When people discuss the Internet of Everything (IoE), it refers to the introduction of computing power and networking capabilities to previously “dumb” devices like television sets, cars, pedometers, and appliances. Many believe that it is the next big thing in tech, and it offers users a wide array of benefits, allowing them to save time, money, or even improve their lives.  These gadgets range from the merely nice to have, all the way to mission critical tools.

However, the Internet connectivity and computing power of these devices – the very things that makes them “smart” – introduces security risks as well. For instance, in smart TVs facial and speech recognition features are problematic in terms of privacy. Self-driving cars may be hacked and cause injure to their occupants or passers-by. Pervasive wearable tech, while useful to their owners, may be considered a privacy threat by bystanders.

We’ve earlier talked about the factors that will influence the proliferation of smart devices in homes. These factors include market pressures, regional availability and cultural acceptance. Smart home devices are being marketed and are readily available, whether in stores or online. In addition, in some markets broadband providers are also selling these devices to their existing customers, adding home automation to existing Internet and cable TV plans.

Cybercriminals go after the platforms and devices that are popular with users. However, while smart devices may be the “next big thing”, they have not yet been broadly adopted. In our 2014 predictions, we noted that there is no “killer app” that many users will consider a must-have; such an “killer app” would lead to a wide-scale adoption of smart devices.

However, the numbers of people adopting smart devices will only grow. These early adopters need to be aware of the various security risks of these devices – not only to their personal information and privacy, but also to their safety and well-being.

For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

Evolution is a continuous process, and nothing can exemplify the process better in our industry than the threats we defend against. From simple pranks and nuisances, they’ve become thieves of information, violators of privacy, destroyers of reputations and even saboteurs of businesses, all for the sake of money. They’ve also become tools for activists and terrorists of the cyber variety, used to make strong statements against governments or organizations.

But as such threats evolve, so must the security solutions that defend against them, or be left in the dust. This is our ethos in Trend Micro – that the protection we provide for our customers not only improve with every version we come out with, but continuously evolve into more powerful, more efficient and more impenetrable to cybercriminal attacks.

Our latest infographic, Trend Micro Endpoint Security Technology Evolution: A Complete Approach to Security, illustrates this. Using the visualization of a tree taking root and sprouting branches from its tree trunk, we catalog the evolution of cybercrime as well as the technologies we developed to address those malicious evolutions.

Take malware, for example, one of the main tools of cybercrime.From its primal state as a prank program to how it’s become a money-making machine, we’ve not only developed one but three technologies to address it:

• Signature-based Scanning, which identifies, isolates and deletes malware by matching it to a specific malware signature/pattern;
• Heuristic Behavior Scanning, which detects polymorphic malware  through its malicious behavior, and;
• File Reputation Services, which identifies and blocks malware through their history, sources, behavior and reputation.

Each of these technologies work in conjunction with each other, as well as those that address the other tools of cybercrime – to provide a well-rounded and balanced approach to security that families and businesses deserve.

With online banking becoming routine for most users, it comes as no surprise that we are seeing more banking malware enter the threat landscape. In fact, 2013 saw almost a million new banking malware variants—double the volume of the previous year. The rise of banking malware continued into this year, with new malware and even new techniques.

Just weeks after we came across banking malware that abuses a Window security feature, we have also spotted yet another banking malware. What makes this malware, detected as EMOTET, highly notable is that it “sniffs” network activity to steal information.

The Spam Connection

EMOTET variants arrive via spammed messages. These messages often deal with bank transfers and shipping invoices. Users who receive these emails might be persuaded to click the provided links, considering that the emails refer to financial transactions.

Figure 1. Sample spammed message

Figure 2. Sample spammed message

The provided links ultimately lead to the downloading of EMOTET variants into the system.

Theft via Network Sniffing

Once in the system, the malware downloads its component files, including a configuration file that contains information about banks targeted by the malware. Variants analyzed by engineers show that certain banks from Germany were included in the list of monitored websites. Note, however, that the configuration file may vary. As such, information on the monitored banks may also differ depending on the configuration file.

Another downloaded file is a .DLL file that is also injected to all processes and is responsible for intercepting and logging outgoing network traffic. When injected to a browser, this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file.

If strings match, the malware assembles the information by getting the URL accessed and the data sent. The malware saves the whole content of the website, meaning that any data can be stolen and saved.

EMOTET can even “sniff” out data sent over secured connections through its capability to hook to the following Network APIs to monitor network traffic:

• PR_OpenTcpSocket
• PR_Write
• PR_Close
• PR_GetNameForIndentity
• Closesocket
• Connect
• Send
• WsaSend

Our researchers’ attempts to log in were captured by the malware, despite the site’s use of HTTPS.

Figures 3 and 4. Login attempt captured by the malware

This method of information theft is notable as other banking malware often rely on form field insertion or phishing pages to steal information. The use of network sniffing also makes it harder to users to detect any suspicious activity as no changes are visibly seen (such as an additional form field or a phishing page). Moreover, it can bypass even a supposedly secure connection like HTTPs which poses dangers to the user’s personal identifiable information and banking credentials. Users can go about with their online banking without every realizing that information is being stolen.

The Use of Registry Entries

Registry entries play a significant role in EMOTET’s routines. The downloaded component files are placed in separate entries. The stolen information is also placed in a registry entry after being encrypted.

The decision to storing files and data in registry entries could be seen as a method of evasion. Regular users often do not check registry entries for possibly malicious or suspicious activity, compared to checking for new or unusual files. It can also serve as a countermeasure against file-based AV detection for that same reason.

We’re currently investigating how this malware family sends the gathered data it ‘sniff’ from the network.

Exercising Caution

Latest feedback from the Smart Protection Network shows that EMOTET infections are largely centered in the EMEA region, with Germany as the top affected country. This isn’t exactly a surprise considering that the targeted banks are all German. However, other regions like APAC and North America have also seen EMOTET infections, implying that this infection is not exclusive to a specific region or country.

As EMOTET arrives via spammed messages, users are advised not to click links or download files that are unverified. For matters concerning finances, it’s best to call the financial or banking institution involved to confirm the message before proceeding.

Trend Micro blocks all related threats.

With additional insights from Rhena Inocencio and Marilyn Melliang.

Update as of July 3, 2014, 2:00 A.M. PDT:

The SHA1 hash of the file with this behavior we’ve seen is:

• ba4d56d01fa5f892bc7542da713f241a46cfde85

Monitoring network traffic is one of the means for IT administrators to determine if there is an ongoing targeted attack in the network.  Remote access tools or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications.  Although the network traffic of these RATs, such as Gh0st, PoisonIvy, Hupigon, and PlugX, among others, are well-known and can be detected, threat actors still effectively use these tools in targeted attacks.

Last May we encountered a targeted attack that hit a government agency in Taiwan. In the said attack, threat actors used PlugX RAT that abused Dropbox to download its C&C settings. The Dropbox abuse is no longer new since an attack before employed this platform to host the malware. However, this is the first instance we’ve seen this technique of using Dropbox to update its C&C settings in the cases we analyzed related to targeted attacks.

In the last few weeks, we have reported other threats like Cryptolocker and UPATRE that leveraged this public storage platform to proliferate malicious activities. The samples we obtained are detected by Trend Micro as BKDR_PLUGX.ZTBF-A and TROJ_PLUGX.ZTBF-A.

When BKDR_PLUGX.ZTBF-A is executed, it performs various commands from a remote user, including keystroke logs, perform port maps, remote shell, etc., leading to subsequent attack cycle stages. Typically, remote shell enables attackers to run any command on the infected system in order to compromise its security.

This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents.  We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won’t immediately suspect any malicious activities on their systems.

Accordingly, this is a type II PlugX variant, one with new features and modifications from its version 1. One change is the use of “XV” header as opposed to MZ/PE header it previously had. This may be an anti-forensic technique used since it initially loads “XV” header and the binary won’t run unless XV are replaced by MZ/PE. Furthermore, it also has an authentication code from the attacker, which, in this case, is 20140513. However, one common feature of PlugX is the preloading technique wherein normal applications load malicious DLL.  This malicious DLL then loads the encrypted component that contains the main routines. Furthermore, it abuses certain AV products.

Read the rest of this entry »

Cross-platform threats can be dangerous, both at home and in the office. These can ‘jump’ from one platform to another, or target all of them at the same time – potentially infecting a user’s entire network, or even a company’s network if left unchecked. The risk to critical data and system functionality, not to mention overall network security, can be catastrophic if not mitigated properly.

With the mobile device boom, cybercriminals had begun taking the portable platform into consideration with their all-encompassing attacks. We’ve already detected quite a few. Some examples:

• ANDROIDOS_USBATTACK.A, a malicious app that not only can perform information theft routines on the affected device, but also downloads malware that triggers only when the device itself is connected to a PC via USB. While the end payload is the PC’s microphone being turned into a wiretapping device, it could have easily sported much more damaging routines.
• TROJ_DROIDPAK.A, a Trojan that downloads and installs malicious apps onto any Android device connected to the affected PC. The apps are malicious versions of online banking apps, which could compromise a user’s online banking account.

Both examples feature cross-platform infection in opposite directions – from the mobile device to the PC, and vice versa. In the long run, cybercriminals may look to expanding this chain to everything else that the mobile device can connect with (such as home automation systems and other parts of the Internet of Everything). This could also mean that cybercriminals will also be looking to augment their targeted attacks against organizations to also include mobile device attacks (as evidenced by the mobile RAT found in a LuckyCat C&C server).

In our latest Monthly Mobile Report, The Reality of Cross-Platform Mobile Threats, we tackle cross-platform mobile threats, what makes it possible and what we may expect from this particular avenue of cybercrime in the future. We also explore how users and business owners alike can combat this multi-pronged threat before they can be victimized by it.And with cybercriminals currently using the 2014 World Cup to drive desktop and mobile device threats – which could mean cross-platform attacks in the horizon – there’s no better time for users and business owners to catch up and be informed.

Cross-platform mobile threats may seem intimidating, but with the right tools and the right know-how, it can be protected against. Read our latest Monthly Mobile Report at the link above, or on our Mobile Threat Information Hub.