In the course of monitoring future and possible targeted attacks, I recently chanced upon a spear-phishing email sent to an undisclosed recipient that contains three seemingly harmless documents. I was curious about the attached documents, so I first checked the one titled AlSajana Youth Center financial Report.docx. The so-called financial report turned out to be a non-malicious document (see Figure 1), but the other two attached files struck me as suspicious as well. Their file names were u0627u0644u0645u0639u062Fu064429u0.docx and u0625u0646u062Cu0644u064Au0632u0649.doc.

Figure 1. Sample of the non-malicious .DOCX file with the file name AlSajana Youth Center financial Report.docx

Figure 2. Attached files named u0627u0644u0645u0639u062Fu064429u0.docx and u0625u0646u062Cu0644u064Au0632u0649.doc


True enough, when we opened the documents, we found suspicious connections to the URL hxxp://, which we found running in the background. These malicious documents are both detected as TROJ_MDLINK.A. The domain is for sale, but it performs suspicious redirections before landing on a normal Facebook link. The domain has since been listed as a suspicious site according to our source, and we now block this domain under the classification “Disease Vector”.

Making use of legitimate functions in Microsoft Word

After checking, we found that the legitimate process winword.exe triggered these suspicious connections. We then checked if the document had an embedded macro that connects to the malicious URL. To our surprise, we found none. Next, we checked the Microsoft Word document for vulnerability exploitation–still nothing. At this point, we were curious to know what made winword.exe connect to the URL.

We noticed that both documents contained text and other objects such as an image file. Curious about the image inserted in the document, I immediately checked for hyperlinks attached to the image. And yet again, we found none. After some more digging into this seemingly normal file, we found out that there are three ways to insert an image in Microsoft Word (and, for that matter, in other Microsoft Office software):

1. Insert – embeds the image in the document.
2. Link to File – links the image to a file (a local file or a file on the web). If the link is inaccessible or cannot be loaded, Word puts in a placeholder for an image that cannot be displayed.
3. Insert and Link – a combination of Insert and Link to File. This feature is used so that when the link is inaccessible or cannot be loaded, the document still displays the image.

Apparently, the Insert and Link feature was used to insert the image in the suspicious-looking document. I was finally getting somewhere. If it weren’t for the suspicious connection, we wouldn’t have flagged these documents as malicious (no macro, no exploits, no other sign of being malicious). So how did the attackers craft these documents? There are two possible ways to do this. Both start the same way: use the Insert and Link feature of Microsoft Office with a link to the image you want to embed, then save the document. After that, either replace the content the link points to with something else, or change the link within the file (which requires only a little knowledge of the document file structure).

Figure 3. Microsoft Word enables you to update or modify the links in the document

Figure 4. Winword.exe runs the malicious URL

Both methods are very simple to do, and they both use a legitimate feature of Microsoft Office. We find this new technique very interesting because of its simplicity and the way it evades detection.

Should I be worried about this type of attack?

Yes and no. Unfortunately, file-based detections prove futile in staying protected against this type of attack, since there is nothing malicious per se in the file, such as the use of exploits or malicious macros. This feature cannot be disabled in Microsoft Word and is enabled by default in other Microsoft Office applications. It does not display itself as a hyperlink either, so users will most likely be caught unaware that the malicious URL is already being contacted in the background–all you need to do is open the document.

Theoretically, cybercriminals may also abuse the “insert and link” feature in Microsoft Office to point to downloads of malicious files via social engineering techniques. However, it’s highly unlikely that such a file download would be carried out unnoticed, because it would still require the user to eventually execute the file. Adding a malicious script behind the “insert and link” feature seems like a more logical move.

Best practices and countermeasures

Microsoft already has a feature to enable security alerts about links to suspicious websites, but this may not be enough to protect users, as it only works for sites that were previously flagged as suspicious. The security alerts won’t work for new websites being used by attackers. It’s best to take a proactive approach in defending against this type of attack. Always check whether the email sender is a trustworthy source, i.e., a friend, coworker, or other legitimate sender. Here’s how to check for links to files in different versions of Microsoft Office:

For Microsoft Office 2003:

• Select Edit > Links.

For Microsoft Office 2007:

• Select Office button > Prepare.
• Click Edit Links to Files.

For Microsoft Office 2010:

• Select File > Info.
• On the right-hand side, under Related Documents, click Edit Links to Files.

Because this is a legitimate feature in Microsoft Office, malicious URL blocking and network discovery are our best bets to combat attacks that may possibly utilize this technique.
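One way to inspect a .docx for linked images without opening it in Word, as an added example that is not from the original post: a .docx is a zip package, and an image inserted with Link to File or Insert and Link is recorded as a picture blip carrying an r:link reference to a relationship marked TargetMode="External" in word/_rels/document.xml.rels, so a defender can list such targets before the document is ever rendered. The minimal sample document and its example.invalid target are constructed here purely for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by OOXML package relationships, DrawingML pictures and
# the relationship-reference attributes (r:embed / r:link).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
IMAGE_REL = R_NS + "/image"


def external_image_links(docx_bytes):
    """Return (relationship id, target) for every picture in the main document
    part that is linked to an external target (Link to File or Insert and
    Link): a blip whose r:link points at a relationship with TargetMode=External."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        external = {
            r.get("Id"): r.get("Target")
            for r in rels.findall(f"{{{REL_NS}}}Relationship")
            if r.get("TargetMode") == "External"
        }
        doc = ET.fromstring(z.read("word/document.xml"))
        for blip in doc.iter(f"{{{A_NS}}}blip"):
            link_id = blip.get(f"{{{R_NS}}}link")   # absent for plain Insert
            if link_id in external:
                found.append((link_id, external[link_id]))
    return found


def build_sample_docx(link_target=None):
    """Constructed minimal .docx (not a real document): one embedded image and,
    if link_target is given, an Insert-and-Link image whose external relationship
    points at link_target. Real files nest the blip inside w:drawing/pic:pic."""
    rels = [f'<Relationship Id="rId1" Type="{IMAGE_REL}" Target="media/image1.png"/>']
    blip = 'r:embed="rId1"'
    if link_target is not None:
        rels.append(f'<Relationship Id="rId2" Type="{IMAGE_REL}" '
                    f'Target="{link_target}" TargetMode="External"/>')
        blip += ' r:link="rId2"'   # embed + link is what Insert and Link produces
    rels_xml = f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>'
    doc_xml = (f'<w:document xmlns:w="http://schemas.openxmlformats.org/'
               f'wordprocessingml/2006/main" xmlns:a="{A_NS}" xmlns:r="{R_NS}">'
               f'<w:body><a:blip {blip}/></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()
```

Nothing is fetched: the scanner only parses the package, so it is safe to run on a quarantined attachment, and any external target it reports can be checked against URL reputation before the file is opened.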

This potential attack scenario highlights the importance of the multilayer approach to protection provided by the Trend Micro™ Smart Protection Network™, which can block all related malicious files, URLs, and emails. In this case, even though the file itself may be non-malicious, we are able to block it with Web Reputation Services due to the malicious nature of the URL linked via the ‘insert and link’ feature. Users can also visit the Trend Micro™ Site Safety Center to check whether a URL is malicious or not.

Related hashes:

• 175f992f3a8241198b1171032606d620e07b27d9
• a3f73a71a75787a8a2c586fd210d69ecfadcf61b

With additional insights by Maydalene Salvador and Karla Agregado


Recently, we have noticed large numbers of repackaged Android apps showing up in Chinese app stores. While these apps pretend to be “free”, in the end they cost the users time and money: they are either shown various ads or they are subscribed to various premium SMS numbers. (Note that these apps were not found in the official Google Play store.)

Two channels are at work here. First, foreign apps that have been localized or repackaged by Chinese companies and used for various schemes. Secondly, paid/premium apps can be repackaged by pirates to produce a “free” version that contains ads or other added code. In either case, there is a risk that the repackaged code may be malicious.

In the first case, local Chinese companies have been contracted by the original developers to localize apps for the Chinese market. This includes translation, as well as changing payment methods to those used in the Chinese market. However, unscrupulous companies may add their own code at this stage to add advertisements and collect money from users via SMS numbers.

These advertisements collect the user’s location, phone model, and other installed apps without explicitly getting the user’s permission. The apps may also be designed so that in some circumstances, users may “accidentally” click on the button which sends an SMS payment. Payment notices may also be intercepted, as seen in the following code:

Figure 1. Code intercepting payment notice text messages

In the second case, pirates (either individuals or companies) crack paid apps, add their code, and distribute them via major Chinese app stores. Using commercials and fake downloads, these repackaged apps reach the top lists of these app stores, with millions of downloads.

Figure 2. Repackaged version of Minecraft with 52 thousand downloads per week

These apps display multiple advertisements when they are launched, and trying to close them just leads to downloading another app with even more advertisements. We even found spyware pushed as a security app; this particular app required root privileges and, as a result, is not easy to remove. (The screenshot below shows an ad for one of these spyware apps.)

Figure 3. Ads at app startup that lead to other risky apps

Figure 4. App permissions requested by the app installed by the ad in Figure 3

Apps being used to promote various scams are also a widespread problem. This malicious app repackaged the original Monument Valley game with an advertisement library; in addition, it randomly pushes scam messages to users, which lead them to further phone scams.

Figure 5. Repackaged Monument Valley, with 520 thousand downloads

This app displays advertisements via system notifications that lead to a website at hxxp://. This site contains offers for the user to purchase iPhones and other mobile devices for approximately $100 cash on delivery. The user is asked to enter his name, phone number, and shipping address. There is at least one known case where the victim was later called and asked to pay a “prepaid shipping fee.”

Acquiring this personal information is the goal of this scam, which is detected as ANDROIDOS_SCAMAD.HBT. The user is at risk of receiving more fraudulent calls unless they change their phone number.

Figure 6. App notification for iPhones being sold

Figure 7. Website gathering user information

The above screenshot shows some of the items for sale (different variants of the iPhone 5S); the next three fields are where the user would enter their personal information before clicking one of the buttons below, which would submit the information to the attacker.

The malicious apps in this post were mostly gathered from the top app lists of some major Chinese app stores. These top lists contain many repackaged apps, which pose serious risks to users. Users – particularly those in China – should be careful about downloading these apps. Last year, we discussed the threats of repackaged apps in a white paper titled Fake Apps: Feigning Legitimacy. Trend Micro Mobile Security protects users against these threats by scanning apps that are installed onto the device.


2014 showed that vulnerabilities could be found in all applications – both Heartbleed and Shellshock caught system administrators off-guard by revealing that open-source server applications could have severe vulnerabilities as well.

The reality is that making software free from vulnerabilities is difficult and expensive, if not completely impossible. For every thousand lines of code, you can expect to find 15 to 50 errors of some kind. Maybe you can get that error rate down for truly critical applications like space exploration, but that adds time and money to the costs of software development.

Despite the costs associated with doing so, developers need to do a better job of creating secure products. Changes in how software vulnerabilities are found and disclosed mean that the risks to users due to vulnerabilities are greater than ever.

Vulnerabilities that were spotted used to be reported to developers so that they could be fixed in order to protect as many users as possible. However, more and more vulnerabilities are being discovered by companies that sell this information to the highest bidder. This doesn’t help anyone – except the companies engaged in buying and selling these vulnerabilities. Developers can’t fix their products, users are left at risk, and the security community at large is left in the dark about today’s threats. The Internet, as a whole, is less safe.

It shouldn’t be a surprise that some governments are already trying to control these markets. Last year, the Wassenaar Arrangement considered exploit code to fall under the new category of “intrusion software”; items covered by the Arrangement are considered to be “dual-use” (i.e., having both military and civilian applications). This means that the 41 member countries of the Arrangement may subject these items to export controls. In fact, this year’s would-be attendees of Pwn2Own were asked to check with their lawyers whether export authorization or government notification was necessary before they could participate.

Of course, researchers who discover vulnerabilities want to be compensated for their efforts as well. There are ways to do this without selling vulnerabilities on the open market: major sites and vendors already pay bug bounties to researchers who find vulnerabilities in their products, so researchers can be compensated without vulnerabilities ever being put up for sale.

We can’t force companies or individuals to stop buying or selling vulnerabilities, but what we can do is dry up the supply. By creating more secure products that contain fewer vulnerabilities and do a better job of mitigating those that are present, we make the Internet safer for everyone.


In the past few weeks we’ve noticed a problematic pattern developing: the increasing use of exploit kits in malvertising. In particular, zero-day exploits (usually seen first in targeted attacks) are now being deployed in malicious ads right away, instead of first being used in targeted attacks against enterprises or other large organizations.

This is a worrying trend, as it means that more users could be affected by these threats before a patch becomes available. Two of the recent Adobe Flash zero-days (CVE-2015-0311 and CVE-2015-0313) were delivered to end users via malvertisements, putting large numbers of users at risk.

We recently released a paper titled The Evolution of Exploit Kits which discusses the threat from exploit kits. This paper continues our previous discussion and outlines the threat exploit kits pose today, as a key tool in the arsenal of attackers. We also partially delve into the history of exploit kits, including the notorious Blackhole exploit kit, which collapsed with the arrest of its author in late 2013.

Some patterns in the attacks from 2014 are expected to continue into 2015, such as:

• Increasing targeting of Flash vulnerabilities for exploitation. Previously, Java and Acrobat/Reader vulnerabilities were some of the most frequently targeted by exploit kits.
• We saw fewer exploit kit “brands” in use in 2014. This was in contrast to previous years, where the number of exploit kit “brands” was growing. However, the kits that are currently being actively developed are becoming more sophisticated, with increasing use of evasion techniques.

Figure 1. Number of exploit kits in use

What can users and enterprises do to protect themselves against these threats? The most important defense against an exploit kit is to keep installed software up to date. While zero-days are seeing more usage in exploit kits, older vulnerabilities that have already been patched are still widely used. By keeping their software updated, end users can mitigate much of the risk associated with these threats.

Security products can also help mitigate the risks. Products with smart sandboxes can be used to help find and detect malicious behavior, including zero-day exploits. In addition, products that use web and file reputation detection can also block the redirection chain and detect payloads.


Almost every Patch Tuesday cycle contains one bulletin that (for convenience) rolls up multiple Internet Explorer vulnerabilities into a single bulletin. February’s Patch Tuesday cumulative IE bulletin (MS15-009) included a fix for a particularly interesting vulnerability that could be used to bypass one of the key anti-exploit technologies in use today, address space layout randomization (ASLR).

This vulnerability was designated CVE-2015-0071. To be used in an attack, this vulnerability must be combined with another one that is capable of actually running code on the affected machines. In attacks seen by iSIGHT, this has been paired with an Adobe Flash vulnerability (CVE-2014-9163), which was fixed in December.

This vulnerability was found in the jscript9.dll module. To analyze this vulnerability, I examined this file (version 9.0.8112.1645) on a Windows 7, 32-bit system.

Patch differences

Examining the patched and unpatched versions of this DLL, we found a modification in the SetProperty function.

Figure 1. Patched SetProperty function

Figure 2. Unpatched SetProperty function

In the patched version, the function Js::JavascriptRegExpConstructors::EnsureValues is called, and only then is the property’s value set. The unpatched version does not call this particular function at all.

The function EnsureValues can show us how to fully analyze this vulnerability. To do this, we need to explain some data structures dealing with regular expressions.

© Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice