    Author Archive - Trend Micro

11:03 pm (UTC-7) | by

    The collaboration between Trend Micro, INTERPOL, Microsoft, Kaspersky Lab, and the Cyber Defense Institute resulted in a triumph for the security industry earlier this week: the takedown of the SIMDA botnet. Trend Micro provided information such as the IP addresses of the affiliated servers and statistical information about the malware used, which led to the disruption of the botnet activities.

    SIMDA, the Malware Behind the Botnet

The botnet relies on the backdoor SIMDA for its operations. One notable feature of the malware is that it modifies HOSTS files, which redirects users to malicious sites whenever they try to access legitimate sites. Our research shows that the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics, as well as their regional counterparts (e.g., Yahoo Singapore, Bing Germany). This shows that the botnet creator wanted to affect as many users as possible, on a global scale. Here’s a sample screenshot of a modified HOSTS file.

    Figure 1. Modified HOSTS file

Analysis also reveals that the malware collects information about the affected system. It also checks for the presence of certain processes, including those used for malware analysis. The latter can be seen as a precaution against detection and analysis.

Further research shows that the botnet activity spanned the globe. We found that the redirection servers were located in 14 countries, including the Netherlands, Canada, Germany, Russia, and the United States. Botnet victims were also scattered. Feedback from the Trend Micro™ Smart Protection Network™ lists at least 62 affected countries, including the United States, Australia, Japan, Germany, and Italy, among others. Below is a visualization of the redirection servers located in several countries:

    Figure 2. Redirection IPs

    Botnets in the Threat Landscape

Botnets have deep ties throughout the threat landscape. For most cybercriminals, creating a botnet is the precursor for other malicious activities. Botnets can be used to send spam, perform distributed denial-of-service (DDoS) attacks, perform click fraud, or attack targeted domains.

    For cybercriminals to launch these attacks, they need to be in constant communication with all their infected computers, whose numbers can reach the thousands and above. This is where command-and-control (C&C) servers come in. A C&C infrastructure allows cybercriminals to have a dedicated connection between themselves and their victim’s network. Our Global Botnet Map shows the connection between bots and C&C servers, highlighting the location of the C&C servers and the victimized computers they control.

    Botnets are harmful to users in two ways: they push threats to users and they force victims to be unwitting accomplices to malicious activities. Being part of a botnet means a user is no longer in control of his computer; the bot master can dictate what the infected computers can and will do.

    Addressing Botnets

    Cybercriminals employ different tricks to add more victims to their botnets. For example, they often take advantage of peer-to-peer (P2P) networks to distribute disguised malware. Spammed messages are another go-to method for adding more computers to their botnets.

    We advise users to be cautious when opening emails. Avoid opening emails and attachments from senders who are unknown or who cannot be verified. P2P networks aren’t inherently malicious but users should be aware that dealing with these sites can increase their chances of encountering malware. Users should also invest in a security solution that goes beyond simple malware detection; features such as spam detection and URL blocking can go a long way in protecting users from threats.

    We mentioned that SIMDA modifies HOSTS files as part of its redirection routines. There might be instances where the modified HOSTS files may remain even after detecting and removing SIMDA from the affected computer. The presence of these modified files might lead to further infections. We advise users to manually check HOSTS files and to remove any suspicious record in these files.
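The manual HOSTS check recommended above can be automated. The following is an added example (not Trend Micro's code or tooling) that parses a HOSTS file and flags any entry mapping the brands named in this post, or their regional counterparts, to a non-local address; the sample file content and the 198.51.100.x addresses are constructed for illustration.

```python
import ipaddress
import platform

# Brand labels the post names as SIMDA targets. Matching on the label rather
# than the full domain also catches regional variants such as bing.de or
# sg.yahoo.com. Placeholder list: extend it for your own environment.
WATCHED_LABELS = ("facebook", "bing", "yahoo", "google-analytics")

# Constructed sample, modelled on the kind of modified HOSTS file described.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid      # ad-blocker style entry, harmless
198.51.100.23   www.facebook.com facebook.com
198.51.100.23   sg.yahoo.com
198.51.100.24   bing.de www.google-analytics.com
"""

def _is_local(addr: str) -> bool:
    """Loopback and unspecified addresses are normal in a HOSTS file."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def suspicious_hosts_entries(hosts_text: str) -> list:
    """Return (line_no, address, hostname) for every watched brand name that
    the HOSTS file pins to a non-local address (a SIMDA-style redirection)."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if _is_local(addr):
            continue
        for name in names:
            if any(label in WATCHED_LABELS for label in name.lower().split(".")):
                findings.append((line_no, addr, name))
    return findings

if __name__ == "__main__":
    path = (r"C:\Windows\System32\drivers\etc\hosts"
            if platform.system() == "Windows" else "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for entry in suspicious_hosts_entries(fh.read()):
            print("line %d: %s -> %s" % entry)
```

Run it on the live file to list redirections; on the constructed sample it reports the five brand entries and ignores the loopback and 0.0.0.0 lines.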

    Trend Micro protects users from the SIMDA botnet by detecting malware variants as BKDR_SIMDA.SMEP and BKDR_SIMDA.SMEP2, and other BKDR_SIMDA variants. TROJ_HOSIMDA.SM is the Trend Micro detection name for the modified HOSTS files. All associated URLs have been blocked as well. Non-Trend Micro customers may use Trend Micro Housecall for scanning.

Posted in Botnets

A malware that is being tied to the recent cyber attack in France is detected by Trend Micro as a variant of the NJWORM/Kjw0rm remote access Trojan (RAT). This malware (with the MD5 hash 2962c44ce678d6ca1246f5ead67d115a), which we detect as VBS_KJWORM.SMA, is a backdoor that may have been around since 2014.

    Ties to previous targeted attacks

    Our initial analysis showed that VBS_KJWORM.SMA was created by a hacking tool named Sec-wOrm 1.2 Fixed vBS Controller. This is a RAT generator that we detect as HKTL_KJWORM.

    It should be noted that the Kjw0rm family is already known to us; in January we had written about this family when it emerged from the NJWORM source code leak. Kjw0rm was found in the Arabic-language section of

    Figure 1. Sample screenshot of the RAT generator “Sec-wOrm 1.2 Fixed vBS Controller”. (SECWORM)
    Hat tip goes out to the Dev4dz forum

    Using data from the Trend Micro™ Smart Protection Network we found that VBS_KJWORM.SMA is observed in at least 12 countries in the past week, including South Africa and India. This is not surprising, since this malware is available in underground forums and can be used by anyone.

    This particular malware can be used as a backdoor into the infected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind Kjw0rm and BLADABINDI are the same.

    Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM) were also found. These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region.

    Note: The SECWORM malware is a RAT derived from KJw0rm with some modifications and improvements. 

    Understanding the impact of a cyber attack on a company outage

The massive cyber attack that hit the French TV5Monde television network this past April 9, according to reports, began at approximately 10:00 P.M. local time (4:00 P.M. Eastern time), when 11 of their channels went off the air.

    In addition to this, TV5Monde’s website, company email, as well as their social media outlets came under attack. The network’s Facebook page was used to post propaganda messages allegedly from the Islamic State (ISIS). One of the network’s Twitter accounts was also accessed and posted messages against the United States and France, as well as issued threats to families of French soldiers. Copies of French soldiers’ IDs and passports were also published.

    It should be noted that the technical background of this attack is not yet clear. However, the RAT generator is currently available in several hacker forums and can be used by any threat actor. Therefore, one does not need a lot of technical skill to use it.

    Trend Micro solutions

    Trend Micro detects all related malware at the endpoint level. In addition, Trend Micro products block connections to C&C servers for these malware.

At the network level, Trend Micro is able to proactively detect these threats. Trend Micro Deep Discovery is able to detect VBS-based malware, providing additional protection to organizations facing these kinds of attacks today.


Posted in Targeted Attacks

OpenSSL said last Tuesday, March 17, that they planned to release several code fixes to address a number of vulnerabilities, including some classified as “high” severity. Speculation had been building around these vulnerabilities, as reports hinted that the bug could be “the next Heartbleed.”

    The fix was released today, two days after their announcement. Today’s security bulletin noted that the following just-released versions are all secure:

    • OpenSSL version 1.0.2a (addresses CVE-2015-0209, CVE-2015-0285, and CVE-2015-0288)
    • OpenSSL version 1.0.1m (addresses CVE-2015-0288)
    • OpenSSL version 1.0.0r (addresses CVE-2015-0288)
    • OpenSSL version 0.9.8zf (addresses CVE-2015-0288)

    According to the OpenSSL advisory, these versions are now available for download via HTTP and FTP from the following master locations: and

    Server administrators should update their versions of OpenSSL to the appropriate versions, depending on what they have installed.
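To help with that check, here is an added example (not from the OpenSSL project or the original post) that compares the output of `openssl version` against the fixed release for each branch listed above. It assumes the `openssl` binary is on PATH; the per-branch fixed letters come from the version list in this post.

```python
import re
import subprocess

# Fixed release letter per branch, as listed in the advisory summarised above.
FIXED = {"1.0.2": "a", "1.0.1": "m", "1.0.0": "r", "0.9.8": "zf"}

_VER_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")

def parse_version(text: str):
    """Extract (branch, letters) from e.g. 'OpenSSL 1.0.1k 8 Jan 2015'."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    return m.group(1), m.group(2)

def letters_key(letters: str) -> tuple:
    """OpenSSL letter releases run a..z and then za, zb, ..., so ordering the
    code points as a tuple sorts them correctly: '' < 'a' < 'z' < 'za' < 'zf'."""
    return tuple(ord(c) for c in letters)

def is_patched(version_text: str):
    """True if at or above the fixed release for its branch, False if older,
    None when the branch is not covered by this advisory."""
    branch, letters = parse_version(version_text)
    if branch not in FIXED:
        return None
    return letters_key(letters) >= letters_key(FIXED[branch])

def installed_version() -> str:
    # Assumption: an `openssl` binary is available on PATH.
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    ver = installed_version()
    verdict = {True: "patched", False: "UPDATE NEEDED",
               None: "branch not covered by this advisory"}[is_patched(ver)]
    print(ver.strip(), "->", verdict)
```

Distribution packages often backport fixes without bumping the upstream letter (e.g. a vendor build reporting 1.0.1k may already contain the fix), so treat a negative result as a prompt to check the package changelog rather than as proof of exposure.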

    OpenSSL is one of the most commonly used implementations of Secure Sockets Layer (SSL) (also known as “transport layer security” or TLS), which is the backbone of secure Internet communications today. SSL/TLS allows for communications between computers to be encrypted, preventing traffic from being eavesdropped by attackers. This is essential for any transaction online that requires secrecy and integrity.

    OpenSSL is widely available for various Unix-like operating systems (such as Linux and Mac OS X), so any vulnerability could put many secure communications at risk.

    We will update this blog post with solutions deployed by Trend Micro Deep Security.

Posted in Bad Sites

A study conducted around June last year revealed a malware-based fraud ring that infiltrated one of Brazil’s most popular payment methods, the Boleto Bancário, or simply the boleto. While the research and analysis was already published by RSA, we’ve recently discovered that this highly profitable fraud is still out in the wild and remains an effective way for cybercriminals to commit online banking theft in Brazil.

    The boleto malware campaign had a reported potential loss of US$3.75 billion. The recent detections we found comprise malicious Mozilla Firefox and Google Chrome extensions cleverly installed in victims’ machines. Spammed messages with fake threats of debt that must be paid to governments are used to get users to install these extensions.

    What is a “boleto”?

    The boleto (or “ticket” in English) is a type of payment slip that serves as a method of payment in Brazil regulated by the Brazilian Federation of Banks (FEBRABAN). Each boleto has a printed bar code and number associated with the person’s bank account, among other details. For instance, when users shop online, they may opt to use the boleto method of payment instead of credit cards and direct money transfers. If users decide to choose the boleto payment method, the shopping website generates a payment slip with a bar code that users can view, copy, or print in order to issue the payment. Here’s an example of a boleto.

    Figure 1. Example of a boleto for R$934.23 (Brazilian Real). The bar code matches the number on the top. Both can be used to pay the boleto. Other items in the boleto include the person’s full name and phone number.

    The use of the boleto payment method isn’t limited to online shopping websites. Government fees, car and house taxes, and almost any kind of payment can also be paid using it. It is a very common payment method in Brazil, a country where 18% of total bank transactions take place online.

    How does the boleto infection take place?

    To give an overview about how the infection takes place, here’s a diagram that shows how the attack plays out starting from the users receiving spammed messages to money ending up with the money mules.

    Boleto fraud attack flow



    2014 was a year where cybercriminal attacks crippled both likely and unlikely targets. A year rife with destructive attacks, 2014 proved to be a difficult one for individuals and companies who were victimized by these threats.

    Massive data breach disclosures came one after another in 2014 in much more rapid succession than past years. The Sony Pictures breach in December, along with the other big breaches of the year illustrated the wide spectrum of losses that can hit a company that has failed to secure its network.

    Point-of-sale (PoS) RAM scrapers were almost a cybercrime staple in 2014, as several high-profile targets lost millions of customer data to attackers. The Ponemon Institute reports a significant increase in the cost of stolen records in 2014 from the previous year, which shows that using PoS RAM scrapers to target retailers is a thriving business. For the entire 2014 we observed that most PoS malware hit retailers in the United States, followed by Canada and the United Kingdom.

Software and platforms previously considered secure proved otherwise in 2014; this was made evident by the high-profile vulnerabilities Heartbleed and Shellshock that affected Linux systems. Security holes were also found in various commercial software like Windows®, Adobe®, and Java™ all throughout the year.

    Figure 1. Timeline of Major Zero-Day Vulnerabilities in 2014

    Online banking was still a major problem for last year. Operation Emmental added to this growing problem and proved that two-factor authentication was no longer enough to secure sensitive transactions. According to data from the Trend Micro™ Smart Protection Network™, we observed around 145,000 computers infected by online banking malware by the tail end of 2014. Mobile users were also hit by online banking threats with as much as 2,069 mobile banking/financial malware seen in 3Q alone.


Ransomware made the headlines early in the year with CTB-Locker infections, but we’ve been seeing ransomware victimize users all throughout 2014. While traditional ransomware like REVETON and RANSOM dominated 2013 with a 97% share, crypto-ransomware took the stage in 2014, as its share rose to 27.35%.

Threat actors and cybercriminal economies continued to thrive last year. With Operation Pawn Storm, threat actors used next-level spear-phishing tactics to obtain the email credentials of primarily military, embassy, and defense contractor personnel from the United States and its allies.

    2014 also saw campaigns like Regin target victims in Belgium and Plead in Taiwan.

    As cybercrime becomes more attractive to the unscrupulous and as targeted attack campaigns become much easier to mount, the pressure to reassess the breadth and quality of cybersecurity investments must only intensify.

    For more details about these and other security threats in 2014, check our security roundup titled Magnified Losses, Amplified Need for Cyber-Attack Preparedness.


