    February 2015

    2014 was a year marked by numerous changes in the threat landscape. We saw many improvements to existing malware, either through new evasion techniques or new versions. We even saw some old techniques and attacks resurface.

    Evasion Tactics

    We are seeing more malware incorporate Tor in their routines as a method of evasion. We have seen ZBOT variants include a Tor component to hide the malware’s communication to its command-and-control (C&C) servers. We have also seen a variant of BIFROSE malware, often used in targeted attacks, include Tor in its communications routine.

    In the span of a few months, we watched the malware POWELIKS expand its anti-detection techniques. At first, POWELIKS hid its malicious code in the Windows Registry, making detection and forensics difficult. We later found new variants that employ a new autostart mechanism and remove users’ privileges to view the registry’s content.

    Spam also upped the ante by using snippets of current news articles in the body text of the email. This technique, adding random clips of incidents or news that may be relevant given the date and time, is used by spammers to avoid email filters.

    The Rise of 64-Bit Malware

    In 2014, Google observed that the majority of Windows users are now running 64-bit operating systems. Unfortunately, attackers are following suit with 64-bit malware.

    The notorious banking malware ZeuS/ZBOT was found targeting 64-bit systems. This 64-bit version of ZeuS/ZBOT is a progression for the malware. Upon analysis, we found that this new version has upgraded its antimalware evasion techniques, including preventing certain analysis tools from executing.

    In the 2H 2013 Targeted Attack Trends report, we noted that almost 10% of all malware related to targeted attacks runs exclusively on 64-bit platforms. Activity in the threat landscape supports this statistic. We spotted an upgraded 64-bit KIVARS used in targeted attacks. Meanwhile, 64-bit versions of the malware MIRAS were discovered to have been used in the data exfiltration stage of a targeted attack. Yet another malware family, HAVEX, was also found to have 64-bit versions.


    Zero-day exploits pose some of the most serious risks to users everywhere. The absence of a patch means that it is up to users (and whatever security products they use) to protect against these attacks.

    One of the tools that can be used to mitigate these attacks is an advanced network detection solution like Trend Micro Deep Discovery, which contains a sandbox that allows for on-the-fly analysis of the various threats entering an organization’s network. This allows it to detect even attacks that use zero-day exploits without any updates being necessary, providing immediate protection to users.

    Problems for common sandboxes

    In today’s threat environment, sandboxing is necessary to defend against persistent threats. Sandboxes generally rely on behavioral analysis within a virtual environment to detect various threats. As they become more commonplace, attackers will attempt to find methods to evade them.

    Attackers therefore need only exert some effort to exhibit less behavior inside a sandbox, using anti-VM and anti-sandbox techniques. It is important for sandboxes to reflect user environments as accurately as possible; Deep Discovery’s custom sandbox can be configured by administrators for this reason.

    This poses a challenge for the traditional field of file detection, which has expanded in recent years to cover exploits. Typical sandboxes face several critical challenges:

    • The exploit is used not only to deploy a payload, but also to conceal it.
      The malware payload is encrypted so that the sandbox cannot identify it as an executable file. The shellcode in the exploit is responsible for decrypting the payload before it can be executed. In the simplest cases, the malware payload is simply XOR-ed; however, we have seen more complex algorithms used.
      Some payloads are even designed to execute directly in memory, which means you cannot obtain a complete PE file to execute within the sandbox. A common sandbox cannot easily detect malware that uses this evasion method.
    • Exploits evade the sandbox as well.
      Typical sandboxes run specific file types such as .SWF, .JAR, and .PDF in order to check whether these files contain exploit code. Attackers know all about this, however, and try to evade it. The exploit code can include checks of the environment it is running in, or it can depend on parameters or function calls passed from the enclosing HTML. The exploit code won’t run if it is opened directly, or in an incorrect context.

    The Flash zero-day exploits we analyzed earlier this year used these methods to evade detection by common sandboxes. Smart sandboxes (as used by Trend Micro Deep Discovery) have the capability to deal with these evasion techniques and successfully detect zero-day exploits.

    Smart sandbox

    Compared to a common sandbox, a smart sandbox is capable of analyzing the behavior of multiple aspects of a threat: its scripts, its shellcode, and its payload, within a customizable sandbox.

    Figure 1. Structure of a custom sandbox

    Script behavior can tell us an exploit’s anomalous object usage, function calls, and heap sprays. Variables can also be analyzed for ROP/shellcode data.

    Meanwhile, shellcode analysis can detect an exploit’s use of the stack and heap during ROP/shellcode execution, as well as anomalous file and registry operations in application processes. Analysis of payloads can reveal the scope of their impact on systems, such as autorun routines created, files dropped, and connections to C&C servers. This is the same kind of analysis used in traditional behavior analysis.

    Why is a smart sandbox necessary? More and more exploit kits are using advanced obfuscation and evasion techniques:

    Figure 2. Evasion against static scan used in popular exploit kits

    The sandbox in Deep Discovery was built differently to allow our products to deal with these attacks. The sandbox contains an emulator that acts as a customized ActionScript Virtual Machine for Flash exploits, as well as script engines that run Java, JavaScript, and VBScript. This control over the execution environment improves the ability of the sandbox to gather information about any code that is tested within the sandbox.

    For example, recent Adobe Flash zero-day exploits have been heavily encrypted to prevent static heuristics from successfully analyzing them. However, Deep Discovery was able to capture and identify this malicious behavior. In addition, we are able to get a more complete picture of exploits.

    Taken together, this allows Deep Discovery to more quickly detect zero-day threats. Its smart sandbox is able to detect even obfuscated exploits more reliably. No update is necessary to provide protection against these attacks. This provides immediate protection against zero-day attacks; it also allows system administrators to see if they are targets and act accordingly.


    2014 can be remembered as the year when PoS malware attacks became truly widespread. Many retailers and other businesses became victims of these attacks, which resulted in financial losses and embarrassment for their victims. One can ask: how do these organizations become victims of PoS malware in the first place?

    Most of the methods used to compromise a system with PoS malware are broadly similar to those used by any other malware. In our paper titled PoS RAM Scraper Malware, we discussed some possibilities, including:

    • A malicious insider
      Employees of an organization could decide to plant PoS malware on the relevant systems. This is one of the hardest threats to defend against, but as far as PoS malware is concerned, one of the earliest scrapers was first discovered in air-gapped PoS systems. To this day, some PoS malware families will dump stolen data directly to a USB stick.
    • Phishing/social engineering
      Phishing is one of the oldest techniques around to compromise a network, and it’s still very effective. This risk is particularly acute in small businesses, which tend to use a PoS system not just for payment purposes, but for others as well (such as email, browsing, and social media). This increases the risk that various social engineering attacks will prove to be successful.
    • Vulnerability exploitation
      PoS systems are frequently not updated, partially at the behest of terminal vendors who may have something of a “it’s not broke, don’t fix it” mentality. Unfortunately, this means that these systems are vulnerable to many exploits that attackers regularly try to use. This can be a problem particularly in cases where PoS systems are used for other purposes.
    • Non-compliance with PCI DSS guidelines
      The payment industry’s PCI DSS guidelines are supposed to mandate best practices within the industry, but in some cases these are not followed. The causes for non-compliance may vary, but the end result is the same: poor implementation of best practices allows various “small” incidents to leak payment information.
    • Targeted attacks
      More sophisticated attacks may also be used to target a business’s PoS systems. For example, targeting a third-party contractor with access to a company’s network may be easier than targeting the company directly.

    Whatever the entry point, a variety of technologies can be used to detect these threats. Deep packet inspection tools can help detect the network traffic associated with these attacks. Most importantly, because the functions performed by PoS systems are sufficiently limited in scope, they represent an ideal situation for application control. This would make launching malware attacks of any kind significantly more difficult.

    The infographic, Protecting Point of Sales Systems from PoS Malware, outlines how a PoS attack takes place, and what steps need to be taken to protect against them.


    Trend Micro Reaches 500M Good Files

    Trend Micro has recently reached an important milestone: we vetted our 500 millionth “good file” towards the end of 2014. This means that we have a strong and vast repository of files to competently decide whether any given file is non-malicious or otherwise.

    Securing Single-Purpose Systems

    Whitelisting is increasingly being seen as a key component of modern solutions to dealing with today’s threat landscape. Recent attacks on PLCs (ICS/SCADA) and PoS systems demonstrate how effective locking down systems (enabled via application control) can be.

    In these kinds of systems, the functions that need to be enabled are very limited and specific. Because of this, it is relatively easy to specify the exact files that need to pass through any whitelisting filters. In addition, the damage that can be inflicted if these systems are compromised is significant. Air gapping systems may be an option in some cases, but frequently employees end up bypassing any air gaps anyway (via USB disks), and sometimes it may not even be possible (other design requirements may require connectivity.)

    At the same time, we also know that targeted attacks use highly customized malware that is tested against known blacklists before being deployed to specific targets. It is becoming more and more apparent that blacklisting by itself is no longer sufficient to protect networks.

    With the increasing acceptance of whitelisting and application control solutions for current digital threats, building a database of catalogued and whitelisted files is a crucial ingredient in providing up-to-date protection and solutions to end users.

    Risk Management through Application Control

    What else can whitelisting offer? In addition to protecting against both known and unknown threats, it also offers substantial benefits to IT administrators. When major unpatched vulnerabilities are disclosed, the information can be used to quickly determine what an organization’s risks are. It can also be used to control and classify the apps that employees do use. This allows an organization to save valuable time, resources, and money.
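The two ideas above, default-deny execution on a single-purpose system and using the same catalogue to answer "which of our endpoints runs the version named in an advisory", can be shown in a few lines. The following is an added example and not Trend Micro's code; it does not reflect how GRID or TMCSSS are implemented. The catalogue entries, the binaries (short byte strings hashed in place of real software), the product names and the terminal inventory are all constructed for the demonstration.

```python
"""Hash allowlist for application control, plus a risk query over the same catalogue."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class GoodFile:
    sha256: str
    product: str
    version: tuple   # e.g. (4, 2, 0); tuples compare component-wise


# Constructed "binaries": the byte strings stand in for real executables.
_SAMPLE_BINARIES = {
    "pos_terminal.exe":     (b"constructed POS terminal binary v4.2.0", "PoSTerminal", (4, 2, 0)),
    "pos_terminal_old.exe": (b"constructed POS terminal binary v4.0.1", "PoSTerminal", (4, 0, 1)),
    "printer_driver.sys":   (b"constructed receipt printer driver",     "ReceiptPrinter", (1, 0, 0)),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(samples=_SAMPLE_BINARIES) -> dict:
    """Map sha256 -> GoodFile for every catalogued binary."""
    return {sha256_hex(blob): GoodFile(sha256_hex(blob), product, version)
            for blob, product, version in samples.values()}


def is_allowed(allowlist: dict, file_bytes: bytes) -> bool:
    """Default deny: only a byte-exact match against the catalogue may execute."""
    return sha256_hex(file_bytes) in allowlist


# Constructed endpoint inventory: the catalogued hashes each terminal was seen running.
_SAMPLE_INVENTORY = {
    "TERM-01": [sha256_hex(_SAMPLE_BINARIES["pos_terminal.exe"][0]),
                sha256_hex(_SAMPLE_BINARIES["printer_driver.sys"][0])],
    "TERM-02": [sha256_hex(_SAMPLE_BINARIES["pos_terminal_old.exe"][0])],
}


def exposed_hosts(allowlist: dict, inventory: dict, product: str, fixed_in: tuple) -> list:
    """Hosts running `product` at a version below `fixed_in`, i.e. the population an
    advisory for that product puts at risk until the patch is deployed."""
    hosts = []
    for host, hashes in inventory.items():
        for h in hashes:
            entry = allowlist.get(h)
            if entry and entry.product == product and entry.version < fixed_in:
                hosts.append(host)
                break
    return sorted(hosts)


if __name__ == "__main__":
    allow = build_allowlist()
    print("tampered binary allowed?", is_allowed(allow, b"constructed POS terminal binary v4.2.0 "))
    print("hosts below PoSTerminal 4.2.0:", exposed_hosts(allow, _SAMPLE_INVENTORY, "PoSTerminal", (4, 2, 0)))
```

Because the decision is a byte-exact hash match, a single changed byte in a binary is denied rather than being evaluated against a blacklist it was built to pass, which is the property the text relies on for PLC and PoS systems.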

    To help with this, we have been building a centralized file whitelist database, which we call the Goodware Resource Information Database (GRID). When integrated into our products, the GRID service is called Trend Micro Certified Safe Software Service (TMCSSS). We have collected more than 570 million non-malicious files over five years. This includes the applications that users are most likely to encounter in their day-to-day usage.

    The collection of files that GRID represents is also used to generate valuable intelligence about legitimate files. File properties are extracted and normalized to ensure that applications, vendors, and software publishers are correctly recorded.  Functional categories, resource usage, vulnerability information, and overall risk ratings are also generated and stored, which can be used for research and analysis purposes.

    Application Control in Endpoint Clients

    GRID has been used to enhance various Trend Micro products, systems, and processes. Product features such as file integrity monitoring and application control are made possible via the database of known clean files the GRID represents. Endpoint products regularly query GRID to improve their performance and accuracy.

    Today’s new threats demand new solutions, and whitelisting is an incredibly valuable tool. Technologies such as GRID help power whitelisting and improve its utility to network administrators, making managing threats easier, more effective, and less painful.


    Last year we saw how the Windows PowerShell® command shell was involved in spreading ROVNIX via malicious macro downloaders. Though the attack seen in November did not directly abuse the PowerShell feature, we’re now seeing the banking malware VAWTRAK abuse this Windows feature, while also employing malicious macros in Microsoft Word.

    The banking malware VAWTRAK is involved with stealing online banking information. Some of the targeted banks include Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan. Other variants seen in the past targeted German, British, Swiss, and Japanese banks.

    Arriving via “FedEx” Spam

    The infection chain begins with spammed messages. Most of the messages involved in this infection are made to look like they came from the shipping company FedEx. The emails notify their recipients that a package was delivered to them, and carry an attached receipt number for the supposed “delivery.”

    Figure 1. “FedEx” spam

    Another email we saw came from a fake American Airlines email address, which informs recipients that their credit card has been processed for a transaction. The attached “ticket” is a Microsoft Word file that supposedly contains details of the transaction.

    Figure 2. “American Airlines” email

    Using Macros and PowerShell

    Email recipients who open the document will first see jumbled symbols. The document instructs users to enable the macros, and a security warning on the upper right hand corner leads users to enable the feature.

    Figure 3. Document before and after enabling the macro feature

    Once the macro is enabled, a batch file is dropped onto the affected system, along with a .VBS file and a PowerShell script. The batch file is programmed to run the .VBS file, which in turn runs the PowerShell file. The PowerShell file finally downloads the VAWTRAK variant, detected as BKDR_VAWTRAK.DOKR.

    Figure 4. Connecting to URLs to download VAWTRAK

    The use of three components (batch file, VBScript, and Windows PowerShell file) might be an evasion tactic. The VBS file launches PowerShell with the “-ExecutionPolicy bypass” flag to bypass execution policies on the affected system. These policies are often seen as a “security” feature by many administrators: they will not allow scripts to be run unless they meet the requirements of the policy. When the “-ExecutionPolicy bypass” flag is used, “nothing is blocked and there are no warnings or prompts.” This means that the malware infection chain can proceed without any security blocks.
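Because the execution policy is not a security boundary, the useful defensive signal is the process lineage itself: a PowerShell instance started with an ExecutionPolicy override whose ancestors include a script host, cmd.exe and an Office application. The following added example (not code from the original post or from Trend Micro) runs that check over a constructed set of process-creation events. The pipe-separated line format, the pids and the paths are assumptions made for the demonstration; real telemetry such as a process-creation event log carries the same four fields in its own format.

```python
"""Flag PowerShell launched with an ExecutionPolicy override from a script-host chain."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# PowerShell accepts unambiguous parameter prefixes, so -ex, -exec and -ep are
# covered alongside the full -ExecutionPolicy spelling.
BYPASS_RE = re.compile(r"-(?:ex[a-z]*|ep)\s+bypass", re.IGNORECASE)

# Ancestors that indicate a document- or script-driven launch rather than an admin console.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "winword.exe", "excel.exe"}

# Constructed events (pid|ppid|image|cmdline); pid 800 is an uncaptured parent.
SAMPLE_EVENTS = r"""
1001|800|C:\Program Files\Microsoft Office\WINWORD.EXE|"WINWORD.EXE" C:\Users\u\Downloads\receipt.doc
1002|1001|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat
1003|1002|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\u\AppData\Local\Temp\x.vbs
1004|1003|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy bypass -File C:\Users\u\AppData\Local\Temp\p.ps1
2001|800|C:\Windows\explorer.exe|explorer.exe
2002|2001|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1
"""


def parse_events(text: str) -> dict:
    """Build a pid -> Proc map from the constructed event lines."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int, max_depth: int = 8) -> list:
    """Image names from `pid` up through its recorded parents, nearest first."""
    chain = []
    cur = procs.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur.image))
        cur = procs.get(cur.ppid)
    return chain


def find_bypass_chains(procs: dict) -> list:
    """Return (pid, chain) for PowerShell processes that both override the
    execution policy and descend from a script host or Office application."""
    alerts = []
    for p in procs.values():
        if basename(p.image) != "powershell.exe" or not BYPASS_RE.search(p.cmdline):
            continue
        chain = ancestry(procs, p.pid)
        if any(name in SCRIPT_HOSTS for name in chain[1:]):
            alerts.append((p.pid, " <- ".join(chain)))
    return alerts


if __name__ == "__main__":
    for pid, chain in find_bypass_chains(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {chain}")
```

The administrator's own PowerShell run (pid 2002) is not reported, since it neither overrides the policy nor descends from a script host; the document-driven chain is reported with its full lineage, which is what an analyst needs to trace the infection back to the attachment.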

    VAWTRAK Routines

    Once BKDR_VAWTRAK.DOKR is in the computer, it steals information from different sources. For example, it steals email credentials from mail services like Microsoft Outlook and Windows Mail. It also attempts to steal information from different browsers, including Google Chrome and Mozilla Firefox. It also steals account information for File Transfer Protocol (FTP) clients or file manager software like FileZilla.

    Additionally, BKDR_VAWTRAK.DOKR can bypass two-factor authentication like one-time password (OTP) tokens and also has functionalities like Automatic Transfer System (ATS).

    The SSL bypass and ATS capabilities of VAWTRAK depend on the configuration file it receives. The configuration file contains the scripts used for ATS and SSL bypass, which are injected into the web browser. The malicious scripts may change depending on the targeted site. SSL bypass and ATS scripts act like automation scripts injected into the client’s web browser. This creates the impression that the transactions are done on the victim’s machine, which minimizes suspicion toward the malware.

    It also performs information theft through methods like form grabbing, screenshots, and site injections. Some of the targeted sites include Amazon, Facebook, Farmville, Google, Gmail, Yahoo Mail, and Twitter.

    VAWTRAK, Old and New

    The use of Microsoft Word documents with malicious macro code is a departure from known VAWTRAK arrival vectors. VAWTRAK variants were previously payloads of exploits; and some VAWTRAK infections were part of a chain involving the Angler exploit kit. The routine involving the use of macros is similar to other data-stealing malware, specifically ROVNIX and DRIDEX.

    Another significant change we have seen is the path and file name used by the malware. VAWTRAK variants previously used these paths and file names:

    %All Users Profile%\Application Data\{random file name}.dat

    %Program Data%\{random file name}.dat

    They have since changed to

    %All Users Profile%\Application Data\{random folder name}\{random filename}.{random file extension}

    %Program Data%\{random folder name}\{random filename}.{random file extension}

    The change in path and file name has security implications for systems relying on behavior rules. If their rules for VAWTRAK look for a .DAT extension directly under the %All Users Profile%\Application Data and %Program Data% folders, they need to be updated to catch these VAWTRAK samples.
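To make the rule-maintenance point concrete, the following added example (not code from the original post or from Trend Micro) encodes the legacy pattern and the current pattern as path rules and runs both over constructed file paths. The %...% tokens from the text are assumed to expand to C:\ProgramData and to C:\Documents and Settings\All Users\Application Data; the random-looking names are made up for the demonstration. A path match of this kind is one indicator among the behaviors the post lists, not a verdict on its own.

```python
"""Legacy versus updated path rules for VAWTRAK drop locations."""
import re

# Assumed expansions of %Program Data% and %All Users Profile%\Application Data.
_ROOTS = r"(?:C:\\ProgramData|C:\\Documents and Settings\\All Users\\Application Data)"

# Legacy rule: a .dat file directly under one of the roots.
LEGACY_RULE = re.compile(r"^" + _ROOTS + r"\\[^\\]+\.dat$", re.IGNORECASE)

# Current rule: one random subfolder, then a file with any extension.
CURRENT_RULE = re.compile(r"^" + _ROOTS + r"\\[^\\]+\\[^\\]+\.[^\\.]+$", re.IGNORECASE)

RULES = {"legacy": LEGACY_RULE, "current": CURRENT_RULE}


def classify(path: str) -> set:
    """Names of the rules that fire on `path`."""
    return {name for name, rule in RULES.items() if rule.match(path)}


def misses_with_legacy_only(paths: list) -> list:
    """Paths the updated rule catches but a legacy-only rule set would miss."""
    return [p for p in paths if "current" in classify(p) and "legacy" not in classify(p)]


# Constructed sample paths: one legacy-style drop, one new-style drop, one deeper benign path.
SAMPLE_PATHS = [
    r"C:\ProgramData\a1b2c3d4.dat",
    r"C:\ProgramData\k9x2\q7m1.bin",
    r"C:\Documents and Settings\All Users\Application Data\zz91\pl02.tmp",
    r"C:\ProgramData\Microsoft\Windows\Caches\cache.db",
]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", sorted(classify(p)) or "no rule")
```

Running the block shows the legacy rule firing only on the flat .dat path while the two subfolder-style paths fire the current rule alone, which is exactly the gap an unmaintained rule set leaves.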

    Macros for Evasion

    VAWTRAK is the latest family to use macro-based attacks. Those were popular in the early 2000s but soon faded into relative obscurity. This particular VAWTRAK variant uses a password-protected macro, which makes analyzing the malware difficult since the macro cannot be viewed or opened without the password or a special tool.

    Affected Countries

    We have been monitoring this new wave of VAWTRAK infections since November 2014. Of the affected countries, the United States has the most infections, followed by Japan. Previous data from the Trend Micro™ Smart Protection Network™ showed that most VAWTRAK infections were found in Japan.

    Figure 5. Top countries affected by this new VAWTRAK variant


    VAWTRAK has gone through some notable improvements since it was first spotted in August 2013 as an attachment to fake shipping notification emails. Coupled with the continuous use and abuse of malicious macros and Windows PowerShell, cybercriminals have come up with an ideal tool for carrying out their data theft routines. The Trend Micro™ Smart Protection Network™ protects users from this threat by blocking all related malicious files, URLs, and spammed emails. Users are also advised to learn to discern fake emails from legitimate ones, and in this case, real airline tickets or receipts from fake ones.

    Related hashes:

    • de9115c65e1ae3694353116e8d16de235001e827 (BKDR_VAWTRAK.DOKR)
    • 1631d05a951f3a2bc7491e1623a090d53d983a50 (W2KM_VLOAD.A)
    • 77332d7bdf99d5ae8a7d5efb33b20652888eea35 (BKDR_VAWTRAK.SM0)

    With analysis and input by Jeffrey Bernardino, Raphael Centeno, Cris Pantanilla, Rhena Inocencio, Cklaudioney Mesa, Chloe Ordonia, and Michael Casayuran



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice