However, its apparent simplicity and low cost comes with a downside. The Raspberry Pi is not a simple “device” with limited capabilities; it is a fully capable computer. The same pitfalls that befall normal desktop computing can  hit the Raspberry Pi, if it is not properly secured.

Some uses of the Raspberry Pi actually turn them into servers, and that is something that users may not really know how to secure. For example, some people have made the Raspberry Pi into a server that controls their home automation system, or allows users to watch videos served by the Pi remotely.

For many uses of the Raspberry Pi, security isn’t much of a concern – it will never be online or even exposed to external input that could be used as an infection vector. The trouble comes when it’s used in situations where it is online – particularly as a server – where it’s at potential risk. For example, some automated scanners are already trying to log in with the pi user.

In short, the Raspberry Pi is only as secure as the uses you use it for. Good server security is not always easy; consider that even IT professionals make mistakes. Look into known server best practices if you do use a Raspberry Pi for these uses. Considering its origin as an educational tool, learning how to secure a server would be an appropriate use for a Raspberry Pi.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Is The Raspberry Pi Secure?

We’re keeping track of the GAMARUE infection for the past weeks and observed some noteworthy activities. For the past 30 days, we noticed a sudden spike of its variants on May 17. In particular, there was a 82% increase from May 16 – May 17 and another 32% on May 18. A significant bulk of these malware, specifically 63%, is WORM_GAMARUE variants.

Figure 1. GAMARUE detection for the past 30 days (April 20 – May 31)

In my initial blog entry, I reported that the bulk of infection came from Australia. Last year, Germany was also one of the most GAMARUE-affected countries. However, just months after my first post, we are seeing a trend in which a majority of WORM_GAMARUE variants are affecting India, Turkey, and Mexico.

Figure 2. Top countries affected by WORM_GAMARUE

Currently, we can not readily determine why GAMARUE variants increased on the said dates. If anything, this trend shows that the botnet is still active and poses risks to users.

Andromeda Botnet: Old Threat Repackaged

In our 2013 1Q Security Roundup, we concluded that during this quarter, cybercrime was characterized by old threats made new. The Andromeda spam botnet is a good example of this trend, this time with aid of the Blackhole Exploit kits (BHEK) and some new neat tricks.

This threat arrives as a spammed message containing a malicious attachment (GAMARUE variants) or links leading to certain sites, which now include those compromised by the notorious Blackhole Exploit kit. GAMARUE variants are known to propagate via removable drives. It also drops component files instead of copies of itself to make detection difficult. Taking cue from threats like DUQU and KULUOZ, GAMARUE variants also uses certain APIs to inject itself to normal process to evade detection.

Propagating techniques aside, GAMARUE variants have backdoor capabilities since it communicates with certain C&C servers to send and receive commands. This communication, in effect, gives a remote malicious user control over the infected system. Some of the commands the malware can execute include downloading other malware onto the system, most notably info-stealing threats like ZeuS/ZBOT variants.

Because some Andromeda-related spam messages eerily looks like legitimate email notification from commercial services (flight, hotel, courier services etc.), the usual criteria for determining a spam are not sufficient. As an alternative, you can verify to see if the email you’ve received is legitimate or not. Since BHEK is known to exploit software vulnerabilities like Java, you must always update your system with the latest security patch or re-consider your use of Java. For better protection, install antimalware software like Trend Micro, which protects your system from spam, malicious URLs, and malware.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Keeping Up With the Andromeda Botnet

Why Are Separate Attacks “Related”?

Before a cybercriminal or threat actor can launch an attack, many things have to be prepared in advance. The list of recipients have to be compiled, command-and-control (C&C) servers brought online, malware payloads chosen, etcetera. Ideally, attackers would use separate ones, but that isn’t the case: they are just as prone to reuse items or tactics that have worked before. Knowing these similarities between attacks can help determine what is an appropriate response.

There are many ways that seemingly independent attacks can be correlated, but here are some of the most common ones:

1. Same IP address sends different email messages
2. Same email address sends different messages
3. The same malware is attached to different messages
4. Multiple (similar) backdoors use the same C&C server
5. Different backdoor types use the same C&C server
6. Multiple domains registered using the same email address
7. Similarities in the way command-and-control network traffic is organized

How can this information be used?

Typically, organizations face two kinds of threats: highly sophisticated attacks that target them specifically, or more “random” attacks that are aimed at wider audiences. It can be difficult to tell just by examining the specifics of a particular attack which it is, but examination of the similarities above – using additional information provided by the Smart Protection Network – may be useful. It’s best to illustrate this with a hypothetical example.

A company received an apparently targeted email that contained a malicious attachment. The malware installed tries to contact an external C&C server for instructions using HTTP. It would appear, at first, that this was a sophisticated targeted attack.

However, more in-depth analysis would reveal that the malware only accessed two files on the C&C server: /kc1/data.bin and /kc1/gate.php. Accessing two files located in the same directory with the .BIN and .PHP extensions is common behavior by ZeuS/ZBOT variants. In addition, the domain of the C&C server was registered using an email address that was also used to register another domain on the well-known ZeuS Tracker blacklist. All this strongly suggests that it was not a sophisticated attack, but instead a more ordinary ZeuS/ZBOT infection. This can still pose a threat, but it’s a different nature compared to a sophisticated attack.

This information can also be used to gauge the seriousness of an attack. For example, in October, we found a new Poison Ivy variant (BKDR_POISON.AB) had infected 15 different machines, belonging both to individuals and various organizations. What we also found was that there had been a similar attack earlier in the year which distributed a very similar Poison Ivy variant (BKDR_POISON.BJX). Similarities included the malware’s mutexes and the emails used to spread the attack.

From there, one can conclude that both attacks were not meant to directly target anyone, but more to gather information across a wide number of possible targets that could be used for more direct attacks at a later time.

The links between attacks can also be used to discover other potential attacks as well. For example, examining the email and IP addresses linked to domains used as C&C servers in a current attack can lead to other domains. The added information can be used as indicators for potential attacks that may not have been detected at the time.

Conclusion

Gathering information about the connections between attacks can reveal much about the attacks in the first place. Organizations that use this kind of threat intelligence can use it to gain a more accurate picture of the attacks facing them. It can reveal that apparently unrelated attacks may turn out to be related, and have been launched by a single group of attackers. Alternately, it can make clear if an organization is under attack from multiple groups – which may or may not be working together. Whatever the case, this kind of information can be useful in creating a proportional response to threats.

For more discussions on malicious network traffic, you can read our report titled Malicious Network Communications: What Are You Overlooking?.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

What Connections Between Attacks Say About Them

Lately, we have seen a slew of spam crafted as a notice from the popular retail chain Walmart. However, this spam run offers something different.

Figure 1. Notice supposedly from Walmart

In this campaign, some of the URLs lead to Cyrillic domain names.  These domains were translated into the English alphabet through punycode. Punycode is a way to convert Unicode characters into a smaller character set. URLs in punycode have to be decoded first in order to see its original format.

The use of international domain names (IDNs) can pose additional security risks to users. Users can be redirected to a phishing page that appears to have the same URL as a legitimate site. IDNs also allow spammers to create more spam domains not limited to English characters. This can make blocking malicious sites more difficult.

This technique is not new, but seeing punycode used in a BHEK email campaign is unusual. Users who click the links are redirected to several sites, until they are lead to the site hosting a malware (detected as TROJ_PIDIEF.SMXY), which exploits a in Adobe Reader and Acrobat (CVE-2009-0924) to download and execute other malware onto the vulnerable system.

This attempt at evading detection is not surprising, given how 2013 is shaping up to be the year of refining existing tools. In our 1Q 2013 Security Roundup, we already noticed how dated threats like Asprox and banking Trojans like CARBERP were returning to the scene with new and improved features. We can expect this trend to continue this year, though new threats can always appear anytime soon.

Whether facing old or newly-improved threats, several computing practices can provide your best defense. Always be cautious of email messages before clicking the links or downloading attached files. Always verify with the vendor to check if these emails are legitimate. Regularly install the latest security updates from software vendors to avoid threats targeting dated vulnerabilities.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Blackhole Spam Run Evades Detection Using Punycode

Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.

This research paper documents the operations of a campaign, which was able to compromise the following types of organizations:

• government ministries
• technology companies
• media outlets
• academic research institutions
• nongovernmental agencies

The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

During our investigation of the C&C servers associated with this campaign we discovered archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.

While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China. However, the relationship between the malware developers and the campaign operators themselves remains unclear.

This white paper has been written to help understand and document the tools, tactics and techniques used in this campaign. Our full findings, including indicators of compromise and recommendations, are contained in our research paper, which can be downloaded here.

Please note that there are references in the attack itself to “SafeNet”; there is no connection between this attack and SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Hiding in Plain Sight: A New Targeted Attack Campaign

I found the following accounts who wanted to ‘follow’ me on Instagram. This is the standard if your Instagram account is set to private. While checking these requests, the security researcher inside me noticed something off with some of the accounts.

Figure 1. Screenshot of Instagram request

To my validate my suspicions, I checked the page of these Instagram accounts and noticed that they all posted this “Get Free Followers!” photo. This post reminded me of the Pinterest free items promo survey scam we blogged in the past.

Figure 2. Get Free Followers Post on Instagram

Another thing that I found dubious is that these Instagram followers have repetitive account names like “Tawna Tawna” and “Concetta Concetta”.

Figure 3. Screenshot of sample spamming account

Given these suspicious signs, I then checked this “Get Free Followers” picture (which is actually clickable) and was lead to this page that supposedly offers the “Get Followers” app. This app is detected by Trend Micro as ANDROIDOS_GCMBOT.A, which can be used to launch malicious webpages or send SMS from the device.

Figure 4. Page offering ‘Get Free Follower’ app

Whether users download the said app or not (in my case, I tried to), in the end they are redirected to your run-of-the-mill survey scams. Since Instagram can also be accessed via a PC, we tried to access the malicious website and survey scam using a desktop. Fortunately, this ruse didn’t work.

Cybercriminals profit from these survey scams via ad-tracking sites, which users are redirected to before the actual survey page. Plus, these bad guys can also use the data gathered from these scams by either peddling them to other cybercriminal groups or using them in their future schemes.

Facebook, Pinterest, Tumblr, and now Instagram. The people behind these scams are jumping on every popular networking sites and potential engineering hooks like the Google Glass contest. To protect yourself against this scam, you must always double-check posts on your social media accounts, even if they come from friends, family members, or known acquaintance. Caution is your best defense. Trend Micro protects users from this threat by blocking the related URLs.

To know more about how these scammers (or online crooks in general) use and benefit from your data, you can check out our infographic How Cybercriminals Are Getting Better At Stealing Your Money.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Get Free Followers! on Instagram? Get Free Malware, Survey Scams Instead

We first looked at the sites that hackers had compromised as part of the OpUSA campaign. It quickly became apparent that there were patterns in the compromised URLs: the attackers had frequently uploaded files with names like islam.php, muslim.htm, jihad.htm, and usa.htm to the compromised site. A legitimate visitor would never visit or see these particular URLs, as they were completely separate from the main site and, in effect, “hidden”.

Looking at the feedback data provided by the Smart Protection Network, we found something very curious. We found that the URLs that fit the pattern had been accessed the day before the alleged attacks, on May 6. Legitimate users would not be visiting these sites, as we said above. So who was visiting these URLs?

Based on other evidence, we were able to determine that the sites had been compromised at least two days before May 7. This indicated that the traffic we saw was probably malicious – the attacker, perhaps, checking that the (compromised) site was still up.

Figure 1. Near-identical lists of compromised sites

However, the attacker was not doing so directly. We believe that the attacker was doing so via an infected machine that he was using as a proxy; one particular machine that was used this way had detected 89 malicious or suspicious files and accessed 173 malicious websites in the past 30 days. This indicates this particular machine had already been extensively affected by malware, and was in use by cybercriminals for all sorts of purposes – including as a proxy “service”.

Figure 2. Number of malicious files detected

What can users learn from this event? Primarily, it’s to treat the damages claimed in these sort of “campaigns” with some skepticism. Based on what we saw, attackers can “stockpile” compromised sites and release them when a major “campaign” like this is conducted, to make their claims of damage more impressive.

For security professionals, it’s a reminder that campaigns like OpUSA are not always a good indicator of when threats are likely to escalate. Preventing infection ahead of time can ensure you’re not caught up when attackers “flip the switch” on these high-profile campaign.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Failed OpUSA Attacks Show How Hackers Operate

This roster of updates include two Critical bulletins addressing Internet Explorer (IE). The first one resolves around a vulnerability found on IE versions 6 to 10 on all Windows OSs, from Windows XP to Windows 8. It also addresses the vulnerability in IE 10 uncovered during the Pwn2Own contest last March.

The other critical IE bulletin deals with a vulnerability limited to IE 8, which made the headlines recently because of a related zero-day exploit found in a US Department of Labor webpage. Based on our own investigation, users visiting this compromised site are lead to a series of redirections until their systems are infected with a BKDR_POISON variant.

Even before this month’s release, Trend Micro Deep Security has been protecting users from this vulnerability via rule 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347).

The rest of the bulletins were tagged as Important, which includes a security flaw in Windows that may lead to a denial of service (DoS) attack.

Just like last month, Adobe also released their security bulletins today, which include fixes for Adobe Reader and Acrobat, Flash Player. The software vendor also issued a “security hotfix” for a ColdFusion vulnerability, which is reportedly being exploited in the wild.

Users are advised to implement these bulletins as soon as possible to avoid exploits similar to the US DoL incident. For more details about how Trend Micro can protect users, you may refer to this Threat Encyclopedia page.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

May 2013 Patch Tuesday Includes Critical IE 8 Zero-Day Issue

We recently spotted a fraudulent website which is pushed by ads found in multiple Android apps. (Some of these apps were downloaded from the Google Play store, while others were found from third-party stores.) These ads use popular brands as hooks like “iPhone 5” and “Samsung Galaxy Note II” and supposedly selling these items for a ridiculously low price. Once users click the ad, it will lead them to a website which shows many means to buy the said phones.

Figure 1. Ad for Samsung Galaxy Note II

Figure 2. Ad for iPhone 5

In reality, these sites are just scam sites that try to defraud users out of their money. They do not actually sell the devices they are promoting.

Figure 3. Fraudulent website advertising Samsung Galaxy Note II

Figure 4. Fraud website with iPhone 5 ad

These ads are being delivered by a large, mainstream ad network, which claims to be used by more than 90,000 apps. While this attack is currently limited to Chinese users, because of the large number of apps on this particular ad network it is possible that similar attacks will be delivered to other users in the future.

Last March, we blogged about Google’s decision to remove apps that block ads and the potential risks this may pose on unsuspecting users. No doubt the insufficient audit of ads on the Android platform may lead to more fraud, phishing attacks or even malware distribution. We recommend ad providers to provide more powerful audit mechanisms to protect users from attacks leveraging ads.

Trend Micro protects users from this attack by blocking the said malicious website. We also advise Android users to be cautious in clicking ads on their devices as this may potentially lead to information and identity theft. For better protection of your devices, users should also be wary of other mobile threats like malicious URLs and mobile phishing sites.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Mobile Ads Pushed by Android Apps Lead to Scam Sites

Overall, CeCOS featured 23 sessions divided into eight tracks, including two panel discussions. Aside from attending interesting talks, I also participated as a speaker at the event.

I was very much interested in attending two talks: the National Field Reports and Mobile Attack Sessions. The National Field report particularly intrigued me, as it argues that the threat landscape of a particular country is a reflection of what’s happening globally.

By now, it’s pretty much established that the mobile platform is the latest cybercrime battlefield, so I think it’s crucial to know what’s happening in the mobile threat front.

As I mentioned earlier, I also participated as a speaker. As the representative of the anti-phishing council of Japan (CAPJ), I gave the talk Finding the Banking Trojan in Eastern Asia.

Speaking at CeCOS VII

Japanese-language phishing emails were first spotted in 2004 and since then, these mails have poured in and caused serious damage. As technology developed, these emails took more subtle forms, which made detection more difficult. In addition, instead of direct links to phishing sites or a malicious attachment, phishing sites instead contain links to compromised sites that eventually lead users to malicious sites that contain exploit kits.

As we all know, attackers are already expanding their threats to other platforms, particularly mobile. Thus, I presented my analysis of ANDROIDOS_CHEST, which targets Android OS and was reportedly found affecting South Korea. Users would receive text messages offering free coupons for either movie tickets, fast food, or coffee if the user downloaded an app, which was actually ANDROIDOS_CHEST.

The malware monitors and gathers text messages in order to defeat two-factor authentication done via text messaging. ANDROIDOS_CHEST then sends the gathered messages to the attacker.

The most important question though is, how can users protect themselves from the threats of phishing? The CAPJ has these tips:

1. Keep your computer safe.
2. Beware of suspicious emails.
3. Access and bookmark legitimate URLS.

Another helpful advice is to always keep your systems updated with the latest security patches for your system. As Banking Trojans are usually delivered through exploit kits (by way of phishimg emails), users are protected from exploits that target old vulnerabilities.

Trend Micro provides tools and technologies that help protect users against security breaches and data theft. Trend Micro DirectPass manages your passwords so that using and remembering unique passwords for multiple accounts is no longer difficult. Trend Micro Mobile Security protects against threats like ANDROIDOS_CHEST that are on mobile devices. The Smart Protection Network provides both email and web reputation, blocking these threats before they arrive on user systems.

We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Finding Banking Trojans in Eastern Asia – Report From CeCOS VII