TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro
    2013 was another year marked by many changes – for good and bad – in the threat landscape. Some threats waned, others grew significantly, while completely new threats emerged and made life difficult for users. What remained constant, however, were the threats against the safety of digital information. In this entry, we present some of the threats that were seen last year. These are described in more detail in our roundup titled Cashing In On Digital Information.

    Cybercrime: Banking Malware, CryptoLocker Grow; Blackhole Exploit Kit Tumbles

    Some malware types linked to cybercrime grew significantly in 2013. We saw almost a million new banking malware variants, which was double what we saw in 2012. Much of this growth occurred in the latter half of the year:

    Figure 1. Volume of new banking malware

    Two countries – the United States and Brazil – accounted for half of all banking malware victims:

    Figure 2. Countries most affected by banking malware

    We saw ransomware become far more potent in the latter part of the year as CryptoLocker emerged as a new threat that hit users hard. This new threat – an evolution of previous ransomware attacks – encrypted the data of users, requiring a one-time payment of approximately $300 (payable in cryptocurrencies like Bitcoin) before their data would be decrypted. In some ways, CryptoLocker became as serious a problem for end users as fake antivirus malware had in previous years.

    The fall of the Blackhole Exploit Kit in 2013 due to the arrest of its creator, Paunch, was a significant event that appreciably changed the threat landscape. It significantly cut the use of malicious links in spam messages by attackers. While other exploit kits have emerged into the threat landscape since then, no other kit has achieved BHEK’s levels of prominence.

    Targeted Attacks and Data Breaches: Still In Operation

    Despite reduced media attention, targeted attacks continued to hit organizations across the world last year. We observed attacks in many parts of the world, with countries in Asia at particular risk from these coordinated targeted attacks. Well-organized campaigns like EvilGrab and Safe highlighted the capabilities and sophistication of modern targeted attacks.

    Figure 3. Countries affected by targeted attacks

    Data breaches also continued to plague organizations. Companies like Adobe, Evernote, and LivingSocial were all hit by various breaches that exposed the customer data of millions of users. Breaches like these not only cause a loss of face for the affected organizations, but may also put them at legal risk for failing to protect the data of their users.

    Mobile Threats: Mobile Banking Under Fire

    Mobile threats continued to flourish last year, with an estimated one million malicious and high-risk apps found in the year alone. Significantly, we saw increasing use of mobile banking threats like the PERKEL and FAKEBANK families, both of which put users of mobile banking apps and websites at the same risk of fraud and financial loss that other users face. Information stealers like banking malware are now the third most common type of malicious/high-risk app found, behind traditional standbys like premium service abusers and adware:

    Figure 4. Types of mobile malware threats

    Digital Life: Privacy at Risk

    Revelations about government spying made many question if online privacy was still alive, or even possible. Previously, users had always worried that cybercriminals could get their hands on their personal information; now they worry about large, previously trusted organizations – both government and private – doing the same thing.

    Attacks delivered via social media (combined with social engineering) have now become the norm, with newer social networks like Instagram, Pinterest, and Tumblr suffering from their own scams as well. Indeed, attacks on all social media platforms have become so common, it may almost be considered “business as usual.”

    For a more comprehensive analysis of these threats, check our 2013 roundup titled Cashing In On Digital Information.

    Posted in Bad Sites, Data, Exploits, Malware, Mobile, Social, Spam, Targeted Attacks


    Jan 26, 10:21 pm (UTC-7)

    We noted in our 2014 predictions that we believed there would be one major data breach per month. Reports of data breaches against retailers ushered in the new year, with the credit card information of several million shoppers stolen. There is no denying the scale and severity of breaches of this kind. While much ink, online and offline, has been spent on matters like who the author of the malware was, in the longer view what's important to note is that there were many ways this attack might have been prevented, or security steps that could have been taken to thwart this kind of attack.

    For example, POS systems represent a near-ideal situation for whitelisting and/or locked down systems: there is no compelling need to run general-purpose applications on a POS system. A locked down system would have made it more difficult to run malware on the POS devices.

    Alternatively, it is highly unlikely that such a large-scale attack was carried out by installing malware onto POS systems on an individual basis. It's almost certain that some form of remote management software was used to install the malware onto the POS systems. This isn't the first time that systems used to automatically install software onto other systems have been compromised; last year the auto-update systems of several applications in South Korea were used to plant malware onto affected systems.

    The movement of such significant amounts of data across networks should also have been detectable. Network defense solutions would have been able to detect the internal network traffic used by this attack, the data exfiltration traffic, or both.

    The broad outlines of this attack are known, but specifics – such as what exact security procedures were in place and how/if they were evaded – are not yet public. However, businesses that handle critical data can take this incident and use it to determine if they, too, are at risk from similarly well-executed attacks. Companies in such a situation should double-check that all possible security procedures and products are in use and set up correctly, and that trained IT personnel are available to handle incidents as they happen.

    One thing that is clear is that for high-value targets, simple endpoint security is no longer sufficient. As we mentioned earlier, protections based on detecting network and system behavior (such as Deep Discovery and Deep Security) would have been very useful in dealing with these kinds of threats. Enterprises that do not have these solutions in place should consider implementing them in order to be able to guard against similar attacks; there is a good chance that other companies in similar situations will now have to deal with copycat attacks.

    We detect the malware that we believe was used in this attack as TSPY_POCARDL.AB and TSPY_POCARDL.U; if any related threats are found we will release further protection as necessary. Frequently asked questions about this incident are answered in the Simply Security blog.

     



    In late November, Microsoft revealed that a zero-day vulnerability was being used in targeted attacks against Windows XP and Server 2003 systems. The samples of the exploit we examined carry a backdoor payload that possesses sophisticated anti-analysis techniques.

    Further research into this earlier attack – discussed in the blog posts above – has revealed that the exploit was deployed via email to at least 28 embassies in a Middle Eastern capital. The malicious payload arrived as an attachment to a blank email sent to the target embassies. The subject line of the email and the name of the attachment referred to the ongoing conflict in Syria, to induce its recipients to open the email.

    Apart from the targeting and the anti-analysis techniques, there does not appear to be other particularly unusual or unique behaviors in this attack. The anti-analysis techniques in the backdoor (detected as BKDR_TAVDIG.GUD) were designed to hide from or freeze debuggers, making analysis and attribution more difficult.

    Whoever was responsible for this attack had the means, motivation and opportunity to carry out a targeted attack across multiple targets. This suggests a level of organization and available resources beyond ordinary cybercriminals. Beyond that, we are unable to draw any other conclusions. We do not know if the embassies were indeed affected by the malware mentioned or if there are other sets of targets, only that the samples received strongly suggest that the embassies were the intended recipients.

    As part of our 2014 predictions, we mentioned that obsolescent and unpatched operating systems and applications may cause issues in the coming year. This incident highlights that problem, particularly when such systems are exploited in targeted attacks. Similarly, zero-days are frequently first used in targeted attacks; earlier this year another Internet Explorer zero-day was first used in targeted attacks. Malicious attachments are a favored infection vector for targeted attacks; the same technique was used to target Asia-Pacific governments and G20 meeting attendees earlier this year.

    It is also important to remember that all is not lost when it comes to defending against targeted attacks. In his paper Suggestions to Help Companies with the Fight Against Targeted Attacks, Trend Micro researcher Jim Gogolinski stated that there is much that can be done to defend a company against targeted attacks. Trend Micro also participated in the development of the guide System Design Guide for Thwarting Targeted Email Attacks along with Japan's Information Technology Promotion Agency (IPA), which provides in-depth strategy for helping deal with email attacks.

    Posted in Targeted Attacks, Vulnerabilities



    The third quarter of the year shone the spotlight on parts of the hidden Internet that would have preferred to remain hidden. Services favored by cybercriminals such as the digital currency Liberty Reserve and the online marketplace Silk Road were all shut down during the quarter. Right after the quarter ended, the notorious creator of the Blackhole Exploit Kit, Paunch, was arrested as well, severely curtailing related spam campaigns.

    Cybercrime Continues Unabated

    Despite these steps, however, cybercrime continued to grow during the quarter. The number of online banking Trojans detected reached record levels, with more than 200,000 infections reported in the quarter. Three countries – the United States, Brazil and Japan – accounted for over half of these infections.

    Figure 1. Number of online banking infections

    Mobile Malware Crosses 1 Million Mark

    Our 2013 predictions noted that we believed the number of high-risk and malicious Android apps would exceed 1 million sometime in the year. That was exactly what happened this quarter. Premium service abusers remained the most common threat; these sign up users for paid "premium services" without their consent. This milestone highlights how mobile malware has become mainstream, continuously growing and affecting more users around the world.

    As a sign of the growing maturity of mobile platforms, a major vulnerability was found in Android with correspondingly serious risks. The so-called “master key” vulnerability allowed an attacker to “update” a legitimate app with a malicious version.

    Java 6 Becomes a Permanent Threat

    Older, unpatched versions of software have always posed serious security risks. This was shown when a new exploit targeting a vulnerability in Java 6 was seen. This came after Oracle officially declared Java 6's end-of-life (EOL), highlighting the risks of using EOLed software that will no longer receive patches. This serves as a potential preview of what will happen next year, when Windows XP – still in use in many systems and networks all over the world.

    Read more about the goings-on in the third quarter in the full report, titled The Invisible Web Unmasked.

    Posted in Exploits, Malware, Mobile, Vulnerabilities



    Further analysis by Trend Micro researchers on the reported defacement of the Singapore Prime Minister Office website revealed that the website was not actually defaced – attackers abused the search function of the Singapore PMO website to display an image that looks like a hacked version of the site.


    Figure 1. Image shown from within the PMO website that falsely claims the site was hacked

    The attackers exploited an XSS vulnerability in the website's search page by entering, as the search string, code that triggers the display of the image. This caused the web page to execute the code and display the image, along with text that said "ANONYMOUS SG WAS HERE BIATCH~", giving the impression that the website was defaced.

    We’d like to point out that the Singapore PMO website remains intact, and was not compromised in any way. Visitors of the site will not be able to see the image, since it is only accessible if the URL with the injected script embedded is accessed. The attackers drove users into the link with the displayed image by distributing the URL through social media.

    This attack is a form of cross-site scripting (XSS) and has been seen in many attacks in the past, including those that affected other government websites. XSS vulnerabilities are low-hanging fruit for attackers: the likelihood of a website having one is very high, so it is seen as one of the easier routes for attacking a website.

    This ease in execution for hackers, however, is paralleled by great risks for the potential targets. While the attack on the PMO website only triggered the display of an image, we have seen other attacks that triggered redirections to malicious sites, leading visitors to malware.

    We strongly recommend that website developers make sure their sites are fully secure against XSS attacks through the following means:

    1. Review the website code regularly to make sure that it is configured to prevent code injection. This can be done by setting up limitations on input contents in order to reject special characters, as well as by sanitizing output, HTML-encoding user input/strings before they are reflected in the page.
    2. Scan for web application vulnerabilities to identify possible attack vectors and address them immediately.
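The two recommendations above, worked through on a minimal search-results renderer. This is an added example, not code from the Trend Micro post or from the PMO site; the function names and the sample payload are constructed for illustration.

```javascript
// Added example, not code from the Trend Micro post or the PMO site: a
// minimal search-results renderer that reflects the query, shown without
// output encoding and then with the HTML-encoding the post recommends.
// Function names and the sample payload below are constructed.

// HTML-encode the characters that let user input break out of an HTML
// text or attribute context.
function htmlEncode(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (the class of flaw the post describes): the search term
// is concatenated straight into the HTML, so any markup in it is rendered.
function renderResultsUnsafe(query) {
  return `<h2>Search results for: ${query}</h2>`;
}

// Hardened pattern: every reflection of user input is encoded, so the
// browser shows injected markup as literal text instead of rendering it.
function renderResultsSafe(query) {
  return `<h2>Search results for: ${htmlEncode(query)}</h2>`;
}

// Input-side check (the post's first recommendation, used in addition to
// output encoding, not instead of it): reject search terms carrying markup
// characters a real query never needs, and cap the length.
function acceptQuery(query) {
  return typeof query === "string" && query.length <= 200 && !/[<>"'`]/.test(query);
}

// Does the rendered page still contain a raw tag from the input? This is the
// check a web-application scanner makes when probing a reflected parameter.
function reflectsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

// Constructed payload of the kind described above: an image plus a fake
// defacement message injected via the search string.
const injected = '<img src="/constructed/fake-defacement.png"> SITE WAS HERE';

console.log(renderResultsUnsafe(injected)); // image tag is live in the page
console.log(renderResultsSafe(injected));   // tag appears as &lt;img ...&gt;
console.log(acceptQuery(injected));         // false: rejected at input
```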

    © Copyright 2013 Trend Micro Inc. All rights reserved.