    Author Archive - JM Hipolito (Technical Communications)

    Along with my colleagues, I was able to attend this year’s RSA Conference held at the Moscone Center in San Francisco, and the experience was definitely enlightening, especially in terms of the current state of our industry.

    “Security of Things” before “Internet of Things”

    Many new technological frontiers have emerged through the years, and with them the attack surface has widened dramatically. With the mobile computing boom, threats against critical infrastructure, and now the emergence of the Internet of Things, the industry is struggling to build defenses. For example, in Eric Vyncke’s talk about IoT, he discussed the risks around the Internet of Things, their impact on privacy and human life in general, and the need to address them. These risks, he said, are as critical as they are varied – with different devices, software, and protocols all entailing different risks. He discussed different factors that need to be considered in securing the Internet of Things, such as the lifetime of the device (expected duration of device usage vs. expected duration of device security), its means of identification (device identity vs. group membership), the nature of the infrastructures it will operate under, and others. Vyncke raised a very important point here, especially since widespread adoption of Internet-enabled devices will lead us to the same problems we have with mobile computing – platforms being developed faster than the means to protect them.

    Two Sides of the Same Bitcoin

    Uri Rivner’s and Etay Maor’s Bitcoin Thief Tutorial was a very entertaining threat-centric talk that oriented the audience on how Bitcoin works, how to handle them, and the opportunities that Bitcoin offers to criminals, both as a tool and a target. To bring the latter point across, they turned the audience into witnesses to a Bitcoin robbery through a real-time demo of a Bitcoin being stolen through a SpyEye variant. In the end, the duo recommended that even though Bitcoin brings about a lot of risks (the recent Mt. Gox incident being a prime example), it is still worth exploring, if only to understand the risks better, and most importantly, because it’s fun.

    Fighting Fire with Fire

    Ziv Mador’s and Ryan Barnett’s session took a different approach to reaching a new frontier, by encouraging the option of turning the bad guys’ own techniques against them. In their presentation, they showed how the security industry can use the very techniques used by cybercriminals to disrupt their routines. For example, they showed how code obfuscation – a technique frequently used in exploit kits to evade detection – can be used to prevent the webinjects done by ZeuS variants. The researchers admitted that the ethical and legal aspects of this concept may raise concerns, and that more research needs to be done.

    Drawing Lines and Creating Norms

    As expected, the matter of state monitoring was tacked onto various conversations throughout the conference. There were several statements about the topic, and most have said that they are willing to provide information to governments, given that it is legally justified, and is limited to specific information only (as opposed to bulk data). However, it is in the legal justification where the problem exists – the lack of clarity in terms of what is justified or not has created a lot of issues and will continue to do so. We are at a point in time where technologies allow a great deal of information gathering (to the point that it affects the concept of privacy), and this calls for a great need to establish standards and limitations. Until such is achieved, the tension around the issue is likely to continue.


    Gone are the days of focusing on achieving complete security, and rightfully so. The question of whether there is a threat or not has been answered long ago, and the name of the game now is threat intelligence – gaining knowledge of threats and using that knowledge to act accordingly. Successful targeted attacks have taught us just how good attackers can get in infiltrating perimeters, and now the way to security is no longer achieved by just building the best walls, but through knowing who’s trying to get past them.

    Posted in Internet of Things, Malware | Comments Off on Notes from the RSA Conference 2014: Coming Together and Breaking New Ground

    In the course of our threat research, we’ve encountered different types of social engineering lures that aim to trigger different emotions such as fear and happiness. These lures are often effective, as we’ve seen happen in several incidents in the past. However, they are also easily recognizable as they often use a common theme, be it a recent event or an ongoing season.

    There are also other techniques that use a different, more sober approach. These techniques do not aim to trigger alarm, but instead try to avoid it. They try to blend into their intended victims’ normal behavior or use their interests in order to draw them into schemes. And though these techniques are far less alarming in terms of the message they bring, they are harder to detect, and often more sinister.

    An example of this is the watering hole technique, which was used recently in an attack that ended up affecting companies such as Facebook and Apple. Choosing to use a mobile developer forum as the watering hole, the lure was almost passive — it did not need any means to get the victims to visit the site. The site was strategically chosen because visiting it was already known to be a part of the victim’s normal routine.

    Earlier this week, we also saw reports of an attack wherein the name of the report recently released by Mandiant is being used as the lure. The message related to the attack comes as a recommendation from the sender to read the article, along with a PDF file which is supposedly the report itself (in reality, of course, the file is malicious — a PDF exploit we detect as TROJ_PIDIEF.EVF). We were also alerted to news regarding another threat using the Mandiant report, which supposedly targeted journalists. Detected as TROJ_PIDIEF.EVE, this malware drops the non-malicious .PDF file Mandiant_APT2_Report.pdf and a backdoor detected as BKDR_POISON.EVE.


    Figure 1. Screenshot of the dropped .PDF file


    Figure 2. TROJ_PIDIEF.EVE drops this non-malicious .PDF file


    Posted in Bad Sites, Targeted Attacks | Comments Off on From Alarming to Familiar: Different Social Engineering Techniques

    Late last week, the Council on Foreign Relations website was compromised and modified to host a 0-day exploit affecting Internet Explorer. Analysis revealed that the attack was set to affect a specific set of users, as it was set to work only if the browser language was set to English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.

    Microsoft has since issued a security advisory for the vulnerability and provided some workarounds to serve as protection until a fix is released. Trend Micro users, however, are already protected through Trend Micro Deep Security, specifically through the following rules:

    • 1005297 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792)
    • 1005301 – Identified Suspicious JavaScript Encoded Window Location Object
    • 1005298 – Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability (CVE-2012-4792) Obfuscated

    The abovementioned rules are set to detect all known variants of exploits.

    The use-after-free vulnerability in Microsoft Internet Explorer enables remote attackers to execute arbitrary code. As stated in Microsoft’s blog, we have also observed that all the reported targeted attacks so far have been triggered by an encoded or obfuscated JavaScript window location object, which is generally used to change the location of the current window. The vulnerability lies in the cButton object: it is freed, but its reference is used again during the page reload, so it points to an invalid memory location, yielding arbitrary code execution in the context of the current user. Microsoft Internet Explorer versions 6, 7, and 8 are affected, but newer versions such as IE9 and IE10 are not affected by this vulnerability.
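    As an added illustration (not from the original post, and not the logic of the Deep Security rules listed above), the following static heuristic peels the common JavaScript encoding layers and flags a window-location reference that only becomes visible after decoding or that sits next to decoder/eval calls, which is the pattern the paragraph above describes. The sample scripts are constructed for this example.

```python
import re

# Constructed sample scripts for illustration; none of these come from the original page.
SAMPLES = {
    "plain":        'window.location = "http://example.test/index.html";',
    "hexescaped":   'eval(unescape("%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%3d%22http://example.test%22"));',
    "fromcharcode": 'var t = String.fromCharCode(119,105,110,100,111,119,46,108,111,99,97,116,105,111,110); eval(t + "=\'http://example.test\'");',
    "splitconcat":  'var p = "loc" + "ation"; window[p] = "http://example.test";',
}

DECODER_CALLS = re.compile(r"\b(unescape|decodeURIComponent|String\.fromCharCode|eval)\s*\(")
PERCENT_ESC = re.compile(r"%([0-9a-fA-F]{2})")
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
STR_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def unfold(script):
    """Statically peel common obfuscation layers: %xx escapes, fromCharCode lists, "a" + "b" concatenation."""
    text = PERCENT_ESC.sub(lambda m: chr(int(m.group(1), 16)), script)
    text = FROMCHARCODE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', text)
    while True:  # merge adjacent string literals until nothing changes
        merged = STR_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if merged == text:
            return text
        text = merged


def analyze(script):
    """Return (suspicious, reasons). A script is flagged when 'location' appears only after
    decoding (hidden by encoding/concatenation) or appears together with decoder/eval calls."""
    decoded = unfold(script)
    visible = "location" in script.lower()
    revealed = "location" in decoded.lower()
    decoders = sorted({m.group(1) for m in DECODER_CALLS.finditer(script)})
    reasons = []
    if revealed and not visible:
        reasons.append("location reference hidden behind encoding/concatenation")
    if revealed and decoders:
        reasons.append("location reference alongside decoder calls: " + ", ".join(decoders))
    return bool(reasons), reasons


if __name__ == "__main__":
    for name, script in SAMPLES.items():
        print(name, analyze(script))
```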


    Posted in Exploits, Vulnerabilities | Comments Off on Why is the Watering Hole Technique Effective?

    The quality of the user experience in mobile apps is directly related to the amount of user information entered into them. And now that we are in what is being called the “post-privacy era”, people need to be aware of the pros and cons of entering their information into mobile apps.

    Developers are continuously trying to improve mobile apps, which have started to play big parts in our lives. Apps make things more convenient for us, and at times more fun: from apps that help us organize our tasks, apps that let us see all the latest news in a glance, to apps that allow us to have fun by slicing fruits or killing green pigs.

    Trend Micro Researcher Robert McArdle also explained that apps create a better user experience for users. He states, “The other big reason for the popularity of apps is their ease of use. Browsing the internet on your mobile phone is not the same experience as doing it on a laptop. In most cases apps are specially crafted browsers for a particular site.”

    The amount of user information entered into apps is a known privacy issue, one that was heavily discussed because of the recent Carrier IQ issue. As we mentioned before, the biggest issue with Carrier IQ was informed consent — something that is well taken into consideration with apps, since users must knowingly install an app before it gains access to any information. So for apps, the choice of whether or not to volunteer their information, in exchange for certain services, is really in the users’ hands.

    To help users out in making such a decision, we’ve listed here 3 truths about applications that users can consider before installing an app, and volunteering their personal information:

    Sometimes, apps really do require/need user information to function

    Apps have become customizable, wherein the programs are designed to function based on users’ input. Good examples of these are location-based apps like Shopkick and Foursquare. Such apps were among the top tech trends for 2011, and are expected to boom more in 2012.

    For such apps, it is only logical to require user information upon signing up. But of course, the amount of information required should be limited to only what is necessary for the app to function properly. Android built its “permissions” model on this concept, and it is something that users should make use of.



    Adobe released an out-of-band security update to address six critical vulnerabilities, all affecting Adobe Flash Player.

    One of the six, a cross-site scripting (XSS) vulnerability identified as CVE-2011-2444, is reportedly being exploited in the wild. The bug is reportedly being used in targeted attacks that involve malicious links sent out to targets via email.

    Adobe attributed the discovery of CVE-2011-2444 to Google, who, in response to finding the vulnerability, issued an update for the Google Chrome browser to prevent attackers from exploiting the security hole.

    Users are strongly advised to apply the patches as soon as possible, especially since exploiting any of the addressed vulnerabilities can lead to either remote code execution or to information disclosure.

    Note that users who utilize multiple browsers may need to separately update their other browsers. Users can visit this page for all of their browsers to check if they have the latest version of Adobe Flash Player installed and this page to update. Here is the list of Adobe Flash Player versions affected by vulnerabilities addressed by this update:

    • Flash Player and earlier
    • Flash Player and earlier for network distribution
    • Flash Player and earlier for Android
    • Flash Player and earlier for Chrome

    We will update this post once we find more information about the exploit.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice