Research and Analysis

While exploits and vulnerabilities are a common problem for users, zero-day exploits in high-profile applications are relatively rare. That was not the case in the first quarter of 2013. Multiple zero-day exploits were found targeting popular applications like Java and Adobe Flash Player, Acrobat, and Reader.

In addition, as predicted, we saw improvements in already-known threats like spam botnets, banking Trojans, and readily available exploit kits.

Other high-profile incidents include the South Korean cyber attacks in March, which reiterated the dangers targeted attacks pose. On the mobile front, fake versions of popular apps remained a problem though phishers found a new target in the form of mobile browsers.

Stay up-to-date to stay protected.

Experts have been predicting the coming “post-PC” era for a few years. So the question has been, “when will we know that it’s really here?” A simple answer is, we’ll know it’s really here when cybercriminals move beyond the PC. By that measure, 2012 is truly the year we entered the post-PC era as cybercriminals moved to embrace Android, social media platforms, and even Macs with their attacks.

Read Evolved Threats in a “Post-PC” World

Android seems to be repeating history by way of Windows. The platform’s growing dominance in the mobile landscape echoes that of Windows in the desktop and laptop space. And much like Windows, Android’s popularity is making it a prime target for cybercriminals and attackers, albeit at a much faster pace.

Read Repeating History

Smartphones are to the early 21st century what the PC was to the late 20th century–a universal tool valued for its productivity and fun factor but hated for the problems it can bring. Since smartphones are handheld computers that communicate, the threats they face are both similar and different from the PC challenges many of us are familiar with. Like the PC, many of today’s mobile malware prey upon the unwary. However, the nature of the mobile malware threat is, in some ways, very different.

Malware targeting Google’s Android platform increased nearly sixfold in the third quarter of 2012. What had been around 30,000 malicious and potentially dangerous or high-risk Android apps in June increased to almost 175,000 between July and September.

This report will examine what led to the increase and what it means for users and developers alike.

Read Android Under Siege: Popularity Comes at a Price

Any kind of business can expose itself to attacks when its employees open themselves up to external threats. Most small businesses are not convinced that bad guys are after them. What they do not know is that everyone is a likely target, regardless of size. Attackers are now carefully selecting their targets, moving away from launching large-scale attacks to focus on more specific and somewhat more “personal” targets.

Read It's Big Business... and It's Getting Personal

“Mobile technology” is just what the name implies—portable technology that isn’t limited to mobile phones. This also includes devices like laptops, tablets, and global positioning system (GPS) devices. As with any other kind of technology though, there are drawbacks to “going mobile.” Mobile devices can expose users’ and organizations’ valuable data to unauthorized people if necessary precautions are not taken against mobile threats.

Read Security in the Age of Mobility

True to one of our predictions for the year, 2011 has been dubbed the “Year of Data Breaches,” as we witnessed organizations worldwide succumb to targeted attacks and lose what we have come to know as the new digital currency—data. As individuals and organizations alike embark on the cloud journey, we at Trend Micro, along with our fellow cybercrimefighters in law enforcement and the security industry, will continue to serve our customers by providing data protection from, in, and for the cloud.

Read Information is Currency

1. 3Q 2011 Threat Roundup
2. Threats to Evolving Data Centers
3. Read Spam Trends in Today’s Business World
4. 2Q 2011 Crimeware Report
5. 2Q 2011 Threat Roundup
6. 1Q 2011 Crimeware Report
7. FAKEAV - The Growing Problem
8. The Business of Cybercrime: A complex business model

Whether considered advanced persistent threats (APTs) or malware-based espionage attacks, successful and long-term compromises of high-value organizations and enterprises worldwide by a consistent set of campaigns cannot be ignored. Because “noisier” campaigns are becoming increasingly well-known within the security community, new and smaller campaigns are beginning to emerge.

This research paper documents the operations of a campaign we refer to as “Safe,” based on the names of the malicious files used. It is an emerging and active targeted threat.

* Note that any mention of “SafeNet” in this paper is completely unrelated to and has no association with SafeNet, Inc., a global leader in data protection and a valued partner of Trend Micro. The author of the Safe malware apparently maliciously used the word “SafeNet” as part of this viral campaign, and to the extent the word “SafeNet” appears in this paper, it appears solely as replicated in the attacking author’s malware configuration. There is no correlation between SafeNet Inc. and the Safe campaign and should not be interpreted as such.

Read Safe: A Targeted Threat

In a connected world, a trade-off exists between enjoying the convenience that information technology (IT) offers and minimizing the opportunities its use presents to cybercriminals. Cybercriminals can, for instance, spread sophisticated threats by exploiting popular mobile devices and cloud applications to infiltrate high-value targets. They have made cyberspace a means to victimize the public.

In collaboration with Trend Micro Incorporated, the Organization of American States (OAS) and its Secretariat for Multidimensional Security (SMS) would like to share this report to illustrate the cybersecurity and cybercrime trends in Latin America and the Caribbean. Information presented has been gathered through both quantitative and qualitative methods, drawing data from a survey of OAS Member-State governments, as well as an in-depth analysis of global threat intelligence from honeypots and client-provided data collected by Trend Micro. Unless otherwise noted, graphs and tables use data that was collected by Trend Micro. The analysis and conclusions of this report only cover countries that responded to the OAS survey.

Read Latin American and Caribbean Cybersecurity Trends and Government Responses

Tendencias en la seguridad cibernética en América Latina y el Caribe y respuestas de los gobiernos

En un mundo interconectado, es necesario buscar un equilibrio entre disfrutar la comodidad que ofrecen las tecnologías de la información y minimizar las oportunidades que su uso les ofrece a los delincuentes cibernéticos, quienes pueden, por ejemplo, difundir amenazas complejas explotando los populares dispositivos móviles y las aplicaciones en la nube para infiltrarse en blancos de alto valor y han convertido el espacio cibernético en un medio para victimizar al público.

Leer ahora (PDF, español)

Two of the hottest buzzwords circulating in the IT world today are “SCADA” and “cloud computing.” Combining the two technologies has been discussed and is starting to gather more attention in connection with cost savings, system redundancy, and uptime benefits. The question then is: “Are the savings substantial enough to offset the security concerns that users may have if they migrate integral SCADA devices to the cloud?”

Read SCADA in the Cloud

At the end of 2012, Trend Micro cited three reasons why we think Africa is poised to become a new cybercrime harbor. We cited the availability of fast Internet access, the expanding Internet user base, and the lack of cybercrime laws in some African countries as the main reasons why Trend Micro believes so.

This research paper discusses the reasons cited above in more detail. By taking a look at the recent developments in the continent’s Internet infrastructure, we will map Africa’s journey to becoming a safe harbor for cybercriminals in the next three years or so.

Read Africa: A New Safe Harbor for Cybercriminals?

Industrial control systems (ICS) are devices, systems, networks, and controls used to operate and/or automate industrial processes. These devices are often found in nearly any industry—from the vehicle manufacturing and transportation segment to the energy and water treatment segment.

Supervisory control and data acquisition (SCADA) networks are systems and/or networks that communicate with ICS to provide data to operators for supervisory purposes as well as control capabilities for process management. As automation continues to evolve and becomes more important worldwide, the use of ICS/SCADA systems is going to become even more prevalent.

ICS/SCADA systems have been the talk of the security community for the past two years due to Stuxnet, Flame, and several other threats and attacks. While the importance and lack of security surrounding ICS/SCADA systems is well-documented and widely known, this research paper illustrates who’s really attacking Internet-facing ICS/SCADA systems and why. It also covers techniques to secure ICS/SCADA systems and some best practices to do so.

Read Who's Really Attacking Your ICS Equipment?

This research paper documents the Asprox botnet’s current operations. The botnet comprises several components that work together to sustainably send out spam related to “rogue pharma” or that contains malware used to increase its size. In addition, Asprox issues commands that instruct compromised computers to download additional payloads provided by a pay-per-install (PPI) affiliate, from which botnet operators earn revenue.

Read Asprox Reborn

The perpetrators of targeted attacks aim to maintain persistent presence in a target network in order to extract sensitive data when needed. To maintain persistent presence, attackers seek to blend in with normal network traffic and use ports that are typically allowed by firewalls. As a result, many of the malware used in targeted attacks utilize the HTTP and HTTPS protocols to appear like web traffic. However, while these malware do give attackers full control over a compromised system, they are often simple and configured to carry out a few commands.

Read FAKEM RAT: Malware Disguised as Windows Messenger and Yahoo! Messenger

This paper exposes a targeted attack called “HeartBeat,” which has been persistently pursuing the South Korean government and related organizations since 2009. This paper will discuss how their specifically crafted campaigns infiltrate their targets.

Read The HeartBeat APT Campaign

The crimeware landscape continuously evolved, particularly in the past few years. Cybercriminals are spending more time securing their malicious creations and the servers where they are stored to prevent leakage or security researchers from getting hold of them.

ZeuS, Citadel, Ice IX, SpyEye, and the Blackhole Exploit Kit—some of the most notorious crimeware today—have been enhanced to better evade detection by security solutions. This research paper discusses some of the notable changes that have been made to the aforementioned crimeware. It specifically talks about two types of crimeware—toolkits and exploit kits—commonly sold underground and used by bad guys for their own malicious purposes.

Read Crimeware Evolution

Advanced persistent threat (APT) campaigns comprise a growing part of the current threat landscape. Some APT campaigns remain active, in fact, even after drawing extensive media attention. Campaigns’ routines may vary over time but their primary goal remains the same—to gain entry to a target organization’s network and obtain confidential information.

Read Spear-Phishing Email: Most Favored APT Attack Bait

A ransomware is a kind of malware that withholds some digital assets from victims and asks for payment for the assets’ release. Ransomware attacks were first seen in Russia in 2005–2006 and have since changed tactics and targets.

Read Police Ransomware Update

This research paper provides a brief summary of the cybercriminal underground and sheds light on the basic types of hacker activity in Russia. The bulk of the information in this paper was based on data gathered from online forums and services used by Russian cybercriminals. We also relied on articles written by hackers on their activities, the computer threats they create, and the kind of information they post on forums’ shopping sites.

Read Russian Underground 101

Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. This research paper discusses how advanced detection techniques can be used to identify malware command-and-control (C&C) communications related to these attacks, illustrating how even the most high-profile and successful attacks of the past few years could have been discovered.

Read Detecting APT Activity with Network Traffic Analysis

The following report contains a technical analysis of the Tinba Trojan-banker family. The name “Tinba” was assigned by CSIS and represents the small size of this Trojan-banker (approximately 20 KB). The name is derived from the words “tiny” and “bank.” The malware is also known as “Tinybanker” and “Zusy.”

Read W32.Tinba (Tinybanker): The Turkish Incident

While most of the malware associated with advanced persistent threats (APTs) focus on Windows platforms, attackers are actively developing malware targeting other platforms as well. Attackers are expanding their target base as their targets adopt new platforms and devices. In addition to Mac OS X malware, attackers are also exploring the use of mobile threats. While there has been talk of APT attackers likely targeting mobile platforms, we found evidence that the actors behind the Luckycat campaign are actively pursuing mobile malware creation.

Read Adding Android and Mac OS X Malware to the APT Toolbox

In the past few months, we investigated several high-volume spam runs that sent users to websites that hosted the Blackhole Exploit Kit. The investigation was prompted by a rise in the number of these spam runs. The spam in these outbreaks claim to be from legitimate companies such as Intuit, LinkedIn, the US Postal Service (USPS), US Airways, Facebook, and PayPal, among others.

Read Blackhole Exploit Kit

In the past few years, Trend Micro has been quietly cooperating with the Federal Bureau of Investigation (FBI), the Office of the Inspector General (OIG), and security industry partners in their attempts to take down the Estonia-based cybercriminal gang, Rove Digital. This collaboration was a huge success, as on November 8, 2011, law enforcement authorities seized Rove Digital’s vast network infrastructure from different data centers in the United States and Estonia as well as arrested six suspects, including the organization’s CEO, Vladimir Tsastsin.

This paper provides some information Trend Micro learned about Rove Digital since 2006. As early as 2006, Trend Micro learned that Rove Digital was spreading Domain Name System (DNS) changer Trojans and appeared to be controlling every step from infection to monetizing infected bots. We, however, decided to withhold publication of certain information in order to allow law enforcement agencies to take the proper legal action against the cybercriminal masterminds while protecting our customers. Now that the main perpetrators have been arrested and Rove Digital’s network has been taken down, we can share more details regarding the intelligence we gathered about the operation in the past five years.

Read Rove Digital Takedown

This research paper will discuss automatic transfer systems (ATSs), which cybercriminals have started using in conjunction with SpyEye and ZeuS malware variants as part of WebInject files. It will also provide some insights as to why some countries appear to be more targeted than others.

Read Automating Online Banking Fraud

The number of targeted attacks is undoubtedly on the rise. These highly targeted attacks focus on individual organizations in an effort to extract valuable information. In many ways, this is a return to the “old hacking days” before more widespread attacks targeting millions of users and the rise of computer worms came about. Sometimes, these targeted attacks are allegedly linked to state-sponsored activities but may also be carried out by individual groups with their own goals.

This research paper will delve into another prominent group of attackers referred to as “IXESHE” (pronounced “i-sushi”), based on one of the more common detection names security companies use for the malware they utilize. This campaign is notable for targeting East Asian governments, electronics manufacturers, and a German telecommunications company.

Read IXESHE: An APT Campaign

The number of targeted attacks has dramatically increased. Unlike largely indiscriminate attacks that focus on stealing credit card and banking information associated with cybercrime, targeted attacks noticeably differ and are better characterized as "cyber espionage." Highly targeted attacks are computer intrusions threat actors stage to aggressively pursue and compromise specific targets, often leveraging social engineering, to maintain persistent presence within the victim’s network so they can move laterally and extract sensitive information.

Cyber-espionage campaigns often focus on specific industries or communities of interest in addition to a geographic focus. Different positions of visibility often yield additional sets of targets pursued by the same threat actors. We have been tracking the campaign dubbed "Luckycat" and found that in addition to targeting Indian military research institutions, as previously revealed by Symantec, the same campaign targeted entities in Japan as well as the Tibetan community.

Read Luckycat Redux

A ransomware is a kind of malware that withholds some digital assets from victims and asks for payment for the assets’ release. Ransomware attacks were first seen in Russia in 2005–2006 and have since changed tactics and targets. Trend Micro has been tracking the so-called "Police Trojan" campaign since the beginning and is now ready to show some of our conclusions after the investigation. A mix of well-tuned social engineering tactics as well as an advanced and very dynamic networking model shows that the Police Trojan’s creators are well-organized, apart from being persistent and creative.

Read more about the Police Trojan

Often leveraging social engineering and malware, targeted attacks seek to maintain a persistent presence within the victim’s network so that the attackers can move laterally throughout the target’s network and extract sensitive information. These attacks are most commonly aimed at civil society organizations, business enterprises and government/military networks. Given their targeted, the distribution is low; however, the impact on compromised institutions remains high. As a result, targeted attacks have become a priority threat.

This paper examines the stages of a targeted attack from the reconnaissance phase through to the data ex-filtration phase and explores trends in the tools, tactics and procedures used in such attacks. Mitigation strategies leverage threat intelligence and data security to provide organizations with the information they need to increase their ability to analyze and respond to threats and to customize technical solutions in ways that best fit their own defensive posture.

Read Trends in Targeted Attacks

1. The Taidoor Campaign: An In-Depth Analysis
2. Continuous Monitoring in a Virtual Environment
3. Traffic Direction Systems as Malware Distribution Tools
4. Toward a More Secure Posture for Industrial Control System Networks
5. More Traffics, More Money:  KOOBFACE Draws More Blood
6. A Look at HTML5 Attack Scenarios
7. From Russia to Hollywood: Turning the Tables on a SpyEye Cybercrime Ring
8. Dissecting the LURID APT - campaign, attacks, tactics and victims
9. Targeting the Source: FAKEAV Affiliate Networks

APT campaigns aggressively pursue and compromise specific targets to gain control of a company’s computer system for a prolonged period of time. To make a targeted attack successful, the communication channel between a threat actor and the malware inside a network must always remain open and unknown. Know how leveraging threat intelligence can help detect this malicious network traffic by reading this primer.

Read Malicious Network Communications: What Are You Overlooking
 

As 2012 drew to a close, SMBs, along with most organizations, should have taken a step back and learned from the past year. With mobile devices fast becoming part of workplaces and the increased availability of cloud services, SMBs should adopt security practices to fully protect their assets. This year, the Android malware volume is expected to hit the 1 million mark. The continuous use of cloud services will also play a key part in the SMB threat environment. This primer runs through five predictions SMBs should take note of.

Read our 5 predictions for SMBs

In 2013, managing the security of devices, small business systems, and large enterprise networks will be more complex than ever before. Users are breaking down the PC monoculture by embracing a wider variety of platforms, each with its own user interface, OS, and security model. Businesses, meanwhile, are grappling with protecting intellectual property and business information as they tackle consumerization, virtualization, and cloud platforms head-on. This divergence in computing experience will further expand opportunities for cybercriminals and other threat actors to gain profit, steal information, and sabotage their targets’ operations.

Read our 2013 predictions

Users face various unwanted app routines in the current mobile landscape. Given this situation, market owners have taken certain measures like providing safety guidelines, conducting prerelease quality assurance checks, and introducing access permission layers at the OS level. Unfortunately, these are still far from being fool-proof solutions. The reality is: Users are responsible for checking if the apps they download are legitimate or not.

Read Eco and Ego Apps in Japan

When was the last time you played chess? If you are responsible for cyber security you are unwittingly playing it every day. We must appreciate the ancient sport of chess in order to reorganize our defense in 2013.

Read The Knight Fork: Defining Defense in 2013

While East Asian hackers dominate cyber security-related headlines around the world, it would be a mistake to conclude that these attackers are the sole or greatest criminal threat to the global Internet today. Hackers from the former Soviet bloc are a more sophisticated and clandestine threat than their more well-known East Asian counterparts.

Read Peter the Great vs Sun Tzu

Attacks are becoming increasingly sophisticated and targeted and the men and women behind them are better resourced than ever before. How dopes the digital insider lay hidden, undetected within an organization for years on end? And more importantly, how can advanced situational awareness help us to respond and mitigate these threats?

Read How to Thwart the Digital Insider

Need help understanding how Advanced Persistent Threats work? Trend Micro Threat Researchers have studied the techniques cybercriminals use in perpetrating Advanced Persistent Threats or Targeted Attacks. This primer will give you insight into these attacks and what steps you need to take to help mitigate them.

Read Detecting the Enemy Inside the Network

This time every year, Trend Micro CTO Raimund Genes sits down with his research teams to discuss what they think the coming year will hold in terms of threats to Trend Micro customers. It’s an important discussion that helps Trend Micro not only share with you what we think you need to be prepared for, such as emerging mobile threats, but also to help guide our direction as we continue to build products and services to help protect you from these threats. This year, as we look ahead, we’ve come up with 12 predictions for 2012 that fall into four main categories:

• Big IT trends
• Mobile landscape
• Threat landscape
• Data leaks and breaches

Read 2012 Security Predictions

What are Domain Naming System (DNS)-changing malware? These recently garnered a lot of attention due to the recent Esthost takedown that involved a botnet comprising 4 million DNS-changing-malware-infected systems. The unobtrusive nature of DNS-changing malware allowed the cybercriminals behind Esthost to earn US$14 million over several years.

Read more about DNS Changers

1. Read more about The Perils that Malvertisements Pose
2. Cashing in on Cybercrime
3. Why Social Media Users Fall for Scams
4. Android Malware Acts as an SMS Relay
5. The Evolution of Mac Malware
6. Mobile Landscape: Security Risks and opportunities