
    Out with the old, in with the new? When it comes to cybercrime, that’s rarely the case. We often see old malware get upgrades with new techniques, payloads, and even targets. This is certainly the case for an old Java remote access Trojan (RAT) detected as JAVA_OZNEB.B.

    Users may encounter this threat as an attachment to spammed emails. These emails are often financial in nature. One such email pretends to be from American Express, informing recipients that their accounts have been suspended due to suspicious activity. To reactivate, they must fill out the attachment and send it back to American Express. The attachment is actually the malware in disguise. Users may also encounter the malware online pretending to be catalogues, product lists, or receipts.

    Figure 1. Sample spammed message

    Once it infects the computer, the RAT can perform a variety of routines, such as taking screenshots, displaying messages, and loading additional plugins, including one for mining Litecoins. The option for additional plugins makes the malware a high-risk threat, as cybercriminals can update and tweak routines as they wish. Making the malware a bigger threat is the fact that it can run on multiple platforms. It should be noted that this is not the first Java RAT that affects multiple platforms; we first spotted one in 2012.

    JAVA_OZNEB.B was previously known as Adwind then later renamed to UNRECOM (Universal Remote Control Multi-Platform). Aside from the new name, the malware also experienced an upgrade: it can now run on the Android platform. The inclusion of Android in the set-up is highly notable because aside from running in Android, this malware now also works as an APK binder. Put simply, the malware can be used to Trojanize legitimate apps, like an Android malware we’ve previously discussed.

    The inclusion of a Litecoin miner plugin is highly notable, given the slew of threats targeting cryptocurrencies we’ve seen recently. Litecoin is a cryptocurrency that’s often considered as a popular alternative to Bitcoin. The Litecoin plugin can allow a remote malicious user to use an infected computer to mine Litecoins. Mining digital currencies requires a lot of computing power so victims may experience sluggish performance from their infected computers.

    Feedback from the Smart Protection Network shows that affected countries include the United States, Turkey, Australia, Taiwan, Singapore, and Japan. We advise users to be cautious when opening emails, even if they appear to come from reputable senders. For matters related to finance, it’s best to call the financial institution involved to resolve potential issues.

    With additional insights from Lala Manly.


    In an earlier blog post, we mentioned that mobile apps are also affected by the Heartbleed vulnerability. This is because mobile apps may connect to servers affected by the bug. However, it appears that mobile apps themselves could be vulnerable because of a bundled OpenSSL library.

    OpenSSL Library Present in Android 4.1.1 and Certain Mobile Apps

    We have information that although the buggy OpenSSL is integrated with the Android system, only the Android 4.1.1 version is affected by the Heartbleed vulnerability. For devices with that version, any app installed with OpenSSL which is then used to establish SSL/TLS connections is possibly affected and can be compromised to get user information from the device memory.

    However, even if your device is not using the affected version, there is still the matter of the apps themselves. We have found 273 apps in Google Play which are bundled with the standalone affected OpenSSL library, which means those apps can be compromised on any device.

    In this list, we see last year’s most popular games, some VPN clients, a security app, a popular video player, an instant message app, a VOIP phone app and many others. As you may well know, the OpenSSL library is used by apps for secure communications. Lots of apps are from top developers. We also found the vulnerability in the older versions of Google’s apps.


    Figure 1. Apps vulnerable to Heartbleed include those that are highly popular

    These apps statically link to the vulnerable OpenSSL library as shown below:



    Figure 2. Vulnerable OpenSSL Library

    A reverse client-side Heartbleed attack is possible if the remote servers those apps connect to are compromised. A reverse Heartbleed can of course also expose user device memory to a cybercriminal. The memory may contain any sensitive information stored in these apps locally. If you use a vulnerable VPN client or VOIP app to connect to an evil service, you may lose your private key or other credential information, then the hacker may forge your identity and do other bad things from there.

    We advise app developers to upgrade the OpenSSL library as quickly as possible and publish the updated apps to end users. General users need to be aware that their client apps can leak information, no matter how secure the remote server is or how reputable and trustworthy the app developer is. You should also update your apps as soon as a fix is made available. Google is currently distributing patching information for the affected Android version; you should also check if an update is made available for your device.

    We will also be creating a tool very soon to check if your apps are vulnerable.
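
    One way to check an APK for a bundled OpenSSL build, as an added example (not Trend Micro's tool and not code from the original post). It looks for the OpenSSL version banner inside the APK's native libraries and flags the releases affected by CVE-2014-0160; the function names and the sample APK are constructed for illustration.

```python
import io
import re
import zipfile

# Version banner OpenSSL embeds in its libraries, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?)[ -]")

def heartbleed_affected(version: str) -> bool:
    """True for releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f, and 1.0.2-beta1."""
    if version == "1.0.2-beta1":
        return True
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) <= "f"

def scan_apk(apk_bytes: bytes) -> list:
    """Return (member, version, affected) for each OpenSSL banner in the APK's native libraries."""
    # A banner identifies the release only. A build compiled with
    # -DOPENSSL_NO_HEARTBEATS carries the same banner but has no heartbeat code.
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue  # statically linked OpenSSL lives in the native .so files
            data = apk.read(name)
            versions = {m.group(1).decode() for m in BANNER.finditer(data)}
            for ver in sorted(versions):
                findings.append((name, ver, heartbleed_affected(ver)))
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample: fake .so payloads that only carry a banner, not real libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/armeabi/libgame.so", b"\x7fELF\x00pad\x00OpenSSL 1.0.1e 11 Feb 2013\x00")
        z.writestr("lib/armeabi/libvpn.so", b"\x7fELF\x00OpenSSL 1.0.1g 7 Apr 2014\x00")
        z.writestr("classes.dex", b"dex\x00OpenSSL 1.0.1c 10 May 2012\x00")  # not a native lib
    return buf.getvalue()

if __name__ == "__main__":
    for name, ver, bad in scan_apk(build_sample_apk()):
        print(f"{name}: OpenSSL {ver} -> {'affected release' if bad else 'not affected'}")
```

    A hit means the app ships an affected OpenSSL release and should be rebuilt against a fixed one; it does not by itself prove the heartbeat code path is reachable.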

    An Update on Apps Connecting to Servers Vulnerable to Heartbleed

    After we disclosed that mobile apps were connecting to vulnerable servers, we continued to monitor them. We have seen up to 7,000 apps at the time of monitoring that are connecting to Heartbleed-vulnerable servers, while in our latest verification, around 6,000 apps are still affected. Let’s see what types of mobile apps they are:


    Figure 3. Distribution of Mobile Apps Vulnerable to Heartbleed, by Category

    For discussion purposes, we highlight only the app categories that we consider possibly sensitive in that they may store users’ private information on the server, which means users may be leaking information by using these apps. We see that a large portion of these kinds of apps are Lifestyle apps. These apps include anything from ordering food, grocery items, equipment, reading books, couponing, clothing, furniture, etc. This also means that if a user for instance orders food or supplies through one of these affected apps, information about their order, including user credentials, their home address—or worse, their credit card information—can be leaked.

    Note that we have informed Google about this issue.

    For other posts discussing the Heartbleed bug, check these other posts:


    In between the end of support for Windows XP and the Heartbleed OpenSSL vulnerability, one good bit of news may not have been noticed: the Microsoft Word zero-day vulnerability (CVE-2014-1761) reported in late March was fixed.

    We have since looked into this attack and found that the exploit was created by an attacker with some skill, resulting in what can only be described as a sophisticated exploit.

    It’s quite fortunate that Microsoft was able to patch this vulnerability quickly, as its sophistication and the widespread use of Microsoft Word in enterprises meant that it would have been a highly tempting target for attackers to exploit. While this particular attack is no longer effective (as we will show later), we cannot rule out future attacks that will target the same vulnerability.

    Basic Flow of the Exploit

    This vulnerability is exploited when a user opens an RTF file in Microsoft Word, or previews/opens an RTF email in Outlook (using Word as the RTF viewer).

    The basic flaw at the core of this vulnerability is an out-of-bounds array overwrite. After overwriting, the memory now contains a fake object whose virtual table pointer points to a fake virtual table which is controlled by RTF control words with specially set values chosen by the attacker. The attacker used opcode addresses which point to address ranges used by MSCOMCTL.OCX.

    This particular executable is vulnerable to exploitation because it does not have address space layout randomization (ASLR) enabled; why this has been done is unknown. Carefully chosen portions of code (also known as ROP gadgets) from the above .OCX file are used to compose the first stage shellcode, which starts at the 0x40000000 memory address. The first stage shellcode finds the opened RTF file handle in the winword.exe process and maps a buffer from the file, starting at file offset 0xF004 with a length of 0x1000, to the process address 0x40002000. This makes up the second stage of shellcode.

    The second stage somewhat unusually checks the Windows Update log of the affected system. If it sees that patches have been applied on or after April 8 (the regular Patch Tuesday date), it stops running. Otherwise, it drops its payload (named svchost.exe) and runs it. This particular attack is no longer effective today because of the April 8 date check, but it would be trivial to use similar code without the date check, especially with samples out in the wild to provide guidance to unaware attackers.

    In our analysis, we noticed that this particular sample crashes, but does not successfully exploit, older versions of Office 2010 without the latest updates installed as of late March (we found this using 14.0.4730.1010). Newer versions that were patched as of the discovery of the zero-day were successfully exploited.

    The sample is also similar to exploits for CVE-2012-2539, which also use an invalid value for the RTF control word listoverridecount, like this exploit.
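
    A detection-side illustration of the listoverridecount anomaly mentioned above, as an added example (not code from the original post and not how ATSE works). The expected value set {0, 1, 9} is an assumption drawn from the RTF specification, and the sample fragments are constructed.

```python
import re

# Assumption, taken from the RTF specification rather than from the post:
# a well-formed document sets \listoverridecount to 0, 1 or 9.
EXPECTED = frozenset({0, 1, 9})

# The control word followed by its (optionally signed) numeric parameter.
CONTROL = re.compile(rb"\\listoverridecount(-?\d+)")

def odd_listoverridecounts(data: bytes, expected=EXPECTED) -> list:
    """Return [(offset, value)] for each \\listoverridecount whose value is not expected."""
    hits = []
    for m in CONTROL.finditer(data):
        value = int(m.group(1))
        if value not in expected:
            hits.append((m.start(), value))
    return hits

def triage(samples: dict) -> dict:
    """Map each flagged sample name to its anomalous control words."""
    # RTF tolerates a lot of obfuscation, so an empty result is not a clean
    # bill of health; a hit is a reason to quarantine and inspect the file.
    flagged = {}
    for name, data in samples.items():
        hits = odd_listoverridecounts(data)
        if hits:
            flagged[name] = hits
    return flagged

# Constructed fragments for demonstration; neither comes from a real document.
SAMPLES = {
    "benign.rtf": rb"{\rtf1{\*\listoverridetable"
                  rb"{\listoverride\listid1\listoverridecount0\ls1}}}",
    "suspect.rtf": rb"{\rtf1{\*\listoverridetable"
                   rb"{\listoverride\listid1\listoverridecount4\ls1}}}",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        for offset, value in hits:
            print(f"{name}: \\listoverridecount{value} at offset {offset}")
```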

    Solutions and Prevention

    As we noted in our first post on this threat, even before the official Microsoft patch (described in MS14-017) was released, we were able to heuristically detect this particular threat via Deep Discovery using the ATSE (Advanced Threats Scan Engine) and prevent users from being affected. However, we still recommend that users apply this patch in order to ensure the security of their systems.

    While other threats like those in online applications (such as browsers and plugins) or online services and protocols (like Heartbleed) may garner more attention, this threat is a reminder that more conventional threats – like exploits in RTF files – have not gone away. If anything, we’ve been observing RTFs used in several attacks recently, as carriers of CPL downloaders (here and here) and backdoors.

    We cannot rule out the possibility that CVE-2014-1761 will continue to be a threat moving forward, especially since many users will forget to update their installed version of Microsoft Word. For these users, our heuristic detection will be able to help reduce the risks of these attacks.


    The severity of the Heartbleed bug has led countless websites and servers scrambling to address the issue. And with good reason—a test conducted on Github showed that more than 600 of the top 10,000 sites (based on Alexa rankings) were vulnerable. At the time of the scanning, some of the affected sites included Yahoo, Flickr, OKCupid, Rolling Stone, and Ars Technica.

    All the extended coverage of the flaw begs the question, “Are mobile devices affected by this?” The short answer: yes.

    Mobile apps, like it or not, are just as vulnerable to the Heartbleed Bug as websites are because apps often connect to servers and web services to complete various functions. As our previous blog entry has shown, a sizable number of domains are affected by this vulnerability.

    Suppose you’re just about to pay for an in-app purchase, and to do so you need to input your credit card details. You do so, and the mobile app finishes the transaction for you. While you’re getting on with your game, your credit card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. As such, cybercriminals can take advantage of the Heartbleed bug to target that server and milk it of information (like your credit card number). It’s as simple and easy as that.

    What about apps that don’t offer in-app purchases? Are they safe from this vulnerability? Not really—as long as it connects to an online server, it’s still vulnerable, even if your credit card isn’t involved. For example, your app could ask you to ‘like’ them on a social network, or ‘follow’ them on yet another for free rewards.

    Suppose you decide to do so, and tap ‘OK’. Chances are your app will open the website on its own, through its own in-app browser, and have you log into the social network there. While we’re not saying the social networks you go to are vulnerable to the Heartbleed bug, the possibility is there, and thus the risk is there as well.

    We looked deeper into the matter, and inspected some web services used by popular mobile apps and the results show that the vulnerability still exists.

    We scanned around 390,000 apps from Google Play, and found around 1,300 apps connected to vulnerable servers. Among them are 15 bank-related apps, 39 online payment-related apps, and 10 online shopping-related apps. We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps, and most concerning, even mobile payment apps. These apps use sensitive personal and financial information: data mines just ripe for the cybercriminal’s picking.

    What can be done against the Heartbleed bug, then? Not a whole lot, we’re afraid. We can tell you to change your password, but that’s not going to help if the app developers—and the web service providers as well—don’t fix the problem on their end. This means upgrading to the patched version of OpenSSL, or at least turning off the problematic heartbeat extension.

    Until then, what we can advise you to do is to lay off the in-app purchases or any financial transactions for a while (including banking activities), until your favorite app’s developer releases a patch that does away with the vulnerability. We’ll keep you updated in the meantime as to all that’s happening with the Heartbleed bug.

    Update as of April 11, 2014, 8:45 A.M. PDT

    After doing a second round of scanning, we have found that around 7,000 apps are connected to vulnerable servers. 

    For other posts discussing the Heartbleed bug, check these other posts:


    In trying to gauge the impact of the Heartbleed vulnerability, we scanned the Top Level Domain (TLD) names of certain countries extracted from the top 1,000,000 domains by Alexa. We then separated out the sites which use SSL and further categorized those as “vulnerable” or “safe.” The data we were able to gather revealed some interesting findings.

    As of the moment, we see an overall percentage of around 5% in terms of sites affected by CVE-2014-0160. The TLDs with the largest percentage of vulnerable sites are .KR and .JP. It’s interesting to note that sites from the .GOV TLD rank fifth on the list.

    Figure 1. A breakdown of vulnerable sites per country

    On the other hand, we have a significantly low number of vulnerable sites under the .FR and .IN TLDs. We can think of a few theories why this is so. Maybe they haven’t updated to the version of OpenSSL which was vulnerable. They could also have immediately patched vulnerable sites. Another possible reason is that in these countries, relatively few servers use the most recent versions of Linux (and so use older versions of OpenSSL without this vulnerability).

    We are going to rescan selected TLDs in a few days to monitor possible changes. In the meantime, we advise website administrators to update OpenSSL to protect their users.

    Update as of April 10, 2014, 10:18 A.M. PDT: The title has been edited for clarity. 

    For other posts discussing the Heartbleed bug, check these other posts:



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice