Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2015
    S M T W T F S
    « Apr    
  • Email Subscription

  • About Us

    In an interesting turn of events, a C&C used in the Carbanak targeted attack campaign now resolves to an IP linked to the Russian Federal Security Service (FSB).

    Yesterday, while checking the indicator of compromise (IOC) data from the Carbanak report, when I noticed that the domain name (which was identified as a C&C server in the report) now resolves to the IP address When I checked for related information, I found that the said IP is under ASN AS8342 RTCOMM-AS OJSC RTComm.RU and its identified location is Moscow City – Moscow – Federal Security Service Of Russian Federation.

    Figure 1. Information on

    For those who are not familiar, Carbanak is a targeted attack campaign that hit banks and financial organizations earlier this year. Based on reports, it employed methods and techniques such as spear phishing email and exploits, commonly seen in targeted attacks. Accordingly, attackers did intelligence gathering about their target networks in order to infiltrate it.

    I checked for other interesting details in the other IOCs but didn’t find anything related to this particular anomaly. I still do not know why it happened; I do not really think that FSB Russia would point the Carbanak-related domain name to an IP address which is affiliated with Russian Federal Security Service. It is also possible that the owner of the domain had done this as a prank.

    A reverse lookup on the IP addresses revealed that there are several other domains resolving to it apart from   Reverse IP Lookup   DomainTools

    Figure 2. Other domains resolving to the FSB Russia

    We will monitor this further and post updates when they’re available.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Our analysis of the win32k.sys vulnerability used in a recent targeted attack reveals that it opens up an easy way to bypass the sandbox, making it a bigger threat than originally thought.

    As mentioned in Microsoft security bulletin MS15-051, CVE-2015-1701 is an elevation of privilege vulnerability that exists when the Win32k.sys kernel-mode driver improperly handles objects in memory. The vulnerability exists in Win32k.sys, which is a weak security point in Windows.

    Elevation of privilege vulnerabilities are technically less dangerous since they can’t be exploited remotely, but since this vulnerability can be used to bypass the sandbox — a security feature designed to keep attackers from being able to execute malicious files in users’ environment — this becomes a viable tool for attackers.

    The vulnerability exists in the Windows OS process of creating windows for applications. To illustrate, we’ll first look at the processes involved when an application wants to create a window:

    1. The application registers a window class to System, which defines the window’s style and behavior. The most important property of window class is window procedure which defines the window ‘s behavior when there’s an incoming message. The window procedure is provided by the application.
    2. The application then calls the API CreateWindow/CreateWindowEx with the window class to create the window. These APIs will switch to kernel mode to call service routine NtUserCreateWindowEx. NtUserCreateWindowEx is complicated function and does the real job of creating the window in Windows system.  During the function execution, it will switch to user mode many times to call many functions that exist in user mode. These function do jobs which is fit to run in the user mode (example: to load an image, etc.).

    Since this is a lengthy process, I’ve simplified the process of creating a window, leaving only the key point related to the vulnerability: (more…)

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    East Asian government agencies came under siege when attackers targeted several servers within their networks. The said attackers, who showed familiarity and in-depth knowledge of their agencies’ network topology, tools, and software, were able to gain access to their targeted servers and install malware. After which, they used the compromised servers not only as gateways to the rest of the network but also as C&C servers. This particular attack has been active since 2014.

    The attackers tried to maintain their presence in the network by modifying applications installed in the servers. Certain files in the said applications—mostly productivity, security, and system utility apps—were tampered to load malicious DLL files. The common denominator among these tampered apps is that they were all set to run upon system startup. This suggests that the applications were modified in order to ensure that the installed malware will run every time the server is launched.

    Servers are Prime Targets

    Our investigation revealed five applications the attackers modified:

    • Citrix XenApp IMA Secure Service (IMAAdvanceSrv.exe)
    • EMC NetWorker (nsrexecd.exe)
    • HP System Management Homepage (vcagent.exe)
    • IBM BigFix Client (BESClient.exe)
    • VMware Tools (vmtoolsd.exe)

    According to our monitoring, the attacker initially targeted two servers, and then continued to move through the network looking for more to infect. This was done continuously until early 2015, affecting more servers. Some of those affected were network management servers, meaning that they had access to all systems within their assigned subnet. We did not find traces of how the attackers utilized this level of access to the network, but we assume that they used this to maintain their presence in the network and to steal information.

    Using the Target’s Environment against Them

    Attackers were able to identify applications installed in the servers and modified them to run malicious code. The target applications’ import table were modified to add a reference to a malicious DLL (the name of the DLL varies to match the target application). When the modified application is run, the malicious DLL is loaded as well.

    Figure 1. Modified import table, with reference to malicious DLL (highlighted in blue)

    It is almost impossible to find differences between the original version and the modified ones, as even their file sizes are almost identical. The difference will be noticeable, however, if the files are signed, which was the case for four of the five files we analyzed. Since modifications will invalidate file signatures, the attackers stripped off the signatures from the modified versions. The pictures below show the original BESClient.exe on the left and the modified version on the right.

    Figures 2 and 3. Properties of original and modified executables

    As previously mentioned, BESClient.exe was modified to add a reference to a DLL file named libBEScrypto_1_0_0_6.dll. This DLL file is a malware loader that will then try to decrypt and rename a file (whose name and folder also matches the modified application.) In this case, the file at C:\Program Files (x86)\BigFix Enterprise\BES Client\BESInfo.dat is decrypted and renamed to %Temp%\mesnt.exe, and the malware loader will execute mesnt.exe.

    Once mesnt.exe is executed, it will create a new svchost.exe process with the suspended flag, which allows malicious code to be executed. Mesnt.exe will then be deleted and the now un-suspended svchost.exe process connects back to a specified command-and-control (C&C) server which is also found within the target network. As mentioned earlier, this shows how much intelligence has been gathered about the target. Using an internal IP address ensures that any activity will not be seen as malicious, and instead be seen as normal network activity.

    Figure 4. An internal IP used as C&C for the malware

    We also found the attackers trying to erase their tracks by deleting their backdoor and undoing the changes they made to the applications by removing the malicious DLLs. It is possible that the attackers were able to detect that the environment was being monitored, or that they’ve ceased their information gathering. Regardless, we are continuing our monitoring for any developments.

    The Need for Better Vigilance

    Familiarity with a target environment gives attackers a lot of opportunities to blend into the background and stay hidden from monitoring. The level of access the attackers got in this particular attack shows how deep they can get into the network and how this level of access can be used to ensure that the attackers’ activities are not detected.

    It is therefore very important for organizations to be more keen on monitoring suspicious behaviors in the network, regardless of whether a file is being launched by a known program, or if network communication is coming from within the network.

    Trend Micro™ Custom Defense™ solutions can protect organizations from this type of attack. They provide in-depth contextual analysis and insight that help IT administrators properly identify suspicious behavior in the network, such as the access to the servers in this attack.

    Organizations with Trend Micro Endpoint Application Control enabled in their network will also be able to detect the changes made to the applications and prevent them from executing.

    More information about trends seen in targeted attacks can be found in our annual targeted attack report.

    The following table provides references for the files we found related to this attack:

    File name SHA1 Description Detection Name
    IMAAdvanceSrv.exe d955d7a581cc8f1d428a
    (Citrix) modified executable PTCH_POISON.ZTCC-A
    imaInst.dll ab85f8bdd369f2fa3089
    (Citrix) malware loader BKDR_POISON.ZTCC-A
    imaUpd.dat 57ec4f26e77521198483
    (Citrix) encrypted backdoor BKDR_POISON.ZTCC-A
    nsrexecd.exe 842a9402714bd0d8838b
    (EMC) modified executable PTCH64_POISON.ZTCB-B
    nsrinit.dll d460baf807076ab95290
    (EMC) malware loader BKDR_POISON.ZTCB-B
    libuni.jar a257bc3c6f05e59ef319
    (EMC) encrypted backdoor BKDR_POISON.ZTCB-B
    BESClient.exe c5bc692ceb22dd8c6e49
    (IBM) modified executable BKDR_POISON.TUFM
    libBEScrypto_1_0_0_6.dll 3b6e637504d535f30745
    (IBM) malware loader BKDR_POISON.TUFM
    BESInfo.dat 7f40deb2875543008462
    (IBM) encrypted backdoor TROJ_AGENT.GLI
    vmtoolsd.exe 1b0c561d5fe78168cc34
    (VMWare) modified executable PTCH64_POISON.ZTCB-A
    VmUpgrade.dll 1822b8d10ebb5a363755
    (VMWare) malware loader BKDR_POISON.ZTCB-A
    VMwareRes.pkg 65bd14bf85d26ecd7cec
    (VMWare) encrypted backdoor BKDR_POISON.ZTCB-A

    Additional analysis by Tim Yeh

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Just because security researchers report about threats doesn’t mean we’re exempted from them.

    I recently experienced an incident at home that involved tampered DNS router settings. I was redirected to warning pages that strongly resemble those used in previous FAKEAV attacks. I noticed that my home internet router DNS settings have been modified from its default settings. (My router is a modem/router combo that was provided by my ISP.)

    Sensing that my home router settings may have been tampered with, I did some more checking to see if it has been infected. I tried to browse through HTTP websites, but all HTTP websites displayed a warning message on all of the devices I used (I used my Windows Phone, iPad, and my laptop). This is a sample warning message that shows that my system has been found with “two malicious viruses” and that my personal information “may not be safe.”

    Figure 1. Warning message displayed on HTTP websites from my infected router (Click to enlarge)

    I checked the DNS settings in the router to check for anything suspicious. To my knowledge, the settings are supposed to be as follows:

    Figure 2. Original DNS settings

    Instead, the DNS settings were:

    Figure 3. Tampered settings lists the primary DNS IP address as 5[.]104[.]175[.]151

    I looked up the newly listed IP address via Trend Micro IP reputation service, which lists the new IP as ‘bad.’

    Figure 4. New IP address in DNS settings is listed as ‘bad’ by Trend Micro IP Reputation Service

    I am not entirely sure how the DNS settings were modified, considering that the router already came pre-configured by my ISP. It isn’t unlikely, however, that the router may have been tampered with since the supply chain is a known target and could represent a weak point in any organization.

    Rising number of vulnerable routers on a global scale

    My experience led me to think of other router attacks that have happened in the past months and years. As early as 2010, researchers have demonstrated attacks on home routers that combined DNS rebinding and cross-site request forgery. If done successfully, this particular router attack may allow attackers to change the router’s DNS settings, making everyone connected to it vulnerable to phishing attacks.

    In 2014, we uncovered a router-based attack on our own. Routers manufactured by Netcore were incidentally sold with a wide-open backdoor that can be easily exploited to run arbitrary code, rendering the routers vulnerable. And just last March, we wrote about malware that attempts to connect to home routers to search for connected devices.

    Data from Asus home routers with the Trend Micro Smart Home Network Solution shows that these types of attacks are ongoing. For example, we have detected and blocked attacks involving the vulnerability CVE-2015-0554. These attacks were mostly observed in Australia, China, and Spain.

    Keeping your home network secure

    Routers make an ideal target for cybercriminals—tampering with any wireless router can allow cybercriminals to monitor their targeted users’ online activities. And from past incidents, we can see that cybercriminals use different ways of launching these attacks.

    Securing the router should be a primary concern as these often come with important default settings that may be critical in terms of security. Default settings make routers easier to configure but it can also make them more vulnerable to unauthorized access.  Creating a strong router login password is just one way to keep routers safe from potential threats.

    Changing the router login credentials is the first step to securing a home network. Cybercriminals often use malware and scripts to launch router attacks. Security solutions like Trend Micro security for their computers and Trend Micro Mobile for Android and iOs for smartphones can detect and prevent malware from running in devices. Other security practices like double-checking links, emails, and attachments can go a long way in securing computers and networks.

    Users may also call their ISP provider for assistance as DNS tampering may be the result of ISP issues.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    6:03 am (UTC-7)   |    by

    logjam 1Another flaw has been found in the basic encryption algorithms that secure the Internet. This flaw, named the Logjam attack by its discoverers (researchers from various universities and companies), allows an attacker that can carry out man-in-the-middle attacks to weaken the encryption used in secure connections (such as HTTPS, SSH, and VPNs). In theory, this means that an attacker (with sufficient resources) can break the encryption and read the “secure” traffic.

    In some ways, this attack is similar to the recent FREAK attack. Both attacks were made possible by support for “export-grade” encryption standards. Until the 1990s, cryptography was considered a “munition” in the United States and limits were placed on the strength of cryptography that products “exported” for use outside of the US could support. Unfortunately, what was “acceptable” cryptography then can now be cracked with sufficient computation resources.

    The vulnerability lies in how the Diffie-Hellman key exchange is carried out. Logjam can be used to lower the strength of the accepted algorithms to those that use 512-bit prime numbers (as used in “export-grade” encryption). Similar research (also carried out by the Logjam researchers) proved that other vulnerabilities are present in systems that use 768- and 1024-bit primes. Nation-states may have the resources needed to exploit these flaws; this can allow an attacker to decrypt secure traffic that has been passively collected.

    Who is at risk?

    Theoretically, any protocol that uses the Diffie-Hellman key exchange is at risk from this attack. However, note that this attack requires two factors on the part of the attacker: the ability to intercept traffic between the secure server and the client, as well as significant computation resources.

    The researchers estimate that up to 8.4% of all sites in the top one million domains are vulnerable. Similar percentages of POP3S and IMAPS (secure email) servers are at risk.

    What should I do now?

    For end users, there’s really only one thing to do: update your browsers. All the major browser vendors (Google, Mozilla, Microsoft, and Apple) are preparing updates for their various products, and should release an update soon. You can also check if your browser is vulnerable by visiting this site.

    For software developers, the fix is also relatively simple. Check that any encryption libraries that are used or bundled with your application are all up to date. In addition, the use of larger prime numbers for key exchange can be specified as well.

    The main task falls on IT administrators with servers that use any of the at-risk services and protocols. In these cases, the following needs to be performed:

    • Disable support for all export cipher suites, to ensure they cannot be used.
    • Increase the number of bits used by the prime numbers in the Diffie-Hellman key exchange to 2048 bits; this ensures that exceptional computational powers would be needed to break any encryption based on this process.

    Trend Micro solutions

    We have released the following rules for  Trend Micro Deep Security and Vulnerability Protection users that protect against this threat:

    • 1006561 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response
    • 1006562 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request

    Post updated on May 20, 2015 7:45 PM PDT to add Trend Micro solutions. 

    Post updated on May 21, 2015 1:40 PM PDT to refine Trend Micro solutions.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice