    Microsoft has released an out-of-band security bulletin (MS14-068) that addresses a vulnerability in the implementation of Kerberos in various versions of Windows. The bulletin states that this vulnerability is already being used in “limited, targeted attacks”. This warning, plus the fact that Microsoft considered this threat serious enough to merit an out-of-cycle patch, should make users consider patching as soon as possible.

    Kerberos is a protocol used to authenticate users within a network. This vulnerability (designated as CVE-2014-6324) could allow an attacker to escalate privileges to that of a domain administrator; this could then be used to compromise any system connected to that domain, including domain servers.

    This is a serious flaw which lends itself to usage in targeted attacks. An attacker will have to use separate means to penetrate a network, but once inside this vulnerability could be used to compromise any machine connected to the organization’s domain server (effectively, all machines).

    Used properly, this vulnerability is as effective a tool for lateral movement within an organization as any known today. Microsoft has identified no workaround or mitigation other than applying the patch; the only requirement for a successful attack is that the attacker already holds valid domain credentials. For an attacker who has already penetrated a network, this is hardly a barrier.

    The damage an attacker could do if an organization’s domain server was compromised could be significant. In a worst case scenario, the entire domain would have to be rebuilt from the ground up, which would be extremely costly in time and resources for any organization.

    Microsoft itself suggests that this attack has been used in targeted attacks saying that they “are aware of limited, targeted attacks that attempt to exploit this vulnerability.” With knowledge that a vulnerability exists, and information provided by the patch, we can expect to see more attacks that target this flaw in the future.

    The vulnerability is present in all server versions of Windows from Server 2003 onward; administrators should roll out the patch to these systems as soon as is practical. A patch is also available for client versions of Windows, but it is a defense-in-depth update that does not address a vulnerability on those systems.


    Last August, we wrote about POWELIKS’s malware routines that are known for hiding its malicious codes in the registry entry as part of its evasion tactics.

    In the newer samples we spotted, malware detected as TROJ_POWELIKS.B employs a new autostart mechanism and removes users’ permission to view the contents of the registry key it uses. As a result, users have no visible sign that their systems are already infected by the POWELIKS malware. This autostart technique is new to the threat landscape and is not currently covered by Autoruns for Windows, the Windows utility that lists all files and registry entries that execute upon Windows startup.

    When executed, POWELIKS creates the following registry entry:


    (Default)="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval…"


    Viewed in the registry editor, the key looks like this:


    Figure 1: The created key of Poweliks

    Based on the above screenshot, it would seem that the malware isn’t present in the registry. However, the POWELIKS code is actually there: the malware hides it by removing the user’s permission to read that specific registry key.


    Figure 2: User’s permission profile
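    The autostart value quoted above has a recognizable shape: rundll32.exe launched with a javascript: URL that loads mshtml’s RunHTMLApplication to eval the real payload. The following Python is an added example (not code from the post or from Trend Micro) that parses text in the .reg export format and flags values matching that shape; the key path in the constructed sample is a placeholder, not the location the malware actually uses, and the whole sample export is constructed for illustration.

```python
import re
from typing import Iterator, List, Tuple

# Indicators of the autostart described above: a value that launches
# rundll32.exe with a javascript: URL and loads mshtml's RunHTMLApplication
# to eval the real payload.
POWELIKS_PATTERNS = [
    re.compile(r"rundll32(\.exe)?\s+javascript:", re.IGNORECASE),
    re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.IGNORECASE),
]


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) from text in the .reg export format.

    Only quoted string values are handled; hex:/dword: values are skipped.
    The default value appears as '@' in this format and is reported as
    '(Default)' to match what the registry editor shows.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if not (data.startswith('"') and data.endswith('"')):
            continue  # not a string value
        yield key, name, data[1:-1]


def find_poweliks_values(text: str) -> List[Tuple[str, str]]:
    """Return (key, value_name) pairs whose data matches the indicators."""
    return [
        (key, name)
        for key, name, data in parse_reg_export(text)
        if any(p.search(data) for p in POWELIKS_PATTERNS)
    ]


# Constructed sample export: one benign Run entry and one entry shaped like
# the value quoted in the post. The key path is a placeholder, not the real
# location used by the malware.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\CONSTRUCTED_EXAMPLE_KEY]
@="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval(\"...\")"
'''

if __name__ == "__main__":
    for key, name in find_poweliks_values(SAMPLE_EXPORT):
        print(f"suspicious autostart: [{key}] {name}")
```

    On a live system the export itself is the second signal: a key under the user’s own hive that cannot be read or exported because the permissions have been stripped, as the post describes, deserves a look even before any value matches.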



    In our monitoring of the global threat landscape, we tend to notice that countries sometimes become affiliated with a particular cybercriminal activity. One classic example is Brazil, which is known for its association with banking malware. As we noted in a previous blog entry, “[O]nline banking theft is especially rampant in the country, whose history of hyperinflation has once led to an early adoption of online financial systems and a large online banking community.” However, we felt like something was missing. What would explain the growth of these activities in Brazil?

    Several factors may have contributed to this growth. For example, Brazil lacks concrete laws addressing cybercrime, and its law enforcement agencies have limited resources for it. Additionally, the technological and consumer landscape in Brazil, which has a 50% Internet penetration rate and a 69% credit card penetration rate, has made the country all too appealing for cybercriminals.

    However, another factor may also have contributed to Brazilian cybercrime: the existence of a flexible underground market with different offerings, ranging from banking Trojan development to online fraud training. The latter is highly notable, as it is the most distinctive item in the market and may not be found in other underground markets.

    In Brazil, it’s possible to start a new career in cybercrime armed with only US$500. Would-be cybercriminals are supported and helped by tools, forums, and experts from the dark side of the Internet. These bad guys do not fear the authorities and their groups get bigger in a short span of time.

    These criminals use a wide array of tools and services for their communication. These include IRC channels, Deep Web forums, and private servers. Social networks and encrypted text chat software, including those for mobile, are also heavily used by the bad guys. In short, cybercrime communication is made easy, which makes law enforcement efforts more difficult.

    Figure 1. A sample post in an underground forum, which translates to “Can anyone help me with credit card stealing? I’d like to start working on this.”

    Our paper, “The Brazilian Underground Market: The Market for Cybercriminal Wannabes?,” discusses at length the tools and services sold in the Brazilian black market. The paper also talks about the characteristics that set it apart from other underground markets. For example, Russian and Chinese cybercriminals hide in the deep recesses of the Web and use tools that ordinary users do not such as Internet Relay Chat (IRC) channels. Meanwhile, Brazilian cybercrooks use more popular means like Facebook, YouTube, Twitter, Skype, and WhatsApp for organizing and advertising.

    Another key feature of Brazilian online threats is that they mostly target local victims. These threats are developed locally, sold to local criminals, and used to target fellow Brazilians. Because of this ‘localization’ there is no good way to get threat intelligence unless we immerse ourselves in the Brazilian landscape.

    By providing information on the kinds of threats or attacks offered by the Brazilian underground, we hope to help companies and users to defend themselves. We also aim to help law enforcement agencies and researchers get intelligence on cybercrime operations.

    This is part of the Cybercrime Underground Economy Series of papers, which take a comprehensive view of various cybercrime markets from around the world.


    In the entry FlashPack Exploit Leads to New Family of Malware, we tackled the FlashPack exploit kit and how it uses three URL patterns as its landing pages:

    • http://{malicious domain}/[a-z]{3}[0-9]{10,12}/loxotrap.php
    • http://{malicious domain}/[0-9,a-z]{6,10}/load0515p6jse9.php
    • http://{malicious domain}/[a-z]{3}[0-9]{10,12}/ldcigar.php

    We monitored the abovementioned URLs and found out that the FlashPack exploit kit is now using free ads to distribute malware such as ZeuS/ZBOT, DOFOIL, and ransomware variants. This technique of using ad networks for malicious intent is called malvertising.
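    The landing-page patterns above are already written as character classes, so they translate almost directly into regular expressions a proxy-log scan can use. The following Python is an added example (not code from the post or from Trend Micro) that does that over constructed log lines; the log format, client addresses and .test host names are all made up for illustration, and the comma in the post’s second class `[0-9,a-z]` is read as meaning “digits or lowercase letters”, which is an assumption.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Landing-page path patterns quoted in the post. The post writes the second
# class as [0-9,a-z]; the comma is read here as "digits or lowercase letters"
# (an assumption), so it becomes [0-9a-z].
FLASHPACK_PATH_PATTERNS = {
    "loxotrap": re.compile(r"^/[a-z]{3}[0-9]{10,12}/loxotrap\.php$"),
    "load0515p6jse9": re.compile(r"^/[0-9a-z]{6,10}/load0515p6jse9\.php$"),
    "ldcigar": re.compile(r"^/[a-z]{3}[0-9]{10,12}/ldcigar\.php$"),
}


def classify_url(url: str) -> Optional[str]:
    """Return the name of the landing-page pattern the URL path matches, if any."""
    path = urlsplit(url).path
    for name, pattern in FLASHPACK_PATH_PATTERNS.items():
        if pattern.match(path):
            return name
    return None


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Flag requests in a 'client method url status' log (constructed format)."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, method, url, status = parts[:4]
        name = classify_url(url)
        if name:
            hits.append({"client": client, "url": url,
                         "pattern": name, "status": status})
    return hits


def clients_by_hits(hits: List[Dict[str, str]]) -> Counter:
    """How many landing-page requests each client made (triage ordering)."""
    return Counter(h["client"] for h in hits)


# Constructed sample log: benign traffic, three matches, and one near-miss
# (only two letters before the digits) that must not match.
SAMPLE_LOG = """\
10.0.0.12 GET http://www.example.com/index.html 200
10.0.0.15 GET http://ads.example.net/banner.js 200
10.0.0.15 GET http://landing-a.test/abc12345678901/loxotrap.php 200
10.0.0.23 GET http://landing-b.test/k3j9d2/load0515p6jse9.php 200
10.0.0.23 GET http://landing-c.test/xyz1234567890/ldcigar.php 404
10.0.0.31 GET http://landing-c.test/xy1234567890/ldcigar.php 200
"""

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["pattern"], h["url"])
    print(clients_by_hits(hits))
```

    Matching on the path alone, rather than on the host, is deliberate: the post’s patterns leave the domain as a placeholder, and the kit rotates hosts while keeping the script names.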

    Based on data from the Trend Micro™ Smart Protection Network™, the North American region has the largest number of users who accessed these malicious URLs.

    Tables 1-3. Most affected regions per URL

    Distributing DOFOIL via Ad Networks

    Around the end of August, we observed that detections for TROJ_DOFOIL (specifically TROJ_DOFOIL.WYTU, TROJ_DOFOIL.WYTV, TROJ_DOFOIL.WYTX, and TROJ_DOFOIL.SM01) surged suddenly, peaking last October. This threat is currently active in the wild and is known for capabilities such as connecting to C&C URLs, dropping files, and detecting sandboxes.



    Earlier this week, we noticed a spike in the volume of spammed messages that pretend to come from the messaging service Viber. This app, which also has a desktop version, lets users make free calls and send messages. The email informs the recipient that they have one voice message for their account.

    Figure 1. Sample spammed message

    Different Routines for PC and Mobile

    The infection routine is pretty straightforward for computers: clicking the embedded link leads to the download of backdoor malware, detected as BKDR_KULUOZ.VLU, in the system.

    However, recipients who open the email on their mobile devices experience a different routine altogether. Rather than dropping malware, the link redirects the user to various websites, such as a random URL, a search engine site, or even official app stores.

    Mobile users were sometimes redirected to a streaming site. Investigations revealed that this site has been linked to suspicious activities. For example, the site covertly charges the credit card number users must give during registration. Some users were redirected to the site by clicking a “Flash Player” update advertisement.

    Figure 2. Users are sometimes redirected to a streaming site

    Redirections Based on Mobile OS

    What’s more notable is that the redirection can also vary depending on the OS of the device. Android users were directed to the “Go Launcher” app on the Google Play Store. Apple users were directed to a Chinese gaming app on the iTunes site. It should be noted that neither of these apps is malicious.

    Figures 3 and 4. Users are sometimes redirected to Google Play and iTunes

    Redirections based on platform are not limited to official app stores. Android users who click the link were sometimes redirected to what appears to be a blank page. After checking the source code of the page, we found that it contains links that lead to a URL with an .APK file, detected as ANDROIDOS_PAWEN.HBT.

    This app contains links to various adult sites. In addition, it monitors the user’s incoming and outgoing calls, taking note of any numbers and sending them to URLs hardcoded in the app. The purpose of these URLs is patently clear from their names:

    • http://{malicious domain}/scripts/app_tracking_manager.php
    • http://{malicious domain}/scripts/app_call_tracking_manager.php

    However, it should be noted that users are not led to the link that contains the malicious .APK file. Meanwhile, iPhone users were sometimes redirected to an adult site.
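    Because the outcome of the spammed link depends on the device class, an analyst triaging it has to request it once per User-Agent and record each redirect chain separately. The following Python is an added example (not code from the post or from Trend Micro) of that procedure: redirects are followed by hand so every hop is logged, and a constructed `fake_fetch` stands in for the network, modelling the desktop download, Android app-store and iPhone store outcomes described above with made-up .test hosts; the User-Agent strings and the `urllib_fetch` helper for a live run are likewise the example’s own.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

# Constructed User-Agent strings standing in for the three device classes
# the post distinguishes.
PROFILES = {
    "desktop": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
    "android": "Mozilla/5.0 (Linux; Android 4.4; Nexus 5) AppleWebKit/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4",
}

# A fetch callable takes (url, user_agent) and returns (status, headers) for
# that single request without following redirects itself.
Fetch = Callable[[str, str], Tuple[int, Dict[str, str]]]
REDIRECT_CODES = {301, 302, 303, 307, 308}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (servers differ in capitalisation)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def follow_chain(url: str, user_agent: str, fetch: Fetch, max_hops: int = 10):
    """Follow redirects manually; return (chain, final status, content type)."""
    chain: List[str] = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1], user_agent)
        location = _header(headers, "Location")
        if status in REDIRECT_CODES and location:
            chain.append(urljoin(chain[-1], location))
            continue
        return chain, status, _header(headers, "Content-Type") or ""
    return chain, None, ""  # gave up: redirect loop or too many hops


def probe_by_platform(url: str, fetch: Fetch):
    """One redirect chain per device profile."""
    return {name: follow_chain(url, ua, fetch) for name, ua in PROFILES.items()}


def platform_dependent(results) -> bool:
    """True when the final landing URL differs between device classes."""
    return len({chain[-1] for chain, _, _ in results.values()}) > 1


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def urllib_fetch(url: str, user_agent: str) -> Tuple[int, Dict[str, str]]:
    """Live fetch for use from an analysis host; 3xx responses arrive as HTTPError."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


# Constructed stand-in for the network, modelling the post's description:
# desktop gets a file download, Android is bounced through a redirector to
# an app-store page, iPhone goes to a different store page. All .test hosts.
SPAM_URL = "http://voice-message.test/listen"


def fake_fetch(url: str, user_agent: str) -> Tuple[int, Dict[str, str]]:
    if url == SPAM_URL:
        if "Android" in user_agent:
            return 302, {"Location": "http://redirector.test/r?x=1"}
        if "iPhone" in user_agent:
            return 302, {"Location": "http://itunes-store.test/app/constructed"}
        return 200, {"Content-Type": "application/x-msdownload"}
    if url.startswith("http://redirector.test/"):
        return 302, {"location": "https://app-store.test/details?id=constructed.app"}
    return 200, {"Content-Type": "text/html"}


if __name__ == "__main__":
    for name, (chain, status, ctype) in probe_by_platform(SPAM_URL, fake_fetch).items():
        print(name, status, ctype, " -> ".join(chain))
```

    Swapping `fake_fetch` for `urllib_fetch` runs the same probe against a real link; keeping the fetch as an injected callable is what lets the chain-following logic be exercised offline.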


    While we have seen several threats that work on different platforms, the number of possible outcomes for this one spam attack is highly notable. It’s also interesting that the spammers behind this attack took great pains to redirect mobile users to different sites based on the platform of their devices.

    Messaging services are a common social engineering lure for attacks such as this one. Perhaps what makes this one more plausible than others is that Viber does have a desktop client. For users who receive the email, it wouldn’t be a far stretch for a recipient to assume that the voice mail exists.

    We advise users to be cautious when opening emails. Emails can be easily spoofed by spammers and other cybercrooks. Clicking links in emails should be avoided as much as possible. It’s far better for users to directly type the URL of the site on the address bar than rely on the embedded link.

    Trend Micro uses its Smart Protection Network to protect users from this threat by detecting the spam samples, malicious URLs, and all the malware related to this attack. Mobile users are also protected by the Smart Protection Network via its mobile products.

    We have reported this to Google.

    Hashes for the related detections are as follows:

    • 03f078d14c6714631f2f6acc78d0f5f23e80da70
    • de0563e92daea91d028d5b26a2e2c01477af1ac8

    With additional insight from Chloe Ordonia, Sylvia Lascano, Francis Atanzo, and Gideon Hernandez.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice