
The problem of mobile device theft has become severe enough that legislators have begun filing bills to address it. Last week, US Senator Charles Schumer re-filed the Mobile Device Theft Deterrence Act of 2013, which would make modifying a device’s International Mobile Equipment Identity (IMEI) number a crime punishable by up to five years in federal prison. In theory, this should make stolen devices harder to reuse and therefore less appealing to steal. The CTIA, a trade group representing the wireless industry, has spoken out in support of the bill.

    Having one’s mobile device stolen has real costs. Replacing a phone can cost hundreds of dollars; any data on the device may be either lost or stolen. Enterprises particularly care about the latter problem, an item we discussed in the report Embracing BYOD: Are You Exposing Critical Data?.

Even if the bill were passed, it’s unclear how much impact it would have, given how many stolen devices end up “exported” abroad. (Exporting stolen goods is not limited to electronics; stolen cars, for example, have long been shipped to places like Albania, parts of Africa, and other less developed regions.)

The bigger issue is that other solutions proposed to “fix” this problem may actually weaken mobile device security rather than strengthen it. It’s frequently suggested that new devices should ship with a “remote kill” system that can disable a stolen device remotely. From a security perspective, this is very problematic: it means the capability to remotely administer the device must be built into the device itself, i.e., a backdoor. If the capability to remotely kill a device is built into a product, it has to be assumed that a sufficiently determined attacker can reach that capability and do whatever they want with it.

There’s also the thorny issue of who would hold the keys: both end users and organizations can be socially engineered, and the result would be a malicious attacker disabling (or simply threatening to disable) a device. We’re supposed to make devices more secure over time, not less; a “remote kill” system brings very real potential problems with it. It may be better to focus on locating a device after it has been stolen; this capability is already built into iOS and Windows Phone, but not Android.

    The real solution to the problem of stolen devices may be found by treating it as a police problem and not necessarily a technological one. Any proposed solution to device theft has to take all mobile security problems into consideration; the law of unintended consequences may strike again.

    Using technology to solve a crime problem may only go so far.


    Since its introduction in late 2012, Windows 8 has proven to be perhaps the most controversial version of Windows in recent memory. Much of the controversy is a direct result of its user interface, which represents a departure from the traditional desktop that’s been in use for many years. This debate has caused the other features of Windows 8 and its ARM-based cousin, Windows RT, to receive far less attention. These other features must be considered in deciding whether to migrate to Windows 8.

From a security perspective, the picture is mixed. Features such as improved Unified Extensible Firmware Interface (UEFI) support, enhanced Address Space Layout Randomization (ASLR), picture passwords, and Internet Explorer 10 all help improve the new OS’s security. Windows To Go, a way to carry a fully managed Windows 8 image on a USB device, is meant to improve BYOD support. Not all of these features work as well as one would expect, however: the UEFI protection, for example, has already been bypassed by proof-of-concept attacks. In addition, the drastically different UI can make things difficult for users. All of these need to be considered by users and organizations deciding whether to migrate.

    Our new report, Windows 8 and RT: New Beginnings, goes over the new features in Windows 8, paying particular attention to new security features.  The report gives readers a good grasp of these new features and provides the information needed to decide whether to migrate to this new version or not. The full copy of the report may be found by clicking the link here.


For cybercriminals everywhere, it’s still business as usual. The recent global ATM heist, which netted a total of $45M, showed that orchestrated targeted attacks continue to plague organizations worldwide. Legacy approaches to identifying threats are not keeping up with the tactics used to exfiltrate valuable assets and corporate secrets. Although it took money mules withdrawing cash from ATMs in 27 countries to pull off the heist, initial reports indicate that it was made possible by a very sophisticated targeted attack on third-party card processors in India and the US.

    The real debate is how much collateral damage and fallout we’ll see as a result of this attack.  Many of the same technologies and processes are used by other financial institutions.  A weakness here could be used by attackers to target other banks with similar architectures.

It’s a safe bet that the attackers were able to acquire and maintain a persistent foothold inside these banking institutions. They carefully picked their targets to increase the chances that the attack would succeed without being discovered. Weeks or months of reconnaissance were more than likely carried out, followed by covert operations once the marks had been chosen and a foothold achieved.

These targeted attacks are not like the day-to-day threats we information security professionals usually face: they are carried out with a specific purpose in mind. A recent white paper we published discusses the lateral movement that occurs within networks during these attacks and looks at the tools and techniques used.

Online banking is increasingly important today, with nearly 94% of the world’s wealth held in some form of electronic currency. It’s no wonder cyber heists are on the rise and the payouts are reaching epic proportions. DDoS (Distributed Denial of Service) attacks are increasing as well, which affects how consumers and businesses conduct online banking. These attacks can also consume an organization’s technical and human resources, ultimately acting as a distraction while the real intrusion proceeds.

    These incidents show that targeted attacks and cybercrime can act hand in hand. All organizations have to consider this as they incorporate their countermeasures and mitigations moving forward. How can they determine if they are in the cross hairs of a targeted attack and understand the dynamics of any threats they are currently facing?

    Organizations need to understand that “targeted attacks” can involve more than just information theft, but can actively damage systems and cause significant financial losses. Tools that are valuable in this field include “padded cells” to test incoming threats that use virtualization sandboxing techniques. Threat intelligence and feedback provided by the Smart Protection Network is invaluable to provide organizations with the tools needed to deal with these attacks and protect their networks.


    Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof.  Besides the different filenames, these samples also have different domains where they can connect to download other malicious files, as well as varying command-and-control (C&C) servers.

    Based on Smart Protection Network feedback, 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.


    Figure 1. Top affected countries

    Infection Chain

The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) is similar. They drop two files into the system’s temporary folder: an executable (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP). The executable modifies the Windows registry to lower the system’s security settings and ultimately loads the .GIF file.

The “GIF file” is actually a Java file, loaded using the javaw.exe executable that is part of the Java Runtime Environment. JAVA_BANKER.ZIP contains commands that download and execute files from several pre-configured URLs. The downloaded files are saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed. These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA), which provide network operations such as connecting to an SSH server, port forwarding, and file transfers, among others.

The final payload of JAVA_BANKER.ZIP is a .JAR file that elevates the affected user’s privileges to administrator. With the system under the attacker’s control, those admin rights let the malware modify the legitimate system file termsrv.dll, the DLL that implements Remote Desktop (terminal services) sessions. The malware replaces this file with %Temp%\update.gif.

    Malicious Component File Leads to Serious Security Compromise

Based on code analysis, %Temp%\update.gif is used to enable multiple concurrent remote desktop sessions on the affected system. But what does this mean for users?

Windows client editions allow only one remote desktop session at a time, and the replaced termsrv.dll removes that limit. %Temp%\update.gif also creates its own user account (ADM123) and makes it a system administrator. Once the system has been set up for multiple sessions, the malware notifies its C&C server of the compromise. The remote attacker then connects to the affected system through the ADM123 account and has complete control over it, with the ability to run further damaging commands on the infected machine. Because the attacker’s session runs concurrently with the victim’s, the victim’s own desktop is not disconnected and nothing visible alerts the user. Trend Micro protects users from this threat by detecting and deleting the related malware if found on the system.
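A host triage script for this chain, added here as an example (it is not Trend Micro’s tooling and not part of the original post). It checks for the indicators the write-up names: an ADM123 local administrator, update.gif staged under %Temp% or the user profile, and a System32 termsrv.dll that no longer matches the copies in the WinSxS component store (an assumption: Windows Vista or later with an intact store; the malware replaces only the System32 copy). It also reads fSingleSessionPerUser from the Terminal Server registry key, a check the post does not mention but which is cheap to do while you are there. The net.exe output parser assumes English-language output, and the sample output embedded below is constructed for testing.

```python
"""Host triage for the termsrv.dll / ADM123 infection chain (added example)."""
import glob
import hashlib
import os
import subprocess
import sys

ROGUE_ACCOUNT = "ADM123"    # account created by update.gif, per the write-up
STAGED_NAME = "update.gif"  # dropped under %Temp% and %User Profile%

# Constructed sample of `net localgroup Administrators` output (English net.exe)
SAMPLE_NET_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
ADM123
The command completed successfully.
"""


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_localgroup_output(text):
    """Member names sit between the dashed separator and the status line."""
    members, in_list = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True
            continue
        if in_list:
            if not line or line.lower().startswith("the command completed"):
                break
            members.append(line)
    return members


def local_admins():
    out = subprocess.run(["net", "localgroup", "Administrators"],
                         capture_output=True, text=True, check=False).stdout
    return parse_localgroup_output(out)


def staged_files():
    """Paths where the write-up says update.gif is staged (system Temp is an extra guess)."""
    roots = [os.environ.get("TEMP"), os.environ.get("USERPROFILE"),
             os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "Temp")]
    return [p for p in (os.path.join(r, STAGED_NAME) for r in roots if r) if os.path.isfile(p)]


def termsrv_matches_component_store():
    r"""Compare the live termsrv.dll with the WinSxS copies (assumption: Vista+).
    Returns (True/False/None, note); None means no reference copy was found."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    live = os.path.join(root, "System32", "termsrv.dll")
    refs = glob.glob(os.path.join(root, "WinSxS", "*", "termsrv.dll"))
    if not refs:
        return None, "no component-store copy found; run sfc /verifyfile instead"
    live_hash = sha256_of(live)
    return live_hash in {sha256_of(r) for r in refs}, live_hash


def single_session_setting():
    r"""HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser
    (0 allows several sessions per user; the post does not say the sample sets it)."""
    import winreg
    try:
        key = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            return winreg.QueryValueEx(k, "fSingleSessionPerUser")[0]
    except OSError:
        return None


def assess(admins, staged, termsrv_ok, single_session_per_user):
    """Pure function turning collected facts into findings, so it is testable anywhere."""
    findings = []
    if any(a.lower() == ROGUE_ACCOUNT.lower() for a in admins):
        findings.append(f"rogue local administrator {ROGUE_ACCOUNT} present")
    for p in staged:
        findings.append(f"staged payload present: {p}")
    if termsrv_ok is False:
        findings.append("termsrv.dll does not match any component-store copy")
    if single_session_per_user == 0:
        findings.append("fSingleSessionPerUser=0: concurrent RDP sessions per user allowed")
    return findings


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collection runs on Windows only")
    ok, _note = termsrv_matches_component_store()
    for finding in assess(local_admins(), staged_files(), ok, single_session_setting()):
        print("[!]", finding)
```

Run it from an elevated prompt on the suspect host; a clean machine prints nothing. A hash mismatch on termsrv.dll is the strongest signal here, since the rogue account name and staged filename are trivial for the next variant to change.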

Compromising government sites to deliver malware is not unusual. Earlier this month, a website of the US Department of Labor was compromised to serve a zero-day Internet Explorer exploit. The tactic gives attackers social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there are no sacred cows when it comes to cybercrime. Everyone is fair game.

This is the latest development in the rather interesting Brazilian threat landscape, which has lately been troubled by a malicious “homemade” browser and other banking Trojans that give the Bancos variants a run for their money.


Users typically archive files to bundle several files into a single one for convenience, or simply to save storage space. We have uncovered a worm, however, that plants copies of itself in archives, even password-protected ones.

We acquired a sample of a worm (detected as WORM_PIZZER.A) that propagates using a particular WinRAR command line (see below). Once executed, this lets WORM_PIZZER.A add a copy of itself to existing archives, specifically .ZIP, .RAR and .RAR SFX files. The worm does not harvest the passwords of these archives, and it does not need them: the command line is an ordinary one that any user can run to add files to an existing archive as long as WinRAR is installed, and the malware simply abuses it to add copies of itself.


    Figure 1. WINRAR command line

    During our testing, this worm was downloaded by WORM_SWYSINN.SM from a particular site.

    This technique is reminiscent of WORM_PROLACO variants seen in 2010, in which variants were seen to archive certain .EXE files together with a copy of itself. But what makes WORM_PIZZER.A interesting is its clever way of creating copies of itself in archived files, even on password-protected ones. Unsuspecting users who extract these archived files would have no idea that they already contain this worm, thus likely to execute the malware along with their other files.


    Figure 2. WORM_PIZZER.A copy (bot.exe) in an archived file
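The reason the worm does not need the password is that archive “passwords” encrypt individual members, not the container: the member listing is readable, and new members can be appended, with no password at all. The following is an added example (not Trend Micro’s code and not the worm’s) that reproduces the technique with Python’s zipfile module in place of the WinRAR command line and then scans the result the way a mail or endpoint filter could, without the password. The sample archive is constructed: its members are only flagged as encrypted, so the scan logic can be exercised without a real encryption routine; the executable-extension list is an assumption.

```python
"""Append-to-archive propagation and a password-free archive scan (added example)."""
import io
import os
import struct
import zipfile

# File types a worm would plant in an archive (assumption: a reasonable default list)
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
ENCRYPTED_BIT = 0x1  # bit 0 of the ZIP general-purpose flag: member is encrypted


def _set_encrypted_flag(raw, member):
    """Set the 'encrypted' bit on one central-directory entry, in place.
    Only used to build the constructed sample: the data is NOT really encrypted,
    but every ZIP reader will treat the member as password-protected."""
    eocd = raw.rfind(b"PK\x05\x06")                    # end-of-central-directory record
    pos = struct.unpack_from("<I", raw, eocd + 16)[0]  # offset of the central directory
    while raw[pos:pos + 4] == b"PK\x01\x02":
        flags, = struct.unpack_from("<H", raw, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        if raw[pos + 46:pos + 46 + name_len] == member.encode():
            struct.pack_into("<H", raw, pos + 8, flags | ENCRYPTED_BIT)
            return
        pos += 46 + name_len + extra_len + comment_len
    raise KeyError(member)


def build_protected_archive(members):
    """Constructed sample: a ZIP whose members are flagged as password-protected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    for name in members:
        _set_encrypted_flag(raw, name)
    return bytes(raw)


def infect_archive(archive, payload_name, payload):
    """What the worm does with the archiver's 'add' command, done with zipfile:
    append a member to an existing archive. No password is needed, because the
    existing members' encryption is per member and the new one is simply added."""
    buf = io.BytesIO(archive)
    with zipfile.ZipFile(buf, "a", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(payload_name, payload)
    return buf.getvalue()


def list_members(archive):
    """The member listing is readable without any password."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def scan_archive(archive):
    """Return (member, reason) findings. Reads only the central directory,
    never member data, so it works on password-protected archives too."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        protected = any(i.flag_bits & ENCRYPTED_BIT for i in infos)
        for info in infos:
            ext = os.path.splitext(info.filename)[1].lower()
            if ext not in EXEC_EXTS:
                continue
            findings.append((info.filename, "executable member"))
            if protected and not info.flag_bits & ENCRYPTED_BIT:
                findings.append((info.filename,
                                 "unencrypted executable inside a password-protected archive"))
    return findings


if __name__ == "__main__":
    clean = build_protected_archive({"report.docx": b"constructed document content"})
    infected = infect_archive(clean, "bot.exe", b"MZ" + b"\x90" * 32)
    print(list_members(infected))
    for member, reason in scan_archive(infected):
        print(f"{member}: {reason}")
```

The second finding is the useful one for detection: a user who password-protects an archive encrypts every member, so a plaintext executable sitting next to encrypted documents is a sign that someone appended it afterwards. The same central-directory logic applies to RAR, which is what the worm actually targets; only the container parser differs.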

    Trend Micro detects and deletes WORM_PIZZER.A if found and also blocks access to the site hosting the said malware.

The first half of 2013 is shaping up to be a year of rehash, with dated threats like ZBOT, CARBERP, and GAMARUE adopting new techniques to evade detection, or at least stealthier ways to slip onto users’ systems unnoticed. WORM_PIZZER.A is no different from this flock of repackaged threats. Because users trust archives they protected themselves, they may be too complacent when extracting and executing their contents, which gives the worm perfect cover to propagate on an infected system.

For protection, users must observe best computing practices, which include avoiding unknown sites and not downloading attachments from unverified email messages. Because the malware can plant copies of itself in archives, users must be extra cautious when executing files extracted from them.

With additional insights from threat researchers Dexter To and Joseph Jiongco.

    Update as of June 7, 2:00 AM PDT

    Our protection against this threat has been updated; we now detect it as WORM_PIZZER.SM.

     



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice