Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Gelo Abendan (Technical Communications)

    Reports of an active exploit targeting an unpatched vulnerability in Java 6 recently surfaced. Upgrading to the latest version of Java is the prescribed solution, though for some users, this is easier said than done.

    The said exploit, detected by Trend Micro as JAVA_EXPLOIT.ABC, targets CVE-2013-2463 which Oracle addressed last June. Java 6 is also affected by this vulnerability, but Oracle no longer supports the version since April this year. What is more alarming is that the said exploit has been confirmed integrated into the Neutrino exploit kit threat. Previously, the said exploit kit was found to serve users with ransomware variants, which are known to lock important files and often the system itself until affected users pay a fee or “ransom”.

    Since Oracle no longer supports the said version, they have not stated any intention to patch the said flaw. With more than 50% of users still using Java 6, this can lead to serious implications. Because no patch is (or will be) available, the exploit provides cybercriminals and other attackers an effective vehicle to launch attacks targeting users and organizations using Java 6. This may include the aforementioned Neutrino exploit kit and ransomware variants, which may cause serious business disruption and in some cases, actual money loss (due to users paying the ransom).

    The impact of this threat may be less for usual Internet users than for organizations/entities, who may not be quick to migrate to the latest software version due to business and/or operational continuity issues.

    This incident can also be a sneak peak at what might happen once Microsoft halts its support for Windows XP. Last April, the company reiterated their intention of ending its support for the said OS and Office 2003 by April 2014 and encourage its users to migrate to the more modern Windows 7 and 8.

    For users, the best way is to migrate to the latest version of Java. If not yet started, organizations are strongly encouraged to start migrating to the latest software version, to avoid this and other attacks that might take advantage of the unpatched vulnerability. Trend Micro detects and deletes the exploit and blocks access to sites hosting the malware.

    Update as of 8:00 PM, PDT

    Existing Trend Micro solutions – including our Web Reputation Service and the browser exploit prevention integrated into Trend Micro™ Titanium™ 2013 already provide protection to users out-of-the-box, without requiring any updates to be downloaded.

    Update as of 9:00 AM, PDT Sept. 2, 2013

    Trend Micro Deep Security protects users from the exploits targeting vulnerability cited in this blog via rule 1005652 – Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-2463).

    Posted in Exploits, Malware, Vulnerabilities | Comments Off on Java 6 Zero-Day Exploit Pushes Users to Shift to Latest Java Version

    Malware targeting online banking sites naturally cause alarm among users, as they are designed to steal not only information but also money from its users. Thus it is no surprise that the surfacing of KINS, peddled as “professional-grade banking Trojan” in the underground market, raised concerns that it might become as successful as ZeuS/ZBOT had been in previous years.

    During our investigation, we acquired several KINS variants (detected as TSPY_ZBOT.THY and TSPY_ZBOT.THX) and found that it is not really a “new” Trojan. It uses a different packer and contains sophisticated anti-debugging and anti-analysis routines, but underneath it’s still ZeuS: it uses the same folders and file names, injects the same processes, creates the same registry entries, etcetera.

    To thwart analysis and debugging, these KINS variants search for and stop running if it finds it is being run inside several popular virtual machine servers (specifically, VMWare and VirtualBox) or a Windows emulator (WINE). Similarly, other security tools like Sandboxie will also cause the malware to stop running.

    In terms of functionality, KINS is essentially identical to to ZeuS/ZBOT; for example, it downloads a configuration file that contains the list of targeted banks, drop zone sites, and webinject files. KINS steals online banking data such as user credentials by injecting a specific code onto the user’s browsers when they visit certain URLs in real time. Once done, the malware shows fake but legitimate-looking pop-ups that ask for banking credentials and additional information such as social security number.

    As we are on the latter half of 2013, our prediction of old but reliable threats resurfacing remains true in this year’s threat landscape. In our 2Q Security Roundup, we noted the boost in online banking malware last quarter, in particular of ZeuS/ZBOT variants after being under the radar the past year.

    With KINS, we can see the ongoing efforts of cybercriminals to refine dated threats with methods to avoid antimalware detection. We can also expect that KINS won’t be the last of its kind. As well-known Trojan toolkits like SpyEye and Ice IX are now available for free and the “leaked” source code of CARBERP easily accessible, it will be easier for the bad guys to create and distribute their own versions of these malware.

    Trend Micro detects and deletes the related malware, while Deep Security offers latest protection against exploits that may lead to KINS infection.

    Posted in Malware | Comments Off on Can KINS Be The Next ZeuS?

    Tax-themed spam, particularly in the United States, is already considered a staple in the threat landscape. However, a recent spam run targeting taxpayers in the United Kingdom shows that this threat is never exclusive to a region. Besides being timely, these messages contain TSPY_FAREIT, which download a ZeuS/ZBOT variant, notorious for stealing information related to online banking sites.

    We found sample of an email message that appears to be from HM Revenue and Customs in the UK. It notifies users of their VAT return receipt, something that might appear timely to unsuspecting users since the deadline for VAT returns and payments was last August 7. To further convince users of its validity, the message states that the email was “scanned for viruses”.


    Sample spam with alleged VAT return “receipt”

    The message contains an attachment, which is supposed to be the receipt for the VAT return. But based on our findings, the attachment is (expectedly) a malware detected as TSPY_FAREIT.ADI. Once executed, the malware steals varied information from the system, such as those related to: FTP clients,file managers, and email. It also attempts to steal information stored in the following browsers:

    • FastStone Browser
    • Flock Browser
    • Google Chrome
    • Internet Explorer
    • K-Meleon
    • Mozilla Firefox
    • Opera Browser
    • RockMelt

    The data stealing does not stop there. TSPY_FAREIT.ADI downloads another malware, specifically TSPY_ZBOT.ADD. As expected of any ZeuS/ZBOT variant, the malware downloads configuration file(s) from randomly generated IP addresses. The said file also contains list of targeted online banking and finance-related sites and the URLs where it sends the gathered information.

    The cybercriminals behind this threat are obviously taking advantage of the recent tax return deadline in the UK. But the real concern here is the severity of the information to be stolen. Aside from the email and FTP credentials, which are profitable in the underground market, the bad guys are also gunning for the victims’ online banking accounts. Once they got hold of users’ banking and financial credentials, they can either sell them on the digital underground or use these to initiate unauthorized money transfers leading to actual financial loss.

    In our 2Q Security Roundup report, we noted the increase of online banking malware in the past quarter and how the CARBERP’s “leaked” source code may lead to more variety for this threat. Thus, it is important for users to double-check the messages they receive and to be careful in opening any attachments from unverified sources. As an added precaution, always implement your systems with the latest security updates from vendors.

    For more information on how to avoid threats using social engineering lures, you may refer to our Digital Life e-Guide How Social Engineering Works. Trend Micro blocks these email messages and detects the related malware.

    With additional insights from Threat Response Engineer Anthony Joe Melgarejo

    Posted in Malware, Spam | Comments Off on UK Tax-Themed Spam Leads to ZeuS/ZBOT

    Patch-Tuesday_grayIn today’s Patch Tuesday, users and administrators everywhere are advised to immediately update their systems with the latest security updates from Microsoft, with critical updates for Internet Explorer taking the spotlight.

    For the month of August, Microsoft releases eight bulletins, three of these rated Critical while the rest are tagged Important. Similar to previous Patch Tuesdays, fixes for Internet Explorer may get the most attention. The bulletin addresses eleven vulnerabilities and affects IE versions 6 to 10, the most severe of which may enable an attacker to execute malware once users visit a maliciously-crafted website using Internet Explorer.

    The other critical bulletins include the updates for Exchange server and Windows OS vulnerabilities. Similar to IE, these vulnerabilities may allow a remote attacker to execute a malware onto the system.

    The bulletins rated as Important may not give an attacker the chance to execute malware, but not implementing these can lead to serious repercussions. The vulnerabilities in Windows and Windows Kernel may to an attacker gaining same privilege as current users. The other cited software bugs found in Windows NAT, ICMPv6, and Active Directory Federation Services may result to denial of service (DoS) attack and unwanted data disclosure respectively.

    Microsoft’s update for the browser is a good reminder of the reality of the risks of browsers. In the recently concluded Blackhat Conference, researchers Jeremiah Grossman and Matt Johansen demonstrated the possibility of browser-based botnets and how this can be done using fake online ads. In a previous research, Trend Micro researcher Robert McArdle showed how a similar threat can be done by abusing HTML5.

    On the topic of browsers, Mozilla also released Firefox 23 for Mac, which addresses 13 security issues. Similar to IE, exploiting these Firefox vulnerabilities may also lead to malicious file being executed in a vulnerable system.

    With browsers being the default way to connect to the Web and the growing number of devices dependent on browsers, this continuous attention to IE and browser security shows that we may see more assaults to the browsers in the near future.

    Users are advised to apply these security updates the soonest possible. You may also visit our Trend Micro Threat Encyclopedia page to know more about how Deep Security solution.

    Posted in Bad Sites | Comments Off on August 2013 Patch Tuesday Features Three Critical, Five Important Bulletins

    Though the bulk of mobile threats are in the form of malicious or high-risk apps, mobile devices are also troubled with other threats. Take for example the bugs found in Samsung Galaxy devices and the OBAD malware that exploits vulnerabilities to gain elevated privileges. Unfortunately, these are not the only vulnerabilities that mobile users should be wary of.

    Just recently in BlackHat USA,  three vulnerabilities were discussed :  “master key” vulnerability in Android, the SIM card, and the iPhone charger vulnerability.

    The “master key” vulnerability was initially reported affecting 99% of Android mobile devices. This is related to how Android apps are signed and may allow an attacker to update an already installed app without the developer’s signing key. Taking advantage of this flaw, the attacker can then replace legitimate apps with malicious ones. We saw first-hand just how big its impact can be when our researchers got hand of an attack that used the vulnerability to update and trojanize a banking app.

    The second mobile device vulnerability, on the other hand, stems from the use of old encryption system in most SIM cards today. To abuse the vulnerabilty, the attacker only needs to send an SMS message crafted to intentionally generate error. As a result, the SIM card responds with an error code containing a 56-bit security key. The key can then be used by the attacker to send a message to the device in order to trigger the downloading of malicious Java applets, which may be designed to perform several malicious routines such as sending text messages and spying on the phone’s location.

    Unlike the “master key” vulnerability, the SIM card vulnerability can affect a far bigger set of users since it is not OS- dependent. Furthermore, because the said threat stems from the use of an old decryption method, updating SIM cards with a newer decryption feature can be seen as impractical and expensive by GSM operators and telecommunication firms.

    There are other ways to prevent attacks targeting this vulnerability. Filtering SMS messages can be a good start, but may not be possible with very basic handsets. Some telecommunication providers also offer in-network SMS filtering, but is highly dependent on the mobile carrier.

    The third vulnerability confirms that even the iPhone is not immune from vulnerabilities. Researchers from the Georgia Institute of Technology were able to create a a malicious charger (also called Mactan) that contain mini computers that can initiate USB commands. Presented during the recent BlackHat US, the researchers demonstrated how the malicious charger was able to infect the iPhone and execute commands. Apple has then announced that the vulnerability used to execute the attack will be addressed in their next software update.

    Read the rest of this entry »

    Posted in Exploits, Mobile, Vulnerabilities | Comments Off on Exploiting Vulnerabilities: The Other Side of Mobile Threats


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice