Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Ryan Certeza (Technical Communications)

    Five years ago, Conficker/DOWNAD was first seen and quickly became notorious due to how quickly it spread and how much damage it caused.

    Remarkably, after all that time, it’s still alive. It can still pose a serious problem, as it can propagate to other systems on the same network as an infected machine – a factor that may explain its high rate of infection to this day.

    Based on feedback from the Smart Protection Network, DOWNAD has been a leading threat for years. It has been the most prolific threat – as measured by the number of infections seen in the wild – since 2011. It has beat out a wide variety of threats – from crack key generators to ZeroAccess – for this dubious distinction.

    It also popularized the use of domain generation algorithms. This technique generates multiple (hundreds, in the case of DOWNAD) domains on a daily basis. It uses these domains to connect to its command-and-control servers. The sheer number of generated domains makes blocking this C&C much more difficult. Since then, it has been adopted by other malware families as well.

    In order to propagate across networks, it used a zero-day vulnerability, which was later designated by Microsoft as MS08-67.  Despite the availability of a patch, many users remain vulnerable due to negligent patching practices as well as piracy. Pirated versions of Microsoft Windows, are often unable to download and install security patches.

    In the long-term, as Windows XP machines are retired due to its end of extended support period next year, DOWNAD is destined to recede into the background. However, some systems may still be at risk. The simplest solution is simple: ensure that the software you ran – particularly your operating system – has the latest security updates. You should also check out our tips on how to see if your system is in fact infected.

    We have prepared a full malware profile which describes the capabilities, the spread, and the risks of DOWNAD/Conficker.


    Patch-Tuesday_grayIt’s Patch Tuesday again, and Microsoft has served up eight bulletins this month, three of them rated Critical. One of the three critical bulletins – MS13-090 – deserves special mention, as it fixes a zero-day vulnerability (CVE-2013-3918) found just last week in an Internet Explorer ActiveX control. Separately, IE itself fixed ten vulnerabilities as part of MS13-088.

    It’s worth noting that another recent TIFF-related zero-day that we discussed has not been patched as part of this month’s update, so the recommendations and work-arounds that were suggested at that time remain in effect.

    We strongly urge all users to apply these updates as soon as possible. Trend Micro users may also use the following Deep Security rules to protect themselves from threats exploiting these patched vulnerabilities.

    • 1005705 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3871)
    • 1005784 Internet Explorer Information Disclosure Vulnerability (CVE-2013-3908)
    • 1005778 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3910)
    • 1005781 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3911)
    • 1005782 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3912)
    • 1005774 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3914)
    • 1005775 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3915)
    • 1005777 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3916)
    • 1005773 Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3917)
    • 1005783 Microsoft Windows Graphics Device Interface Integer Overflow Vulnerability (CVE-2013-3940)
    • 1005779 Microsoft Internet Explorer ActiveX Control Code Execution Vulnerability (CVE-2013-3918)
    • 1005785 Restrict Information Card Signin Helper ActiveX Control
    Posted in Vulnerabilities | Comments Off

    Social networking websites have actively been used in different malicious campaigns by cybercriminals in the past –  most of which incorporate techniques such as phishing and spam.  One of these campaigns are the Blackhole Exploit Kit (BHEK) spam campaign, which has been plaguing Internet users for quite a while. BHEK spam campaigns are known to use popular brand names and websites to lure users.

    It’s no surprise, then, that we are now seeing a BHEK spam campaign targeting social networking website Pinterest and its users. Prior to this campaign, the website has also been the target of other threats, such as survey scams and spammed mails that lead to malicious websites.

    We received a sample of the messages being spammed, and upon analysis, discovered how its infection chain goes. Here is the entire infection chain, as follows:

    • The user receives the spammed mail in his inbox. It is tailored to resemble a legitimate mail from Pinterest, and notifies the user about a successful password change. It also presents a link that would allow him to see his new password.
    • Should the user click on the link, he is put through a series of website redirects. This redirection is detected as HTML_IFRAME.USR.
    • HTML_IFRAME.USR then downloads another malware onto the system, TROJ_PIDIEF.USR, which in turn drops BKDR_KRIDEX.KA. This final payload, being backdoor malware, has the ability to perform commands from a remote malicious user, and therefore can compromise a system’s security.

    While there is nothing new in this routine, users are still advised to always perform account-related changes only the websites they subscribe to. We also point towards the usage of CRIDEX as a final payload – a malware family that we’ve written about as one of the two families used in BHEK attacks. Like ZBOT, CRIDEX is used mainly to steal online banking information.

    To further protect themselves from these sort of threats, users should ensure that all software in their systems are updated and patched (namely Java, Adobe Acrobat, Adobe Reader, and Flash). This is because BHEK operates by exploiting vulnerabilities in popular software, and having those software plus their browser of choice updated can help prevent users from becoming victims. Avoiding links presented in suspicious mails and verifying the mail’s content first by contacting the supposed sender through other means (phone call, visitation) can also go a long way.

    The security solutions provided by Trend Micro™  protects users from all the elements of this threat.

    With additional analysis from Threat Response Engineers Alvin Bacani and Anti-Spam Research Engineer Mark Aquino.

    Posted in Bad Sites, Exploits, Malware, Social, Spam | Comments Off

    One of the biggest issues of the Android OS is its fragmentation problem. We’ve covered this before – about how almost all Android updates have to pass through both device manufacturers and service providers before getting to end users. Unfortunately, this process is not quick or assured, which results in fragmentation: multiple versions of Android are present and in use.

    This results in a many users being stuck with an outdated version of Android that may be riddled with vulnerabilities and security flaws. As of May 1, only 2.3% of Android devices in use are actually on the latest version, with more than a third still using Gingerbread – a version last updated in September 2011, and known to have 3-11 vulnerabilities, with the exact number depending on the specific version.

    Leaving users on older versions of Android has two consequences: vulnerabilities are left unpatched, and new features won’t reach them. At this year’s Google I/O developer conference, Google announced plans to fix at least part of this problem: instead of rolling out a new version, they instead announced updates to core apps. This allows them to add new features to Android, while at the same time not needing to push a completely new version out to users. It does not solve all potential problems due to fragmentation, but it’s a step in the right direction.

    Out latest monthly mobile report looks at this issue in full. It discusses the root of the problem itself, why it’s become a long-standing complaint, and how it may be a problem that may take Google a very long time to straighten out. Find out what you can do to help secure yourself and your device better if you are affected by this problem.  We also have our infographic for an illustrated glance at the issue.

    Posted in Mobile | Comments Off

    Recent incidents highlight how frequently – and creatively – cybercriminals try to steal data. From “homemade browsers” to million-user data breaches, to the daily theft carried out every day by infostealers and phishing attacks, every day.

    All this stolen information ends up for sale in the underground to the highest bidder. From there, it can be used in many uniformly illegal ways - from identity theft, to credit card fraud, to launching attacks on other users. They can also be used to buy either expensive goods (which are then shipped to the cybercriminals), or pay for “bulletproof” web hosting that is frequently used for malicious sites. These may not cost that much individually, but the losses to users can be significant.

    It’s not just the fruits of cybercrime that are bought and sold in the underground – so are the tools, like exploit kits, vulnerabilities, and malware toolkits as well. Price tags here can reach the thousands of dollars, particularly for more advanced and sophisticated tools.

    There is so much money in the underground that it has become organized and systematic, much like real-world businesses. While the specifics of how the underground has organized itself varies from region to region, the mere fact that it has organized itself is noteworthy – both to allow for more information and tools to be sold, as well as reducing the risks of getting caught.

    Our new infographic – The Cybercriminal Underground: How Cybercriminals Are Getting Better At Stealing Your Money – explores what items are being sold and bought in the cybercrime underground, how the underground is organized, and how users are directly affected. It’s an excellent way to understand what users are up against in securing their information online. It may be viewed by clicking oh the thumbail below:

    To view all infographics from TrendLabs, visit

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice