Trend Micro TrendLabs Malware Blog, October 2014

    I prefer using the phrase “Internet of Everything” when discussing what most people call the Internet of Things because in many ways, the latter term isn’t enough. What makes the Internet of Everything so powerful is the data about you and me that these devices can gather.

    Consider how these devices actually work. They almost always need to “phone home” to some central server run by the service provider. This means that anything that you do on the device is seen by the provider. You have to trust that they will keep your data secure and not misuse it or neglect it over time.

    Unfortunately, there are many ways your data can be misused or compromised. For example, the devices themselves can be insecure and be compromised by an attacker. The modules that are used by these devices, likely borrowed from open source, are susceptible to exploitation over time, and the vendor may not have thought too much about how to get them quickly and seamlessly updated. The servers themselves can be compromised and breached in a targeted attack.

    This doesn’t even get into what the service provider can do with your data. You don’t really realize the extent of the data that an IoE device can collect until you read the privacy policy. These policies, however, are difficult to comprehend, and may change over time without any notification to the consumer.

    Privacy policies will at least be able to say what data is collected, but in general they don’t disclose the full reality of what can be done with your information. As an example, many will have provisions stating that the data will be used to deliver the services provided. In practice, this broad generalization can be used as a legal basis to justify many different ways to use and possibly exploit your data.

    So, what should users do? Before purchasing an Internet-connected hardware device, make sure that you are comfortable with the fact that any data you provide could potentially be stored on unsecured servers in data centers in different countries, over a long period of time. Your personal “data at rest” on the manufacturer’s servers represents an increased risk to you over time. Some risks include the possibility of data breaches, sharing or reselling of your data, and general neglect of the data in scenarios such as company security lapses or events such as the sale or merger of the company.

    If you’re the type of consumer who is concerned about privacy, you should find out what type of data (personally identifiable information, user credentials, etc.) is being gathered on the device and sent to the vendor by asking the vendor’s sales or support staff. And if you’re considering different service providers for the same kind of service, compare their privacy policies and see which one you feel comfortable with. Reviewing the privacy policy is a good start to making you aware of what they may be doing with your data.

    Consider, too, that many funded startup companies may not have fleshed out their business model yet. Your data is a key part of how they may initially, or additionally, monetize the service that they provide. These pressures can result in the misuse of your data. One could argue that a company that charges more for its service up front would be less inclined to further monetize your data, but again there is no guarantee: data is a key element of IoE. A more reputable company that has a brand to protect may be a better choice, though this is not fully guaranteed either. An example is the recent gleaning of data from USB drives plugged into LG TVs.

    To learn more about how to stay safe in the Internet of Everything, read our “Security Considerations for Consumers Buying Smart Home Devices,” which can guide you in making decisions on the Internet-connected devices you introduce into your daily life.


    Three out of nine security bulletins in today’s Microsoft Patch Tuesday are marked as Critical, while the rest are tagged as Important. The patches address vulnerabilities found in Internet Explorer and the Microsoft .NET Framework, including the zero-day exploit affecting Microsoft Windows. MS14-060 addresses the Sandworm zero-day vulnerability, which was reported hours earlier.

    Based on our analysis, attackers may use this vulnerability to create and execute malware payloads, given that it is not too difficult to exploit: attackers who know the file format can create their own PowerPoint exploit. Trend Micro detects the exploit as TROJ_MDLOAD.PGTY, and its payloads as INF_BLACKEN.A and BKDR_BLACKEN.A. Currently, it is believed that this zero-day was used in cyber attacks against European sectors and industries.

    Another critical vulnerability that users need to note is MS14-056, which fixes several vulnerabilities in Internet Explorer. Once successfully exploited, these could lead to remote code execution. Similarly, MS14-057, another bulletin tagged as Critical, could lead to remote code execution when successfully exploited by remote attackers.

    Adobe also released security updates today to address vulnerabilities affecting certain versions of ColdFusion and Adobe Flash Player. These are covered under the following CVEs:

    • CVE-2014-0558
    • CVE-2014-0564
    • CVE-2014-0569
    • CVE-2014-0570
    • CVE-2014-0571
    • CVE-2014-0572

    We highly recommend that users patch their systems and update their Adobe products to the latest versions. The Sandworm zero-day highlights the importance of patching, as such vulnerabilities can be used by cybercriminals and threat actors to infiltrate the network and potentially steal confidential company data and other types of information.

    Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

    • 1006267 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4126)
    • 1006268 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4127)
    • 1006269 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4128)
    • 1006270 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4129)
    • 1006271 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4130)
    • 1006282 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4132)
    • 1006274 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4133)
    • 1006279 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4134)
    • 1006273 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4138)
    • 1006283 – Microsoft Word And Office Web Apps Remote Code Execution Vulnerability (CVE-2014-4117)
    • 1000552 – Generic Cross Site Scripting (XSS) Prevention
    • 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
    • 1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1

    Users may visit our Threat Encyclopedia page for more details on these security bulletins.

    Update as of October 16, 2014, 5:45 P.M.:

    The Sandworm vulnerability has been linked to attacks against specific SCADA systems. Read more about this in our post titled Sandworm to Blacken: The SCADA Connection.


    In the two previous parts of this series of blog posts, we discussed the kinds of threats that we’re seeing on Twitter, as well as the scope and scale of these threats. In this part, we will discuss their motivations, and what end users can do.

    The first question is: why do cybercriminals bother doing this? Social media accounts are valuable in their own right. These accounts can typically be used to make money in many ways for cybercriminals; any form of personally identifiable information (PII) can be monetized by attackers.

    One way that stolen social media accounts are used is to send spam. One reason that social media spam can be considered superior to email spam is simple: more people click on links from social media than email. The click-through rate for email spam is estimated at anywhere from 0.003% to 0.02%. How does Twitter spam fare?

    It’s difficult to compare numbers exactly for the effectiveness of Twitter spam with those for e-mail spam. One measure we can use is the number of clicks we saw for every spammed Tweet. This varies depending on the type of abuse. Some Twitter spam campaigns could be spectacularly successful: one viral campaign aimed at Japanese users had 0.269 clicks per Tweet. However, more typical rates varied from 0.01 clicks per Tweet for Twitter-specific spam to 0.03 for malware-linked Tweets. These numbers suggest that Twitter spam is more effective than conventional email spam.

    So now we’ve established that Twitter spam is a legitimate threat. How is Twitter responding? We are happy to say that this is a problem Twitter is getting on top of. Earlier this year, they disclosed the existence of BotMaker, their anti-spam bot infrastructure which has cut the spam problem by 40%. Other social networks can study Twitter as an example in how to deal with threats on their sites.

    For users, the lessons are clearer. First of all, do not believe any claims that you can buy followers, views, likes, friends, and so on. The numbers you buy will almost certainly come from compromised accounts. This brings no value, or even negative value, to your own social media efforts. Your own account may also be compromised in the process. Shortcuts to social media popularity don’t exist.

    Secondly, you should already be careful about clicking on links posted on social media in general, but be particularly careful about links claiming that you have to log in again because your original login timed out. Close your browser and start again; if you see the same message, it’s almost certainly a phishing page.

    Lastly, if the social media services you use support it, turn on two-factor authentication. Just about all large online services today offer some support for two-factor authentication. Turning it on makes compromising your account much harder, as an attacker has to somehow compromise your phone as well. It’s not impossible – other Trend Micro research has shown how this can be done with online banking. However, it is still a useful security precaution to take against most attacks targeting social media.


    Prior to the release of Microsoft’s monthly Patch Tuesday, a new zero-day exploiting the Windows vulnerability covered in CVE-2014-4114 was reported by iSight. The said vulnerability affects desktop and server versions of Windows from Vista and Server 2008 up to current versions. It was believed to be associated with cyber attacks related to NATO by a Russian cyber espionage group.

    Based on our analysis, the vulnerability exists in PACKAGER.DLL, which is part of the Windows Object Linking and Embedding (OLE) functionality. By using a crafted PowerPoint document, an .INF file referenced by an embedded OLE object can be copied from a remote SMB share and installed on the system. Attackers can exploit this logic defect to execute another malware payload, downloaded via the same means.

    The severity of the vulnerability is highly critical because it is fairly simple to exploit. Since it is a logic defect, attackers need not create shellcode or use Return Oriented Programming (ROP), a method of bypassing DEP protection. (DEP prevents the execution of code, including malicious shellcode, from memory regions marked as non-executable.) If attackers know the file format, they can craft a PowerPoint exploit directly. Furthermore, since the exploit uses no heap spray, ROP, or shellcode, most heuristic detection methods would have difficulty detecting it.

    The original logic includes two potentially risky behaviors, performed without the user’s knowledge or consent, that should have been carefully designed:

    1. Copy file from remote shared folder
    2. Install downloaded .INF file

    We analyzed the PPSX sample (MD5 hash: 330e8d23ab82e8a0ca6d166755408eb1) to investigate how this happens. We unzipped the .PPSX file to see the content files of this PPT exploit, as seen below:


    Figure 1. Folder structure of PPSX file

    The following is the content of oleObject1.bin and oleObject2.bin. It indicates that the said OLE objects are resident in remote shared folder.



    Figures 2-3 Content of oleObject1.bin and oleObject2.bin

    And in slide1.xml, we can see it refer to two Packager Shell Object “rId4” and “rId5.”


    Figure 4. Content of slide1.xml (part 1)

    In slide1.xml.rels, “rId4” and “rId5” are defined as the two OLE objects above.


    Figure 5. Content of slide1.xml.rels

    When slide1 is opened, the files “slide1.gif” and “slides.inf” are copied to the local system by packager.dll. Also in slide1.xml, two actions are described: one is “-3” and the other is “3”. These two actions are invoked when the two OLE objects are loaded; this routine is seen in the packager!CPackage::DoVerb() function.


    Figure 6. Content of slide1.xml (part 2)

    For slide1.gif, the parameter is “-3” and the function does nothing. However, when “slides.inf” is loaded with the parameter “3”, the .INF file is installed. The screenshot below shows the call stack when InfDefaultInstall.exe is executed:


    Figure 7. Call stack of INF installation

    The INF file then renames slide1.gif to slide1.gif.exe and adds a RunOnce registry value for it, so that the Trojan is executed automatically at the next system boot.
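    The file structure walked through above (slide relationships pointing at embedded Packager objects whose payload sits on a remote share) is also a useful triage signal for defenders. The following Python script is an added example and not Trend Micro’s code: it opens a PPSX/PPTX as the zip container it is, follows every oleObject relationship in each slide’s .rels part to the embedded binary, and reports any UNC path stored in it (in ASCII or UTF-16LE), flagging .inf targets. The fixture it builds contains only the parts the scanner reads, is constructed for the example rather than taken from the real sample, and uses a placeholder host name.

```python
"""Triage helper: flag PPSX/PPTX files whose embedded Packager OLE objects point at
UNC paths (remote shares), the pattern described for CVE-2014-4114.
Added example, not Trend Micro's code; the fixture below is constructed, not the
real sample."""
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
OLE_REL_TYPE = R_NS + "/oleObject"

# A UNC path: \\host\share\..., terminated by NUL or a character illegal in paths.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9_.\-]+\\[^\x00\"<>|\r\n]+")


def find_unc_paths(blob):
    """Return UNC paths found in a binary part, whether stored as ASCII or as
    UTF-16LE (checked at both byte alignments, since OLE streams are not aligned)."""
    candidates = [blob.decode("latin-1")]
    for offset in (0, 1):
        candidates.append(blob[offset:].decode("utf-16-le", errors="ignore"))
    return sorted({m.group(0) for text in candidates for m in UNC_RE.finditer(text)})


def ole_prog_ids(slide_xml):
    """Map relationship id -> progId for every <p:oleObj> in a slide part."""
    root = ET.fromstring(slide_xml)
    return {el.get("{%s}id" % R_NS): el.get("progId")
            for el in root.iter() if el.tag.endswith("}oleObj")}


def scan_ppsx(data):
    """Walk every slide's relationships; for each oleObject relationship, read the
    referenced embedding and report any UNC path it contains."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        rels_parts = sorted(n for n in names
                            if n.startswith("ppt/slides/_rels/") and n.endswith(".rels"))
        for rels_name in rels_parts:
            slide_name = "ppt/slides/" + posixpath.basename(rels_name)[:-len(".rels")]
            prog_ids = ole_prog_ids(z.read(slide_name)) if slide_name in names else {}
            root = ET.fromstring(z.read(rels_name))
            for rel in root.findall("{%s}Relationship" % REL_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                # Targets are relative to ppt/slides/, e.g. ../embeddings/oleObject1.bin
                target = posixpath.normpath(posixpath.join("ppt/slides", rel.get("Target", "")))
                if target not in names:
                    continue
                for unc in find_unc_paths(z.read(target)):
                    findings.append({
                        "slide": slide_name,
                        "rel_id": rel.get("Id"),
                        "ole_part": target,
                        "prog_id": prog_ids.get(rel.get("Id")),
                        "unc_path": unc,
                        "inf": unc.lower().endswith(".inf"),
                    })
    return findings


def is_suspicious(findings):
    """An embedded object whose payload lives on a remote share is reason enough to
    quarantine the file for review; an .inf target matches the install behaviour above."""
    return any(f["unc_path"] for f in findings)


def build_fixture(remote=True):
    """Constructed fixture: only the parts the scanner inspects, NOT a working
    presentation. The host name is a placeholder."""
    payload = "\\\\FILESERVER-EXAMPLE\\share\\slides.inf" if remote else "C:\\Users\\Public\\slide.gif"
    ole_bin = b"\x00" * 16 + payload.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 8
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId4" Type="%s" Target="../embeddings/oleObject1.bin"/>'
            '</Relationships>' % (REL_NS, OLE_REL_TYPE))
    slide = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
             '<p:sld xmlns:p="%s" xmlns:r="%s" xmlns:a="%s"><p:cSld><p:spTree>'
             '<p:graphicFrame><a:graphic><a:graphicData uri="%s/ole">'
             '<p:oleObj name="Packager Shell Object" r:id="rId4" progId="Package"/>'
             '</a:graphicData></a:graphic></p:graphicFrame></p:spTree></p:cSld></p:sld>'
             % (P_NS, R_NS, A_NS, "http://schemas.openxmlformats.org/presentationml/2006"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/embeddings/oleObject1.bin", ole_bin)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_ppsx(build_fixture()):
        print(finding)
```

    Scanning both byte alignments of the UTF-16LE decoding matters because the path string inside an OLE stream is not guaranteed to start on an even offset; a scanner that checks only one alignment can miss it. Real files should be run through `scan_ppsx(open(path, "rb").read())`, and a non-empty result is a reason to quarantine rather than a verdict on its own.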

    We detect the exploit as TROJ_MDLOAD.PGTY, which in turn leads to the download of INF_BLACKEN.A when successfully exploited. This malware, on the other hand, downloads and executes the backdoor, which we detect as BKDR_BLACKEN.A.

    Because this vulnerability is not arduous to exploit, attackers may abuse it to create new malware payloads. Trend Micro secures users from this threat by detecting the exploit and malware payload via its Smart Protection Network. Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage this vulnerability via the following DPI rules:

    • 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
    • 1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1

    Users are strongly advised to patch their systems once Microsoft releases its security update for this. In addition, users and employees are advised not to open PowerPoint files from unknown sources, as this may lead to a chain of malware infections.

    Update as of October 15, 2014, 11:30 P.M.:

    Microsoft has included the patch for the Sandworm vulnerability in its October 2014 Patch Tuesday.

    Update as of October 16, 2014, 5:45 P.M.:

    The Sandworm vulnerability has been linked to attacks against specific SCADA systems. Read more about this in our post titled Sandworm to Blacken: The SCADA Connection.

    With additional analysis from Kai Yu


    Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Reports are also coming in that this specific vulnerability has been exploited and used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.

    According to reports, this vulnerability (CVE-2014-4114) was exploited as part of a cyber-espionage campaign by attackers dubbed the “Sandworm Team.” This particular vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.” Details of the vulnerability have been made available, including the following:

    • This vulnerability exists in the OLE package manager in Microsoft Windows and Server.
    • The OLE packager can download and execute INF files. “In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allow a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.”
    • If exploited, the vulnerability can allow an attacker to remotely execute arbitrary code.

    Microsoft has announced that it will release a patch for this vulnerability as part of this month’s Patch Tuesday. We encourage both users and admins to immediately download and install the patches as soon as they are made available.

    We are currently analyzing the related sample. We will update this entry as soon as more details and solutions are available.

    Update as of October 15, 2014, 11:24 P.M. (PDT):

    Further analysis of this zero-day vulnerability can be found in our entry, An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm.” You may also read the entry October 2014 Patch Tuesday Fixes Sandworm Vulnerability for information regarding the corresponding patch.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice