Malware Blog - Trend Micro
    Archive for January, 2014

    Last month, we published a blog post describing how Control Panel (CPL) malware was being distributed to Brazilian users via malicious attachments. We have continued to look into these threats and have now released a research paper, CPL Malware: Malicious Control Panel Items, covering the structure of CPL files and how criminals are using them to spread malware, mainly in Brazil.

    Currently, this particular threat is commonly used to spread banking malware in Brazil. Typically, users are sent financial-themed mails that contain a link to a malicious compressed file. When the archive is uncompressed, the user sees one or more malicious .CPL files.

    Figure 1. Typical CPL Malware Behavior

    In terms of analysis, a CPL file is essentially a DLL: it is a PE file that exports the CPlApplet entry point rather than a standalone executable. The difference is in how Windows treats it. Double-clicking a .CPL file makes the shell load it and run its code, so it behaves like an EXE, but users who have not been warned about this extension may be more willing to open it than they would an EXE. Most CPL malware from Brazil is written in Delphi, which is a popular programming language in the country.

    In Brazil, CPL files are used for banking malware almost as frequently as EXE files, with the two file types together accounting for almost 90% of the banking malware seen in Brazil from March to November 2013. Over 2012 and 2013, we detected roughly a quarter of a million CPL malware samples in the country. It is currently a significant problem for Brazilian users and organizations.
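    The delivery chain described above (a compressed attachment hiding one or more .CPL files) suggests a simple gateway check. The following Python is an added example, not code from the original post or from Trend Micro: it scans an in-memory ZIP and flags any member that Windows would run on double-click, treating .cpl like .exe, and also flags any member whose bytes start with a PE ("MZ") header regardless of its extension, so a renamed .cpl does not slip through. The archive contents and file names are constructed for the demonstration, and the extension list is illustrative rather than exhaustive.

```python
import io
import os
import zipfile

# Extensions that Windows runs on double-click. .cpl belongs here: it is a
# DLL that the shell loads and runs through its CPlApplet export, yet
# attachment blocklists frequently omit it. Illustrative list, not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".cpl",
}


def classify_member(name, head):
    """Return the reasons a single archive member looks executable.

    name: member path inside the archive
    head: first bytes of the member; an MZ header means a PE file no matter
          what the extension claims
    """
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("extension " + ext)
    if head[:2] == b"MZ":
        reasons.append("PE header")
    return reasons


def scan_archive(zip_bytes):
    """Scan an in-memory ZIP; return {member_name: [reasons]} for members
    that should be blocked or quarantined."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed lure archive in the style the post describes. The
    members are stand-ins (a bare DOS header), not real malware."""
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Comprovante_Bancario.cpl", fake_pe)   # the classic lure
        zf.writestr("Fatura.pdf", fake_pe)                 # PE hiding behind .pdf
        zf.writestr("leiame.txt", "texto inofensivo\n")    # harmless text
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_archive(build_sample_archive()).items():
        print(member, "->", ", ".join(why))
```

    A check like this belongs at the mail gateway, before the user ever sees the archive; the PE-header rule is what catches the renamed case, and nested archives would need the same scan applied recursively.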

    Posted in Malware, Spam | Comments Off on A Look Into CPL Malware

    10:21 pm (UTC-7)

    We noted in our 2014 predictions that we believed there would be one major data breach per month. Reports of data breaches against retailers ushered in the new year, with the credit card information of several million shoppers stolen. There is no denying the scale and severity of breaches of this kind. While much ink, online and offline, has been spent on matters like who wrote the malware, the more important point in the longer view is that there were many ways this attack might have been prevented, or at least security steps that could have been taken to thwart this kind of attack.

    For example, POS systems represent a near-ideal case for application whitelisting and locked-down configurations: there is no compelling need to run general-purpose applications on a POS system, so the list of binaries allowed to execute can be short and fixed. A locked-down system would have made it far more difficult to run malware on the POS devices.

    Alternately, it is highly unlikely that such a large-scale attack was carried out by installing malware onto POS systems one at a time. It's almost certain that some form of remote management or software distribution system was used to push the malware onto the POS systems. This isn't the first time that systems used to automatically install software onto other systems have been compromised; last year the auto-update system of several applications in South Korea was used to plant malware onto affected systems.

    The movement of such significant amounts of data across networks should also have been detectable. Network defense solutions would have been able to detect the internal network traffic used by this attack, the data exfiltration traffic, or both.

    The broad outlines of this attack are known, but specifics, such as what exact security procedures were in place and how (or if) they were evaded, are not yet public. However, businesses that handle critical data can use this incident to determine whether they, too, are at risk from similarly well-executed attacks. Companies in such a situation should double-check that all applicable security procedures and products are in use and set up correctly, and that trained IT personnel are available to handle incidents as they happen.

    One thing that is clear is that for high-value targets, simple endpoint security is no longer sufficient. As we mentioned earlier, protections based on detecting network and system behavior (such as Deep Discovery and Deep Security) would have been very useful in dealing with these kinds of threats. Enterprises that do not have these solutions in place should consider implementing them in order to be able to guard against similar attacks; there is a good chance that other companies in similar situations will now have to deal with copycat attacks.

    We detect the malware that we believe was used in this attack as TSPY_POCARDL.AB and TSPY_POCARDL.U; if any related threats are found we will release further protection as necessary. Frequently asked questions about this incident are answered in the Simply Security blog.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.


    In the past few weeks, we have seen increasing numbers of infections related to the TROJ_GATAK family, especially in the North American region. This malware family is not particularly well known; we discussed it in 2012 in relation to file infectors that were hitting Dutch users.

    In checking for possible causes, we found that the malware is currently being distributed in the wild disguised as key generators for various applications. They range from expensive, specialized engineering and scientific software, to multimedia editing tools, to benchmarking software, and even to games:

    • AVEVA_PDMS_v12_0_keygen.exe
    • AllData_10_40_keygen.exe
    • Bigasoft_MKV_Converter_3_7_18_4668_keygen.exe
    • CambridgeSoft_ChemBioOffice_Ultra_v13_0_Suite_REMEDY_keygen.exe
    • Cockos_REAPER_4_581_Final_keygen.exe
    • Fireplace_3D_Screensaver_and_Animated_Wallpaper_3_0_keygen.exe
    • GeekBench_2_2_3_keygen.exe
    • Guaranteed_PDF_Decrypte_v3_11_keygen.exe
    • Macrium_Reflect_Professional_5_2_6433_keygen.exe
    • Magical_Diary_Horse_Hall_keygen.exe
    • Nuance_Dragon_Naturallyspeaking_12_0_Premium_Iso_keygen.exe
    • Oloneo_PhotoEngine_v1_0_400_306_keygen.exe
    • RadioSure_Pro_2_2_1004_0_keygen.exe
    • Reg_Organizer_6_11_Final_Portable_keygen.exe
    • The_Bat_Home_Edition_5_0_24_keygen.exe
    • The_Precursors_1_1_keygen.exe
    • Wolfram_Mathematica_9_keygen.exe

    We detect this malware as TROJ_GATAK.FCK. If users download and run one of these files, in the belief that it is a key generator, it drops a file under the %AppData% folder (also detected as TROJ_GATAK.FCK) and creates a corresponding autostart registry entry.

    This dropped file poses as a legitimate file related to Google Talk or Skype; alternately it might use the generic name AdVantage.exe. It drops an encrypted file in a randomly created folder under %Application Data%\Microsoft. This will later be decrypted in memory.

    This decrypted file contains shellcode and the URLs from which to download the payload. Some variants download an image file that contains the encrypted code; the image looks like the one below, which appears to be a stock photo from Sri Lanka:

    Figure 1. Downloaded image

    The payload in this particular attack is fake antivirus software (FAKEAV) that, as is the case with all FAKEAV malware, displays fake virus detection alerts and asks the user to pay in order to successfully clean the machine. This variant is detected as TROJ_FAKEAV.SMWV.

    Fake antivirus software has declined significantly from its heyday several years ago (in part due to crackdowns on their payment systems). Since then, it has been overshadowed first by police ransomware and then, in more recent months, by CryptoLocker. The tips we shared back then remain valid against threats like this if they are spotted in the wild again.

    The Trend Micro™ Smart Protection Network™ protects users from this threat by blocking access to all related malicious URLs and preventing the download and execution of the malicious file.

    Posted in Bad Sites, Malware | Comments Off on Keygens For Engineering, Scientific Software Leads To FAKEAV

    People are seldom an entirely open book. It’s common sense and rational to keep some stuff like financial and medical records away from prying eyes. For others, it can be something trivial and silly (say, an embarrassing taste in music) to the more serious (like a traumatic event in one’s past).

    With so many ways to share, keeping things private is becoming more difficult. Websites and services often ask for personal information and track users’ online habits to provide a more “customized” experience. Even with options to share only within a select group, sharing online has practically become synonymous with sharing with the public. No matter the privacy level of an account, anything posted online will sooner or later find its way to the public.

    This kind of activity is driving some users to reconsider the amount of information they are willing to share. In 2014, we will see users exert more effort in learning tools that can protect their data and control what they share online. This year will be about making sure that secrets remain secret.

    It’s not just individuals who have secrets to keep. So do businesses. Theirs range from future plans and strategies, to current procedures, to personnel records of their employees and clients. Exposed to the public, and to their competitors, these can cost a business millions and, in an absolute worst case, drive it out of business completely.

    Protecting data should become every organization’s top priority this year, considering that we will see one major data breach incident per month. 2013 was marked by several major data breaches and we will see such incidents continue this year.

    As part of our 2014 predictions, we developed this video, with the help of our CTO Raimund Genes, to talk about what users and organizations can do to protect themselves and keep their secrets secret in today’s digital landscape:

    So what can you do to protect your secrets? Our advice to users will help here: avoid oversharing on social media. Don’t bank or shop online on sites that you don’t trust. Keep track of your data, wherever it is, whether in the cloud or on one of your devices. In short, being a good citizen of the Internet will help in keeping your secrets away from cybercriminals and other such bad actors found online.

    For more concrete steps that outline what you can do to protect your secrets, you can visit the Secrets website, which is part of our broader 2014 predictions.


    At the risk of sounding repetitious, there is yet another basic internet protocol that is seeing increased use in distributed denial of service (DDoS) attacks. This time it is NTP, or the Network Time Protocol. It’s not nearly as well known as DNS or HTTP, but just as important. NTP is used to synchronize the time across multiple networked devices; without it, we’re back to the days where setting the time on your computer had to be done manually. A solution to these attacks has been known for more than a decade, but unfortunately has not seen widespread adoption.

    The main function of NTP is to distribute the time from high-precision sources such as GPS or cesium clocks to compatible devices. I’m sorry to have to tell you this, but the clock inside your computer sucks. Quartz crystal based clocks usually have an error rate of about 1 ppm (part per million), that is, the loss or gain of one microsecond per second. That adds up to roughly 86 milliseconds per day, or about 2.6 seconds of clock drift per month, which doesn’t sound all that bad.

    Unfortunately, we don’t know which way the clock is drifting at any given time, and slight temperature changes can really throw quartz crystals for a loop. To put the drift in perspective, in just half a second a 1 GHz processor (slow by modern standards) has undergone 500 million clock cycles. With clustered and distributed systems, having a good idea what time it is becomes critical.

    NTP peers exchange UDP packets to compare notes about what time they think it is. A well-configured client will look to three or more peers with better time accuracy than it has. When a peer further from a reference clock decides that its time is no longer accurate, it makes a tiny correction to its clock rate. This allows the system time to change slowly, so that any running software won’t be disrupted. It’s a straightforward solution to an important problem.

    Unfortunately, miscreants are using this critical service to launch DDoS attacks. NTP servers are generally public facing and will often answer queries from anyone. One such query is the monlist command, sent over UDP, which asks the server to reply with the list of hosts it has recently exchanged packets with (ntpd keeps up to 600 of them).

    This is useful for troubleshooting, but it’s a perfect tool for attackers. Send a small packet with the source address forged to be your target’s, and the server will happily send your target a nice blob of data many times the size of the request. The busier the server, the longer its recent-client list and the more the attack is amplified.
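    To make the monlist exchange concrete, here is an added Python example (not from the original post and not ntpd code): it builds the 8-byte mode 7 probe that scanners send, parses the mode 7 header to tell a monlist query from ordinary NTP traffic, which is the check an IDS rule needs, pulls the client addresses out of a response packet, and computes the amplification factor. The response packet is constructed here, not captured. The header layout (mode 7, implementation 3 for XNTPD, request code 42 for MON_GETLIST_1 or 20 for MON_GETLIST, 72-byte entries, six per datagram) follows ntpd’s private-mode protocol; the assumption that the IPv4 client address sits at offset 16 of each entry comes from ntpd’s info_monitor_1 structure and is marked in the code.

```python
import struct

MODE_PRIVATE = 7            # NTP mode 7: ntpd's private (ntpdc) protocol
IMPL_XNTPD = 3              # implementation number ntpd answers to
REQ_MON_GETLIST = 20        # older monlist request code
REQ_MON_GETLIST_1 = 42      # monlist request code used by ntpdc and scanners
MONLIST_ITEM_SIZE = 72      # sizeof(struct info_monitor_1) in ntpd
ADDR_OFFSET = 16            # assumed: offset of the IPv4 client address in an entry


def build_monlist_request():
    """The 8-byte probe scanners send: version 2, mode 7, response/more bits
    clear, sequence 0, implementation XNTPD, request MON_GETLIST_1."""
    rm_vn_mode = (2 << 3) | MODE_PRIVATE   # 0x17
    return struct.pack("!BBBBHH", rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(payload):
    """Decode the 8-byte mode 7 header; None if this is not mode 7 traffic."""
    if len(payload) < 8:
        return None
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),
        "version": (rm_vn_mode >> 3) & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
    }


def is_monlist_query(payload):
    """Detection check for a UDP/123 payload: a mode 7 request (response bit
    clear) addressed to XNTPD asking for MON_GETLIST or MON_GETLIST_1."""
    h = parse_mode7_header(payload)
    return (h is not None and not h["response"]
            and h["implementation"] == IMPL_XNTPD
            and h["request"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def monlist_clients(payload):
    """IPv4 client addresses listed in one monlist response datagram."""
    h = parse_mode7_header(payload)
    if h is None or not h["response"] or h["request"] not in (REQ_MON_GETLIST, REQ_MON_GETLIST_1):
        return []
    clients = []
    for i in range(h["nitems"]):
        start = 8 + i * h["itemsize"]
        entry = payload[start:start + h["itemsize"]]
        if len(entry) < ADDR_OFFSET + 4:
            break   # truncated datagram
        clients.append(".".join(str(b) for b in entry[ADDR_OFFSET:ADDR_OFFSET + 4]))
    return clients


def build_sample_response(client_ips, seq=0, more=False):
    """Constructed response datagram (not a capture): header with the
    response bit set, then one 72-byte entry per client."""
    entries = b""
    for ip in client_ips:
        addr = bytes(int(o) for o in ip.split("."))
        entries += b"\x00" * ADDR_OFFSET + addr + b"\x00" * (MONLIST_ITEM_SIZE - ADDR_OFFSET - 4)
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = struct.pack("!BBBBHH", rm_vn_mode, seq & 0x7F, IMPL_XNTPD,
                         REQ_MON_GETLIST_1, len(client_ips), MONLIST_ITEM_SIZE)
    return header + entries


def amplification_factor(request, responses):
    """Bytes the victim receives per byte the attacker sent."""
    return sum(len(r) for r in responses) / len(request)


if __name__ == "__main__":
    req = build_monlist_request()
    resp = build_sample_response(["192.0.2.%d" % i for i in range(1, 7)])
    print("monlist query:", is_monlist_query(req), "bytes:", len(req))
    print("clients:", monlist_clients(resp), "bytes:", len(resp))
    print("amplification, one datagram:", amplification_factor(req, [resp]))
```

    Six entries fill a 440-byte datagram, and a full 600-entry list takes 100 of them, so the arithmetic in the last function is what turns one small forged packet into a flood. On the server side the fix is to upgrade to ntpd 4.2.7p26 or later, which no longer answers monlist, or to add `restrict default noquery` (and `disable monitor`) to ntp.conf so that mode 7 queries are refused.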

    IT administrators can do some things to avoid becoming an inadvertent accomplice for these attacks. (One thing that will not solve this problem is IPv6, as NTP also functions over it.) First, disable unused services. You would be shocked to know how many systems out there still offer chargen. If a computer is not acting as an NTP server, it does not need to be running the NTP server software. This goes for other unused services and protocols as well.

    Second, consider your configuration of the services you do run. It turns out that at least in the versions of NTP I have here, the monlist command is enabled by default. Unfortunately, this takes time and research on the part of users to find out the risks of every option. A better solution is for applications to provide sensible and secure defaults.

    Third, and most importantly, IP spoofing should be detected and blocked at the network edge. Implementation of BCP-38 often sounds impossible, but it is really not that bad. I know of global backbones that had it in use ten years ago. The key is to focus only on the network edge (this will not scale if done in the core).

    The simplified version is to configure your edge routing devices to only allow incoming packets from an interface IF a reply to that packet could reasonably be routed back out through that same interface (router vendors call this unicast reverse path forwarding, or uRPF). Not only does this prevent NTP, chargen and DNS spoofing attacks from using your network assets to attack others, it prevents all IP spoofing that would cross your network.
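    The rule in the previous paragraph is easy to state as code. The following Python is an added example, not something from the post or from any router vendor: it models strict reverse-path filtering on an edge router with two customer links and an upstream link (the routes, prefixes and interface names are constructed), decides for each packet whether the best route back to its source leaves through the interface the packet arrived on, and drops it otherwise. It runs the same check for IPv6, since, as noted above, IPv6 does nothing to prevent spoofing.

```python
import ipaddress


class ReversePathFilter:
    """Strict reverse-path (BCP-38) check for one router.

    A packet that arrives on interface `ingress` with source address `src`
    is accepted only if this router's best route back to `src` leaves
    through `ingress`; otherwise the source is one this link could not
    legitimately originate and the packet is dropped."""

    def __init__(self, routes):
        # routes: (prefix, egress interface) pairs. Sorted longest prefix
        # first so the default route only applies when nothing more
        # specific matches, exactly as the forwarding table would do it.
        parsed = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
        self.routes = sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)

    def egress_for(self, src):
        """Longest-prefix match: which interface would a reply to src use?"""
        addr = ipaddress.ip_address(src)
        for net, iface in self.routes:
            if net.version == addr.version and addr in net:
                return iface
        return None

    def verdict(self, ingress, src):
        return "accept" if self.egress_for(src) == ingress else "drop"


def filter_packets(rpf, packets):
    """Apply the check to (ingress, src) pairs and return the verdicts."""
    return [(ingress, src, rpf.verdict(ingress, src)) for ingress, src in packets]


# Constructed edge router: two customer links (eth1, eth2) and an upstream
# link (eth0) carrying the default route. Prefixes are documentation ranges.
EDGE_ROUTES = [
    ("203.0.113.0/24", "eth1"),
    ("198.51.100.0/24", "eth2"),
    ("2001:db8:1::/48", "eth1"),
    ("0.0.0.0/0", "eth0"),
    ("::/0", "eth0"),
]

# Constructed packets: (arrival interface, claimed source address).
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.7"),     # customer A using its own address
    ("eth1", "198.51.100.9"),    # customer A spoofing customer B
    ("eth1", "192.0.2.33"),      # customer A spoofing an Internet address
    ("eth0", "192.0.2.33"),      # genuine Internet traffic from upstream
    ("eth0", "203.0.113.7"),     # upstream claiming customer A's address
    ("eth1", "2001:db8:1::10"),  # customer A, IPv6, legitimate
    ("eth0", "2001:db8:1::10"),  # spoofed IPv6 arriving from upstream
]

if __name__ == "__main__":
    rpf = ReversePathFilter(EDGE_ROUTES)
    for ingress, src, result in filter_packets(rpf, SAMPLE_PACKETS):
        print(f"{ingress:5} {src:18} {result}")
```

    The default route is what makes this work at the edge: a packet from a customer link whose source is not in that customer’s prefixes is dropped because the best route back is the upstream link, and a packet from upstream that claims a customer’s address is dropped for the mirror-image reason. Strict checks of this kind break under asymmetric routing, where replies legitimately leave by a different path, which is why the post is right that this belongs at the edge rather than in the core.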

    Protocol whack-a-mole is getting old. BCP-38 is to Internet security what hand-washing is to medicine. As more networks become compliant, your security resources can divert their resources from DDoS attacks and start to focus on problems that we don’t have good solutions for yet.

    BCP-38 was published (as RFC 2827) in May 2000. We have known how to remove most current DDoS activity for over 13 years! While it is free ‘as in beer’, it does require technical resources to implement. Consider the savings, however, when you can be confident that your network is NOT participating in a spoofed DDoS attack.

    Unfortunately, implementation of BCP-38 only prevents your assets from being used in an attack. It does not prevent you from being attacked. Spread the word and encourage others to practice good Internet hygiene as well, and perhaps these spoofing attacks can be minimized in the long run.

    Update as of 01:00 PM PST, February 27, 2014:

    We have released new Deep Security rules that provide protection against this vulnerability, namely:

    • 1005907 – NTP Server Unrestricted Query Reflected Denial Of Service Vulnerability
    • 1005910 – Identified ntpd ‘monlist’ Query Reflected Denial Of Service Attack




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice