    Archive for December, 2013

    Nelson Mandela, one of Africa’s most recognizable figures, passed away last December 5. This unfortunate event did not stop cybercriminals from sending their usual spam, this time attempting to leverage the African leader’s death. What is interesting is that even before Mandela’s death, spammers were already using his name to capture users’ attention. Typically, scammers launch such campaigns after a newsworthy event has occurred, but here we saw activity even before Mandela’s passing. We found this particular sample in November:


    Figure 1. Sample of spam found before Mandela’s death

    The email purports to come from the “Nelson Mandela Foundation”. Recipients are informed that they are one of the winners of a significant cash prize (more than $5.5 million). To claim the money, they must send their full name, address, and other personally identifiable information (PII) to a specific email address. After Mandela’s death, we found another spam campaign that is essentially a copy of the earlier one, with minor modifications.


    Figure 2. Sample of spam found after the African leader’s death was announced

    Providing this information is risky, as spammers can reuse it in other, more damaging schemes. These messages are reminiscent of the classic Nigerian or 419 scam, which offers the recipient a share of a money transfer in exchange for their bank details. The scam has since taken on other forms, including fake London Olympics and FIFA World Cup promos. Though dated, it remains a staple of the threat landscape; just recently, we found several Ice IX servers that were also being used to distribute Nigerian scams.

    An effective spam campaign is not defined only by the exploit employed or the sophistication of the malware component. The strength of the social engineering lure can decide whether a user unwittingly falls into the cybercriminals’ trap. This typically comes down to the campaign’s ability to tap into users’ weak points, such as their emotions and curiosity.

    Mandela’s popularity, the news of his death, and the promise of a cash prize may be convincing enough for some users to act against their better judgment and divulge information to unverified parties. The same can be said of the recent typhoon Haiyan scams found on Facebook and in spam campaigns.

    To avoid this ruse, users should always be wary of the email messages they receive. If a message comes from an unknown source or offers something too good to be true, it is best to delete it. Trend Micro protects users from this threat by blocking such messages. For more information on how social engineering works, you may read our paper here.

    Posted in Spam | Comments Off on Nelson Mandela Spam Run: Before and After His Demise

    The past year has been an interesting one in the world of cyber security. Mobile malware has become a large-scale threat, government surveillance has users asking “does privacy still exist?”, cybercrime continues to steal money from individuals and businesses, and new targets for hackers like AIS and SCADA have been identified. 2013 was many things, but boring was not one of them.

    So, what do we have to look forward to in 2014 and beyond?

    We expect mobile malware not just to keep growing, but to indirectly affect other platforms and devices as well. What do we mean? Consider how we now use our smartphones not just for banking, but for authentication (via either apps or text messages). It is a logical next step for cybercriminals to systematically go after these as well; 2014 will be about mobile banking. Two-factor authentication is not a cure-all: while it can improve security, it also introduces new attack vectors that have to be considered and secured as well.

    Mobile was the “next big thing” a few years ago. What about today’s “next big thing”, the Internet of Everything? Attackers and cybercriminals always go where the money – and the users – are. In the absence of a “killer app” that will get most users to welcome it with open arms, the Internet of Everything is probably not going to see much in the way of threats – for now.

    What is going to see threats are old systems – specifically those running Windows XP. By the time Microsoft stops supporting Windows XP next year, more than twelve and a half years will have passed since it was released. In the world of technology, that is an eternity. Unfortunately, many businesses are still using Windows XP. Once the patches stop being released, they will have no protection from Microsoft against zero-day exploits. We just saw a new zero-day targeting only Windows XP and Server 2003; there are certainly more that have not yet been used or discovered.

    Working with other Trend Micro researchers and analysts, we’ve put together our look at the threat landscape for 2014 and beyond, titled Blurring Boundaries. There are many interesting developments going on today; but these come with their own risks that we must all be aware of.

    Posted in CTO Insights | Comments Off on 2014 Predictions: Blurring Boundaries

    By now, most IT administrators are aware that their networks and systems may require defenses against targeted attacks carried out by well-equipped, knowledgeable attackers. As companies prepare their plans for the upcoming year, some may ask: how does one develop a strategy on how to help defend against these attacks?

    Earlier today, Japan’s Information Technology Promotion Agency (IPA) released a guide titled System Design Guide for Thwarting Targeted Email Attacks. The IPA is under the Ministry of Economy, Trade and Industry (METI) and is responsible for promoting information technology, including security best practices, in Japan.

    This multipage document provides administrators with an in-depth strategy for helping deal with these attacks. While implementation details are left to IT departments to consider, the document provides ten separate steps that administrators can consider to help secure their networks.

    In addition, the document does not consider purely technical concerns alone: it is the work of malware analysts, security operations center (SOC) operators, researchers, forensic investigators, penetration testers, operations managers, and crisis managers. This multidisciplinary approach ensures that all aspects of a potential attack can be recognized and the appropriate countermeasures and defenses put in place.

    One aspect of targeted attacks that is useful to understand is that the attackers have a clear goal in mind – i.e., to infiltrate the target’s network and acquire information. By understanding their goals and their psychology, it becomes easier to understand attackers’ tactics. This makes it easier to defend against or detect their attacks, as well as to force attackers to make mistakes.

    Representing Trend Micro, I was part of the group that created this document; our expertise in malware, threat intelligence, and targeted attacks was useful in crafting effective techniques against these new threats.

    Many countries – including Japan – have had government agencies and companies within their borders face targeted attacks. The response to these attacks has frequently been full of difficulties and challenges, making the task of attackers easier. We believe that documents like this that allow organizations to respond in a reasoned, systematic manner are valuable in reducing the threat from targeted attacks.

    Posted in Targeted Attacks | Comments Off on Planning for 2014: A Guide To Targeted Attack Defense

    Threats have evolved to circumvent advances in analysis and detection; every improvement by security vendors is met with a response from cybercriminals. Stuxnet, for example, paved the way for other threat families to use the LNK vulnerability. Conficker/DOWNAD popularized the use of a domain generation algorithm (DGA), which is now used by other malware families as well, including ZeroAccess and TDSS.

    The goal of these evasion techniques is simple: to avoid early detection and allow an attacker to establish a foothold on target machines.

    In our paper Network Detection Evasion Methods, we discuss how some threats attempt to thwart detection by blending in with normal network traffic. This includes mimicking connections to Google and Microsoft Update, as well as traffic produced by popular instant messengers such as Yahoo! Messenger. Below are some of the remote access Trojans (RATs) we found using this method in an attempt to stay under the radar:

    • FAKEM. This RAT is typically spread via spear-phishing emails and disguises its network communication to mimic Windows Live Messenger, Yahoo! Messenger, and HTML traffic, among others.
    • Mutator. Also known as Rodecap, and reportedly associated with the Stealrat botnet. It downloads Stealrat modules or components and, in some instances, may spoof its HTTP header using “” to blend in with normal traffic.

    While the list is not long and the methods are simple, the paper shows the cybercriminals’ ability to adapt and upgrade their techniques. It underlines how they continuously improve their methods and strategies to bypass network security, take over systems, and remain hidden from security researchers. For more information about these threats and tips on how to effectively detect malicious network traffic, you may read the full paper, Network Detection Evasion Methods: Blending with Legitimate Traffic.
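    Mimicry of this kind is usually only skin-deep: the malware reproduces the magic bytes or the headers of the protocol it imitates, but not its full structure. That suggests a detection approach based on protocol conformance rather than on signatures for any one family. The following is an added example, not code from the paper or from Trend Micro: it checks that a packet claiming to be Yahoo! Messenger (YMSG) or an HTTP response actually conforms to the publicly documented layout of that protocol. The YMSG header fields (20 bytes: "YMSG", version, vendor ID, body length, service, status, session ID, followed by key/value pairs separated by 0xC0 0x80) are the documented format; the specific heuristics, the entropy threshold and the sample packets are constructed for illustration and are not FAKEM or Mutator signatures.

```python
"""Protocol-conformance checks for traffic that only looks like YMSG or HTTP.

Added example (not from the Trend Micro paper).  The YMSG layout is the
documented one; heuristics and sample packets below are constructed.
"""
import math
import re
import struct
from collections import Counter

YMSG_SEP = b"\xc0\x80"          # separates keys and values in a YMSG body
YMSG_HDR = struct.Struct(">HHHHII")  # version, vendor, length, service, status, session
TEXT_ENTROPY_LIMIT = 7.0        # bits/byte; real text sits well below this


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty body)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_ymsg(pkt: bytes) -> list:
    """Return conformance problems for a packet that starts with 'YMSG'."""
    problems = []
    if len(pkt) < 4 + YMSG_HDR.size or not pkt.startswith(b"YMSG"):
        return ["no YMSG header"]
    _ver, _vendor, length, _svc, _status, _session = YMSG_HDR.unpack(pkt[4:4 + YMSG_HDR.size])
    body = pkt[4 + YMSG_HDR.size:]
    if length != len(body):
        problems.append(f"declared length {length} != actual {len(body)}")
    if body:
        fields = body.split(YMSG_SEP)
        if fields[-1] == b"":           # well-formed bodies end with a separator
            fields.pop()
        else:
            problems.append("body not terminated by 0xC0 0x80")
        if len(fields) % 2:
            problems.append("odd number of key/value fields")
        if not all(k.isdigit() for k in fields[0::2]):
            problems.append("non-numeric key")     # YMSG keys are decimal numbers
    return problems


def check_http(pkt: bytes) -> list:
    """Return conformance problems for a packet that starts with 'HTTP/'."""
    problems = []
    head, sep, body = pkt.partition(b"\r\n\r\n")
    if not sep:
        return ["no header/body separator"]
    lines = head.split(b"\r\n")
    if not re.match(rb"HTTP/1\.[01] \d{3} ", lines[0]):
        return ["malformed status line"]
    headers = {}
    for ln in lines[1:]:
        k, _, v = ln.partition(b":")
        headers[k.strip().lower()] = v.strip()
    ctype = headers.get(b"content-type", b"")
    clen = headers.get(b"content-length")
    if clen is not None and clen.isdigit() and int(clen) != len(body):
        problems.append(f"Content-Length {int(clen)} != actual {len(body)}")
    if ctype.startswith(b"text/html") and not re.search(rb"<\s*(html|!doctype|head|body)", body, re.I):
        problems.append("text/html without HTML markup")
    if ctype.startswith(b"text/") and entropy(body) > TEXT_ENTROPY_LIMIT:
        problems.append("high-entropy body declared as text")
    return problems


def inspect(pkt: bytes) -> list:
    """Dispatch on the claimed protocol; an empty list means it conforms."""
    if pkt.startswith(b"YMSG"):
        return check_ymsg(pkt)
    if pkt.startswith(b"HTTP/"):
        return check_http(pkt)
    return ["unrecognised protocol"]


def _ymsg(body: bytes, declared_len: int) -> bytes:
    return b"YMSG" + YMSG_HDR.pack(16, 0, declared_len, 6, 0, 0x1234) + body


def _http(body: bytes, ctype: bytes = b"text/html") -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype +
            b"\r\nContent-Length: %d\r\n\r\n" % len(body) + body)


_GOOD_YMSG_BODY = YMSG_SEP.join([b"1", b"alice", b"5", b"bob", b"14", b"hi"]) + YMSG_SEP
_GOOD_HTML = b"<html><body>ok</body></html>"

# Constructed sample flows: two conforming, two that only borrow the protocol's look.
SAMPLE_FLOWS = {
    "ymsg_ok":   _ymsg(_GOOD_YMSG_BODY, len(_GOOD_YMSG_BODY)),
    "ymsg_fake": _ymsg(bytes(range(40)), 0),          # magic only; wrong length, no k/v pairs
    "http_ok":   _http(_GOOD_HTML),
    "http_fake": _http(bytes(range(256))),            # "text/html" carrying opaque binary
}


def flagged_flows(flows: dict = SAMPLE_FLOWS) -> list:
    """Names of flows whose payload does not conform to the protocol it claims."""
    return [name for name, pkt in flows.items() if inspect(pkt)]


if __name__ == "__main__":
    for name, pkt in SAMPLE_FLOWS.items():
        print(name, inspect(pkt) or "conforms")
```

    The point of the example is the shape of the check, not the thresholds: the legitimate client produces numeric keys, a correct length field and a separator-terminated body, while a copycat that only reproduces the "YMSG" magic fails several of those tests at once. The same idea applies to the HTTP case, where a Content-Type of text/html wrapped around opaque, high-entropy data is a strong hint that the headers exist to satisfy a proxy rather than a browser. In production the checks would run on reassembled streams rather than single packets, and the entropy threshold would need tuning against the site's own baseline.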

    Additional insights by Jessa De La Torre

    Posted in Targeted Attacks | Comments Off on How Threats Disguise Their Network Traffic

    Around this time of the year, many people are finding themselves on the move visiting friends and family, or just playing tourist somewhere in the world. Since it is 2013, however, one new problem has come up: “how do I get online while I’m on the go?”

    Many travelers now expect wi-fi as part of their trip – whether at the airport, in the air, at their hotel, or at tourist attractions. A 2013 study found that 64% of hotels worldwide offered some form of free wi-fi. For some flights “gate to gate” wi-fi access is now available, ensuring you never have to be offline.

    Unfortunately, there is a big problem. The wi-fi offered to travelers is frequently open wi-fi, which means it is completely insecure against just about any attacker. It is trivial for an attacker to capture the traffic of an open access point, or even to set up a fake one and conduct man-in-the-middle attacks. Wi-Fi Protected Access (WPA) can prevent others from reading your traffic, but only if the access point is configured to use it.

    Even “secure” wi-fi, if it is offered, is no assurance of security: you could be connecting to a rogue access point with the same access point name and password as the real network. Creating rogue access points is easy: if the password is known, anyone can create a duplicate access point. Even if you do connect to the real network, attackers can be on the very same network as you are. Being “secure” on any network with others that you may not trust is incredibly difficult.

    On the other hand, there are good reasons to use free wi-fi. Many users face either strict data caps or high roaming costs. Getting data access if you’re travelling internationally is not always easy or cheap.  Travel apps can be very useful on the go – for example they can provide directions in unfamiliar places, or point the way towards which places you want to specifically visit or eat at.

    So, how can users stay safe on free wi-fi? Increasingly, there’s really only one way to do so: use a virtual private network (VPN).

    VPNs have usually been the preserve of business travelers who needed to connect to their company’s network securely. Now, however, they represent a relatively inexpensive way of securing one’s connection against wi-fi attacks. There are many reputable VPN service providers offering both free and paid services, and even the paid services are not particularly expensive. Compared to the possible consequences of having one’s accounts compromised (quite possible over open wi-fi), such services are a bargain.

    These services are not difficult to use. VPN support is built into both iOS and Android, and all reputable services should provide some sort of guide on how to set up your mobile device.

    Figures 1-2. iOS and Android VPN setting locations

    Given how much of our digital lives is now in our mobile devices, it is a great idea to protect these as much as possible. As free wi-fi is fundamentally insecure and is increasingly under attack, users who care about their privacy and security should use VPNs to protect their network traffic if they can.

    What if you’re a business that wants to offer free wi-fi to your customers? The solution is fairly simple: use secure wi-fi, but make the SSID and password known publicly. It can be a sign on the wall or a line on the receipt; it can differ for each business. Even a publicly shared password offers protection against casual eavesdropping, although some attacks (like rogue access points) cannot be stopped this way. It is still an improvement over a completely open network.
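    What that advice looks like on a Linux access point, as an added example that is not from the original post: two hostapd.conf fragments for the same hotspot, the open network first and the WPA2-PSK version after it. The interface name, SSID and passphrase are placeholders.

```ini
# Added example (not from the original post): hostapd.conf fragments.
# Interface, SSID and passphrase are placeholders.

# --- Before: open network.  Frames are sent in the clear, so anyone in
# range can read them, and nothing distinguishes a rogue AP using this SSID.
interface=wlan0
ssid=CafeGuest
hw_mode=g
channel=6
# (no wpa= line: open system authentication, no encryption)

# --- After: same hotspot with WPA2-PSK.  Only the lines below are added;
# the passphrase is the one printed on the sign or the receipt.
wpa=2                      # WPA2 only; wpa=1 (WPA/TKIP) is deprecated
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP          # AES-CCMP, not TKIP
wpa_passphrase=printed-on-your-receipt
ap_isolate=1               # block client-to-client frames through the AP
```

    Two caveats belong with this configuration. With WPA2-PSK every client derives its own session key from the shared passphrase and its 4-way handshake, so an attacker who knows the published passphrase and captures a client’s handshake can still decrypt that client’s traffic; the gain over an open network is against passive eavesdroppers who have not done that work, which is exactly the "casual eavesdropping" the post describes. And ap_isolate only stops clients from talking to each other through this access point; it does nothing against a rogue access point broadcasting the same SSID and passphrase, which is why the post still recommends a VPN for the users themselves.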

    Posted in Malware, Mobile | Comments Off on Wi-Fi On The Go: How Safe Is It?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice