
    Author Archive - Mark Joseph Manahan (Threat Response Engineer)

    Out with the old, in with the new? When it comes to cybercrime, that’s rarely the case. We often see old malware get upgrades with new techniques, payloads, and even targets. This is certainly the case for an old Java remote access Trojan (RAT) detected as JAVA_OZNEB.B.

    Users may encounter this threat as an attachment to spammed emails. These emails are often financial in nature. One such email pretends to be from American Express, informing recipients that their accounts have been suspended due to suspicious activity. To reactivate, they must fill out the attachment and send it back to American Express. The attachment is actually the malware in disguise. Users may also encounter the malware online pretending to be catalogues, product lists, or receipts.

    Figure 1. Sample spammed message

    Once it infects the computer, the RAT can perform a variety of routines, such as taking screenshots, displaying messages, and loading additional plugins, including one for mining Litecoins. The option for additional plugins makes the malware a high-risk threat, as cybercriminals can update and tweak its routines as they wish. Making the malware a bigger threat is the fact that it can run on multiple platforms. It should be noted that this is not the first Java RAT that affects multiple platforms; we first spotted one in 2012.

    JAVA_OZNEB.B was previously known as Adwind then later renamed to UNRECOM (Universal Remote Control Multi-Platform). Aside from the new name, the malware also experienced an upgrade: it can now run on the Android platform. The inclusion of Android in the set-up is highly notable because aside from running in Android, this malware now also works as an APK binder. Put simply, the malware can be used to Trojanize legitimate apps, like an Android malware we’ve previously discussed.

    The inclusion of a Litecoin miner plugin is highly notable, given the slew of threats targeting cryptocurrencies we’ve seen recently. Litecoin is a cryptocurrency that’s often considered a popular alternative to Bitcoin. The Litecoin plugin allows a remote malicious user to use an infected computer to mine Litecoins. Mining digital currencies requires a lot of computing power, so victims may experience sluggish performance from their infected computers.

    Feedback from the Smart Protection Network shows that affected countries include the United States, Turkey, Australia, Taiwan, Singapore, and Japan. We advise users to be cautious when opening emails, even if they appear to come from reputable senders. For matters related to finance, it’s best to call the financial institution involved to resolve potential issues.

    With additional insights from Lala Manly.

    Posted in Malware, Spam

    The ZeuS/ZBOT malware family is probably one of the most well-known malware families today. It is normally known for stealing credentials associated with online banking accounts. However, ZBOT is no one-trick pony. Some ZBOT variants perform other routines, such as downloading or dropping other threats, including ransomware.

    We recently came across one variant detected as TROJ_ZCLICK.A, which seemingly “locks” the desktop to display websites. This kind of behavior is out of the ordinary for a ZBOT variant. Once it infiltrates the system, the malware displays these sites every time the user performs any activity, such as opening a window or file. The sites occupy the entire desktop screen, hindering access to any open windows or files. There have been instances wherein the user can still see the open windows, but with the sites running in the background. Users can bypass this inconvenience by performing the “show desktop” command, but the malware will continue to display windows.

    Figure 1. Sites are displayed full-screen in the background of the running program Space Cadet

    It should be noted that the sites being displayed are all legitimate, ranging from gaming sites, ticketing sites, and music sites to search engines. Users can actually navigate these displayed sites. One curious feature of this malware is that it also performs various mouse movements and scrolling when the mouse is idle.

    It is noteworthy that this variant doesn’t perform the traditional routines associated with this malware family, such as stealing information. However, analysis reveals that the sample does contain the ZBOT code, which means this variant loads only the clickbot routine. In this light, it’s only logical to assume that the main motivation for this variant is to generate income via the pay-per-click model.

    This malware proves that cybercriminals are continuously tweaking familiar or known malware to deliver new payloads, all in the name of generating income from victimizing users. As such, users should always remember key safety practices when going online. Habits like installing the latest software updates or deleting spammed messages can go a long way in protecting computers from threats.

    Posted in Malware

    Cybercriminals can certainly be resourceful when it comes to avoiding detection. We have seen many instances wherein malware came equipped with improved evasion techniques, such as preventing execution of analysis tools, hiding from debuggers, blending in with normal network traffic, along with various JavaScript techniques. Security researchers have now come across malware that uses a legitimate compression technique to go unnoticed by security solutions.

    This malware, detected as TROJ_SHELLCOD.A, is an exploit that targets an Adobe Flash Player vulnerability (CVE-2013-5331). The malware is a document file with an embedded Flash file, which has been compressed using ZWS. Released in 2011, ZWS uses the Lempel-Ziv-Markov chain algorithm (LZMA) to compress data with no data loss. We now take a look at how this legitimate technique was used by this particular malware.

    Figure 1. Compressed malware

    Figure 1 shows the malware in its compressed form, which allows it to evade detection by scanners that do not decompress ZWS content. To decompress the content, we used a SWFCompression Python script.
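    As an added example (not Trend Micro's SWFCompression script), the following Python routine recognises the FWS/CWS/ZWS signatures and rewrites a ZWS (LZMA-compressed) file to its uncompressed FWS form, the step a scanner must take before it can see the embedded content. The ZWS input it runs on is constructed inside the block; make_zws, MARKER and SAMPLE_FWS are names invented for this example.

```python
import lzma
import struct
import zlib

# SWF header (SWF spec): 3-byte signature, 1-byte version, uint32 LE total
# uncompressed length (header included). A ZWS file adds a uint32 LE compressed
# length and 5 LZMA property bytes (lc/lp/pb byte, uint32 LE dictionary size),
# then the raw LZMA1 stream of everything after byte 8 of the original file.

def swf_decompress(data: bytes) -> bytes:
    """Rewrite any SWF container as FWS (uncompressed) so its tags can be scanned."""
    sig, version = data[:3], data[3]
    total_len = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        return data
    if sig == b"CWS":                       # zlib, Flash Player 6+
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":                     # LZMA, Flash Player 11+ (the post's case)
        props = data[12:17]
        pb, rest = divmod(props[0], 45)     # props byte = (pb * 5 + lp) * 9 + lc
        lp, lc = divmod(rest, 9)
        dict_size = struct.unpack_from("<I", props, 1)[0]
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=[
            {"id": lzma.FILTER_LZMA1, "lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size}])
        body = dec.decompress(data[17:])    # raw stream: no .lzma/.xz container header
    else:
        raise ValueError("not a SWF signature: %r" % sig)
    if len(body) + 8 != total_len:          # truncated file or lying header
        raise ValueError("header says %d bytes, decoded %d" % (total_len, len(body) + 8))
    return b"FWS" + bytes([version]) + struct.pack("<I", total_len) + body

def make_zws(fws: bytes, dict_size: int = 1 << 16) -> bytes:
    """Wrap an FWS file as ZWS the way a packer does (used here to build test input)."""
    lc, lp, pb = 3, 0, 2                    # common LZMA parameter choice
    filters = [{"id": lzma.FILTER_LZMA1, "lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size}]
    payload = lzma.compress(fws[8:], format=lzma.FORMAT_RAW, filters=filters)
    props = bytes([(pb * 5 + lp) * 9 + lc]) + struct.pack("<I", dict_size)
    # compressed-length field: bytes after the 17-byte header (the decoder above ignores it)
    return b"ZWS" + fws[3:8] + struct.pack("<I", len(payload)) + props + payload

# Constructed sample, not a real exploit file: placeholder frame header bytes plus a
# marker string standing in for content a byte-signature scanner would look for.
MARKER = b"EXAMPLE-SCAN-MARKER"
_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00" + MARKER * 8
SAMPLE_FWS = b"FWS" + bytes([11]) + struct.pack("<I", 8 + len(_BODY)) + _BODY

def marker_visible(data: bytes) -> bool:
    """The naive signature check that ZWS compression hides the marker from."""
    return MARKER in data
```

Running marker_visible on the ZWS bytes returns False while the same check on swf_decompress's output returns True, which is exactly the gap a scanner without ZWS support leaves.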

    Figure 2. The shellcode has been extracted in ASCII form

    Figure 3. ASCII shellcode

    After converting it to hex code, we see a URL that it most likely accesses. Unfortunately, we cannot acquire the code it is supposed to download as the URL is no longer accessible at the time of analysis.

    Figure 4. Binary shellcode

    Loading the code into a debugger produces the following outcome.

    Figure 5. Code execution

    As you can see in Figure 5, this malware uses a different approach for executing its payload. Typically, malware is downloaded and executed, which means a physical copy of the malware is dropped on the infected machine. This allows security solutions to detect the malware.

    However, this particular malware allocates memory using VirtualAlloc, copies its payload into that memory, and executes it there, acting like a backdoor. Doing so makes it harder to trace the routines of the malware, as there is no physically dropped file; the payload exists only in memory. This is the reason why this malware is able to evade most security solutions, even those that support ZWS compression.

    We urge users to regularly install security updates as soon as they are made available. These patches can mean the difference between protection and infection. For example, the vulnerability used in this attack was patched by Adobe in December 2013.

    Trend Micro detects all threats related to this attack.

    Posted in Malware, Vulnerabilities

    The presence of a security product is normally seen as a deterrent or challenge for cybercriminals. However, that is not the case with this banking Trojan, specifically, a BANLOAD (also known as BANKER or BANBRA) variant. This malware actually limits its range of victims to online banking clients of Banco do Brasil. It does so by checking for the presence of a specific security product before it executes its malicious routines.

    Infection Through Security

    BANLOAD malware often uses several techniques that allow it to avoid detection and spread within Latin America, specifically Brazil:

    • Deletion of anti-fraud software like the G-buster Plugin (GbPlugin) and anti-virus products
    • Limiting targets to systems with Portuguese (the official language of Brazil) as the default system language
    • Disguising itself as anti-fraud software, specifically GbPlugin

    Most Brazilian banks encourage their online banking customers to install the G-buster Plugin onto their computers. G-buster Plugin prevents malicious code from running during a banking session.

    Typically, banking malware will attempt to disable or delete this plugin. However, this new BANLOAD malware, detected as TROJ_BANLOAD.GB, actually checks for this plugin before performing any routines. It goes so far as to check that the installed version of GbPlugin is meant to protect Banco do Brasil customers.

    This variant uses the plugin as an indicator that the targeted system is being used for online banking. If a system does not have the plugin installed, the malware simply deletes itself, leaving no trace of infection. In this particular case, GbPlugin does not stop the malware from downloading and executing malicious files; the downloaded malware is detected as TSPY_BANKER.GB. This spyware attempts to get information from certain banks and financial institutions.

    The Brazilian and Latin American Connection

    Online banking Trojans like BANLOAD and BANCOS have been hitting Latin American users for more than a decade. One major reason behind the presence of banking Trojans in the region is that online banking is quite popular in the region. Physical constraints—like a shortage of brick-and-mortar branches—have contributed to the adoption of online banking.

    Brazil has been in the forefront of online banking in the region. While the country may enjoy advanced online banking systems, that doesn’t necessarily mean it is technologically prepared for it. A recent report shows that the country suffers heavily from DOWNAD, a malware associated with unpatched systems and pirated software. This implies users who may not be as vigilant with their computer’s security as they should be—perfect victims for cybercriminals.

    We’ve noticed several improvements in banking Trojans, such as testing for the PC’s system language, and in phishing sites, which use IP address and browser user-agent tests. These are used to check whether the affected computer is in Brazil.

    If these tests determine that the user may not be from Brazil, the phishing site may instead redirect the user to a legitimate banking site. Banking Trojans also use proxy auto-config (PAC) scripts and phishing pages to filter out their intended victims.

    Trend Micro protects users by detecting all threats related to this attack.

    With additional insights from Fernando Merces

    Posted in Malware

    Early this year, Trend Micro researcher Kyle Wilhoit observed an increase in the use of AutoIt in several hacker tools and malware, which were typically uploaded on sites like Pastebin and Pastie. In that blog post, Kyle noted that because of AutoIt’s easy-to-learn language, we can expect more threat actors to incorporate this scripting language in their schemes. Now we’ve learned that he was right, as we are seeing more malware using AutoIt.

    We recently encountered a ZeuS variant that arrives with a malicious AutoIt file and garbage files. It arrives via a spammed email message, and the unpacked file is detected as TSPY_ZBOT.SMIG. Like any ZeuS/ZBOT variant, TSPY_ZBOT.SMIG drops a configuration file that contains a list of its targeted banks and other financial sites. It also steals information from different FTP sites and steals personal certificates from the infected system.

    In addition, we also spotted two other malware that use the same packer, which Trend Micro detects as TSPY_CHISBURG.A and TSPY_EUPUDS.A. When TSPY_CHISBURG.A is loaded into memory, it steals user names and passwords from Yahoo, Hotmail, Pidgin, and FileZilla, as well as VPN/ISP credentials, among others. Similarly, TSPY_EUPUDS.A gets data from the infected system such as the user ID, browser and version, and OS version. It also steals information like user names and passwords stored in certain browsers. Cybercriminals may sell the gathered information in the cybercrime underground or use it to launch other attacks.

    The new AutoIt packer tool code found online can propagate via removable drives, has installation routines, and checks for installed antivirus software on the system. Furthermore, its code contains garbage code and obfuscated functions to make it harder to analyze. And while these malware (TSPY_CHISBURG.A and TSPY_EUPUDS.A) are old, they remain an effective means to steal information, especially with the added capability of the AutoIt packer.

    Packing malware with a scripting language such as AutoIt makes analysis arduous, especially if there is no decompiler that can aid in the analysis. AutoIt is also used by legitimate applications, so compressed malware must first be unpacked in order to isolate only the malicious routines and behavior.

    To avoid these malware, we advise users to be wary of the email messages they receive and to avoid executing the attachment(s) that go along with them. Users are also encouraged to regularly update their systems and anti-malware software to ensure protection. Trend Micro detects and deletes all the malware reported in this post through the Smart Protection Network.

    With additional insights from Rika Gregorio.

    Posted in Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved.