    TrendLabs Security Intelligence Blog

    Author Archive - Trend Micro

    OpenSSL announced last Tuesday, March 17, that it planned to release several code fixes to address a number of vulnerabilities, including some classified as “high” severity. Speculation had been building around these vulnerabilities, as the bug was hinted to be “the next Heartbleed” according to reports.

    The fix was released today, two days after the announcement. Today’s security bulletin noted that the following just-released versions are all secure:

    • OpenSSL version 1.0.2a (addresses CVE-2015-0209, CVE-2015-0285, and CVE-2015-0288)
    • OpenSSL version 1.0.1m (addresses CVE-2015-0288)
    • OpenSSL version 1.0.0r (addresses CVE-2015-0288)
    • OpenSSL version 0.9.8zf (addresses CVE-2015-0288)

    According to the OpenSSL advisory, these versions are now available for download via HTTP and FTP from the following master locations: and

    Server administrators should update their versions of OpenSSL to the appropriate versions, depending on what they have installed.
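    A quick way to act on that advice is to compare the locally installed OpenSSL version against the fixed release for its branch. The following script is an added example for this post, not Trend Micro or OpenSSL code; it assumes an `openssl` binary on the PATH and uses only the four fixed versions listed above.

```python
import re
import subprocess

# Fixed releases per branch, as listed in the OpenSSL advisory above.
FIXED = {
    "1.0.2": "1.0.2a",
    "1.0.1": "1.0.1m",
    "1.0.0": "1.0.0r",
    "0.9.8": "0.9.8zf",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn '1.0.1k' or 'OpenSSL 0.9.8zf 19 Mar 2015' into a comparable tuple.
    OpenSSL letter suffixes run a < ... < z < za < zb, so the suffix is
    compared first by length and then alphabetically."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)


def branch_of(version_tuple):
    return "%d.%d.%d" % version_tuple[:3]


def is_patched(text):
    """True if the version is at or above the fixed release for its branch.
    Raises ValueError for a branch the advisory does not list."""
    v = parse_version(text)
    branch = branch_of(v)
    if branch not in FIXED:
        raise ValueError("branch %s not covered by the advisory" % branch)
    return v >= parse_version(FIXED[branch])


def installed_version():
    """Read the version banner of the local openssl binary (assumed on PATH)."""
    return subprocess.check_output(["openssl", "version"], text=True).strip()


if __name__ == "__main__":
    banner = installed_version()
    print("%s -> %s" % (banner, "patched" if is_patched(banner) else "VULNERABLE"))
```

    Distributions that backport fixes keep the old version string, so a banner such as 1.0.1e can be patched even though this check reports it as vulnerable; confirm against the distribution’s own advisory in that case.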

    OpenSSL is one of the most commonly used implementations of Secure Sockets Layer (SSL) (also known as “transport layer security” or TLS), which is the backbone of secure Internet communications today. SSL/TLS allows for communications between computers to be encrypted, preventing traffic from being eavesdropped by attackers. This is essential for any transaction online that requires secrecy and integrity.

    OpenSSL is widely available for various Unix-like operating systems (such as Linux and Mac OS X), so any vulnerability could put many secure communications at risk.

    We will update this blog post with solutions deployed by Trend Micro Deep Security.


    A study conducted around June last year revealed a malware-based fraud ring that infiltrated one of Brazil’s most popular payment methods – the Boleto Bancário, or simply the boleto. While the research and analysis was already published by RSA, we’ve recently discovered that this highly profitable fraud is still out in the wild and remains an effective way for cybercriminals for online banking theft in Brazil.

    The boleto malware campaign had a reported potential loss of US$3.75 billion. The recent detections we found comprise malicious Mozilla Firefox and Google Chrome extensions cleverly installed in victims’ machines. Spammed messages with fake threats of debt that must be paid to governments are used to get users to install these extensions.

    What is a “boleto”?

    The boleto (or “ticket” in English) is a type of payment slip that serves as a method of payment in Brazil regulated by the Brazilian Federation of Banks (FEBRABAN). Each boleto has a printed bar code and number associated with the person’s bank account, among other details. For instance, when users shop online, they may opt to use the boleto method of payment instead of credit cards and direct money transfers. If users decide to choose the boleto payment method, the shopping website generates a payment slip with a bar code that users can view, copy, or print in order to issue the payment. Here’s an example of a boleto.

    Figure 1. Example of a boleto for R$934.23 (Brazilian Real). The bar code matches the number on the top. Both can be used to pay the boleto. Other items in the boleto include the person’s full name and phone number.

    The use of the boleto payment method isn’t limited to online shopping websites. Government fees, car and house taxes, and almost any kind of payment can also be paid using it. It is a very common payment method in Brazil, a country where 18% of total bank transactions take place online.

    How does the boleto infection take place?

    To give an overview about how the infection takes place, here’s a diagram that shows how the attack plays out starting from the users receiving spammed messages to money ending up with the money mules.

    Boleto fraud attack flow



    2014 was a year where cybercriminal attacks crippled both likely and unlikely targets. A year rife with destructive attacks, 2014 proved to be a difficult one for individuals and companies who were victimized by these threats.

    Massive data breach disclosures came one after another in 2014, in much more rapid succession than in past years. The Sony Pictures breach in December, along with the other big breaches of the year, illustrated the wide spectrum of losses that can hit a company that has failed to secure its network.

    Point-of-sale (PoS) RAM scrapers were almost a cybercrime staple in 2014, as several high-profile targets lost millions of customer records to attackers. The Ponemon Institute reports a significant increase in the cost of stolen records in 2014 from the previous year, which shows that using PoS RAM scrapers to target retailers is a thriving business. Throughout 2014 we observed that most PoS malware hit retailers in the United States, followed by Canada and the United Kingdom.

    Software and platforms previously considered secure proved otherwise in 2014; this was made evident by the high-profile vulnerabilities Heartbleed and Shellshock, which affected Linux systems. Security holes were also found in various commercial software like Windows®, Adobe®, and Java™ throughout the year.

    Figure 1. Timeline of Major Zero-Day Vulnerabilities in 2014

    Online banking threats remained a major problem last year. Operation Emmental added to this growing problem and proved that two-factor authentication was no longer enough to secure sensitive transactions. According to data from the Trend Micro™ Smart Protection Network™, we observed around 145,000 computers infected by online banking malware by the tail end of 2014. Mobile users were also hit by online banking threats, with as many as 2,069 mobile banking/financial malware samples seen in 3Q alone.

    2014 Annual Security Roundup Cover

    Ransomware made the headlines early in the year with CTB-Locker infections, but we saw ransomware victimize users throughout 2014. While traditional ransomware like REVETON and RANSOM dominated 2013 with a 97% share, crypto-ransomware took the stage in 2014, as its share increased 27.35%.

    Threat actors and cybercriminal economies continued to thrive last year. In Operation Pawn Storm, threat actors used next-level spear-phishing tactics to obtain the email credentials of primarily military, embassy, and defense contractor personnel from the United States and its allies.

    2014 also saw campaigns like Regin target victims in Belgium and Plead in Taiwan.

    As cybercrime becomes more attractive to the unscrupulous and as targeted attack campaigns become much easier to mount, the pressure to reassess the breadth and quality of cybersecurity investments must only intensify.

    For more details about these and other security threats in 2014, check our security roundup titled Magnified Losses, Amplified Need for Cyber-Attack Preparedness.



    Home surveillance/security cameras have been available for quite some time, and can be used to keep track of one’s home, children, pets, or business. These devices are, in some ways, the first exposure of people to the Internet of Things.

    For most people, home surveillance means setting up a camera and using the Internet to access the camera feed in real-time. Higher end camera models can even be controlled remotely, making them useful for monitoring a large area with a single camera. This is a marked difference from previous iterations of home surveillance, which had restrictions or limitations in terms of accessibility.

    Online and Open Accessibility

    The older generation of security cameras required configuring the home router (for example, port forwarding) so that the video feed could be viewed remotely. While convenient, this set-up means that the camera is also accessible to pretty much anyone with an Internet connection.

    There are websites that scour the Internet for Internet-connected security cameras. One such site is Shodan. By logging in to Shodan, a person can find a specific camera based on the brand and IP address.

    Figure 1. Search results from Shodan

    There are even sites that offer streaming videos of publicly accessible cameras. A now-inaccessible Russian site took advantage of default usernames and passwords to access and upload camera feeds online. According to an article by CNN, the site featured streams from 4,600 cameras in the U.S. and thousands more in 100 countries. A quick online search revealed the existence of other, similar sites. There are even mobile apps that provide real-time streaming from cameras across the world.

    Figure 2. Camera feeds all over the world

    Managing Access

    Perhaps in direct response to this issue, the newer generation of security cameras usually provides some form of cloud management and/or viewing functions. Once configured, the camera communicates with the vendor’s cloud servers, allowing users to view the feed by logging into a web portal or by using mobile apps published by the vendor.

    In this set-up, the camera communicates with the vendor’s cloud servers only. Connections initiated from the Internet cannot reach the camera, as the home router blocks them. The camera is therefore better protected from activities like unauthorized remote viewing.

    Vendor and User Security

    Accessibility issues aside, another important issue for these cameras is data protection. Vendors should provide strong encryption for all data and video feeds from the device to the cloud servers to protect user privacy. However, we found that some popular camera brands are still lacking in their security implementation.

    For example, the screenshot below is a packet capture of a D-Link DCS-932L camera communicating with the D-Link cloud server. Certain traffic from the camera to the cloud servers is encrypted, but not all of it: there is still clear text communication over the Internet. Such an issue can only be addressed by the vendor, not by users.

    Figure 3. Clear text communication between server and camera

    The Importance of User Initiatives

    While some issues can only be addressed by camera vendors, this doesn’t mean that users should rely solely on the security features offered by the cameras. The existence of the live stream sites shows the importance of changing default login credentials and using strong usernames and passwords. Strong authentication should also be used for home networks, to avoid any unauthorized access. Users can also refer to our entry, Security Considerations for Consumers Buying Smart Home Devices, for a comprehensive discussion on buying smart devices.



    Our engineers were investigating a case involving a targeted attack when they came across a custom tool called vtask.exe. Once executed, vtask.exe hides Windows tasks in the current session. What’s curious about this attacker-created tool is that it appears to have been compiled in 2002—twelve years ago.

    A Look at Vtask

    The compile timestamp shows that Vtask is a tool written in Visual Basic (VB) and compiled in November 2002. We can imagine the situation 12 years ago: decompilers for VB programs were not available yet, which made analysis of this tool difficult.

    Vtask.exe requires an .OCX component generated by the old VB compiler. In this case, the required .OCX component is mshflxgd.ocx. A compiler is not necessary for Vtask to run, but the .OCX file is. It bears stressing that mshflxgd.ocx is a common library that other software may use as well. The presence of this component doesn’t automatically mean the computer also has Vtask.

    Vtask is not a rootkit, so it can only hide windows of executables, not processes. We can still see the processes running in the background via Task Manager.

    Hiding Running Tasks

    Vtask is used to hide the windows of executable programs. This tool is especially useful to the attacker when the targeted computer is not running a Windows Server version. Windows Server allows multiple users to log in, with each login getting its own desktop session, even if they use the same login credentials.

    If the targeted computer runs on Windows Server, the users will not be able to see the desktop of the attacker.

    Figure 1. Desktop before Vtask is launched

    Figure 2. Desktop after Vtask has launched

    However, if the computer runs on a platform other than Windows Server, only one user can be logged in at a time. Thus, when the user logs on, the attacker loses the view of the desktop. Vtask is used to automatically hide the ongoing tasks conducted by the attacker.




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice