Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    October 2013
    S M T W T F S
    « Sep   Nov »
  • Email Subscription

  • About Us

    Archive for October 29th, 2013

    11:50 pm (UTC-7)   |    by

    Over the past few weeks, we’ve been seeing an increase in the number of spreading CryptoLocker malware. This new kind of ransomware has been hitting more users over the past few weeks. Compared to the month of September, the number of identified cases in October has almost tripled.

    CryptoLocker infections were found across different regions, including North America, Europe Middle East and the Asia Pacific. Almost two-thirds of the affected victims – 64% – were from the US. Other affected countries include the UK and Canada, with 11% and 6% of global victims, respectively.

    Previously, we discussed how these threats were arriving via email. CryptoLocker can be viewed as a refinement of a previously known type of threat called ransomware. Such “improvements” are in line with our 2013 Security Predictions, where we mentioned that the focus of cybercriminals would be the refinement of existing tools, rather than the creation of entirely new threats.

    What can I do?

    There are different ways an individual or an organization can handle the CryptoLocker threat. Since this threat starts as spam carrying TROJ_UPATRE (a downloader), its success depends on the social engineering lures used in the message and how users would respond to it.

    Let us start off first with simple (but frequently ignored) safe computing practices to consider when opening emails and file attachments, in general:

    • Always check who the email sender is. If the email is supposedly coming from a bank, verify with your bank if the received message is legitimate. If from a personal contact, confirm if they sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of spammers as well.
    • Double-check the content of the message. There are obvious factual errors or discrepancies that you can spot: a claim from a bank or a friend that they have received something from you? Try to go to your recently sent items to double-check their claim. Such spammed messages can also use other social engineering lures to persuade users to open the message.
    • Refrain from clicking links in email. In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly. If you have to click on a link in email, make sure your browser uses web reputation to check the link, or use free services such as Trend Micro Site Safety Center.
    • Always ensure your software is up-to-date. Currently there are no known CryptoLocker that exploits vulnerabilities to spread, but it can’t be ruled out in the future. Regularly updating installed software provides another layer of security against many attacks, however.
    • Backup important data. Unfortunately, there is no known tool to decrypt the files encrypted by CryptoLocker. One good safe computing practice is to ensure you have accurate back-ups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location. Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state, and is enabled by default. Cloud storage services (such as SafeSync) can be a useful part of your backup strategy.

    For enterprise customers, review your policies regarding email attachments. It is generally considered bad form to send an executable file using email. Most organizations also have strict attachment blocking policies – if you don’t have one right now, it would be a good time to consider creating one.

    Configuring devices for specific purposes is another method to reduce chances of Cryptolocker infection. For example, if the user is only required to use Microsoft Word, a system and user account with limited privileges would be adequate. Most enterprises may already have this approach, but this can be enhanced to use a list of whitelisted software applications and take advantage of certain Windows features like AppLocker.

    This can complement an organization’s overall security strategy. Users can implement an antimalware solution that not only protects users from executing malicious files, but provides protection even before the malware arrives in your system.

    Our email reputation service is able to block these spammed messages with malicious attachments. Specifically, the True File Type Filtering feature can alert users if an email attachment is potentially malicious:


    In addition, our web reputation service can also block access to the related URLs. A combination of antimalware solution plus a solid list of applications allowed to run reduces the surface area of attack on a desktop.


    While not presenting anything new to the table, CryptoLocker has taken the scare tactics effectively used before by ransomware and fake antivirus attacks to a new level. Most users rely nowadays on good antimalware software, but it is important to note that user education, regular software update, and a strict computer usage policy are crucial defense against CryptoLocker and similar threats.

    As malware nowadays are being refined by cybercriminals, computer systems must be likewise hardened to resist these attacks. A holistic approach in addressing malware infections aims not only to address to reduce the rate of the infection itself, but can help in breaking the whole cycle of the malware infection chain by providing a defense in depth strategy that covers multiple facets of an attack.

    Trend Micro customers who use OfficeScan (OSCE) and Worry-Free Business Security/Services (WFBS/WFBS-SVC) can follow these best practices to prevent ransomware infection.


    The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we provide some details of the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief is a continuation of those efforts.

    Gathering knowledge about the Chinese underground economy is not particularly difficult, but does pose some challenges. The sites and markets that make up this underground economy are not visible to the public, but are hidden in forums and QQ chat groups. While many underground economies are organized via underground forums, the use of QQ chat groups is unique to China. These sites use their own jargon to name and describe their groups, but cybercriminals familiar with their jargon can easily find what they want.

    In some ways, the Chinese underground is similar to other legitimate economies: it offers a wide variety of products and services at a variety of price points. The services offered include:

    • Distributed Denial of Service (DDoS) kits and servers
    • Remote Access Tools (RATs)
    • Detection evasion services
    • Compromised webhosts
    • Phishing kits
    • Stolen user information
    • Webshells

    In all of these cases, a robust and healthy ecosystem exists, with cybercriminals being able to purchase their chosen product at a variety of price points.

    For example, for denial of service attacks, cybercriminals can choose to rent dedicated servers to mount more large-scale attacks. A modest Atom-based server can cost 599 RMB (US$98.50) a month; a more powerful Xeon server with a 1Gb/s connection can cost 2100 RMB (US$345) a month.

    The variety of prices is most evident in the sale of webshells, scripts that allow an attacker to maintain control over a compromised site. Sites with low page rankings on Baidu and Google can cost around 220-300 RMB (US$36-49) for a bundle of 270 sites; sites with higher page ranks can go for as much as 999 RMB (US$164).

    We hope that this paper will help readers understand the Chinese underground, in order to understand the kind of threats that users are likely to face from these threat actors and prepare the necessary defenses accordingly.

    Posted in Malware | Comments Off on A Tour Through The Chinese Underground


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice