Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro

    The biggest security headache that consumers face on a regular basis may well be… the password. You need one to do just about anything online nowadays. This makes them very valuable targets of theft – as the news that “1.2 billion” passwords were stolen highlights. Unfortunately, remembering passwords for all the sites that people use every day can be a challenge.

    With that in mind, I was interested when I heard about a paper that discussed how users manage multiple passwords. Unfortunately, this paper from Microsoft and Canadian researchers doesn’t actually provide very good advice, and may in fact promote dangerous practices.

    Let me summarize the paper for those who haven’t read it: they suggest that users are incapable of following both of the key tenets of password security: that passwords must be secure (i.e., not easily found with a dictionary-based search), and that they must not be shared. The researchers suggest that users decide which accounts need to be protected with secure passwords; the other accounts can be protected with ordinary passwords that don’t have to be unique or secure.

    This idea only works if you accept as a fact that the user is incapable of remembering secure passwords. However, that’s why password managers exist. This idea that a user must rely on their unaided memory is simply wrong. The computer – whether it’s a PC, tablet, or smartphone – is an extraordinarily powerful tool. Why not use it?

    Yes, these managers are not perfect. Just last month, another group of researchers found vulnerabilities in several online password managers. However, they’re still a significant improvement over trying to remember passwords by rote memory, and it’s a gigantic improvement over using poor passwords. The perfect should not be the enemy of the good.

    I try to make the advice I give as clear as possible. Whether or not that was their intention, studies like this muddle the water and send the message that bad passwords are okay. It depends on the user discriminating between what needs to be secure and what isn’t. However, many users are likely to trade convenience for security and choose weak passwords instead. It’s human nature to do so. Sadly enough, the users most likely to choose weak passwords are also the ones who are likely to fall victim to various online threats.

    Let’s say, however, that someone really doesn’t want to use a password manager. That doesn’t mean you need to use a bad, recycled password. Consider this procedure:

    1. Choose a simple password you already use. Let’s take “Snoopy2” as an example.
    2. Create an algorithm in your mind that uses the full domain name of the website you’re protecting. So, for example, it can be: “two first letters, two last letters and the number of letters it has, first letter in uppercase”. “twitter.com” becomes “Twer7”. It can be any algorithm you want, so long as you remember it.
    3. Choose a number that means something to you. Your birthday, the age at which you met your husband, whatever. Let’s say I use the number “32”.
    4. Put it all together. My password for twitter would be “Twer7snoopy232”. My next password for “awesomecyclingforum.com” would be “Awum19Snoopy232”. If I ever need to change it, just add one to the last number… or 7. It’s up to you.
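    The four steps above, implemented as an added example (this is not code from the post). It assumes step 2 works on the label just before the TLD (twitter.com gives “twitter”) and that the base password keeps its own capitalisation, so twitter.com yields “Twer7Snoopy232” where the post writes the “s” in lower case.

```python
def site_token(domain: str) -> str:
    """Step 2 of the post's scheme: first two letters + last two letters +
    letter count, with the first letter upper-cased. Assumption: the
    "domain name" is the second-level label (twitter.com -> "twitter")."""
    parts = domain.lower().strip().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    token = label[:2] + label[-2:] + str(len(label))
    return token[0].upper() + token[1:]


def derive_password(domain: str, base: str = "Snoopy2", number: str = "32") -> str:
    """Steps 1, 3 and 4: site token, then the reused simple password, then the
    personal number. The defaults are the post's own example values."""
    return site_token(domain) + base + number


def rotate_password(domain: str, base: str, number: str, step: int = 1) -> str:
    """The post's change procedure: bump the trailing number by a chosen step
    (one, seven, whatever the user settled on)."""
    return site_token(domain) + base + str(int(number) + step)


def all_distinct(domains, base: str = "Snoopy2", number: str = "32") -> bool:
    """Sanity check for the reuse problem the post is addressing: every site
    must end up with a different password even though base and number are
    shared across all of them."""
    passwords = [derive_password(d, base, number) for d in domains]
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    # The post's two worked examples plus a rotation.
    for site in ("twitter.com", "awesomecyclingforum.com"):
        print(site, "->", derive_password(site))
    print(rotate_password("twitter.com", "Snoopy2", "32", step=7))
```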

    The bottom line is: one day we won’t have to use passwords to log into sites anymore. That day, however, is not today. We’re still stuck with passwords, and we need to provide the best advice to users on how to create good passwords. A mixed message – like the one promoted by these researchers – is unhelpful at best, and wrong-headed at worst.


    Aug 6, 4:05 am (UTC-7)

    Last week, the US Computer Emergency Readiness Team (US-CERT) reported on a newly discovered malware family, dubbed “Backoff”, which targets point-of-sale (PoS) systems. Similar to other PoS malware such as Dexter and Scraper, Backoff is also used to steal financial information for malicious purposes.

    Based on our analysis, when Backoff is executed, it copies itself into %Application Data%\OracleJava\javaw.exe and launches the copy in %Application Data% with the parameter -m <path_to_original_backoff>. The copy then terminates the original Backoff process and deletes the initial file. We have seen the same installation technique used in the Alina family of PoS RAM-scraping malware. More details of its routines can be found in the US-CERT article. This entry, however, focuses on the scope and breadth of its infection.
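    A detection check for the installation behaviour just described, added here as an example (not code from the post or from Trend Micro). It runs over constructed process-creation records and flags javaw.exe executing from the %Application Data%\OracleJava path, recovering the original dropper path from the -m argument; the record format and sample paths are assumptions.

```python
import re

# Constructed sample process-creation records (image path, command line).
# These are illustrative only, not telemetry from the post.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Java\jre7\bin\javaw.exe",
     r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar C:\pos\app.jar'),
    (r"C:\Users\pos01\AppData\Roaming\OracleJava\javaw.exe",
     r'"C:\Users\pos01\AppData\Roaming\OracleJava\javaw.exe" -m C:\Users\pos01\Downloads\update.exe'),
    (r"C:\Users\pos01\AppData\Roaming\OracleJava\javaw.exe",
     r'"C:\Users\pos01\AppData\Roaming\OracleJava\javaw.exe"'),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\temp\notes.txt"),
]

# %Application Data% resolves to ...\AppData\Roaming on Vista and later and to
# ...\Application Data on XP; the post names the OracleJava\javaw.exe copy.
DROP_PATH_RE = re.compile(
    r"\\(?:AppData\\Roaming|Application Data)\\OracleJava\\javaw\.exe$", re.IGNORECASE)
# "-m <path_to_original_backoff>": the argument names the dropped file that the
# copy terminates and deletes, so it is worth preserving for the responder.
MIGRATE_ARG_RE = re.compile(r'\s-m\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def classify_event(image: str, cmdline: str):
    """Return (verdict, original_path). 'backoff_install' means javaw.exe ran
    from the OracleJava drop path with the -m hand-over argument;
    'suspicious_path' is the same path without it (for example a later run of
    the installed copy); 'clean' is everything else."""
    if not DROP_PATH_RE.search(image):
        return "clean", None
    m = MIGRATE_ARG_RE.search(cmdline)
    if m:
        return "backoff_install", m.group(1) or m.group(2)
    return "suspicious_path", None


def scan(events):
    """Run the check over (image, cmdline) pairs and return only the hits."""
    hits = []
    for image, cmdline in events:
        verdict, original = classify_event(image, cmdline)
        if verdict != "clean":
            hits.append((verdict, image, original))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```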

    We analyzed Backoff and discovered that it has multiple versions, ranging from 1.4 to 1.55. The 1.55 build has multiple versions as well, differentiated by nicknames such as “backoff”, “goo” and “MAY.” The “goo” version connects to three malicious domains that we cannot disclose just yet as we are still looking into them.

    Connection Patterns

    Checking with our internal data, we also saw that these domains communicated a lot with the affected IP addresses, with the first two domains getting hits from the US. The first domain alone has had more than 46,000 hits since June 14, 2014. Interestingly, we found fewer hits from June 28 to July 25, with only 52 unique IPs.


    Figure 1. Number of hits on the malicious domain #1

    The second domain, meanwhile, scored more than 59,000 hits since April 26, 2014, with the same decline in the number of hits from May 8 to June 2, with only 60 unique IPs this time.


    Figure 2. Number of hits on the malicious domain #2

    We also noticed an interesting pattern when we changed the time frame to one-week increments.


    Figure 3. Decreasing pattern in the number of hits. Pattern is similar for both domains.

    We saw a clear decrease in the hits during “dead hours”, specifically at 2:00 AM. The hits went back up at 10:00 AM. This follows typical business operating hours wherein PoS devices are in active use — the number of hits rises as business operating hours begin and drops as businesses close for the day. Looking at the week-by-week statistics, the last week of July alone registered more than 10,000 hits.

    US as Top Target

    What does this all mean, then? For one, it cements the fact that Backoff is a very active and persistent threat that has already infected a lot of point-of-sale devices. Based on our Smart Protection Network data, the top country that accessed the malicious domains is the United States. Clearly, the US market is a favored target for those behind Backoff. As such, we recommend that businesses in the US have their PoS devices analyzed and secured.


    Figure 4. Heat map of malicious communications found in affected US states

    PoS malware could be one of the many constants in life that we have to deal with, like social engineering scams and mobile malware. Cybercriminals obviously see this as profitable, as the data breach incidents in the retail industry in 2013 showed. An old vulnerability residing in PoS systems was exploited in order to carry out the said attacks, which resulted in the loss of credit and debit card information of at least 40 million customers. Also, cybercriminals have begun to cut middlemen out, as some are actually mass-manufacturing pre-compromised PoS devices. We need to stop viewing PoS devices as mere tools or gadgets and treat them as systems that also require tight security.

    Trend Micro protects users via its Smart Protection Network that blocks all malicious domains and detects this PoS malware as:

    Below are the hashes of the malicious files discussed in this entry:


    For more details about PoS malware in general, check out our whitepaper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.


    Earlier this year, the Federal Bureau of Investigation disrupted the activities of the Gameover botnet. That disruption had a significant effect on the scale of the ZBOT threat, but it was unlikely that cybercriminals would not respond in some fashion.

    The use of domain generation algorithms (DGAs) is a key part of Gameover, but new variants like TROJ_ZBOT.YUYAQ have made this tactic even more powerful. How exactly does this variant use this technique?

    The domains are based on the results of an MD5 hash generated by the system. The factors that go into computing the hash are:

    • current day/month/year
    • hardcoded value of 0x35190501
    • tick count (time since the system was started)

    How does the malware generate a domain name from this hash value? This is best demonstrated with a sample hash value. Let us suppose that the resulting MD5 value is 0xf1d73a971e50a68419c7f70764f34f1e. This can be split into four 4-byte words: from most significant to least significant, these would be:

    • 0xf1d73a97
    • 0x1e50a684
    • 0x19c7f707
    • 0x64f34f1e

    Each word is processed using the same algorithm with the word as the initial value, as follows:

    1. Divide the input number by 0x24.
    2. Take the remainder from #1 and add this value to the numbers 0x30 and 0x57. Let’s call these x and y.
    3. Convert x and y to ASCII characters using standard values. Of the two resulting characters, use the result which is either a number or a lower-case character.
    4. To generate the next character, repeat the algorithm with the quotient from step #1 as the input. If the quotient is zero, the algorithm is finished running and the resulting string is complete.

    The above algorithm converts 0xf1d73a97 into the string tdcly51. The malware reverses this string, resulting in 15ylcdt.

    Each word is converted into a string in this manner, and then the resulting strings are concatenated together into one longer string: in this case, our MD5 hash is converted into 15ylcdt10t00m627l7a18es4f8. This string is used as the hostname for the command-and-control server.

    The top-level domain (TLD) used is one of the following: .biz, .com, .net, or .org. Which TLD is used depends on the tick count of the system.
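    The domain-generation steps above, reimplemented as an added example (this is not the malware's code or Trend Micro's). The hash inputs are not serialised here because the post does not give their layout, so the function starts from the digest bytes; one detail needed to reproduce the post's strings is that each 4-byte word is read little-endian (x86 native order), so the bytes f1 d7 3a 97 form the DWORD 0x973ad7f1. The tick-count-to-TLD mapping is not spelled out, so candidate_domains enumerates all four TLDs (an assumption a defender checking DNS logs would make).

```python
import struct

# Constructed input: the MD5 value the post walks through, as 16 digest bytes.
SAMPLE_MD5_HEX = "f1d73a971e50a68419c7f70764f34f1e"
TLDS = (".biz", ".com", ".net", ".org")


def word_to_string(value: int) -> str:
    """Steps 1-4 of the post for one 32-bit word: repeatedly divide by 0x24 (36),
    map each remainder r to 0x30+r ('0'-'9') or 0x57+r ('a'-'z'), and stop
    when the quotient is zero. Characters come out least-significant first."""
    chars = []
    while True:
        value, r = divmod(value, 0x24)
        x, y = chr(0x30 + r), chr(0x57 + r)
        chars.append(x if x.isdigit() else y)   # keep the digit or the lower-case letter
        if value == 0:
            break
    return "".join(chars)        # 0x973ad7f1 -> "tdcly51"


def hostname_from_md5(digest: bytes) -> str:
    """Split the 16-byte digest into four DWORDs, convert each word, reverse
    each string as the post describes, and concatenate. Words are unpacked
    little-endian (x86 native order); that is what yields the post's output."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    words = struct.unpack("<4I", digest)
    return "".join(word_to_string(w)[::-1] for w in words)


def candidate_domains(digest: bytes):
    """The TLD depends on the tick count, which the post does not detail, so
    (assumption) a defender matching DNS logs enumerates all four."""
    host = hostname_from_md5(digest)
    return [host + tld for tld in TLDS]


if __name__ == "__main__":
    digest = bytes.fromhex(SAMPLE_MD5_HEX)
    print(hostname_from_md5(digest))   # 15ylcdt10t00m627l7a18es4f8
    for domain in candidate_domains(digest):
        print(domain)
```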

    Every time this malware is run, it generates up to 500 distinct domain names, with up to 1500 unique domains generated per day. While it may be capable of generating this large number of domains, in practice relatively few are used. We have found only 23 domains related to this specific variant of Gameover. More than three-fourths of the victims of this variant are located in the United States. The heat map below shows the distribution of the victims around the world, with the blue circles showing where the C&C servers are located:

    Figure 1. Heat map of victims and C&C servers

    This incident was not the first time that a DGA was used by malware to try and hide its network traffic, and it won’t be the last. So long as it is an effective way to help make detection of C&C traffic difficult, malware will continue to use this technique – to the detriment of users.

    The hash involved in this attack is:

    • 591567291435e4e1394aac27a0c4bbb1d5bdd47e

    With additional analysis from Marilyn Melliang and Marco Dela Vega


    We have discovered a vulnerability that affects versions of the Spotify app for Android older than 1.1.1. If exploited, the vulnerability can allow bad guys to control what is being displayed on the app interface. This vulnerability can potentially be abused by cybercriminals to launch phishing attacks that may result in information loss or theft.

    Spotify quickly responded to our discovery by fixing the flaw in the 1.1.1 version of the app. Users are encouraged to make sure they are using the latest version of Spotify for Android.

    Affected Activity

    The vulnerability affects a specific activity (com.spotify.mobile.android.ui.activity.TosTextActivity), which is designed to retrieve and show Spotify web pages in the app. Because the activity is exported, the content of these web pages is visible to other apps installed on the phone. Furthermore, the bug allows a separate app, process, or thread to trigger the activity without needing any additional permissions.

    Using a malicious app, an attacker can exploit this activity to alter the content being shown by the app to users. For example, we were able to show the Google home page on the Spotify app. Far more malicious pages can also be displayed within the app.

    Figure 1. Official Spotify app displaying Google home page

    Figure 2. “Malicious” page that could be displayed by the app

    It should be noted that the malicious app can trigger and “minimize” the activity at will. If a user tries to stop the Spotify app by using the “Back” button, the malicious content will show up on the screen. Users who may not be overly familiar with the app might view this action as a normal routine for the app.

    Because potential attacks do not require additional permissions, users may not be aware of any suspicious activity that may arise from this situation. The lack of additional permissions also means that AV solutions and threat researchers may find it harder to detect and analyze malicious activity.

    Potential for Phishing Attacks

    Attackers may take advantage of this vulnerability to create phishing pages that ask for sensitive information such as user names, passwords, contact details, and even payment information. The latter is especially plausible considering Spotify offers both free and premium services. A well-crafted phishing page might cause users to assume that the request for financial information is part of a routine or process. A phishing page is often just the first step to other schemes. The stolen information could be used for other schemes such as identity theft, fraud, or even targeted attacks.

    Cybercriminals may also create pages that will lead users to other threats such as malware. Because the vulnerability lies within the official app—compared, say, to a fake Spotify app—users will be prone to believe the malicious pages being displayed. These scenarios are similar to ones we previously discussed in our blog entry, Android App Components Prone to Abuse.

    Spotify has fixed the flaw in Version 1.1.1 of the Android app. We advise Spotify users to upgrade to that version or later, either by downloading the latest version directly or by visiting the Google Play store to receive the latest update automatically. At the time of publishing, the latest version is 1.1.2.

    As of this writing, we are not aware of any attacks using this vulnerability.


    When you work for a security company, sometimes people think you must know everything there is to know about technology. So sometimes I get asked, “Will Bitcoin and other cryptocurrencies succeed?”

    Unfortunately, I’m an engineer, not an economist. I can’t speak to how big central banks like the Federal Reserve in America, the Bundesbank here in Germany, or the Bank of England in Britain will react to it. Maybe they’ll try to regulate it. Maybe they’ll try to ban it. Who knows? Ask an economist or a banker; they might know better.

    What I do know is that more and more brands are accepting cryptocurrencies as payment. In America, for example, online tech stores like Dell and Newegg have started to accept bitcoins. Not only can you buy your gadgets with bitcoins, but you can also go on vacation with them — online travel agencies like Expedia.com and airlines like airBaltic accept bitcoins as well.

    However, they’re not the only ones who have embraced Bitcoin. Cybercriminals have embraced it too. If you’re affected by ransomware, you can pay for your ransom with bitcoins. Cybercriminals buying goods and services from each other are using it, too.

    Why are these crooks using Bitcoin? One reason may be they think that it’s safe and anonymous. Certainly, many of its biggest supporters say the same thing. However, that’s not really accurate. Yes, your Bitcoin address doesn’t directly say anything about you, but all transactions are part of the blockchain – which means anyone can see it.

    Any organization with skills in organizing large data sets and gathering information from various sources could – if they wanted to – de-anonymize Bitcoin transactions. It’s not as safe as people think. Let’s not even go into detail about how malware is trying to steal bitcoins from the wallets of users.

    So, is Bitcoin the future of cryptocurrencies? What I do know is that cybercriminals like it just as much as real-world currency, and it has its own share of risks too. In some ways, the new digital currency is just like the old ones.

    For more of my thoughts on Bitcoin and other cryptocurrencies, watch the video below titled Bitcoin: Here today, gone tomorrow?.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice