    May 2013

    IT administrators and the like are expected to have a long day today, as Microsoft releases its security bulletins for May, resolving 33 vulnerabilities. Though this is not Microsoft’s biggest release (April 2011’s 17 bulletins addressing 64 vulnerabilities come to mind), it is crucial for users to apply these security updates, which include a fix for the zero-day vulnerability exploited via the US Department of Labor webpage.

    This roster of updates includes two Critical bulletins addressing Internet Explorer (IE). The first one addresses a vulnerability found in IE versions 6 to 10 on all Windows OSs, from Windows XP to Windows 8. It also addresses the vulnerability in IE 10 uncovered during the Pwn2Own contest last March.

    The other Critical IE bulletin deals with a vulnerability limited to IE 8, which made the headlines recently because of a related zero-day exploit found on a US Department of Labor webpage. Based on our own investigation, users visiting this compromised site are led through a series of redirections until their systems are infected with a BKDR_POISON variant.

    Even before this month’s release, Trend Micro Deep Security has been protecting users from this vulnerability via rule 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347).

    The rest of the bulletins were tagged as Important, including one for a security flaw in Windows that may lead to a denial of service (DoS) attack.

    Just like last month, Adobe also released its security bulletins today, which include fixes for Adobe Reader, Acrobat, and Flash Player. The software vendor also issued a “security hotfix” for a ColdFusion vulnerability, which is reportedly being exploited in the wild.

    Users are advised to implement these bulletins as soon as possible to avoid exploits similar to the US DoL incident. For more details about how Trend Micro can protect users, you may refer to this Threat Encyclopedia page.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.


    App developers often include ads in their applications to increase revenue. These ads feature enticing titles or blurbs to attract more clicks. Typically, clicking these ads either prompts users to download an app or redirects them to a web page. However, cybercriminals, who never run out of new ways to spread their wares, can also use this as a venue to steal user information.

    We recently spotted a fraudulent website which is pushed by ads found in multiple Android apps. (Some of these apps were downloaded from the Google Play store, while others were found in third-party stores.) These ads use popular brands like “iPhone 5” and “Samsung Galaxy Note II” as hooks, supposedly selling these items for a ridiculously low price. Once users click the ad, they are led to a website which offers several ways to buy the said phones.


    Figure 1. Ad for Samsung Galaxy Note II


    Figure 2. Ad for iPhone 5

    In reality, these sites are just scam sites that try to defraud users out of their money. They do not actually sell the devices they are promoting.


    Figure 3. Fraudulent website advertising Samsung Galaxy Note II


    Figure 4. Fraud website with iPhone 5 ad

    These ads are being delivered by a large, mainstream ad network, which claims to be used by more than 90,000 apps. While this attack is currently limited to Chinese users, because of the large number of apps on this particular ad network it is possible that similar attacks will be delivered to other users in the future.

    Last March, we blogged about Google’s decision to remove apps that block ads and the potential risks this may pose to unsuspecting users. No doubt the insufficient auditing of ads on the Android platform may lead to more fraud, phishing attacks, or even malware distribution. We recommend that ad providers implement stronger audit mechanisms to protect users from attacks leveraging ads.

    Trend Micro protects users from this attack by blocking the said malicious website. We also advise Android users to be cautious when clicking ads on their devices, as this may lead to information and identity theft. For better protection of their devices, users should also be wary of other mobile threats like malicious URLs and mobile phishing sites.



    Last April 23 – 25, I attended the seventh Counter eCrime Operations Summit (CeCOS VII) initiated by the Anti-Phishing Working Group (APWG). This year, the conference was held in Buenos Aires, Argentina. Security experts from Japan, Paraguay, Brazil, North America, Russia, and India flew to the South American city to discuss developments in the cybercrime arena. Together with 8 other participants from Japan, I arrived in Buenos Aires after a 38-hour flight. However, the talks and the level of energy in the conference definitely made the whole trip worth it.

    Overall, CeCOS featured 23 sessions divided into eight tracks, including two panel discussions. Aside from attending interesting talks, I also participated as a speaker at the event.

    I was very much interested in attending two talks: the National Field Reports and the Mobile Attack Sessions. The National Field Reports particularly intrigued me, as they argue that the threat landscape of a particular country is a reflection of what’s happening globally.

    By now, it’s pretty much established that the mobile platform is the latest cybercrime battlefield, so I think it’s crucial to know what’s happening in the mobile threat front.

    As I mentioned earlier, I also participated as a speaker. As the representative of the anti-phishing council of Japan (CAPJ), I gave the talk Finding the Banking Trojan in Eastern Asia.

    Speaking at CeCOS VII

    Japanese-language phishing emails were first spotted in 2004, and since then these mails have poured in and caused serious damage. As technology developed, these emails took more subtle forms, which made detection more difficult. In addition, instead of direct links to phishing sites or a malicious attachment, the emails now contain links to compromised sites that eventually lead users to malicious sites hosting exploit kits.

    As we all know, attackers are already expanding their threats to other platforms, particularly mobile. Thus, I presented my analysis of ANDROIDOS_CHEST, which targets Android OS and was reportedly found affecting South Korea. Users would receive text messages offering free coupons for either movie tickets, fast food, or coffee if the user downloaded an app, which was actually ANDROIDOS_CHEST.

    The malware monitors and gathers text messages in order to defeat two-factor authentication done via text messaging. ANDROIDOS_CHEST then sends the gathered messages to the attacker.

    The most important question though is, how can users protect themselves from the threats of phishing? The CAPJ has these tips:

    1. Keep your computer safe.
    2. Beware of suspicious emails.
    3. Access and bookmark legitimate URLs.

    Another helpful piece of advice is to always keep your systems updated with the latest security patches. Since banking Trojans are usually delivered through exploit kits (by way of phishing emails), patched users are protected from exploits that target old vulnerabilities.

    Trend Micro provides tools and technologies that help protect users against security breaches and data theft. Trend Micro DirectPass manages your passwords so that using and remembering unique passwords for multiple accounts is no longer difficult. Trend Micro Mobile Security protects against threats like ANDROIDOS_CHEST that are on mobile devices. The Smart Protection Network provides both email and web reputation, blocking these threats before they arrive on user systems.



    Recent incidents highlight how frequently, and how creatively, cybercriminals try to steal data: from “homemade browsers” to million-user data breaches, to the daily theft carried out by infostealers and phishing attacks.

    All this stolen information ends up for sale in the underground to the highest bidder. From there, it can be used in many uniformly illegal ways, from identity theft, to credit card fraud, to launching attacks on other users. It can also be used to buy expensive goods (which are then shipped to the cybercriminals) or to pay for the “bulletproof” web hosting that is frequently used for malicious sites. These may not cost that much individually, but the losses to users can be significant.

    It’s not just the fruits of cybercrime that are bought and sold in the underground – so are the tools, like exploit kits, vulnerabilities, and malware toolkits as well. Price tags here can reach the thousands of dollars, particularly for more advanced and sophisticated tools.

    There is so much money in the underground that it has become organized and systematic, much like real-world businesses. While the specifics of how the underground has organized itself varies from region to region, the mere fact that it has organized itself is noteworthy – both to allow for more information and tools to be sold, as well as reducing the risks of getting caught.

    Our new infographic – The Cybercriminal Underground: How Cybercriminals Are Getting Better At Stealing Your Money – explores what items are being sold and bought in the cybercrime underground, how the underground is organized, and how users are directly affected. It’s an excellent way to understand what users are up against in securing their information online. It may be viewed by clicking on the thumbnail below:

    To view all infographics from TrendLabs, visit http://about-threats.trendmicro.com/infographics.



    While looking into recent reports about the Winnti malware family, we discovered another backdoor which was built using similar techniques and has other similarities as well. It is also possible that it is being used in similar targeted attacks.

    We found this particular threat via feedback provided by the Smart Protection Network; we detect it as BKDR_TENGO.A. Like most Winnti samples, it passes itself off as a legitimate system DLL, winmm.dll. We believe this was done using Aheadlib, a legitimate analysis tool that accepts any DLL file and constructs C code to hook all the functions exported by the original library. This is very useful when analyzing malware, but it can also be abused to create files that pass themselves off as legitimate system libraries.
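    As an added example (written for this post, not Trend Micro's code and not Aheadlib's output), the following Python walks a PE export table and reports which exports are forwarders: a common way to build a look-alike system DLL is to forward every export to a renamed copy of the genuine library, so a DLL whose exports mostly point at a module with an unfamiliar name deserves a closer look. The sample DLL bytes are constructed inline; the module name winmm_orig and the export names are placeholders.

```python
import struct

def _rva_to_offset(sections, rva):  # sections: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")
def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")
def list_exports(pe):
    """Return [(export_name, forwarder_string_or_None)] for the bytes of a PE file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)  # COFF: NumberOfSections, SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    # data directory 0 is the export table; it starts at +96 for PE32 and +112 for PE32+
    exp_rva, exp_size = struct.unpack_from("<II", pe, opt + (96 if magic == 0x10B else 112))
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    if exp_rva == 0:
        return []
    exp = _rva_to_offset(sections, exp_rva)
    _, n_names, funcs, names, ords = struct.unpack_from("<IIIII", pe, exp + 20)
    funcs, names, ords = (_rva_to_offset(sections, r) for r in (funcs, names, ords))
    result = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", pe, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", pe, ords + 2 * i)[0]
        func_rva = struct.unpack_from("<I", pe, funcs + 4 * ordinal)[0]
        # an "address" that lands inside the export directory is a forwarder string, not code
        target = _cstring(pe, _rva_to_offset(sections, func_rva)) if exp_rva <= func_rva < exp_rva + exp_size else None
        result.append((_cstring(pe, _rva_to_offset(sections, name_rva)), target))
    return result

def forwarder_summary(pe):
    """(forwarded, total, modules forwarded to); legitimate DLLs forward too, so treat this as triage, not a verdict."""
    exports = list_exports(pe)
    targets = {t.split(".", 1)[0].lower() for _, t in exports if t}
    return sum(1 for _, t in exports if t), len(exports), targets

def build_sample_dll():
    """Constructed minimal PE32 (not a real file): one export forwarded to 'winmm_orig', one local export."""
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 64))  # DOS header with e_lfanew = 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # COFF header, 1 section
    hdr += struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", 0x1000, 128) + b"\0" * 120  # PE32 opt hdr
    hdr += b".edata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16  # section at RVA 0x1000
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0x103C, 1, 2, 2, 0x1028, 0x1030, 0x1038))
    body += struct.pack("<IIIIHH", 0x105D, 0x1234, 0x1046, 0x1051, 0, 1)  # functions, names, ordinals
    body += b"winmm.dll\0PlaySoundA\0timeGetTime\0winmm_orig.PlaySoundA\0"
    return bytes(hdr.ljust(0x200, b"\0") + body.ljust(0x200, b"\0"))
```

    Run `forwarder_summary(open(path, "rb").read())` over a suspect DLL; a high forwarded fraction pointing at a single module that is not an API set or a known system library is the pattern to investigate.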

    We suspect that this was used in a targeted attack. Despite this, the file is not encrypted, and it was not particularly hard to analyze. Its main behavior is to steal Microsoft Office, .PDF, and .TIFF files from USB drives inserted into the system. The stolen files are stored in the $NtUninstallKB080515$ folder under the Windows directory, and it also creates a log file named Usblog_DXM.log. The attacker can retrieve these files at a later time. Aside from stealing files, it has several backdoor commands that allow the attacker to take control of the system. (The full list of commands can be seen in its Threat Encyclopedia entry, linked above.)

    Two of the commands, Help and MainInfo, show the name of the backdoor as well as the C&C servers it is using. The full list of possibly malicious IP addresses and servers we’ve seen it connecting to is:


    Two of these IP addresses proved to be of particular interest, namely 50.93.204.62 and 98.143.145.118. They are located in the United States, but multiple Chinese-language domains point to them. All of these have been blocked as command-and-control servers.

    This attack highlights how information theft can be performed even with malware that is not particularly advanced or sophisticated. It also shows some of the challenges in attributing attacks of this nature.





     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice