
    Author Archive - Trend Micro

    Companies risk losing all their customers if they continue neglecting their app store presence. While malicious mobile apps do bring serious security concerns to the fore (70% of top free apps have fake and mostly malicious versions in app stores), companies and developers also face another challenge in the form of copycats.

    For a company that needs to maintain an official mobile app on Google Play, fake or impostor apps can mean trouble for both their credibility and revenue. For users, the impact is similar, although on a more personal level. If users get fooled into downloading these apps, it can eventually lead to information theft, reputation damage, and overall dissatisfaction with the company’s brand and service.

    Companies that maintain official apps in app stores like Google Play have a big role to play in minimizing the risk of their users installing fake apps. By properly establishing their identity and their apps, they can greatly help their users sort out the real apps from the fake ones. Ideally, for example, all apps are released under one developer, as is the case for the various Trend Micro apps:

    Figure 1. Trend Micro apps on Google Play

    However, we have noticed that some organizations are not able to do this. Instead, multiple developers all publish various versions of official apps.

    Figure 2. Various banking apps with different developer names

    Why is this the case? Android requires that all apps be signed (even with a self-signed certificate). Large organizations will, of course, have different teams responsible for developing different apps. Different private keys may be used to sign the apps each team creates, even if the apps are consolidated under one account. Furthermore, different accounts may be used to upload the apps, even if they are all related to the same company.

    The practice can cause confusion among users (as seen in Figure 2), where it is not clear which is the official account. Even if the apps are consolidated under one account, outside of the Google Play store there is no way to tell whether these apps are legitimate, since the signing certificate is what identifies the author. In third-party stores, this makes it unclear whether an app is legitimate.

    For developers, the main impact here is that their customers might not be able to properly identify their app, so they may lose part of their potential install base. For users, however, this can turn into a big risk, since it makes it harder to spot the “legitimate” versions of the app (e.g., the developer name used might not make it clear who published the app). In addition, if the user checks what other apps were published by a specific developer, there may be no other apps to be found. In and of themselves, these traits are not necessarily bad; however, malicious apps can share them as well.

    How do we know who is faking it?

    Companies need to ensure that they properly identify themselves as the credible source for their apps. It is not extraordinarily difficult for organizations to adopt proper key management so that every app they release is signed by one key; many large companies do exactly this, and the IT department of a large organization should be capable of arranging it correctly. Ideally, all official apps should be signed by one certificate, tied to one developer account.

    For consumers, this has one benefit: all apps from an organization would show up as coming from one developer in Google Play as well as in third-party app stores. With official apps properly identified, users can more easily identify fake apps and avoid inadvertently downloading them. This protects them from various problems such as information theft.
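    The "certificate identifies the author" point above can be checked mechanically. The following is an added example, not Trend Micro's code: it parses the text printed by the Android SDK tool `apksigner verify --print-certs <apk>` and compares the reported SHA-256 digest of the signer certificate against fingerprints an organization would publish for its single official signing key. The two tool outputs and the pinned digest are constructed placeholders; the organization name `example-org` is an assumption.

```python
"""Pin an organization's official signing certificate and check an APK against it.

Added example, not Trend Micro's code. It parses the per-signer lines that
`apksigner verify --print-certs <apk>` prints and compares the SHA-256 digest
of the signer certificate with fingerprints the organization pinned for its
one official key. Tool outputs and digests below are constructed.
"""
import re

# Constructed: the fingerprint(s) an organization would publish for its release key.
OFFICIAL_DIGEST = "11" * 32                      # placeholder, not a real certificate
PINNED_SHA256 = {"example-org": {OFFICIAL_DIGEST}}  # org name is an assumption

LINE_RE = re.compile(
    r"^Signer #(?P<idx>\d+) certificate "
    r"(?P<field>DN|SHA-256 digest|SHA-1 digest|MD5 digest): (?P<value>.+)$"
)


def parse_print_certs(text):
    """Group apksigner's per-signer lines into {signer_index: {field: value}}."""
    signers = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        field, value = m.group("field"), m.group("value").strip()
        if field != "DN":
            value = value.lower()  # hex digests compare case-insensitively
        signers.setdefault(int(m.group("idx")), {})[field] = value
    return signers


def verdict(apksigner_output, org):
    """'official' only if every signer's certificate is one the org pinned."""
    signers = parse_print_certs(apksigner_output)
    if not signers:
        return "no-signer-found"
    pinned = PINNED_SHA256.get(org, set())
    digests = [s.get("SHA-256 digest") for s in signers.values()]
    return "official" if all(d in pinned for d in digests) else "not-official"


# Constructed outputs: both carry the same developer name in the DN, so the
# name alone cannot distinguish them; only the key fingerprint does.
OFFICIAL = (
    "Signer #1 certificate DN: CN=Example Org, O=Example Org, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {OFFICIAL_DIGEST}\n"
    f"Signer #1 certificate SHA-1 digest: {'22' * 20}\n"
    f"Signer #1 certificate MD5 digest: {'33' * 16}\n"
)
IMPOSTOR = (
    "Signer #1 certificate DN: CN=Example Org, O=Example Org, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {'aa' * 32}\n"
    f"Signer #1 certificate SHA-1 digest: {'bb' * 20}\n"
    f"Signer #1 certificate MD5 digest: {'cc' * 16}\n"
)

if __name__ == "__main__":
    print("official build:", verdict(OFFICIAL, "example-org"))
    print("same DN, other key:", verdict(IMPOSTOR, "example-org"))
```

    In practice the input would be the captured output of `apksigner verify --print-certs` on the downloaded APK. The DN is whatever the signer typed into the certificate and is trivially copied; the digest is bound to the private key, which is why a single published fingerprint per organization is the identity worth checking.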

    For now, we strongly advise users to be careful in choosing which app to download. Checking all details related to the app — developer name, rating, reviews — can help identify fake apps. Additionally, installing a security app such as the Trend Micro Mobile Security and Antivirus can detect fake apps and prevent them from getting installed.

    Posted in Mobile | 9:22 pm (UTC-7)

    Analysis by Marshall Chen, Yi Lee, and Joe Wu

    Brand owners frequently use SPF and DKIM to protect their brands from email forgery. For example, a brand owner could register the same domain name under multiple top-level domains (TLDs) (such as, etcetera) and announce SPF/DKIM records for all of these domains (even if they were not actively being used). While generally effective, there is one loophole: what about the .gov TLD?

    This loophole was recently exploited in a massive phishing attack against American Express, which started on March 4. The attackers sent out emails that imitated American Express notifications, which contained a link to a phishing site. We identified more than 50 distinct phishing sites used in this spam run. These were hosted on various compromised domains, and all had the format of hxxp://{compromised website}/amerrricaneaxpress/security.html.

    Figure 1. Phishing email (address and phishing URL highlighted)

    So far, this has been a fairly ordinary attack. What we found unusual was one of the supposed email addresses used by the attacker. Three addresses were frequently used in this attack:


    The first two domain names ( and are both registered by American Express, and have SPF/DKIM records published. Emails with these addresses would fail SPF verification, as their IP address would be inconsistent with the authentic ones in the SPF record.

    In the third case, however, no SPF records would be published at all. Only US government bodies can register .gov domains. An SPF verification attempt would return none instead of fail, as there is no SPF record to authenticate at all (the domain is not even registered). Therefore, an email system checking for SPF records would not rule this message to be spam on those grounds alone. This may increase the risk that users would receive these spammed messages.
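    The difference between an SPF result of none and fail, and what a receiver can still do with none, is shown by the following added example (not part of the original post). It implements a deliberately small subset of SPF (the ip4 and ip6 mechanisms plus the qualifier on all) against a constructed in-memory DNS table instead of live lookups, then applies a receiver-side policy that refuses to treat none from a look-alike of a protected brand as acceptable. The domain names, addresses and records are constructed placeholders, not those from the attack.

```python
"""Why a missing SPF record yields 'none', not 'fail', and how a receiver can act on it.

Added example, not from the original post. Implements a small subset of SPF
(RFC 7208): ip4/ip6 mechanisms and the qualifier on 'all', evaluated against a
constructed in-memory DNS table. Names and addresses are placeholders.
"""
import ipaddress

# Constructed TXT records: the brand published SPF for the names it registered;
# the look-alike under another TLD was never registered, so a lookup finds nothing.
DNS_TXT = {
    "brand-example.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "brand-example.net": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"],
    "brand-example.org": ["some unrelated txt record"],   # TXT exists, but no SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the single v=spf1 record for domain, or None if there is none."""
    records = [r for r in DNS_TXT.get(domain.lower(), [])
               if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain):
    """SPF result for a message claiming `domain` and sent from `ip`."""
    record = lookup_spf(domain)
    if record is None:
        return "none"  # nothing published: the receiver can say neither pass nor fail
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists/redirect are out of scope for this example
    return "neutral"  # no term matched and there was no 'all'


def receiver_policy(ip, from_domain, protected_labels):
    """Map the SPF result to an action; 'none' from a brand look-alike is not trusted."""
    result = check_host(ip, from_domain)
    label = from_domain.lower().split(".")[0]  # e.g. 'brand-example' from 'brand-example.gov'
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "quarantine"
    if result == "none" and label in protected_labels:
        return "quarantine"  # looks like a protected brand, yet nothing can be verified
    return "accept-unauthenticated"


if __name__ == "__main__":
    for dom in ("brand-example.com", "brand-example.net", "brand-example.gov"):
        print(dom, check_host("198.51.100.9", dom),
              receiver_policy("198.51.100.9", dom, {"brand-example"}))
```

    The policy step is the part the post argues for: an SPF check by itself lets the unregistered name through with none, so the receiver has to add its own knowledge of which labels belong to protected brands (or deploy DMARC on the brand side, which the post does not cover) before none can be turned into a quarantine decision.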

    Our own sources identified more than 430,000 phishing mails sent from more than 4,600 IP addresses as part of this spam run. These IP addresses were located in more than 120 countries. This spam run took place from March 4 to March 11, with most of the senders located in the United States.

    Figure 2. Distribution of spam-sending IPs by country


    Posted in Spam | TrackBacks (2) | 12:00 am (UTC-7)

    Ransomware Series

    Analysis by Jaaziel Carlos, Jonh Chua, and Rodwin Fuentes

    Ransomware has become one of the biggest problems for end users as of late. In the past months alone, we have reported on several variants of both ransomware and crypto-ransomware, each with their own “unique” routines. We recently came across one malware family, detected as PE_VIRLOCK, that not only locks the computer screen but also infects files—a first for ransomware.

    Ransomware Routine

    VIRLOCK variants may arrive bundled with other malware in infected computers. We have even seen one VIRLOCK variant in the CARBANAK/ANUNAK targeted attack campaign.

    Figure 1. VIRLOCK infection diagram

    Once inside the computer, VIRLOCK creates and modifies registry entries to avoid detection and ensure execution. It then locks the screen of the affected computer, disabling explorer.exe and preventing the use of taskmgr.exe. Meanwhile, it also checks the location of the affected system to display the appropriate image for the ransom message.

    Figure 2. Sample ransom message



    Information about the overall threat landscape can be gathered from many sources. One useful method is by looking at the overall activity of command-and-control (C&C) servers, as used in botnets, targeted attacks, and in attacks against the broader Internet user base.

    We are able to combine various threat intelligence sources, including feedback from the Trend Micro™ Smart Protection Network™, to get a glimpse of C&C server activity (these are displayed in real time on the Global Botnet Map). Our findings below reflect the information we gathered throughout all of 2014. We are able to examine the location of C&C servers, the location of endpoints, and the malware families that use these servers.

    So what can we learn from these numbers, and can IT professionals help reduce this threat?

    Malware using more ways to ensure server communication

    We ranked malware families by the number of command-and-control servers tied to each specific family. For all C&C server activity, these were the most commonly seen families:

    1. CRILOCK
    2. RODECAP
    3. ZEUS
    4. FAKEAV

    For targeted attacks, these were the most commonly seen families:

    2. XTREME
    3. NJRAT
    5. START

    Some trends can be seen from these numbers:

    • Malware families that use domain generation algorithms (DGAs) like CRILOCK are well-represented in the lists, highlighting their popularity. Despite the differences in underlying behavior (crypto-ransomware versus information stealers), DGAs are popular because they make blocking of malicious domains more difficult with relatively little added effort on the part of attackers.
    • Compromised sites are also popular C&C servers. ZeuS/ZBOT and RODECAP are both known to use compromised sites for their C&C servers, and both families are known to use this particular tactic extensively.
    • Similarly, free web hosting providers and dynamic IP redirection services are commonly used by some malware families such as NJRAT and DarkComet.
    • Many remote access tools (RATs) that were initially used in targeted attacks have now been used in various cybercrime-related attacks as well. This highlights the increased availability of these RATs, as well as the low entry barrier to registering and setting up C&C domains.

    Taken together, these developments show how attackers are adopting more techniques to try and obfuscate the C&C servers under their control. This can make forensic analysis of these attacks much more difficult, making detection and attribution potentially problematic.


    Posted in Targeted Attacks | 9:28 pm (UTC-7)

    Analysis by Kenney Lu

    In recent years, we have seen a lot of reports about home routers being vulnerable to attacks. Our research as early as 2008 shows malware rigging routers to redirect users to different sites. Other attacks we have seen include backdoors and possible DNS rebinding attacks. In these scenarios, the intent and goal of the attacks are pretty straightforward.

    Snooping Around Your Network

    We recently came across one malware, detected as TROJ_VICEPASS.A, which pretends to be an Adobe Flash update. Once executed, it attempts to connect to the home router to search for connected devices. It then tries to log in to the devices to get information. Should it be successful, it sends the information to a command-and-control (C&C) server and deletes itself from the computer.

    Figure 1. Infection chain

    A Closer Look at its Routines

    Users may encounter this malware when visiting suspicious or malicious sites hosting a supposed Flash update. Users are encouraged to download this update and install it on their computers.

    Figure 2. Site hosting fake Adobe Flash update

    Figure 3. Fake Flash update

    Once the malware is executed, it attempts to connect to the router through its admin console, using a predefined list of user names and passwords. If successful, the malware will attempt to scan the network to look for connected devices.

    Figure 4. Scanning for connected devices

    The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11, which are addresses commonly assigned by home routers. The target range is hard-coded. The malware's internal log format shows this:

    Find router IP address – start

    Searching in –

    [0] connect to 192.168. 0.0

    URL: ‘’, METHOD: ‘1’, DEVICE: ‘Apple’

    …. (skip)

    Find router IP address – end

    We noticed that the malware checks for Apple devices such as iPhones and iPads, even though those devices do not expose an HTTP administration panel. However, it should be noted that the strings focus more on routers. We found that the malware uses the following strings in its search:

    • dlink
    • d-link
    • laserjet
    • apache
    • cisco
    • gigaset
    • asus
    • apple
    • iphone
    • ipad
    • logitech
    • samsung
    • xbox

    Figure 5. The search for Apple devices

    Once the malware finishes scanning, the results of the search are encoded using base64 and then encrypted using a self-made encryption method. Base64 is only an encoding technique, not encryption, which is why the malware applies a separate encryption step. The encrypted result is then sent to a C&C server via HTTP.

    Figure 6. Encryption of scan results

    Figure 7. Sending results to the C&C server

    After it has sent the results, it will delete itself from the victim’s computer, removing any trace of it. It uses the following command to do so:

    • exe /C ping -n 1 -w 3000 > Nul & Del “%s”
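    Both the hard-coded sweep of 192.168.[0-6].0-11 and the ping-then-Del self-deletion idiom are observable on the endpoint. The following is an added detection example, not Trend Micro's code: it assumes a simple key=value endpoint log format (constructed for this example, with evt=net connection events and evt=proc process-creation events) and flags a host that reaches an unusual number of distinct addresses in that range over HTTP within a short window, as well as any process command line matching the self-deletion pattern quoted above. The log lines, host names and thresholds are constructed assumptions.

```python
"""Detections for the LAN sweep and the self-deletion command described above.

Added example, not Trend Micro's code. Assumes a constructed key=value log
format: '<iso-timestamp> host=... evt=net proto=http src=... dst=ip:port' for
connections and '<iso-timestamp> host=... evt=proc cmd="..."' for processes.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The page's self-deletion command: ping as a delay, then Del on the own file.
SELF_DELETE_RE = re.compile(
    r"ping\s+-n\s+1\s+-w\s+\d+\s*>\s*nul\s*&\s*del\b", re.IGNORECASE)


def in_scan_range(ip):
    """True for 192.168.[0-6].[0-11], the hard-coded range the malware sweeps."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    o = addr.packed
    return o[0] == 192 and o[1] == 168 and o[2] <= 6 and o[3] <= 11


def parse(line):
    """Split one constructed log line into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect(lines, window_s=60, threshold=10):
    """Return (host, rule, detail) alerts for sweeps and self-deletion."""
    alerts = []
    sweeps = defaultdict(list)  # host -> [(ts, dst_ip)] for in-range HTTP hits
    for line in lines:
        ev = parse(line)
        if ev.get("evt") == "proc" and SELF_DELETE_RE.search(ev.get("cmd", "")):
            alerts.append((ev["host"], "self-delete", ev["cmd"]))
        elif ev.get("evt") == "net" and ev.get("proto") == "http":
            dst_ip = ev["dst"].rsplit(":", 1)[0]
            if in_scan_range(dst_ip):
                sweeps[ev["host"]].append((ev["ts"], dst_ip))
    for host, hits in sweeps.items():
        hits.sort()
        # Sliding window: distinct in-range targets within window_s of any hit.
        for i, (t0, _) in enumerate(hits):
            targets = {ip for t, ip in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= threshold:
                alerts.append((host, "lan-sweep", f"{len(targets)} hosts in {window_s}s"))
                break
    return alerts


# Constructed sample log: PC1 sweeps 13 addresses in 13 seconds and then runs
# the self-deletion command; PC2 only talks to its gateway and runs a plain ping.
SAMPLE_LOG = (
    [f"2015-03-10T12:00:{i:02d} host=PC1 evt=net proto=http src=192.168.0.20 dst=192.168.0.{i}:80"
     for i in range(12)]
    + [
        "2015-03-10T12:00:13 host=PC1 evt=net proto=http src=192.168.0.20 dst=192.168.1.0:80",
        '2015-03-10T12:00:40 host=PC1 evt=proc cmd="cmd.exe /C ping -n 1 -w 3000 > Nul & Del C:\\Users\\u\\flash_update.exe"',
        "2015-03-10T12:05:00 host=PC2 evt=net proto=http src=192.168.0.21 dst=192.168.0.1:80",
        '2015-03-10T12:05:30 host=PC2 evt=proc cmd="ping -n 4 192.168.0.1"',
    ]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

    The sweep rule keys on the count of distinct low addresses in the 192.168.0-6 range rather than on any one target, because a single hit on the gateway (PC2 here) is normal; the threshold and window are starting points to tune against the baseline of the environment.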

    Gathering Intelligence

    Based on its routines, the malware might be used by cybercriminals as a “scout” for bigger campaigns. The intelligence gathering could be the first step in more severe attacks. The information could be stored and used for future cross-site request forgery (CSRF) attacks similar to the one discussed here. If the attackers already have login credentials for specific IPs, such an attack would be easier to perform. Of course, we cannot be truly certain, but this seems to be the likeliest scenario for malware with this type of routine.

    Protecting Routers and Other Devices

    Whatever its ultimate goal, this malware shows the importance of securing devices—even those that might not seem like likely targets. Users should always change their routers’ default login credentials; strong passwords or passphrases are a must. Users can also opt for password management software to help them with all their passwords.

    Aside from good password habits, users should always remember other security practices. For example, they should avoid clicking links in emails as much as they can. If they need to go to a site, typing the address or using a bookmark is preferred. If their software requires updates, users can directly visit the official site for downloads. They can also opt for their applications to automatically install updates once they are available. Lastly, users should always protect their devices with security solutions. For example, they can use Trend Micro security for their computers and Trend Micro Mobile for Android and iOS for their smartphones.

    User names and passwords

    This malware uses the following list of possible user names:

    • admin
    • Admin
    • administrator
    • Administrator
    • bbsd-client
    • blank
    • cmaker
    • d-link
    • D-Link
    • guest
    • hsa
    • netrangr
    • root
    • supervisor
    • user
    • webadmin
    • wlse

    It uses the following list of passwords:

    • _Cisco
    • 0000
    • 000000
    • 1000
    • 1111
    • 111111
    • 1111111
    • 11111111
    • 111111111
    • 112233
    • 1212
    • 121212
    • 123123
    • 123123Aa
    • 123321
    • 1234
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234567890
    • 1234qwer
    • 123ewq
    • 123qwe
    • 131313
    • 159753
    • 1q2w3e4r
    • 1q2w3e4r5t
    • 1q2w3e4r5t6y7u8i9o0p
    • 1qaz2wsx
    • 2000
    • 2112
    • 2222
    • 222222
    • 232323
    • 321123
    • 321321
    • 3333
    • 4444
    • 654321
    • 666666
    • 6969
    • 7777
    • 777777
    • 7777777
    • 88888888
    • 987654
    • 987654321
    • 999999999
    • abc123
    • abc123
    • abcdef
    • access
    • adm
    • admin
    • Admin
    • Administrator
    • alpine
    • Amd
    • angel
    • asdfgh
    • attack
    • baseball
    • batman
    • blender
    • career
    • changeme
    • changeme2
    • Cisco
    • cisco
    • cmaker
    • connect
    • default
    • diamond
    • D-Link
    • dragon
    • ewq123
    • ewq321
    • football
    • gfhjkm
    • god
    • hsadb
    • ilove
    • iloveyou
    • internet
    • Internet
    • jesus
    • job
    • killer
    • klaster
    • letmein
    • link
    • marina
    • master
    • monkey
    • mustang
    • newpass
    • passwd
    • password
    • password0
    • password1
    • pepper
    • pnadmin
    • private
    • public
    • qazwsx
    • qwaszx
    • qwe123
    • qwe321
    • qweasd
    • qweasdzxc
    • qweqwe
    • qwerty
    • qwerty123
    • qwertyuiop
    • ripeop
    • riverhead
    • root
    • secret
    • secur4u
    • sex
    • shadow
    • sky
    • superman
    • supervisor
    • system
    • target123
    • the
    • tinkle
    • tivonpw
    • user
    • User
    • wisedb
    • work
    • zaq123wsx
    • zaq12wsx
    • zaq1wsx
    • zxcv
    • zxcvb
    • zxcvbn
    • zxcvbnm

    Hash of related file:

    • a375365f01fc765a6cf7f20b93f13364604f2605

    Posted in Malware


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice