    Author Archive - Trend Micro

    On March 20, several attacks hit various South Korean government agencies and corporations, resulting in major disruptions to their operations. The incident started when several of their computer screens went black, while others were showing images of a skull and a “warning”.

    Trend Micro was, however, able to protect our enterprise users in Korea against this threat. We have identified two separate scenarios related to this event, and describe below how our solutions averted the threat and how they can help customers prevent it.

    Two of our threat discovery solutions – Deep Discovery Inspector and Deep Discovery Advisor – heuristically detected and reported malicious traffic and messages sent to two Trend Micro customers, which we later determined to be related to this attack. Because our solutions detected the attack, these customers received actionable intelligence (such as the malware’s dropped files and malicious URLs) that enabled them to take appropriate action and mitigate the risk. Our threat discovery solutions detect this threat as HEUR_NAMETRICK.B in ATSE 9.740.1012.

    In a different scenario, we acquired several samples (detected as TROJ_KILLMBR.SM) which we believe were responsible for the blank computer screens reported at certain South Korean entities. This malware overwrites the Master Boot Record (MBR) with a repeated series of the words HASTATI. and PRINCPES. In normal usage, the MBR contains information necessary for any operating system to boot correctly. The malware then automatically restarts the system, and because the MBR has been damaged, the system is unable to boot.

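    As an added example (not code from the original post or from Trend Micro), the following Python script shows how a responder can triage a sector read from LBA 0 for the kind of damage TROJ_KILLMBR.SM is described as causing: it checks the 0x55AA boot signature, counts plausible partition-table entries, and searches for the HASTATI. and PRINCPES. marker strings. The two sample sectors are constructed in the script, not taken from a real disk.

```python
import struct

# Marker strings the post says the wiper writes over the MBR.
WIPER_MARKERS = (b"HASTATI.", b"PRINCPES.")

def build_healthy_mbr():
    """Constructed sample: a plausible, intact 512-byte MBR (not a real disk image)."""
    mbr = bytearray(512)
    mbr[0:3] = b"\xeb\x3c\x90"  # typical JMP/NOP at the start of boot code
    # One bootable NTFS-type partition entry: status 0x80, type 0x07,
    # starting at LBA 2048 and spanning 1,000,000 sectors (CHS fields arbitrary).
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1000000)
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def build_wiped_mbr(word=b"HASTATI."):
    """Constructed sample: a sector filled with repeated copies of one marker word."""
    return (word * (512 // len(word) + 1))[:512]

def assess_mbr(sector):
    """Examine one 512-byte sector read from LBA 0 and report whether it
    still looks like a bootable MBR or has been overwritten."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = {
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
        "partition_entries": 0,
        "markers_found": [m.decode() for m in WIPER_MARKERS if m in sector],
    }
    # Count plausible partition-table entries: non-zero type, status 0x00 or 0x80.
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        if entry[4] != 0 and entry[0] in (0x00, 0x80):
            findings["partition_entries"] += 1
    overwritten = findings["markers_found"] or not findings["boot_signature_ok"]
    findings["verdict"] = "overwritten" if overwritten else "intact"
    return findings

if __name__ == "__main__":
    for name, sector in (("healthy", build_healthy_mbr()),
                         ("wiped", build_wiped_mbr())):
        print(name, assess_mbr(sector))
```

    On a real system the sector would come from a forensic image of the disk rather than from the constructed builders; a missing boot signature alone is enough to explain the failed boot even when neither marker string is present.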


    11:52 pm (UTC-7)

    Zero-day season is far from over as reports indicate that an exploit was found targeting zero-day vulnerabilities for certain versions of Adobe Reader. This discovery came on the heels of the recent Adobe Flash Player incident that occurred last week.

    In the related samples we gathered, the exploit is disguised as a .PDF file (detected by Trend Micro as TROJ_PIDIEF.KGM), which is crafted to target still unpatched vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe PDF Reader versions 9, 10, and 11. Once executed, it drops the .DLL file TROJ_INJECT.CPX along with the non-malicious file %User Temp%\Visaform Turkey.pdf. The said file is dropped as a way to hoodwink users into thinking that the specially crafted .PDF file is non-malicious.

    However, in the exploit sample we analyzed, we noticed that it also drops a malicious .DLL file designed for 64-bit machines (detected by Trend Micro as TROJ64_INECT.CPX). The people behind this threat may have included this 64-bit malware in an attempt to evade detection by anti-malware programs.

    To address this issue, Adobe is currently working on a security advisory. The software vendor promises to release updates to address this issue. For the latest developments regarding this incident, readers may check Adobe’s blog.


    Posted in Exploits, Vulnerabilities

    11:35 pm (UTC-7)

    2013 has seen some significant changes in the way that attackers use the Blackhole exploit kit in spam attacks. To understand what these changes are, however, let us first go into what Blackhole did in late 2012.

    Last year, the majority of URLs found in Blackhole-related phishing messages had the following format:

    • http://{compromised or abused site}/{eight-digit code}/index.html

    For example, a spam run in November contained a link to the website at:

    • http://{domain #1}/Pz1Fa7u/index.html

    Users were redirected by the above link to two URLs:

    • http://{domain #2}/9WFM1cgc/js.js
    • http://{domain #3}/0s3FmfEC/js.js

    Both of these URLs were hosted on compromised sites. While the webhosting account of domain #2 was suspended, the redundancy of using two redirection pages allowed the attack to continue. The URL at domain #3 led to the malicious landing page, which was located at:

    • http://{malicious site}/links/created_danger.php

    It’s not unusual for multiple redirection pages to lead to a single malicious URL. Frequently, even different spam runs will lead to the same malicious landing page.

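    As an added example (not code from the original post), this Python script turns the URL formats described above into simple detection logic and runs it over a constructed proxy log. The domains are placeholders rather than the sites from the actual spam run, and the code component is allowed to be seven or eight alphanumeric characters so that the November example (Pz1Fa7u) matches alongside the eight-character js.js codes.

```python
import re
from collections import defaultdict

# URL shapes taken from the post. Hypothetical choice: the code is allowed to
# be 7 or 8 alphanumerics so the November example (Pz1Fa7u, seven characters)
# matches as well as the eight-character js.js codes.
FIRST_HOP = re.compile(r"^https?://[^/]+/[A-Za-z0-9]{7,8}/index\.html$")
JS_REDIRECTOR = re.compile(r"^https?://[^/]+/[A-Za-z0-9]{7,8}/js\.js$")

# Constructed proxy log: "<timestamp> <client> <url> <referer>" ('-' = none).
# Domains are placeholders, not the sites from the actual spam run.
SAMPLE_LOG = """\
2012-11-05T10:00:01 10.0.0.5 http://compromised-1.example/Pz1Fa7u/index.html -
2012-11-05T10:00:02 10.0.0.5 http://compromised-2.example/9WFM1cgc/js.js http://compromised-1.example/Pz1Fa7u/index.html
2012-11-05T10:00:02 10.0.0.5 http://compromised-3.example/0s3FmfEC/js.js http://compromised-1.example/Pz1Fa7u/index.html
2012-11-05T10:00:03 10.0.0.5 http://malicious.example/links/created_danger.php http://compromised-3.example/0s3FmfEC/js.js
2012-11-05T10:05:00 10.0.0.9 http://compromised-4.example/a1b2c3d4/index.html -
2012-11-05T10:05:01 10.0.0.9 http://compromised-5.example/Zz9Yy8Xx/js.js http://compromised-4.example/a1b2c3d4/index.html
2012-11-05T10:05:02 10.0.0.9 http://malicious.example/links/created_danger.php http://compromised-5.example/Zz9Yy8Xx/js.js
2012-11-05T10:10:00 10.0.0.7 http://news.example/index.html -
"""

def classify(url):
    """Label a URL by the Blackhole hop it resembles, or None."""
    if FIRST_HOP.match(url):
        return "blackhole-first-hop"
    if JS_REDIRECTOR.match(url):
        return "blackhole-js-redirector"
    return None

def parse_log(text):
    """Split each constructed log line into (timestamp, client, url, referer)."""
    return [tuple(line.split()) for line in text.strip().splitlines()]

def suspicious_hits(events):
    """(client, url, label) for every request matching a known hop pattern."""
    return [(c, u, classify(u)) for _, c, u, _ in events if classify(u)]

def landing_pages(events):
    """Map each page reached from a js.js redirector to the redirectors that
    referred to it; several referers on one URL is the convergence the post
    describes (multiple redirection pages, one landing page)."""
    groups = defaultdict(set)
    for _, _, url, referer in events:
        if JS_REDIRECTOR.match(referer) and classify(url) is None:
            groups[url].add(referer)
    return {url: sorted(refs) for url, refs in groups.items()}
```

    Calling `landing_pages(parse_log(SAMPLE_LOG))` groups both clients' chains under the single created_danger.php landing page, which is the pivot a defender can block even when the upstream redirectors keep changing.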


    5:00 am (UTC-7)

    The “post-PC era” is a phrase which has been a veritable buzzword for some time. However, 2012 saw cybercrime expanding to mobile platforms, highlighting how threats have entered the post-PC era, too.

    Mobile Threats: 350,000 and Growing

    By the end of 2012, the number of Android malware had grown to 350,000. This was monumental growth from the 1,000 mobile malware we saw at the end of 2011. Much of this growth was driven by adware and premium service abusers, which together accounted for a sizable majority of it.

    The popularity of Android in the mobile space means that it now faces threats similar to those Windows has faced in the desktop space. These threats grew and became more sophisticated throughout the year, and we expect this to continue into 2013.

    Data breaches and Malware: Business as Usual

    The year saw a continuation and evolution of many familiar threats. Data breaches and APTs continued to hit organizations large and small. Increasingly, the question is no longer if a system will suffer a data breach, but when. Throughout the year, we discovered and looked into various information theft campaigns, as well as the tools used.

    Similarly, “conventional” threats mostly saw a gradual evolution in 2012. Phishing messages became harder to tell from real ones and were combined with the Blackhole Exploit Kit to mount highly effective attacks. Banking malware was significantly improved with the addition of automatic transfer systems, which sped up the actual process of moving money to criminal bank accounts. Ransomware took the place of fake antivirus as the primary threat facing consumers. We also saw what we’ve dubbed the “children” of Stuxnet—Flame, Flamer, Gauss, and Duqu—so called because of similarities such as shared code.

    Vulnerabilities and Exploits: Exploit Kits and Java

    Many of these attacks were made possible by vulnerabilities and exploits. We saw extensive usage of the aforementioned Blackhole Exploit Kit, which made it relatively easy for attackers to compromise targeted systems. The year saw the introduction of version 2.0 of the exploit kit, which was at least in part a response to successes in investigating the earlier 1.x version by security vendors (including Trend Micro).

    Java proved to be a serious security problem throughout the entire year. A zero-day vulnerability in Java 7 was found and exploited in August; our own data indicates that Java was the most targeted program via browsers in 2012. These problems were severe enough that vendors have taken steps to reduce the use of Java, with Apple going so far as to remove it from browsers on OS X computers.

    We have prepared two reports that outline the threats we saw in 2012. One, our Annual Security Roundup titled Evolved Threats in a “Post-PC” World, outlines the threats that we saw in the overall security landscape in the past year. The second, our Mobile Threat and Security Roundup titled Repeating History, examines in greater depth the threats in the mobile landscape in the past year. You can read these reports by clicking on their titles, or their respective covers below:

    Posted in Exploits, Malware, Mobile, Social, Vulnerabilities

    In 2012 small businesses globally were making the shift towards cloud-based applications and smart mobile devices, impacting the way they do business. These trends towards greater consumerization of IT and cloud adoption look likely to continue and pick up momentum in 2013.

    Our experts here at Trend Micro have looked at these changes through the lens of our SMB customers to predict the security implications these developments bring. The goal is to help smaller businesses understand what these predictions mean for them in terms of threats in the coming year and what they can do to prepare and protect against these threats.

    Our new report, 5 Predictions for 2013 and Beyond: What Should SMBs Look Out For?, boils our predictions down into the areas that SMB customers should specifically focus on and outlines specific steps they can take today to protect themselves against threats in 2013.


    Posted in Bad Sites


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice