    TrendLabs Security Intelligence Blog

    Author Archive - Jonathan Leopando (Technical Communications)

    Trend Micro researchers have uncovered a targeted attack launched against government agencies in various countries. The email claimed to be from the Chinese Ministry of National Defense, although it appears to have been sent from a Gmail account and did not use a Chinese name.

    Figure 1. Fake message

    The message contains a malicious attachment, which exploits a vulnerability (CVE-2012-0158) in Microsoft Office (all versions from Office 2003 to Office 2010 were affected) that was patched more than a year ago. The exploit is used to drop a backdoor onto the system, which steals login credentials for websites and email accounts from Internet Explorer and Microsoft Outlook. (It also opens a legitimate “dummy” document, to make the target believe that nothing malicious happened.) Any stolen information is uploaded to two IP addresses, both of which are located in Hong Kong.

    This particular attack was aimed primarily at personnel of European and Asian governments. The message was sent to 16 officials representing European countries alone. The topic of the email – and of the attached document – would be of interest to these targets. In addition, the information stolen, and where it was stolen from, is very consistent with targeted attacks aimed at large organizations that use corporate mainstays like Internet Explorer and Outlook.

    It’s worth noting, however, that Chinese media organizations were also targeted by this attack. The backdoor itself has also been detected in the wild – but, interestingly, it has been most frequently seen in China and Taiwan, with a more limited presence in other Asian countries.

    The vulnerability used in this attack is one that is commonly exploited in targeted attacks. High-profile campaigns like Safe and Taidoor have made use of it; if anything, it is a flaw that sophisticated campaigns favor.

    Trend Micro products already detect all aspects of this threat – the message and C&C servers are now blocked; the malicious attachment is detected as TROJ_DROPPER.IK and the backdoor itself as BKDR_HGDER.IK. In addition, Deep Discovery was able to protect our customers by heuristically detecting the malicious attachment using the ATSE (Advanced Threats Scan Engine).

    Based on analysis by Jayronn Bucu.


    Last week, security researchers announced a new vulnerability in Android which could allow installed apps to be modified without the user being aware of it. Almost all Android devices are vulnerable, as the vulnerability has existed since Android 1.6 (Donut), and currently only the Samsung Galaxy S4 has been patched to protect against it.

    The vulnerability – known in some quarters as the “master key” vulnerability – has attracted considerable media attention, but it has not always been accurately reported. We have updated Trend Micro Mobile Security to protect our users, but at the same time we wish to clarify what’s going on, what the threat is, and what users can do.

    What’s this “master key” vulnerability?

    The vulnerability is related to how Android apps are signed. All Android apps have a digital signature from their developer, which verifies that the app actually did come from the developer and was not modified en route. An app can only be updated if the new version has a matching signature from the same developer.

    This particular vulnerability is in that last step. What researchers have found is a way for attackers to update an already installed app even if they do not have the original developer’s signing key. In short, any installed app can be updated with a malicious version.

    Note that technically, there is no “master key” that has been breached. Yes, any app can be modified and used for malicious purposes, but there’s no “master key” in the first place.
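    The check below is an added example and is not Trend Micro code or detection logic. The flaw described above was triggered by APK archives that carry two entries with the same name, so that the copy checked against the signature is not the copy that gets installed; a defender can therefore flag any APK whose ZIP central directory lists a name twice. The archive built here is a constructed stand-in for an APK, and the `duplicate_entries` and `is_suspicious_apk` helper names are our own.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(archive_bytes):
    """Map each entry name that appears more than once in the ZIP central
    directory to the list of CRC-32 values of its copies.

    A well-formed APK has unique names. A duplicate means a verifier and
    an installer that disagree on which copy to use can be played against
    each other, which is the condition a "master key" detection looks for.
    """
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # infolist() walks the central directory and keeps every record,
        # unlike getinfo(), which only returns the last record for a name.
        for info in zf.infolist():
            seen[info.filename].append(info.CRC)
    return {name: crcs for name, crcs in seen.items() if len(crcs) > 1}


def is_suspicious_apk(archive_bytes):
    """True if any entry name is duplicated. Differing CRCs between the
    copies additionally show that the duplicates differ in content."""
    return bool(duplicate_entries(archive_bytes))


def build_sample_apk(tampered=False):
    """Constructed stand-in for an APK: a ZIP with the entries an installer
    expects. With tampered=True a second classes.dex is appended under the
    same name, which is the duplicate-entry shape the vulnerability abused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00original code")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if tampered:
            with warnings.catch_warnings():
                # zipfile warns about a duplicate name but still writes it
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035\x00replacement code")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        apk = build_sample_apk(tampered=flag)
        print(f"tampered={flag}: suspicious={is_suspicious_apk(apk)} "
              f"duplicates={duplicate_entries(apk)}")
```

The check reads only the central directory, so it is cheap enough to run on every APK an app store or endpoint scanner receives; a clean archive returns an empty mapping, and a tampered one returns the duplicated name with one CRC per copy.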

    What are the risks?

    This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.

    Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanized app for a bank would continue to work for the user, but the credentials would have been sent to an attacker.

    What can users do to protect themselves?

    We’ve updated our Trend Micro Mobile App Reputation Service to detect apps that abuse this vulnerability, but so far we have not found any. Nonetheless, for users of Trend Micro Mobile Security, we have released an update to the pattern to ensure that we will detect apps that target this particular vulnerability. (All users with pattern version 1.513.00 or later are covered. Apps found exploiting the vulnerability will be detected as Android_ExploitSign.HRX.) This is sufficient to ensure that our users are protected from this threat.

    We strongly suggest disabling the ability to install apps from sources outside of Google Play. This setting can be found under Security in the system settings of Android devices.

    Google has taken some steps to protect users. They’ve modified the backend of their online store so that apps that try to exploit this problem are blocked. Thus, users who do not download apps from third-party stores or sideload APK files should not be at risk from this threat. The company also released a fix for the vulnerability and distributed it among OEMs. Hopefully, the importance of this update will prevent delays in its deployment.

    Update as of July 11, 2013 3:43 AM PST

    We have found a report describing a different approach to the same attack that bypasses Android signature checking, this time using a vulnerability in the Java Zipfile implementation. We are currently working on the solution, and malicious apps found using this technique will be detected as AndroidOS_ExploitSign.HRXA.

    Posted in Exploits, Mobile

    As part of our 2013 predictions, we predicted that legitimate cloud services would be abused by cybercriminals. Unfortunately, that has proven to be the case – and in today’s current climate, it is unlikely to get any better.

    For example, last week we saw a spam run that used Dropbox to host its malicious payload. It’s not the only case we’ve seen where legitimate cloud services have been utilized for malicious purposes – only the most recent noteworthy one.

    The issue is bigger than just one popular service – others like Evernote and Sendspace have been abused as well. It’s natural to ask if these services can prevent such cases from happening again. However, a competing demand has also been heard from the public: privacy.

    Today, people are much more concerned about whether their data is being read by governments or monetized by service providers themselves. They are likely to demand more privacy. For example, in the case of a cloud storage provider, the demand might be that the cloud provider not know anything about what files are being stored on their servers. To the provider, the customer’s data would merely be a blob of indecipherable bits that means nothing to them.

    Fundamentally, there is a clash between the demands of privacy and the demands of security. Say, for example, a storage provider wanted to ensure that their service wasn’t being used to host malware. They could use very powerful solutions – file scanning, sandbox testing, and so on – to test all uploaded files. Notwithstanding the obvious effects on costs and server requirements, this would also be perceived as spying by many users. (In today’s climate, that accusation can quite easily destroy a company.)

    The converse is also true: they could provide completely private storage, where all encryption is performed on user devices, and they have no idea what’s being stored on their sites. A service like that would certainly be abused by criminals. Because cloud providers have to meet legitimate customer demands for secure, private services, this creates a system that also shields illegitimate users’ activities from detection.

    Both examples above, of course, are at extremes – but they illustrate the tradeoff any cloud provider must make. They must strike a balance that suits their strategy and business model. However, this means that some level of abuse will be inevitable – and might even be viewed as an inevitable cost of doing business.

    What should users take away from this? As we said above, some abuse will be inevitable. It doesn’t even have to be a vendor you chose; it can be a vendor that either another user or a cybercriminal chose. Some writers have implied that as computing moves to the cloud, users can abdicate some responsibility for their security to other parties (like, say, cloud services of one kind or another).

    Nothing could be further from the truth. Users must still take responsibility for their own security and adopt security solutions that work for them and put them in control. Obviously, this means different things for a family at home and a corporation with thousands of seats – but the principle remains the same. The user, and not the “cloud”, has ultimate responsibility for keeping themselves safe.

    Posted in Data

    The past few weeks have seen some very high-profile sites adopt two-factor authentication in one form or another. First was Twitter, followed soon by Evernote and LinkedIn.

    For users of these sites, this represents a welcome improvement to their security. In the event that their password is (somehow) compromised, an attacker faces another barrier before they can gain access.

    There is still room for improvement. All three services use text message verification – i.e., they send an access code to the user’s phone when somebody tries to log in. Unfortunately, mobile malware can intercept text messages, so a capable attacker can capture these codes as well.

    An alternative which some sites use is an authenticator app, which generates the verification code on the device itself. Some sites require their own app; others implement RFC 6238 (time-based one-time passwords), so that a single app can authenticate multiple services.
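    To make concrete what an RFC 6238 app computes, and why the code never has to be sent over SMS, here is an added example of the time-based one-time password algorithm; it is our own illustration, not code from any of the services named above. Both sides hold the shared secret and derive the code from the current 30-second time step, and the server-side check tolerates one step of clock drift. The shared secret is the test key from RFC 6238 Appendix B, and the `verify_totp` helper name is ours.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter taken from the clock.
    The phone and the server compute the same code from the shared secret
    and the time, so no code travels over the mobile network."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def verify_totp(secret, code, unix_time, step=30, digits=6, skew=1):
    """Server-side check (our helper). Accepts the current step plus `skew`
    steps on either side to tolerate clock drift, and compares in constant
    time so the comparison itself reveals nothing about the expected code."""
    counter = int(unix_time) // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


# Test secret from RFC 6238 Appendix B: the ASCII string "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)
    print(f"current 6-digit code: {code}, verifies: {verify_totp(RFC_SECRET, code, now)}")
```

With the RFC test secret and 8 digits, time 59 yields 94287082 and time 1111111109 yields 07081804, matching the vectors in RFC 6238 Appendix B. The secret is the one thing that must stay on the device and the server; losing the phone therefore means the secret must be revoked and re-enrolled, which is the recovery problem discussed next.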

    There are also some usability challenges. Not all apps or operating systems allow the user to enter authentication codes (actually, relatively few do). In these cases, you need to create an application- or device-specific password – if the service supports it. (Theoretically, a bad implementation of these could pose a risk as well.) In addition, there is the very real problem of people losing their phones. In the United States alone, 1.6 million people lost their smartphones in 2012. A large service rolling out two-factor authentication has to consider some way for users to authenticate if they’ve lost their device.

    This highlights the importance of the stolen device problem we talked about recently. Not only are mobile devices in and of themselves valuable and contain the user’s personal data, they can act as the keys to the rest of the user’s accounts.

    Of course, these three services are not the only ones to introduce two-factor authentication. Many other high-profile companies like Blizzard, Facebook, Google, and Microsoft all support some form of two-factor authentication. Users should check which of their services support it and strongly consider activating it.

    Posted in Social

    Last week, the US government shut down Liberty Reserve, a digital currency service operating out of Costa Rica. Its founder, Arthur Budovsky, was arrested at the Madrid airport as he tried to return to Costa Rica. Other arrests were made in Spain, Costa Rica, and the United States.  The company is accused of laundering over 6 billion dollars in illegal funds, with more than a million users globally – 200,000 of these being in the United States. The company’s site now sports a notice that it has been seized by US law enforcement.

    Liberty Reserve has long been a favorite way for cybercriminals to exchange money securely without exposing their identity. So how are they taking to the shutdown of Liberty Reserve?

    In a word: poorly. Not only did they lose access to Liberty Reserve, making underground transactions more difficult, but they also lost funds as well. Many cybercriminals are claiming they lost thousands of dollars, if not more: we saw one claim that he’d lost $300,000 in the seizure. We have to take the more extravagant claims with some skepticism, but it’s clear many cybercriminals did lose money thanks to Liberty Reserve’s closure. Somewhat amusingly, some are still in denial about the whole affair, saying that the service would return on June 1 with improved security. Obviously, that didn’t happen.

    What are cybercriminals going to replace Liberty Reserve with? Even in the underground forums, that isn’t clear. Both gold and Bitcoins have been mentioned as possible substitutes. Other digital currency services like PerfectMoney have been mentioned as well. Interestingly, some of these services have explicitly banned users from the US, perhaps in an attempt to shield themselves from US law.

    In the short term, we may actually see more online theft occur due to cybercriminals trying to make their money back. In the long run, if other digital currencies are targeted, it could make life for cybercriminals very complicated.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice