    Author Archive - Karl Dominguez (Threat Response Engineer)

    We have been closely monitoring developments on the DUQU malware since our initial blog post when the threat first broke the news. Just recently, the Hungary-based security laboratory that initially reported on DUQU released more information that sheds more light on the nature of the threat.

    Their report indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Microsoft Word file drops the installer files that load the DUQU components that were initially reported a couple of weeks back.

    The installer files are composed of a .SYS file detected as RTKT_DUQU.B, and a .DLL file detected as TROJ_DUQU.B. RTKT_DUQU.B loads TROJ_DUQU.B into the system. TROJ_DUQU.B, on the other hand, drops and decrypts the DUQU components, RTKT_DUQU.A, TROJ_DUQU.ENC, and TROJ_DUQU.CFG. Below is a simple behavior diagram of the threat.



    The security industry is currently buzzing with talk about a threat dubbed the precursor to the next STUXNET.

    According to a Symantec analysis, portions of the code are very similar to STUXNET and were likely written by the same cybercriminals as the well-known threat. Unlike STUXNET, however, Duqu does not contain code that suggests it was developed to access SCADA systems. Instead, its final payload appears to be aimed at information theft.

    Duqu is made up of several components. The SYS file, detected as RTKT_DUQU.A, is responsible for activating the malware and triggering the execution of its other routines. Based on analysis, however, the main goal of these files is to establish a connection with the C&C server. It is said that Duqu delivered an information-stealing malware, detected as TROJ_SHADOW.AF, onto affected systems through this connection. We have also verified that DUQU contains code very similar to that of STUXNET.

    Upon execution, TROJ_SHADOW.AF enumerates the processes currently running on the system and checks whether any of them match the following security-related processes:

    • avp.exe (Kaspersky)
    • Mcshield.exe (McAfee)
    • avguard.exe (Avira)
    • bdagent.exe (Bitdefender)
    • UmxCfg.exe (CA)
    • fsdfwd.exe (F-Secure)
    • rtvscan.exe and ccSvcHst.exe (Symantec)
    • ekrn.exe (ESET)
    • tmproxy.exe (Trend Micro)
    • RavMonD.exe (Rising)

    If one is found, TROJ_SHADOW.AF launches the same process in a suspended state, then patches the malware code into it before resuming execution. In effect, there will be two AV processes: the first being the original, and the second being the patched one.
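The duplicated AV process described above leaves a simple artifact a defender can look for: two instances of a security product's process where one is expected, with the second spawned by a parent that is not the normal service host. The following is an added example, not code from the original post or from Trend Micro; the process snapshot is constructed, the `update.exe` parent is a hypothetical name, and treating `services.exe` as the only trusted parent is an assumption for illustration.

```python
"""Flag security-product processes that are running more than once (constructed sample data)."""
from collections import defaultdict

# Process names listed in the post, matched case-insensitively.
SECURITY_PROCESSES = {
    "avp.exe", "mcshield.exe", "avguard.exe", "bdagent.exe", "umxcfg.exe",
    "fsdfwd.exe", "rtvscan.exe", "ccsvchst.exe", "ekrn.exe", "tmproxy.exe",
    "ravmond.exe",
}

# Constructed snapshot of (pid, ppid, image_name); not taken from a real host.
SAMPLE_SNAPSHOT = [
    (4, 0, "System"),
    (500, 4, "services.exe"),
    (1200, 500, "ekrn.exe"),        # expected instance, child of services.exe
    (2300, 600, "explorer.exe"),
    (3100, 2300, "update.exe"),     # hypothetical dropper launched from explorer
    (3150, 3100, "ekrn.exe"),       # second copy, started suspended by the dropper
    (3200, 2300, "notepad.exe"),
]


def find_duplicate_security_processes(processes, trusted_parents=("services.exe",)):
    """Return {name: [instance, ...]} for each security process seen more than once.

    Each instance records its pid, ppid, the parent's image name and whether that
    parent is in `trusted_parents` (assumed here to be services.exe only), so an
    analyst can tell the legitimate copy from the one spawned by the malware."""
    names = {pid: name.lower() for pid, _, name in processes}
    by_name = defaultdict(list)
    for pid, ppid, name in processes:
        if name.lower() in SECURITY_PROCESSES:
            by_name[name.lower()].append((pid, ppid))
    findings = {}
    for name, instances in by_name.items():
        if len(instances) < 2:
            continue  # a single instance is the normal case
        findings[name] = [
            {"pid": pid, "ppid": ppid, "parent": names.get(ppid, "?"),
             "trusted_parent": names.get(ppid) in trusted_parents}
            for pid, ppid in instances
        ]
    return findings


if __name__ == "__main__":
    for name, instances in find_duplicate_security_processes(SAMPLE_SNAPSHOT).items():
        print(name, instances)
```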



    Newer and more complicated Android malware variants are expected to emerge along with the rising number of malicious Android apps. A new backdoor that we were able to analyze proves just that. Malware targeting the Android platform is continuously improving in performance as well as adopting new techniques to thwart analysis and avoid detection.

    This Android malware, which Trend Micro detects as ANDROIDOS_ANSERVER.A, arrives as an e-book reader app and can be downloaded from a third-party Chinese app store. It asks for the following permissions upon installation:

    Based on the permissions requested alone, it is easy to see that this particular malware has a lot of capabilities. Once granted, the permissions can be used to execute the following:

    • Access network settings
    • Access the Internet
    • Control the vibrate alert
    • Disable key locks
    • Make a call
    • Read low-level log files
    • Read and write contact details
    • Restart apps
    • Wake the device
    • Write, read, receive, and send SMS



    Trend Micro recently came across a botnet that turns an infected system into an involuntary Bitcoin miner. Bitcoin is a digital currency that uses peer-to-peer (P2P) networks to track and verify transactions. Bitcoins are generated by a free Bitcoin miner application.

    The malware, detected as BKDR_BTMINE.MNR, installs the mining software on infected systems. It uses the system’s resources to solve Bitcoin blocks in order to generate more Bitcoins.

    A Bitcoin “block” is a complex cryptographic problem. Solving a block currently pays out 50 Bitcoins, and blocks are created every time a Bitcoin transaction is made. The process of solving these blocks is called “mining.” The only way to solve a block is by brute force, which eats up system resources. To speed up the computation of a block, mining pools are created: the problem is split into pieces that are solved by multiple systems, and each miner’s reward is based on how much it contributed to the solution.

    Here, BKDR_BTMINE.MNR installs three different mining programs that run at whatever speed the system’s processing power allows. To help speed up processing, the malware downloads the necessary drivers for the infected system’s GPU and CPU. If blocks are solved, the attackers gain ownership of the generated Bitcoins.



    We recently reported on a blackhat search engine optimization (SEO) campaign that targeted not only Windows but also Mac users. It has been only a few weeks since Mac users became firmly established as potential victims in the threat landscape, yet more and more threats targeting them are being found.

    FAKEAV for Mac

    The first case that got the attention of the security industry was a rogue antivirus called MacDefender, which is detected as OSX_FAKEDEF.M. The said malware reportedly affected a large number of Mac users.

    Other variants of rogue antivirus software made especially for Macs followed, bearing different names such as MacSecurity (detected as OSX_FAKEAV.A) and MacProtector.

    In a recent development, we found a fake Mac antivirus variant spreading through Facebook (detected as OSX_DEFMA.B).


    MacDefender and its variants aren’t the first rogue antivirus software seen targeting Mac users. In 2008, scareware applications called MacSweeper and iMunizator were seen, both of which had the same standard rogue antivirus routines.

    This time around, however, the number of variants is growing exponentially and affecting more and more users. In response, Apple issued an update to its OS to prevent MacDefender from executing.

    Solution Strategy

    According to Trend Micro senior threat researcher Joey Costoya, the solution Apple provided is not limited to MacDefender but also covers Mac malware starting from 2009. From what he gathered from the vendor’s “pattern file,” it includes detections for other popular Mac malware such as OSX_RSPLUG, OSX_KROWI, and OSX_OPINIONSPY.A.

    So it appears that although Apple marketed the “update” as solving only the MacDefender FAKEAV issue, the update actually checks for other known Mac malware as well.
