Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    September 2014
    S M T W T F S
    « Aug    
  • About Us

    One resounding – but unsurprising – message from this year’s DEF CON conference in Las Vegas, Nevada was the increase in hacks against IoT devices.

    The lineup of hacked IoT devices was extensive. Many sessions focused on individual device hacks of consumer devices such as media players, IP cameras, cars, and home automation systems. Other sessions focused on industry-specific hardware such as traffic control systems, mesh camera networks, medical devices, and Industrial Control Systems (ICS)/SCADA. Other sessions focused on how to enumerate the devices and the implications of the data they collected.

    One very popular session - Hack All the Things: 20 Devices in 45 Minutes - ended up outdoing itself by covering 22 consumer oriented devices within its allotted time. The researchers - made famous by the Google TV Hack - reiterated the use of a hands-on approach, including physically cracking open the case, and tapping into key data signal interfaces on the devices circuit board to access points where the key data flows occurred.

    One very common example of these data signal interfaces is UARTs - Universal Asynchronous Receiver Transmitters – interfaces provided on the circuit board to allow manufacturers and service technicians to develop, prototype, test and even service these devices.

    Many device manufacturers don’t understand the security implications of exposing and labeling the data interfaces on their finished system boards. These can be useful if the devices have to be serviced in the future, but sometimes they’re still left on devices that are not meant to be repaired at all. Leaving the labels intact significantly cuts down the time taken for a hacker to reverse-engineer the device.

    This hands on approach, while requiring physical access to the device and a fair amount of hardware knowledge, can yield an extensive amount of information about the device’s attack surface. This includes critical information like passwords, keys, firmware images, privilege levels, as well as operating system and component versions (and their resultant vulnerabilities).

    An attacker can use the information gleaned from this process to enable remote and local attacks on users with the same vulnerable device installed. Depending on the information gathered, similar devices from the same manufacturer – or even other manufacturers – may also be affected if they share components and services.

    From a manufacturer’s perspective, a high profile vulnerability or hack of their device would provide plenty of motivation to get key security issues addressed. Unfortunately, many of the vendors of these devices are relatively small, and may not have sufficient resources to correct these issues in the best possible way.

    Thankfully, several of the presenters made note of the fact that they, along with other groups in the industry, are already reaching out to the device vendors. Groups like have been formed to help facilitate this important cooperation, and we believe that this healthy engagement between security researchers and manufacturers is key to ensuring the continued improvement of security in IoT devices.

    Check out our Internet of Everything buyer’s guide titled What to Consider When Buying a Smart Device. This discusses the things you need to know, from a security perspective, about buying smart devices. Doing your homework on these devices before buying them will save you more grief down the road.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Patch-Tuesday_grayMicrosoft has rolled out nine security bulletins for their August Patch Tuesday. Two bulletins are rated as Critical, while the rest are rated as Important. Microsoft Windows, Internet Explorer, Microsoft SQL Server, and Microsoft .NET Framework are some of the affected applications that these bulletins covered.

    One of the most notable bulletins in this month’s cycle is MS14-051, which addresses 26 vulnerabilities found in Internet Explorer. The other Critical bulletin is MS14-043, which resolves problems in Windows Media Center, a component of Microsoft Windows. The vulnerabilities resolved in these bulletins, if exploited, could lead to arbitrary code being run on affected systems. Many of these vulnerabilities are in older versions of Internet Explorer (versions 6-8), which

    The bulletins rated as Important covered a wide variety of applications, including Microsoft SharePoint Server, Microsoft SQL Server, and Microsoft Windows. It’s also worth noting that from this point forward, users of Windows 8.1 and Windows Server 2012 R2 must have installed the April update to these operating systems in order to receive security updates.

    Adobe also follows the same second-Tuesday-of-the-month patching cycle as Microsoft; they released released patches for vulnerabilities affecting Adobe Reader/Acrobat and Adobe Flash Player. These vulnerabilities are covered under the following CVEs:

    • CVE-2014-0538
    • CVE-2014-0540
    • CVE-2014-0541
    • CVE-2014-0542
    • CVE-2014-0543
    • CVE-2014-0544
    • CVE-2014-0545

    Users are highly recommended to update their Adobe Flash Player and Adobe Reader and Acrobat to its latest versions. Trend Micro Deep Security and Office Scan with Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities discussed in MS14-051 via the following DPI rules:

    • 1006175 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2823)
    • 1006176 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2824)
    • 1006165 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4050)
    • 1006177 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4057)
    • 1006166 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4063)

    We encourage users to immediately apply these patches on their systems. For more information on these security bulletins, visit our Threat Encyclopedia page.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Security researchers from Bluebox Labs recently uncovered a vulnerability that may allow malicious apps to impersonate legitimate ones. This vulnerability, dubbed as “FakeID,” is involved with the checking of certificate signatures to prove the legitimacy of applications. What makes this highly notable is that all Android devices running on platforms starting from Android 2.1 (“Éclair”) to 4.4 (“KitKat”) are affected by this vulnerability.

    Certificates and Signatures

    Android applications must be “signed” before they are published and released for installation. Signing apps involves the use of certificates. Like the HTTP/SSL certificate model, app certificates are issued by trusted certificate authorities. The certificates are used to ensure the integrity of the application after its release, to avoid any tampering from attackers. These certificates are used by the app as its “package signature.” These signatures are used by Android to identify applications.

    How does Android go about assigning these signatures? For every app installed on the device, a class called PackageInfo is created to profile the app. PackageInfo contains a property, called “signatures,” which plays an important role for apps. With the same signatures, one application can work as another app’s update package, or two apps can share their data with each other (as some form of shared mechanism). In some special cases, Android can decide if it will grant privileges to an application by comparing if the app has the same signatures in its “signatures” property as the signatures hardcoded in the Android source code.

    Bluebox Labs cited two examples of how this works. One example is payment-related apps being allowed to access the NFC SE hardware of a mobile device because these have the signatures specified in the device’s NFC-related file. Another is an app being allowed to act as a webview plugin (for example, Adobe Flash plugin) for other apps because the app has the signature of Adobe Systems.

    Flaws in the Certificate Chain

    Once an app is installed in a device, the Android platform creates its PackageInfo signatures by creating a certificate chain using the app’s certificate file. However, because of the vulnerability, Android does not verify the authenticity of the certificate chain. It will only rely on the correspondence between the signer certificate’s “Subject” and the signed certificate’s “Issuer.” Unfortunately, these two are clear text string type, which can be easily forged by malicious individuals.

    Exploiting the Vulnerability

    Because the vulnerability deals with the “authenticity” of apps, cybercriminals can create malicious apps that will be able to access sensitive data without arousing any suspicion. For example, NFC-related payments often use Google Wallet. If a malicious app is granted NFC privilege, it will be able to steal the user’s Google Wallet account information, replace designated payment accounts, and steal the user’s money.

    A malicious app can also take advantage of the Webkit plugin privilege, provided it has the associated permission and the required signature. The app will automatically run as a Webkit plugin process whenever the victim browses a site using a browser app or uses other applications that require a webview component. Because the malware is running as a component process inside the browser (or other applications using webview), the malware has almost complete control over the application’s data. All related data such as user credentials, bank account, and email details can be accessed, leaked, or tampered.

    Majority of Android Users Affected

    As we stated earlier, all Android devices without patches from OEM vendors are affected by this vulnerability. Current data from Google shows that the devices running on the affected platforms represent around 82% of all Android devices. The large number of affected Android users echoes that of the master key vulnerability discovered last year.

    Google has released a fix for this bug. However, the fragmentation of the Android ecosystem means that not all users might be able to have their devices protected against this vulnerability. Should the update become available, we advise users to immediately update their devices.

    Google has issued a statement saying that they have “scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and…have seen no evidence of attempted exploitation of this vulnerability.”

    To protect our users, we are watching out for possible threats and attacks that may take advantage of this vulnerability. Apps that take advantage of this vulnerability are detected as ANDROIDOS_FAKEID.A.

    With additional insight from Veo Zhang.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    The incidents that cropped up in the months of April to June 2014—from the data breaches, DDoS attacks, to malware improvements and threats to privacy—highlighted the need for enterprises to craft a more strategic response against and in anticipation of security threats.

    There were plenty of threats to be found in the quarter. There was the major vulnerability, Heartbleed, in the widely used cryptographic library OpenSSL. We saw both tech companies and restaurant chains fall victim to data breaches. We saw Windows XP patched one last time by Microsoft post-EOS. We saw major decisions in the judicial systems of the United States and Europe that could affect how data is handled and protected for years to come.

    Other parts of the threat landscape continued to become a bigger problem. Both online banking malware and mobile malware continued to affect many users:

    Figure 1. Online banking malware detection volume

    Figure 2. Cumulative mobile malware threat volume

    Some organizations will deal with these incidents in an exemplary manner. Others will fail. Most will be somewhere in between. Part of this quarter’s roundup discusses how several organizations dealt with various online threats that affected them, and what others can learn from these examples.

    Of course, cybercrime and targeted attacks are not the only perceived “threats” in the world. Increasingly, large Internet companies and government surveillance are perceived as “threats” as well. Here, too, we see how these threats are being addressed: both the EU’s “right to be forgotten” and Riley v. California, a US Supreme Court decision that held that searching the information on a cellphone requires a warrant, can be viewed as responses of the American and European legal systems to the situations in both regions. As digital problems intrude more on the daily lives of users, it is nearly certain that courts will have to weigh in moving forward.

    More details about the threats found in the second quarter—as well as how these threats were dealt with—can be found in TrendLabs report entitled Turning the Tables on Cyber Attacks.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    In the early 2000s, Africa gained notoriety due to the 419 “Nigerian” scam. This scam involved making payments in exchange for a reward for helping so-called high-ranking Nigerian officials and their families. While all the scams may not have necessarily originated from Africa, the use of Nigerian officials was imprinted upon the public consciousness, thereby forever associating this scam with the continent.

    Web Defacement as a Popular Form of Protest

    The 419 scam isn’t the only cybercrime activity in the area. Web defacement is a major cybercrime activity among hackers in North Africa, with several groups from Morocco, Algeria, Tunisia, and Egypt leading the region. These groups aim to deface sites based in the United States, Europe, and pretty much any country with poor security. Their messages are often related to current events or some cause. These North African groups also use defacement as some form of competition. It’s not rare to see one group deface another country’s sites when a political event occurs.

    In 2013, we discussed website defacement, which occurred during April Fools’ Day. A group of Algerian hackers, known as “Algeria to the core,” defaced websites including German and Australian ones. Web defacement is an old hacking technique that consists of breaking into websites with weak security and replacing the content with customized messages.

    Hackers have used defacement as a form of protest or to send a message for a particular cause. Defacement has also been used as an act of cyber warfare among hacker groups from different countries.

    Attacks in a Larger Scale: Botnets, RATs, and Targeted Attack Techniques

    Cybercriminals in the region are moving from web defacement to more lucrative forms of cybercrime that involve the use of botnets, remote access Trojans (RATs), and banking/finance-related malware.

    In November 2013, we found that several Ice IX servers were tied to a group of individuals located in Nigeria. Ice IX is a banking Trojan, used with the better-known ZeuS/ZBOT malware. These malware are used to steal online banking credentials, email addresses, and information related to social media accounts. Earlier this year, an arrest involving the SpyEye banking malware showed that one of the key players was an Algerian cybercriminal who went by the alias bx1. Bx1 was also known for a history of defacing websites.


    Figure 1: Web defacement by Algerian cybercriminal “bx1”

    Apart from banking/finance-related malware, cybercriminals have begun operating botnets using RATs, such as in the case of the Blackshades RAT. Sold as a toolkit, Blackshades can steal passwords, log keystrokes, launch denial-of-service (DoS) attacks, and download and run malware onto affected systems. Several Blackshades infections may then form a botnet for distributed denial-of-service (DDoS) attacks or sell the stolen information and documents.

    We are also seeing a shift toward the use of targeted attack techniques for malware campaigns. One methodology is the use of malicious email attachments and exploits for known vulnerabilities, such as CVE-2012-0158, to deliver malware like ZeuS/ZBOT. They are also using RATs, like the aforementioned Blackshades, in targeted attack-like campaigns.

    Beyond Africa

    Africa isn’t the only region experiencing this type of cybercriminal expansion. We are seeing the same indicators in India, which may possibly mean that more and more people are turning to cybercrime as a lucrative business. The adoption of such methodologies could be traced back to the society these cybercriminals live in, wherein some of them are highly educated but without any employment prospects. With a lot of time on their hands, they can easily pick up the skills for cybercrime and earn money. Moreover, the shortage of laws related to cybercrime—and the lack of enforcement for existing laws—in these countries make it difficult to catch and apprehend these criminals.

    These developments show that cybercriminals will always adopt to new trends and situations whether in the use of new malware or targeted attacks techniques to continue their attacks. However, only time will tell if these cybercriminals will shift yet again—this time, to being major players in targeted attack groups.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice