Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2015
    S M T W T F S
    « Mar    
  • Email Subscription

  • About Us

    This month’s Patch Tuesday release appears moderately light compared with the previous month’s, with only 11 security bulletins with four rated ‘Critical’, while the rest are rated as ‘Important’. Microsoft addressed a total of 26 vulnerabilities this April.

    The critical security updates issued by Microsoft all deal with remote code execution (RCE) vulnerabilities. One of the updates rated as ‘Critical’ is MS15-033 or Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019) addresses flaws that could be exploited across several versions of Microsoft Office including Microsoft Word 2007, Microsoft Office 2010, Microsoft Word 2010 Microsoft Word Viewer, Microsoft Office Compatibility Pack, etc.

    A summary of our Patch Tuesday coverage for April 2015 is posted at our Threat Encyclopedia Page: April 2015 – Microsoft Releases 11 Security Advisories.

    Users and system administrators are strongly advised to issue the appropriate patches for these system vulnerabilities. Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities following DPI rules:

    • 1006609 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1652)
    • 1006610 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1657)
    • 1006611 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1659)
    • 1006612 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1660)
    • 1006613 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1661)
    • 1006614 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1662)
    • 1006615 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1665)
    • 1006616 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1666)
    • 1006617 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1667)
    • 1006618 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1668)
    • 1006623 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641)
    • 1006625 – Microsoft Office Component Use After Free Vulnerability (CVE-2015-1649)
    • 1006626 – Microsoft Office Component Use After Free Vulnerability (CVE-2015-1650)
    • 1006627 – Microsoft Office Component Use After Free Vulnerability (CVE-2015-1651)
    • 1006620 – Microsoft Windows HTTP.sys Remote Code Execution Vulnerability (CVE-2015-1635)
    • 1006619 – Microsoft Windows EMF Processing Remote Code Execution Vulnerability (CVE-2015-1645)
    • 1000552 – Generic Cross Site Scripting (XSS) Prevention
    • 1006628 – MSXML Same Origin Policy Security Bypass Vulnerability (CVE-2015-1646)
    • 1006629 – Microsoft Windows ASP.NET Information Disclosure Vulnerability (CVE-2015-1648)

    Solution for “Re-Direct To SMB” Vulnerability

    In addition to the DPI rules for this month’s Patch Tuesday, we are also issuing an update that addresses a newly-disclosed vulnerability that is said to affect 31 application from Adobe, Apple, Microsoft, among other software. More about this vulnerability known as the “Re-Direct To SMB” vulnerability can be found at this page: Vulnerability Note VU#672268 

    Trend Micro Deep Security and Vulnerability Protection protect user systems from this vulnerability through the following DPI rule:

    • 1006631 – Identified File Protocol Handler In HTTP Location Header
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    7:13 pm (UTC-7)   |    by

    2014 was a year in which we saw further refinements in targeted attack methodologies. As more organizations upgraded to newer versions of Windows, we saw the increased use of 64-bit malware in several campaigns. Examples of 64-bit malware include HAVEX, a remote access Trojan (RAT) used in a campaign that targeted industrial control systems (ICS), and WIPALL, the notorious malware behind the Sony Pictures hack.

    The move to newer versions of Windows also led to the abuse of legitimate tools/features in attacks. An example is Windows PowerShell®, a feature in versions for Windows 7 and higher that allows system administrators to access other features without the use of graphical user interfaces (GUIs). PowerShell commands were abused to download malicious files and bypass execution policies, which allowed the downloaded files to be executed.

    A document exploit template, detected as TROJ_MDROP.TRX, was found in several targeted attacks. This exploit was most likely sold and distributed underground because of its use in several campaigns. Threat actors could simply modify the exploit template to fit their intended payload.

    Based on our data, .RTF and .DOC files were the two most frequently used email attachments, most likely because Microsoft Word® is used in any organization.

    Figure 1. Most frequently used email attachment file types in targeted attacks in 2014

    Old and New Vulnerabilities in Attacks

    Several zero-day exploits were used in targeted attacks in 2014. For example, two Taidoor-related zero-day exploit attacks targeting CVE-2014-1761 hit government agencies and an educational institution in Taiwan, with a window of exposure of 15 days. Exploiting new vulnerabilities has been proven to be more effective because security vendors have yet to create patches. Zero-day exploits can catch vendors and victims alike unawares.

    The use of new vulnerabilities doesn’t mean that threat actors have done away with older ones. In fact, targeting old vulnerabilities also proved reliable because attackers can just use tried-and-tested exploits that may be easily bought.

    Despite being patched via MS12-027, CVE-2012-0158 remained a favored vulnerability for attackers. Additionally, it was the most exploited vulnerability used by targeted attacks in the first half of 2014. Two notable campaigns, PLEAD and Operation Pawn Storm, abused this vulnerability to infiltrate target networks.

    A Global Problem

    Government agencies remained the most favored attack targets in 2014. In the second half of the year, we saw a spike in the number of attacks that targeted hardware/software companies, consumer electronics manufacturers, and health care providers.

    We also determined the global distribution of targets accessing C&C servers. As shown in the heat map below, the United States, Russia, and China were no longer the only favored targets. Other targets included Taiwan, South Korea, France, and Germany.

    Figure 2. Top countries that communicated with targeted attack C&C servers in 2014 (click the image to enlarge)

    Keeping Up with Threats

    Given the increased volume of targeted attacks, ease of mounting them, and difficulty to protect against them, network defenders must be able to adapt a shift in mindset from prevention to detection. This means accepting that targeted attacks will eventually hit their networks; without an assurance that a suite of blacklisting technologies will be able to keep determined threat actors at bay.

    Building threat intelligence is crucial in the fight against targeted attacks. Knowledge of the tools, tactics, and procedures that threat actors use based on external reports and internal historical and current monitoring can help create a strong database of indicators of compromise (IoCs) that can serve as basis for action. But organizations shouldn’t limit themselves to simply knowledge of the attacks. Establishing and empowering incident response teams and training employees, partners, and vendors on social engineering and computer security can also help mitigate the risks involved with targeted attacks.

    For full details on our findings, you may read our Targeted Attack Trends: 2014 Annual Report.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    We have been able to identify a new point-of-sale (PoS) malware family that has affected more than 100 victim organizations in Brazil. We have dubbed this new malware family as “FighterPOS”. This name is derived from BRFighter, the tool used by the author to create this new threat. This one-man operation has been able to steal more than 22,000 unique credit card numbers.

    Its creator appears to have had a long history in carding, payment scams, and malware creation; in addition we believe that this malware author acted independently and without any accomplices or associates. FighterPOS is not cheap. It is currently priced at 18 bitcoins (currently worth around US$5,250). However, its control panel is well-designed and it supports a wide variety of features that may be useful to attackers.

    This blog post outlines the behavior of FighterPOS, with more technical details available in our paper entitled FighterPOS: The Anatomy and Operation of a New POS Malware Campaign.


    At first glance, the advertisement is not particularly unusual. What piqued our interest was the professional nature of the ad and the malware’s supported features.

    Figure 1. Advertisement selling FighterPOS
    (Click to enlarge)

    The control panel and malware is currently being sold for 18.3823 BTCs, or roughly US$5,250. While this may seem expensive, the opportunity to make that money back is relatively easy. The buyer could potentially resell each credit card received right away, or use it at a later time. If the buyer wants an additional executable and panel instance, the author charges an additional US$800.

    Figure 2. FighterPOS Control Panel

    The author, who went by the username cardexpertdev, clearly stated in the ad that the executable is not fully undetectable (FUD), stating that the individual will need to use a crypting service to ensure the malware is undetectable by antivirus scanners. This is common when PoS malware is created, and crypting services are traditionally required to bypass many defensive security controls.

    FighterPOS was not the only product related to credit card fraud that cardexpertdev was selling. He was also selling credit card numbers, EMV chip recorders, and other similar fraud-related products and tools to other cybercriminals.


    Data obtained from the C&C servers indicate that FighterPOS has infected approximately 113 PoS terminals, more than 90% of which were found in Brazil. Evidence of system infection in other countries, including the United States, Mexico, Italy, and the United Kingdom was also found.

    Figure 3. Distribution of FighterPOS-affected machines

    Together, the infected systems have sent 22,112 unique credit card dumps for a single month (late February to early April) to the FighterPOS operator. Many of the victims of FighterPOS are users of Linx MicroVix or Linx POS systems – both popular software suites in Brazil.

    FighterPOS Functionality

    The functionality of FighterPOS is similar to other PoS malware families we’ve seen in the past. It is capable of collecting credit card track 1, track 2, and CVV codes. The malware also contains a RAM scraping functionality, commonly seen in many PoS malware families. Additionally, its keylogger functionality allows the attacker to log all keystrokes on the infected terminal. The code for the RAM scraping functionality is similar to that found in NewPosThings.

    Two malware samples that gained our attention were IE.exe (MD5 hash: 55fb03ce9b698d30d946018455ca2809, detected as TSPY_POSFIGHT.SM) and IEx.exe (MD5 hash: 55fb03ce9b698d30d946018455ca2809), which both connect to the C&C server located at hxxp://

    Both of the samples are written in Visual Basic 6. Although Visual Basic 6 is considered outdated and antiquated, applications written in this language still work, even on fully patched systems.

    One may ask why a “new” PoS malware family is built on such an old platform as Visual Basic. We believe that this is because FighterPOS code is not entirely new. Instead, the vnLoader malware (designed for botnets) was modified to add PoS-specific features. It retains its botnet-oriented capabilities, which include:

    • Malware auto-update
    • File download and execution
    • Sending out credit card data
    • Sending out keylogged data
    • Layer 7 or layer 4 DDoS attacks

    The DDoS capability effectively turns this POS family into a very flexible and attractive tool for prospective buyers.


    FighterPOS is a full-featured piece of malware, carefully developed using strong encryption. It supports multiple ways to talk with its C&C infrastructure. Its keylogging capabilities allow for DDoS attacks and gaining full control of victim machines. We currently estimate that each infected machine sends back ten new credit card numbers to the attackers.

    We are continuously evaluating this threat, and are still performing research not only on the malware family, but also the C&C infrastructure. For endpoint monitoring and validation for possibly active infections, Trend Micro Deep Discovery Inspector can use indicators of compromise, C&C servers and sites listed below.

    Indicators of Compromise

    SHA1 MD5 Compile Time (UTC) Size (in bytes) DDI Detection
    b0416d389b0b59776fe4c4ddeb407239 2/4/2015 21:29 618,496 TSPY_POSFIGHT.SM
    e3db204be71efe8a41d949f2d3fdfa18 3/27/2015 23:01 618,496 TSPY_POSFIGHT.SM
    e29d9560b6fcc14290f411eed9f4ff4f 9/8/2014 17:37 143,360 HTTP Download Executable File
    55fb03ce9b698d30d946018455ca2809 2/10/2015 17:55 618,496 TSPY_POSFIGHT.SM
    6cb50f7f2fe6f69ee8613d531e816089 11/24/2014 17:21 178,688 TSPY_POSFIGHT.B
    e647b892e3af16db24110d0e61a394c8 3/4/2015 20:54 618,496 TSPY_POSFIGHT.SM
    7b011dea4cc53c1099365e0b5dc23558 2/21/2015 13:37 618,496 TSPY_POSFIGHT.SM
    af15827d802c01d1e972325277f87f0d 1/28/2015 12:06 614,400 TSPY_POSFIGHT.SM
    361b6fe6f602a771956e6a075d3c3b78 12/19/2014 0:53 581,632 TSPY_POSFIGHT.SM
    b99cab211df20e6045564b857c594b71 2/4/2015 16:37 618,496 TSPY_POSFIGHT.SM

    We have seen the following C&C servers and sites in use:

    • 69[dot]195[dot]77[dot]74
    • ctclubedeluta[dot]org
    • msr2006[dot]biz
    • sitefmonitor[dot]com
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    11:03 pm (UTC-7)   |    by

    The collaboration between Trend Micro, INTERPOL, Microsoft, Kaspersky Lab, and the Cyber Defense Institute resulted in a triumph for the security industry earlier this week: the takedown of the SIMDA botnet. Trend Micro provided information such as the IP addresses of the affiliated servers and statistical information about the malware used, which led to the disruption of the botnet activities.

    SIMDA, the Malware Behind the Botnet

    The botnet relies on the backdoor SIMDA for its operations. One notable feature of the malware is that it modifies HOSTS files, which redirects users to malicious sites whenever they try to access legitimate sites. Our research shows that the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics, as well as their regional counterparts: e.g., Yahoo Singapore, Bing Germany, etc. This shows that the botnet creator wanted to affect as many users as it can, on a global scale. Here’s a sample screenshot of a modified HOSTS file.

    Figure 1. Modified HOSTS file

    Figure 1. Modified HOSTS file

    Analysis also reveals that the malware collects information about the affected system. It also checks for the presence of certain processes, including those used for malware analysis. The latter could be seen as a detection precaution.

    Further research shows that the botnet activity spanned the globe. We found that the redirection servers were located in 14 countries, among which include the Netherlands, Canada, Germany, Russia, and the United States. Botnet victims were also scattered. Feedback from the Trend Micro™ Smart Protection Network™ lists at least 62 affected countries, including the United States, Australia, Japan, Germany, Italy, among others. Below is a visualization of the redirection servers located in several countries:

    Figure 2. Redirection IPs

    Figure 2. Redirection IPs

    (Click to enlarge)

    Botnets in the Threat Landscape

    Botnets have deep ties throughout the threat landscape. For most cybercriminals, creating a botnet is the precursor for other malicious activities. Botnets can be used to send spamperform distributed denial-of-service (DDoS) attacksperform click fraud, or attack targeted domains.

    For cybercriminals to launch these attacks, they need to be in constant communication with all their infected computers, whose numbers can reach the thousands and above. This is where command-and-control (C&C) servers come in. A C&C infrastructure allows cybercriminals to have a dedicated connection between themselves and their victim’s network. Our Global Botnet Map shows the connection between bots and C&C servers, highlighting the location of the C&C servers and the victimized computers they control.

    Botnets are harmful to users in two ways: they push threats to users and they force victims to be unwitting accomplices to malicious activities. Being part of a botnet means a user is no longer in control of his computer; the bot master can dictate what the infected computers can and will do.

    Addressing Botnets

    Cybercriminals employ different tricks to add more victims to their botnets. For example, they often take advantage of peer-to-peer (P2P) networks to distribute disguised malware. Spammed messages are another go-to method for adding more computers to their botnets.

    We advise users to be cautious when opening emails. Avoid opening emails and attachments from senders who are unknown or who cannot be verified. P2P networks aren’t inherently malicious but users should be aware that dealing with these sites can increase their chances of encountering malware. Users should also invest in a security solution that goes beyond simple malware detection; features such as spam detection and URL blocking can go a long way in protecting users from threats.

    We mentioned that SIMDA modifies HOSTS files as part of its redirection routines. There might be instances where the modified HOSTS files may remain even after detecting and removing SIMDA from the affected computer. The presence of these modified files might lead to further infections. We advise users to manually check HOSTS files and to remove any suspicious record in these files.

    Trend Micro protects users from the SIMDA botnet by detecting malware variants as BKDR_SIMDA.SMEP and BKDR_SIMDA.SMEP2, and other BKDR_SIMDA variants. TROJ_HOSIMDA.SM is the Trend Micro detection name for the modified HOSTS files. All associated URLs have been blocked as well. Non-Trend Micro customers may use Trend Micro Housecall for scanning.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    A malware that is being tied to the recent cyber attack in France is detected by Trend Micro as a variant of the NJWORM/Kjw0rm remote access Trojan (RAT). This malware (with the MD5 hash of 2962c44ce678d6ca1246f5ead67d115a), which we detect as VBS_KJWORM.SMA, is backdoor that may have been around since 2014.

    Ties to previous targeted attacks

    Our initial analysis showed that VBS_KJWORM.SMA was created by a hacking tool named Sec-wOrm 1.2 Fixed vBS Controller. This is a RAT generator that we detect as HKTL_KJWORM.

    It should be noted that the Kjw0rm family is already known to us; in January we had written about this family when it emerged from the NJWORM source code leak. Kjw0rm was found in the Arabic-language section of

    Figure 1. Sample screenshot of the RAT generator “Sec-wOrm 1.2 Fixed vBS Controller”. (SECWORM)
    Hat tip goes out to the Dev4dz forum

    Using data from the Trend Micro™ Smart Protection Network we found that VBS_KJWORM.SMA is observed in at least 12 countries in the past week, including South Africa and India. This is not surprising, since this malware is available in underground forums and can be used by anyone.

    This particular malware can be used as a backdoor into the infected system. In addition, the C&C server reportedly used in the attack has been tied to another backdoor, BKDR_BLADABINDI.C. Our investigation leads us to believe the actors behind Kjw0rm and BLADABINDI are the same.

    Further information from the Smart Protection Network suggests that other VBS malware variants are currently circulating in the wild. Four separate C&C servers (distinct from those used by NJWORM) were also found. These different samples, in turn, are connected to previous NJRAT/JENXCUS attacks. NJRAT has been tied to DUNIHI attacks in the Latin American region.

    Note: The SECWORM malware is a RAT derived from KJw0rm with some modifications and improvements. 

    Understanding the impact of a cyber attack on a company outage

    The massive cyber attack that hit the French TV5Monde television network this past April 9, according to reports, began at approximately 10:00 P.M. local time (4:00 P.M. Eastern time) , when 11 of their channels went off the air.

    In addition to this, TV5Monde’s website, company email, as well as their social media outlets came under attack. The network’s Facebook page was used to post propaganda messages allegedly from the Islamic State (ISIS). One of the network’s Twitter accounts was also accessed and posted messages against the United States and France, as well as issued threats to families of French soldiers. Copies of French soldiers’ IDs and passports were also published.

    It should be noted that the technical background of this attack is not yet clear. However, the RAT generator is currently available in several hacker forums and can be used by any threat actor. Therefore, one does not need a lot of technical skill to use it.

    Trend Micro solutions

    Trend Micro detects all related malware at the endpoint level. In addition, Trend Micro products block connections to C&C servers for these malware.

    At the network level,Trend Micro is able to proactively detect these threats. Trend Micro Deep Discovery is able to detect VBS-based malware, providing additional protection to organizations facing these kinds of attacks today.


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice