Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:


  • Recent Posts

  • Calendar

    April 2015
    S M T W T F S
    « Mar    
     1234
    567891011
    12131415161718
    19202122232425
    2627282930  
  • Email Subscription

  • About Us

    We have been able to identify a new point-of-sale (PoS) malware family that has affected more than 100 victim organizations in Brazil. We have dubbed this new malware family as “FighterPOS”. This name is derived from BRFighter, the tool used by the author to create this new threat. This one-man operation has been able to steal more than 22,000 unique credit card numbers.

    Its creator appears to have had a long history in carding, payment scams, and malware creation; in addition we believe that this malware author acted independently and without any accomplices or associates. FighterPOS is not cheap. It is currently priced at 18 bitcoins (currently worth around US$5,250). However, its control panel is well-designed and it supports a wide variety of features that may be useful to attackers.

    This blog post outlines the behavior of FighterPOS, with more technical details available in our paper entitled FighterPOS: The Anatomy and Operation of a New POS Malware Campaign.

    Purchasing

    At first glance, the advertisement is not particularly unusual. What piqued our interest was the professional nature of the ad and the malware’s supported features.

    Figure 1. Advertisement selling FighterPOS
    (Click to enlarge)

    The control panel and malware is currently being sold for 18.3823 BTCs, or roughly US$5,250. While this may seem expensive, the opportunity to make that money back is relatively easy. The buyer could potentially resell each credit card received right away, or use it at a later time. If the buyer wants an additional executable and panel instance, the author charges an additional US$800.

    Figure 2. FighterPOS Control Panel

    The author, who went by the username cardexpertdev, clearly stated in the ad that the executable is not fully undetectable (FUD), stating that the individual will need to use a crypting service to ensure the malware is undetectable by antivirus scanners. This is common when PoS malware is created, and crypting services are traditionally required to bypass many defensive security controls.

    FighterPOS was not the only product related to credit card fraud that cardexpertdev was selling. He was also selling credit card numbers, EMV chip recorders, and other similar fraud-related products and tools to other cybercriminals.

    Victimology

    Data obtained from the C&C servers indicate that FighterPOS has infected approximately 113 PoS terminals, more than 90% of which were found in Brazil. Evidence of system infection in other countries, including the United States, Mexico, Italy, and the United Kingdom was also found.

    Figure 3. Distribution of FighterPOS-affected machines

    Together, the infected systems have sent 22,112 unique credit card dumps for a single month (late February to early April) to the FighterPOS operator. Many of the victims of FighterPOS are users of Linx MicroVix or Linx POS systems – both popular software suites in Brazil.

    FighterPOS Functionality

    The functionality of FighterPOS is similar to other PoS malware families we’ve seen in the past. It is capable of collecting credit card track 1, track 2, and CVV codes. The malware also contains a RAM scraping functionality, commonly seen in many PoS malware families. Additionally, its keylogger functionality allows the attacker to log all keystrokes on the infected terminal. The code for the RAM scraping functionality is similar to that found in NewPosThings.

    Two malware samples that gained our attention were IE.exe (MD5 hash: 55fb03ce9b698d30d946018455ca2809, detected as TSPY_POSFIGHT.SM) and IEx.exe (MD5 hash: 55fb03ce9b698d30d946018455ca2809), which both connect to the C&C server located at hxxp://ctclubedeluta.org/.

    Both of the samples are written in Visual Basic 6. Although Visual Basic 6 is considered outdated and antiquated, applications written in this language still work, even on fully patched systems.

    One may ask why a “new” PoS malware family is built on such an old platform as Visual Basic. We believe that this is because FighterPOS code is not entirely new. Instead, the vnLoader malware (designed for botnets) was modified to add PoS-specific features. It retains its botnet-oriented capabilities, which include:

    • Malware auto-update
    • File download and execution
    • Sending out credit card data
    • Sending out keylogged data
    • Layer 7 or layer 4 DDoS attacks

    The DDoS capability effectively turns this POS family into a very flexible and attractive tool for prospective buyers.

    Conclusion

    FighterPOS is a full-featured piece of malware, carefully developed using strong encryption. It supports multiple ways to talk with its C&C infrastructure. Its keylogging capabilities allow for DDoS attacks and gaining full control of victim machines. We currently estimate that each infected machine sends back ten new credit card numbers to the attackers.

    We are continuously evaluating this threat, and are still performing research not only on the malware family, but also the C&C infrastructure. For endpoint monitoring and validation for possibly active infections, Trend Micro Deep Discovery Inspector can use indicators of compromise, C&C servers and sites listed below.

    Indicators of Compromise

    SHA1 MD5 Compile Time (UTC) Size (in bytes) DDI Detection
    0aea8f97ecbd4b9dbdae
    336f7310d35af8883bae
    b0416d389b0b59776fe4c4ddeb407239 2/4/2015 21:29 618,496 TSPY_POSFIGHT.SM
    30628221ab520b3e6d86
    9bdeb619ef157103c227
    e3db204be71efe8a41d949f2d3fdfa18 3/27/2015 23:01 618,496 TSPY_POSFIGHT.SM
    4482823a86dca8613ea5
    b7daeca23c950e6d9291
    e29d9560b6fcc14290f411eed9f4ff4f 9/8/2014 17:37 143,360 HTTP Download Executable File
    76e8b0f54cea080e9321
    18cd203b459a479170a8
    55fb03ce9b698d30d946018455ca2809 2/10/2015 17:55 618,496 TSPY_POSFIGHT.SM
    a106bba216f71f468ae7
    28c3f9e1db587500c30b
    6cb50f7f2fe6f69ee8613d531e816089 11/24/2014 17:21 178,688 TSPY_POSFIGHT.B
    c04b07467a962f34f893
    932422ca29f2cfdc938b
    e647b892e3af16db24110d0e61a394c8 3/4/2015 20:54 618,496 TSPY_POSFIGHT.SM
    fe13b63feb1fee2d8ff2
    6368e8e690dd9c19c70c
    7b011dea4cc53c1099365e0b5dc23558 2/21/2015 13:37 618,496 TSPY_POSFIGHT.SM
    00aec55105f241f49318
    8993d1558d7e2aacaafc
    af15827d802c01d1e972325277f87f0d 1/28/2015 12:06 614,400 TSPY_POSFIGHT.SM
    28157df6c45cf2f6f40c
    884ed7e06ab4f2b4d874
    361b6fe6f602a771956e6a075d3c3b78 12/19/2014 0:53 581,632 TSPY_POSFIGHT.SM
    4411c502f3348233022b
    77bb4624ae81c72416af
    b99cab211df20e6045564b857c594b71 2/4/2015 16:37 618,496 TSPY_POSFIGHT.SM

    We have seen the following C&C servers and sites in use:

    • 69[dot]195[dot]77[dot]74
    • ctclubedeluta[dot]org
    • msr2006[dot]biz
    • sitefmonitor[dot]com
     
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon  

    Apr12
    11:03 pm (UTC-7)   |    by

    The collaboration between Trend Micro, INTERPOL, Microsoft, Kaspersky Lab, and the Cyber Defense Institute resulted in a triumph for the security industry earlier this week: the takedown of the SIMDA botnet. Trend Micro provided information such as the IP addresses of the affiliated servers and statistical information about the malware used, which led to the disruption of the botnet activities.

    SIMDA, the Malware Behind the Botnet

    The botnet relies on the backdoor SIMDA for its operations. One notable feature of the malware is that it modifies HOSTS files, which redirects users to malicious sites whenever they try to access legitimate sites. Our research shows that the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics, as well as their regional counterparts: e.g., Yahoo Singapore, Bing Germany, etc. This shows that the botnet creator wanted to affect as many users as it can, on a global scale. Here’s a sample screenshot of a modified HOSTS file.

    Figure 1. Modified HOSTS file

    Figure 1. Modified HOSTS file

    Analysis also reveals that the malware collects information about the affected system. It also checks for the presence of certain processes, including those used for malware analysis. The latter could be seen as a detection precaution.

    Further research shows that the botnet activity spanned the globe. We found that the redirection servers were located in 14 countries, among which include the Netherlands, Canada, Germany, Russia, and the United States. Botnet victims were also scattered. Feedback from the Trend Micro™ Smart Protection Network™ lists at least 62 affected countries, including the United States, Australia, Japan, Germany, Italy, among others. Below is a visualization of the redirection servers located in several countries:

    Figure 2. Redirection IPs

    Figure 2. Redirection IPs

    (Click to enlarge)

    Botnets in the Threat Landscape

    Botnets have deep ties throughout the threat landscape. For most cybercriminals, creating a botnet is the precursor for other malicious activities. Botnets can be used to send spamperform distributed denial-of-service (DDoS) attacksperform click fraud, or attack targeted domains.

    For cybercriminals to launch these attacks, they need to be in constant communication with all their infected computers, whose numbers can reach the thousands and above. This is where command-and-control (C&C) servers come in. A C&C infrastructure allows cybercriminals to have a dedicated connection between themselves and their victim’s network. Our Global Botnet Map shows the connection between bots and C&C servers, highlighting the location of the C&C servers and the victimized computers they control.

    Botnets are harmful to users in two ways: they push threats to users and they force victims to be unwitting accomplices to malicious activities. Being part of a botnet means a user is no longer in control of his computer; the bot master can dictate what the infected computers can and will do.

    Addressing Botnets

    Cybercriminals employ different tricks to add more victims to their botnets. For example, they often take advantage of peer-to-peer (P2P) networks to distribute disguised malware. Spammed messages are another go-to method for adding more computers to their botnets.

    We advise users to be cautious when opening emails. Avoid opening emails and attachments from senders who are unknown or who cannot be verified. P2P networks aren’t inherently malicious but users should be aware that dealing with these sites can increase their chances of encountering malware. Users should also invest in a security solution that goes beyond simple malware detection; features such as spam detection and URL blocking can go a long way in protecting users from threats.

    We mentioned that SIMDA modifies HOSTS files as part of its redirection routines. There might be instances where the modified HOSTS files may remain even after detecting and removing SIMDA from the affected computer. The presence of these modified files might lead to further infections. We advise users to manually check HOSTS files and to remove any suspicious record in these files.

    Trend Micro protects users from the SIMDA botnet by detecting malware variants as BKDR_SIMDA.SMEP and BKDR_SIMDA.SMEP2, and other BKDR_SIMDA variants. TROJ_HOSIMDA.SM is the Trend Micro detection name for the modified HOSTS files. All associated URLs have been blocked as well. Non-Trend Micro customers may use Trend Micro Housecall for scanning.

     
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon  

    A malware that is being tied to the recent cyber attack in France is detected by Trend Micro as a variant of the NJWORM/Kjw0rm remote access Trojan (RAT). This malware (with the MD5 hash of 2962c44ce678d6ca1246f5ead67d115a), which we detect as VBS_KJWORM.SMA, is backdoor that may have been around since 2014.

    Ties to previous targeted attacks

    Our initial analysis showed that VBS_KJWORM.SMA was created by a hacking tool named Sec-wOrm 1.2 Fixed vBS Controller. This is a RAT generator that we detect as HKTL_KJWORM.

    It should be noted that the Kjw0rm family is already known to us; in January we had written about this family when it emerged from the NJWORM source code leak. Kjw0rm was found in the Arabic-language section of dev-point.com.

    Figure 1. Sample screenshot of the RAT generator “Sec-wOrm 1.2 Fixed vBS Controller”. (SECWORM)
    Hat tip goes out to the Dev4dz forum

    Using data from the Trend Micro™ Smart Protection Network we found that VBS_KJWORM.SMA is observed in at least 12 countries in the past week, including South Africa and India. This is not surprising, since this malware is available in underground forums and can be used by anyone.

    This particular malware can be used as a backdoor into the infected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind Kjw0rm and BLADABINDI are the same.

    Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM) were also found. These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region.

    Note: The SECWORM malware is a RAT derived from KJw0rm with some modifications and improvements. 

    Understanding the impact of a cyber attack on a company outage

    The massive cyber attack that hit the French TV5Monde television network this past April 9, according to reports, began at approximately 10:00 P.M. local time (4:00 P.M. Eastern time) , when 11 of their channels went off the air.

    In addition to this, TV5Monde’s website, company email, as well as their social media outlets came under attack. The network’s Facebook page was used to post propaganda messages allegedly from the Islamic State (ISIS). One of the network’s Twitter accounts was also accessed and posted messages against the United States and France, as well as issued threats to families of French soldiers. Copies of French soldiers’ IDs and passports were also published.

    It should be noted that the technical background of this attack is not yet clear. However, the RAT generator is currently available in several hacker forums and can be used by any threat actor. Therefore, one does not need a lot of technical skill to use it.

    Trend Micro solutions

    Trend Micro detects all related malware at the endpoint level. In addition, Trend Micro products block connections to C&C servers for these malware.

    At the network level,Trend Micro is able to proactively detect these threats. Trend Micro Deep Discovery is able to detect VBS-based malware, providing additional protection to organizations facing these kinds of attacks today.

     

     
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon  

    Digital certificates are the backbone of the Public Key Infrastructure (PKI), which is the basis of trust online. Digital certificates are often compared to signatures; we can trust a document because it has a signature, or certificate authority (CA) by someone we trust. Simply put, digital certificates are a reproduction of a simple model which occurs in the real world.

    Incidents involving digital certificates have been in the news recently. Issues surrounding digital certificates and CAs are not always clear or noticeable to end users. However, IT managers, software developers, and other security professionals need to understand these problems so that the risks can be properly managed.

    So who or what can we trust online?

    Every computer connected to the Internet contains a list of trusted root CAs. These root CAs issue certificates, which can be used to either sign certificates for other CAs or to servers. There needs to be a “chain of trust” from any certificate that the system sees to any of the root certificates that it trusts.

    What does “trusted” mean?

    If a secure connection or signed file is “trusted”, this generally equates to an absence of warnings. Digital certificates are used to secure websites using SSL/TLS, identify and validate executable files using code signing, and secure email via Secure/Multipurpose Internet Mail Extensions (S/MIME). If a browser accesses an HTTPS server with an untrusted server certificate, it will generate a warning. If an unsigned or untrusted executable file is run, a warning message may be generated. A user may see these messages and avoid potentially risky behavior.

    HTTPS is widely used as a way to assure users that connections to sites are authentic. Many users view the “green bars” that browsers use to mark HTTPS addresses as a sign that their connections are safe.

    This trust is based on two things:

    1. CAs are not supposed to issue certificates to inappropriate users.
    2. Users (e.g. PC, browsers or mobile devices) should not add any inappropriate CA to the list of trusted CAs.

    Unfortunately, the basis of this trust is now being challenged. Institutions and organizations that may not necessarily be trustworthy are widely thought of as such.

    Here are several cases that highlight the problems, in today’s trust-based CA system.

    Trust lost: CAs issuing certificates to inappropriate users

    CAs need to have a good track record when it comes to securing their own systems to ensure they don’t issue improper certificates. However, they have been incidents where their own security and processes were targeted.

    In 2011, an attacker calling himself the ComodoHacker was able to penetrate the systems of Diginotar, a Dutch CA. The attacker issued multiple fraudulent certificates. The loss of confidence in Diginotar’s security led to major operating system vendors removing them from their lists of trusted CAs. This eventually led to Diginotar shutting down as a business.

    While Diginotar was a relatively minor player in the CA market, the attacker also claimed to have access to the networks of Comodo, which was a far larger CA.

    More recent cases are just as troubling. In March 2015, Comodo issued a certificate for the live.fi domain to an unauthorized party. This domain was the Finnish domain of the live.com online services, which is a part of Microsoft. How was this the case?

    Comodo issued what are known as Domain Validation certificates to Microsoft. These types of CA require the site owner to verify that he does control the domain he wants a CA for. The most common method is to send an email from that domain with one of several possible email addresses, namely:

    • admin@
    • administrator@
    • postmaster@
    • hostmaster@
    • webmaster@

    The live.fi domain is used by Microsoft to provide free email… and a clever Finnish man found that the address hostmaster@live.fi was available. He was able to acquire this address and use it to obtain certificates for live.fi that would have been trusted by any browser, but was not under the control of Microsoft. In interviews, the Finnish man stated he had already reported the problem to Microsoft and Finnish authorities in January of 2015.

    The certificate could have been used to mount man-in-the-middle (MITM) attacks with a certificate that would have been verified by any browser in use. This would have fooled many users into giving up their credentials. Comodo cancelled the certificate, and Microsoft released a separate update for Windows as well.

    Fortunately, there was a silver lining. Only one fraudulent certificate was created, and it could not be used for other purposes. This is because the allowed uses are defined in the certificate (Extended Key Usage). Certificates for SSL servers can only be used for server verification; code signing certificates are limited to that specific purpose as well.

    Later in the month, Google had their own certificate snafu. They discovered that an Egyptian ISP (MCS Holdings) held a digital certificate that could be used for MITM attacks via a proxy. Generally, these proxies require that a certificate be installed in devices to be transparent. However, in this case, the MCS Holdings certificate was signed by the China Internet Network Information Center (CNNIC), which was included in root stores. This means that any certificates issued with the MCS Holdings certificate would be seen as valid by systems, even if they had no “right” to issue that certificate (i.e., for domains they did not own).

    As in the case of Diginotar, this incident has resulted in serious consequences for the CAs involved. The certificate issued by MCS Holdings has been blacklisted by Google, Microsoft, and Mozilla. In addition, CNNIC itself has been targeted for action as well.

    Both Google and Mozilla have indicated that moving forward, certificates issued by CNNIC would no longer be trusted. This means that while organizations that currently rely on CNNIC-derived certificates can still use them, once these certificates expire, new certificates (with a different CA) will need to be acquired.

    These cases highlight the inherent risk in a CA-based model: attacks targeting CAs can occur, and if these certificates fall into the hands of attackers with strong motives to intercept communications, user information could be put at risk. For the CAs themselves, any lapse in the process of how certificates are issued can result in a swift blacklisting, instantly ruining what can be a profitable business for the CA.

    Mistrust added: inappropriate CAs among trusted CA lists

    The most recent case of a CA being added to user systems was Superfish, where adware capable of monitoring HTTPS traffic was preinstalled on Lenovo PCs. Due to the (poor) way it was implemented, in a nutshell, anyone could issue any certificates.

    This means on any PCs with Superfish installed, the trust placed in HTTPS might well be misplaced: phishing by making a malicious sites appear to be secure, intercepting communications using MITM attacks, signing malware so that users would run it, making users believe that signed mail was legitimate.

    It is difficult, if not impossible, to use the Internet if there is an underlying current of distrust. If we can’t tell if our visits to Gmail, Facebook, Twitter or online banking sites are safe, we can’t even browse websites. If we can’t tell if the program we’re try to run is real or not, even opening what we think is Notepad entails a risk.

    What should users and CAs do?

    CAs need to ensure that their own systems are secure to minimize the possibility of fraudulent certificate issuance. They should also be careful about issuing certificates to widely recognized and popular domains, especially since the effects if such a wrongly issued certificate becomes public may be significant. A system based on trusting institutions (such as CAs) only functions well if the said institutions are actually trustworthy.

    CAs should consider verifying via other means of communication (such as the phone) requests for certificates from domains, as this is a step cybercriminals may have difficulty meeting. Recipients of certificates with more privileges (such as the one issued to MCS) should be subject to tighter controls to prevent potential abuse.

    Site owners who want to ensure that fraudulent certificates are not issued in their name should consider pre-registering the email addresses frequently used for website verification, to ensure they stay under the control of the site administrator. Alternately, those addresses should be set aside and not registered at all.

    The current CA-based system of trust is not perfect, and relies on both certificate authorities and users to exercise good judgment and prudence. It is far from perfect, but it is what we have now. Additional safeguards can improve the security of SSL certificates. As more and more sites become HTTPS-only, this issue will become more prominent in the coming years.

     
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon  

    Support for Windows XP ended over a year ago. By any standard, Windows XP ranks as one of the most influential versions of Windows ever, thanks to its longevity and widespread adoption by enterprises around the world. However, the end of support should have served as a clear signpost to users and organizations to immediately upgrade to newer systems.

    A year later, remarkably, Windows XP isn’t quite dead yet. Its exact share can be debated. Net Market Share data suggests its share as of March 2015 is at around 17%. StatCounter has this figure at over 11%. Analytics data from US government websites can be used to get an estimate as well; this data places XP market share at just under 5%.

    The risks to Windows XP have not gone away, either. A year’s worth of vulnerabilities that may affect Windows XP have not been patched—only once did Microsoft publicly release a patch for a Windows XP zero-day vulnerability. In addition, various security upgrades for later versions of Windows have not been retrofitted to Windows XP: a good example is Control Flow Guard, which is only available in Windows 8.1 Update 3 (from November 2014) and in Windows 10 (currently in Technical Preview).

    Support for Windows Server 2003 to end in July

    In just under three months, however, IT administrators will have to do the upgrade dance again. Windows Server 2003’s support will end in July this year. A survey of IT professionals by Spiceworks outlined the scale of the issue. 61% of organizations still have at least one instance of Server 2003 running; and only 15% of respondents indicated that their organizations had completed migration. Of those who plan to have some Server 2003 systems active even after the end of support, almost everyone (85%) indicated that security risks were a concern.

    As with Windows XP, we highly recommend that organizations prepare and implement migration plans—if they haven’t already. The potential risks here are even greater, considering servers are the systems at risk.

    Available solutions and recommendations

    Users running unpatched systems are advised to enable Enhanced Mitigation Experience Toolkit (EMET) on their Windows systems. EMET is a free tool by Microsoft designed to protect Windows systems even before new and undiscovered threats.

    Additionally, users who cannot upgrade to newer Windows versions are still protected against threats with our security solutions. Trend Micro Deep Security and Vulnerability Protection are both able to detect threats before they reach user systems. Trend Micro Endpoint Application Control can also lock down systems by preventing unwanted and unknown applications and processes from running.

    Deep Security will support Windows 2000 until 2017 and Windows 2003 and XP until 2020. In addition, our endpoint products will continue to be supported for these older Windows versions until 2016.

     
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon  



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice