
    Steganography will only become more popular, especially among the more industrious malware groups out there. For an attacker, the ability to hide stuff in plain sight is like peanut butter on chocolate: it makes their favorite thing even better.

    In the first two entries of this series, we explored which steganographic techniques are used by attackers to keep malware from being detected, and how they are used to hide command-and-control (C&C) commands, as well as executable code. This time, we’ll discuss the impact of steganography use in the future.

    But first, let me call out several things that came out in the last couple of weeks:

    1. Banking Trojan uses Pinterest as a C&C communication channel – Again, this is not purely steganography, but this is an interesting case since it shows how cybercriminals will try to use common yet unexpected traffic as communication channels. In this case, the banker client is just reading comments in certain pins and decoding them to get the botmaster’s commands.
    2. Janicab Trojan uses YouTube comments as C&C communication channel – This one is self-explanatory. It’s so similar to the previous one that they might even belong to the same criminals, except that this doesn’t have any clear ties with South Korea. Who knows, perhaps steganography is in fashion in the Far East?
    3. Operation Tropic Trooper downloads executable images embedded in image files – This is similar to what we talked about in the last two blog posts of this series, with the main difference being that steganography was used in a targeted attack against organizations sitting in very specific geographical areas. This goes to show that all sorts of attackers are using the very techniques we’ve been discussing here. And the more they do so, the more popular these techniques get. You can get more information on Operation Tropic Trooper in our white paper.

    So when is steganography especially useful for attackers?

    The full impact of steganography use is most felt in targeted attacks. By definition, these kinds of attacks aren’t widespread, and because of their narrow focus it may take researchers some time to discover any new techniques used. In a sense, we can think of steganography use in a targeted attack as a zero-day vulnerability: the longer it stays undiscovered, the more useful it is to the attacker. In the case of an actual zero-day vulnerability, it’s also more damaging to the victim.

    Until then, what can we researchers do to try and find new unknown steganographic attacks in the wild?

    The main weakness of steganography in malware is that the “client” software—the part that looks for the data that’s being concealed in unexpected places—is public. And with cybercriminals trying to spread their malware far and wide, it will eventually fall into the hands of good guys like me and other researchers. At that point, it is only a matter of whether or not the researcher knows where and how to look, decode, and decrypt the data. In essence, steganography only helps the malware stay undetected until security researchers get a sample.

    By their very design, these techniques hide stuff in unexpected places. Therefore, we researchers must look in data files and data streams for stuff that’s out of place. Double-checking for protocol messages that are longer than usual, trying to find extraneous encoded data, or even applying machine learning rules to network trace datasets can all be starting points.
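One concrete way to "look for stuff that's out of place" in a data file, added here as an example and not code from the original post: a PNG chunk walker that flags the three carriers the post's earlier entries describe in images, namely bytes appended after the IEND chunk (which decoders ignore), private chunk types outside the specification, and chunks whose CRC no longer matches their payload (a sign the image was edited after the fact). The sample image, the `stEg` chunk name and the trailer are constructed for the example.

```python
"""Added example: flag out-of-place data in PNG files (appended trailers,
non-standard chunks, CRC mismatches). Not code from the original post."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME", "eXIf",
}
# Constructed trailer appended after IEND in the sample file below.
TRAILER = b"constructed-trailing-data"


def make_chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def scan_png(blob):
    """Walk the chunk list and report anything that should not be there."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "nonstandard": [], "bad_crc": [], "text_bytes": 0, "trailing": 0}
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8].decode("latin-1")
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[pos + 8:pos + 8 + length]
        stored_crc, = struct.unpack(">I", blob[pos + 8 + length:end])
        report["chunks"].append((ctype, length))
        if zlib.crc32(ctype.encode("latin-1") + data) & 0xFFFFFFFF != stored_crc:
            report["bad_crc"].append(ctype)        # payload edited without fixing the CRC
        if ctype not in STANDARD_CHUNKS:
            report["nonstandard"].append(ctype)    # private chunk: a common carrier
        if ctype in ("tEXt", "zTXt", "iTXt"):
            report["text_bytes"] += length         # metadata chunks hold arbitrary text
        pos = end
        if ctype == "IEND":
            break
    report["trailing"] = len(blob) - pos           # decoders ignore bytes after IEND
    return report


def suspicious(report):
    """True when any indicator fires; tune per image source to limit false positives."""
    return bool(report["nonstandard"] or report["bad_crc"] or report["trailing"])


def sample_png(tamper=False):
    """Constructed 1x1 grayscale PNG carrying a private 'stEg' chunk and a trailer."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")            # filter byte + one pixel
    hidden = make_chunk(b"stEg", b"constructed hidden payload")
    if tamper:                                   # flip a payload byte, keep the old CRC
        hidden = hidden[:8] + bytes([hidden[8] ^ 0xFF]) + hidden[9:]
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
            + hidden + make_chunk(b"IEND", b"") + TRAILER)


if __name__ == "__main__":
    for tamper in (False, True):
        print("tampered" if tamper else "intact", scan_png(sample_png(tamper)))
```

The same walk works on a stream of images pulled from a proxy log; the `text_bytes` counter is there because legitimate text chunks are the other usual hiding place, and an unusually large one relative to the image size is worth the same scrutiny as a private chunk.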

    None of this is easy, and we may even receive the malware sample before we spot the hidden data stream. However, if we never try, we will never know. This is my bottom line: searching regular data and trying to find irregularities or anomalies is the only way to beat the attackers. This may not seem doable (or even worth our time) but it’s certainly a good challenge to tackle. Improvements in available algorithms may help in reducing the burden down the road.

    You can check the previous 2 parts of this blog series here:


    9:10 am (UTC-7)

    For the past couple of days the security industry has been discussing claims that the systems of a commercial aircraft were “hacked” via the on-board in-flight entertainment (IFE) system. This became public after media outlets obtained a search warrant which revealed that the Federal Bureau of Investigation had applied for a search warrant targeting Chris Roberts, a researcher looking into airplane security. The warrant alleged that Roberts could “hack” the IFE systems of various commercial planes and had issued what he called the “CLB” or climb command. At the time of this warrant, Roberts had made the following tweet:

    This led to Roberts being escorted off his flight and various electronic items (including his iPad, his laptop, and various USB keys) being seized.

    Reaction from both the security and aviation communities was swift. Some viewed Roberts’s actions as unethical. Many were upset that Roberts had chosen to perform his “attack” on a plane during an actual commercial flight. The veracity of his claims was doubted by many as well, and this was a reaction shared by many in the aviation community.

    What do I think happened? I don’t think he hacked into the airplane’s critical systems. Other technical factors aside, he was on the plane. Unless we’re supposed to believe he was some sort of suicide hacker, he would probably not want to cause any actual harm.

    Security research should be carried out in a controlled environment. We’ve carried out research into AIS systems, and we are currently carrying out research into in-car systems. We did not start out right away with real-life boats. For our car research, we rented cars and started out in parking lots, gradually making the environment more closely resemble real-world environments. (We are now working with the car manufacturer in question.) Doing any actual “tests” in a scenario without the consent of the parties concerned (such as the airline or other passengers) is not the way to go about this.

    Of course, sometimes vendors do not respond well to researchers who want to work with them. When we were conducting our own AIS research, we were rebuffed because Trend Micro is not a country, and the organization in question only dealt with member countries. We went ahead and publicized our research anyway, and now the first organizations have taken action and switched to encrypted AIS to protect themselves against the threats we talked about.

    The reaction to this incident reminds me of earlier days in software security, when companies were reluctant to admit that their products could contain vulnerabilities, and when security through obscurity was viewed as a proper defense. The responses of the FBI (shutting down the research) and of airplane/IFE manufacturers (refusing to disclose details) are natural ones. Adding security costs real money, and vendors are reluctant to spend resources that they do not have to.

    Whatever you think of Roberts and what he did or didn’t do, the fact is that the topic of airplane security is now out in the open. Like any other system, there are bugs somewhere in this system; no human-built system is 100% error-free. It will be up to governments and regulators to force vendors (both of airplanes and IFE systems) to move beyond simple security-through-obscurity and demonstrate that existing systems are secure, and to fix any vulnerabilities that do come to light. Who knows, perhaps the systems that are in place have been designed in a robust and secure manner and do a good job of keeping attackers out. Until the mindset changes, though, we can’t be 100% sure.

    If you think this is only relevant to aviation, you’re wrong. It just happens to be one of the most visible aspects of the computerization of everything, what others would call the Internet of Things. Other sectors will have to deal with their own challenges soon enough, and the quicker we learn how to do just that, the better it turns out for everybody.


    Best practices are failing. No matter how good you are at sticking to them, they can no longer guarantee your safety against the simplest threats we saw last quarter. Malicious advertisements are in the sites you frequent, data-leaking apps come preinstalled in your gadgets, and data-encrypting malware runs silently in your office networks. Even the macro threats that were supposedly long gone are now back in the wild. Today’s threats leave zero room for error.

    For instance, we saw a surge in malvertisements—pesky online ads users normally consider more annoying than dangerous. But at the start of the year, we found that bad guys have found various ways to abuse these advertising platforms to deploy malware. These malicious advertisements, displayed on legitimate websites, exposed users to zero-day exploits. Even if these users followed good security practices like visiting only trusted sites and patching their software, they would still have been infected, since the malvertisements were displayed on reliable sites and used zero-days.

    Figure 1. Malvertisements redirected victims to sites that automatically infected their computers with various kinds of malware such as BEDEP and ROZENA.

    In the same vein, critical security issues were found in Superfish, an ad-related browser add-on pre-installed in consumer-grade Lenovo laptops. Considering that this add-on was pre-installed—making it invasive by default—Superfish also had the capability to alter search results based on users’ browsing histories. What made Superfish more alarming, however, was that it was not securely designed. This created opportunities for bad guys to launch man-in-the-middle attacks.

    The uptick in macro malware last quarter, on the other hand, proved that we can’t let old threats slip out of our minds just yet. The number of macro malware in Microsoft® Word files more than doubled since the last quarter of 2014. This showed a clear trend in cybercriminals’ weapons of choice.

    Figure 2. The number of macro malware infections has been constantly increasing since the first quarter of 2014. This could be attributed to the release of new variants and the rise in number of spam carrying malicious-macro-laden attachments.

    Targeted Attacks and Breaches Ramp Up Tools and Targets

    Operation Pawn Storm, an ongoing economic and political cyber-espionage operation, exploited vulnerable iOS™ devices to infiltrate target networks. The use of mobile malware isn’t new, but Pawn Storm was the first to target iOS devices.

    Both the retail and healthcare industries were hit hard with data breaches last quarter. PoS malware attacks remained prominent threats to retailers, while health care service providers such as Premera Blue Cross and Anthem experienced data breaches that exposed nearly a hundred million customer and employee records combined.

    Is Security Fated to Rely on Luck?

    When thinking about security, there are always loopholes to consider, especially if the threats aren’t within your control. Threat communications manager Christopher Budd reiterates this in the case of malvertisements:  “More than any other threat, malvertisements can hurt people even when they’re doing all the right things. Malvertisements can affect people who don’t click links, have fully updated security solutions, and only go to trusted sites. In short, there’s no amount of caution that can protect you from malvertisements, just luck.”

    The best defense, in light of all this, is to equip yourself with the right threat intelligence and keep adjusting the way you implement security. Traditional best practices may no longer work, but if they continue to evolve with today’s threats, you may still have a fighting chance.

    Read our 1Q 2015 Security Roundup here.


    Companies risk losing all their customers if they continue neglecting their app store presence. While malicious mobile apps do bring serious security concerns to the fore (70% of top free apps have fake and mostly malicious versions in app stores), companies and developers also face another challenge in the form of copycats.

    For a company that needs to maintain an official mobile app on Google Play, fake or impostor apps can mean trouble for both their credibility and revenue. For users, the impact is similar, although on a more personal level. If users get fooled into downloading these apps, it can eventually lead to information theft, reputation damage, and overall dissatisfaction with the company’s brand and service.

    Companies that maintain official apps in app stores like Google Play have a big role to play in minimizing the risk of their users installing fake apps. By properly establishing their identity and their apps, they can greatly help their users sort out the real apps from the fake ones. For example: ideally, all apps are released under one developer, as is the case for the various Trend Micro apps:

    Figure 1. Trend Micro apps on Google Play

    However, we have noticed that some organizations are not able to do this. Instead, multiple developers all publish various versions of official apps.

    Figure 2. Various banking apps with different developer names

    Why is this the case? Android requires that all apps should be signed (even with a self-signed certificate). Large organizations will, of course, have different teams responsible for developing different apps. Different private keys may be used to sign any created apps, even if they are consolidated under one account. Furthermore, different accounts may be used to upload the apps, even if they’re all related to the same company.

    The practice can cause confusion among users (as seen in Figure 2), where it is not clear which is the official account. Even if the apps are consolidated under one account, outside of the Google Play store there is no way to tell whether these apps are legitimate or not (since the certificate is what identifies the author). This can cause confusion about whether an app is legitimate in third-party stores.

    For developers, the main impact here is that their customers might not be able to properly identify their app, and they may lose potential install base. For users, however, this can turn into a big risk, since it makes it harder to spot “legitimate” versions of the app (e.g., the developer name used might not make it clear who published the app). In addition, if the user checks what other apps were published by a specific developer, there may be no other apps to be found. In and of themselves, these traits are not necessarily bad; however, malicious apps can share them as well.

    How do we know who is faking it?

    Companies need to ensure that they properly identify themselves as the credible source for their apps. It is not extraordinarily difficult for organizations to adopt proper key management to allow all apps released to be signed by one key: many large companies are able to do exactly this. The solution is to implement proper key management practices; the IT department of a large organization should be capable of arranging this correctly. Ideally, all official apps should be signed by one certificate, tied to one developer account.

    For consumers, this has one benefit: all apps from an organization would show up as from one developer in Google Play, as well as in third-party app stores. With official apps properly identified, users can more easily spot fake apps and avoid inadvertently downloading them. This protects them from various problems such as information theft.
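Because the signing certificate is what identifies an app's author outside Google Play, the "one key, one account" policy above can be checked mechanically. The following is an added example, not code from the original post or from Google: it pulls the signer certificate out of an APK's v1 (JAR) signature file (`META-INF/*.RSA`, `.DSA` or `.EC`, a PKCS#7 SignedData blob) with a minimal DER walker, computes the SHA-256 digest over the DER certificate (the same value `apksigner verify --print-certs` reports), and then audits an organization's list of apps for more than one key or account. The certificates, package names and developer accounts are constructed placeholders; the example assumes a v1 signature is present, and APKs signed only with scheme v2/v3 keep the signer in the APK Signing Block instead.

```python
"""Added example: v1 signer certificate fingerprints from APKs and a one-key audit.
Not code from the original post or from Google/Android."""
import hashlib
import io
import zipfile

SIGNED_DATA_OID = bytes.fromhex("2A864886F70D010702")   # 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2A864886F70D010701")          # 1.2.840.113549.1.7.1


def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, inner value, raw TLV bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, nxt = der_read(value, pos)
        yield tag, inner, value[pos:nxt]
        pos = nxt


def der_encode(tag, value):
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value


def signer_certificate(pkcs7):
    """Raw DER of the first certificate inside a PKCS#7 SignedData blob."""
    _, content_info, _ = der_read(pkcs7)
    oid, wrapper = list(der_children(content_info))[:2]
    if oid[0] != 0x06 or oid[1] != SIGNED_DATA_OID:
        raise ValueError("not a PKCS#7 signedData structure")
    _, signed_data, _ = der_read(wrapper[1])            # [0] EXPLICIT -> SEQUENCE SignedData
    for tag, certs, _ in der_children(signed_data):
        if tag == 0xA0:                                 # [0] IMPLICIT certificates
            tag0, _, raw = next(der_children(certs))
            if tag0 != 0x30:
                raise ValueError("unexpected certificate encoding")
            return raw
    raise ValueError("SignedData carries no certificate")


def cert_sha256(cert_der):
    """Hex SHA-256 over the DER certificate, the digest apksigner prints."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_v1_signer_fingerprint(src):
    """src: path, file object or bytes of an APK carrying a v1 signature."""
    if isinstance(src, bytes):
        src = io.BytesIO(src)
    with zipfile.ZipFile(src) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                return cert_sha256(signer_certificate(z.read(name)))
    raise ValueError("no v1 signature block found")


def audit_signers(inventory):
    """inventory: (package, developer_account, signer_sha256) for the apps an
    organization claims. The goal from the post is one key under one account."""
    by_key = {}
    for pkg, account, fp in inventory:
        by_key.setdefault(fp, set()).add((pkg, account))
    accounts = {acct for _, acct, _ in inventory}
    return {"keys": len(by_key), "accounts": len(accounts), "by_key": by_key,
            "consistent": len(by_key) == 1 and len(accounts) == 1}


# --- constructed sample data: no real certificates, keys or apps ---
def sample_certificate(serial=1):
    """Stand-in for an X.509 certificate: SEQUENCE { INTEGER serial }."""
    return der_encode(0x30, der_encode(0x02, bytes([serial])))


def sample_pkcs7(cert):
    signed_data = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x31, b"")
                             + der_encode(0x30, der_encode(0x06, DATA_OID))
                             + der_encode(0xA0, cert) + der_encode(0x31, b""))
    return der_encode(0x30, der_encode(0x06, SIGNED_DATA_OID) + der_encode(0xA0, signed_data))


def sample_apk(serial=1):
    """Minimal zip holding only the v1 signature file, enough for the fingerprint path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", sample_pkcs7(sample_certificate(serial)))
    return buf.getvalue()
```

Run over a folder of an organization's own release APKs (or APKs pulled from a third-party store claiming the brand), `audit_signers` reports how many distinct keys and accounts are in play; a result other than one and one is exactly the Figure 2 situation. The same per-package fingerprint can be pinned on the user side, which is how a store or a security app tells an official build from a repackaged one.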

    For now, we strongly advise users to be careful in choosing which app to download. Checking all details related to the app — developer name, rating, reviews — can help identify fake apps. Additionally, installing a security app such as the Trend Micro Mobile Security and Antivirus can detect fake apps and prevent them from getting installed.


    As a result of the increase in cyber-attacks launched by nation-states, cybercriminals, hacktivist groups and other entities, it has become increasingly important to understand the ecosystem of hardware, O/S, software, and services that are used in each organization’s network, including the data/telemetry that is collected and sent outside the organization’s network.

    This problem is especially magnified with the emergence of the Internet of Things (IoT), which is turning “heterogeneous networks” into “super-heterogeneous networks” of intelligent devices.

    Figure 1. Corporate network then (L) vs the corporate network now (R): The Internet of Things (IoT) is turning “heterogeneous networks” into “super-heterogeneous networks” of intelligent devices

    Lifecycle Management

    In the past, IT personnel have had to manage the deployment life cycle of a seemingly diverse array of PCs, notebooks, smartphones, tablets, printers, routers, etc., within their business environment.

    This includes initial configuration, adaptation/optimization, updating, and securing these devices over their deployment lifetime. Several decades ago, the word “heterogeneous” was used to describe networks with a “mind-boggling” variety of largely PCs, notebooks, routers, printers, etc.

    Now consider that this same task must be done to an increasingly more diverse “super-heterogeneous” collection of intelligent devices that will have a broader diversity based on several different factors such as an organization’s industry and region.

    Device Discovery

    Consider the possibility that there will not only be coordinated smart device deployments on the corporate network, but also arbitrary deployments of devices by employees – Bring Your Own Thing (BYOT).

    Just as many have traditionally deployed their own routers or printers within their office environment, employees may arbitrarily deploy other, less traditionally understood smart devices on the organization’s network. At first glance, it may not be entirely clear what these devices actually do: the benefits they bring vs. the perils.

    Knowing about the existence of a smart device deployed on a corporate network will be an increasing challenge for an IT administrator. This is because, beyond having a basic Media Access Control (MAC) address, many smart devices today don’t have a common way to identify themselves on the network. Due to the current lack of standardization for identifying these devices, a series of methods will be needed to properly identify each individual device. Historically, Nmap has proven useful for this task, but tracking down the physical location of a device will be a challenge in many cases, due to the lack of device discovery information available, along with possible challenges visually identifying the device due to its form factor.
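Since a MAC address is often all a smart device offers, the first practical step is to turn a scan into an inventory keyed on it. The following is an added example, not code from the original post: it parses Nmap's XML output (`nmap -oX`), collects MAC, vendor, hostname and open ports per host, and classifies each host by its MAC OUI against a list of vendors IT has approved, so devices that neither identify themselves nor match an approved vendor surface for follow-up. The scan data, addresses, vendor names and approved OUI list are constructed placeholders, not a real OUI registry.

```python
"""Added example: Nmap XML -> device inventory with OUI-based classification.
Not code from the original post; all sample data is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes with -oX; addresses and vendors are invented.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:AA:BB:01" addrtype="mac" vendor="PlaceholderPrinterCo"/>
    <hostnames><hostname name="print-2f.corp.example" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.41" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:07" addrtype="mac"/>
    <hostnames/>
    <ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
           <port protocol="tcp" portid="1883"><state state="open"/><service name="mqtt"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.77" addrtype="ipv4"/>
    <address addr="DE:AD:BE:EF:00:01" addrtype="mac" vendor="PlaceholderCam"/>
    <hostnames><hostname name="cam-lobby" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port></ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.99" addrtype="ipv4"/></host>
</nmaprun>
"""

# OUI prefixes the IT team has approved (placeholder values).
MANAGED_OUIS = {"00:11:22": "PlaceholderPrinterCo"}


def parse_hosts(xml_text):
    """Collect ip, mac, vendor, hostname and open ports for every host that is up."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        entry = {"ip": None, "mac": None, "vendor": None, "hostname": None, "open_ports": []}
        for a in h.findall("address"):
            if a.get("addrtype") == "mac":
                entry["mac"], entry["vendor"] = a.get("addr"), a.get("vendor")
            else:
                entry["ip"] = a.get("addr")
        name = h.find("hostnames/hostname")
        if name is not None:
            entry["hostname"] = name.get("name")
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is not None and state.get("state") == "open":
                svc = p.find("service")
                entry["open_ports"].append(
                    (int(p.get("portid")), svc.get("name") if svc is not None else None))
        hosts.append(entry)
    return hosts


def classify(host, managed_ouis=MANAGED_OUIS):
    """managed: approved OUI; unidentified: neither vendor nor name; unknown: the rest."""
    oui = host["mac"][:8].upper() if host["mac"] else None
    if oui in managed_ouis:
        return "managed"
    if not host["vendor"] and not host["hostname"]:
        return "unidentified"
    return "unknown"


def inventory(xml_text, managed_ouis=MANAGED_OUIS):
    """Return {classification: [ip, ...]} for one scan, for the administrator to act on."""
    out = {"managed": [], "unknown": [], "unidentified": []}
    for host in parse_hosts(xml_text):
        out[classify(host, managed_ouis)].append(host["ip"])
    return out


if __name__ == "__main__":
    print(inventory(SAMPLE_NMAP_XML))
```

Diffing two consecutive inventories is what catches the "Bring Your Own Thing" case: a new MAC in the `unidentified` bucket is a device that arrived without anyone registering it, and its open ports (an unauthenticated MQTT broker on 1883, a camera's RTSP on 554) are the first hint of what it is before someone has to find it on a shelf.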

    Knowing about Device Problems

    Knowing about issues related to specific brands and models of IoT devices is critical. An IT administrator will need to be more proactive about monitoring additional sources of information about smart devices deployed across their network, including but not limited to government entities (e.g., CERTs), hacker forums and organizations, industry groups, media, and manufacturer web sites.

    Availability of Updates

    Once a problem is known, the next challenge is how to correct the issue. For instance, if a firmware update is needed, how to obtain it?

    Currently, there are no “Patch Tuesday” bulletins or “Windows Update” notifications available for IoT devices. These relatively well organized schedule and deployment instruments were implemented only after years of pain, along with a mass of complaints from affected organizations. Due to the variety of device manufacturers, an IT administrator will need to spend more time tracking down and downloading available firmware updates.

    How to Apply Updates and Policy Changes

    Once you know there is a problem with a smart device, the next step is how to apply the solution (if one exists). Consider that there may be several thousand of these affected devices deployed across the organization’s global network. Given that many smart devices have their own proprietary way to apply firmware updates and policies, evolved tools will be needed to perform this patching and policy correction on smart devices en masse. In addition, we can assume many devices will have limitations as to how much “policy” can be applied. For instance, you might need to change the hostname of a smart device so that it conforms to an IT policy, or eases identification and manageability. The device may or may not let you do this.

    Data Collection and Transmission

    Another issue is the collection and transmission of data from the organization. Most smart devices include some form of communication with their manufacturer and possibly other providers.
    There are several ways that devices collect data about the organization’s day-to-day operations. For instance, a motion sensor on a thermostat may collect telemetry about the presence of people in an office.

    Another example might be devices that listen for “hot words” and have the ability to distinguish between different voices and, possibly, people. The company that manufactures this device, along with their partners that may also have access to this data, can monetize or trade this refined “data revenue”. More significantly, this telemetry can be used as part of a coordinated attack on a company.

    It’s important to understand what type of data is being transmitted outside of the organization, and whether or not it is properly encrypted. Additionally, these devices use new types of protocols that allow them to be accessed more easily from outside the organization. Monitoring systems within an organization might sound alarm bells when this communication is attempted, since it may vary from what is considered to be normal. This may in turn also trigger automatic blocks or lockdowns as networks and systems act to protect themselves.
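Answering "what is being transmitted, where, and is it encrypted" per device is a policy comparison once flow records exist. The following is an added example, not code from the original post: it takes connection records exported from a firewall or flow collector, looks up a per-device policy derived from the manufacturer's documentation (which destinations the device should talk to and how much it should send), and flags destinations outside that list, well-known cleartext protocols, and volumes above the expected baseline. The flow records, MAC addresses, destination networks and policy values are constructed placeholders.

```python
"""Added example: review smart-device egress against documented behaviour.
Not code from the original post; flows, devices and policy are constructed."""
import ipaddress

# Constructed flow records, one per device connection (e.g. a firewall export).
FLOWS = [
    {"mac": "AA:BB:CC:00:00:07", "dst": "203.0.113.10", "dport": 8883, "proto": "tcp", "bytes": 4200},
    {"mac": "AA:BB:CC:00:00:07", "dst": "203.0.113.10", "dport": 1883, "proto": "tcp", "bytes": 900},
    {"mac": "AA:BB:CC:00:00:07", "dst": "198.51.100.77", "dport": 443, "proto": "tcp", "bytes": 120000},
    {"mac": "DE:AD:BE:EF:00:01", "dst": "192.0.2.5", "dport": 443, "proto": "tcp", "bytes": 3000},
    {"mac": "DE:AD:BE:EF:00:01", "dst": "192.0.2.5", "dport": 80, "proto": "tcp", "bytes": 512},
]

# Per-device policy taken from the vendor's documentation (placeholder values).
POLICY = {
    "AA:BB:CC:00:00:07": {"name": "thermostat", "allowed_nets": ["203.0.113.0/24"], "max_bytes": 10000},
    "DE:AD:BE:EF:00:01": {"name": "lobby-camera", "allowed_nets": ["192.0.2.0/24"], "max_bytes": 10000},
}

# Ports whose usual protocol carries data unencrypted; 8883 (MQTT over TLS) is absent on purpose.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}


def check_flow(flow, policy):
    """Return the findings for one flow; an empty list means it matches the device's policy."""
    device = policy.get(flow["mac"])
    if device is None:
        return ["device not in policy"]
    findings = []
    dst = ipaddress.ip_address(flow["dst"])
    if not any(dst in ipaddress.ip_network(net) for net in device["allowed_nets"]):
        findings.append("undocumented destination %s" % flow["dst"])
    if flow["dport"] in CLEARTEXT_PORTS:
        findings.append("cleartext protocol %s" % CLEARTEXT_PORTS[flow["dport"]])
    if flow["bytes"] > device["max_bytes"]:
        findings.append("volume %d exceeds expected %d" % (flow["bytes"], device["max_bytes"]))
    return findings


def review(flows, policy):
    """Group findings by device name so the administrator reads one list per device."""
    report = {}
    for flow in flows:
        name = policy.get(flow["mac"], {}).get("name", flow["mac"])
        for finding in check_flow(flow, policy):
            report.setdefault(name, []).append("%s:%d %s" % (flow["dst"], flow["dport"], finding))
    return report


if __name__ == "__main__":
    for device, items in review(FLOWS, POLICY).items():
        print(device)
        for item in items:
            print("  ", item)
```

The policy is the part that takes effort: it has to be rebuilt after each firmware update, which is the point the post makes about data collection changing over time. Keeping the allowed networks and baseline volume in a file next to the device inventory, and rerunning this review after every update, turns that into a routine check instead of a surprise from the monitoring system.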

    Typically, attacks against cloud infrastructure are popular as they can yield a high amount of “data revenue”. Organizations need to consider how secure their device-collected data is in the manufacturer’s or their partners’ cloud. What if the manufacturer or one of their partners goes out of business—what happens to this data? Will it be scrubbed, sold to another organization, or will it end up lying in an arbitrary bay of servers at a computer auction?

    For more information, refer to my previous post titled Is Your Data Safe In The Internet of Everything?.
    Over time, the device must be regularly updated to assure continued operation. How does the collection and transmission of the data change with each update? This is a time consuming process, but needs to be understood.

    Spying in the Workplace

    IoT empowers more covert spying within the workplace through the emergence of an increasingly diverse range of inconspicuous, Internet-connected monitoring devices. Though these highly consumer-friendly devices have been built with the best intentions, they can very easily be deployed, controlled, and monitored via a smartphone or tablet for nefarious purposes.

    Some examples are:

    1. Placing an inconspicuous-looking home environment monitor, or even a baby monitor on a shelf within a conference room to listen in, watch, or record a confidential meeting
    2. Deploying a series of activity sensors on doors & windows in strategic locations within the workplace to monitor employee presence and activities
    3. Deploying a power line-based Ethernet extender to make the corporate Ethernet network accessible via a power outlet in an external area such as a parking lot that is subject to less physical monitoring

    It is critical for the IT personnel to be able to fully identify new devices on their network, and understand the implications.

    Aside from security-specific issues, the overall increase in the diversity of devices on the corporate network will also bring additional unforeseen administrative burdens on IT staff, such as the need to replace batteries in devices on a regular basis. These issues are further discussed in the Administrator of Things.

    A more user-friendly and diverse “super-heterogeneous” range of devices with more permutations of hardware, OS, software, and cloud platforms means more work, more frequently, is required to continue to protect the organization.

    Device visibility and intelligence are crucial to empower IT staff to proactively protect their organization from the additional risks incurred by the deployment of smart devices across their organization’s network.

    Organizations need to weigh the value being delivered by the new technology vs. the costs required to use it, and the risks that it brings to their organization. The knowledge gained from this process will help to continually evolve the existing IT policy to properly accommodate IoT devices.

    For some key security considerations for IoT devices, please refer to our guide titled What to Consider When Buying a Smart Device.
    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice