    Archive for December, 2012

    Late last week, the Council on Foreign Relations website was compromised and modified to host a 0-day exploit affecting Internet Explorer. Analysis revealed that the attack was set to affect a specific set of users, as it was set to work only if the browser language was set to English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.

    Microsoft has since issued a security advisory for the vulnerability and provided some workarounds to serve as protection until a patch is released. Trend Micro users, however, are already protected through Trend Micro Deep Security, specifically through the following rules:

    • 1005297 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792)
    • 1005301 – Identified Suspicious JavaScript Encoded Window Location Object
    • 1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) Obfuscated

    The abovementioned rules are set to detect all known variants of exploits.

    The use-after-free vulnerability in Microsoft Internet Explorer enables remote attackers to execute arbitrary code. As stated in Microsoft’s blog, we have also observed that all the reported targeted attacks so far have been triggered by an encoded or obfuscated JavaScript Window Location object, which is generally used to change the location of the current window. The vulnerability involves a cButton object that has been freed; when its reference is used again during the page reload, it points to an invalid memory location, yielding arbitrary code execution in the context of the current user. Microsoft Internet Explorer versions 6, 7, and 8 are affected, but newer versions such as IE9 and IE10 are not affected by this vulnerability.

    Read the rest of this entry »

    Posted in Exploits, Vulnerabilities | Comments Off on Why is the Watering Hole Technique Effective?

    Now that knowledge of targeted attacks, including APT activity, has become mainstream within the broader security community, I predict that 2013 will be a year in which our assumptions will be challenged. We have already seen how successful so-called “technically unsophisticated” attacks have been over the last few years, and I predict they will continue to be so, as they are designed to exploit the human factor as much as, if not more than, technology.

    In his 2013 predictions, our CTO Raimund Genes predicts that there will be increasing sophistication in malware attacks, not necessarily in the technical aspects of the malware itself but in the deployment of an attack. Moreover, he believes that such attacks will increasingly have a destructive capacity and that it will be challenging to determine attribution. Building on these points, I predict the following trends for 2013:

    • There will be an increasing specificity in targeted attacks, especially as knowledge of some of the noisier APT campaigns is increasingly publicized. We will see an increase in localized attacks such as malware that will not execute unless certain conditions are met, such as language settings, or “watering hole” attacks that will only affect certain geographic regions or even only specific netblocks.
    
    Read the rest of this entry »

    Posted in Malware, Targeted Attacks | Comments Off on What Kind of Targeted Attacks Will We See in 2013?

    Ever wonder how those pesky pop-up ads end up on your smartphone? More importantly, do you ever consider what this seemingly harmless display of ads can do to you and your data? There is more to these ads than just taking up space and eating up your phone’s bandwidth and battery life.

    This month’s Mobile Review sheds light on the overlooked organizations behind these ads, mobile ad networks. Get to know how they operate, their hidden activities, their motivations, and how they directly affect you. Though not intentionally malicious, their processes can still put mobile users at risk.

    Late in November, Senior Threat Researcher Noriyaki Hayashi already gave us a concise breakdown of the free app ecosystem and the part mobile ad networks play in it. This report gives an update on how these networks have adapted to further aid app developers and, in some way, protect users as well.

    Also in this report is a look at a mobile malware type called premium service abusers. We analyzed how they get onto smartphones, how they behave, and why they are a preferred money-making scheme of cybercriminals. Compared to our midyear stats, premium service abusers remained the top mobile malware threat in November 2012, with FAKE and BOXER variants alone racking up over 57% of our total accumulated mobile malware detections.

    Posted in Mobile | Comments Off on Mobile Ad Networks: How Do They Operate?

    Throughout 2012, we investigated a variety of targeted attacks including several APT campaigns such as LuckyCat and Ixeshe, as well as updates on some long running campaigns such as Lurid/Enfal and Taidoor. There was a lot of great research within the community related to targeted attacks published this year, and I’ve clustered the research I found to be the most interesting into six themes that I think also encapsulate the trends in targeted attacks of 2012:

    • Targets and Tools – While targeted attacks were largely equated with APT during 2011, 2012 saw the emergence of a variety of attacks, especially those in the Middle East including Shamoon in Saudi Arabia, the Mahdi Campaign, GAUSS and Wiper/Flame, which were all well documented by Kaspersky. There were other attacks related to the conflict in the Middle East, most notably Syria and Israel and Palestine (also see Norman’s analysis here). APT activity remained a significant concern in 2012, and Dell SecureWorks published a paper on clustering various APT campaigns as well as papers on Mirage and SinDigoo that illustrated the scope of the problem. Bloomberg published a series of articles about the “Comment Crew” that detailed the breadth and impact of an APT campaign. There was also considerable activity targeting Russia, Taiwan, South Korea, Vietnam, India and Japan. In addition to expanded geographic targets, we also saw the expansion of the technologies that were targeted, including Android mobile devices and the Mac platform. Seth Hardy from the Citizen Lab gave a great presentation at SecTor that provides an overview of the various Mac-related RATs (SabPub, MacControl, IMULER/Revir and Dokster) that emerged this year. And although we have seen smartcard-related attacks in the past, thanks to some great analysis of Sykipot from AlienVault we saw technical details around smartcards that were deliberately targeted.
    
    Read the rest of this entry »

    Posted in Targeted Attacks | Comments Off on The Trends in Targeted Attacks of 2012

    Malware like BKDR_JAVAWAR.JG proves that web servers are viable targets for cybercriminals, as they store crucial data and can be used to infect other systems once unwitting users visit affected websites.

    We recently spotted a Java Server Page that performs backdoor routines and gains control over the vulnerable server. Trend Micro detects this as BKDR_JAVAWAR.JG. This malware may arrive as either a file downloaded from certain malicious sites or as a file dropped by other malware.

    For this attack to be successful, the targeted system must be a Java Servlet container (such as Apache Tomcat) or a Java-based HTTP server. Another possible attack scenario is when an attacker checks for websites powered by Apache Tomcat then attempts to access the Tomcat Web Application Manager.

    Using a password cracking tool, cybercriminals can gain manager/administrative rights, allowing the deployment of Web application archive (WAR) files packaged with the backdoor to the server. The backdoor is then automatically added to the accessible Java Server Pages. To execute its routine, the attacker can access the Java Server Page using the following URL:

    …/{sub-directory inside Tomcat webapps folder}/{malware name}
    
    (The host portion of the URL did not survive extraction of the original post.)
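    The attack chain described above leaves three traces in a Tomcat access log: a run of failed authentications against the Web Application Manager (the password cracking step), a successful request to one of the manager's deploy endpoints (the WAR upload), and subsequent requests for a JSP under a context that was never legitimately deployed (the backdoor being invoked). The following detection script is an added example written for this page; it is not Trend Micro's code and is not part of the original post. It assumes Tomcat's default common access-log format, assumes the manager deploy endpoints `/manager/text/deploy`, `/manager/html/upload` and the older `/manager/deploy`, and runs over a handful of constructed log lines embedded in the script.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's default ("common") access log format.
# One client hammers the manager app with bad credentials, succeeds, uploads a
# WAR through the HTML manager, then requests a JSP under the new context.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2012:10:01:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Dec/2012:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Dec/2012:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Dec/2012:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Dec/2012:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [12/Dec/2012:10:01:04 +0000] "GET /manager/html HTTP/1.1" 200 19041
10.0.0.5 - admin [12/Dec/2012:10:01:09 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 20011
10.0.0.5 - - [12/Dec/2012:10:01:15 +0000] "GET /stats/index.jsp HTTP/1.1" 200 512
192.168.1.20 - - [12/Dec/2012:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024
192.168.1.20 - ops [12/Dec/2012:10:06:00 +0000] "GET /manager/html HTTP/1.1" 200 19041
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Manager endpoints that deploy an application (assumed; see lead-in).
DEPLOY_PATTERNS = (
    ("PUT", "/manager/text/deploy"),
    ("POST", "/manager/html/upload"),
    ("GET", "/manager/deploy"),
)


def parse(lines):
    """Parse access log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            events.append(d)
    return events


def find_manager_bruteforce(events, threshold=5):
    """Return {ip: count} for clients with >= threshold 401s against /manager/."""
    counts = defaultdict(int)
    for e in events:
        if e["path"].startswith("/manager/") and e["status"] == 401:
            counts[e["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_war_deployments(events):
    """Return (ip, user, method, path) for successful deploy-endpoint requests."""
    hits = []
    for e in events:
        path = e["path"].split("?", 1)[0]  # drop query string (CSRF nonce etc.)
        for method, prefix in DEPLOY_PATTERNS:
            if e["method"] == method and path.startswith(prefix) and e["status"] == 200:
                hits.append((e["ip"], e["user"], e["method"], path))
    return hits


def find_unexpected_jsp(events, known_contexts):
    """Return (ip, path) for served JSPs whose context is not in the allowlist.

    A WAR-dropped backdoor is reached as /{context}/{page}.jsp, so any JSP
    served under a context the operator never deployed deserves a look.
    """
    hits = []
    for e in events:
        path = e["path"].split("?", 1)[0]
        if not path.lower().endswith(".jsp") or e["status"] != 200:
            continue
        parts = path.split("/")
        context = parts[1] if len(parts) > 2 else "ROOT"
        if context not in known_contexts:
            hits.append((e["ip"], path))
    return hits


def report(log_text, known_contexts):
    """Run all three checks over raw log text and return the findings."""
    events = parse(log_text.splitlines())
    return {
        "bruteforce": find_manager_bruteforce(events),
        "deployments": find_war_deployments(events),
        "unexpected_jsp": find_unexpected_jsp(events, known_contexts),
    }


if __name__ == "__main__":
    # The constructed contexts are those the operator actually deployed.
    for key, value in report(SAMPLE_LOG, {"ROOT", "manager"}).items():
        print(key, value)
```

    Correlating the three findings by client address is what turns individual log lines into the story the post tells: the same address that produced the 401 burst is the one that uploaded the WAR and then called the new JSP. In practice the allowlist of known contexts should come from the deployment inventory, and the manager application itself should be restricted to trusted addresses or removed from servers that do not need it.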

    Read the rest of this entry »

    Posted in Malware | Comments Off on Backdoor Disguised as Java Server Page Targets Web-hosting Servers


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice