
    Author Archive - David Sancho (Senior Threat Researcher)

    In the previous post, we talked about the definition and categories of wearables. We will now focus our attention on possible attacks against such devices.

    The feasibility of an attack varies widely, depending on the broad category we are focusing on and on where the attack can take place. Conversely, the possibility of physical damage becomes more remote the further the attacker is from the physical device. As the attack moves further away from the device, the focus shifts towards stealing the data.

    Low User Risk, High Feasibility Attacks

    These attacks are the easiest to pull off but they have the most limited application against the user. In this scenario, the attacker compromises the cloud provider and is able to access the data stored there.

    Figure 1. Hackers are accessing the cloud provider to get the data


    Posted in Internet of Things | Comments Off on The Security Implications of Wearables, Part 2

    The Internet of Everything (also known as the Internet of Things) has given rise to new gadget categories in every electronics retailer's shop. Smart wearables are rapidly becoming more commonplace than you might think. While not everyone has Google Glass, you can bet that a lot of people have fitness trackers and even smart watches.

    By ‘wearable devices,’ we mean those pieces of equipment that people can have on themselves as they go about their day. The purpose of these devices is usually measuring bodily functions or serving as an output for other devices. These two functions can overlap to provide a more rounded experience of the user’s everyday reality as it happens.

    In this series of posts, we are going to review possible attacks and risks associated with wearable devices. Bear in mind that these are largely theoretical and/or conceptual. They are not current attacks, and therefore they may or may not happen depending on how the electronics market evolves and how other attack vectors keep criminals focused on other, juicier targets. Our intent here is not to scare users into avoiding this new device category but to encourage vendors to add security to them from the get-go.

    The Three Categories

    There are three very broad categories that we can use to describe what we are talking about.

    1. The ‘IN’ devices. These are sensors that capture a user’s data at all moments. Here, we find fitness sensors that measure the user’s steps, distance, effort, calories, heartbeat, GPS coordinates, etc. These devices usually store the information locally on the device and synchronize with mobile phones or PCs to upload that data, and afterwards to the user’s cloud account for historical logging and statistical display. Future devices that we have not yet seen could include medical devices that monitor health parameters, such as body temperature, oxygen in blood, etc.

    2. The ‘OUT’ devices. These are devices that output data coming from other devices, usually mobile phones. Here, we find smartwatches and the like, which are able to display texts and any application data for ease of use. Data displayed usually comes from internet sources by means of the intermediate device.

    3. The ‘IN and OUT’ devices. These are devices that capture data and use filters to display it differently. Here we find display devices such as Google Glass, which have cameras that capture reality but also feed data to the user by means of retina projection. These devices have the ability to enhance the user experience by overlaying information on top of reality. Simpler devices also act as ‘IN and OUT’ by both gathering user data (steps, distance, etc.) and streaming data from their companion mobile phone.

    While these are distinct categories, the tendency is for devices to coalesce into IN and OUT because makers want to add as much value as possible. One example would be devices that record fitness information but also notify users of text messages, events, and other information from mobile devices.

    The Security Standpoint

    From a security standpoint, it’s hard to say which category is more secure than the other. This is because the difference among the categories is primarily about attack vectors. The more things a device can do, the more possibilities exist for attackers. In this case, IN and OUT devices have the largest attack surface, and the most potential for attacks. However, this doesn’t mean that they are less secure. Security will depend on the implementation and the “track record” of the device. By track record, we mean the amount of attacks it has withstood over time. For newly introduced devices, cybercriminals may take a longer time to “test” them. However, as devices mature over time and hackers fully understand the inner workings of these devices, the platform isn’t as secure anymore.

    In the next blog posts, we will look at the possible attacks and risks associated with wearable devices. 

    You may read the next entries for “The Security Implications of Wearables:”

    For more information about wearables, you may check out the article “Are You Ready for Wearables?” and the infographic, “The Ins and Outs of Wearable Devices.” For more information about smart devices, you may visit our Internet of Everything hub.

    Posted in Internet of Things | Comments Off on The Security Implications of Wearables, Part 1

    The biggest security headache that consumers face on a regular basis may well be… the password. You need one to do just about anything online nowadays. This makes them very valuable targets of theft – as the news that “1.2 billion” passwords were stolen highlights. Unfortunately, remembering passwords for all the sites that people use every day can be a challenge.

    With that in mind, I was interested when I heard about a paper that discussed how users manage multiple passwords. Unfortunately, this paper from Microsoft and Canadian researchers doesn’t actually provide very good advice, and may in fact promote dangerous practices.

    Let me summarize the paper for those who haven’t read it: they suggest that users are incapable of following both of the key tenets of password security: that passwords must be secure (i.e., not easily found with a dictionary-based search), and that they must not be shared. The researchers suggest that users decide which accounts need to be protected with secure passwords; the other accounts can be protected with ordinary passwords that don’t have to be unique or secure.

    This idea only works if you accept as a fact that the user is incapable of remembering secure passwords. However, that’s why password managers exist. This idea that a user must rely on their unaided memory is simply wrong. The computer – whether it’s a PC, tablet, or smartphone – is an extraordinarily powerful tool. Why not use it?

    Yes, these managers are not perfect. Just last month, another group of researchers found vulnerabilities in several online password managers. However, they’re still a significant improvement over trying to remember passwords by rote memory, and it’s a gigantic improvement over using poor passwords. The perfect should not be the enemy of the good.

    I try to make the advice I give as clear as possible. Whether or not that was their intention, studies like this muddy the waters and send the message that bad passwords are okay. It depends on the user discriminating between what needs to be secure and what doesn’t. However, many users are likely to trade security for convenience and choose weak passwords instead. It’s human nature to do so. Sadly enough, the users most likely to choose weak passwords are also the ones who are likely to fall victim to various online threats.

    Let’s say, however, that someone really doesn’t want to use a password manager. That doesn’t mean you need to use a bad, recycled password. Consider this procedure:

    1. Choose a simple password you already use. Let’s take “Snoopy2” as an example.
    2. Create an algorithm in your mind that uses the full domain name of the website you’re protecting. So, for example, it can be: “two first letters, two last letters and the number of letters it has, first letter in uppercase”. “” becomes “Twer7”. It can be any algorithm you want, so long as you remember it.
    3. Choose a number that means something to you. Your birthday, the age at which you met your husband, whatever. Let’s say I use the number “32”.
    4. Put it all together. My password for twitter would be “Twer7snoopy232”. My next password for “” would be “Awum19Snoopy232”. If I ever need to change it, just add one to the last number… or 7. It’s up to you.
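    The four-step procedure above, written out as an added example (not code from the original post): `site_tag` applies the stated rule (two first letters, two last letters, letter count, first letter uppercase) and `derive_password` appends the reused base password and personal number, with the post's "add one to the last number" rotation as a `bump` parameter. It assumes the rule runs on the site's main label (e.g. "example" from "www.example.com"), which matches the post's seven-letter example; two-part suffixes such as .co.uk are not special-cased, and all sample values are constructed.

```python
def site_tag(domain: str) -> str:
    """Mnemonic tag for a site: first two letters + last two letters +
    letter count of the main domain label, with the first letter uppercased.

    Assumption (not stated in the post): the rule is applied to the registrable
    label, e.g. "example" for "www.example.com", not to the full hostname.
    """
    labels = [p for p in domain.lower().strip().split(".") if p]
    label = labels[-2] if len(labels) >= 2 else labels[0]
    tag = label[:2] + label[-2:] + str(len(label))
    return tag[0].upper() + tag[1:]


def derive_password(domain: str, base: str, number: int, bump: int = 0) -> str:
    """Step 4 of the post: site tag + the password you already use + your number.

    `bump` implements "just add one to the last number" for a forced change,
    so the memorised scheme stays the same while the password rotates.
    """
    return f"{site_tag(domain)}{base}{number + bump}"


if __name__ == "__main__":
    # Constructed sample values; "Rover9" and 41 stand in for the post's own.
    for site in ("www.example.com", "shop.test"):
        print(site, "->", derive_password(site, "Rover9", 41))
```

    Because the tag is a fixed function of the domain, a single exposed password reveals the shared base and number for every other site, which is why the post still prefers a password manager.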

    The bottom line is: one day we won’t have to use passwords to log into sites anymore. That day, however, is not today. We’re still stuck with passwords, and we need to provide the best advice to users on how to create good passwords. A mixed message – like the one promoted by these researchers – is unhelpful at best, and wrong-headed at worst.

    Posted in Social | 1 TrackBack »


    Like Swiss Emmental cheese, the ways your online banking accounts are protected might be full of holes. Banks have been trying to prevent crooks from accessing your online accounts for ages. Passwords, PINs, coordinate cards, TANs, session tokens – all of these were created to help prevent banking fraud. We recently came across a criminal operation that aims to defeat one of these tools: session tokens. Here’s how they pull it off.

    This criminal gang intends to target banks that use session tokens sent through SMS (i.e., text messaging). This is a two-factor authentication method that uses the user’s phone as a secondary channel. Trying to log into the banking site should prompt the bank to send the user an SMS with a number. Users need to enter that number along with their regular username and password in order to transact with the bank. By default, this is used by some banks in Austria, Sweden, Switzerland, and other European countries.

    Cybercriminals spam users from those countries with emails spoofing well-known online retailers. The users click a malicious link or attachment and get their computers infected with malware. So far, all this is fairly typical and from a threat perspective, a bit boring.

    But here’s where it gets interesting. The users’ computers don’t really get infected—not with the usual banking malware, anyway. The malware only changes the configuration of their computers, then removes itself. How’s that for an undetectable infection? The changes are small… but have big repercussions.

    Here’s how it works: the users’ computers’ DNS settings are changed to point to a foreign server controlled by the cybercriminals. The malware installs a rogue SSL root certificate in their systems so that the malicious HTTPS servers are trusted by default and they see no security warning.
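    The two configuration changes just described (a redirected DNS resolver and an added root certificate) are exactly what a defender can audit for, so here is an added example (not from the post or the white paper) that compares a machine's state against a known-good baseline. It assumes the resolver list and PEM root bundle were exported by whatever inventory tooling is in use; the approved resolvers, internal network range, and the certificate bytes are all constructed stand-ins, not real certificates or addresses.

```python
import base64
import hashlib
import ipaddress

# Constructed baseline (not from the post): the resolvers the organisation
# hands out and the address range they are expected to live in.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_block(subject: str, der: bytes) -> str:
    """Render one PEM block the way an openssl bundle prints it (subject line, then cert)."""
    body = base64.encodebytes(der).decode()
    return f"subject={subject}\n-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def parse_bundle(text: str):
    """Yield (subject, fingerprint) for every certificate in a PEM bundle."""
    subject, b64, inside = "", [], False
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.strip() == "-----BEGIN CERTIFICATE-----":
            inside, b64 = True, []
        elif line.strip() == "-----END CERTIFICATE-----":
            inside = False
            yield subject, fingerprint(base64.b64decode("".join(b64)))
        elif inside:
            b64.append(line.strip())


def unexpected_roots(bundle: str, baseline: set) -> list:
    """Roots in the store that are not in the baseline: candidate rogue CAs."""
    return [(s, fp) for s, fp in parse_bundle(bundle) if fp not in baseline]


def suspicious_resolvers(configured) -> list:
    """Resolvers not on the approved list, tagged internal/external by address range."""
    out = []
    for r in configured:
        if r not in APPROVED_RESOLVERS:
            addr = ipaddress.ip_address(r)
            scope = "internal" if any(addr in n for n in INTERNAL_NETS) else "external"
            out.append((r, scope))
    return out


# Constructed sample data standing in for a real export (these are not real certificates).
GOOD_DER = b"constructed DER bytes: organisation's known-good root"
ROGUE_DER = b"constructed DER bytes: root added by the dropper"
BASELINE = {fingerprint(GOOD_DER)}
SAMPLE_BUNDLE = pem_block("CN=Known Good Root", GOOD_DER) + pem_block("CN=Unknown Root", ROGUE_DER)
```

    In practice the baseline set is exported once from a clean build and the two checks run on an endpoint inventory cadence; an external resolver plus a root nobody approved is the combination this campaign leaves behind.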

    Figure 1. What happens in the 2-factor authentication process when the PC is infected in Operation Emmental

    Now, when users with infected computers try to access the bank’s website, they are instead pointed to a malicious site that looks like that of their bank. So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.

    This malicious Android app is disguised as a session token generator of the bank. In reality, it will intercept SMS messages from the bank and forward them to a command-and-control (C&C) server or to another mobile phone number.  This means that the cybercriminal not only gets the victims’ online banking credentials through the phishing website, but also the session tokens needed to bank online as well. The criminals end up with full control of the victims’ bank accounts.

    How’s that for a big malware operation? Localized spam runs, nonpersistent malware, rogue DNS servers, phishing pages, Android malware, C&C servers, and the real back-end servers. You can’t say these criminals are lazy.

    The criminals behind this particular operation target Internet users in Switzerland, Austria, and Sweden. Just this May, they added Japanese Internet users to their list of potential victims. We were able to trace the operators back to online nicknames: -=FreeMan=- and Northwinds. These actors have been active since 2011. Back then, they spread off-the-shelf malware like SpyEye and Hermes. Looking at the binaries that were recently deployed, we think the actors made use of at least two different crypting services. One of these crypting services is run by an individual from Uzbekistan. We have not been able to identify the other crypting service.

    More information about this attack may be found in our Finding Holes: Operation Emmental white paper, where we discuss this technique in depth. SWITCH.CH, the CERT for Universities in Switzerland, also did research on Emmental and published their findings on their site.

    Posted in Malware, Mobile | Comments Off on Finding Holes in Banking Security: Operation Emmental

    Every now and then, we get questions about password crackers. Usually, these questions are something like: why do you detect these password crackers? They’re not malicious! Well, now is as good a time as any to address the topic.

    Obviously, password-cracking programs are not terribly malicious. Unless they have been trojanized or manipulated somehow, they just… crack passwords. Usually, given a password-protected file, they try different possibilities to recover that pesky password you forgot. I’m the first to admit that even though it might not be the best use of your computing power, it’s not terribly bad either.

    However, there is a catch. Password-crackers and other software made for network administrators are often seen as part of attacks. This applies to other administration tools as well.

    We have seen everything being used as tools in the attacker’s arsenal: from remote session helpers to file server programs and, yes, password crackers. Oftentimes, a trojan will spearhead the attack and, once it’s inside the victim’s network, it will download other tools to help it further its objectives. For instance, if the attacker stumbles upon a password-protected file, he might think that’s precisely where the interesting stuff is, and use… a password cracker.

    This brings me to the second (though admittedly similar) malicious use of admin tools: targeted attacks. These usually allow the attacker to connect remotely to the victim and then move laterally inside the network looking for information to steal. In this mission, the attacker might drop in several reconnaissance and offensive tools. Among these – yes, you guessed it – password crackers.

    A targeted attack is not just about the “tools” used, even if they are legitimate. It is about who is carrying out the attack. Just because a particular tool started out as a legitimate product does not mean it is always used that way.

    Because of how password crackers are abused in the wild, it makes perfect sense for us to detect them and prevent our customers from running them on their machines. At the end of the day, our customers are masters of their own machines – they can always create an exception for a password cracker if they have a legitimate use for it on their networks.

    We don’t think the freedom of letting common hacker’s tools loose in your network is worth the risk they involve. Dynamite has good uses too, but we try not to store it in our homes.
