    TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro

    5:04 am (UTC-7)

    With the 2014 FIFA World Cup in Brazil about to kick off in less than a week, it should be no surprise that phishing sites have intensified their own spam campaigns targeting Brazilians as well.

    Some of these spam runs are fairly basic, as far as these go. This particular one, for example, tries to lure users with a lottery with a jackpot prize of 5 million Brazilian reais (just short of 2.2 million US dollars).

    Figure 1. Lottery phishing message

    A typical phishing attack like this consists of three stages. First, the user visits the phishing site where their information is collected. In this particular case, the stolen information includes:

    • Credit Card Number
    • CVV code
    • Month and year of card expiry
    • Name of issuing bank
    • Online banking password
    • Owner’s email address

    In the second stage, a PHP file stores all of the captured information in a text file stored on the malicious site.

    Figure 2. PHP code

    In this particular case, the text file is named CCS.TXT. In the third stage, this file is emailed to an address under the control of the attacker.

    Figure 3. Stored information

    We have found other attacks that use similar bait, although they are more obviously tied to the World Cup. Here is an example, which we first saw about a month ago:

    Figure 4. World Cup-related phishing site

    In addition to the usual information stolen in phishing attacks, the persons behind this also targeted two pieces of information that are not commonly stolen:

    • the card’s credit limit
    • the user’s Cadastro de Pessoas Físicas (CPF, or personal identification number)

    The CPF is an 11-digit identification number used to identify taxpayers (both Brazilians and resident aliens) in Brazil. Like credit cards, the CPF has a defined format and algorithm that checks if the number is valid.
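The check-digit rule mentioned above is what lets a defender tell a genuine CPF or card number apart from random digit strings when scanning for leaked data, for instance when triaging a dump like the CCS.TXT file described earlier. The Python below is an added example written for this page, not code from the post or from Trend Micro: it implements the public CPF modulo-11 check and the Luhn check used for payment cards, then runs both over a constructed sample dump. All values in the sample are made up (4111111111111111 is a widely used test card number, 529.982.247-25 is a number that merely satisfies the check digits), and the regular expressions and dump format are assumptions.

```python
import re

# Constructed sample standing in for a captured credential dump such as the
# CCS.TXT file described in the post. Every value here is invented.
SAMPLE_DUMP = """\
card=4111111111111111;cvv=123;exp=11/16;bank=Banco Exemplo;cpf=529.982.247-25
card=4111111111111112;cvv=999;exp=01/15;bank=Outro Banco;cpf=111.111.111-11
order=1234567890;ref=52998224725
"""


def cpf_check_digits(base9):
    """Return the two CPF check digits for a list of the first nine digits.

    Each digit is weighted (10..2 for the first check digit, 11..2 for the
    second), the weighted sum is reduced modulo 11, and a remainder below 2
    yields 0, otherwise 11 minus the remainder.
    """
    def digit(digits, start_weight):
        total = sum(d * w for d, w in zip(digits, range(start_weight, 1, -1)))
        remainder = total % 11
        return 0 if remainder < 2 else 11 - remainder

    d1 = digit(base9, 10)
    d2 = digit(base9 + [d1], 11)
    return d1, d2


def is_valid_cpf(value):
    """True if value (with or without punctuation) is a well-formed CPF."""
    digits = [int(c) for c in re.sub(r"\D", "", value)]
    # Exactly 11 digits, and not a repeated digit such as 111.111.111-11,
    # which passes the arithmetic but is never issued.
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    return tuple(digits[9:]) == cpf_check_digits(digits[:9])


def luhn_ok(number):
    """Luhn (mod 10) check used by payment card numbers."""
    digits = [int(c) for c in re.sub(r"\D", "", number)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Candidate patterns (assumed formats): CPF with optional separators,
# card numbers with optional spaces or dashes between digits.
CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_identifiers(text):
    """Return only the CPF and card candidates that pass their check digits.

    Validating candidates before reporting them is what keeps a scan of a
    large file from drowning in order numbers and other digit strings.
    """
    hits = {"cpf": [], "card": []}
    for m in CPF_RE.finditer(text):
        if is_valid_cpf(m.group()):
            hits["cpf"].append(m.group())
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            hits["card"].append(m.group())
    return hits


if __name__ == "__main__":
    for kind, values in find_identifiers(SAMPLE_DUMP).items():
        print(kind, values)
```

Run against the sample, the scan reports the one CPF that appears in both punctuated and bare form and the one card number that passes Luhn; the repeated-digit CPF, the mistyped card number and the ten-digit order reference are all dropped.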

    How big are these scams? Through our underground research, we were able to identify the size of the “hoard” of stolen credentials one of the cybercriminals using these attacks possessed. We believe that this particular cybercriminal has approximately 5000 credit cards available to sell at any given time. Some of these cards are identified by their network (i.e., Visa or Mastercard), while others are identified by their issuing bank (Bank of America was explicitly mentioned).

    For stolen e-mail accounts, our cybercriminal has plenty of those too. We identified more than 80,000 accounts whose credentials had been stolen. It is particularly telling that almost 83% of these credentials were for providers with domain names in the .br top-level domain. The most common domains for these stolen credentials are in the table below:

    Table 1. Distribution of stolen e-mail account credentials

    This should not be a surprise, as many of these phishing scams are explicitly targeted at users in Brazil. The first example cited here used the name of the largest payment card operator in Brazil, Cielo. The CPF, as we noted earlier, is something issued only to Brazilians or foreigners who live in the country. As is the case with other scams, spam runs are the favored way to spread these attacks to users.

    We are closely monitoring the threat actors behind some of these attacks, and will release more information in future blog posts.

    The Race to Security hub contains aggregated TrendLabs content on security stories related to major sporting events, including the 2014 FIFA World Cup.

    Posted in Bad Sites, Spam

    The first quarter of the year saw cybercrime hit targets that may not have been considered worthwhile in previous quarters. Multiple Bitcoin exchanges found themselves the victims of various attacks and were forced to close shop. The most high-profile victim was Mt. Gox, which had at one time been the leading Bitcoin exchange in the world.

    Exchanges were not the only target. With more than 12 million Bitcoins in existence – with a value of 6-8 billion US dollars – it was only a matter of time before Bitcoins were targeted for theft in the same way that real-world currencies are. Multiple malware families targeted the Bitcoin wallets of users in order to steal their contents.

    Despite the best intentions of the creators and many users of Bitcoin, its perceived anonymity and privacy has meant that many cybercriminal elements have adopted the cryptocurrency as well. For example, CryptoLocker ransomware frequently asks for payment in Bitcoin. In many cybercrime marketplaces, underground tools are also bought and sold with Bitcoin as the form of payment.

    This shouldn’t be taken to mean that ordinary cybercrime threats have gone away. Take conventional online banking malware: it is up over the same period last year, with the United States, Japan, and India the three most affected countries.

    Figure 1. Countries Most Affected by Online Banking Malware

    Ransomware in the form of CryptoLocker also continued to affect users. As has been the case with previous ransomware threats (like the Police Trojan), CryptoLocker and similar threats have become “regional”, with variants specifically targeting users in Hungary and Turkey. Only 28% of ransomware victims are in the United States, so these tactics make perfect sense.

    Figure 2. Countries Most Affected by Ransomware

    Large-scale cybercrime threats continued as well. Multiple large-scale incidents of malware affecting point-of-sale (POS) terminals led to millions of credit card credentials being stolen and millions of dollars in losses. These attacks used techniques that would not be out of place in a more sophisticated targeted attack; they highlighted the importance of custom defence strategies.

    Mobile malware continued its inexorable growth, with the total number of mobile malware and high-risk apps exceeding two million. More than 647,000 of these were found in the first quarter alone. Adware surpassed premium service abusers in number, in part due to pushback from cellular service providers. In addition, security vulnerabilities were also found in Android that could leave users in an infinite boot loop.

    For more details about these and other security threats in the first quarter, check our security roundup titled Cybercrime Hits the Unexpected.


    4:05 am (UTC-7)

    Industry experts have previously estimated that, on average, a compromised machine remains infected for 6 weeks. However, our latest research indicates that this estimate is far from accurate. During the analysis of approximately 100 million compromised IP addresses, we identified that half of all IP addresses were infected for at least 300 days. That percentage rises to eighty percent if the minimum time is reduced to a month. This data can be seen graphically below:

    Figure 1. Infection data by country

    The news only gets worse from that point. While three-fourths of the IP addresses in our study were identified with consumer users, the remaining quarter belongs to enterprise users. Because a single IP address for these users is typically identified with a single gateway which may, in turn, be connected to multiple machines in an internal network, the actual percentage of enterprise machines affected by malware may be higher than the IP address data suggests.

    Once a machine becomes compromised, it is not unusual to find it has become part of a wider botnet. Botnets frequently cause damage in the form of malware attacks, fraud, information theft and other crimes. In 2009, virtually all malware tracked by Trend Micro experts is used by cybercriminals to steal information.

    Currently, the three most dangerous botnets in relation to information, financial and identity theft are:

    • Koobface
    • ZeuS/Zbot
    • Ilomo/Clampi

    Overall, botnets control more compromised machines than had been previously believed. Only a handful of criminals (likely a few hundred) have more than 100 million computers under their control. This means that cybercriminals have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90 percent of all e-mail worldwide is now spam.

    While there isn’t exactly a 1:1 correlation between the top ten countries with compromised machines and the top spamming countries, some correlation does exist:

    Figure 2. Compromised systems by country

    Using Koobface as an example of a typical botnet, Trend Micro threat experts have established that about 51,000 compromised machines are currently part of this particular botnet. At any time, Koobface uses 5 or 6 command and control centers (C&C) to control these compromised machines. If one C&C domain is taken down by a particular provider, the Koobface gang simply re-registers the same C&C domains with other providers. Between mid-March 2009 and mid-August, Trend Micro researchers recorded around 46 Koobface C&C domains.

    In comparison, while studying the Ilomo botnet, 69 C&C domains were identified. However, this number is difficult to confirm, as new domains are added and others removed daily. In addition, the number of infected machines within the Ilomo botnet cannot be ascertained owing to the structure of the botnet itself.

    Trend Micro threat experts are committed to ongoing technical research and analysis. Technical reports of the Koobface and Ilomo botnets have been published and can be found in the research and analysis section of TrendWatch.

    Fortunately, new technologies are becoming available to counter these ever growing threats. The Trend Micro Smart Protection Network prevents over 1 billion threats from infecting its customers daily.

    Trend Micro uses the power of Smart Protection Network to detect and protect against infections. The Smart Protection Network is made up of 3 core areas: Email Reputation, Web Reputation and File Reputation combined with more traditional endpoint anti-spam and anti-malware protection techniques.

    Processing over 5 billion customer queries per day, the Trend Micro Smart Protection Network is a next generation cloud-client content security infrastructure designed to block threats before they reach a network. By combining in-the-cloud technologies with smaller, lighter-weight clients, users have immediate access to the latest protection.


    5:12 am (UTC-7)

    TrendLabs experts are regularly asked what—in their opinion—are the most dangerous malware of all time. While the question begs more questions, TrendLabs experts give out recurring answers based on high-level assessments of malware effectiveness in endangering users’ online experiences relative to the technologies available during the time the malware reached peak prevalence. As MSBLAST celebrates its sixth year anniversary of plaguing the Internet, we’ve highlighted the worst we’ve seen so far, along with the runners-up, of which MSBLAST is one.

    1. DOWNAD: Multiple Propagation, Multiple Damage – Found in November 2008, this massive threat took advantage of the MS08-067 vulnerability. It spawned several other variants, each new variant an improvement over the last. It impacted LAN traffic in several corporate networks.
      The attack was also notable for generating up to 50,000 domains and connecting to 500 of these, strategically evading efficient domain takedown (or even monitoring potentially malicious sites) and taking advantage of low-cost domain name registration.
    2. KOOBFACE: The Scourge on Social Networks – Initially found in August 2008, KOOBFACE leveraged the connectivity provided by social networking sites like Facebook and MySpace. It infects user profiles so that cybercriminals are able to break into users’ circle of trust, increasing the chances of propagation (an infected user’s contacts assume posted links are harmless because they trust the profile owner).
      KOOBFACE possesses a dynamic update capability, allowing it to spread to other social networking sites and perform more malicious routines.
    3. ZBOT: Organized Information Theft – Also known as variants of Zeus malware, ZBOT Trojan spyware are usually delivered via the Web either by email or Web exploits. Underground research and documented cases reveal it is a thriving business where infected computers give up their owners’ personal information (credit card info) to remote servers / cybercriminals.
      ZBOT variants are especially damaging due to their ever-changing social engineering techniques, which are often understated (not sensational).
    4. SQL Slammer: Single-Handed Internet Sabotage – This attack is notorious for drastically slowing down general Internet traffic in the early morning of January 25, 2003 (UTC). Noteworthy is the fact that this was achieved despite it being a solitary packet worm in memory, attacking without a file system component, and exploiting an already patched buffer overflow bug in MS SQL Server and Desktop Engine (MS02-039).
      However, what is more notable is that trickling effects of this threat are still being seen in present-day Internet.
    5. VBS_LOVELETTER: Internet Love Bug – This attack, with its remarkably simple yet effective social engineering (the string “ILOVEYOU” in the subject line) that triggered the curiosity of recipients, first plagued email inboxes on May 4, 2000. It infected 10% of computers worldwide, with each harboring an average of 600 infected files.

    Here are other notable attacks that, though not as severe as the ones listed above, affected users around the globe with their remarkable routines:

    • Melissa Virus – The first mass-mailer (started in March 1999); shut down entire Internet mail systems clogged with infected emails
    • MSBLAST – One of the more memorable network worms to take advantage of system vulnerabilities. It was first triggered around this time in the year 2003.
    • SDBOT/AGOBOT – Pioneered modular IRC-based botnets; current IRC bots still use the same codebase; still alive today
    • Web Toolkits – Collective term for commercial-grade software that aid cybercriminal activity; allegedly responsible for high-profile web compromises like the “Italian Job”
    • ILOMO – Trojans arriving via Web-based exploits that stay active in memory even after the binary has been deleted from the system, resulting in multiple, recurring reinfections (first appeared March 2009)

    Each of the top threats was the most dangerous during its time and within its respective field. Notably, all of them are attacks that gained momentum via the Internet.

    The most dangerous is still likely the newest one to come out of the malware underground markets. For the most part, new threats are better versions of already detected variants, so users should be actively involved in keeping their personal information safe from theft. Companies likewise should safeguard company information and assets with the same vigilance as a country at war.

    These days the most likely way threats come in is the Internet. Thus we consider that the most obvious and effective way to stop them is to check the URL being requested by the browser or applications. For your safety we hope you have already switched on the Web Reputation Service in your Trend Micro product. In case you are still uncertain, you may test it for free by using the TrendProtect Toolbar with your Internet Explorer browser, or try our Web Protection Add-On, which may work alongside your existing security solution.


    8:28 pm (UTC-7)

    TrendLabs researchers have recently published their research on two of the most prevalent botnets in the threat landscape to date:

    Infiltrating WALEDAC Botnet’s Covert Operations

    Spam is not a mere inbox annoyance anymore but is the first step toward executing more dangerous kinds of system infiltration. Malware are no longer discrete executables but a motley group of related components and files that work together to surreptitiously get inside systems. The technologies malware crime fighters are using are—in some cases—being used against us. The people behind these cybercrimes are no longer fame-seeking script kiddies, they are now professional criminals who have created robust cybercrime businesses.

    This paper provides a comprehensive view of the WALEDAC botnet—its activities, methodology, involved technologies, purpose, and business model—in order to paint a picture of the complex and intricate nature of the threats that we see today.

    Pushdo / Cutwail Botnet

    The Pushdo botnet has been with us since January 2007, and while it does not grab as many headlines as its attention-seeking peers such as Storm or Conficker, it is the second largest spam botnet on the planet – sending approximately 7.7 billion emails per day, making it single-handedly responsible for about 1 out of every 25 emails sent.

    There are several reasons for Pushdo’s lack of notoriety – the authors have actively used several techniques to help keep its activity “under the radar.” Not only is Pushdo responsible for a huge amount of spam activity, it also is one of the primary conduits for other criminal gangs to spread their malware creations.

    The two abovementioned papers, as well as other previously released white papers can be downloaded from this page.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice