Trend Micro TrendLabs Malware Blog, December 2014

    This year’s last installment of Microsoft’s Patch Tuesday security advisories includes MS14-075, a bulletin for Microsoft Exchange Server that had been delayed last November. It was rated Important because of an elevation of privilege vulnerability affecting several versions of Exchange: 2007 (SP3), 2010 (SP3), and 2013 (Cumulative Update 6). Last month, Microsoft originally listed the patch date for MS14-075 as “Release date to be determined”.

    Microsoft Rates 3 Bulletins as ‘Critical’, 4 as ‘Important’

    A total of three critical bulletins were listed: MS14-080, MS14-081, and MS14-084. MS14-080 resolved vulnerabilities in Internet Explorer, while MS14-081 patched previously reported bugs in Microsoft Word and Microsoft Office Web Apps. MS14-084 fixed a remote code execution vulnerability in the VBScript scripting engine in Microsoft Windows.

    As previously discussed, MS14-075 was given an ‘Important’ rating due to an elevation of privilege vulnerability across various versions of Microsoft Exchange Server. MS14-082 and MS14-083 both addressed remote code execution flaws in Microsoft Office programs, while MS14-085 fixed a bug that “could allow information disclosure if a user browses to a website containing specially crafted JPEG content.”

    It is highly recommended that users and system administrators patch these vulnerabilities immediately. Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

    • 1000552 – Generic Cross Site Scripting(XSS) Prevention
    • 1006346 – Identified Unvalidated Redirect And Forward Over HTTP
    • 1006373 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6327)
    • 1006376 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6329)
    • 1006378 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6330)
    • 1006383 – Microsoft Internet Explorer VBScript Memory Corruption Vulnerability (CVE-2014-6363)
    • 1006374 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6366)
    • 1006396 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6369)
    • 1006379 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6373)
    • 1006387 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6375)
    • 1006371 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-6376)
    • 1006381 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8966)
    • 1006393 – Microsoft Word Index Remote Code Execution Vulnerability (CVE-2014-6356)
    • 1006370 – Microsoft Word Use After Free Remote Code Execution Vulnerability (CVE-2014-6357)
    • 1006394 – Microsoft Office Component Use After Free Vulnerability (CVE-2014-6364)
    • 1006385 – Microsoft Excel Global Free Remote Code Execution Vulnerability (CVE-2014-6360)
    • 1006382 – Microsoft Excel Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6361)
    • 1006380 – Microsoft Graphics Component Information Disclosure Vulnerability (CVE-2014-6355)

    More information about these bulletins and their corresponding Trend Micro solutions is posted on our Threat Encyclopedia page: December 2014 – Microsoft Releases 7 Security Advisories.


    Earlier this month, security researchers discovered a new PoS malware family, which they named “LusyPOS” after a reference in Russian underground forums. We detect this as TSPY_POSLUSY.A. In their analysis, they mentioned that it had some characteristics linked to the Dexter family of PoS malware. It also had behavior similar to the Chewbacca PoS malware (which we detect as TSPY_FYSNA.A), which is known to use the Tor network to connect to its command-and-control (C&C) servers.

    However, we believe that LusyPOS is more clearly related to Dexter than it is to Chewbacca, despite the usage of Tor. Dexter and Chewbacca have very distinct text strings used within their code. For example, some variable names are used in Dexter’s code which are not found in Chewbacca. Dexter is one of the most popular and long-running PoS malware families, and we closely monitor this particular threat in order to help protect our customers.

    We’d earlier documented these names – and their uses – in our previous paper analyzing existing PoS malware families. Some of the strings that were identified in LusyPOS were also found in Dexter. For example, the following strings are known to be HTTP POST variables used by Dexter:

    • page
    • ump
    • ks
    • opt
    • unm
    • cnm
    • view
    • spec
    • query
    • val
    • var
    • nbsp

    Similarly, the following are commands that are known to be processed by Dexter:

    • download
    • update
    • checkin
    • scanin
    • uninstall

    The same paper also contains strings used by Chewbacca; however, the analysis of LusyPOS did not indicate that these strings are present.

    So what does this mean? The information suggests that this new LusyPOS malware family is more closely related to Dexter than to Chewbacca. It’s possible that LusyPOS is a new Dexter variant that has copied the Tor behavior of the newer Chewbacca family. Considering the recognized threat that Dexter poses, this is a significant addition to the repertoire of existing PoS threats. Such a capability would be welcomed by cybercriminals, particularly during this time of year.

    The original researchers note that it would be highly abnormal for PoS systems to connect to the Tor network, which is correct. Appropriate firewalls and other network solutions can be used to spot and block this activity as it is found.
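The string overlap described above can be turned into a repeatable triage check. The following Python script is an added example (not code from the original post or from Trend Micro): it extracts printable strings from a sample, splits them into whole tokens, and scores how much of the Dexter POST-variable and command set listed above is present. The two byte blobs it scans are constructed stand-ins, not real malware bytes, and the 0.6 threshold is an arbitrary assumption chosen for illustration.

```python
import re
from dataclasses import dataclass

# Strings the post identifies as Dexter HTTP POST variable names and C&C commands.
DEXTER_POST_VARS = frozenset({"page", "ump", "ks", "opt", "unm", "cnm",
                              "view", "spec", "query", "val", "var", "nbsp"})
DEXTER_COMMANDS = frozenset({"download", "update", "checkin", "scanin", "uninstall"})

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # ASCII runs of 4+ bytes, like `strings`
_TOKEN = re.compile(r"[A-Za-z0-9_]+")               # identifier-like pieces of a run


def extract_tokens(data: bytes) -> set[str]:
    """Split printable ASCII runs into whole tokens.

    Matching whole tokens rather than substrings keeps short names such as
    "ks" or "val" from matching inside unrelated words ("disks", "value").
    """
    tokens: set[str] = set()
    for run in _PRINTABLE_RUN.findall(data):
        tokens.update(_TOKEN.findall(run.decode("ascii")))
    return tokens


@dataclass
class DexterOverlap:
    post_vars: set[str]
    commands: set[str]

    @property
    def score(self) -> float:
        """Fraction of the combined Dexter string set present in the sample."""
        total = len(DEXTER_POST_VARS) + len(DEXTER_COMMANDS)
        return (len(self.post_vars) + len(self.commands)) / total


def dexter_overlap(data: bytes) -> DexterOverlap:
    """Which Dexter POST variables and commands appear as whole tokens in `data`."""
    tokens = extract_tokens(data)
    return DexterOverlap(post_vars=set(tokens & DEXTER_POST_VARS),
                         commands=set(tokens & DEXTER_COMMANDS))


def looks_dexter_related(data: bytes, threshold: float = 0.6) -> bool:
    """Triage heuristic (threshold is an assumption): most Dexter strings present."""
    return dexter_overlap(data).score >= threshold


# Constructed samples, not real malware: one mimics the POST body template and
# command table the post describes, the other is a benign-looking PE-style blob.
SUSPECT_BLOB = (
    b"\x00\x00MZ\x90\x00"
    b"page=%s&ump=%s&ks=%s&opt=%s&unm=%s&cnm=%s&view=%s&spec=%s&query=%s&val=%s&var=%s\x00"
    b"download\x00update\x00checkin\x00scanin\x00uninstall\x00&nbsp;\x00"
)
BENIGN_BLOB = b"MZ\x90\x00This program cannot be run in DOS mode.\x00update\x00page 1 of 2\x00"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB)):
        hit = dexter_overlap(blob)
        print(f"{name}: score={hit.score:.2f} vars={sorted(hit.post_vars)} "
              f"cmds={sorted(hit.commands)} related={looks_dexter_related(blob)}")
```

Whole-token matching is what keeps two- and three-letter names such as `ks` or `val` from matching inside unrelated words. A score like this supports an analyst's judgement about family relationships; it is far too coarse to serve as a detection signature on its own, as the incidental `page` and `update` hits in the benign blob show.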

    Update as of 1:00 A.M. PST, December 10, 2014

    We have edited this entry to clarify the reference to the relationship between LusyPOS and Chewbacca.


    Posted at 11:00 pm (UTC-7)

    It’s that time of year again – the last quarter of the year is a time for many of us to buy a new smartphone, as we look at the new devices launched relatively recently by Apple, Samsung, and all the other phone providers and decide which one we shall use for the duration of our next smartphone contract.

    I’m sure that many of us will take home brand new iPhones and Android devices and set them up just the way we want our personal devices to be. We should take a minute to remember, however, that because these devices are so personal to us, the damage a hacked smartphone can do is significant.

    Imagine what would happen if a hacker stole your personal data. We don’t have to imagine, however, as this has happened to many users in 2014. At the very least, this is embarrassing to the user in question, but to some it may be more than that.

    Your wallet may be at risk as well. Some cybercriminals try to sign their victims up for various premium SMS services that charge users as part of their monthly bill; others go for bigger fish and try to compromise the user’s online banking accounts – either by intercepting any confirmation codes sent to the user or by hijacking any mobile banking sessions completely.

    Either way, we need to do what we can and make sure that our personal mobile devices stay that way – personal. When you buy a new smartphone or tablet you need to set it up not only to make yourself comfortable with the device, but also to make things more secure.

    On Apple devices, the best thing you can do to stay safe is not to do something else: jailbreaking. By default, all iOS devices like the new iPhone live in a walled garden – what gets in has been approved by Apple. They do a reasonably good job of keeping their users safe.

    This changes, however, if you jailbreak your phone. Yes, you can now install apps that Apple didn’t approve, but these apps can be security risks. In addition, you may not be able to update your device to the latest version of iOS. In short: if you want to keep your iOS device secure, not jailbreaking is an excellent start.

    What about Android devices? What you can do here is to minimize your exposure to malicious apps. Don’t allow apps to be installed from risky sources, like third-party app stores. You should also install a security solution on your phone to catch any threats that may slip through and reach your phone.

    In addition to protecting yourself from mobile malware, you should also realize that because you carry a smartphone everywhere, you can lose your device very easily. If this happens, you may end up losing control of your personal data. Make sure you turn on your lock screen password and device encryption so that if you do lose your phone, the risk of losing your own data is minimized.

    A smartphone is not just a shiny gadget; it is also a storehouse for large amounts of your own valuable information. When you buy your new phone, keep that in mind and set your phone up accordingly.


    Posted at 4:47 pm (UTC-7)

    Our previous blog entry discussed the “destructive” FBI security advisory and an analysis about the WIPALL malware family and its direct connection to the massive Sony Pictures hack. In this blog post, we will further discuss other WIPALL malware variants and their main routines that link to the #GOP warning seen in infected computers of Sony Pictures employees. Below is an overview of the infection chain to be discussed in this entry:

    BKDR64_WIPALL.F Disables McAfee’s Services

    The WIPALL variant BKDR_WIPALL.C shares the same code as the previously discussed variant, BKDR_WIPALL.B. In the case of BKDR_WIPALL.C, the dropped copy is named igfxtrays{2 random characters}.exe, and it executes several copies of itself with specific parameters (-a, -m, -d, -s) that select its main routines.

    Figure 1. Main malware routines of BKDR_WIPALL.C

    Notably, BKDR_WIPALL.C checks whether the infected system is 64-bit. If it is, the malware drops kph.sys (the KProcessHacker driver) and its component ams.exe (detected as BKDR64_WIPALL.F).

    We noticed that BKDR64_WIPALL.F replaces McAfee’s real-time scanner, mcshield.exe, with another file located in its current directory, while the original mcshield.exe is moved to the system32 directory. As a result, when McAfee’s service starts, the replacement file is executed instead of the legitimate real-time scanner component, effectively disabling the antivirus.

    Figure 2. BKDR64_WIPALL.F obtains the Image Path of McShield.exe from the registry’s list of services: HKLM\CurrentControlSet\services\McShield

    Figure 3. BKDR64_WIPALL.F moves the legitimate mcshield.exe to the System32 folder and replaces it with another mcshield.exe located in the malware’s current directory

    BKDR64_WIPALL.F installs KProcessHacker as a driver service and uses it to terminate the following running processes related to McAfee’s antivirus application (also listed in the infection chain above). This is an added measure to ensure the malware’s smooth execution.

    • mcshield.exe
    • UdaterUI.exe
    • McTray.exe
    • shstat.exe
    • FrameworkService.exe
    • VsTskMgr.exe
    • mfeann.exe
    • naPrdMgr.exe

    Based on our analysis, BKDR64_WIPALL.F likely used a driver service because it runs with higher privilege than a typical user-mode application, which ensures that the processes are terminated.

    Figure 4. BKDR64_WIPALL.F installs the KProcessHacker component (kph.sys) as a service driver

    Figure 5. BKDR64_WIPALL.F checks all running processes with the hardcoded list of processes related to McAfee antivirus applications

    Figure 6. It uses the KProcessHacker service driver as a device object to terminate the processes
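The three routines described above (a KProcessHacker kernel driver installed as a service, the legitimate mcshield.exe relocated into System32, and the McAfee process list terminated in quick succession) make a compact correlation pattern for endpoint telemetry. The Python script below is an added example, not code from the original post or from Trend Micro: it runs a few rules over a constructed list of events in the shape an EDR or Sysmon-style pipeline might emit. The event schema, the directories, the 60-second window and the two-rule verdict threshold are assumptions made for the example; only the process names, the kph.sys driver, the igfxtrays{2 random characters}.exe naming and the System32 relocation come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Process names the post lists as terminated by BKDR64_WIPALL.F (compared case-insensitively).
MCAFEE_PROCESSES = frozenset({
    "mcshield.exe", "udaterui.exe", "mctray.exe", "shstat.exe",
    "frameworkservice.exe", "vstskmgr.exe", "mfeann.exe", "naprdmgr.exe",
})
# BKDR_WIPALL.C drops copies of itself named igfxtrays{2 random characters}.exe.
DROPPER_NAME = re.compile(r"^igfxtrays.{2}\.exe$", re.IGNORECASE)
KILL_WINDOW = timedelta(seconds=60)   # assumption: how close together the kills must be
MIN_KILLS = 3                         # assumption: distinct McAfee processes to trigger


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (PureWindowsPath works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def _in_system32(path: str) -> bool:
    return "system32" in (p.lower() for p in PureWindowsPath(path).parts)


def analyse(events: list[dict]) -> list[str]:
    """Run the WIPALL correlation rules; return one finding string per rule that fired."""
    findings: list[str] = []
    dropper_actors: set[str] = set()
    kills: dict[str, list[tuple[datetime, str]]] = defaultdict(list)

    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = ev.get("actor", "")
        if DROPPER_NAME.match(_base(actor)):
            dropper_actors.add(_base(actor))
        kind = ev["kind"]
        if (kind == "service_install" and ev.get("type") == "kernel_driver"
                and _base(ev["image_path"]) == "kph.sys"):
            findings.append(f"kph.sys (KProcessHacker) installed as kernel driver service "
                            f"{ev['name']!r} by {_base(actor)}")
        elif (kind == "file_move" and _base(ev["src"]) == "mcshield.exe"
                and _in_system32(ev["dst"])):
            findings.append(f"mcshield.exe relocated into System32 by {_base(actor)}: "
                            f"{ev['src']} -> {ev['dst']}")
        elif kind == "process_terminate" and _base(ev["target"]) in MCAFEE_PROCESSES:
            kills[actor].append((datetime.fromisoformat(ev["ts"]), _base(ev["target"])))

    for name in sorted(dropper_actors):
        findings.append(f"process name matches WIPALL dropper pattern igfxtrays??.exe: {name}")

    for actor, seq in kills.items():
        # Sliding window over this actor's time-ordered kills: count distinct
        # McAfee processes terminated within KILL_WINDOW of each other.
        for i, (t0, _) in enumerate(seq):
            names = {p for t, p in seq[i:] if t - t0 <= KILL_WINDOW}
            if len(names) >= MIN_KILLS:
                findings.append(f"{len(names)} McAfee processes terminated within "
                                f"{KILL_WINDOW.seconds}s by {_base(actor)}: {sorted(names)}")
                break
    return findings


def is_wipall_like(events: list[dict], min_rules: int = 2) -> bool:
    """Verdict helper: require at least two independent rules to fire (assumed threshold)."""
    return len(analyse(events)) >= min_rules


# Constructed telemetry, not a real capture. Directories are assumptions;
# file and process names follow the post.
SAMPLE_EVENTS = [
    {"ts": "2014-12-05T10:00:00", "kind": "process_create",
     "actor": r"C:\Windows\igfxtraysAB.exe", "target": r"C:\Windows\ams.exe"},
    {"ts": "2014-12-05T10:00:01", "kind": "service_install", "actor": r"C:\Windows\ams.exe",
     "name": "KProcessHacker", "type": "kernel_driver", "image_path": r"C:\Windows\kph.sys"},
    {"ts": "2014-12-05T10:00:02", "kind": "file_move", "actor": r"C:\Windows\ams.exe",
     "src": r"C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe",
     "dst": r"C:\Windows\System32\mcshield.exe"},
    {"ts": "2014-12-05T10:00:03", "kind": "process_terminate", "actor": r"C:\Windows\ams.exe", "target": "mcshield.exe"},
    {"ts": "2014-12-05T10:00:04", "kind": "process_terminate", "actor": r"C:\Windows\ams.exe", "target": "McTray.exe"},
    {"ts": "2014-12-05T10:00:05", "kind": "process_terminate", "actor": r"C:\Windows\ams.exe", "target": "shstat.exe"},
    {"ts": "2014-12-05T10:00:06", "kind": "process_terminate", "actor": r"C:\Windows\ams.exe", "target": "FrameworkService.exe"},
]
# Benign activity: an administrator closing the tray icon, and an unrelated driver install.
BENIGN_EVENTS = [
    {"ts": "2014-12-05T11:00:00", "kind": "process_terminate",
     "actor": r"C:\Windows\System32\taskmgr.exe", "target": "McTray.exe"},
    {"ts": "2014-12-05T11:05:00", "kind": "service_install", "actor": r"C:\Windows\System32\services.exe",
     "name": "exampledrv", "type": "kernel_driver", "image_path": r"C:\Windows\System32\drivers\exampledrv.sys"},
]

if __name__ == "__main__":
    for label, evs in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(f"{label}: wipall_like={is_wipall_like(evs)}")
        for finding in analyse(evs):
            print("  -", finding)
```

Requiring two rules to agree is the point of the verdict helper: a single McAfee process ending, or a single driver install, is routine administrative noise, whereas a kernel driver named kph.sys landing seconds before the real-time scanner binary is moved out of its install directory is the sequence this post describes and is worth an alert on its own merits.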

    Tracing Back to #GOP

    Both this attack and the one we discussed in our previous blog entry were found to trace back to the hacker group named #GOP or “Guardians of Peace.”

    The BKDR_WIPALL.A infection chain (via its component BKDR_WIPALL.E) leads to an HTML file displaying the message, along with the files back.jpg and index.wav. All of these are encrypted and embedded in the component iissvr.exe (detected as BKDR_WIPALL.E).

    Similarly, the infection chain for BKDR_WIPALL.D (via its component BKDR_WIPALL.C) displays the #GOP message in an image file dropped as walls.bmp.

    Figure 7: Top: walls.bmp dropped by BKDR_WIPALL.C;
    Bottom: Scrolling message in an HTML file loaded by BKDR_WIPALL.E

    There have been reports linking these attacks to North Korea as the culprit, and some claim that the Sony hack may have been an inside job. While nothing is confirmed at the moment, we advise users to exercise vigilance in their online activities to ensure private data stays that way.

    Read our timeline of events related to the Sony hack in our page: The Hack of Sony Pictures: What We Know and What You Need to Know.

    Analysis by Rhena Inocencio and Joie Salvio

    Related hashes:

    • D1C27EE7CE18675974EDF42D4EEA25C6 as BKDR_WIPALL.A
    • 760C35A80D758F032D02CF4DB12D3E55 as BKDR_WIPALL.B
    • E1864A55D5CCB76AF4BF7A0AE16279BA as BKDR_WIPALL.E
    • B80AA583591EAF758FD95AB4EA7AFE39 as BKDR_WIPALL.C
    • 2618DD3E5C59CA851F03DF12C0CAB3B8 as BKDR_WIPALL.D
    • 7E5FEE143FB44FDB0D24A1D32B2BD4BB as BKDR64_WIPALL.F


    Our coverage of the Sony attack continues as we spot more developments. Here is a list of our stories related to this incident:


    The holiday season often means a lot of activity for couriers and parcel services, as people turn to online shopping and begin to send their gifts to far-flung loved ones. As such, it wouldn’t be too surprising to receive a notification or memo about a specific package that’s meant for you.

    Cybercriminals are aware of this and have begun using parcel delivery as the social engineering lure for recent crypto-ransomware attacks in the EMEA (Europe-Middle East-Africa) region. This is a marked shift, as previous attacks involved invoices and financial statements.

    Based on feedback collected via the Trend Micro Smart Protection Network, certain countries have become the top victims of crypto-ransomware for the last three months. Looking at the charts below, we can see that Spain, France, Turkey, Italy, and the UK are among the “consistent” victims of crypto-ransomware.

    Figure 1. Top infected countries in the EMEA region, September 2014




    © Copyright 2013 Trend Micro Inc. All rights reserved.