With millions of users going online every second, the Internet isn’t exactly the safest place to be. In light of this, have you ever asked yourself: how much do I know about my virtual neighbors?

Make no mistake about it: cybercriminals are out there lurking around your online neighborhood. They may pretend to be a trusted contact, a well-known vendor, or even a new friend you made online.

Here at Trend Micro, we believe in empowering users through knowledge and awareness. Though investing on a trusted security suite is highly recommended, every netizen should also know who they are dealing with. By knowing who your online enemies are, you’re already protecting yourself from becoming a victim of cybercrime information theft and actual money loss. To know more about the enemies in your virtual neigbohood, check out our latest infographic.

Post from: TrendLabs | Malware Blog - by Trend Micro

Know Your Enemies Online [INFOGRAPHIC]

Here, you can see the developer’s name which appears to be quite similar to the one who developed the popular game, Angry Birds. You’ll notice, though, that the said popular game is not on the list of this particular developer’s offered apps.

It is quite tricky and easy to miss. Users would really have to check the developer’s name closely on the “More from developer” tab to see the real name.

However, it seems that cybercriminals are now learning to play the apps stores’ reputation system. The popularity of the game Temple Run was used to trick users before, and this time, the reputation of the app developer Rovio Mobile Ltd. was used. We expect that more cybercriminals will continue with this method, so it is very important for users to be informed of how they can avoid being victimized.

Read our entry, Checking the Legitimacy of Android Apps to learn more about installing apps onto Android-based devices or visit our Mobile Threat Information Hub for more tips on keeping your mobile devices safe.

Trend Micro already detects the apps shown above as ANDROIDOS_FAKECLICK.ER. The said apps have already been taken off the Android Market.

Post from: TrendLabs | Malware Blog - by Trend Micro

Trending Scams Seen in the Android Market

The server, located in Germany, is managed by a hosting provider known as a haven for cyber criminals.

We found a total of 1,351 websites hosted on the said server and categorize the sites into five segments based on the type of guise they use for the distributed malware:

• Android Market apps
• Opera Mini/ Phone Optimizer apps
• Pornographic apps (sites were unavailable during time of checking)
• App storage sites
• Others (sites that were inaccessible during time of checking)

As for the unavailable sites, it seems that the attacker is still setting them up, or has permanently taken them down. The domains listed under App storage sites, which hosts Apps featured in the other domains, are inaccessible. However, the hosted Apps were still up thus making them available for download through the Android Market App and the Opera Mini/Photo Optimizer App sites.

The sites under Android Market apps displayed a website very much similar to the legitimate one. They feature popular applications like WhatsApp, Facebook, Facebook Messenger, Barcode Scanner, Skype, Google Maps, Gmail, YouTube, and others. The files downloaded from such sites are now detected as ANDROIDOS_FAKENOTIFY.A.

On the other hand, the sites that feature download links for Opera Mini and Phone Optimizer lead to J2ME_SMSSEND.E - a malware that can run on devices that support MIDlets.

Among all the categories mentioned, most of sites promoted Opera Mini updates and Photo Optimizer Apps compared with others. Here is a graph showing the distribution of domains based on the categories:

Trend Micro Mobile Security users (both Android and Symbian) are already protected from this threat. All of the malicious domains and files are blocked and detected respectively.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malicious Mobile Apps Found in Server Hosted in Germany

This copy of Temple Run (or so it claims) is seen as available on the Android Market. But if you’ll check the information on the game developer, you’ll see that it is not the same developer as the one in indicated in the iOS version, which is Imangi Studios.

The usage of popular games is not really new, as we’ve already encountered other Android malware that have used them to hide their malicious activities:

• New Android Malware on the Road: GoldDream “Catcher”
• Trojanized Android App Checks for Keywords in SMS Messages

Imangi Studios, the developer of Temple Run, announced that they will release the Android version of the game this February 2012. Users can monitor updates about the release via the apps legitimate developer/fan page.

With more than 10 billion app downloads  last year from the Android Market, the Android  OS is undoubtedly one of the most popular mobile platforms around. Naturally, its popularity makes it a likely target for cybercrime. In our 12 Security Predictions for 2012, we are expecting that smartphones, tablets and particularly the Android OS will suffer more attacks this year.

Users need not worry as their mobile devices are protected from this threat with Trend Micro Mobile Security via pattern 1.187.00. Trend Micro Mobile Security is powered by the Trend Micro™ Smart Protection Network™.

On the other hand, to avoid being tricked into downloading fake apps, users may follow the tips we shared in our post, Checking the Legitimacy of Android Apps, as well as the information in our Mobile Threat Information Hub.

Post from: TrendLabs | Malware Blog - by Trend Micro

Fake Version of Temple Run Unearthed in the Android Market

Sendspace was recently used for dropping stolen data but wasn’t done automatically by malware. As reported late last year, hackers used Sendspace for rounding up and uploading stolen data.

However, this is the first time we’re seeing malware being used to upload stolen data to the file hosting and transfer site.

In this attack, the infection starts off with a malicious file, Fedex_Invoice.exe, detected as TROJ_DOFOIL.GE. The file name used for this particular malware suggests that it is being used for a spam campaign, specifically one that uses messages disguised as a FedEx shipment notification. We are currently trying to find a sample of the mentioned spammed message.

Once executed, TROJ_DOFOIL.GE downloads and executes  TSPY_SPCESEND.A.

TSPY_SPCESEND.A is a “grab and go” Trojan that searches the local drive of an affected system for MS Word and Excel files. The collected documents are then archived and password-protected using a random-generated password in the user’s temporary folder. Here’s an example of an archive of collected documents:

Malware utilizing free online services are definitely not unheard of. Utilizing a public file hosting site is yet another clever way for cybercriminals to store stolen data as they do not need to set up a server that will store large amount of data.

Trend Micro Solutions Evangelist Ivan Macalintal shared that this technique of posting stolen/exfiltrated data to ‘extended networks’ or external file storage infrastructures can fast become a trend with the criminals. “We’ve seen dropsites/dropzones for stolen/exfiltrated data that are hosted also within domains owned by the cybercriminals. Now, we’re seeing legitimate ‘clouds’ being used by criminals where they can drop and pickup their loot,” he explained.

In addition, this highlights a serious concern for the security industry and users alike. Document theft and exfiltration are now not only seen in targeted attacks, but in mass campaigns as well.

Trend Micro Smart Protection Network™  protects users from this threat by blocking the malicious files, and the C&C URL. We will update this entry once we’ve gained more information about the related spammed messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Uses Sendspace to Store Stolen Documents

We thought that there was nothing much to see when we looked at the downloader’s sample at first glance. It’s a VB-compiled executable file which does nothing but perform an HTTP GET request to an HTML page.

When accessed using via a browser it looks like a harmless web page until you decode it.

As pointed out by Microsoft, this downloader turns out to be different from others. Instead of downloading another binary to execute, it merely executes the downloaded code in the harmless-looking file’s context. To do this, the malware converts it to functional code, then executes it via DllFunctionCall.

The executed shellcode is actually a variant of the BKDR_POISON malware family which was used in a number of targeted attacks last year.

A Brief Background on BKDR_POISON

Also known as PoisonIvy, the BKDR_POISON family has been rampant for years. This could be attributed to the fact that its builder is easy to use and is freely available for download from their website. Its auto-start mechanism, as well as the mutex and file names of the malware copy is configurable via the builder, so each generated sample does not necessarily have exactly the same behaviors.

Its backdoor functionalities include keylogging, monitoring audio/video, capturing screenshots, managing processes and services, accessing or uploading files, and many more. In other words, it basically gives the person on the client side full access of the infected system.

Integrating BKDR_POISON with another malware is easy, since the backdoor’s builder gives the user an option to generate the shellcode instead of an entire executable file.

In the case of the downloader we mentioned above, once it executes BKDR_POISON’s shellcode, it inherits the backdoor’s behaviors as a result.

As opposed to downloaded binary files that can be detected and analyzed independently, a shellcode needs to be analyzed with the executable file which inherits its behaviors. If security researchers don’t get the right pair of shellcode and executable (e.g., if the executable file is hidden or encrypted), then the shellcode might be left undetected.

According to Threat Research Manager Jamz Yaneza, another difference between the two files is the way they are executed. “The Poison Ivy builder outputs either: a Windows executable binary, or a Windows shellcode. The only difference between the two outputs is that the shellcode version needs to be injected directly into memory using a separate process (ex. via an exploit) versus having it activated using the regular file execution flow of a full binary file.”

He also added that “because shellcode does not require a full file download, it can instead be used directly in an attack, and can even sport some of the usual obfuscation tricks used in a full executable format such as encryption — all of this in memory and bypassing many of the more traditional file-based scanners.”

BKDR_POISON Poses A Bigger Risk In the Future

Here’s what we know so far about the downloader:

• It accesses a plain text file from a certain URL which contains shellcode. This is then converted by the downloader to become a functional code
• Shellcode is NOT saved
• Trojan downloader executes the malicious code

Here’s what we know about BKDR_POISON:

• It is easy to integrate with other threats
• It has backdoor functionalities that have been used in targeted attacks in the past

With the downloader’s dynamic behaviors and the fact that it is still currently in its simple version, cybercriminals may still improve on it and turn it into something more problematic. Mixing it with BKDR_POISON, which we know is notorious for being related to targeted attacks, could pose challenges for the security researchers’ side. Here are some of the possible scenarios which could make this combination a noteworthy threat:

Scenario 1: If HTML is encrypted or shellcode is hidden in pictures, such as in steganography. From a threat analyst point-of-view, a security researcher might find the URL as unnecessary as it only points to a picture. By not blocking the said URL, users are left unprotected. In fact, steganography was actually already used by TDL4.

Simply encrypting the shellcode itself may give this malware a greater chance of making analysis harder. If the decryption routine is placed in the downloader, then a security researcher will not be able to analyze the shellcode without a copy of the downloader.

This technique is already being done by cybercriminals in ZBOT. ZBOT’s configuration files are encrypted and can only be analyzed properly if done so with its corresponding binary file.

Scenario 2: Server side checks user IP address or location which returns different payloads depending on the location. In a situation that an infected user is in China and the malware analyst is from the US, they could end up getting different shellcodes. The analysis would not match with infection, making it difficult to clean a system if the user and analyst yields two types of infection chains. For example, if they see that the malware is accessing the URL via Trend Micro’s IP, the malware may not reveal its actual payload.

Scenario 3: The customer is already infected, but the related URL becomes inaccessible. The threat analyst may end up having no idea what really happened since the shellcode is no longer available. This type of downloader may keep us in the dark.

Surely, there are still ways to get around these routines, but doing so may not be easy. The fact that the downloaded binary is NOT saved as a physical file makes it even more challenging. However, using technology such as reputation and cloud can definitely help remedy this situation. Trend Micro users are protected via the Smart Protection Network™ with Web Reputation Technology which blocks malicious URLs. File Reputation Technology detects the related malicious file BKDR_POISONDLD.A

Post from: TrendLabs | Malware Blog - by Trend Micro

BKDR_POISON: More Challenges Ahead

Increasingly, threats to users are “going mobile” – and quite comfortably it seems. The mobile threat landscape has grown exponentially ever since the first proof-of-concept Palm Trojan was found. Mobile and tablet users are now seeing the same kinds of threats seen in the PC-world. Here are some scenarios that show the increasing similarities:

1. More than five years ago, a common tactic that cybercriminals used was getting reconfigured modems to call out to premium service and long distance numbers. Today, mobile malware frequently attempts to sign up users to premium services with regular subscription fees. Other times, they will transmit pilfered credentials and data to attackers, not caring about the user’s (limited) data plan, a potentially unsecured WiFi hotspot, or roaming with an expensive data plan.
2. For twenty-odd years the predominant malware threats were viruses, then it was worms and today its mostly one-time use Trojan downloaders. All this was just a means to an end; to keep your systems infected and compromised and prolong the threat. On mobile platforms, we already have data stealing Trojans tucked away in the guise of a useful mobile app but which silently record and transmit your data in the background.
3. Multi-staged and cross-platform threats from PC-to-mobile and back are already happening. Some variants of the ZeuS banker malware monitor your PC and online transactions; when it detects a request for secondary verification will send a Facebook link to your mobile phone to retrieve the data and thus fully get access to your online financial records.
4. Almost everybody I know receives some form of email on their mobile device, which basically mirrors whatever they get on your desktop. They are therefore subject to all the same phishing and spam that one gets on the PC-platform.
5. Exploits and threats such as man-in-the-middle attacks and broken SSL connections are things one hears about on PCs. However, today’s smartphones run more than ten times faster than PCs did in the 1980s. Together with the smaller screens and lack of full fledged tools to investigate things that are running in the background, this means that mobile/tablet users will be even more unaware to the fact that they are under attack or are victims.

These same devices are being brought into companies and increasingly adapted with BYOD (bring-your-own-device) policies that increases productivity. However, many companies do not treat these “mobile PCs” with the same caution as full-fledged laptops and desktops that follow policies and guidelines.

The rash of mobile apps that monitor and steal user information, and applications that are able to bypass even the most stringent vetting processes is proof that the mobile threat is here and now. As technology continues to integrate and make online access ubiquitous, everyone should become more aware of safe computing guidelines no matter what platform they are on.

How can users avoid becoming the next victim? Even when using mobile devices, there are anti-malware and content filtering solutions available. When partnered with some safe computing common sense, this adds another extra layer of protection against many of the common threats out there. Don’t forget to upgrade/update your firmware and your mobile apps as soon as they become available. They aren’t just there to make things pretty, but are released as bug fixes to reported issues.

Our previous thoughts about the mobile malware threat may be found in the following posts:

• How Big will the Android Malware Threat Be in 2012?
• 2011 in Review: Mobile Malware

Post from: TrendLabs | Malware Blog - by Trend Micro

Mobile Threat Landscape: A Decade Later

Other external reports tell of the millions of app downloads with similar suspect code, which led to coining it as the “largest Android malware outbreak ever”. In that report, the analyzed application is a puzzle game. It starts a service that can create a shortcut, get/set bookmarks, post device information to its server (including IMEI, brand, device, model, operating system, OS version, display metrics, locale), set notifications, and set browser homepage.

Our findings show us that this application can be categorized as adware since it appears to be simply used for advertisements. A more appropriate term may be “mobile app adware” with the SDK (software development kit) being used for legitimate download upfront revenues so that people can download them from various mobile app distribution sites. The app’s basic functionality is as was claimed: install a search shortcut and serve ads through that app. Its behavior does not send any private personal data to external server. In short, it turns out to be a monetizing ad service so that app developers can make more money from their free apps. This is basic search monetization.

“Mobile App Adware”

At this point this is a perfect example of “mobile app adware.” This is bolstered from the fact that the current business model is for an SDK integrated into the app and is used for legitimate download affiliate revenue. In today’s content-serving business and marketing model, this makes it practically the same as what is being done on desktop PCs.

Threat Response Engineer Erika Mendoza adds “taking ad networks into consideration, I think it makes more sense now that a lot of applications are bundled with code similar to this. This mobile adware is quite aggressive, but it still depends on the user if they consider this annoying behavior malicious.”

But researchers at Lookout Mobile Security don’t think that this behavior means it’s a malware attack, rather, it is an “aggressive form of an ad network.” We agree with the claim that it isn’t malware per se, however, the issues regarding this involve how mobile information is gathered and stored. There are also potential privacy issues down the line which today users may not understand the possible ramifications of until much later.

It is common for any installed app to retain whatever install rights provided as well as whatever social network or interaction it is allowed. These settings can be retained even if the initial app is removed and reused as a default. In reality, with several hundred apps downloaded with varying purposes and with each mobile device having varying user set protection levels, there are just too many variables to track.

We will consistently provide information about the threat potential, however it’s up to the user’s consent to make an informed decision whether to proceed with downloading the app or not.

The Risks of Search Monetization for Mobile

Of course, there are a lot of potential issues with search monetization hitting the mobile platform. As previously discussed in our 12 Security Predictions for 2012 report, the smaller screens and limited user interface make it a bit more difficult even for the most tech-savvy researcher to figure out what’s going on in the background. This makes it even more difficult and impossible for a regular user to manage. With the recent reported privacy and information theft incidents last year, it is even more critical that users be aware who has their metadata (product preferences, search history, etc) and how its being managed, wherein right now, exists predominantly in the cloud.

Over and over, it’s been said that we are living in the post-PC era. One indication is that tablets were one of the most gifted things last holiday season. As such, this poses as a natural progression of where the money and people’s attention is: ads in the daily newspaper to magazine ads in the magazines, to cable TV, desktop PCs, and now on mobile devices. Who knows where search monetization could land next? Clearly, search monetization is here to stay.

Everyone should be concerned about installing any app on their phones. Your phone stores data, and depending on the level of which you’ve patched it, the best defense anyone has is to be aware of the sort of information you put out.

Post from: TrendLabs | Malware Blog - by Trend Micro

Search Monetization As a New Threat to the Mobile Platform

The said attack begins with a post on affected users’ wall inviting other users to install a Valentine’s theme into their Facebook profile.

It also installs itself on the users’ browsers as an extension named  Facebook Improvement |Facebook.com.

Once this malicious browser extension is installed, it will monitor the users’ browsing activities and redirect their page to a survey page asking them for their mobile number. Users who clicked on the post using Internet Explorer (IE) will be redirected to the same survey, without them being asked to download anything.

Upon further analysis, we discovered that the attack is much more effective if the users are employing either Google Chrome or Mozilla Firefox. It resembles a legitimate extension download, thus requiring less user interaction than in the case where Internet Explorer is used (in which case the user is redirected to surveys).

With the focus of the attack mainly built around the concept of pretending to be a valid Chrome extension, we can reasonably conclude that Chrome users are the main target of this particular attack, with the IE redirection as more of an afterthought. But while there may be browser activity monitoring involved, TROJ_FOOKBACE.A does not seem to have any information theft techniques.  It fits the criteria of a clickjacking attack more, where it automatically ‘likes’ several Facebook pages as well as automatically posts a message on the affected user’s wall.

The fact that the attack itself is focused on Chrome and Firefox may mean that cybercriminals are targeting extension-compatible browsers, as well as going after more popular browser choices. This is not the first attack of its kind, but considering that extension-capable browsers are coming to the forefront now, it serves as a warning to all of us that this may be a continuing a trend that the malicious entities of the Internet are going to follow in the foreseeable future.

Trend Micro protects users from this attack via Trend Micro™ Smart Protection Network™  that detects the malicious file and blocks all related malicious URLs.

Post from: TrendLabs | Malware Blog - by Trend Micro

Facebook Valentine’s Theme Leads to Malware

You’ve probably also heard of Trend Micro’s research of the Lurid attacks which showed that the attackers are interested in non-US targets but more importantly,  such attacks should be seen as “campaigns” and not isolated attacks.

But what about all the great APT related research that you probably haven’t heard about?

Here is my personal Top 10 11:

1. The “Contagio Dump” and “Targeted Email Attacks” Blogs – Mila Parkour and Lotta Danielsson-Murphy have been posting information that fuels much of the research in this area. While malicious binaries are often available for analysis, the content of the socially engineered email is often elusive. These blogs have been providing a unique insight into the realm of targeted attacks.
2. The CyberESI Blog – The team at CyberESI has been posting detailed analysis (and I mean detailed) of some of the most prolific malware families. In my view, their analysis has set the bar for reverse engineering in this area.
3. Htran –Joe Stewarts research on Htran was over shadowed by the ShadyRAT report but I think it was the most innovative research papers this year because it tackled the attribution problem by looking behind the source IP’s of attacks to reveal the actual location of the attackers.
4. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains – Hutchins, Cloppert, and Amin explain how to track the phases on an attack and group multiple incidents into a “campaign”. This is a must-read for anyone tracking APT.
5. “1.php” – This report by Zscaler on a particular campaign thoroughly maps out and analyzes the command and control infrastructure (C&C) and presents the results in a way that is actionable for defenders. Moreover, it contains insightful commentary on information disclosure in this area.
6. APT Secrets in Asia – Xecure’s presentation at this year’s BlackHat demonstrated their research in clustering malware into groups based on common attributes. I really like the clustering technology they are working on as well as the term they introduced “NAPT” (Non-Advanced Persistent Threat).
7. M-Trends – This report by Mandiant is an excellent overview of the attackers’ methodology as well as remediation strategies. In addition, it contains Mandiant’s work on investigating persistence mechanisms, particularly “DLL search order hijacking.”
8. Sykipot – AlienLabs documented the trends in targeting (UCAVs) surrounding the Sykipot campaign as well as exploits, malware and command and control infrastructure used by the attackers.
9. “What is an APT without a sensationalist name?” – Seth Hardy’s presentation at SecTor provided a much needed critical look at the hype surrounding APT along with a detailed technical analysis of a particular malware “SharkyRAT”.
10. “Moli Hua” – Greg Walton documented an attack on journalists that leveraged Facebook and an MHTML exploit for Gmail that allowed attackers to add their own email addresses as “delegated accounts”.
11. “My Lovely Wood” – This paper by Frankie Li provides a detailed technical analysis of malware used in a targeted attack.

Post from: TrendLabs | Malware Blog - by Trend Micro

Top APT Research of 2011 (That You Probably Haven’t Heard About)