Trend Micro Malware Blog (TrendLabs)
    Most victims of the Stegoloader Trojan, which has recently been making the rounds in the news, come from healthcare organizations in North America. The malware, detected as TROJ_GATAK, has been active since 2012 and uses steganography to hide its components in .PNG files.

    Looking at recent victims of the Stegoloader malware, we observed that the majority of the infected machines counted in the last three months were in the United States (66.82%), followed by Chile (9.10%), Malaysia (3.32%), Norway (2.09%), and France (1.71%).

    In the same duration, we saw that the most affected organizations came from the healthcare, financial, and manufacturing industries.


    Figure 1. TROJ_GATAK infection count per industry in the last three months

    Notably, all healthcare organizations affected by the malware were in the North American region. Trend Micro researchers are currently looking into whether cybercriminals could use this for organized attacks, although no evidence of that has been found yet.

    There have been recent successful breaches exposing millions of customer files at healthcare organizations like Anthem and Premera Blue Cross. Although it has yet to be seen in such attacks, steganography could become a new technique for cybercriminals seeking to expose medical records in future attacks on healthcare organizations.

    Steganography, a Picture of Spying

    In a previous article on steganography and malware, we noted that the technique of embedding malicious code in image files to evade detection will only become more popular, especially among the more industrious malware groups out there.

    The reemergence of TROJ_GATAK and its apparent focus on certain regions and industries show that cybercriminals continually experiment with the creative uses of steganography for spreading threats.

    When we first blogged about the malware in January 2014, the TROJ_GATAK.FCK variant was bundled with key generators for various applications, and FAKEAV was its final payload.

    The final payloads of the three recent samples of the malware, TROJ_GATAK.SMJV, TROJ_GATAK.SMN, and TROJ_GATAK.SMP, are still under analysis.

    Note that the routines seen in variants from past years remain the same. The malware is downloaded from the Internet by users who believe it to be a key generator, or keygen. Once downloaded, it poses as a legitimate file related to Skype or Google Talk. It then downloads a stock photo in which a large part of its routines is embedded. The following are sample photos used by the malware to embed its malicious components:


    Figure 2. Sample images downloaded by TROJ_GATAK

    The malware has anti-VM and anti-emulation capabilities, allowing it to avoid analysis.

    Past attacks using steganography have been noted to use interesting but seemingly harmless sunset and cat photos to target online bank accounts. Although the technique of using photos is quite old, its ability to help cybercriminals and threat actors evade detection remains a strong reason for its continued use in the wild.
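As an added example (not code from the post or from Trend Micro), the following Python script performs structural checks on a PNG file of the kind the post describes as a carrier for malware components: it walks the chunk list, verifies each CRC, and flags non-standard chunk types or data appended after the IEND chunk. The sample images, the chunk name pAyL and the trailer bytes are constructed for the demonstration; payloads hidden inside the pixel data itself are not caught by these checks and need image-level analysis.

```python
import struct
import zlib
# Added example (not from the post): structural checks for PNG files of the kind
# the post describes as carriers for malware components. Flags bad CRCs, non-standard
# chunk types and data appended after IEND; payloads hidden in pixel data are NOT caught.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}

def parse_png_chunks(data):
    """Return ([(type, length, crc_ok), ...], bytes found after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks, saw_iend = len(PNG_SIG), [], False
    while pos + 12 <= len(data) and not saw_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            break  # truncated chunk: stop, caller sees no IEND
        crc_ok = struct.unpack(">I", crc_field)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos += 12 + length
        saw_iend = ctype == b"IEND"
    return chunks, (data[pos:] if saw_iend else b"")

def find_anomalies(data):
    """Human-readable findings; an empty list means structurally clean."""
    chunks, trailer = parse_png_chunks(data)
    findings = []
    for ctype, length, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on {ctype} chunk")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype} ({length} bytes)")
    if trailer:
        findings.append(f"{len(trailer)} bytes appended after IEND")
    if not any(c[0] == "IEND" for c in chunks):
        findings.append("missing IEND chunk")
    return findings

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png(extra_chunks=(), trailer=b""):
    """Constructed 1x1 RGB PNG, optionally with extra chunks and trailing data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    out = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        out += _chunk(ctype, body)
    return out + _chunk(b"IEND", b"") + trailer

if __name__ == "__main__":
    suspect = make_png([(b"pAyL", b"X" * 64)], trailer=b"MZ" + b"\x00" * 30)  # constructed
    print(find_anomalies(make_png()), find_anomalies(suspect))
```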

    Here are the SHA1 hashes related to the malware reported above:

    You can read more about steganography in the following posts:

    Update as of June 29, 2015, 12:32 A.M. PDT (UTC-7)

    The following keyloggers (detected as TROJ_DROPPER.GTK) are confirmed to be related to this attack:

    • CompuApps_SwissKnife_Premium_v3_37_keygen.exe (790528 bytes)
      SHA1: BFE821A91CD7B6E9488D46741630ED91752910CA
    • DigiEffects_Suite_AEX_v3_0_0_CE_64_bit_keygen.exe (865842 bytes)
      SHA1: AF5AE925758B629E594FB8F01EF89D113354A130

    We also added hashes for TROJ_GATAK.SMP above.


    Earlier we talked about the out-of-band update for Flash Player released by Adobe (identified as APSB15-14) to fix CVE-2015-3113. This update raised the Flash Player version to 18.0.0.194.

    Our analysis of the current flaw reveals that the root cause of CVE-2015-3113 is similar to that of CVE-2015-3043. Both cause a buffer overflow within the Flash Player code. In fact, code targeting the previous vulnerability can also cause crashes in version 18.0.0.160 (the version immediately before this emergency update).

    Both vulnerabilities can be used to run arbitrary code (i.e., malware) on user systems if they visit a site with a malicious Flash file. Users still running older, unpatched versions of Flash Player are at risk when they visit a malicious or compromised site that hosts such files.

    Vulnerability comparisons

    Both CVE-2015-3113 and CVE-2015-3043 are heap overflow vulnerabilities in the FLV audio parsing flow. Both lie in how Flash Player processes audio encoded with the Nellymoser codec, and both can be triggered by modifying the FLV file’s audio tag. Each overflows a heap buffer with a hardcoded length of 0x2000.

    CVE-2015-3043 and CVE-2015-3113 both trigger this bug with sample_count * sample_size > 0x2000, bypassing the length check.

    Old Patch for CVE-2015-3043

    CVE-2015-3043 was originally patched in 17.0.0.169. This was done by limiting the sample count acquired from the FLV audio tag.

    Figure 1. Original patch

    We can see that the sample count is limited to 0x400. From this we can compute the largest buffer size needed: FLV specifies 4 as the largest size per sample, and the Nellymoser codec has a hardcoded multiplier of 2 (as seen in the code below). Therefore, the largest buffer needed is 0x400 * 4 * 2 = 0x2000.

    Figure 2. Nellymoser doubling

    New Patch in 18.0.0.160

    However, the code underwent significant changes in 18.0.0.160. The code now looks like this:

    Figure 3. New patch

    The GetSampleCount function checks the final buffer size needed. If the final buffer size is larger than 0x2000, it limits it to 0x2000. However, this ignores the Nellymoser decode function’s hardcoded doubling operation, which can be used to trigger a heap buffer overflow once again.
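As an added example (not Adobe's code, nor Trend Micro's), the following Python model reproduces the arithmetic of the two checks just described, adds a bound that accounts for the codec's multiplier, and sweeps every (sample_count, sample_size) combination within FLV's limits to show which check lets the decoder's write exceed the 0x2000 buffer. The function names, the corrected bound and the sweep are assumptions made for illustration.

```python
# Added example (not Adobe's code): a model of the size checks described in the
# post, showing why the 18.0.0.160 change reopened the CVE-2015-3043 overflow.
# Function names, the corrected bound and the sweep are assumptions for illustration.
OUT_BUF_SIZE = 0x2000      # hardcoded heap buffer length
MAX_SAMPLE_SIZE = 4        # largest per-sample size FLV allows
NELLY_MULTIPLIER = 2       # Nellymoser decode writes twice the input size

def old_patch_17_0_0_169(sample_count, sample_size):
    """Bytes the decoder writes when sample_count is clamped to 0x400 first."""
    sample_count = min(sample_count, 0x400)
    return sample_count * sample_size * NELLY_MULTIPLIER

def new_patch_18_0_0_160(sample_count, sample_size):
    """Bytes written when sample_count * sample_size is capped at 0x2000 before
    the decoder doubles it (the regression the post describes)."""
    needed = min(sample_count * sample_size, OUT_BUF_SIZE)
    return needed * NELLY_MULTIPLIER

def corrected_check(sample_count, sample_size):
    """An assumed fix: cap the input so that the doubled output fits the buffer."""
    needed = min(sample_count * sample_size, OUT_BUF_SIZE // NELLY_MULTIPLIER)
    return needed * NELLY_MULTIPLIER

def overflows(check, sample_count, sample_size):
    """True if the bytes written under `check` exceed the 0x2000 buffer."""
    return check(sample_count, sample_size) > OUT_BUF_SIZE

def first_overflowing_tag(check, max_count=0x2000):
    """Regression sweep over every (sample_count, sample_size) within FLV limits.
    Returns the first pair that overflows under `check`, or None if none does."""
    for count in range(1, max_count + 1):
        for size in range(1, MAX_SAMPLE_SIZE + 1):
            if overflows(check, count, size):
                return count, size
    return None

if __name__ == "__main__":
    for check in (old_patch_17_0_0_169, new_patch_18_0_0_160, corrected_check):
        hit = first_overflowing_tag(check)
        print(f"{check.__name__:22s} first overflowing tag: {hit}")
```

The sweep is the kind of regression check the conclusion below calls for: the 17.0.0.169 bound and the corrected bound never exceed the buffer, while the 18.0.0.160 bound does as soon as sample_count * sample_size passes 0x1000.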

    Conclusion

    The analysis above shows that both the previous Flash zero-day and the current incident share the same underlying root cause. In fact, code targeting the previous zero-day will cause 18.0.0.160 to crash.

    This incident highlights how important careful patch development is in preventing patched bugs from being re-exploited later. Regression testing must also be part of software development, to check that old bugs do not threaten new versions of the software.

    Update as of June 24, 2015, 8:08 A.M. (PDT):

    Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006810 – Adobe Flash Player Heap Buffer Overflow Vulnerability (CVE-2015-3113)

    Update as of June 26, 2015, 3:10 P.M. PDT (UTC-7):

    Trend Micro solutions are available to help protect users against threats that may leverage this vulnerability. Endpoint products detect malware that attempts to exploit this vulnerability as SWF_EXPLOYT.S. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.

    Hashes of related files:

    • 5f6a2521c6bfd5becfefc3a3db74d0a23d382f0e
    • 5f28787f60c5f8d9f3aa9163975422d1ff55f460

    Adobe has just released an update to address a vulnerability found in its Flash Player browser plug-in. In its security advisory (APSB15-14), Adobe notes that this vulnerability “is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”

    The critical flaw (CVE-2015-3113) could potentially allow an attacker to take control of the affected system. The affected software versions are the following:

    • Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Mac
    • Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh
    • Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux

    Adobe has stated that the latest version of Flash Player Desktop Runtime for Windows and Mac (v. 18.0.0.194) will address this issue. Users who may be unsure of the version of their Flash software may use this link to check.

    Adobe Flash Player on Google Chrome, and on Internet Explorer on Windows 8.1 and later, should automatically update to the latest version. Updates, including those for Windows XP, are also available in the Adobe Flash Player Download Center. We also recommend that users opt for automatic updates whenever possible so that their applications are updated promptly.

    We will update this entry should any additional information be made available.

    Update as of June 24, 2015, 8:12 A.M. (PDT):

    Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006810 – Adobe Flash Player Heap Buffer Overflow Vulnerability (CVE-2015-3113)

    More information can also be found in our entry, New Adobe Zero-Day Shares Same Root as Older Flaws.

    Update as of June 26, 2015, 3:10 P.M. PDT (UTC-7):

    Trend Micro solutions are available to help protect users against threats that may leverage this vulnerability. Endpoint products detect malware that attempts to exploit this vulnerability as SWF_EXPLOYT.S. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.

    Hashes of related files:

    • 5f6a2521c6bfd5becfefc3a3db74d0a23d382f0e
    • 5f28787f60c5f8d9f3aa9163975422d1ff55f460

    Mention the “Deep Web” and most people will instantly associate it with the part of the Internet used for nefarious and illegal activities. For others, it is this inaccessible side of the Web, the one that requires a lot of technical skill and know-how to reach. Although these assumptions are somewhat correct, they only cover a small portion of the Deep Web as a whole.

    For over two years, Trend Micro’s Forward-Looking Threat Research Team (FTR) has done extensive exploration of the Deep Web, collecting and analyzing its contents and keeping tabs on ongoing activities. The result is Below the Surface: Exploring the Deep Web, a research paper that aims to give its readers a better understanding of what truly goes on in the Deep Web and darknets, and the effects these could have in the real world.

    Two sides of the coin

    Anonymity is the main feature of the Deep Web, and there are plenty of people who would want to use and abuse that. For example, people who want to shield their communications from government surveillance may want to take refuge in darknets. Whistleblowers, like Edward Snowden, can share vast amounts of insider information to journalists without leaving a paper trail. Dissidents in restrictive regimes may need anonymity in order to safely let the world know what’s happening in their country.

    On the flipside, those with malicious intentions can also greatly benefit from this anonymity. For example, drug sellers wouldn’t want to set up shop in an online location where law enforcement can easily determine their IP address. The same could be said for those engaged in other illegal activities like selling contraband and stolen goods.

    Digging into the Deep Web

    We decided to look further down the rabbit hole to get more information about the illegal activities and services offered in the Deep Web. To gather information, we employed our own system, called the Deep Web Analyzer (DeWa). DeWa collects URLs linked to the Deep Web, including TOR- and I2P-hidden sites and Freenet resource identifiers, and tries to extract relevant information tied to them, such as page content, links, email addresses, and HTTP headers.

    So far, we’ve collected more than 38 million events that account for 576,000 URLs, 244,000 of which bear actual HTML content.

    DeWa also has a feature that alerts us if hidden services get a lot of traffic or if there is a large spike in the number of sites. This is especially helpful in finding new malware families from cybercriminals who use TOR-hidden services to hide the more permanent parts of their infrastructure.

    Cybercrime in the Deep Web

    Among our observations was the fact that light drugs (read: cannabis) were the most-exchanged goods, followed by pharmaceutical products like Ritalin and Xanax, hard drugs, and even pirated games and online accounts.


    Figure 1. Drugs are revealed to be the most popular merchandise in the Deep Web

    The Deep Web is also home to Bitcoin and money-laundering services. Bitcoin offers a level of anonymity for users. As long as they don’t link their wallet code to their real identities, they are, to some extent, anonymous. Nonetheless, Bitcoin transactions are public, which means investigators can still examine them. Numerous services have sprouted in the Deep Web, offering to move Bitcoins through a network via micro transactions. Paying a handling fee will result in the customer getting the same amount of money but with the added bonus of having transactions that are harder to track or pin down.


    Figure 2. An example of a Bitcoin-laundering service offered in the Deep Web

    The challenge of the Deep Web

    Anonymity in the Deep Web will continue to raise a lot of issues and be a point of interest for both law enforcers and Internet users who want to circumvent government surveillance and intervention. Right now, there seems to be a race between “extreme libertarians” and law enforcement agencies, with the former trying to find new ways to become even more anonymous and untraceable.

    As such, security defenders like Trend Micro need to continue keeping tabs on the Deep Web as its role in the Internet and the real world grows.

    For full details about this Deep Web investigation, read our paper Below the Surface: Exploring the Deep Web (which you can find by clicking the thumbnail below). The results of our other inquiries into the Deep Web may be found in the Deep Web section of the Threat Intelligence Center.


    Recently, researchers announced that a vulnerability in Samsung Android devices had been found which allowed attackers to run malicious code on vulnerable devices if they became the targets of a man-in-the-middle attack.

    In this post we will explain how this vulnerability works and what users can do to protect themselves.

    The Vulnerability

    The stock Android keyboard on these affected Samsung devices includes some features based on the Swiftkey SDK. To implement these features, it downloads files that are specific to each keyboard language, as seen below:

    Figure 1. Downloaded keyboard file

    These files are downloaded whenever the language for the device is set up, such as when it is turned on for the first time or after a factory data reset (where all data and configuration are deleted). This narrows the window of vulnerability, because the files no longer need to be downloaded after the language is set, unless the user decides to update and download a language pack.

    The files contain important information needed by each keyboard language, including character sets and punctuation rules. However, note that the files are downloaded via HTTP, not HTTPS. (We just recently discussed why using HTTPS is a good idea.) This means that an attacker who already had the capability to carry out a man-in-the-middle attack would be able to replace these files. (There are some countermeasures designed to help defend against this attack. However, these can be bypassed without much difficulty by an attacker that can already carry out MITM attacks.)

    By itself, this would not necessarily be a problem. However, the downloaded files are saved with (and were created with) the permissions of the system user, which is analogous to the root user on Linux and the Administrator user on Windows. This user has elevated privileges, which means that any code that is downloaded also runs with these elevated privileges.

    The combination results in a rather clever attack: the attacker carries out a man-in-the-middle attack that replaces the files downloaded by the keyboard. The replacement files have been specially crafted so that once processed by the keyboard app, arbitrary code of the attacker’s choosing can be run on the phone, giving the attacker complete control of the device.

    Potential countermeasures

    Currently, no patch exists for this vulnerability. Samsung has indicated that they will use their Knox security solution to remotely issue a fix, but when this will be released is unclear. In the official statement released by Samsung, they only mention that they will “begin rolling out a security policy update in the coming days.” Samsung has also advised users to ensure their devices automatically receive security policy updates. Steps to configure their devices to do so can also be found in the statement.

    Until then, there are two possible countermeasures. The first is to connect only to Wi-Fi networks that are secure, in order to prevent any man-in-the-middle attacks. This can be a problem if the user has to connect to public Internet connections; the use of a Virtual Private Network (VPN) helps secure a user’s connection in these cases.

    Secondly, the user can stop the use of the default Samsung keyboard. To do this, they have to do two things: first, select an alternate keyboard instead of the default system keyboard. This can be done under the Language and input section of the device’s settings:

    Figures 2-4. Steps to change Android keyboard

    However, using a different keyboard is not enough. The system keyboard itself has to be turned off. Unfortunately, this has to be done every time the device is turned on. This can be done under the Applications part of the settings menu:

    Figures 5-7. Steps to disable system keyboard

    These steps will mitigate the risk to the user from this vulnerability.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice