TrendLabs Malware Blog - Trend Micro
October 2014

    We’ve frequently talked about how important it is for law enforcement and security companies to work together to stop cybercrime. One particular reason to do so is because of the nature of cybercrime: simply put, it has no borders.

    Perhaps more than any other type of crime, cybercrime respects no borders. A cybercriminal in Russia can have colleagues in the Ukraine, use servers in the United Kingdom, and target users in the United States.

    We work extensively with Interpol to help fight cybercrime around the world. We recently agreed to provide tools, training, and information to Interpol so that law enforcement agencies from around the world can build the capabilities needed to fight cybercrime on their own turf.

    However, we also work with countries individually, and in some of those cases we are able to bring agencies from different countries together to investigate the same group of cybercriminals. By serving as a go-between for these countries, we are able to help police from different countries work on the same case without having to go through the complex and time-consuming procedures used when mutual legal assistance treaties (MLATs) are invoked.

    There are still areas where international cooperation in fighting cybercrime can be improved. Something we think would be highly beneficial is for countries to work together to form multinational police agencies that could help deal with regional cybercrime issues. In Europe, we have Europol, which helps support the activities of various local law enforcement bodies. An agency like Europol can be very useful in regions where countries have very limited capabilities to investigate cybercrime, such as Africa.

    Cybercrime is a global problem, and without global solutions it cannot be fought effectively. Trend Micro works with law enforcement agencies from across the globe in order to deal with these threats and help make the Internet safer for everyone.


    Much has been reported about the recent discovery of a cyber-espionage campaign launched by a group known as the “Sandworm Team.” At the very heart of this incident is a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.

    In our analysis, the vulnerability may allow attackers to execute additional malware through a flaw in the OLE package manager in Microsoft Windows and Windows Server. Early reports shared that the vulnerability was being exploited in targeted attacks against several organizations and industry sectors. Analysis by Trend Micro researchers revealed that the attacks had ties to SCADA-centric targets. Furthermore, this vulnerability was soon used in yet another attack that employed a new evasion technique in the form of malicious files embedded in .PPSX files.

    Sometimes Old, Sometimes New

    Zero-day exploits aren’t the only exploits used in the targeted attack landscape. In the first half of 2014, we saw that attackers still heavily target older vulnerabilities. One prime example would be CVE-2012-0158, a vulnerability related to Windows Common Controls. Despite the existence of a patch since early 2012, this vulnerability has proven to be an integral tool in targeted attacks, including that of the PLEAD campaign.

    Of course, this doesn’t mean that zero-day vulnerabilities haven’t made an impact in 2014 so far. A targeted attack exploiting a Windows zero-day vulnerability was found to have targeted several embassies. The bug was patched a couple of days later, which was notable as this occurred prior to the end of support for Windows XP, an affected platform. Another zero-day vulnerability also figured heavily in the attacks conducted by the threat actors behind the Taidoor campaign. Discovered in the latter portion of March, a patch for this zero-day was made available in the April Patch Tuesday.

    The Trade-off

    Vulnerabilities are almost always patched by vendors, especially if the vulnerability is considered critical. But despite the existence of patches, not all users and organizations apply them or apply them immediately. One reason would be that applying the patch might disrupt operations. Or there might be a significant delay in applying the patches as the patches first need to be tested before being applied to corporate environments.

    In this sense, attackers go for older vulnerabilities for their “reliability.” These are the tried-and-tested vulnerabilities that can be found in targeted networks and organizations. And since these vulnerabilities have been around for years, it would appear easier for attackers to create the perfect malware or threat that can exploit this bug.

    On the other hand, newer vulnerabilities can give attackers the upper hand. Zero-day exploits can catch all parties, including security vendors, off-guard. With vendors scrambling to create the necessary security measures and the corresponding patch, zero-day exploits can use this “window of insecurity” to attack and affect even the most secured environments. In that sense, zero-day vulnerabilities can be considered more effective and even riskier.

    Payoff in the Targets

    Zero-days can be even more effective if the affected platform or application is outdated or has reached its end of support. With no patches made available, the window of “insecurity” initially exploited by zero-days becomes a permanent one.

    That was initially the case for an Internet Explorer vulnerability that was being exploited in targeted attacks. The vulnerability (CVE-2014-1776) garnered much attention as it was initially reported that Microsoft would not be releasing a patch for Windows XP. However, a patch was soon made available for the platform.

    Countermeasures and Mitigations

    Addressing targeted attacks requires not only the right set of tools but also the right mindset. In our entry, “Common Misconceptions IT Admins Have on Targeted Attacks,” we enumerated several misconceptions that might greatly affect the security of a network. Included there is the misconception that targeted attacks always involve zero-day vulnerabilities. As we have seen, attackers do not limit themselves to zero-day vulnerabilities. In fact, older vulnerabilities are favored over zero-days. This stresses the importance of applying all security patches once they are available.

    Addressing zero-days can be more difficult but not impossible. Tactics like virtual patching can help mitigate threats in the presence of zero-days and unsupported systems. Honeypots (which can attract attackers) can flag attacks at the earlier stages. Technologies like heuristic scanning and sandbox protection can help identify suspicious files and execute said files in a protected environment without compromising the network. Organizations should also look into employee education. Email lures are often the first stage in targeted attacks; if employees are trained to flag suspicious emails, network defense can improve greatly.

    Trend Micro Deep Security protects users from zero-day vulnerabilities mentioned in this entry via the following rules:

    • 1005801 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2013-5065)
    • 1006030 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776)
    • 1006045 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776) – 1
    • 1005989 – Identified Malicious C&C Server SSL Certificate (For CVE-2014-1761)
    • 1005990 – Microsoft Word RTF Remote Code Execution Vulnerability (CVE-2014-1761)
    • 1006000 – Microsoft Word RTF Remote Code Execution Vulnerability (CVE-2014-1761) – 1

    With additional insight from Ziv Chang


    In our recently released report, Operation Pawn Storm, we talked about an operation that involved three attack scenarios. For this post, we will talk about the third scenario: phishing emails that redirect victims to fake Outlook Web Access login pages.

    What’s most notable about this is that it is simple, effective, and can be easily replicated. Through one line of simple JavaScript code, the millions of Outlook Web Access (OWA) users are placed at risk of becoming the victim of a clever but simple phishing attack. No exploits or vulnerabilities are used here. A feature of JavaScript, the preview pane of Microsoft’s OWA and two typosquatted domains are all that is needed. We have seen this kind of phishing attack being used against US defense companies like Academi (formerly known as Blackwater), SAIC and the OSCE.

    How it works

    To target defense company Academi, the attacker registered two typosquatted domain names:

    1. tolonevvs[dot]com (real news domain: (news site about Afghanistan))
    2. academl[dot]com (real company domain:

    A link to the typosquatted domain is then sent to Academi through spear-phishing emails – to a very limited number of employees who might actually expect to receive email notifications from

    When the target opens the email through the preview pane of Microsoft Outlook Web Access and clicks on the typosquatted domain, a new tab will be opened which loads the original news site. From the target’s perspective, their browser will look like this:


    Figure 1. The real news site opened in a new tab after clicking the typosquatted domain (Click to enlarge)

    This may seem harmless, but there is more to this than just an opened tab to a news site. The typosquatted domain actually contained mildly obfuscated JavaScript code:


    Figure 2. JavaScript code in the typosquatted domain,

    This JavaScript is not malicious in itself: it simply sets the location of the opener window (the tab that opened the new one) to point to a URL:

    window.opener.location = "hxxps://mail[dot]academl[dot]com/owa/auth/logon.aspx?replaceCurrent=1&"

    What this means is that the legitimate URL of the original OWA session in the first tab of the browser gets changed to the URL of the fake OWA server set up by the attacker, which in this case is mail[dot]academl[dot]com. When the victim is done reading the news and returns to the OWA tab, he will see this:


    Figure 3. Phishing site opened in the original OWA tab

    At this point, the target is likely to believe that while reading the news on the legitimate website, the OWA server logged him out. The truth, however, is that if the target enters his/her credentials again, his/her information will then be captured by the attacker.
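    Two defensive checks for the redirect described above, written as an added example (not code from the original post): one flags links whose domain imitates a protected domain (academl.com vs academi.com, tolonevvs.com vs tolonews.com, the pairs quoted in the post), the other rewrites anchors with rel="noopener noreferrer" so the opened tab has no window.opener to redirect. PROTECTED, CONFUSABLES and SAMPLE_EMAIL are constructed assumptions.

```python
"""Added example (not from the TrendLabs post): defences against the
window.opener redirect. lookalike_of() flags hosts imitating a protected
domain after folding confusable character sequences; neutralize_links()
rewrites anchors with rel="noopener noreferrer" so a new tab cannot reach
window.opener. PROTECTED, CONFUSABLES and SAMPLE_EMAIL are constructed."""
import re
from urllib.parse import urlsplit

PROTECTED = ("academi.com", "tolonews.com")            # assumed: domains we defend
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"))

def fold(name):
    """Collapse visually confusable sequences before comparing names."""
    name = name.lower()
    for seq, rep in CONFUSABLES:
        name = name.replace(seq, rep)
    return name

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Return the protected domain this host imitates, or None."""
    reg = ".".join(host.lower().split(".")[-2:])       # naive registrable part
    if reg in PROTECTED:
        return None                                    # the genuine domain
    for legit in PROTECTED:
        if levenshtein(fold(reg), fold(legit)) <= 1:
            return legit
    return None

HREF_RE = re.compile(r'href\s*=\s*"([^"]+)"', re.I)
ANCHOR_RE = re.compile(r"<a\b([^>]*)>", re.I)
REL_RE = re.compile(r"""\srel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)

def audit_links(html):
    """List (host, imitated_domain) for every lookalike link in the body."""
    hosts = [urlsplit(h).hostname or "" for h in HREF_RE.findall(html)]
    return [(h, lookalike_of(h)) for h in hosts if lookalike_of(h)]

def neutralize_links(html):
    """Replace any rel attribute so the opened tab cannot reach window.opener."""
    return ANCHOR_RE.sub(
        lambda m: '<a%s rel="noopener noreferrer">' % REL_RE.sub("", m.group(1)), html)

SAMPLE_EMAIL = ('<p>Breaking: <a href="https://tolonevvs.com/story" target="_blank">read</a> '
                'or <a href="https://www.academi.com/" rel="nofollow">our site</a></p>')
```

The registrable-domain logic takes the last two labels only, which is wrong for suffixes like co.uk; a public-suffix list should replace it in production.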

    For the complete details on the attacks we saw using this technique, please check out our paper, Operation Pawn Storm.

    Not Limited to Operation Pawn Storm or OWA

    Although we did see this technique used in a certain operation, basically any company with an OWA web server is at risk of becoming a victim of this kind of phishing attack. Even two-factor authentication might not prevent a one-time complete download of the victim’s mailbox. The only safe way to prevent this kind of attack is to turn off the preview pane in OWA.

    Users of web mail services other than OWA are also at risk. For example, we verified that Gmail users who read their e-mail in Safari, and Yahoo e-mail users who read their e-mail in Safari or Firefox, could become victims of a similar phishing trick. Users are strongly recommended to be very careful when entering their information into login pages, and to make sure that they are logging into the correct site and not a typosquatted one.


    The competition between mobile OSes is heating up, with Apple’s iOS 8 and Google’s Android Lollipop in tight competition as the public discovers their features and what these OSes can do for them. There are notable changes and significant improvements in these releases, particularly in their default settings.

    Encryption by default seems to be the primary selling point of both OSes. With rising awareness about data protection and consumers demanding better privacy and security on their devices, both major mobile OSes are in a neck-and-neck race when it comes to marketing their product’s safety features.

    Apple: TouchID and Encryption

    Apple now allows third-party app developers to use Touch ID, giving them more power to authenticate their users. iPhone users also see a significant modification in how apps can track locations. In older iOS versions, the options were limited to “always on/always off”. Now the option to select “when app is open” for location tracker is added, giving users more freedom and control over apps tracking their whereabouts.

    Eye Candy

    Google, on the other hand, had Android L automatically encrypt data on mobile devices, as opposed to requiring manual configuration (as was the case in previous Android versions). Any data inside a smartphone running Android L will have to be unlocked with the user’s password, very similar to Apple’s iOS 8.

    One can remotely locate, and reset to factory settings, lost or stolen smartphones. This provides an added security layer for consumers who don’t want strangers capitalizing on any of the data stored on their devices; users can also render the phone practically useless, as phones running Android L can no longer be reset to factory settings without the registered owner’s password, preventing the device from being sold off.

    There is more to the mobile threat landscape than meets the eye. The multilayered security features in iOS 8 and Android L are more-than-welcome improvements. For more information on the protective measures in mobile operating systems, read our monthly mobile report, “The New Security Features of iOS 8 and Android Lollipop.”

    Trend Micro protects users from mobile threats via Trend Micro Mobile Security, available both for iPhone, iPod Touch, and iPad users and for Android smartphone and tablet users. Android users can download the security app here, while Apple users can download it here.


    Despite the availability of fixes related to the Sandworm vulnerability (CVE-2014-4114), we are still seeing new attacks related to this flaw. These attacks contain a new routine that could prevent detection.

    A New Evasion Technique

    In our analysis of the vulnerability, we noted this detail:

    “…[T]he vulnerability exists in PACKAGER.DLL, which is a part of Windows Object Linking and Embedding (OLE) property. By using a crafted PowerPoint document, an .INF file in an embedded OLE object can be copied from a remote SMB share folder and installed on the system. Attackers can exploit this logic defect to execute another malware, downloaded via the same means.”

    In this new attack, the malicious .EXE and .INF files are already embedded in the OLE object, rather than being downloaded from a remote location. One advantage of this approach is that the computer does not need to connect to a download location, which avoids any detection by a Network Intrusion Prevention System (NIPS).

    The Infection Chain

    One sample we came across was part of an attack targeting an email provider. The attackers used a spoofed email to convince the recipient to open the attachment.

    Figure 1. Spoofed email message

    The attachment is a .PPSX file—a Microsoft PowerPoint presentation with the embedded file.

    Figure 2. Slide with embedded malicious file

    A Closer Look

    Similar to samples discussed in previous entries, this sample also contains two OLE objects, oleObject1.bin and oleObject2.bin. Taking a closer look at the OLE objects shows that the malicious EXE and INF are embedded in the objects.

    Figure 3. oleObject1.bin showing the embedded EXE file

    Figure 4. oleObject2.bin showing the embedded INF file

    Viewing the OLE objects using an OLE viewer shows two streams, the CompObj stream and the Ole10Native stream, in which the malicious files are embedded. Looking at the CompObj stream tells us that the data in the Ole10Native stream was written by OLE Packager. This means that the embedded EXE and INF files are treated as packages and can be triggered or installed directly on the system using this vulnerability.

    Figure 5. Ole10Native stream is written by OLE Packager

    When the PowerPoint file is opened, the Packager module (packager.dll) reads the information in the OLE objects then drops the contents slide1.gif and slides.inf to the %Temp% folder.

    It will then invoke InfDefaultInstall.exe to install the file slides.inf. INF files are usually used by Windows to install drivers. In this particular instance, the job of slides.inf is to rename the file slide1.gif to slide1.gif.exe then execute it using the RunOnce registry entry.
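    To make the analysis above concrete, here is an added example (not code from the original post) that parses an Ole10Native stream like the ones in oleObject1.bin and oleObject2.bin, extracts the packaged file name and payload, and flags the two traits described here: a PE image behind a .gif name and an INF that registers a RunOnce entry. The stream layout is the commonly documented Ole10Native structure and is an assumption to verify against a real sample; the blobs, their contents and the temp paths are constructed, and only the file names come from the post.

```python
"""Added example (not from the TrendLabs post): parse an Ole10Native stream and
flag an embedded package whose content does not match its name. Layout assumed
here is the commonly documented one: u32 size, u16 type, label NUL, filename
NUL, u16 flags, u16 unknown, u32 temp_path_len, temp_path, u32 data_size, data.
The blobs and their contents are constructed; the file names are the post's."""
import struct

def build_ole10native(label, filename, temp_path, data):
    """Assemble a minimal stream; used here only to create test input."""
    tp = temp_path.encode() + b"\0"
    body = (struct.pack("<H", 2) + label.encode() + b"\0"       # type 2 = embedded file
            + filename.encode() + b"\0" + struct.pack("<HH", 0, 0)
            + struct.pack("<I", len(tp)) + tp
            + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body

def _cstring(buf, off):
    end = buf.index(b"\0", off)
    return buf[off:end].decode("latin-1"), end + 1

def parse_ole10native(blob):
    """Return the package fields; raises ValueError on a truncated stream."""
    total, = struct.unpack_from("<I", blob, 0)
    if total > len(blob) - 4:
        raise ValueError("truncated Ole10Native stream")
    typ, = struct.unpack_from("<H", blob, 4)
    label, off = _cstring(blob, 6)
    filename, off = _cstring(blob, off)
    tp_len, = struct.unpack_from("<I", blob, off + 4)     # skip u16 flags + u16 unknown
    off += 8
    temp_path = blob[off:off + tp_len].rstrip(b"\0").decode("latin-1")
    size, = struct.unpack_from("<I", blob, off + tp_len)
    data = blob[off + tp_len + 4:off + tp_len + 4 + size]
    if len(data) != size:
        raise ValueError("declared data size exceeds stream")
    return {"type": typ, "label": label, "filename": filename,
            "temp_path": temp_path, "data": data}

def suspicious_reasons(pkg):
    """Heuristics mirroring the post: an EXE behind a .gif name, an INF using RunOnce."""
    name, data = pkg["filename"].lower(), pkg["data"]
    reasons = []
    if name.endswith((".exe", ".scr", ".inf", ".bat", ".cmd")):
        reasons.append("executable or installer package: " + name)
    if data[:2] == b"MZ" and not name.endswith((".exe", ".dll", ".scr")):
        reasons.append("PE header under a non-executable name: " + name)
    if name.endswith(".inf") and b"runonce" in data.lower():
        reasons.append("INF registers a RunOnce entry: " + name)
    return reasons

FAKE_EXE = b"MZ" + b"\x90" * 30                            # constructed stub with PE magic
FAKE_INF = b"[Version]\r\nSignature=\"$CHICAGO$\"\r\n[DefaultInstall]\r\nAddReg=RunOnce\r\n"
SAMPLES = {                                                # constructed, named as in the post
    "oleObject1.bin": build_ole10native("slide1.gif", "slide1.gif", r"C:\tmp\slide1.gif", FAKE_EXE),
    "oleObject2.bin": build_ole10native("slides.inf", "slides.inf", r"C:\tmp\slides.inf", FAKE_INF),
}
```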

    Figure 6. Registry entry

    The following image shows what the process flow looks like:

    Figure 7. Process flow of the attack

    We detect the crafted PowerPoint slideshow file, including slides.inf, as TROJ_MDROP.ZTBJ. The final payload, slide1.gif, is detected as TROJ_TALERET.ZTBJ-A, a known family of malware used in targeted attacks involving different Taiwanese industries and government organizations.

    Users are strongly advised to apply the patch for this vulnerability (MS14-060). This incident also highlights the importance of applying all patches as soon as they are available. In this instance, a patch from 2012 (MS12-005) can provide a preventive measure against these attacks: the warning message it adds can alert recipients to the suspicious nature of the file before they open it. Lastly, users and employees are advised not to open PowerPoint files from unknown sources, as doing so may lead to malware infection.

    SHA1 of the sample mentioned in this entry:

    • c8a9ab7f720b469a31c667fe7dcad09cdf0dbfa1

    Additional insights from MingYen Hsieh, Tim Yeh, Chingo Liao, Lucas Leong, Vico Fang, and Shih-hao Weng.



    © Copyright 2013 Trend Micro Inc. All rights reserved.