    Spammers are constantly trying new ways to bypass filters to deliver spam. One of the more typical methods is the use of word salad spam, wherein spammed messages are filled with random words. We recently noticed a spike in salad spam that’s circulating in the wild. Aside from the sudden increase, what’s interesting about this particular spam run is that it uses exact sentences copied from Wikipedia articles.

    For example, in the spammed message below, the first sentence is “Knipe taught his Hawkeye team 75 new plays in one week.” That sentence comes from the Wikipedia article about the American football player and coach Alden Knipe. The second sentence, “As a result, wine consumption in Australia has greatly increased as of 2006,” comes from the article about cleanskin wine. The last sentence, referring to the House of Blues and the Theatre of the Living Arts, comes from the article about the Verizon VIP Tour.

    Figure 1. Sample spammed message

    This seemingly normal content may be enough on its own to get the message delivered. However, the spammers took it one step further by forging the From field so that the email appears to have been sent from the recipient’s own email account. This adds a layer of legitimacy to the spammed messages.

    Further analysis of the email samples shows that this spam run is distributed by computers infected by the Kelihos botnet. This botnet is known for spamming and Bitcoin theft. Our research indicates that these messages were sent from a variety of countries, including Argentina (18%), Spain (17%), Germany (11%), Italy (11%), and the United States (10%).

    Even though the Wikipedia salad spam may not be malicious—it can be described as a “nuisance” at best—the technique shows that bad guys are still refining known spamming techniques. While there was no malicious payload in this particular spam run, the same may not be true of future ones. Users are advised to be cautious when opening emails. A good rule of thumb is to immediately delete emails from unknown senders.

    Trend Micro protects users from these threats.
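A detection heuristic for the forged-From trick described above, as an added example that is not Trend Micro’s code: it flags a message whose From address matches one of its own recipients when the hop closest to our mail exchanger did not come from a host we allow to originate our mail. The sample messages, the `mx.example.com` MX, and the `INTERNAL_HOSTS` list are constructed for the example.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed sample: From equals the recipient, but the newest Received line
# shows the message reached our MX from an outside address.
SAMPLE_FORGED = """\
Received: from 203.0.113.45 (unknown [203.0.113.45]) by mx.example.com
From: alice@example.com
To: alice@example.com
Subject: Knipe taught his Hawkeye team 75 new plays in one week.

As a result, wine consumption in Australia has greatly increased as of 2006.
"""

# Constructed sample: a genuine note-to-self relayed by our own mail server.
SAMPLE_LEGIT = """\
Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.com
From: alice@example.com
To: alice@example.com
Subject: note to self

Remember to rotate the keys on Friday.
"""

# Assumed: hostnames that are allowed to hand mail to our MX as "internal".
INTERNAL_HOSTS = ("mail.example.com",)


def recipients(msg):
    """All To/Cc addresses, lower-cased, as a set."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers)}


def sent_from_internal_host(msg):
    """True if the newest Received hop (first in header order) names an internal host.

    A message with no Received header at all is treated as external."""
    received = msg.get_all("Received", [])
    if not received:
        return False
    from_part = received[0].split(" by ")[0]
    return any(host in from_part for host in INTERNAL_HOSTS)


def is_self_forged(raw_message):
    """Flag mail whose From address is one of its own recipients but arrived from outside."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return bool(sender) and sender in recipients(msg) and not sent_from_internal_host(msg)
```

A real deployment would back this with SPF/DKIM results rather than a hostname list, but the check shows the shape of the signal: self-addressed mail arriving from an outside hop.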


    News of a maritime disaster in South Korean waters hit full force on April 16, 2014. MV Sewol, a South Korean vessel, capsized off the country’s southern coast.

    While the world was still reeling from the horrific turn of events, cybercriminals got to work. Mere hours after the event was reported worldwide, we saw spammed messages that used this piece of news. In the samples we observed, the news is not used as bait but is made part of the message itself.

    Figure 1. Spammed message

    Notice that everything else in the spammed message says nothing about the ferry incident. Only when looking at the entire message does one find the incident mentioned at the bottom. This technique, adding random clips of incidents or news that may be relevant given the date and time, is used by spammers to evade email filters.

    Once an email of this kind gets through your filters, your anti-malware solution and your ability to distinguish legitimate emails from spam are the only protections you can rely on. Notice that in the image above, there is an attachment that purports to be a court appearance notification. If you mistakenly open that attachment, a backdoor runs on your computer. Further analysis of this particular case led us to detect the attachment as BKDR_KULUOZ.SMAL. This backdoor allows a remote malicious user to issue commands such as updating the malware version, downloading and executing files, and setting the computer to idle or sleep.

    KULUOZ is known to be distributed by the Asprox botnet. KULUOZ downloads other malware such as FAKEAV and ZACCESS, and installs components of the Asprox botnet on your computer, possibly turning it into a spam distributor. Further analysis confirmed that this particular KULUOZ variant is part of the Asprox botnet.

    Events like this, unfortunate as they are, are exactly what spammers and cybercriminals use to further their activities. Cybercriminals often exploit events that have just occurred because they know there is a demand for more information—any information—about them. In that situation, people might be more inclined to open emails or click links.

    While Trend Micro products readily filter email messages of this nature and prevent the execution of malicious attachments, your best line of defense is also your own knowledge. Distinguish spam from legitimate email by looking closely at the sender, the subject, and the message. Most spam uses bogus email addresses, and subject lines and/or messages designed to catch attention. Identifying spam saves you a lot of the time and headache associated with keeping your data and your computer safe.

    With additional analysis from Mark Aquino


    The year so far has been a particularly stressful one for enterprise IT staff. Early in the year, concerns over data breaches and point-of-sale (POS) malware gave retailers something to worry about.

    The long-simmering headache of Windows XP migration came to a head when support for the venerable OS ended in April. That would normally have been the security headline of the month, but a vulnerability in OpenSSL known as Heartbleed reared its less than welcome head.

    All in all, then, IT security personnel can be excused if they’re tired and just a bit weary of patching holes as they appear. Hopefully, these teams are able to properly recuperate from these rather stressful times, as the importance of trained and empowered security personnel cannot be overstated.

    While the role of technical solutions gets more attention (and, frequently, funding), these solutions are worthless without trained personnel that know how to use them. Dealing with today’s attack environment is not just about using more sophisticated tools; it is also about trained IT security people making decisions, with the best information provided by their tools as well as threat intelligence at their disposal.

    Unfortunately, in many organizations these teams get short shrift and are viewed as nothing more than a cost center. This seems sensible until a major breach or other security failure happens – which ends up costing an organization far more.

    So how exactly can organizations take care of their information security personnel? Here are four areas where organizations can help.

    Give them the tools they need – and let them experiment, too. 

    First of all, information security teams must have the resources they need. This can include hardware, software, and headcount. Teams should be able to do their job without having to worry that they lack the resources to do it. Yes, this can be expensive, but so are attacks and data breaches.

    In addition, organizations should give teams some leeway to experiment. If they want to try new tools, or use new methods to gather or analyze threat information, let them. These ideas don’t have to be production quality right out of the gate; all that’s needed is a proof of concept to check whether the idea will work.

    Let them learn and make mistakes.

    New threats and problems are always emerging. As we saw in rather lurid detail this year, things we thought were secure sometimes aren’t. Learning has to be a key part of a team’s goals in order to stay ahead of the threats encountered in day-to-day work.

    Information about threats is not always precise; things that appear to be threats may turn out to be completely harmless, and the reverse is also true. Mistakes happen; trying to reduce them is obviously desirable, but it shouldn’t turn your security team into an overcautious group that is afraid to point out an obvious attack.

    Ensure data is freely accessible

    This ties in with our first point. If an organization really wants its teams to experiment, it should ensure that its logs and databases are kept in easily accessible, open formats. Archived files should be stored as plain text, such as comma-separated values (CSV), rather than in a proprietary binary format. Plain text can be easily processed by many viewers and scripting languages.

    Why is this important? It allows searches to be performed relatively quickly and efficiently, giving an organization’s security professionals the best possible access to potential threat information. Depending on what an organization logs and archives, it also offers intriguing possibilities for data correlation, and the threat intelligence available to the organization’s defenders may improve as a result.

    Listen to them.

    In many organizations the security professionals are not listened to, either by other IT staff or by upper management. That is a mistake, as security professionals know what they’re talking about and can provide helpful insights if asked. This is true for any profession, but in the security field it is particularly important that practitioners be engaged and considered by the rest of the organization.

    All in all, the lesson is simple: the foundation of any organization’s security posture is the individuals actually putting that posture into force on the ground. To ensure the success of any policies, the individuals implementing them must receive the proper support and resources necessary to do their job.

    Are you an information security professional? Let us know what you think in the comments.


    Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”.

    The spammed notification pretends to come from the “official Facebook Chat Team.” It tells users they have been tagged in a comment on a Facebook Note containing a fake announcement about a Facebook Chat verification requirement.

    Figure 1. Facebook Chat verification notification

    The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differs depending on which browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer).

    Users are then directed to a shortened link and asked to press a particular function key (F12 for Google Chrome users, for example). After clicking on the console tab, users are supposed to paste the provided JavaScript code into the address bar, then press Enter. This actually gives the bad guys access to the user’s account, including the ability to auto-tag anyone in the user’s friends list and start the cycle of victimizing other account users.

    Figure 2. Console where the JavaScript code is supposed to be entered

    From the get-go, users should know that there is no product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site’s official instant messaging feature is called Facebook Messenger, which is also the name of its stand-alone app. Earlier this month, Facebook announced that Android and iOS users will be required to use this stand-alone app, as the chat features are being removed from the traditional app versions of the site.

    Facebook has taken action against threats like this by releasing an official announcement. The official Facebook warning notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things.”

    In 2013, a mobile phishing page disguised as a legitimate Facebook mobile page was used to victimize users by stealing their credit card details. In the same year, the Facebook Security Check page was spoofed by phishers, leading to a number of stolen account credentials.

    Protecting your online accounts from different threats requires constant vigilance. Always check and verify links that are sent your way, even if they come from a friend or contact. In the same vein, be selective about the contacts you add to your network and only add those you know personally, to minimize the risk of compromising your accounts and harming your computer.

    Since April 2012, Trend Micro has worked hand in hand with Facebook to secure and shield users from attacks such as this. We already block all threats associated with this attack.

    How the Heartbleed bug works

    In previous blog entries, we’ve discussed various aspects of the Heartbleed vulnerability in OpenSSL. Last Tuesday, our first blog post covered an analysis of the vulnerability itself, as well as some steps that IT administrators of affected systems could take to protect themselves. Later entries looked at how popular websites and mobile apps were, in their own ways, vulnerable to the threat.

    To help deal with the Heartbleed vulnerability, we’ve released several tools that can be used to detect possible exposure to the risks:

    We have released the Trend Micro Heartbleed Detector on the Google Play app store. This tool is designed to help users tell if they are vulnerable to any aspect of this threat. In particular, it checks for three things:

    • It checks whether the version of OpenSSL used in the device’s version of Android may be vulnerable.
    • It checks whether any OpenSSL libraries embedded in the user’s installed apps may be vulnerable.
    • It checks whether the user’s installed apps communicate to any unpatched (and therefore, vulnerable) servers.


    Figure 1. Detector application

    If any vulnerable apps are detected, the detector offers to uninstall the app for the user:


    Figure 2. Vulnerable app detected

    We don’t recommend that users immediately uninstall all vulnerable apps, but this is something everyone should consider for applications that handle critical information, such as mobile banking applications. In addition, it’s a good idea for users to contact the companies that maintain these vulnerable apps and ask them to update their apps or websites as soon as possible.

    For Chrome users, we’ve also released the Trend Micro OpenSSL Heartbleed Scanner app. The scanner allows users to check if specific sites are vulnerable to Heartbleed. The tool can be downloaded from the Chrome Web Store.

    Other users who want to check whether a site is vulnerable can do so through our Trend Micro Heartbleed Detector website.

    We will continue to monitor this issue and release more information as needed. For other posts discussing the Heartbleed bug, check our entries from the past week:



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice