TrendLabs Malware Blog - Trend Micro (November 2014)

    Based on our research into the iOS threat Masque Attacks announced last week, Trend Micro researchers have found a new way that malicious apps installed through successful Masque Attacks can pose a threat to iOS devices: by accessing unencrypted data used by legitimate apps.

    According to reports, the iOS threat uses enterprise provisioning to attack non-jailbroken iOS devices, as WireLurker does. Enterprise provisioning allows enterprises to install “homegrown” apps on iOS devices without having them reviewed by Apple. They can then distribute these apps to their employees through iTunes (via USB) or wirelessly through the company’s own app store.

    While the WireLurker threat has been found to install fake or malicious apps via USB, Masque Attack brings more severe consequences by leveraging this mechanism. Masque Attack can replace installed apps with malicious versions that reuse the same signing key or bundle ID. The replacement (and malicious) app can then perform routines such as stealing sensitive data.

    Masque Reveals App Flaw

    Much has been reported about how enterprise provisioning can be abused by malicious apps. But what happens once the malicious app actually makes its way onto the iOS device?

    We tested several apps and found that some popular iOS apps do not encrypt their databases. In our analysis, we simply used file browsers to access these files. Additionally, the apps we tested are messaging/communication apps, which means they store a lot of sensitive information such as names and contact details.

    Figure 1. Unencrypted database in instant messaging (IM) app



    These days, when you see someone staring intently at or tapping on their mobile phone, chances are they’re busy with an app. This comes as no surprise, as 80% of consumers’ time on mobile devices is spent in apps for gaming, news, productivity, utility, social networking, and more.

    Safe and Risky Apps

    We are currently seeing almost 11 million samples in existence as of October 2014. Of these samples, 64% are considered safe, while 23% are considered high risk or adware; the permissions granted to these apps may be used to perform potentially unwanted routines. Of all the malicious apps we detected, 13% are outright malicious, or categorized as malware. These apps are known to originate from third-party app stores, that is, stores other than Google Play.

    Figure 1. Cumulative Malware and High Risk/Adware App Detections Based on Unique Samples, October 2014

    For the month of October, we counted more than 532,000 new Android samples. Almost a third, 29%, are malware, while a third, 30%, are adware. Less than half, 41%, of the apps checked were considered safe.


    Figure 2. Malware and High Risk/Adware App Detections Based on Unique Samples, October 2014

    These threats fall into one of the seven types of malicious apps we know, as follows:

    Figure 3. Android Malware Types

    We also continued to see desktop threats that can latch onto mobile devices, and vice versa. The USBATTACK malware for Android is one such threat. It poses as a device cleaner but actually does something else entirely: it steals device information, downloads AUTORUN malware onto the SD card, and then runs itself on a connected PC so it can use the PC’s microphone to record audio.

    What drives these threats?

    For one, mobile app adoption continues to flourish. This results in an attractive market ripe for cybercriminal threats and scams. App stores also serve as catalysts for mobile usage, given that they house the apps consumers are so fond of using.

    Based on our observations, third-party app stores were quite popular with mobile users this month. The number of apps downloaded from third-party app stores (4.17 million) exceeds the number downloaded from Google Play (2.58 million) and the number downloaded from all other app stores (4.13 million).

    The expanding adoption of third-party app stores can be quite problematic for mobile users given that many cybercriminal app developers can easily distribute apps using these channels.

    Is a careful examination of apps really needed?

    In the technology industry, the process of vetting apps, that is, tracking which ones are secure and identifying those that are not, is a valid option for ensuring the safety of app stores. The diagram below shows how the vendor Blackberry, for instance, makes use of mobile app vetting technology:

    Figure 4. How Trend Micro Mobile App Reputation Service works

    Vetting validates apps before they are submitted to app stores and weeds out the risky and/or malicious ones. Categories such as malware, private data leak, and battery usage are also assigned, which consumers may find helpful in gauging which apps are not only safe but also optimal for use on their devices.

    Now that the shopping season is looming closer, more cybercriminals are expected to come up with rogue, malicious apps that target mobile payments. What better time to attack consumers than at the height of their Black Friday or Cyber Monday shopping? Vetting apps is a way for app store operators to ensure the safety of their users, and at the same time, for users to ensure the safety of the apps they download.

    Read more about the mobile landscape and threats found in October and the app categories that are used for vetting apps in our report, How Vetting Mobile Apps Works for App Stores and Its Users.



    For many organizations today, the question is no longer if they will fall victim to a targeted attack, but when. In such an event, how an organization responds will determine whether it becomes a serious event or if it stays a mere annoyance.

    This requires something of a change of mindset for information security professionals. Earlier techniques and many best practices rest on the premise that an attacker can be kept out.

    However, that’s no longer the case today. The malware used in targeted attacks is frequently not detected, because it has been custom-made for the specific organization. A well-crafted social engineering attack can look like a normal business email or engaging clickbait.

    In short, an attacker with sufficient resources will be able to find their way inside their target, regardless of what the defender does. The defender can raise the price of getting in, but not prevent it entirely.

    The SANS Institute provides some guidelines to organizations on how they should react to incidents. Broadly speaking, however, the response can be divided into four steps:



    We recently found that the malware family ROVNIX can be distributed via a macro downloader. This technique was previously seen in the DRIDEX malware, which was notable for using the same routines. DRIDEX is also known as the successor of the banking malware CRIDEX.

    Though a fairly old infection method, cybercriminals have realized that malicious macros work just fine, even against sophisticated defense measures.

    ROVNIX Malware Routines

    Based on our analysis, ROVNIX writes malicious rootkit drivers to unpartitioned space on the NTFS drive. This effectively hides the driver, since this unpartitioned space is not visible to the operating system or to security products.

    To load the malicious driver, ROVNIX modifies the contents of the IPL (Initial Program Loader). This code is modified so that the malicious rootkit driver is loaded before the operating system. The technique essentially serves two purposes: to evade detection, and to load an unsigned driver on Windows 7 and later.

    ROVNIX Infection Chain

    In this attack, the malicious document contains a social engineering lure, specifically a fake alert from Microsoft® Office®, that instructs users to enable macro settings.


    Figure 1. Screenshot of the document with the malicious macro



    PoS malware has been receiving a tremendous amount of attention in the past two years with high-profile incidents like Target, Home Depot, and Kmart. With the massive “Black Friday” shopping season coming up, PoS malware will surely get additional publicity. Because of this high profile, we constantly look for evolving PoS malware and study its behavior patterns to better protect our customers and users.

    In order to be successful, PoS scammers don’t rely only on their malware to attack and exfiltrate victim data. They also use a wide variety of tools to support their endeavors. Some of these tools are also used by system administrators, such as PuTTY and tools provided by Microsoft as part of the Sysinternals suite.

    Looking at the additional tools PoS threat actors use is interesting because it gives us a preview of their daily activities, which we can use to profile them.

    PoS Terminal Insecurities

    Unfortunately, PoS terminals and environments are very often left insecure. This makes them an excellent target of opportunity for attackers. Attackers use a variety of methods when going after PoS terminals. One way they gain access to PoS devices is via VNC (Virtual Network Computing). Typically, credentials are either non-existent or very weak, which gives attackers many opportunities to use tools against VNC credentials.

    Microsoft’s Remote Desktop Protocol (RDP) presents an additional weak point in PoS environments. Unfortunately, the same weaknesses often found in VNC sessions are also found in RDP configurations. Weak and/or nonexistent credentials are common on PoS terminals using RDP. This likewise gives attackers many opportunities to use tools against RDP sessions.

    BackOff Actor Toolkits

    Earlier this year, Trend Micro published a paper detailing many different PoS RAM scrapers, including BackOff. BackOff became popular and widely used starting in July 2014 because it is custom-packed to obfuscate its code and make it difficult for security researchers to reverse-engineer its binaries.

    BackOff will almost always, in some way, communicate with a command-and-control (C&C) server to exfiltrate data or receive configuration updates. In addition to receiving commands and exfiltrating data, these same servers are often used to transfer tools to and from victim machines. This lets the attacker get tasks done easily and quickly while drawing the least amount of attention, since it reduces the work needed to transfer these tools to multiple victims.

    When looking at BackOff variants, one particular sample drew our attention – r0.exe. Upon examination, we found that this sample connects to The infection vector is not known

    The particular C&C server contained a wealth of information about what tools the attackers are using, as well as how they stored their data. We noticed that there was a litany of other tools the attackers were using. Typically, these tools are used in conjunction with the malware, or after a machine has already been compromised.

    The server hosted multiple files, including ZIP files, which are broken down further below. This is not an all-inclusive list of every file on the server, but is meant to showcase the tools and capabilities of these actors.

    r0.exe (MD5 hash: 7a5580ddf2eb2fc4f4a0ea28c40f0da9) – This file is a BackOff sample that was compiled on October 22, 2014. The file communicates to the following URLs for its C&C functions:


    r0.exe also creates a known BackOff mutex, aMD6qt7lWb1N3TNBSe4N.

    3-2.exe (MD5 hash: 0fb00a8ad217abe9d92a1faa397842dc) – This file is also a BackOff sample which was compiled approximately a month earlier than r0.exe (it was compiled on September 16, 2014). This file communicates to:


    DK Brute priv8.rar (MD5 hash: 028c9a1619f96dbfd29ca64199f4acde) – This RAR file contains multiple tools and files. One of these files is putty.exe, an SSH/telnet client. Also included were UltraVNCViewerPortable.exe and WinSCP. Both of these tools make sense in a scammer’s toolkit, as they can be used to connect to remote systems and transfer files.

    DK Brute.exe is also included; this is a tool used to brute-force Windows RDP and other remote connection protocols using a password list.

    IPCity.rar (MD5 hash: 9223e3472e8ff9ddfa0d0dbad573d530) – This RAR file contains three files. One is a .CSV file (GeoLiteCity.csv) which is used to map latitude/longitude coordinates to countries. This file appears to have been offered earlier as a free download from Maxmind, which provides databases to map physical locations to IP blocks.

    A tool called ip_city.exe was in the .RAR file as well. This tool is used to convert city and country locations to IP blocks. Taken together, these tools let an attacker scan and target particular countries and IP blocks more precisely.

    Figure 1. Screenshot of ip_city.exe

    VUBrute (MD5 hash: 01d12f4f2f0d3019756d83e94e3b564b) – This password-protected ZIP file contains a VNC brute forcer, VUBrute. This tool is popular in Russian underground forums and is used to compromise VNC credentials.

    Figure 2. Screenshot of VUBrute

    logmein_checker.rar (MD5 hash: 5843ae35bdeb4ca577054936c5c3944e) – This RAR file contains an application called Logmein Checker. LogMeIn is a popular commercial remote access tool. This application takes an account list (a list of username/password combinations) and runs it through a list of IP addresses/ports. It is used to find valid LogMeIn sessions that use weak credentials.

    Figure 3. Logmein Checker UI

    The attackers are likely using this to attack either PoS machines with weak LogMeIn credentials, or other machines on networks that also contain PoS devices.

    portscan.rar (MD5 hash: 8b5436ca6e520d6942087bb38e97da65) – This file contains a file named KPortScan3.exe, which is a basic port scanner. It allows IP ranges and port numbers to be entered. Based on data obtained from the C&C server, we believe this tool was used to scan ports 445, 3389, and 5900, as well as other ports. It’s likely this tool was chosen because of its ease of use and because a port scanner would be run from Windows.

    Figure 4. Port scanner UI
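Added example (not code from the post or from Trend Micro): a small log-side check for the two access patterns described above, a source sweeping the ports the post says KPortScan3 was used for (445, 3389, 5900) and a source repeatedly failing to log on to a single VNC/RDP service. The log format, the sample lines and the thresholds are all assumptions.

```python
from collections import defaultdict

SCAN_PORTS = {445, 3389, 5900}   # ports the post says the scanner targeted

# Constructed sample log lines (assumed format): "<src> -> <dst>:<port> <ok|fail>"
SAMPLE_LOG = """\
203.0.113.7 -> 192.168.1.10:445 fail
203.0.113.7 -> 192.168.1.11:3389 fail
203.0.113.7 -> 192.168.1.12:5900 fail
203.0.113.7 -> 192.168.1.13:3389 fail
203.0.113.7 -> 192.168.1.14:445 fail
198.51.100.9 -> 192.168.1.20:5900 fail
198.51.100.9 -> 192.168.1.20:5900 fail
198.51.100.9 -> 192.168.1.20:5900 fail
198.51.100.9 -> 192.168.1.20:5900 fail
198.51.100.9 -> 192.168.1.20:5900 fail
198.51.100.9 -> 192.168.1.20:5900 ok
192.168.1.50 -> 192.168.1.20:3389 ok
"""


def parse_line(line):
    """Return (src, dst, port, ok) or None for a malformed line."""
    try:
        src, arrow, rest = line.split(" ", 2)
        target, result = rest.split(" ", 1)
        dst, port = target.rsplit(":", 1)
        port = int(port)
    except ValueError:
        return None
    if arrow != "->":
        return None
    return src, dst, port, result.strip() == "ok"


def analyze(log_text, min_hosts=4, min_failures=5):
    """Flag scanners (>= min_hosts distinct hosts touched on SCAN_PORTS) and
    brute-force runs (>= min_failures failures against one service).  A success
    that follows such a run is reported separately: a weak credential was found."""
    hosts_hit = defaultdict(set)
    failures = defaultdict(int)
    success_after = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                       # skip lines that do not parse
        src, dst, port, ok = rec
        if port in SCAN_PORTS:
            hosts_hit[src].add(dst)
        key = (src, dst, port)
        if not ok:
            failures[key] += 1
        elif failures[key] >= min_failures:
            success_after.add(key)
    scanners = {s: len(h) for s, h in hosts_hit.items() if len(h) >= min_hosts}
    brute = {k: n for k, n in failures.items() if n >= min_failures}
    return {"scanners": scanners, "bruteforce": brute,
            "success_after_bruteforce": success_after}
```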

    C&C Infrastructure Analysis and Relationship Building

    After looking closer at the C&C server, we pivoted and found additional files that are, or have been, hosted on it. In total, there have been over 9 unique malware samples hosted on, dating back to February 2014. This includes PoS malware such as Alina, a popular PoS RAM scraper.

    We also found an additional directory on this server: The name Rome0 may look familiar to those of you who Xyiltol and the Trackingcybercrime blog.

    While accessing this directory doesn’t generate a response, we continued to check for sites that had /something/login.php?p=Rome0 as part of the URL. When doing this, we found another site: Looking closer at the relationship between and, we saw that there was an open directory on the C&C server: These URLs don’t return any results either.

    When we looked at the root directory, however, we found a Zip file named (MD5 hash: f9cbd1c3c48c873f3bff8c957ae280c7). This file contained what appeared to be the code for the C&C server, as well as several text documents containing names and credit card track data.

    Figure 5. Server root directory contents

    While we don’t know if the same French criminal Rome0 owns or operates these two servers for PoS operations, we do know that both servers have used Rome0 in their URLs. We also noticed in one of the text files a directory named /home/rome0/public_html/something/bot.php, presumably showing the user’s internal directory for hosting files. In addition, we know that Rome0 is heavily involved in PoS malware and carding, based on Xyiltol’s excellent investigative work.


    While we didn’t showcase many new tools in this post, it is an interesting case study of some of the tools that PoS scammers use. This list isn’t exhaustive, but it shows that the attackers using these tools are not especially advanced. They use what works, without reinventing the wheel or developing new programs.

    Information about these tools helps administrators protect PoS systems on an ongoing basis.

    In addition to the malicious files listed above, here is a list of all the URLs we looked into for this post:



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice