
    Adobe may have already patched a Flash Player vulnerability last week, but several users—especially those in the US, Canada, and the UK—are still currently exposed and are at risk of getting infected with CryptoWall 3.0. The Magnitude Exploit Kit included an exploit, detected as SWF_EXPLOIT.MJTE, for the said vulnerability, allowing attackers to spread crypto-ransomware into their target systems. We first saw signs of this activity yesterday, June 15, through our monitoring of threat intelligence from the Trend Micro™ Smart Protection Network™.

    This particular vulnerability, identified as CVE-2015-3105, was fixed as part of Adobe’s regular June Update for Adobe Flash Player which upgraded the software to version However, many users are still running the previous version (, which means that a lot of users are still at risk.

    As of this week, these are the top 10 countries most affected by this threat:

    1. United States
    2. Canada
    3. UK
    4. Germany
    5. France
    6. Australia
    7. Italy
    8. Turkey
    9. India
    10. Belgium

    Ongoing Exploit Problem

    This is another example of how cybercriminals rapidly take advantage of recently-patched vulnerabilities through exploit kits. We saw a similar incident in March, where exploits for an Adobe Flash Player vulnerability were added to the Nuclear Exploit Kit just a week after the patch was released. We also noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that shows no sign of changing soon.

    Figure 1. Flash version used in testing

    The SWF sample we acquired is heavily obfuscated using secureSWF, and uses two shaders for the actual exploit code.

    Figure 2. Shaders used in exploit code

    Widely used exploit kits such as Magnitude are often kept up to date with exploits for newly patched vulnerabilities. Our research on these tools reveals that Magnitude is one of the exploit kits most used by cybercriminals, along with SweetOrange and Angler.

    CryptoWall is another notable threat in and of itself. We initially saw CryptoWall last year spreading through spam, and again later this year partnering with the information-stealing malware FAREIT.

    Figure 3. Ransomware demand page

    Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates. Meanwhile, the Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite blocks the exploit once the user accesses the URL where it is hosted. Browser Exploit Prevention protects against exploits that target browsers or related plugins.

    We recommend that users stay up-to-date with the latest Flash Player version, and this incident is an excellent reminder of just how important it is to do so. We also note that Google Chrome automatically updates its own included version of Flash Player.

    The malicious Adobe Flash exploit is detected as SWF_EXPLOIT.MJTE. Below is its SHA1:

    • 16ad317b7950c63720f9c7937a60ee3ea78cc940

    With additional analysis by Brooks Li and Joseph C Chen

    Update as of June 16, 2015, 8:30 A.M. PST:

    We have updated the entry to include the detection name for the exploit.


    Windows XP reached end of support last year and now it’s time for another end of life—Windows Server 2003. On July 14, 2015, this widely deployed Microsoft operating system will reach its end of life—a long run since its launch in April 2003. Estimates on the number of still-active Windows Server 2003 users vary from 2.6 to 11 million.

    But this new end of life will raise a whole new set of challenges. Unlike Windows XP, Windows Server 2003 is a server operating system. While Windows XP is used in home PCs and enterprise workstations/laptops, Windows 2003 offers a deeper attack surface across enterprise servers. Windows Server 2003 is (still) widely deployed for core business functions as Directory Server, File Server, DNS Server, and Email Server. Organizations depend on it to run critical business applications and support their internal services like Active Directory, File Sharing, and hosting internal websites.

    When support ends for Windows Server 2003, there won’t be a mechanism to keep it up to date, which is critical in preventing security issues. Typically, security issues would be resolved by regular support for an operating system, which involves:

    • Getting security updates to protect against vulnerabilities
    • Getting regular support on almost any issue with the product
    • Getting non-security updates, i.e., the ‘regular’ bug fixes

    Understanding the risk

    End of life for an operating system—specifically for Windows Server 2003—means the beginning of a lot of effort for your IT department. Organizations like yours must prepare to deal with missing security updates, compliance issues, fighting malware, and other non-security bugs. You will no longer receive patches for security issues or notifications of vulnerabilities. And you will no longer know when there are vulnerabilities that affect your servers.

    At the time of launch, Windows 2003 was a much safer alternative to Windows 2000. Over time, it became clear that it had its own share of vulnerabilities. CVE Details notes that organizations with Windows Server 2003 faced close to 403 vulnerabilities, with 27% of them being remote code execution vulnerabilities. Without notifications to help monitor and measure the risk associated with these vulnerabilities, you may be left facing a big hole in your server security.

    To understand the risk further, let’s see how a similar situation played out for Windows 2000, which reached its end of support on July 13, 2010. There have been several vulnerabilities reported in other versions of Windows operating systems since then. But how many of them affected Windows 2000? One example would be the vulnerability MS10-061, which did affect Windows 2000. It should be noted that there was no security patch for it.

    Unfortunately, you could be facing a similar situation for Windows Server 2003. After July 14, you will no longer be notified of new vulnerabilities and there will no longer be any notifications or patches available to help protect your systems. But you can still take action to keep your out-of-date systems secure before it’s too late. Now is the time for serious planning and careful risk assessment.

    What should system administrators do?

    Migrating to a more recent operating system is definitely the preferred option. But many organizations may face a number of barriers to timely migration—constraints such as limited budget, lack of technical expertise, and reliance on legacy applications.

    Knowing that many organizations will delay migration, attackers will be actively looking for valuable data on out-of-support servers. To prevent intrusions, you need to assess the risk of the data residing on those servers. You need to determine whether the data is secured by itself. If not, you need to ensure advanced security controls are in place. The security capabilities that will best help you to maximize protection of your Windows Server 2003 environment include intrusion prevention system, integrity monitoring, and anti-malware solutions.

    How can Trend Micro help?

    Trend Micro Deep Security uses a combination of the best technologies to protect all of your servers, whether they are out of support or not. Trend Micro Intrusion Prevention System uses virtual patching to help you protect against vulnerabilities in your operating system and in applications running on those servers. It also helps to keep malware off your servers using the power of the Trend Micro Smart Protection Network (SPN) to share critical information.

    Finally, Deep Security helps you monitor any suspicious system changes to your servers using their integrity monitoring capabilities. You can rest easy knowing that you have maximum protection for your end-of-life servers until you can migrate to newer platforms.

    Stay up to date on vulnerabilities and learn more about how Trend Micro can help protect your organization.


    This month’s Patch Tuesday can be considered lighter than last month’s, with only eight security bulletins released for June. Of the eight, two are considered Critical while the remaining are rated Important.

    Just like last month, there is a critical, cumulative update for Internet Explorer. MS15-056 aims to resolve vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. According to the bulletin, the patch addresses the vulnerabilities by:

    • Preventing browser histories from being accessed by a malicious site
    • Adding additional permission validations to Internet Explorer
    • Modifying how Internet Explorer handles objects in memory

    The first bullet point above is worth paying attention to. Previously, it was possible for an attacker who lured a victim to a malicious (or compromised) web site to access the user’s browser history. Obviously, many users would find this disclosure somewhat troubling. This vulnerability has now been patched, and there are no indications it was exploited in the wild.

    The second critical update addresses a vulnerability found in Windows, specifically Windows Media Player (MS15-057). The vulnerability could allow remote code execution if a specially crafted file is opened in Windows Media Player. The remaining six patches address vulnerabilities that affect several Windows components, Microsoft Office, and Microsoft Exchange Server.

    More information about these bulletins and their corresponding Trend Micro solutions is posted at our Threat Encyclopedia page: June 2015 – Microsoft Releases 8 Security Advisories.

    Update for Adobe

    Adobe has also released a security update (APSB15-11) for Adobe Flash Player for Windows, Macintosh, and Linux. According to Adobe, the updates “address vulnerabilities that could potentially allow an attacker to take control of the affected system.”

    We urge users to patch their endpoints and servers as soon as possible. Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:

    • 1006657-Adobe Flash Player Remote Integer Overflow Vulnerability (CVE-2014-0569) – 2
    • 1006745-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1687)
    • 1006747-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1730)
    • 1006748-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1731)
    • 1006749-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1732)
    • 1006751-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1735)
    • 1006752-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1736)
    • 1006753-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1737)
    • 1006755-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1740)
    • 1006756-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1741)
    • 1006757-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1742)
    • 1006758-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1744)
    • 1006759-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1745)
    • 1006760-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1747)
    • 1006761-Microsoft Internet Explorer Elevation Of Privilege Vulnerability (CVE-2015-1748)
    • 1006762-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1750)
    • 1006763-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1751)
    • 1006764-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1752)
    • 1006765-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1753)
    • 1006766-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1755)
    • 1006767-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1766)
    • 1006769-Microsoft Office Use After Free Vulnerability (CVE-2015-1759)
    • 1006770-Microsoft Office Use After Free Vulnerability (CVE-2015-1760)
    • 1006771-Microsoft Office Uninitialized Memory Use Vulnerability (CVE-2015-1770)
    • 1006772-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3096)
    • 1006773-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3098)
    • 1006774-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3099)
    • 1006775-Adobe Flash Player Remote Code Execution Vulnerability (CVE-2015-3100)
    • 1006776-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3102)
    • 1006777-Adobe Flash Player Use After Free Vulnerability (CVE-2015-3103)
    • 1006778-Adobe Flash Player Integer Overflow Vulnerability (CVE-2015-3104)
    • 1006779-Adobe Flash Player Out Of Bound Write Vulnerability (CVE-2015-3105)
    • 1006780-Adobe Flash Player Use After Free Vulnerability (CVE-2015-3106)
    • 1006781-Adobe Flash Player Memory Corruption Vulnerability (CVE-2015-3108)
    • 1006782-Microsoft Windows HTML Application Denial Of Service Vulnerability

    A critical Mac vulnerability was discovered by OS X security researcher Pedro Vilaca last week. According to his research, any attacker can disable the BIOS lock just by taking advantage of a flaw in Apple’s S3 sleep state (better known as ‘standby mode’) suspend-resume implementation. Once an attacker does this, he can install bootkit malware onto a Mac BIOS without the user’s knowledge.

    This can be a major issue for Mac owners since the vulnerability gives attackers unfettered access to their device. Since a bootkit loads before the operating system (OS), attackers can use it to bypass passwords and other security measures. What makes things worse is that bootkit malware cannot be removed or cleaned even after users reinstall their OS.

    Mac attack

    We tested out this issue on several MacBook models (specifically the 2012 MacBook Pro, 2011 MacBook Air, among others) and found out that the attack is easily replicable. The issue cannot be recreated in newer models like the 2013 MacBook Pro; it’s likely that the vulnerability has been fixed on newer systems. (Apple has yet to officially acknowledge the vulnerability at this time.)

    However, it should be noted that while this threat is possible at this time, no web-based attack has been demonstrated yet. No attack has been seen in the wild, either. For now, this is an interesting proof-of-concept (POC). In the future, if a bootkit were to be successfully installed, an attacker could take complete control of an affected system.

    A (brief) technical overview

    Here is a possible attack scenario:

    Figure 1. FLOCKDN is mistakenly cleared

    The key point is that the flash lockdown (FLOCKDN) bit found in the HSFSTS SPI MMIO register, along with some BIOS region protection registers, is mistakenly cleared after one cycle of S3 sleep and resume, so that the EFI/BIOS flash can be maliciously re-flashed to keep a persistent presence in the Mac as a bootkit.
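    A defender-side check in the spirit of the register described above, added here as an example that is not part of the original post or of Vilaca’s research: it decodes SPI register snapshots taken before and after a suspend/resume cycle and reports whether the BIOS region is still write-locked. The bit layout (FLOCKDN as bit 15 of HSFSTS, the PRx protected-range format) is assumed from Intel PCH datasheets and must be verified for the chipset in question; the BIOS region bounds and the snapshot values are constructed, not measured on a real Mac.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (Intel PCH datasheets); verify for your chipset. */
#define HSFSTS_FLOCKDN  (1u << 15)                /* flash configuration lock-down */
#define PR_WPE          (1u << 31)                /* PRx: write protection enable */
#define PR_BASE(v)      (((v) & 0x1FFFu) << 12)   /* PRx bits 12:0, 4 KB units */
#define PR_LIMIT(v)     (((((v) >> 16) & 0x1FFFu) << 12) | 0xFFFu) /* bits 28:16 */
#define NUM_PR          5

struct spi_snapshot {
    uint16_t hsfsts;       /* HSFSTS register value */
    uint32_t pr[NUM_PR];   /* PR0..PR4 protected range registers */
};

/* Constructed BIOS region: upper 3 MB of an 8 MB flash part. */
#define BIOS_BASE   0x00500000u
#define BIOS_LIMIT  0x007FFFFFu

/* True when every byte of [base, limit] falls inside some write-protected
 * PRx range (ranges may be split, so sweep from base until limit is reached). */
static bool region_write_protected(const struct spi_snapshot *s,
                                   uint32_t base, uint32_t limit)
{
    uint32_t cur = base;
    for (int iter = 0; iter <= NUM_PR; iter++) {
        bool advanced = false;
        for (int i = 0; i < NUM_PR; i++) {
            uint32_t v = s->pr[i];
            if (!(v & PR_WPE) || PR_BASE(v) > cur || PR_LIMIT(v) < cur)
                continue;
            if (PR_LIMIT(v) >= limit)
                return true;
            cur = PR_LIMIT(v) + 1;   /* continue past this range */
            advanced = true;
        }
        if (!advanced)
            return false;            /* a gap in coverage */
    }
    return false;
}

/* Locked only if FLOCKDN is set (PRx cannot be rewritten) AND the BIOS
 * region is fully write-protected by the PRx registers. */
static bool flash_locked(const struct spi_snapshot *s, uint32_t base, uint32_t limit)
{
    return (s->hsfsts & HSFSTS_FLOCKDN) && region_write_protected(s, base, limit);
}

/* Constructed snapshots: before S3 the lock is in place; after resume the
 * bug described above has cleared FLOCKDN and the protected range. */
static const struct spi_snapshot before_s3 = { 0x8000, { 0x87FF0500u, 0, 0, 0, 0 } };
static const struct spi_snapshot after_s3  = { 0x0000, { 0, 0, 0, 0, 0 } };

int main(void)
{
    printf("before S3: %s\n", flash_locked(&before_s3, BIOS_BASE, BIOS_LIMIT) ? "locked" : "UNLOCKED");
    printf("after S3:  %s\n", flash_locked(&after_s3, BIOS_BASE, BIOS_LIMIT) ? "locked" : "UNLOCKED");
    return 0;
}
```

    Run it once before suspending and once after resuming on a machine you administer (reading the real registers needs chipset-specific MMIO access, which this example deliberately leaves out) and compare the two verdicts.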

    The typical attack vector would be as follows:

    Figure 2. Imagined remote attack for UEFI/BIOS Bootkit


    Trend Micro Discovers and Protects against MalumPoS

    We first discovered MalumPoS, a new attack tool that threat actors can reconfigure to breach any PoS system they wish to target. Currently, it is designed to collect data from PoS systems running on Oracle® MICROS®, a platform popularly used in the hospitality, food and beverage, and retail industries.

    Oracle claims that MICROS is used in 330,000 customer sites worldwide. The bulk of the companies using this platform is concentrated in the United States. If successfully deployed by a threat actor, this PoS RAM scraper could put several high-profile US-based companies and their customers at risk.

    In general, PoS RAM scrapers like MalumPoS are designed to scrape credit card data from an infected system’s RAM. Every time the magnetic stripe of a credit card is swiped, the malware can steal stored data such as the cardholder’s name and account number. This data can then be exfiltrated and used to physically clone credit cards or, in some cases, commit fraudulent transactions like online purchases.

    MalumPoS was designed to be configurable. This means that in the future, the threat actor can change or add other processes or targets. He can, for example, configure MalumPoS to include Radiant or NCR Counterpoint PoS systems to its target list. With that inclusion, companies running on those systems will also be at risk.

    Other Notable Features

    Compared to other PoS RAM scrapers we’ve seen in the past, this particular MalumPoS threat shows a few interesting characteristics:

    • NVIDIA disguise: Once installed in a system, MalumPoS disguises itself as the “NVIDIA Display Driver” or, as seen below, stylized to be displayed as “NVIDIA Display Driv3r”. Although typical NVIDIA components play no important part in PoS systems, their familiarity to regular users may make the malware seem harmless.

    Figure 1: Installed service of MalumPOS

    • Targeted systems: Aside from Oracle MICROS, MalumPoS also targets Oracle Forms, Shift4 systems, and those accessed via Internet Explorer. Looking at the user base of these listed platforms, we can see that a major chunk is from the US.
    • Selective credit card scraping: MalumPoS uses regular expressions to sift through PoS data and locate pertinent credit card information. We have seen an older PoS threat called Rdasrv demonstrate the same behavior. In the case of MalumPoS, it selectively looks for any data on the following cards: Visa, MasterCard, American Express, Discover, and Diners Club.

    As stated earlier, MalumPoS is configurable so a threat actor can still change or add to this current list of targeted systems and credit card targets.

    A more comprehensive analysis of MalumPoS, including the indicators and YARA rules, can be found in our MalumPoS technical brief.

    Recommendations and Solutions

    Trend Micro now detects all binaries pertinent to this threat. If you have endpoint monitoring software like Trend Micro Deep Discovery Endpoint Sensor or Smart Protection Suites, we are also providing a YARA rule that you can use to look for any related indicators. Again, you can find this in our technical brief.

    To see how you can further enhance your security posture, please read Defending Against PoS RAM Scrapers: Current Strategies and Next-Gen Technologies. In addition, specific solutions such as whitelisting may be of value in these situations.

    With additional analysis by Kenney Lu and insights by Numaan Huq and Kyle Wilhoit.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice