    Archive for July, 2013


    We recently reported on an unusual attack involving exploit kits and file infectors. What makes the attack even more notable is that the file infectors used also have information theft routines, a behavior uncommon among file infectors. These file infectors are part of the PE_EXPIRO family, which was first spotted in 2010. It’s possible that this specific attack was intended to steal information from organizations or to compromise websites.

    Further analysis shows that the attack used Styx as its exploit kit. Styx has gotten much press over its role in delivering malware onto systems. The use of Styx in this particular attack may be due to differences between Styx and other exploit kits, namely:

    • Multiple exploit pages – Styx distributes the malicious script across multiple pages, which are connected by HTTP redirects
    • Cross-IFRAME data access – Styx accesses data across IFRAMEs via JavaScript

    Distributing the malicious script across multiple pages is quite unusual, given that most exploit kits only use one page. Additionally, while exploit kits commonly store data in an HTML tag and access it via JavaScript, Styx does it differently: other exploit kits store the data in the same HTML page, whereas Styx puts the tags in another IFRAME. Both techniques can be seen as methods of avoiding detection.

    The initial report mentioned several vulnerabilities exploited by this attack. Continued analysis showed that TROJ_PIDIEF.XJM used an old vulnerability, CVE-2010-0188, which affects specific versions of Adobe Reader and Acrobat. The use of an old vulnerability, together with the enhancement of the PE_EXPIRO malware, is further proof that older threats, refined over time, are still present in today’s landscape.

    Regularly updating systems can help prevent infections from attacks such as these. Trend Micro blocks all related URLs in this attack. Trend Micro Deep Security blocks the associated Java files using the following rules:

    • 1005598 – Identified Malicious Java JAR Files – 3
    • 1005599 – Identified Malicious PDF Document – 10
    • 1005410 – Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2013-1493)

    Screenshot of Deep Security log

    Additional analysis by Kai Yu, Mark Tang, Michael Du, Pavithra Hanchagaiah, and Manoj Subramanya


    Posted in Malware, Vulnerabilities | More Details on EXPIRO File Infectors

    Instant messaging apps are battling it out, each trying to become the next popular means of communication. For example, in Japan, Line and KakaoTalk – two popular chat apps – both claim to have more than 100 million users.

    It shouldn’t be a surprise that cybercriminals are using the names of these apps for their own attacks; in this post we’ll show how KakaoTalk is being targeted by attackers. (To be clear, KakaoTalk is not the only brand targeted; other brands and apps are targeted as well.) Users need to understand the threats posed by these malicious apps.

    First example: Trojanized App

    One common way to create malicious apps is to take a legitimate version of the app and add malicious code to it. This creates a Trojanized app which, to the user, can appear to be normal. However, it actually contains malicious code.

    This particular Trojanized version of KakaoTalk is detected as ANDROIDOS_ANALITYFTP.A, and was distributed via email. If one examines the details of the app, one can see the differences between the legitimate app and the modified one:

    Table 1: Differences between legitimate and Trojanized versions

    In addition, when we examine the permissions used by the app, it’s worth noting that the Trojanized app asks for more permissions than the legitimate app.

    Figure 1: Permissions of “ANDROIDOS_ANALITYFTP.A”

    ANDROIDOS_ANALITYFTP.A seems to be a Trojanized app that can be used by eavesdroppers. This app regularly sends out contact information, text messages, and some phone settings to a command-and-control server from where the attacker can retrieve it.
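    The comparison described above, as an added example that is not Trend Micro’s or KakaoTalk’s code: it diffs the permissions and components declared in a legitimate app’s AndroidManifest.xml against those of a suspected Trojanized copy, flagging additions that enable the contact, SMS and phone-setting collection described for ANDROIDOS_ANALITYFTP.A. Both manifests are constructed samples; the package, component and permission names are assumptions for illustration.

```python
# Added example, not Trend Micro's or KakaoTalk's code: diff the permissions and
# components declared in a legitimate app's AndroidManifest.xml against a
# suspected Trojanized copy. Both manifests below are constructed samples.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that enable the contact/SMS/phone-setting collection described
# for ANDROIDOS_ANALITYFTP.A; their appearance in a repackaged app is a red flag.
SENSITIVE = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
}

LEGIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat" android:versionName="3.9.0">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Chat"><activity android:name=".Main"/></application>
</manifest>"""

TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat" android:versionName="3.9.0">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Chat"><activity android:name=".Main"/>
    <service android:name=".UploadService"/>
    <receiver android:name=".SmsSniffer"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

def declared(manifest_xml, tag):
    """Set of android:name values for every element with the given tag."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter(tag)}

def diff_manifests(legit_xml, suspect_xml):
    """Report what the suspect manifest declares beyond the legitimate one."""
    added_perms = declared(suspect_xml, "uses-permission") - declared(legit_xml, "uses-permission")
    report = {"added_permissions": sorted(added_perms),
              "sensitive_added": sorted(added_perms & SENSITIVE)}
    for tag in ("activity", "service", "receiver"):
        report["added_" + tag] = sorted(declared(suspect_xml, tag) - declared(legit_xml, tag))
    return report
```

Run against real manifests extracted from both APKs, the added receiver for SMS_RECEIVED and the added service are as telling as the extra permissions.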

    This process of Trojanizing is made easier because most Android apps are written using the Java programming language. Unless steps are taken to obfuscate it, the source code of any Java app is relatively easy to obtain; the attacker can then add or modify the code to introduce malicious behavior into the app.

    Second example: Fake app

    Aside from Trojanized apps, fake apps have used KakaoTalk’s name as well. About a month ago, KakaoTalk warned users via their official Twitter account of a “KakaoTalk Security Plugin”:

    Figure 2: Twitter alert from KakaoTalk

    We detect the fake security plugin as ANDROIDOS_FAKEKKAO.A. Many users have fallen victim to it not just because it uses KakaoTalk’s brand, but also because it uses “Security” in its name.

    What does this malicious app do when it’s installed? It reads the user’s contacts and uses the phone’s text messaging feature to send messages to all of them. Because of this, users can quite easily notice that something has gone wrong with their device.

    What’s most interesting about this fake app, however, was how it was distributed. The attackers used a hacked Google Play developer account to distribute a redirector app:

    Figure 3: Redirector app

    This redirector app contained ads that led to a variety of apps – including the fake security plugin. By doing it this way, the attacker was attempting to avoid scanners like Google’s integrated Bouncer service.

    Best Practices

    The best way to protect against these threats is to avoid downloading apps from outside of Google Play – a tip we mentioned earlier when talking about the recent Android security vulnerability. Apps arriving from outside the somewhat curated Google Play store have frequently been a source of security problems for Android devices. Even then, users should check the developer of the app they’re downloading, as well as any reviews, to verify that they are downloading legitimate apps.

    On-device security solutions (like Trend Micro Mobile Security) detect even threats which arrive outside of authorized app stores, providing an additional layer of protection.

    Developers, meanwhile, need to seriously consider the possibility that their apps can be Trojanized and used for malicious purposes. They need to consider putting in place the necessary defenses: obfuscation (to make analysis and Trojanizing of their apps harder) and code integrity monitoring (to ensure that alerts are raised if/when the app’s code is modified and run). In addition, if the app can be built in such a way that sensitive information is handled online – so that stealing information becomes more difficult – it would also help make apps more secure and resistant to these attacks.


    Posted in Malware, Mobile | KakaoTalk Targeted By Fake and Trojanized Apps

    After Liberty Reserve’s shutdown, small- and big-time cybercriminals alike had to scurry for an alternative currency. Some cybercriminals used Liberty Reserve (LR) exclusively as the e-currency to fuel their businesses, and its sudden shutdown took the underground scene by surprise. While many of them had a hard time believing this was really happening, others thought that LR would be back any time soon.

    To respond to this event, some online crooks had to find an immediate alternative (which they did). Based on what we’ve been seeing around underground forums, these guys are now jumping onto the BitCoin bandwagon, as they feel it is a more secure way to buy and sell their products and services.  However, there are still skeptics who doubt BitCoin’s security and think that it can still be taken down by law enforcement agencies.


    Sample underground forum post

    As mentioned in our previous blog, other e-currencies such as Perfect Money and Web Money are getting more popular in the underground scene, giving bad guys more ways to get paid. If you have an account for each e-currency mentioned above, you can pretty much buy whatever you like from anyone. And in case you don’t have the right e-currency you can still use an exchanger.

    Based on our research on several underground forums, here are the most preferred e-currencies used:

    • Perfect Money (PM)
    • BitCoin (BTC)
    • Web Money (WM)

    LiteCoin (LTC) is starting to get some interest, but this is still limited because LiteCoin is not as portable as Bitcoin. Russian cybercriminals accept additional currencies such as Yandex Money, LiqPay and QIWI.

    As expected, cybercriminals quickly found other ways to continue their operations, even though some of them lost money in the Liberty Reserve takedown. It is hard to determine how much the underground economy suffered, but the takedown never completely stopped their operations.


    Over the last few years there has been a noticeable rise in the number of reported targeted attacks, which are also commonly referred to as advanced persistent threats (APTs). Notable examples of such attacks include the Red October campaign and the IXESHE APT.

    What sets a targeted attack apart from a widespread attack is purely the motivation of the attackers and their choice of victims. The actual tools used are largely irrelevant; they are often identical. For example, a Remote Access Tool (RAT) that infects users across 50 countries would be considered a widespread attack, while the same RAT used against two nuclear power plants and no one else is an example of a targeted attack. The tool is identical, but the motivation of the attackers and their chosen targets set the attacks apart.

    One thing that is clear about targeted attacks is that they are difficult to detect, and not much research has been conducted so far on detecting them.

    Our paper discusses a new system we’ve called SPuNge that processes threat information gathered via feedback provided by the Smart Protection Network to detect potential targeted attacks for further investigation.

    We use a combination of clustering and correlation techniques to identify groups of machines that share similar behavior with respect to the malicious resources they access and the industry in which they operate (e.g. oil & gas).

    The techniques we adopt include text-based hierarchical clustering aimed at finding clusters of similar malicious URLs, i.e. URLs having common patterns in hostnames, paths or query strings. We correlate these clusters with information on the user’s machine, such as its IP address, to identify groups of customers affected by the same threat. Finally, we automatically correlate these groups with both industry and geographical information to discover potential targeted attacks.
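    The pipeline sketched above, as an added illustration that is not the SPuNge code from the paper: it tokenizes malicious URLs into hostname labels, path segments and query keys, clusters them with single-linkage hierarchical clustering on Jaccard similarity, and then correlates each cluster with the industry and country of the machines that contacted it, flagging clusters concentrated in one industry. The feedback records, thresholds and industry labels are constructed assumptions; the real system works on Smart Protection Network feedback and a richer feature set.

```python
# Added illustration, not Trend Micro's SPuNge code: cluster malicious URLs by
# shared hostname/path/query tokens, then check whether the machines that hit
# each cluster concentrate in one industry. Feedback records below are
# constructed: (url, client_ip, industry, country).
from itertools import combinations
from urllib.parse import urlsplit

FEEDBACK = [
    ("http://update-cdn.example/news/load.php?id=17", "10.1.1.5", "oil_gas", "NO"),
    ("http://update-cdn.example/news/load.php?id=42", "10.1.2.9", "oil_gas", "NL"),
    ("http://mirror-cdn.example/news/load.php?id=88", "10.1.3.2", "oil_gas", "NO"),
    ("http://pills4u.example/buy/cheap.html", "10.2.0.1", "retail", "US"),
    ("http://pills4u.example/buy/index.html", "10.2.0.2", "education", "DE"),
    ("http://cheap-pills.example/buy/cheap.html", "10.2.0.3", "finance", "FR"),
]

def url_tokens(url):
    """Hostname labels, path segments and query keys of a URL, as a set."""
    p = urlsplit(url)
    return (set(p.hostname.split(".")) | {s for s in p.path.split("/") if s}
            | {kv.split("=")[0] for kv in p.query.split("&") if kv})

def similar(u1, u2, threshold):
    """Jaccard similarity of the two token sets, compared with the threshold."""
    a, b = url_tokens(u1), url_tokens(u2)
    return len(a & b) / len(a | b) >= threshold

def cluster_urls(urls, threshold=0.5):
    """Single-linkage clustering: merge two clusters whenever any URL pair across them is similar."""
    clusters = [[u] for u in urls]
    merged = True
    while merged:
        merged = False
        for i, j in combinations(range(len(clusters)), 2):
            if any(similar(x, y, threshold) for x in clusters[i] for y in clusters[j]):
                clusters[i].extend(clusters.pop(j))
                merged = True
                break
    return clusters

def flag_targeted(feedback, threshold=0.5, min_share=0.8):
    """Clusters where at least min_share of affected machines belong to one
    industry; returns (urls, dominant industry, countries) per flagged cluster."""
    by_url = {}
    for url, _ip, industry, country in feedback:
        by_url.setdefault(url, []).append((industry, country))
    flagged = []
    for cluster in cluster_urls(list(by_url), threshold):
        hits = [h for u in cluster for h in by_url[u]]
        industries = [ind for ind, _ in hits]
        top = max(set(industries), key=industries.count)
        if industries.count(top) / len(industries) >= min_share:
            flagged.append((sorted(cluster), top, sorted({c for _, c in hits})))
    return flagged
```

On the constructed data the three load.php URLs cluster together and are flagged because every affected machine is in oil and gas, while the pharmacy-spam cluster is spread across industries and is not.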

    We used SPuNge to examine existing feedback from more than 20 million Trend Micro customers to see if the system was effective and useful in identifying threats. The tests were able to show that SPuNge is a powerful and useful tool in assisting cybercrime investigation.

    The methodology of SPuNge is described in the paper Targeted Attacks Detection with SPuNge. In addition, we discussed this topic at PST2013, the eleventh International Conference on Privacy, Security and Trust which was recently held in Tarragona, Catalonia.


    Trend Micro researchers have uncovered a targeted attack launched against government agencies in various countries. The email claimed to be from the Chinese Ministry of National Defense, although it appears to have been sent from a Gmail account and did not use a Chinese name.

    Figure 1. Fake message

    The email carries a malicious document attachment, which exploits a vulnerability (CVE-2012-0158) in Microsoft Office (all versions from Office 2003 to Office 2010 were affected) that was patched more than a year ago. The exploit is used to drop a backdoor onto the system, which steals login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook. (It also opens a legitimate “dummy” document, to make the target believe that nothing malicious happened.) Any stolen information is uploaded to two IP addresses, both of which are located in Hong Kong.

    This particular attack was aimed primarily at personnel of European and Asian governments. The message was sent to 16 officials representing European countries alone. The topic of the email – and of the attached document – would be of interest to these targets. In addition, the information stolen, and where it was stolen from, is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook.

    It’s worth noting, however, that Chinese media organizations were also targeted by this attack. The backdoor itself has also been detected in the wild – but, interestingly, it has been most frequently seen in China and Taiwan, with a more limited presence in other Asian countries.

    The vulnerability used in this attack is one that is commonly used in targeted attacks. High-profile campaigns like Safe and Taidoor have made use of it; if anything, it is one of the most commonly targeted flaws in sophisticated campaigns.

    Trend Micro products already detect all aspects of this threat – the message and C&C servers are now blocked; the malicious attachment is detected as TROJ_DROPPER.IK and the backdoor itself as BKDR_HGDER.IK. In addition, Deep Discovery was able to protect our customers by heuristically detecting the malicious attachment using the ATSE (Advanced Threats Scan Engine).

    Based on analysis by Jayronn Bucu.



    © Copyright 2013 Trend Micro Inc. All rights reserved.