Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    March 2015
    S M T W T F S
    « Feb    
  • Email Subscription

  • About Us

    Recently, both HP’s Zero Day Initiative (ZDI) and Google’s Project Zero published vulnerabilities in Microsoft products (specifically, Internet Explorer and Windows 8.1) because Redmond did not fix them within 90 days of the vulnerabilities being reported.

    This has resulted in an argument between security researchers and software vendors on how vulnerabilities should be disclosed. A case where a vulnerability was disclosed without a patch has mixed results for end users:

    • It pushes vendors to respond more quickly when vulnerabilities are disclosed to them in the future;
    • However, it also increases the time window when attacks can be carried out using these unpatched vulnerabilities.

    This is a long and complicated discussion that it would not be productive for me to jump into. Instead, we should look at why this particular debate has become more pointed recently. This is because the landscape of vulnerability research is changing.

    For a long time, most vulnerabilities were discovered (and disclosed) by independent researchers (like white-hat hackers). At some level, they treat vulnerability research as a hobby. They have no incentive (or capability) to force vendors to fix vulnerabilities.

    However, since 2010, many targeted attack campaigns have been discovered and documented. Professionals everywhere are now aware that everyone can be the victim of targeted attacks.  Many of these incidents use zero-day vulnerabilities to compromise user systems.

    This has resulted in both established security vendors as well as startups expanding their ability to discover vulnerabilities in applications and websites.  In effect, the ecosystem surrounding vulnerability research has been changed by the need to deal with targeted attacks.

    Trend Micro vulnerability research

    Trend Micro has also been expanding its own vulnerability research capabilities. In 2014, we discovered 19 critical vulnerabilities in various applications that could be exploited  for remote code execution. Eleven of these affected Internet Explorer, three Adobe Flash Player, and two each affected Adobe Reader/Acrobat and Java. We also found one vulnerability in Netcore/Netis routers.

    Figure 1. Discovered vulnerabilities in 2014

    The 19 critical vulnerabilities (and affected software) which we found and reported to the appropriate vendors in 2014 are:

    Why vulnerability research matters

    Vulnerability research has the following benefits for security vendors:

    1. It allows vendors to anticipate the exploit landscape, and craft solutions in advance accordingly.

    In 2013, the biggest source of exploit trouble was Java. However, we predicted that Internet Explorer and Adobe Flash would be the next targets. The reason was simple: attackers focus on the applications with the least security protection. Java had been forced by the events of 2013 to improve their security; other platforms would now be the focus of attackers.

    We put our resources into investigating Internet Explorer and Flash from late 2013 onwards. As a result, we are able to discover zero-day vulnerabilities (like CVE-2014-8439, CVE-2015-0311, or CVE-2015-0313) as well as improve our ability to detect various commonly used exploit kits.

    1. Validate solution effectiveness on unknown threats

    Research into unpublished vulnerabilities will help confirm which solutions are or are not effective. For example, after Internet Explorer introduced “delay free”, most of UAF vulnerabilities could no longer be exploited with current techniques. This did not render attacks impossible to do, only difficult.

    If a new method is found – whether discovered by attackers or disclosed by researchers – how can we know right away if our protection is effective of it can be bypassed without a sample? Our own findings can be used to simulate the condition in such a situation.

    1. Respond effectively to zero-day and N-day exploits

    Every solution has its own inherent difficulties and limitations. Some exploits like CVE-2014-6332 require multiple solutions that cover various aspects of the threat. Studying vulnerabilities in detail allows us to identify the root causes of the vulnerabilities and deliver the best solutions.

    The exploit landscape of 2015

    My colleague Pawan Kinger had earlier discussed the exploit landscape of 2014.  At the 2015 began, Google revealed three vulnerabilities in Mac OS X. This may serve as a significant sign to attackers that it’s worthwhile to investigate the code of open source projects. Users should consider using security products even on Macs, as well as mobile devices like iOS and Android smartphones/tablets.

    Microsoft did a lot to improve the security of their products. Internet Explorer has been strengthened with various anti-exploit techniques. Windows 10 will add the Spartan browser, as well as more OS-level protection techniques like Control Flow Guard (CFG).  This will slow down attackers, as they need to understand these new mechanisms before creating new exploits,

    However, Adobe Flash Player is less secure and exploits targeting it are very popular, as the multiple vulnerabilities in use (CVE-2014-0569, CVE-2014-8439, CVE-2014-2014-9163, and CVE-2015-0311) show. In those cases, more and more obfuscation and evasion are in use.

    Trend Micro Deep Discovery contains a powerful sandbox that can detect and analyze threats entering the network perimeter, even without any pattern or engine updates. This allows IT administrators to detect threats – including attacks that use zero-day exploits – that attempt to target their organization. This information can be used by administrators to craft an appropriate response as necessary. The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ SecurityOfficeScan, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention also protects against exploits that target browsers or related plugins.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Today we’re releasing our research paper on the operations of the Yanbian Gang—a Chinese cybercriminal group that use mobile malware to siphon off money from account holders of South Korean banks. They are able to transfer up to US$1,600 worth of local currency from victims’ accounts every single day since 2013.

    This investigation is the result of our continuous monitoring of the threat landscape. We are always on the lookout for new threats, and the Chinese underground is a particularly active source of these problems. In particular, many mobile threats are found to have been from the larger Chinese underground market.

    The Tools Behind the Theft

    This group, dubbed the “Yanbian Gang,” has successfully been siphoning millions from their victims’ accounts since 2013. The group used a variety of Android malware for their schemes.

    • Fake banking apps: In our research, we saw fake versions of apps of five South Korean banks—KB Kookmin Bank, NH Bank, Hana Bank, Shinhan Bank, and Woori Bank. These apps steal user information and credentials. They also have the ability to uninstall and take the place of the real apps they are spoofing. This allows them to run undetected while obtaining what they are after—victims’ personal account credentials that translate to financial gain for the fake apps’ operators.
    • Apps that hijack banking sessions: They mimic their targets’ icons to dupe bank customers into thinking they are the real thing. The fake app’s UI then logs all of the affected user’s inputs—account number, user name, password, and other personally identifiable information (PII).
    • Fake versions of popular apps: The Yanbian Gang also created fake versions of apps that are popular with Android users. Examples of these are the Google Play and Search and the Adobe® Flash® Player as well as porn apps. The fake apps download and install other malicious apps, delete files and folders, record text messages, take photos, steal files, and others, depending on what their creators want them to do.

    The group used fake Internet Police apps to victimize South Korean users. Potential victims received SMS phishing messages that scared them with supposed investigations if they did not click a given link. When clicked, however, the link installed a malicious app in their devices.

    “QQ” Communications

    For recruitment, communication and coordination, the group used QQ Chat, a popular Chinese instant messaging service. We noted in 2013 that QQ was rapidly becoming the mode of communication for cybercrooks in China. In our report, The Chinese Underground in 2013, we revealed that the number of messages showed that the amount of underground activity in China doubled in the last 10 months of 2013 compared with the same period in 2012.

    For more details, on how Yanbian Gang conducts their operations, read our Trend Micro research paper, The Yanbian Gang:  Using Mobile Threats to Go after South Korean Targets.

    Existing Trend Micro products like Trend Micro Mobile Security are able to detect these apps before they are installed onto user devices, protecting them attacks of this nature.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    We recently talked about recent improvements to the CTB-Locker ransomware. To recap, the malware now offers a “free decryption” service, extended deadline to decrypt the files, and an option to change the language of the ransom message.

    We are seeing another wave of CTB-Locker ransomware making their way into the wild. What’s highly notable about this current batch of crypto-ransomware is that they are using “big names” like Facebook and Google Chrome as social engineering lures.

    The New Lures

    We observed that the CTB-Locker ransomware arrives through spammed emails pretending to be from Google Chrome and Facebook.

    The fake Google Chrome email pretends to be a notification about updating the recipient’s Chrome browser. Upon clicking the link, the user will be directed to a site hosting the malware.  The malware uses a Google Chrome icon to disguise itself as a legitimate installer package. This is actually a variant detected as TROJ_CRYPCTB.YUX.

