
    Author Archive - Jonathan Leopando (Technical Communications)

    People are seldom an entirely open book. It’s common sense and rational to keep some stuff like financial and medical records away from prying eyes. For others, it can be something trivial and silly (say, an embarrassing taste in music) to the more serious (like a traumatic event in one’s past).

    With so many methods of sharing, keeping things private is becoming increasingly difficult. Websites and services often ask for personal information and track users’ online habits to provide a more “customized” experience. Despite methods of sharing within a select group, sharing online has practically become synonymous with sharing with the public. No matter the privacy level of an account, anything posted online will sooner or later find its way to the public.

    This kind of activity is driving some users to reconsider the amount of information they are willing to share. In 2014, we will see users exert more effort in learning tools that can protect their data and control what they share online. This year will be about making sure that secrets remain secret.

    It’s not just individuals who have secrets to keep. So do businesses. These can include their future plans and strategies, to their current procedures, to personnel records of their employees and clients. Exposed to the public – and their competitors – these can cost a business millions, and perhaps in an absolute worst case, drive them out of business completely.

    Protecting data should become every organization’s top priority this year, considering that we will see one major data breach incident per month. 2013 was marked by several major data breaches and we will see such incidents continue this year.

    As part of our 2014 predictions, we developed this video, with the help of our CTO Raimund Genes, to talk about what users and organizations can do to protect themselves and keep their secrets secret in today’s digital landscape:

    So what can you do to protect your secrets? Our advice to users will help here: avoid oversharing on social media. Don’t bank or shop online on sites that you don’t trust. Keep track of your data, wherever it is – whether it’s in the cloud, or on one of your devices. In short, being a good citizen of the Internet will help in keeping your secrets away from cybercriminals and other such bad actors found online.

    For more concrete steps that outline what you can do to protect your secrets, you can visit the Secrets website, which is part of our broader 2014 predictions.


    2013 was the year that Android malware not just grew, but matured into a full-fledged threat landscape. Not only did the number of threats grow, the sophistication and capabilities associated with these threats grew as well.

    As we noted earlier, the number of mobile malware threats has crossed the one million mark, and as of the end of 2013 stood at almost 1.4 million malicious and high-risk apps. We believe that by the end of 2014, this number will be at over 3 million.

    Figure 1. Volume of malicious and high-risk apps

    Not only are there more threats, the threats are becoming more diverse. No longer are mobile-centric cybercriminals content with just premium service abuse; the proportion of mobile malware with some sort of information-stealing ability grew from 17% at the start of 2013 to almost a quarter by year’s end. Overall, about a fifth of all mobile malware had some sort of information theft capability.

    Figure 2. Mobile malware threat type distribution

    New threats and problems also reared their head in 2013. We saw a tenfold growth of one-click billing fraud apps; these apps attempt to register users for paid services that they would normally not be interested in. In addition, we also saw a serious vulnerability – the “master key” vulnerability – which put almost all Android users at risk of installed apps being modified by attackers to include malicious code. Malicious mobile sites also made an appearance in 2013.

    Looking forward to 2014

    These developments will continue into 2014 and make the mobile threat landscape more closely resemble the PC landscape, which is already well-developed and sophisticated. Mobile threats will continue to grow in number and become, in effect, “mass-produced”. In addition, we expect to see more obfuscated and native code in an attempt to evade detection by anti-malware solutions.

    Our complete look back at the 2013 mobile threat landscape, and our view of what 2014 may turn out to be, can be found in our latest Monthly Mobile Report, titled Beyond Apps.

    Posted in Malware, Mobile | Comments Off on Looking Forward Into 2014: What 2013’s Mobile Threats Mean Moving Forward

    Over the holidays, it was reported that malicious ads had appeared on various Yahoo sites and affected users in Europe. Two claims about this attack have been made: first, that it affected “millions” of users, and secondly, that it was used to plant Bitcoin miners on affected computers. Some of these claims may be a bit overstated, and the coverage may not have been able to give a more complete picture of the threat.

    We can’t say for certain just how many users were exposed to this attack. However, it’s worth noting that users with up-to-date versions of Java would have been protected. We identified two Java vulnerabilities – CVE-2012-0507 and CVE-2012-4681 – that were used in this attack to plant various malicious payloads on user systems. (It is believed that these vulnerabilities were delivered by the Magnitude Exploit Kit, one of the successors to the infamous Blackhole Exploit Kit.) However, both of these vulnerabilities have been patched for a fairly long time: the first vulnerability was patched in February 2012; the other was patched in August 2012.

    Similarly, while Bitcoin miners may have been part of the potential payloads, it was far from the only one. We identified multiple malware threats as payloads. These included DORKBOT and GAMARUE variants, as well as TROJ_OBVOD.AY, which is used in click fraud schemes. The payloads that were delivered to users were quite diverse.

    Aside from keeping their software patched, well-designed security products can help keep users safe. For example, the browser exploit technology that is part of our existing products is able to protect users against this particular attack. This technology analyzes scripts and other web objects that run in the browser and uses heuristic analysis to determine if these are malicious. This protects users even if the updated software is not present on a user’s system. It is not a replacement for keeping software up to date, but well-thought-out endpoint security is very useful in increasing the available “defense in depth” for users.

    While the infection vector may have been out of the ordinary, the attack itself was not. Basic good computing practices – such as keeping software updated and using a well-built security product – would have helped reduce the risk for end users tremendously. It’s an excellent reminder for users to practice safe computing practices.

    With additional analysis from Kai Yu.


    The past few weeks have been rather exciting for Bitcoin owners and speculators, with prices peaking at over $1200 per BTC. Some commentators – including former Fed Chairman Alan Greenspan – have called Bitcoin prices a “bubble”, with a former Dutch central banker comparing it to the tulip mania of the 17th century. Other cryptocurrencies, like Litecoin, have seen similar gains as well.

    We’ve covered Bitcoin extensively in the blog in the past, including earlier this year when the total value of all Bitcoins was approximately $1 billion. It now stands at more than twelve times that value. Basic information about Bitcoin-related malware may be found in the Threat Encyclopedia entry discussing Bitcoin.

    How much Bitcoin mining malware is there?

    Bubble or not, there is plenty of value in Bitcoin. This is giving rise to more Bitcoin-related threats. Victims are now being used to “mine” Bitcoins; in addition the Bitcoin wallets of existing users are now tempting targets for theft as well.

    From September to November, feedback from the Smart Protection Network indicated that more than 12,000 PCs globally had been affected by Bitcoin-mining malware. More than half of all infections came from one of three countries: Japan, the United States, and Australia.

    Bitcoin mining – the process by which new Bitcoins are created – is computationally intensive. The recent boom in Bitcoin prices may have made using malware viable again for cybercriminals. Both CPU- and even GPU-based miners have been eclipsed in recent months by application-specific integrated circuit (ASIC)-based dedicated miners, which boast hash rates that are orders of magnitude faster than what can be achieved using even high-end PC hardware.

    However, because any mined bitcoin nowadays has such high value, even “slow” miners are now worth it for cybercriminals. For users, the problem is that Bitcoin mining is always resource-intensive and can slow down the system due to the increased CPU load. We detect a variety of Bitcoin malware as BKDR_BTMINE, TROJ_COINMINE and HKTL_BITCOINMINE.

    Is Your Money At Risk?

    This “bubble” has also made stealing Bitcoins much more lucrative. For example, the Deep Web site Sheep Marketplace shut down earlier this month – with users losing as much as $100 million in Bitcoins to thieves. So what can users do?

    There’s not much that users can do about corrupt sites and exchanges except not do business with them. What users can take care of is their own personal Bitcoin wallets.

    It’s important to recognize that there are two factors that make defending against Bitcoin theft particularly important. First of all, all Bitcoin transactions are permanent. There is no “undo” button here. If a thief is able to take control of your Bitcoin wallet and transfer all your funds, you have no technical recourse.

    That brings us to the second factor: there is no regulator or other authority that one can appeal to in the Bitcoin world. If you’re the victim of credit card fraud, you can appeal to your bank to reverse the charges – and in many cases, they will. That option is not available in the world of Bitcoin; if your wallet is compromised by an attacker you have no recourse. Any Bitcoin wallet on a system is exceptionally vulnerable to being affected by malware on that same system.

    Protecting Bitcoin

    Aside from avoiding being infected by malware in the first place, what can users do to prevent any damage from Bitcoin thieves? Consider the real-world wallet. If you had millions or billions in real-world money, you wouldn’t carry all of it with you all the time. Some would be with you, but most would be securely stored somewhere.

    That would work with Bitcoin as well. Keeping everything in just one wallet is very dangerous. Divide your wallets into at least one “spending” wallet (which you use for sending money via Bitcoin) and one or more “receiving” wallets. (It would even be a good idea to keep these wallets offline to more thoroughly protect them as well.)

    One more thing to note. Bitcoin is promoted as being “anonymous”, but in a way nothing could be further from the truth. Because all Bitcoin transactions are public, it is possible to see all the transactions a user has made. Therefore, given enough circumstantial evidence, it may be possible to get the identity of a user. This is something that users should keep in mind before adopting Bitcoin as a currency.

    Simply put, while Bitcoin may be a product of the 21st century, at the same time it is something that has been around for centuries – cash. The same caution and prudence that applies to handling cash should be applied here as well.

    Posted in Malware | Comments Off on Bitcoin Price Hike Spurs Malware, Wallet Theft

    Around this time of the year, many people are finding themselves on the move visiting friends and family, or just playing tourist somewhere in the world. Since it is 2013, however, one new problem has come up: “how do I get online while I’m on the go?”

    Many travelers now expect wi-fi as part of their trip – whether at the airport, in the air, at their hotel, or at tourist attractions. A 2013 study found that 64% of hotels worldwide offered some form of free wi-fi. For some flights “gate to gate” wi-fi access is now available, ensuring you never have to be offline.

    Unfortunately, there is a big problem. The wi-fi offered for travelers is frequently open wi-fi: this means that it is completely insecure against just about any attacker. It is trivial for an attacker to capture the traffic off an open access point, or even set up a fake one and conduct man-in-the-middle attacks. Wi-fi Protected Access (WPA) may prevent others from seeing your traffic but only if the access point is configured to do so.

    Even “secure” wi-fi, if it is offered, is no assurance of security: you could be connecting to a rogue access point with the same access point name and password as the real network. Creating rogue access points is easy: if the password is known, anyone can create a duplicate access point. Even if you do connect to the real network, attackers can be on the very same network as you are. Being “secure” on any network with others that you may not trust is incredibly difficult.

    On the other hand, there are good reasons to use free wi-fi. Many users face either strict data caps or high roaming costs. Getting data access if you’re travelling internationally is not always easy or cheap. Travel apps can be very useful on the go – for example they can provide directions in unfamiliar places, or point the way towards which places you want to specifically visit or eat at.

    So, how can users stay safe on free wi-fi? Increasingly, there’s really only one way to do so: use a virtual private network (VPN).

    VPNs have usually been the preserve of business travelers who wanted to connect to their company’s network securely. Now, however, they represent a relatively inexpensive way of securing one’s wi-fi connection from wi-fi attacks. There are many reputable VPN service providers with both free and paid services, and even paid services are not particularly expensive. Compared to the possible consequences of having one’s accounts compromised (quite possible with open wi-fi), such services are a bargain.

    These services are not difficult to use. VPN support is built into both iOS and Android, and all reputable services should provide some sort of guide on how to set up your mobile device.

    Figures 1-2. iOS and Android VPN setting locations

    Given how much of our digital lives is now in our mobile devices, it is a great idea to protect these as much as possible. As free wi-fi is fundamentally insecure and is increasingly under attack, users who care about their privacy and security should use VPNs to protect their network traffic if they can.

    What if you’re a business that wants to offer free wi-fi to your customers? The solution to this is fairly simple: use secure wi-fi, but make the SSID and password known publicly. It can be a sign in public, a line on the receipt – it can be different for each business. Even a publicly shared password offers security against casual eavesdropping, although some attacks (like rogue access points) can’t be stopped this way. However, it is an improvement over a completely open network.
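    To show why a publicly shared password still blocks casual eavesdropping but cannot stop a rogue access point, here is an added example (not from the original post) that walks through the WPA2-PSK key derivation from IEEE 802.11i in Python: the PMK depends only on the passphrase and SSID, so every user of the network shares it, while each client's PTK also mixes in the two MAC addresses and two fresh handshake nonces, so a passive listener who did not capture that client's handshake cannot derive its session keys. The SSID, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac
import os


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK per IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits.
    Depends only on passphrase and SSID, so everyone on the network shares it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key (384 bits for CCMP) from the 4-way handshake inputs.
    Addresses and nonces are sorted so that AP and client derive the same key."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def shared_passphrase_demo() -> dict:
    """Two clients on a cafe network whose passphrase is printed on the receipt.
    All values below are constructed for the example."""
    ssid, passphrase = "CafeGuest", "printed-on-receipt"
    ap_mac = bytes.fromhex("001122334455")
    clients = [bytes.fromhex("aabbccddee01"), bytes.fromhex("aabbccddee02")]
    pmk = wpa2_pmk(passphrase, ssid)          # identical for every client
    ptks = []
    for sta_mac in clients:
        anonce, snonce = os.urandom(32), os.urandom(32)   # fresh per association
        ptks.append(wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce))
    return {"pmk_shared": pmk, "ptk_client1": ptks[0], "ptk_client2": ptks[1]}
```

The shared PMK is exactly what lets anyone who knows the passphrase stand up a convincing duplicate network, which is the residual risk the paragraph above points out.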

    Posted in Malware, Mobile | Comments Off on Wi-Fi On The Go: How Safe Is It?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice