    Our friends at the ShadowServer Foundation are now scanning for the Netcore/Netis router backdoor which we found in August. Their findings are in line with what we published then: the vast majority of those affected are in China, with more than a million scanned IP addresses currently affected by this threat.

    The devices at these IP addresses are vulnerable to being taken over by attackers due to an open port on the external side of the router; accessing this port and entering a fixed password (which is hard-coded in the firmware) allows an attacker to gain access and completely compromise the user’s network.

    On a positive note, the number of affected devices (around 1.35 million) is down significantly from the number we found initially (more than 2 million). The biggest fall was from August 31 to September 1, with more than 430,000 IP addresses no longer responding to ShadowServer’s probes.

    We wish to reiterate that in the absence of firmware updates, there is no effective way of mitigating this vulnerability for most users. While the number of vulnerable devices has gone down significantly, 1.35 million devices is still a large number of devices and users at risk. Netcore/Netis has not yet gotten back to us, and we are unaware of any patched firmware versions that have been released.

    We would like to thank ShadowServer for providing this service to the Internet at large and helping protect individual users. This kind of cooperation between researchers is invaluable in helping deal with emerging threats, as different parties can each bring something valuable and work together towards common goals.


    In the past couple of weeks, the effectiveness of PGP as a way to encrypt the emails of users has been a subject of much debate. This latest round was kicked off by Matthew Green, a professor of cryptography at Johns Hopkins University, who criticized PGP primarily for flaws in key management and for its lack of forward secrecy.

    It’s very important for the industry, as a whole, to get encryption right. It’s fundamental to securing online lives in the 21st century. PGP has been a key part of securing email for many years, so suggestions that it needs to be revised because it’s broken need to be taken seriously.

    While the encryption used by PGP itself is regarded as sound, the software has never been particularly user-friendly. However, it was never really aimed at ordinary users. Before, it was mostly more technically capable users who found themselves relying on PGP, and these users could cope with the PGP clients available at the time, despite their lack of polish.

    Now, things are different; it is conceivable that people might be interested in using PGP, but not have the technical capability to use the existing clients. These users want software that is “click and forget”. There is a fundamental disconnect between “what is secure” and “what is easy” that is not easily bridged.

    One particular aspect of PGP that does deserve criticism is how it manages keys. Simply put, PGP puts all the burden of managing keys on the user. This is in contrast to other encryption solutions like SSL/TLS, where this process is essentially invisible to the end user.

    There’s a fundamental tradeoff between convenience and security, and here PGP was designed with security as the highest priority: key exchange was handled directly by the users. This meant that users could decide whose keys they could trust. That’s the most basic decision in security, and PGP put it directly in the hands of users. That may have been fine for tech-savvy individuals, but for ordinary users, that’s far more difficult.

    Other email encryption solutions (like those we offer) rely on some sort of Trusted Authority (TA) to manage the keys. The TA has to authenticate users, but this takes the burden of key management away from end users. Of course, this means that the end users have to trust the TA server – this is fine for corporate environments, but for individuals this is probably not acceptable.

    There is nothing stopping a vendor from implementing PGP in a way that is more palatable to an ordinary user. This is exactly what Google and Yahoo are trying to do, and it will be interesting to see just how they meet the challenges of making PGP acceptable to the ordinary user.

    One more thing to say about PGP. Whatever its flaws, it has been proven to be reliable – and trusted – since it was introduced. Yes, it has its own problems, but to a large degree those are because it is being used by markets that it was never aimed at. In addition, as computing power increases, key length will have to be increased as needed – but this is an understood problem.

    However, the core of PGP is still sound. Saying it needs to “die” is counterproductive, as all that might do is push users towards other “solutions” that may promise security, but are actually insecure. What needs to happen is for PGP to be improved and built on in order to serve the evolving needs of users. Done properly, this can mean that PGP will continue to be a strong security standard for a long time to come.


    For the past year or so, I’ve noticed that people are getting increasingly concerned about how protected their information is – not just from hackers, but from governments and large Internet companies as well. Individual users and organizations are now saying – more than ever before – that privacy and security matters.

    Of course, the desire for privacy and security is sometimes trumped by the desire for added convenience and features. However, one thing that will cause changes in how data is protected is government regulation. In some quarters, it is perceived – rightly or wrongly – that private companies cannot be trusted with the data of their users, and that the government must step in.

    The European Union is well on its way with a new set of rules that will control how organizations that do business in Europe will have to store, manage, and control user data. A company does not have to be located in Europe to be affected, making the scope of these regulations larger than immediately apparent.

    Will this be enough to make consumers trust that their data is in safe hands? Not entirely. Some users will not trust companies that protect their data just to comply with regulations. Companies that hold the personal data of their users need to go above and beyond what regulations call for, to reassure their users that they are doing all they can to protect them.

    The Internet has been an amazingly valuable tool to connect people all over the world with each other. However, recent events have unfortunately shaken the confidence we once had in our online lives. Both individuals and organizations need to take steps to rebuild that trust and confidence to keep the Internet safe and open for everyone. We are all digital natives now. The Internet is too important in all our lives to be treated any other way.


    We recently reported a large spike of commercial spam that employed micro-sized “word salad” (random gibberish words) in the email body to bypass spam filters. The content of these messages varied from hair loss cures to car sales to retailer coupons. Most of the samples contained links to the websites they advertised.

    Aside from the tactic used, this particular spam run is notable because its two primary sources are hosting service providers and newly-registered domains that were not previously associated with known or detected spam activity. Service providers are often considered trustworthy, but it now seems that they are being openly abused by spammers.

    New Spam Sources

    The majority of the spam-sending IPs were sourced from a company associated with a Canadian hosting service provider. The remaining IP addresses belong to US-based providers.

    Newly-registered domains were another noteworthy spam source. Spammers created these domains and wasted no time in using them as both the sender address and the URL inside the mail body, as seen in the table below. They started spamming only minutes after registering the new domains. When unsuspecting users clicked these domains in the email message, they were redirected to spam websites.

    Spammers may have used new domains with no spam history because these are less likely to arouse suspicion. Analysis from our engineers shows that all the domains were registered with the same registrar by one organization.

    Figure 1. Time between domain registration and first known spamming activity

    Figure 2 shows the peak spam volume associated with this campaign within a 24-hour period. Closer inspection reveals that the spam run was composed of multiple short bursts of spamming activity, as shown in Figure 3. Each burst came from one IP address, followed by another burst from another IP address, and so on. Such behavior is most likely an attempt to evade IP-based filtering solutions.

    Figure 2. Peak spam volume within specific hours

    Figure 3. Multiple IPs contribute to the spam runs

    Based on our IP statistics, 85% of the affected victims came from the US. Other top affected countries include Germany, Canada, Great Britain, and New Zealand.

    As spam techniques continue to adapt and evolve, users are advised to be on guard when opening their emails. Never open messages, download attachments, or click links from unknown senders. Security solutions, such as spam filtering, can help protect users from such threats.
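The two behaviours described above, domains that start sending mail minutes after registration and short bursts that hand off from one source IP to the next, expressed as detection logic over a constructed mail-gateway log. This is an added example, not Trend Micro's tooling; the log format, the sample values and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample mail-gateway log (not real data), one message per line:
# receive time, sender IP, sender domain, domain registration time (from WHOIS)
LOG_LINES = """\
2014-09-02T10:00:05 198.51.100.7 fresh-deals1.example 2014-09-02T09:52:00
2014-09-02T10:00:09 198.51.100.7 fresh-deals1.example 2014-09-02T09:52:00
2014-09-02T10:00:14 198.51.100.7 fresh-deals1.example 2014-09-02T09:52:00
2014-09-02T10:03:30 198.51.100.23 fresh-deals2.example 2014-09-02T09:58:00
2014-09-02T10:03:41 198.51.100.23 fresh-deals2.example 2014-09-02T09:58:00
2014-09-02T10:07:02 198.51.100.41 fresh-deals3.example 2014-09-02T10:01:00
2014-09-02T10:07:10 198.51.100.41 fresh-deals3.example 2014-09-02T10:01:00
2014-09-02T10:30:00 203.0.113.9 shop.example 2011-05-14T00:00:00
2014-09-02T11:30:00 203.0.113.9 shop.example 2011-05-14T00:00:00
"""

def parse(text):
    """Yield (received, ip, domain, registered) tuples from the log text."""
    for line in text.splitlines():
        ts, ip, domain, reg = line.split()
        yield datetime.fromisoformat(ts), ip, domain, datetime.fromisoformat(reg)

def young_domains(records, max_age=timedelta(hours=1)):
    """Domains first seen sending mail within max_age of their registration."""
    first_seen, registered = {}, {}
    for ts, _ip, domain, reg in records:
        first_seen[domain] = min(first_seen.get(domain, ts), ts)
        registered[domain] = reg
    return {d: first_seen[d] - registered[d] for d in first_seen
            if first_seen[d] - registered[d] <= max_age}

def ip_rotation(records, gap=timedelta(minutes=2), window=timedelta(minutes=15), min_ips=3):
    """Group consecutive messages from one IP (no more than `gap` apart) into
    bursts, then flag any `window` in which at least `min_ips` distinct IPs
    each contributed a burst: the hand-off pattern described in the post."""
    bursts = []  # [start, end, ip, message count]
    for ts, ip, _domain, _reg in sorted(records):
        if bursts and bursts[-1][2] == ip and ts - bursts[-1][1] <= gap:
            bursts[-1][1] = ts
            bursts[-1][3] += 1
        else:
            bursts.append([ts, ts, ip, 1])
    flagged = []
    for i, first in enumerate(bursts):
        ips = {b[2] for b in bursts[i:] if b[0] - first[0] <= window}
        if len(ips) >= min_ips:
            flagged.append((first[0], sorted(ips)))
    return flagged
```

On the sample log, the three fresh-deals domains are flagged as young and the 10:00 to 10:07 run is flagged as one rotating-IP window, while the long-registered shop.example sender trips neither check.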


    We recently spotted a brand new BlackPOS (point-of-sale) malware, detected by Trend Micro as TSPY_MEMLOG.A. In 2012, the source code of BlackPOS was leaked, enabling other cybercriminals and attackers to enhance its code. What’s interesting about TSPY_MEMLOG.A is that it disguises itself as an installed service of a known AV vendor’s software to avoid being detected and consequently deleted from the infected PoS systems. This routine differs from previous PoS malware such as TSPY_POCARDL.U and TSPY_POCARDL.AB (BlackPOS), which employed the targeted company’s own installed service.

    The malware can be run with the options -[start|stop|install|uninstall]. The -install option installs the malware as a service named “<AV_Company> Framework Management Instrumentation”, and the -uninstall option deletes that service. The RAM scraping routine begins as a thread when the installed service starts. It only starts its main routine if it has successfully been registered as a service.

    Apart from masquerading as an AV software service, another new tactic of TSPY_MEMLOG.A is its updated process iteration function. It uses the CreateToolhelp32Snapshot API call to list and iterate over all running processes, whereas BlackPOS variants typically use the EnumProcesses API call for this.

    It drops and opens a component, t.bat, after it has read and matched the track data. Track data is where the information necessary to carry out card transactions is located; on the card, this is stored either on the magnetic stripe or in the embedded chip.

    The data will eventually get written out to a file called McTrayErrorLogging.dll. This is similar to what happened in the PoS malware attack involving the retailer Target in December 2013.

    Figure 1. CreateToolhelp32Snapshot to enumerate processes

    Based on our analysis, this PoS malware uses a new custom search routine to check RAM for track data. In newer PoS malware, these custom search routines have replaced regex searches. It reads 0x20000 bytes (hexadecimal, i.e. 128 KB) in each pass, and continues scanning until it has covered the entire memory region of the process being inspected.

    Figure 2. Screenshot of reading process memory

    Figure 3. Logging of data

    It has an exclusion list of processes in which track data is not expected to be found. It gathers track data by scanning the memory of all running processes except the following:

    • smss.exe
    • csrss.exe
    • wininit.exe
    • services.exe
    • lsass.exe
    • svchost.exe
    • winlogon.exe
    • sched.exe
    • spoolsv.exe
    • System
    • conhost.exe
    • ctfmon.exe
    • wmiprvse.exe
    • mdm.exe
    • taskmgr.exe
    • explorer.exe
    • RegSrvc.exe
    • firefox.exe
    • chrome.exe

    This skipping of scanning specific processes is similar to VSkimmer (detected as BKDR_HESETOX.CC).

    In TSPY_MEMLOG.A, the credit card track data grabbed from memory is saved into a file, McTrayErrorLogging.dll, and sent to a shared location within the same network. We’ve seen this routine in another BlackPOS/Kaptoxa variant detected as TSPY_POCARDL.AB. The only difference is that TSPY_MEMLOG.A uses a batch file to move the gathered data to the network share, while TSPY_POCARDL.AB executes the net command via cmd.exe. It is highly possible that the server is compromised, since the malware uses a specific username to log into the domain.

    Data Exfiltration Mechanism

    The malware drops the component t.bat, which is responsible for transferring the data from McTrayErrorLogging.dll to a specific location in the network, t:\temp\dotnet\NDP45-KB2737084-x86.exe. It uses the following command to transfer the gathered data:

    Figure 4. Screenshot of command used to transfer data

    The “net use” command is used to connect from one machine to another machine’s drive. It uses a specific username to log into the domain above (an IP address), opening device t: on drive D.

    In one of the biggest data breaches we’ve seen in 2013, the cybercriminals behind it first offloaded the gathered data to a compromised server, while a different malware running on that server uploaded it to an FTP site. We surmise that this new BlackPOS malware uses the same exfiltration tactic.

    PoS malware can arrive on the affected network via the following means:

    • Targeting specific servers as the point of entry, followed by lateral movement
    • Hacking network communication
    • Infecting machines before deployment

    As such, we recommend that enterprises and large organizations implement a multi-layered security solution to ensure that their network is protected against vulnerabilities in systems and applications, as these may be used to infiltrate the network. In addition, check whether system components have been modified or changed, as criminals are using known in-house software applications to hide their tracks. IT administrators can use the information on malware routines and indicators of compromise (IoCs) here to determine whether their network has already been compromised by this new BlackPOS malware. For more information on PoS malware, read our white paper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.

    Trend Micro protects enterprises from threats like PoS malware by detecting the malicious file.

    The hash related to this threat is b57c5b49dab6bbd9f4c464d396414685.
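The indicators above (the “… Framework Management Instrumentation” service name, the net use mapping of t:, the t.bat and McTrayErrorLogging.dll file names, and the hash) as a triage check over constructed event records. This is an added example, not Trend Micro's code; the record format, the field names and the “Contoso” vendor name are assumptions.

```python
import re

# Constructed, simplified event records (not real Windows logs), one per line:
#   event_id|Field=value|Field=value   (7045 = service installed,
#   4688 = process created, 11 = Sysmon file create; field names assumed)
SAMPLE_EVENTS = r"""
7045|ServiceName=Contoso Framework Management Instrumentation|ImagePath=C:\Windows\Temp\svc.exe
7045|ServiceName=Windows Update|ImagePath=C:\Windows\System32\svchost.exe -k netsvcs
4688|NewProcessName=C:\Windows\System32\net.exe|CommandLine=net use t: \\10.0.0.5\d$ /user:CORP\svc_pos
4688|NewProcessName=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c C:\Windows\Temp\t.bat
11|TargetFilename=C:\Windows\Temp\McTrayErrorLogging.dll|Hashes=MD5=b57c5b49dab6bbd9f4c464d396414685
4688|NewProcessName=C:\Windows\System32\net.exe|CommandLine=net use z: \\fileserver\public
"""

# Indicators taken from the post; "Contoso" above stands in for the masked AV vendor
KNOWN_MD5 = "b57c5b49dab6bbd9f4c464d396414685"
SERVICE_SUFFIX = "Framework Management Instrumentation"
DROPPED_FILES = {"mctrayerrorlogging.dll", "t.bat"}
NET_USE_T = re.compile(r"\bnet\s+use\s+t:", re.IGNORECASE)

def parse_event(line):
    event_id, *fields = line.split("|")
    return int(event_id), dict(f.split("=", 1) for f in fields)

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_event(event_id, fields):
    """Return the indicator names one event matches (empty list = clean)."""
    hits = []
    if event_id == 7045 and fields.get("ServiceName", "").endswith(SERVICE_SUFFIX):
        # Only one AV vendor's product should install a service with this name; review ImagePath
        hits.append("service_name_masquerade:" + fields.get("ImagePath", ""))
    cmd = fields.get("CommandLine", "")
    if event_id == 4688 and NET_USE_T.search(cmd):
        hits.append("net_use_t_drive")
    for path in (cmd, fields.get("TargetFilename", "")):
        if basename(path) in DROPPED_FILES:
            hits.append("dropped_file:" + basename(path))
    if KNOWN_MD5 in fields.get("Hashes", "").lower():
        hits.append("known_hash")
    return hits

def scan(text):
    """Map line number -> indicator hits for every event that matched."""
    findings = {}
    for n, line in enumerate(text.strip().splitlines(), 1):
        hits = check_event(*parse_event(line))
        if hits:
            findings[n] = hits
    return findings
```

The service-name rule is deliberately broad: a hit on a genuine AV installation is expected, and the ImagePath it reports is what distinguishes the vendor's binary from a copy dropped under a writable directory.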

    With additional analysis from Numaan Huq

    Update as of 9:44 AM, September 8, 2014

    During the course of our investigation, we spotted the following anti-American messages embedded in the binary:

    Figure 5. Screenshot of the messages embedded in the binary


    Note that these are not used anywhere in the code; we surmise that they may be a kind of signature used by the group developing this malware.

    Update as of 2:27 PM, September 11, 2014

    Even though BlackPOS ver2 has entirely different code compared to the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call it BlackPOS ver2.

    It is also being reported in the press that some security vendors have called this malware “FrameworkPOS.” This is a play on the service name <AV_Company> Framework Management Instrumentation under which the malware installs itself.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice