Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    July 2014
    S M T W T F S
    « Jun    
  • About Us

    In the previous part of this post, we explained what the “smartification” of the home is, why people are adopting it, and looked into some of the factors that can influence how people choose to add home automation into their daily lives.

    What are some additional factors that influence whether smart devices are accepted into homes?

    Replacement of Existing Equipment

    As existing devices and appliances in the home need replacement, homeowners may choose to replace these with smart devices. Of course, users may not actually use the “smart” features of the equipment, at least not initially.

    “Keeping things dumb” is a valid security consideration for a consumer that ultimately can’t or won’t make use of the features provided by smart devices, or doesn’t want to bother with the ongoing need to administer and maintain a security infrastructure for their home.

    The reason is that they would be increasing the attack surface of their home, without a corresponding perceived benefit. However, all this means that devices which have a shorter life cycle are more likely to become “smart” compared to more durable, long-lasting devices.

    Broadband Provider Bundles

    In many cases, broadband providers not only provide Internet access but phone and TV services as well. As consumers renew their contracts, many will increasingly be enticed into adding smart home services to their existing contracts. Examples of these in the United States include Time Warner’s IntelligentHome, AT&T’s Digital Life, and Verizon Home Control. All these offers include products for the smart home that covers automation, security and energy efficiency.

    This means that users who may not have even thought of acquiring smart devices in the past may find themselves buying these products: after all, it’s now just a small part of the bigger bundle they pay for.

    Tangible Benefits and Ease of Use

    One of the biggest factors in determining whether smart technology is adopted or not is whether it delivers needed or wanted benefits to consumers. Broadly speaking, devices and gadgets fall into somewhere along the following continuum when it comes to perceived benefits:

    Figure 1. Sliding scale of perceived benefits

    I won’t give examples of the “nice to have” and “unused gizmos”, since many of us have drawers full of items that would qualify in these categories. Some products can be considered a “fundamental enhancement” – i.e., something that significantly improves an existing experience. Examples include remote monitoring camera, thermostat, automatic lighting, or smart TVs.

    Others can be “mission critical” and provide completely new services to consumers, such as doctor-prescribed health monitoring or security devices.

    Of course, beyond any classification based on benefits, any device that does not provide simplistic and reliable operation in the hands of the average consumer may also become, simply put, useless.

    Regional and Cultural Mindset

    Local factors – such as the regional and cultural mindset of consumers – will be a significant factor in determining whether smart devices succeed or fail in individual markets. Different regions may come to different conclusions about the trade-off between the value of smart devices and their possible consequences. Factors such as culture, religion and way of life may come into play.

    In addition, the role of smart devices in potential cyber-attacks from other nation-states may cause consumers to become aware and opinionated about where there devices come from – and may judge the acceptance of smart devices accordingly. Politics may play a key role in whether the smart home is accepted in different countries.


    The combination of all of these factors will influence how quickly smart devices will proliferate in homes around the world. This will influence how the threat landscape surrounding smart devices evolves; market decisions today will influence the threats of tomorrow. In addition, other technical factors may influence this as well. We will be monitoring this market for threats, and will discuss them in future posts.

    Stay tuned for our upcoming Threat Intelligence Resource – Internet of Everything hub, which will provide the latest updates and information about the Internet of Everything.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    12:49 pm (UTC-7)   |    by

    The recent introduction of ransomware in the mobile threat landscape was followed by a new development: the usage of TOR to hide C&C communication.

    In our analysis samples we now detect as AndroidOS_Locker.HBT, we found that this malware  shows a user interface that notifies the user that their device has been locked down, and that they need to pay a ransom of 1000 rubles to unlock it. The interface also states that failure to pay would result in the destruction of all data in the mobile device.

    Examples of apps we’ve seen display this routine are found in third-party app stores, bearing names such as Sex xonix, Release, Locker, VPlayer, FLVplayer, DayWeekBar, and Video Player. Non-malicious apps with these names are available from various app stores.

    Here is the warning shown to the user, which is in Russian:

    Figure 1. Warning to user (Click to enlarge)

    Here is a rough translation of the warning:

    For downloading and installing software nelitsenzionnnogo your phone has been blocked in accordance with Article 1252 of the Civil Code of the Russian Federation Defence exclusive rights.

     To unlock your phone pay 1000 rubles.

     You have 48 hours to pay, otherwise all data on your phone will be permanently destroyed!

     1. Locate the nearest terminal payments system QIWI

     2. Approach to the terminal and choose replenishment QIWI VISA WALLET

     3. Enter the phone number 79660624806 and press next

     4. Window appears comment – then enter your phone number without 7ki

     5. Put money into terminal and press pay

     6. Within 24 hours after payment is received, your phone will be unlocked.

     7. So you can pay via mobile shops and Messenger Euronetwork

     CAUTION: Trying to unlock the phone yourself will lead to complete full lock your phone, and the loss of all the information without further opportunities unlock.

    The user will be asked to pay to account 79660624806/79151611239/79295382310 by QIWI or 380982049193 by Monexy within 48 hours. This UI will also keeping popping out, thus preventing the user from being able to use their device properly. At the same time, files on device (both in internal and external storage) with following format are encrypted:

    • jpeg
    • jpg
    • png
    • bmp
    • gif
    • pdf
    • doc
    • docx
    • txt
    • avi
    • mkv
    • 3gp
    • mp4

    While the above-mentioned routines are typical of ransomware, we found that it communicates to its command-and-control server via TOR. Although this is not the first time we’ve seen Android malware use TOR, this is the first ransomware we’ve seen that uses it. Considering the amount of data that users now store in their mobile devices, we predict that this is just the start of the continuous development of mobile ransomware.

    How to Remove this Ransomware?

    For users whose devices are infected with this ransomware, the malicious app can be manually removed through the Android Debug Bridge. The adb is part of the Android SDK, which can be freely downloaded from the Android website. The process would proceed as follows:

    1. Install the Android SDK on a PC, including the adb component.
    2. Connect the affected device via USB to the PC.
    3. Run the following command from the command line:
      adb uninstall “org.simplelocker” 

    This procedure will work without problem for devices with Android versions lower than 4.2.2. For 4.2.2 and later users, however, there is a problem: the phone will prompt the user with a dialog to accept a key to allow debugging. However, the ransomware’s own UI will keep interrupting this, making it difficult to use adb to remove the phone.

    Note that in all cases, the user must have enabled USB debugging on their device before being infected; doing this may be difficult as the steps differ from device to device. In addition, turning USB debugging on is a security risk in and of itself, as it means an attacker who gets physical access to a device can easily get files from it without having to enter information in the Android lockscreen.

    The above step-by-step procedure will remove the ransomware, but not recover any locked files. Recovering the files is difficult, as is the case with ransomware on PCs. We recommend that users recover their files from their backups, whether these are online or offline.

    The SHA1 hashes of the samples used to analyze this attack are as follows:

    • 3313e82160fe574b4d4d83ec157d96980c0e88c4
    • 4824c957b7804d27c56002c93496182c8ec2840d
    • 5a102f0e6238418d8c73173752e20a5914ec4958
    • 725e9553040845d4b7ad2b0fd806597666d61605
    • 808df267f38e095492ebd8aeb4b56671061b2f72
    • 979020806f6fcb8a46a03bb4a4dcefcf26fa6e4c
    • b4bc70e7f046894ef12b5836f70b0318ca7ad06f
    • b5aab4bdb6bbb5914b1860c47080ccb558f07e5b
    • c85e49e0e99c2c0e531f723bf14d84339919985d
    • e6ee6dac2e6bd97c93a6a746442bfc0930e637af
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    The use of contextually-relevant emails is one of the most common social engineering tactics employed in targeted attacks.  Emails still being the primary mode of business communications are often abused to deliver exploits to penetrate a network that consequently lead to other stages of a targeted attack cycle.

    In one of the targeted attacks we’re monitoring, threat actors used the news of a plane crash that killed the deputy prime minister of Laos.  The email message bore the subject line BREAKING: Plane Crash in Laos Kills Top Government Officials. Attached in this therein are documents purporting to be news clips of the crash to lure users. We have also observed that the email addresses of the real recipients are masked in the To header by using a Yahoo! email address to hide the intended targets of the said malicious email. Although this technique is an old one, we frequently see this maneuver in other targeted attack-related cases we have analyzed.

    The email attachments comprised of two legitimate .JPG files and an archive file which in some cases contain TROJ_MDROP.TRX. When executed, both malware exploit CVE-2012-0158, which is used in several attacks in the past, despite being patched in MS12-027 last 2012. Based on our data, CVE-2012-0158 is the most exploited vulnerability by targeted attacks in the second half of 2013.



    Figure 1. Most commonly exploited vulnerabilities related to targeted attacks

    Again, this attack highlights the importance of patching and upgrading systems with the latest security updates, given that threat actors usually leveraged old vulnerabilities. Once exploited, it drops a backdoor detected as a BKDR_FARFLI variant. This backdoor executes several commands, including stealing specific information such as:

    • Processor/System Architecture Information
    • Computer Name/Username
    • Network Information
    • Proxy Settings

    It also uses the following command-and-control (C&C) server, one of which is located in Hong Kong:

    • {BLOCKED} ({BLOCKED}.{BLOCKED}.68.135)
    • {BLOCKED} ({BLOCKED}.{BLOCKED}.68.135)

    For data exfiltration, this targeted attack used the technique POST http request via port 443 (SSL) to avoid network detection. As such, it enables them to move laterally in the network without being notice by IT administrators.

    What is interesting about this is that the document exploit it employed has also been seen in other targeted attacks, such as HORSMY, ESILE, and FARFLI campaigns. ESILE targets government institutions in APAC.

    Threat actors use this ‘template’ document exploit and modify it according to their intended payload on the system. We can surmise here that the threat actors behind this exploit could have distributed or sold it underground, which would explain why this has also been used in other targeted attack campaigns.  Based on our investigation, a person with Asian-like name may be behind or was the first one to create the “template” exploit document we detected as TROJ_MDROP.TRX.

    While targeted attacks are hard to detect, the risks it poses to sensitive data can be prevented by an advanced security platform, such as Trend Micro Deep Discovery, that can identify malware, C&C communications, and attacker activities signaling an attempted attack.

    For more details on various targeted attacks, as well as best practices for enterprises, you may visit our Threat Intelligence Resources on Targeted Attacks.

    With additional analysis from Maria Manly


    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    Over the past few years, there has been proliferation of intelligent connected devices introduced into homes across the globe. These devices can range from the familiar - such as tablets, smart phones, and smart TVs – to the less familiar, such as utility meters, locks, smoke and carbon monoxide detectors, motion detectors and scales.

    Other devices, like wearable technologies, or wearables, such as fitness and lifestyle monitoring devices, and smart glasses are making an entrance into our regular way of life.

    This effect, known as “smartification” of the home, becomes very apparent, when comparing a visual snapshot of the typical home now, with say one of 5-7 years ago.

    Figure 1. Home networks before

    Figure 2. Home networks today

    Our understanding of the global prevalence of smart devices and their implications to the attack surface of the home is critical, as it allows us to better understand the security demands of the connected home. We had earlier discussed the possibility of threats against the Internet of Everything in our 2014 predictions. Below, we discuss some interesting forces that can influence – for good or bad - the prevalence of these smart devices.

    Market Pressure

    In the United States, there is already a large amount of effort going into marketing around household smart devices with a focus on convenience, security, and energy conservation. It is now fairly common to see smart hubs and smart devices (including home appliances) being sold in electronics, department and hardware stores, such as Home Depot, Lowes, Best Buy and Sears. Online retailers like Amazon, as well as specialty vendors like, are also selling a broad range of smart devices for the home.

    Broadband providers, such as AT&T, Verizon, Comcast, Time Warner, and others are now providing consumer smart home automation packages as well. These are based on a subscription model, and can be added on to the existing Internet service of customers. Independent providers such as Vivint, Iris, Nexia, Savant, and others also provide similar subscription-based services to manage one’s home.

    Non-service based smart hub offerings, such as SmartThings, Revolv, Vera, and Loxone provide equipment bundles that allow the consumer to enhance their home – without having to pay subscription charges. Apple’s upcoming HomeKit, currently slated for fall 2014, appears to make use of the smart phone, as the primary “hub” for orchestrating devices at home.

    It may be surprising to realize that much of the functionality of these smart home offerings have actually existed for many years. However, in the past, these systems had less focus on simplicity, openness, and compatibility. Newer devices that have these characteristics, and as a result tech-averse consumers can deploy and manage these devices over their life span.

    Regional Availability

    Regional availability of smart devices will affect the rate at which homes become smarter over time. In the US and Europe, for example, there are already a significant number of smart devices available on the market. Global companies such as GE, LG, and Samsung, are already providing smart versions of appliances that they have traditionally produced for many years, in many different regions of the globe. Apple is another example of a brand with global outreach potential.

    By contrast, local or regional brands — ones that have historically been focused on one country or region, which may be trusted more by their base of local customers — may be slower to introduce “smart devices” into their product lineup. They may also not have the immediate ability or even local demand to justify competing with global brands. Customers loyal to these brands may not be as keen to embrace smart devices.

    Regional Cost

    The cost of a smart device will affect its availability to the average consumer in different regions of the globe. Though cost is just one factor, as these devices become more affordable in each region, they will likely become more attractive for consumers to purchase, resulting in an increased prevalence of these devices in a given region.

    Typically, costs of smart devices will vary in different regions due to factors such as logistics, local taxes and import duties, This results in regional price differences. In markets where prices are relatively low, adoption will be rapid; expensive markets will see the opposite. It is safe to assume however, that historically as the technology improves and becomes commoditized, the cost of these devices will fall.

    Regional Requirements

    Limiting the prevalence of smart devices globally is the fact that each country or region has their own regulatory requirements, including safety and security codes. For example, devices available in a specific region may need operate on a specific voltage and frequency, and have a specific plug type and also undergo certification by safety groups (such as Underwriters Laboratories in the US).

    Not all competitors in the smart devices space may be willing (or able) to bear the costs of re-engineering and and recertification necessary to meet these needs; this may be particularly true of smaller startups that lack the resources of their better-established competitors.

    In addition, global companies that manufacture and distribute smart home devices, including ad-hoc products and services, may encounter challenges at the political level that set back their products’ market potential in a given region.

    In the next blog post, we will look at some additional factors that may influence the prevalence of smart devices, and the resulting attack surface.

    Stay tuned for our upcoming Threat Intelligence Resource – Internet of Everything hub, which will provide the latest updates and information about the Internet of Everything.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  

    In our 1Q Threat roundup report, we noted that the number of mobile malware and high-risk applications reached the two-million mark and is rapidly growing. In our monitoring of the mobile threat landscape, we have recently discovered an Android malware that is spreading fast in Taiwan, detected as ANDROIDOS_RUSMS.A.

    Mobile users fall victim via SMS spam attack. Users receive an SMS in order to lure them to install the malicious app. The messages read as follows:

    您正在申請網上支付103年3月電費共計480元,若非本人操作,請查看電子憑證進行取消 (malicious link)

    您的快遞簽收通知單, (malicious link)

    Translated into English, these read as:

    • You are applying to have your March 2014 electricity bill paid online with a total amount of 480 Yuan. If you did not apply for this, please see the electronic certificate to cancel this action (malicious link)
    • Your express delivery notice, (malicious link)

    It’s worth noting that the first message uses security as its social engineering lure. Cybercriminals may have opted to use security warnings as the lure  because users will be more inclined to click links in order to stop the supposed activity.

    The links lead to the malicious app. Once installed, the malicious app may send SMS, as well as intercept incoming ones. To profit from this, the attackers try to use micropayment schemes provided by mobile carriers. These schemes are similar to premium SMS program, however, they require a confirmation message from the user.

    In a normal micropayment scheme, a user who shops online would have to fill out the online site’s electronic information sheet (including phone numbers). Online transactions would then have to be verified and confirmed via SMS with which a confirmation code is included to finalize the entire transaction.

    Because this malware intercepts the SMS confirmation, the victims are not aware of the charges they incur. The malware blocks the SMS if the SMS address contains any of the specific characters listed below:

    • mopay
    • boku
    • bezahlcode
    • holyo
    • 6279
    • 33235
    • 46645
    • 55496
    • 55498
    • 66245
    • 1232111

    The blocked SMS is then forwarded to a specified IP address, allowing the attacker to complete the fraudulent transaction.

    In addition, the malware also sends the contents of the user’s contacts list to a remote server. As part of its social engineering tactic, this malware is disguised as a Google app named Google Service Framework. However, the legitimate app is named Google Services Framework. They are so similar that most people will not notice.

    When installed, this malware starts a service that periodically checks a remote server. If data is returned, the data is parsed to form an SMS, which it sends out immediately. This allows the attacker to sign the victim up for various premium services without their consent.

    The malware has two features to make detection and analysis more difficult. First, it requests the user to give them administrator privileges.

    Figure 1. Requesting administrator privileges

    If the user chooses ‘Activate’, the malicious app cannot be uninstalled directly. Users need to disable it first in the Settings>Security>Device administrators.

    Second, it is designed to check whether it runs inside an Android emulator. It does not perform any of its malicious behavior if it is running inside; this behavior is similar to some techniques we’ve seen done by desktop malware.

    Another malware uses a similar disguise. This one disguises itself as Google Services Framework, the same name as the legitimate app. However, the version is different. The malicious app uses version 1.0, while the legitimate Google application uses part of the Android version (like,for instance, 4.2.2-721232). This was detected as ANDROIDOS_RUSMS.HAT.

    Figure 2. Incorrect version number

    This particular variant also uses techniques to make detection and analysis more difficult. It is protected by an APK packer, which employed a self-modification technology. This means that the original code is encrypted and the unpacker code injected. When the app is launched, the unpacker code is run first.  It then dynamically decrypts itself and recovers the original code in the memory.

    Since the original code cannot be run or analyzed directly, this makes detection and analysis difficult. However, this technique is not limited to malicious apps: legitimate apps also use this to protect their apps. Ironically, this is meant to prevent malicious app developers from acquiring a legitimate app and tampering with it to add malicious code.

    These threats are most prevalent in Taiwan, with more than 97% of all victims being locals. The malicious links leading to ANDROIDOS_RUSMS.A alone have been visited almost 32,000 times.

    To avoid mobile devices being infected by this type of Android malware, we recommend against installing apps from suspicious third-party app stores. Users can protect their devices from being automatically installed with unknown apps by unchecking the option in Setting>Security>Unknown Sources. Trend Micro protects users from this threat with Trend Micro Mobile Security that detects malicious apps.

    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon  


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice