SecurityFeed.info » TrendLabs | Malware Blog - by Trend Micro

Feeds

57036 items (57036 unread) in 90 feeds

• Aviv Raff On .NET (29 unread)
• Bugtraq (bugtraq) Mailing List (2860 unread)
• CGISecurity.com: Your Web Site and Application Security Resource (415 unread)
• christian's weblog (25 unread)
• Irongeek's Security Site (344 unread)
• Jeremiah Grossman (191 unread)
• Heorot.net (19 unread)
• milw0rm.com (1332 unread)
• Nmap Hackers (nmap-hackers) Mailing List (27 unread)
• Rootsecure.net (3262 unread)
• SecuriTeam.com (645 unread)
• Security Vulnerability Research & Defense (147 unread)
• SecurityFocus News (435 unread)
• SecurityFocus Vulnerabilities (2707 unread)
• Securityvulns news channel (1735 unread)
• SecWatch - Latest Exploit Alerts (10 unread)
• Taking Network Security to the Streets (28 unread)
• The One And Only Matt Parnell.com (86 unread)
• The Register - Security (2360 unread)
• The Register - Software (2742 unread)
• VulnWatch (vulnwatch) Mailing List (19 unread)
• Web App Security (webappsec) Mailing List (433 unread)
• IceСμbeς (15 unread)
• Linmagazine (757 unread)
• ‫netcraft Bytes :) (130 unread)
• Blonde 2.0 (218 unread)
• The Microsoft Security Response Center (MSRC) (175 unread)
• (IN)SECURE Magazine Notifications RSS (45 unread)
• 0x000000 Security (95 unread)
• ----- Anti-Malware ----- Analysis and Defense (16 unread)
• Apple Fun (25 unread)
• Technorati Search for: aviv.raffon.net (368 unread)
• C.I.S.R.T. (25 unread)
• Determina Zero-Day Protection (6 unread)
• Didier Stevens (157 unread)
• eEye Digital Security - Research Blog (12 unread)
• Ryan Naraine's Security Watch (488 unread)
• Security - RSS Feeds (1100 unread)
• Exploit Prevention Labs (28 unread)
• Software Vulnerability Exploitation Blog (22 unread)
• F-Secure Antivirus Research Weblog (470 unread)
• Full Disclosure (1289 unread)
• George Ou (10 unread)
• GNUCITIZEN Media Portfolio (157 unread)
• ha.ckers.org web application security lab (135 unread)
• heise security (1864 unread)
• invisiblethings' blog (57 unread)
• Jeff Jones's blog (13 unread)
• JScript Blog (26 unread)
• Matasano Chargen (74 unread)
• McAfee Avert Labs (354 unread)
• Michael Howard's Web Log (46 unread)
• PandaLabs (227 unread)
• Zero Day (867 unread)
• SANS Internet Storm Center, InfoCON: green (1115 unread)
• Latest Secunia Security Watchdog Blog Entries (71 unread)
• SecuriTeam Blogs (248 unread)
• Security Fix (494 unread)
• HP ASC Portal (30 unread)
• Strike Center (12 unread)
• Sunbelt Blog (909 unread)
• Sunnet Beskerming Security Advisories (149 unread)
• Technobabylon
• The Recurity Lablog (34 unread)
• Wired: Threat Level (1460 unread)
• TrendLabs | Malware Blog - by Trend Micro (636 unread)
• Uninformed Journal (49 unread)
• WabiSabiLabi's blog (23 unread)
• WatchGuard Wire (134 unread)
• Latest Blog Entires From WebSense Security Labs (164 unread)
• Hackszine.com (664 unread)
• DVLabs: Blogs (145 unread)
• Errata Security (177 unread)
• Robert Hensing's Blog (93 unread)
• PaulDotCom Community Blog (14 unread)
• David LeBlanc's Web Log (34 unread)
• Billy (BK) Rios (29 unread)
• David Litchfield's blog (22 unread)
• Farfromr00tin (27 unread)
• aut disce, aut discede (17 unread)
• pwn* (26 unread)
• hackademix.net (106 unread)
• SecurityDot Vulnerabilities (1939 unread)
• Vulnerabilities & Exploits (87 unread)
• Malicious Code (100 unread)
• Security Risks (66 unread)
• Digg / Security / upcoming (17371 unread)
• digg.com: News / Security / Popular (395 unread)
• DarkReading - Security News (926 unread)
• DarkReading - All Stories (148 unread)

TrendLabs | Malware Blog - by Trend Micro (10 unread)

• March 10, 2010
• 12:51

  Multiple Vendors Affected By New Vulnerabilities

   » ‎ TrendLabs | Malware Blog - by Trend Micro

  The number of serious zero-day vulnerabilities and potential exploits discovered in recent days is higher than normal. This can enable cybercriminals to gain more leverage in their attacks, allowing them to target a considerably large number of users while these vulnerabilities remain unpatched.

  As part of its regular Patch Tuesday schedule, Microsoft released two security fixes to address vulnerabilities found in certain versions of Windows Movie Maker and Office Excel. This is the first time in almost two years that Microsoft did not include any critical patch in its release.

  Both vulnerabilities allow remote code execution when a user opens a specially crafted Movie Maker or Microsoft Producer project file and a specially crafted Excel file. More information on the security advisories can be found in this Trend Micro Security Advisory page.

  While this may be good news, this was somewhat balanced out by the discovery of a new zero-day exploit found in Internet Explorer (IE). This exploit is the second found in the last 60 days. The previous one was discovered just this January. This exploit takes advantage of an invalid pointer reference vulnerability to execute arbitrary code. Only IE 6 and 7 are vulnerable. Users of IE 8 are safe from this threat.  Targeted attacks that do exploit this new issue have reportedly been encountered.

  But Microsoft is not alone in being hit by vulnerabilities this week.

  Alternate browser, Opera, was also found to have a flaw in the way it handles the Content-Length HTTP header. At the very least, this can cause the browser to crash.

  Server applications also came under fire. The popular spam blocker, SpamAssassin, was also found to have a security flaw. This flaw can allow code contained in a specially crafted email that was processed by the application to be executed with administrative privileges on an email server. However, as the specially crafted email would have an invalid recipient, it is unclear if properly configured servers are also vulnerable.

  Patching vulnerable applications sounds like a solution but that may not be ideal, particularly for enterprise users. Restarting servers is often not as simple for them as it is for home users. In addition, some individuals who discover vulnerabilities believe, wrongly or not, that software vendors take a long time to issue patches as well as downplay the severity of any known flaw. Because of this, some prefer to reveal the flaws publicly to force vendors to release patches as soon as possible.

  Trend Micro advises users to keep their software updated and to immediately apply patches once they are released by their vendors. Users can download this month’s Microsoft patches from the official Microsoft Security Bulletin page or run Windows Update to automatically download and apply the patches.

  For business users, Trend Micro Deep Security™ and Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in can be shielded from vulnerabilities, often even before vendor patches are available.

  Post from: TrendLabs | Malware Blog - by Trend Micro
  
  Multiple Vendors Affected By New Vulnerabilities

  
• 7:05

  iPad Giveaway Gives Users’ Identities Away

   » ‎ TrendLabs | Malware Blog - by Trend Micro

  April 3 cannot come soon enough for those who are eager to get their hands on the iPad. If anything, Apple’s recent announcement that the gadget will soon be available in the United States only added to the excitement over the much-talked-about gadget. Unfortunately, spammers are using the current enthusiasm over the iPad to their advantage as well.

  In fact, Trend Micro anti-spam research engineers have already seen a number of spammed messages that promise free iPads to lure unwitting users into their scams. In one such spam sample, recipients are being invited to test the iPad at no cost by simply applying to be part of a “word-of-mouth” marketing campaign. They may not have to shell out a single cent but the price they have to pay will be their identities.

  The spammed messages instruct users to reply to the email with their personal information, which spammers could easily use for further malicious activities. As Trend Micro anti-spam research engineer, Argie Gallego, recommends, “Users should be suspicious of any freebies offered online, particularly those requiring sensitive personal information such as full name and contact numbers. We have only seen a number of iPad-related spam so far but we expect the numbers to rise as April 3 draws near.”

  This recent spam run is no different from how cybercriminals leveraged the iPad launch in January, which led to a FAKEAV variant. Users should thus continue exercising caution in opening email messages from unknown senders. It is also important to be cautious in conducting Web searches on hot topics such as the iPad, as these are often used for blackhat search engine optimization (SEO) attacks as seen in the past. Interestingly, Apple does not own any iPad-related domain names so users should really pay close attention to URLs before they click.

  Trend Micro™ Smart Protection Network™ prevents spammed messages from reaching users’ inboxes via the Web reputation service.

  Non-Trend Micro product users can also stay protected by using eMail ID, which prevents fake messages from reaching their inboxes. It also helps users quickly find legitimate messages.

  Post from: TrendLabs | Malware Blog - by Trend Micro
  
  iPad Giveaway Gives Users’ Identities Away

  
• March 09, 2010
• 14:39

  Oscars 2010 Awards Users with FAKEAV

   » ‎ TrendLabs | Malware Blog - by Trend Micro

  It seems that fans around the world are not the only ones who are hooked on the Oscars. Just a day after this year’s Academy Awards, Trend Micro threat researchers found FAKEAV variants topbilling the search pages.

  This time around, users searching for news on the Oscars fell prey to the latest blackhat search engine optimization (SEO) attack that uses the search terms “oscar winners 2010 live.” Almost 80 percent of the results on the first page alone leads to the download of a FAKEAV binary detected by Trend Micro as TROJ_FAKEAV.ZZH.

  The said variant has been observed to connect to a remote website to send and receive information. It is also able to download other malware, including Mal_Xed-22 and TROJ_VUNDO.SMAT.

  With the continued proliferation of blackhat SEO attacks leading to FAKEAV, it is apparent that cybercriminals intend to continue riding on top Web searches. Users are thus reminded to exercise extreme caution when visiting sites, especially with the Oscar fever still running high.

  Trend Micro™ Smart Protection Network™ protects customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service. It also detects and prevents the download of TROJ_FAKEAV.ZZH, Mal_Xed-22, and TROJ_VUNDO.SMAT via the file reputation service.

  Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

  Post from: TrendLabs | Malware Blog - by Trend Micro
  
  Oscars 2010 Awards Users with FAKEAV

  
• 4:03

  USB Battery Chargers with Malware?

   » ‎ TrendLabs | Malware Blog - by Trend Micro

  The United States Computer Emergency Readiness Team (US-CERT) issued a new vulnerability note. However, this particular “vulnerability” concerns a rather unusual product—a USB charger for rechargeable batteries.

  The Energizer DUO is a charger for two AA or AAA batteries that can be plugged into USB ports. While no software is needed to use the charger, Energizer did provide an application that would display the charge level of the batteries inserted into the charger.

  However, the said application goes far beyond that. It also includes a backdoor detected by Trend Micro as BKDR_ARUGIZER.A. This particular backdoor opens port 7777 to incoming connections, allowing it to receive various commands from remote users. Among the possible commands are to:

  • Download and execute files
  • Delete files on affected systems
  • Upload files from affected systems to a server

  While this backdoor does have routines that could cause significant problems, it is not yet clear if these were actually used. Energizer already released an official statement on the issue, announcing the discontinued sale of the charger in question. It is likewise currently working with the US-CERT and U.S. government officials to understand how the code was inserted into the software.

  Trend Micro™ Smart Protection Network™ already protects product users from these threats by detecting and preventing the file’s execution on affected systems via the file reputation service.

  Non-Trend Micro product users, on the other hand, can use free tools like Housecall, which identifies and removes various viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.

  Post from: TrendLabs | Malware Blog - by Trend Micro
  
  USB Battery Chargers with Malware?

  
• 3:30

  Diet Twitter Spam (on the) Run

   » ‎ TrendLabs | Malware Blog - by Trend Micro

  Spam about diet or weight loss plans have been around for ages now, mostly spreading through email. However, spammed messages recently made their rounds on Twitter, compromising unwitting users’ accounts and spreading via these infected accounts.

  Compromised Twitter accounts post Tweets that tell their followers to click the shortened link to try out a new diet/weight loss plan.

  

  Clicking the given link redirects users to possibly malicious websites that promote Acai Berry.

  Compromised accounts were possibly infected from previous Twitter spam runs previously featured in the following blog entries and are being used again for this new attack:

  • Twitter DM Spam Collects Mobile Numbers
  • Job Spam Uses Twitter
  • A New Twitter Worm Is Making the Rounds

  As of this writing, Twitter is already aware of this latest spam attack and has taken the necessary corrective actions to prevent the spam from spreading further.

  Users are strongly advised to refrain from clicking the links contained in Tweets with similar messages even if they come from a known or a trusted user. On the other hand, users who think their accounts may be one of those that have been compromised should change their passwords as soon as possible.

  Trend Micro™ Smart Protection Network™ protects product users from this kind of attack by blocking user access to the malicious domains and other related sites.

  For Twitter users, follow @TrendMicro to get the latest security information and updates on how to stay protected from new and upcoming threats.

  Post from: TrendLabs | Malware Blog - by Trend Micro
  
  Diet Twitter Spam (on the) Run

  
• 3:24

  Insight: AMTSO’s Reviews

   » ‎ TrendLabs | Malware Blog - by Trend Micro

  Some time ago (February 25–26), the Anti-Malware Testing Standard Organization (AMTSO) had its first meeting this year. This time, it was hosted by McAfee and took place in Santa Clara, California.

  One of the hot topics during the meeting was related to the initiative to review reports published by testing and certification organizations/companies.

  How was this process designed? The Review Analysis Board (RAB) of the AMTSO receives initial requests, makes a decision to conduct a review, and coordinates the work of the Review Analysis Committee (RAC). The RAC comprises volunteer members that analyze reports against the organization’s existing nine principles. The AMTSO’s principles were agreed upon by its members—testers and antivirus vendors—and supported by the AMTSO’s academic advisors. The testing principles mainly refer to how published reports could be presented to their audiences.
  

  The review process does not, however, intend to prove if the right things were done but rather to review whether the things done were done right.

  As such, as long as a test report included an accurate description of how threat samples were gathered and validated, how tests were conducted, and how conclusions were made (including correct and fair communication among all parties involved in the testing), then the report may be deemed compliant with the AMTSO’s testing principles. The actual testing methodology used by a testing lab was not, itself, the subject of the review.

  Take, for instance, a highly innovative test like the one conducted by NSS Labs last year. This was reviewed based on how well the testing methods and conditions were described and whether the conclusions did follow the test results, regardless of the way the test was designed and its methodology.

  The AMTSO’s reviews neither intend to promote nor constrain innovation in anti-malware product testing methodology but to improve output quality.

  Post from: TrendLabs | Malware Blog - by Trend Micro
  
  Insight: AMTSO’s Reviews

  
• March 05, 2010
• 9:21

  Mariposa Botnet Perpetrators Captured

   » ‎ TrendLabs | Malware Blog - by Trend Micro

  Following the shutdown of the Mariposa botnet recently, three alleged members of the group behind the said botnet were finally arrested last week by the Spanish Police, although they are still pursuing another suspect that may still be at large somewhere in South America.

  The Mariposa botnet was one of the largest botnets to date. It was reportedly responsible for attacking millions of businesses around the world, including Fortune 1000 companies, in a mission to steal online banking, business, and personal information from compromised systems.

  Mariposa was discovered in 2009 by the Mariposa Working Group, an informal group of volunteers from the security industry and law enforcement agencies, formed to specifically investigate and to eventually eliminate the said botnet. The group was also responsible for giving out pertinent information on the botnet, which led to the arrest of three of its perpetrators.

  Throughout its lifetime, Mariposa was able to launch several bot variants that were able to compromise up to 12.7 million computers from all over the world. Trend Micro detects  malware related to this botnet as WORM_AUTORUN.ZRO. This worm spreads copies of itself through physical and removable drives as well as through the popular instant-messaging application, MSN Messenger. It also propagates via known peer-to-peer (P2P) file-sharing applications, particularly Kazaa, BearShare, iMesh, Shareaza, DC++, Emule, and LimeWire. It can also perform denial-of-service (DoS) attacks against targeted systems.

  The take-down of the Mariposa botnet may mean less zombies for cybercriminals to operate with. However, there are still other infamous botnets that have not been caught yet and even new ones that are gaining notoriety once again such as ZeuS, SDBOT IRC, Chuck Norris, and DOWNAD/Conficker botnets.

  Trend Micro™ Smart Protection Network™ already protects product users from these threats by detecting and preventing the file’s execution on affected systems via the file reputation service.

  Non-Trend Micro product users, on the other hand, can use free tools like RUBotted, which monitors computers for suspicious activities and regularly checks with an online service to identify behaviors associated with bots. Upon discovering potential infections, it prompts users to scan and clean their computers.

  Post from: TrendLabs | Malware Blog - by Trend Micro
  
  Mariposa Botnet Perpetrators Captured

  
• 3:21

  What’s the Juice on ZeuS?

   » ‎ TrendLabs | Malware Blog - by Trend Micro

  TrendLabs researchers recently published their findings on ZeuS, a botnet that is again making the headlines in today’s threat landscape.

  ZeuS: A Persistent Criminal Enterprise
  

  ZeuS has been entrenched in the cybercriminal business for a long time now and has continuously evolved and improved. Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses to thwart both antivirus and other security solutions, as well as efforts by the security industry, ZeuS will continue to be used by cybercriminals to steal personal information and even people’s identities.

  The paper provides an extensive view of the ZeuS botnet. From a thorough discussion of its usual routine up to the possible criminal organizations involved, the research is a must read for users who want to get the rundown on this persistent online threat.

  For more information on the above-mentioned subject and other previously released white/research papers, you may download the reports from this page.

  Post from: TrendLabs | Malware Blog - by Trend Micro
  
  What’s the Juice on ZeuS?

  
• March 03, 2010
• 12:54

  New Exploit Bypasses DEP

   » ‎ TrendLabs | Malware Blog - by Trend Micro

  Another Proof-of-Concept (POC) Revealed

  The changing threat landscape has brought about more sophisticated Web threats, and left the online population clamoring for better security features in the systems and applications that they use. This has pushed Microsoft to develop security mechanisms within its applications like Windows’ Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR).

  Both DEP and ASLR are security mechanisms that Microsoft included in its latest Windows releases starting with XP SP2 and Vista, respectively, which should ideally protect systems from being attacked by exploit codes. DEP prevents the execution of code (including malicious shellcode) from certain regions of computer memory (nonexecutable). ASLR, on the other hand, randomizes the layout of regions (data areas) in memory to make guessing the exact location more difficult. But what if these security mechanisms are not so secure after all?

  This is what Berend-Jan Wever, aka Skylined (the security researcher responsible for disclosing the heap-spraying technique), came to discover as he reported a new exploit technique that bypasses DEP if the ASLR feature is disabled. In Wever’s full disclosure of the exploit, he discusses the method on how to go around DEP and ASLR using return-to-libc attacks wherein an attacker uses existing code (of the applications being exploited or of the library functions) to carry out the attack rather than run his/her own code.

  Possibilities Explored

  Although these features make it more difficult to launch code execution on a system, these mechanisms are not perfect and can be bypassed, as revealed in Wever’s exploit codes. This exploit may take advantage of an already-fixed vulnerability in Internet Explorer (IE) but this new technique may pave the way for new exploits that can defeat DEP.

  As Trend Micro researcher, Rajiv Motwani, puts it, “history could repeat itself. After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not farfetched that the release of this new POC could lead to the same scenario—new exploits could start using return-to-libc to achieve DEP bypass.”

  Furthermore, because the exploit affects DEP, which Microsoft only recently introduced with Windows XP SP2, and ASLR was only enabled by default from Windows Vista onward, we can expect to see more reliable code execution vulnerabilities on new versions of Windows.

  Thoughts on Public Disclosures

  Given the increasing number of POCs that have gone public, there seems to be a need to give responsible disclosure considerable thought. Trend Micro global director for education, David Perry, notes that there seems to be a lot of disclosure rather than response on the exploit. Public disclosures currently act as double-edged swords that both contribute and complicate the threat landscape.

  On one hand, disclosures raise public awareness and push developers to act quickly. On the other hand, however, putting such critical information in the hands of the public could lead to significant exploits, as we recently saw with the most recent zero-day IE vulnerability.

  While actual exploits of this vulnerability have yet to be seen in the wild, Trend Micro Deep Security™ already shields users from potential future exploits. Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the latest IDF filters.

  Additional text by Ria Rivera

  Post from: TrendLabs | Malware Blog - by Trend Micro
  
  New Exploit Bypasses DEP

  
• 12:49

  Web Reputation Checks Gone Awry

   » ‎ TrendLabs | Malware Blog - by Trend Micro

  As the security industry evolves, underground cybercriminals are constantly looking for ways to counter the technology challenges presented to them. I recently found out that the bad guys have begun offering services to track the blacklisting of domain names through reputation checks. The number of “businesses” offering this type of service is growing and the service itself has now become semi-automated.

  This semi-automation can trace the list of requested domain names against the different Web reputation databases. The most recent service I studied is found on www.{BLOCKED}ervice.net, which offers customers solutions wherein the list of the domain names are regularly checked for blacklisting against Google BlackList (Firefox), ZeuS Tracker, MalwareDomainList.com, SpamHaus, and others. The monthly fee for such a service is currently around US$30 for 100 domains.

  The message above translates to:

  Zeus TRACKER
  Added cheking on ZEUS TRACKER
  Join now!
  JABBER BOT!
  Now clients of our service can use jabber bot, which can help in code crypting and check if the  domain is in black list, check your domains in a real time for the black listing.
  Join! It’s easy!
  Added API!
  Now clients of our service can use our algorithms via API.
  This means you can now integrate the algorithms into your software products.

  This service offers a Web-based interface for a manual site by site check and a bulk check mechanism. It utilizes an application programing interface (API) and uses Jabber as a communication protocol. Note that this is not the main business of the said site and it still prioritizes bulky JavaScript obfuscation.

  These new services demonstrate how adept the cyber underground is at using new technologies and resource to their advantage. The security industry finally understands the need for and has employed technologies such as reputation checks – and the bad guys have already come along and misused the technology to their advantage, in order to make even more money.

  Trend Micro protects users from potential attacks via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service.

  Post from: TrendLabs | Malware Blog - by Trend Micro
  
  Web Reputation Checks Gone Awry