Trend-Micro
ZeuS/ZBOT Malware Shapes Up in 2013
The notorious info-stealing ZeuS/ZBOT variants are reemerging with a vengeance, with increased activity and a different version of the malware seen this year. In our 2013 Security Predictions, we predicted that cybercrime would be characterized by old threats resurfacing, but with certain refinements and new features in tow. The first quarter of the year proved this thesis, as seen in threats like CARBERP and the Andromeda botnet.
We can now add the data-stealing malware ZeuS/ZBOT to this roster of old-but-new threats; we have noted increased ZBOT activity these past months based on Trend Micro Smart Protection Network feedback.
Figure 1. Smart Protection Network feedback for ZBOT (Jan – May 7 2013)
As seen in this chart, ZBOT variants surged at the beginning of February and have remained active up to this month, even peaking during the middle of May 2013. This malware is designed to steal online credentials from users, whether banking credentials/information or other personally identifiable information (PII).
ZBOT Earlier Versions vs. Current Versions
Early-generation ZBOT variants create a folder in the %System% folder where they save the stolen data and configuration file; a copy of the malware itself can also be found in that folder. These ZBOT versions modify the Windows hosts file to prevent users from accessing security-related websites; the strings appended to the hosts file can be seen in the downloaded configuration file. Examples of earlier ZBOT versions include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS.
Current ZBOT variants were observed to create two randomly named folders in the %Application Data% folder. One folder contains a copy of ZBOT itself while the other contains encrypted data. An example is TSPY_ZBOT.BBH, which Smart Protection Network feedback showed to be the top ZBOT detection globally.
ZBOT malware of this generation are mostly either Citadel or GameOver variants. Unlike earlier versions, the mutex name is randomly generated.
Both variants send DNS queries to randomized domain names. The difference in the GameOver variant is that it opens a random UDP port and sends encrypted packets before sending DNS queries to the randomized domain names.
How does this malware steal your credentials?
ZBOT malware connects to a remote site to download its encrypted configuration file.
Figure 2. Screenshot of ZBOT communication to C&C server
The following information can be seen once the configuration file is decrypted:
- Site where an updated copy of itself can be downloaded
- List of websites to be monitored
- Site where it will send the stolen data
These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers.
Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system.
Trend Micro Solution for ZBOT variants
There are several avenues for detecting ZBOT variants, such as:
- First, when the malware tries to write to the registry “Userinit” entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Secondly, detecting the call-back routine to the remote site upon execution, as it acquires its configuration file
- Finally, detecting the site where it sends the stolen data, or from which it acquires an updated copy of itself
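As an added example (not code from the Trend Micro post), the following Python checks two of the host artifacts described above against constructed sample data: the Winlogon Userinit value, where any program other than the stock userinit.exe is a persistence candidate, and a hosts file, where entries pinning security vendor domains are the blocking technique described for earlier ZBOT versions. The watched-domain list, the sample path and the sample hosts entries are assumptions made for illustration.

```python
"""Check Winlogon 'Userinit' and the hosts file for ZBOT-style tampering.

Added example, not from the Trend Micro post. All inputs below are
constructed sample data; the watched-domain list is an assumption.
"""
from typing import Dict, List, Tuple

# Security-related domains that earlier ZBOT versions blocked via the hosts
# file (assumed list for illustration; extend with your own vendors).
WATCHED_DOMAINS = ["trendmicro.com", "microsoft.com"]


def userinit_extra_entries(value: str) -> List[str]:
    """Return every program in a Userinit value other than the stock
    %SystemRoot%\\system32\\userinit.exe.

    Winlogon runs each comma-separated entry at logon, so ZBOT appends its
    own path here; the stock value is a single entry with a trailing comma.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # the trailing comma yields an empty entry
        norm = entry.lower().replace("/", "\\")
        if norm.endswith("\\system32\\userinit.exe"):
            continue
        extras.append(entry)
    return extras


def hosts_overrides(hosts_text: str, watched: List[str]) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs that pin a watched domain, or one of
    its subdomains, to an address. Mapping a vendor's update or support site
    to 127.0.0.1 is how the early ZBOT variants kept users off those sites."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            host = name.lower()
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.append((address, host))
    return hits


def assess(userinit_value: str, hosts_text: str) -> Dict[str, object]:
    """Combine both checks into one verdict for a host."""
    extras = userinit_extra_entries(userinit_value)
    overrides = hosts_overrides(hosts_text, WATCHED_DOMAINS)
    return {
        "userinit_extras": extras,
        "hosts_overrides": overrides,
        "suspicious": bool(extras or overrides),
    }


# Constructed sample data: a tampered Userinit value and a hosts file with
# an appended block (the path and folder name are made up for this example).
SAMPLE_USERINIT = (
    r"C:\Windows\system32\userinit.exe,C:\ProgramData\xk3p9q\sample.exe"
)
SAMPLE_HOSTS = """\
# default content
127.0.0.1       localhost
# appended block (constructed)
127.0.0.1       www.trendmicro.com
127.0.0.1       update.microsoft.com
"""

if __name__ == "__main__":
    verdict = assess(SAMPLE_USERINIT, SAMPLE_HOSTS)
    for key, val in verdict.items():
        print(f"{key}: {val}")
```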
The screen capture below shows that the exact behaviour of writing to the registry “Userinit” entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon was successfully blocked by OfficeScan’s Behavioural Monitoring function, and the malware fails to execute:
Figure 3. OfficeScan Scanning Screenshot
The second opportunity to detect ZBOT variants is when the malware downloads its configuration file or an updated copy of itself, or when it attempts to upload the stolen information. Trend Micro Web Reputation Services can detect this function:
Figure 4. Trend Micro blocks the related URL associated with ZeuS
In the screen capture above, the URL was detected as malicious. With further investigation, we determined that this site is associated with ZeuS/ZBOT. The same is observed when using Trend Micro’s Deep Discovery:
Figure 5. Screenshot of Deep Discovery detection of malicious network activity
Similarly, an attempt to connect to any URL related to ZBOT/ZeuS when performing its call-back routine can be detected via Deep Discovery Inspector.
Finally, for removing the malware, here is an example of a clean-up procedure for TSPY_ZBOT.XMAS. Since this malware injects itself into certain processes, there are instances where a reboot is required:
As ZeuS/ZBOT malware downloads newer versions of itself, the binary itself may not be detected, but it generally behaves the same way. As such, certain parts of the infection can be blocked or partially mitigated.
Conclusion
What we can learn from ZeuS/ZBOT’s spike in recent months is simple: old threats like ZBOT can always make a comeback because cybercriminals profit from them. Peddling stolen banking and other personal information from users is a lucrative business in the underground market. Plus, these crooks can use your login credentials to initiate transactions in your account without your consent. Thus, it is important to be careful when opening email messages or clicking links. Bookmark trusted sites and avoid visiting unknown ones. Always keep your system up-to-date with the latest security releases from security vendors and install trusted antimalware protection.
To know more about how cybercriminals are getting better at stealing information, you can refer to this infographic.
With additional inputs from Threat researchers Rhena Inocencio and Roddell Santos.
Post from: Trendlabs Security Intelligence Blog - by Trend Micro
Is The Raspberry Pi Secure?
Since its initial release in February 2012 the Raspberry Pi – a very inexpensive, palm-sized computer meant to help teach computer science in schools – has become a favorite of hobbyists, makers, and tech enthusiasts everywhere. Why wouldn’t it be? The Raspberry Pi offers tinkerers a very low-cost (both to buy and to run) computer in an extremely compact platform. In addition, because of its origins as an educational tool, it’s easy to use and is versatile. Accordingly, it can be used in all sorts of creative ways.
However, its apparent simplicity and low cost come with a downside. The Raspberry Pi is not a simple “device” with limited capabilities; it is a fully capable computer. The same pitfalls that befall normal desktop computing can hit the Raspberry Pi if it is not properly secured.
Some uses of the Raspberry Pi actually turn it into a server, and that is something users may not really know how to secure. For example, some people have made the Raspberry Pi into a server that controls their home automation system, or that allows them to watch videos served by the Pi remotely.
For many uses of the Raspberry Pi, security isn’t much of a concern – it will never be online or even exposed to external input that could be used as an infection vector. The trouble comes when it’s used in situations where it is online – particularly as a server – where it’s at potential risk. For example, some automated scanners are already trying to log in with the pi user.
In short, the Raspberry Pi is only as secure as the uses you put it to. Good server security is not always easy; consider that even IT professionals make mistakes. Look into known server best practices if you do use a Raspberry Pi in these roles. Considering its origin as an educational tool, learning how to secure a server would be an appropriate use for a Raspberry Pi.
Keeping Up With the Andromeda Botnet
Last March, I blogged about Andromeda, a well-known botnet that surfaced in 2011 and is making a comeback this year. Just months after my report, we are still seeing notable activity from the said botnet, in particular a sudden boost in GAMARUE variants last week. Andromeda is a spam botnet that delivers GAMARUE variants, which are known backdoors with a noteworthy way of propagating via removable drives.
We have been keeping track of GAMARUE infections for the past weeks and observed some noteworthy activity. Over the past 30 days, we noticed a sudden spike in its variants on May 17. In particular, there was an 82% increase from May 16 to May 17 and another 32% on May 18. A significant bulk of these malware, specifically 63%, are WORM_GAMARUE variants.
Figure 1. GAMARUE detection for the past 30 days (April 20 – May 31)
In my initial blog entry, I reported that the bulk of infection came from Australia. Last year, Germany was also one of the most GAMARUE-affected countries. However, just months after my first post, we are seeing a trend in which a majority of WORM_GAMARUE variants are affecting India, Turkey, and Mexico.
Figure 2. Top countries affected by WORM_GAMARUE
Currently, we cannot readily determine why GAMARUE variants increased on the said dates. If anything, this trend shows that the botnet is still active and poses risks to users.
Andromeda Botnet: Old Threat Repackaged
In our 2013 1Q Security Roundup, we concluded that cybercrime during the quarter was characterized by old threats made new. The Andromeda spam botnet is a good example of this trend, this time with the aid of the Blackhole Exploit Kit (BHEK) and some neat new tricks.
This threat arrives as a spammed message containing a malicious attachment (GAMARUE variants) or links leading to certain sites, which now include those compromised by the notorious Blackhole Exploit Kit. GAMARUE variants are known to propagate via removable drives. They also drop component files instead of copies of themselves to make detection difficult. Taking a cue from threats like DUQU and KULUOZ, GAMARUE variants also use certain APIs to inject themselves into normal processes to evade detection.
Propagation techniques aside, GAMARUE variants have backdoor capabilities, since they communicate with certain C&C servers to send and receive commands. This communication, in effect, gives a remote malicious user control over the infected system. Some of the commands the malware can execute include downloading other malware onto the system, most notably info-stealing threats like ZeuS/ZBOT variants.
Because some Andromeda-related spam messages look eerily like legitimate email notifications from commercial services (flight, hotel, courier services, etc.), the usual criteria for spotting spam are not sufficient. As an alternative, you can verify whether the email you have received is legitimate. Since BHEK is known to exploit software vulnerabilities such as those in Java, you must always update your system with the latest security patches or reconsider your use of Java. For better protection, install antimalware software like Trend Micro’s, which protects your system from spam, malicious URLs, and malware.
What Connections Between Attacks Say About Them
In the process of investigating and analyzing targeted attacks, we have seen that attacks which may not appear related at first glance may in fact be linked; conversely, attacks that may seem related may turn out to be separate. Knowing which is which can provide useful information in determining how to respond to an attack.
Why Are Separate Attacks “Related”?
Before a cybercriminal or threat actor can launch an attack, many things have to be prepared in advance: the list of recipients has to be compiled, command-and-control (C&C) servers brought online, malware payloads chosen, and so on. Ideally, attackers would use separate ones for each attack, but that isn’t the case: they are just as prone to reuse items or tactics that have worked before. Knowing these similarities between attacks can help determine what an appropriate response is.
There are many ways that seemingly independent attacks can be correlated, but here are some of the most common ones:
- Same IP address sends different email messages
- Same email address sends different messages
- The same malware is attached to different messages
- Multiple (similar) backdoors use the same C&C server
- Different backdoor types use the same C&C server
- Multiple domains registered using the same email address
- Similarities in the way command-and-control network traffic is organized
How can this information be used?
Typically, organizations face two kinds of threats: highly sophisticated attacks that target them specifically, or more “random” attacks that are aimed at wider audiences. It can be difficult to tell just by examining the specifics of a particular attack which it is, but examination of the similarities above – using additional information provided by the Smart Protection Network – may be useful. It’s best to illustrate this with a hypothetical example.
A company received an apparently targeted email that contained a malicious attachment. The installed malware tries to contact an external C&C server for instructions using HTTP. It would appear, at first, that this was a sophisticated targeted attack.
However, more in-depth analysis would reveal that the malware only accessed two files on the C&C server: /kc1/data.bin and /kc1/gate.php. Accessing two files located in the same directory with the .BIN and .PHP extensions is common behavior for ZeuS/ZBOT variants. In addition, the domain of the C&C server was registered using an email address that was also used to register another domain on the well-known ZeuS Tracker blacklist. All this strongly suggests that it was not a sophisticated attack, but instead a more ordinary ZeuS/ZBOT infection. This can still pose a threat, but one of a different nature compared to a sophisticated attack.
This information can also be used to gauge the seriousness of an attack. For example, in October, we found a new Poison Ivy variant (BKDR_POISON.AB) had infected 15 different machines, belonging both to individuals and various organizations. What we also found was that there had been a similar attack earlier in the year which distributed a very similar Poison Ivy variant (BKDR_POISON.BJX). Similarities included the malware’s mutexes and the emails used to spread the attack.
From there, one can conclude that both attacks were not meant to directly target anyone, but more to gather information across a wide number of possible targets that could be used for more direct attacks at a later time.
The links between attacks can also be used to discover other potential attacks as well. For example, examining the email and IP addresses linked to domains used as C&C servers in a current attack can lead to other domains. The added information can be used as indicators for potential attacks that may not have been detected at the time.
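The correlation described above, both the list of shared indicators and the ZeuS example with its two files in one directory, as an added example in Python that is not part of the original post. The attack records, IP addresses, email addresses, hashes and domains are all constructed for illustration; the linking fields and the .bin/.php heuristic are the ones the post names.

```python
"""Correlate attacks that share indicators, and spot the ZeuS C&C path pattern.

Added example, not from the Trend Micro post. The attack records are
constructed (fictional IPs, addresses, hashes and domains).
"""
import posixpath
from collections import defaultdict
from typing import Dict, List

# Indicator fields that, when shared, link two attacks (the post's list).
LINK_KEYS = ["sender_ip", "sender_email", "malware_sha1", "c2_domain", "registrant_email"]

# Constructed sample records; documentation-range IPs and .test/.example names.
ATTACKS = [
    {"id": "A1", "sender_ip": "198.51.100.7", "sender_email": "billing@invoice.test",
     "malware_sha1": "hash-a", "c2_domain": "cdn-sync.example", "registrant_email": "reg1@mail.test",
     "c2_paths": ["/kc1/data.bin", "/kc1/gate.php"]},
    {"id": "A2", "sender_ip": "198.51.100.9", "sender_email": "hr@jobs.test",
     "malware_sha1": "hash-b", "c2_domain": "cdn-sync.example", "registrant_email": "reg1@mail.test",
     "c2_paths": ["/kc1/data.bin", "/kc1/gate.php"]},
    {"id": "A3", "sender_ip": "203.0.113.4", "sender_email": "news@press.test",
     "malware_sha1": "hash-c", "c2_domain": "img-host.example", "registrant_email": "reg1@mail.test",
     "c2_paths": ["/panel/config.bin", "/panel/gate.php"]},
    {"id": "A4", "sender_ip": "203.0.113.77", "sender_email": "admin@corp.test",
     "malware_sha1": "hash-d", "c2_domain": "svc-node.example", "registrant_email": "reg2@mail.test",
     "c2_paths": ["/index.php"]},
    {"id": "A5", "sender_ip": "203.0.113.77", "sender_email": "it@corp.test",
     "malware_sha1": "hash-e", "c2_domain": "svc-node2.example", "registrant_email": "reg3@mail.test",
     "c2_paths": ["/update/check"]},
]


def shared_indicators(a: Dict, b: Dict, keys: List[str] = LINK_KEYS) -> List[str]:
    """Names of the indicator fields two attack records have in common."""
    return [k for k in keys if a.get(k) and a.get(k) == b.get(k)]


def cluster_attacks(attacks: List[Dict], keys: List[str] = LINK_KEYS) -> List[List[str]]:
    """Group attacks transitively: A1~A2 (same C&C) and A2~A3 (same registrant)
    put A1, A2 and A3 in one cluster. Union-find keyed on (field, value) pairs."""
    parent = {a["id"]: a["id"] for a in attacks}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen: Dict[tuple, str] = {}
    for a in attacks:
        for k in keys:
            v = a.get(k)
            if not v:
                continue
            if (k, v) in first_seen:
                parent[find(a["id"])] = find(first_seen[(k, v)])
            else:
                first_seen[(k, v)] = a["id"]

    groups = defaultdict(list)
    for a in attacks:
        groups[find(a["id"])].append(a["id"])
    return sorted(sorted(g) for g in groups.values())


def looks_like_zbot_c2(paths: List[str]) -> bool:
    """The post's ZeuS heuristic: a .bin (config) and a .php (gate) file
    fetched from the same directory on the C&C server."""
    exts_by_dir = defaultdict(set)
    for p in paths:
        directory, filename = posixpath.split(p)
        exts_by_dir[directory].add(posixpath.splitext(filename)[1].lower())
    return any({".bin", ".php"} <= exts for exts in exts_by_dir.values())


if __name__ == "__main__":
    for group in cluster_attacks(ATTACKS):
        print("cluster:", group)
    for a in ATTACKS:
        print(a["id"], "ZeuS-like C&C:", looks_like_zbot_c2(a["c2_paths"]))
```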
Conclusion
Gathering information about the connections between attacks can reveal much about the attacks in the first place. Organizations that use this kind of threat intelligence can use it to gain a more accurate picture of the attacks facing them. It can reveal that apparently unrelated attacks may turn out to be related, and have been launched by a single group of attackers. Alternately, it can make clear if an organization is under attack from multiple groups – which may or may not be working together. Whatever the case, this kind of information can be useful in creating a proportional response to threats.
For more discussion of malicious network traffic, you can read our report titled Malicious Network Communications: What Are You Overlooking?
Blackhole Spam Run Evades Detection Using Punycode
The Blackhole Exploit Kit (BHEK) spam run has already assumed various disguises during its course. Some variants have taken various forms, such as official bank notice, cable provider email update, social networking email, and fake courier notification.
Lately, we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.
Figure 1. Notice supposedly from Walmart
In this campaign, some of the URLs lead to Cyrillic domain names. These domains were rendered in ASCII through punycode, an encoding that represents Unicode domain labels using a restricted (ASCII) character set. URLs in punycode have to be decoded first in order to see their original form.
The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult.
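As an added example that is not part of the original post, the following Python decodes the punycode (xn--) labels of URLs taken from a message and flags labels that mix scripts, which is the look-alike (homograph) risk described above. The sample URLs are constructed for illustration and are not indicators from the campaign.

```python
"""Decode punycode (IDN) hosts in URLs and flag mixed-script labels.

Added example, not from the Trend Micro post. The sample URLs are
constructed for illustration and are not indicators from the campaign.
"""
import unicodedata
from typing import Dict, List, Set
from urllib.parse import urlsplit


def decode_label(label: str) -> str:
    """Decode one DNS label. 'xn--' marks an ACE (punycode) label; a
    malformed one is returned unchanged rather than aborting the scan."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def decode_host(host: str) -> str:
    """Decode every label of a hostname, e.g. xn--p1ai -> рф."""
    return ".".join(decode_label(part) for part in host.split("."))


def scripts_in(label: str) -> Set[str]:
    """Scripts of the letters in a label, taken from the first word of each
    character's Unicode name ('LATIN SMALL LETTER A' -> 'LATIN')."""
    return {
        unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        for ch in label
        if ch.isalpha()
    }


def analyse_url(url: str) -> Dict[str, object]:
    """Report whether a URL's host is an IDN and whether any label mixes
    scripts, the pattern behind look-alike (homograph) domains."""
    host = (urlsplit(url).hostname or "").lower()
    decoded = decode_host(host)
    per_label = [scripts_in(part) for part in decoded.split(".")]
    return {
        "host": host,
        "decoded": decoded,
        "is_idn": decoded != host,
        "scripts": set().union(*per_label),
        "mixed_script": any(len(s) > 1 for s in per_label),
    }


def flag_urls(urls: List[str]) -> List[Dict[str, object]]:
    """Return the analysis of every URL whose host is an IDN or mixes scripts."""
    results = [analyse_url(u) for u in urls]
    return [r for r in results if r["is_idn"] or r["mixed_script"]]


# Constructed sample links, as they might appear in a spam message.
SAMPLE_URLS = [
    "http://www.walmart.com/",               # plain ASCII host
    "http://xn--80asehdb.xn--p1ai/order",    # fully Cyrillic host (онлайн.рф)
    "http://xn--pple-43d.com/track",         # Cyrillic 'а' followed by Latin 'pple'
]

if __name__ == "__main__":
    for r in flag_urls(SAMPLE_URLS):
        print(r["host"], "->", r["decoded"], "mixed script:", r["mixed_script"])
```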
This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected through several sites until they are led to the site hosting malware (detected as TROJ_PIDIEF.SMXY), which exploits a vulnerability in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system.
This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noted how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear.
Whether facing old or newly-improved threats, several computing practices can provide your best defense. Always be cautious of email messages before clicking the links or downloading attached files. Always verify with the vendor to check if these emails are legitimate. Regularly install the latest security updates from software vendors to avoid threats targeting dated vulnerabilities.
Hiding in Plain Sight: A New Targeted Attack Campaign
With added text by Threat Researcher Nart Villeneuve
Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.
This research paper documents the operations of a campaign that was able to compromise the following types of organizations:
- government ministries
- technology companies
- media outlets
- academic research institutions
- nongovernmental agencies
The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).
During our investigation of the C&C servers associated with this campaign, we discovered archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.
While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear.
This white paper has been written to help readers understand and document the tools, tactics and techniques used in this campaign. Our full findings, including indicators of compromise and recommendations, are contained in our research paper, which can be downloaded here.
Please note that there are references in the attack itself to “SafeNet”; there is no connection between this attack and SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro.
Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead
The popular photo-sharing app Instagram is the latest social networking site targeted by the ubiquitous survey scams seen on Facebook and Twitter. This time, we found that these survey scams may also lead users to download Android malware.
I found the following accounts that wanted to ‘follow’ me on Instagram. This is standard if your Instagram account is set to private. While checking these requests, the security researcher inside me noticed something off with some of the accounts.
Figure 1. Screenshot of Instagram request
To validate my suspicions, I checked the pages of these Instagram accounts and noticed that they all posted this “Get Free Followers!” photo. This post reminded me of the Pinterest free items promo survey scam we blogged about in the past.
Figure 2. Get Free Followers Post on Instagram
Another thing that I found dubious is that these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”.
Figure 3. Screenshot of sample spamming account
Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was led to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.
Figure 4. Page offering ‘Get Free Follower’ app
Whether users download the said app or not (in my case, I tried to), in the end they are redirected to run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work.
Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes.
Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking site and potential social engineering hook, like the Google Glass contest. To protect yourself against this scam, always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintances. Caution is your best defense. Trend Micro protects users from this threat by blocking the related URLs.
To know more about how these scammers (or online crooks in general) use and benefit from your data, you can check out our infographic How Cybercriminals Are Getting Better At Stealing Your Money.
Failed OpUSA Attacks Show How Hackers Operate
Last week’s OpUSA attacks resulted in no high-profile sites being knocked offline, with damage limited to relatively unknown sites being compromised and defaced. Still, the attack did show how hackers operate and “claim” their results in high-profile hacking “operations” like OpUSA. Using information provided both by the Smart Protection Network and the attackers themselves (via Pastebin), we were able to see, in part, how these attacks happen. What we found was that the attackers likely “stockpiled” an arsenal of compromised sites ahead of time to enable them to initiate a broad attack without warning.
We first looked at the sites that hackers had compromised as part of the OpUSA campaign. It quickly became apparent that there were patterns in the compromised URLs: the attackers had frequently uploaded files with names like islam.php, muslim.htm, jihad.htm, and usa.htm to the compromised site. A legitimate visitor would never visit or see these particular URLs, as they were completely separate from the main site and, in effect, “hidden”.
Looking at the feedback data provided by the Smart Protection Network, we found something very curious. We found that the URLs that fit the pattern had been accessed the day before the alleged attacks, on May 6. Legitimate users would not be visiting these sites, as we said above. So who was visiting these URLs?
Based on other evidence, we were able to determine that the sites had been compromised at least two days before May 7. This indicated that the traffic we saw was probably malicious – the attacker, perhaps, checking that the (compromised) site was still up.
Figure 1. Near-identical lists of compromised sites
However, the attacker was not doing so directly. We believe that the attacker was doing so via an infected machine that he was using as a proxy; one particular machine used this way had 89 malicious or suspicious files detected and had accessed 173 malicious websites in the past 30 days. This indicates that this particular machine had already been extensively affected by malware and was in use by cybercriminals for all sorts of purposes, including as a proxy “service”.
Figure 2. Number of malicious files detected
What can users learn from this event? Primarily, to treat the damages claimed in these sorts of “campaigns” with some skepticism. Based on what we saw, attackers can “stockpile” compromised sites and release them when a major “campaign” like this is conducted, to make their claims of damage more impressive.
For security professionals, it’s a reminder that campaigns like OpUSA are not always a good indicator of when threats are likely to escalate. Preventing infection ahead of time can ensure you’re not caught up when attackers “flip the switch” on these high-profile campaigns.
May 2013 Patch Tuesday Includes Critical IE 8 Zero-Day Issue
IT administrators and the like are expected to have a long day today, as Microsoft releases its security bulletins for May, resolving 33 vulnerabilities. Though this is not Microsoft’s biggest release (April 2011’s 17 bulletins addressing 64 vulnerabilities come to mind), it is crucial for users to apply these security updates, which include a resolution to the zero-day incident involving the US Department of Labor webpage.
This roster of updates includes two Critical bulletins addressing Internet Explorer (IE). The first one addresses a vulnerability found in IE versions 6 to 10 on all Windows OSs, from Windows XP to Windows 8. It also addresses the vulnerability in IE 10 uncovered during the Pwn2Own contest last March.
The other Critical IE bulletin deals with a vulnerability limited to IE 8, which made the headlines recently because of a related zero-day exploit found on a US Department of Labor webpage. Based on our own investigation, users visiting this compromised site are led through a series of redirections until their systems are infected with a BKDR_POISON variant.
Even before this month’s release, Trend Micro Deep Security has been protecting users from this vulnerability via rule 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347).
The rest of the bulletins were tagged as Important; these include a security flaw in Windows that may lead to a denial of service (DoS) attack.
Just like last month, Adobe also released its security bulletins today, which include fixes for Adobe Reader, Acrobat, and Flash Player. The software vendor also issued a “security hotfix” for a ColdFusion vulnerability, which is reportedly being exploited in the wild.
Users are advised to implement these bulletins as soon as possible to avoid exploits similar to the US DoL incident. For more details about how Trend Micro can protect users, you may refer to this Threat Encyclopedia page.
Mobile Ads Pushed by Android Apps Lead to Scam Sites
App developers often include ads in their applications to increase revenue. These ads feature enticing titles or blurbs to attract more user clicks. Typically, clicking these ads either prompts users to download an app or redirects them to a web page. However, cybercriminals, who never run out of new ways to spread their deeds, could also use this as a venue to steal user information.
We recently spotted a fraudulent website that is pushed by ads found in multiple Android apps. (Some of these apps were downloaded from the Google Play store, while others were found in third-party stores.) These ads use popular brands like “iPhone 5” and “Samsung Galaxy Note II” as hooks and supposedly sell these items for a ridiculously low price. Once users click the ad, it leads them to a website that shows many ways to buy the said phones.
Figure 1. Ad for Samsung Galaxy Note II
Figure 2. Ad for iPhone 5
In reality, these sites are just scam sites that try to defraud users out of their money. They do not actually sell the devices they are promoting.
Figure 3. Fraudulent website advertising Samsung Galaxy Note II
Figure 4. Fraud website with iPhone 5 ad
These ads are being delivered by a large, mainstream ad network, which claims to be used by more than 90,000 apps. While this attack is currently limited to Chinese users, because of the large number of apps on this particular ad network it is possible that similar attacks will be delivered to other users in the future.
Last March, we blogged about Google’s decision to remove apps that block ads and the potential risks this may pose to unsuspecting users. Insufficient auditing of ads on the Android platform may well lead to more fraud, phishing attacks or even malware distribution. We recommend that ad providers implement stronger audit mechanisms to protect users from attacks leveraging ads.
Trend Micro protects users from this attack by blocking the said malicious website. We also advise Android users to be cautious when clicking ads on their devices, as this may lead to information and identity theft. For better protection of their devices, users should also be wary of other mobile threats like malicious URLs and mobile phishing sites.
Finding Banking Trojans in Eastern Asia – Report From CeCOS VII
Last April 23 to 25, I attended the seventh Counter eCrime Operations Summit (CeCOS VII), initiated by the Anti-Phishing Working Group (APWG). This year, the conference was held in Buenos Aires, Argentina. Security experts from Japan, Paraguay, Brazil, North America, Russia, and India flew to the South American city to discuss developments in the cybercrime arena. Together with 8 other participants from Japan, I arrived in Buenos Aires after a 38-hour flight. However, the talks and the level of energy at the conference definitely made the whole trip worth it.
Overall, CeCOS featured 23 sessions divided into eight tracks, including two panel discussions. Aside from attending interesting talks, I also participated as a speaker at the event.
I was very much interested in attending two talks: the National Field Reports and Mobile Attack Sessions. The National Field report particularly intrigued me, as it argues that the threat landscape of a particular country is a reflection of what’s happening globally.
By now, it’s pretty much established that the mobile platform is the latest cybercrime battlefield, so I think it’s crucial to know what’s happening in the mobile threat front.
As I mentioned earlier, I also participated as a speaker. As the representative of the anti-phishing council of Japan (CAPJ), I gave the talk Finding the Banking Trojan in Eastern Asia.
Speaking at CeCOS VII
Japanese-language phishing emails were first spotted in 2004 and since then, these mails have poured in and caused serious damage. As technology developed, these emails took more subtle forms, which made detection more difficult. In addition, instead of direct links to phishing sites or a malicious attachment, the emails now contain links to compromised sites that eventually lead users to malicious sites hosting exploit kits.
As we all know, attackers are already expanding their threats to other platforms, particularly mobile. Thus, I presented my analysis of ANDROIDOS_CHEST, which targets Android OS and was reportedly found affecting South Korea. Users would receive text messages offering free coupons for either movie tickets, fast food, or coffee if the user downloaded an app, which was actually ANDROIDOS_CHEST.
The malware monitors and gathers text messages in order to defeat two-factor authentication done via text messaging. ANDROIDOS_CHEST then sends the gathered messages to the attacker.
The most important question though is, how can users protect themselves from the threats of phishing? The CAPJ has these tips:
- Keep your computer safe.
- Beware of suspicious emails.
- Access and bookmark legitimate URLs.
Another helpful piece of advice is to always keep your systems updated with the latest security patches. Because banking Trojans are usually delivered through exploit kits (by way of phishing emails), patched users are protected from exploits that target old vulnerabilities.
Trend Micro provides tools and technologies that help protect users against security breaches and data theft. Trend Micro DirectPass manages your passwords so that using and remembering unique passwords for multiple accounts is no longer difficult. Trend Micro Mobile Security protects against mobile threats like ANDROIDOS_CHEST. The Smart Protection Network provides both email and web reputation, blocking these threats before they arrive on user systems.
How Cybercriminals Are Getting Better At Stealing Your Money
Recent incidents highlight how frequently – and creatively – cybercriminals try to steal data: from “homemade browsers” to million-user data breaches, to the theft carried out every day by infostealers and phishing attacks.
All this stolen information ends up for sale in the underground to the highest bidder. From there, it can be used in many uniformly illegal ways – from identity theft, to credit card fraud, to launching attacks on other users. It can also be used to buy expensive goods (which are then shipped to the cybercriminals), or to pay for the “bulletproof” web hosting that is frequently used for malicious sites. Individual records may not cost that much, but the losses to users can be significant.
It’s not just the fruits of cybercrime that are bought and sold in the underground – so are the tools, like exploit kits, vulnerabilities, and malware toolkits as well. Price tags here can reach the thousands of dollars, particularly for more advanced and sophisticated tools.
There is so much money in the underground that it has become organized and systematic, much like real-world businesses. While the specifics of how the underground has organized itself varies from region to region, the mere fact that it has organized itself is noteworthy – both to allow for more information and tools to be sold, as well as reducing the risks of getting caught.
Our new infographic – The Cybercriminal Underground: How Cybercriminals Are Getting Better At Stealing Your Money – explores what items are being bought and sold in the cybercrime underground, how the underground is organized, and how users are directly affected. It’s an excellent way to understand what users are up against in securing their information online. It may be viewed by clicking on the thumbnail below:
To view all infographics from TrendLabs, visit http://about-threats.trendmicro.com/infographics.
Backdoor Built With Aheadlib Used In Targeted Attacks?
While looking into recent reports about the Winnti malware family, we discovered another backdoor which was built using similar techniques and has other similarities as well. It is also possible that it is being used in similar targeted attacks.
We found this particular threat via feedback provided by the Smart Protection Network; we detect it as BKDR_TENGO.A. It passes itself off as a legitimate system DLL file, winmm.dll, like most of the Winnti samples. We believe that this was done using Aheadlib, a legitimate analysis tool. Aheadlib accepts any DLL file and is able to construct C code to hook all the functions provided by the original library. This is very useful in analyzing malware, but can also be abused to help create files that pass themselves off as legitimate system libraries.
We suspect that this was used in a targeted attack. Despite this, however, the file is not encrypted and neither was it particularly hard to analyze. Its main behavior is to steal Microsoft Office, .PDF, and .TIFF files from USB drives inserted into the system. These stolen files are stored in the $NtUninstallKB080515$ folder under the Windows folder. It also creates a log file named Usblog_DXM.log. The files can be retrieved by the attacker at a later time. Aside from retrieving files, it has several backdoor commands which allow the attacker to take control of the system. (The full list of commands can be seen in its Threat Encyclopedia entry, which we’ve linked to above.)
Two of the commands – Help and MainInfo – will show the name of the backdoor, as well as the C&C servers it is using. The full list of possibly malicious IP addresses and servers we’ve seen it connecting to is:
- 50.93.204.62
- 98.143.145.118
- 100.42.216.249
- 108.62.10.239
- 192.154.102.244
- 199.180.103.42
- 216.70.128.124
- 216.70.255.201
- banana02.myz.info
- songcai89.ddns.info
- thaifruit.myz.info
Two of these IP addresses proved to be of particular interest, namely 50.93.204.62 and 98.143.145.118. They are located in the United States, but multiple Chinese-language domains point to them. All of these have been blocked as command-and-control servers.
This attack highlights how information theft can be performed even with malware that is not particularly advanced or sophisticated. It also shows some of the challenges in attributing attacks of this nature.
Homemade Browser Targeting “Banco do Brasil” Users
Cybercriminals in Brazil appear to have come up with a new tactic to lure users into giving up their login information. A few days ago, we found a post on a Brazilian forum offering a browser that could access the website of the Banco do Brasil without using the needed security plugin.
Figure 1. Homemade browser ad
Users who clicked the download link received a zip file. Inside this compressed file were two executable files: one was the browser itself, which is called Navegador BB, and the other has the file name Plugin_Navegador_2.1.3.exe. (We detect these as PE_PARITE.A and WORM_LUDER.USR, respectively.)
The third file is a text file which contains instructions to run Plugin_Navegador_2.1.3.exe first, and then run the browser. The “plugin” actually steals the user’s bank information. Meanwhile, the browser fools the bank site into not needing the usual security plugin by pretending that it is a mobile browser, as can be seen by examining the User-Agent HTTP header (click on the thumbnail to see the full strings):
Figure 2. Strings used to spoof the User-Agent header
It’s also worth noting that this homemade browser doesn’t even have an address bar, or any other place to enter a URL. It only has a single button that sends the user directly to the bank’s site.
Figure 3. The homemade browser accessing the mobile Banco do Brasil site
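The weakness the fake browser exploits is that the bank decides whether its security plugin is required from the User-Agent header, a value the client chooses freely. The following is an added example, not code from the original post or from the bank: it shows that decision in its vulnerable form next to a hardened variant that ignores the User-Agent and instead requires a token the server itself issued to an enrolled device. The header names, the HMAC-based token scheme and the key are assumptions made for the example.

```python
import hashlib
import hmac

# Substrings commonly found in mobile browser User-Agent strings.
MOBILE_UA_MARKERS = ("Android", "iPhone", "iPad", "Mobile Safari", "Windows Phone")


def is_mobile_user_agent(user_agent):
    """Client-supplied, so anything can claim to be a phone: the signal the fake browser abuses."""
    return any(marker in user_agent for marker in MOBILE_UA_MARKERS)


def plugin_required_vulnerable(headers):
    """Vulnerable decision: a mobile-looking User-Agent is enough to skip the security plugin."""
    return not is_mobile_user_agent(headers.get("User-Agent", ""))


# Hypothetical server secret for the hardened variant (constructed for this example;
# a real deployment would load it from a secret store and rotate it).
DEVICE_TOKEN_KEY = b"constructed-demo-key-not-for-production"


def issue_device_token(device_id):
    """Token the bank hands to a device it has actually enrolled (e.g., through its own app)."""
    return hmac.new(DEVICE_TOKEN_KEY, device_id.encode("utf-8"), hashlib.sha256).hexdigest()


def plugin_required_hardened(headers):
    """Hardened decision: the User-Agent plays no role; only an enrolled device presenting a
    valid server-issued token gets the mobile flow, everyone else needs the plugin."""
    device_id = headers.get("X-Device-Id", "")
    token = headers.get("X-Device-Token", "")
    if not device_id or not token:
        return True
    expected = issue_device_token(device_id)
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return not hmac.compare_digest(token, expected)


if __name__ == "__main__":
    # Constructed request: a desktop program claiming to be an Android phone.
    spoofed = {"User-Agent": "Mozilla/5.0 (Linux; Android 4.1) Mobile Safari/535.19"}
    print("vulnerable check requires plugin:", plugin_required_vulnerable(spoofed))  # False
    print("hardened check requires plugin:", plugin_required_hardened(spoofed))      # True
```

The general lesson is that any attribute the client asserts about itself (User-Agent, screen size, a "mobile" query parameter) must never downgrade a security control; a device-binding token is one way to let the server, rather than the client, decide which channel a session belongs to.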
This is not the first time that cybercriminals have tried to fool users in Brazil with fake apps to make accessing sites more convenient. Previously, we found an application that claimed to get the credit scores and criminal records of Brazilians.
One more thing to note: the author of this “browser” also created a version of BANCOS that “outsourced” its distribution to lower-level cybercriminals.
Long Live Endpoint Protection!
Last month, an article in Dark Reading by Robert Lemos asked if it was “Time To Dump Antivirus As Endpoint Protection?”. It referenced a recent Google research paper that outlined their new reputation technology called CAMP (short for Content-Agnostic Malware Protection), which they claim protects against 98.6% of malware downloaded via their Chrome browser, as opposed to the 25 percent detected by the best performing antivirus engine they tested.
This may sound like magic. Whether you view this as white magic or black magic depends on whether you know that Google sends attributes of all the “unknown” files on your computer to their online service for analysis.
To us, however, all this is old news. As early as 2008 we stated that standard detection technologies need to be combined with other methods like reputation services, whitelisting and so on. We’ve invested heavily in the technology needed to detect malicious infrastructures and ecosystems.
Because we collect so much information, we’re able to help law enforcement agencies around the globe put cybercriminals in jail. When Google talked about CAMP, they claimed that their system makes millions of reputation-based decisions every day, and that it identifies and blocks about 5 million malware downloads every month. Great job to make the Internet a safer place!
Then again, this is what the security industry has done for years already, so this is not something brand new. For example, Trend Micro blocks 250 million threats per day (files, websites, and spam), and our systems process more than 16 billion requests per day. These requests generate 6TB of data daily for analytics… that’s what I call Big Data.
The article also talks about what some customers are doing in the face of the problems of traditional antivirus. These are:
Abandon Antivirus
The author himself states this is a bad idea, pointing to the recent Microsoft Security Intelligence Report that said that computers with no endpoint anti-malware protection were 5.5 times more likely to be infected. It’s all well and good that, say, Google Chrome protects me from infections – but what about the latest driver on a CD that I need to install my USB 3.0 PCI card? What about the USB stick I just got from a friend? What about the digital picture frame with malware on it? Let’s not even talk about all the other entry vectors using vulnerabilities and so on. Endpoint protection is still necessary, and a baseline for effective defense.
Beef up the blacklist
We’ve been saying this for years as well. A blacklist can be combined with reputation technology, advanced heuristics, communications monitoring to identify commands from malicious botnets, and all the other new tools we have up our sleeves. Users have to accept that a sufficiently determined and sophisticated targeted attack in particular will be able to get in, but there are ways to detect these threats, particularly when they try to “phone home” to malicious servers.
Use a whitelist
Yes! Trend Micro has built up a whitelist with over 220 million known good files, and we use it as part of our reputation services within our products. This can be used in critical endpoints to minimize the risk of running malware as well.
Focus on isolation
This makes sense for critical machines where you have the time and money to manage them in a different way. The users of these machines will have to learn that they can’t execute code from all kinds of sources anymore; they need to say goodbye to their personal computer. I see the use cases here in hardening industrial control systems and Windows systems in production environments.
I totally agree that it is easy to avoid traditional antivirus. However, the security industry has known this for quite a while now and has worked hard to find new ways to protect against malware and cybercrime. Do we do a perfect job? No, there is no silver bullet. Our job is to protect our users as best as possible, and that’s what we continue to do. So long live anti-malware – it still is needed.
For users who want to know more about this issue, I came up with a video discussing how anti-malware products are still relevant and crucial in protecting users’ data amidst developments in reputation technology.
My website CTO Insights contains more discussions about pertinent security issues.
AutoIt Used To Spread Malware and Toolsets
AutoIt is a very flexible coding language that’s been used since 1999 by coders looking for a fast, easy, and flexible scripting language on Windows. From simple scripts that change text files to scripts that perform mass downloads with complex GUIs, AutoIt is an easy-to-learn language that allows for quick development. However, the trend for malicious actors to use AutoIt to code malware and tools has been increasing, and it appears to be getting stronger.
AutoIt Hacker Tools
Recently, we have seen an uptick in the amount of nefarious AutoIt tool code being uploaded to Pastebin. One commonly seen tool, for instance, is a keylogger. Grabbing this code, anyone with bad intentions can quickly compile and run it in a matter of seconds.
Figure 1. FTP section of keylogger
Figure 2. Sample Code
Upon compiling and executing the script, it creates two files – one that displays the correlated keystrokes in a local HTML page, and a second file that is a zip file of the first file – likely for exfiltration.
In addition to keyloggers, RAT (remote access Trojan) builders and server administration tools are becoming more prevalent. One RAT builder identified was particularly interesting, as it showed a relatively professional level of development.
Figure 3. RAT connection tab
Figure 4. RAT server builder
Upon connecting to this RAT builder/administrator, the nefarious actor can get a remote shell and perform a litany of other system tasks on the victim. Further analysis of this RAT builder traces the developer back to several underground forums.
AutoIt Malware
In addition to tools being found on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware utilizing AutoIt as a scripting language. One piece of malware that was found in the wild was particularly interesting. This malware is a variant of the popular DarkComet RAT – utilizing AutoIt. This variant runs a backdoor on the victim machine and communicates outbound to a nefarious host at shark18952012.no-ip.info (188.161.9.226 at the time of writing) over port 1604.
Figure 5. RAT communication
In addition to this malware’s outbound communication, it also modifies the local software firewall policies to disable them, and installs itself at startup for persistence. This variant also drops the following file after execution:
File Name       MD5                                 File Type
tb2323xt.exe    a53056c5afd30f174af928bd44c05c01    PE File
Upon execution of the malware, it immediately disables the Windows Firewall. After disabling the firewall, the malware then disables the ability to get into the registry of Windows to view or undo the changes performed. Attempting to do so brings up the following error message:
Figure 6. Error message
What’s interesting about this malware isn’t that it’s a DarkComet variant, it’s that it is written utilizing AutoIt and is detected very sparsely by antivirus products. (Trend Micro detects this malware as TROJ_FYNLOSKI.BU).
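Both this post and the BKDR_TENGO.A post above publish network indicators (C&C hostnames, IP addresses and, here, the port 1604 and a dropped-file MD5). The following is an added example, not code from the original posts: a small matcher that parses firewall and DNS log lines in a constructed key=value format, reports any line that reaches one of the listed addresses or resolves one of the listed hostnames, and looks a file hash up against the published MD5. The log format and the sample lines are constructed for the example; the indicators themselves are the ones listed in the two posts.

```python
import re
from hashlib import md5

# Indicators taken from the two posts: BKDR_TENGO.A's C&C list and the AutoIt DarkComet variant.
C2_HOSTS = {
    "banana02.myz.info", "songcai89.ddns.info", "thaifruit.myz.info",
    "shark18952012.no-ip.info",
}
C2_IPS = {
    "50.93.204.62", "98.143.145.118", "100.42.216.249", "108.62.10.239",
    "192.154.102.244", "199.180.103.42", "216.70.128.124", "216.70.255.201",
    "188.161.9.226",
}
KNOWN_BAD_MD5 = {"a53056c5afd30f174af928bd44c05c01": "tb2323xt.exe (TROJ_FYNLOSKI.BU)"}

# Constructed sample log lines (not from the original posts): a timestamp followed by key=value fields.
SAMPLE_LOGS = """\
2013-05-10T09:12:01Z proto=tcp src=10.0.0.15 dst=188.161.9.226 dport=1604 action=allow
2013-05-10T09:12:05Z proto=tcp src=10.0.0.15 dst=93.184.216.34 dport=443 action=allow
2013-05-10T09:13:44Z proto=udp src=10.0.0.22 dst=10.0.0.1 dport=53 qname=shark18952012.no-ip.info
2013-05-10T09:15:00Z proto=tcp src=10.0.0.31 dst=50.93.204.62 dport=80 action=allow
2013-05-10T09:16:12Z proto=udp src=10.0.0.31 dst=10.0.0.1 dport=53 qname=www.example.com
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of its key=value fields plus the leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def match_network_iocs(log_text):
    """Return one hit per log line that connects to a listed C&C IP or resolves a listed C&C host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        reason = None
        if f.get("dst") in C2_IPS:
            reason = "connection to C&C address %s port %s" % (f["dst"], f.get("dport"))
        elif f.get("qname", "").lower().rstrip(".") in C2_HOSTS:
            reason = "DNS lookup for C&C host %s" % f["qname"]
        if reason:
            hits.append({"ts": f["ts"], "src": f.get("src"), "reason": reason})
    return hits


def check_file_hash(data):
    """Hash a file's bytes with MD5 (the digest the post published) and return the matching label, if any."""
    return KNOWN_BAD_MD5.get(md5(data).hexdigest())


if __name__ == "__main__":
    for hit in match_network_iocs(SAMPLE_LOGS):
        print(hit["ts"], hit["src"], hit["reason"])
    print(check_file_hash(b"constructed bytes, not the real sample"))  # None
```

Dynamic DNS hostnames such as the no-ip.info and ddns.info entries can be repointed at will, so the DNS lookup match is the more durable of the two signals; the address list will age faster than the hostname list.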
Why Do Hackers Like It?
The increased usage of AutoIt is likely attributable to the fact that AutoIt is scalable, very similar to BASIC, and outrageously easy to code in. This ease of use removes the learning curve of more complex languages such as Python, and opens up a wide array of possibilities to hackers who might not otherwise take up a scripting language. In addition, the ability to host code on Pastebin, natively compile it, and run applications as stand-alone executable files makes it very quick to develop in. Finally, native support for UPX packing in AutoIt makes obfuscation easy for AutoIt applications.
Conclusion
As scripting languages like AutoIt continue to gain popularity, we expect more malware of this kind to migrate to them. The ease of use and learning, as well as the ability to post code easily to popular dropsites, make these languages attractive to actors with nefarious intentions looking to propagate their tools and malware. We recommend continuing to update your anti-virus signatures as well as considering blocking access to Pastebin, Pastie and other code dropsites on your corporate network where applicable.
Compromised US Government Webpage Used Zero-Day Exploit
A new Internet Explorer zero-day exploit has been spotted in a compromised website of the US Department of Labor.
When users visit the compromised website, it loads a malicious script which Trend Micro detects as JS_DLAGENT.USR. This particular script was hosted on the compromised site itself. It loads another script (this time, hosted on a malicious server) detected as JS_KILLAV.AA.
Once executed, JS_KILLAV.AA obtains specific information from the infected machine such as the installed Adobe Reader and Flash versions as well as security applications and browsers. It then initiates a series of redirections, which ultimately leads to malicious websites, including one that leads to the exploit code, which we detect as JS_EXPLOIT.MEA.
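The first stage of this attack was a script injected into the compromised government page that loaded a second script from a malicious server. Site owners can look for exactly that pattern in their own pages. The following is an added example, not code from the original post: it parses a constructed HTML page with the standard-library HTML parser, collects every script source, and reports hosts that are neither the site itself nor on an allow list of expected third-party hosts (such as a CDN). The hostnames in the sample page are constructed placeholders, not hosts from the incident.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page (not the compromised page from the post): two expected scripts and one injected one.
SAMPLE_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="//cdn.approved.example/jquery.min.js"></script>
</head><body>
<p>Press releases</p>
<script src="http://injected.attacker.example:8080/count.js"></script>
<script type="text/javascript">var inline = 1;</script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def script_host(src):
    """Host a script is loaded from; '' for relative paths, which are same-origin."""
    # urlparse handles absolute and protocol-relative (//host/path) URLs; hostname drops any port.
    return (urlparse(src).hostname or "").lower()


def unexpected_script_hosts(html, site_host, allowed_hosts=()):
    """Return the sorted set of script hosts not on the site's allow list."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    allowed = {site_host.lower()} | {h.lower() for h in allowed_hosts}
    flagged = set()
    for src in collector.sources:
        host = script_host(src)
        if host and host not in allowed:
            flagged.add(host)
    return sorted(flagged)


if __name__ == "__main__":
    print(unexpected_script_hosts(SAMPLE_PAGE, "www.compromised-site.example",
                                  ["cdn.approved.example"]))  # ['injected.attacker.example']
```

Running a check like this against a site's own pages on a schedule, and alerting on any new host, catches the injection regardless of what the second-stage script does; inline scripts would additionally need a content comparison against a known-good copy of the page.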
This particular exploit is relatively limited in scope; according to the Microsoft bulletin only Internet Explorer 8 is affected by this vulnerability. For Windows XP users, this is the current version of IE available; both Vista and Windows 7 users have newer versions available. Once exploited, it can execute code on the infected systems. In this case, it downloads BKDR_POISON.MEA, which is a variant of the remote access Trojan (RAT) PoisonIvy commonly used in high-profile targeted attacks.
Poison Ivy, also known as POISON, has been associated with the infamous Nitro attacks that started in July 2011 and targeted certain non-governmental organizations. This RAT, which is available in the cybercrime underground, was also used in the widely-known RSA security breach in 2011.
Based on our investigation, a number of malicious domains were also appended to the said government webpage in the past, most of which lead users to dubious ad sites. We noted that some of these appear as spam hyperlinks advertising fake pharmaceutical products. Apart from this US government page, we also noted another local government site that still contains one of these spam hyperlinks.
This is just the latest in a series of high-profile zero-day attacks to hit users since the start of the year. These exploits are used to deliver a wide variety of payloads, ranging from REVETON and other ransomware to Poison Ivy, as was the case in this attack.
We are working with Microsoft to provide protection for our users, as well as monitoring for other threats that use this exploit. We will update this entry with more information as it becomes available.
Update as of 6:30 PM PDT, May 6, 2013
We have released the following Deep Security rule to mitigate any attacks that use this threat:
- 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347)
Update as of 6:30 PM PDT, May 8, 2013
Microsoft has updated their advisory to include a “Fix it” tool that serves as a workaround for the vulnerability. While it prevents known attacks from running exploit code, it is not yet a full patch, which will be released at a later time. The tool can be found here.
How Mobile Malware Uses The Web
Mobile malware uses the web in various ways. For one, in many cases, malicious URLs are classified as mobile malware disease vectors. We already discussed how cybercriminals utilize them to infiltrate mobile devices in last month’s Mobile Review, The Dangers of Third-Party Apps Sites.
Through malicious URLs, coupled with social engineering techniques, cybercriminals are able to slip malicious apps onto your devices. Since mobile malware attacks are often two-pronged, the involvement of malicious URLs does not stop there.
Cybercriminals not only use malicious URLs to infect your devices with malware, they also need them for further communication. Mobile malware such as backdoors and malicious downloaders need this communication in order to stay undetected and carry out their malicious activities on your device.
Of all the malicious apps we’ve detected so far, 17% have malicious URLs embedded in them. And among those malicious URLs, 90% are classified as disease vectors. This means that when these malicious apps are installed, they will communicate with these URLs to download other malware or malware components.
Around 60% of the malicious URLs queried by malicious apps use North American domains; while 24% and 16% use EMEA (European, Middle Eastern, and African) and Asia Pacific domains, respectively.
This is discussed in detail in our latest Mobile Review, The Communication Function of Malicious URLs.
Since malicious apps rely on malicious URLs for installation and communication, you will need a security solution that blocks threats using reputation technology. Trend Micro Mobile Security Personal Edition provides just that and protects you against malicious apps and URLs.
The State of Cybersecurity in Latin America
Trend Micro, working with the Organization of American States, has released a study outlining the current state of cybersecurity in Latin America. The joint paper is titled Latin American and Caribbean Cybersecurity Trends and Government Responses. The region has a threat landscape that differs from other parts of the world with key differences in the threats seen, the cybercrime underground, and the ability of governments to respond. (We have also created an infographic that looks at the broader cybercrime underground, which can be found here.)
Looking at the feedback provided by the Smart Protection Network, the most common threat in the Americas and the Caribbean was file infectors, as this chart of the top malware threats in 2012 illustrates:
Figure 1. Top Malware Threats in 2012
The continued prevalence of old threats like file infectors is an indicator of a population’s lack of awareness of safe computer and Internet usage.
As part of the study, we surveyed representatives from various OAS member-governments. Their responses revealed that citizens remain unconcerned and unaware of the dangers of cybercrime and hacking. Internet users in Latin America do not always keep their anti-malware solutions up-to-date and pay little attention to security concerns.
This may prove problematic in the long run, considering that internet use is increasing at one of the highest rates worldwide. As is happening now, unsafe use of the Internet is feeding the high levels of cybercrime in Latin America.
The region’s threat landscape is filled with organized groups led by a mix of political and financial motives. What makes it stand out are the new techniques and malware that allow attackers to target industrial control systems (ICS), which are critical for the smooth operations of essential services like utilities, banks, and water-purification plants.
On the other hand, the cybercriminal underground remains bent on retrieving sensitive information and profiting with the help of banking Trojans and botnets. The Latin American situation, however, has changed, probably in response to the botnet crackdowns in Eastern Europe. For instance, the region’s threat actors use free hosting services instead of hijacked servers to evade law enforcement operations. They also trade cybercrime tools and stolen information over social networks and chat services, most notably Orkut and IRC.
Figure 2. Ads for tools and information
Governments in Latin America realize these dangers and are taking steps to protect their users and critical infrastructures. However, survey responses indicate that measures against cybercrime remain patchy and uneven across the region. Many OAS member states began their cybersecurity efforts by establishing Computer Security Incident Response Teams (CSIRTs) as part of their cybersecurity strategy, as in the case of Colombia and Panama. Other countries like Chile, Peru, Mexico, Trinidad and Tobago, Uruguay, and others are endeavoring to do the same.
On the whole, political leaders are aware of the dangers of cybercrime and hacking but efforts are often restricted by the lack of resources dedicated to building cybersecurity capacity and shortage of specialized knowledge and expertise to implement technical policies.
The study includes three recommendations for governments and organizations in the region to help improve the state of cybersecurity. These are:
- Raise awareness of safe cyberhabits and general cybersecurity awareness among Internet users, critical infrastructure operators, and government employees, a cheap and effective way to minimize cyber risks and close security gaps that remain wide open.
- Invest in and promote enrolment in technical-degree programs to ensure an ample pool of qualified candidates from which to draw professionals that will be needed to fill the increasing number of information security careers.
- Continue strengthening policy mechanisms to assign governmental roles and responsibilities related to cybersecurity and codifying information-sharing and cooperation mechanisms.
You may read the full paper here. For Spanish-speakers, you may also read the full paper in Español.
Fake Iron Man 3 Streaming Sites Sprout on Social Media
While users are trooping to the cinemas to watch Iron Man 3, some may scour the Internet for bootleg copies or free movie streaming. Unfortunately, this gives the bad guys an opportunity to serve users with their dubious schemes.
We conducted a simple Google query and found more than a hundred websites claiming to provide movie streaming of Iron Man 3. (The movie has already opened in some countries but not the United States, making these claims more credible at first glance.) These supposed streaming sites use popular blog providers, with half of them hosted on Tumblr.
Figure 1. Half of the fake Iron Man 3 sites we found use Tumblr
Once visited, these sites would ask users to download a video installer file. Based on our analysis, we found that this file was what it said it was – a legitimate video player. This particular video player has been known to display aggressive ads in the past, although we did not see that behavior this time. In addition, the player could be used to download and view pornographic materials.
However, it’s still possible that these legitimate files would be replaced with malware at a later time. Thus, it won’t be a complete surprise if we find a malware-hosting webpage disguised as an Iron Man 3 streaming or downloading page anytime soon.
Unsurprisingly, some bad guys have also used Facebook to spread links advertised as providers of free Iron Man 3 movie streaming. Users may encounter these as posts in their Facebook feed, together with a link to the said site. But once users click the link, they are redirected through several web pages until they land on yet another survey scam, not to mention spamming their Facebook contacts with the same post. Other similar ruses we documented in the past include the “Facebook Profile Viewer” and the survey scam under the veil of the much talked-about Google Glass competition.
Figure 2. Screenshot of page leading to survey scam
Needless to say, these sites do not lead to the actual Iron Man 3 movie. Some of these sites, however, may ask users to register and ask for their credit card number, which is highly suspicious.
High-profile summer flicks like Iron Man 3 are typical cybercrime baits because they have been effective in tricking users into visiting shady websites, including those that host malware and dabble in survey scams. Because of the clever use of social engineering tactics, users may end up falling into the bad guys’ traps. Thus, it is important to be aware of how social engineering works and to be conscious of what you click and share on your Facebook and other social media accounts. Trend Micro blocks the sites and domains related to this threat.
With insights from Fraud analyst Paul Pajares.
