Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Brian Cayanan (Threats Analyst)

    Last week, Trend Micro found malware samples that had been signed with digital certificates belonging to two software companies that develop specialized software. Since the two digital certificates are used by developers making very specialized products, this can increase the chances that this attack will succeed.

    We have identified several samples that were signed with these compromised certificates, which we detect as TROJ_KRYPT.SMMV or TSPY_KRYPTIK.NO. We do not know if the same author was responsible for both attacks, although they do share similarities.

    Both attacks used Java exploits to get onto the affected systems, which we detect as JAVA_EXPLOIT.SO and JAVA_EXPLOIT.EOJ. It’s worth noting that the exploits used here rely on vulnerabilities from early 2012, so a patched Java install would have helped protect users.

    In addition, they also used a similar packaging tool. This allows different types of malware to be launched into the memory of infected system without actually dropping the physical malware file. In addition, it makes it possible to re-use old malware code, since the packaging tool will produce an entirely different file from any original (detecting) malicious code, evading detection.

    Read the rest of this entry »

    Posted in Exploits, Malware | Comments Off on The Security Risks of Compromised Digital Certificates

    We recently found some suspicious looking URLs which suggest that a malicious file named ChromeSetup.exe is hosted in domains like Facebook and Google.

    The finding, which we were able to flag during our analysis of data processed by the Trend Micro™ Smart Protection Network™ definitely caught our attention.

    Looking at data from the Smart Protection Network™, we were able to find 3 different binary files that appear to be downloaded from the following URLs:

    • hxxp://
    • hxxp://
    • hxxp://
    • hxxp://
    • hxxp://
    • hxxp://

    When we took a closer look at the downloads, we identified that all downloads are being redirected to two different IPs, instead of the legitimate IPs of the accessed domains. What’s more noteworthy is the fact were seeing access in clients from the Latin American region, mostly in countries Brazil and Peru.

    An analysis of the file ChromeSetup.exe done by my colleagues Roddell Santos and Roland dela Paz verified that it is a multi-component BANKER malware detected as TSPY_BANKER.EUIQ.

    Once running on a system, TSPY_BANKER.EUIQ sends information such as the infected system’s IP address and operating system name to a specific IP address. It also downloads a configuration file that contains information it uses to redirect access to fake banking pages whenever a user attempts to visit certain banking websites.

    When a user opens a targeted bank’s site, TSPY_BANKER.EUIQ intercepts the page request and displays the following message, tricking users into thinking that the website is loading security software where in fact it is already redirecting users to the spoofed banking website:

    It then opens Internet Explorer to go to the new link depending on the browser’s title. Screenshot of a fake site is below. Notice the “_” before the name in the window title, as well as the URL of the banking site:

    TROJ_KILSRV.EUIQ, a component of this TSPY_BANKER.EUIQ, on the other hand, uninstalls a software called GbPlugin–a software that protects Brazilian bank customers when performing online banking transactions. It does this through the aid of gb_catchme.exe–a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas.

    Further Investigation

    A more in-depth investigation allowed us to gain access on the page index where TSPY_BANKER.EUIQ downloaded configuration files from. The same index page hosted the three binary files that the malware used aside from the configuration file that we saw in the same location.

    Roland analyzed the IP to where TSPY_BANKER.EUIQ sends the infected system’s IP address and operating system name, and found a panel that appears to show logs related to the attack.

    During the time the C&C panel was analyzed, we have observed an abrupt increase on the registered logs. In fact, the phone home logs jumped from around 400 to nearly 6000 in a span of 3 hours. These logs are comprised of 3000 unique IP addresses which translates to the number of machines infected by the malware.

    The server, unfortunately, soon became inaccessible. However, the abrupt increase in the malware C&C logs could either mean that there was an outbreak of the malware or they might be migrating their C&C server at the time. It also appears that the attack is targeting Brazilian users and it is targeting Brazilian banks.

    Since the start of this analysis, we have also been seeing variations of the BANKER malware we analyzed during this investigation in the wild. The first few samples that we got installed the three components separately, but now we are getting new samples that are able to install the different components in one package. It looks like this malware is still under development and we may still see improvements in future variants. Roland also mentions that he came across a likely related C&C that surface last October 2011 which indicates that the perpetrators behind this threat aren’t new in the scene.

    Missing Piece

    While we may have a complete picture of this particular attack, the one missing piece now is the same thing that made us notice this malware from the millions of data that we have from our threat intelligence – how it is able to redirect user accesses from normal websites like Facebook or Google to its malicious IP to download malware. We will continue our investigation related to this incident and will update this blog with our findings.

    Online threats will continue to evolve and find ways into systems. As such, traditional web blocking technologies may fail to block access to malicious URLs, especially when these are masked with the use of legitimate domains like those of Facebook or Google.

    This is where a telemetry such as the Trend Micro™ Smart Protection Network™, which provides intelligence derived from a global network of threat data, becomes vital. This technology not only allows us to identify and correlate emerging attacks worldwide, but also lets us instantly deploy the proper threat mitigation solutions on customer environments.


    2011 has been dubbed as the year of specialized attacks. This fact has been very prominent in this year’s RSA Conference held this month in San Francisco, where we saw the different leading security companies shifting focus from protecting the traditional enterprise architecture to its next evolutionary stage, which is more susceptible to targeted attacks.

    New advances in technology have initiated big changes on how people work in the enterprise world. These changes are also bringing in new security challenges in the workplace. What does consumerization, BYOD, and cloud computing bring to the enterprise security scene and how should we approach these new challenges?

    The New Workforce Generation

    Enrique Salem’s (President and CEO of Symantec) keynote discussing the differences of today’s workforce (which he termed “digital natives”), as opposed from earlier generations, is a good way of describing the current situation being experienced by enterprises today.

    Salem describes this new workforce generation as the people born during and after the Internet boom of the 1990s. They have been raised in a world where everything is connected through the web and everything is done through the web. They are natural networking people that do everyday things in ways that were never done before, using tools such as social media and cloud computing. They are mobile, able to do anything, anywhere, any time, but exhibit continuous partial attention due the volume of information that they consume every day.

    This whole new generation has just started entering the workplace in the last few years. They have brought with them demands to change the traditional enterprise architecture to fit their own working methodologies.

    Blurring the Lines

    As more and more people start embracing new technologies from the “digital native” mindset, they are slowly integrating these technologies into their own lifestyles. Mobile, always connected, always informed… these are all very helpful capabilities to have for our everyday tasks; more and more people are applying these same concepts in the workplace. Consumer devices–which is how most people are first introduced to mobility and connectivity–start finding their way into enterprise networks. People start bringing them in and demanding their network administrators to support them because they make their work easier and faster. More and more systems are being integrated into the cloud in order to give people access to their data wherever and whenever.

    New technologies and devices are starting to blur the lines between people’s personal and professional lives. RSA Chairman Art Coviello even said that we are already past the tipping point of separating the two. The end result is that IT organizations end up having to learn how to manage things that they cannot directly control; security organizations end up having to learn how to protect things that they cannot directly control.

    Read the rest of this entry »

    Posted in Bad Sites | Comments Off on The Future of Enterprise Security According to RSA 2012


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice