TrendLabs Malware Blog - Trend Micro
    Archive for October 9th, 2012

    After the out-of-band update for the IE zero-day reported a few weeks ago, this month’s patch cycle is a fairly light one. Today, Microsoft released seven bulletins addressing several vulnerabilities for October. Of these security updates, only one is rated critical.

    Included in this release is MS12-064, which addresses vulnerabilities in Microsoft Office. If exploited via a specially crafted .RTF file, this vulnerability could result in remote code execution, compromising the security of the system. Another notable security update is MS12-070, which patches a vulnerability in Microsoft SQL Server on systems running SQL Server Reporting Services (SSRS). Remote attackers can execute commands when this vulnerability is exploited. To exploit it, an attacker needs only to send users a specially crafted link or create a web page hosting an exploit.

    Trend Micro Deep Security and OfficeScan users with the Intrusion Defense Firewall (IDF) plugin have been protected since this security advisory was released. For more information on the bulletins and their IDF rules, visit the Threat Encyclopedia page.

    Posted in Bad Sites | Comments Off on October 2012 Patch Tuesday Includes Update for Vulnerabilities in MS Office

    As reported earlier by Rik Ferguson, users are facing more waves of Skype spammed messages. These attacks are being used to distribute various threats, including ransomware and infostealers.

    These attacks, which arrive as Skype messages, ask if the user has a new profile picture:

    The link (which includes the user name of the recipient) goes to a file hosted at a legitimate file locker service. The downloaded file is a variant of the DORKBOT malware family, detected as WORM_DORKBOT.DN. This malware allows an attacker to take complete control of the user’s system. Its capabilities include password theft from various websites (including pornographic sites, social media, file lockers, and financial services) and launching distributed denial-of-service (DDoS) attacks. The behavior a user may see can vary significantly. It can also download other malware, including ransomware and click fraud malware, depending on the link provided by the C&C servers.

    To spread via Skype, it downloads a separate component (detected as WORM_DORKBOT.IF). This component sends the same message to everyone in the user’s contact list, restarting the cycle all over again. WORM_DORKBOT.IF checks the system locale and sends the message “lol is this your new profile pic” in a language depending on the user’s geolocation.
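    A defender-side illustration of the two indicators described above, the profile-picture lure phrase and a link that carries the recipient’s own user name; this is an added example with constructed sample messages, not code or data from Trend Micro, and the domain names in it are placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample Skype messages (not real captures). The first and last mimic
# the lure described in the post: the profile-picture question plus a link whose
# query string carries the recipient's own user name.
SAMPLE_MESSAGES = [
    {"to": "alice.w", "text": "lol is this your new profile pic? http://filelocker.example/dl?img=alice.w"},
    {"to": "bob", "text": "hey, lunch at 12?"},
    {"to": "carol", "text": "here are the slides https://intranet.example/deck.pdf"},
    {"to": "dave", "text": "is this your new profile pic http://short.example/a?user=dave&x=1"},
]

# English lure only; the localized variants sent by WORM_DORKBOT.IF would need
# their own patterns (not reproduced here).
LURE_RE = re.compile(r"\bis this your new profile pic(?:ture)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

def link_names_recipient(url, recipient):
    """True if the recipient's user name appears in the URL path or query values."""
    parsed = urlparse(url)
    tokens = {p.lower() for p in parsed.path.split("/") if p}
    tokens |= {v.lower() for vals in parse_qs(parsed.query).values() for v in vals}
    return recipient.lower() in tokens

def score_message(msg):
    """Return the list of indicators found in one message (empty if none)."""
    reasons = []
    if LURE_RE.search(msg["text"]):
        reasons.append("profile-pic lure phrase")
    if any(link_names_recipient(u, msg["to"]) for u in URL_RE.findall(msg["text"])):
        reasons.append("link embeds recipient name")
    return reasons

def flag_suspicious(messages):
    """Return (recipient, reasons) pairs for every message with at least one indicator."""
    flagged = []
    for m in messages:
        reasons = score_message(m)
        if reasons:
            flagged.append((m["to"], reasons))
    return flagged

if __name__ == "__main__":
    for to, reasons in flag_suspicious(SAMPLE_MESSAGES):
        print(to, "->", ", ".join(reasons))
```

    Running it flags only the two constructed lure messages; a message that matches both indicators is a far stronger signal than either one alone.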

    As the Countermeasures Blog reported, Trend Micro has detected and blocked over 2,800 associated files in a span of 24 hours.

    We’re currently monitoring this threat. We’ll update this blog entry with more details as they become available.

    Update as of October 10, 2012 3:47 am PDT

    The number of blocked and detected files associated with this attack has increased. From 2,800 files recorded on October 9, the total number of blocked and detected files is now at 6,800. Trend Micro product users are actively protected from DORKBOT malware used in these attacks.

    Update as of October 12, 2012 7:25 am PDT

    Based on feedback from the Smart Protection Network, we have seen 13,221 total infections.


    Advanced persistent threats and targeted attacks often use socially engineered email as their point of entry into a target network.* Considering the volume of email that an average business user sends (41) and receives (100) in a single working day, and the relative ease with which socially engineered emails are crafted and sent, enterprises need to reexamine how they secure this aspect of business communication.

    Different social engineering techniques have been used in past targeted attacks. For instance:

    • Attackers send these emails via popular webmail accounts
    • Attackers send these emails from previously compromised email accounts
    • Attackers use spoofed email addresses that mimic departments or figures of authority

    These emails often carry exploit attachments that leverage vulnerabilities in popular software in order to compromise the victim’s computer. Once the computer is compromised, the rest of the APT campaign unfolds inside the network.
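    An added example (not TrendLabs code) that applies the three sender patterns listed above, plus the exploit-attachment point, as a header triage check; the webmail provider list, authority keywords, risky extensions, internal domain and the sample message are all constructed assumptions.

```python
import email
import email.utils
from email import policy

# Assumptions (not from the post): which providers count as public webmail, which
# display-name words mimic an internal authority, and which attachment types are
# treated as likely exploit carriers (.rtf included because of MS12-064 above).
INTERNAL_DOMAIN = "corp.example"   # the defended organization's own domain
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
AUTHORITY_WORDS = ("hr ", "human resources", "ceo", "it department", "finance", "helpdesk")
RISKY_EXT = (".rtf", ".doc", ".xls", ".pdf", ".exe", ".scr")

# Constructed sample message: a webmail sender posing as HR with an .rtf attachment.
RAW_EMAIL = b"""From: "HR Department" <hr.corp.example@gmail.com>
To: employee@corp.example
Subject: Updated benefits policy - please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached policy update today.
--b1
Content-Type: application/rtf; name="policy.rtf"
Content-Disposition: attachment; filename="policy.rtf"
Content-Transfer-Encoding: base64

e1xydGYxfQ==
--b1--
"""

def triage(raw_bytes):
    """Return the list of social-engineering indicators found in one raw email."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in WEBMAIL_DOMAINS:
        findings.append("sender uses public webmail")
    if domain != INTERNAL_DOMAIN and any(w in name.lower() for w in AUTHORITY_WORDS):
        findings.append("display name claims internal authority from external domain")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            findings.append(f"attachment {filename} is a common exploit carrier")
    return findings
```

    Calling `triage(RAW_EMAIL)` returns all three findings for the sample; mail from a previously compromised legitimate account (the second pattern above) produces none, which is exactly why header checks must be paired with attachment and content inspection.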

    Enterprises, and especially the security groups that defend the network, need to become more aware of how simple it is for attackers to take advantage of email, since email is the most common form of business communication. TrendLabs developed the primer Are Your Business Communications Secure? and the infographic Covert Arrivals: Targeted Attacks Via Employee Boxes, both of which tackle the dangers of email when it comes to advanced persistent threat campaigns.

    Developing and utilizing external and local threat intelligence is a key enabler in any APT defense strategy. The Threat Intelligence Resources page is a reliable source of the latest in research and analysis on advanced persistent threats for IT, system and network administrators: the enterprise’s network defenders. Visit this page as it will be updated with new content to keep you posted on the latest developments in targeted attacks.

    * This is not to say all APTs arrive via email, as there is definitely a wide range of entry points available to threat actors.

    Posted in Targeted Attacks | Comments Off on Covert Arrivals: Email’s Role in APT Campaigns


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice