TrendLabs Malware Blog - Trend Micro
October 2014

    Three out of nine security bulletins in today’s Microsoft Patch Tuesday are marked as Critical, while the rest are tagged as Important. The patches address vulnerabilities found in Internet Explorer and the Microsoft .NET Framework, including the zero-day exploit affecting Microsoft Windows. MS14-060 addresses the Sandworm zero-day vulnerability, which was reported hours earlier.

    Based on our analysis, attackers may use this vulnerability to create and execute malware payloads, given that it is not too difficult to exploit: an attacker who knows the file format can create their own PowerPoint exploit. Trend Micro detects the exploit as TROJ_MDLOAD.PGTY, and its payloads as INF_BLACKEN.A and BKDR_BLACKEN.A. Currently, it is believed that this zero-day was used in cyber attacks against European sectors and industries.

    Another critical bulletin that users need to note is MS14-056, which fixes several vulnerabilities in Internet Explorer. Once successfully exploited, these could lead to remote code execution. Similarly, MS14-057, another bulletin tagged as Critical, could lead to remote code execution when successfully exploited by remote attackers.

    Adobe also released security updates today to address vulnerabilities affecting certain versions of ColdFusion and Adobe Flash Player. These are covered under the following CVEs:

    • CVE-2014-0558
    • CVE-2014-0564
    • CVE-2014-0569
    • CVE-2014-0570
    • CVE-2014-0571
    • CVE-2014-0572

    We highly recommend that users patch their systems and update their Adobe products to the latest versions. The Sandworm zero-day highlights the importance of patching, as such vulnerabilities can be used by cybercriminals and threat actors to infiltrate a network and potentially steal confidential company data and other types of information.

    Trend Micro Deep Security and Office Scan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

    • 1006267 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4126)
    • 1006268 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4127)
    • 1006269 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4128)
    • 1006270 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4129)
    • 1006271 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4130)
    • 1006282 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4132)
    • 1006274 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4133)
    • 1006279 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4134)
    • 1006273 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4138)
    • 1006283 - Microsoft Word And Office Web Apps Remote Code Execution Vulnerability (CVE-2014-4117)
    • 1000552 - Generic Cross Site Scripting (XSS) Prevention
    • 1006290 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
    • 1006291 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) - 1

    Users may visit our Threat Encyclopedia page for more details on these security bulletins.

    Update as of October 16, 2014, 5:45 P.M.:

    The Sandworm vulnerability has been linked to attacks against specific SCADA systems. Read more about this in our post titled Sandworm to Blacken: The SCADA Connection.


    In the two previous parts of this series of blog posts, we discussed the kinds of threats that we’re seeing on Twitter, as well as the scope and scale of these threats. In this part, we will discuss their motivations, and what end users can do.

    The first question is: why do cybercriminals bother doing this? Social media accounts are valuable in their own right. These accounts can typically be used to make money in many ways for cybercriminals; any form of personally identifiable information (PII) can be monetized by attackers.

    One way that stolen social media accounts are used is to send spam. One reason that social media spam can be considered superior to email spam is simple: more people click on links from social media than email. The click-through rate for email spam is estimated at anywhere from 0.003% to 0.02%. How does Twitter spam fare?

    It’s difficult to exactly compare the effectiveness of Twitter spam with that of e-mail spam. One measure we can use is the number of clicks we saw for every spammed Tweet. This varies depending on the type of abuse. Some Twitter spam campaigns could be spectacularly successful: one viral campaign aimed at Japanese users had 0.269 clicks per Tweet. However, more typical rates varied from 0.01 clicks per Tweet for Twitter-specific spam to 0.03 for malware-linked Tweets. These numbers suggest that Twitter spam is more effective than conventional email spam.

    So now we’ve established that Twitter spam is a legitimate threat. How is Twitter responding? We are happy to say that this is a problem Twitter is getting on top of. Earlier this year, they disclosed the existence of BotMaker, their anti-spam bot infrastructure which has cut the spam problem by 40%. Other social networks can study Twitter as an example in how to deal with threats on their sites.

    For users, the lessons are clearer. First of all, do not believe any claims that you can buy followers, views, likes, friends, and so on. The numbers you buy will almost certainly come from compromised accounts. This will bring no value, or even negative value, to your own social media efforts. Your own account may also be compromised in the process. Shortcuts to social media popularity don’t exist.

    Secondly, you should already be careful about clicking on links posted on social media in general, but be particularly careful about links that say that you have to log in again because your original log in timed out. Close your browser and start again; if you see the same message it’s almost certainly a phishing page.

    Lastly, if the social media services you use support it, turn on two-factor authentication. Just about all large online services today offer some support for two-factor authentication. Turning it on makes compromising your account much harder, as an attacker has to somehow compromise your phone as well. It’s not impossible – other Trend Micro research has shown how this can be done with online banking. However, it is still a useful security precaution to take against most attacks targeting social media.


    Prior to the release of Microsoft’s monthly Patch Tuesday, a new zero-day exploiting the Windows vulnerability covered in CVE-2014-4114 was reported by iSight. The vulnerability affects desktop and server versions of Windows from Vista and Server 2008 up to the current versions. It is believed to have been used in cyber attacks related to NATO by a Russian cyber espionage group.

    Based on our analysis, the vulnerability exists in PACKAGER.DLL, which is part of the Windows Object Linking and Embedding (OLE) packager. Using a crafted PowerPoint document, an .INF file referenced by an embedded OLE object can be copied from a remote SMB share and installed on the system. Attackers can exploit this logic defect to execute another piece of malware, downloaded via the same means.

    The severity of the vulnerability is highly critical because it is fairly simple to exploit. Since it is a logic defect, attackers need not create shellcode or a Return Oriented Programming (ROP) chain, a method used to bypass DEP protection. DEP prevents the execution of code (including malicious shellcode) from certain non-executable regions of memory. If attackers know the file format, they can craft a PowerPoint exploit directly. Furthermore, since the exploit involves no heap spray, ROP, or shellcode, most heuristic detection methods would have difficulty detecting it.

    The original logic includes two potentially risky behaviors that happen without the user’s knowledge or consent, and that should have been designed more carefully:

    1. Copy a file from a remote shared folder
    2. Install the downloaded .INF file

    We analyzed the PPSX sample (MD5 hash: 330e8d23ab82e8a0ca6d166755408eb1) to investigate how this happens. We unzipped the .PPSX file to see the content files of this PPT exploit, as seen below:


    Figure 1. Folder structure of PPSX file

    The following is the content of oleObject1.bin and oleObject2.bin. It indicates that the OLE objects reside in a remote shared folder.



    Figures 2-3 Content of oleObject1.bin and oleObject2.bin

    In slide1.xml, we can see that it refers to two Packager Shell Objects, “rId4” and “rId5.”


    Figure 4. Content of slide1.xml (part 1)

    In slide1.xml.rels, “rId4” and “rId5” are defined as the two OLE objects above.


    Figure 5. Content of slide1.xml.rels

    When slide1 is opened, the files “slide1.gif” and “slides.inf” are copied to the local system by packager.dll. Slide1.xml also describes two actions, one with the parameter “-3” and the other with “3”. These two actions are invoked when the two OLE objects are loaded; the routine can be seen in the packager!CPackage::DoVerb() function.


    Figure 6. Content of slide1.xml (part 2)

    For slide1.gif the parameter is “-3”, and the function does nothing. However, when “slides.inf” is loaded with the parameter “3”, the .INF file is installed. The screenshot below shows the call stack when InfDefaultInstall.exe is executed:


    Figure 7. Call stack of INF installation

    The .INF file then renames slide1.gif to slide1.gif.exe and adds a RunOnce registry value for it, so that the Trojan is executed automatically at the next system boot.

    We detect the exploit as TROJ_MDLOAD.PGTY, which in turn leads to the download of INF_BLACKEN.A when successfully exploited. This malware, on the other hand, downloads and executes the backdoor, which we detect as BKDR_BLACKEN.A.
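    As an added example (not code from the original post or from Trend Micro), the following Python triage script checks a PPSX for the two indicators walked through above: embedded OLE package objects whose content points at a remote share, and a verb “3” action in the slide XML, the combination the analysis shows triggering the INF install. The sample PPSX it builds is constructed to mimic that structure and is not the real sample; the XML element names, attribute order and the 203.0.113.5 address are simplifying assumptions.

```python
import io
import re
import zipfile

# UNC path like \\host\share\file, as it would appear inside a Package OLE object
UNC_RE = re.compile(r'\\\\[\w.\-]+(?:\\[\w.\-$ ]+)+')
# OLE verb action in the slide XML, e.g. <p:cmd type="verb" cmd="3"/>
# (simplified pattern; assumes the attribute order used in the constructed sample)
VERB_RE = re.compile(r'<p:cmd[^>]*type="verb"[^>]*cmd="(-?\d+)"')
INSTALL_VERB = 3  # the verb the analysis above shows installing slides.inf


def find_unc_paths(data: bytes) -> list:
    """Return UNC paths found in an OLE blob, whether stored as ANSI or UTF-16LE."""
    views = [data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")]
    return sorted({m.group() for text in views for m in UNC_RE.finditer(text)})


def triage_ppsx(blob: bytes) -> dict:
    """Inspect a PPSX/PPTX (a zip container) for remote OLE packages and verb actions."""
    result = {"remote_paths": [], "ole_verbs": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("ppt/embeddings/"):
                result["remote_paths"] += [(name, p) for p in find_unc_paths(data)]
            elif name.startswith("ppt/slides/") and name.endswith(".xml"):
                text = data.decode("utf-8", errors="ignore")
                result["ole_verbs"] += [(name, int(m.group(1))) for m in VERB_RE.finditer(text)]
    # Both indicators together match the pattern described in the post above
    result["suspicious"] = bool(result["remote_paths"]) and any(
        v == INSTALL_VERB for _, v in result["ole_verbs"])
    return result


def build_sample() -> bytes:
    """Constructed PPSX mimicking the layout described above; not the real sample."""
    slide = ('<p:sld><p:oleObj progId="Package" r:id="rId4"/>'
             '<p:oleObj progId="Package" r:id="rId5"/>'
             '<p:cmd type="verb" cmd="-3"/><p:cmd type="verb" cmd="3"/></p:sld>')
    rels = ('<Relationships><Relationship Id="rId4" Target="../embeddings/oleObject1.bin"/>'
            '<Relationship Id="rId5" Target="../embeddings/oleObject2.bin"/></Relationships>')
    share = r"\\203.0.113.5\public"  # documentation address, constructed for this example
    ole1 = b"\x02\x00" + (share + r"\slide1.gif").encode("latin-1") + b"\x00"
    ole2 = b"\x02\x00" + (share + r"\slides.inf").encode("utf-16-le") + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/embeddings/oleObject1.bin", ole1)
        z.writestr("ppt/embeddings/oleObject2.bin", ole2)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ppsx(build_sample()))
```

On a real document the OLE blob layout and XML differ in detail, so treat the regexes as a starting point for a mail-gateway or sandbox pre-filter rather than a complete parser.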

    Because this vulnerability is not arduous to exploit, attackers may abuse it to deliver new malware payloads. Trend Micro secures users from this threat by detecting the exploit and the malware payload via its Smart Protection Network. Trend Micro Deep Security and Office Scan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage this vulnerability via the following DPI rules:

    • 1006290 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
    • 1006291 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) - 1

    Users are strongly advised to patch their systems once Microsoft releases its security update for this. In addition, users and employees are advised not to open PowerPoint files from unknown sources, as this may lead to a series of malware infections.

    Update as of October 15, 2014, 11:30 P.M.:

    Microsoft has included the patch for the Sandworm vulnerability in its October 2014 Patch Tuesday.

    Update as of October 16, 2014, 5:45 P.M.:

    The Sandworm vulnerability has been linked to attacks against specific SCADA systems. Read more about this in our post titled Sandworm to Blacken: The SCADA Connection.

    With additional analysis from Kai Yu


    Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Reports are also coming in that this specific vulnerability has been exploited and used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.

    According to reports, this vulnerability (CVE-2014-4114) was exploited as part of a cyber-espionage campaign by attackers dubbed the “Sandworm Team.” This particular vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.” Details of the vulnerability have been made available, including the following:

    • This vulnerability exists in the OLE package manager in Microsoft Windows and Server.
    • The OLE packager can download and execute INF files. “In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allow a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.”
    • If exploited, the vulnerability can allow an attacker to remotely execute arbitrary code.

    Microsoft has announced that it will release a patch for this vulnerability as part of this month’s Patch Tuesday. We encourage both users and admins to immediately download and install the patches as soon as they are made available.

    We are currently analyzing the related sample. We will update this entry as soon as more details and solutions are available.

    Update as of October 15, 2014, 11:24 P.M. (PDT):

    Further analysis of this zero-day vulnerability can be found in our entry, An Analysis of Windows Zero-day Vulnerability “CVE-2014-4114” aka “Sandworm.” You may also read the entry October 2014 Patch Tuesday Fixes Sandworm Vulnerability for information regarding the corresponding patch.


    Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube.

    Over the past few months, we have been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.

    Figure 1. Countries affected by this malicious ad campaign

    Recently, we saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label.

    The ads we’ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.

    In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)

    The traffic passes through two redirection servers (located in the Netherlands) before ending up at the malicious server, located in the United States.

    The exploit kit used in this attack was the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:

    Based on our analyses of the campaign, we were able to identify that this version of Sweet Orange uses vulnerabilities in Internet Explorer. The URL of the actual payload constantly changes, but all of them use subdomains on the same Polish site mentioned earlier, and the behavior of these payloads is identical.

    The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible.

    Users who keep their systems up to date will not be affected by this attack, as Microsoft released a patch for this particular vulnerability in May 2013. We recommend that users read and apply the software security advisories from vendors like Microsoft, Java, and Adobe, as old vulnerabilities are still being exploited by attackers. Applying the necessary patches is an essential part of keeping systems secure. Backing up files is also a good security practice to prevent data loss in the event of an attack like this.

    In addition to blocking the files and malicious sites involved in this attack, our browser exploit prevention technology prevents attacks that target these vulnerabilities.

    With additional insight from Rhena Inocencio

    The following hashes are detected as part of this attack:


    We have already notified Google about this incident.

