Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Feike Hacquebord (Senior Threat Researcher)

    Since August 19, 2013, there has been remarkable growth in the number of Tor users, which caused much speculation. Was August 19 the starting date to run en masse from the NSA’s PRISM project? Were European internet users downloading the latest American cable TV series via Tor only, thus overcoming blockades of sites like the Pirate Bay by European ISPs? Neither was very likely, so some thought a botnet abusing the Tor network to hide its command and control server must be the reason of the sudden increase of Tor users.

    Yesterday, Fox-IT published evidence for this plausible explanation. The Mevade malware family downloaded a Tor component, possibly as a backup mechanism for its C&C communications. (We will release a second blog post describing in more detail the behavior of the Mevade variants we have encountered.)

    Feedback provided by the Smart Protection Network shows that the Mevade malware was, indeed, downloading a Tor module in the last weeks of August and early September. Tor can be used by bad actors to hide their C&C servers, and taking down a Tor hidden service is virtually impossible.

    The actors themselves, however, have been a bit less careful about hiding their identities. They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as “Scorpion”. Another actor uses the nickname “Dekadent”. Together, they are part of a well organized and probably well financed cybercrime gang.

    We strongly associate these actors with installations of adware and hijacking search results. Therefore, we suspect that one of the ways the Mevade botnet is monetized is by installing adware and toolbars onto affected systems. In fact, we have seen Mevade downloading adware. Adware and toolbars might seem less harmful than e.g. data stealing malware, but the reality is that there is a lot of money to be made in fraudulent advertising.

    We would also like to point out that Mevade also has a backdoor component and communicates over SSH to remote hosts. Therefore, the risk for data theft is still very high.

    Posted in Bad Sites, Malware | Comments Off on The Mysterious Mevade Malware

    Hacktivism and crime is a toxic combination for the health of the Internet. This was shown once again in the recent DDOS attack against that peaked at 300 Gbit/s. Spamhaus is a non-profit anti-spam organization that helps to filter spam for millions of Internet users. When Spamhaus goes down a lot of inboxes will be flooded with spam.

    The DDOS attack was allegedly orchestrated by a Dutch webhosting company called Cyberbunker and CB3Rob. This webhosting company has roots in the hacker scene and has hosted Wikileaks and the Pirate Bay in the past. Cyberbunker claims to have a datacenter in a former NATO bunker in the Netherlands. It is not clear whether that is still true today, and what exact role Cyberbunker had in the DDOS attack against Spamhaus. The owner of Cyberbunker/CB3Rob does act as the spokesman of an attack that tries to blast a company away from the Internet as if that is a normal job. Here is where so called hacktivism on the Internet has derailed totally. The boundary between crime and hacktivism has been blurred. A reality check for Cyberbunker is in order.

    Spamhaus claims that Cyberbunker/CB3rob is among the worst webhosting companies in the world. We do see problems ourselves too, but we wouldn’t rate CB3Rob as the worst webhosting company. However, CB3Rob claims that it will host anything except things related to child abuse and terrorism. This may be inspired by an idealistic view that anybody should have an uncensored access to the Internet and inspired cybercriminals as well. This is where hacktivism meets crime – a toxic combination.

    A good illustration that crime corrupts hacktivsm is that the network of Cyberbunker has been used in a BGP hijack of an IP address of a DNS server of Spamhaus ( The DNS servers of Spamhaus are a vital part of its antispam protection. The hijack was an attempt to inject lots of false positives into the spam reputation system of Spamhaus. Though this hijack did not cause a lot of damage as most networks did not accept the hostile BGP announcement, the intention was clear: someone using Cyberbunker/CB3Rob’s network tried to sabotage the spam reputation system of Spamhaus. It does not resemble hacktivism, but rather resembles crime.

    Read the rest of this entry »


    Trend Micro has been working and collaborating with law enforcement agencies such as Federal Bureau of Investigation and Office of the Inspector General (OIG) in taking down Rove Digital, an Estonia-based cybercriminal gang. Recently, Valeri Aleksejev, one of the members of Rove Digital pleaded guilty to charges of wire and computer intrusion in the District Court for the Southern District of New York in Manhattan last week.

    Aleksejev served as one of the programmers/coders for the Rove Digital operation. He is only the second person to be successfully extradited to the United States as part of the Rove Digital case. The remaining four suspects, including CEO Vladimir Tsastin, remain in Estonia pending extradition. All six were arrested in November 2011; one suspect remains at large. Sentencing for Aleksejev is expected to occur in May of this year.

    Trend Micro took part in the takedown of Rove Digital by providing information to the law enforcement regarding Rove Digital’s infrastructure. The said investigation and collaboration with industry partners and law authorities started in 2010.

    Rove Digital is known for its click-fraud activities and use of malware like DNS changer Trojans and FAKEAV to gain monetary profit to their victims. Based on our investigation, the perpetrators behind this used DNS Trojans to hijack search results, replacing ads on legitimate websites, and installing other malware. Another means for them to earn profit is installing FAKEAV to users systems. This bogus security software can even cost around $100. For more details on Trend Micro’s investigation on Rove Digital, read our paper, Operation Ghost Click: The Rove Digital Takedown.

    Posted in Botnets | Comments Off on Rove Digital Coder Pleads Guilty

    Last Monday, July 9, around 300,000 Internet users lost connectivity because they still had not removed their DNS Changer malware infection. Immediately after the take down of the DNS Changer network infrastructure of Rove Digital on November 8, 2011, the FBI set up clean DNS servers for infected victims. These servers were temporary solutions for the victims who had three months (which was later extended to six months) to clean their infected machines.

    Actually, a major blackout for hundreds of thousands of DNS Changer victims happened before: in fall 2008 when webhosting provider Atrivo went dark. Back then, Rove Digital had most of its computer servers running in the datacenter of Atrivo. In 2008, Atrivo’s going dark resulted in more than half of the rogue DNS servers going down for several days. So during those days, most DNS Changer victims could not use the Internet either.  However soon after, Pilosoft, a webhosting company in New York, came to rescue the criminal operation of Rove Digital. Most of the DNS Changer infrastructure moved to the Pilosoft datacenter. This is just one of the details of the Rove Digital takedown we described in our white paper, which can be downloaded here:

    Some media outlets dubbed July 9, 2012 as Internet doomsday. July 9 has passed and it looks like that doomsday prediction did not come true, just like any other doomsday announced by mortals happens to be a non-event.

    However, let me point out that although doomsday did not have massive repercussions, this doesn’t say that there was no damage done.

    300,000 computers (others estimate it at about 500,000) going offline worldwide may not have any measurable effect, but loss of productivity and computer repair costs are real concerns. This might even translate to millions of dollars. Let me be clear, though: Rove Digital is responsible for this damage, not the FBI, nor any other party. Since the victims are spread all over the world, we do not expect to hear complaints. Moreover, a lot of the large ISPs in the US and Canada have carefully prepared for this Internet doomsday. Some of these ISPs have been very successful with cleaning up machines of infected customers, often with help of the DNS Changer Working Group (DCWG). Trend Micro is one of the first industry partners of DCWG, and the only AV vendor acting as a main contributor during the investigation period before the Rove Digital suspects were arrested in 2011. Later, companies like Google and Facebook joined. On a scale never seen before, both companies showed warning messages to their users who were infected with the DNS Changer malware.

    All the great work of DCWG helped to reduce the number of infections a lot, but the last 300,000 – 500,000 infected users somehow cannot be reached by Facebook, Google, and mainstream media around the world. This remains somewhat a mystery to me.

    Posted in Botnets, Malware | Comments Off on We Survived Internet Doomsday

    …if there’s actual evidence, I have no doubt that law enforcement will act. However, I think this is highly unlikely.
    —Konstantin Poltev (spokesman of Esthost/Rove Digital), October 13, 2008

    In the past, some cybercriminals have been so brazen that they publicly declared chances they will ever be caught are slim. Today, however, it is time for them to think again. In 2011, historic steps were taken in the battle against cybercrime. Collaboration between law enforcement and the security industry led to important takedowns and arrests. Here are some of the highlights of 2011.


    On March 16, 2011, Microsoft took down the Rustock spam botnet. The simultaneous takedown of all of its command-and-control (C&C) servers led to the true death of the Rustock botnet. The Rustock zombies could not be resurrected because Microsoft made sure that all of the hard-coded domains Rustock used were no longer made available to bad actors. The gang behind the botnet was not arrested but Microsoft published advertisements in Russian newspapers offering a US$250,000 reward for anyone who gave information that led to the identification, arrest, and conviction of the minds behind Rustock. Microsoft’s lawyers used novel legal arguments to convince a federal court in Seattle that it had the right to seize the Rustock servers. This set an important legal precedent for future cases.


    Taking down a large spam botnet has a huge impact on the spam volume and makes the Internet a safer place for everyone. However, some bad actors won’t stop committing crimes even if their botnet is taken down and even if bounty hunters are looking for them. Consider the case of the Kelihos spam botnet, believed to have been written by the same people responsible for Waledac, another botnet taken down in 2010.

    In September 2011, Microsoft once again convinced a federal judge to allow it to block all of the IP addresses and domains Kelihos’s C&C servers used without first informing the defendants. One of the defendants was explicitly named in the complaint—the owner of the domain, one of the domains taken offline. This was a remarkable step as was a so-called rogue second-level domain (SLD) name. The takedown of meant that hundreds of thousands of subdomains, which were either illegitimately used or were used for Kelihos’s C&C servers, were taken offline. This sets an example for all other rogue SLDs to be more accountable for abuse incidents.


    CoreFlood was a botnet made up of hundreds of thousands of computers infected with a data-stealing Trojan. This particularly dangerous botnet was dismantled by the FBI in April 2011. The FBI took over its C&C servers and operated these until mid-June 2011. The FBI sent a stop command to the bots in the United States, causing the malware to exit. This was the first time the U.S. government took over the C&C infrastructure of a botnet and pushed a command to the bots so these became unreachable to the botmasters.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice