    Archive for February, 2014




    RTF (Rich Text Format) files have been used before by cybercriminals, but of late it seems their use of this format is becoming more creative.

    We’d earlier talked about how CPL files were being embedded in RTF files and sent to would-be victims as an e-mail attachment. These CPL files would then proceed to download malicious files, which would be run on the affected systems.

    Earlier samples used instructions in Portuguese, but newer samples now use German:

    Figure 1. German-language RTF document

    Overall, the tactics are still the same – the RTF file contains an embedded “receipt” with instructions to double-click the receipt. Double-clicking this file runs the CPL malware, which downloads the payload.

    Figure 2. Code of RTF document

    In this particular case, the URL is no longer accessible so we cannot be 100% sure what the payload was. However, previous incidents have used information stealers, so in all likelihood that would have been the case here as well. We detect this variant of CPL malware as TROJ_CHEPRTF.SM2.

    A separate case also embedded malware into an RTF file, but this time the embedded malware belonged to the ZBOT malware family. This ZBOT variant is detected as TSPY_ZBOT.KVV; it has the capability to steal user names and passwords from various sources such as email, FTP and online banking.
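    Both cases above rely on the same RTF feature: an embedded OLE object (a Package carrying a CPL file, or a ZBOT executable) stored as a hex-encoded \objdata stream that runs when double-clicked. The following scanner is an added example written for this entry, not Trend Micro code; it decodes every \objdata stream, reports the declared object class, and flags an embedded file name with an executable extension or an MZ/PE header inside the decoded data. The sample RTF it builds is constructed for the demonstration and is not a real malicious document.

```python
import re
import struct

# Hex payload of an embedded object: {\*\objdata 0105...}
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# Declared object class, e.g. {\*\objclass Package}
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")
# A file name with an extension Windows will execute on double-click
FILENAME_RE = re.compile(rb"[A-Za-z0-9_\-. ]{1,60}\.(?:cpl|exe|scr|js|vbs)\b", re.I)

def has_pe_header(data: bytes) -> bool:
    """True if an MZ header whose e_lfanew points at 'PE\\0\\0' occurs in data."""
    pos = data.find(b"MZ")
    while pos != -1:
        if len(data) >= pos + 0x40:
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew : pos + e_lfanew + 4] == b"PE\x00\x00":
                return True
        pos = data.find(b"MZ", pos + 1)
    return False

def scan_rtf(rtf: bytes) -> list:
    """One finding per \\object group whose decoded data carries an executable."""
    findings = []
    for chunk in rtf.split(b"\\object")[1:]:
        data = OBJDATA_RE.search(chunk)
        if not data:
            continue
        try:
            blob = bytes.fromhex(re.sub(rb"\s", b"", data.group(1)).decode("ascii"))
        except ValueError:  # odd-length or non-hex object data, skip it
            continue
        cls = OBJCLASS_RE.search(chunk)
        name = FILENAME_RE.search(blob)
        pe = has_pe_header(blob)
        if pe or name:
            findings.append({"class": cls.group(1).strip().decode("ascii", "replace") if cls else "?",
                             "filename": name.group(0).decode("ascii", "replace") if name else None,
                             "pe_header": pe})
    return findings

def build_sample() -> bytes:
    """Constructed RTF carrying a fake 'receipt.cpl' Package object (not a real sample)."""
    pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"  # minimal MZ/PE stub
    native = b"\x02\x00" + b"receipt.cpl\x00" + pe
    return (b"{\\rtf1 Please see the attached receipt.\\par "
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
            + native.hex().encode("ascii") + b"}}}")
```

    Run scan_rtf over the raw bytes of an attachment at the mail gateway; any finding with a Package class plus an executable file name or PE header is the pattern described in this entry.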

    These incidents highlight how cybercrime techniques are always improving. RTF files may have been used in these cases because users may not know that RTF files can be used to spread malware, and even if they do know they may not be able to easily determine which files are malicious and which are not.

    In addition, using RTF files to spread ZBOT is unusual, as it’s typically spread via other means such as downloaders, malicious sites, or spam. This shows how cybercriminals are willing to embrace new tactics to achieve their goals.

    We encourage users to be careful when opening email messages and attachments. Never download and open attachments unless they can be verified. Businesses should employ a mail scanning solution implemented on the network and enable the scanning of email messages.

    The Trend Micro™ Smart Protection Network™ protects users from this threat by blocking access to all related malicious URLs, and preventing the download and execution of the malicious file.

    Update as of 7:00 PM PST, March 6, 2014

    The hashes of the files involved in this attack are:




    A new zero-day vulnerability in certain versions of Internet Explorer has been identified and is being used in targeted attacks. Microsoft has not released an official bulletin acknowledging this vulnerability yet, but has spoken to news sites and confirmed that both Internet Explorer 9 and 10 are affected. The newest version, Internet Explorer 11, does not suffer from this vulnerability.

    If exploited, this vulnerability allows an attacker to target users with a drive-by download, allowing files to be downloaded and run on user systems without any user input needed beyond visiting a website.

    Two versions of Windows are not affected by this threat: Windows 8.1 (because it includes IE11) and Windows XP (because it only supports up to IE8). All other versions of Windows are at potential risk, depending on the version of Internet Explorer present on the system.

    This attack was initially spotted on the website of a non-profit organization in the United States. The files used in this exploit are detected as HTML_EXPLOIT.PB, HTML_IFRAME.PB, and SWF_EXPLOIT.PB. The backdoor that was planted on affected machines using this zero-day is detected as BKDR_ZXSHELL.V. No formal bulletin or workarounds have been issued by Microsoft; we recommend that users of Windows 7 or 8 consider upgrading to Internet Explorer 11 to avoid this problem.

    We are currently analyzing both the exploit itself and the payloads used in this attack, and will provide further information as appropriate.

    Update as of 5:00 PM PST, February 16, 2014:

    We have released new Deep Security rules that provide protection against this vulnerability, namely:

    • 1005908 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322)
    • 1005909 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322) – 2
    • 1005911 – Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-0322) – 3

    Update as of 11:00 PM PST, February 19, 2014:

    Microsoft has released an advisory acknowledging this attack and confirming that it is limited to Internet Explorer 9 and 10. A workaround has also been provided in the form of a Microsoft Fix It solution.

     




    This month’s Patch Tuesday features seven bulletins, with four rated as critical. Updates for Internet Explorer take the spotlight as one bulletin, MS14-010, addresses 24 vulnerabilities in Internet Explorer. These vulnerabilities could result in remote code execution, which could allow an attacker the same user rights as the current user.

    A second bulletin, MS14-007, addresses a separate vulnerability in Direct2D that can trigger remote code execution by opening a malicious website in Internet Explorer or opening an email attachment.

    The other critical bulletin of most importance to most users is MS14-011, which patches a vulnerability in the VBScript scripting engine. If exploited, this could also trigger remote code execution.

    Another critical bulletin, MS14-008, affects Microsoft Forefront for Exchange. While this product is now discontinued, Microsoft has promised security updates until December 2015. Three other bulletins released today were rated as important by Microsoft.

    Other vendors have also been busy patching flaws in their software. Last week, Adobe released a patch to Flash Player to deal with reported in-the-wild vulnerabilities, and this week Shockwave Player received an update as well.

    Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page for further information. Appropriate rules for Trend Micro Deep Security have also been created and are available for use by system administrators.

     
    Posted in Vulnerabilities | Four Critical Bulletins for February 2014 Patch Tuesday



    2013 was another year marked by many changes – for good and bad – in the threat landscape. Some threats waned, others grew significantly, while completely new threats emerged and made life difficult for users. What remained constant, however, were the threats against the safety of digital information. In this entry, we present some of the threats that were seen last year. These are described in more detail in our roundup titled Cashing In On Digital Information.

    Cybercrime: Banking Malware, CryptoLocker Grow; Blackhole Exploit Kit Tumbles

    Some malware types linked to cybercrime grew significantly in 2013. We saw almost a million new banking malware variants, which was double what we saw in 2012. Much of this growth occurred in the latter half of the year:

    Figure 1. Volume of new banking malware

    Two countries – the United States and Brazil – accounted for half of all banking malware victims:

    Figure 2. Countries most affected by banking malware

    We saw ransomware become far more potent in the latter part of the year as CryptoLocker emerged as a new threat that hit users hard. This new threat – an evolution of previous ransomware attacks – encrypted the data of users, requiring a one-time payment of approximately $300 (payable in cryptocurrencies like Bitcoin) before their data would be decrypted. In some ways, CryptoLocker became as serious a problem for end users as fake antivirus malware had in previous years.

    The fall of the Blackhole Exploit Kit in 2013 due to the arrest of its creator, Paunch, was a significant event that appreciably changed the threat landscape. It significantly cut the use of malicious links in spam messages by attackers. While other exploit kits have emerged into the threat landscape since then, no other kit has achieved BHEK’s levels of prominence.

    Targeted Attacks and Data Breaches: Still In Operation

    Despite reduced media attention, targeted attacks continued to hit organizations across the world last year. We observed attacks in many parts of the world, with countries in Asia at particular risk from these coordinated targeted attacks. Well-organized campaigns like EvilGrab and Safe highlighted the capabilities and sophistication of modern targeted attacks.

    Figure 3. Countries affected by targeted attacks

    Data breaches also continued to plague organizations. Companies like Adobe, Evernote, and LivingSocial were all hit by various breaches that exposed the customer data of millions of users. Breaches like these not only cause a loss of face for the affected organizations, but may also put them at legal risk for failing to protect the data of their users.

    Mobile Threats: Mobile Banking Under Fire

    Mobile threats continued to flourish last year, with an estimated one million malicious and high-risk apps found in the year alone. Significantly, we saw increasing use of mobile banking threats like the PERKEL and FAKEBANK families, both of which put users of mobile banking apps and websites at the same risk of fraud and financial loss that other users face. Information stealers like banking malware are now the third most common type of malicious/high-risk app found, behind traditional standbys like premium service abusers and adware:

    Figure 4. Types of mobile malware threats

    Digital Life: Privacy at Risk

    Revelations about government spying made many question if online privacy was still alive, or even possible. Previously, users had always worried that cybercriminals could get their hands on their personal information; now they worry about large, previously trusted organizations – both government and private – doing the same thing.

    Attacks delivered via social media (combined with social engineering) have now become the norm, with newer social networks like Instagram, Pinterest, and Tumblr suffering from their own scams as well. Indeed, attacks on all social media platforms have become so common, it may almost be considered “business as usual.”

    For a more comprehensive analysis of these threats, check our 2013 roundup titled Cashing In On Digital Information.

     
    Posted in Bad Sites, Exploits, Malware, Mobile, Social, Spam, Targeted Attacks | 2013 Security Roundup: Cashing In On Digital Information



    The interesting turn of events surrounding the game Flappy Bird has had the Internet buzzing: after it became massively popular (downloaded more than 50 million times), the developer suddenly announced that he would take down the game from app stores, and then actually did so. The decision brought the interest around the game to an even greater scale, with similar apps seen emerging in app stores, and even auctions for devices with the app installed.

    The next development we saw, however, is a less desirable one: we found a bunch of fake Android Flappy Bird apps spreading online.

    Especially rampant in app markets in Russia and Vietnam, these fake Flappy Bird apps look exactly like the original version.

    All of the fake versions we’ve seen so far are Premium Service Abusers — apps that send messages to premium numbers, thus causing unwanted charges on victims’ phone bills. The fake Flappy Bird app asks for additional permissions to read and send text messages during installation — permissions that the original version does not require.

    After the game is installed and launched, the app begins sending messages to premium numbers.

    And while the user is busy playing the game, this malware stealthily connects to a C&C server through Google Cloud Messaging to receive instructions. Our analysis of the malware revealed that through this routine, the malware sends text messages and hides the notifications of received text messages with certain content.

    Apart from premium service abuse, the app also poses a risk of information leakage for the user since it sends out the phone number, carrier, and Gmail address registered in the device.

    Other fake versions we’ve seen have a payment feature added into the originally free app. These fake versions display a pop-up asking the user to pay for the game. If the user refuses to pay, the app will close.

    These fake Flappy Bird apps are now detected as ANDROIDOS_AGENT.HBTF, ANDROIDOS_OPFAKE.HATC, and ANDROIDOS_SMSREG.HAT.

    We advise Android users (especially those who are keen to download the now “extinct” Flappy Bird app) to be careful when installing apps. Cybercriminals are constantly cashing in on popular games (like Candy Crush, Angry Birds Space, Temple Run 2, and Bad Piggies) to unleash mobile threats. Our past entry, Checking the Legitimacy of Android Apps, enumerates some tips on how to avoid suspicious or malicious apps. Users may also opt to install a security app (such as Trend Micro Mobile Security) to be able to check apps even before installation.
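    The tell-tale sign described in this entry is the permission set: a free offline game has no business sending or reading SMS, registering for Google Cloud Messaging, or reading the phone number and accounts on the device. The checker below is an added example, not Trend Micro code; it parses the uses-permission entries of an AndroidManifest.xml and flags SMS permissions plus anything beyond an assumed baseline for the genuine app. Both manifests are constructed for the demonstration, and the baseline is an assumption, not the real app’s manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
# Permissions that let an app send or read SMS, the hallmark of premium service abusers
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS", "android.permission.WRITE_SMS"}
# Assumed baseline: what a free single-player game like the original plausibly declares
GAME_BASELINE = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}

def declared_permissions(manifest_xml: str) -> set:
    """Collect android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}

def assess(manifest_xml: str, baseline: set = GAME_BASELINE) -> dict:
    """Flag SMS permissions and anything beyond the baseline the genuine app needs."""
    perms = declared_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMS)
    extra = sorted(perms - SMS_PERMS - baseline)
    return {"sms": sms, "extra": extra, "premium_sms_risk": bool(sms)}

# Constructed manifests (not taken from real apps): a lookalike of the original and a trojanized one
def _manifest(perms):
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="example.flappy">'
            f"{body}<application/></manifest>")

ORIGINAL_LIKE = _manifest(["android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"])
# SMS for premium abuse, c2dm RECEIVE for the GCM channel, phone state and accounts for the leak
TROJANIZED = _manifest(["android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
                        "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                        "android.permission.READ_PHONE_STATE", "android.permission.GET_ACCOUNTS",
                        "com.google.android.c2dm.permission.RECEIVE"])
```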

     
    Posted in Mobile | Trojanized Flappy Bird Comes on the Heels of Takedown by App Creator


     

    © Copyright 2013 Trend Micro Inc. All rights reserved.