Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
  • About Us

    6:45 pm (UTC-7)   |    by

    PoS malware has been in the news lately due to data breaches in various high-profile retailers. Card information stolen from these attacks have ended up on the well-known underground shop Rescator. We prefer to refer to the people behind this shop as the Lampeduza gang, as Rescator is not the only person running this business.

    We have found that other cybercrime gangs are using the fame of the Lampeduza gang to lure other cybercriminals into accessing fake online credit card shops.

    C&C Intelligence

    During one of our research projects, we came across a C&C server hosting a KINS control panel at This was registered on May 9, 2014, with the email address The same email address was used to register other domains that hosted host a fake version of the Lampeduza card shop.

    Some of these domains included


    Included in the above list was one fake jobs site ( and two fake shipping sites ( and

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    There are many mobile app developers today who want to develop the next hot mobile app. After all, if you pay your cards right, you could end up being bought by a much larger company like Facebook, Google, or Microsoft for billions of dollars.

    It’s hard enough to build a mobile app that will have the features and ease of use that will make it popular with millions of users. There are other things that apps can compete on, however: this includes the privacy and security of their users.

    How can developers do this? First of all, consider how the app is written. Are best practices being followed? Developers on PCs and Macs have already learned that their apps can suffer from vulnerabilities that can be exploited. Are you doing your best to avoid these issues?

    One reason to harden your apps against possible exploitation is repackaging. This is when the bad guys take a legitimate app and add their own malicious code to it. This added code can be anything – premium SMS abuse, cryptocurrency mining, even information theft. Not only does this harm the end user, it also damages your good name as well. (For more in-depth information about app repackaging, read our relevant paper, Fake Apps: Feigning Legitimacy.)

    If your business model revolves around ads served by third-party ad networks, be careful in choosing which ad networks you choose to partner with. Some ad networks are less reputable than others, either asking for too much user information to target their ads or allowing malicious ads to run on their networks. Remember: it’s not just their reputation on the line, it’s yours as well.

    Another issue is how you integrate with various social networks. It’s become very popular to integrate social networks into mobile apps. This is perfectly safe, so long as it’s done correctly. Social networks generally use some sort of API to allow third-party apps to access their information; use these APIs instead of just asking for your user’s private login credentials.

    In terms of privacy, consider what you’re asking from the user. We’ve all seen how some apps ask for permissions that have absolutely nothing to do with their main purpose. Why would a flashlight app need access to your calendar or contacts? Consider what you actually need from your users and don’t just ask for anything and everything just because you can.

    We offer tools that will help mobile app developers check if their apps are secure. The Mobile App Reputation Service checks apps based on their behavior and identifies any potentially problematic behavior on their apps. We hope that these tools will help developers realize that protecting the privacy and security of their users should be something that is an integral part of creating the next mobile app.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Since the discovery of Shellshock, Trend Micro has continuously monitored the threat landscape for any attacks that may leverage these vulnerabilities. So far, we have identified an active IRC bot, exploit attempts in Brazil and China, botnet attacks, and a wide variety of malware payloads such as ELF_BASHLITE.A, ELF_BASHLET.A, and PERL_SHELLBOT.WZ among others.  It is reported that other vulnerable protocols like HTTP, SMTP, SSH, and FTP are also affected by Shellshock.

    We found that one of the payloads of Bash vulnerabilities, which we detect as TROJ_BASHKAI.SM, downloaded the source code of KAITEN malware, which is used to carry out denial-of-service attacks. Based on our analysis, when TROJ_BASHKAI.SM is executed, it connects to the following malicious URLs:

    • http://www[dot]computer-services[dot]name/b[dot]c
    • http://stablehost[dot]us/bots/regular[dot]bot

    When it connects to http://www[dot]computer-services[dot]name/b[dot]c, it downloads the KAITEN source code, which is then compiled using the common gcc compiler. This means that once connected to the URL, it won’t immediately download an executable file. Instead, it builds and compiles the source code, resulting in an executable file detected as ELF_KAITEN.SM.

    The act of downloading and compiling on the infected system can be seen as a precautionary measure. Downloaded directly as an executable file, the ELF file may have compatibility issues with different Linux OS distributions. Compiling on the infected system ensures that the malware executes properly.

    This routine could also be viewed as an evasion technique as some network security systems filter out non-executable files from scanning, due to network performance concerns. Systems configured this way may skip the scanning of the source code because it’s basically a text file. In addition, the recompilation of the source code can also have an effect of having differing binary files (which will have different hashes) across different Unix platforms. This will make detecting compiled binaries more difficult.

    ELF_KAITEN.SM connects to an IRC server at x[dot]secureshellz[dot]net where it joins the IRC channel #pwn and waits for commands. Some of the commands the attackers issued are:

    • Perform UDP flood
    • Perform SYN flood
    • Download files
    • Send raw IRC command
    • Start remote shell
    • Perform PUCH-ACK flood
    • Disable, enable, terminate client

    On the other hand, when it connects to http://stablehost[dot]us/bots/regular[dot]bot, it downloads three separate files. One of these is KAITEN source code, which is similarly compiled into ELF_KAITEN.A. This behaves similarly to ELF_KAITEN.SM, except it connects to linksys[dot]secureshellz[dot]net[colon]25 and to the channel #shellshock.

    The second downloaded file is a Mac OS X malware detected OSX_KAITEN.A, which behaves similarly to ELF_KAITEN.A. The third file is a shellbot detected as PERL_SHELBOT.SMO. This is a powerful IRC-controlled shellbot that connects to the same server as the two previous files, but to a different channel (#scan). However, unlike KAITEN that doesn’t scan for vulnerable servers, PERL_SHELLBOT.SMO scans for vulnerable websites through various search engines.

    Aside from downloading KAITEN and Shellbot, (detected as TROJ_BASHKAI.SM) creates a file /tmp/c which is used to schedule the download a file from the second URL weekly. This ensures that the payload is up to date.


    Figure 1. Screenshot of BASHKAI source code


    KAITEN is old IRC-controlled DDoS malware and as such, there is a possibility that the attackers employed Shellshock to revive its old activities like DDoS attacks to target organizations. Another theory we have is that the attackers behind Shellshock would like to expand their infection chain to include DDoS activities via KAITEN malware.

    Typically, systems infected with Shellshock payloads become a part of their botnet, and therefore can be used to launch DDoS attacks. In addition,  the emergence of a downloaded file that targets Mac OS clearly show that attackers are broadening their target platform.

    It was earlier reported that the “vast majority” of Mac OS X users are “safe by default” from Shellshock. However, users who configured to enable the Advanced Unix Services are still affected by this vulnerability. The Advanced Unix services enables remote access via Secure Shell (SSH) which offers ease of access to system or network administrators in managing their servers. This service is most likely enabled for machines used as servers such as web servers, which are the common targets Shellshock attacks.

    Trend Micro is continuously monitoring the threat landscape for any developments regarding Shellshock. For more information about threats exploiting Shellshock, , you can refer to our summary post.

    With additional analysis from Rhena Inocencio, Lenart Bermejo, Anthony Melgarejo, and Dexter To

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Late last month, we reported about a backdoor vulnerability that we discovered in Netcore/Netis brand routers, a backdoor that made any network attached to a router of the same brand vulnerable to online infiltration and man-in-the-middle attacks.

    We also reported on how our friends at the ShadowServer Foundation have been kind enough to scan for IP addresses affected by this vulnerability, with their findings readily available in website form. At the time, the number of affected IP addresses numbered to more than a million – which meant that more or less, the same number of devices were at risk (we note that the number has risen at the time of this writing).

    Now, it seems that Netis has addressed the vulnerability with a firmware update for the router models vulnerable to the backdoor (downloadable from their official website’s download page). This is of course great news for anyone who has a Netis/Netcore brand router – after all, this would allow them to keep the routers in their networks and be assured that the security issue has been taken care of. Unfortunately, from our analysis of the updates themselves, this may not exactly be the case.

    So, what does the update actually do? Well, instead of removing the code that pertains to the backdoor (which is in essence an open UDP port), the update instead closes the port and hide its controls. What this basically means is that the backdoor is still in the router – just that it’s closed by default, and only someone who already knows about the backdoor itself and has the technical knowledge to open it can access it.


    Figure 1. Netis router code before and after update

    Figure 2. Additions to Netis router code

    Figure 1 shows how in the previous router code, the command /bin/igdmtp -d is present; in the current code it has been commented out (and thus, no longer runs). Figure 2 shows, however, how code has been added that allows the backdoor to be controlled via a hidden function on the web portal of the router.

    Doesn’t this fix the problem? Not quite. The fact that the port is still there means it can still be opened and used for malicious purposes, especially if the attackers manage to get a hold of the password to the router’s web console and can obtain access to the LAN side of the router (via, say, malware on a client PC).

    It still leaves the router (and the network tied to it) open to attack. It’s like patching up a hole in the wall with a door and then just giving the owner of the house a key to that door – the keys can still be stolen, and the hole can still be used to break into the house.

    Should you still update? Yes.  We highly recommend installing the update if you still wish to use your Netcore/Netis router, as it does at least give you access control over the port (if you know what you’re doing), and overall makes the router more secure.

    However, we want to stress that users should also make their router passwords stronger as well. immediately after applying this update - or, if their routers do not require password access, then for them to activate that feature through the web console and THEN make the password as strong as they can possibly be. Strong passwords practices include making it as long as the password form allows, as well as using special symbols and numbers along with letters.

    We will continue to monitor this particular issue and update as necessary.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Earlier this year we discussed how Gizmodo’s Brazilian site was compromised and used to spread online banking malware to approximately 7,000 victims in a two-hour span. The site was compromised via WordPress plugin vulnerabilities that allowed the attacker to add a script that redirected users to a second compromised site, which eventually led users to download the malware.

    These types of attacks are unfortunately common, but the underlying details may not be clear to all.  Attacks like these are quite capable of delivering different payloads to users, depending on the system configuration of the target.

    For example, in this attack, Firefox and Internet Explorer users were hit with a proxy auto-configuration (PAC) script that redirects some of the user’s Internet traffic through a malicious proxy. Chrome users get a malicious extension that is actually a copy of BOLWARE detected as BKDR_QULKONWI.GHR; this particular family targets certain features of Brazilian payment systems in order to carry out fraudulent schemes.

    The video below describes how the attack was carried out. It shows how the site was compromised, the details of the attack, as well as a demonstration the capabilities of the payloads (particularly BOLWARE). This will hopefully let users become more aware of these threats and learn how to avoid them accordingly.

    Our previous entries dealing with this topic are:

    The SHA1 hash of BOLWARE mentioned in this post is:

    • cd9efd3652b69be841c2929ec87f3108571bf285
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice