Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
    October 2014

    A new spam attack disguised as invoice message notifications was recently seen spreading the UPATRE malware, which ultimately downloads its final payload: a BANKER malware related to the DYREZA/DYRE banking malware.

    Background

    In early October we observed a surge of spammed messages sent by the CUTWAIL/PUSHDO botnet, totaling more than 18,000 messages seen in a single day. CUTWAIL/PUSHDO has been in the wild since as early as 2007 and was considered one of the biggest spam botnets in 2009.

    We spotted spammed emails that disguise themselves as invoice message notifications or “new alert messages” from various companies and institutions.

    Figure 1. Screenshots of spammed messages related to CUTWAIL/PUSHDO


    The Domain Name System (DNS) plays a vital role in the operation of the Internet. Over the years it has been a primary target for malicious users looking for weaknesses in its protocol, its infrastructure, and the way people use it.
    Examples include cache poisoning attacks, vulnerable DNS server implementations, and abuse of user mistakes such as mistyped domain names.

    Taking advantage of users’ spelling mistakes

    Misspelled domain names in the browser’s address bar are a common user mistake, and attackers were quick to take advantage of it. They register the “squatting” (misspelled) versions of victim domains in order to capture the traffic those typos generate, and then use the domains for a wide range of unethical and illegal purposes, which may include stealing user credentials through phishing pages that imitate the legitimate site.
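    As an added example (not part of the original post), here is the defender’s side of this problem: enumerate the single-typo lookalikes of your own domain so they can be registered pre-emptively or watched in WHOIS and DNS feeds. The keyboard-adjacency table is a constructed US QWERTY approximation, and the typo classes are the common ones (omission, transposition, doubled character, adjacent key, missing dot after www).

```python
# Added example: generate the typo lookalikes an attacker could register for a
# domain, so a defender can pre-register or monitor them. Not Trend Micro code.

# Constructed US QWERTY adjacency table (letters only).
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def typo_variants(domain):
    """Return the set of single-typo lookalikes of `domain` (label.tld), excluding the original.

    Covers character omission (exmple), adjacent transposition (exmaple), doubled
    character (exaample), adjacent-key replacement (exsmple) and the missing dot
    after www (wwwexample.com).
    """
    label, _, tld = domain.rpartition(".")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                      # omission
        out.add(label[:i] + label[i] * 2 + label[i + 1:])       # repetition
        if i + 1 < len(label):                                  # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for key in KEYBOARD_NEIGHBOURS.get(label[i], ""):       # adjacent key
            out.add(label[:i] + key + label[i + 1:])
    out.add("www" + label)                                      # wwwexample.com
    variants = {v + "." + tld for v in out if v and v != label}
    variants.discard(domain)
    return variants


if __name__ == "__main__":
    for candidate in sorted(typo_variants("example.com")):
        print(candidate)
```

    The output is a watch list, not a verdict: feed it to whatever resolves names or queries WHOIS in your environment and alert when a variant that you do not own starts resolving or serving a login page.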

     

    Earlier today, Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz released a paper describing a serious flaw in SSL 3.0 that allows an attacker positioned as a man-in-the-middle to decrypt portions of the traffic (such as session cookies) exchanged between Web servers and end users.

    For example, if you’re shopping online with your credit card, you may think that your information is secure, but thanks to this bug (known as POODLE) it may actually be at risk. An attacker who recovers your session cookie can hijack your session, retrieve your credit card information, or even change your order.

    The bullet points below summarize some key points of this vulnerability:

    • CVE ID: CVE-2014-3566
    • Popular name: POODLE (Padding Oracle On Downgraded Legacy Encryption)
    • Vulnerability: padding oracle in SSL 3.0 CBC cipher suites, reached by forcing a protocol downgrade (fallback) to SSL 3.0
    • Attack vector: man-in-the-middle

    How does the POODLE attack work?

    According to the paper, the key issue is the padding used by SSL 3.0 CBC cipher suites: the padding bytes are not covered by the MAC and, apart from the final length byte, are never checked by the receiver. An attacker who sits between the end user and the Web server can therefore replace the last ciphertext block of a record with a block of their choosing; the record is accepted only when the decrypted last byte happens to equal the expected padding length, and that single accept/reject signal leaks one byte of plaintext per roughly 256 attempts. Combined with the ability to make the victim’s browser send many requests with attacker-chosen lengths (for example, from JavaScript), this lets the attacker recover secrets such as session cookies from captured traffic.
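    To make the oracle concrete, here is an added Python simulation (written for this page, not code from the paper or from Trend Micro) of exactly this check: a victim that sends records with attacker-chosen prefix and suffix lengths, an SSL 3.0 receiver that checks only the padding length byte, a TLS-style receiver that checks every padding byte, and an attacker that recovers the cookie one byte at a time. The block cipher is a toy SHA-256 Feistel network standing in for AES, HMAC-SHA1 stands in for the SSL 3.0 MAC, and the keys, the cookie and the request layout are constructed; only the CBC and padding structure matters for the attack.

```python
# Added simulation of the SSL 3.0 padding oracle (POODLE). Not code from the paper
# or from Trend Micro; the cipher, MAC, keys and SECRET are stand-ins.
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20
ENC_KEY = b"constructed-encryption-key"
MAC_KEY = b"constructed-mac-key"
SECRET = b"s3cr"  # constructed stand-in for the session cookie the attacker wants


def _f(key, half, rnd):  # round function of the toy cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, blk):  # 4-round Feistel over a 16-byte block (AES stand-in)
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)


def mac(msg):  # HMAC-SHA1 stands in for the SSL 3.0 MAC
    return hmac.new(MAC_KEY, msg, hashlib.sha1).digest()


def client_record(prefix_len, suffix_len):
    """Victim browser: attacker-run JavaScript chooses the path/body lengths
    (prefix/suffix), but the browser inserts SECRET (the cookie) by itself."""
    msg = b"A" * prefix_len + SECRET + b"B" * suffix_len
    body = msg + mac(msg)
    pad_len = (BLOCK - 1 - len(body) % BLOCK) % BLOCK   # full block when already aligned
    padding = os.urandom(pad_len) + bytes([pad_len])     # SSL 3.0: pad bytes unspecified
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(ENC_KEY, iv, body + padding)


def ssl3_accepts(iv, record):
    """SSL 3.0 receiver: only the final length byte of the padding is checked."""
    pt = cbc_decrypt(ENC_KEY, iv, record)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    body = pt[:len(pt) - pad_len - 1]
    return hmac.compare_digest(body[-MAC_LEN:], mac(body[:-MAC_LEN]))


def tls_accepts(iv, record):
    """TLS receiver: every padding byte must equal the length byte."""
    pt = cbc_decrypt(ENC_KEY, iv, record)
    pad_len = pt[-1]
    if pad_len >= BLOCK or pt[len(pt) - pad_len - 1:] != bytes([pad_len]) * (pad_len + 1):
        return False
    body = pt[:len(pt) - pad_len - 1]
    return hmac.compare_digest(body[-MAC_LEN:], mac(body[:-MAC_LEN]))


def recover_byte(oracle, index, max_tries=20000):
    """Attacker on the wire: copy the ciphertext block holding SECRET[index] over the
    padding block and watch whether the receiver accepts. Returns (byte, tries)."""
    prefix_len = (BLOCK - 1 - index) % BLOCK                        # byte lands last in its block
    suffix_len = (-(prefix_len + len(SECRET) + MAC_LEN)) % BLOCK    # forces a full padding block
    target = (prefix_len + index) // BLOCK                          # block number holding the byte
    for tries in range(1, max_tries + 1):
        iv, ct = client_record(prefix_len, suffix_len)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        forged = ct[:-BLOCK] + blocks[target + 1]                   # C_n := C_target; MAC untouched
        if oracle(iv, forged):
            # Accepted => (D(C_target) XOR C_{n-1})[-1] == BLOCK-1; undo the CBC chaining
            # with the block that originally preceded C_target.
            return (BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target][-1], tries
    return None, max_tries


def recover_secret(oracle, max_tries=20000):
    out, total = bytearray(), 0
    for i in range(len(SECRET)):
        b, tries = recover_byte(oracle, i, max_tries)
        total += tries
        if b is None:
            return None, total
        out.append(b)
    return bytes(out), total


if __name__ == "__main__":
    print(recover_secret(ssl3_accepts))          # (b's3cr', roughly 4 * 256 requests)
    print(recover_byte(tls_accepts, 0, 300))     # (None, 300): TLS padding check holds
```

    Running recover_secret(ssl3_accepts) returns the cookie after roughly 256 requests per byte, while the same attacker against tls_accepts never sees an accept, because the moved block would have to decrypt to sixteen identical bytes. In the real attack each rejected record kills the connection, and the attacker’s JavaScript simply opens a new one; the arithmetic is the same.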

    SSL 3.0 is an old protocol that has been around for nearly 15 years. It has been succeeded by TLS (which is now at version 1.2). However, many TLS clients, browsers in particular, will retry a failed handshake with an earlier protocol version in order to cope with servers that do not support the latest one, and this fallback behaviour can be triggered by anyone who can interfere with the connection.

    Consider the example below. The browser supports TLS versions up to 1.2. In the first handshake it offers the highest protocol version it supports (TLS 1.2). If that handshake fails, the browser retries with earlier versions (TLS 1.1, then TLS 1.0). A man-in-the-middle attacker simply breaks each of these handshakes (for instance by dropping the packets) until the browser falls back to SSL 3.0, at which point the POODLE vulnerability can be exploited against the communication between the two parties.


    Figure 1:  Attackers may force the communication between a client and server to downgrade from TLS to SSL 3.0 to be able to decrypt the network communication

    Countermeasures

    This vulnerability can be avoided if SSL 3.0 is disabled. Site administrators can disable support for it on their side; for example, Apache’s mod_ssl documentation shows how to exclude SSLv3 from the enabled protocols.
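    As an added illustration (not the instructions the post linked to), this is what the change looks like in Apache’s mod_ssl configuration, with the common weak setting beside the corrected one; the SSLProtocol directive is standard, and the rest of the virtual host configuration is assumed:

```apache
# Weak: disables only SSLv2, so SSLv3 stays negotiable and POODLE applies.
SSLProtocol all -SSLv2

# Corrected: refuse SSLv3 as well, leaving only the TLS versions enabled.
SSLProtocol all -SSLv2 -SSLv3
```

    After reloading httpd, confirm from another host that an SSL 3.0 handshake is now refused, for example with openssl s_client -connect www.example.com:443 -ssl3 (the hostname is a placeholder); the command should fail with a handshake failure instead of printing the server certificate.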

    End users can disable SSL 3.0 support on their end as well, through the following steps:

    • For Chrome users, launching Chrome with the command-line switch --ssl-version-min=tls1 sets TLS 1.0 as the lowest protocol version the browser will use, so SSL 3.0 is never negotiated.
    • In Firefox, type about:config in the address bar to open the configuration editor, search for security.tls.version.min and set its value to 1 (0 allows SSL 3.0; 1 makes TLS 1.0 the minimum).
    • Internet Explorer users can follow the steps in Microsoft Security Advisory 3009008 to disable SSL 3.0.

    Enterprises can patch their servers via the following steps:

    Note, however, that disabling SSL 3.0 is not a practical step for all users, especially since it may still be needed to talk to legacy systems. The OpenSSL security advisory recommends that Web servers support the TLS_FALLBACK_SCSV mechanism: a client that has to retry a handshake at a lower version includes this signalling cipher suite value in its retry, and a server that supports a higher version answers with an inappropriate_fallback alert instead of completing the downgraded handshake. SSL 3.0 is then used only when a legacy implementation genuinely supports nothing better, and an attacker can no longer force the downgrade. The protection only applies when both the client and the server implement TLS_FALLBACK_SCSV; a client that does not send it gains nothing from a server that checks for it.
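    The downgrade dance from the figure above and the TLS_FALLBACK_SCSV defence, as an added Python simulation (illustrative code written for this page, not Google’s, OpenSSL’s or Trend Micro’s implementation). The class names, the message shapes and the use of 0x002F as an ordinary cipher suite are this example’s assumptions; the SCSV value 0x5600 and the inappropriate_fallback alert come from RFC 7507. The legacy server is modelled as version-intolerant, which is the reason browsers fall back in the first place.

```python
# Added simulation of browser version fallback, an active downgrader and
# TLS_FALLBACK_SCSV (RFC 7507). Not code from any real TLS stack.
from dataclasses import dataclass, field

SSL30, TLS10, TLS11, TLS12 = "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"
ORDER = [SSL30, TLS10, TLS11, TLS12]          # lowest to highest
TLS_FALLBACK_SCSV = 0x5600                    # signalling cipher suite value, RFC 7507


@dataclass
class ClientHello:
    version: str
    cipher_suites: list = field(default_factory=list)


class Server:
    def __init__(self, max_version, supports_scsv, intolerant=False):
        self.max_version = max_version
        self.supports_scsv = supports_scsv
        self.intolerant = intolerant          # legacy box that chokes on newer hellos

    def handle(self, hello):
        """Return ('ok', version), ('alert', reason) or ('dropped', reason)."""
        above_max = ORDER.index(hello.version) > ORDER.index(self.max_version)
        if above_max and self.intolerant:
            return ("dropped", "connection closed")
        if (self.supports_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and ORDER.index(hello.version) < ORDER.index(self.max_version)):
            # Client says it is retrying lower, but we support higher: the first
            # handshake was broken by something in between, so refuse.
            return ("alert", "inappropriate_fallback")
        return ("ok", min(hello.version, self.max_version, key=ORDER.index))


class Downgrader:
    """Active attacker: drop every handshake above the version it wants to force."""

    def __init__(self, force, server):
        self.force = force
        self.server = server

    def handle(self, hello):
        if ORDER.index(hello.version) > ORDER.index(self.force):
            return ("dropped", "connection reset")   # browser sees a network error
        return self.server.handle(hello)


def browser_connect(peer, send_scsv):
    """Browser fallback: offer TLS 1.2, step down on any failure. Returns the
    negotiated version, or None when the connection is abandoned."""
    for version in reversed(ORDER):
        suites = [0x002F]                                  # an ordinary cipher suite
        if send_scsv and version != TLS12:
            suites.append(TLS_FALLBACK_SCSV)               # "this is a fallback retry"
        status, detail = peer.handle(ClientHello(version, suites))
        if status == "ok":
            return detail
        if status == "alert" and detail == "inappropriate_fallback":
            return None                                    # downgrade detected: abort
    return None


def run_scenarios():
    modern = Server(TLS12, supports_scsv=True)
    old = Server(TLS12, supports_scsv=False)
    legacy = Server(SSL30, supports_scsv=False, intolerant=True)
    return {
        "direct": browser_connect(modern, send_scsv=True),                     # TLS 1.2
        "mitm_no_scsv": browser_connect(Downgrader(SSL30, old), send_scsv=True),     # SSL 3.0
        "mitm_scsv": browser_connect(Downgrader(SSL30, modern), send_scsv=True),     # None
        "mitm_server_only": browser_connect(Downgrader(SSL30, modern), send_scsv=False),  # SSL 3.0
        "legacy_peer": browser_connect(legacy, send_scsv=True),                # SSL 3.0
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18s} -> {result}")
```

    The two cases worth reading side by side are mitm_scsv and mitm_server_only: the same attacker and the same patched server, but only the client that actually sends the SCSV is protected. The legacy_peer case shows that the signal does not break a genuinely old server, which still negotiates SSL 3.0 (and remains exposed to POODLE until it is upgraded or retired).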

    We will continue to proactively monitor for threats that use this vulnerability and provide updates and solutions as necessary.

    Update as of 1:48 PM, October 15, 2014

    Trend Micro Deep Security customers are protected from attacks that may leverage the POODLE vulnerability via the following DPI rules:

    • 1006293 – Detected SSLv3 Request
    • 1006296 – Detected SSLv3 Response
     

    When it comes to targeted attacks, attackers are not omniscient. They need to gather information in the early stages to get to know the target, and they may collect it from various open sources such as Google, Whois, Twitter, and Facebook. They may gather data such as email addresses, IP ranges, and contact lists. These are then used as lures for phishing emails, which, if successful, give the attackers a foothold in the targeted organization’s network.

    Once inside, the attackers begin the lateral movement stage. In this stage, they perform port scans, service scans, network topology mapping, password sniffing, keylogging, and probing of the security policies in place. The goal is to find more confidential information and a stealthy, durable method of access.
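    One check a defender can run for the scanning part of this stage, as an added example (not Trend Micro code): a small detector that reads firewall records and flags a source that touches many ports on one host (a vertical scan) or the same port on many hosts (a horizontal sweep) inside a time window. The log format and the sample lines are constructed for the example; adapt the regular expression to your own firewall’s output.

```python
# Added example: flag port scans and sweeps in firewall logs. The log format and
# SAMPLE_LOG are constructed; this is not Trend Micro's detection logic.
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample: one host probing 11 ports on a server, another host hitting
# port 445 on 12 different machines, and a little ordinary HTTPS traffic.
SAMPLE_LOG = (
    [f"2014-10-14T09:00:{i:02d} src=10.0.5.23 dst=10.0.5.40 dport={p} action=deny"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])]
    + [f"2014-10-14T09:01:{i:02d} src=10.0.5.50 dst=10.0.5.{100 + i} dport=445 action=deny"
       for i in range(12)]
    + [f"2014-10-14T09:02:{i:02d} src=10.0.5.7 dst=10.0.5.40 dport=443 action=allow"
       for i in range(3)]
)


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                   "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]}


def find_scanners(lines, window=timedelta(minutes=5), threshold=10):
    """Return {("vertical", src, dst): distinct_ports} for one source hitting many
    ports on one host, and {("horizontal", src, dport): distinct_hosts} for one
    source hitting the same port on many hosts, counted within `window` of each
    event. Denied and allowed connections both count: a scan is about breadth."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    alerts = {}
    for i, e in enumerate(events):
        ports, hosts = set(), set()
        for f in events[i:]:
            if f["ts"] - e["ts"] > window:
                break
            if f["src"] != e["src"]:
                continue
            if f["dst"] == e["dst"]:
                ports.add(f["dport"])
            if f["dport"] == e["dport"]:
                hosts.add(f["dst"])
        if len(ports) >= threshold:
            key = ("vertical", e["src"], e["dst"])
            alerts[key] = max(alerts.get(key, 0), len(ports))
        if len(hosts) >= threshold:
            key = ("horizontal", e["src"], e["dport"])
            alerts[key] = max(alerts.get(key, 0), len(hosts))
    return alerts


if __name__ == "__main__":
    for (kind, src, what), count in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{kind:10s} from {src}: {count} distinct {'ports on ' + what if kind == 'vertical' else 'hosts on port ' + str(what)}")
```

    The thresholds are deliberately low for the sample; on a real network tune them per segment, and remember that a patient attacker who already knows the topology will spread probes over hours, which is the author’s point about why the topology itself has to change.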

    Lateral movement gives the attackers information they can then use to their advantage. They are now aware of existing security weak points, flaws in firewall rule sets, and misplaced or misconfigured security equipment. They also have the latest network topology, sets of passwords, and security policies.

    They can use this knowledge even after their intrusion has been discovered. Efforts to remove an existing attacker and prevent new attacks often consist of removing the malware and monitoring network activity. But since the attackers already know the topology, they can find new ways to regain access without being noticed.

    Earlier, we posted an entry detailing how IT administrators can protect enterprises from targeted attacks and breaches by looking at their network’s vulnerabilities. In this blog post, we want to tackle how network topology can aid in defending the enterprise network from the risks posed by targeted attacks.

    Changing the Network Topology

    It’s not enough to change passwords and remove the malware. To protect an organization from targeted attacks, changing the network topology should also be considered.

    Network topology refers to how devices are connected within a network, both physically and logically. The term covers all devices connected to the network, be they computers, routers, or servers. Since it also describes how these devices are connected, we use network topology here in a broad sense that includes the passwords, security policies, and similar controls that govern access between them.

    If the targeted organization changes the network topology, the knowledge the attackers gained becomes useless to them. If the threat actors attempt to enter the network using the old method, it will be flagged by the new(er) security policies put in place. Changes like moving the “location” of the target data or moving network segments will force the attackers to spend a longer period of time finding the targeted data again. This length of time can prove invaluable, as it gives admins more time to detect the malicious activity before any real damage is done.


    I prefer using the phrase “Internet of Everything” when discussing what most people call the Internet of Things because in many ways, the latter term isn’t enough. What makes the Internet of Everything so powerful is the data about you and me that these devices can gather.

    Consider how these devices actually work. They almost always need to “phone home” to some central server run by the service provider. This means that anything that you do on the device is seen by the provider. You have to trust that they will keep your data secure and not misuse it or neglect it over time.

    Unfortunately, there are many ways your data can be misused or compromised. For example, the devices themselves can be insecure and be compromised by an attacker. The software components these devices use, often taken from open source projects, accumulate known vulnerabilities over time, and the vendor may not have thought much about how to get them updated quickly and seamlessly. The servers themselves can be compromised and breached in a targeted attack.

    This doesn’t even enter into what the service provider can do with your data. You don’t really realize the extent of the data that an IoE device can take until you read the privacy policy. These policies, however, are difficult to comprehend, and may change over time without any notification to the consumer.

    Privacy policies will at least be able to say what data is collected, but in general they don’t disclose the full reality of what can be done with your information. As an example, many will have provisions stating that the data will be used to deliver the services provided. In practice, this broad generalization can be used as a legal basis to justify many different ways to use and possibly exploit your data.

    So, what should users do? Before purchasing an Internet-connected hardware device, make sure that you are comfortable with the fact that any data you provide them with, could potentially be stored on unsecured servers in data centers situated in different countries, over a long period of time. Your personal “data at rest” on the manufacturer’s servers represent an increased risk to you over time. Some risks include the possibility of data breaches, sharing or reselling of your data, along with general neglect of the data in scenarios such as company security lapses, or events such as sale or merger of the company.

    If you’re the type of consumer who is concerned about privacy, it is recommended that you find out what type of data (personally identifiable information, user credentials, etc.) is being gathered on the device and sent to the vendor, by asking the vendor’s sales or support staff. And if you’re considering different service providers for the same kind of service, compare their privacy policies and see which one you feel comfortable with. Reviewing the privacy policy is a good start to make you aware of what they may be doing with your data.

    Consider, too, that many venture-funded startups may not have fleshed out their business model yet. Your data is a key part of how they may initially, or additionally, monetize the service that they provide. These pressures can result in the misuse of your data. One could argue that a company that charges more for its service up front would be less tempted to monetize further using your data, but again there is no guarantee: data is a key element of IoE. A more reputable company that has a brand to protect may be a better choice, though this is not fully guaranteed either. An example is the recent gleaning of data from USB drives plugged into LG TVs.

    To know more on how to be safe in the Internet of Everything, read our “Security Considerations for Consumers Buying Smart Home Devices,” which can guide you in making decisions on the Internet connected devices you introduce into your daily life.

     



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice