Cybercriminals tend to leverage what’s popular and new. Case in point, the much-anticipated Google Project Glass is being used as a social engineering lure to trick unsuspecting users into scams.

We found that one of the top results for the search term “free Google glasses” is an eye-catching YouTube link with the title [{FREE}] Google Project Glass [[FREE GOOGLE GLASSES]:

Figure 1. Search results for ‘free Google glasses’

The video was copied from the original Google Glass YouTube advertisement. The YouTube video also contains information on how to get the Google Glass for free as seen in the screenshot below:

Figure 2. Youtube video

Read the rest of this entry »

The popular Japanese word processor software Ichitaro is no stranger to threats, particularly exploits taking advantage of the software’s vulnerabilities. Since 2007, we have reported the malware targeting Ichitaro’s security flaws.

This time, however, we uncovered an attack that employs an old trick that even Microsoft Office was previously vulnerable to (CVE-2011-1980). Typically, when an application or document is executed, it loads several .DLL files. It first checks the current directory where it was opened and if the .DLL is present, it then loads that file; but if not, it checks other folders such as System folder.

An attacker can take advantage of this to get an application to load a malicious DLL file instead of a legitimate one; this particular attack is known as DLL preloading. The samples we found only refers to the filename of the DLL file, so it will first search the current directory before checking the other folders in the system. While this vulnerability could be used to access a malicious DLL that is in a remote folder, that was not the case here.

The attack arrives as a malicious compressed file, attached to an email message. Inside the compressed file are two Ichitaro documents and JSMISC32.DLL. Using the vulnerability cited above, the Ichitaro software loads the modified .DLL (detected as PTCH_ETUMBOT.AV) once users open the document. We have been detecting this DLL file and its subsequent payload since January of this year.

Read the rest of this entry »

Last year, we reported about PlugX a breed of Remote Access Trojan (RAT) used in certain high-profile APT campaigns. We also noted some of its noteworthy techniques, which include its capability to hide its malicious codes by decrypting and loading a backdoor “executable file” directly into memory, without the need to drop the actual “executable file”.

Recently, we uncovered a RAT using the same technique. The new sample detected by Trend Micro as BKDR_RARSTONE.A is similar (but not) PlugX, as it directly loads a backdoor “file” in memory without dropping any “file”. However, as we proceeded with our analysis, we found that BKDR_RARSTONE has some tricks of its own.

We obtained the sample through a spear phishing email that contains a specially-crafted .DOC file (detected as TROJ_ARTIEF.NTZ). This Trojan drops and executes BKDR_RARSTONE.A, which in turn drops the following files:

• %System%\ymsgr_tray.exe – copy of BKDR_RARSTONE.A
• %Application Data%\profile.dat – blob file containing malware routines

BKDR_RARSTONE.A then executes the dropped copy ymsgr_tray.exe. This backdoor then opens a hidden Internet Explorer process, in which it injects the codes contained in profile.dat.

As with PlugX, the injected code decrypts itself in memory. Once decrypted it “downloads” a .DLL file from its C&C server and again loads it in the memory space of the hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system, but instead directly loaded in memory, making file-based detection ineffective.

Typical of a backdoor, BKDR_RARSTONE.A connects to specific sites and can perform several routines, which include enumerating files and directories, downloading, executing, and uploading files, and updating itself and its configuration.

Worth noting among its backdoor routine is its ability to get installer properties from Uninstall Registry Key entries. It does this to get hold of information about the installed applications in the affected system, as well as to know how to uninstall certain applications. This can be handy in silently uninstalling applications, which may interfere with the backdoor’s routine, e.g. anti-malware software and the likes.

Another interesting feature of this backdoor is the communication method it uses, specifically SSL. This use of SSL has a two-fold advantage: it guarantees that communication between the C&C and infected system is encrypted, at the same time it blends in with normal traffic.

Read the rest of this entry »

PostgreSQL is a fully featured object-relational database management system. It supports a large part of the SQL standard and is designed to be extensible by users in many aspects.  Graphical user interfaces and bindings for many programming languages are available as well.

Earlier this month, I discovered a denial of service vulnerability in versions of PostgreSQL that caused a crash if a function was called with invalid arguments in a SQL query. In theory, one could examine the contents of the server’s memory after the crash using this vulnerability. Currently, no threats in the wild are exploiting this vulnerability.

The following versions of PostgreSQL are vulnerable:

• 8.3.x before 8.3.23
• 8.4.x before 8.4.16
• 9.0.x before 9.0.12
• 9.1.x before 9.1.8
• 9.2.x before 9.2.3

The function in question is the  enum_recv function, which is not properly declared in backend/utils/adt/enum.c. The current fix bars calling the function from SQL; the declaration of the function will be fixed in a future release by PostgreSQL. The function should accept inputs of the type “internal” not as “cstring”.

Read the rest of this entry »

Just like other businessmen, scammers operate using certain business models. In my previous post, I wrote about the typical scammer, their trust model, and the strategies they use to get, hold, and sustain customers. In this post, we’ll look at their business model, and how users can avoid their schemes.

Scammers Business Model

While scammers typically don’t use a formalized business model, we can easily determine how these guys operate. This model is similar to traditional business models in that it focuses on gaining and keeping customers and sending referrals. Though this model may not be true to all operations/operators of scams, this template is based on the common behavior exhibited by these operators.

In this business model sample, scammers first scout for customers. Once they are able to ascertain these customers, they develop loyalty programs to keep them around, which include selling items in bulk. They also attempt to grow their customer base either through referrals or by verifying their fellow scammers (“back scratching”).

Figure 1. Sample scammer business model

We have seen this type of business model used several times in scams and continue to see its prevalence in 2013. In the 2013 security predictions, we stated that these sellers will become more motivated as 2013 progresses, and this is just further proof that we will continue to see this type of business development these coming years.

Read the rest of this entry »