Trend Micro TrendLabs Malware Blog, July 2014
    The topic of open Wi-Fi and public hotspots has been in the news again, for several reasons. Last month, the Electronic Frontier Foundation launched a project to create router firmware that would provide open wireless access to anyone in range of the user's router.

    Notionally, in addition to providing Internet access to everyone who needs it, this would make everyone's Internet use more private by breaking the link between a person's identity and an IP address, since anyone could be using the open Wi-Fi. Surveillance and tracking based on IP address would become unreliable.

    Well-intentioned as this may be, actually running such a network is not a good idea. Let's assume that it can be done in such a way that your private network traffic is segregated from the open Wi-Fi traffic. Your own network traffic would then not be at risk of exposure, but that is not the only risk.

    What goes out over your Internet connection is, as far as your ISP is concerned, your responsibility. You are likely to end up in legal hot water if illegal activity is carried out from your IP address, and the potential for abuse is high. Heavy bandwidth usage by "guests" can also eat up your data cap, resulting in either a throttled connection or a large bandwidth bill at the end of the month.

    Similar initiatives have been tried in other countries by projects like RedLibre and Guifi (both in Spain). However, the adoption of these has been rather limited. The implementation of these projects may have differed, but ultimately the risks are enough to deter users from participating in them, no matter how well-intentioned.

    The other story that’s put public Wi-Fi in the news was Comcast Internet turning the modems of 50,000 subscribers into residential Wi-Fi hotspots. This hotspot would be separate from any Wi-Fi network the user established, and would be for the use of all Comcast subscribers. Before someone could log into this public hotspot, they would have to enter their Comcast username and password.

    Other ISPs are bound to come up with similar public Wi-Fi hotspots. Two questions come to mind. If I am a subscriber, should I opt my network out of this? Is it safe to log onto these public hotspots? Let's deal with the first one.

    In theory, the risks to users are far less in this scenario than with a purely open Wi-Fi scenario. Any data consumed by this access point does not count against the user’s data cap. Abuse of the hotspot is something that would be the responsibility of the ISP, not you. So, there’s no risk, right?

    Not exactly. From a technical perspective, the biggest problem is the separation of the hotspot's traffic from your own. Unfortunately, wireless routers do not have a good track record when it comes to software vulnerabilities, and a vulnerability that exposes your network to hotspot users cannot be ruled out.

    The real risk is for people who want to use these hotspots. The above risk of vulnerable firmware applies to would-be users too: it is entirely possible that the network traffic of guests could be exposed to an attacker running a malicious version of the router firmware. That is an inherent risk of connecting to a network you do not completely trust.

    Another risk is that it enables attacks against your ISP credentials. As some tech sites have noted, it is very easy to set up a fake hotspot with the same Service Set Identifier (SSID) as the public hotspots offered by ISPs. Since these public hotspots use a captive portal that asks for your ISP credentials (to validate that you are a customer), an attacker can create a fake version of that portal to steal the ISP login credentials.
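    The two checks below are an added example, not code from the original post, of what a user-side script or a managed-device agent could do before anyone types ISP credentials into a hotspot portal: confirm that the portal is served over HTTPS from a host the ISP actually uses, and flag access points that advertise the hotspot SSID from hardware the ISP does not use. The ISP name "ExampleISP", the portal hostnames, the gateway OUIs and the scan results are all constructed placeholders.

```python
"""Added example (not from the original post): client-side checks against a
fake ISP hotspot and a spoofed captive portal.  All SSIDs, hostnames,
BSSIDs and OUIs are constructed; "ExampleISP" is a placeholder."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the hosts the (hypothetical) ISP really serves its portal from.
TRUSTED_PORTAL_HOSTS = {"login.exampleisp.net", "hotspot.exampleisp.net"}
# Assumption: OUIs (first three bytes of the BSSID) of the ISP's gateway
# hardware, as an agent could learn them from a fleet inventory.
KNOWN_GATEWAY_OUIS = {"00:1a:2b", "44:55:66"}


def portal_is_trustworthy(redirect_url):
    """Return (ok, reason) for the URL a captive portal redirects to.

    A genuine ISP portal must be served over HTTPS (so the browser can
    validate the certificate) from one of the known hosts.  A fake portal
    on an evil-twin AP normally fails at least one of these."""
    parsed = urlparse(redirect_url)
    if parsed.scheme != "https":
        return False, "portal is not served over https"
    host = (parsed.hostname or "").lower()
    # Exact host match: a look-alike such as login.exampleisp.net.evil.example
    # is rejected even though it "contains" the real name.
    if host not in TRUSTED_PORTAL_HOSTS:
        return False, "unexpected portal host %r" % host
    return True, "ok"


def suspicious_ssids(scan_results, hotspot_ssid):
    """scan_results: list of (ssid, bssid, security) tuples as a Wi-Fi scan
    reports them.  Return the BSSIDs that advertise the hotspot SSID but whose
    OUI is not one of the ISP's gateway OUIs: candidates for an evil twin."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security in scan_results:
        by_ssid[ssid].append(bssid.lower())
    return [b for b in by_ssid.get(hotspot_ssid, []) if b[:8] not in KNOWN_GATEWAY_OUIS]


if __name__ == "__main__":
    # Constructed scan: two genuine gateways and one rogue AP copying the SSID.
    scan = [
        ("ExampleISP-Hotspot", "00:1A:2B:10:20:30", "open"),
        ("ExampleISP-Hotspot", "44:55:66:01:02:03", "open"),
        ("ExampleISP-Hotspot", "DE:AD:BE:EF:00:01", "open"),
        ("HomeNet", "00:1A:2B:10:20:31", "WPA2"),
    ]
    print(suspicious_ssids(scan, "ExampleISP-Hotspot"))
    print(portal_is_trustworthy("http://login.exampleisp.net/signin"))
    print(portal_is_trustworthy("https://login.exampleisp.net.attacker.example/"))
    print(portal_is_trustworthy("https://login.exampleisp.net/signin?r=1"))
```

    Two caveats a practitioner should keep in mind: a BSSID is trivially spoofable, so the OUI check only catches a careless attacker, and the host check only helps if the browser also validates the certificate, which is why plain-HTTP portals are rejected outright.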

    Until a better technical situation for open Wi-Fi becomes available, users will have to be careful in dealing with situations like this. An earlier blog post of ours also discussed using open Wi-Fi safely, with the use of virtual private networks (VPNs) being the most important tip there. Meanwhile, running one of these open wireless networks, given all the possible risks, is not a very good idea.


    In our efforts to address targeted attacks, we often work with IT administrators from different companies in dealing with threats against their networks. During these collaborations, we have recognized certain misconceptions that IT administrators, or perhaps enterprises in general, have about targeted attacks. I will cover some of them in this entry, in the hope of helping IT administrators strategize against targeted attacks, also known as APTs.

    A targeted attack is a one-time effort

    Some IT administrators tend to think that targeted attacks are a one-time effort, and that detecting and stopping one run means the end of the attack itself. In truth, targeted attacks are also known as APTs because the term describes them well: advanced and persistent. The attacks are often well planned and dynamic enough to adapt to changes within the target network. Being able to trace and block one attempt does not mean the threat has been eliminated. If anything, it may mean there are several other attempts that are not being detected, which makes constant monitoring all the more necessary.

    There is a one-size-fits-all solution against targeted attacks

    The demand for a complete and effective solution against targeted attacks is high, but such a solution simply cannot exist given the nature of targeted attacks. Attackers spend much time during reconnaissance understanding the target company, its IT environment, and its security defenses, and IT admins need to adopt the same mentality in their security strategy. All networks are different, so each one will need to be configured differently. IT admins need to fully understand their network and implement the defense measures that fit their environment.

    Your company is not important enough to be attacked

    Another big assumption that companies make when it comes to targeted attacks is that they are unlikely to be a target because they do not hold important data. Unfortunately, the importance of a piece of data is relative to the intentions of whoever is trying to get hold of it. For example, someone in HR may not see much value in the employment history of past applicants, but an attacker might use it as reference material for social engineering. As Raimund said in one of his videos earlier this year, enterprises need to identify their core data and protect it sufficiently.

    Targeted attacks always involve zero-day vulnerabilities

    It goes without saying that zero-day vulnerabilities pose a great risk to enterprises, and to users in general. However, based on analysis of targeted attacks seen in the past, older vulnerabilities are used more frequently. In our Targeted Attack Trends report for the second half of 2013, the most exploited vulnerability was not only one discovered in 2012, but one patched in that same year. This raises the importance of applying security updates to all systems within a network: a missed update on one system may be all it takes to compromise an entire network.

    Targeted attacks are a malware problem

    The last misconception I will discuss is tricky because it is partly true. IT admins are mostly concerned with having a solution that prevents malware from getting into their network. Although that is a valid concern, focusing on malware alone solves only part of the problem. Targeted attacks involve not only the endpoints but the entire IT environment. For example, many of the tools used for lateral movement are legitimate administration tools. A solution focused only on detecting malware will not detect that activity. IT admins need to consider solutions that cover all aspects of the network.
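    As an added example of what "covering more than malware" looks like in practice (this is illustrative code, not a Trend Micro product or any vendor's detection rule), the script below runs over constructed process-creation log lines and flags a workstation that reaches many remote hosts in a short window using ordinary administration tools. The log format (time, host, user, image, command line), the host and user names, and the list of hosts from which remote administration is expected are all assumptions. The rule keys on the remote target in the command line rather than on the tool's file name, so the renamed PsExec copy (ps.exe) in the sample is caught just like the others.

```python
"""Added example (not from the original post): flagging lateral movement
done with legitimate admin tools.  Log lines, hosts and users are
constructed; the line format is an assumption, not a vendor's schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: routine work from a jump host, then one
# workstation fanning out to five servers late in the evening.
SAMPLE_LOG = """\
2014-07-10T09:02:11 JUMP01 CORP\\jsmith C:\\Tools\\PsExec.exe \\\\FILE01 -s cmd.exe
2014-07-10T09:03:40 JUMP01 CORP\\jsmith C:\\Windows\\System32\\wbem\\WMIC.exe /node:DB01 process call create "sc query"
2014-07-10T22:14:05 WS-1042 CORP\\mlee C:\\Windows\\System32\\net.exe use \\\\FILE01\\ADMIN$ /user:CORP\\svc_backup
2014-07-10T22:15:09 WS-1042 CORP\\mlee C:\\Windows\\System32\\net.exe use \\\\FILE02\\ADMIN$ /user:CORP\\svc_backup
2014-07-10T22:16:31 WS-1042 CORP\\mlee C:\\Windows\\Temp\\ps.exe \\\\DB01 -accepteula cmd.exe
2014-07-10T22:17:02 WS-1042 CORP\\mlee C:\\Windows\\System32\\wbem\\WMIC.exe /node:DB02 process call create "whoami"
2014-07-10T22:18:44 WS-1042 CORP\\mlee C:\\Windows\\System32\\net.exe use \\\\HR01\\C$ /user:CORP\\svc_backup
2014-07-11T10:00:00 WS-0007 CORP\\pnguyen C:\\Windows\\System32\\notepad.exe notes.txt
"""

# Assumption: hosts from which remote administration is normal and expected.
ADMIN_HOSTS = {"JUMP01"}

# A remote target shows up as a UNC host (\\HOST) or a WMIC /node: argument,
# whatever the tool is called.
UNC_TARGET = re.compile(r"\\\\([A-Za-z0-9_-]+)")
NODE_TARGET = re.compile(r"/node:([A-Za-z0-9_-]+)", re.IGNORECASE)


def parse(line):
    """Split one constructed log line into its fields."""
    ts, host, user, cmd = line.split(" ", 3)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "host": host, "user": user, "cmd": cmd}


def remote_targets(cmd):
    """Return the set of remote host names referenced by a command line."""
    targets = {m.group(1).upper() for m in UNC_TARGET.finditer(cmd)}
    targets |= {m.group(1).upper() for m in NODE_TARGET.finditer(cmd)}
    return targets


def find_lateral_movement(log_text, fanout_threshold=3, window_minutes=30):
    """Alert on (host, user) pairs outside ADMIN_HOSTS that touch at least
    fanout_threshold distinct remote hosts within window_minutes."""
    per_actor = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["host"] in ADMIN_HOSTS:
            continue
        for target in remote_targets(ev["cmd"]):
            per_actor[(ev["host"], ev["user"])].append((ev["time"], target))

    alerts = []
    for (host, user), hits in per_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {t for ts, t in hits[i:] if ts - start <= timedelta(minutes=window_minutes)}
            if len(in_window) >= fanout_threshold:
                alerts.append({"host": host, "user": user, "targets": sorted(in_window),
                               "after_hours": start.hour >= 19 or start.hour < 7})
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_movement(SAMPLE_LOG):
        print(alert)
```

    In a real deployment the baseline of expected administration sources would come from an inventory rather than a hard-coded set, and the fan-out threshold would be tuned against normal traffic; the point is that none of the flagged binaries is malware, so a malware-only control never sees this activity.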

    For more expert advice and defense measures against targeted attacks, you may check our Targeted Attacks portal.


    Repackaged applications, a category of fake applications, play a crucial role in the proliferation of mobile malware. Like other fake apps, repackaged apps rely on social engineering: they display a user interface (UI), icon, package name and app label similar to those of the legitimate/official apps they spoof. This is done to trick users into downloading the fake apps and, consequently, to generate profit.

    Based on our research, nearly 80% of the top 50 free apps in Google Play have bogus versions. These apps span categories such as business, media and video, and games. In addition, more than half of the fake apps seen today are tagged as 'high-risk' or 'malicious' because of the risk they pose to users.

    Figure 1. Free apps with and without fake versions that were available in Google Play

    Several third-party app stores distribute repackaged apps, some of which are Trojanized apps, i.e. apps that have been modified to add malicious code. Samples include FAKEBANK, premium service abusers, and Trojanized game apps. Cybercriminals add mobile ad software development kits (SDKs) to their bogus apps to generate income by pushing advertisements, and they also change the mobile ad SDKs of legitimate apps so that the earnings go to them instead of the original developers. Another way of Trojanizing an app is to insert malicious code into the classes.dex file, which can introduce risks such as malware infection and data theft.

    Because of the security risks that repackaged apps pose to users, app stores should include rules and an audit mechanism to control the propagation of fake/repackaged apps. Google Play has implemented a rule that prevents apps which are similar, in code and appearance, to an already existing app.
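    To make the kind of audit rule described above concrete, here is an added example (not Google's rule and not code from the original post) of a triage check a store could run on a submitted app: compare its package name, label and icon with an official catalogue, and treat a close match that carries a different signing certificate as a repackaged or look-alike app, since a repackager cannot reproduce the original developer's signing key. The catalogue, package names, labels, icon hashes and certificate fingerprints are constructed placeholders; a real store would extract them from the APK's manifest, resources and signature block.

```python
"""Added example (not from the original post): classifying a submitted app
against a catalogue of official apps.  All metadata is constructed."""
import difflib

# Constructed catalogue: package name -> label, signer cert fingerprint, icon hash.
OFFICIAL_APPS = {
    "com.example.flappyfowl": {"label": "Flappy Fowl", "signer": "a1b2c3", "icon": "icon-hash-0001"},
    "com.example.bank": {"label": "Example Bank", "signer": "c3d4e5", "icon": "icon-hash-0002"},
}


def similarity(a, b):
    """Case-insensitive string similarity in [0, 1]."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def classify_app(candidate, catalogue=OFFICIAL_APPS, threshold=0.8):
    """Return (verdict, matched_official_package).

    Verdicts: 'official'   - looks like a catalogue app and is signed with its key
              'repackaged' - identical package name or icon, but a different key
              'lookalike'  - near-identical name/label, but a different key
              'unknown'    - nothing in the catalogue resembles it"""
    best_pkg, best_score = None, 0.0
    for pkg, meta in catalogue.items():
        score = max(similarity(candidate["package"], pkg),
                    similarity(candidate["label"], meta["label"]))
        if candidate["icon"] == meta["icon"]:
            score = 1.0  # a copied icon is as strong a signal as the name
        if score > best_score:
            best_pkg, best_score = pkg, score

    if best_pkg is None or best_score < threshold:
        return "unknown", None
    official = catalogue[best_pkg]
    if candidate["signer"] == official["signer"]:
        return "official", best_pkg  # same key: an update or variant from the real developer
    if candidate["package"] == best_pkg or candidate["icon"] == official["icon"]:
        return "repackaged", best_pkg  # identical identity, wrong key: modified and re-signed
    return "lookalike", best_pkg  # spoofed name/label, wrong key


if __name__ == "__main__":
    submissions = [
        {"package": "com.example.flappyfowl", "label": "Flappy Fowl", "signer": "a1b2c3", "icon": "icon-hash-0001"},
        {"package": "com.example.flappyfowl", "label": "Flappy Fowl", "signer": "ffffff", "icon": "icon-hash-0001"},
        {"package": "com.example.flappyfowl.free", "label": "Flappy Fowl Free", "signer": "eeeeee", "icon": "icon-hash-9999"},
        {"package": "org.other.todo", "label": "Todo List", "signer": "123456", "icon": "icon-hash-7777"},
    ]
    for app in submissions:
        print(app["package"], "->", classify_app(app))
```

    The signing key is the decisive field: name, label, icon and even the classes.dex contents can all be copied, but an APK signed with a key other than the original developer's is by definition not the developer's build.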

    In the past, we discussed how repackaged apps leverage the popularity of mobile apps, using Flappy Bird as a case study in our monthly mobile review. Our research paper, Fake Apps: Feigning Legitimacy, provides an in-depth discussion of repackaged apps, their risks to users, and ways users can secure their mobile devices.

    With additional analysis by Symphony Luo

    Update as of July 17, 2014, 9:08 A.M. PDT:

    Note that the fake apps samples we gathered are from third party sources and none was found in Google Play.


    While wearable personal technology may be the most “public” face of the Internet of Everything, the most widespread use of it may be in smart meters.

    What is a smart meter, exactly? It’s a meter for utilities (electricity, gas, or water) that records the consumption of the utility in question, and transmits it to the utility provider via some sort of two-way communication method. (Examples of these methods include a wireless mesh network, power line networking, or a connection to the user’s own Internet service.) Unlike simple home monitors, smart meters can collect data for remote reporting to the utility.

    One smart meter in isolation has limited uses. However, if the majority of meters in an area are now “smart”, the utility is able to reap large benefits. With the added information provided by large numbers of smart meters, a utility can adjust their services as needed to improve the efficiency, reliability, costs, and sustainability of their services.

    Deployment and Usage

    Some may think that smart meters are more theoretical than anything else. However, they are already in widespread use in some countries, and it is easy to see how in the next few years they will become even more widespread.

    Let me talk about the part of the world I know – Europe. For example, the former Italian electric monopoly, Enel, has rolled out smart meters to almost all of its 36 million customers. In addition, Enel has deployed a remote management system known as Telegestore, which allows the utility to carry out actions via the smart meter that would otherwise require a physical visit. 330 million meter readings and over a million other operations were carried out remotely, making this easier for both customers and Enel. Enel also owns 92% of the Spanish utility firm Endesa, and is rolling out similar products in that market.

    Italy and Spain are not the only countries in Europe leading the way in smart meter adoption. Other countries identified by the European Union as being “dynamic movers” in smart meters include Estonia, Finland, France, Ireland, Malta, the Netherlands, Norway, Portugal, Sweden, and the United Kingdom. In these countries, regulators and utilities are both making the necessary steps to move forward with smart meter adoption.

    Technical Standards and Risks

    There are a large number of industry groups and protocols promoting smart meter technology. In part, this reflects the varying ways that smart meters are deployed and used: different applications may need different technology. However, it also means that there is a wide variety of technical standards in use in smart meters.

    Other niche devices of this kind, such as home automation equipment and Internet routers, have proven to have serious security risks. It is one thing for, say, a light switch to have a vulnerability; it is quite another for utility meters and their controls to have one. Smart meters and smart grids have not yet been fully tested and vetted for potential security risks, and we have to consider the potential scenarios if these devices are shown to have flaws, as some of them inevitably will.

    The video below highlights some of these potential scenarios. In future blog posts, we will look into some of them in detail and discuss the circumstances that can lead to these issues.

    You can read parts 2 and 3 of this blog series here:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.


    We have been dealing with targeted attacks for some time and know that there is no single technology that can practicably defend an organization's network against these high-impact campaigns. That is sad but true; it does, however, mean there are ways to harness security technologies like sandboxing and heuristic scanning so that they work together as a stronger whole.

    Using heuristics and sandboxing as complementary technologies that cover each other's weaknesses is an effective and efficient way of identifying unknown threats as early as possible. Heuristic scanning uses a rule-based system to quickly identify possibly malicious files; its effectiveness relies heavily on how the rules are defined. Sandboxing is a method of safely executing a suspicious file in a protected environment, usually a virtual machine, to observe what it does without infecting the host.

    Efficiency and Accuracy

    In practice, heuristic scanning acts as a filter before a file is sent to the sandbox, which reduces cost and increases system capacity. Heuristic scanning can also determine a file's type and, if the two technologies are working together, pass that information along. For example, heuristic scanning can tell the sandbox that a certain Office file is a Word 2003, Word 2007, or other version document, so the sandbox can execute the file in the appropriate, expected environment.

    Furthermore, even if a company has enough resources to sandbox every single file under all possible conditions, some malware can tell that it is being run in a sandbox and will not exhibit any malicious routine there. An IT admin's best bet is to have such a file detected earlier via heuristic scanning, for better detection coverage.
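    The script below is an added example of the filter-then-route arrangement described above; it is illustrative code, not the Trend Micro Advanced Threat Scan Engine or any of its rules. It identifies a file's type from its leading bytes, applies a handful of simple rules to it (embedded objects and malformed headers in RTF, JavaScript and automatic actions in PDF, VBA project streams in Word 2003 and Word 2007 documents, sandbox-detection strings in executables), and returns a score together with the sandbox profile the file should be detonated in. The rule set, weights, profile names and sample files are constructed and far too coarse for production; the only non-assumed facts are the magic bytes and the fact that OLE directory entry names such as _VBA_PROJECT are stored as UTF-16LE.

```python
"""Added example (not from the original post): a miniature heuristic
pre-filter that types a file, scores it against rules, and chooses a
sandbox profile.  Rules, weights, profiles and samples are constructed."""
import re

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Word 97-2003 compound file header

# (rule name, file type it applies to, pattern, weight).  Constructed rules.
RULES = [
    ("rtf_malformed_header", "rtf", re.compile(rb"^\{\\rt(?!f1)"), 2),           # Word opens truncated {\rt headers
    ("rtf_embedded_object",  "rtf", re.compile(rb"\\obj(data|update)"), 3),
    ("pdf_javascript",       "pdf", re.compile(rb"/(JavaScript|JS)\b"), 3),
    ("pdf_auto_action",      "pdf", re.compile(rb"/(OpenAction|AA)\b"), 2),
    ("ole_vba_project",      "ole", re.compile(re.escape("_VBA_PROJECT".encode("utf-16-le"))), 3),
    ("ooxml_vba_project",    "ooxml", re.compile(rb"vbaProject\.bin"), 3),
    ("pe_sandbox_check",     "pe", re.compile(rb"VirtualBox|VMware|SbieDll\.dll|vboxservice", re.I), 2),
]

# Assumption: profile names of the sandbox the filter feeds.
SANDBOX_PROFILES = {"ole": "office2003", "ooxml": "office2007", "rtf": "office2007",
                    "pdf": "reader", "pe": "win7", "zip": "win7", "swf": "browser_flash"}


def identify(data):
    """Type a file from its leading bytes (the information the sandbox needs)."""
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"{\\rt"):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml" if b"[Content_Types].xml" in data else "zip"
    if data.startswith(b"MZ"):
        return "pe"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"
    return "unknown"


def scan(data):
    """Apply the rules for the detected type; return the routing decision.

    verdict 'high' = detonate now, 'low' = detonate if capacity allows,
    'skip' = no heuristic hit, do not spend sandbox time on it."""
    ftype = identify(data)
    hits = [name for name, applies_to, pat, _ in RULES if applies_to == ftype and pat.search(data)]
    score = sum(w for name, _, _, w in RULES if name in hits)
    verdict = "high" if score >= 3 else "low" if score else "skip"
    return {"file_type": ftype, "hits": hits, "score": score,
            "verdict": verdict, "sandbox_profile": SANDBOX_PROFILES.get(ftype)}


# Constructed samples, each just large enough to trigger (or not) a rule.
SAMPLES = {
    "rtf_objdata": b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata 0105000002000000}}}",
    "rtf_bad_header": b"{\\rt\\ansi hello}",
    "pdf_js": b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
              b"2 0 obj<</S/JavaScript/JS(app.alert(1))>>endobj",
    "pdf_clean": b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj",
    "doc_macro": OLE_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le"),
    "docm_macro": b"PK\x03\x04\x14\x00" + b"[Content_Types].xml" + b"word/vbaProject.bin",
    "exe_vmcheck": b"MZ" + b"\x90" * 40 + b"checks for VMware Tools and SbieDll.dll",
    "swf_plain": b"FWS\x0a" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, scan(blob))
```

    The "skip" verdict is where the capacity gain comes from, and also where the risk sits: a file that matches no rule never reaches the sandbox, so the rules must be broad enough to catch unfamiliar samples while specific enough not to route every clean document to detonation.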

    Solution Versus Zero-days

    As mentioned before, the effectiveness of heuristics plus sandboxing relies heavily on the defined heuristic rules. These rules need to be forward-looking enough to recognize previously unknown threats, but also specific enough so as to avoid false alarms.

    One good way to check the effectiveness of these rules is to see how well they fare against zero-day exploits. By nature, zero-day exploits abuse unpatched vulnerabilities, but they tend to reuse familiar exploitation techniques. If the heuristic rules are sufficiently "smart", they will catch them.

    Even years-old heuristic rules in the Trend Micro Advanced Threat Scan Engine, for instance, have been able to detect recent zero-days:

    1. CVE-2014-0515 (May 2014) was detected by a rule developed in 2014: HEUR_SWFJIT.B
    2. CVE-2014-1761 (April 2014) was detected by a rule developed in 2012: HEUR_RTFEXP.A/HEUR_RTFMALFORM
    3. CVE-2014-0496 (February 2014) was detected by a rule developed in 2010: HEUR_PDFEXP.A
    4. CVE-2013-3346 (November 2013) was detected by a rule developed in 2010: HEUR_PDFEXP.A

    Aim for Early Detection

    Assume compromise: enterprises should understand by now that the later they catch on to an ongoing targeted attack campaign, the more difficult it becomes to mitigate the damage, or even to detect the attack at all. Early detection must therefore be the first priority for network defenders, and layered protection will go a long way.

    Additional insights and analysis by Shih-hao Weng and Sunsa Lue.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice