Research and Analysis

Smartphones are to the early 21st century what the PC was to the late 20th century–a universal tool valued for its productivity and fun factor but hated for the problems it can bring. Since smartphones are handheld computers that communicate, the threats they face are both similar and different from the PC challenges many of us are familiar with. Like the PC, many of today’s mobile malware prey upon the unwary. However, the nature of the mobile malware threat is, in some ways, very different.

Malware targeting Google’s Android platform increased nearly sixfold in the third quarter of 2012. What had been around 30,000 malicious and potentially dangerous or high-risk Android apps in June increased to almost 175,000 between July and September.

This report will examine what led to the increase and what it means for users and developers alike.

Read Android Under Siege: Popularity Comes at a Price

Any kind of business can expose itself to attacks when its employees open themselves up to external threats. Most small businesses are not convinced that bad guys are after them. What they do not know is that everyone is a likely target, regardless of size. Attackers are now carefully selecting their targets, moving away from launching large-scale attacks to focus on more specific and somewhat more “personal” targets.

Read Its Big Business and Its getting Personal

“Mobile technology” is just what the name implies; portable technology that isn’t limited to mobile phones. This also includes devices like laptops, tablets, and global positioning system (GPS) devices. As with any other kind of technology though, there are drawbacks to “going mobile.” Mobile devices can expose users’ and organizations’ valuable data to unauthorized people if necessary precautions are not taken.

Read Security in the Age of Mobility

True to one of our predictions for the year, 2011 has been dubbed the “Year of Data Breaches,” as we witnessed organizations worldwide succumb to targeted attacks and lose what we have come to know as the new digital currency: data. As individuals and organizations alike embark on the cloud journey, we at Trend Micro, along with our fellow cybercrimefighters in law enforcement and the security industry, will continue to serve our customers by providing data protection from, in, and for the cloud.

Read Information is Currency

Trend Micro researchers and analysts were instrumental in uncovering various cybercriminal operations this quarter. In an effort to aid law enforcement authorities, they uncovered some popular FAKEAV affiliate networks and a particular SpyEye operation, which may bring authorities one step closer to catching the perpetrators.

Similar to the previous quarters, in the past three months, we witnessed an increase in the Android malware volume, more enhancements to notorious crimeware toolkits such as ZeuS and SpyEye, as well as the proliferation of survey scams in social media. As in the previous months, cybercriminals continued to employ very enticing social engineering tactics to lure targets.

Unlike in the past half of the year, however, mass compromises seemingly decreased in number, most probably due to the shift to launching targeted attacks, particularly against large enterprises and government institutions.

Read 3Q Threat Roundup

Many businesses are evolving their data centers to include virtualization and cloud computing to improve resource utilization, accelerate development and deployment of computer resources, and reduce costs. However, these new platforms open additional avenues for threats against data, systems, and reputation, and raise new infrastructure issues that security providers must consider when creating a security foundation to protect against these threats.

This report discusses the security threats that enterprises face when deploying and using virtualization and cloud computing infrastructures. The report contains real-world examples of attacks and attack tools that cyber criminals use to exploit vulnerabilities in virtualization and cloud computing environments, as well as recommendations for security best practices.

Read Threats to Evolving Data Centers

To address the security threats and issues relevant to cloud computing and virtualization, an accompanying best practice guide is also available for download: Virtualization and Cloud Computing - A Security Best Practice Guide

Over the years, spam has rapidly become a major security threat. A catalyst for potential financial drain or intellectual property theft to organizations worldwide.

This report discusses current spam trends and related major incidents affecting the spam volume. It highlights how spammers have been leveraging social media as new means to scam users and to launch spear-phishing attacks. It also provides information on our next-generation security solutions to address the changing nature of spam, which goes beyond the scope of traditional email security.

Read Spam Trends in Today’s Business World

Crimeware, another vehicle by which cybercriminals generate profit, remains prevalent in the current threat landscape. In the second quarter of 2011, crimeware toolkits such as ZeuS and SpyEye continued to evolve, which allowed cybercriminals to infect as many systems as possible while evading detection and takedown.

In April, we published the “1Q 2011 Crimeware Report,” our first roundup of news and insights on malware families that targeted financial institutions in the first three months of this year. In this issue, we focused on the notable crimeware-related incidents within the last three months, including developments made to the latest SpyEye version and insights as to how the reported ZeuS code leakage will affect the security industry and the cybercriminal underground.

Read 2Q Crimeware Report

The second quarter of 2011 was marked by a spate of data breaches, vulnerability exploit attacks, the proliferation of new Android malware, improvements in social networking scams, as well as notable developments in traditional system infectors. Closely resembling the first quarter, albeit some improvements and enhancements in tools, targets, tactics, and scale, cybercriminals continued to instigate a myriad of malicious schemes.

As Trend Micro security experts predicted, the beginning of enterprises’ journey to the cloud indeed ushered in data breaches of never-before-seen magnitude. This spelled disaster not only for attack targets such as Epsilon but for clients and customers as well. At the rate cybercriminals are launching attacks, targeted or not, there is no telling how many more companies and users will succumb to the dangers these pose before the year ends.

In line with the rapid shifts in the threat landscape and the never-ending slew of technological developments, we revamped our Threat Roundup reports. Instead of publishing these every month, succeeding issues will now be released on a quarterly basis. This change will allow us to give you a more in-depth view of the ever-evolving threat landscape as the shifts occur and even more valuable insights direct from our experts on what these mean for you.

Read 2Q Threat Roundup

Continuous technological advancements have made the Internet the preferred platform to quickly and easily conduct all kinds of transaction. Banks and other financial institutions are aware of and are taking advantage of these by creating more robust online services to reach out to and to better serve their clients’ needs.

The convenience and ease of using the Internet as a service platform, however, also entails certain security risks. In fact, information theft and the conduct of unauthorized online banking transactions are just two of the security issues that organizations have to deal with on a regular basis. In line with this, we at Trend Micro have decided to compile our findings on the latest threats targeting the financial industry.

Read 1Q Crimeware Report

1. TrendLabs Threat Trends 2010: The Year of the Toolkit or view as an eBook.
2. FAKEAV - The Growing Problem
3. Trend Micro TrendLabs Global Threat Trends 1H 2010
4. The Business of Cybercrime: A complex business model

Advanced persistent threat (APT) campaigns comprise a growing part of the current threat landscape. Some APT campaigns remain active, in fact, even after drawing extensive media attention. Campaigns’ routines may vary over time but their primary goal remains the same—to gain entry to a target organization’s network and obtain confidential information.

Read Spear-Phishing Email: Most Favored APT Attack Bait

A ransomware is a kind of malware that withholds some digital assets from victims and asks for payment for the assets’ release. Ransomware attacks were first seen in Russia in 2005–2006 and have since changed tactics and targets.

Read Police Ransomware Update

This research paper provides a brief summary of the cybercriminal underground and sheds light on the basic types of hacker activity in Russia. The bulk of the information in this paper was based on data gathered from online forums and services used by Russian cybercriminals. We also relied on articles written by hackers on their activities, the computer threats they create, and the kind of information they post on forums’ shopping sites.

Read Russian Underground 101

Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. This research paper discusses how advanced detection techniques can be used to identify malware command-and-control (C&C) communications related to these attacks, illustrating how even the most high-profile and successful attacks of the past few years could have been discovered.

Read Detecting APT Activity with Network Traffic Analysis

The following report contains a technical analysis of the Tinba Trojan-banker family. The name “Tinba” was assigned by CSIS and represents the small size of this Trojan-banker (approximately 20 KB). The name is derived from the words “tiny” and “bank.” The malware is also known as “Tinybanker” and “Zusy.”

Read W32.Tinba (Tinybanker): The Turkish Incident

Taidoor malware, detected by Trend Micro as BKDR_SIMBOT variants, have been historically documented for their use in targeted attacks. Using techniques developed to match the network traffic Taidoor malware generate when communicating with a command-and-control (C&C) server, we were able to identify victims that these appeared to have compromised. All of the compromise victims we discovered were from Taiwan, the majority of which were government organizations.

The Taidoor Campaign: An In-Depth Analysis

While most of the malware associated with advanced persistent threats (APTs) focus on Windows platforms, attackers are actively developing malware targeting other platforms as well. Attackers are expanding their target base as their targets adopt new platforms and devices. In addition to Mac OS X malware, attackers are also exploring the use of mobile malware. While there has been talk of APT attackers likely targeting mobile platforms, we found evidence that the actors behind the Luckycat campaign are actively pursuing mobile malware creation.

Read Adding Android and Mac OS X Malware to the APT Toolbox

The threat landscape of 2012 is extremely sophisticated and hostile. Trend Micro’s latest threat report illustrates a notable shift in the organization of cybercriminals and state actors, as well as a significant evolution of the cyber kill chain. To protect our digital ecosystems, we must appreciate the evolution of blended threats from the simple virus of yesteryear to the virulent malware and organized cyber campaigns of 2012 and beyond.

Read Continuous Monitoring in a Virtual Environment

In the past few months, we investigated several high-volume spam runs that sent users to websites that hosted the Blackhole Exploit Kit. The investigation was prompted by a rise in the number of these spam runs. The spam in these outbreaks claim to be from legitimate companies such as Intuit, LinkedIn, the US Postal Service (USPS), US Airways, Facebook, and PayPal, among others.

Read Blackhole Exploit Kit

In the past few years, Trend Micro has been quietly cooperating with the Federal Bureau of Investigation (FBI), the Office of the Inspector General (OIG), and security industry partners in their attempts to take down the Estonia-based cybercriminal gang, Rove Digital. This collaboration was a huge success, as on November 8, 2011, law enforcement authorities seized Rove Digital’s vast network infrastructure from different data centers in the United States and Estonia as well as arrested six suspects, including the organization’s CEO, Vladimir Tsastsin.

This paper provides some information Trend Micro learned about Rove Digital since 2006. As early as 2006, Trend Micro learned that Rove Digital was spreading Domain Name System (DNS) changer Trojans and appeared to be controlling every step from infection to monetizing infected bots. We, however, decided to withhold publication of certain information in order to allow law enforcement agencies to take the proper legal action against the cybercriminal masterminds while protecting our customers. Now that the main perpetrators have been arrested and Rove Digital’s network has been taken down, we can share more details regarding the intelligence we gathered about the operation in the past five years.

Read Rove Digital Takedown

This research paper will discuss automatic transfer systems (ATSs), which cybercriminals have started using in conjunction with SpyEye and ZeuS malware variants as part of WebInject files. It will also provide some insights as to why some countries appear to be more targeted than others.

Read Automating Online Banking Fraud

The number of targeted attacks is undoubtedly on the rise. These highly targeted attacks focus on individual organizations in an effort to extract valuable information. In many ways, this is a return to the “old hacking days” before more widespread attacks targeting millions of users and the rise of computer worms came about. Sometimes, these targeted attacks are allegedly linked to state-sponsored activities but may also be carried out by individual groups with their own goals.

This research paper will delve into another prominent group of attackers referred to as “IXESHE” (pronounced “i-sushi”), based on one of the more common detection names security companies use for the malware they utilize. This campaign is notable for targeting East Asian governments, electronics manufacturers, and a German telecommunications company.

Read IXESHE: An APT Campaign

The number of targeted attacks has dramatically increased. Unlike largely indiscriminate attacks that focus on stealing credit card and banking information associated with cybercrime, targeted attacks noticeably differ and are better characterized as "cyber espionage." Highly targeted attacks are computer intrusions threat actors stage to aggressively pursue and compromise specific targets, often leveraging social engineering, to maintain persistent presence within the victim’s network so they can move laterally and extract sensitive information.

Cyber-espionage campaigns often focus on specific industries or communities of interest in addition to a geographic focus. Different positions of visibility often yield additional sets of targets pursued by the same threat actors. We have been tracking the campaign dubbed "Luckycat" and found that in addition to targeting Indian military research institutions, as previously revealed by Symantec, the same campaign targeted entities in Japan as well as the Tibetan community.

Read Luckycat Redux

A ransomware is a kind of malware that withholds some digital assets from victims and asks for payment for the assets’ release. Ransomware attacks were first seen in Russia in 2005–2006 and have since changed tactics and targets. Trend Micro has been tracking the so-called "Police Trojan" campaign since the beginning and is now ready to show some of our conclusions after the investigation. A mix of well-tuned social engineering tactics as well as an advanced and very dynamic networking model shows that the Police Trojan’s creators are well-organized, apart from being persistent and creative.

Read more about the Police Trojan

Directing traffic to cash in on referrals is a common and legitimate method of making money on the Internet. It should not, therefore, be surprising for the same to be true in the illegitimate world of cybercrime. So-called traffic direction systems (TDSs) have reached a high level of sophistication. This research paper shows how such systems work, how they are utilized by cybercriminals, and what the security industry can do about this.

Read more about Traffic Direction Systems

This paper illustrates what the author believes should be considered required elements in every industrial control system (ICS) network integration effort.

It also covers best practices when integrating with supervisory control and data acquisition (SCADA) and existing organizational networks as well as the rationale for and importance of each component of the suggested architecture.

Read more about Industrial Control System Networks

The KOOBFACE botnet has been known to generate money by using the pay-per-install (PPI) and pay-per-click (PPC) business models. In fact, in 2009, the KOOBFACE botnet herders earned about US$2 million from their malicious activities. To earn more, the KOOBFACE gang upgraded their botnet’s framework with the creation of a sophisticated traffic direction system (TDS) that handles all of the traffic referenced to their affiliate sites. They also introduced new binary components to help increase the amount of Internet traffic that goes to their TDS, which translates to even bigger profit.

This research paper discusses how KOOBFACE’s TDS works and how the botnet’s binaries work together to increase the amount of Internet traffic to the TDS.

Read KOOBFACE Draws More Blood

HTML5 opens up a wide and wonderful new world for Web designers, bringing fantastic new features that were previously only possible via Flash or horribly over-complicated Javascript. And HTML5 is not a future technology, chances are your favorite browser already has excellent support built in.

In this paper we look at HTML5 from an attacker’s viewpoint. Because not only does HTML5 bring us Semantic web, editable content, inbuilt form validation, local storage, and awesome video support, it also opens up a host of new opportunities for attackers.

We look at some of the troublesome new attacks that this new HTML5 standard introduces, how attackers can leverage these attacks for their own gain, and how, with a little bit of help from some not so over-complicated Javascript, an attacker can build botnets in your browser!

Read more about HTML 5 Attacks

Often leveraging social engineering and malware, targeted attacks seek to maintain a persistent presence within the victim’s network so that the attackers can move laterally throughout the target’s network and extract sensitive information. These attacks are most commonly aimed at civil society organizations, business enterprises and government/military networks. Given their targeted, the distribution is low; however, the impact on compromised institutions remains high. As a result, targeted attacks have become a priority threat.

This paper examines the stages of a targeted attack from the reconnaissance phase through to the data ex-filtration phase and explores trends in the tools, tactics and procedures used in such attacks. Mitigation strategies leverage threat intelligence and data security to provide organizations with the information they need to increase their ability to analyze and respond to threats and to customize technical solutions in ways that best fit their own defensive posture.

Read Trends in Targeted Attacks

This research paper will show the capabilities of the four members of the Botnet PHP family, so named because the toolkit used to build its member botnets used PHP script.

PHP is a widely used general-purpose scripting language that is especially suited for Web development and that can be embedded into HTML. The Botnet PHP family comprises four botnets, the most popular of which were the Tequila and Mariachi botnets that targeted Mexican users.

Read The Mexican Botnet Connection

On October 5 to 7, The VirusBulletin conference was held in Barcelona. Virus Bulletin is the biggest event in the antivirus industry. In that conference, two Trend Micro senior researchers presented a joint paper on the sinkholing technique to shut down botnets. In the paper, Sancho and Link discuss the pros and cons of sinkholing botnets as well as possible roadblocks on the way when using this powerful technique.

Read Virus Bulletin paper

This March, Trend Micro began investigating a specific SpyEye botnet created and controlled by a cybercriminal who goes by the handle, Soldier. This paper will delve deeper into activities related to his SpyEye botnet. It will talk about his success in instigating attacks that impacted various organizations worldwide, particularly in the United States; how his particular botnet works; and how much he has made from the malicious campaigns he has so far instrumented. It will provide insights on how Trend Micro was able to track him down from Russia to Hollywood and reveal what we learned about him and his accomplices in the process.

Read Turning the Tables on SpyEye

Prior to the highly publicized “Aurora” attack on Google in late 2009, which also affected at least 20 other companies, there was little public awareness regarding targeted attacks. However, such attacks have been taking place for years and continue to affect government, military, corporate, educational, and civil society networks today. While such attacks against the U.S. government and related networks are now fairly well-known, other governments and an increasing number of companies are facing similar threats.

Read Dissecting the LURID APT

The underground ecosystem provides everything required to set up and to maintain a malware operation for a minimal investment. It enables those with limited technical skills and with a few underground connections to earn significant returns on their investment.

This research paper focuses on how FAKEAV affiliate networks operate, what propagation strategies they use, and how much they earn from their malicious activities. It explores the various underground connections among malicious actors, including the emergence of “meta” affiliate networks that act as mid-tier FAKEAV providers.

Read more about FAKEAV Affiliate Networks

1. Sinkholing Botnets
2. The Dark Side of Trusting Web Searches - From Blackhat SEO to System Infection
3. The Botnet Chronicles – A Journey to Infamy
4. How Blackhat SEO Became Big
5. File-patching ZBOT Variants - ZeuS 2.0 Levels Up
6. Dissecting the XWM Trojan Kit
7. Understanding WMI Malware
8. Web 2.0 Botnet Evolution - KOOBFACE Revisited
9. ZeuS - A Persistent Criminal Enterprise
10. Unmasking FAKEAV
11. Show Me the Money!: The Monetization of KOOBFACE
12. The Heart of KOOBFACE: C&C and Social Network Propagation
13. The Real Face of KOOBFACE: The Largest Web 2.0 Botnet Explained
14. A Cybercrime Hub in Estonia

In 2013, managing the security of devices, small business systems, and large enterprise networks will be more complex than ever before. Users are breaking down the PC monoculture by embracing a wider variety of platforms, each with its own user interface, OS, and security model. Businesses, meanwhile, are grappling with protecting intellectual property and business information as they tackle consumerization, virtualization, and cloud platforms head-on. This divergence in computing experience will further expand opportunities for cybercriminals and other threat actors to gain profit, steal information, and sabotage their targets’ operations.

Users face various unwanted app routines in the current mobile landscape. Given this situation, market owners have taken certain measures like providing safety guidelines, conducting prerelease quality assurance checks, and introducing access permission layers at the OS level. Unfortunately, these are still far from being fool-proof solutions. The reality is: Users are responsible for checking if the apps they download are legitimate or not.

Read Eco and Ego Apps in Japan

When was the last time you played chess? If you are responsible for cyber security you are unwittingly playing it every day. We must appreciate the ancient sport of chess in order to reorganize our defense in 2013.

Read The Knight Fork: Defining Defense in 2013

While East Asian hackers dominate cyber security-related headlines around the world, it would be a mistake to conclude that these attackers are the sole or greatest criminal threat to the global Internet today. Hackers from the former Soviet bloc are a more sophisticated and clandestine threat than their more well-known East Asian counterparts.

Read Peter the Great vs Sun Tzu

Attacks are becoming increasingly sophisticated and targeted and the men and women behind them are better resourced than ever before. How dopes the digital insider lay hidden, undetected within an organization for years on end? And more importantly, how can advanced situational awareness help us to respond and mitigate these threats?

Read How to Thwart the Digital Insider

Need help understanding how Advanced Persistent Threats work? Trend Micro Threat Researchers have studied the techniques cybercriminals use in perpetrating Advanced Persistent Threats or Targeted Attacks. This primer will give you insight into these attacks and what steps you need to take to help mitigate them.

Read Detecting the Enemy Inside the Network

This time every year, Trend Micro CTO Raimund Genes sits down with his research teams to discuss what they think the coming year will hold in terms of threats to Trend Micro customers. It’s an important discussion that helps Trend Micro not only share with you what we think you need to be prepared for, but also to help guide our direction as we continue to build products and services to help protect you from these threats. This year, as we look ahead, we’ve come up with 12 predictions for 2012 that fall into four main categories:

• Big IT trends
• Mobile landscape
• Threat landscape
• Data leaks and breaches
   

Read now

What are Domain Naming System (DNS)-changing malware? These recently garnered a lot of attention due to the recent Esthost takedown that involved a botnet comprising 4 million DNS-changing-malware-infected systems. The unobtrusive nature of DNS-changing malware allowed the cybercriminals behind Esthost to earn US$14 million over several years.

Read now

How many ads do you typically see every time you open a page while surfing the Web? Have you ever had the misfortune of accidentally clicking an ad? Where and what did it lead you to? Did you know that malicious advertisements or malvertisements are typically employed as malware infection vectors and can pose grave security risks to users like you? Read on to find out what malvertisements are, how these can affect you, and how you can protect yourself from the perils these pose.

Read now

Cybercriminals are cashing in on Bitcoin, a digital currency that is slowly gaining acceptance as payment for various items bought online. This is probably why creating malware that cause victims to generate money for cybercriminals akin to the pay-per-click (PPC) schemes of the past and these days’ Bitcoin mining is seemingly becoming a trend.

Read now

Survey scams in social networking sites may look harmless and may just be a waste of time once users find out that they will not get what they were promised in the end. Keep in mind, however, that bad guys will not waste time coming up with ingenious scams if these will not translate to profit.

Read now

Android’s popularity and the Android Market’s “open” nature are causing mobile devices running on the mobile OS to be targeted by several noteworthy malware. In this article, we will look at the different Android malware we have recently seen, particularly those that steal information from users and that monitor mobile activities.

Read now

Threat Spotlight, our latest monthly offering, features expert views and findings on the current trends in the threat landscape. This maiden edition discusses the recent spate of FAKEAV for Macs. In a span of just one month, TrendLabs^℠ engineers came across several FAKEAV variants that targeted Mac users, prompting security experts to watch out for further attacks.

Read now

Mobile malware are growing in number and prevalence due to the rise in the demand for mobile devices. The evolution and emergence of several mobile OSs like Google’s Android OS and Apple’s iOS provided cybercriminals additional routes with which to instigate malicious activities.

Read now

1. Threats to Watch Out for During the Tax Season
2. Celebrity News - Roll out the Red Carpet for Cybercrime (asset 39)
3. Cybercriminals Spread Love via Online Threats
4. Top Tips for Safer and More Secure Online Experiences in 2011
5. 2010 threats: The Good, The Bad, and The Ugly
6. Trend Micro 2011 Threat Predictions
7. Tis the Season to Be Wary
8. Security Dangers of Using Open Wi-Fi Networks
9. From the Virtual Works to Real-world Threats
10. Slipping Through the Cracks of Web Services to Serve Malware
11. Mobile Phones Emerge as Security Threat Targets
12. Why FAKEAV Persist
13. XSS Attack Hits Youtube
14. Avoiding the Whack-a-mole Anti-phishing Strategy
15. Security Threats Loom Over Online Banking
16. Emerging Malware Business Platforms
17. Popularity Ushers In New Security Threats
18. Issues and Threats that Facebook Users Face
19. The Evolution of Botnets
20. Building Businesses and Potential Threats with Online Social Networks
21. DOWNAD/Conficker: The Case of the Missing Malware