    Archive for August 4th, 2014

    When you work for a security company, sometimes people think you must know everything there is to know about technology. So sometimes I get asked, “Will Bitcoin and other cryptocurrencies succeed?”

    Unfortunately, I’m an engineer, not an economist. I can’t speak to how big central banks like the Federal Reserve in America, the Bundesbank here in Germany, or the Bank of England in Britain will react to it. Maybe they’ll try to regulate it. Maybe they’ll try to ban it. Who knows? Ask an economist or a banker; they might know better.

    What I do know is that more and more brands are accepting cryptocurrencies as payment. In America, for example, online tech stores like Dell and Newegg have started to accept bitcoins. Not only can you buy your gadgets with bitcoins, but you can also go on vacation with them — online travel agencies like and airlines like airBaltic accept bitcoins as well.

    However, they’re not the only ones who have embraced Bitcoin. Cybercriminals have embraced it too. If you’re affected by ransomware, you can pay for your ransom with bitcoins. Cybercriminals buying goods and services from each other are using it, too.

    Why are these crooks using Bitcoin? One reason may be they think that it’s safe and anonymous. Certainly, many of its biggest supporters say the same thing. However, that’s not really accurate. Yes, your Bitcoin address doesn’t directly say anything about you, but all transactions are part of the blockchain – which means anyone can see it.

    Any organization with skills in organizing large data sets and gathering information from various sources could, if they wanted to, de-anonymize Bitcoin transactions. It’s not as safe as people think. Let’s not even go into detail about how malware is trying to steal bitcoins from the wallets of users.

    So, is Bitcoin the future of cryptocurrencies? What I do know is that cybercriminals like it just as much as real-world currency, and it has its own share of risks too. In some ways, the new digital currency is just like the old ones.

    For more of my thoughts on Bitcoin and other cryptocurrencies, watch the video below titled “Bitcoin: Here today, gone tomorrow?”


    We have previously discussed an Android vulnerability that may lead to user data being captured or used to launch attacks. We discovered that the popular Android app for Evernote contained the said vulnerability. We disclosed the details to Evernote, and they took action by issuing an update to the Android version of their app. Evernote has added additional controls to protect user data in Evernote for Android 5.8.5. Android users who are running versions below 5.8.5 should update to the latest version.

    The Content Providers Vulnerability

    The patched vulnerability involves content providers, the Android component that stores and shares application data. A provider’s android:exported attribute controls whether other apps on the device may read or write the data it holds.

    The previous version of Evernote defined two permissions to protect the content provider that stores almost all of the user’s data. However, the protection level of both permissions was set to “normal,” which means any other application on the device can request and be granted these two permissions.

    Figure 1. Sample Evernote entry

    Figure 2. Content shown by exploiting the content provider vulnerability

    Cybercriminals may create malicious applications that may be used to capture the data stored in the Evernote app. For users who rely on Evernote to store sensitive information such as user accounts and passwords, this could lead to data theft, identity fraud, and more.

    Exposed, Unencrypted Data

    Apart from the vulnerability explained above, we’ve also found another vulnerability that may allow malicious apps to see all the notes in the affected device because of where the notes are stored.

    The Evernote app stores all the user’s notes in external storage under the directory /sdcard/Android/data/com.evernote/files/. Unfortunately, the files stored in this folder are not encrypted and can be read by other apps.

    Figure 3. Sample note

    Figure 4. The note is accessed by exploiting the SD card vulnerability

    The Android OS version of the affected device also affects the amount of access given to apps. For Android 4.3 and earlier versions, an app doesn’t even require a special permission to access the said folder. For Android 4.4 and later versions, the READ_EXTERNAL_STORAGE permission is required. However, this permission is requested by many legitimate apps, so a malicious app requesting it will not arouse suspicion.

    Malicious users can write a simple code snippet to read/write files stored by the said app and inject it into repackaged applications that already request the READ_EXTERNAL_STORAGE permission. Attackers can then use these repackaged apps to trick users into granting them the said permission.

    We are disclosing this information in order for developers who may have likewise incorrectly implemented this external storage provision to modify their apps. Developers should also define their permissions in the signature level to protect their important components. We also encourage developers to implement encryption for any content the app creates, handles, and transmits. If possible, any sensitive information should not be stored in external storage.
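    As an added example that is not part of the original post or of Evernote’s own code, the following Python script audits an AndroidManifest.xml for the content provider weakness described above and the signature-level recommendation just given: it flags any exported provider whose guarding permissions are weaker than signature level. The manifest it parses is a constructed sample; the package, provider and permission names are made up for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(elem, name):
    """Read an android:<name> attribute from a manifest element (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_providers(manifest_xml):
    """Flag reachable content providers whose guarding permissions are not
    signature-level. Returns (provider, permission, level) tuples; level is
    'unprotected' when no permission guards the provider at all and
    'undeclared' when the permission is not declared in this manifest."""
    root = ET.fromstring(manifest_xml)
    # Permissions declared by the app itself; protectionLevel defaults to "normal".
    levels = {android_attr(p, "name"): (android_attr(p, "protectionLevel") or "normal")
              for p in root.iter("permission")}
    findings = []
    for prov in root.iter("provider"):
        name = android_attr(prov, "name")
        if android_attr(prov, "exported") == "false":
            continue  # not reachable from other apps
        guards = [android_attr(prov, a) for a in ("permission", "readPermission", "writePermission")]
        guards = [g for g in guards if g]
        if not guards:
            findings.append((name, None, "unprotected"))
            continue
        for g in guards:
            level = levels.get(g, "undeclared")
            # "signature|privileged" and the deprecated "signatureOrSystem" also bind to the signing key.
            if level.split("|")[0] not in ("signature", "signatureOrSystem"):
                findings.append((name, g, level))
    return findings

# Constructed sample manifest modelled on the weakness described above (not Evernote's own).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <permission android:name="com.example.notes.READ" android:protectionLevel="normal"/>
  <permission android:name="com.example.notes.WRITE" android:protectionLevel="normal"/>
  <application><provider android:name=".NotesProvider"
      android:authorities="com.example.notes" android:exported="true"
      android:readPermission="com.example.notes.READ"
      android:writePermission="com.example.notes.WRITE"/></application>
</manifest>"""
# Same manifest after the fix the post recommends: signature-level permissions.
FIXED_MANIFEST = WEAK_MANIFEST.replace('protectionLevel="normal"', 'protectionLevel="signature"')

if __name__ == "__main__":
    print(audit_providers(WEAK_MANIFEST))   # two findings, both with level "normal"
    print(audit_providers(FIXED_MANIFEST))  # []
```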

    We have notified Evernote of this new vulnerability. We are not currently aware of any active attacks using this flaw.

    Posted in Mobile, Vulnerabilities | Comments Off on Evernote Patches Vulnerability in Android App

    Backdoors are an essential part of targeted attacks, as they allow an external threat actor to exercise control over any compromised machines. These allow the threat actor to collect information and move laterally within the targeted organization.

    Our investigations into various targeted attacks have shown that backdoors use a wide variety of tactics to carry out their routines and to remain undetected by network administrators and security products. Over time, these techniques have evolved as more sophisticated defenses have become available to network administrators.

    Initially, all that was needed for an attacker to connect to a compromised machine was an open TCP/IP port. However, as firewalls became more commonplace, other techniques became necessary. Techniques evolved so that the compromised client initiated the connection out to the attacker’s server, since blocking outbound traffic was, initially, less common.

    Over time, as the possible defenses have become more sophisticated, so have the techniques in use. For example, publicly available blogs have become command-and-control (C&C) servers of a sort:

    Figure 1. Blog used for command and control (click to enlarge image)

    This free “blog” contains ciphertext that, when decrypted by the backdoor, reveals the actual C&C servers. Using free services for C&C functions is not new; we noted just recently how Dropbox was being used in a similar way.

    Our paper, titled Backdoor Use in Targeted Attacks, is based on the experience we have gathered in investigating various targeted attacks. It details some of the various techniques we’ve seen in use to connect backdoors with their C&C servers. In addition, it provides IT administrators with accepted best practices to help prevent these techniques from taking root in their organizations. Other resources to help deal with targeted attacks can be found in our Threat Intelligence Resources on Targeted Attacks.

    Posted in Targeted Attacks | Comments Off on Backdoor Techniques in Targeted Attacks


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice