Trend Micro TrendLabs Malware Blog

May 2015
    Best practices are failing. No matter how good you are at sticking to them, they can no longer guarantee your safety against even the simplest threats we saw last quarter. Malicious advertisements are on the sites you frequent, data-leaking apps come preinstalled on your gadgets, and data-encrypting malware runs silently in your office networks. Even the macro threats that were supposedly long gone are back in the wild. Today’s threats leave zero room for error.

    For instance, we saw a surge in malvertisements, the pesky online ads users normally consider more annoying than dangerous. At the start of the year, however, we found that bad guys had found various ways to abuse advertising platforms to deploy malware. These malicious advertisements, displayed on legitimate websites, exposed users to zero-day exploits. Even users who followed good security practices, such as visiting only trusted sites and patching their software, would still have been infected, because the malvertisements appeared on reputable sites and used zero-days.

    Figure 1. Malvertisements redirected victims to sites that automatically infected their computers with various kinds of malware such as BEDEP and ROZENA.

    In the same vein, critical security issues were found in Superfish, an ad-related browser add-on pre-installed on consumer-grade Lenovo laptops. Beyond being pre-installed (and therefore invasive by default), Superfish also had the capability to alter search results based on users’ browsing histories. What made Superfish more alarming, however, was that it was not securely designed, which created opportunities for bad guys to launch man-in-the-middle attacks.

    The uptick in macro malware last quarter, on the other hand, proved that we can’t let old threats slip out of our minds just yet. The number of macro malware in Microsoft® Word files more than doubled since the last quarter of 2014. This showed a clear trend in cybercriminals’ weapons of choice.

    Figure 2. The number of macro malware infections has been constantly increasing since the first quarter of 2014. This could be attributed to the release of new variants and the rise in number of spam carrying malicious-macro-laden attachments.

    Targeted Attacks and Breaches Ramp Up Tools and Targets

    Operation Pawn Storm, an ongoing economic and political cyber-espionage operation, exploited vulnerable iOS™ devices to infiltrate target networks. The use of mobile malware isn’t new, but Pawn Storm was the first to target iOS devices.

    Both the retail and healthcare industries were hit hard by data breaches last quarter. PoS malware attacks remained prominent threats to retailers, while healthcare service providers such as Premera Blue Cross and Anthem experienced data breaches that exposed nearly a hundred million customer and employee records combined.

    Is Security Fated to Rely on Luck?

    When thinking about security, there are always loopholes to consider, especially if the threats aren’t within your control. Threat communications manager Christopher Budd reiterates this in the case of malvertisements: “More than any other threat, malvertisements can hurt people even when they’re doing all the right things. Malvertisements can affect people who don’t click links, have fully updated security solutions, and only go to trusted sites. In short, there’s no amount of caution that can protect you from malvertisements, just luck.”

    The best defense, in light of all this, is to equip yourself with the right threat intelligence and keep adjusting the way you implement security. Traditional best practices may no longer work, but if they continue to evolve with today’s threats, you may still have a fighting chance.

    Read our 1Q 2015 Security Roundup here.


    Companies risk losing all their customers if they continue to neglect their app store presence. Malicious mobile apps do bring serious security concerns to the fore (70% of top free apps have fake, and mostly malicious, versions in app stores), but companies and developers also face another challenge in the form of copycats.

    For a company that needs to maintain an official mobile app on Google Play, fake or impostor apps can mean trouble for both their credibility and revenue. For users, the impact is similar, although on a more personal level. If users get fooled into downloading these apps, it can eventually lead to information theft, reputation damage, and overall dissatisfaction with the company’s brand and service.

    Companies that maintain official apps in app stores like Google Play have a big role to play in minimizing the risk of their users installing fake apps. By properly establishing their identity and their apps, they can greatly help their users sort out the real apps from the fake ones. For example: ideally, all apps are released under one developer, as is the case for the various Trend Micro apps:

    Figure 1. Trend Micro apps on Google Play

    However, we have noticed that some organizations are not able to do this. Instead, multiple developers all publish various versions of official apps.

    Figure 2. Various banking apps with different developer names

    Why is this the case? Android requires that all apps be signed (even with a self-signed certificate). Large organizations will, of course, have different teams responsible for developing different apps. Different private keys may be used to sign those apps, even if they are consolidated under one account. Furthermore, different accounts may be used to upload the apps, even if they’re all related to the same company.

    The practice can cause confusion among users (as seen in Figure 2), where it is not clear which is the official account. Even if the apps are consolidated under one account, outside of the Google Play store there is no way to tell whether these apps are legitimate, since the signing certificate is what identifies the author. This makes it hard to judge whether an app in a third-party store is legitimate.

    For developers, the main impact here is that their customers might not be able to properly identify their app, and they may lose part of their potential install base. For users, however, this can turn into a big risk, since it makes it harder to spot “legitimate” versions of the app (e.g., the developer name used might not make it clear who published the app). In addition, if the user checks what other apps were published by a specific developer, there may be no other apps to be found. In and of themselves, these traits are not necessarily bad; however, malicious apps can share them as well.

    How do we know who is faking it?

    Companies need to ensure that they properly identify themselves as the credible source for their apps. It is not extraordinarily difficult for organizations to adopt proper key management so that all released apps are signed by one key: many large companies do exactly this, and the IT department of a large organization should be capable of arranging it correctly. Ideally, all official apps should be signed by one certificate, tied to one developer account.

    For consumers, this has one benefit: all apps from an organization would show up as coming from one developer in Google Play as well as in third-party app stores. With official apps properly identified, users can more easily recognize fake apps and avoid inadvertently downloading them. This protects them from various problems such as information theft.
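As an added example (not code from the original post or from Trend Micro), this is the audit an organization could run over its own store listings to catch the two problems described above: official apps spread across several signing keys or developer accounts, and listings of its package names signed by a key it does not control. All listings, accounts and fingerprints are constructed; in practice the fingerprint would be the SHA-256 of the signing certificate extracted from the APK.

```python
import hashlib
from collections import defaultdict


def fp(label):
    """Constructed stand-in for a certificate fingerprint. In a real audit
    this would be the SHA-256 of the DER signing certificate from the APK."""
    return hashlib.sha256(label.encode()).hexdigest()[:16]


# Constructed listings: (store, package name, developer account, signer fingerprint).
# Note the last entry: a convincing developer name but a signing key the
# organisation does not own, which is exactly what a name-only check misses.
LISTINGS = [
    ("Google Play", "com.examplebank.mobile", "ExampleBank Inc.", fp("bank-key-A")),
    ("Google Play", "com.examplebank.wallet", "ExampleBank Mobile Team", fp("bank-key-B")),
    ("Google Play", "com.examplebank.business", "ExampleBank Inc.", fp("bank-key-A")),
    ("ThirdPartyStore", "com.examplebank.mobile", "ExampleBank Inc.", fp("bank-key-A")),
    ("ThirdPartyStore", "com.examplebank.mobile", "Example Bank Official", fp("stranger-key")),
]

ORG_PACKAGES = {"com.examplebank.mobile", "com.examplebank.wallet", "com.examplebank.business"}
ORG_SIGNERS = {fp("bank-key-A"), fp("bank-key-B")}  # keys the organisation actually holds


def audit(listings, org_packages, org_signers):
    """Return the organisation's signing-key and account sprawl, plus any
    listing of its own package names whose signer is not one of its keys."""
    keys_by_pkg = defaultdict(set)
    accounts = set()
    impostors = []
    for store, pkg, account, signer in listings:
        if pkg not in org_packages:
            continue                       # someone else's app, out of scope
        if signer not in org_signers:
            impostors.append((store, pkg, account, signer))
            continue
        keys_by_pkg[pkg].add(signer)
        accounts.add(account)
    keys_in_use = set()
    for keys in keys_by_pkg.values():
        keys_in_use |= keys
    return {
        "signing_keys_in_use": keys_in_use,   # ideal: exactly one
        "developer_accounts": accounts,       # ideal: exactly one
        "impostors": impostors,
    }


def findings(report):
    """Human-readable summary of what the audit turned up."""
    out = []
    if len(report["signing_keys_in_use"]) > 1:
        out.append("official apps are signed by %d different keys" % len(report["signing_keys_in_use"]))
    if len(report["developer_accounts"]) > 1:
        out.append("official apps are published under %d accounts" % len(report["developer_accounts"]))
    for store, pkg, account, signer in report["impostors"]:
        out.append("%s: %s by '%s' signed with unknown key %s" % (store, pkg, account, signer))
    return out


if __name__ == "__main__":
    for line in findings(audit(LISTINGS, ORG_PACKAGES, ORG_SIGNERS)):
        print(line)
```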

    For now, we strongly advise users to be careful in choosing which app to download. Checking all details related to the app — developer name, rating, reviews — can help identify fake apps. Additionally, installing a security app such as the Trend Micro Mobile Security and Antivirus can detect fake apps and prevent them from getting installed.


    As a result of the increase in cyber-attacks launched by nation-states, cybercriminals, hacktivist groups and other entities, it has become increasingly important to understand the ecosystem of hardware, O/S, software, and services that are used in each organization’s network, including the data/telemetry that is collected and sent outside the organization’s network.

    This problem is especially magnified with the emergence of the Internet of Things (IoT), which is turning “heterogeneous networks” into “super-heterogeneous networks” of intelligent devices.

    Figure 1. Corporate network then (L) vs the corporate network now (R): The Internet of Things (IoT) is turning “heterogeneous networks” into “super-heterogeneous networks” of intelligent devices

    Lifecycle Management

    In the past, IT personnel have had to manage the deployment life cycle of a seemingly diverse array of PCs, notebooks, smartphones, tablets, printers, routers, etc., within their business environment.

    This includes initial configuration, adaptation/optimization, updating, and securing these devices over their deployment lifetime. Several decades ago, the word “heterogeneous” was used to describe networks with a “mind-boggling” variety of largely PCs, notebooks, routers, printers, etc.

    Now consider that this same task must be done to an increasingly more diverse “super-heterogeneous” collection of intelligent devices that will have a broader diversity based on several different factors such as an organization’s industry and region.

    Device Discovery

    Consider the possibility that there will not only be coordinated smart device deployments on the corporate network, but also arbitrary deployments of devices by employees – Bring Your Own Thing (BYOT).

    Just as many employees have traditionally deployed their own routers or printers within their office environment, they may arbitrarily deploy other, less traditionally understood smart devices on the organization’s network. At first glance, it may not be entirely clear what these devices actually do, or what benefits they bring versus the perils.

    Knowing about the existence of a smart device deployed on a corporate network will be an increasing challenge for an IT administrator. This is because, beyond having a basic Media Access Control (MAC) address, many smart devices today don’t have a common way to identify themselves on the network. Due to the current lack of standardization for identifying these devices, a series of methods will be needed to properly identify each individual device. Historically, Nmap has proven useful for this task, but tracking down the physical location of a device will be a challenge in many cases, due to the lack of device discovery information available, along with the possible difficulty of visually identifying the device because of its form factor.
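As an added example of the identification step above (not from the original post), here is a parser for the `Nmap scan report` and `MAC Address` lines of an `nmap -sn` sweep that triages each host by what little identity it exposes: a DNS name, an OUI vendor string, or neither. The sample output, hostnames, MAC addresses and vendor names are all constructed.

```python
import re

# Constructed sample of `nmap -sn` normal output from a LAN sweep run as root
# (so MAC addresses are shown). Names, addresses and vendor strings are made up.
SAMPLE = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-12 09:00 UTC
Nmap scan report for gateway.corp.example (10.0.5.1)
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (ExampleNet Routers)
Nmap scan report for 10.0.5.42
Host is up (0.050s latency).
MAC Address: 18:B4:30:AA:BB:CC (SmartTherm Co)
Nmap scan report for printer-3f.corp.example (10.0.5.60)
Host is up (0.0030s latency).
MAC Address: 00:1E:8F:12:34:56 (Printco)
Nmap scan report for 10.0.5.77
Host is up (0.10s latency).
MAC Address: 02:42:AC:11:00:02 (Unknown)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.21 seconds
"""

# "Nmap scan report for name (ip)" when reverse DNS resolved, else "... for ip".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))$")
MAC_RE = re.compile(
    r"^MAC Address: (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) \((?P<vendor>[^)]*)\)$")


def parse_nmap_sn(text):
    """Collect one record per host: ip, DNS name (or None), mac, vendor."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            cur = {"ip": m.group("ip1") or m.group("ip2"), "name": m.group("name"),
                   "mac": None, "vendor": None}
            hosts.append(cur)
            continue
        m = MAC_RE.match(line)
        if m and cur is not None:
            cur["mac"], cur["vendor"] = m.group("mac"), m.group("vendor")
    return hosts


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the MAC was assigned locally
    (VMs, containers, randomized addresses), so the OUI says nothing."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def triage(host):
    """Rank how much work it will take to identify this device."""
    if host["mac"] is None:
        return "no MAC seen: host is not on the scanned segment"
    if is_locally_administered(host["mac"]):
        return "locally administered MAC: OUI lookup unreliable, trace via switch port"
    vendor_known = host["vendor"] not in (None, "", "Unknown")
    if host["name"] and vendor_known:
        return "identified"
    if vendor_known:
        return "vendor hint only: no DNS name, confirm owner and physical location"
    return "unidentified: needs manual tracking"


if __name__ == "__main__":
    for h in parse_nmap_sn(SAMPLE):
        print(h["ip"], h["name"] or "-", h["mac"], h["vendor"], "->", triage(h))
```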

    Knowing about Device Problems

    Knowing about issues related to specific brands and models of IoT devices is critical. An IT administrator will need to be more proactive about monitoring additional sources of information about smart devices deployed across their network, including but not limited to government entities (e.g., CERTs), hacker forums and organizations, industry groups, media, and manufacturer websites.

    Availability of Updates

    Once a problem is known, the next challenge is how to correct it. For instance, if a firmware update is needed, how is it obtained?

    Currently, there are no “Patch Tuesday” bulletins or “Windows Update” notifications available for IoT devices. These relatively well organized schedule and deployment instruments were implemented only after years of pain, along with a mass of complaints from affected organizations. Due to the variety of device manufacturers, an IT administrator will need to spend more time tracking down and downloading available firmware updates.

    How to Apply Updates and Policy Changes

    Once you know there is a problem with a smart device, the next step is how to apply the solution (if one exists). Consider that there may be several thousand affected devices deployed across the organization’s global network. Given that many smart devices have their own proprietary way to apply firmware updates and policies, evolved tools will be needed to perform this patching and policy correction on smart devices en masse. In addition, we can assume many devices will have limitations as to how much “policy” can be applied. For instance, you might need to change the hostname of a smart device so that it conforms to an IT policy, or to ease identification and manageability. The device may or may not let you do this.

    Data Collection and Transmission

    Another issue is the collection and transmission of data from the organization. Most smart devices include some form of communication with their manufacturer and possibly other providers.


    There are several ways that devices collect data about the organization’s day-to-day operations. For instance, a motion sensor on a thermostat may collect telemetry about the presence of people in an office.

    Another example might be devices that listen for “hot words” and have the ability to distinguish between different voices, and possibly people. The company that manufactures this device, along with partners that may also have access to this data, can monetize or trade this refined “data revenue”. More significantly, this telemetry can be used as part of a coordinated attack on a company.


    It’s important to understand what type of data is being transmitted outside of the organization, and whether or not it is properly encrypted. Additionally, these devices use new types of protocols that allow them to be accessed more readily from outside the organization. Monitoring systems within an organization might sound alarm bells when this communication is attempted, since it may differ from what is considered normal. This may in turn trigger automatic blocks or lockdowns as networks and systems act to protect themselves.


    Attacks against cloud infrastructure are popular because they can yield a high amount of “data revenue”. Organizations need to consider how securely their device-collected data is stored in the manufacturer’s or its partners’ cloud. What if the manufacturer or one of its partners goes out of business—what happens to this data? Will it be scrubbed, sold to another organization, or will it end up lying in an arbitrary bay of servers at a computer auction?

    For more information, refer to my previous post titled Is Your Data Safe In The Internet of Everything?.


    Over time, the device must be regularly updated to assure continued operation. How does the collection and transmission of the data change with each update? This is a time consuming process, but needs to be understood.

    Spying in the Workplace

    IoT empowers more covert spying within the workplace through the emergence of an increasingly diverse range of inconspicuous, Internet-connected monitoring devices. Though these highly consumer-friendly devices have been built with the best intentions, they can very easily be deployed, controlled, and monitored via a smartphone or tablet for nefarious purposes.

    Some examples are:

    1. Placing an inconspicuous-looking home environment monitor, or even a baby monitor on a shelf within a conference room to listen in, watch, or record a confidential meeting
    2. Deploying a series of activity sensors on doors & windows in strategic locations within the workplace to monitor employee presence and activities
    3. Deploying a power line-based Ethernet extender to make the corporate Ethernet network accessible via a power outlet in an external area such as a parking lot that is subject to less physical monitoring

    It is critical for the IT personnel to be able to fully identify new devices on their network, and understand the implications.


    Aside from security-specific issues, the overall increase in the diversity of devices on the corporate network will also bring additional unforeseen administrative burdens on IT staff, such as the need to replace batteries in devices on a regular basis. These issues are further discussed in the Administrator of Things.


    A more user-friendly and diverse “super-heterogeneous” range of devices with more permutations of hardware, OS, software, and cloud platforms means more work is required, more frequently to continue to protect the organization.

    Device visibility and intelligence are crucial to empowering IT staff to proactively protect their organization from the additional risks incurred by the deployment of smart devices across the organization’s network.

    Organizations need to weigh the value being delivered by the new technology vs. the costs required to use it, and the risks that it brings to their organization. The knowledge gained from this process will help to continually evolve the existing IT policy to properly accommodate IoT devices.

    For some key security considerations for IoT devices, please refer to our guide titled What to Consider When Buying a Smart Device.



    Major government sectors and corporations in both Taiwan and the Philippines have become the latest targets in an ongoing attack campaign in the Asia Pacific region. The threat actors behind Operation Tropic Trooper—which we named for its choice of targets—aim to steal highly classified information from several Taiwanese government ministries and heavy industries as well as the Philippine military.

    From March to May 2015, our researchers noted that 62% of the Tropic Trooper-related malware infections targeted Taiwanese organizations while the remaining 38% zoned in on Philippine entities. Although the identities and motivations of the actors behind the campaign have yet to be identified, we have found that the command-and-control (C&C) servers used in this campaign were located in four countries: Taiwan (43% of the servers), the USA (36%), Hong Kong (14%) and the UAE (7%).

    Though attacks like these are not new, what our researchers have uncovered are critical security gaps the targeted organizations have yet to fill.

    Operation Tropic Trooper Overview

    Operation Tropic Trooper has been active since 2012, but our researchers have found that the malware the attackers used shares characteristics with samples we first examined in 2011. The same characteristics were also seen in 2013, when users in India and Vietnam were targeted in a similar effort.

    This latest attack relied on two of the most-exploited Windows® vulnerabilities to date—CVE-2010-3333 and CVE-2012-0158—to infiltrate the target networks. This suggests that the organizations were running on unpatched, vulnerable systems that made them more susceptible to threats.

    Figure 1. Operation Tropic Trooper campaign flow (click the image to enlarge)

    Aside from exploiting those vulnerabilities, the threat actors used basic steganography, concealing malicious code in JPEG files popularly used as Windows XP wallpapers. Steganography, although not a new cybercriminal tactic, is not commonly used in targeted attacks. That being said, there are possible reasons why the threat actors might have chosen this approach:

    1. As of the first half of this year, almost 17% of systems in Taiwan and 13% in the Philippines still run on Windows XP. Given that it takes longer for larger agencies to upgrade their systems, there is a high probability that the targets of this campaign still use the legacy OS.
    2. There is also a possibility that the threat actors used this form of steganography because they either still use the outdated OS themselves or have in-depth knowledge of it.

    The Infiltration and Infection Chain

    The attack begins with emails carrying crafted documents as attachments. To infiltrate target networks, the attackers relied on social engineering tricks to convince targets to double-click the attachments.

    Figure 2. Spear-phishing email sample

    Opening the attachments leads to the execution of malware that downloads an image file to the system. Some attachments open decoy documents to hide their malicious nature.

    Closer inspection of the downloaded image file reveals that it uses steganography to hide the malicious content. The executable files are decrypted in memory and never saved to disk. These files are installers that drop the backdoor BKDR_YAHAMAM. With the backdoor’s capabilities of downloading, uploading, and creating a remote shell, the attackers can easily move to the next phase of the attack: finding other targets within reach.
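As an added detection example (not from the original post, and not a claim about how this campaign hid its payload), one cheap heuristic for spotting image files that carry foreign content is data appended after the JPEG end-of-image marker. The parser below walks JPEG segments by their declared lengths, so the EOI of an embedded EXIF thumbnail is not mistaken for the end of the image, and reports how many bytes follow the real EOI. The sample JPEG bytes are constructed and structurally valid but not a decodable picture.

```python
import struct

# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def jpeg_image_end(data):
    """Offset just past the outer image's EOI marker, or None if the file is
    not a JPEG, is malformed, or is truncated before its EOI."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                      # expected a marker here
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI: end of the outer image
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            return None
        pos += 2 + length                    # skip header + payload (thumbnails included)
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            # Inside scan data a 0xFF byte is always followed by 0x00 (stuffing)
            # or an RSTn marker, so anything else is the next real marker.
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt == -1 or nxt + 1 >= len(data):
                    return None              # truncated inside the scan
                if data[nxt + 1] not in (0x00, *range(0xD0, 0xD8)):
                    pos = nxt
                    break
                pos = nxt + 2
    return None


def trailing_bytes(data):
    """Number of bytes after the image's EOI, or None if no EOI was found."""
    end = jpeg_image_end(data)
    return None if end is None else len(data) - end


def build_sample_jpeg():
    """Constructed minimal JPEG: SOI, an APP1 segment whose payload holds an
    embedded thumbnail with its own EOI, a one-component scan containing a
    stuffed 0xFF and an RST0 marker, then the real EOI."""
    thumb = b"\xff\xd8\xff\xd9"
    app1_payload = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(app1_payload)) + app1_payload
    sos_header = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", 2 + len(sos_header)) + sos_header
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    clean = build_sample_jpeg()
    suspicious = clean + b"constructed-appended-data"
    print("clean:", trailing_bytes(clean), "bytes after EOI")
    print("suspicious:", trailing_bytes(suspicious), "bytes after EOI")
```

A non-zero result only says the file carries something beyond the image; payloads hidden inside legitimate segments or in pixel data need other checks.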

    Critical Call for Targeted Entities

    Operation Tropic Trooper is not highly sophisticated. But the fact that it has attained some degree of success and has managed to infiltrate crucial organizations in both Taiwan and the Philippines shows the urgent need for targeted entities to rectify their shortcomings in terms of security.

    Knowing that attackers are still using old techniques and exploiting known vulnerabilities will make it easier for the targeted organizations to pinpoint and fix security gaps in their networks.

    Building threat intelligence is crucial in the fight against targeted attacks. Identifying the tools, tactics, and procedures (TTPs) that threat actors use based on external reports and internal historical and current monitoring can help create a strong database of indicators of compromise (IoCs) that can serve as basis for action.

    Using the right tools for advanced threat protection should also be part of an expanded security monitoring strategy. This includes establishing and empowering incident response teams and training employees, partners, and vendors on social engineering and computer security.

    You can download the paper from this link: Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers.



    This month’s Patch Tuesday release can be considered relatively light with only three Critical bulletins, with the remaining 10 bulletins rated as Important.

    As is usually the case, the cumulative update for Internet Explorer (MS15-043) is one of those rated as Critical. MS15-044 addresses critical vulnerabilities in the Microsoft Font Driver, which could allow remote code execution if users open specially crafted documents or visit an untrusted webpage that contains embedded TrueType fonts. Lastly, MS15-045 addresses a critical vulnerability in Microsoft Journal that could allow remote code execution if a user opens a specially crafted Journal file.

    The remaining ten bulletins are rated as Important, and cover a wide range of software including Microsoft Office, SharePoint Server, the .NET Framework, and various Windows components.

    We urge users to patch their endpoints and servers as soon as possible. Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:

    • 1006662 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1658)
    • 1006663 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1675)
    • 1006664 – Microsoft Internet Explorer ASLR Bypass (CVE-2015-1685)
    • 1006665 – Microsoft Internet Explorer VBScript ASLR Bypass (CVE-2015-1686)
    • 1006666 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1689)
    • 1006667 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1691)
    • 1006668 – Microsoft Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2015-1692)
    • 1006669 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1695)
    • 1006670 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1696)
    • 1006671 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1697)
    • 1006672 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1698)
    • 1006673 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-1699)
    • 1006674 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1705)
    • 1006675 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1706)
    • 1006676 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1708)
    • 1006678 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1710)
    • 1006679 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1711)
    • 1006680 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1712)
    • 1006694 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1717)
    • 1006695 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1718)
    • 1006696 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-1682)
    • 1006697 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1714)
    • 1006698 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1709)

    More information about these bulletins and their corresponding Trend Micro solutions is posted on our Threat Encyclopedia page: May 2015 – Microsoft Releases 13 Security Advisories.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice