In the past year, we’ve noticed many changes in how toolkits and exploit kits are being used.  For starters, the bad guys are spending more time securing their creations , as well as the servers where their malware will be installed. They do this to prevent leaks, as well as to make things harder for security researchers.

Here are some of the more well-known names, and what’s happened to them recently.

ZeuS

ZeuS has technically always been purchased and installed in a relatively secure way. Many of its users tended to be more technically capable; its author (Monstr/Slavik) was also selective about to whom he sold ZeuS to. ZeuS is secure, stable and able to manage thousands of bots. This is why it became famous in the underground, and why its use remains frequent to this day.

Citadel, IceIX

Citadel and IceIX are both malware toolkits that were created using the leaked ZeuS source code as a starting point. They took advantage of ZeuS’s popularity and leaked source code to create their own versions. Aquabox, the author and seller of Citadel, has made improvements to the original ZeuS source code and admin panel, making it attractive to other cybercriminals.

Read the rest of this entry »

Apart from keeping servers and endpoints secure, IT teams in enterprises also make sure that day-to-day business operations run smoothly. With this in mind, IT groups often delay installing security updates once software vendors release them for several reasons. For one, applying patches often require restarts for mission critical servers and at times these may require services to go offline. Tests and actual deployment on patches may also take up to 30 days or more because IT teams also need to research on the effects of these patches.

Ultimately, the need to avoid business disruption in order to meet SLAs and reduce operation costs can force IT teams in charge of security to deprioritize patch management. In short, operational concerns and compliance mandates tend to prevail over security.

As a result, this introduces windows of exposure leading to these security risks:

• Zero-day exploits: exploits that leverage vulnerabilities before vendor announcement and patch release
• “Buggy” or incomplete vendor patch: flawed patch released by software vendor to fix a vulnerability
• In-the-wild exploit: cybercriminals often use exploits as an infection vector or delivery mechanism

Read the rest of this entry »

Some malware are more persistent than others – like WORM_VOBFUS. This recent heap of WORM_VOBFUS variants seen spreading on Facebook does not exhibit new routines, but it is a good reminder for users about well-known but easily forgotten safe computing practices.

Based on our initial analysis, these WORM_VOBFUS variants that do not show any advanced routine or propagation technique. However, based on our Smart Protection Network™ feedback, the infection of these malware grew the past days.

Aside from spreading on Facebook, there is nothing new so far about WORM_VOBFUS. So why is it still a problem? Below are some persistent issues surrounding WORM_VOBFUS.

Read the rest of this entry »

We discussed last week the risks that out-of-office notifications pose for organizations – namely, that they could serve as leaks that an attacker could use to conduct successful attacks.

However, the threats from automatic e-mail replies don’t stop with out-of-office notifications. Two other types of automatic replies also pose a threat: bounce messages, and read notifications. Let’s deal with them one at a time.

Bounce messages – more formally known as non-delivery reports (NDRs) – have long been known to be a spam problem. However, they too can become a source for information leakage: improperly configured mail servers can leak details such as their host name, IP address, and software configuration. A skilled attacker can use this information in various ways – whether it’s technical (i.e., attack the server) or non-technical (build an org chart).

However, the primary usage of bounce messages would be to provide real-time confirmation of e-mail addresses. While e-mail addresses found online will probably work, bounce messages can be a more effective and accurate way to confirm email addresses.

Read receipts are even more problematic. For an attacker, it tells them whether an attack “succeeded” or not: i.e., if a human read the email. (Implicitly, it also tells the attacker that the email address does exist.) This is some of the most valuable information an attacker can get – he can use this information to gauge what kind of email his victims will read. In combination with web bugs, the attacker can even determine what software the victim is running.

Read the rest of this entry »

In the discussion of targeted attacks, it is usually taken for granted that they arrived via some sort of spear-phishing attack. The discussion then goes into an analysis of the malware involved and/or the servers used or compromised in the attack.

However, to avoid attacks in the first place, it is of value to look at the spear-phishing attacks themselves. More information about these attacks would allow administrators to consider which emails could pose a security risk, and design their defenses accordingly.

With that in mind, we wrote our paper titled Spear-Phishing Email: Most Favored APT Attack Bait. In addition to looking at the attachments and file types used, we also looked at the industries/sectors that are targeted, and investigated the importance of good reconnaissance in launching targeted attacks.

Among our key findings are just who is targeted by APTs, and how attackers can find them. Just under two-thirds, or 65 percent, of APT campaigns targeted governments. Just over one-third (35 percent) targeted activists.

In addition, we found that a disturbing number of email addresses can be found online rather easily. Three-fourth of all e-mail addresses that were targets of spear phishing could be found online. This indicates that for would-be attackers, it is very easy to build up a “target list” for any spear-phishing campaigns.

For our full findings, you can read our paper, which you can download by clicking the link below: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf