Trend Micro - Security Threat Trends Report Q3 2011

The Trend Micro Quarterly Roundup reports present key security highlights and developing trends in the current threat landscape. Follow us on Facebook: www.facebook.com/TrendArgentina

THREAT ROUNDUP
The Trend Micro Quarterly Roundup reports present key security highlights and developing trends in the current threat landscape.
A Quarterly Trend Micro Report | 2011

IN THIS ISSUE

Trend Micro researchers and analysts were instrumental in uncovering various cybercriminal operations this quarter. In an effort to aid law enforcement authorities, they uncovered some popular FAKEAV affiliate networks and a particular SpyEye operation, which may bring authorities one step closer to catching the perpetrators.

Similar to the previous quarters, in the past three months we witnessed an increase in the Android malware volume, more enhancements to notorious crimeware toolkits such as ZeuS and SpyEye, as well as the proliferation of survey scams in social media. As in the previous months, cybercriminals continued to employ very enticing social engineering tactics to lure targets. Unlike in the previous half of the year, however, mass compromises seemingly decreased in number, most probably due to the shift to launching targeted attacks, particularly against large enterprises and government institutions.

DATA BREACHES AND HIGHLY TARGETED ATTACKS

South Korea Data Breaches

The SK Communications data breach this July affected at least 35 million users in South Korea. Cyworld and NATE, subsidiaries of SK Communications, one of the most popular social networking, telecommunications, and instant-messaging service providers in the country, were among those greatly affected by the incident. Client information such as email addresses, user names, and contact details, among others, was stolen. SK Communications sent out an advisory soon after the breach's discovery.

A week after reports of the SK Communications data breach came out, Trend Micro analysts discovered a malware now detected as BKDR_SOGU.A, which may have been related to the incident.
Upon analysis, we found that when executed, the backdoor had the capability to access databases stored in infected systems in order to gather data. It also allowed remote malicious users to send commands to infected systems, thus compromising their security.

After another week, ESTsoft, a South Korean software vendor, came forward and disclosed that it may have also suffered the same fate. In a public statement, the company admitted that one of its software update servers was also compromised with the aid of the same backdoor program used in the SK Communications attack. Based on ESTsoft's investigation, one of its DLL update modules had a common vulnerability that allowed attackers to drop BKDR_SOGU.A onto the systems of its product users. In an effort to resolve the issue, ESTsoft released a patch for the said vulnerability and pushed it as an update on August 4.

2 | Quarterly Threat Roundup 3Q 2011

Spate of Highly Targeted "LURID Downloader" Attacks

More recently, variants of the LURID malware family were used in what was dubbed the "LURID Downloader attacks" that targeted major companies and institutions in 61 countries, including Russia, Kazakhstan, and Ukraine. In what is considered an advanced persistent threat (APT), the cybercriminals behind the attacks launched over 300 malware campaigns to collect data from their targets. Based on Trend Micro researchers' analysis, the perpetrators sent out email that urged targets to open a malicious file attachment. Users who were tricked into doing so ended up executing malicious code that exploited vulnerabilities in Microsoft Office and Adobe Reader (i.e., CVE-2009-4324 and CVE-2010-2883). Infection allowed attackers to obtain confidential data from and to take full control of affected users' systems over an extended period of time.
The backdoor program also had the ability to access a network of command-and-control (C&C) servers that made use of 15 domain names and 10 IP addresses, which allowed the attackers to issue commands to compromised systems. The targeted nature of the campaigns for specific geographic locations and entities added to the success of this spate of attacks, allowing them to compromise as many as 1,465 systems.

Table 1. Most targeted countries in the LURID Downloader attacks

Rank  Country      Infection Count
1     Russia       1,063
2     Kazakhstan   325
3     Ukraine      102
4     Vietnam      93
5     Uzbekistan   88
6     Belarus      67
7     India        66
8     Kyrgyzstan   49
9     Mongolia     42
10    China        39

A more detailed discussion of the LURID Downloader attacks can be found in the Trend Micro research paper, "The 'Lurid' Downloader."

The data breaches and highly targeted attacks mentioned above show that the threat landscape is indeed changing. Cybercriminals are limiting their focus in terms of target: by region, as in the South Korea data breaches, or by industry, as in the LURID Downloader attacks.

VULNERABILITY EXPLOITS

osCommerce Mass Compromise

The exploitation of various vulnerabilities in the osCommerce software led to a mass compromise in July. An estimated 90,000 Web pages were injected with an iframe that pointed to malicious sites hosting an exploit kit. Several e-commerce websites fell prey to the attack. According to a Trend Micro threat response engineer, the malware used in this attack, TROJ_JORIK.BRU, gathered the information it needed, then immediately deleted itself from infected systems to evade detection.

To resolve the vulnerabilities exploited in the attack, osCommerce's developers strongly advised the owners of sites that use their software to update to the latest version and to check their sites for signs of code injection.
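As an added example (not Trend Micro's or osCommerce's code), the following Python script performs the "check your site for signs of code injection" step that the osCommerce developers recommended. It parses each HTML page with the standard library, collects every iframe, and flags those that are hidden (0x0 or 1x1, display:none) or whose src points to a host that is not on an allow list the site owner maintains. The allow list, the hostnames and the two sample pages are assumptions constructed for the demonstration.

```python
"""Scan HTML pages for iframes that look injected: hidden ones, or ones whose
src points to a host the site owner does not recognise.

Added example (not Trend Micro's or osCommerce's code). It assumes the site
owner can list the hosts their pages legitimately embed; everything else is
reported for review. The sample pages below are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True for the 0x0 / 1x1 / display:none iframes typical of injected code."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "2")) <= 1 or int(attrs.get("height", "2")) <= 1
    except ValueError:  # percentages or other non-numeric sizes: not hidden by size
        return False


def find_suspicious_iframes(html, allowed_hosts):
    """Return [(src, [reasons])] for every iframe that is hidden or off-site.

    allowed_hosts: set of hostnames the page is expected to embed (assumption:
    the owner maintains this list).
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in allowed_hosts:
            reasons.append("off-site host")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_files(paths, allowed_hosts):
    """Scan HTML files on disk; returns {path: findings} for pages with hits."""
    report = {}
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            hits = find_suspicious_iframes(fh.read(), allowed_hosts)
        if hits:
            report[path] = hits
    return report


# Constructed sample pages: a clean storefront page and one carrying the kind of
# hidden, off-site iframe described in the osCommerce mass compromise.
CLEAN_PAGE = (
    '<html><body><h1>Shop</h1>'
    '<iframe src="https://shop.example/help" width="400" height="300"></iframe>'
    '</body></html>'
)
INJECTED_PAGE = (
    '<html><body><h1>Shop</h1>'
    '<iframe src="http://exploit-kit.invalid/in.php" width="1" height="1" '
    'style="display:none"></iframe>'
    '</body></html>'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_suspicious_iframes(page, {"shop.example"}))
```

Run it over a copy of the site's pages with `scan_files(paths, allowed_hosts)`; every finding is a page to compare against a known-good backup before restoring it and applying the vendor update.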
Targeting Defense Companies

This quarter, cybercriminals staged exploit attacks targeting defense companies in several countries, including the United States and Japan. The first attack involved spam with malicious .PDF attachments that Trend Micro detects as TROJ_PIDIEF.EED. Analysis showed that when executed, this Trojan drops a backdoor program we detect as BKDR_ZAPCHAST.QZ. This backdoor can receive commands from a remote malicious user, compromising the security of victims' systems.

The attackers commanded compromised systems to gather network information and to download certain custom .DLL files that Trend Micro now detects as BKDR_HUPIG.B. They also commanded the compromised systems to download certain tools that would permit them to move about the victims' networks. The said tools turned out to be remote access Trojans (RATs) that we detect as BKDR_HUPIGON.ZXS and BKDR_HUPIGON.ZUY. These RATs allowed remote malicious users to take full control of compromised systems.

A few days later, Adobe also released an out-of-band security patch to address CVE-2011-2444, another vulnerability cybercriminals have been abusing in a targeted attack in order to compromise victims' systems and/or networks.

Vulnerability Statistics

From being the top vendor in terms of reported vulnerabilities in products in the second quarter, Microsoft dropped to third place this quarter. Google ousted last quarter's top vendor after several reports of existing vulnerabilities in Chrome. Note, however, that none of the vulnerabilities in Chrome were as severe as some of those found in Microsoft products. The increase in the number of attacks targeting Chrome may primarily be due to the browser's increasing usage and popularity. The speed at which Chrome is developed, which limits the amount of time for internal and external bug testing prior to product release, may have something to do with Google's rise in ranking as well.
The number of reported vulnerabilities in Oracle products also rose, most probably due to the vendor's acquisition of Sun Microsystems and its Java products. The fact that Oracle's codebase is rather large and complicated to maintain may have also contributed to the rise in the number of exploitable bugs in its products, causing it to climb from fifth place in the second quarter to second place this quarter.

Table 2. Top 10 vendors in terms of number of distinct reported vulnerabilities (Source: http://cve.mitre.org/)

      2Q 2011                                   3Q 2011
Rank  Vendor     Reported Vulnerabilities       Vendor     Reported Vulnerabilities
1     Microsoft  96                             Google     82
2     Google     65                             Oracle     63
3     Adobe      62                             Microsoft  58
4     HP         57                             Apple      49
5     Oracle     50                             Adobe      43
6     IBM        48                             IBM        39
7     Mozilla    38                             Mozilla    39
8     Linux      31                             Opera      36
9     Cisco      30                             HP         25
10    Sun        29                             Cisco      20

In the second quarter, we observed a continuous drop in the number of exploitable bugs from April to June. This quarter, meanwhile, the number of exploitable bugs intermittently rose and fell from month to month.

Table 3. Overall number of reported vulnerabilities per month

2Q 2011                                3Q 2011
Month   Reported Vulnerabilities       Month      Reported Vulnerabilities
April   312                            July       307
May     295                            August     294
June    294                            September  389

MOBILE ATTACKS

Third-Generation DroidDreamLight Variant

Trend Micro threat analysts came across a new DroidDreamLight variant with enhanced capabilities and routines. Disguised as battery-monitoring or task-listing tools, or as apps that let users see the list of permissions installed apps use, copies of this new Android malware littered a Chinese third-party app store. This particular variant, which Trend Micro now detects as ANDROIDOS_DORDRAE.N, had the ability to obtain call logs, text messages, contact details, Google account details, and other information saved in infected devices.
Apart from having additional data theft routines, this new variant's code also featured other changes, one of which allowed it to update its configuration file. Like previous variants, this malware sends stolen data to a specific URL.

Other Notable Android Malware Attacks

Trend Micro security experts also came across several other Android malware in both the Android Market and third-party app stores. Two of these were Trojanized versions of games, namely, "Fast Racing," which Trend Micro now detects as ANDROIDOS_SPYGOLD.A (aka GoldDream), and "Coin Pirates," detected as ANDROIDOS_PIRATES.A.

Trend Micro engineers also came across Android malware types that came in the guise of a variety of apps. These include ANDROIDOS_LUVRTAP.B, which came in the form of either a love test, an e-book reader, or a location tracker app; a premium service abuser, which we detect as ANDROIDOS_AUTOSUBSMS.A; and fake spying tools such as ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.C, which gather confidential information from infected devices. NICKISPY variants are known for monitoring affected users' activities and whereabouts, including their text messages, phone call logs, and geographic locations.

For a long time, we wondered what happens to the information stolen from infected Android-based devices. In August, a Trend Micro researcher found a Chinese site that offers access to information stolen from Android-based devices for a certain fee. This site provides one example of how cybercriminals can monetize stolen data from users' infected mobile devices.

For more details on the various Android malware we have seen so far, check out "A Snapshot of Android Threats [INFOGRAPHIC]."

Fake Opera Apps

Two mobile malware posing as Opera Mini (aka ANDROIDOS_FAKEBROWS.A) and as Opera Mobile (aka J2ME_FAKEBROWS.A) were recently found in the wild. Both were premium service abusers that sent out text messages to premium service numbers without the users' knowledge.
J2ME_FAKEBROWS.A affects mobile devices that support MIDlets, applications that use the Mobile Information Device Profile (MIDP) of the Connected Limited Device Configuration (CLDC) for the Java ME environment. Cybercriminals are clearly not limiting their range of targets in terms of platform, as they also create malware for devices running mobile OSs other than Android.

SOCIAL NETWORKING SCAMS

Celebrity Deaths and Natural Disasters

This quarter, we were met with three Facebook scams that leveraged two topics that reliably pique users' interest: celebrity news and natural disasters. One scam abused news of Amy Winehouse's death while another leveraged Lady Gaga's supposed death. Both scams employed Wall posts that led to either a survey page or an advertising site, which put users at risk.

The huge following of "The Twilight Saga" movies did not escape cybercriminal interest either. As early as August, attackers spread Facebook Wall posts that enticed users to click a malicious link in order to get free tickets to "The Twilight Saga: Breaking Dawn Part 2." As in other survey scams, of course, all the users ended up with were potential security risks.

Cybercriminals also did not pass up the opportunity to lure Facebook users in search of news of Hurricane Irene into their traps. This particular scam led users who wanted to watch a supposed video to advertising sites instead.

More Social Networking Sites, More Threats

Despite Facebook's continuing reign in terms of social media popularity, less-known social networking sites like Google+ and LinkedIn also had their time in the cybercrime spotlight. In the first half of July, Trend Micro engineers came across a page that enticed users to click a link to get free invitations to Google's latest stab at taking a slice of the social media pie, Google+.
Instead of invitations to join the site, however, all the users got was an "opportunity" to take part in a survey that put them at risk.

A week earlier, LinkedIn also had its time in the spotlight when cybercriminals used it as a redirector. Users who were tricked into clicking the malicious link to a supposed Justin Bieber video were redirected to a page under LinkedIn's domain before landing on another survey page, with the aid of a malicious script that Trend Micro detects as JS_FBJACK.D.

Other Notable Social Media Attacks

Apart from the various survey scams seen this quarter, Trend Micro threat experts also found Facebook scams that used fake friend request notifications to infect users' systems with a ZBOT variant we detect as TSPY_ZBOT.FAZ.

To know more about the threats users commonly encounter in social networking sites, check out "The Geography of Social Media Threats [INFOGRAPHIC]."

TOP SYSTEM INFECTORS

Spam Runs and Banking Trojans

The most notorious spam runs this quarter led to the download and execution of two banking Trojans. The first campaign featured a spam that supposedly came from Spain's National Police. Users who clicked the link embedded in the message's body downloaded TROJ_BANLOD.QSPN onto their systems. When executed, this malware downloads another malware Trend Micro detects as TSPY_BANCOS.QSPN. Like other BANKER Trojans, this gathers personal information, particularly related to financial institutions such as Caixa, Cajasol, and Banco Popular, from affected users' systems. The most notable aspect of this attack, however, was the cybercriminals' use of compromised sites and phone-home URLs, which allowed them to confirm the success of system infections and to update the spyware so it could more effectively evade detection.

The second campaign featured a spam that supposedly came from the Internal Revenue Service (IRS).
Users who clicked a link embedded in the message's body downloaded a LICAT variant we detect as TSPY_ZBOT.WHZ onto their systems. Like other LICAT variants, this malware generates URLs to access in order to update its configuration file, which contains a list of sites it will monitor and to which it will send stolen information.

Apart from the two data theft-related spam runs above, we also saw a noticeable spike in the volume of spam with malicious attachments, some of which were vacation related.

Spam Statistics

As in the previous quarter, India and South Korea continued to be part of the top 3 spam-sending countries. Surprisingly, however, the United States, which commonly takes the top spot, was not on the top 10 spam-sending countries list. As the top spam-sending countries are also the most spambot-infected ones, the United States' drop in ranking possibly indicates a lower infection level. This may be a result of the botnet takedowns that occurred in the last few months.

Figure 1. Top 10 spam-sending countries in 3Q 2011

The top 3 spam languages this quarter remained English, German, and Russian, unchanged from the two previous quarters.

Figure 2. Top 10 spam languages in 3Q 2011

For a more comprehensive discussion of the current state of the spam landscape, check out "Spam in Today's Business World."

ZeuS Updates and Stealthier Variants

ZeuS's source code leakage may have led to the proliferation of variants that have been dubbed "Ice IX." This new type of ZeuS variant boasts of better protection against tracking. Trend Micro researchers also got hold of an updated ZBOT sample, now detected as TSPY_ZBOT.IMQU, which may have been created with ZeuS version 2.3.2.0. This particular variant exhibited enhanced decryption and encryption routines, making its configuration file more difficult to analyze compared with previous variants.
It also showed signs of possible use for a global campaign targeting financial institutions in countries such as the United States, Germany, Brazil, Spain, and Hong Kong.

Other Notable Malware Attacks

This quarter, Trend Micro engineers came across several other notable malware, including a rootkit, two worms, and Bitcoin miners. The rootkit, detected as RTKT_POPUREB.A, is capable of overwriting an infected system's Master Boot Record (MBR). The rootkit, along with TROJ_POPUREB.SMB, is written to an infected system's disk by TROJ_POPUREB.SMA. These malware arrive on systems when users visit malicious sites and steal personal information stored on infected systems.

Although not as notorious as the ZeuS and SpyEye operations these days, the KOOBFACE gang has taken to spreading Trojanized applications, which we detect as WORM_KOOBFACE.AV, in torrent peer-to-peer (P2P) sharing networks. This malware allows a torrent client process to run on infected systems without the users' knowledge, turning them into "peers" that seed or host malicious binaries. The shift from social media to spreading via P2P networks may be a result of the social networking sites' efforts to prevent the KOOBFACE botnet from abusing their framework. This does not, however, mean the gang has stopped luring victims via social networking sites.

Our engineers also found WORM_MORTO.SMA, which spread via the Remote Desktop Protocol (RDP). This worm, with the aid of a .DLL component (WORM_MORTO.SM), can give attackers full control of infected systems and of entire networks by allowing them to log in using administrator accounts.

We have also been seeing various Bitcoin-related attacks featuring a number of what have been dubbed "Bitcoin miners." In the last three months, we came across Bitcoin miners such as BKDR_BTMINE.MNR and BKDR_BTMINE.DDOS as well as a related grayware, HKTL_BITCOINMINE.
Cybercriminals turned users' systems into Bitcoin miners so they would not overwork their own systems with the resource-intensive mining process. For more detailed information on what Bitcoins are, how Bitcoin mining works, and why we are seeing more Bitcoin miners in the threat landscape, check out "Cashing in on Cybercrime: New Malware Target Bitcoin."

Malware Statistics

As in the previous quarters, WORM_DOWNAD.AD and CRCK_KEYGEN (a serial key generator) remained the top 2 malware. It is interesting to note that although the URLs that DOWNAD/Conficker uses to call home have long been dead, a DOWNAD variant continued to rank first in the top malware list. This may, however, be less a matter of system protection against malware than of setting and enforcing good security policies. Meanwhile, HKTL_KEYGEN (a hacking tool) ousted ADW_SAHAGENT (an adware) from the top 3 spot and out of this quarter's top 5.

Table 4. Top 5 malware in 3Q 2011

Rank  Malware Detection Name
1     WORM_DOWNAD.AD
2     CRCK_KEYGEN
3     HKTL_KEYGEN
4     PE_SALITY.RL
5     HKTL_ULTRASURF

HOW HAS THE THREAT LANDSCAPE CHANGED?

Apart from the changes that ZeuS underwent in order to better evade detection and takedown, Trend Micro researchers also noticed marked improvements in mobile malware. Traditional malware such as TDL4 also underwent more enhancements in terms of malicious routines and tactics. Even though we noted a decrease in Anonymous and LulzSec attacks, probably due to various law enforcement efforts, we also saw an increase in the number and scope of highly targeted attacks. Cybercriminals are setting their sights on bigger and better targets than ever before.
NOTABLE SECURITY WINS

Soldier's SpyEye Operation Uncovered

Trend Micro researchers discovered a SpyEye operation controlled by a cybercriminal who used the handle "Soldier." This botnet operation mainly targeted large enterprises and government institutions in the United States, though it also affected organizations in Canada, the United Kingdom, India, and Mexico. Through monitoring since March of this year, our researchers found that Soldier's operation had amassed more than US$3.2 million in a span of six months.

By exposing this operation, Trend Micro aimed to show how many users can be exposed to this threat and how damaging successful compromises can become. We also showed just how profitable a single SpyEye botnet can be for cybercriminals. For more details on this recent Trend Micro win, check out our research paper, "From Russia to Hollywood: Turning Tables on a SpyEye Cybercrime Ring."

FAKEAV Affiliate Networks Exposed

Apart from uncovering a SpyEye operation, Trend Micro researchers were also able to gather in-depth information on two of the largest FAKEAV affiliate networks to date, BeeCoin and MoneyBeat, through careful monitoring of the servers FAKEAV suppliers used. Our researchers found that between January and June 2011 alone, BeeCoin and its affiliates were able to install FAKEAV malware on more than 214,000 systems. They also found that one in every 44 people who installed the malware actually purchased the full version of the rogue antivirus software, allowing BeeCoin to collect US$123,475.

Through the exposure of the relationships among FAKEAV affiliate networks, botnets, and other malicious activities, our researchers hope that the security community and law enforcement agencies can better understand the challenges that this malicious monetization strategy poses for traditional defenses and investigations.
More details on how FAKEAV affiliate networks work can be found in the Trend Micro research paper, "Targeting the Source: FAKEAV Affiliate Networks."

LURID Downloader Attacks Unearthed

In an effort to keep up with the shift in focus to highly targeted attacks, Trend Micro researchers discovered a series of highly targeted attacks leveraging what has been dubbed the "LURID Downloader." Our researchers found that related campaigns successfully compromised 1,465 computers in 61 different countries. They were able to identify 47 victims, including diplomatic missions, government ministries, space-related government agencies, as well as other companies and research institutions.

The use of Enfal, the malware family to which LURID belongs, has historically been linked with threat actors in China. In this particular case, the attack vector (a malicious email with an attachment) we analyzed was related to the Tibetan community, which many believe indicates an association with China. However, as Chinese entities were also victimized, we refrained from making a final attribution. For more information on the LURID Downloader attacks, check out our research paper, "The 'Lurid' Downloader."

WHAT THE FUTURE SPELLS

Trend Micro researchers surmised that the volume of mobile malware, specifically those targeting Android-based devices, along with the number of highly targeted attacks (aka APTs), will continue to increase in the near future. However, in an attempt not just to keep up with but to stay ahead of cybercriminal efforts, Trend Micro researchers are striking deals with law enforcement agencies worldwide to gain even more wins this year. Should these efforts push through, we may even become instrumental in cybercriminal arrests.
To stay abreast of developing threat trends and to constantly keep employees' systems and your corporate networks safe from the impending doom that can spell disastrous results for your organization, watch out for the release of the "4Q 2011 Threat Roundup" this coming December.

APPENDIX A: MALICIOUS URL STATISTICS

The following tables show the top 10 malicious URLs and IP domain addresses blocked by the Trend Micro™ Smart Protection Network™ infrastructure in the third quarter of 2011.

Table A-1. Top 10 malicious URLs blocked in 3Q 2011

Rank  Malicious URL Blocked                                              Description
1     www . bit89 . com : 80 / download / dpclean / ibdp . exe          Distributes malware
2     trafficconverter.biz:80/4vir/antispyware/loadadv.exe               Distributes malware, particularly DOWNAD variants
3     trafficconverter.biz:80/                                           Distributes malware, particularly DOWNAD variants
4     serw.clicksor.com:80/newserving/getkey.php                         Included in the list of domains associated with the proliferation of pirated applications, Android malware, and rogue antivirus software as well as with other malicious activities
5     serw.myroitracking.com:80/newserving/tracking_id.php               Contacts various servers to download and aggressively display pop-up ads
6     ad.globe7.com:80/imp                                               Distributes TDSS and ZBOT malware
7     cherry-lovepour.com:80/con1.php                                    Distributes malware
8     www . myroitracking . com : 80 / newserving / tracking _ id . php  Contacts various servers to download and aggressively display pop-up ads
9     221.8.69.25:80/search                                              Distributes malware, particularly DOWNAD variants
10    zs11.cnzz.com:80/stat.htm                                          Distributes malware

Table A-2. Top 10 malicious domain IP addresses blocked in 3Q 2011

Rank  Malicious IP Address Blocked     Description
1     www . bit89 . com                Distributes malware
2     trafficconverter.biz             Distributes malware, particularly DOWNAD variants
3     serw.clicksor.com                Included in the list of domains associated with the proliferation of pirated applications, Android malware, and rogue antivirus software as well as with other malicious activities
4     serw.myroitracking.com           Contacts various servers to download and aggressively display pop-up ads
5     d3lvr7yuk4uaui.cloudfront.net    Distributes malware
6     ad.globe7.com                    Distributes TDSS and ZBOT malware
7     dl.91rb.com                      Downloads malware
8     cherry-lovepour.com              Distributes malware
9     conf.baidupapa.com               Distributes malware
10    www . myroitracking . com        Contacts various servers to download and aggressively display pop-up ads

TREND MICRO™

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware, and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our website at www.trendmicro.com.

TRENDLABS℠

TrendLabs is Trend Micro's global network of research, development, and support centers committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery.

©2011 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
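As an added example (not Trend Micro's code), here is one way a defender can put Tables A-1 and A-2 to work: normalise each entry, including the spaced "www . bit89 . com : 80 / ..." form in which some entries are printed, into a host plus path prefix, and match outbound proxy log lines against the resulting rules. The proxy log format (timestamp, client IP, method, URL, status) and the log lines are constructed for the demonstration; the four blocklist entries are copied from the tables. Treating an entry with no path as a whole-host block is a design choice of this example, not a statement about the report's data.

```python
"""Normalise a URL/domain blocklist (including entries written in the spaced
'www . host . com : 80 / path' form) and check proxy log lines against it.

Added example, not Trend Micro's code. The blocklist entries come from the
report's Tables A-1 and A-2; the log format (timestamp client method url status)
and the log lines themselves are constructed for this demonstration."""
import re
from urllib.parse import urlsplit

# A few Table A-1 / A-2 entries, copied in the spacing the report prints them.
BLOCKLIST = [
    "www . bit89 . com : 80 / download / dpclean / ibdp . exe",  # Table A-1, rank 1
    "trafficconverter.biz:80/",                                  # Table A-1, rank 3
    "ad.globe7.com:80/imp",                                      # Table A-1, rank 6
    "cherry-lovepour.com",                                       # Table A-2, rank 8
]


def refang(entry):
    """Collapse 'www . host . com : 80 / x' into 'www.host.com:80/x'."""
    return re.sub(r"\s*([./:_])\s*", r"\1", entry.strip())


def normalise(text):
    """Return (host, path_prefix). An empty prefix means 'block the whole host'."""
    text = refang(text)
    if "://" not in text:
        text = "http://" + text  # urlsplit needs a scheme to find the host
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    path = parts.path if parts.path not in ("", "/") else ""
    return host, path


def build_rules(entries):
    """Turn raw blocklist entries into (host, path_prefix) rules."""
    return [normalise(e) for e in entries]


def is_blocked(url, rules):
    """True if the URL's host matches a rule and its path starts with the rule's prefix."""
    host, path = normalise(url)
    return any(
        host == rule_host and (rule_path == "" or path.startswith(rule_path))
        for rule_host, rule_path in rules
    )


# Constructed proxy log: "<epoch> <client ip> <method> <url> <status>"
SAMPLE_LOG = """\
1317427200.123 10.0.0.5 GET http://www.bit89.com/download/dpclean/ibdp.exe 200
1317427201.456 10.0.0.7 GET http://intranet.example/index.html 200
1317427202.789 10.0.0.9 GET http://trafficconverter.biz/4vir/antispyware/loadadv.exe 200
1317427203.000 10.0.0.5 GET http://ad.globe7.com/imp?x=1 200
1317427204.000 10.0.0.2 GET http://cherry-lovepour.com:80/con1.php 200
"""


def scan_log(log_text, rules):
    """Return [(client, url)] for every request that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of crashing
        client, url = fields[1], fields[3]
        if is_blocked(url, rules):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG, build_rules(BLOCKLIST)):
        print(f"{client} requested blocked URL {url}")
```

Matching on the parsed hostname rather than on a substring of the raw URL is deliberate: a substring match on "bit89.com" would also fire on unrelated hosts that merely contain that string, while a parsed-host comparison does not.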