Trend Micro - Report on Security Threat Trends Q3 2011

Uploaded by: trend-argentina

Posted on: 06-Apr-2018

    8/3/2019 Trend Micro - Report on Security Threat Trends Q3 2011

    THREAT ROUNDUP

    The Trend Micro Quarterly Roundup reports present key security highlights and developing trends in the current threat landscape.

    A Quarterly Trend Micro Report | 2011


    In This Issue

    Trend Micro researchers and analysts were instrumental in uncovering various cybercriminal operations this quarter. In an effort to aid law enforcement authorities, they uncovered some popular FAKEAV affiliate networks and a particular SpyEye operation, which may bring authorities one step closer to catching the perpetrators.

    Similar to the previous quarters, in the past three months, we witnessed an increase in the Android malware volume, more enhancements to notorious crimeware toolkits such as ZeuS and SpyEye, as well as the proliferation of survey scams in social media. As in the previous months, cybercriminals continued to employ very enticing social engineering tactics to lure targets.

    Unlike in the past half of the year, however, mass compromises seemingly decreased in number, most probably due to the shift to launching targeted attacks, particularly against large enterprises and government institutions.

    Data Breaches and Highly Targeted Attacks

    South Korea Data Breaches

    The SK Communications data breach this July affected at least 35 million users in South Korea. Cyworld and NATE, subsidiaries of SK Communications, one of the most popular social networking, telecommunications, and instant-messaging service providers in the country, were among those greatly affected by the incident. Client information such as email addresses, user names, and contact details, among others, was stolen. SK Communications sent out an advisory soon after the breach's discovery.

    A week after reports of the SK Communications data breach came out, Trend Micro analysts discovered a malware now detected as BKDR_SOGU.A, which may have been related to the incident. Upon analysis, we found that when executed, the backdoor had the capability to access databases stored in infected systems in order to gather data. It also allowed remote malicious users to send commands to infected systems, thus compromising their security.

    After another week, ESTsoft, a South Korean software vendor, came forward and disclosed that it may have also suffered the same fate. In a public statement, the company admitted that one of its software update servers was also compromised with the aid of the same backdoor program used in the SK Communications attack. Based on ESTsoft's investigation, one of its DLL update modules had a common vulnerability that allowed attackers to drop BKDR_SOGU.A onto the systems of its product users. In an effort to resolve the issue, ESTsoft released a patch for the said vulnerability and pushed it as an update on August 4.

    Sources:
    http://blog.trendmicro.com/large-data-breach-in-south-korea-data-of-35m-users-stolen/
    http://blog.trendmicro.com/analysis-of-bkdr_sogu-a-database-accessing-malware/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=BKDR_SOGU.A
    http://blog.trendmicro.com/updates-on-the-sk-comms-data-breach/

    Spate of Highly Targeted LURID Downloader Attacks

    More recently, variants of the LURID malware family were used in what was dubbed the LURID Downloader attacks that targeted major companies and institutions in 61 countries, including Russia, Kazakhstan, and the Ukraine. In what is considered an advanced persistent threat (APT), the cybercriminals behind the attacks launched over 300 malware campaigns to collect data from their targets.

    Based on Trend Micro researchers' analysis, the perpetrators sent out email that urged targets to open a malicious file attachment. Users who were tricked into doing so ended up executing a malicious code that exploited vulnerabilities in Microsoft Office and Adobe Reader (i.e., CVE-2009-4324 and CVE-2010-2883). Infection allowed attackers to obtain confidential data from and to take full control of affected users' systems over an extended period of time.

    The backdoor program also had the ability to access a network of command-and-control (C&C) servers that made use of 15 domain names and 10 IP addresses, which allowed the attackers to issue commands to compromised systems. The targeted nature of the campaigns for specific geographic locations and entities added to the success of this spate of attacks, allowing them to compromise as many as 1,465 systems.

    Rank  Country      Infection Count
    1     Russia       1,063
    2     Kazakhstan   325
    3     Ukraine      102
    4     Vietnam      93
    5     Uzbekistan   88
    6     Belarus      67
    7     India        66
    8     Kyrgyzstan   49
    9     Mongolia     42
    10    China        39

    Table 1. Most targeted countries in the LURID Downloader attacks

    A more detailed discussion of the LURID Downloader attacks can be found in the Trend Micro research paper, The Lurid Downloader.

    The data breaches and highly targeted attacks mentioned above show that the threat landscape is indeed changing. Cybercriminals are limiting their focus in terms of target, by region as in the South Korea data breaches or by industry as in the LURID Downloader attacks.

    Sources:
    http://blog.trendmicro.com/trend-micro-exposes-lurid-apt/
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324
    http://www.adobe.com/support/security/advisories/apsa10-02.html
    http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/12802_trend_micro_lurid_whitepaper.pdf

    Vulnerability Exploits

    osCommerce Mass Compromise

    The exploitation of various vulnerabilities in the osCommerce software led to a mass compromise in July. An estimated 90,000 Web pages have been injected with an iframe that pointed to malicious sites hosting an exploit kit.

    Several e-commerce websites fell prey to the attack. According to a Trend Micro threat response engineer, the malware used in this attack, TROJ_JORIK.BRU, gathered the information it needed then immediately deleted itself from infected systems to evade detection. To resolve the vulnerabilities exploited in the attack, osCommerce's developers strongly advised the owners of sites that use their software to update to the latest version and to check their sites for signs of code injection.

    Targeting Defense Companies

    This quarter, cybercriminals staged exploit attacks targeting defense companies in several countries, including the United States and Japan. The first attack involved spam with malicious .PDF attachments that Trend Micro detects as TROJ_PIDIEF.EED. Analysis showed that when executed, this Trojan drops a backdoor program we detect as BKDR_ZAPCHAST.QZ. This backdoor can receive commands from a remote malicious user, compromising the security of victims' systems.

    The attackers commanded compromised systems to gather network information and to download certain custom .DLL files that Trend Micro now detects as BKDR_HUPIG.B. They also commanded the compromised systems to download certain tools that would permit them to move about the victims' networks. The said tools turned out to be remote access Trojans (RATs) that we detect as BKDR_HUPIGON.ZXS and BKDR_HUPIGON.ZUY. These RATs allowed remote malicious users to take full control of compromised systems.

    A few days after, Adobe also released an out-of-band security patch to address CVE-2011-2444, another vulnerability cybercriminals have been abusing in a targeted attack in order to compromise victims' systems and/or networks.

    Sources:
    http://blog.trendmicro.com/oscommerce-mass-compromise-leads-to-information-theft/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TROJ_JORIK.BRU
    http://blog.trendmicro.com/japan-us-defense-industries-among-targeted-entities-in-latest-attack/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TROJ_PIDIEF.EED
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=BKDR_ZAPCHAST.QZ
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=BKDR_HUPIG.B
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=BKDR_HUPIGON.ZXS
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=BKDR_HUPIGON.ZUY
    http://blog.trendmicro.com/adobe-releases-out-of-band-patch/
    http://about-threats.trendmicro.com/Vulnerability.aspx?language=us&name=Several+Vulnerabilities+Found+in+Versions+of+Adobe+Flash+Player
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2444

    Vulnerability Statistics

    From being the top vendor in terms of reported vulnerabilities in products in the second quarter, Microsoft dropped to the third spot this quarter. Google ousted last quarter's top vendor after several reports of existing vulnerabilities in Chrome. Note, however, that none of the vulnerabilities in Chrome were as severe as some of those found in Microsoft products. The increase in the number of attacks targeting Chrome may primarily be due to the browser's increasing usage and popularity. The speed by which Chrome is developed, which limits the amount of time for internal and external bug testing prior to product release, may have something to do with Google's rise in ranking as well.

    The number of reported vulnerabilities in Oracle products also rose, most probably due to the vendor's acquisition of Sun Microsystems and its Java products. The fact that Oracle's codebase is rather large and complicated to maintain may have also contributed to the rise in the number of exploitable bugs in its products, causing it to climb from the top 5 spot in the second quarter to the top 2 spot this quarter.

    Rank  2Q 2011 Vendor  Reported Vulnerabilities  3Q 2011 Vendor  Reported Vulnerabilities
    1     Microsoft       96                        Google          82
    2     Google          65                        Oracle          63
    3     Adobe           62                        Microsoft       58
    4     HP              57                        Apple           49
    5     Oracle          50                        Adobe           43
    6     IBM             48                        IBM             39
    7     Mozilla         38                        Mozilla         39
    8     Linux           31                        Opera           36
    9     Cisco           30                        HP              25
    10    Sun             29                        Cisco           20

    Table 2. Top 10 vendors in terms of number of distinct reported vulnerabilities

    In the second quarter, we observed a continuous drop in the number of exploitable bugs from April to June. This quarter, meanwhile, the number of exploitable bugs intermittently rose and fell from month to month.

    2Q 2011 Month  Reported Vulnerabilities  3Q 2011 Month  Reported Vulnerabilities
    April          312                       July           307
    May            295                       August         294
    June           294                       September      389

    Source: http://cve.mitre.org/

    Table 3. Overall number of reported vulnerabilities per month

    Sources:
    http://www.w3schools.com/browsers/browsers_stats.asp
    http://cve.mitre.org/

    Mobile Attacks

    Third-Generation DroidDreamLight Variant

    Trend Micro threat analysts came across a new DroidDreamLight variant with enhanced capabilities and routines. Disguised as battery-monitoring or task-listing tools or apps that allow users to see a list of permissions installed apps utilize, copies of this new Android malware littered a Chinese third-party app store. This particular variant, which Trend Micro now detects as ANDROIDOS_DORDRAE.N, had the ability to obtain call logs, text messages, contact details, Google account details, and other information saved in infected devices. Apart from having additional data theft routines, this new variant's code also featured other changes, one of which allowed it to update its configuration file. Like previous variants, this malware sends stolen data to a specific URL.

    Other Notable Android Malware Attacks

    Trend Micro security experts also came across several other Android malware in both the Android Market and third-party app stores. Two of these malware were Trojanized versions of games, namely, Fast Racing, which Trend Micro now detects as ANDROIDOS_SPYGOLD.A aka GoldDream, and Coin Pirates, detected as ANDROIDOS_PIRATES.A.

    Trend Micro engineers also came across Android malware types that came in the guise of a variety of apps. These include ANDROIDOS_LUVRTAP.B, which came in the form of either a love test, an e-book reader, or a location tracker app; a premium service abuser, which we detect as ANDROIDOS_AUTOSUBSMS.A; and fake spying tools such as ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.C, which gather confidential information from infected devices.

    NICKISPY variants are known for monitoring affected users' activities and whereabouts, including their text messages, phone call logs, and geographic locations. For a long time, we wondered what happens to the information stolen from infected Android-based devices. In August, a Trend Micro researcher found a Chinese site that offers access to information stolen from Android-based devices for a certain fee. This site provides one example of how cybercriminals can monetize stolen data from users' infected mobile devices.

    For more details on the various Android malware we have seen so far, check out A Snapshot of Android Threats [INFOGRAPHIC].

    Fake Opera Apps

    Two mobile malware posing as Opera Mini (aka ANDROIDOS_FAKEBROWS.A) and as Opera Mobile (aka J2ME_FAKEBROWS.A) were recently found in the wild. Both malware were premium service abusers that sent out text messages to premium service numbers without the users' knowledge. J2ME_FAKEBROWS.A affects mobile devices that support MIDlets, applications that use the Mobile Information Device Profile (MIDP) of the Connected Limited Device Configuration (CLDC) for the Java ME environment.

    Cybercriminals are clearly not limiting their range of targets in terms of platform, as they also create malware for devices running mobile OSs other than Android.

    Sources:
    http://blog.trendmicro.com/massive-code-change-for-new-droiddreamlight-variant/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=ANDROIDOS_DORDRAE.N
    http://blog.trendmicro.com/new-android-malware-on-the-road-golddream-catcher/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=ANDROIDOS_SPYGOLD.A
    http://blog.trendmicro.com/trojanized-android-app-checks-for-keywords-in-sms-messages/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=ANDROIDOS_PIRATES.A
    http://about-threats.trendmicro.com/malware.aspx?language=us&name=ANDROIDOS_LUVRTAP.B
    http://blog.trendmicro.com/love-trap-android-malware-found-in-third-party-app-stores/
    http://blog.trendmicro.com/premium-abusers-also-check-for-keywords/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=ANDROIDOS_AUTOSUBSMS.A
    http://blog.trendmicro.com/more-spying-tools-being-seen-in-application-markets/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=ANDROIDOS_NICKISPY.A
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=ANDROIDOS_NICKISPY.C
    http://blog.trendmicro.com/android-malware-eavesdrops-on-users-uses-google-as-disguise/
    http://blog.trendmicro.com/mobile-phone-monitoring-service-found/
    http://blog.trendmicro.com/a-snapshot-of-android-threats-infographic/
    http://blog.trendmicro.com/malware-found-disguised-as-opera-mini/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=AndroidOS_FAKEBROWS.A
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=J2ME_FAKEBROWS.A

    Social Networking Scams

    Celebrity Deaths and Natural Disasters

    This quarter, we were met with three Facebook scams that leveraged probably two issues that usually pique users' interest: celebrity news and natural disasters. One scam abused news of Amy Winehouse's death while another leveraged Lady Gaga's supposed death. Both scams employed the use of Wall posts that led to either a survey page or to an advertising site, which put users at risk.

    The huge following of The Twilight Saga movies did not escape cybercriminal interest as well. As early as August, attackers spread Facebook Wall posts that enticed users to click a malicious link in order to get free tickets to The Twilight Saga: Breaking Dawn Part 2. As in other survey scams, of course, all the users ended up with were potential security risks.

    Cybercriminals also did not pass up the opportunity to lure Facebook users in search of news of Hurricane Irene into their traps. This particular scam led users who wanted to watch a supposed video to advertising sites instead.

    More Social Networking Sites, More Threats

    Despite Facebook's continuing reign in terms of social media popularity, less-known social networking sites like Google+ and LinkedIn also had their time in the cybercrime spotlight. In the first half of July, Trend Micro engineers came across a page that enticed users to click a link to get free invitations to Google's latest stab at taking a slice of the social media pie, Google+. Instead of invitations to join the site, however, all the users got was an opportunity to take part in a survey that put them at risk.

    A week earlier, LinkedIn also had its time in the spotlight when cybercriminals used it as a redirector. Users who were tricked into clicking the malicious link to a supposed Justin Bieber video were redirected to a page under LinkedIn's domain before landing on another survey page with the aid of a malicious script that Trend Micro detects as JS_FBJACK.D.

    Other Notable Social Media Attacks

    Apart from the various survey scams seen this quarter, Trend Micro threat experts also found Facebook scams that used fake friend request notifications to infect users' systems with a ZBOT variant we detect as TSPY_ZBOT.FAZ.

    To know more about the threats users commonly encounter in social networking sites, check out The Geography of Social Media Threats [INFOGRAPHIC].

    Sources:
    http://blog.trendmicro.com/amy-winehouses-death-used-in-online-attacks/
    http://blog.trendmicro.com/facebook-scam-leverages-lady-gagas-death-bypasses-https/
    http://blog.trendmicro.com/free-breaking-dawn-part-2-tickets-scam-spreads-in-facebook/
    http://blog.trendmicro.com/hurricane-irene-scam-hits-facebook/
    http://blog.trendmicro.com/survey-scam-offers-google-invites/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=JS_FBJACK.D
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TSPY_ZBOT.FAZ
    http://blog.trendmicro.com/the-geography-of-social-media-threats-infographic/

    Top System Infectors

    Spam Runs and Banking Trojans

    The most notorious spam runs this quarter led to the download and execution of two banking Trojans. The first campaign featured a spam that supposedly came from the Spain National Police. Users who clicked the link embedded in the message's body downloaded TROJ_BANLOD.QSPN onto their systems. When executed, this malware downloads another malware Trend Micro detects as TSPY_BANCOS.QSPN. Like other BANKER Trojans, this gathers personal information, particularly related to financial institutions such as Caixa, Cajasol, and Banco Popular, from affected users' systems. The most notable factor, however, in this attack was the cybercriminals' use of compromised sites and phone-home URLs, which allowed them to confirm the success of system infections and to update the spyware so it can more effectively evade detection.

    The second campaign featured a spam that supposedly came from the Internal Revenue Service (IRS). Users who clicked a link embedded in the message's body downloaded a LICAT variant we detect as TSPY_ZBOT.WHZ onto their systems. Like other LICAT variants, this malware generates URLs to access in order to update its configuration file, which contains a list of sites it will monitor and to which it will send stolen information.

    Apart from the two data theft-related spam runs above, we also saw a noticeable spike in the volume of spam with malicious attachments, some of which were vacation related.

    Spam Statistics

    As in the previous quarter, India and South Korea continued to be part of the top 3 spam-sending countries. Surprisingly, however, the United States, which commonly takes the top spot, was not on the top 10 spam-sending countries list. As the top spam-sending countries are also the most spambot-infected ones, the United States's drop in ranking possibly indicates a lower infection level. This may be a result of the botnet takedowns that occurred in the last few months.

    Figure 1. Top 10 spam-sending countries in 3Q 2011

    Sources:
    http://blog.trendmicro.com/banker-malware-massively-distributed-in-spain/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TROJ_BANLOD.QSPN
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TSPY_BANCOS.QSPN
    http://blog.trendmicro.com/licat-variant-distributed-via-irs-related-spam/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TSPY_ZBOT.WHZ
    http://about-threats.trendmicro.com/RelatedThreats.aspx?language=us&name=Tourists+and+Vacationers+Targeted+by+a+Slew+of+Spam+Attacks

    The top 3 spam languages this quarter remained English, German, and Russian, unchanged from the two previous quarters.

    Figure 2. Top 10 spam languages in 3Q 2011

    For a more comprehensive discussion of the current state of the spam landscape, check out Spam in Today's Business World.

    ZeuS Updates and Stealthier Variants

    ZeuS's source code leakage may have led to the proliferation of variants that have been dubbed Ice IX. This new type of ZeuS variant boasts of better protection against tracking.

    Trend Micro researchers also got hold of an updated ZBOT sample, now detected as TSPY_ZBOT.IMQU, which may have been created with ZeuS version 2.3.2.0. This particular variant exhibited enhanced decryption and encryption routines, making its configuration file more difficult to analyze compared with previous variants. It also showed signs of possible use for a global campaign targeting financial institutions from countries such as the United States, Germany, Brazil, Spain, and Hong Kong.

    Sources:
    http://us.trendmicro.com/imperia/md/content/us/pdf/trendwatch/spam_trends_in_today_s_business_world.pdf
    http://blog.trendmicro.com/zeus-gets-another-update/
    http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TSPY_ZBOT.IMQU

    Other Notable Malware Attacks

    This quarter, Trend Micro engineers came across several other notable malware, including a rootkit, two worms, and Bitcoin miners. The rootkit, detected as RTKT_POPUREB.A, is capable of overwriting an infected system's Master Boot Record (MBR). The rootkit, along with TROJ_POPUREB.SMB, is written by TROJ_POPUREB.SMA on an infected system's disk. These malware arrive on systems when users visit malicious sites and steal personal information stored on infected systems.

    Although not as notorious as ZeuS and SpyEye operations these days, the KOOBFACE gang has taken to spreading Trojanized applications, which we detect as WORM_KOOBFACE.AV, in torrent peer-to-peer (P2P) sharing networks. This malware allows a torrent client process to run on infected systems without the users' knowledge, turning them into peers that seed or host malicious binaries. The shift to spreading via P2P networks from social media may be a result of the social networking sites' efforts to prevent the KOOBFACE botnet from abusing their framework. This does not, however, mean the gang has stopped luring victims via social networking sites.

    Our engineers also found WORM_MORTO.SMA that spread via the Remote Desktop Protocol (RDP). This worm, with the aid of a .DLL component WORM_MORTO.SM, can give attackers full control of infected systems and of entire networks by allowing them to log in using administrator accounts.
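    A worm that spreads over RDP with administrator credentials leaves one account opening remote desktop sessions to host after host in quick succession, which a defender can look for in centrally collected Windows logon events. The following is an added Python example, not Trend Micro's code: it keeps only RemoteInteractive logons (logon type 10), groups them by account and source address, and raises an alert when one pair reaches a configurable number of distinct target hosts inside a sliding time window, so human-paced RDP use and ordinary network logons stay quiet. The event records, host names, and addresses are constructed for this example, and the flat tuple layout is an assumption about how the events were exported from the log collector.

```python
"""Added example (not Trend Micro's code): detect RDP logon fan-out of the
kind a worm spreading over RDP with administrator accounts produces."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (timestamp, target host, account, source IP, logon type).
# Logon type 10 is RemoteInteractive (RDP); type 3 is a plain network logon.
# Addresses come from the 192.0.2.0/24 documentation range.
EVENTS = [
    ("2011-08-28 01:00:05", "WS-01", "Administrator", "192.0.2.10", 10),
    ("2011-08-28 01:00:09", "WS-02", "Administrator", "192.0.2.10", 10),
    ("2011-08-28 01:00:14", "WS-03", "Administrator", "192.0.2.10", 10),
    ("2011-08-28 01:00:20", "WS-04", "Administrator", "192.0.2.10", 10),
    ("2011-08-28 01:00:31", "WS-05", "Administrator", "192.0.2.10", 10),
    ("2011-08-28 01:02:00", "WS-06", "Administrator", "192.0.2.10", 10),
    ("2011-08-28 08:15:00", "WS-07", "jdoe", "192.0.2.44", 10),
    ("2011-08-28 09:30:00", "WS-08", "jdoe", "192.0.2.44", 10),
    ("2011-08-28 09:31:00", "WS-02", "svc-backup", "192.0.2.60", 3),
]

RDP_LOGON_TYPE = 10


def rdp_fanout(events, window=timedelta(minutes=5), min_hosts=5):
    """Return {(account, source_ip): [hosts]} for every account/source pair
    that opened RDP sessions to at least min_hosts distinct hosts within one
    sliding window of length `window`. Non-RDP logons are ignored."""
    by_actor = defaultdict(list)
    for ts, host, account, src, logon_type in events:
        if logon_type != RDP_LOGON_TYPE:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_actor[(account, src)].append((when, host))

    alerts = {}
    for actor, logons in by_actor.items():
        logons.sort()
        # Slide the window start over each logon and count distinct targets
        # reached before the window closes.
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[actor] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for (account, src), hosts in rdp_fanout(EVENTS).items():
        print("RDP fan-out: %s from %s -> %s" % (account, src, ", ".join(hosts)))
```

    Tune the window and host threshold to the environment; an administrator's jump host may legitimately reach several machines in a few minutes, so an allow-list of known jump hosts is a natural next step before this fires in production.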

We have also been seeing various Bitcoin-related attacks featuring a number of what have been dubbed Bitcoin miners. In the last three months, we came across Bitcoin miners such as BKDR_BTMINE.MNR and BKDR_BTMINE.DDOS as well as a related grayware, HKTL_BITCOINMINE. Cybercriminals turned users' systems into Bitcoin miners so they would not overwork their own systems with the resource-intensive mining process. For more detailed information on what Bitcoins are, how Bitcoin mining works, and why we are seeing more Bitcoin miners in the threat landscape, check out Cashing in on Cybercrime: New Malware Target Bitcoin.
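The reason mining is worth stealing CPU time for is visible in the work itself: a miner must find a nonce such that the double SHA-256 of the 80-byte block header falls below a target, and the expected number of attempts doubles with every extra bit of difficulty. The block below is an added example of that search, not code from the report or from any of the miners it names; the header fields are constructed and the difficulty is kept at 16 bits so it finishes in well under a second (real Bitcoin difficulty in 2011 already required trillions of hashes per block).

```python
import hashlib
import struct

def sha256d(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

# Constructed 76-byte header prefix: version, previous block hash, merkle root,
# timestamp and compact target ("bits"); the 4-byte nonce is appended by mine().
SAMPLE_HEADER = (struct.pack("<I", 1) + b"\x00" * 32 + b"\xab" * 32
                 + struct.pack("<I", 1314000000) + struct.pack("<I", 0x1D00FFFF))

def mine(header_prefix: bytes, difficulty_bits: int, max_nonce: int = 2 ** 32):
    """Search a 32-bit nonce so the hash, read as a little-endian integer, is below
    2^(256 - difficulty_bits). Returns (nonce, displayed hash, attempts) or None."""
    target = 1 << (256 - difficulty_bits)
    for nonce in range(max_nonce):
        digest = sha256d(header_prefix + struct.pack("<I", nonce))
        if int.from_bytes(digest, "little") < target:
            # Block hashes are conventionally displayed byte-reversed, which is
            # why a valid hash shows its leading zeros at the front.
            return nonce, digest[::-1].hex(), nonce + 1
    return None

def verify(header_prefix: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a solution costs one hash, finding it costs ~2^difficulty_bits."""
    digest = sha256d(header_prefix + struct.pack("<I", nonce))
    return int.from_bytes(digest, "little") < (1 << (256 - difficulty_bits))

if __name__ == "__main__":
    nonce, shown, attempts = mine(SAMPLE_HEADER, 16)
    print(f"nonce={nonce} attempts={attempts} hash={shown}")
```

The asymmetry is the whole economic point: verification is one hash, while the search is a brute-force loop that scales with 2^difficulty, so an attacker who can spread that loop across thousands of infected machines pays nothing for the electricity and CPU time.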

Malware Statistics

As in the previous quarters, WORM_DOWNAD.AD and CRCK_KEYGEN (a serial key generator) remained the top 2 malware. It is interesting to note that although the URLs that DOWNAD/Conficker uses to call home have long been dead, a DOWNAD variant continued to rank first in the top malware list. Its persistence says less about protection against malware than about whether organizations set and enforce good security policies, such as patching and removable-media controls. Meanwhile, HKTL_KEYGEN (a hacking tool) ousted ADW_SAHAGENT (an adware) from the top 3 spot and out of this quarter's top 5.

Rank  Malware Detection Name
1     WORM_DOWNAD.AD
2     CRCK_KEYGEN
3     HKTL_KEYGEN
4     PE_SALITY.RL
5     HKTL_ULTRASURF

Table 4. Top 5 malware in 3Q 2011


How Has the Threat Landscape Changed?

Apart from the changes that ZeuS underwent in order to better evade detection and takedown, Trend Micro researchers also noticed marked improvements in mobile malware. Traditional malware such as TDL4 also underwent more enhancements in terms of malicious routines and tactics.

Even though we noted a decrease in Anonymous and LulzSec attacks, probably due to various law enforcement efforts, we also saw an increase in the number and scope of highly targeted attacks. Cybercriminals are setting their sights on bigger targets than ever before.

Notable Security Wins

Soldier's SpyEye Operation Uncovered

Trend Micro researchers discovered a SpyEye operation controlled by a cybercriminal who used the handle "Soldier." This botnet operation mainly targeted large enterprises and government institutions in the United States, though it also affected organizations in Canada, the United Kingdom, India, and Mexico.

Through monitoring since March of this year, our researchers found that Soldier's operation amassed more than US$3.2 million in a span of six months. The discovery of such an operation is a Trend Micro attempt to show how many users can be exposed to this threat and how damaging successful compromises can become. We also showed just how profitable a single SpyEye botnet can be for cybercriminals.

For more details on this recent Trend Micro win, check out our research paper, From Russia to Hollywood: Turning Tables on a SpyEye Cybercrime Ring.

FAKEAV Affiliate Networks Exposed

Apart from uncovering a SpyEye operation, Trend Micro researchers were also able to gather in-depth information on two of the largest FAKEAV affiliate networks to date, BeeCoin and MoneyBeat, through careful monitoring of the servers FAKEAV suppliers used. Our researchers found that between January and June 2011 alone, BeeCoin and its affiliates were able to install FAKEAV malware on more than 214,000 systems. They also found that one in every 44 people that installed the malware actually purchased the full version of the rogue antivirus software, allowing BeeCoin to collect US$123,475.

Through the exposure of the relationships among FAKEAV affiliate networks, botnets, and other malicious activities, our researchers hope that the security community and law enforcement agencies can better understand the challenges that this malicious monetization strategy poses for traditional defenses and investigations.

More details on how FAKEAV affiliate networks work can be found in the Trend Micro research paper, Targeting the Source: FAKEAV Affiliate Networks.


LURID Downloader Attacks Unearthed

In an effort to keep up with the shift in focus to highly targeted attacks, Trend Micro researchers discovered a series of highly targeted attacks leveraging what has been dubbed the LURID Downloader. Our researchers found that related campaigns successfully compromised 1,465 computers in 61 different countries. They were able to identify 47 victims, including diplomatic missions, government ministries, space-related government agencies, as well as other companies and research institutions.

The use of Enfal, the malware family to which LURID belongs, has historically been linked with threat actors in China. In this particular case, the attack vector we analyzed (a malicious email with an attachment) was related to the Tibetan community, which many believe indicates an association with China. However, as Chinese entities were also victimized, we did not make a final attribution.

For more information on the LURID Downloader attacks, check out our research paper, The Lurid Downloader.

What the Future Spells

Trend Micro researchers surmised that the volume of mobile malware, specifically those targeting Android-based devices, along with the number of highly targeted attacks (aka APTs), will continue to increase in the near future.

However, in an attempt to not just keep up with but to stay ahead of cybercriminal efforts, Trend Micro researchers are striking deals with law enforcement agencies worldwide to gain even more wins this year. Should these efforts push through, we may even become instrumental to cybercriminal arrests.

To stay abreast of developing threat trends and to keep employees' systems and your corporate networks safe from threats that can spell disastrous results for your organization, watch out for the release of the 4Q 2011 Threat Roundup this coming December.


TREND MICRO

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware, and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our website at www.trendmicro.com.

TRENDLABS

TrendLabs is Trend Micro's global network of research, development, and support centers committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery.

© 2011 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Appendix A: Malicious URL Statistics

The following tables show the top 10 malicious URLs and domain/IP addresses blocked by the Trend Micro Smart Protection Network infrastructure in the third quarter of 2011.

Rank  Malicious URL Blocked                                  Description
1     www.bit89.com:80/download/dpclean/ibdp.exe             Distributes malware
2     trafficconverter.biz:80/4vir/antispyware/loadadv.exe   Distributes malware, particularly DOWNAD variants
3     trafficconverter.biz:80/                               Distributes malware, particularly DOWNAD variants
4     serw.clicksor.com:80/newserving/getkey.php             Included in the list of domains associated with the proliferation of pirated applications, Android malware, and rogue antivirus software as well as with other malicious activities
5     serw.myroitracking.com:80/newserving/tracking_id.php   Contacts various servers to download and aggressively display pop-up ads
6     ad.globe7.com:80/imp                                   Distributes TDSS and ZBOT malware
7     cherry-lovepour.com:80/con1.php                        Distributes malware
8     www.myroitracking.com:80/newserving/tracking_id.php    Contacts various servers to download and aggressively display pop-up ads
9     221.8.69.25:80/search                                  Distributes malware, particularly DOWNAD variants
10    zs11.cnzz.com:80/stat.htm                              Distributes malware

Table A-1. Top 10 malicious URLs blocked in 3Q 2011

Rank  Malicious Domain/IP Address Blocked   Description
1     www.bit89.com                         Distributes malware
2     trafficconverter.biz                  Distributes malware, particularly DOWNAD variants
3     serw.clicksor.com                     Included in the list of domains associated with the proliferation of pirated applications, Android malware, and rogue antivirus software as well as with other malicious activities
4     serw.myroitracking.com                Contacts various servers to download and aggressively display pop-up ads
5     d3lvr7yuk4uaui.cloudfront.net         Distributes malware
6     ad.globe7.com                         Distributes TDSS and ZBOT malware
7     dl.91rb.com                           Downloads malware
8     cherry-lovepour.com                   Distributes malware
9     conf.baidupapa.com                    Distributes malware
10    www.myroitracking.com                 Contacts various servers to download and aggressively display pop-up ads

Table A-2. Top 10 malicious domain/IP addresses blocked in 3Q 2011
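Tables A-1 and A-2 mix two kinds of indicator: exact URLs (host, port and path) and whole hosts. Matching either against proxy logs is only reliable after normalization, because the same download shows up as `http://trafficconverter.biz/4vir/...` in one log and `http://Trafficconverter.BIZ:80/4vir/...` in another. The following is an added example of that matching, not a Trend Micro tool; the rule descriptions are shortened from the tables, the log lines are constructed in Squid's native access.log layout, and the choice to ignore query strings is an assumption.

```python
from urllib.parse import urlsplit

# Path-level rules taken from Table A-1 and host-level rules from Table A-2
# (a subset; descriptions shortened).
URL_RULES = {
    "www.bit89.com:80/download/dpclean/ibdp.exe": "malware download",
    "trafficconverter.biz:80/4vir/antispyware/loadadv.exe": "DOWNAD download",
    "trafficconverter.biz:80/": "DOWNAD distribution site",
    "ad.globe7.com:80/imp": "TDSS/ZBOT distribution",
    "221.8.69.25:80/search": "DOWNAD distribution",
}
HOST_RULES = {
    "d3lvr7yuk4uaui.cloudfront.net": "malware distribution",
    "dl.91rb.com": "malware download",
    "conf.baidupapa.com": "malware distribution",
}

def normalize(url: str):
    """Return (host, path): host lower-cased, default port dropped, an empty
    path rewritten as '/', query string ignored (assumption for this example)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port
    default = (parts.scheme == "http" and port == 80) or (parts.scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return host, parts.path or "/"

# Normalize the rules once so they compare like-for-like with log URLs.
_URL_INDEX = {normalize(rule): desc for rule, desc in URL_RULES.items()}

def classify(url: str):
    """Return the block reason for a URL, or None if it matches no rule."""
    host, path = normalize(url)
    if (host, path) in _URL_INDEX:
        return _URL_INDEX[(host, path)]
    return HOST_RULES.get(host.split(":")[0])

# Constructed Squid-style access.log lines (field 7 is the requested URL).
SAMPLE_LOG = """\
1314000001.123    345 10.0.5.23 TCP_MISS/200 51234 GET http://trafficconverter.biz/4vir/antispyware/loadadv.exe - DIRECT/1.2.3.4 application/octet-stream
1314000002.456     12 10.0.5.23 TCP_MISS/200   812 GET http://Trafficconverter.BIZ:80 - DIRECT/1.2.3.4 text/html
1314000003.789    201 10.0.7.80 TCP_MISS/200 90210 GET http://dl.91rb.com/setup/update.exe?id=7 - DIRECT/5.6.7.8 application/octet-stream
1314000004.001     40 10.0.7.80 TCP_HIT/200    512 GET http://www.example.com/index.html - NONE/- text/html
"""

def scan_squid_log(text: str) -> list:
    """Return (client_ip, url, reason) for every request that matches a rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, url = fields[2], fields[6]
        reason = classify(url)
        if reason:
            hits.append((client_ip, url, reason))
    return hits

if __name__ == "__main__":
    for hit in scan_squid_log(SAMPLE_LOG):
        print(hit)
```

Two of the Table A-2 entries (the cloudfront.net subdomain and the ad-serving hosts) are shared infrastructure, so a host-level block there will also catch legitimate traffic; for such hosts the path-level rules from Table A-1 are the safer thing to enforce, with the host-level match used for alerting rather than blocking.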
