    TrendLabs Security Intelligence Blog

    Archive for November 19th, 2012

    It has been weeks since we watched the destructive effects of Hurricane Sandy on the environment and on the people living in the affected areas. Trend Micro and the security industry have been on the lookout for scams and threats that use Sandy as a social engineering ploy to infiltrate targets.

    During our tracking of targeted attacks and cybercrime, we have uncovered one such campaign. It seems that, amid the commotion caused by Sandy, some groups used the event as social engineering bait to target NATO Special Operations Headquarters (NSHQ) last October 31.

    The email message we spotted has the subject “Did Global Warming Contribute to Hurricane Sandy’s Devastation” and carries a .DOC attachment with the same title. The people behind this scheme appear to have reused the title of a recent New York Times blog post about Hurricane Sandy. The sender IP we observed ({BLOCKED}.{BLOCKED}.241.144) appears on at least 3 blacklists.

    The attachment, which Trend Micro detects as TROJ_ARTIEF.SDY, exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333), which Microsoft addressed in November 2010 in MS10-087, to drop the backdoor BKDR_DLDR.A. As you may recall, this vulnerability was the top exploited vulnerability this April. Despite being patched in 2010, attackers have continued to use this MS Word bug ever since. This shows that attacks need not use zero-day exploits to be effective.

    The dropped malware, BKDR_DLDR.A, connects to its command-and-control (C&C) server, domain.{BLOCKED}2.us, to send and receive commands from remote attackers. The commands it can execute include downloading, copying, modifying, and creating files and folders, stealing file information, and acquiring time zone information, among others. According to senior threat researcher Nart Villeneuve, this backdoor is an Enfal/Lurid variant, a family we have documented in the past as having been used, and possibly still being used, in targeted attack campaigns.
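    As an added defensive example (this is not code from the original post or from Trend Micro), the Python script below shows how a mail gateway could triage a message like the one described above: it flags a .doc attachment whose content is really RTF, looks for the publicly documented CVE-2010-3333 indicator (an RTF drawing-object shape property named pFragments, the property whose parsing overflowed the stack in Word), and counts how many blacklists list the sender IP. The blacklists, the TEST-NET address standing in for the redacted sender IP, the scoring weights, and the stub RTF body are all constructed for this example; the sample RTF contains only the property name, not an exploit.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Magic bytes for the two container formats a ".doc" attachment might really be.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (genuine Word .doc)
RTF_MAGIC = b"{\\rt"                             # RTF text always starts with "{\rtf"

# Public indicator for CVE-2010-3333 exploit documents: an RTF shape property
# named "pFragments". Legitimate documents essentially never carry it.
PFRAGMENTS_RE = re.compile(rb"\\sn\s+pFragments", re.IGNORECASE)
# Topical lure subject seen in this campaign.
LURE_SUBJECT_RE = re.compile(r"hurricane\s+sandy", re.IGNORECASE)


@dataclass
class Message:
    sender_ip: str
    subject: str
    attachments: Dict[str, bytes] = field(default_factory=dict)  # name -> raw bytes


def attachment_findings(name: str, data: bytes) -> List[str]:
    """Return human-readable findings for one attachment."""
    findings = []
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    if ext == "doc" and is_rtf:
        findings.append(f"{name}: extension says .doc but content is RTF")
    if is_rtf and PFRAGMENTS_RE.search(data):
        findings.append(f"{name}: pFragments shape property (CVE-2010-3333 indicator)")
    return findings


def blacklist_hits(ip: str, blacklists: Dict[str, Set[str]]) -> List[str]:
    """Names of the blacklists that contain the sender IP, sorted for stable output."""
    return sorted(name for name, ips in blacklists.items() if ip in ips)


def triage(msg: Message, blacklists: Dict[str, Set[str]]) -> dict:
    """Score a message; weights are assumptions chosen for this example."""
    score, reasons = 0, []
    for name, data in msg.attachments.items():
        for finding in attachment_findings(name, data):
            reasons.append(finding)
            score += 5 if "CVE-2010-3333" in finding else 2
    hits = blacklist_hits(msg.sender_ip, blacklists)
    if hits:
        reasons.append(f"sender {msg.sender_ip} listed on {len(hits)} blacklist(s): {', '.join(hits)}")
        score += min(len(hits), 3)
    if LURE_SUBJECT_RE.search(msg.subject) and msg.attachments:
        reasons.append("topical (Hurricane Sandy) subject with a document attachment")
        score += 1
    return {"score": score, "reasons": reasons,
            "verdict": "quarantine" if score >= 5 else "deliver"}


# Constructed sample data (not real artifacts): a TEST-NET address stands in for
# the redacted sender IP, and the RTF stub carries only the property name.
SAMPLE_BLACKLISTS = {
    "dnsbl-a": {"203.0.113.144", "203.0.113.9"},
    "dnsbl-b": {"203.0.113.144"},
    "dnsbl-c": {"203.0.113.144", "198.51.100.7"},
}
LURE_RTF = b"{\\rtf1\\ansi{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;0000}}}}}"
LURE_TITLE = "Did Global Warming Contribute to Hurricane Sandy's Devastation"
LURE = Message("203.0.113.144", LURE_TITLE, {LURE_TITLE + ".doc": LURE_RTF})
BENIGN = Message("198.51.100.20", "Q4 budget", {"budget.doc": OLE_MAGIC + b"\x00" * 16})

if __name__ == "__main__":
    for label, msg in (("lure", LURE), ("benign", BENIGN)):
        result = triage(msg, SAMPLE_BLACKLISTS)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for reason in result["reasons"]:
            print("  -", reason)
```

    The extension/magic mismatch is the cheapest of the three checks and catches the disguise independently of which RTF exploit is inside; the pFragments check is specific to CVE-2010-3333 and is what gives the lure its decisive score here.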

    Posted in Targeted Attacks



    Smartphone users in Japan can download a wide variety of apps, many of which are inexpensive or free. Not all of them deliver the features users expect, and some introduce risks that users may not fully understand. In this series of blog posts, I will show how to evaluate the risks of these apps, focusing on the threats usually seen in Japan. In the first of the three entries, I examine the current situation of info-stealing apps targeting Japanese users.

    What is an “Ego App”?

    Some apps have unwanted routines that we consider high-risk; for example, some violate the user’s privacy by accessing the user’s personal information. Frequently, this is done by apps that display ads (i.e., adware). (In Japanese English, these are referred to as “ego apps.”) Examples of routines that may cause an app to be classified as such include:

    • Consuming system resources
    • Displaying pop-up advertising
    • Violating the user’s privacy

    Users who continue to use these apps may encounter unexpected behavior and may suffer problems without any notice. Both kinds of apps have been getting plenty of attention lately. We will discuss the case of aggressive mobile adware in part 2 of this series of blog posts.

    Law enforcement actions

    On October 30, 2012, several police agencies in Japan arrested a number of suspects for violating the newly implemented cybercrime law. The Japan National Police Agency announced the arrest of five suspects, including an IT company executive, for creating malicious apps. (Trend Micro detects these as ANDROIDOS_DOUGALEK variants; they are known as “the movie virus.”) In another case, the Kyoto Prefectural Police, together with its Fushimi Police Station, announced the arrest of one company executive who allegedly created the malicious apps Longer Battery Life, Signal Improvement, Sma Solar, Power Charge, and Solar Charge. We detect these as ANDROIDOS_CONTACTS variants.

    In both incidents, the suspects targeted smartphone users in Japan. We hope that these arrests will act as an effective deterrent to this kind of cybercrime. In this entry, I will look at the apps used in these attacks.


    © Copyright 2013 Trend Micro Inc. All rights reserved.