
    Ransomware Series: Analysis by Jaaziel Carlos, Jonh Chua, and Rodwin Fuentes

    Ransomware has become one of the biggest problems for end users as of late. In the past months alone, we have reported on several variants of both ransomware and crypto-ransomware, each with their own “unique” routines. We recently came across one malware family, detected as PE_VIRLOCK, that not only locks the computer screen but also infects files—a first for ransomware.

    Ransomware Routine

    VIRLOCK variants may arrive bundled with other malware in infected computers. We have even seen one VIRLOCK variant in the CARBANAK/ANUNAK targeted attack campaign.

    Figure 1. VIRLOCK infection diagram

    Once inside the computer, VIRLOCK creates and modifies registry entries to avoid detection and ensure execution. It then locks the screen of the affected computer, disabling explorer.exe and preventing the use of taskmgr.exe. Meanwhile, it also checks the location of the affected system to display the appropriate image for the ransom message.

    Figure 2. Sample ransom message



    Information about the overall threat landscape can be gathered from many sources. One useful method is by looking at the overall activity of command-and-control (C&C) servers, as used in botnets, targeted attacks, and in attacks against the broader Internet user base.

    We are able to combine various threat intelligence sources, including feedback from the Trend Micro™ Smart Protection Network™, to get a glimpse of C&C server activity (these are displayed in real time on the Global Botnet Map). Our findings below reflect the information we gathered throughout all of 2014. We examined the location of C&C servers, the location of endpoints, and the malware families that use these servers.

    So what can we learn from these numbers, and can IT professionals help reduce this threat?

    Malware using more ways to ensure server communication

    We ranked malware families by the number of command-and-control servers tied to each family. Across all C&C server activity, these were the most commonly seen families:

    1. CRILOCK
    2. RODECAP
    3. ZEUS
    4. FAKEAV

    For targeted attacks, these were the most commonly seen families:

    2. XTREME
    3. NJRAT
    5. START

    Some trends can be seen from these numbers:

    • Malware families that use domain generation algorithms (DGAs) like CRILOCK are well-represented in the lists, highlighting their popularity. Despite the differences in underlying behavior (crypto-ransomware versus information stealers), DGAs are popular as they make blocking of malicious domains more difficult with relatively little added expenditure of effort on the part of attackers.
    • Compromised sites are also popular C&C servers. ZeuS/ZBOT and RODECAP are both known to use compromised sites for their C&C servers, and both families are known to use this particular tactic extensively.
    • Similarly, free web hosting providers and dynamic IP redirection services are commonly used by some malware families such as NJRAT and DarkComet.
    • Many remote access tools (RATs) that were initially used in targeted attacks have now been used in various cybercrime-related attacks as well. This highlights the increased availability of these RATs, as well as the low entry barrier to registering and setting up C&C domains.
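The difficulty of blocking DGA domains one by one, noted above, is why defenders tend to look for the pattern rather than the individual names: machine-generated labels are long, high-entropy and vowel-poor, and an infected host queries many of them in a burst. The following script is an added example (not code from the original post or from Trend Micro) that scores the registrable label of each name in a constructed DNS query log and reports clients that queried several DGA-looking names. The log format, the feature thresholds and the sample domains are all assumptions made for this example; real deployments would tune the thresholds against their own traffic and consult a public-suffix list instead of the naive label extraction used here.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the original post). Format:
# <timestamp> <client-ip> query <type> <queried-name>
SAMPLE_DNS_LOG = """\
2014-11-03T10:12:01Z 10.0.0.15 query A www.example.com
2014-11-03T10:12:04Z 10.0.0.15 query A mail.example.org
2014-11-03T10:12:06Z 10.0.0.15 query A www.wikipedia.org
2014-11-03T10:12:09Z 10.0.0.22 query A xkqzpvwbtrjlmn.net
2014-11-03T10:12:10Z 10.0.0.22 query A qwpzlrtvkxbmhd.org
2014-11-03T10:12:11Z 10.0.0.22 query A ztvkrpxwqnmlbh.info
2014-11-03T10:12:15Z 10.0.0.31 query A cdn.static-assets.example.net
"""

LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label of a query name, e.g. 'example' for www.example.com.
    Simplification: the last label is treated as the TLD, so two-part public
    suffixes such as co.uk are not handled."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(qname):
    label = registrable_label(qname)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {"label": label, "length": len(label),
            "entropy": shannon_entropy(label), "vowel_ratio": vowel_ratio}


def is_dga_like(qname, min_len=8, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic: long, high-entropy, vowel-poor labels look machine-generated.
    The thresholds are assumptions for this example, not values from the post."""
    f = dga_features(qname)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def parse_dns_log(text):
    """Yield (timestamp, client, qname) for every well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, _qtype, qname = m.groups()
            yield ts, client, qname


def find_suspect_clients(log_text, min_hits=2):
    """Clients that queried at least `min_hits` DGA-looking names. A single odd
    name is weak evidence; a burst of them from one host is worth a look."""
    hits = defaultdict(list)
    for _ts, client, qname in parse_dns_log(log_text):
        if is_dga_like(qname):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in find_suspect_clients(SAMPLE_DNS_LOG).items():
        print(client, "->", ", ".join(names))
```

Run against the embedded log, only 10.0.0.22 is reported, with all three of its queries; the benign names fail on length, entropy or vowel ratio. A heuristic like this is a triage signal, not a verdict, and it sits well beside the sinkhole and reputation data the post describes.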

    Taken together, these developments show how attackers are adopting more techniques to try and obfuscate the C&C servers under their control. This can make forensic analysis of these attacks much more difficult, making detection and attribution potentially problematic.



    Stealing payment card data has become an everyday crime that yields quick monetary gains. Attackers aim to steal the data stored in the magnetic stripe of payment cards, optionally clone the cards, and run charges on the accounts associated with them. The topic of PoS RAM scraper malware always prompts businesses and retailers to ask two important questions: “How do I protect myself?” and “What new technologies are vendors introducing to protect businesses and consumers?”

    This blog entry seeks to answer these questions by discussing a PoS Defense Model and new technologies that can protect businesses and consumers from PoS RAM attacks.

    PoS Defense Model

    Based on our analysis of the PoS RAM scraper attack chain and PCI-DSS and PA-DSS requirements, we have created a multi-tiered PoS Defense Model that businesses and retailers can implement to defend against PoS RAM scraper malware attacks.

    Figure 1. Multi-tiered PoS Defense Model

    The four layers of the PoS Defense Model are:

    1. Infection Layer – this is the first and most important line of defense against PoS RAM scrapers as it aims to prevent initial infection, or block the malware’s execution before it causes damage.
    2. Lateral Movement Layer – if the infection layer fails to stop the malware, the next layer of defense aims to identify and block suspicious or malicious behavior when the malware attempts to spread.
    3. Data Collection Layer – PoS RAM scraper attacks might involve other information-stealing components that sniff network traffic, log keystrokes, and steal sensitive files. This layer of defense aims to prevent data theft.
    4. C&C and Data Exfiltration Layer – the stolen credit card data is only valuable after it has been exfiltrated from the victim machine. The final layer of defense aims to prevent the malware from communicating with the C&C servers and prevent exfiltration of stolen data.

    We have identified 26 defensive technologies and strategies that businesses and retailers can implement in their environments to defend against PoS RAM scraper attacks. The following Venn diagram shows these defensive technologies and strategies placed within the PoS Defense Model.

    Figure 2. Defensive technologies and strategies

    Next Generation Payment Technologies

    The new reality is that any Internet-connected device that processes payment card data should be viewed as a data theft target. Buyer security rests on the shoulders of several key players – device manufacturers, service providers, businesses, banks, and even credit card brands. Strong IT defense goes a long way in preventing PoS system breaches but it is not a magic bullet. New secure payment technologies must also be deployed alongside strong IT defenses to protect against PoS RAM scrapers. Two technologies that are being widely deployed are:

    EMV or Chip-and-PIN cards

    Figure 3. Encrypted data stored in chip (outlined in red)

    EuroPay, MasterCard, and Visa (EMV) is the global standard for Integrated Circuit Cards (ICC). EMV cards store encrypted Tracks 1 and 2 data on a chip in the card. This chip stores a cryptogram that allows banks to determine if cards or transactions have been modified. It also stores a counter that gets incremented with each transaction. Duplicate or skipped counter values indicate potential fraudulent activities. The EMV cards interact with PoS terminals that have ICC readers and use the EMV-defined protocol for transactions. Similar to debit cards, cardholders need to input a PIN for authentication before the transaction is processed.
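The transaction counter described above is only useful if someone checks it. The following is an added example (not code from the original post or from Trend Micro) of the issuer-side check implied by the passage: for each card, the Application Transaction Counter (ATC, a 16-bit value on the chip) should arrive once and in sequence, so a repeated value or a jump over unseen values is flagged. The card references, the transaction stream and the alert wording are constructed for this example; how an issuer treats a gap (which can also arise when offline-approved transactions clear late) is a policy decision, so the code reports findings rather than declining transactions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

ATC_MAX = 0xFFFF  # the ATC is a 16-bit counter on the card (EMV tag 9F36)


@dataclass
class CardCounterState:
    """Issuer-side view of one card's Application Transaction Counter."""
    highest_atc: Optional[int] = None
    seen: Set[int] = field(default_factory=set)


def check_atc(state: CardCounterState, atc: int) -> List[str]:
    """Return the alerts raised by this transaction's ATC and record it.
    A value seen before suggests a replay or a cloned chip; a jump over
    unseen values means transactions the issuer never saw (possibly offline
    approvals clearing late, possibly something worse); a value below the
    previous maximum that was never seen is reported for review as well."""
    if not 0 <= atc <= ATC_MAX:
        return [f"ATC {atc} outside 16-bit range"]
    alerts: List[str] = []
    if atc in state.seen:
        alerts.append(f"duplicate ATC {atc}")
    elif state.highest_atc is not None:
        if atc < state.highest_atc:
            alerts.append(f"ATC {atc} below previous maximum {state.highest_atc}")
        elif atc > state.highest_atc + 1:
            alerts.append(f"{atc - state.highest_atc - 1} ATC value(s) skipped before {atc}")
    state.seen.add(atc)
    if state.highest_atc is None or atc > state.highest_atc:
        state.highest_atc = atc
    return alerts


def review_transactions(transactions: Iterable[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Run check_atc over a stream of (card_ref, atc) pairs in arrival order.
    Returns only the cards that raised at least one alert."""
    states: Dict[str, CardCounterState] = {}
    findings: Dict[str, List[str]] = {}
    for card_ref, atc in transactions:
        state = states.setdefault(card_ref, CardCounterState())
        for alert in check_atc(state, atc):
            findings.setdefault(card_ref, []).append(alert)
    return findings


# Constructed transaction stream; the card references are labels, not PANs.
SAMPLE_TRANSACTIONS = [
    ("card-A", 41), ("card-A", 42), ("card-A", 43), ("card-A", 43),  # repeat
    ("card-B", 10), ("card-B", 11), ("card-B", 15),                  # gap
    ("card-C", 7), ("card-C", 8),                                    # clean
]

if __name__ == "__main__":
    for card, alerts in review_transactions(SAMPLE_TRANSACTIONS).items():
        print(card, alerts)
```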

    Encryption plus Tokenization

    PoS RAM scrapers will have nothing to steal if credit card Tracks 1 and 2 data are not present in the PoS system’s RAM. This is the underlying principle behind the new payment processing architectures being developed and deployed today. One implementation combines encryption with tokenization, a process that replaces a high-value credential such as a credit card number with a surrogate value that is used in transactions in its place.

    Figure 4. Process flow for Encryption and Tokenization

    The workflow is as follows:

    1. Customer swipes their credit card at the merchant’s PoS terminal to complete the purchase.
    2. The PoS terminal reads and encrypts the credit card data and transmits it to the Payment Service Provider (PSP) for processing.
    3. The PSP forwards the credit card data to the banks (acquirers & issuers) for authorization.
    4. The PSP uses a tokenization algorithm to replace the actual credit card data with a token.
    5. The generated token and the bank authorization status are sent back to the merchant’s PoS system.
    6. The merchant’s PoS system stores the token instead of the actual credit card data in all places.
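The six steps above, carried through in code as an added example (not code from the original post, Trend Micro, or any real payment service provider). The terminal encrypts Track 2 at the reader, the PSP decrypts it, obtains an authorization, and answers with a random token, and the merchant application keeps only the token. The transit encryption here is an HMAC-SHA256 counter keystream chosen to keep the example dependency-free; a real terminal uses AES under a key held in tamper-resistant hardware. The bank authorization is stood in for by a Luhn check, the test PAN 4111111111111111 is a well-known non-live number, and the final scan applies a Track 2 pattern to the merchant's retained data to confirm the point of the section: there is nothing there for a RAM scraper to find.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Track 2 layout is PAN '=' expiry (YYMM) and service data. The pattern is used
# here defensively, to verify the merchant side retains no such data.
TRACK2_RE = re.compile(rb"\d{13,19}=\d{4}")


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the terminal's transit encryption: XOR with an HMAC-SHA256
    counter keystream. Symmetric, so the same call decrypts at the PSP."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check, used as a constructed stand-in for acquirer/issuer approval."""
    total = 0
    for i, digit in enumerate(reversed(pan)):
        d = int(digit)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class PosTerminal:
    """Steps 1-2: Track 2 is encrypted as soon as the reader has it."""
    key: bytes

    def encrypt_swipe(self, track2: bytes) -> Tuple[bytes, bytes]:
        nonce = secrets.token_bytes(16)
        return nonce, keystream_xor(self.key, nonce, track2)


@dataclass
class PaymentServiceProvider:
    """Steps 3-5: decrypt, get authorization, hand back a token."""
    terminal_key: bytes
    vault: Dict[str, str] = field(default_factory=dict)  # token -> PAN, PSP side only

    def authorize(self, nonce: bytes, ciphertext: bytes) -> Tuple[str, bool]:
        track2 = keystream_xor(self.terminal_key, nonce, ciphertext)
        pan = track2.split(b"=")[0].decode()
        approved = luhn_ok(pan)                     # stand-in for the banks' decision
        token = "tok_" + secrets.token_hex(8)       # random surrogate, unrelated to the PAN
        self.vault[token] = pan
        return token, approved


@dataclass
class MerchantPos:
    """Step 6: the merchant application stores the token, never the card data."""
    records: List[dict] = field(default_factory=list)

    def complete_sale(self, terminal: PosTerminal, psp: PaymentServiceProvider,
                      track2: bytes, amount_cents: int) -> str:
        nonce, ciphertext = terminal.encrypt_swipe(track2)
        token, approved = psp.authorize(nonce, ciphertext)
        self.records.append({"token": token, "amount_cents": amount_cents,
                             "approved": approved})
        return token


def merchant_data_image(pos: MerchantPos) -> bytes:
    """Everything the merchant application retained, serialized as a scanner sees it."""
    return repr(pos.records).encode()


def scan_for_track_data(blob: bytes) -> List[bytes]:
    return TRACK2_RE.findall(blob)


# Constructed sample: 4111111111111111 is a well-known test PAN, not a live card.
SAMPLE_TRACK2 = b"4111111111111111=25121010000000000000"


def run_demo():
    key = secrets.token_bytes(32)  # provisioned into the terminal and known to the PSP
    terminal, psp, pos = PosTerminal(key), PaymentServiceProvider(key), MerchantPos()
    token = pos.complete_sale(terminal, psp, SAMPLE_TRACK2, 1999)
    return token, pos, psp


if __name__ == "__main__":
    token, pos, psp = run_demo()
    print("merchant stored:", pos.records)
    print("track data in merchant image:", scan_for_track_data(merchant_data_image(pos)))
```

The design choice worth noticing is that the token is random rather than derived from the PAN: a token that could be reversed or correlated without the PSP's vault would reintroduce the very data the architecture is meant to remove from the merchant's environment.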

    The Future for PoS RAM Scraper Attacks

    As PoS RAM scrapers become more prominent threats, big businesses will heavily invest in cybersecurity to prevent attacks against their PoS environments. Attackers will thus refocus on SMBs, as these may not necessarily have the cybersecurity budgets that enterprises have to prevent PoS system breaches. We expect to see more SMBs get compromised, which will collectively be a bigger breach than compromising a few enterprises.

    Rollout of new security measures will significantly change the PoS playing field for attackers. As businesses upgrade to new secure payment systems, attackers will attempt to come up with new strategies against improved systems and environments.

    For an in-depth analysis about protecting your business against the threat of PoS RAM Scraper malware, please read the Trend Micro paper, Defending Against PoS RAM Scrapers – Current and Next-Generation Technologies.


    Today Microsoft released their monthly Patch Tuesday posting, with a total of 14 security bulletins that include 5 bulletins that were listed as Critical. This batch of patches addresses vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft Exchange, and Internet Explorer.

    Fixes for FREAK

    One of the more notable bugs covered by this posting is the recent FREAK (Factoring RSA Export Keys) vulnerability seen in early March, which forces a secure connection to use weaker, export-grade encryption, making it easier for attackers to decrypt and sniff data encrypted by SSL. The FREAK vulnerability is patched by MS15-031 and was given an Important rating.

    FREAK was discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. Initially, it was thought that only OpenSSL (versions prior to 1.0.1k) and Apple TLS/SSL clients were vulnerable to man-in-the-middle (MITM) attacks, but later research revealed that Microsoft products were at risk as well.
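The downgrade that FREAK relies on shows up on the wire as export-grade RSA cipher suites in the handshake, which is what a network-level check such as the "TLS/SSL EXPORT Cipher Suite" DPI rule listed later in this post looks for. The following is an added example (not code from the original post or from Trend Micro) that builds minimal TLS 1.0 ClientHello and ServerHello records, parses them back, and reports any export-grade suite offered or negotiated. The suite identifiers are the RFC 2246 values; the record builders, the zeroed random field and the absence of extensions are simplifications for this example, so a parser for captured traffic would need to handle extensions and SSLv2-style hellos as well.

```python
import struct

# Export-grade cipher suites defined in RFC 2246 (TLS 1.0).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
TLS10 = b"\x03\x01"


def _wrap(hs_type, body):
    """Handshake header (type, 3-byte length) inside a record header."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack(">H", len(handshake)) + handshake


def build_client_hello(cipher_suites):
    """Constructed ClientHello: zero random, empty session id, null compression,
    no extensions. Only the cipher_suites field varies."""
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (TLS10 + bytes(32) + b"\x00"
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00")
    return _wrap(CLIENT_HELLO, body)


def build_server_hello(cipher_suite):
    """Constructed ServerHello carrying the server's chosen suite."""
    body = TLS10 + bytes(32) + b"\x00" + struct.pack(">H", cipher_suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)


def _handshake_body(record, expected_type):
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != expected_type:
        raise ValueError("unexpected handshake message type")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    return body


def client_hello_suites(record):
    """Cipher suites offered in a ClientHello, in the order the client listed them."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                      # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = body[pos:pos + n]
    if len(suites) != n or n % 2:
        raise ValueError("bad cipher_suites length")
    return [struct.unpack(">H", suites[i:i + 2])[0] for i in range(0, n, 2)]


def server_hello_suite(record):
    """The single suite the server selected in a ServerHello."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32
    sid_len = body[pos]
    pos += 1 + sid_len
    return struct.unpack(">H", body[pos:pos + 2])[0]


def export_suites_offered(record):
    return [EXPORT_SUITES[s] for s in client_hello_suites(record) if s in EXPORT_SUITES]


def export_suite_negotiated(record):
    return EXPORT_SUITES.get(server_hello_suite(record))


if __name__ == "__main__":
    ch = build_client_hello([0x002F, 0x0035, 0x0003])  # AES-128, AES-256, one export suite
    print("offered:", export_suites_offered(ch))
    print("negotiated:", export_suite_negotiated(build_server_hello(0x0008)))
```

Seeing an export suite negotiated is the stronger signal: a modern client does not offer these suites on its own, so their presence in a ClientHello, or their selection by a server, is either a misconfigured legacy endpoint or a downgrade in progress. The server-side mitigation is the same in both cases, which is to remove export suites from the enabled list entirely.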

    Critical Bulletins Include Updates for Internet Explorer – Again

    Last month’s Patch Tuesday update included a critical update for different versions of Internet Explorer. The same goes for this month’s patches, but this time, MS15-018 only addresses a total of 12 CVEs, while the MS15-009 update last month addressed 41 different CVEs.

    MS15-021 is another update rated as Critical and addresses eight vulnerabilities in the Adobe Font Driver that could lead to remote code execution (RCE). Other updates that were given the Critical rating addressed holes in Microsoft Office and SharePoint (MS15-022), and an RCE vulnerability in the VBScript scripting engine in Microsoft Windows (MS15-019).

    One bulletin that received a Critical rating (MS15-020) also deserves to be highlighted due to its history: this particular bulletin is an updated fix for the original shortcut vulnerability that was targeted by Stuxnet and first patched in August 2010 with MS10-046. It is now believed that the original fix was not complete; it is unclear whether attacks targeting systems with the incomplete patch were ever seen in the wild.

    Solutions and Best Practices

    Users and system administrators are strongly advised to apply the appropriate patches for these system vulnerabilities. Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

    • 1006563 – Microsoft Windows VBScript Memory Corruption Vulnerability (CVE-2015-0032)
    • 1006571 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0056)
    • 1006564 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0099)
    • 1006570 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0100)
    • 1006565 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1622)
    • 1006567 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1623)
    • 1006569 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1624)
    • 1006566 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1625)
    • 1006568 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1626)
    • 1006573 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1634)
    • 1006577 – Microsoft Windows Text Service Remote Code Execution Vulnerability (CVE-2015-0081)
    • 1006554 – Microsoft Windows DLL Planting Remote Code Execution Vulnerability (CVE-2015-0096)
    • 1006550 – Adobe Font Driver Remote Code Execution Vulnerability (CVE-2015-0090)
    • 1006551 – Adobe Font Driver Remote Code Execution Vulnerability (CVE-2015-0091)
    • 1006553 – Adobe Font Driver Remote Code Execution Vulnerability (CVE-2015-0092)
    • 1006548 – Adobe Font Driver Remote Code Execution Vulnerability (CVE-2015-0093)
    • 1006578 – Microsoft Office Remote Code Execution Vulnerability (CVE-2015-0086)
    • 1006472 – Microsoft Internet Explorer Same Origin Policy Bypass Vulnerability (CVE-2015-0072)
    • 1006547 – Adobe Font Driver Information Disclosure Vulnerability (CVE-2015-0087)
    • 1006549 – Adobe Font Driver Information Disclosure Vulnerability (CVE-2015-0089)
    • 1006552 – Microsoft Office Remote Code Execution Vulnerability (CVE-2015-0085)
    • 1006574 – Microsoft Office Local Zone Remote Code Execution Vulnerability (CVE-2015-0097)
    • 1000552 – Generic Cross Site Scripting (XSS) Prevention
    • 1006575 – Microsoft Windows Malformed PNG Parsing Information Disclosure Vulnerability (CVE-2015-0080)
    • 1000552 – Generic Cross Site Scripting (XSS) Prevention (CVE-2015-1628)
    • 1000552 – Generic Cross Site Scripting (XSS) Prevention (CVE-2015-1632)
    • 1006576 – Microsoft Windows JPEG XR Parser Information Disclosure Vulnerability (CVE-2015-0076)
    • 1003716 – Identified Too Many Remote Desktop Protocol (RDP) Connection Request
    • 1006562 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request (CVE-2015-1637)

    More information about these bulletins and their corresponding Trend Micro solutions is posted at our Threat Encyclopedia page: March 2015 – Microsoft Releases 14 Security Advisories.


    2014 was a year in flux for the Deep Web. We briefly discussed this in our annual security roundup, but this is a topic worth exploring in some detail.

    In late 2013, the operator of the Silk Road marketplace, Ross Ulbricht (also known as Dread Pirate Roberts) was arrested, and recently he was convicted on various charges by a US federal court. Naturally, because the market abhors a vacuum, replacement marketplaces have shown up. Of course, many of these have led short – and colorful – lives before collapsing.

    Figure 1. Timeline of the Deep Web

    This was not the only factor that led to chaos and disorder within the Deep Web. Law enforcement actions also shut down multiple market places, and technical developments in anonymity and cryptocurrency technology have also changed the Deep Web in 2014.

    Law enforcement strikes back – Operation Onymous

    Ulbricht may have been one of the first high-profile arrests related to the Deep Web, but he was far from the last. In what was called Operation Onymous, 17 people were arrested and 414 different .onion domains seized by various law enforcement authorities from various countries. The seized sites included underground marketplaces as well as money laundering sites.

    Law enforcement has not said how they were able to locate the servers and persons involved in these underground sites. One of the developers of Tor, Jacob Applebaum, has stated that he believes the arrests were due to confessions from at least one Deep Web site operator.

    One side effect of Operation Onymous may be the emergence of businesses specifically tailored for Deep Web site hosting. Merely hosting a site on the Deep Web is no guarantee of anonymity and safety on the part of users (a single Bulgarian ISP was responsible for hosting 129 of the seized domains). Some hosting providers and e-commerce platforms may choose to provide advanced services to Deep Web clients such as cryptocurrency support, escrow services, and two-factor authentication.

    Let a hundred marketplaces bloom

    Even before Operation Onymous took place, multiple marketplaces had appeared in the Deep Web offering all sorts of (mostly illegal) wares. Not all of these marketplaces proved to be particularly enduring. Sheep Marketplace shut down after claiming that they had been robbed of bitcoins, but users alleged that far more money had been stolen by site owners. Atlantis Marketplace shut down, citing security concerns.

    Much as had happened before, the shutdown of high-profile Deep Web marketplaces sent users scurrying to various replacement sites. One key difference with the post-Onymous cycle was where these marketplaces were “located”. Some of these sites used the Invisible Internet Project (I2P) network, in addition to, or instead of, Tor.

    Some of the most popular marketplaces today are Agora, Evolution, WhiteRabbitmarket (present on I2P), Themarketplace (exclusively on I2P), Tortuga (present on I2P), and an I2P-exclusive version of Silk Road.

    New technology and cryptocurrencies

    The technology used in the Deep Web has also evolved. We’ve already noted the adoption of I2P by some deep web sites. In addition to this, we have also seen new cryptocurrencies that attempt to use blockchain technology in interesting ways that add features.

    One of these new currencies is Cloakcoin, which claims full anonymity and untraceability of the transaction chain. It scrambles requests across various open wallets (similar to Tor’s onion routing). To entice users to keep their wallets open, 6% annual interest is offered. Cloakcoin also natively includes an escrow function; this allows two parties to securely perform a commercial transaction using a third-party escrow wallet that guarantees money only gets transferred when both sides of the transaction are satisfied.

    Another emerging project was OpenBazaar, which was aimed at building a platform for anonymous, untraceable marketplaces. It also used blockchain technology to implement escrow, order management, user identities, and reputation management.


    2014 was a year of much turmoil in the Deep Web. Law enforcement took down many high-profile sites, doubts about Tor’s actual anonymity grew, and new tools were deployed by Deep Web actors. We can only expect to see more of the same in the months to come. The arms race between law enforcement and threat actors will only continue to intensify, and we can expect more marketplaces and tools to make their appearance and advance the state of the art in this field.
