Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Trend Micro

    Any vulnerability in Internet Explorer is a large issue, but last week’s zero-day vulnerability (designated as CVE-2014-0322) is particularly interesting. It used what we call a “hybrid exploit”, where the malicious exploit code is split across multiple components that use differing technology: in this case, the exploit code was split between JavaScript and Adobe Flash. The use of “hybrid exploits” provides attackers with a way to evade existing mitigation technology like ASLR and DEP.

    Let’s go over how this exploit was delivered to users. The victim website was compromised, and two malicious files were uploaded to it:

    • Erido.jpg (detected as HTML_EXPLOIT.PB, MD5 hash: 00ae7a1514809749a57d4d05d8c969b5)
    • Tope.swf (detected as SWF_EXPLOIT.PB, MD5 hash: 732b6a98b0a7b2ee795f2193a041520d)

    The overall flow can be found in the following diagram, which will be explained in the text.

    Figure 1. Overall control flow

    A page on the website (img.html) was modified with additional JavaScript and an iframe to load the malicious Flash file, as follows:

    <embed src=Tope.swf width=10 height=10></embed>

    When called, the Flash file carries out a heap spray. Control is then passed back to the JavaScript, via a function call in the Flash file. The actual malicious code that triggers CVE-2014-0322 is actually found here, and not in the Flash file. (To prevent further attacks that may exploit this vulnerability, we will not provide further details about the exploit.) Control is then passed back to the Flash file, where the code responsible for arbitrary memory reads and writes is located.

    From here on, the goal of the code is simple: it searches for return-oriented programming (ROP) gadgets in the memory (specifically, it uses ROP gadgets in ntdll.dll), constructs the ROP chain, and overwrite the virtual table of a Flash object in order to hijack the execution flow of the Flash virtual machine.

    Two ROP gadgets were used in this attack:

    • 77a646a8 94 xchg eax,esp // Pivot the stack pointer
    • ntdll!ZwProtectVirtualMemory (1a1b3000, 1000, PAGE_EXECUTE_READWRITE)

    The first ROP gadget pivots the stack pointer to let it point to controlled data; the second gadget calls ZwProtectVirtualMemory to change this shellcode’s protection to PAGE_EXECUTE_READWRITE, to bypass DEP protection.

    If this shellcode needs to call APIs, it will first check whether the API is hooked inlineby checking the starting byte code of the API. If that is the case, then it will skip the first 5 bytes of the API, to escape from the hook. This technique is used to bypass the detection of security products that are watching for this behavior.

    Figure 2. Malicious shellcode

    The above shellcode does the following:

    1. Decode two PE files using the data in the file Erido.jpg
    2. Drops the two PE files to:
      • %Temp%\sqlrenew.txt
      • %Temp%\stream.exe
    3. Load the contents of sqlrenew.txt into memory
    4. Return to the caller to prevent a Flash or IE crash

    The contents of sqlrenew.txt merely executes the other dropped file, stream.exe. However, this will only happen when IE has been terminated and the module itself is being unloaded.

    Figure 3. Malicious shellcode


    Any zero-day vulnerability in a widely used program like Internet Explorer is significant, but this one appears to be doubly so. To avoid known exploit mitigation techniques like ASLR and DEP, this attack uses multiple web objects interacting with each other to carry out the exploit instead of a single easily detected file.

    It is likely that we will see more of this technique in the future as cybercriminals try to make their exploits more effective on all platforms. Both developers and security vendors will need to respond to this emerging threat in order to keep users safe.

    Posted in Exploits, Vulnerabilities |

    10:21 pm (UTC-7)   |    by

    We noted in our 2014 predictions that we believed that there would be one major data breach per month. Reports of data breaches against retailers ushered in the new year, where the credit card information of several million shoppers was stolen. There is no denying the scale and severity of breaches of this kind. While much ink–online and offline–has been focused on matters like who the author of the malware was, in the longer view what’s important to note is that there were many ways this attack might have been prevented–or security steps that could have been taken to thwart this kind of attack.

    For example, POS systems represent a near-ideal situation for whitelisting and/or locked down systems: there is no compelling need to run general-purpose applications on a POS system. A locked down system would have made it more difficult to run malware on the POS devices.

    Alternately, it is highly unlikely that such a large-scale attack was carried out with malware installed onto POS systems on an individual basis. It’s almost certain that some form of remote management software was used to install the malware onto the POS systems. This isn’t the first time that systems used to automatically install software onto systems has been compromised; last year the auto-update system of several applications in South Korea was used to plant malware onto affected systems.

    The movement of such significant amounts of data across networks should also have been detectable as well. Network defense solutions would have been able to detect the internal network traffic used by this attack, or the data exfiltration traffic, or both.

    The broad outlines of this attack are known, but specifics – such as what exact security procedures were in place and how/if they were evaded – are not yet public. However, businesses that handle critical data can take this incident and use it to determine if they, too, are at risk from similarly well-executed attacks. Companies in such a situation should double-check that all possible security procedures and products are in use and set up correctly, as well as for trained IT personnel to handle incidents as they happen.

    One thing that is clear is that for high-value targets, simple endpoint security is no longer sufficient. As we mentioned earlier, protections based on detecting network and system behavior (such as Deep Discovery and Deep Security) would have been very useful in dealing with these kinds of threats. Enterprises that do not have these solutions in place should consider implementing them in order to be able to guard against similar attacks; there is a good chance that other companies in similar situations will now have to deal with copycat attacks.

    We detect the malware that we believe was used in this attack as TSPY_POCARDL.AB and TSPY_POCARDL.U; if any related threats are found we will release further protection as necessary. Frequently asked questions about this incident are answered in the Simply Security blog.


    The third quarter of the year shone the spotlight on parts of the hidden Internet that would have preferred to remain hidden. Services favored by cybercriminals such as the digital currency Liberty Reserve and the online marketplace Silk Road were all shut down during the quarter. Right after the quarter ended, the notorious creator of the Blackhole Exploit Kit, Paunch, was arrested as well, severely curtailing related spam campaigns.

    Cybercrime Continues Unabated

    Despite these steps, however, cybercrime continued to grow during the quarter. The number of online banking Trojans detected reached record levels, with more than 200,000 infections reported in the quarter. Three countries – the United States, Brazil and Japan – accounted for over half of these infections.

    Figure 1. Number of online banking infections

    Mobile Malware Crosses 1 Million Mark

    Our 2013 predictions noted that we believed the number of high-risk and malicious Android apps would exceed 1 million sometime in the year. That was exactly what happened this quarter. Premium service abusers remained  the most common threat. These sign up users for paid “premium services” without their consent and highlights how mobile malware has become mainstream, continuously growing and affecting more users around the world.

    As a sign of the growing maturity of mobile platforms, a major vulnerability was found in Android with correspondingly serious risks. The so-called “master key” vulnerability allowed an attacker to “update” a legitimate app with a malicious version.

    Java 6 Becomes a Permanent Threat

    Older, unpatched versions of software have always posed serious security risks. This was shown when a new exploit targeting a vulnerability in Java 6 was seen. This came after Oracle officially declared Java 6′s end-of-life (EOL), highlighting the risks of using EOLed software that will no longer receive patches. This serves as a potential preview of what will happen next year, when Windows XP – still in use in many systems and networks all over the world.

    Read more about the goings-on in the third quarter in the full report, titled The Invisible Web Unmasked.

    Posted in Exploits, Malware, Mobile, Vulnerabilities | Comments Off

    Further analysis by Trend Micro researchers on the reported defacement of the Singapore Prime Minister Office website revealed that the website was not actually defaced  – attackers abused the search function of the Singapore PMO website to display an image that looks like a hacked version of the site.


    Figure 1. Image shown from within the PMO website that falsely claims the site was hacked

    The attackers exploited an XSS vulnerability in the website’s search page by entering the code triggering the display of the image as the search string. This caused the web page to execute the code and display the image, along with text that said “ANONYMOUS SG WAS HERE BIATCH~”, giving the impression that the website was defaced.

    We’d like to point out that the Singapore PMO website remains intact, and was not compromised in any way. Visitors of the site will not be able to see the image, since it is only accessible if the URL with the injected script embedded is accessed. The attackers drove users into the link with the displayed image by distributing the URL through social media.

    This attack is a form of cross-site scripting or XSS and has been seen in many attacks in the past, including those that affected other government websites. XSS vulnerabilities are low-hanging fruits for attackers since the likelihood of a website having them is very high, thus it is seen as one of the easier routes in terms of attacking a website.

    This ease in execution for hackers, however, is paralleled by great risks for the potential targets. While the attack on the PMO website only triggered the display of an image, we have seen other attacks that triggered redirections to malicious sites, leading visitors to malware.

    We strongly recommend website developers to make sure that their sites are fully secure against XSS attacks through the following means:

    1. Review the website code regularly to make sure that it is configured to prevent code injection. This can be done by setting up limitations for input contents in order to reject special characters, as well as sanitizing output byHTML-encoding user input/strings.
    2. Scan for web application vulnerabilities to identify possible attack vectors and address them immediately.

    6:49 am (UTC-7)   |    by

    Hacking incidents we’ve documented in the past show a common strategy used by attackers: finding a vulnerability and exploiting it. Whether it was the New York Times or small businesses in Asia, the starting point was found to be a compromise caused by a vulnerability. This vulnerability may either have been technical (vulnerable software), or non-technical (an uninformed employee).

    This finding highlights the need for a comprehensive defense against such attacks. As one of our researchers, Jim Gogolinski, said in a previous report, companies are not helpless from targeted attacks. However, building a solid defense strategy will require resources as well as diligence from the organization itself.

    For hacking attacks in particular, keeping a company’s network secure will require both proactive and reactive security strategies. Below are some tips that may help IT administrators keep their company’s site secure.

    Proactive Steps Against Hacking Attacks

    • Implement a program to regularly test and deploy updates, especially security update.
    • Check that the installed software on all endpoints and servers are updated.
    • Make sure that security software is present (and in use) across the board. These should also be configured to detect and prevent phases of an attack,  as well as observe indicators over the network, on disk, and in memory.
    • Processes and standard operating procedures (SOPs) should be built with security in mind. This applies to not just to employees, but to partners, contractors and customers as well.
    • Investigate any anomalous network and system behavior. Attacks are known to begin with reconnaissance, and such suspicious activities may be the first sign of an attack.
    • Continuously plan or review your incident response procedures with all necessary parties (not only IT groups). Jim also discussed how to implement these procedures in his earlier report, How Can Social Engineering Training Work Effectively?

    What to Do in Case of an Attack

    In the past, some attacks have been “announced”. Details of the attack – such as when it will happen and who the targets are – are released to the public beforehand, In such circumstances, the most important step a company may take is to make sure that all proactive defense actions (such as those listed above) are in place, and to exercise a high level of awareness of their network and their logs.

    Announced operations, with their relatively open disclosure of tactics, tools, and procedures are golden opportunities for evaluation and improvement of countermeasures in real world scenarios. Taking advantage of these opportunities helps train people, process, and technology to recognize signals of a targeted attack regardless whether it is publicly disclosed or covert.

    However, whether there is increased risk brought on by an announced attack or not, it is important for companies to always have their defenses up. In the end, the costs of  keeping networks secure may prove to be minimal as compared to mitigating a successful breach.

    Posted in Hacked Sites, Targeted Attacks | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice