TrendLabs Malware Blog - Trend Micro

September 2014

    Originally created to extend a browser’s functionality, browser extensions have become yet another tool in cybercriminals’ schemes. Earlier this year, Google addressed the problem of malicious browser extensions by enforcing a policy that only allows an extension to be installed if it is hosted in the Chrome Web Store.

    While this policy gives users more protection, it has not completely deterred cybercriminals from trying to bypass it. We recently came across malware that still manages to install an extension in Google Chrome.

    “Facebook Secrets” on Twitter

    We came across one particular post on Twitter that advertises “Facebook Secrets,” along with a shortened link. Clicking the link leads the user to a site that automatically downloads an .EXE file into the user’s system.

    Figure 1. Tweet with malicious link

    The downloaded file, download-video.exe, is actually a downloader, which we detect as TROJ_DLOADE.DND. It starts a chain of files downloaded and dropped onto the system. To avoid suspicion, these files use legitimate-sounding names such as flash.exe.
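    An extension dropped by malware rather than installed through the Web Store leaves traces in Chrome's per-profile Preferences file. The following audit script is an added example, not code from the TrendLabs post: it reads the "extensions" -> "settings" map of that JSON file and flags entries whose install location, from_webstore flag or update_url do not match a Web Store install. The field names and the location enum values are taken from Chrome's preference format as the author of this example understands it (verify them against the Chrome version you audit), and the sample profile is constructed for the demonstration.

```python
"""Flag Chrome extensions that were not installed from the Chrome Web Store.

Added example, not from the TrendLabs post. Reads the per-profile
"Preferences" JSON (on Windows typically
%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Preferences) and inspects
extensions -> settings. Field names ("from_webstore", "location",
"manifest"/"update_url") and the location numbering are assumptions based on
Chromium's preference format; confirm them for your Chrome version.
"""
import json

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Assumed Manifest::Location numbering from Chromium's extension code.
# Anything outside INTERNAL/COMPONENT got there via registry keys, external
# preference files, policy, or --load-extension, not via the Web Store UI.
LOCATION_NAMES = {
    1: "internal (Web Store install)",
    2: "external_pref",
    3: "external_registry",
    4: "unpacked (--load-extension / developer mode)",
    5: "component",
    6: "external_pref_download",
    7: "external_policy_download",
    8: "command_line",
    9: "external_policy",
    10: "external_component",
}
TRUSTED_LOCATIONS = {1, 5, 10}


def audit_extensions(prefs: dict) -> list:
    """Return (extension_id, name, reasons) tuples for suspicious extensions."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "<no name>")
        location = entry.get("location")
        update_url = manifest.get("update_url", "")
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore is false")
        if location not in TRUSTED_LOCATIONS:
            reasons.append("install location: %s"
                           % LOCATION_NAMES.get(location, "unknown(%r)" % location))
        if update_url != WEBSTORE_UPDATE_URL:
            reasons.append("update_url is %r" % (update_url or "missing"))
        if reasons:
            findings.append((ext_id, name, "; ".join(reasons)))
    return findings


def load_prefs(path: str) -> dict:
    """Load a real Preferences file (Chrome must be closed for a consistent read)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample profile: one Web Store extension and one sideloaded via the
# registry with a self-hosted update URL, the footprint a dropper would leave.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "manifest": {"name": "Legit Notes", "update_url": WEBSTORE_UPDATE_URL},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": 3,
                "manifest": {"name": "Video Player (constructed)",
                             "update_url": "http://example.invalid/update.xml"},
            },
        }
    }
}

if __name__ == "__main__":
    for ext_id, name, why in audit_extensions(SAMPLE_PREFS):
        print("%s (%s): %s" % (ext_id, name, why))
```

    Run it against `load_prefs(path)` for each profile directory; an extension that trips all three checks at once is the strongest signal, since policy-installed enterprise extensions legitimately fail the location check alone.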



    Being able to adapt to change is one of the most important abilities in security today, because the attacks being defended against adapt as well. The sophistication of current threats shows mainly in how they adjust to the weaknesses of the environment they are targeting.

    In this post, we will try to see networks the way attackers see them — through their vulnerabilities — and turn these around into guides for how IT administrators should protect their network.

    People are the weakest link

    People will always remain vulnerable to external stimuli, especially those that trigger strong emotions. This is why social engineering will always be part of attacks: there are many techniques to choose from, and a high probability that one of them will work. IT admins should embrace the assumption that people will fall victim to social engineering simply because it is true, and network security needs to be designed with this in mind regardless of how well trained the employees are. IT administrators can:

    1. Configure the network not only to prevent attackers from getting in, but also to prevent data from getting out. That way, even if an attacker gains control of a machine in the network, exfiltrating stolen data is difficult. A properly managed firewall and network access control go a long way here, as does threat intelligence, such as lists of IP addresses used as C&C servers in attacks.

    2. Segment the network based on the level of security the systems need. Critical systems need to be isolated from the “normal” ones, either physically or through the network segment they are connected to.

    On top of these, however, employee education is still important and should be done regularly.
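    Egress control and segmentation only help if someone looks at what the firewall logs. The script below is an added example, not from the TrendLabs post: it runs three checks over outbound flow records, a match against a C&C address list from threat intelligence, a per-segment egress allowlist (critical systems get no Internet egress at all), and a cross-segment check for non-critical hosts reaching the critical segment, plus a volume threshold for possible exfiltration. The segment ranges, allowlist, C&C list, log format ("timestamp src dst dport bytes_out") and log lines are all constructed for the demonstration.

```python
"""Egress-control checks over outbound firewall flow records.

Added example, not from the TrendLabs post. Segments, allowlist, C&C feed,
log format and log lines are constructed stand-ins for a real deployment.
"""
import ipaddress

# Constructed network plan: critical systems isolated in their own segment.
SEGMENTS = {
    "critical": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "users": ipaddress.ip_network("10.30.0.0/22"),
}

# External destinations each segment may reach. Critical hosts: none at all.
# Servers: only the update mirror. None means unrestricted (users go via proxy).
EGRESS_ALLOW = {
    "critical": set(),
    "servers": {"198.51.100.10"},    # constructed update-mirror address
    "users": None,
}

# Constructed threat-intelligence feed of IPs seen as C&C servers.
CNC_IPS = {"203.0.113.7", "203.0.113.44"}

# An allowed flow above this size still deserves a look (possible exfiltration).
EXFIL_BYTES = 50 * 1024 * 1024


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def check_flow(src: str, dst: str, dport: int, bytes_out: int) -> list:
    """Return alert strings for one outbound flow (empty list if clean)."""
    alerts = []
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if dst in CNC_IPS:
        alerts.append("C&C: %s -> %s:%d matches threat intel" % (src, dst, dport))
    if dst_seg == "external":
        allowed = EGRESS_ALLOW.get(src_seg)
        if allowed is not None and dst not in allowed:
            alerts.append("EGRESS: %s (%s) -> %s:%d not on allowlist"
                          % (src, src_seg, dst, dport))
        if bytes_out >= EXFIL_BYTES:
            alerts.append("VOLUME: %s sent %d bytes to %s" % (src, bytes_out, dst))
    elif dst_seg == "critical" and src_seg != "critical":
        alerts.append("SEGMENT: %s (%s) reached critical host %s:%d"
                      % (src, src_seg, dst, dport))
    return alerts


def scan_log(lines) -> list:
    """Parse 'ts src dst dport bytes_out' records and collect timestamped alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, nbytes = line.split()
        for alert in check_flow(src, dst, int(dport), int(nbytes)):
            alerts.append("%s %s" % (ts, alert))
    return alerts


# Constructed flow records.
SAMPLE_LOG = """
2014-09-02T10:00:01 10.30.1.15 93.184.216.34 443 2048
2014-09-02T10:00:05 10.20.0.8 198.51.100.10 443 12000
2014-09-02T10:01:10 10.20.0.8 203.0.113.7 8080 640
2014-09-02T10:02:33 10.30.2.40 10.10.0.5 445 9000
2014-09-02T10:05:00 10.30.1.15 198.51.100.77 443 83886080
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

    The server flow to 203.0.113.7 trips both the C&C check and the allowlist check; the second would have caught it even if the threat intelligence feed had not yet listed that address, which is the point of default-deny egress for server segments.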

    The safest place is the most dangerous

    Even the smallest of security gaps within the network can lead to the biggest of breaches. Attackers know this well, and it is important for IT admins to keep it in mind. The network should be audited on a regular basis to make sure that all areas are properly secured.

    For example, IT admins may not consider that they themselves are potential targets, or that devices such as the network printer or even the router can also be infection points.

    The same goes for web administrators. Attackers might not directly breach a highly secured site such as a banking website; instead, they look for weaker sites in the same DMZ (demilitarized zone), compromise those, and use the trust relationship between them to pivot to the banking website.

    People use weak passwords

    It is no secret that password management is a challenge for most users, so assuming that every member of the network has a strong password is simply not an option. Securing the network under the assumption that users have weak passwords requires additional authentication measures, such as two-factor authentication or even biometrics.

    The network is haunted by ghost machines

    All networks have ghost machines: machines that are connected to the network but do not appear in the network topology map. They may be employees’ personal devices, external partners’ devices, or machines that should have been retired but were not. Attackers take advantage of these machines because they provide both access to the network and stealth.

    To counter this, IT administrators need to monitor closely which systems are connected to the network, and implement a Network Access Control (NAC) mechanism that discovers these ghost machines and controls the level of access they are entitled to.
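    Even without a full NAC deployment, a ghost machine can be surfaced by comparing what is seen on the wire against the asset inventory. The script below is an added example, not from the TrendLabs post: it normalizes MAC addresses from DHCP leases and an ARP table, reports devices absent from the inventory, and separately reports inventory entries marked retired that are still active. The inventory, the "ip mac hostname" lease format, the "ip mac" ARP format and all sample entries are constructed stand-ins for the exports a real environment would provide.

```python
"""Find ghost machines by diffing observed devices against the asset inventory.

Added example, not from the TrendLabs post. Inventory and the DHCP/ARP line
formats and samples are constructed.
"""
import re


def norm_mac(mac: str) -> str:
    """Normalize 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e or 00:1a:... to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_observed(dhcp_lines, arp_lines) -> dict:
    """Return {mac: {"ips": set, "hostnames": set, "sources": set}} for devices seen."""
    seen = {}

    def add(mac, ip, host, source):
        rec = seen.setdefault(norm_mac(mac),
                              {"ips": set(), "hostnames": set(), "sources": set()})
        rec["ips"].add(ip)
        rec["sources"].add(source)
        if host:
            rec["hostnames"].add(host)

    for line in dhcp_lines:              # assumed format: "<ip> <mac> [<hostname>]"
        parts = line.split()
        if len(parts) >= 2:
            add(parts[1], parts[0], parts[2] if len(parts) > 2 else None, "dhcp")
    for line in arp_lines:               # assumed format: "<ip> <mac>"
        parts = line.split()
        if len(parts) >= 2:
            add(parts[1], parts[0], None, "arp")
    return seen


def find_ghosts(inventory: dict, seen: dict):
    """inventory: {mac: {"owner": str, "status": "active" | "retired"}}.

    Returns (ghosts, zombies): devices not in the inventory at all, and
    retired assets that are still talking on the network."""
    inv = {norm_mac(m): v for m, v in inventory.items()}
    ghosts, zombies = [], []
    for mac, rec in sorted(seen.items()):
        entry = inv.get(mac)
        if entry is None:
            ghosts.append((mac, sorted(rec["ips"]), sorted(rec["hostnames"]),
                           sorted(rec["sources"])))
        elif entry.get("status") == "retired":
            zombies.append((mac, entry.get("owner"), sorted(rec["ips"])))
    return ghosts, zombies


# Constructed inventory and observations.
INVENTORY = {
    "00:1a:2b:3c:4d:01": {"owner": "finance-ws-01", "status": "active"},
    "00:1a:2b:3c:4d:02": {"owner": "printer-2f", "status": "active"},
    "00-1A-2B-3C-4D-03": {"owner": "old-fileserver", "status": "retired"},
}
DHCP_LEASES = [
    "10.30.1.15 00:1a:2b:3c:4d:01 finance-ws-01",
    "10.30.1.90 f4:5c:89:aa:bb:cc Jons-iPhone",
    "10.30.1.91 00:1a:2b:3c:4d:03 old-fileserver",
]
ARP_TABLE = [
    "10.30.1.15 00:1a:2b:3c:4d:01",
    "10.30.1.200 b8:27:eb:11:22:33",
    "10.30.1.91 00:1a:2b:3c:4d:03",
]

if __name__ == "__main__":
    ghosts, zombies = find_ghosts(INVENTORY, parse_observed(DHCP_LEASES, ARP_TABLE))
    for g in ghosts:
        print("GHOST", g)
    for z in zombies:
        print("RETIRED-BUT-ALIVE", z)
```

    Devices that only show up in the ARP table and never in DHCP (static addresses, or a host that brought its own configuration) are the ones most worth a visit: those are exactly the machines that sidestep any DHCP-based registration an environment may rely on.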

    Old vulnerabilities are reliable and can still be used

    Assessing and addressing software vulnerabilities is a critical process for every IT administrator, and should always cover all bugs — both new and old. IT administrators need to keep in mind that a vulnerability remains a threat to the network as long as it is not addressed, regardless of how long it has been since it was discovered.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.


    Today, spam may not be regarded as the most high-profile concern, but it’s still a serious day-to-day threat. Every month, our users alone have to deal with billions of spam messages. These are also frequently used to deliver malware using attachments or links to malicious sites.

    One of the most powerful tools in dealing with spam is IP reputation. This checks the IP address that sent a particular email against addresses that are known to have sent spam messages before. These addresses come both from external sources and internal threat intelligence sources.

    IP reputation is necessary because of the sheer volume of spam that every organization has to deal with. The volume is simply too high to filter email strictly on content and/or included links. IP reputation catches large volumes of spam with relatively few resources expended by the organization, which also reduces the load on other security solutions such as content and file scanning. A rejection message can be sent back so that the sender is told why the message was not accepted.

    Many organizations rely on email as a key communications tool. With more and more spam arriving in their mailboxes, they are always looking for spam filtering solutions. IP reputation is an excellent fit in this context: the organization’s mail servers check the reputation of the sending server’s IP address during the SMTP handshake, which gives the receiving server the opportunity to reject the email before its content is even transferred.
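    The handshake-time check is usually a DNS blocklist (DNSBL) query: the connecting client's IPv4 octets are reversed and the list's zone appended (4.3.2.1.zone for 1.2.3.4), and an A record inside 127.0.0.0/8 means "listed", with the last octet encoding the reason on most lists. The block below is an added example, not from the TrendLabs post, showing the query-name construction, the answer interpretation and the SMTP reply that tells a legitimate sender why it was refused. The zone name, the reason-code table and the resolver are constructed stand-ins; in production, substitute the list operator's documented codes and a real DNS lookup.

```python
"""DNSBL reputation check at SMTP connect time.

Added example, not from the TrendLabs post. DNSBL_ZONE, REASON_CODES and
fake_resolver are constructed; replace them with the real list's zone, its
documented return codes and an actual DNS lookup.
"""
import ipaddress

DNSBL_ZONE = "dnsbl.example.invalid"       # constructed zone name
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Constructed reason table; take the real one from the list operator.
REASON_CODES = {
    "127.0.0.2": "known spam source",
    "127.0.0.4": "compromised host / open proxy",
    "127.0.0.10": "dynamic or residential range (policy block)",
}


def dnsbl_query_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """1.2.3.4 -> 4.3.2.1.<zone> (IPv4 only in this example)."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(client_ip.split("."))) + "." + zone


def fake_resolver(name: str):
    """Stand-in for DNS: a list of A records, or None for NXDOMAIN (constructed)."""
    table = {
        dnsbl_query_name("203.0.113.7"): ["127.0.0.2"],
        dnsbl_query_name("198.51.100.55"): ["127.0.0.4"],
    }
    return table.get(name)


def check_reputation(client_ip: str, resolve=fake_resolver):
    """Return a human-readable listing reason, or None if the IP is not listed."""
    answers = resolve(dnsbl_query_name(client_ip))
    if not answers:
        return None
    for a in answers:
        # Only 127.0.0.0/8 answers are hits. An answer outside that range
        # (e.g. a wildcard from an expired or hijacked zone) must not be
        # treated as a listing, or every connection would be refused.
        if ipaddress.ip_address(a) in LISTED_RANGE:
            return REASON_CODES.get(a, "listed (code %s)" % a)
    return None


def smtp_connect_response(client_ip: str, resolve=fake_resolver) -> str:
    """220 greeting to proceed, or a 554 greeting that rejects at connect time.

    The reply names the list and the client address so a legitimate sender
    knows why it was refused and which list operator (or ESP) to contact."""
    reason = check_reputation(client_ip, resolve)
    if reason is None:
        return "220 mx.example.invalid ESMTP ready"
    return ("554 5.7.1 Service unavailable; client [%s] blocked using %s (%s)"
            % (client_ip, DNSBL_ZONE, reason))


if __name__ == "__main__":
    for ip in ("192.0.2.1", "203.0.113.7", "198.51.100.55"):
        print(ip, "->", smtp_connect_response(ip))
```

    Rejecting with a permanent 5xx code during the handshake is what keeps the cost low: the body is never transferred, and the sending server, not the recipient, carries the bounce.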

    How do legitimate email senders get tagged as spammers?

    There are many more parties involved in email than just “sender” and “recipient”. There are actually multiple “roles” involved, which include the following:

    • Email Service Provider (ESP)
    • ESP customers
    • Spammers
    • Security solution providers
    • Users of email security solutions

    Email service providers are organizations that allow their customers to send large numbers of bulk emails, such as newsletters. ESPs give business owners a good channel for communicating with their customers. However, cybercriminals also see them as an opportunity to reach potential victims. Spammers compromise the accounts of legitimate email senders, or even sign up for ESP services themselves in order to abuse them. When this happens and spam sent through the ESP is analyzed by email security solutions, the ESP’s SMTP servers can inadvertently end up on IP blacklists.

    More often than not, when an IP address is added to a blacklist, the registered owner is notified. The notification is sent to the contact information available through whois (in many cases, the ESP will be the organization listed there). This makes it critical for the whois information to be kept up to date: if an IP is “wrongfully” blacklisted because spammers used the same ESP, the result is a false positive, with legitimate email servers flagged as spam senders.

    Are your emails being flagged as spam?

    If you think your emails are being flagged as spam, the best course of action is to contact the ESP for assistance. The ESPs should serve as the liaison between their customers and security providers with IP reputation technologies. We, for instance, proactively work with various ESPs. In these cases, we provide the information necessary to shut down any abuse to the ESP, so no addresses need to be listed in blacklists and legitimate customers are not affected.

    Email remains a very effective tool for communicating over the Internet, and we consider it very important to make sure that it is not abused for cybercriminal operations.

    With the entire Internet abuzz about the iCloud hacking leak, in which more than a hundred celebrities had their private photos leaked online, it was only a matter of time before some enterprising cybercriminal decided that things were ripe for socially engineered threats. That is just what happened: our scanning brought to our attention freshly concocted schemes targeting those looking for the photos from the leak.

    The first threat we found hails from Twitter, in the form of a tweet posted with hashtags containing the name of one of the leak’s victims, Jennifer Lawrence. The tweet sports a shortened link that, if clicked, leads the user to a website offering a video of the actress in question.


    Figure 1. Tweet with malicious link

    Figure 2. Website with offered video



    The Chinese underground has continued to grow since we last looked at it. It is still highly profitable, the cost of connectivity and hardware continues to fall, and there are more and more users with poor security precautions in place.

    In short, it is a good time to be a cybercriminal in China. So long as there is money to be made, more people may be tempted to become online crooks themselves.

    How can we measure the growth of the Chinese underground economy? One way is to look at the volume of its communications traffic. Many Chinese cybercriminals talk via groups on the popular Chinese instant messaging application QQ.

    We have been keeping an eye on these groups since March 2012. By the end of 2013, we had obtained 1.4 million publicly available messages from them. The data we gathered helped us determine certain characteristics and developing trends in the Chinese underground economy.

    First, the number of messages showed that the amount of underground activity in China doubled in the last 10 months of 2013 compared with the same period in 2012. Based on the ID of the senders, we also believe that the number of participants has also doubled in the same period.

    Figure 1. Number of underground-related messages identified on QQ per month


    Cybercriminals are also going where the users are. Many of the malicious goods being sold in the underground economy are targeted at mobile users, as opposed to PC users. A mobile underground economy is emerging in China (something we noted earlier this year), and this part of the underground economy appears to be more attractive and lucrative than other portions.

    Our latest paper in the Cybercrime Underground Economy Series titled The Chinese Underground In 2013 contains the details of these findings related to QQ, as well as other updates dealing with the Chinese underground.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice