    Archive for March 17th, 2014

    As more countries join in the search for the missing Malaysia Airlines Flight 370, we are seeing cybercriminals use this highly talked-about topic to unleash different online threats.

    One involves a fake video about this flight, which we believe is spreading via email. The video is supposedly a five-minute clip about MH370 named Malaysian Airlines MH370 5m Video.exe. In reality, it is a backdoor detected as BKDR_OTOPROXY.WR. As is the case with most backdoors, this malware allows a remote attacker to execute various commands on the system, including downloading and running files from its servers and collecting various system information.

    There is one unusual aspect to this backdoor. Its command-and-control (C&C) server at www-dpmc-dynssl-com (replace dashes with dots) was noted by other security researchers in October of last year as being related to a targeted attack. It is unusual for a targeted attack to share the same infrastructure as a more “conventional” cybercrime campaign, yet that appears to be the case here. We currently have no information that this particular backdoor is being used in targeted attacks.

    We also saw survey scams that took advantage of this tragedy. One such incident actually uses the fake breaking news that the missing aircraft has been found at sea. Users who click the link will be directed to a website that closely mimics the layout of Facebook. This site has an embedded video, supposedly of the discovery of the missing plane. Clicking anywhere on the page actually opens another page with a fake video about the sequel of the movie Avatar.

    Figure 1. Malicious site with embedded “video”

    When the user clicks on any of these videos, they will be prompted to share it with their social media followers before viewing; viewing is restricted unless the video is shared. After sharing, the user is required to verify their age by completing a test. These tests are actually nothing more than a survey scam. These scams prompt users to answer multiple surveys in exchange for something (in this case, a supposed video) which doesn’t actually exist. Feedback from the Smart Protection Network indicates that 32% of users accessing this page are in North America; more than 40% are from the Asia-Pacific region.

    Another survey scam incident involves one site mimicking the layout of YouTube to present yet another video of the “discovery” of the missing plane. Like the previous incident, it requires users to share the video and take a “test” before they can watch it. Once again, this test leads to a survey scam site.

    Figure 2. Another site promoting a late-breaking “video”

    Current events and news updates have become go-to social engineering bait for cybercriminals. This has become an unfortunately frequent occurrence – events like the Tohoku earthquake, the Boston Marathon bombing and Typhoon Haiyan were all abused to spread various threats.

    We advise users to rely on reputable and trusted news sites to get information on current events, rather than through emails or social networking sites. Trend Micro detects and blocks all threats related to these incidents.

    With additional insights from Maela Angeles, Ruby Santos, and Isaac Velasquez. 

    Posted in Bad Sites, Malware, Spam | Comments Off on Malaysia Airlines Flight 370 News Used To Spread Online Threats

    I attended the RSA 2014 Conference in San Francisco, which was held about two weeks ago. This year the conference offered new insights into today’s threat landscape, which will help us all plan for and protect users in 2014 and beyond.

    Largest Security Conference of 2014

    The attendance numbers for RSA are always impressive: this year had more than 25,000 attendees, 400+ sponsors and exhibitors, and more than 550 speakers. Such was the number of vendors that two large Exposition Halls – one each in the Moscone Center’s North and South buildings – were used for vendor exhibits. The various sessions – including most of the technical track talks I attended – were in the Moscone West hall.

    Earlier my colleague JM Hipolito shared her own thoughts about RSA; here is what I found most interesting there.

    Opening Keynote: Finding a Path Forward in an Increasingly Conflicted Digital World

    The Executive Chairman of RSA, Art Coviello, delivered the opening keynote. He gave his first public comment on the RSA and NSA controversy, as well as the need to separate the NSA’s offensive and defensive functions. But what I will remember most about his keynote is his call to governments and the security industry as a whole to adopt four guiding principles to help maintain a safer Internet for everyone:

    1. Renounce the use of cyberweapons, and the use of the Internet for waging war
    2. Cooperate internationally, in the investigation, apprehension and prosecution of cyber criminals
    3. Ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected
    4. Respect and ensure the privacy of all individuals

    He also reiterated the need for the security industry and governments to work hand in hand to create a safer digital world that will benefit this and the generations to come.

    All of the guiding principles are equally important, but I would like to highlight the first and second ones as being the most important.

    The topic of cyberwar and cyberweapons is very sensitive, but I found the correlation between cyberweaponry and nuclear weapons compelling. I totally agree with Coviello’s statement that “we must have the same abhorrence to cyberwar as we do nuclear and chemical war.”

    As for cooperation in prosecuting cybercrime, this is a topic where Trend Micro’s positions are well-known. We’ve frequently spoken about the need for researchers and law enforcement agencies to work together to prosecute the actual “threat actors”, as we believe that this is the most effective way to catch cybercriminals.

    These partnerships allow researchers and police to combine their strengths and ensure that
    Our efforts have netted effective results, most recently being the arrest of the creator of SpyEye.

    Bitcoin Is Here: How to Become a Successful Bitcoin Thief

    Uri Rivner of Biocatch and Etay Maor of Trusteer co-presented the one technical session at RSA dedicated to Bitcoins. They discussed the basics of cryptocurrency and how one can use it. They also discussed the usual use cases of Bitcoin: from creating a wallet and having your very own address, to filling the wallet with Bitcoins using an online Bitcoin exchange.

    The highlight of the session for me was a live demonstration of a hack using a SpyEye variant. In the demo, they performed a man-in-the-browser (MiTB) attack and stole the user’s Bitcoin from his wallet.

    They also discussed the top cybercriminal activities that Bitcoin has been tied to. These include phishing attempts to steal Bitcoin-related website credentials, deploying RATs (Remote Access Trojans) to have direct access to desktop wallets, up to using botnets to mine Bitcoins (even though this is no longer particularly attractive).

    They also explained why cybercriminals are interested in cryptocurrencies like Bitcoin. Because cybercriminals believe that cryptocurrencies offer anonymity, they think that these will help in laundering money made from illegal activities. In addition, advanced services available in the cybercrime underground (like Bitcoin fogging services) may enable threat actors to increase their anonymity further still.

    In summary, the presenters said that Bitcoin is a new exciting frontier and encouraged everyone in the room to try and delve into it so that they understand its potential. They warned about the increasing phishing and malware attacks related to cryptocurrencies. They also pointed out that online Bitcoin exchanges and online wallets are low hanging fruit that may be a big opportunity for the cybercriminals. (The troubles of many online exchanges recently, including erstwhile leader Mt. Gox, have only reinforced this last point.)

    The talk mirrored many of the points we have discussed. In December, we had discussed the possibility of Bitcoin’s then-record prices causing thefts of Bitcoin wallets. We had also earlier discussed how users can help secure their cryptocurrency. Overall, we share their sentiments: Bitcoin is the object of much potential, but is the subject of multiple threats as well.

    Posted in Malware | Comments Off on RSA Conference 2014: The Way Forward