    Figure 1. Fake Google Chrome email

    Another lure used by cybercriminals is Facebook. The email arrives as an account suspension notificaiton. The email instructs the user to click on an embedded link.  This link will lead to the download of the malware.

    Figure 2. Fake Facebook email

    The malware uses a .PDF icon to disguise itself as a legitimate file. This malware is detected as TROJ_CRYPCTB.NSA.

    Our findings show that both variants are hosted in compromised sites. And interestingly enough, each variant is hosted on a group of compromised sites that is linked to one IP address.

    Connections to Phishing

    Digging deeper into these compromised sites, we discovered that some of these URLs are associated with phishing spam, specifically those using PayPal as their lure.

    Figure 3. Fake PayPal email

    The spammed email arrives with the subject, “Take Action PayPal.” The email instructs the recipient to log in to their PayPal account to settle an issue by clicking a link in the email.

    Upon clicking, the link redirects to a phishing site. The site asks not only for the user’s login credentials, but other important, sensitive information like contact details and credit card information.

    Figure 4. Fake PayPal site

    Figure 5. Information requested by the phishing site

    Once the user completes all the information, the site then redirects the person to the legitimate PayPal login page. To avoid suspicion, it uses the excuse of needing to log in again for the changes to fully reflect in the PayPal account.

    Using the same URLs as those of the CTB-Locker malware suggests that the threat actors distributing the ransomware are also dabbling in phishing.

    Updates on CTB-Locker

    In our previous entry, CTB-Locker Ransomware Includes Freemium Feature, Extends Deadline, we noted that the CTB-Locker variants included language support for four languages: English, German, Italian, and Dutch. This new batch of ransomware now supports seven languages, namely, French, Spanish, Latvian, German, Dutch, Italian, and English.

    Figure 6. Ransom message

    The malware also now arrives in a Windows installer package. The two new variants identified were wrapped in an installer using using NSIS.  Cybercriminals leverage NSIS, which is an open source installer like InstallShield, to make analysis difficult. When executed, the malware drops an encrypted version of the CRYPCTB malware and a library (.DLL) file. The library file will decrypt and execute the ransomware. After the routine, the library file will delete itself.

    In a surprising move, the cybercriminals adjusted the ransom payment for the decryption of files to 2 BTC, a fee lower than the 3 BTC ransom fee of previous variants.

    The malware also uses  new set of Tor Addresses to communicate with the affected system.

    Trend Micro™ Smart Protection Network™ Data

    We’ve noted here that the added languages are all for countries based in Europe. This suggests that these variants may be targeting the EMEA region.

    Additionally, this theory is supported by data from the Smart Protection Network gathered January 21 – February 6, 2015. Four countries in the top ten affected countries come from that the EMEA region.

    Figure 7. Top countries affected by CRYPCTB malware family


    From what we’ve seen, the threat actors focused more on improving their chances of spreading the malware than improving the design of the code itself. Once the malware is in the system, it can be very challenging to recover the files without getting their help.

    As we have mentioned in previous entries, it might be tempting to give in and pay the ransom fee to get back encrypted files. However, there is no guarantee that the cybercriminals will actually honor the exchange. At the very worst, the victim is left with no files and no money.

    Most of these types of malware use spam as their gateway to infection, which is why users need to be cautious when dealing with suspicious-looking emails. We advise users to scrutinize each email, even those that come from seemingly legitimate senders.  For this incident, the cybercriminals used the following email addresses to appear legitimate:


    These email addresses might appear legitimate at first glance. But looking closer, we see a typo for the supposed Google email address. Facebook actually uses the domain but only as its corporate email domain. In short, Facebook will never use it to communicate with Facebook users. Meanwhile, PayPal uses the domain, not

    Users should also remember to routinely back up their data. The 3-2-1 principle should be in play: three copies, two different media, one separate location.

    Related hashes:

    • 5a9f78f075a3a5f6442d2b956e499330502eb641
    • 1e6957decefa207c2289f2b578414e4b6d97ff03
    • 6aef7d5a462268c438c8417ee0da3f130b8aa84a

    With additional insight from Jon Oliver and Mary Ermitano-Aquino

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    This month’s Microsoft Patch Tuesday lists nine security bulletins released for February 2015, among which include a roll out for several vulnerabilities in Internet Explorer. This round of security updates includes three updates rated as Critical, while the remaining six were rated Important as Microsoft addressed a total of 56 CVEs. Last month’s Patch Tuesday notification did not include patches for Internet Explorer and only had one update with a Critical rating.

    Critical Updates for February Patch Internet Explorer

    MS15-009, MS15-010, and MS15-011 are the bulletins rated “critical” as they deal with vulnerabilities in Internet Explorer, Windows Kernel-Mode Driver, and Microsoft Group Policy, respectively. The MS15-009 bulletin is most alarming as the update applies to versions of Internet Explorer that date back all the way to versions 6 to 11. The update addresses a total of 41 different CVEs.

    Important Bulletins Fix Vulnerabilities in Microsoft Office, among others
    Microsoft released six bulletins rated “important,” which addresses security flaws in Microsoft Office, Windows, Group Policy, Microsoft Graphic Component, and System Center Manager. The bulletins associated with these updates are MS15-012, MS15-013, MS15-014, MS15-015, MS15-016, and MS15-017.

    MS15-014 is particularly important as it addresses a single, privately reported vulnerability within Windows Group Policy (CVE-2015-0009). Microsoft describes CVE-2015-0009 as a possible security feature bypass vulnerability that exists in the Group Policy application of Security Configuration policies “that could cause Group Policy settings on a targeted system to revert to their default, and potentially less secure state.” Microsoft further writes: “An attacker could accomplish this by way of a man-in-the-middle attack that modifies domain controller responses to client requests.”

    Solutions and Best Practices

    Users and system administrators are strongly advised to issue the appropriate patches for these system vulnerabilities. Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities following DPI rules:

    • 1006403- Microsoft Internet Explorer ‘display:run-in’ Use-After-Free Remote Code Execution Vulnerability (CVE-2014-8967)
    • 1006475- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0017)
    • 1006476- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0018)
    • 1006478- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0019)
    • 1006480- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0020)
    • 1006483- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0021)
    • 1006474- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0022)
    • 1006477- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0023)
    • 1006502- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0025)
    • 1006511- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0026)
    • 1006479- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0029)
    • 1006481- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0030)
    • 1006484- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0035)
    • 1006489- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0036)
    • 1006504- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0037)
    • 1006505- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0038)
    • 1006508- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0038) -1
    • 1006487- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0039)
    • 1006488- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0040)
    • 1006490- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0041)
    • 1006492- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0042)
    • 1006501- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0043)
    • 1006495- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0044)
    • 1006497- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0045)
    • 1006499- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0046)
    • 1006491- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0048)
    • 1006493- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0049)
    • 1006503- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0050)
    • 1006494- Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2015-0051)
    • 1006496- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0052)
    • 1006498- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0053)
    • 1006500- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0067)
    • 1006507- Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0068)
    • 1006510- Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2015-0069)
    • 1006486- Microsoft Internet Explorer Cross Domain Information Disclosure Vulnerability (CVE-2015-0070)
    • 1006506- Microsoft Internet Explorer ASLR Bypass Vulnerability (CVE-2015-0071)
    • 1006470- Microsoft Excel Remote Code Execution Vulnerability (CVE-2015-0063)
    • 1006471- Microsoft Office Remote Code Execution Vulnerability (CVE-2015-0064)
    • 1006473- Microsoft OneTableDocumentStream Remote Code Execution Vulnerability (CVE-2015-0065)
    • 1006482- Microsoft Windows TIFF Processing Information Disclosure Vulnerability (CVE-2015-0061)

    More information about these bulletins and their corresponding Trend Micro solutions are posted at our Threat Encyclopedia Page: February 2015 – Microsoft Releases 9 Security Advisories.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    With analysis and research by Stephen Hilt (Independent Researcher)

    Even as attacks on SCADA devices has become more public, devices are constantly being reported as Internet-facing and thus, vulnerable to attacks.  Very little security is implemented on these devices, making them perfect targets of opportunity. Recently, Internet-facing gas station pumps have gained some attention, when several articles exposing the availability of these devices were published online.

    Figure 1. Webserver of some of the pump monitoring systems

    After performing our own research, independent researcher Stephen Hilt and I wondered if attackers are actively attempting to compromise these Internet-facing gas pump monitoring systems.  We began searching for these devices to see if we could glean any intelligence on attacks that have occurred against these devices.

    Pump Overview

    The Guardian AST Monitoring System is a device designed to monitor inventory, pump levels, and assorted values of pumping systems typically found in gas stations. The pump systems support a variety of products and data points to monitor within the device, which are often easily accessed through the Internet. These are typically deployed online for easy remote monitoring and management of gas providers.

    These monitoring devices are deployed at many U.S. and worldwide-based gas stations. One important note is these devices support six-digit PINs for security access to devices.

    Figure 2. List of products monitored by the Guardian Pump Monitoring System

    Gas Pump Hunting

    When investigating and hunting for gas pumps, attackers use a multitude of tools and techniques to find and track these devices. One of these tools, which is quite prominent, is the site Shodan, which is a “search engine for Internet-connected devices.” Queries in Shodan will show a multitude of data points including tank name, command issued, volume, height, water, and the temperature of the tank.

    Figure 3. Example of Shodan output for a pump monitoring system

    In addition to using Shodan for hunting, attackers have been witnessed using Nmap, the popular port-scanning tool on Port 10001.

    Overall statistics derived from Shodan are concerning. At the time of writing, there were over 1,515 gas pump monitoring devices Internet exposed worldwide, all of them lacking security measures that prevent access by unauthorized entities. The U.S. accounts for 98% of Internet-facing devices.

    Figure 4. Percentage of exposed pump monitoring systems on the Internet by country

    Possible Anonymous Attacks Against Gas Pump Monitoring Systems

    With the increased notoriety of SCADA systems, attacks have increased at a dramatic pace. This also holds true for the Guardian ASTs.  When investigating possible attacks, we first went to Shodan, our trusty search engine. Fairly quickly, we found evidence of tampered devices.

    Figure 5. Possible Anonymous attack against a pump name at a US gas station

    It became apparent that an attacker had modified one of these pump-monitoring systems in the U.S. This  pump system was found to be Internet facing with no implemented security measures. The pump name was changed from “DIESEL” to “WE_ARE_LEGION.” The group Anonymous often uses the slogan “We Are Legion,” which might shed light on possible attributions of this attack. But given the nebulous nature of Anonymous, we can’t necessarily attribute this directly to the group.

    An outage of these pump monitoring systems, while not catastrophic, could cause serious data loss and supply chain problems. For instance, should a volume value be misrepresented as low, a gasoline truck could be dispatched to investigate low tank values. Empty tank values could also be shown full, resulting in gas stations have no fuel.


    We have previously discussed problems that unsecured, personal IoE devices, such as surveillance cameras, come with their own set of security issues. But those issues pale in comparison to unsecured SCADA devices, where one vulnerability can result in critical errors and damage.

    The results of our investigation are interesting in two levels. One would be the fact that an attack was possibly carried out by the group Anonymous or people claiming to be part of the group. But on another level, our investigation reveals that Internet-facing devices are actually being attacked. Discussions regarding Internet-facing devices often revolve around possible, hypothetical scenarios. We now have proof that these scenarios are possible, and worse, actually occurring in real life.

    Our investigation shows that the tampering of an Internet-facing device resulted in a name change. But sooner or later, real world implications will occur, causing possible outages or even worse. Hopefully, with continued attention to these vulnerable systems, the security profile will change. Ideally, we will start seeing secure SCADA systems deployed, with no Internet facing devices.

    We are continuing to monitor these concerning events, and will report additional findings in a forthcoming report.


    We would like to thank Independent Researcher Stephen Hilt for his contributions and expertise to this article.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice