Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - JM Hipolito (Technical Communications)

    This year’s Black Hat and DEF CON gave us a good glimpse of the future: what we can expect, what we need to fear, and most especially what we need to do.

    The Dream of Internet Freedom

    Jennifer Granick’s keynote speech during the first day of Black Hat 2015 captured the theme of this year’s conference. Granick is the Director of Civil Liberties at the Stanford Center for Internet and Society and is known for representing Kevin Poulsen and Aaron Swartz before US criminal courts. In her speech, entitled The Lifecycle of a Revolution, she spoke of the dream of Internet freedom: the freedom to exist without judgment (be it based on age, race, class, or gender), the freedom to communicate with anyone, anywhere, the freedom to access information, and the hands-on imperative – the freedom to explore and understand the technologies around us.

    She talked about how that dream does not seem to fit into the Internet today and how we will most likely see the end of that dream if we don’t act now. We’re now seeing a centralized, regulated Internet – one that is controlled based on decisions of those in power. This shouldn’t be the case; it goes against the values that started the Internet years ago. Globalization through the Internet should not be regulated by those with local concerns.

    Figure 1. The way to achieve Internet Freedom, from Jennifer Garnick’s Black Hat keynote speech

    This point was also driven home by CloudFlare CEO Matthew Prince in his talk The Battle for Free Speech on the Internet. He discussed how he’d repeatedly encountered instances whereas governments and companies tried to define what is good and bad, based on their own needs. As the CEO of a company that provided services to deal with denial-of-service attacks, his talk highlighted the need for a more objective sense of control around the policies that decide which content ends up online.

    The State of Android (In)security

    The dismal state of Android security was in the spotlight in many different ways throughout both Black Hat and DEF CON. Adrian Ludwig’s talk on the Android Security State of the Union discussed the various security strategies and solutions that Google has put in place to secure the OS. As expected, however, there were more talks about threats than solutions.

    Joshua Drake presented how he was able to find Stagefright. The vulnerability in Android had made the news prior to Black Hat, primarily because it can be used to install malware on an Android device through a multimedia message. Trend Micro researchers, who also independently discovered the vulnerability, reported that Stagefright can also be exploited through an app, or a specially crafted URL. Wen Xu’s talk on universal rooting in Android tackled how their team was able to use a kernel UAF (User-After-Free) vulnerability in Linux to root most Android devices. This was particularly interesting as Xu shared how they are able to root even 64-bit Android devices – something that hasn’t been done before.

    Another talk that discussed Android threats was Certifi-gate. The research by Ohad Bobrov and Avi Bashan focused on how the customization done on the Android platform by different vendors lead to vulnerabilities that leave millions of users at risk. These findings add to the recent string of vulnerabilities being reported affecting Android users, making the issue of fragmentation more relevant now. As more vulnerabilities are being found, it is much more critical for Google and the device manufacturers to be able to roll out updates as soon as possible. (In fact, during the week of Black Hat/DEF CON, it was announced that Google, Samsung, and LG would all start pushing regular monthly security updates.)

    Car Hacking and Beyond

    As Charlie Miller and Chris Valasek put it, saying that anything is unhackable will just make one look ridiculous, and this was proven in various ways throughout the week.

    Car hacking was one of the main themes in both Black Hat and DEF CON, with the latter even introducing a new Car Hacking Village to allow people to explore vehicle electronic systems. The Remote Exploitation of an Unaltered Passenger Vehicle talk by Miller and Valasek was well attended at both conferences. Their presentation went into detail on how they were able to achieve such control, from studying vulnerabilities in the car’s system, to leveraging mobile networks to achieve remote access. Samy Kamkar’s presentation delved more into other stages involved in stealing cars, such as hacking garage door openers to achieve physical access.

    Another key highlight was Marc Rogers’s and Kevin Mahaffey’s talk on hacking a Tesla Model S. Calling the Tesla “the most connected car in the world”, the researchers shared how they were able to achieve control of the vehicle, primarily through tinkering with the vehicle’s hardware. Rogers and Mahaffey also noted how difficult it was for them to successfully achieve this, highlighting the strategies taken by Tesla in to keep the Model S secure. (A surprise attendee at the talk: Tesla’s CTO JB Straubel, who thanked the pair for their efforts.)

    Cars weren’t the only ones that were hacked during the week. Runa A. Sandvik and Michael Auger presented how they were able to hack a Linux-powered TrackingPoint TP750 sniper rifle. Although their research indicated that remotely pulling the trigger through the system is not possible, changing the information returned to the scope was. Our own GasPot research showed that fuel tanks are being attacked as well.


    Overall, both Black Hat and DEF CON showed good examples of how researchers exercise the hands-on imperative – the right to explore, disassemble, analyze, and understand the technologies around us. Done for the sake of security, such research will help us secure the different platforms that are increasingly being used in our everyday lives.

    Posted in Social |

    Along with my colleagues, I was able to attend this year’s RSA Conference held at the Moscone Center in San Francisco, and the experience was definitely enlightening, especially in terms of the current state of our industry.

    “Security of Things” before “Internet of Things”

    Many new technological frontiers have emerged through the years, and with them, the attack surface also widened dramatically. With the mobile computing boom, threats against critical infrastructure, and now the emergence of the Internet of Things, the industry is now struggling in trying to build defenses. For example, in Eric Vyncke’s talk about IoT, he discussed the risks around the Internet of Things, their impact on privacy and human life in general, and the need to address them. These risks, he said, are as critical as they are varied – with different devices, software, protocols all entailing different risks. He discussed different factors that need to be considered in securing the Internet of Things, such as the lifetime of the device (expected duration of device usage vs. expected duration of device security), its means of identification (device identity vs. group membership), the nature of the infrastructures it will be under, and others. Vyncke raised a very important point here, especially since a widespread adaptation of Internet-enabled devices will lead us to the same problems we have with mobile computing – wherein platforms were being developed faster than the means to protect them.

    Two Sides of the Same Bitcoin

    Uri Rivner’s and Etay Maor’s Bitcoin Thief Tutorial was a very entertaining threat-centric talk that oriented the audience on how Bitcoin works, how to handle them, and the opportunities that Bitcoin offers to criminals, both as a tool and a target. To bring the latter point across, they turned the audience into witnesses to a Bitcoin robbery through a real-time demo of a Bitcoin being stolen through a SpyEye variant. In the end, the duo recommended that even though Bitcoin brings about a lot of risks (the recent Mt. Gox incident being a prime example), it is still worth exploring, if only to understand the risks better, and most importantly, because it’s fun.

    Fighting Fire with Fire

    Ziv Mador’s and Ryan Barnett’s session took on a different approach on going to a new frontier, by encouraging the option of turning the bad guys against themselves. In their presentation, they showed how the security industry can use the very techniques used by cybercriminals to disrupt their routines.  For example, they showed how code obfuscation – a technique frequently used in exploit kits to evade detection – can be used to prevent the webinjects done by ZeuS variants. The researchers admitted that the ethical and legal aspects of this concept may raise concerns, and that more research needs to be done.

    Drawing Lines and Creating Norms

    As expected, the matter of state monitoring was tacked onto various conversations throughout the conference. There were several statements about the topic, and most have said that they are willing to provide information to governments, given that it is legally justified, and is limited to specific information only (as opposed to bulk data). However, it is in the legal justification where the problem exists – the lack of clarity in terms of what is justified or not has created a lot of issues and will continue to do so. We are at a point in time where technologies allow a great deal of information gathering (to the point that it affects the concept of privacy), and this calls for a great need to establish standards and limitations. Until such is achieved, the tension around the issue is likely to continue.


    Gone are the days of focusing on achieving complete security, and rightfully so. The question of whether there is a threat or not has been answered long ago, and the name of the game now is threat intelligence – gaining knowledge of threats and using that knowledge to act accordingly. Successful targeted attacks have taught us just how good attackers can get in infiltrating perimeters, and now the way to security is no longer achieved by just building the best walls, but through knowing who’s trying to get past them.

    Posted in Internet of Things, Malware | Comments Off on Notes from the RSA Conference 2014: Coming Together and Breaking New Ground

    In the course of our threat research, we’ve encountered different types of social engineering lures that aim to trigger different emotions such as fear and happiness. These lures are often effective, as we’ve seen happen in several incidents in the past. However, they are also easily recognizable as they often use a common theme, be it a recent event or an ongoing season.

    There are also other techniques that use different, more sober approach. These techniques do not aim to trigger alarm, but instead to try to avoid it. They try to blend into their intended victims’ normal behavior or use their interests in order to get the them into schemes. And though these techniques are far less alarming in terms of the message they bring, they are harder to detect, and often more sinister.

    An example of this is the watering hole technique, which was used recently in an attack that ended up affecting companies such as Facebook and Apple. Choosing to use a mobile developer forum as the watering hole, the lure was almost passive — it did not need any means to get the victims to visit the site. The site was strategically chosen because visiting it was already known to be a part of the victim’s normal routine.

    Earlier this week, we also saw reports of an attack wherein the name of the report recently released by Mandiant is being used as the lure. The message in related to the attack comes as a recommendation from the sender to read the article, along with a PDF file which supposedly is the report itself (of course in reality the file is malicious — a PDF exploit we detect as TROJ_PIDIEF.EVF). We were also alerted of news regarding another threat using the Mandiant report, which supposedly targeted journalists. Detected as TROJ_PIDIEF.EVE, this malware drops the non-malicious .PDF file, Mandiant_APT2_Report.pdf and a backdoor detected as BKDR_POISON.EVE.


    Figure 1. Screenshot of the dropped .PDF file


    Figure 2. TROJ_PIDIEF.EVE drops this non-malicious .PDF file

    Read the rest of this entry »

    Posted in Bad Sites, Targeted Attacks | Comments Off on From Alarming to Familiar: Different Social Engineering Techniques

    Late last week, the Council on Foreign Relations website was compromised and modified to host a 0-day exploit affecting Internet Explorer. Analysis revealed that the attack was set to affect a specific set of users, as it was set to work only if the browser language was set to English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.

    Microsoft has then issued a security advisory for the vulnerability and provided some workarounds, to serve as protection until a solution is released. Trend Micro users, however, are already protected through Trend Micro Deep Security, specifically through the following rules:

    • 1005297 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792)
    • 1005301 – Identified Suspicious JavaScript Encoded Window Location Object
    • 1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) Obfuscated

    The abovementioned rules are set to detect all known variants of exploits.

    The use-after-free vulnerability in Microsoft Internet Explorer enables remote attackers to execute arbitrary code execution. As stated in Microsoft’s blog, we have also observed that all the reported targeted attacks so far have been triggered by an encoded or obfuscated JavaScript Window Location objects which is generally used to change the location object of the current window. The vulnerability is with cButton object which has been freed but its reference was used again during the page reload will point to an invalid memory location yielding arbitrary code execution under the context of the current user. Microsoft Internet Explorer versions 6, 7, and 8 are affected, but newer versions such as IE9 & IE 10 are not affected by this vulnerability.

    Read the rest of this entry »

    Posted in Exploits, Vulnerabilities | Comments Off on Why is the Watering Hole Technique Effective?

    The quality of user experience in terms of mobile apps is directly related to the amount of user information entered into it. And now that we are at a time being considered as the “post-privacy era”, people need to be aware of the pros and cons in entering their information into mobile apps.

    Developers are continuously trying to improve mobile apps, which have started to play big parts in our lives. Apps make things more convenient for us, and at times more fun: from apps that help us organize our tasks, apps that let us see all the latest news in a glance, to apps that allow us to have fun by slicing fruits or killing green pigs.

    Trend Micro Researcher Robert McArdle also explained that apps create a better user experience for users. He states, “The other big reason for the popularity of apps is their ease of use. Browsing the internet on your mobile phone is not the same experience as doing it on a laptop. In most cases apps are specially crafted browsers for a particular site.”

    The amount of user information entered into apps is a known privacy issue, one that was heavily discussed because of the recent Carrier IQ issue. As we mentioned before, the biggest issue with Carrier IQ was informed consent — something that is well-taken into consideration with apps since users must knowingly install an app before it gains access to any information. So for apps, the choice to whether volunteer their information or not, in exchange for certain services, is really on the users’ hands.

    To help users out in making such a decision, we’ve listed here 3 truths about applications that users can consider before installing an app, and volunteering their personal information:

    Sometimes, apps really do require/need user information to function

    Apps have become customizable, wherein the programs are designed to function based on users’ input. Good examples of these are location-based apps like Shopkick and Foursquare. Such apps were among the top tech trends for 2011, and are expected to boom more in 2012.

    For such apps, it is only logical to require user information upon signing up. But of course, the amount of information required should be limited only to those necessary in order for the app to function properly. Android built their “permissions” model on this concept, and is something that should be utilized by the users.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice