TrendLabs Malware Blog - Trend Micro
    Archive for September 5th, 2013

    Since August 19, 2013, there has been remarkable growth in the number of Tor users, which caused much speculation. Was August 19 the date on which users began fleeing en masse from the NSA’s PRISM project? Were European internet users downloading the latest American cable TV series via Tor only, thus overcoming blockades of sites like the Pirate Bay by European ISPs? Neither was very likely, so some thought that a botnet abusing the Tor network to hide its command-and-control (C&C) server must be the reason for the sudden increase in Tor users.

    Yesterday, Fox-IT published evidence for this plausible explanation. The Mevade malware family downloaded a Tor component, possibly as a backup mechanism for its C&C communications. (We will release a second blog post describing in more detail the behavior of the Mevade variants we have encountered.)

    Feedback provided by the Smart Protection Network shows that the Mevade malware was, indeed, downloading a Tor module in the last weeks of August and early September. Bad actors can run their C&C servers as Tor hidden services, which conceals where the servers are hosted; locating and taking down a Tor hidden service is very difficult.

    The actors themselves, however, have been a bit less careful about hiding their identities. They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as “Scorpion”. Another actor uses the nickname “Dekadent”. Together, they are part of a well organized and probably well financed cybercrime gang.

    We strongly associate these actors with installations of adware and the hijacking of search results. Therefore, we suspect that one of the ways the Mevade botnet is monetized is by installing adware and toolbars onto affected systems. In fact, we have seen Mevade downloading adware. Adware and toolbars might seem less harmful than, for example, data-stealing malware, but the reality is that there is a lot of money to be made in fraudulent advertising.

    We would also like to point out that Mevade has a backdoor component and communicates over SSH to remote hosts. Therefore, the risk of data theft is still very high.

    Posted in Bad Sites, Malware | The Mysterious Mevade Malware

    Compromised websites are part of many attacks online. They can be used to host a variety of threats, ranging from simple spam pages, to redirection pages, to actual malicious files.

    We recently came across a case that highlighted the scale of this threat. A backdoor (detected as BKDR_FIDOBOT.A) was being used to brute-force the administrator logins of many WordPress and Joomla sites. It tries to log into the Joomla administrator page at /administrator/index.php and the WordPress login page at /wp-login.php. To do this, it connects to a C&C server, from which it downloads a list of sites to target as well as passwords to use. (It consistently uses admin as the user name.) Successful logins are also uploaded to the same C&C server.

    Over the course of a single day, this backdoor was used to attempt logins against more than 17,000 different domains. At that rate, it would reach more than 100,000 domains in the course of a single week. This was from a single infected machine alone; with any botnet of decent size, many more sites would have been at risk from this attack.

    The targeted sites were mostly found in the United States, with almost two-thirds of the attacked sites being from that country. Countries in Europe made up the rest of the top five. The majority of the affected sites are owned by individuals or small businesses, as these are the sectors most likely to use WordPress and Joomla as their content management system.


    Figure 1. Distribution of targeted sites

    This attack in itself is particularly troubling. However, when looked at in a bigger picture, such massive attempts to log into numerous WordPress sites can be a precursor of a more menacing attack. The Stealrat botnet operation, for example, uses several compromised WordPress sites to generate spam and conceal its operations. The notorious Blackhole Exploit Kit has also used several WordPress sites to redirect users to its final payload.

    Threats like these highlight how important it is for site administrators to properly secure content management systems (CMSes) like WordPress. Best practices like keeping the software up to date and using strong passwords are a must to prevent sites from being compromised. A compromised site can affect many thousands of visitors, so securing administrator passwords matters far beyond the site owner alone. Settings and plug-ins that help secure CMSes (for example, limiting or rate-limiting login attempts) are available to administrators, and they should use them appropriately.
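    The attack described above leaves a distinctive trace in a site's web server access log: a burst of POST requests to /wp-login.php or /administrator/index.php from one source address, possibly ending in a successful login. The following script is an added example (not code from the original post or from Trend Micro) of how an administrator could detect that pattern in Apache combined-format logs. It assumes, as WordPress does by default, that a failed login re-renders the form with HTTP 200 while a successful login answers with a 302 redirect; the log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Login endpoints named in the post: Joomla's administrator page and WordPress's login page.
LOGIN_PATHS = ("/administrator/index.php", "/wp-login.php")


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        # Drop any query string so /wp-login.php?action=... is still recognised.
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def login_attempts(lines):
    """Yield only POSTs to the CMS login endpoints; everything else is ignored."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] in LOGIN_PATHS:
            yield ev


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: summary} for every source that sent >= threshold login POSTs
    within any sliding window of the given length. The summary counts total
    attempts, the peak number inside one window, and 3xx responses, which
    (assumption: default WordPress behaviour) indicate a successful login."""
    by_ip = defaultdict(list)
    for ev in login_attempts(lines):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for i, ev in enumerate(events):
            # Advance the window start until every event in [start, i] is within `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            successes = sum(1 for e in events if 300 <= e["status"] < 400)
            findings[ip] = {
                "attempts": len(events),
                "peak_in_window": peak,
                "successes": successes,
            }
    return findings


def _line(ip, second, method, path, status):
    """Build a constructed combined-format log line for the sample below."""
    return (f'{ip} - - [05/Sep/2013:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1024 "-" "Mozilla/4.0"')


# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
# 203.0.113.7 hammers /wp-login.php eleven times, then gets a 302 (success);
# 198.51.100.4 is a legitimate user who mistypes once; 192.0.2.9 makes one Joomla attempt.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 11)]
    + [_line("203.0.113.7", 11, "POST", "/wp-login.php", 302)]
    + [_line("198.51.100.4", 3, "GET", "/index.php", 200),
       _line("198.51.100.4", 20, "POST", "/wp-login.php", 200),
       _line("198.51.100.4", 45, "POST", "/wp-login.php", 302),
       _line("192.0.2.9", 7, "POST", "/administrator/index.php", 200)]
)

if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

    Run against a real access log with `detect_bruteforce(open("access.log"))`; any flagged address with `successes` greater than zero deserves an immediate password reset and a review of newly created users, plug-ins and theme files, since the post notes that successful logins are reported back to the botnet's C&C server.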

    One more interesting detail about the backdoor used to carry out this attack: its file properties claim that it was published by a legitimate software vendor, and they also make a reference to the NSA’s PRISM program:

    Figure 2. File properties

    The Smart Protection Network was able to provide the information necessary to help us analyze this threat, as well as protect our users against it. In addition, we use the Smart Protection Network to provide multiple layers of defense against this threat – including blocking the malicious C&C server and detecting the malicious backdoor.

    Posted in Bad Sites | Joomla and WordPress Sites Under Constant Attack From Botnets


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice