
    “Get rich fast” scams have been circulating online for several years now. Some examples would be the classic Nigerian or 419 scams, lottery scams, and work-from-home scams. The stories may vary but the underlying premise is the same: get a large sum of money for doing something with little to no effort.

    Scammers have now added a new topic to their roster of lures: the cryptocurrency Bitcoin. The continued rise and fall (and rise and fall and…) of Bitcoins has captured the interest of the media and the public. Certain events in the cybercriminal underground have also played a significant part in boosting the profile of this digital currency.

    The fact that Bitcoin is being recognized as a legitimate form of currency with real-world value has not gone unnoticed by cybercriminals. We have seen different types of Bitcoin-related threats appear over the past years and now, we can add yet another incident to this roster.

    We came across several spammed phishing messages that use Bitcoin as bait. These messages promise recipients that they can earn a large amount of Bitcoins in a short span of time, with one email promising more than US$23,000 in a single day. The emails encourage users to click the embedded link for more information.


    Figure 1. Spammed message about Bitcoin

    The links lead to a site that asks for details like name, address, and credit card information. The registration page appears to have no means of verifying the information; it accepts any data typed into the form fields. This behavior is typical of phishing sites, which aim to harvest as many credit card details as possible.


    Figure 2. Phishing site

    Scammers often use “get rich quick” schemes because these hold a certain appeal to users. After all, who wouldn’t want to get a large amount of money easily? However, these things are often too good to be true. We encourage users to refrain from opening emails and clicking links from unknown or unverified senders. Users should also do research before sharing personal information—especially those financially related—online with any site or service.

    Trend Micro protects users from all related threats in this incident.


    Software vulnerabilities exist – it’s a fact of life that we all have to live with, and if we’re both lucky and diligent enough, we can patch it before any cybercriminals can exploit it. That isn’t always the case, but thankfully that’s the exception, not the rule.

    However, news broke recently of a vulnerability in the Heartbeat extension of OpenSSL, an open-source toolkit that webmasters and developers use to secure transactions. This vulnerability, if taken advantage of – and there is no way of knowing whether cybercriminals already have, due to the nature of the vulnerability itself – could mean the compromise of a lot of transactions on websites and applications that use OpenSSL.

    What is the Heartbeat OpenSSL Extension?

    OpenSSL added support for the Heartbeat extension, specified in RFC 6520 (TLS/DTLS Heartbeat Extension), in its 1.0.1 release: the code was committed at the end of December 2011 and shipped in March 2012. The extension lets either peer send a HeartbeatRequest that must be answered with a HeartbeatResponse carrying the same payload. Its purpose is to keep a session alive (and, for DTLS, to discover the path MTU) without tearing the session down and paying for a full handshake, which conserves the network resources that a full renegotiation would consume.

    It is worth noting that OpenSSL is used by a great deal of software, from open source web servers such as Apache and nginx to email servers, chat servers, virtual private networks (VPNs) and even network appliances.

    As such, it’s reasonable to assume that the Heartbeat extension is very widely used, thus making the scope of this vulnerability quite wide indeed.

    Understanding The Heartbleed Bug

    The vulnerability, dubbed the Heartbleed Bug, exists in every build of the affected OpenSSL versions that has the Heartbeat extension compiled in, which is the default. When exploited against a vulnerable server, it lets an attacker read up to 64 KB of the process’s memory per request, without leaving any trace in the server’s logs.

    That chunk of memory can contain anything that happened to be in the process’s heap: private keys, session cookies, usernames and passwords (often in cleartext), credit card numbers, or fragments of confidential documents. An attacker can repeat the request indefinitely to harvest as much as they want, and the bug is exploitable by anyone who can open a TLS connection to the server, from anywhere on the Internet.

    A major Internet content provider was also affected by this bug and they fixed it quickly and diligently. But before it was fixed, some malicious actors had already stolen sensitive information.

    At its core, the Heartbleed bug is a simple and common programming error: a missing bounds check. The heartbeat handler reads the 16-bit payload length field from the incoming message and copies that many bytes from the received record into the response, without checking whether the record actually contains that many bytes.

    A peer can therefore send a request with a tiny real payload (even a single byte) but a declared payload length of up to 65535. The server copies the declared number of bytes starting at the request payload, runs off the end of the record, and echoes back whatever sits next to it in memory. No authentication or special access is needed; the server simply trusts the length it was told.

    Figure 1. Payload Length of the Heartbleed Bug
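    The following is an added example, not code from the original post or from OpenSSL itself. It models the heartbeat message format described above and the missing length check in the handler as a self-contained C program: one handler function runs either with the peer-supplied length trusted (the behaviour of 1.0.1 through 1.0.1f) or with the two bounds checks that 1.0.1g added. The fake_heap array, the made-up credential placed after the record, the 1024-byte claimed length and all function names are constructed for this demo; the check expressions themselves mirror those in the 1.0.1g fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */

/* Constructed stand-in for the server's heap (not OpenSSL's allocator). The
 * received record is parsed at the start of the array; a made-up credential,
 * standing in for a previous request's data, sits a little further along.
 * Keeping both in one array keeps the over-read inside an object we own. */
#define FAKE_HEAP_SIZE 4096
#define SECRET_OFFSET  64
static unsigned char fake_heap[FAKE_HEAP_SIZE];
static const char   secret[] = "user=alice&password=hunter2";   /* constructed */

/* Heartbeat message (RFC 6520 section 4):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * claimed_len goes into the length field; real_len is how many payload bytes
 * are actually sent. An honest peer uses the same value for both.
 * Returns the number of bytes really put on the wire. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const unsigned char *payload, size_t real_len)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);
    return 1 + 2 + real_len + HB_PADDING;
}

/* Server-side handler. check_bounds == 0 behaves like tls1_process_heartbeat()
 * in OpenSSL 1.0.1 through 1.0.1f (peer-supplied length trusted);
 * check_bounds == 1 adds the two length checks introduced in 1.0.1g.
 * Returns the response length, or -1 when the record is rejected. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len,
                             unsigned char *resp, size_t resp_cap, int check_bounds)
{
    const unsigned char *p = rec;
    unsigned char hbtype;
    uint16_t payload;

    if (check_bounds && (size_t)(1 + 2 + HB_PADDING) > rec_len)
        return -1;   /* 1.0.1g: too short to hold type, length and padding */

    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(): 16-bit big-endian length */
    p += 2;

    if (check_bounds && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;   /* 1.0.1g: declared payload longer than what arrived */
    if (hbtype != TLS1_HB_REQUEST || 1 + 2 + (size_t)payload + HB_PADDING > resp_cap)
        return -1;

    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    /* Without the check above, this copy reads `payload` bytes from the
     * request payload onward, runs past the end of the record and echoes
     * back whatever follows it in memory. This one memcpy is the whole bug. */
    memcpy(resp + 3, p, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Sends one malicious request (4 real payload bytes, 1024 claimed) to the
 * chosen handler. Returns the response length or -1; *leaked becomes 1 if
 * the response carries the secret that sat beyond the end of the record. */
int heartbleed_demo(int fixed, int *leaked)
{
    static unsigned char resp[1 + 2 + 65535 + HB_PADDING];
    const unsigned char ping[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len;
    int n, i;

    memset(fake_heap, 0, sizeof fake_heap);
    memcpy(fake_heap + SECRET_OFFSET, secret, sizeof secret);
    rec_len = build_heartbeat(fake_heap, 1024, ping, sizeof ping);   /* 23 bytes sent */
    n = process_heartbeat(fake_heap, rec_len, resp, sizeof resp, fixed);
    *leaked = 0;
    for (i = 3; n > 0 && i + (int)sizeof secret <= n; i++)
        if (memcmp(resp + i, secret, sizeof secret) == 0) { *leaked = 1; break; }
    return n;
}

int heartbleed_response_len(int fixed) { int l; return heartbleed_demo(fixed, &l); }
int heartbleed_leaks(int fixed)        { int l; heartbleed_demo(fixed, &l); return l; }

int main(void)
{
    int v;
    for (v = 0; v <= 1; v++)
        printf("%s handler: response %d bytes, secret leaked: %s\n",
               v ? "fixed     " : "vulnerable", heartbleed_response_len(v),
               heartbleed_leaks(v) ? "yes" : "no");
    return 0;
}
```

    The vulnerable path answers a 23-byte request with a 1043-byte response that contains the credential stored 64 bytes into the fake heap; the fixed path rejects the same request because 1 + 2 + 1024 + 16 exceeds the 23 bytes that were actually received. A real server would be copying from its TLS record buffer, so what comes back is whatever earlier connections left on the heap.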

    This vulnerability has been assigned with the identifier CVE-2014-0160.

    Since exploitation leaves no traces by default – it abuses a bug in the code rather than crashing the server or writing anything to a log – it is hard to say whether it is being exploited in the wild. We will be monitoring our sensors for any such behavior.

    Which versions of OpenSSL are affected? Am I affected?

    As per the OpenSSL advisory:

    “Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.”

    Other OpenSSL branches (0.9.8 and 1.0.0) are not affected by this bug. If your applications were compiled against, or dynamically link to, any of the affected versions, you may be affected. Note that several Linux distributions shipped the fix as a backport that still reports the old version number (for example 1.0.1e), so check the package changelog or build date rather than relying on the version string alone.

    Users can also check if their server is affected by the Heartbleed vulnerability with this website.

    The fixed version is 1.0.1g, which was released on April 7, 2014.

    What should I do if I am affected?

    Affected users must upgrade to OpenSSL 1.0.1g, which fixes the Heartbleed bug, and then restart every service that loads the library: a running process keeps the old code mapped in memory until it is restarted.

    If an upgrade is not possible, rebuild OpenSSL with the Heartbeat extension disabled by passing the -DOPENSSL_NO_HEARTBEATS flag, and recompile or relink any application that statically links the library.

    SSL certificates must also be treated as compromised, because the private key could have been read from memory while a vulnerable version was running. Generate a new private key, obtain a new certificate for it, and revoke the old one; reusing the old key with a new certificate gives no protection. Since there is no way to tell which keys were actually exposed, do this for every certificate served from an affected host, and only after the software has been patched.

    End users should also change the passwords for their online accounts, since usernames and passwords were among the data exposed. Change them only after the site has confirmed it is patched and has replaced its certificates; a password changed on a still-vulnerable site can leak just like the old one. Reset passwords promptly when prompted by the service, and watch for suspicious activity on accounts, especially those that are financially related.

    Trend Micro Solution

    Trend Micro Deep Security customers should upgrade to DSRU-14-009 and assign the following rules:

    • 1006010 – Restrict OpenSSL TLS/DTLS Heartbeat Request
    • 1006011 – OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerability
    • 1006012 – Identified Suspicious OpenSSL TLS/DTLS Heartbeat Request

    It is also possible to detect attempts to exploit the vulnerability through visibility into network traffic. Deep Discovery can monitor a web server’s SSL/TLS traffic through the rule CVE-2014-0160-SSL_HEARTBEAT_EXPLOIT. It inspects Heartbeat responses for characteristics that indicate exploitation, such as the number of consecutive responses and the amount of data echoed back. This detects attacks against a monitored server as well as exploitation attempts originating from within the monitored network. The rule is released and applied automatically through the Deep Discovery update process.

    Update as of April 14, 2014, 7:41 A.M. PDT

    Client applications are also vulnerable: a client built against an affected OpenSSL version that connects to a malicious server can have its memory read through the same bug. On April 11th, Trend Micro released the following rules to protect customers using Deep Security and IDF from this exploit:

    • 1006016 – OpenSSL TLS/DTLS Heartbeat Message Information Disclosure Vulnerability
    • 1006017 – Restrict OpenSSL TLS/DTLS Heartbeat Message

     

    For other conversations on the Heartbleed bug, check our entries from the past week:


    This month’s Patch Tuesday is primarily notable for two reasons. It addresses the recent zero-day vulnerability for Microsoft Word and it also marks the last Patch Tuesday for Windows XP and Microsoft Office 2003. All in all, April Patch Tuesday is relatively light, with only two ‘critical’ and two ‘important’ updates.

    One ‘critical’ update is a patch (MS14-017) addressing the recent zero-day affecting Microsoft Word and Office Web Apps. If exploited, this vulnerability (CVE-2014-1761) could allow a remote attacker to execute arbitrary code via specially crafted files and email messages. This vulnerability was first reported by Microsoft in a Security Advisory, which also contained a Fix it tool. According to an advance notification from the company, users must undo the Fix it workaround after the security update has been applied.

    This month’s release also includes a ‘critical’ cumulative security update for Internet Explorer (MS14-018). It addresses six vulnerabilities in the browser; if exploited, these could allow remote code execution when a user visits a specially crafted webpage. MS14-019 fixes a vulnerability in Microsoft Windows that allows remote code execution if a user runs a specially crafted .BAT or .CMD file. A vulnerability in Microsoft Office is addressed by MS14-020; it may allow remote code execution if a user opens a specially crafted file in an affected version of Microsoft Publisher.

    As mentioned earlier, this is also the last Patch Tuesday for Windows XP. After 13 years of service, Microsoft will not provide updates for the popular OS version. Users who rely on the platform may find their computers at increased risk as any vulnerability will not be patched anymore. Discussions about the Windows XP end-of-support may be found in our blog entries, “Managing Windows XP’s Risks in a Post-Support World” and “Windows XP Support Ending – Now What?” We encourage users to upgrade to later versions of Windows to ensure that computers remain protected.

    Though not as heavily publicized as Windows XP, Microsoft Office 2003 has also reached its end-of-support—or to be more precise, the end of its extended support. Office 2003 users will no longer receive any updates or fixes. Like Windows XP users, Office 2003 users are encouraged to upgrade to later versions to continue to receive updates. However, users may also opt for open source applications like LibreOffice (for Windows and Linux) and NeoOffice (for Mac OS X).

    Microsoft has also released a security advisory containing updates for Adobe Flash Player in Internet Explorer. This update addresses vulnerabilities in Adobe Flash Player for Internet Explorer versions 10 and 11.

    We encourage users to apply these updates as soon as possible. Additional information may also be found in the Trend Micro Threat Encyclopedia page. Appropriate rules for Trend Micro Deep Security have also been created and are available for use by system administrators.


    Windows end of support this, Windows end of support that… a lot of people in the IT field are writing about how Windows XP will be unsupported tomorrow. Why is this a big deal? Like any other software, operating systems evolve and it takes too much effort for the companies who created them to keep supporting older versions as time goes on.

    All Windows versions eventually become obsolete – try to call Microsoft today about that Windows 95 problem you still have and see what kind of response you’ll get. Windows XP, however, is a completely different case. Usually, when support for a Windows version ends that particular version is no longer used in great numbers.

    That’s not the case here. Depending on which source you use, Windows XP is still in use on at least 18%, and as much as 28%, of all PCs worldwide. Yes, hard as it is to imagine, somewhere around a fifth to a quarter of all PCs use an operating system that was released in 2001.

    When Microsoft leaves these users out in the cold after April 8, any security problem they have in the future will be left unpatched; those millions of PCs will not have any available Microsoft-supplied fixes. Of course, you can still use antivirus software and be protected that way, but newly-discovered security holes in the operating system will not be fixed and therefore will be left wide open for attackers to use.

    Why are so many people still using a 13-year-old operating system, I hear you ask? Many of these users fall into three groups. What do each of these groups need to know now that patches are no longer coming?

    Group 1 – Simple users that consider the OS a mere tool.

    Many of the remaining users of XP have a very practical view of their machines. Their philosophy is, “if I have a screwdriver that works, why bother buying a new one 10 years down the line if the old one still works”. Their XP machine does what they need and they’re happy enough with it.

    The problem with this line of thinking is that modern operating systems do get old with time. The screwdriver analogy is flawed: a screwdriver is something extremely simple that never needs an upgrade. Try something more complex for an analogy; how about prescription glasses?

    They become obsolete after a while – either when they get out of fashion, or your eyes change (normally for the worse, unfortunately). Imagine you’re left with old prescription glasses that only one optician can change and this optician goes out of business. You’re on your own. Same with Windows XP.

    If you’re in this situation, maybe it’s time to consider a simpler computing device. If all you do on your PC is check your email and go on social media, maybe it’s time to consider using a tablet instead of a PC.

    Group 2 – Users with a genuine need for Windows XP

    The ancient OS has become the only tool that this particular group of people can use. Think ATMs, POS systems, medical devices, certain machines that are not easily upgradable, or whose hardware is too old for a newer operating system.

    In some cases, virtualizing the OS might do the trick. Combined with a product that blocks attacks against the virtualized environment, this setup might be able to keep attacks at bay. Isolating them from the Internet is also a possibility, though not always realistic. Users on these systems will need to be especially cautious with everything that goes in and out of these devices, whether online (the Internet) or offline (removable media, etc.)

    Regular, even daily backups can help here. Pray a lot, as in this situation your margin for error is frighteningly small.

    Group 3 – Enterprise users

    The last group of Windows XP users are enterprises that haven’t gotten around to upgrading their large installations of Windows XP.

    We feel your pain. Upgrading hardware is never easy, training the users might take time, budget is tight, those kinds of excuses. Well, just remember this: if you have to recover after a massive attack, excuses won’t mean much. We’ve known for years that Windows XP’s support would be ending now; there’s very little excuse for not being prepared for it.

    You have to remember that while you’re using Windows XP out of support, any zero-day attacks (and there is a very good chance there will be some) will never be fixed. Yes, you can temporarily manage the risks, but that’s not a permanent solution. It is like having a big crack in your wall that you can paper over for a while, but that nobody will ever be able to repair. Enough said.


    It is an interesting time to be in IT security today. PRISM and Edward Snowden taught many lessons about how companies should secure their data. There’s been a lot of discussion about the surveillance aspect of this, but consider this whole affair from the side of the NSA.

    To the NSA, this was a data breach of unprecedented proportions. All indications are that Snowden was able to exfiltrate a significant amount of classified data; what has been published so far represents a relatively small portion of what he was able to access. Consider that Snowden technically wasn’t even an employee – he was a contractor. How did he do this? How could a contractor access this much information?

    Some companies may think: “if it can happen to a spy agency, there’s nothing we could do. We should just give up and not protect our data anymore.” Others may say: “let’s build a bigger wall around our data.” Both approaches are incorrect. Obviously, you have to protect your data. However, enterprises cannot protect everything with the same rigor either. A truly determined attacker can get in if he wants to get in.

    What an enterprise needs to focus on is what really needs to be protected. Which sets of data, if stolen, can ruin a business? Are they the trade secrets? Or maybe customer data? This will differ for each company – what may be vital for one organization may be trivial for another. Each organization has to decide for itself. Some examples of what a company can consider core data would be: trade secrets, research and development documents, and partner information. Losing any of these could cost millions of dollars, and the damage to trust and confidence can outlast the direct financial loss.

    Once these core data have been selected and identified, the next step is: defend these strongly. How? That would depend on what the data is, how it is stored, and who needs to access it. Is it something that can be locked in a vault and kept offline for years on end, or is it something that needs to be accessed on a daily basis? For each organization, the challenges will be different, and so will the solutions.

    We must not forget one other component of security: end users. Difficult as it is, end users should be educated not to fall for simple scams. For example: if “the administrator” asks you for your username and password, check with another administrator before handing them over; if you receive an email that sounds too good to be true, don’t click on its links.

    All in all, it’s a combination of identifying what’s most important, deploying the right technologies, and educating users. It is everybody’s job – not just those of IT professionals – to ensure that the company’s core data stays safe.




     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice