TrendLabs Malware Blog - Trend Micro
    Author Archive - Paul Ferguson (Senior Threat Researcher)

    On Thursday, the U.S. House of Representatives discussed the Stop Online Piracy Act (SOPA), a proposal that would give the U.S. Government new tools to fight the online sale of infringing or counterfeit goods.

    Trend Micro is aware of the ongoing legal and policy complexities involved in balancing protection of intellectual property rights with censorship concerns, and does not advocate a particular solution to that challenge. Yet, as a trusted security advisor and online crime fighter, we would like to inject some caution into the discussion.

    SOPA has real and serious implications that could undermine the overall health and security of the Internet. It could actually make life easier for the criminals it is supposed to thwart.

    This is because SOPA could negatively affect the Domain Name System (DNS), which is a fundamental building block of the Internet. Indeed, DNS is critical to everything that makes the Internet function.

    DNS links numerical Internet addresses (such as …) to friendly Uniform Resource Locator (URL) addresses that humans can easily use and understand.

    Our URL, …, is certainly easier to remember than our numeric IP address.

    Making changes to how DNS works, especially sudden changes, could inadvertently undermine everyone’s Internet security.



    As our colleague Jorge Mieres over at Kaspersky recently noted, cybercriminals appear to be using Amazon Web Services (AWS) to host quite a large volume of SpyEye Trojans and exploit kits. In fact, another colleague in my group, Ranieri Romera, recently collected approximately 22Mb of malware hosted on AWS for analysis and detection.

    My advice is to avoid clicking any suspicious link, whether in an unsolicited email message or an apparently benign link embedded in a Web page hosted on AWS (e.g., …, et al.), until this problem is resolved. We recently saw about 30–50 various subdomains and specific URLs created on AWS that appear to harbor malicious content.

    We reported this to the Amazon Security folks, but in the meantime these malicious links are being blocked by the Trend Micro™ Smart Protection Network™.


    As I mentioned in a blog post last week, the e-healthcare (electronic healthcare) industry is quite possibly a ticking time bomb for various reasons. And today, I read a memorable quote about the state of security in this segment (Neil Versel, InformationWeek):

    “Electronic medical records haven’t fulfilled their promise of safer, more efficient, lower-cost care, and won’t until usability improves for physicians and nurses and until systems are more interoperable…”

    Of course, this quote is regarding EHRs/EMRs (electronic health records or electronic medical records, terms that seem to be used interchangeably in the industry) and their ability to simplify and streamline health record-keeping processes, reduce costs, and improve healthcare quality—however, it is also true with regard to the security benefits that the entire e-healthcare framework brings to the table.

    Insofar as “usability” is an issue for EHRs/EMRs, so too is the fact that much of the healthcare industry is now experiencing another security conundrum with regard to mobility—many doctors and healthcare workers want to access patient data “on the go,” via their iPads, iPhones, and other mobile devices. If the IT staff has not properly planned for this contingency, serious security problems will definitely present themselves.

    And to make mobility in the healthcare sector even more interesting, the FDA is now exploring the possibility of regulating mobile applications in the healthcare industry in the United States.

    Brian Krebs pointed out today yet another potential security nightmare facing the healthcare industry—compromised hosts, which are controlled by criminals. Of course, Brian’s article references spambots—particularly in the healthcare industry—but regardless of what type of bot is used, the point is that the end system is compromised and under the control of criminals. It can just as easily collect and exfiltrate data and login credentials or modify critical patient records.



    The security issues unique to the healthcare sector are an area that I have been following pretty closely over the course of the past couple of years, for a few reasons.

    First—and thankfully—there appears to be increasing concern in the healthcare industry that the recent spate of security breaches could bleed over into the healthcare sector and could have an adverse effect on the already-troubled industry. As reported in The New York Times on Monday, there is a renewed emphasis on the protection of patient medical data in the face of an onslaught of consumer privacy data breaches.

    As stated in The New York Times article, “… in the last two years, personal medical records of at least 7.8 million people have been improperly exposed, according to government data.”

    These numbers seem to grow with time and it is especially troubling that these “improper exposures” have not received the same notoriety that similar data breaches have received in other industries.



    The cybercrime underground saw relatively few really revolutionary developments in 2010. However, while the rest of the world was in the economic doldrums, the cybercrime underground kept growing.

    Researchers who monitored the cybercrime underground noted that the number of Trojans targeting information and credential theft significantly rose in 2010. This was not surprising, as we noted earlier that the number of new information-stealing malware families was on the rise.

    One development in 2010, however, was the complete failure of certain domain registrars to properly police their customers. This allowed certain top-level domains to be heavily abused and used to host hundreds of thousands of malicious domains. Because of this, blocking a single domain name has been of limited value, as the domains became essentially disposable for the criminals using them.

    While, in theory, these registrars are “legitimate,” their lax policies allow widespread abuse of their services by cybercriminals. To illustrate the scale of the problem, one of these registrars claimed on its front page that it had more than 7.5 million domains, very few of which are actually legitimate.
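    The two posts above make opposite points about block granularity: on a shared cloud host (the AWS case), blocking the whole hostname would over-block every legitimate tenant, so the specific URL has to be blocked; under a lax registrar, hostnames are disposable, so a per-hostname block misses the next one and the registered domain (or the whole abused zone) has to be blocked instead. The following Python is an added illustration of that trade-off, not code from Trend Micro or from these posts; every hostname, path and zone in it is constructed sample data, and the two-label `registered_domain` helper is a deliberate simplification (real code would consult the Public Suffix List).

```python
"""Blocklist matching at three granularities: exact URL, registered domain, zone.

All hostnames, paths and zones below are constructed sample data, not
real indicators. A real deployment would load its policy from threat
intelligence feeds rather than from literals.
"""
from urllib.parse import urlsplit

# Constructed sample policy.
SHARED_HOSTS = {"shared-host.example"}          # one hostname, many unrelated tenants
URL_BLOCKLIST = {"http://shared-host.example/bucket-a/update.exe"}  # exact URLs
DOMAIN_BLOCKLIST = {"disposable.example"}        # registered domains blocked wholesale
ZONE_BLOCKLIST = {"abused-zone.example"}         # entire zones blocked wholesale


def registered_domain(host: str) -> str:
    """Toy registered-domain extraction: the last two labels.

    Simplification (assumption): real code must use the Public Suffix
    List, since e.g. 'co.uk' is a suffix, not a registered domain.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> tuple:
    """Return (verdict, reason) using the granularity appropriate to the host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in SHARED_HOSTS:
        # Shared host: block only the listed path so other tenants keep working.
        normalized = f"{parts.scheme}://{host}{parts.path}"
        if normalized in URL_BLOCKLIST:
            return ("block", "listed URL on shared host")
        return ("allow", "shared host, path not listed")
    for zone in ZONE_BLOCKLIST:
        if host == zone or host.endswith("." + zone):
            return ("block", "host under blocked zone")
    if registered_domain(host) in DOMAIN_BLOCKLIST:
        # Any subdomain of a blocked registered domain is caught, so rotating
        # the leftmost label buys the operator nothing.
        return ("block", "registered domain blocked")
    return ("allow", "no match")


def naive_classify(url: str, hostname_blocklist: set) -> str:
    """Per-hostname exact match: the granularity that disposable domains defeat."""
    host = (urlsplit(url).hostname or "").lower()
    return "block" if host in hostname_blocklist else "allow"


# Constructed sample traffic.
SAMPLE_URLS = [
    "http://shared-host.example/bucket-a/update.exe",   # the listed object
    "http://shared-host.example/bucket-b/report.pdf",   # an unrelated tenant
    "http://a1.disposable.example/login",               # hostname analysts have seen
    "http://a2.disposable.example/login",               # next disposable hostname
    "http://anything.abused-zone.example/x",            # anything under an abused zone
    "http://www.legit.example/index.html",              # ordinary site
]


def compare(urls, seen_hostnames):
    """Return (url, naive verdict, granular verdict) for side-by-side review."""
    return [(u, naive_classify(u, seen_hostnames), classify(u)[0]) for u in urls]


if __name__ == "__main__":
    seen = {"a1.disposable.example"}  # the one hostname seen so far
    print("naive  granular  url")
    for url, naive, granular in compare(SAMPLE_URLS, seen):
        print(f"{naive:<6} {granular:<9} {url}")
```

    Running it shows the naive per-hostname list allowing `a2.disposable.example` while the registered-domain rule blocks it, and shows the shared-host rule blocking only the listed object while the neighbouring tenant's path is left alone.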

    On a more positive note, there were some high-profile arrests and takedowns of cybercrime networks in 2010. In March, the Spanish authorities arrested the ringleaders of what was called the Mariposa botnet, which stole information from approximately 12.7 million users around the world. An even bigger operation codenamed Trident Breach led to arrests in the United States, Britain, and the Ukraine of more than 50 individuals involved in a ZeuS gang that targeted small and medium-sized businesses (SMBs). In late October, Armenian and Dutch law enforcement agencies worked together to arrest a 27-year-old man who was behind the Bredolab botnet.

    Those arrests were noteworthy in large part because they netted the actual ringleaders of the gangs involved, not just low-ranking money mules. More than arresting mules or shutting down servers, arresting the criminals behind these attacks was necessary to stop these activities.

    The futility of takedowns was seen when Pushdo/Cutwail was taken down earlier this year. Within days, it was back in business. Similarly, security researchers were able to take down the Waledac botnet in March but, as we noted at the time, the spam levels remained unchanged.

    The lesson is that shutting down a botnet by purely technical means doesn’t do anything in the long term; arresting the people responsible is key to fixing the cybercrime threat.

    Trend Micro partners with many law enforcement agencies around the world. Together with these partners, we continuously work to help bring those responsible for today’s online threats to a court of law. We expect these partnerships to be busier than ever in the upcoming year.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice