Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    September 2014
    S M T W T F S
    « Aug    
  • About Us

    Patch-Tuesday_grayFor this month’s patch Tuesday, Microsoft released four security bulletins, addressing flaws found in Internet Explorer, Microsoft .NET Framework, Microsoft Windows, and Microsoft Lync server.  One bulletin is rated as ‘Critical’ while the rest are tagged as ‘Important’.

    One of the notable bulletins in this month’s cycle is MS14-052, which addresses thirty-six vulnerabilities found in Internet Explorer. IE 6 to 11 are affected by these vulnerabilities.

    MS14-053 resolves issues found in the Microsoft .NET Framework that could allow denial of service once exploited successfully by attackers. Similarly, when the vulnerabilities addressed in MS14-055 are leveraged by attackers it could also lead to denial of service. On the other hand, Adobe also plans to release security updates addressing vulnerabilities in Adobe Flash Player and Adobe Reader and Acrobat by September 15.

    Although this month’s security updates are relatively few compared to the previous months, it is highly advisable to update systems with the latest patches to protect it  from threats leveraging such vulnerabilities.

    Trend Micro Deep Security and Office Scan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage vulnerabilities discussed in MS14-052 via the following DPI rules:

    • 1006164 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)
    • 1006219 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4065)
    • 1006224 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4080)
    • 1006227 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4081)
    • 1006230 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4082)
    • 1006221 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4084)
    • 1006229 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4086)
    • 1006222 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4087)
    • 1006225 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4088)
    • 1006220 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4089)
    • 1006223 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4092)
    • 1006226 – Microsoft Internet Explorer Use After Free Vulnerability (CVE-2014-4094)
    • 1006228 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4095)

    The rules above also protect users of Internet Explorer on Windows XP, which is no longer being supported by Microsoft.

    For more information on these security bulletins, visit our Threat Encyclopedia page.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Home Depot has confirmed via their corporate website that their payment systems were breached. This followed reports last week, which suggested that Russian and Ukrainian cybercriminals had successfully breached the Atlanta-based retailer’s PoS terminals.

    The statement offered full details, but suggested the breach affected users who shopped at their US and Canadian branches from April onwards. Home Depot’s investigation began on September 2, which indicates a worse-case scenario of a breach of four to five months. It has been claimed that up the information of up to 60 million cards may have been stolen.

    Speculation suggests that the Home Depot attack was carried out using BlackPOS malware; a BlackPOS variant discussed by Trend Micro researchers in late August may have been part of this attack, as the behavior we found with this variant and those ascribed to the Home Depot attack are very similar.

    This particular BlackPOS variant is different in several ways from more common variants, suggesting that the code has been changed significantly since the source code for BlackPOS was leaked in 2012. A different API call is made to list processes which can be targeted for information theft; in addition custom search routines for credit card track information have been introduced as well. This particular variant is detected as TSPY_MEMLOG.A.

    These increasingly sophisticated threats make it clear that PoS malware is becoming a bigger and bigger threat. Continued attacks against PoS systems will not only cause financial losses, but also reduce the confidence of consumers in existing commerce systems.

    Migrating to more modern “chip-and-personal identification number (PIN)” cards and terminals may help reduce the risk down the road. Also, it is good for users to regularly check their bank statements for any anomalous transaction. Going over the recent transactions on a regular basis should allow users to spot and dispute fraudulent transactions made on their cards.

    Later this week, we will publish a paper outlining existing threats to PoS systems. System administrators of organizations that are at potential risk can use the information in these papers to detect, mitigate, and address these attacks. Our earlier paper titled Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries provided examples of potential PoS threats to retailers and companies in the hospitality sector.

    For more information, you may check out Data Breaches page in Threat Encyclopedia.

    Update as of 2:42 PM, September 11, 2014

    Even though BlackPOS ver2 has an entirely different code compared to the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call this BlackPOS ver2.

    It is also being reported in the press that some security vendors called this malware (TSPY_MEMLOG.A.) as “FrameworkPOS.”  This is a play of the service name <AV_Company> Framework Management Instrumentation with which the malware installs itself.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Last July, the US Department of Homeland Security warned of a new kind of criminal attack: “Google dorking“. This refers to asking Google for things they have found via special search operators. Let’s look closely and see what this is.

    Google finds things online using a program that accesses web sites: the Google web crawler, called the Googlebot. When the Googlebot examines the web and finds “secret” data, it adds it to Google’s database just like any other kind of information. If it’s publicly accessible, it must be fine, right?

    Now suppose your company’s HR representative left a spreadsheet with confidential employee data online. Since it’s open for everyone to access, the crawler sees and indexes it. From them on, even though it might have been hard to find before, a simple – or not so simple – Google search will point any attacker to it. Google never stored the actual data (unless it was cached), it just made it easier to find.

    This kind of “attack” has been around for as long as search engines have been around. There are whole books devoted to the subject of “Google dorking”, which is more commonly known as “Google hacking”.  Books have been published about it for years, and even the NSA has a 643-page manual that describes in detail how to use Google’s search operators to find information.

    The warning – as ridiculous as it might seem – has some merit. Yes, finding information that has been carelessly left out in the open is not strictly criminal: at the end of the day, it was out there for Googlebot to find. Google can’t be blamed for finding what has been left public; it’s the job of web admins to know what is and isn’t on their servers wide open for the world to see.

    It’s not just confidential documents that are open to the public, either. As we noted as far back in 2013, industrial control systems could be found via Google searches. Even more worryingly, embedded web servers (such as those used in web cameras) are found online all the time with the Shodan search engine. This latter threat was first documented in 2011, which means that IT administrators have had three years to shut down these servers, but it’s still a problem to this day.

    In short: this problem has been around for a while, but given that it’s still around an official warning from the DHS is a useful reminder to web admins everywhere: perform “Google dorking” against your own servers frequently, looking for things that shouldn’t be there. If you don’t, somebody else will and their intentions might not be so pure. Point well taken, thanks DHS!


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    In the second post of this series, we discussed the first two types of attacks involving wearables. We will now proceed to the third type of attack, which can be considered the most damaging of the three.

    High User Risk, Low Feasibility Attacks

    These attacks are considered the most dangerous but these are also considered the least likely to happen. If an attacker manages to successfully compromise the hardware or network protocol of a wearable device, they would have access to the raw data in the ‘IN’ devices but also the ability to display arbitrary content on ‘OUT’ devices.

    These scenarios range from personal data theft to mangling the reality of a camera device. These attacks might affect the wearer adversely and might even stop them from performing their daily routines. These attacks can also have a major impact if these devices are used in a professional setting: a simple Denial-of-Service (DoS) attack could prevent a doctor from operating on a patient or prevent a law enforcement agent from acquiring input data to catch criminals.

    Given that the single, most-used protocol used by these devices is Bluetooth, a quick explanation would be helpful. Bluetooth is a short range wireless protocol similar to Wi-Fi in uses but with a big difference. Whereas Wi-fi has an “access point” philosophy in mind, Bluetooth works like an end-to-end kind of communication. You need to pair two devices in order to make two devices “talk” to each other via Bluetooth. In this pairing process, the devices interchange an encryption key that will serve to establish communication between the two devices. Another difference with Wi-Fi is that Bluetooth tries to minimize radio interference by hopping from one band to another in a pre-established sequence.

    This type of set-up has two main effects on hacking via Bluetooth. One, an attacker needs to acquire the encryption key being used by listening to the paired devices the first time these sync up. Any later than that and the communication will be just noise to the intruder. Two, a DoS attack needs to broadcast noise in a wide range of frequencies in use by the protocol in order for it to have an impact. This is not impossible but such an attack involves a bigger effort than against just any other radio protocol.


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    In the previous post, we talked about the definition and categories of wearables. We will now focus our attention at possible attacks for such devices.

    The possibility of attacks varies largely, depending on the broad category we are focusing on. The probability of attack will increase depending on where the attack can take place. Conversely, the possibilities of physical damage are much more remote as you go further from the physical device. As the attack moves further away from the device, the focus shifts towards stealing the data.

    Low User Risk, High Feasibility Attacks

    These attacks are the easiest to pull off but they have the most limited application against the user. In this scenario, the attacker compromises the cloud provider and is able to access the data stored there.

    Figure 1. Hackers are accessing the cloud provider to get the data


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice