Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    February 2013
    S M T W T F S
    « Jan   Mar »
  • Email Subscription

  • About Us

    Archive for February, 2013

    Currently, we have been seeing an uptick in the number of denial-of-service attacks using DNS reflection or amplification. There are many variants, but the general outline of the attack is the same:

    1. An attacker creates a DNS query with a fake source IP address – that of the intended victim. (Consider this as being analogous to a fake return-to-sender address.)
    2. The query is sent to a DNS server that accepts queries from external addresses (i.e., those from a different ISP/network than its own). In addition, the query is crafted to generate the largest reply possible. Frequently, DNSSEC is used, as returns using it  tend to be much larger than other DNS replies.
    3. The intended victim is flooded with packets. These can either be replies from the DNS server, or error messages sent along the way which are sent back to the “sender.”
    4. Using DNS reflection, it is possible to use a relatively small number of hosts (often compromised) to generate huge volumes of traffic aimed at victims. Often, the abused DNS servers don’t even know they are involved in an ongoing attack.
    5. This type of attack is very hard to trace as the source is well masked and you need lots of cooperation from the DNS server operators as well as their network service providers to trace attack to a source.

    Both network operators and the administrators of DNS servers can help mitigate these attacks.

    Network Operators

    It is estimated that 14.1% of netblocks, which total 16.8% of all IP addresses, can be spoofed. That may sound small, but the Internet is a big place. An attack using DNS reflection can cause a large amount of damage, even if much less than 1% of IP addresses are used.

    Ingress filtering applied at the router or firewall is one way to prevent networks from being a source of this type of attack. It prevents packets from transiting the router if the source address of the packet does not belong on the interface on which the packet was received. By analogy, this would be like a post office rejecting outgoing mail that had return addresses from out of town.

    This doesn’t stop spoofing attacks from machines on the same network, it does prevent machines from initiating spoofing-based attacks against outside networks. One of the best resources here is BCP-38, which describes in detail how to implement this type of filtering.

    Read the rest of this entry »

    Posted in Targeted Attacks | Comments Off on Mitigating DNS Reflection Denial-of-Service Attacks

    It’s another big information security story day at the New York Times. Three weeks ago after their big story detailing the Advanced Persistent Threats (APT) attack against their network, today they have a story detailing the ongoing espionage and corporate espionage against companies and organizations around the world.

    It’s a very interesting and very detailed story. It’s well worth the read. And from the overall goal of protecting people, it’s extremely valuable from an industry perspective for sharing a wealth of information that can be used to provide protections broadly. You can be sure our analysts are going through the report and ensuring we have protections for anything we don’t already protect against.

    But for customers, I would argue that while this story is entertaining, last week’s 2012 Advanced Persistent Threat (APT) Awareness Study released by ISACA is a more important read because it has more relevant information on how to protect your company or organization. The New York Times article is a good read but the ISACA report can help keep you from ending up in the next New York Times story.

    The important thing that we saw in this survey is a serious disconnect between people worrying about APT attacks and understanding how they work. 63% said they were likely or very likely to be the target of an APT attack. But at the same time almost as many, 53.4%, said that APT attacks are “similar” to conventional threats. This means that only a little under 10% (9.6% to be exact) of respondents see this as a threat and understand that this is a different kind of threat and requires a fundamentally different kind of approach to meet it.

    When stories like this hit, customers often ask “Am I protected against this attack”? What they really mean in most cases is “Are your signatures up-to-date to catch this attack?” The right answer to that question is that it doesn’t matter: these attacks are designed to be undetected by signature-based endpoint security. We saw this in the attack against the New York Times. In fact, we believe that these attacks generally are tested against signature-based endpoint products to ensure they’re not detected. Yes, we do protect against much of the malware outlined in the report and are building new protections for new malware. But this underscores that reactive, signature-based endpoint security can only be a piece of your overall posture to protect against APTs. These are custom attacks and defending against them requires a different approach, a custom defense that employs advanced detection technologies that can discover an attack before real damage can be done.

    Read the rest of this entry »


    In my last blog post, I covered several topics around how cybercriminals use your stolen information and why these criminals want your information. That entry, along with this entry, is part of a blog series intended to cover the expanding economies in relation to cybercrime, as well as some facts and recommendations to help safeguard your data against information theft.

    In the first part of the two-part intelligence brief series, I will tackle the existing “trust model” in the underground cybercrime arena and some profiling of the gateways/actors that sell these goods.

    Information Theft Business Model

    It’s no secret that scammers are out there to make a quick buck. However, what’s often not known or discussed is how they engage the market to sell their goods.

    These scammers must first engage the market with their goods. They often reach out to Pastebin, underground forums, and several other sites designed to peddle their wares. Furthermore, they also use a popular tactic of posting their “ads” on legitimate forums and sites. This step can be considered the aspect of “gaining your customers”. The next step is establishing a pricing model to fit the marketplace.

    Price Discrimination vs. Penetration Pricing

    During the past five years, there have been a number of incidents outlining price discrimination on underground forums. Price discrimination exists when a provider sells identical goods or services at different prices for several reasons. There are realistically four degrees of price discrimination, all with varying discriminatory fashions.

    However, in the past two years, there has been a shift away from price discrimination and to a more penetration pricing model. Penetration pricing is a tactic used by a seller to attract new buyers in multiple different ways.

    In the penetration pricing model, scammers enter the market and sell their wares at a much lower price to gain market space, and then slowly increase their price until it meets market value with the other sellers. Many of the vendors participating in selling stolen goods enjoy a good market for selling these goods after using this model. Utilizing this will often lead to increased sales volume and higher inventory turnover.

    This penetration pricing upswing has likely occurred as there were many new entrants into the underground marketplace selling goods. These new entrants weren’t following maximum price rules or by unique buyer attributes.

    These scammers are also enjoying a fairly uninhibited marketplace since the ease of hiding their nefarious activities has dramatically improved. For those familiar, see onion routing, and that will easily explain one of the many ways these actors hide their tracks.

    Read the rest of this entry »


    Zombies (the shambling, brain-eating kind, rather than the computer kind) are all the rage these days. They’re on TV shows and video games. There are even real-life zombie walks. For whatever reason, they’re the current, fun way we like to scare ourselves.

    It’s not surprising when people are looking to make a little fun mischief that they would pick zombies. There’s a point where hacking and playing come together, and we’ve seen this lately with zombies. People have hacked roadway signs to warn drivers that zombies are on the road ahead. Last week, we heard about the Emergency Alert System being hacked to warn residents watching TV news in KRTV in Great Falls, Montana that “the bodies of the dead are rising from their graves and attacking the living.”

    We read these stories and share them and laugh because it is clever and funny. But there’s a real danger here that’s no laughing matter.

    Critical Infrastructures Can be Compromised

    At its heart, what’s happening is that critical public safety communications infrastructure is being compromised and used outside its intended purposes.

    We can see some of the more dangerous results when critical public safety communications infrastructure is compromised in the form of “swatting.”  An instance of swatting is when people call the 911 system to submit false calls for help. Typically, these result in fully armed SWAT teams being sent to the houses of unsuspecting, innocent people. No one has been killed in these incidents, but that has more to do with good training and luck. The fact is that the system is being compromised in a way that is putting people at real risk by sending fully armed teams into situations they believe may require deadly force (and where their own lives are at risk).

    To understand the real risks in hacking highway signs and the Emergency Alert System, we have to focus on the fact that all the instructions we’re seeing are false but funny, and also absurd and implausible. We know it’s a joke and we don’t take action. But what happens when the instructions are false but plausible?

    Take the Halloween radio broadcast of War of the Worlds by Orson Wells on October 30, 1938 to get an idea of what can happen here. CBS Radio broadcast a dramatization of H.G. Wells’ War of the Worlds. They chose to do it in the form of a seemingly-real radio news bulletin broadcast. Even though there were announcements that it was a dramatization and even though the idea of an alien invasion may seem implausible to us, enough listeners found the fictional story (false information) to be plausible enough that they believed it and acted on it. The dramatized reading of a classic story caused panic.

    This didn’t cause widespread panic, but enough of a reaction to be noted and cause a discussion about the credibility of the radio (and the wisdom of using such a realistic format). The important lesson for us is that people will trust less plausible information to be real if it comes out of trusted channels.

    Read the rest of this entry »

    Posted in Bad Sites | Comments Off on Zombies are Funny, Until Someone Loses an Eye

    Most of the things our industry has learned about targeted attacks were realized the hard way: through analysis of successful attacks. Our realizations have so far revealed just how unfamiliar we are with the “battle ground” we are currently in, and how that unfamiliarity has caused the industry to be unable to understand what is needed to deal with such attacks. But why is this so? Do the attackers really have the upper hand? The answer, unfortunately, is yes.

    Unfair Advantage

    To put it simply, attackers have a greater level of control and a wider range of resources. They get to decide on the very nature of the threat — how and when the attack will play out. They can employ the use of the numerous tools available on the Internet, including legitimate services. More importantly, they can get intelligence on what they are up against – they can do research on the target and find information that can make infiltration easy and almost undetectable.

    And while attackers are able to utilize such flexibility, targets, on the other hand, are faced with multiple limitations that even by themselves are already difficult to manage. With the dawn of consumerization and rise of mobile computing, it is already a big struggle for companies to identify their own network, even more so to protect it. They can only do so within the limitations of available strategies, whatever control they have over the network, and the awareness of their people.

    Read the rest of this entry »

    Posted in Targeted Attacks | Comments Off on Understanding Targeted Attacks: What Are We Really Up Against?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice