Lately, we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.

Figure 1. Notice supposedly from Walmart

In this campaign, some of the URLs lead to Cyrillic domain names.  These domains were translated into the English alphabet through punycode. Punycode is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see its original format.

The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult.

This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are lead to the site hosting a malware (detected as TROJ_PIDIEF.SMXY), which exploits a in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system.

This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon.

Whether facing old or newly-improved threats, several computing practices can provide your best defense. Always be cautious of email messages before clicking the links or downloading attached files. Always verify with the vendor to check if these emails are legitimate. Regularly install the latest security updates from software vendors to avoid threats targeting dated vulnerabilities.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Blackhole Spam Run Evades Detection Using Punycode

Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.

This research paper documents the operations of a campaign, which was able to compromise the following types of organizations:

• government ministries
• technology companies
• media outlets
• academic research institutions
• nongovernmental agencies

The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

During our investigation of the C&C servers associated with this campaign we discovered archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.

While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear.

This white paper has been written to help understand and document the tools, tactics and techniques used in this campaign. Our full findings, including indicators of compromise and recommendations, are contained in our research paper, which can be downloaded here.

Please note that there are references in the attack itself to “SafeNet”; there is no connection between this attack and SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Hiding in Plain Sight: A New APT Campaign

I found the following accounts who wanted to ‘follow’ me on Instagram. This is the standard if your Instagram account is set to private. While checking these requests, the security researcher inside me noticed something off with some of the accounts.

Figure 1. Screenshot of Instagram request

To my validate my suspicions, I checked the page of these Instagram accounts and noticed that they all posted this “Get Free Followers!” photo. This post reminded me of the Pinterest free items promo survey scam we blogged in the past.

Figure 2. Get Free Followers Post on Instagram

Another thing that I found dubious is that these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”.

Figure 3. Screenshot of sample spamming account

Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was lead to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.

Figure 4. Page offering ‘Get Free Follower’ app

Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work.

Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes.

Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking sites and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintance. Caution is your best defense. Trend Micro protects users from this threat by blocking the related URLs.

To know more about how these scammers (or online crooks in general) use and benefit from your data, you can check out our infographic How Cybercriminals Are Getting Better At Stealing Your Money.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead

We first looked at the sites that hackers had compromised as part of the OpUSA campaign. It quickly became apparent that there were patterns in the compromised URLs: the attackers had frequently uploaded files with names like islam.php, muslim.htm, jihad.htm, and usa.htm to the compromised site. A legitimate visitor would never visit or see these particular URLs, as they were completely separate from the main site and, in effect, “hidden”.

Looking at the feedback data provided by the Smart Protection Network, we found something very curious. We found that the URLs that fit the pattern had been accessed the day before the alleged attacks, on May 6. Legitimate users would not be visiting these sites, as we said above. So who was visiting these URLs?

Based on other evidence, we were able to determine that the sites had been compromised at least two days before May 7. This indicated that the traffic we saw was probably malicious – the attacker, perhaps, checking that the (compromised) site was still up.

Figure 1. Near-identical lists of compromised sites

However, the attacker was not doing so directly. We believe that the attacker was doing so via an infected machine that he was using as a proxy; one particular machine that was used this way had detected 89 malicious or suspicious files and accessed 173 malicious websites in the past 30 days. This indicates this particular machine had already been extensively affected by malware, and was in use by cybercriminals for all sorts of purposes – including as a proxy “service”.

Figure 2. Number of malicious files detected

What can users learn from this event? Primarily, it’s to treat the damages claimed in these sort of “campaigns” with some skepticism. Based on what we saw, attackers can “stockpile” compromised sites and release them when a major “campaign” like this is conducted, to make their claims of damage more impressive.

For security professionals, it’s a reminder that campaigns like OpUSA are not always a good indicator of when threats are likely to escalate. Preventing infection ahead of time can ensure you’re not caught up when attackers “flip the switch” on these high-profile campaign.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Failed OpUSA Attacks Show How Hackers Operate

This roster of updates include two Critical bulletins addressing Internet Explorer (IE). The first one resolves around a vulnerability found on IE versions 6 to 10 on all Windows OSs, from Windows XP to Windows 8. It also addresses the vulnerability in IE 10 uncovered during the Pwn2Own contest last March.

The other critical IE bulletin deals with a vulnerability limited to IE 8, which made the headlines recently because of a related zero-day exploit found in a US Department of Labor webpage. Based on our own investigation, users visiting this compromised site are lead to a series of redirections until their systems are infected with a BKDR_POISON variant.

Even before this month’s release, Trend Micro Deep Security has been protecting users from this vulnerability via rule 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347).

The rest of the bulletins were tagged as Important, which includes a security flaw in Windows that may lead to a denial of service (DoS) attack.

Just like last month, Adobe also released their security bulletins today, which include fixes for Adobe Reader and Acrobat, Flash Player. The software vendor also issued a “security hotfix” for a ColdFusion vulnerability, which is reportedly being exploited in the wild.

Users are advised to implement these bulletins as soon as possible to avoid exploits similar to the US DoL incident. For more details about how Trend Micro can protect users, you may refer to this Threat Encyclopedia page.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

May 2013 Patch Tuesday Includes Critical IE 8 Zero-Day Issue

We recently spotted a fraudulent website which is pushed by ads found in multiple Android apps. (Some of these apps were downloaded from the Google Play store, while others were found from third-party stores.) These ads use popular brands as hooks like “iPhone 5” and “Samsung Galaxy Note II” and supposedly selling these items for a ridiculously low price. Once users click the ad, it will lead them to a website which shows many means to buy the said phones.

Figure 1. Ad for Samsung Galaxy Note II

Figure 2. Ad for iPhone 5

In reality, these sites are just scam sites that try to defraud users out of their money. They do not actually sell the devices they are promoting.

Figure 3. Fraudulent website advertising Samsung Galaxy Note II

Figure 4. Fraud website with iPhone 5 ad

These ads are being delivered by a large, mainstream ad network, which claims to be used by more than 90,000 apps. While this attack is currently limited to Chinese users, because of the large number of apps on this particular ad network it is possible that similar attacks will be delivered to other users in the future.

Last March, we blogged about Google’s decision to remove apps that block ads and the potential risks this may pose on unsuspecting users. No doubt the insufficient audit of ads on the Android platform may lead to more fraud, phishing attacks or even malware distribution. We recommend ad providers to provide more powerful audit mechanisms to protect users from attacks leveraging ads.

Trend Micro protects users from this attack by blocking the said malicious website. We also advise Android users to be cautious in clicking ads on their devices as this may potentially lead to information and identity theft. For better protection of your devices, users should also be wary of other mobile threats like malicious URLs and mobile phishing sites.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Mobile Ads Pushed by Android Apps Lead to Scam Sites

Overall, CeCOS featured 23 sessions divided into eight tracks, including two panel discussions. Aside from attending interesting talks, I also participated as a speaker at the event.

I was very much interested in attending two talks: the National Field Reports and Mobile Attack Sessions. The National Field report particularly intrigued me, as it argues that the threat landscape of a particular country is a reflection of what’s happening globally.

By now, it’s pretty much established that the mobile platform is the latest cybercrime battlefield, so I think it’s crucial to know what’s happening in the mobile threat front.

As I mentioned earlier, I also participated as a speaker. As the representative of the anti-phishing council of Japan (CAPJ), I gave the talk Finding the Banking Trojan in Eastern Asia.

Speaking at CeCOS VII

Japanese-language phishing emails were first spotted in 2004 and since then, these mails have poured in and caused serious damage. As technology developed, these emails took more subtle forms, which made detection more difficult. In addition, instead of direct links to phishing sites or a malicious attachment, phishing sites instead contain links to compromised sites that eventually lead users to malicious sites that contain exploit kits.

As we all know, attackers are already expanding their threats to other platforms, particularly mobile. Thus, I presented my analysis of ANDROIDOS_CHEST, which targets Android OS and was reportedly found affecting South Korea. Users would receive text messages offering free coupons for either movie tickets, fast food, or coffee if the user downloaded an app, which was actually ANDROIDOS_CHEST.

The malware monitors and gathers text messages in order to defeat two-factor authentication done via text messaging. ANDROIDOS_CHEST then sends the gathered messages to the attacker.

The most important question though is, how can users protect themselves from the threats of phishing? The CAPJ has these tips:

1. Keep your computer safe.
2. Beware of suspicious emails.
3. Access and bookmark legitimate URLS.

Another helpful advice is to always keep your systems updated with the latest security patches for your system. As Banking Trojans are usually delivered through exploit kits (by way of phishimg emails), users are protected from exploits that target old vulnerabilities.

Trend Micro provides tools and technologies that help protect users against security breaches and data theft. Trend Micro DirectPass manages your passwords so that using and remembering unique passwords for multiple accounts is no longer difficult. Trend Micro Mobile Security protects against threats like ANDROIDOS_CHEST that are on mobile devices. The Smart Protection Network provides both email and web reputation, blocking these threats before they arrive on user systems.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Finding Banking Trojans in Eastern Asia – Report From CeCOS VII

All this stolen information ends up for sale in the underground to the highest bidder. From there, it can be used in many uniformly illegal ways - from identity theft, to credit card fraud, to launching attacks on other users. They can also be used to buy either expensive goods (which are then shipped to the cybercriminals), or pay for “bulletproof” web hosting that is frequently used for malicious sites. These may not cost that much individually, but the losses to users can be significant.

It’s not just the fruits of cybercrime that are bought and sold in the underground – so are the tools, like exploit kits, vulnerabilities, and malware toolkits as well. Price tags here can reach the thousands of dollars, particularly for more advanced and sophisticated tools.

There is so much money in the underground that it has become organized and systematic, much like real-world businesses. While the specifics of how the underground has organized itself varies from region to region, the mere fact that it has organized itself is noteworthy – both to allow for more information and tools to be sold, as well as reducing the risks of getting caught.

Our new infographic – The Cybercriminal Underground: How Cybercriminals Are Getting Better At Stealing Your Money – explores what items are being sold and bought in the cybercrime underground, how the underground is organized, and how users are directly affected. It’s an excellent way to understand what users are up against in securing their information online. It may be viewed by clicking oh the thumbail below:

To view all infographics from TrendLabs, visit http://about-threats.trendmicro.com/infographics.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

How Cybercriminals Are Getting Better At Stealing Your Money

We found this particular threat via feedback provided by the Smart Protection Network; we detect it as BKDR_TENGO.A. It passes itself off as a legitimate system DLL file, winmm.dll, like most of the Winnti samples. We believe that this was done using a legitimate tool called Aheadlib, which is a legitimate analysis tool. Aheadlib accepts any DLL file and is able to construct C code to hook all the functions provided by the original library. This is very useful in analyzing malware, but can also be abused to help create files that pass themselves off as legitimate system libraries.

We suspect that this was used in a targeted attack. Despite this, however, the file is not encrypted and neither was it particularly hard to analyze. Its main behavior is to steal Microsoft Office, .PDF, and .TIFF files from USB drives inserted into the system. These stolen files are stored in the $NtUninstallKB080515$ under the Windows folder. It also creates a log file named Usblog_DXM.log. The files can be retrieved by the attacker at a later time. Aside from retrieving files, it has several backdoor commands which allow the attacker to take control of the system. (The full list of commands can be seen in its Threat Encyclopedia entry, which we’ve linked to above.)

Two of the commands - Help and MainInfo – will show the name of the backdoor, as well as the C&C servers it is using. The full list of possibly malicious IP addresses and servers we’ve seen it connecting to is:

• 50.93.204.62
• 98.143.145.118
• 100.42.216.249
• 108.62.10.239
• 192.154.102.244
• 199.180.103.42
• 216.70.128.124
• 216.70.255.201
• banana02.myz.info
• songcai89.ddns.info
• thaifruit.myz.info

Two of these IP addresses proved to be of particular interest, namely 50.93.204.62 and 98.143.145.118. They are located in the United States, but multiple Chinese-language domains point to them. All of these have been blocked as command-and-control servers.

This attack highlights how information theft can be performed even with malware that is not particularly advanced or sophisticated. It also shows some of the challenges in attributing attacks of this nature.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Backdoor Built With Aheadlib Used In Targeted Attacks?

Figure 1. Homemade browser ad

Users that clicked the download link download a zip file. Inside this compressed file, there two executable files: one was the browser itself, which is called Navegador BB, and another which has the file name Plugin_Navegador_2.1.3.exe. (We detect these as PE_PARITE.A and WORM_LUDER.USR, respectively.)

The third file is a text file which contains instructions to run Plugin_Navegador_2.1.3.exe first, and then run the browser. The “plugin” actually steals the user’s bank information. Meanwhile, the browser fools the bank site into not needing the usual security plugin by pretending that it is a mobile browser, as can be seen by examining the User-Agent HTTP header (click on the thumbnail to see the full strings):

Figure 2. Strings used to spoof the User-Agent header

It’s also worth noting that this homemade browser doesn’t even have an address bar, or any other place to enter a URL. It only has a single button that sends the user directly to the bank’s site.

Figure 3. The homemade browser accessing the mobile Banco de Brasil site

This is not the first time that cybercriminals have tried to fool users in Brazil with fake apps to make accessing sites more convenient. Previously, we found an application that claimed to get the credit scores and criminal records of Brazilians.

One more thing to note. The author of this “browser” also created a version of BANCOS that ““outsourced” its distribution to lower level cybercriminals.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Homemade Browser Targeting “Banco do Brasil” Users