    Author Archive - Spencer Hsieh (Threat Researcher)

    The newly discovered Wirelurker malware affecting both OS X and iOS devices has been covered extensively in the media. While this is a significant incident, some of the coverage appears to have been exaggerated, and might lead users to unnecessary panic. Several points would be useful in helping calm down the worst fears of users and distilling what we need to learn from all this.

    First of all, Wirelurker is currently not an active threat. Known variants have already been blocked by OS X, and the command-and-control servers are offline as well. This significantly reduces the threat that this malware poses to users. The stolen certificate that enabled this attack has also been revoked by Apple, mitigating the most novel aspect of this threat (pushing apps onto non-jailbroken devices).

    Secondly, no new vulnerability was used to spread Wirelurker. It arrived on OS X machines via Trojanized (and pirated) apps; pirated apps have been a favored vector to spread malware for many years. We detect these malicious apps as OSX_WIRELURK.A.

    Similarly, the mechanism used to transfer the malware onto iOS devices relied on features that are part of Apple’s mobile platform. For example, enterprise provisioning is used in enterprise environments to install custom apps onto the organization’s iOS devices. The problem here was that an organization (apparently a Chinese mobile app developer) lost control of its signing certificate, which allowed malicious apps to be signed and therefore trusted.

    Thirdly, Wirelurker did succeed in installing apps on non-jailbroken devices. However, we haven’t discovered any malicious behavior on the part of these apps. The apps that contain the malicious backdoor could only be installed onto jailbroken devices. In addition, iOS shows a pop-up and asks for the user’s permission before installing an app via enterprise provisioning. On non-jailbroken devices, these apps also run within their own sandbox, so they need permission to access contacts, location information, and other sensitive information.

    We cannot rule out that this was just a test of attacks via enterprise provisioning, and that the attacker may add malicious code in the future. However, such code is not yet present in the apps delivered to non-jailbroken devices. (We detect the malicious apps installed onto jailbroken devices as IOS_WIRELURKER.A.)

    Wirelurker does not push malware onto affected, non-jailbroken devices, only unwanted apps. It becomes a question of controlling unwanted (but not malicious) apps – essentially an annoyance, but not a significant risk. However, jailbroken phones will be infected by malicious apps.

    Fourth, enterprise provisioning is a known attack vector against mobile devices, and has been for some time. For example, earlier this year at VB there was a demonstration of how a stealth backdoor could be installed onto an iOS device using enterprise provisioning. If Apple is not able to properly lock this aspect of iOS device management down, this could pose a problem in the long run.

    What Wirelurker demonstrates is that Macs and iOS devices can become victims of online threats just as Windows and Android devices are if users engage in unsecure behavior. Software piracy has been risky practically from day 1. Pirated apps aimed at users with jailbroken devices may also become a popular infection vector. The same can be said for iOS apps as well. No computing platform is “secure” if its users behave insecurely.

    We also note that while these attacks initially hit OS X users, we have also seen Windows-based malware that performs similar attacks. We detect this as TROJ_WIRELURK.A.

    Posted in Malware, Mobile | Comments Off on Staying Safe from Wirelurker: the Combined Mac/iOS Threat

    In our efforts around addressing targeted attacks, we often work with IT administrators from different companies in dealing with threats against their network. During these collaborations, we’ve recognized certain misconceptions that IT administrators — or perhaps enterprises in general — have in terms of targeted attacks. I will cover some of them in this entry, and hope that it will enlighten IT administrators on how they should strategize against targeted attacks, also known as APTs.

    A targeted attack is a one-time effort

    Some IT administrators tend to think that targeted attacks are a one-time effort — that being able to detect and stop one run means the end of the attack itself. The truth, however, is that targeted attacks are also known as APTs because the term describes the attack well: advanced and persistent. The attacks are often well-planned and dynamic enough to adapt to changes within the target network. Being able to trace and block one attempt does not mean the elimination of the threat. If anything, it can mean that there are several other attempts not being detected, which raises the need for constant monitoring.

    There is a one-size-fits-all solution against targeted attacks

    The demand for a complete and effective solution against targeted attacks is quite high, but such a solution simply cannot exist considering the nature of targeted attacks. Attackers spend much time during reconnaissance to understand the target company — its IT environment, and its security defenses — and IT admins need to adopt this mentality in terms of their security strategy. All networks are different, and this means that each one will need to be configured differently. IT admins need to fully understand the network and implement the necessary defense measures to fit their environment.

    Your company is not important enough to be attacked

    Another big assumption that companies have when it comes to targeted attacks is that they are unlikely to be a target because they do not have important data in their systems. Unfortunately, the importance of certain data may be relative to the intention of whoever is trying to get hold of it. For example, an HR staff member in a company may not find much importance in records of the employment history of past applicants, but an attacker might find use for them as a reference for social engineering. As Raimund said in one of his videos earlier this year, enterprises need to identify their core data and protect it sufficiently.

    Targeted attacks always involve zero-day vulnerabilities

    It goes without saying that zero-day vulnerabilities pose a great risk to enterprises, and users in general. However, based on analysis of targeted attacks seen in the past, older vulnerabilities are used more frequently. In our Targeted Attack Trends report from the second half of 2013, the most exploited vulnerability was not only one that was discovered in 2012, but was also patched in the same year. This trend raises the importance of applying security updates to all systems within a network — a missed update for one system may be all it takes to compromise an entire network.

    Targeted attacks are a malware problem

    The last misconception I’ll discuss is quite tricky because it is partly true. IT admins are mostly concerned about having a solution that will prevent malware from getting into their network. Although it is a valid concern, focusing on malware will only solve part of the problem. Targeted attacks involve not only the endpoints, but the entire IT environment. For example, many tools involved in lateral movement are legitimate administration tools. If the solution is focused only on detecting malware, it will not be able to detect the malicious activity. IT admins need to consider solutions that cover all aspects of the network.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.


    Last month, security researchers released a report about a targeted attack operation which they named Careto, or Mask in Spanish. The attack was noted for encoding its configuration data and encrypting its network traffic, making analysis more difficult.

    However, the capabilities of the Mac malware used in Careto were not as sophisticated as those of its Windows counterpart. (We detect this as OSX_CARETO.A.) It connects to a hardcoded command-and-control (C&C) server and runs /bin/sh to open a shell, which can then run commands sent from the C&C server. This particular backdoor is only approximately 88 kilobytes in size, which is not particularly large (especially since it contains both 32- and 64-bit code). However, analysis of this malware is still not easy, due to the mentioned encoding and encryption. In this blog post, we look into the details of this encoding and encryption.

    Figure 1. File structure of OSX_CARETO.A


    Posted in Malware | 1 TrackBack »

    In targeted attacks, during the lateral movement stage attackers try to gain access to other computers on the same local area network (LAN). One useful tool to achieve this is ARP spoofing, which can be used to carry out a variety of attacks to steal information as well as plant backdoors on other machines. We recently came across a tool that automates ARP attacks, and uses these kinds of attacks to inject IFRAMEs into websites, deliver fake software updates, and disrupt SSL connections.

    ARP Spoofing

    Hacking tools that automate ARP attacks are fairly common, so we will not delve too deep into all aspects. The tool can scan for live hosts on the LAN, which are then saved in an encrypted file. These IP addresses can then become the targets of ARP spoofing attacks.

    For starters, this tool can be used to intercept network traffic and extract login credentials of network services. This particular tool that we saw, which we detect as HKTL_ARPSPOOF, supports a variety of protocols. It has the ability to steal credentials from a wide variety of protocols, such as FTP, HTTP, IMAP, NetBIOS, POP3, SMB, and SMTP.

    For these protocols, the tool scans the network traffic to extract user names and passwords. These are then saved in an encrypted file, which the attacker can upload at their discretion. Because users frequently use the same password across different accounts, these credentials might be used across a wide variety of services, not just the ones they were captured from.

    In addition to this, this tool is also capable of carrying out man-in-the-middle attacks against TLS/SSL traffic. If users are not wary and ignore warnings about invalid certificates, any credentials sent to sites that use TLS/SSL, instead of being “secure”, can be captured and used by an attacker. Many high-profile sites already force the usage of TLS/SSL when users attempt to log into their services.

    IFRAME Injection

    This malware can also inject IFRAMEs into sites the user visits. It monitors the system’s HTTP traffic and injects an invisible IFRAME whenever possible. The results – as gathered in our testing – can be seen below.

    Figure 1. Injected IFRAME

    In this case, a (non-malicious) IFRAME was injected into the default web site of the HTTP server. An attacker could use this “feature” to send users to a malicious URL, where they can host a page with malicious code to exploit various vulnerabilities on the user’s system.

    Fake Update Package

    We constantly warn users to always ensure their software is up to date to help protect themselves. However, this tool exploits that to push malware to other users. This tool is also capable of using ARP spoofing to trick the system into thinking that an update for Windows Media Encoder 9 is being offered to the user; however this file is actually malicious.

    Figure 2. Fake update code

    Possible Target

    One function of this tool offers a potential clue as to the identity of the persons responsible for it. A portion of the code is specifically targeted at users of the Central Tibetan Administration, which relies on Google Apps to provide email for its users.

    Figure 3. Code for specific target


    The capabilities of this tool highlight the effectiveness of ARP spoofing for stealing information, particularly login credentials. These can be very useful in conducting lateral movement.

    IT administrators should consider retiring old, unencrypted protocols in favor of newer, encrypted ones, as these resist attack better than their predecessors. However, user training should also emphasize the importance of listening to alerts about invalid certificates, as these can indicate serious security problems.
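    The tool described above works by poisoning the IP-to-MAC bindings of LAN hosts, and that leaves two symptoms a passive monitor on the LAN can watch for. The following is an added example, not code from the original post or from the tool it analyzes; the ARP replies are constructed sample data, not a real capture.

```python
# Added example (not code from the original TrendLabs post): flag the two
# classic symptoms of ARP spoofing in a stream of observed ARP replies.
from collections import defaultdict

# Constructed sample of ARP replies seen on the wire: (sender_ip, sender_mac).
# 192.168.1.1 is the gateway with real MAC ...:01. Midway, the host whose card
# is ...:99 starts answering for the gateway and for workstation .10.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.99", "aa:bb:cc:00:00:99"),
    ("192.168.1.1", "aa:bb:cc:00:00:99"),   # gateway now claimed by .99's MAC
    ("192.168.1.10", "aa:bb:cc:00:00:99"),  # .10 also claimed by .99's MAC
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
]


def detect_arp_spoofing(replies):
    """Return alert strings for:
    1. an IP whose MAC binding changes (that host's traffic may be redirected),
    2. a MAC that answers for more than one IP (the spoofing host's own card).
    Legitimate DHCP churn can also trigger (1), so confirm against the DHCP
    lease table before acting on an alert.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"MAC for {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

    On a real network the same checks run over ARP replies captured from a mirror port; static ARP entries for the gateway on critical hosts close off symptom (1) entirely.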

    Posted in Malware, Targeted Attacks | Comments Off on ARP Spoofing and Lateral Movement

    A later stage of advanced persistent threat (APT) attacks is the “lateral movement” stage, where attackers typically use legitimate computer features to move within the network undetected. This takes place after the initial breach and the establishment of command-and-control links back to the attacker. We earlier discussed the steps in an APT attack in the infographic, Connecting the APT Dots.

    As shown below, the impact attackers can have on networks grows larger as APTs go deeper. Upon reaching the lateral stage, attackers are now virtually undetected by traditional security methods. This allows them to gain even more access privileges and move on to the next APT attack stages.

    Figure 1. Graph of APT Stage vs. Impact to Network

    Lateral Movement Tactics

    The lateral movement stage of APT attacks can be further divided into three major steps: reconnaissance, credentials stealing, and computer intrusions.

    The first step allows attackers to collect vital intelligence for their next attacks by using built-in OS tools and other popular utilities. These tools may include the netstat command for connection information and port scanning for open ports.

    Once well-informed, APTs will then steal legitimate credentials to establish control. Attackers can do this in various ways, such as spoofing ARP packets, using keyloggers, pass-the-hash attacks, or hooking login authentication processes.

    After acquiring legitimate credentials, attackers will target other computers to move closer to their real target. They are more likely to use remote access or administration tools that leave few traces to accomplish this.

    What Enterprises Can Do

    The use of legitimate computer features can defeat basic perimeter-based and blacklisting security methods. However, there are many measures enterprises can still use to fortify their security, including the use of application control, security information and event management (SIEM), and adopting a custom defense solution.

    Enterprises need to establish solid threat intelligence from internal knowledge of their network and other external indicators. Threat intelligence partnered with the use of custom defense technology will empower IT personnel in detecting anomalous use of legitimate computer features; thus, securing their networks from APT-related activities.

    Find out more about these tools and measures as highlighted in the infographic The Danger of Compromise.

    You can also read more about the steps APTs take during the lateral movement stage in the Security in Context paper, How Do Threat Actors Move Deeper into Your Network.
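    The post's point is that none of the tools used in lateral movement is malicious on its own, so detection has to key on the sequence: built-in reconnaissance followed shortly by a remote administration tool on the same host. The following is an added example of that correlation, not code from the original post; the process log is a constructed, simplified feed (time, host, user, command line), not a real SIEM format, and the tool lists are assumptions for illustration.

```python
# Added example (not code from the original TrendLabs post): correlate
# reconnaissance tools with a remote admin tool on the same host.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation feed: time,host,user,command line.
SAMPLE_PROCESS_LOG = """\
2015-08-03T09:00:01,WS-12,alice,outlook.exe
2015-08-03T09:02:10,WS-12,alice,netstat.exe -an
2015-08-03T09:02:35,WS-12,alice,net.exe view /domain
2015-08-03T09:03:40,WS-12,alice,psexec.exe \\\\WS-40 cmd.exe
2015-08-03T10:15:00,WS-07,bob,netstat.exe -an
2015-08-03T16:40:00,WS-07,bob,mstsc.exe /v:FS-01
2015-08-03T11:00:00,ADMIN-01,svc_ops,psexec.exe \\\\WS-40 cmd.exe
"""

# Legitimate tools (assumed lists); on their own none is suspicious.
RECON_TOOLS = {"netstat.exe", "net.exe", "nbtstat.exe", "ipconfig.exe"}
REMOTE_TOOLS = {"psexec.exe", "mstsc.exe", "wmic.exe", "winrs.exe"}
WINDOW = timedelta(minutes=30)


def parse_log(text):
    """Parse the constructed feed into sorted (time, host, user, image) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, user, cmd = line.split(",", 3)
        image = cmd.split()[0].lower()
        events.append((datetime.fromisoformat(ts), host, user, image))
    return sorted(events)


def find_lateral_movement(text, window=WINDOW):
    """Return {host: [evidence...]} for hosts where a remote admin tool runs
    within `window` of a reconnaissance tool on the same host. Reconnaissance
    alone is routine admin work, and a remote tool alone (ADMIN-01 above) is
    too; the pairing in a short window is the anomaly worth alerting on."""
    last_recon = {}
    hits = defaultdict(list)
    for ts, host, user, image in parse_log(text):
        if image in RECON_TOOLS:
            last_recon[host] = ts
        elif image in REMOTE_TOOLS:
            seen = last_recon.get(host)
            if seen is not None and ts - seen <= window:
                hits[host].append(f"{ts.isoformat()} {user} {image}")
    return dict(hits)
```

    Only WS-12 is flagged: WS-07 runs the same tools hours apart, and ADMIN-01 runs the remote tool without prior reconnaissance.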

    Posted in Targeted Attacks | Comments Off on Building Threat Intelligence to Detect APTs in Lateral Movement


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice