Flame has been noteworthy the past few days. But it’s noteworthy because of the nature of the malware and what appears to be its very limited and specific targets. Flame right now is not a significant threat to users more broadly. Information from our Smart Protection Network™ and working with customers show actual numbers of infections to be extremely low and confined to the Middle East and Africa regions.

The threat from Flame is lessened even more for Trend Micro customers because they are protected against the attack both through current signatures (which detect the malware as WORM_FLAMER.A and the configuration files as TROJ_FLAMER.CFG) and URL blocking of identified command and control (C&C) servers.

In terms of analysis, our focus is on protecting Trend Micro customers, so our ongoing analysis is focused on identifying additional C&C servers because these are geographically disbursed and can move. Interestingly, our analysis is showing C&C servers located primarily in Europe and Asia.

The malware itself is focused on stealing data and is very large, making thorough analysis slow. In this case, the largeness is due to the multi-faceted capabilities of the malware: it has been equipped with a variety of tools to accomplish its mission once it’s made its way into the target network. Some of the components that it includes date back to 2009.

As Rik Ferguson also noted, the malware is also unusual because it appears to be written in the Lua programming language which is often used as a scripting language by game developers (and not typically used for malware).

Our analysts are continuing to work to understand all the components in this malware, particularly to continue adding URL blocking as new C&C servers are identified. While Flame itself doesn’t represent a broad risk right now, there is a risk that the malware will be taken up by others and repurposed for broader attacks like we’ve seen in other attacks like this such as Stuxnet. Our worldwide teams are watching for that and if we see that, will add protections and provide information for Trend Micro customers on this blog as soon as possible.

Post from: TrendLabs | Malware Blog - by Trend Micro

Update on FLAME

Trend Micro detects Flame malware as WORM_FLAMER.A. In our on-going analysis, we’ve found that this worm spreads via removable drives. It is also capable of spreading to other computers in a local network when one machine within that network is infected. Other significant routines of this worm include its ability to terminate running processes that are mostly anti-malware/firewall/security-related, capturing screen shots and audio recording, propagation, and its ability to log and report its activities.

Trend Micro protects users from WORM_FLAMER.A by detecting and removing it from affected computers. The configuration files, TROJ_FLAMER.CFG, used by this worm are also detected and removed from systems. We will regularly update you in succeeding blog entries as we find more results in our investigation.

Update as of May 29, 2012, 8:54 PM PST

In addition to detecting WORM_FLAMER.A and its configuration files, Trend Micro also blocks access to all found related URLs as we move forward with our investigation.

Post from: TrendLabs | Malware Blog - by Trend Micro

FLAME Malware Heats Up The Threat Landscape

One of the most notable characteristics of the IXESHE campaign is the attackers’ use of compromised servers in target organizations as command-and-control (C&C) servers. This tactic allowed them to hide their presence by confusing their activities with data belonging to legitimate individuals. In one particular case, we saw C&C servers hosted on the compromised machines of an East Asian country, making targeted attacks against that government easier. In another case, we received an error message from a C&C server, which indicated that the front-end servers were merely acting as proxies for the actual back-end servers.

Our research also showed that attackers utilized dynamic Domain Naming System (DNS) servers and broadly distributed external C&C servers around the world to make detection and takedowns more difficult to do.

The IXESHE campaign has been underway since at least July 2009 when we first saw samples of this particular malware family. Its primary method of entry into user systems is via malicious .PDF files that exploit Adobe Acrobat, Reader, or Flash Player vulnerabilities. These malicious files are sent as attachments to targeted emails sent to potential victims within target organizations.

In the process of our investigation, we were able to determine that its victims could be broadly classified into three categories:

• East Asian governments
• Electronics manufacturers
• A German telecommunications company

For further details, please consult the full paper which you can download from the Security Intelligence section of the Trend Micro website.

Post from: TrendLabs | Malware Blog - by Trend Micro

Taking a Bite Out of IXESHE

This backdoor is an ELF (executable and linkable format) file under /system/bin/ named “sync_agent”. It has a default “setuid” permission which, after it launches, has the ability to set itself as root.

Upon execution, this backdoor checks the password provided against the password indicated in its code, “ztex1609523” and if verified correct, raises a system call [setuid] with ‘0’ as parameter. Note that since the backdoor has a setuid attribute, even if the user who launched the backdoor does not have root privilege, the system call can still execute successfully. Doing so also sets the backdoor’s EUID (effective UID) to 0, which also means a root privilege.

The backdoor then launches the program /system/bin/sh to get a root shell.

Based on our analysis, it appears this root shell can only be used locally, because this backdoor didn’t open any socket or any other remote communication tunnel.

However, we believe it can be used by other malicious applications to combine a remote root shell. The only thing the malicious app needs to do is provide a bash script to the backdoor, then the said script will be executed.

For instance, if we write a shell script as seen below:

Now we run the backdoor that has been provided our script as a parameter.

In conclusion, a malware can easily use this backdoor in combination with a remote backdoor or bot. The preinstalled backdoor need only receive an SMS command or connect to a remote C&C server to receive commands from a remote attacker, and then call the local backdoor with a certain shell script.

If you own a ZTE Score M you can remove this backdoor by following these instructions:

1. Run the backdoor on an adb shell: /system/bin/sync_agent ztex1609523
2. To check which device your /system dir has mounted, use the command: mount. There should be a print out like below, note the device name underlined in red:
   
3. Remount the system partition as RW with command: mount –o remount,rw /your/device/name /system.
4. Remove the backdoor from the system with command: rm /system/bin/sync_agent.
5. Terminate the backdoor with ctrl+c.

To keep your mobile device safe from malicious applications, make sure you have a trusty mobile security solution installed like the Mobile Security Personal Edition.

To know more on how to better protect yourself from threats related to your mobile devices, you may read our comprehensive e-guides below:

• When Android Apps Want More Than They Need
• 5 Simple Steps to Secure Your Android-Based Smartphones

Update as of May 26, 2012 3:31 AM PST Time

Trend Micro detects this backdoor as ANDROIDOS_GAPUSSIN.CDC.

Post from: TrendLabs | Malware Blog - by Trend Micro

ZTE Score M Scores a Backdoor Vulnerability

By analyzing each stage of an attack, IT groups can gain insight on the tactics and operations of an active attack against their networks. This analysis helps build local threat intelligence—internal threat profiles developed through intimate knowledge and observation of attacks against a specific network. It is key to mitigate future attacks by the same threat actors. The stages our researchers have identified are intelligence gathering, point of entry, command-and-control (C&C) communication, lateral movement, asset/data discovery, and data exfiltration.

Certain realities make dealing with each stage of an APT attack more difficult than dealing with ordinary cybercrimes. For instance, in the asset discovery stage where the attacker is already inside the network enumerating which assets are valuable enough to extract, a data loss prevention (DLP) strategy can prevent access to confidential information. However, according to a survey, while company secrets comprise two-thirds of a company’s information portfolio, only half of security budgets are allocated to protecting these.

More of these realities are highlighted in the infographic, “Connecting the APT Dots.”

Post from: TrendLabs | Malware Blog - by Trend Micro

[INFOGRAPHIC] APT Myths and Challenges

Detected as TROJ_MDROP.ZD, this specially crafted document arrived as an attachment of an email, which used a recent murder case in Korea as social engineering ploy. The email was sent to numerous employees of a prominent Korean company.

After execution, TROJ_MDROP.ZD replaces itself with a non-malicious .HWP document in order to prevent the user from suspecting any malicious activity. This decoy document contains the following Korean text:

Judging from the profile of the target company, a successful infection may lead to mass pilfering of personal data of their customers. Add the fact that .HWP is the Korean government’s de facto standard wordprocessor format, what we may be seeing now is a reconnaissance phase of a future, larger, regional attack.

With this incident, we may be seeing attackers gradually taking advantage of vulnerabilities in local-based applications. Hancom Office is also not the first of its kind to be exploited by attackers. We previously reported a case wherein malicious users abused vulnerabilities found in the Japanese-language word processor Ichitaro. Successfully exploiting these lead to the installation of a backdoor. Both incidents prove that using regional software does not guarantee absence of malware attacks. In this case the Word Processor vendor, who adopted a specific third-party module that may have contained the vulnerability, needs to pay attention to industry’s CVE information too and get ready to update.

This highlights the importance of security, specially for organizations whose services include storing customer information. A successful compromise to an organization not only puts their customers at risk, but also easily tarnishes their reputation. Fortunately in this case, proper mitigation steps were executed immediately. However, we must stay vigilant, as this is not the last time we’ll be seeing threats of this kind.

Trend Micro protects users from this threat via Trend Micro™ Smart Protection Network™ that detects and deletes the related malware. It also blocks the related message and prevents it from even reaching users’ inboxes.

We will update this blog entry once we get more details about the said vulnerability.

With additional insights from Thomas Park

Update as of May 25, 2012 3:23 AM PST

Based on our analysis, TROJ_MDROP.ZD triggers a buffer overflow that stems from the plug-in file HNCTextArt.hplg, which HWP.EXE uses to process .HWP files. HNCTextArt.hplg contains a code that copies a wide character string, including the null termination character, from the source to the destination. The source string must contain a null terminated character. In the case of this malicious .HWP file, the wide character string being copied does not contain the said null terminated character, resulting in an infinite loop.

Because of this, HNCTestArt.hplg copies the data repeatedly until an exception occurs. This triggers the malicious shell code inside the malicious .HWP file. The said code decrypts, drops, and executes the PE file and the non-malicious HWP file, which serves as the decoy.

With additional analysis from Jason Pantig

Post from: TrendLabs | Malware Blog - by Trend Micro

Specially Crafted .HWP File Used for Korean Targeted Campaign

As the app is still in its beta testing, spying on a mobile device using this tool poses certain challenges. First, it should be installed onto the target device without the victim knowing about it. Second, potential attackers would need to setup their own FTP servers, which may be difficult for those with less advanced IT knowledge. However, the developers behind this tool are likely to release an updated version that may include features and improvements to make it easier to use.

Trend Micro users need not worry as their mobile devices are protected from this threat via Mobile Security Personal Edition. Users are advised to activate the lock function of their mobile devices for added security. When installing an app, users should always double-check the required permissions of the app, specially if it requests for permissions beyond its supposed function.

To know more on how to better protect yourself from threats related to your mobile devices, you may read our comprehensive e-guides below:

• When Android Apps Want More Than They Need
• 5 Simple Steps to Secure Your Android-Based Smartphones

With additional input from Noriaki Hayashi

Post from: TrendLabs | Malware Blog - by Trend Micro

Beta Version of Spytool App for Android Steals SMS Messages

In addition, I also spotted posts using URL shorteners such as bit.ly and goo.gl. When clicked, the shortened URLs/the fake posts lead to any of the following URLs:

• http://pinterest.co{BLOCKED}t.info/?419
• http://pinterest.com-{BLOCKED}key.info/Thank-You/fb/
• http://pinterest.co{BLOCKED}s.info
• http://pinterest.{BLOCKED}one.info
• http://pinterestgift.{BLOCKED}hing.info
• http://pinterests.{BLOCKED}onus.info

Upon clicking the link, users are redirected to a Pinterest-like webpage offering prizes, vouchers, gift cards and others:

And Via Email, Too

Another thing I’ve noticed is that the fake site requires an email address:

Pinterest has since removed some of the fake Pinterest posts. Trend Micro users are also protected from these scams by the web reputation technology in our Smart Protection Network™.

Post from: TrendLabs | Malware Blog - by Trend Micro

Bogus Pinterest Pins Lead to Survey Scams

This is not the first time that vulnerabilities have been found in popular webmail providers. We discussed almost a year ago that some of the major webmail providers – Gmail, Hotmail, and Yahoo! Mail – were all found to have some sort of vulnerability that compromised either the user’s email account or their system. It shouldn’t be a surprise that they’ve become targets as well: just about everyone uses these free services, and users don’t expect these services to have security problems of their own.

As we’ve highlighted before, vulnerabilities like these are used in targeted attacks. Whether it’s vulnerabilities in user software or cloud-based services like free webmail, vulnerabilities allow attackers to compromise systems without the target being aware that anything has happened. This is extremely useful to attackers as the content compromised email accounts can be stolen by attackers and the account can be used to launch further attacks against the victim’s contacts.

Post from: TrendLabs | Malware Blog - by Trend Micro

Cloud-based Services Vulnerabilities Also Used in Targeted Attacks

Once executed, this malware (detected as WORM_STEKCT.EVL) terminates services and processes related to antivirus (AV) software, effectively disabling AV software from detection or removal of the worm. WORM_STEKCT.EVL also connects to specific websites to send and receive information.

Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleted posted messages and private messages sent on the following websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself.

Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites. To know more on how you can prevent these threats targeting Facebook and other social media sites, you may read our comprehensive e-guide A Guide to Threats on Social Media.

Furthermore, with our recent partnership with Facebook, Trend Micro™ protects users via Smart Protection Network™, which blocks access to the related malicious link. The file reputation technology in Smart Protection Network™ detects and deletes both WORM_STEKCT.EVL and WORM_EBOOM.AC.

Post from: TrendLabs | Malware Blog - by Trend Micro

Worm Spreads via Facebook Private Messages, Instant Messengers