    October 2014

    Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have shown up on a new attack platform: YouTube.

    Over the past few months, we have been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.

    Figure 1. Countries affected by this malicious ad campaign

    Recently, we saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label.

    The ads we’ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.

    In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)

    The traffic passes through two redirection servers (located in the Netherlands) before ending up at the malicious server, located in the United States.

    The exploit kit used in this attack was the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:

    Based on our analyses of the campaign, we were able to identify that this version of Sweet Orange uses vulnerabilities in Internet Explorer. The URL of the actual payload constantly changes, but all of them use subdomains on the same Polish site mentioned earlier, and the behavior of these payloads is identical.

    The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible.

    Users who keep their systems up to date will not be affected by this attack, as Microsoft released a patch for this particular vulnerability in May 2013. We recommend that users read and apply the software security advisories released by vendors like Microsoft, Java, and Adobe, as old vulnerabilities are still being exploited by attackers. Applying the necessary patches is an essential part of keeping systems secure. Backing up files is also a good security practice to prevent data loss in the event of an attack like this.

    In addition to blocking the files and malicious sites involved in this attack, our browser exploit prevention technology prevents attacks that target these vulnerabilities.

    With additional insight from Rhena Inocencio

    The following hashes are detected as part of this attack:

    • 09BD2F32048273BD4A5B383824B9C3364B3F2575
    • 0AEAD03C6956C4B0182A9AC079CA263CD851B122
    • 1D35B49D92A6E41703F3A3011CA60BCEFB0F1025
    • 32D104272EE93F55DFFD5A872FFA6099A3FBE4AA
    • 395B603BAD6AFACA226A215F10A446110B4A2A9D
    • 6D49793FE9EED12BD1FAA4CB7CBB81EEDA0F74B6
    • 738C81B1F04C7BC59AD2AE3C9E09E305AE4FEE2D
    • A1A5F8A789B19BE848B0F2A00AE1D0ECB35DCDB0
    • A7F3217EC1998393CBCF2ED582503A1CE4777359
    • C75C0942F7C5620932D1DE66A1CE60B7AB681C7F
    • E61F76F96A60225BD9AF3AC2E207EA340302B523
    • FF3C497770EB1ACB6295147358F199927C76AF21

    We have already notified Google about this incident.


    In the threat landscape, it can sometimes be difficult to classify whether something should be considered a threat. Certainly, there are the blatantly obvious threats (read: malware), but there are some that merit discussion. One such example is “cloned” apps or “spoofed” apps.

    As the term suggests, “cloned” or “spoofed” apps are apps that resemble other apps in functionality and even name. Tech site Ars Technica wrote an article highlighting just how fast spoofed apps can make their way into app stores. Featured in the said article was a photo-collage app that was launched in the Apple App Store in mid-May 2013; by August of the same year, seven clones were available in the App Store.

    Akinator the (Fake) Genie

    We spotted yet another spoofed app in the Apple App Store, this one imitating the popular application “Akinator the Genie.” The cloned version is called “Akinator Genie” and is attributed to a developer named Jennifer Mendelson, who has been known for cloning apps. Users can download this spoofed app via the App Store.

    Figure 1. The official “Akinator the Genie” app (top) and the spoofed version (bottom)

    The premise for the apps is the same: a genie named “Akinator” will try to guess what the user is thinking by asking a few questions. The original app guesses a real or fictional character. Meanwhile, the cloned app guesses a shape.

    Figure 2. The spoofed Akinator app tries to guess the shape selected by the user

    The original app has received favorable reviews from users, a stark contrast to the negative ones received by the clone.

    Figure 3. Customer reviews for the cloned app

    The Bigger Picture

    The immediate implication for this particular app is undoubtedly monetary loss given the overwhelming negative feedback posted by its users. The spoofed app costs US$1.99, the same price as the original app. Users who pay for the cloned app will invariably end up disappointed and with a lighter wallet.

    However, the existence of cloned apps has bigger implications in the mobile landscape. For one thing, developers need to be concerned about protecting their code. In our post “Mobile App Developers: Compete on Privacy and Security, Too,” Trend Micro CTO Raimund Genes commented on hardening apps to avoid repackaging. The same sentiment could apply to cloning.

    The existence of spoofed apps can be damaging to the reputation of the developers of the original or imitated app. Users might assume that the spoofed apps came from these developers and forever associate said developers with unfavorable products. Users may shy away from purchasing or trying future or other apps from these developers because of their experience with the spoofed apps.

    These apps, specifically their presence in the App Store, have implications for Apple security. This rare instance of cloned apps showed how cybercriminals are also targeting Apple users due to the platform’s popularity and immense following. Developers can file complaints; however, takedowns may take some time.

    Best Practices

    Users should always be careful when downloading apps, even if they are being offered in legitimate app stores. Actions like knowing the name of the developer and reading reviews can help weed out the legitimate apps from their spoofed or malicious counterparts.

    Trend Micro protects users from fake apps via its Trend Micro Mobile Security for iPhone, iPod Touch, and iPad. Users can download this security app here.

    Trend Micro has notified Apple of this spoofed app.

    Update as of October 10, 2014, 8:52 P.M. (PDT):

    The spoofed “Akinator” app features social media sharing via Facebook and Twitter. However, this feature does not appear to function.


    7:15 am (UTC-7)

    In the first part of this series, we discussed both the routines and entry point of the banking malware DYRE. However, information theft isn’t the last step for this malware. It turns out this malware is also involved in yet another scheme—the parcel mule scam.

    The Parcel and the Mule

    During our analysis of DYR malware, Global BlackPoint, a web panel, was uncovered.

    Figure 1. Global BlackPoint site

    A quick search online led to domain listings, which had been leased over a year ago. The intended audience of this site can choose to shop for select items.

    Figure 2. Items for sale

    However, research and intelligence about the contents of this web panel pointed to the fact that it’s being used as a site to purchase items in the United States and re-ship them to different locations. The site indicates this within its terms and conditions of use.

    Figure 3. Terms and conditions

    These goods are delivered to individuals who live within the United States, who then ship them elsewhere in the world. These individuals may have titles such as “Shipping and Receiving Manager” or “Logistics Specialist,” but in reality, they are actually “mules.” Hired from job postings on sites like Craigslist, these individuals were promised around US$50 per parcel or around US$2,000 a month.

    This elaborate scheme is sometimes called a parcel mule scam, or reshipping scam. Cybercriminals profit from these scams as they use money stolen from bank accounts (courtesy of the banking malware) to buy the items, which are then resold. Mules are hired in order to smuggle the goods out of the country. Hiring mules also lessens the possibility of the smuggling activity being traced back to the criminals. These kinds of scams have been around for some time, but people still fall for them because of their “get rich quick” nature.

    Retracing the Steps

    In short, we have a three-step threat story:

    • One possible entry point is spammed commercial or banking email. The main objective is to get lots of people to click on the malware component and infect as many of them as possible.
    • These components would then fetch a secondary infection, another malware component. We call this TSPY_BANKER.DYR, otherwise known as DYREZA, DYRANGES or BATTDIL. The objective here is to grab banking credentials for money.
    • Once money has been pilfered, goods bought with it are delivered to package mules, who re-ship these goods for delivery to locations outside the United States. This kind of operation is classically called a parcel mule scam or reshipping scam.


    Against spam and BANKER malware:

    • Know your bank’s policies. If you receive an email and don’t have an account with the said bank, it’s not worth reading; delete it immediately. You can also call the nearest branch if you want to validate details.
      • If you’re reading mail via a web browser (web mail), try to make sure that the mail hosting service is reliable enough and has some sort of built-in anti-spam and anti-phishing capabilities.
      • If you’re reading email via an email client, most would have security features turned on by default. Use them to secure your email reading.
      • The use of an antivirus with web reputation services to block any suspicious link and attachment is also recommended.
    • A full-featured antimalware solution is the best tool against this type of threat scenario. The solution should be able to block malicious files based on signature and behavior and has a firewall to filter inbound and outbound connections. It would be better if it offers client-side utilities like spam and URL filtering. A cloud-based solution is also ideal, in order to have the most up-to-date protection.
    • In unfortunate cases of infection, it’s better to stop it as early as you can. Change passwords immediately and monitor your online banking transactions. If you spot any suspicious activity, call your bank immediately.

    Against parcel mule scams:

    • Work-from-home jobs certainly exist but if they sound too good to be true, check and double-check them first. It’s important to always research the business trying to recruit you, even when in dire need.
    • Be informed about parcel mule scams. The U.S. Postal Inspection Service has a page about reshipping scams.
    • Victims of such scams can file a complaint with the Internet Crime Complaint Center (IC3), which processes online crime complaints from victims and third parties.

    With additional insight from Rhena Inocencio.

    Related hashes of files discussed in this series:

    • 4FD6C74EE50CA470869D8FAB1AB2C3D1C19E20CE
    • 145c82caa303bd141fd6069ab92fefdfac3568bc
    • e32ef7def60a8ccc0c051182f2103dbbfe6de625
    • B2CAF5A18279C1CB10DA174C581A7138FF8B0CF2
    • B9F3D4C1531F128AB032EA6D752BAB008EC59921

    The Bash vulnerability known as Shellshock can be exploited via several attack surfaces including web applications, DHCP, SIP, and SMTP. With multiple proofs of concept (including Metasploit code) available in the public domain, this vulnerability is being heavily exploited.

    Most discussion of Shellshock attacks has focused on attacks on web apps. There has been relatively little discussion of other surfaces like DHCP, SMTP, and CUPS. In this post, we’ll tackle Shellshock exploits over the DHCP protocol. These techniques could be used by an attacker to compromise more machines within the network.

    Dynamic Host Configuration Protocol (DHCP) is a protocol used to dynamically distribute and assign network configuration settings, such as IP addresses. An attacker can configure a compromised DHCP server or create a rogue DHCP server to send malicious information to the DHCP client. Either technique means that the attacker has already compromised the network using other attack vectors.


    Figure 1. Traffic flow depicting the malicious response to DHCP client

    In addition to standard fields, the DHCP server can provide option fields (identified with a number). In this case, the malicious server delivers its commands in option 114 (URL).


    Figure 2. DHCP server using Tftpd32. An additional option, URL (114), is configured to send the malicious payload.


    Figure 3. The malicious payload in the URL field

    The malicious string, when received by a DHCP client running on a vulnerable Bash, results in arbitrary code execution, as shown below. As such, this could result in compromising other systems in the network.


    Figure 4.  Code execution on the DHCP client due to the malicious response

    This attack vector against a DHCP client running on a vulnerable Bash is very much discussed in the public domain. However, DHCP also has other fields which are always present in each DHCP OFFER and ACK response. The DHCP server may optionally send its name in the Server Host Name field in the DHCP response. This field can also be used to run malicious code, as seen below.


    Figure 5.  Malicious payload in the server hostname field


    Figure 6. Code execution on the DHCP client due to the malicious response

    Boot file name is another field present in the DHCP OFFER and ACK responses. Clients may optionally request a boot file, and the server specifies the boot file directory path and file name in its response. When an attacker places a malicious string here, it can result in code execution, as seen below.


    Figure 7.  Malicious payload in the Boot file name field


    Figure 8. Code execution on the DHCP client due to the malicious response

    Various techniques can be used to exploit Shellshock over DHCP, as we showed here. For exploitation using this attack vector, however, the attacker must already have a foothold in the network gained through other exploitation techniques.
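    To make the three carrier fields concrete from the defender’s side, here is an added example (written for this page; it is not code from the original post or from Trend Micro). It assembles constructed DHCP OFFER packets with the Server Host Name, Boot file name and option 114 fields populated, then parses each packet and checks those fields for the Bash function-definition prefix that Shellshock payloads begin with, which is what a network sensor or DHCP client-side check would look for. All hostnames, URLs, addresses and the marker command are constructed sample values.

```python
import re
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Shellshock payloads begin with an environment value shaped like a Bash function
# definition, "() {", followed by trailing commands. A defender only needs to spot
# the prefix; the same regex covers option 114, Server Host Name and Boot file name.
SHELLSHOCK_RE = re.compile(rb"\(\s*\)\s*\{")


def build_dhcp_offer(sname=b"", file=b"", options=None):
    """Assemble a minimal DHCP OFFER (BOOTREPLY). Constructed test data, not captured traffic."""
    options = options or {}
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
    # chaddr, sname, file: the fixed 236-byte BOOTP header (struct pads sname/file with NULs)
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x3903F326, 0, 0,
        b"\0" * 4, bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]), b"\0" * 4,
        bytes.fromhex("00112233445566") + b"\0" * 9, sname, file)
    body = MAGIC_COOKIE + bytes([53, 1, 2])  # option 53: DHCP message type = OFFER
    for code, value in options.items():
        body += bytes([code, len(value)]) + value
    return header + body + b"\xff"  # option 255: end


def parse_dhcp(packet):
    """Return (fixed_fields, options); repeated option codes are concatenated (RFC 3396)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = {
        "sname": packet[44:108].split(b"\0", 1)[0],   # Server Host Name, 64 bytes
        "file": packet[108:236].split(b"\0", 1)[0],   # Boot file name, 128 bytes
    }
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:        # end option
            break
        if code == 0:          # pad option carries no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = options.get(code, b"") + packet[i + 2:i + 2 + length]
        i += 2 + length
    return fields, options


def find_shellshock_fields(packet):
    """Names of the DHCP fields carrying a Shellshock-style payload, header fields first."""
    fields, options = parse_dhcp(packet)
    hits = [name for name, value in fields.items() if SHELLSHOCK_RE.search(value)]
    hits += [f"option {code}" for code, value in options.items() if SHELLSHOCK_RE.search(value)]
    return hits


# Constructed samples: one benign OFFER and three carrying the function-definition
# prefix in each field the post describes. The trailing command is a harmless marker.
TEST_STRING = b"() { :;}; /bin/echo shellshock-test"
SAMPLE_BENIGN = build_dhcp_offer(b"dhcp-server", b"pxelinux.0",
                                 {114: b"http://intranet.example/boot"})
SAMPLE_OPTION114 = build_dhcp_offer(b"dhcp-server", b"pxelinux.0", {114: TEST_STRING})
SAMPLE_SNAME = build_dhcp_offer(TEST_STRING, b"pxelinux.0")
SAMPLE_FILE = build_dhcp_offer(b"dhcp-server", TEST_STRING)

if __name__ == "__main__":
    for label, pkt in [("benign", SAMPLE_BENIGN), ("option 114", SAMPLE_OPTION114),
                       ("sname", SAMPLE_SNAME), ("file", SAMPLE_FILE)]:
        print(f"{label:>10}: {find_shellshock_fields(pkt) or 'clean'}")
```

    The check deliberately matches only the `() {` prefix rather than any particular command, since the commands after it vary per attacker while the prefix is what a vulnerable Bash needs to see; inspecting the fixed sname and file fields as well as the options is the point, because a sensor that only decodes option 114 misses the two other carriers shown in Figures 5 and 7.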

    Since the emergence of the Shellshock vulnerability, Trend Micro Deep Security has been swift in protecting users from attacks that may arise from the said vulnerability. Trend Micro Deep Security has protected customers from Shellshock over the DHCP protocol since its initial discovery via the following rule:

    • 1006258 – GNU Bash Remote Code Execution Vulnerability Over DHCP

    For more information on Bash bug vulnerability or Shellshock exploit, you can read all previous entries here:


    12:25 pm (UTC-7)

    We’re nearing the holiday season, and some of you might be going for some early holiday shopping, checking your finances before a shopping splurge. The holiday season also ushers in cybercrime activities that are typical this time of the year:

    • We have seen a surge of fake bank emails. We’ve also seen other forms of spammed threats, including KELIHOS, VAWTRAK, and even some forms of the 419 scam.
    • We have also witnessed an increase in BANKER malware. Variants of this malware family attempt to steal sensitive information, such as banking credentials and email account details. They employ info-stealing techniques, oftentimes phishing pages that mimic official banking sites, to get a user’s bank information, such as user names, passwords, or card codes. The stolen information could then be sent to a predetermined email address, to drop zones on hosted servers, or to a URL via HTTP POST.

    This series of entries focuses on a particular BANKER malware, detected as TSPY_BANKER.DYR. After taking an in-depth look at the malware itself, we will then place this malware within the whole threat ecosystem, with its ties to spam and even parcel mule scams, which involve people who send packages to other parts of the world, acting as ‘mules.’ These people typically fall for this scam because of its ‘get rich easy’ nature.

    All About DYR

    This particular detection is related to DYRE (also known as DYREZA, DYRANGES, or BATTDIL) malware. TSPY_BANKER.DYR has a lot of similarities with DYRE variants, as seen in its routines:

    • It has the capability to perform man-in-the-middle attacks through browser injections. It can also get browser snapshots, steal personal certificates, and steal information like the specific browser versions.
    • It steals bank credentials and monitors sessions involving online transactions to specific banks.
    • It can drop a configuration file that contains the list of targeted banks (via C&C updates) and the bot ID (comprising the computer name, the OS version, and a unique 32-character identifier). The list of targeted banks includes international, American, and European ones.
    • It uses Session Traversal Utilities for NAT (STUN), a method for the end host to discover its public IP address if it’s within a network that does network address translation. It’s a common method for applications of real-time voice, video and other messaging services to discover its public IP address, or the IP address that is publicly visible in the internet. Cybercriminals use this method to know exactly the location of their malware (and possibly know who is trying to run it).

      Figure 1. Screencap of STUN method

    • It also has the capability to download a VNC module.

    A look into its network profile confirms details of the routines mentioned above:

    • Connections to C&C servers at Port 443, with a defined string format
    • Connections to STUN Servers
    • Accepting inbound connections
    • Although not presented in the screen capture below, the user agent being used is Opera/9.80

    Figure 2. Network profile for TSPY_BANKER.DYR
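    The STUN lookup listed among the routines above, and the STUN connections in the network profile, can be made concrete with the following added example in Python. It is written for this page and is not Trend Micro’s code or anything recovered from the malware: it builds a constructed STUN Binding Request and Binding Success Response, recovers the public address from the XOR-MAPPED-ADDRESS attribute the way any STUN client does (which is exactly how the malware learns where it is running), and then runs a simple defender-side check over constructed flow records that flags hosts sending STUN which have no VoIP role. Hostnames, IP addresses, ports and the VoIP allowlist are assumptions.

```python
import os
import struct

STUN_MAGIC = 0x2112A442           # fixed cookie present in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001      # classic RFC 3489 form, plain address
ATTR_XOR_MAPPED_ADDRESS = 0x0020  # RFC 5389 form, XOR-obfuscated with the cookie


def build_binding_request(txn_id=None):
    """Client side: a Binding Request is a bare 20-byte header with no attributes."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC) + txn_id


def build_binding_response(txn_id, public_ip, public_port):
    """Server side (constructed): Binding Success Response carrying XOR-MAPPED-ADDRESS."""
    ip_int = struct.unpack("!I", bytes(int(o) for o in public_ip.split(".")))[0]
    x_port = public_port ^ (STUN_MAGIC >> 16)
    x_addr = ip_int ^ STUN_MAGIC
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, x_port, x_addr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC) + txn_id + attr


def is_stun(payload):
    """Classify a UDP payload as STUN: zero top bits, magic cookie, and a consistent length."""
    if len(payload) < 20 or payload[0] & 0xC0:
        return False
    _, length, cookie = struct.unpack("!HHI", payload[:8])
    return cookie == STUN_MAGIC and len(payload) == 20 + length


def parse_mapped_address(payload):
    """Recover the (ip, port) the STUN server observed, i.e. the client's public address."""
    if not is_stun(payload):
        return None
    msg_type, _, _ = struct.unpack("!HHI", payload[:8])
    if msg_type != BINDING_SUCCESS:
        return None
    i = 20
    while i + 4 <= len(payload):
        attr_type, attr_len = struct.unpack("!HH", payload[i:i + 4])
        value = payload[i + 4:i + 4 + attr_len]
        if attr_type in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and value[1] == 0x01:
            port, addr = struct.unpack("!HI", value[2:8])
            if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                port ^= STUN_MAGIC >> 16
                addr ^= STUN_MAGIC
            return ".".join(str(b) for b in struct.pack("!I", addr)), port
        i += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4-byte boundaries
    return None


def flag_unexpected_stun(flows, voip_hosts):
    """Hosts that emitted STUN but are not on the VoIP allowlist. flows: (src_host, dst, dport, payload)."""
    return sorted({src for src, _, _, payload in flows
                   if is_stun(payload) and src not in voip_hosts})


# Constructed flow records, not captured traffic: a PBX, a workstation, and an ordinary DNS query.
TXN = bytes(range(12))
FLOWS = [
    ("pbx-01", "198.51.100.10", 3478, build_binding_request(TXN)),
    ("ws-17", "198.51.100.10", 3478, build_binding_request(TXN)),
    ("ws-22", "192.0.2.53", 53,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
]
VOIP_HOSTS = {"pbx-01"}

if __name__ == "__main__":
    reply = build_binding_response(TXN, "203.0.113.7", 40000)
    print("public address learned via STUN:", parse_mapped_address(reply))
    print("hosts with unexpected STUN traffic:", flag_unexpected_stun(FLOWS, VOIP_HOSTS))
```

    The classifier keys on the header shape rather than on port 3478, because nothing forces a STUN client to use the well-known port; pairing it with an allowlist of hosts that legitimately run real-time voice or video software turns the routine described above into something a network monitor can alert on.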




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice