    Macro-based attacks were popular in the early 2000s, gaining widespread notoriety with the heavily publicized Melissa virus. However, they soon began to drop off the radar. One major reason was the security measures Microsoft implemented to address malicious macro files; another probable reason is that cybercriminals simply moved on.

    However, it seems like macro-based attacks are making their way into the threat landscape yet again. We recently encountered attacks that use macro-enabled files to deliver threats to users.

    Macro-enabled Files Carry ZBOT

    TSPY_ZBOT.DOCM arrives via an email attachment, which is detected as W97M_SHELLHIDE.A. This email is disguised as a notification from a law society about “possible fraudulent activity” involving the recipient.

    Figure 1. Sample spammed message


    If the recipient opens the document, it contains the following message: “This sample [redacted] message requires Macros in order to be viewed. Please enable Macros to be able to see this sample.” Aside from these instructions, the document appears blank. Analysis shows that the malware is embedded in the document, hidden in white font and stored in ASCII-hex form.

    Enabling macros runs the script that drops the malware. The macro script converts the ASCII-hex text back into its binary form. The malware can then run on the infected system, stealing information from the user’s machine.

    Figure 2. The document appears blank but the malware is actually hidden using white font

    Macro File Leads to Backdoor

    Another malicious macro-enabled (.DOC) file was found as an attachment of an email related to payment remittance. Like the other file, the document appears blank save for a message instructing the user to enable macros. Once enabled, the attachment—detected as W97M_SHELLHIDE.B—connects to the Internet to download and execute BKDR_NEUREVT.DCM.

    Using .DOCM files as an effective attack vector

    These attacks show that old techniques can still be as effective as newer ones. These might require users to enable macros in order to succeed, but this is addressed by social engineering. The email messages are meant to convey a sense of urgency and importance. While there are other applications that employ macros, cybercriminals may have used Microsoft Word files as Microsoft Office is still the most-widely used productivity software suite.

    The use of .DOCM files is interesting as they are uncommon infection vectors, given that they are relatively new; Microsoft introduced this file extension with Office 2007, which is also when the current .DOCX format was introduced. Users who are accustomed to looking out for possibly malicious .PDF or .DOC files may be unfamiliar with this file type.

    Users must always exercise caution when opening email attachments, even those from familiar or known senders. If you receive a .DOCM file from someone you don’t know, the safest thing to do is not open it. Because a .DOCM file opens with a simple double-click, a malicious .DOCM file carrying malware such as ZBOT can just as easily be run.

    File extensions shouldn’t be used as the sole indicator of safety. File type extensions and icons can be easily spoofed. Additionally, Microsoft Office can read and open files even if the extension has been changed. For macro-based attacks, it’s still best to make sure the macro security features in Office applications are enabled.

    With additional analysis by Mark Manahan.

    6:09 am (UTC-7)   |    by

    A key part of our cybercrime research focuses on the communities that cybercriminals form. These are used in much the same way that communities of other shared “interests” are – to socialize, to get together, and to buy and sell various items of interest.

    For security researchers, the activities of these underground communities – and the corresponding economies that they form – are a valuable source of threat intelligence. This allows us to examine current trends in the threat landscape, as well as look into and prepare for future threats.

    Our research in the past has highlighted the wide variety of goods and services available in the cybercrime underground. These range from crypters, exploit kits, and Trojans to denial of service (DoS) attacks, proxy servers, and web traffic, and everything in between. Our research into the underground has included findings related to malicious traffic management, the reaction to the fall of the BlackHole Exploit Kit, as well as overviews of the Chinese and Russian undergrounds.

    One consistent trend has been the continuing fall in prices of most goods and services. The average price of items has been dropping across the board, making these items accessible to more would-be cybercriminals. Pricier, more effective versions of these goods are available, of course – but the “average” versions of these tools are more than adequate for their purposes.

    There is no shortage of targets either, with much of the world today now online. The following chart shows the countries with the most Internet users and thus the most potential victims:

    Figure 1. Countries with largest online population

    There are multiple cybercrime communities around the world with various ties to each other, but they also have unique characteristics that differentiate them. Throughout the year, we will be publishing a series of papers, each describing a particular community and the economy it creates. These papers are all part of our Cybercriminal Underground Economy Series, or CUES. They will highlight the unique characteristics of each market and provide a summary of the goods and services available, along with their prices.

    The first paper of CUES, covering the mobile cybercrime underground in China, was released earlier this month. The CUES portal will be updated as more papers covering other economies such as those in Russia and Brazil are released.

    There are now less than two weeks left until Microsoft terminates support for the incredibly long-lived Windows XP. Rarely has a tech product lasted as long as XP has: from XP’s launch on October 25, 2001 to its last Patch Tuesday on April 8, 2014, a total of 12 years, 5 months, and two weeks will have passed. Despite that, as of the month of February, StatCounter data indicated that almost one in five PCs still used Windows XP.

    There has been plenty of concern—and in some quarters, hysteria—over this event. When it would happen has been known for some time. Informed users also know that Windows XP was developed in very different circumstances—the famous Bill Gates trustworthy computing memo was sent after Windows XP had been developed and released to the public.

    The end of support for Windows XP concretely means two things: newly discovered vulnerabilities in Windows XP will no longer be patched, nor will they be documented and acknowledged by Microsoft. This represents an increase in the risk of using Windows XP. Over time, this risk will increase as more issues are found and exploited, although it may also fall, as the ever-decreasing number of Windows XP users means it will no longer be worthwhile to create exploits for an aging operating system.

    However, managing and mitigating risks is what security is all about. We will continue to provide our customers with the necessary tools to help manage the risks facing Windows XP systems. The most valuable tool in managing these risks is virtual patching/vulnerability shielding; products like Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) module scan and inspect network traffic before it reaches the user’s applications, providing an opportunity to protect servers and endpoints from vulnerabilities.

    Another solution is hardening the endpoints. Endpoint security software will still protect users, provided the security software vendor continues to support its products. (Trend Micro will continue to provide support for our endpoint software on Windows XP until 2017.) In addition, locking down these systems may be even more appropriate. For example, Trend Micro Endpoint Application Control can help lock down systems by preventing unwanted and unknown applications and processes from running.

    The underlying point is this: yes, Windows XP’s end of support is something that people should worry about, but it is something that can be planned and prepared for. The tools and expertise are available to help users protect their systems and networks as needed. We have prepared a primer titled Managing Your Legacy Systems that goes into this topic in more detail.

    GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols. It provides applications a way to use the above protocols without having to create their own cryptographic code. It is aimed to be portable and efficient with a focus on security and interoperability. In many cases, it is used instead of other libraries because GnuTLS is distributed under the GNU Lesser General Public License.

    However, it was found that the GnuTLS X.509 certificate verification code fails to properly handle certain error conditions that may occur during the verification process. In those cases GnuTLS reports the verification as successful even though it should have failed. This means that invalid certificates may be accepted as valid.

    What makes this flaw truly problematic is that GnuTLS is used in many applications and software packages, including Exim, Weechat, Mutt, Lynx, CUPS, and gnoMint. It may be used by web applications, e-mail programs, and any other code that links the library, so it is very difficult to ascertain the number of affected applications. Some of the operating systems that ship GnuTLS include:

    • Red Hat Enterprise Linux Desktop (v. 6)
    • Red Hat Enterprise Linux HPC Node (v. 6)
    • Red Hat Enterprise Linux Server (v. 6)
    • Red Hat Enterprise Linux Server AUS (v. 6.5)
    • Red Hat Enterprise Linux Server EUS (v. 6.5.z)
    • Red Hat Enterprise Linux Workstation (v. 6)
    • Ubuntu 12.10
    • Ubuntu 12.04 LTS
    • Ubuntu 10.04 LTS
    • openSUSE 11.4

    An attacker can use a specially crafted invalid security certificate, and it will be accepted as valid by an application (e.g., browser, email client, feed reader, etc.) that uses GnuTLS. This can lead to disclosure of confidential information and, in combination with another vulnerability, may lead to complete control of the victim’s system.

    A Brief Look at the X.509 Code

    The X.509 protocols rely on a hierarchical trust model. Certification Authorities (CAs) certify entities. Usually more than one CA exists, and CAs may certify other authorities to issue certificates as well. One needs to trust one or more CAs for secure communications; only certificates issued by the trusted authorities are then accepted.

    The root cause is a simple coding flaw that may have been present for many years in the many applications, including Linux distributions, that use GnuTLS. More specifically, the bug lies in the GnuTLS library functions used to verify X.509 certificates.

    The main issue of the bug is a goto statement combined with an uninitialized variable. goto is an infamous statement that has been criticized by many security researchers. In this instance, when the goto is executed under certain error conditions, it short-circuits the verification checks and bypasses the certificate authentication process, allowing invalid certificates to be reported as verified.

    In verify.c, the function check_if_ca returns “true”, or rather 1, when the certificate is genuine, i.e., issued by a certification authority (CA), and its return value should be zero when the certificate is not genuine or not issued by a CA. A few other functions return a negative value when they fail. In most programming languages, 0 evaluates to “false” and any other [integer] value to “true”. As a result, gnutls_x509_crt_verify, which verifies X.509 certificates and relies on this function, passes the invalid certificate as genuine.

    In C, error handling through return codes is typically done in one of the following ways:

    1. Return zero for success and non-zero (usually less than zero) for failure.
    2. Return explicit codes and check them later (for example, “yes”, “no”, etc.).
    3. Return 1 for success and 0 for failure.

    It appears that in GnuTLS, methods 1 and 3 are used together for return codes.

    For the bug fix, the “goto cleanup;” is replaced with “goto fail;”.

    The fail label is defined as follows:

    fail:
        result = 0;

    Before the bug fix, the variables used at the cleanup label are declared as follows (note that result is left uninitialized):

    gnutls_datum_t cert_signed_data = { NULL, 0 };
    gnutls_datum_t cert_signature = { NULL, 0 };
    gnutls_x509_crt_t issuer = NULL;
    int issuer_version, result;

    After the bug fix, result is initialized to zero:

    gnutls_datum_t cert_signed_data = { NULL, 0 };
    gnutls_datum_t cert_signature = { NULL, 0 };
    gnutls_x509_crt_t issuer = NULL;
    int issuer_version, result = 0;

    A comparison of the fix can be viewed below:

    Figure 1. Screenshot of corrected return codes taken from Gitorious
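    As an added illustration (not GnuTLS’s own code), the following toy model shows why a negative error code escaping through the cleanup label is read as a “true” answer by a boolean-style caller, and how the separate fail label in the fix closes the hole; the toy_cert type, the error value and the sample certificates are assumptions:

```c
/* Added example, not GnuTLS code: a toy model of the check_if_ca return-code
 * mix-up. The type, error value and sample certificates are assumptions. */
#define TOY_ERR_ASN1 (-5)   /* convention 1: 0 = success, negative = error */

struct toy_cert {
    int signed_data_ok;     /* 0 simulates failure to extract the signed (TBS) data */
    int is_ca;              /* basicConstraints CA flag */
};

/* Constructed sample certificates for the callers below. */
static const struct toy_cert MALFORMED = { 0, 0 };
static const struct toy_cert GOOD_CA   = { 1, 1 };
static const struct toy_cert NOT_CA    = { 1, 0 };

/* Helper following convention 1. */
static int get_signed_data(const struct toy_cert *c)
{
    return c->signed_data_ok ? 0 : TOY_ERR_ASN1;
}

/* Vulnerable shape (convention 3: 1 = is a CA, 0 = is not). The error path
 * jumps to cleanup while result still holds the helper's negative code, so
 * the function returns nonzero, which a boolean caller reads as "true". */
int check_if_ca_vulnerable(const struct toy_cert *cert)
{
    int result;

    result = get_signed_data(cert);
    if (result < 0)
        goto cleanup;       /* bug: returns TOY_ERR_ASN1 instead of 0 */

    result = cert->is_ca ? 1 : 0;
cleanup:
    return result;
}

/* Fixed shape, mirroring the upstream change: result starts at 0 and error
 * paths go to a separate fail label that forces a "false" return. */
int check_if_ca_fixed(const struct toy_cert *cert)
{
    int result = 0;

    result = get_signed_data(cert);
    if (result < 0)
        goto fail;

    result = cert->is_ca ? 1 : 0;
    goto cleanup;
fail:
    result = 0;
cleanup:
    return result;
}

/* Caller in the verifier's boolean style: any nonzero return means the
 * issuer is accepted as a CA. Returns 1 if accepted, 0 otherwise. */
int issuer_accepted(int (*check)(const struct toy_cert *),
                    const struct toy_cert *issuer)
{
    return check(issuer) != 0;
}
```

    With the malformed sample, the vulnerable variant hands back -5 and the boolean caller accepts the issuer, while the fixed variant returns 0 and rejects it.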

    Methods of Attack

    An attacker could exploit this issue in many ways, depending on how the vulnerable library is used. The bug may be exploited in man-in-the-middle attacks: if a victim tries to log in to a site, the attacker can present his own certificate, pretending to be that site. The fake certificate passes the verification process and is presented as authentic, so everything appears normal to the victim while the attacker intercepts confidential data. Attacks like these are highly effective and often difficult to detect.

    An attacker could also host his own web server, with some web application having a fake certificate pretending to be any site of his choice. Through social engineering, he can then exploit this vulnerability.

    Mitigating Attacks 

    GnuTLS developers have issued an advisory regarding this issue. Any application that uses a version of GnuTLS for certificate verification other than the latest patched one is affected by this vulnerability. Users of GnuTLS are advised to upgrade to one of the following versions to address the issue:

    • GnuTLS 3.2.12 or 3.1.22

    Users can also apply the patch for GnuTLS 2.12.x. All applications linked to the GnuTLS library must be restarted for the update to take effect.


    Hat tip to Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team for spotting this flaw.

    Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family, CRIGENT (also known as “Power Worm”) which brings several new techniques to the table. (We detect these files as W97M_CRIGENT.A and X97M_CRIGENT.A.)

    Most significantly, instead of creating or including executable code, CRIGENT uses Windows PowerShell to carry out its routines. PowerShell is a powerful interactive shell/scripting tool that is available for all current versions of Windows (and is built in from Windows 7 onwards); this malware carries out all its behavior via PowerShell scripts. IT administrators who are normally on the lookout for malicious binaries may overlook this, as malware using this technique is not particularly common.

    Arrival and Additional Components

    This particular threat arrives as an infected Word or Excel document, which may be dropped by other malware or downloaded/accessed by users. When opened, it immediately downloads two additional components from two well-known online anonymity projects: the Tor network, and Polipo, a personal web cache/proxy.

    The attacker disguised both what these files were (by changing their file names) and where they were hosted, by hiding this information in DNS records. Copies of the files are stored on legitimate cloud file hosts (in this case, Dropbox and OneDrive), and their URLs were hidden in DNS records. How was this done?

    He had access to the DNS records of two separate domains and created one subdomain under each. However, he did not point the subdomains to any IP address at all. Instead, he stored text inside the DNS records, and the malware queried specifically for TXT records. (To evade local DNS blocking, these queries were sent directly to public Google DNS servers.) The command to do so in Windows would have been:

    • nslookup -querytype=TXT {malicious domain}

    Each of the two queries returned a text string with a URL pointing to a legitimate cloud storage provider. One of these links went to Dropbox, the other to Microsoft’s OneDrive. To someone examining the network traffic without looking at the actual files, all that would have been apparent was a pair of DNS queries to Google’s public DNS servers, and a file downloaded from two well-known cloud services. Neither would be found particularly suspicious.

    Command and Control

    Using the installed Tor and Polipo software, the malware accesses its command-and-control (C&C) server. The URL it uses contains two GUIDs, as seen below:

    • {C&C server}/get.php?s=setup&mom={GUID #1}&uid={GUID #2}

    Curiously, if the above website is accessed with missing or incorrect GUIDs, the C&C server delivers the following slightly profane message in German:

    Figure 1. C&C server

    However, if the fields are correct, a PowerShell script (detected as VBS_CRIGENT.LK or VBS_CRIGENT.SM) is downloaded which includes all the code necessary to carry out CRIGENT’s malicious behavior. For starters, the following information about the user’s system is sent back to the C&C server:

    • IP Address
    • Country code
    • Country name
    • Region code
    • Region name
    • City
    • Zipcode
    • Latitude
    • User account privilege
    • OS version
    • OS architecture
    • Domain
    • OS Language
    • Microsoft Office applications
    • Microsoft Office versions

    In addition to the above behavior, the script also contacts the server at every system startup, where it listens for commands. Ports related to Polipo and Tor are also opened.

    Infecting Word and Excel files

    The downloaded PowerShell script also contains the necessary code to infect other Word and Excel documents with the malicious CRIGENT code. To do this, it uses PowerShell scripts to modify registry entries, which lowers the security settings of Microsoft Office.

    Figure 2. Script modifying registry entries

    It then searches all available drives for Microsoft Word and Excel document files – *.DOC, *.DOCX, *.XLS, and *.XLSX. It also disables the ‘alerts’ and ‘macros’ settings of the files to be infected, so as not to alert the users.

    Any existing .DOCX and .XLSX files are converted to the previous .DOC and .XLS formats, respectively, with the originals being deleted. A Visual Basic module (which contains the malicious macro) is created and saved together with all the .DOC and .XLS files; opening any of these restarts the infection chain.

    Figure 3. Script searching for Word/Excel files

    Aside from compromising the security of the infected system, CRIGENT also infects documents (which may contain critical information) and may render them useless due to their new “format”. Enterprises and individual users may lose crucial data.

    Detecting CRIGENT

    There are several ways to detect the presence of CRIGENT within a network. For starters, the presence of Polipo and Tor within an internal network should be treated as suspicious. We had earlier discussed how to detect and block Tor traffic; this is something that network administrators should consider looking into to deter CRIGENT and other threats using Tor.

    In addition, it’s worth noting that the file extensions CRIGENT uses to save infected files, .DOC and .XLS, are no longer the default file types. Versions of Office from Office 2007 onward use the .DOCX and .XLSX file extensions by default, with support for the earlier file formats kept for legacy and backward compatibility purposes. The appearance of large numbers of new files in the older formats may be a sign of CRIGENT’s presence.

    We noted in our 2014 Security Predictions that cybercriminals will use Tor to hide their activities more deeply, which is what happened here. They also used PowerShell, a key feature of versions of Windows from Windows 7 onwards, to carry out their routine. That, combined with the use of legitimate cloud storage sites, highlights how cybercriminals want to use legitimate services and features for their attacks.

    Trend Micro protects users from this malware by blocking all related URLs and detecting the malware involved.

    Update as of 2:30 AM PDT, March 28, 2014

    The hashes of some of the files used in this attack are:

    • DE59D4F265599C1931807DF6D506BA11E1DBA2DC
    • FFEF3D961C9729660A0009AFC8A149800B84D8F1