Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    May 2013
    S M T W T F S
    « Apr   Jun »
  • Email Subscription

  • About Us

    Archive for May, 2013

    Last March, I blogged about the Andromeda, a well-known botnet that surfaced in 2011 and is making a comeback this year. Just months after my report, we are still seeing notable activities from the said botnet, in particular a sudden boost of GAMARUE variants last week. The Andromeda botnet is a spam botnet that delivers GAMARUE variants, which are known backdoors and have a noteworthy way of propagating via removable drives.

    We’re keeping track of the GAMARUE infection for the past weeks and observed some noteworthy activities. For the past 30 days, we noticed a sudden spike of its variants on May 17. In particular, there was a 82% increase from May 16 – May 17 and another 32% on May 18. A significant bulk of these malware, specifically 63%, is WORM_GAMARUE variants.

    gamarue-chart-30days copy

    Figure 1. GAMARUE detection for the past 30 days (April 20 – May 31)

    In my initial blog entry, I reported that the bulk of infection came from Australia. Last year, Germany was also one of the most GAMARUE-affected countries. However, just months after my first post, we are seeing a trend in which a majority of WORM_GAMARUE variants are affecting India, Turkey, and Mexico.


    Figure 2. Top countries affected by WORM_GAMARUE

    Currently, we can not readily determine why GAMARUE variants increased on the said dates. If anything, this trend shows that the botnet is still active and poses risks to users.

    Andromeda Botnet: Old Threat Repackaged

    In our 2013 1Q Security Roundup, we concluded that during this quarter, cybercrime was characterized by old threats made new. The Andromeda spam botnet is a good example of this trend, this time with aid of the Blackhole Exploit kits (BHEK) and some new neat tricks.

    This threat arrives as a spammed message containing a malicious attachment (GAMARUE variants) or links leading to certain sites, which now include those compromised by the notorious Blackhole Exploit kit. GAMARUE variants are known to propagate via removable drives. It also drops component files instead of copies of itself to make detection difficult. Taking cue from threats like DUQU and KULUOZ, GAMARUE variants also uses certain APIs to inject itself to normal process to evade detection.

    Propagating techniques aside, GAMARUE variants have backdoor capabilities since it communicates with certain C&C servers to send and receive commands. This communication, in effect, gives a remote malicious user control over the infected system. Some of the commands the malware can execute include downloading other malware onto the system, most notably info-stealing threats like ZeuS/ZBOT variants.

    Because some Andromeda-related spam messages eerily looks like legitimate email notification from commercial services (flight, hotel, courier services etc.), the usual criteria for determining a spam are not sufficient. As an alternative, you can verify to see if the email you’ve received is legitimate or not. Since BHEK is known to exploit software vulnerabilities like Java, you must always update your system with the latest security patch or re-consider your use of Java. For better protection, install antimalware software like Trend Micro, which protects your system from spam, malicious URLs, and malware.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Botnets, Malware | Comments Off on Keeping Up With the Andromeda Botnet

    In the process of investigating and analyzing targeted attacks, we have seen that attacks which may not be related at first glance may in fact be linked; conversely attacks that may seem unrelated may turn out to be connected. Knowing which is which can provide useful information in determining how to respond to an attack.

    Why Are Separate Attacks “Related”?

    Before a cybercriminal or threat actor can launch an attack, many things have to be prepared in advance. The list of recipients have to be compiled, command-and-control (C&C) servers brought online, malware payloads chosen, etcetera. Ideally, attackers would use separate ones, but that isn’t the case: they are just as prone to reuse items or tactics that have worked before. Knowing these similarities between attacks can help determine what is an appropriate response.

    There are many ways that seemingly independent attacks can be correlated, but here are some of the most common ones:

    1. Same IP address sends different email messages
    2. Same email address sends different messages
    3. The same malware is attached to different messages
    4. Multiple (similar) backdoors use the same C&C server
    5. Different backdoor types use the same C&C server
    6. Multiple domains registered using the same email address
    7. Similarities in the way command-and-control network traffic is organized

    How can this information be used?

    Typically, organizations face two kinds of threats: highly sophisticated attacks that target them specifically, or more “random” attacks that are aimed at wider audiences. It can be difficult to tell just by examining the specifics of a particular attack which it is, but examination of the similarities above – using additional information provided by the Smart Protection Network – may be useful. It’s best to illustrate this with a hypothetical example.

    A company received an apparently targeted email that contained a malicious attachment. The malware installed tries to contact an external C&C server for instructions using HTTP. It would appear, at first, that this was a sophisticated targeted attack.

    However, more in-depth analysis would reveal that the malware only accessed two files on the C&C server: /kc1/data.bin and /kc1/gate.php. Accessing two files located in the same directory with the .BIN and .PHP extensions is common behavior by ZeuS/ZBOT variants. In addition, the domain of the C&C server was registered using an email address that was also used to register another domain on the well-known ZeuS Tracker blacklist. All this strongly suggests that it was not a sophisticated attack, but instead a more ordinary ZeuS/ZBOT infection. This can still pose a threat, but it’s a different nature compared to a sophisticated attack.

    This information can also be used to gauge the seriousness of an attack. For example, in October, we found a new Poison Ivy variant (BKDR_POISON.AB) had infected 15 different machines, belonging both to individuals and various organizations. What we also found was that there had been a similar attack earlier in the year which distributed a very similar Poison Ivy variant (BKDR_POISON.BJX). Similarities included the malware’s mutexes and the emails used to spread the attack.

    From there, one can conclude that both attacks were not meant to directly target anyone, but more to gather information across a wide number of possible targets that could be used for more direct attacks at a later time.

    The links between attacks can also be used to discover other potential attacks as well. For example, examining the email and IP addresses linked to domains used as C&C servers in a current attack can lead to other domains. The added information can be used as indicators for potential attacks that may not have been detected at the time.


    Gathering information about the connections between attacks can reveal much about the attacks in the first place. Organizations that use this kind of threat intelligence can use it to gain a more accurate picture of the attacks facing them. It can reveal that apparently unrelated attacks may turn out to be related, and have been launched by a single group of attackers. Alternately, it can make clear if an organization is under attack from multiple groups – which may or may not be working together. Whatever the case, this kind of information can be useful in creating a proportional response to threats.

    For more discussions on malicious network traffic, you can read our report titled Malicious Network Communications: What Are You Overlooking?.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Targeted Attacks | Comments Off on What Connections Between Attacks Say About Them

    The Blackhole Exploit Kit (BHEK) spam run has already assumed various disguises during its course. Some variants have taken various forms, such as official bank notice, cable provider email update, social networking email, and fake courier notification.

    Lately, we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.

    Figure 1. Notice supposedly from Walmart

    In this campaign, some of the URLs lead to Cyrillic domain names.  These domains were translated into the English alphabet through punycode. Punycode is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see its original format.

    The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult.

    This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are lead to the site hosting a malware (detected as TROJ_PIDIEF.SMXY), which exploits a in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system.

    This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon.

    Whether facing old or newly-improved threats, several computing practices can provide your best defense. Always be cautious of email messages before clicking the links or downloading attached files. Always verify with the vendor to check if these emails are legitimate. Regularly install the latest security updates from software vendors to avoid threats targeting dated vulnerabilities.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Exploits, Malware, Spam | Comments Off on Blackhole Spam Run Evades Detection Using Punycode

    With added text by Threat Researcher Nart Villeneuve 

    Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.

    This research paper documents the operations of a campaign, which was able to compromise the following types of organizations:

    • government ministries
    • technology companies
    • media outlets
    • academic research institutions
    • nongovernmental agencies

    The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

    During our investigation of the C&C servers associated with this campaign we discovered archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.

    While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear.

    This white paper has been written to help understand and document the tools, tactics and techniques used in this campaign. Our full findings, including indicators of compromise and recommendations, are contained in our research paper, which can be downloaded here.

    Please note that there are references in the attack itself to “SafeNet”; there is no connection between this attack and SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro.


    The popular photosharing app Instagram is the latest social networking site targeted by the ubiquitous survey scams seen on Facebook and Twitter. This time, we found that these survey scams may also lead users to download an Android malware.

    I found the following accounts who wanted to ‘follow’ me on Instagram. This is the standard if your Instagram account is set to private. While checking these requests, the security researcher inside me noticed something off with some of the accounts.


    Figure 1. Screenshot of Instagram request

    To validate my suspicions, I checked the page of these Instagram accounts and noticed that they all posted this “Get Free Followers!” photo. This post reminded me of the Pinterest free items promo survey scam we blogged in the past.


    Figure 2. Get Free Followers Post on Instagram

    Another thing that I found dubious is that these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”.


    Figure 3. Screenshot of sample spamming account

    Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was lead to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.


    Figure 4. Page offering ‘Get Free Follower’ app

    Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work.

    Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes.

    Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking sites and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintance. Caution is your best defense. Trend Micro protects users from this threat by blocking the related URLs.

    To know more about how these scammers (or online crooks in general) use and benefit from your data, you can check out our infographic How Cybercriminals Are Getting Better At Stealing Your Money.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

    Posted in Mobile | Comments Off on Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice