    Archive for February, 2014

    A few weeks ago, we received a rather unusual malicious attachment, which we detect as TROJ_UPATRE.SMAI. This particular attachment, when uncompressed and executed, displays the following error message:

    Figure 1. Error message

    At first glance, this may lead users to think the file is not malicious. However, if we look into its code, one item stands out: it checks the system time.

    Figure 2. Malware code

    Looking further, we found something interesting: the value of the current month is added to a specific memory location, which in turn contains the memory address and decryption key of the code this malware needs to proceed. This only yields the correct result when the month is January.

    Figure 3. Code for decryption

    Figure 4. Incorrect result

    Figure 5. Correct result

    The images above show the decryption routine of this malware and its possible results. The decrypted string in Figure 4 is unreadable because the system time of the machine is not the expected one (January); this is what causes the error message to be displayed.

    However, in Figure 5, when the system’s clock has been set to January, the correct address is retrieved and execution proceeds as normal, leading to its payload (a ZBOT variant, detected as TSPY_ZBOT.ADXK).
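    To make the mechanism concrete, here is an added toy model, written for this page and not taken from the sample or from Trend Micro: a stub that derives its decryption key from a base value plus the current month, so only January produces readable output, together with the analyst-side counterpart that simply tries all twelve month values instead of changing the sandbox clock. The base value, the keystream construction (a SHA-256 of the summed byte) and the "next stage" string are all constructed for the demonstration and do not describe the real sample's arithmetic.

```python
"""Added example, not code from TROJ_UPATRE.SMAI or from Trend Micro: a toy
model of a month-keyed unpacking stub and the analyst's twelve-key enumeration.
Every constant and byte string below is constructed for the demonstration."""
import hashlib
from datetime import date
from string import printable

# Constructed stand-in for the memory location the malware adds the month to.
# Only BASE_VALUE + 1 (January) reproduces the key the blob was encrypted with.
BASE_VALUE = 0x5A
EXPECTED_MONTH = 1


def derive_keystream(month: int, length: int) -> bytes:
    """Expand (BASE_VALUE + month) into a keystream of the requested length.
    Hashing the summed byte means a wrong month yields unrelated bytes, which
    is what makes an "unreadable string" (Figure 4) easy to recognise."""
    seed = ((BASE_VALUE + month) & 0xFF).to_bytes(1, "little")
    stream = b""
    counter = 0
    while len(stream) < length:
        stream += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return stream[:length]


def xor_with_keystream(data: bytes, month: int) -> bytes:
    """XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, derive_keystream(month, len(data))))


# Constructed "next stage" string the stub needs in order to proceed, NUL-terminated
# so that a correct decryption can be recognised. Encrypted once with the
# January-derived key, as the sample's author would have done at build time.
NEXT_STAGE = b"stage2_entry:0x00401000\x00"
ENCRYPTED_BLOB = xor_with_keystream(NEXT_STAGE, EXPECTED_MONTH)


def plausible_plaintext(blob: bytes) -> bool:
    """Analyst heuristic: printable ASCII ending in a NUL terminator."""
    return (
        len(blob) > 1
        and blob.endswith(b"\x00")
        and all(chr(b) in printable for b in blob[:-1])
    )


def run_stub(today: date) -> tuple:
    """Model of the malware's behaviour: decrypt with the system month and either
    proceed (True, data) or bail out behind the fake error dialog (False, data)."""
    decrypted = xor_with_keystream(ENCRYPTED_BLOB, today.month)
    if plausible_plaintext(decrypted):
        return True, decrypted
    return False, decrypted


def brute_force_month(blob: bytes) -> list:
    """Analyst side: there are only twelve candidate keys, so try them all
    rather than re-running the sandbox with a different clock."""
    return [
        month
        for month in range(1, 13)
        if plausible_plaintext(xor_with_keystream(blob, month))
    ]


if __name__ == "__main__":
    for d in (date(2014, 1, 15), date(2014, 2, 24)):
        ok, data = run_stub(d)
        print(d, "proceeds" if ok else "error message", data[:24])
    print("months that decrypt cleanly:", brute_force_month(ENCRYPTED_BLOB))
```

    The point for analysts is the last function: a key space of twelve values is small enough that the date check never needs to be satisfied on the host at all, and the same enumeration works for any other coarse clock-derived key (day of week, year) as long as the range is known.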

    Beyond this date-checking routine, this spam run and its payload are not particularly unusual. The attachment arrives either as a fake fax or as a document submission message. All other behavior of TROJ_UPATRE.SMAI is consistent with UPATRE malware, which has been a very common email-borne threat since September 2013.

    Both the spam messages and the malicious attachments used in this attack are now blocked by the appropriate Trend Micro products.

    Additional information by Merianne Polintan.

    Posted in Malware, Spam | Comments Off on ZeuS Downloader Runs in January, Crashes Rest of the Year

    The popular messaging application WhatsApp recently made headlines when it was acquired by Facebook for a staggering $16 billion. Cybercriminals didn’t waste much time to capitalize on this bit of news: barely a week after the official announcement, we saw a spam attack that claims that a desktop version of the popular mobile app is now being tested.

    Figure 1. Screenshot of spammed message

    Our engineers found a spam sample that mentions Facebook’s purchase of WhatsApp and claims that a version of WhatsApp is now available for users on Windows and Mac PCs. The message also provides a download link for this supposed version; the file it points to is detected as TROJ_BANLOAD.YZV, a family commonly used to download banking malware. (This behavior is the same whether on PCs or mobile devices.)

    That is the case here: TSPY_BANKER.YZV is downloaded onto the system. This BANKER variant retrieves user names and passwords stored on the system, which poses a security risk for online accounts accessed from the affected machine. The use of BANKER malware, coupled with a Portuguese-language message, indicates that the intended targets are users in Brazil. Feedback from the Smart Protection Network indicates that more than 80 percent of users who have accessed the malicious site come from Brazil.

    Although the volume of this spam run is relatively low, it is currently increasing. One of our spam sources reported that samples of this run accounted for up to 3% of all mail seen by that particular source, which indicates a potential spam outbreak.

    We strongly advise users to be wary of this or similar messages; WhatsApp does not currently have a Windows or Mac client, so any message that claims one exists can be considered a scam. Trend Micro protects users from this spam attack by detecting the malicious file and the spam, as well as by blocking the related web site.

    With additional analysis from Sabrina Sioting.

    Posted in Malware, Spam | Comments Off on WhatsApp Desktop Client Doesn’t Exist, Used in Spam Attack Anyway

    There are places on the Internet where cybercriminals come together to buy and sell different products and services. Instead of creating their own attack tools from scratch, they can purchase what they need from peers who offer competitive prices. Like any other market, the laws of supply and demand dictate prices and feature offerings. What is more interesting to note is that recently, prices have been going down.

    Over the years, we have been keeping tabs on major developments in the cybercriminal underground. Years of constant monitoring of cybercriminal activities have allowed us to gather intelligence, characterize the more advanced markets we have seen so far, and come up with comprehensive lists of the offerings in them.

    In 2012, we published “Russian Underground 101,” which showcased what the Russian cybercriminal underground market had to offer. Later that year, we worked with the University of California Institute of Global Conflict and Cooperation to publish “Investigating China’s Online Underground Economy,” which featured the Chinese cybercriminal underground.

    Last year, we revisited the Chinese underground and published “Beyond Online Gaming: Revisiting the Chinese Underground Market.” We learned then that every country’s underground market has distinct characteristics. So this year, we will add another market to our growing list: Brazil.

    The barriers to launching cybercriminal operations have been greatly reduced. Toolkits are becoming more available and cheaper; some are even offered free of charge. Prices are lower and features are richer. Underground forums are thriving worldwide, particularly in Russia, China, and Brazil, and have become popular means of selling products and services to cybercriminals in those countries.

    Cybercriminals are also making use of the Deep Web to sell products and services outside the indexed or searchable World Wide Web, making their online “shops” harder for law enforcement to find and take down.

    Our first cybercrime economy update for the year will focus on the burgeoning market for mobile malware/scam-related tools and software in China, to be released next week on March 3.

    All of these developments mean that the computing public is at risk of being victimized more than ever and must completely reconsider how big a part security should play in their everyday computing behaviors. In the coming months we will dig deeper into these, and present our findings to educate users.

    Posted in Malware | Comments Off on Cybercriminal Underground Economy Series: Russia, China, and Brazil

    11:45 am (UTC-7)   |    by

    In these times, embracing consumerization is not only inevitable for any company; it is now, at some level, necessary. It has become a powerful business tool, providing efficiency to the company as well as convenience to the employees. The use of mobile devices in corporate environments is a primary example of how enterprises apply consumerization, and it is a practice they adopt more and more each day.

    With continued adoption comes challenges. The risks around mobile threats are typically focused on malicious apps, but for enterprises there are other problems. Since the devices are used to store, send, and receive corporate data, protecting them from unauthorized access is critical to the company. So how can we maintain enterprise-level security in consumer-level devices?

    The risks entailed by consumerization have proven difficult to deal with: the complexity of managing multiple platforms, separating personal and corporate data, avoiding data leakage, and addressing privacy concerns has enterprises struggling to find the balance between convenience and security. As long as that balance remains unachieved, the risk grows. Mismanaging consumerization has proven costly for enterprises, as cybercriminals now see the inclusion of mobile devices in enterprise networks as an addition to their attack surface, a new vector they can use to infiltrate.

    In the past we’ve talked about a three-step plan to consumerization, which includes having a plan, identifying a set of policies to implement, and putting in the right infrastructure to apply the identified policies.

    Our Trend Micro Safe Mobile Workforce is an example of the infrastructure that can be used in embracing consumerization. It is a virtual mobile infrastructure solution that aims to answer the needs of both IT managers and employees by providing a clear infrastructure that separates corporate and personal data. It hosts the mobile operating system on centralized servers to provide a safe environment whenever users need to access corporate information.

    What does this mean for users? It means that their corporate mobile environment is not stored in their device, so their data remains secure even if the device gets lost. They can also access their environment from any location, without being tied to a single device. This also means that there is no limitation in terms of functionality when the employee uses the device for personal purposes.

    What does this mean for IT administrators? It means that they will be able to fully manage and maintain all corporate environments connected to the network (Android and iOS) through the centralized server. And since Safe Mobile Workforce completely separates corporate and user data, administrators get full control of the corporate environment without worrying about privacy concerns from the employees.

    To get a better idea of how the Trend Micro Safe Mobile Workforce works, check out our infographic, Split Screen: Separating Corporate from Personal Data on Mobile Devices.

    Posted in Mobile | Comments Off on Balancing Freedom and Control in Consumerization

    Attackers continuously leverage vulnerabilities in popular software like Microsoft Windows and Adobe products. Just recently, Adobe released an out-of-band update addressing three critical vulnerabilities in Flash Player. The update, APSB14-07, resolves the following issues in Flash Player:

    • Stack-based buffer overflow vulnerability (CVE-2014-0498) allows attackers to execute arbitrary code via unspecified vectors.
    • Out-of-bounds read vulnerability (CVE-2014-0499) does not prevent access to address information, which in turn makes it easier for attackers to evade existing mitigation technology like Address Space Layout Randomization (ASLR). Successful exploitation results in information disclosure.
    • Double free vulnerability (CVE-2014-0502) can be exploited to cause memory corruption. Once successfully exploited, it allows remote attackers to execute arbitrary code. Adobe confirms that this is a zero-day actively exploited in the wild. Several websites have been reported compromised and redirecting visitors to a malicious server hosting a malicious Flash file. Based on our investigation, once users visit the compromised websites they unknowingly download a malicious .SWF file, detected by Trend Micro as SWF_EXPLOYT.LPE. This SWF exploit then downloads a PlugX variant detected as BKDR_PLUGX.NSC. PlugX is a remote access tool known for its stealth mechanisms.

    These are the affected platforms:

    Product             Updated version   Platform                               Priority rating
    Adobe Flash Player                    Windows                                1
    Adobe Flash Player                    Internet Explorer 10 for Windows 8.0   1
    Adobe Flash Player                    Internet Explorer 11 for Windows 8.1   1
    Adobe Flash Player                    Chrome for Windows and Linux           1
    Adobe Flash Player  11.7.700.269      Windows                                1
    Adobe Flash Player  11.7.700.269      Linux                                  3

    Trend Micro Deep Security has released the following new deep packet inspection (DPI) rules to protect against exploits leveraging these vulnerabilities:

    • 1005918 – Adobe Flash Player Stack-based Buffer Overflow Vulnerability (CVE-2014-0498)
    • 1005919 – Adobe Flash Player Out Of Bound Read Vulnerability (CVE-2014-0499)
    • 1005922 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2014-0502)

    Aside from Deep Security, our browser exploit prevention technology in Titanium 7 also protects against exploits targeting CVE-2014-0498 and CVE-2014-0502. As for CVE-2014-0499, we recommend updating to the latest version.

    Trend Micro blocks all related threats and URLs associated with this attack. We advise users to keep their installed software updated to the latest version.

    With additional analysis from Kai Yu.

    Posted in Bad Sites | Comments Off on New Adobe Flash Player Zero-day Exploit Leads to PlugX


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice