Trend Micro Malware Blog
    Archive for October, 2013

    Traditional antivirus has always been every company’s first line of defense. It protects employees who still make the usual mistakes that security experts tell everyone to avoid: opening malicious attachments, clicking unknown URLs, and visiting untrustworthy websites. In this context, these products may seem sufficient: they can identify bad files and known malware before they reach a computer. Some may even think that free products are a satisfactory answer to these threats.

    However, many threats today use sophisticated tools and techniques to bypass these products. Those techniques are used to aggressively pursue and compromise chosen targets in order to steal sensitive information.

    Protecting your computer with antivirus software helps in blocking known malicious files, but what about lower-profile attacks that slip under the radar? These types of attacks may be attributed to “risky” employee behavior, some of which involve falling for social engineering tactics in the form of phishing scams and shortened or disguised URLs. Without more sophisticated and complete solutions that go beyond simple antivirus, users are at risk from these threats.

    More complete products are able to deal with the sophisticated threats of today. For example, exploit traffic can be blocked at the network layer by products that use deep packet inspection (DPI). Other tools block threats at the browser or endpoint layer. Today’s threats span several layers, so the defenses need to as well. Meeting these challenges is not free, but compared to the cost of a breach, the expense is minuscule.

    Our primer for small and medium-sized businesses (SMBs), “5 Reasons Why Your Antivirus Software Is Not Enough”, offers insights on the risks of relying solely on antivirus software. Our e-guide “Why Free Antivirus Is Not Enough” also details the security issues that computers face when protected only by free software.

    Posted in Malware | Comments Off on Is Free Antivirus Software Enough?

    11:50 pm (UTC-7)

    Over the past few weeks, we’ve been seeing an increase in the number of CryptoLocker infections. This new kind of ransomware has been hitting more users over that period: compared to the month of September, the number of identified cases in October has almost tripled.

    CryptoLocker infections were found across different regions, including North America, Europe, the Middle East and the Asia Pacific. Almost two-thirds of the affected victims – 64% – were from the US. Other affected countries include the UK and Canada, with 11% and 6% of global victims, respectively.

    Previously, we discussed how these threats were arriving via email. CryptoLocker can be viewed as a refinement of a previously known type of threat called ransomware. Such “improvements” are in line with our 2013 Security Predictions, where we mentioned that the focus of cybercriminals would be the refinement of existing tools, rather than the creation of entirely new threats.

    What can I do?

    There are different ways an individual or an organization can handle the CryptoLocker threat. Since this threat starts as spam carrying TROJ_UPATRE (a downloader), its success depends on the social engineering lures used in the message and how users would respond to it.

    Let us start off first with simple (but frequently ignored) safe computing practices to consider when opening emails and file attachments, in general:

    • Always check who the email sender is. If the email is supposedly coming from a bank, verify with your bank if the received message is legitimate. If from a personal contact, confirm if they sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of spammers as well.
    • Double-check the content of the message. There are obvious factual errors or discrepancies that you can spot: a claim from a bank or a friend that they have received something from you? Try to go to your recently sent items to double-check their claim. Such spammed messages can also use other social engineering lures to persuade users to open the message.
    • Refrain from clicking links in email. In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly. If you have to click on a link in email, make sure your browser uses web reputation to check the link, or use free services such as Trend Micro Site Safety Center.
    • Always ensure your software is up-to-date. Currently no known CryptoLocker variant exploits vulnerabilities to spread, but that can’t be ruled out in the future. Regularly updating installed software provides another layer of security against many other attacks in any case.
    • Back up important data. Unfortunately, there is no known tool to decrypt the files encrypted by CryptoLocker. One good safe computing practice is to ensure you have accurate, current back-ups of your files. The 3-2-1 principle should be in play: three copies, on two different media, with one copy in a separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state, and it is enabled by default; note, however, that shadow copies live on the same disk as the originals and can be deleted by malware running with sufficient privileges, so they complement rather than replace an offline or off-site backup. Cloud storage services (such as SafeSync) can be a useful part of your backup strategy.

    For enterprise customers, review your policies regarding email attachments. It is generally considered bad form to send an executable file using email. Most organizations also have strict attachment blocking policies – if you don’t have one right now, it would be a good time to consider creating one.

    Configuring devices for specific purposes is another way to reduce the chances of a CryptoLocker infection. For example, if a user is only required to use Microsoft Word, a system and user account with limited privileges would be adequate. Most enterprises may already take this approach, but it can be strengthened with a whitelist of allowed applications enforced by Windows features such as AppLocker.

    This complements an organization’s overall security strategy. An antimalware solution should not only stop users from executing malicious files, but also provide protection before the malware ever arrives on the system.

    Our email reputation service is able to block these spammed messages with malicious attachments. Specifically, the True File Type Filtering feature can alert users if an email attachment is potentially malicious:
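    The kind of check a true-file-type filter performs, as an added example that is not Trend Micro’s own filter or any code from the original post: the hypothetical helper below classifies an attachment by its leading bytes (magic numbers) rather than by its file name, then flags executables, name/content mismatches, double extensions, and ZIP archives that carry an executable. The magic-number table, extension list, and the sample attachments (a fake PE stub and a constructed “invoice” ZIP) are all assumptions made for this example.

```python
"""Attachment true-file-type check (added example, hypothetical helper)."""
import io
import zipfile
from typing import List

# Magic numbers for the handful of types relevant here (assumed subset).
MAGIC = {
    b"MZ": "exe",                # Windows PE executable (DOS stub header)
    b"PK\x03\x04": "zip",        # ZIP archive, local file header
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",  # legacy Office (doc/xls) container
}
EXECUTABLE_TYPES = {"exe"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# Constructed sample: looks like a PE file to the magic check, is not a real program.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56


def true_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name: str) -> List[str]:
    """All extensions of the base name, lowercased: 'Invoice.pdf.exe' -> ['pdf', 'exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def check_attachment(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    exts = extensions(name)
    claimed = exts[-1] if exts else ""
    kind = true_type(data)

    # 1. Executable by content or by extension: most organizations block these outright.
    if kind in EXECUTABLE_TYPES or claimed in EXECUTABLE_EXTENSIONS:
        findings.append(f"{name}: executable content or extension (type={kind}, ext=.{claimed})")
    # 2. Double extension such as .pdf.exe, which hides the real type when extensions are hidden.
    if len(exts) > 1 and claimed in EXECUTABLE_EXTENSIONS:
        findings.append(f"{name}: double extension hides an executable")
    # 3. Name says document, bytes say PE: the mismatch a true-file-type filter catches.
    if kind == "exe" and claimed not in EXECUTABLE_EXTENSIONS:
        findings.append(f"{name}: claims .{claimed} but content is a PE executable")
    # 4. Look inside archives (bounded depth so nested ZIPs cannot recurse forever).
    if kind == "zip" and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}/{info.filename}"
                    findings += check_attachment(member, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            findings.append(f"{name}: ZIP header present but archive is corrupt")
    return findings


def build_sample_zip() -> bytes:
    """Constructed ZIP shaped like a malicious 'invoice' attachment (example data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_2013-10.pdf.exe", PE_STUB)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),  # benign document
        ("report.pdf", PE_STUB),                           # renamed executable
        ("Invoice.zip", build_sample_zip()),               # archive hiding an executable
    ]
    for name, data in samples:
        print(name, "->", check_attachment(name, data) or ["clean"])
```

The check deliberately never trusts the extension on its own: a `.pdf` whose bytes begin with `MZ` is treated as an executable, and a ZIP is opened and its members checked with the same logic. Attachment blocking policies at the gateway work the same way, which is why renaming an executable does not get it past them.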


    In addition, our web reputation service can also block access to the related URLs. A combination of an antimalware solution plus a solid list of applications allowed to run reduces the attack surface of a desktop.


    While not bringing anything new to the table, CryptoLocker has taken the scare tactics used before by ransomware and fake antivirus attacks to a new level. Most users nowadays rely on good antimalware software, but user education, regular software updates, and a strict computer usage policy are equally crucial defenses against CryptoLocker and similar threats.

    As cybercriminals refine their malware, computer systems must likewise be hardened to resist these attacks. A holistic approach to malware infections aims not only to reduce the infection rate itself, but to break the whole infection chain by providing a defense-in-depth strategy that covers every stage of an attack.

    Trend Micro customers who use OfficeScan (OSCE) and Worry-Free Business Security/Services (WFBS/WFBS-SVC) can follow these best practices to prevent ransomware infection.


    The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we provide some details of the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief is a continuation of those efforts.

    Gathering knowledge about the Chinese underground economy is not particularly difficult, but does pose some challenges. The sites and markets that make up this underground economy are not visible to the public, but are hidden in forums and QQ chat groups. While many underground economies are organized via underground forums, the use of QQ chat groups is unique to China. These sites use their own jargon to name and describe their groups, but cybercriminals familiar with their jargon can easily find what they want.

    In some ways, the Chinese underground is similar to other legitimate economies: it offers a wide variety of products and services at a variety of price points. The services offered include:

    • Distributed Denial of Service (DDoS) kits and servers
    • Remote Access Tools (RATs)
    • Detection evasion services
    • Compromised webhosts
    • Phishing kits
    • Stolen user information
    • Webshells

    In all of these cases, a robust and healthy ecosystem exists, with cybercriminals being able to purchase their chosen product at a variety of price points.

    For example, for denial of service attacks, cybercriminals can choose to rent dedicated servers to mount more large-scale attacks. A modest Atom-based server can cost 599 RMB (US$98.50) a month; a more powerful Xeon server with a 1Gb/s connection can cost 2100 RMB (US$345) a month.

    The variety of prices is most evident in the sale of webshells, scripts that allow an attacker to maintain control over a compromised site. Sites with low page rankings on Baidu and Google can cost around 220-300 RMB (US$36-49) for a bundle of 270 sites; sites with higher page ranks can go for as much as 999 RMB (US$164).

    We hope that this paper will help readers understand the Chinese underground, in order to understand the kind of threats that users are likely to face from these threat actors and prepare the necessary defenses accordingly.

    Posted in Malware | Comments Off on A Tour Through The Chinese Underground

    Four men were arrested a week ago in the Netherlands for spreading the so-called TorRAT malware. This malware only targeted Dutch-speaking users and used Tor hidden services for its command and control (C&C) servers. Its primary goal was financial theft from online banking accounts. Our Threat Encyclopedia entry for TROJ_INJECT.LMV provides a more in-depth description of the malware. Users fell victim to this threat by opening fake invoices attached to specially crafted spammed messages. These invoices did not have the usual grammar and spelling errors seen in typical spam runs sent by con men who are not native speakers.

    Leave No Trace

    The Dutch threat actors were careful in hiding their tracks. As mentioned earlier, they used Tor hidden services for their C&C servers. They had an account for e-mail communications, and they used underground crypting services to evade detection by antivirus software. The digital currency Bitcoin was used to launder their stolen money and to make payments to fellow cybercriminals.

    These made investigation into the identity of the actors difficult; however, the Dutch National High Tech Crime Unit (NHTCU) was able to arrest them. We don’t know exactly what fatal errors the gang made, but we know that just a couple of mistakes on their end can reveal their true identities.

    Masked and (Not So) Anonymous

    We have been following the gang for some time and we were able to draw a few useful conclusions. The first obvious one was that we were really dealing with a native Dutch speaker. Looking at one of the 300+ malware binaries the gang has spread, we believe they made use of an Armenian crypting service called “SamArt”. Crypting malware makes detection by antivirus companies more difficult, but when you want to hide your identity, contact with a third-party tool puts you at risk. In addition, during the fall of 2012, some of the C&C servers were not hosted on Tor hidden services, but in a Turkish data center.

    More importantly, the gang faced a classic problem that their pre-Internet fellow thieves also faced: stealing money is the easy part; getting the stolen money into your own pocket is the difficult part. It is relatively straightforward to manipulate bank transactions on an infected computer, but you need mules to launder the stolen money. The Dutch gang allegedly laundered money through bitcoin transactions and even set up their own bitcoin exchange service, FBTC Exchange, which went dark after the arrests.

    Buying from a crypting service, and recruiting and abusing money mules, puts cybercriminals at risk of getting caught. A single error can lead to the unraveling of the whole cybercrime operation. Tor offers a high degree of anonymity, but Tor tools are not immune to data leaks.

    Additionally, at some point the bad actor has to appear from behind the Tor curtain to put stolen assets to actual use. This means that the cybercriminals hiding behind Tor are not untraceable per se. This was proven by the recent arrest of the operator of Silk Road, an underground marketplace for illegal drugs. The Silk Road owner used Tor, but was caught by the FBI by a thorough investigation of bits of evidence left on the Internet.

    The Mevade botnet, responsible for a sudden increase in Tor users in August 2013, was traced back by us to the work of a Ukrainian/Israeli adware company. And now, the Dutch NHTCU has tracked down a gang who abused Tor to steal money from Dutch Internet users. We congratulate our friends at NHTCU on this great and impressive result.

    Posted in Malware | Comments Off on Dutch TorRAT Threat Actors Arrested

    This is a continuation of our previous post on Hadoop security.

    As we mentioned in our earlier post, we can use OSSEC to monitor the file integrity of existing Hadoop and HBase systems. OSSEC also produces logs that a system administrator can use to check for various system events.

    It’s worth noting that big data systems of all kinds, not just Hadoop and HBase, produce significant amounts of log data.  Installing a big data cluster is non-trivial, to say the least, and these logs play a crucial role in helping IT staff set up clusters and diagnose system problems. Big data system administrators are, in effect, already used to checking log files for potential problems.

    Some of the important Hadoop security events that OSSEC can monitor are:

    • Failed HDFS operations
    • HBase logins
    • Kerberos ticket granting
    • Root logins to nodes

    Configuring an OSSEC agent to monitor one or more Hadoop log files involves adding the paths of the log files to the agent’s ossec.conf file (each as a <localfile> entry with its <location> and <log_format>). For an HDFS namenode we want to monitor the hadoop-hdfs-namenode-{host}.log file, where {host} is the name or IP address of the name node. This file is normally located in the /var/log/hadoop-hdfs/ directory. Similarly, for an HMaster node we are interested in monitoring the hbase-hbase-master-{host}.log file in the /var/log/hbase directory. This gets our Hadoop and HBase log files from the OSSEC agents to the server.

    The next step is to write decoder rules to parse the logs and alert rules to generate alerts based on the content of the logs. Decoders consist of regular expressions that the OSSEC server uses to find log lines of interest and map words to standard fields recognized by the server. Rules enable the server to examine the decoded fields to find content that is indicative of important security events.  When event data from a decoder for a given rule is found, the server generates an alert defined by the rule.
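    The decode-then-rule flow described above, as an added example that is not part of the original post and not the OSSEC rules Trend Micro contributed to the project: a minimal, hypothetical re-implementation in Python in which decoders are regexes with named groups that turn a log line into fields, and rules test those fields and raise an alert with an id and a level, covering the four event classes listed earlier (failed HDFS operations, HBase logins, Kerberos ticket granting, root logins). The decoder patterns, rule ids, and the sample log lines are all constructed for this example and only approximate real Hadoop, KDC and sshd output; in OSSEC itself the equivalents live in decoder.xml and local_rules.xml.

```python
"""Decoder-and-rule pass over Hadoop-related logs (added example, hypothetical)."""
import re
from typing import Dict, List, Optional, Tuple

# Decoders: (name, regex). Named groups become the decoded fields, as in OSSEC.
DECODERS = [
    ("hdfs-audit", re.compile(
        r"FSNamesystem\.audit: allowed=(?P<allowed>true|false) ugi=(?P<user>\S+) "
        r".*?ip=/(?P<srcip>[\d.]+) cmd=(?P<cmd>\w+) src=(?P<path>\S+)")),
    ("hadoop-login", re.compile(
        r"Login successful for user (?P<user>\S+) using keytab file (?P<keytab>\S+)")),
    ("krb5kdc", re.compile(
        r"krb5kdc\[\d+\]\(info\): (?P<reqtype>AS_REQ|TGS_REQ) .*? (?P<srcip>[\d.]+): "
        r"(?P<status>[A-Z_]+): .*?(?P<client>\S+@\S+) for (?P<service>\S+@\S+)")),
    ("sshd", re.compile(
        r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<srcip>[\d.]+)")),
]

# Rules: (id, level 0-15 as in OSSEC, decoder, {field: regex it must match}, description).
# Ids in the 100000+ range are the local-rule range; these particular ids are made up.
RULES = [
    (100100, 7, "hdfs-audit", {"allowed": r"^false$"}, "HDFS operation denied"),
    (100101, 10, "hdfs-audit", {"allowed": r"^false$", "cmd": r"^(delete|rename|setOwner|setPermission)$"},
     "Denied HDFS write or ownership operation"),
    (100110, 3, "hadoop-login", {"user": r"^hbase/"}, "HBase service login via keytab"),
    (100120, 3, "krb5kdc", {"reqtype": r"^TGS_REQ$", "status": r"^ISSUE$"}, "Kerberos service ticket issued"),
    (100121, 5, "krb5kdc", {"status": r"^PREAUTH_FAILED$"}, "Kerberos pre-authentication failure"),
    (100130, 9, "sshd", {"user": r"^root$"}, "Root login to cluster node"),
]

# Constructed sample lines (formats approximate real HDFS audit, UGI, krb5kdc and sshd logs).
SAMPLE_LOGS = [
    "2013-10-15 10:22:01,118 INFO FSNamesystem.audit: allowed=false ugi=alice (auth:KERBEROS) "
    "ip=/10.0.0.21 cmd=delete src=/user/bob/data dst=null perm=null",
    "2013-10-15 10:22:05,311 INFO FSNamesystem.audit: allowed=true ugi=alice (auth:KERBEROS) "
    "ip=/10.0.0.21 cmd=listStatus src=/user/alice dst=null perm=null",
    "2013-10-15 10:23:40,004 INFO security.UserGroupInformation: Login successful for user "
    "hbase/rs1.example.com@EXAMPLE.COM using keytab file /etc/hbase/conf/hbase.keytab",
    "Oct 15 10:23:41 kdc1 krb5kdc[2231](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: ISSUE: "
    "authtime 1381835100, etypes {rep=18 tkt=18 ses=18}, "
    "hbase/rs1.example.com@EXAMPLE.COM for hdfs/nn1.example.com@EXAMPLE.COM",
    "Oct 15 10:25:02 nn1 sshd[4410]: Accepted password for root from 10.0.0.99 port 51234 ssh2",
    "2013-10-15 10:25:10,500 INFO namenode.NameNode: STARTUP_MSG: host = nn1.example.com/10.0.0.7",
]


def decode(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (decoder name, fields) for the first decoder that matches, else None."""
    for name, regex in DECODERS:
        m = regex.search(line)
        if m:
            return name, m.groupdict()
    return None


def evaluate(decoder: str, fields: Dict[str, str]) -> List[Tuple[int, int, str]]:
    """Return every rule bound to this decoder whose field conditions all match."""
    hits = []
    for rid, level, dname, conds, desc in RULES:
        if dname != decoder:
            continue
        if all(f in fields and re.search(rx, fields[f]) for f, rx in conds.items()):
            hits.append((rid, level, desc))
    return hits


def alerts_for(lines: List[str], min_level: int = 3) -> List[Dict[str, object]]:
    """Run decoders and rules over log lines and return the resulting alerts.

    Simplification of OSSEC's rule tree: when several rules match one line, the
    highest-level (most specific) one wins, and alerts below min_level are dropped.
    """
    alerts = []
    for line in lines:
        decoded = decode(line)
        if decoded is None:
            continue  # no decoder matched; OSSEC would ignore the line as well
        name, fields = decoded
        hits = evaluate(name, fields)
        if not hits:
            continue
        rid, level, desc = max(hits, key=lambda h: h[1])
        if level >= min_level:
            alerts.append({"rule": rid, "level": level, "description": desc,
                           "decoder": name, "fields": fields, "log": line})
    return alerts


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOGS):
        print(f"Rule {alert['rule']} (level {alert['level']}): {alert['description']} "
              f"from {alert['fields'].get('srcip', alert['fields'].get('user'))}")
```

Two things carry over to writing the real OSSEC XML: the decoder must be anchored on something unique to the log source (`FSNamesystem.audit`, `krb5kdc[`) so that unrelated lines do not produce fields, and a specific rule (denied delete) should be a child of the general one (any denial) so that one line yields one alert at the higher level rather than two.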

    Visualizing Hadoop Security Events

    The simplest way to visualize OSSEC security alerts is to continually display the alerts log file. Although this sort of works, it’s like looking at raw data in a spreadsheet: it is difficult, if not impossible, to spot trends in the data.

    OSSEC comes equipped to send alert data via syslog to any SIEM (security information and event management) tool that provides syslog compatibility.  One SIEM that we like to use is Splunk, together with an open source application called Splunk for OSSEC. This can be installed on the OSSEC server directly from the Splunk application console.

    Splunk for OSSEC is designed to take OSSEC alerts, summarize them, and perform trend analysis. An example of an OSSEC dashboard in Splunk is shown below. Here you see summaries of events over time, including the HBase and HDFS events discussed earlier.

    Figure 2. Splunk for OSSEC

    Big data systems can benefit from the host intrusion detection services provided by a HIDS like OSSEC. These systems ensure the safety and security of big data systems, which is essential to organizations adopting big data. We are contributing the OSSEC rules for Hadoop back to the OSSEC Project to promote their use in the OSSEC and Hadoop communities, in line with our previous support for open source projects.

    Posted in Bad Sites | Comments Off on Improving Hadoop Security with Host Intrusion Detection (Part 2)


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice