Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2015
    S M T W T F S
    « Jun    
  • Email Subscription

  • About Us

    The past week has seen some interesting news in the world of online security. First, the US government announced that all websites maintained by federal agencies must be using HTTPS by the end of 2016. Second, the Wikimedia Foundation (best known for Wikipedia) announced that they, too, were rolling out mandatory HTTPS for their own sites as well, with full completion expected “within a couple of weeks”.

    With large organizations moving to full-time HTTPS, and browser vendors pushing for it as well (Mozilla has gone on record that eventually, new features will only be for sites running HTTPS), is it time for smaller site owners to make the move as well? Should end users pressure their favorite sites to adopt HTTPS? Will it really help online security?

    The short answer is yes. Site owners should strongly consider enabling HTTPS for their sites. It’s been clear to many people that in the long run, meaningful adoption of HTTPS would increase the security of the Web. Web giants such as Google and Mozilla, plus international bodies like the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C) have all spoken out in favor of this. Sites that are being set up now should use HTTPS from the start. That’s the direction the web is going today, and a site that’s being set up now should be built with the safety and privacy of its users in mind. For existing sites, enabling HTTPS as soon as is practical is something that owners should strongly consider, especially if sensitive data is being handled.

    Another thing to consider for website administrators is that in the long run, search engines may make HTTPS usage part of their ranking algorithms. Google is already doing just that. While for now it’s not a particularly significant “signal”, down the road that could change. It’s a good idea for site owners to get ahead of the curve and move their users to a more secure and private web.

    HTTPS: A Good Start

    It is important to note that while the mandate to adopt HTTPS is a very important step to improve online security, the effort should not stop there. HTTPS is definitely an improvement, but it is not perfect and is far from a cure-all when it comes to online security.

    Think of it as the equivalent of sending a letter in a secure container; a safe, for instance. An attacker could replace the entire container by their very secure but fake safe, steal the letter after it’s opened (steal the decrypted data from the user’s own machine), or send the user a very secure safe with a bomb inside (direct the user to a malicious  site through a secure channel).  HTTPS deals with the issue of security “in transit”, i.e., while the data is being sent across the Internet. It doesn’t solve other problems with online security, and was never meant to.

    These developments to make HTTPS implementation a norm on the Web is definitely a step into the right direction and it is crucial for website owners to follow suit.


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    The recent Duqu 2.0 targeted attack used several zero-day vulnerabilities as part of its attack. One of the vulnerabilities used was CVE-2015-2360, which was fixed by MS15-061 as part of the June Patch Tuesday release. Like CVE-2015-1701, this is also in the Win32k.sys file, which is commonly targeted by attackers to bypass existing vulnerability mitigation techniques.

    The vulnerability lies in how windows are handled by the operating system. Some background information about this is necessary:

    1. If an application wants to show a window, it needs to perform two steps:
      1. Registering a window class. This will lead the OS kernel to create a window class object, which exists in kernel space and an application program cannot access it directly from user mode. The structure is named tagCLS. The window class object specifies the window ‘s style and behavior.
      2. Creating a window with the window class object which was registering in the previous step. The progress will lead the OS kernel to create a window object, which exists in kernel space and application program cannot access it directly from user mode. This structure is named tagWND.
    2. Every window has a window procedure to handle window messages. The window procedure can be run in user mode or kernel mode. It depends on the window class object’s file named CSF_flags. If the CSF_flags field has the flag “Server Side Proc”, the window object’s window procedure can be run in kernel mode. If it does not have the flag, the window object’s window procedure can be run in user mode. If one application program provides its own window procedure which is not the default window procedure, the window procedure only runs in user mode: the window class object’s CSF_flags field doesn’t include “Server Side Proc” flag.

    Figure 1. tagCLS structure

    From Figure 1, we can see the tagCLS structure’s CSF_flags field is a 32-bit number. Every bit represents one Characteristic. The first bit is the flag for the “Server Side Proc” characteristic.

    1. win32.sys has a characteristic that it will switch to user mode to run some user mode callback functions to do some work which is fit for user mode. This is frequently exploited by attackers.

    Let’s take a look the vulnerability. The vulnerability can be summarized in the following figure:

    Figure 2. Vulnerable message handling process

    When a window message is received (for example, from WM_SetIcon), the kernel will handle the message. The process is lengthy. In the above illustration, I only included the parts which are related to the vulnerability. The vulnerability exists in the step 4: it doesn’t check that the tagCLS object is valid after it switches back from user mode and continuously does some operation on the tagCLS object. This poses a serious security risk


    This type of vulnerability is not very easy to exploit, because the attacker needs to be very familiar with the working model of win32k.sys This type of vulnerability can be exploited with several common techniques; I list one possibility below:

    Figure 3. Possible exploit methodology

    After step 7, the attacker can create a window with the modified tagCLS object which has “Server Side Proc” flag. The window’s procedure can be run in kernel mode. This means that the attacker can now run their code with elevated kernel mode privileges, effectively allowing for a complete compromise of the affected system.


    The most effective solution for this vulnerability is to roll out the appropriate official patch. It is also worth noting that this vulnerability is only an escalation-of-privilege vulnerability. Other attack techniques are necessary to get code running on the targeted system in the first place; solutions that focus on preventing and detecting these may also be useful to administrators.


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    It doesn’t take an advanced malware to disrupt a business operation. In fact, even a simple backdoor is enough to do it.

    Earlier this year the Trend Micro Forward-Looking Threat Research Team closely monitored the operations of two Nigerian cybercriminals — identified through aliases Uche and Okiki — who attacked small businesses from developing countries to steal information and intercept transactions with their targets’ partners. All this was done through HawkEye, a simple backdoor that costs around $35.

    While the malware used is simple, the cybercriminal operation itself is not. The operations run by Uche and Okiki, the cybercriminals we investigated on, move away from what we normally see in one-man operations where stolen information is simply sold off to others. Uche and Okiki made use of the information they captured in looking for more opportunities to steal from their victims.

    Taking their Time

    Unlike in typically-seen operations where cybercriminals prefer the “smash and grab” technique — where they send out spam emails with a malware attachment and bank on the chance that the victim runs it — Uche and Okiki took their sweet time engaging with their victims. Specifically targeting company mailboxes meant to receive inquiries from external parties, the cybercriminals sent emails to their targets that didn’t come with any malicious attachment or agenda, and actively communicated with them.

    Figure 1. Sample of actual email sent out by Okiki to his targets

    Once they have gained their targets’ trust, they then used the context of their communication to send HawkEye, ensuring infection and system compromise.

    Bigger Payout

    Instead of aiming to steal information like online banking or social networking credentials, Uche’s and Okiki’s schemes had a different target: the company webmail account. This difference in strategy created more opportunities for these cybercriminals, as getting access to the target’s company email gave them visibility of correspondences between the target and their partners and customers, their transactions and all other information.

    With access to their victims’ transactions, Uche and Okiki used this visibility to launch more schemes which varied from targeting the victims’ affiliates, performing lateral movement to their targets’ bigger offices, to conducting “change of supplier” fraud.

    The “change of supplier” fraud scheme is one that we think brought bigger payouts for Uche and Okiki, since it involves intercepting communications between a supplier and their customers in terms of payment details. What the cybercriminals do is send an email to the customer using the victim’s account (in this case, the supplier) to wrongly inform them that the account details to where they can send in their payment has changed. What is then provided is not an account owned by the supplier, but by the cybercriminal himself. “Change of supplier” schemes ran using Predator Pain and Limitless in the past netted attackers up to $75 million US dollars.

    Big Threat to Small Businesses

    Our findings on these operations show how clever cybercriminals can get in using the tools and information they have in order to steal as much as they can from their targets. This level of focus from cybercriminals, combined with the challenges small businesses face in building a solid security strategy for their network, make up a scenario that is strongly in favor of the bad guys.

    Our full documentation of Uche’s and Okiki’s operations and technical analysis of HawkEye are all in our research paper, Piercing the HawkEye: Nigerian Cybercriminals Use a Simple Keylogger to Prey on SMBs Worldwide.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Adobe may have already patched a Flash Player vulnerability last week, but several users—especially those in the US, Canada, and the UK —are still currently exposed and are at risk of getting infected with CryptoWall 3.0. The Magnitude Exploit Kit included an exploit, detected as SWF_EXPLOIT.MJTE, for the said vulnerability, allowing attackers to spread crypto-ransomware into their target systems. We first saw signs of this activity yesterday, June 15, through our monitoring of threat intelligence from the Trend Micro™ Smart Protection Network™.

    This particular vulnerability, identified as CVE-2015-3105, was fixed as part of Adobe’s regular June Update for Adobe Flash Player which upgraded the software to version However, many users are still running the previous version (, which means that a lot of users are still at risk.

    As of this week, these are the top 10 countries most affected by this threat:

    1. United States
    2. Canada
    3. UK
    4. Germany
    5. France
    6. Australia
    7. Italy
    8. Turkey
    9. India
    10. Belgium

    Ongoing Exploit Problem

    This is another example of how cybercriminals rapidly take advantage of recently-patched vulnerabilities through exploit kits. We saw a similar incident in March, where exploits for an Adobe Flash Player vulnerability were added to the Nuclear Exploit Kit just a week after the patch was released. We also noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that shows no sign of changing soon.

    Figure 1. Flash version used in testing

    The SWF sample we acquired is heavily obfuscated using secureSWF, and uses two shaders for the actual exploit code.

    Figure 2. Shaders used in exploit code

    Widely-used exploit kits such as Magnitude are often well-maintained with new vulnerabilities. Our research on these tools reveals that Magnitude is one of the most used exploit kits by cybercriminals along with SweetOrange and Angler.

    CryptoWall is also another notable threat in and of itself. We initially saw CryptoWall last year spreading through spam, and again later this year partnering with information stealing malware FAREIT.

    Figure 3. Ransomware demand page

    Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.  Meanwhile, the Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention protects against exploits that target browsers or related plugins.

    We recommend that users stay up-to-date with the latest Flash Player version, and this incident is an excellent reminder of just how important it is to do so. We also note that Google Chrome automatically updates its own included version of Flash Player.

    The malicious Adobe Flash exploit is detected as SWF_EXPLOIT.MJTE. Below is its SHA1:

    • 16ad317b7950c63720f9c7937a60ee3ea78cc940

    Additional analysis by Brooks Li and Joseph C Chen

    Update as of June 16, 2015, 8:30 A.M. PST: We have updated the entry to include the detection name for the exploit.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Windows XP reached end of support last year and now it’s time for another end of life—Windows Server 2003. On July 14, 2015, this widely deployed Microsoft operating system will reach its end of life—a long run since its launch in April 2003. Estimates on the number of still-active Windows Server 2003 users vary from 2.6 to 11 million.

    But this new end of life will raise a whole new set of challenges. Unlike Windows XP, Windows Server 2003 is a server operating system. While Windows XP is used in home PCs and enterprise workstations/laptops, Windows 2003 offers a deeper attack surface across enterprise servers. Windows Server 2003 is (still) widely deployed for core business functions as Directory Server, File Server, DNS Server, and Email Server. Organizations depend on it to run critical business applications and support their internal services like Active Directory, File Sharing, and hosting internal websites.

    When support ends for Windows Server 2003, there won’t be a mechanism to keep it up to date, which is critical in preventing security issues. Typically, security issues would be resolved by regular support for an operating system, which involves:

    • Getting security updates to protect against vulnerabilities
    • Getting regular support on almost any issue with the product
    • Getting non-security updates, i.e., the ‘regular’ bug fixes

    Understanding the risk

    End of life for an operating system—specifically for Windows Server 2003—means the beginning of a lot of effort for your IT department. Organizations like yours must prepare to deal with missing security updates, compliance issues, fighting malware, and other non-security bugs. You will no longer receive patches for security issues or notifications of vulnerabilities. And you will no longer know when there are vulnerabilities that affect your servers.

    At the time of launch, Windows 2003 was as a much safer alternative to Windows 2000. Over time, it became clear that it had its own share of vulnerabilities. CVE Details notes that organizations with Windows Server 2003 faced close to 403 vulnerabilities with 27% of them being remote code execution vulnerabilities. Without notifications to help monitor and measure the risk associated with these vulnerabilities, you may be left facing a big hole in your server security.

    To understand the risk further, let’s see how a similar situation played out for Windows 2000, which reached its end of support on July 13, 2010. There have been several vulnerabilities reported in other versions of Windows operating systems since then. But how many of them affected Windows 2000? One example would be the vulnerability MS10-061, which did affect Windows 2000. It should be noted that there was no security patch for it.

    Unfortunately, you could be facing a similar situation for Windows Server 2003. After July 14, you will no longer be notified of new vulnerabilities and there will no longer be any notifications or patches available to help protect your systems. But you can still take action to keep your out-of-date systems secure before it’s too late. Now is the time for serious planning and careful risk assessment.

    What should system administrators do?

    Migrating to a more recent operating system is definitely the preferred option. But many organizations may face a number of barriers to timely migration—constraints such as limited budget, lack of technical expertise, and reliance on legacy applications.

    Knowing that many organizations will delay migration, attackers will be actively looking for valuable data on out-of-support servers. To prevent intrusions, you need to assess the risk of the data residing on those servers. You need to determine whether the data is secured by itself. If not, you need to ensure advanced security controls are in place. The security capabilities that will best help you to maximize protection of your Windows Server 2003 environment include intrusion prevention system, integrity monitoring, and anti-malware solutions.

    How can Trend Micro help?

    Trend Micro Deep Security uses a combination of the best technologies to protect all of your servers, whether they are out of support or not. Trend Micro Intrusion Prevention System uses virtual patching to help you protect against vulnerabilities in your operating system and in applications running on those servers. It also helps to keep malware off your servers using the power of the Trend Micro Smart Protection Network (SPN) to share critical information.

    Finally, Deep Security helps you monitor any suspicious system changes to your servers using their integrity monitoring capabilities. You can rest easy knowing that you have maximum protection for your end-of-life servers until you can migrate to newer platforms.

    Stay up to date on vulnerabilities and to learn more about how Trend Micro can help protect your organization.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice