 2. Camera feeds all over the world

    Managing Access

    Perhaps in a direct response of this issue, the newer generation of security cameras usually provides some form of cloud management and/or viewing functions.  Once configured, the camera communicates to the vendor cloud servers, allowing users to view the feed by logging into a web portal or by using mobile apps published by the vendor.

    In this set-up, the camera communicates to the vendor cloud servers only.  Connections initiated from the Internet cannot reach the camera, as the home router blocks them.  The camera is more secure from activities like unauthorized remote viewing.

    Vendor and User Security

    Accessibility issues aside, another important issue for these cameras is data protection. Vendors should provide strong encryption for all data/video feed from device to cloud servers to protect user privacy.  However, we found that some popular camera brands are still lacking in their security implementation.

    For example, the screenshot below is the packet capture between a D-Link DCS-932L camera communicating with the D-Link cloud server.  Certain traffic from the camera to the cloud servers is encrypted, but not all. There is still clear text communication over the Internet. Such an issue can only be addressed by the vendor, not the users.

    Figure 3. Clear text communication between server and camera

    The Importance of User Initiatives

    While some issues can only be addressed by camera vendors, this doesn’t mean that users should rely on security features offered by the cameras. The existence of the live stream sites shows the importance of changing default login credentials and using strong usernames and passwords. Strong authentication should be also used for home networks, to avoid any unauthorized access.  Users can also refer to our entry, Security Considerations for Consumers Buying Smart Home Devices, for a comprehensive discussion on buying smart devices.



    Our engineers were investigating a case involving a targeted attack when they came across a custom tool called vtask.exe. Once executed, vtask.exe hides Windows tasks in the current session. What’s curious about this attacker-created tool is that it appears to have been compiled in 2002—twelve years ago.

    A Look at Vtask

    The compiler time shows that Vtask is a tool written in Visual Basic (VB) and compiled on November 2002. We can image the situation 12 years ago: Decompilers for VB programs were not available yet, which made analysis of this tool difficult.

    Vtask.exe requires an .OCX component generated by the old VB compiler. In this case, the required .OCX component is mshflxgd.ocx. A compiler is not necessary but the .OCX file is in order for Vtask to run. It bears stressing that mshflxgd.ocx is a common library. Other software may use it as well. The presence of this component doesn’t automatically mean the computer also has Vtask.

    Vtask is not a rootkit, so it can only hide windows of executables, not processes. We can still see the processes running in the background via Task Manager.

    Hiding Running Tasks

    Vtask is used to hide windows of executable programs. This tool is especially useful when the platform of the targeted computer is not a Windows Server version. Windows Server allows multiple users to log in, with each login having a different version of the desktop, even if they use the same login credentials.

    If the targeted computer runs on Windows Server, the users will not be able to see the desktop of the attacker.

    Figure 1. Desktop before Vtask is launched

    Figure 2. Desktop after Vtask has launched

    However, if the computer runs on platforms other than Windows Server, only one user can be logged at a time. Thus, when the user logs on, the attacker loses the view of the desktop. Vtask is used to automatically hide the ongoing tasks conducted by the attacker.

    Read the rest of this entry »


    Last July we came across a crypto-ransomware variant known as Critroni or Curve-Tor-Bitcoin (CTB) Locker. We observed recent improvements to the CTB malware, which now offer a “free decryption” service, extended deadline to decrypt the files, and an option to change the language of the ransom message. These new variants also demand payment of 3 BTC (around $USD 630), while older ones seen in July only charged 0.2 BTC, or $USD 24.

    Along with these improvements, we are also seeing a spike in these attacks in several regions, mainly in Europe-Middle East-Africa (EMEA), China, Latin America and in India.

    CTB-Locker Infection

    We have previously reported about CTB Locker’s use of Tor to hide its activities but this new variant comes with notable, new differences.

    This CTB-Locker variant arrives via spammed emails. These spammed messages were sent in different languages and often pretend to contain important notices so that the recipient is tricked into opening the attachment, which we noticed was archived twice.

    Some of the spam samples used in these attack were sent by systems that are part of the long-running CUTWAIL botnet. CUTWAIL is known for reusing available resources (including bots); it should not be a surprise that some of the IP addresses identified as part of this spam run have been part of our spam blacklists for years, with some addresses being blacklisted as early as 2004.

    Figure 1. Sample spam emails with malicious .ZIP attachment that contain the downloader malware, TROJ_CRYPCTB.SMD

    The attachment is actually a downloader malware, detected as TROJ_CRYPCTB.SMD. This malware connects to several URLs, leading to the download of the CTB-Locker malware onto the computer. This ranswomware is detected as TROJ_CRYPCTB.SME. Checking these URLs, we determined that they are all compromised and based in France. The malware goes through a round-robin type of method to select which URL to download the malware from.

    Here’s a diagram explaining the attack, whose infection chain begins with the spammed message accompanies with a malicious .ZIP attachment as show in the sample spam in Figure 1.

    Figure 2. Sample CTB-Locker infection chain

    New Developments

    The older TROJ_CRYPCTB.A variant seen in July gave users only 72 hours, while this new one allots users 96 hours for payment. The extension of the deadline might be for practical reasons: a longer deadline could mean more victims will be able to pay the fee.

    Pressing “next” leads to a page that displays a “Test Decryption” portion, in which the malware entices users with this freebie. The “Test Decryption” portion allows decrypt for five random files, seemingly to convince users that the decryption actually works. There are additional instructions that inform the user not to rename or delete files, and only chosen files will be decrypted. The malware also displays the ransom message in other languages like German, Dutch, and Italian.

    Pressing ‘Next’ leads to the payment page, where the malware instructs victims to pay the amount of 3 BTC or $USD 630 in order to proceed with the file decryption; otherwise, all the files will permanently remain encrypted. The message also includes instructions on paying the ransom via Tor browser. Below is a comparison between the older CBT-Locker variant we saw in July 2014 and its latest version.

    Figure 3. New CBT-Locker variant demands up to $USD 630 or 3 BTC in order for users to decrypt their files

    The message states that victims must pay the ransom by the deadline. Otherwise, all the files will permanently remain encrypted.

    Analysis of the variant revealed a feature previously unseen in CTB Locker variants—the chance to decrypt files for free. This freemium model was seen in the malware CoinVault, but this CTB Locker variant upped the ante by allowing the victim to choose five files, rather than just one, to be decrypted.

    The free decryption can be seen as a way to convince users to pay the ransom. Decrypting the files show the victim that their other files can actually be recovered—if they pay the fee.

    Figure 4. “Free decryption” service

    Another unique function or feature found in this variant is that the ransom message gives the user the option to select the language, apart from English. So far, three more languages were spotted:, Italian, German, and Dutch.

    Figure 5. Random messages in three more languages. Top left: Italian; Top right: German; Bottom: Dutch

    Protection Against Crypto-Ransomware

    The first line of defense in staying protected against this new type of ransomware is knowing how to properly discern spammed emails from legitimate ones. Though some emails may look legitimate in nature, it’s always best to check the sender’s address, subject line, and of course email contents for anything that appears suspicious.

    Always remain cautious when dealing with unfamiliar files, emails, URLs, and most especially, email attachments. While it might be tempting to take the “free decryption” bait and pay the ransom, there is no guarantee that the cybercriminals will actually decrypt your files and have everything back to normal.

    Users should also remember to routinely back up their data. The 3-2-1 principle should be in play: three copies, two different media, one separate location.

    Related hashes for the downloader of CRYPCTB ransomware:


    Related hashes for CRYPCTB:

    With additional analysis by Homer Pacag, Lala Manly, Merianne Polintan, Michael Casayuran, Paul Pajares, Rika Gregorio and Ruby Santos

    Updated February 18, 2015, 06:36 PM PST

    TROJ_CRYPCTB.SMD has been renamed to TROJ_DALEXIS.SMK.


    2015 has just begun, but we’re already seeing old problems crop up again – particularly the abuse of a lot of legitimate web sites. Since the start of the year, we’ve been seeing a significant increase in the number of spammed messages with links that lead to various Russian dating sites.

    Figure 1. Sample of dating site spam

    While messages of these types are fairly common, this recent wave is unusual in several ways. First, the level of dating site spam is higher than normal. On one day alone (January 4), we identified more than 150,000 email samples which had been received by our honeypots. These have been sent by more than 50,000 unique IP addresses.

    The senders of these messages are also unusual. These types of spam messages tend to be sent from known spam-sending IPs. That was not the case here. These senders were sent from IPs that had not been used to send spam before. In addition, these IP addresses appear to be part of /23 or /24 IP address blocks, without any associated domain names (or meaningless ones).

    These spam-sending IPs are located in a wide variety of countries. Of the more than 50,000 spam-sending IPs we mentioned earlier, only Iran has a double-digit share with 11.37% (more than 5,700 IPs). The rest are distributed across various countries, with Spain, Vietnam, Argentina, and Germany rounding out the top five.

    The links in these spam messages do not directly lead to the dating sites. Instead, they pass through various message boards that contain spammed post with full-length versions of the pitches in the emails:

    Figure 2. Spammed post on message board
    (Click for full-size version)

    These message boards do not appear to be complicit in these attacks; we believe they have been victimized by various bots that target these forums. Large numbers of forums have been targeted; in one day alone, we saw emails that sent links to more than 700 different forums. Sites that run on phpBB and Discuz!, both popular forum software, have been targeted in this manner. These sites are generally ranked as non-malicious, which may help evade spam filters.

    While dating site spam is currently being sent in this manner, we can’t rule out further attacks that take advantage of similar methods to try and evade spam filters; we currently block these types of spam messages and will block any similar types that appear in the future.

    With additional analysis from Jimmy Lin, Jon Oliver, Matt Yang and Yi Lee

    Posted in Spam | 1 TrackBack »


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice