Today is one of those days when security news finds its way to the front page of mainstream news. The New York Times announced in a very detailed report that their network had been breached starting about four months ago in an Advanced Persistent Threat (APT) attack. Their story explains that the attackers have been repelled from their network with help from an outside security company.

What makes this story interesting and important reading is the scope of detail it provides around the attack. Because they’re disclosing an attack after it’s been thwarted, the story provides a broad view into the full lifecycle of an APT attack. The report also provides a level of detail that is rare in these situations. Anyone interested in security and protecting against APTs should take some time and read the full New York Times’s story.

One thing that the New York Times does is to call out that they had security products in place and that those failed to prevent the attack. They go so far as to name the vendor. Some have characterized this as “pointing the finger” at the vendor (who has defended themselves publicly). We don’t have detailed specifics around what products were deployed and how they were maintained. But the New York Times’ story and the vendor’s response would seem to imply that the protection regimen was focused on signature-based endpoint-security. Presumably there were other protections like firewalls and possibly intrusion prevention systems (IPS) that also failed to prevent the attack but there is no specific mention of that.

With that information and what we know about the attacks, we can draw some lessons from that around what it takes to adequately defend an environment against APTs.

Read the rest of this entry »

The past few months have been a busy one for Blackhole spam attackers. The last time we discussed Blackhole spam runs, we noted that it had returned from its New Year break and was hitting users again. Previously, we’d reported in September about how a new version of the Blackhole Exploit Kit had been introduced by attackers into the underground. Since September we observed upgrades and new developments in this area, which this post will tackle.

Upgrade to Blackhole Exploit Kit 2.0

Cybercriminals have stopped using the older 1.x version of the Blackhole Exploit Kit entirely and moved to version 2.0 since last September. Most significantly, the URLs no longer have the eight-character-long random strings that were a key part of the 1.x version. These strings made discovering and monitoring websites that were connected to various spam runs easier for researchers.

New vulnerabilities have also been added to the Blackhole Exploit Kit as they have been made “public”. For example, the recent Java zero-day was added to BHEK’s arsenal within days of the vulnerability becoming known to the security industry.

Clearly, these cybercriminals are continuously enhancing this toolkit to evade detection as well as to generate profit from users. Accordingly, Blackhole Exploit Kit was used to distribute known information stealing malware such as ZeuS and Cridex variants.

Increased Usage of Different Infection Chains

One development we have seen is that different browsers are receiving different infection chains, with more distinct differences from browser to browser. For example, there are situations where users running Chrome may receive malicious files, but Firefox and Internet Explorer do not.

Why this is being done remains unclear. It’s possible that this is being done to lower the profile of these threats; this makes sense in combination with the next development. What is clear is that this makes analysis by researchers and security vendors more complicated. It increases the number of test cases that have to be looked at thus increasing the effort that must be dedicated to any individual attack.

Read the rest of this entry »

Mobile malware continues to grow not only in number but in sophistication. We recently spotted botnet malware running on over a million infected smartphones. And while Android users are the main targets, Apple users could soon find themselves victims with reports of pirated apps finding their way on iOS devices. With these recent developments, our prediction of 1 million malicious detections by the end of 2013 hardly seems far-fetched.

But should users be concerned about malware only? No, they should also be concerned about their data. Given some of the activities done on smartphones involve a lot of information—email, gaming, and social networking—protecting data on mobile devices should be a priority.

While data stealing malware is a threat to privacy, legitimate apps can also put user data at risk. But these aren’t the only ways that information can go public. Common user behavior such as connecting to public WiFi networks and playing games on social media sites can allow others to view online activities. Browsing histories can be collected to send targeted ads to users. Even online profiles can become a risk, if users post too many details.

Read the rest of this entry »

In 2010, we noted CARBERP’s noteworthy features, including its capability to install itself without Administrator Privileges, effectively defeating Windows 7 and Vista’s User Account Control (UAC) feature. In 2012, however, a positive turn of events occurred as 8 individuals involved with CARBERP operations were arrested by Russia’s Ministry of Internal Affairs. This arrest should have put the final nail into CARBERP’s coffin.

But just recently, CARBERP is making news again, with an improved (and costly) versions and mobile app variants available in the wild.

Detected as BKDR_CARBERP.MEO, this malware downloads new plugins to complement its information stealing routines, including vnc.plug and vncdll.plug that help a possible attacker to remotely access an infected system and Ifobs.plug used in monitoring Internet banking.

This backdoor also connects to certain control-and-command (C&C) servers to get commands from a possible remote user. Like other CARBERP variants, it targets Russian banks.

In an attempt to take advantage of the growing number of mobile device users, mobile versions of CARBERP were also found on certain app providers including Google Play (first seen around December last year). These apps (detected as ANDROIDOS_CITMO.A) check for specific SMS messages like authentication codes sent by banks and forward this to a remote server.

Read the rest of this entry »

Malicious schemes promising free or discounted items are effective because everyone likes a great offer. More so, if the offered item is a much-talked about product like Windows 8.

Last year, we unraveled some fake Windows 8 generators, fake Windows 8 antivirus programs, and phishing email that surfaced right after the platform’s release. Though it’s been months since it was launched, we found out that certain bad guys are continuously using the brand to lure users into their ruse. This time, however, they are offering Windows 8 “activators” amidst news of Microsoft’s limited offer of discounted Windows 8 upgrade.

During our research, we found several websites using Windows 8 as keywords. The first site purportedly offers free Windows 8 “activator”, which is actually fake (detected by Trend Micro as HKTL_KEYGEN).

Figure 1. Screenshot of site offering fake Windows 8 activator

The other site we looked into also offers free Windows 8 activator, dubbing it the “Windows 8 Activator Loader Extreme Edition 2013”.

Read the rest of this entry »