
    Archive for May, 2013

    For cybercriminals everywhere, it’s still business as usual. The recent global ATM heist that stole a total of $45M showed that orchestrated targeted attacks continue to plague organizations globally. Legacy approaches to identifying threats are not keeping up with the tactics being used to exfiltrate precious assets and corporate secrets. Although it took money mules withdrawing cash from ATMs in 27 countries to pull off the heist, we will likely see that this was made possible by a very sophisticated targeted attack on third-party card processors in India and the US, as initial reports indicate.

    The real debate is how much collateral damage and fallout we’ll see as a result of this attack. Many of the same technologies and processes are used by other financial institutions. A weakness here could be used by attackers to target other banks with similar architectures.

    It’s a safe bet to assume the attackers were able to acquire and maintain a persistent foothold in these banking institutions. The attackers carefully picked their target to increase the chances their attack would be successful without being discovered. Weeks and months of reconnaissance work were more than likely carried out, coupled with covert, clandestine operations once their marks had been made and a foothold was achieved.

    These types of targeted attacks are not like the other day-to-day threats we information security professionals face. They are targeted attacks with a specific purpose in mind. A recent white paper we’ve published discusses the lateral movement that takes place within networks during these types of attacks, and looks at the tools and techniques utilized.

    Online banking is increasingly important today, with nearly 94% of the world’s wealth housed in some form of electronic currency. It’s no wonder cyber heists are on the rise and the payouts are reaching epic proportions. DDoS (Distributed Denial of Service) attacks are increasing as well, which impacts how we conduct online banking as consumers and businesses. These attacks can also consume an organization’s technical and human resources, ultimately acting as a distraction.

    These incidents show that targeted attacks and cybercrime can act hand in hand. All organizations have to consider this as they incorporate their countermeasures and mitigations moving forward. How can they determine if they are in the cross hairs of a targeted attack and understand the dynamics of any threats they are currently facing?

    Organizations need to understand that “targeted attacks” can involve more than just information theft; they can actively damage systems and cause significant financial losses. Tools that are valuable in this field include “padded cells” that use virtualization sandboxing techniques to test incoming threats. Threat intelligence and feedback provided by the Smart Protection Network are invaluable in giving organizations the tools needed to deal with these attacks and protect their networks.


    Posted in Targeted Attacks: How Targeted Attacks And Cybercrime Go Together

    Two Brazilian government websites have been compromised and used to serve malware since April 24. We spotted a total of 11 unique malware files being distributed from these sites, with filenames that usually include “update”, “upgrade”, “Adobe”, “FlashPlayer” or combinations thereof. Besides the different filenames, these samples also use different domains from which they download other malicious files, as well as varying command-and-control (C&C) servers.

    Based on Smart Protection Network feedback, 90% of the affected customers are from Brazil. Other affected countries include the United States and Angola.


    Figure 1. Top affected countries

    Infection Chain

    The general behavior of these malicious files (detected as TROJ_BANDROP.ZIP) is similar. They drop two files in the system’s temporary folder: one executable file (detected as TSPY_BANKER.ZIP) and a supposed GIF file (detected as JAVA_BANKER.ZIP). The executable file modifies the Windows registry to lower the system’s security settings, and ultimately loads the .GIF file.

    The “GIF file” is actually a Java file, loaded using the javaw.exe executable, which is part of the Java Runtime Environment. JAVA_BANKER.ZIP contains commands that can download and execute files from several pre-configured URLs. The downloaded files are then saved as %User Profile%\update.gif (also detected as JAVA_BANKER.ZIP) and executed. These JAR files use several open source libraries such as Java Secure Channel (JSch) and Java Native Access (JNA). These libraries can be used for network operations, in particular connecting to an SSH server, port forwarding, and file transfers, among others.

    The final payload of JAVA_BANKER.ZIP is a .JAR file, which elevates the affected user’s administrator rights. Given that the attacker has taken control of the system, modifying the victim’s admin rights enables him to modify the normal system file termsvr.dll. This .DLL is mainly used for remote desktop sessions. The malware replaces this file with %Temp%\update.gif.

    Malicious Component File Leads to Serious Security Compromise

    Based on code analysis, %Temp%\update.gif is used to enable multiple concurrent remote desktop sessions on the affected system. But what does this mean to users?

    For security reasons, remote desktop sessions are limited to just one session at a time. But %Temp%\update.gif creates its own user account (ADM123), which is set as a system administrator. Once the system has been set up for multiple sessions, it notifies its C&C server of the compromise. The remote malicious user then connects to the affected system using the ADM123 account. The remote attacker now has complete control over the system and the capability to run more damaging commands on the infected machine. Trend Micro protects users from this threat by detecting and deleting the related malware if found on the system.
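The chain described above (a new local account, made an administrator, followed by an RDP logon with it) can be spotted from Windows Security log events. The following detection logic is an added example, not code from the original post; the event records are a constructed, simplified rendering of event IDs 4720 (account created), 4732 (member added to a local group) and 4624 with LogonType 10 (RemoteInteractive logon), and the 24-hour window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events (not from the original post).
# 4720 = user account created, 4732 = member added to a local group,
# 4624 with logon_type 10 = RemoteInteractive (RDP) logon.
SAMPLE_EVENTS = [
    {"time": "2013-05-02 10:15:03", "id": 4720, "target": "ADM123"},
    {"time": "2013-05-02 10:15:04", "id": 4732, "group": "Administrators", "member": "ADM123"},
    {"time": "2013-05-02 10:15:30", "id": 4624, "target": "svc_backup", "logon_type": 3},
    {"time": "2013-05-02 11:02:41", "id": 4624, "target": "ADM123", "logon_type": 10},
    {"time": "2013-05-03 09:00:00", "id": 4720, "target": "jdoe"},
    {"time": "2013-05-03 09:00:01", "id": 4732, "group": "Administrators", "member": "jdoe"},
    {"time": "2013-05-07 08:30:00", "id": 4624, "target": "jdoe", "logon_type": 10},
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def find_new_admin_rdp_logons(events, window=timedelta(hours=24)):
    """Return (user, logon_time) for every RDP logon by an account that was
    created AND added to the local Administrators group less than `window`
    before the logon. A freshly created admin that immediately logs on over
    RDP matches the ADM123 behaviour described in the post."""
    created = {}          # user -> creation time
    admin_added = set()   # users added to Administrators
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], TIME_FMT)
        if ev["id"] == 4720:
            created[ev["target"].lower()] = t
        elif ev["id"] == 4732 and ev["group"].lower() == "administrators":
            admin_added.add(ev["member"].lower())
        elif ev["id"] == 4624 and ev.get("logon_type") == 10:
            user = ev["target"].lower()
            if user in created and user in admin_added and t - created[user] <= window:
                alerts.append((ev["target"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for user, when in find_new_admin_rdp_logons(SAMPLE_EVENTS):
        print(f"ALERT: new admin account {user} used for RDP logon at {when}")
```

The jdoe account is created and promoted too, but its RDP logon falls outside the window, so only ADM123 is reported.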

    Compromising and using government sites to deliver malware is not an unusual practice. Earlier this month, a website of the US Department of Labor was compromised to serve a zero-day Internet Explorer exploit. This tactic provides a certain social engineering leverage, as government-related sites are usually deemed safe and secure. But as this incident clearly shows, there is no sacred cow when it comes to cybercrime. Everyone is fair game.

    This is the latest in a series of interesting developments in the Brazilian threat landscape, which was lately troubled with a malicious “homemade” browser and other banking Trojans that give Bancos variants a run for their money.


    Posted in Malware

    Typically, users archive files to lump several files together into a single file for convenience or simply to save storage space. However, we uncovered a worm that creates copies of itself even in password-protected archive files.

    We acquired a sample of a worm (detected as WORM_PIZZER.A) that propagates using a particular WinRAR command line (see below). Once executed, this enables WORM_PIZZER.A to create a copy of itself in archive files, particularly .ZIP, .RAR and .RAR SFX files. The worm does not harvest passwords from these archive files. The command line itself is legitimate: a user can add files to existing archives with it, so long as WinRAR is installed on their system. However, the malware abuses this to add copies of itself to such files.


    Figure 1. WINRAR command line

    During our testing, this worm was downloaded by WORM_SWYSINN.SM from a particular site.

    This technique is reminiscent of WORM_PROLACO variants seen in 2010, which were seen to archive certain .EXE files together with a copy of themselves. But what makes WORM_PIZZER.A interesting is its clever way of creating copies of itself in archive files, even password-protected ones. Unsuspecting users who extract these archives would have no idea that they already contain this worm, and are thus likely to execute the malware along with their other files.


    Figure 2. WORM_PIZZER.A copy (bot.exe) in an archived file
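A password on an archive protects the member data, not the member names: the ZIP central directory stays in the clear, so an unexpected bot.exe like the one in Figure 2 can be spotted before anything is extracted. The inspector below is an added example, not code from the original post; the executable-suffix list and the sample archive are constructed here, and it covers .ZIP only (RAR and RAR SFX need a third-party parser).

```python
import io
import zipfile

# Suffixes Windows runs directly on double-click. Constructed list for this example.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def suspicious_members(zip_bytes):
    """Return (name, encrypted, size) for every archive member that is directly
    executable. Only the central directory is read, so this works on
    password-protected ZIPs as well: file names are never encrypted, only the
    member data is (general-purpose flag bit 0)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append((info.filename, encrypted, info.file_size))
    return findings


def build_sample_archive():
    """Constructed sample mirroring Figure 2: a document plus an unexpected
    bot.exe. The standard library cannot write encrypted entries, so the
    encryption flag is only ever read by this example, never set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.docx", b"PK\x03\x04 fake document body")
        zf.writestr("bot.exe", b"MZ" + b"\x00" * 62)  # stand-in for a PE header
    return buf.getvalue()


if __name__ == "__main__":
    for name, enc, size in suspicious_members(build_sample_archive()):
        print(f"executable inside archive: {name} ({size} bytes, encrypted={enc})")
```

Running the listing check before extraction is the point: the worm relies on the user trusting the archive and running whatever falls out of it.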

    Trend Micro detects and deletes WORM_PIZZER.A if found and also blocks access to the site hosting the said malware.

    The first half of 2013 is shaping up to be a year of rehash, with dated threats like ZBOT, CARBERP, and GAMARUE using new techniques to evade detection, or at least stealthier ways to slip into users’ systems unnoticed. WORM_PIZZER.A is no different from this flock of repackaged threats. Because of the protective measure archive files afford, users might be too complacent in extracting and executing these files, providing the perfect cover for it to propagate in an infected system.

    For protection, users must observe best computing practices, which include not visiting unknown sites and not downloading files from unverified email messages. Because the malware can create copies of itself in archive files, users must be extra cautious in executing such files.

    With additional insights from Threat Researchers Dexter To and Joseph Jiongco.

    Update as of June 7, 2:00 AM PDT

    Our protection against this threat has been updated; we now detect it as WORM_PIZZER.SM.

    Posted in Malware: Worm Creates Copies in Password-Protected Archived Files

    The notorious info-stealing ZeuS/ZBOT variants are reemerging with a vengeance, with increased activity and a different version of the malware seen this year. In our 2013 Security Predictions, we predicted that cybercrime will be characterized by old threats resurfacing, but with certain refinements and new features in tow. The first quarter of the year proved this thesis, as seen in threats like CARBERP and the Andromeda botnet.

    We can now add the data-stealing malware ZeuS/ZBOT to this roster of old-but-new threats, whose activity we’ve noted to have increased these past months based on Trend Micro Smart Protection Network feedback.


    Figure 1. Smart Protection Network feedback for ZBOT (Jan – May 7 2013)

    As seen in this chart, ZBOT variants surged at the beginning of February and continued to be active up to this month. They even peaked during the middle of May 2013. These malware variants are designed to steal online credentials from users, which can be banking credentials/information or other personally identifiable information (PII).

    ZBOT Earlier Versions vs. Current Versions

    Early generations of ZBOT variants create a folder in the %System% folder where they save the stolen data and configuration file. Users can also find a copy of the malware in the said folder. These ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites. The strings appended to the hosts file can be seen in the downloaded configuration file. Examples of earlier ZBOT versions include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS.

    Current ZBOT variants were observed to create two random-named folders in the %Application Data% folder. One folder contains the copy of ZBOT while the other folder contains encrypted data. An example of this is TSPY_ZBOT.BBH, which was found to be the top variant globally based on Smart Protection Network feedback.

    ZBOT malware of this generation are found to be mostly either Citadel or GameOver variants. Unlike earlier versions, the mutex name is randomly generated.

    Both variants send DNS queries to randomized domain names. The GameOver variant also opens a random UDP port and sends encrypted packets before sending DNS queries to randomized domain names.

    How does this malware steal your credentials?

    ZBOT malware connects to a remote site to download its encrypted configuration file.


    Figure 2. Screenshot of ZBOT communication to C&C server

    The following information can be seen once the configuration file is decrypted:

    • Site where an updated copy of itself can be downloaded
    • List of websites to be monitored
    • Site where it will send the stolen data

    These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers.
    Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system.

    Trend Micro Solution for ZBOT variants

    There are several avenues for detecting ZBOT variants, such as:

    1. First, when the malware tries to write to the registry “Userinit” entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    2. Secondly, detecting the call-back routine to the remote site upon execution, as it acquires its configuration file
    3. Finally, detecting the site where it would send the stolen data, or where it acquires an updated copy of itself

    The screen capture below shows that the behaviour of writing to the registry “Userinit” entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon was successfully blocked by OfficeScan’s Behavioural Monitoring function, so the malware fails to execute:
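The two host-side artifacts this post describes, the Winlogon “Userinit” value that ZBOT appends itself to, and the hosts-file entries that earlier versions add to block security sites, can also be checked after the fact on a system where no behaviour monitor was running. The checker below is an added example, not Trend Micro code; the default Userinit path, the watched domain list and both sample inputs are constructed for this example.

```python
# Stock Userinit value on a default Windows install (constructed reference for this
# example). Anything appended after it is launched by Winlogon at every logon,
# which is why ZBOT writes its own path there.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"

# Security-vendor domains worth watching for in the hosts file. Constructed list;
# the real list is whatever the downloaded ZBOT configuration contains.
WATCHED_DOMAINS = {"trendmicro.com", "microsoft.com", "symantec.com", "kaspersky.com"}


def check_userinit(value):
    """Split the comma-separated Userinit registry value and return every entry
    that is not the stock userinit.exe. A trailing comma is normal on Windows
    and is ignored; quotes around paths are stripped before comparison."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT.lower()]


def check_hosts(hosts_text):
    """Return (ip, hostname) pairs for hosts-file lines that name a watched
    security domain or any of its subdomains. A clean hosts file never
    mentions these, so any hit is a blocking/redirect entry."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in WATCHED_DOMAINS):
                hits.append((ip, name))
    return hits


# Constructed sample inputs resembling an infected system; ZBOT-style random
# folder and file names are made up for this example.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Users\u\AppData\Roaming\Odeq\ihqo.exe,"
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       update.symantec.com   # appended by malware
"""

if __name__ == "__main__":
    print("extra Userinit entries:", check_userinit(SAMPLE_USERINIT))
    print("hosts-file redirects:", check_hosts(SAMPLE_HOSTS))
```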


    Figure 3. OfficeScan Scanning Screenshot

    The second opportunity to detect ZBOT variants is when the malware downloads its configuration file, an updated copy of itself, or even with the attempt to upload its stolen information. Trend Micro Web Reputation Services can detect this function:


    Figure 4. Trend Micro blocks the related URL associated with ZeuS

    In the screen capture above, the URL was detected as malicious. With further investigation, we determined that this site is associated with ZeuS/ZBOT. The same is observed if using Trend Micro’s Deep Discovery:



    Figure 5. Screenshot of Deep Discovery detection of malicious network activity

    Similarly, an attempt to connect to any URL related to ZBOT/ZeuS while performing its call-back routine can be detected via Deep Discovery Inspector.

    For removing the malware, since it injects itself into certain processes, there are instances where a reboot is required. As ZeuS/ZBOT malware downloads newer versions of itself, the binary itself may not be detected, but it generally acts the same. As such, certain parts of the infection can be blocked or partially mitigated.


    What we can learn from ZeuS/ZBOT’s spike in recent months is simple: old threats like ZBOT can always make a comeback because cybercriminals profit from these. Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent. Thus, it is important to be careful in opening email messages or clicking links. Bookmark trusted sites and avoid visiting unknown ones. Always keep your system up-to-date with the latest security releases from software vendors and install trusted antimalware protection.

    To know more about how cybercriminals are getting better at stealing information, you can refer to this infographic.

    With additional inputs from Threat researchers Rhena Inocencio and Roddell Santos.


    Posted in Malware: ZeuS/ZBOT Malware Shapes Up in 2013

    Since its initial release in February 2012, the Raspberry Pi, a very inexpensive, palm-sized computer meant to help teach computer science in schools, has become a favorite of hobbyists, makers, and tech enthusiasts everywhere. Why wouldn’t it be? The Raspberry Pi offers tinkerers a very low-cost (both to buy and to run) computer in an extremely compact platform. In addition, because of its origins as an educational tool, it’s easy to use and versatile. Accordingly, it can be used in all sorts of creative ways.

    However, its apparent simplicity and low cost come with a downside. The Raspberry Pi is not a simple “device” with limited capabilities; it is a fully capable computer. The same pitfalls that befall normal desktop computing can hit the Raspberry Pi if it is not properly secured.

    Some uses of the Raspberry Pi actually turn it into a server, and that is something that users may not really know how to secure. For example, some people have made the Raspberry Pi into a server that controls their home automation system, or that lets them watch videos served by the Pi remotely.

    For many uses of the Raspberry Pi, security isn’t much of a concern: it will never be online or even exposed to external input that could be used as an infection vector. The trouble comes when it’s used in situations where it is online, particularly as a server, where it’s at potential risk. For example, some automated scanners are already trying to log in with the pi user.

    In short, the Raspberry Pi is only as secure as the uses you put it to. Good server security is not always easy; consider that even IT professionals make mistakes. Look into known server best practices if you do use a Raspberry Pi for such purposes. Considering its origin as an educational tool, learning how to secure a server would be an appropriate use for a Raspberry Pi. You can also check out the infographic we’ve made about this issue here.




    © Copyright 2013 Trend Micro Inc. All rights reserved.