Trend Micro TrendLabs Malware Blog, December 2014

The celebration of Thanksgiving and Black Friday last week marks the start of the holiday shopping season for the majority of the world. For most, this means vacations, family, friends, traveling, and of course, shopping. This is also the time for watching feel-good holiday movie reruns on television. One of my favorite movies is a Steve Martin comedy from the ‘80s called “Planes, Trains & Automobiles.” This blog post is not about that movie, but it does borrow heavily from its title.

    PoS Malware, Now Mainstream

    It should be remembered that it was around this time last year that U.S. retailer Target suffered one of the largest data breaches in history in a targeted attack that used the BlackPOS malware. Since the start of this year, point-of-sale or PoS malware have become mainstream and attacked merchants both big and small. 2014 is also the year when we saw PoS malware mature as a threat. New PoS threats have emerged in time for this year’s holiday shopping season and we even managed to get a peek inside a PoS scammer’s toolbox.

    PoS malware have been mostly constrained to retailers and merchants, but it now looks like PoS malware have branched out from shopping malls to airports, metro stations, and parking lots.


Researchers from security firm Census presented an interesting paper about point-of-sale attacks targeting travelers at DEFCON 2014 last August. Census extends the definition of PoS in airports to include check-in kiosks, Wi-Fi credit kiosks, luggage locator kiosks, etc. Their investigations were carried out inside an airport in Greece. They targeted a centrally located kiosk in the terminal’s public space. The kiosk supported functionality for passengers to purchase Wi-Fi credits, make VoIP calls, and scan their tickets to check flight times. They found the kiosk had Internet connectivity, exposed USB ports, poor keyboard input sanitization, no installed antivirus software, and ran with administrator privileges.

    The researchers created custom malware and infected the kiosk using a simple web attack. Airlines use the Bar Coded Boarding Pass (BCBP) on tickets, which contain passenger information; BCBP specifications can be found using a simple Google search. The scanned BCBP data—either printed ticket or QR code on mobile phones—is decoded in the kiosk’s RAM. Knowing the BCBP format allowed the researchers to scrape the data from the kiosk’s RAM using the same techniques PoS RAM Scrapers use to steal payment card data. Their experiments demonstrate an attacker could easily infect the kiosks with payment card data stealing PoS malware.


    Security firm IntelCrawler recently blogged about a PoS malware called “d4re|dev1|” (daredevil), which was targeting Mass Transit System (MTS) locations. The malware had remote administration, remote updating, RAM scraping, and keylogging functionalities. IntelCrawler displayed a picture of a compromised ARST ticket-vending kiosk in Sardinia, Italy. The attackers gained access into the ticket-vending kiosk using Virtual Network Computing (VNC). Customers purchase bus and train tickets from these ticket-vending kiosks, making them lucrative targets for harvesting payment card data. One of the recently discovered PoS RAM scraper families, NewPosThings, attempts to harvest VNC passwords from compromised systems. Other PoS RAM scrapers like BrutPOS and Backoff use Remote Desktop Protocol (RDP) to access the compromised systems.


News came out last Friday that a professional parking facility service provider suffered a compromise of its payment processing systems in 17 parking facilities in the US. A third-party vendor maintains the parking facilities’ payment card systems. The attacker used the third-party vendor’s Remote Access Tool (RAT) to gain access to the payment processing systems. The attacker then installed malware that harvested the payment card data collected at the parking facilities. The third-party vendor was not using two-factor authentication for remote access, which made it easier for the attacker to gain entry and exploit the systems. The company’s parking facilities in Chicago, Cleveland, Evanston, Philadelphia, and Seattle were infected—basically, a coast-to-coast infection.

    New Targets

    From these three cases, we can make the following observations:

• The cybercriminals are incorporating remote administration functionalities in the PoS malware. This is because the RAT + RDP/VNC functionality allows them entry into payment/e-services kiosks.
• Any Internet-connected device that processes payment card data should be viewed as a target, regardless of its location. Users should never assume that e-service kiosks in airports, train stations, or even parking lots are secured to the same level as other kiosks.
• In a connected world, security policies need to transcend borders. The responsibility for security rests on several key players: the device manufacturer, the service providers/vendors, and even the banks and credit card brands, all of whom must act to protect consumers.

    Additional information and appropriate solutions for PoS malware can be found in our paper, “PoS RAM Scraper Malware: Past, Present, and Future.”

    Update as of December 17, 2014, 12:08 PM PST

Reports say that a data breach recently hit another parking service, or some component of its online card processing system. The Atlanta-based offsite airport parking service, Park ‘N Fly, allows customers to reserve parking slots via an online reservation system. According to Park ‘N Fly’s statement: “While we believe that our systems are very secure, including SLL encryption, we have recently engaged multiple outside security firms to identify and resolve any possible gaps in our systems and as always will take any action indicated.”

    Park ’N Fly provides parking related services all over the United States and owns, leases, and manages 16 off-airport parking properties in 14 markets, in addition to operating a network for pre-booked parking for 85 affiliates across the US.


    Applications that have been frequently targeted by exploits frequently add sandboxes to their features in order to harden their defenses against these attacks. To carry out a successful exploit, an attacker will have to breach these sandboxes to run malicious code. As a result, researchers will pay particular attention to exploits that are able to escape sandboxes.

    In both October and November Patch Tuesday cycles, Microsoft addressed several vulnerabilities that were used by attackers to escape the Internet Explorer sandbox. One of these was CVE-2014-6349, which was addressed by Microsoft as part of MS14-065, November’s cumulative Internet Explorer patch. We chose this particular vulnerability for two reasons: exploiting it is relatively easy, and its methodology – using shared memory to escape the Internet Explorer sandbox – has not been seen before. A separate vulnerability that also allowed for sandbox escapes – CVE-2014-6350 – was also fixed in the same patch, and Google released details about this second vulnerability earlier this week.

    Internet Explorer 11 exposes a shared memory section object to all tab process (which are sandboxed). This is used to store various Internet Explorer settings. Normally, the tab processes only read this to see these settings. However, in Enhanced Protected Mode (EPM, which is IE’s sandbox mode), the shared memory section‘s DACL (Discretionary Access Control List) is not configured correctly. The tab processes have “write” permission to modify the shared memory section content. This can be used by an attacker to break the IE sandbox. How can this be done? We will explain this in the rest of this post.

    To understand the concepts covered in this post, background knowledge about Protected Mode (PM) and EPM is necessary. These MSDN documents and HITB presentations provide background information on these topics. I carried out my tests on a system running Windows 8.1 with Internet Explorer 11.0.9600.17107.

After enabling IE 11’s EPM mode, we run IE. The broker process and tab process are seen below:

    Figure 1. Internet Explorer broker and tab processes

The parent iexplore.exe broker process’s integrity is Medium. The iexplore.exe tab process’s integrity is AppContainer. This means web page rendering happens inside the sandboxed tab process, whose privileges are restricted. Both processes share a memory section: \Sessions\1\BaseNamedObjects\ie_ias_<frame process id>-0000-0000-0000-000000000000.
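The DACL weakness described above can be audited from the broker's side of the boundary. The script below is an added example, not code from the original post or from Trend Micro: it opens the shared section by name with READ_CONTROL only, enumerates its DACL through the .NET MemoryMappedFile API, and flags any Allow entry that grants write access to an AppContainer package SID (S-1-15-2-*) or to Everyone. It assumes Windows PowerShell on the .NET Framework (which exposes MemoryMappedFile.GetAccessControl), that the section name uses the broker's decimal process id in the format shown above, and that it runs in the same logon session as IE; the function names are mine.

```powershell
# Added audit script (not Trend Micro's code). Reports the DACL of the IE 11 EPM
# shared settings section and flags write access held by low-privilege principals.
# Assumptions: Windows PowerShell / .NET Framework; decimal PID in the section name.

function Get-IeBrokerProcessId {
    # The broker is the iexplore.exe whose parent is not itself an iexplore.exe.
    $all = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'iexplore.exe'")
    foreach ($p in $all) {
        if (-not ($all | Where-Object { $_.ProcessId -eq $p.ParentProcessId })) {
            return [int]$p.ProcessId
        }
    }
    throw 'No Internet Explorer broker process found.'
}

function Test-IeSharedSectionDacl {
    param(
        [Parameter(Mandatory = $true)][int]$FramePid
    )
    # Name format taken from the post; using the decimal PID is an assumption.
    $name   = 'ie_ias_{0}-0000-0000-0000-000000000000' -f $FramePid
    $rights = [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::ReadPermissions
    # READ_CONTROL is enough to read the security descriptor; no mapping is created.
    $mmf    = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting($name, $rights)
    try {
        $acl   = $mmf.GetAccessControl()
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $write = [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::Write
        foreach ($rule in $rules) {
            $sid      = $rule.IdentityReference.Value
            $canWrite = ([int]$rule.Rights -band [int]$write) -ne 0
            # S-1-15-2-1 is ALL APPLICATION PACKAGES (every AppContainer),
            # other S-1-15-2-* SIDs name a specific package, S-1-1-0 is Everyone.
            $lowPriv  = ($sid -eq 'S-1-1-0') -or ($sid -like 'S-1-15-2-*')
            [pscustomobject]@{
                Section  = $name
                Identity = $sid
                Type     = $rule.AccessControlType
                Rights   = $rule.Rights
                Weak     = (($rule.AccessControlType -eq 'Allow') -and $canWrite -and $lowPriv)
            }
        }
    }
    finally {
        $mmf.Dispose()
    }
}

# Usage: audit the running IE instance and show only the offending entries.
Test-IeSharedSectionDacl -FramePid (Get-IeBrokerProcessId) | Where-Object Weak | Format-Table -AutoSize
```

On a system with MS14-065 applied the filtered output should be empty; any row with Weak set to True means a sandboxed tab could modify the settings the broker reads back, which is exactly the condition the post goes on to exploit.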



TrendLabs engineers were recently able to obtain a malware sample of the “destructive malware” described in reports about the Federal Bureau of Investigation (FBI) warning to U.S. businesses last December 2. According to Reuters, the FBI issued a warning to businesses to remain vigilant against this new “destructive” malware in the wake of the recent Sony Pictures attack. As of this writing, the link between the Sony breach and the malware mentioned by the FBI has yet to be verified.

The FBI flash memo titled “#A-000044-mw” gives an overview of the malware behavior, which reportedly has the capability to overwrite all data on the hard drives of computers, including the master boot record, which prevents them from booting up.

    Below is an analysis of our own findings:

    Analysis of the BKDR_WIPALL Malware 

    Our detection for the malware detailed in the FBI report is BKDR_WIPALL. Below is a quick overview of the infection chain for this attack.

    The main installer here is diskpartmg16.exe (detected as BKDR_WIPALL.A). BKDR_WIPALL.A’s overlay is encrypted with a set of user names and passwords as seen in the screenshot below:

    Figure 1. BKDR_WIPALL.A’s overlay contains encrypted user names and passwords

These user names and passwords are found to be encrypted by XOR 0x67 in the overlay of the malware sample and are then used to log into the shared network. Once logged in, the malware attempts to grant Everyone full access to the system root.
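For an analyst triaging a sample like this, the single-byte XOR makes the credential list easy to recover without running the binary. The script below is an added triage helper, not code from the original post or from Trend Micro: it locates the PE overlay (the bytes past the end of the last section's raw data), XORs it with 0x67, and emits the printable ASCII runs so the embedded user names and passwords can be reviewed. It assumes the whole overlay is covered by the same single-byte key, as the post states for the credentials; the sample path, key and minimum string length are parameters, and the function names are mine.

```powershell
# Added triage helper (not Trend Micro's code): decode a single-byte-XOR PE overlay
# and list the printable strings in it. Assumption: one key byte over the whole overlay.

function Get-PeOverlayOffset {
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    if ($Bytes.Length -lt 0x40 -or $Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) {
        throw 'Not an MZ executable.'
    }
    $peOff = [BitConverter]::ToInt32($Bytes, 0x3C)            # e_lfanew
    if ([BitConverter]::ToUInt32($Bytes, $peOff) -ne 0x00004550) {  # "PE\0\0"
        throw 'PE signature not found.'
    }
    $numSections  = [BitConverter]::ToUInt16($Bytes, $peOff + 6)
    $optHdrSize   = [BitConverter]::ToUInt16($Bytes, $peOff + 20)
    $sectionTable = $peOff + 24 + $optHdrSize                 # first IMAGE_SECTION_HEADER
    $end = [int64]0
    for ($i = 0; $i -lt $numSections; $i++) {
        $s       = $sectionTable + 40 * $i
        $rawSize = [BitConverter]::ToUInt32($Bytes, $s + 16)   # SizeOfRawData
        $rawPtr  = [BitConverter]::ToUInt32($Bytes, $s + 20)   # PointerToRawData
        $end     = [Math]::Max($end, [int64]$rawPtr + $rawSize)
    }
    # Anything after the highest section end is overlay (note: an Authenticode
    # signature, if present, also lives there and will decode to noise).
    return $end
}

function Get-XorOverlayStrings {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [byte]$Key = 0x67,
        [int]$MinLength = 4
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $start = Get-PeOverlayOffset -Bytes $bytes
    if ($start -ge $bytes.Length) { Write-Warning 'Sample has no overlay.'; return }

    # Single-byte XOR is its own inverse, so one pass decrypts the overlay.
    $decoded = New-Object byte[] ($bytes.Length - $start)
    for ($i = 0; $i -lt $decoded.Length; $i++) {
        $decoded[$i] = $bytes[$start + $i] -bxor $Key
    }

    # Emit every run of printable ASCII (0x20..0x7E) of at least $MinLength characters,
    # with the file offset where the run begins.
    $run = New-Object System.Text.StringBuilder
    $runStart = 0
    for ($i = 0; $i -lt $decoded.Length; $i++) {
        $b = $decoded[$i]
        if ($b -ge 0x20 -and $b -le 0x7E) {
            if ($run.Length -eq 0) { $runStart = $start + $i }
            [void]$run.Append([char]$b)
        }
        else {
            if ($run.Length -ge $MinLength) {
                [pscustomobject]@{ Offset = ('0x{0:X}' -f $runStart); Text = $run.ToString() }
            }
            [void]$run.Clear()
        }
    }
    if ($run.Length -ge $MinLength) {
        [pscustomobject]@{ Offset = ('0x{0:X}' -f $runStart); Text = $run.ToString() }
    }
}

# Usage against the main installer named in the post:
Get-XorOverlayStrings -Path .\diskpartmg16.exe | Format-Table -AutoSize
```

The recovered account names are worth feeding straight into the response: any of them that resolve to real accounts in the environment should be treated as compromised and reset, and authentication logs can be searched for their use from unexpected hosts.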

    Figure 2. Code snippet of the malware logging into the network

    The dropped net_var.dat contains a list of targeted hostnames:

    Figure 3. Targeted host names

    The next related malware is igfxtrayex.exe (detected as BKDR_WIPALL.B), which is dropped by BKDR_WIPALL.A. It sleeps for 10 minutes (or 600,000 milliseconds as seen below) before it carries out its actual malware routines:

    Figure 4. BKDR_WIPALL.B (igfxtrayex.exe) sleeps for 10 minutes

    Figure 5. Encrypted list of usernames and passwords also present in BKDR_WIPALL.B

    Figure 6. Code snippet of the main routine of igfxtrayex.exe (BKDR_WIPALL.B)

    This malware’s routines, aside from deleting users’ files, include stopping the Microsoft Exchange Information Store service. After it does this, the malware sleeps for another two hours. It then forces the system to reboot.

    Figure 7. Code snippet of the force reboot

    It also executes several copies of itself named taskhost{random 2 characters}.exe with the following parameters:

    • taskhost{random 2 characters}.exe -w – to drop and execute the component Windows\iissvr.exe
    • taskhost{random 2 characters}.exe -m – to drop and execute Windows\Temp\usbdrv32.sys
    • taskhost{random 2 characters}.exe -d – to delete files in all fixed or remote (network) drives

    Figure 8. The malware deletes all the files (format *.*) in fixed and network drives

    The malware components are encrypted and stored in the resource below:

    Figure 9. BKDR_WIPALL.B malware components

    Additionally, BKDR_WIPALL.B accesses the physical drive that it attempts to overwrite:

    Figure 10. BKDR_WIPALL.B overwrites physical drives

    We will be updating this post with our additional analysis of the WIPALL malware.

    Analysis by Rhena Inocencio and Alvin Bacani

    Update as of December 3, 2014, 5:30 PM PST

    Upon analysis of the same WIPALL malware family, its variant BKDR_WIPALL.D drops BKDR_WIPALL.C, which in turn, drops the file walls.bmp in the Windows directory. The .BMP file is as pictured below:

    Figure 11. Dropped wallpaper

This appears to be the same wallpaper described in reports about the recent Sony hack last November 24, bearing the phrase “hacked by #GOP.” Therefore, we have reason to believe that this is the same malware used in the recent attack on Sony Pictures.

Note that BKDR_WIPALL.C is also dropped under the name igfxtrayex.exe, in the same directory as BKDR_WIPALL.D.

    We will update this blog entry for more developments.

    Additional analysis by Joie Salvio


    Our coverage of the Sony attack continues as we spot more developments. Here is a list of our stories related to this incident:


Our report on the threats seen in 3Q 2014 shows us that once again, software vulnerabilities are the most favored cybercriminal targets. Following the second quarter’s infamous Heartbleed vulnerability came another serious vulnerability in open-source software: Shellshock. Having gone unnoticed for years, the Shellshock incident suggests that there might be more vulnerabilities in Bash or in applications previously thought safe. Below is a timeline of the events that Shellshock set in motion.

    Figure 1. A timeline of events that illustrate the Shellshock exploitation that took place last quarter.

    Apart from threatening to wreak havoc on over half a billion servers and Linux and UNIX systems worldwide, Shellshock also proves that cybercriminals and attackers still target systems that users may tend to overlook. Case in point, the third quarter also exposed several loopholes in point-of-sale (PoS) systems, whose threats appear to be growing as evidenced by last quarter’s Home Depot data breach.

Vulnerabilities were also seen in Android-based devices, with over 75% of Android users affected by both the FakeID vulnerability and Android browser flaws. Here’s a breakdown of the Android OSes affected by these vulnerabilities that we’ve also included in our report:

    Figure 2. Android Operating Systems Affected by FakeID and Android Browser Vulnerabilities.


    Apart from targeting the mobile platform, threat actors also utilized vulnerabilities to launch attacks, which signaled a dire need for network administrators to be able to spot indicators of compromise (IOCs) and implement effective network monitoring.

    For more details about these and other security threats in the third quarter, check our security roundup titled Vulnerabilities Under Attack: Shedding Light on the Growing Attack Surface.


    Last November 25, Adobe issued an out-of-band patch for the CVE-2014-8439 vulnerability, which impacts Adobe Flash Player versions on Windows, Mac OS, and Linux. Adobe’s advisory describes this vulnerability as a “de-referenced memory pointer that could lead to code execution.”

    Despite efforts by Adobe to quickly patch their software vulnerabilities, we noticed that exploit kit authors seem to be one step ahead. This is very dangerous to ordinary home users who rarely patch their software, let alone Adobe Flash Player, which users may configure for updates every seven days to 60 days, maximum. This gives the cybercriminals more than enough time to exploit the vulnerabilities they find in the software in order to reach their targeted users.

As we’ve continuously mentioned in our blog, attackers are always looking for the weakest part in any software. Adobe Flash now seems to be the ripest target for cybercriminals, who moved their attention away from Java after it began showing a security warning popup whenever any Java applet is executed from the browser. Attackers are also attacking Internet Explorer (IE), but after the browser introduced the isolated heap and delayed free against use-after-free (UAF) exploits, Adobe Flash is left as the ‘weakest’ application to exploit.

    Exploitation by Various Exploit Kits: An Analysis of CVE-2014-8439

    According to other security researchers, this vulnerability has already been previously exploited by popular exploit kits, such as Angler, Nuclear, and Astrum.

    We checked the sample used in Nuclear exploit kit and found out that it has a different exploitation method from CVE-2014-0515, another critical Adobe Flash Player vulnerability that was found in April this year.

We consider this a new exploit for two reasons. First, the exploit is successful in Flash versions released before October 14 this year. This exploit may also lead to the disruption or crashing of Flash versions prior to the November 25 update.

    The more compelling reason lies in the method of exploitation. As mentioned earlier, Adobe Flash has become a prime target after improvements made to Java and Internet Explorer, and exploit kit authors are quite familiar with the structure and logic of the application. It would only make sense that they use a method that would be considered “stable.”  Instead, we found that the attackers used an old and unstable method to exploit CVE-2014-8439. We are curious why the author used this method instead of the stable method.

    The flow used in this exploit can be seen below:

    Figure 1. The main flow of the exploit for CVE-2014-8439



