Post on 29-May-2018
transcript
TrendLabs 2Q 2013 Security Roundup
Mobile Threats Go Full Throttle: Device Flaws Lead to Risky Trail
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
Contents
1 | MOBILE
Threats Increase in Sophistication to Bypass Security Measures
6 | CYBERCRIME
Banking Malware Get Regionalized, Old Threats Flourish
13 | DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms
15 | EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act
17 | TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES
Corporate Security Woes Pile Up
19 | Appendix
Introduction
The TrendLabs 2012 Annual Security Roundup showed that the past year ushered in the post-PC era as cybercriminals embraced mobile malware use.[1] Mobile malware remained a big problem for users this quarter, though the main concern went beyond their sheer number. The discovery of OBAD malware and the "master key" vulnerability highlighted cybercriminals' ability to find ways to exploit flaws in the Android™ ecosystem. We noted that these incidents were designed to bypass security measures and serve as other means for cybercriminals to gain control over devices.
More online banking threats were seen in different countries this quarter, specifically in Brazil, South Korea, and Japan. These highlighted the need for increased awareness of online banking security. Cybercriminals also came up with more diverse attacks that used various social engineering lures, single sign-on (SSO) and multiprotocol services, and blogging platforms for their malicious schemes. Vulnerability disclosure also became a hot topic this quarter in response to the flurry of zero-day incidents at the beginning of the year.
Enterprises continued to battle targeted attacks. The Naikon campaign was primarily seen in Asia/Pacific, while our research on the Safe campaign revealed victim IP addresses spread throughout 100 countries worldwide. These stress the importance of strengthening enterprise defense against targeted attacks while coming up with proactive solutions to protect corporate networks.
MOBILE
Threats Increase in Sophistication to Bypass Security Measures

In 2012, we saw how the number of mobile malware quickly grew to the same volume that PC malware took more than a decade to reach. The number of malicious and high-risk Android apps hit 718,000 in the second quarter, from 509,000 in the first quarter of this year. In just six months, these apps surged by more than 350,000, a number that originally took them three years to reach. The majority of these malware were still packaged as spoofed or Trojanized versions of popular apps. Similar to the previous quarter, almost half of the mobile malware uncovered this quarter were designed to subscribe unwitting users to costly services.
However, the discovery of the Android master key vulnerability was a scene-stealer, as almost 99% of Android devices were deemed vulnerable.[2] The vulnerability allows installed apps to be modified without users' consent. It further raised concerns about mostly relying on scanning apps for protection, along with the fragmentation that exists in the Android ecosystem.
OBAD (ANDROIDOS_OBAD.A) also exploited an Android vulnerability.[3] Once installed, OBAD requests root and device administrator privileges, which allow it to take full control of an infected device. This routine rings similar to PC backdoors and rootkits.[4] OBAD repeatedly shows pop-up notifications to convince users to grant permissions. It also makes use of a new obfuscation technique that renders detection and cleanup more difficult to do.
The FAKEBANK malware spotted this quarter, meanwhile, spoofs legitimate apps. It contains specific Android application package files (APKs), which it copies to a device's Secure Digital (SD) card.[5] Using the APK files, the malware displays icons and a user interface that imitate legitimate banking apps. This technique is reminiscent of PC banking Trojans that monitor users' browsing behaviors and spoof banking sites.[6]
We also found more fake antivirus (FAKEAV) malware this quarter that even more closely resembled legitimate ones.[7] Targeted attacks found their way to mobile devices as well in the form of the CHULI malware, which arrives as an attachment to spear-phishing emails.[8]
Android Threat Volume Growth (chart): April 561K, May 639K, June 718K malicious and high-risk Android apps.
The number of malicious and high-risk Android apps steadily increased until June 2013. The number of malicious and high-risk apps took three years to reach 350,000, a number that already doubled in just six months (January–June 2013).
Top Android Malware Families
Rank | Family | Share (%)
1 | FAKEINST | 22
2 | OPFAKE | 14
3 | SNDAPPS | 12
4 | BOXER | 6
5 | GINMASTER | 6
6 | VDLOADER | 3
7 | FAKEDOLPHIN | 3
8 | KUNGFU | 3
9 | JIFAKE | 2
10 | BASEBRIDGE | 2
Others | 27
Top Threat Type Distribution (bar chart, 0–100% scale; threat types shown: Premium Service Abuser, Adware, Malicious Downloader, Hacking Tool, Backdoor/Remote Controller, Unauthorized Spender, Data Stealer, Others; the individual bar values could not be recovered from the extracted text)
Premium service abusers remained the most dominant mobile threats. While the mobile threat type ranking remained consistent with the previous quarter's, we saw an increase in the data stealer volume, which may indicate the continued sophistication of this threat type.
The distribution data was based on the top 20 mobile malware and adware families that comprise 88% of all the mobile threats detected by the Mobile App Reputation Technology for the period April–June 2013. Note that a mobile threat family may exhibit the behaviors of more than one threat type.
Countries with the Highest Malicious Android App Download Volumes
Rank | Country | Malicious apps (% of apps scanned)
1 | United Arab Emirates | 13.79
2 | Myanmar (Burma) | 5.05
3 | Vietnam | 4.94
4 | Mexico | 4.23
5 | Russia | 4.17
6 | India | 3.74
7 | China | 3.57
8 | Venezuela | 3.11
9 | Malaysia | 2.97
10 | Singapore | 2.84
The United Arab Emirates (UAE) recorded the highest malicious Android app download volume, overtaking Myanmar, which placed first in the previous quarter. Six new countries figured in this month's top 10, which may indicate an increase in mobile device use and/or attacks against such devices in these locations.
The ranking was based on the percentage of apps rated "malicious" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro™ Mobile Security Personal Edition.
Countries Most at Risk of Privacy Exposure Due to App Use
Rank | Country | Privacy risk inducers (% of apps scanned)
1 | Saudi Arabia | 11.49
2 | Vietnam | 8.87
3 | Indonesia | 8.82
4 | Brazil | 7.98
5 | India | 7.87
6 | Malaysia | 7.57
7 | South Africa | 6.52
8 | Russia | 5.64
9 | Algeria | 5.55
10 | Philippines | 5.19
Similar to last quarter, mobile users in Saudi Arabia downloaded the most number of high-risk apps. Vietnam placed second in light of the increasing mobile device use in the country.[9]
The ranking was based on the percentage of apps categorized as "privacy risk inducers" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro Mobile Security Personal Edition.
The increased sophistication of mobile threats could be attributed to the growing demand for short message service (SMS)-related information in the underground market. SMS databases are some of the best-selling data sets in the underground.
Underground Prices of Collected Mobile Numbers from Russian Mobile Network Operators
Mobile data | Price
1M numbers | US$70
10K numbers | US$10
Customized database with personal data | US$35 for 1,000 numbers

How the Android Update Process Works
1. Google creates the latest update to the Android OS.
2. It makes the update available to manufacturers.
3. Device manufacturers make the update compatible with their devices. Phone companies must then approve the update for end users.
4. Finally, the phone companies push the update to end users.
Android Versus PC Threat Type Timeline Comparison (figure; threat types compared: worm, ransomware, adware, rootkit, infostealer, dialer, banking Trojan, multicomponent malware, targeted attack, scareware)
Android examples (Aug 2010 to Jun 2013): DROIDSMS, LOTOOR/TOOR, GoldDream, DroidDreamLight, One-Click Billing Fraud, Plankton, LEADBOLT, Chuli, OBAD, FAKEBANK, Mobile FAKEAV
PC examples (1988 to 2008): Morris, CODERED, PC Cyborg, Police Ransomware, ZANGO, 888bar, NTRootkit, Morcut, ZeuS, Passteal, TIBS Dialer, Porn Dialers, BANKER, GHOST RAT, FAKEAV, QAKBOT
CYBERCRIME
Banking Malware Get Regionalized, Old Threats Flourish

The overall number of threats blocked by the Trend Micro™ Smart Protection Network™ increased by 13% compared with last quarter. The DOWNAD/Conficker worm remained the top malware, while the adware volume noticeably increased as more users across segments were tricked into downloading them as part of free software.
Overall Trend Micro Smart Protection Network Numbers (chart; values reconstructed from the extracted text)
Month | Threats blocked per second | Total threats blocked | Malicious files blocked
April | 2,572 | 6.7B | 5.7B
May | 2,663 | 7.1B | 6.1B
June | 3,258 | 8.4B | 7.6B
Malicious URLs and spam-sending IP addresses blocked per month (the extracted text gives the two values as a pair per month without a recoverable assignment to either category): April 408M and 601M; May 483M and 564M; June 427M and 513M.
We were able to protect Trend Micro customers from nearly 3,000 threats per second this quarter, compared with 2,400 in the first quarter.
Top 3 Malware (detection volume, with regional breakdown in %)
WORM_DOWNAD | 509K
APAC 51 | EMEA 19 | LAR 15 | North America 9 | Japan 6
ADW_BHO | 448K
Japan 34 | APAC 26 | EMEA 19 | North America 17 | LAR 4
ADW_BPROTECT | 311K
APAC 28 | EMEA 28 | Japan 20 | North America 15 | LAR 9
The Server Service vulnerability has been patched since 2008, but DOWNAD/Conficker, which is known to exploit this, remained one of the top 3 malware this quarter. The majority of the top 50 malware comprised adware. ZACCESS/SIREFEF and SALITY remained in the top 10.
Top 3 Malware by Segment
Enterprise | SMB | Consumer
Name, Volume | Name, Volume | Name, Volume
WORM_DOWNAD.AD, 360K | WORM_DOWNAD.AD, 58K | ADW_BHO, 370K
ADW_BPROTECT, 53K | ADW_BPROTECT, 9K | ADW_BPROTECT, 215K
ADW_BHO, 28K | ADW_BHO, 8K | BKDR_BIFROSE.BMC, 208K
Consumers were more inclined to unknowingly download adware that come bundled with software, while DOWNAD/Conficker was still a concern for enterprises and small and medium-sized businesses (SMBs).
Top 10 Malicious Domains Blocked
Domain | Reason
trafficconverter.biz | Hosts malware, particularly DOWNAD variants
ads.alpha00001.com | Hosts malware that modify default browser settings to hijack search results
www.ody.cc | Has sites that host BKDR_HPGN.B-CN and other suspicious scripts
pu.plugrush.com | Related to a Blackhole Exploit Kit campaign
c.rvzrjs.info | Related to spamming and other malicious activities
adsgangsta.com | Related to malware and phishing attacks
vjlvchretllifcsgynuq.com | Hosts malware, also used to spread malware via Skype
strongvault02.safe-copy.com | Hosts malware
www.polaris-software.com | Hosts malware
promos.fling.com | Hosts malware
One of the top malicious domains blocked was related to a Blackhole Exploit Kit campaign. The domain trafficconverter.biz hosts DOWNAD/Conficker variants, which was also the top malware for the first half of 2013.
As predicted, cybercriminals have not generated completely new threats and instead opted to repackage old ones.[10] We observed several interesting trends in online banking threats this quarter that led to a 29% increase in infections with this type of malware.
Online Banking Malware Infections
Quarter | Infections
1Q 2013 | 113K
2Q 2013 | 146K

Top Online Banking Victim Countries
Country | Share (%)
United States | 28
Brazil | 22
Australia | 5
France | 5
Japan | 4
Taiwan | 4
Vietnam | 3
India | 2
Germany | 2
Canada | 2
Others | 23
The online banking malware volume significantly increased this quarter, due in part to the rise in the ZeuS/ZBOT malware volume in the wild. Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the Americas. The United States was most affected by online banking malware, accounting for 28% of the total number of infections worldwide.
Online Banking Malware Infections per Month (chart): April 37K, May 39K, June 71K.
Brazil, an online banking malware hotspot, was mostly targeted by two variants of the threat this quarter. The first was the BANKER malware disguised as updates for Adobe® Flash® Player hosted on compromised sites.[11] The other malware was disguised as a "homemade browser" that targets Banco do Brasil users.[12]
In the cybercriminal underground, the CARBERP source code was "leaked," making the creation of banking Trojans even easier to do for bad guys. Meanwhile, other online banking Trojan toolkits like ZeuS, SpyEye, and Ice IX are already available for free, making it easier for any skilled hacker to obtain their source codes.
Underground Price Changes for Basic Online Banking Toolkits (chart, 2010 to 2013, price axis US$0 to US$10,000; toolkits tracked: ZeuS, SpyEye, CARBERP, Ice IX (only made available in 2012), Citadel)
We found an online banking malware that modifies an infected computer's HOSTS file to redirect customers of certain South Korean banks to phishing sites.[13] We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan. These malware not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.
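Detection logic for the HOSTS-file redirection technique just described, added here as an example; it is not code from the report or from Trend Micro. The bank domains, the hosts-file content, and the IP addresses are constructed (RFC 5737 documentation ranges), not indicators taken from the page.

```python
"""Flag HOSTS-file entries that pin a watched (banking) domain to a routable address.

The HOSTS file is consulted before DNS, so one appended line such as
    203.0.113.10  www.example-bank.co.kr
silently sends every request for that bank to a server the attacker controls.
A defender can catch this by parsing the file and checking that no watched
domain resolves locally to anything other than loopback or the 0.0.0.0 sinkhole.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample resembling an infected Windows HOSTS file.
# Addresses are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below were appended by malware
203.0.113.10    www.example-bank.co.kr
203.0.113.10    online.example-bank.co.kr   # trailing comment
198.51.100.7    bank.example.net
0.0.0.0         ads.example.org
"""

# Hypothetical watch-list: domains that must never be overridden locally.
WATCHED_DOMAINS = [
    "www.example-bank.co.kr",
    "online.example-bank.co.kr",
    "bank.example.net",
    "www.example-bank.jp",
]


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased) to the list of IPs it is pinned to."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])  # first field must be an IP
        except ValueError:
            continue                              # malformed line, skip it
        for name in fields[1:]:                   # one IP may map several names
            mapping.setdefault(name.lower(), []).append(str(ip))
    return mapping


def is_benign_override(ip: str) -> bool:
    """Loopback and the unspecified address (0.0.0.0) are normal sinkhole targets."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_redirections(hosts_text: str, watched: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, ip) pairs where a watched domain is pinned to a routable address."""
    mapping = parse_hosts(hosts_text)
    hits: List[Tuple[str, str]] = []
    for domain in watched:
        for ip in mapping.get(domain.lower(), []):
            if not is_benign_override(ip):
                hits.append((domain, ip))
    return hits


if __name__ == "__main__":
    for domain, ip in find_redirections(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print(f"ALERT: {domain} is locally redirected to {ip}")
```

On a live system the same function can be pointed at the real file (for example %SystemRoot%\System32\drivers\etc\hosts on Windows) and run on a schedule, alerting on any new non-loopback entry for a monitored domain.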
As predicted, cybercriminals carried out developments in malware distribution and refinement for existing tools. New ZeuS/ZBOT deployment tactics include a propagation routine.[14] The PIZZER worm was also found spreading and copying itself onto password-protected archived files using a technique similar to that of PROLACO malware.[15]
Several cloud services were also hit by attacks this quarter. The VERNOT backdoor, which first abused a popular note-taking service, abused a well-known Japanese blogging platform by using it as a C&C server. Several GAMARUE variants were hosted on SourceForge, a popular code repository. Cybercriminals typically abuse legitimate services for "free hosting," successfully tricking users into trusting malicious links since these appear to belong to a well-known name.
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter. Among these were the compromise of WordPress sites in April, the emergence of Stealrat and its use of compromised hosts to send out spam, and observed peaks in spam activity.[16]
Chart note: These are estimated going rates. Note that ZeuS and SpyEye have been around since before 2010.
Number of Botnet C&C Servers Detected per Month (chart): April 2,102; May 4,003; June 1,434.
May showed the highest number of detected C&C servers so far this year.
Number of Connections to Botnets per Month (chart): April 10.4M; May 11.9M; June 2.7M.
Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Top 10 Spam Languages
While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.
Rank | Language | Share (%)
1 | English | 82.56
2 | Chinese | 3.26
3 | Russian | 2.49
4 | Japanese | 1.94
5 | German | 0.86
6 | Portuguese | 0.29
7 | Spanish | 0.20
8 | Icelandic | 0.16
9 | French | 0.07
10 | Turkish | 0.07
Others | 8.10
Top 10 Spam-Sending Countries
Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico, and Turkey.
Rank | Country | Share (%)
1 | United States | 9.47
2 | Spain | 6.97
3 | India | 6.36
4 | Taiwan | 5.68
5 | Argentina | 5.49
6 | Italy | 4.52
7 | Colombia | 3.70
8 | Mexico | 3.56
9 | Belarus | 3.55
10 | Turkey | 3.08
Others | 47.62
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms

As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites of popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3.[17] Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.[18] These attacks abused the use of the SSO approach, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse items, including the Boston Marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait.[19]
Notable Social Engineering Lures Used
Get free followers on Instagram
Boston bombing
MIT shooting
Texas fertilizer plant bombing
Iron Man 3
Income tax returns
As more users across different segments maximize the use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote, and Twitter rolled out additional security measures, which notably included two-step verification.[20] The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.[21]
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where they can supposedly buy followers in bulk.[22] The tactic of selling followers is not new, though. Cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.[23]
How Cybercriminals Trick Users into Giving Out Their Information[24]
Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.
Spam and Phishing Sites (early 2000–2009): Scams in the early 2000s mainly comprised pharmaceutical, account notification, and Nigerian scams, which mostly led victims to phishing sites.
Search Engines (2009–2011): Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique takes advantage of using keywords related to significant news and/or events for malicious purposes.
Social Media (late 2009–present): Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr, and Pinterest.
Mobile (2011–present): Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act

After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps that aimed to improve Java's security. These include quarterly update releases, automated security testing, and not allowing self-signed or unsigned apps for Java software used in browsers.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer® (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised.[25] Exploits targeting Plesk and ColdFusion® also put forth the importance of securing web servers and touched on how enterprises secure their sites.[26]
As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.[27] This quarter, we saw exploits target the software flaw as a result of the disclosure of the vulnerability's code.
The issue of addressing vulnerabilities was a hot topic this quarter, especially with Google's announcement of a seven-day disclosure policy. Several security pundits saw this as a noble yet impractical proposal. But as our CTO Raimund Genes pointed out, the bigger issue that should be discussed has to do with how vulnerabilities should be reported.
Timeline of Vulnerability Attacks (figure; rows: Ruby on Rails, Plesk, IE zero-day, Java; columns: Private Disclosure, Public Disclosure, Patch Released, Exploited. The dates in the figure, in extraction order and with their cell assignment not recoverable: 1/08/2013, 5/03/2012, 1/28/2013, 11/7/2012, 5/28/2013, 5/03/2012, 4/30/2013, 5/03/2013, 5/14/2013, 6/18/2013, 6/18/2013.)
How Oracle Plans to Secure Java
1. Delivering three patches every three months starting October 2013
2. Using automated security testing tools against regressions and bugs
3. Supporting Windows® security policies so system administrators can set networkwide policies on Java use
4. Disallowing running unsigned or self-signed apps
5. Making Java's process of revoking signing signatures flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES
Corporate Security Woes Pile Up

Targeted Attacks
Targeted attack campaigns remained a problem for organizations, as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia/Pacific.[28] This campaign hit various industries like telecommunications, oil and gas, government, media, and others. It usually starts out with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as "Safe."[29] Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston Marathon bombing as a social engineering lure to trick users into downloading a malware that communicates via Secure Sockets Layer (SSL).[30]
File Types Used in Spear Phishing Related to Targeted Attacks
Rank | File type | Share (%)
1 | EXE/DLL | 43
2 | DOC | 12
3 | JPG | 10
4 | TXT/HTML | 8
5 | RTF | 5
6 | ZIP | 4
7 | XLS | 3
8 | RAR | 3
9 | PPS/PPT | 3
10 | Others | 2
Others | 7
Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.

Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies[31]
Company | Results
Goo | Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan | Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP) | Attackers hacked AP's Twitter account, which erased US$200 billion worth of stock value
LivingSocial | Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies | Several sites were defaced and suffered DDoS attacks
Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families
Rank | Family | Share (%)
1 | ARPUSH | 41.79
2 | ADSWO | 16.50
3 | PLANKTON | 12.84
4 | LEADBLT | 11.02
5 | IZP | 8.17
6 | WAPSX | 4.25
7 | OQX | 4.10
8 | WBOO | 0.67
9 | YOUMI | 0.27
10 | UAPSH | 0.13
Others | 0.26
Malicious URL Country Sources
No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.
Rank | Country | Share (%)
1 | United States | 25.90
2 | Germany | 3.24
3 | China | 3.16
4 | Netherlands | 3.13
5 | South Korea | 2.60
6 | France | 1.94
7 | Japan | 1.93
8 | Russia | 1.64
9 | Canada | 0.81
10 | United Kingdom | 0.77
Others | 54.88
Top 10 Countries with the Most Number of Botnet C&C Servers
Similar to the previous quarter, the United States had the most number of botnet C&C servers, while Australia surpassed South Korea.
Rank | Country | Share (%)
1 | United States | 24.05
2 | Australia | 5.15
3 | South Korea | 3.38
4 | China | 3.02
5 | Germany | 2.87
6 | Taiwan | 2.10
7 | France | 1.88
8 | United Kingdom | 1.72
9 | Brazil | 1.47
10 | Canada | 1.18
Others | 53.18
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.
Rank | Country | Share (%)
1 | Malaysia | 28.39
2 | United States | 14.14
3 | France | 11.63
4 | Germany | 5.64
5 | Canada | 5.29
6 | South Korea | 4.13
7 | United Kingdom | 3.84
8 | Thailand | 3.22
9 | Hong Kong | 3.07
10 | Italy | 2.53
Others | 18.12
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices, Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25 Dexter To (May 5 2013) TrendLabs Security Intelligence Blog ldquoCompromised US Government Web Page Used Zero-Day Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-us-government-webpage-used-zero-day-exploit
26 Sooraj KS (June 6 2013) TrendLabs Security Intelligence Blog ldquoPlesk Zero-Day Exploit Results in Compromised Web Serverrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceplesk-zero-day-exploit-results-in-compromised-webserver
27 Gelo Abendan (May 30 2013) TrendLabs Security Intelligence Blog ldquoTrend Micro Deep Security Guards Users from Ruby on Rails Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28 Maharlito Aquino (June 13 2013) TrendLabs Security Intelligence Blog ldquoRARSTONE Found in Targeted Attacksrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencerarstone-found-in-targeted-attacks
29 Kyle Wilhoit (May 17 2013) TrendLabs Security Intelligence Blog ldquoHiding in Plain Sight A New Targeted Attack Campaignrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehiding-in-plain-sight-a-new-apt-campaign
30 Nart Villeneuve (April 25 2013) TrendLabs Security Intelligence Blog ldquoTargeted Attack Campaign Hides Behind SSL Communicationrdquo Last accessed July 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetargeted-attack-campaign-hides-behind-ssl-communication
31 Jay Alabaster (April 4 2013) Computerworld ldquoJapanese Web Portals Hacked Up to 100000 Accounts Compromisedrdquo Last accessed July 30 2013 httpwwwcomputerworldcomauarticle458079japanese_web_portals_hacked_up_100_000_accounts_compromised LivingSocial ldquoLivingSocial Security Noticerdquo Last accessed July 30 2013 httpswwwlivingsocialcomcreatepassword Kadim Shubber (May 20 2013) Wired UK ldquoMillions of Usersrsquo Data Hacked in Yahoo Japan Security Breachrdquo Last accessed July 30 2013 httpwwwwiredcouknewsarchive2013-0520yahoo-japan-hacked Erin Madigan White (April 23 2013) AP Blog The Definitive Source ldquoAP Responds to Hacking of Twitter Accountrdquo Last accessed July 30 2013 httpblogaporg20130423hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
© 2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
1 | Mobile
MOBILE
Threats Increase in Sophistication to Bypass Security MeasuresIn 2012 we saw how the number of mobile malware quickly grew to the same volume that PC malware took more than a decade to reach The number of malicious and high-risk Android apps hit 718000 in the second quarter from 509000 in the first quarter of this year In just six months these apps surged by more than 350000ndasha number that originally took them three years to reach The majority of these malware were still packaged as spoofed or Trojanized versions of popular apps Similar to the previous quarter almost half of the mobile malware uncovered this quarter were designed to subscribe unwitting users to costly services
However the discovery of the Android master key vulnerability was a scene-stealer as almost 99 of Android devices were deemed vulnerable2 The vulnerability allows installed apps to be modified without usersrsquo consent It further raised concerns about mostly relying on scanning apps for protection along with the fragmentation that exists in the Android ecosystem
OBAD (ANDROIDOS_OBADA) also exploited an Android vulnerability3 Once installed OBAD requests root and device
administrator privileges which allow it to take full control of an infected device This routine rings similar to PC backdoors and rootkits4 OBAD repeatedly shows pop-up notifications to convince users to grant permissions It also makes use of a new obfuscation technique that renders detection and cleanup more difficult to do
The FAKEBANK malware spotted this quarter meanwhile spoofs legitimate apps It contains specific Android application package files (APKs) which it copies to a devicersquos Secure Digital (SD) card5 Using the APK files the malware displays icons and a user interface that imitates legitimate banking apps This technique is reminiscent of PC banking Trojans that monitor usersrsquo browsing behaviors and spoofs banking sites6
We also found more fake antivirus (FAKEAV) malware this quarter that even more closely resembled legitimate ones7 Targeted attacks found their way to mobile devices as well in the form of the CHULI malware which arrives as an attachment to spear-phishing emails8
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
2 | Mobile
1000000
0
500000
561KAPR 639K
MAY 718KJUN
The number of malicious and high-risk android apps steadily increased until June 2013 The number of malicious and high-risk apps took three years to reach 350000 a number that already doubled in just six months (JanuaryndashJune 2013)
Android Volume Threat Growth
Top Android Malware Families
FAKEINST
OPFAKE
SNDAPPS
BOXER
GINMASTER
VDLOADER
FAKEDOLPHIN
KUNGFU
JIFAKE
BASEBRIDGE
Others
22
14
12
6
6
3
3
3
2
2
27
1
2
3
4
5
6
7
8
9
10
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
3 | Mobile
Top Threat Type Distribution
60
40
100
80
20
0
PREMIUMSERVICEABUSER
ADWARE MALICIOUSDOWNLOADER
HACKINGTOOL
BACKDOORREMOTE
CONTROLLER
UNAUTHORIZEDSPENDER
OTHERS
22
224717
44
DATASTEALER
24
premium service abusers remained the most dominant mobile threats While the mobile threat type ranking remained consistent with the previous quarterrsquos we saw an increase in the data stealer volume which may indicate the continued sophistication of this threat type
The distribution data was based on the top 20 mobile malware and adware families that comprise 88 of all the mobile threats detected by the Mobile App Reputation Technology for the period AprilndashJune 2013 Note that a mobile threat family may exhibit the behaviors of more than one threat type
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
4 | Mobile
Countries with the Highest Malicious Android App Download Volumes
MOVED DOWNMOVED UPNEW ENTRY
United Arab Emirates
Myanmar (Burma)
Vietnam
Mexico
Russia
India
China
Venezuela
Malaysia
Singapore
1379
505
494
423
417
374
357
311
297
284
1
2
3
4
5
6
7
8
9
10
14
23
5
6
7
8 910
The united arab Emirates (uaE) recorded the highest malicious android app download volume overtaking Myanmar which placed first in the previous quarter Six new countries figured in this monthrsquos top 10 which may indicate an increase in mobile device use andor attacks against such devices in these locations
The ranking was based on the percentage of apps rated ldquomaliciousrdquo over the total number of apps scanned per country The ranking was limited to countries with at least 10000 scans The ratings were based on the quarterly analysis of real-time threat detection via Trend Microtrade Mobile Security Personal Edition
Countries Most at Risk of Privacy Exposure Due to App Use
Saudi Arabia
Vietnam
Indonesia
Brazil
India
Malaysia
South Africa
Russia
Algeria
Philippines
1149
887
882
798
787
757
652
564
555
519
1
2
3
4
5
6
7
8
9
10
1
4
2
3
5
6
7
8
910
Similar to last quarter mobile users in Saudi arabia downloaded the most number of high-risk apps Vietnam placed second in light of the increasing mobile device use in the country9
The ranking was based on the percentage of apps categorized as ldquoprivacy risk inducersrdquo over the total number of apps scanned per country The ranking was limited to countries with at least 10000 scans The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro Mobile Security Personal Edition
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
5 | Mobile
The increased sophistication of mobile threats could be attributed to the growing demand for short message service (SMS)-related information in the underground market SMS databases are some of the best-selling data sets in the underground
How the Android Update Process Works
MOBILE DATA PRICE
1M numbers US$70
10K numbers US$10
Customized database with personal data
US$35 for 1000 numbers
Underground Prices of Collected Mobile Numbers from Russian
Mobile Network Operators
Google creates thelatest update to
Android OS
It makes theupdate available to
manufacturers
Device manufacturers make the update compatiblewith their devices Phone companies must then
approve the update for end users
Finally the phone companies push theupdate to end users
Android Versus PC Threat Type Timeline Comparison
DROIDSMS
Aug 2010
LOTOOR TOOR
GoldDream DroidDream-
Light
One-Click Billing Fraud
Plankton LEADBOLT
Chuli OBAD
Mar 2011Jul 2011 Aug 2011 Jan 2012 Mar 2013 Jun 2013
Morris CODERED
1988
PC Cyborg Police
Ransomware
ZANGO 888bar
NTRootkit Morcut
ZeuS Passteal
TIBS Dialer
Porn Dialers
BANKER GHOST RAT
FAKEAV
1989 1992 1999 2000 2002 2006 2007 2008
QAKBOT
FAKEBANK
MobileFAKEAV
Worm Ransomware Adware Rootkit Infostealer Dialer Banking Trojan
Multicomponent Targeted Attack
Malware
Scareware
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
6 | Cybercrime
CyBERCRIME
Banking Malware Get Regionalized Old Threats FlourishThe overall number of threats blocked by the Trend Microtrade Smart Protection Networktrade increased by 13 compared with last quarter The DOWNADConficker worm remained
the top malware while the adware volume noticeably increased as more users across segments were tricked into downloading them as part of free software
Overall Trend Micro Smart Protection Network Numbers
9B
8B
7B
6B
5B
4B
3B
2B
0
1B
NUMBER OF THREATSBLOCKED PER SECOND
TOTAL NUMBER OFTHREATS BLOCKED
NUMBER OF MALICIOUSFILES BLOCKED
NUMBER OF MALICIOUSURLs BLOCKED
NUMBER OF SPAM-SENDING IP ADDRESSESBLOCKED
APRIL MAY JUNE
57B
408M601M
67B71B
84B
25722663
3258
61B
483M564M
76B
427M513M
We were able to protect Trend Micro customers from nearly 3000 threats per second this quarter compared with 2400 in the first quarter
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
7 | Cybercrime
WORM_DOWNAD 509K
APAC 51
EMEA 19
LAR 15
NORTH AMERICA 9
JAPAN 6
ADW_BHO 448K
JAPAN 34
APAC 26
EMEA 19
NORTH AMERICA 17
LAR 4
ADW_BPROTECT 311K
APAC 28
EMEA 28
JAPAN 20
NORTH AMERICA 15
LAR 9
Top 3 Malware
The Server Service vulnerability has been patched since 2008 but DOWNaDConficker which is known to exploit this remained one of the top 3 malware this quarter The majority of the top 50 malware comprised adware ZaCCESSSIREFEF and SaLITy remained in the top 10
Top 3 Malware by Segment
ENTERPRIsE sMB CONsuMER
NAME vOLuME NAME vOLuME NAME vOLuME
WORM_DOWNADAD 360K WORM_DOWNADAD 58K ADW_BHO 370K
ADW_BPROTECT 53K ADW_BPROTECT 9K ADW_BPROTECT 215K
ADW_BHO 28K ADW_BHO 8K BKDR_BIFROSEBMC 208K
Consumers were more inclined to unknowingly download adware that come bundled with software while DOWNaDConficker was still a concern for enterprises and small and medium-sized businesses (SMBs)
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
8 | Cybercrime
Top 10 Malicious Domains Blocked
DOMAIN REAsON
trafficconverter biz Hosts malware particularly DOWNAD variants
ads alpha00001 com Hosts malware that modify default browser settings to hijack search results
www ody cc Has sites that host BKDR_HPGNB-CN and other suspicious scripts
pu plugrush com Related to a Blackhole Exploit Kit campaign
c rvzrjs info Related to spamming and other malicious activities
adsgangsta com Related to malware and phishing attacks
vjlvchretllifcsgynuq com Hosts malware also used to spread malware via Skype
strongvault02 safe-copy com Hosts malware
www polaris-software com Hosts malware
promos fling com Hosts malware
One of the top malicious domains blocked was related to a Blackhole Exploit kit campaign The domain trafficconverter biz hosts DOWNaDConficker variants which was also the top malware for the first half of 2013
As predicted cybercriminals have not generated completely new threats and instead opted to repackage old ones10 We observed several interesting trends in online banking threats this quarter that led to a 29 increase in infections with this type of malware
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
9 | Cybercrime
1Q 2Q
2013 113K 146K
Online Banking Infections
Online Banking Malware Infections
Top Online Banking Victim Countries
COuNTRIEs sHARE
United States 28
Brazil 22
Australia 5
France 5
Japan 4
Taiwan 4
Vietnam 3
India 2
Germany 2
Canada 2
Others 23
The online banking malware volume significantly increased this quarter due in part to the rise in the ZeuSZBOT malware volume in the wild Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the americas The united States was most affected by online banking malware accounting for 28 of the total number of infections worldwide
60000
40000
80000
20000
0
APRIL MAY JUNE
37K39K
71K
Brazil an online banking malware hotspot was mostly targeted by two types of the threat type this quarter The first was the BANKER malware disguised as updates for Adobereg Flashreg Player hosted on compromised sites11 The other malware was disguised as a ldquohomemade browserrdquo that targets Banco do Brasil users12
In the cybercriminal underground the CARBERP source code was ldquoleakedrdquo making the creation of banking Trojans even easier to do for bad guys Meanwhile other online banking Trojan toolkits like ZeuS SpyEye and Ice IX are already available for free making it easier for any skilled hacker to obtain their source codes
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
10 | Cybercrime
0
US$2000
2010 2011 2012 2013
US$4000
US$6000
US$8000
US$10000ZEUS
SPYEYE
CARBERP
ICE IX(only madeavailable in2012)
CITADEL
Underground Price Changes for Basic Online Banking Toolkits
We found an online banking malware that modifies an infected computerrsquos HOSTS file to redirect a customer of certain South Korean banks to phishing sites13 We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan These malware not only target the big banks in Japan but also smaller ones including those that exclusively cater to online banking customers
As predicted cybercriminals carried out developments in malware distribution and refinement for existing tools New ZeuSZBOT deployment tactics include a propagation routine14 The PIZZER worm was also found spreading and copying itself onto password-protected archived files using a technique similar to that of PROLACO malware15
Several cloud services were also hit by attacks this quarter The VERNOT backdoor which first abused a popular note-taking service abused a well-known Japanese blogging platform by using it as a CampC server Several GAMARUE variants were hosted on SourceForge a popular code repository Cybercriminals typically abuse legitimate services for ldquofree hostingrdquo successfully tricking users into trusting malicious links since these appear to belong to a well-known name
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter Among these were the compromise of WordPress sites in April the emergence of Stealrat and its use of compromised hosts to send out spam and observed peaks in spam activity16
These are estimated going ratesNote that ZeuS and SpyEye have been around since before 2010
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
11 | Cybercrime
Number of Botnet CampC Servers Detected per Month
1000 2000 3000 4000 5000
APRIL
MAY
JUNE 2102
4003
1434
May showed the highest number of detected CampC servers so far this year
Number of Connections to Botnets per Month
Due to the increase in the number of active botnets in May we also noted a significant increase in the number of botnet connections that month
3M 6M 9M 12M
APRIL
MAY
JUNE 104M
119M
27M
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
12 | Cybercrime
Top 10 Spam Languages
While English remained the top preferred language of spammers we also saw a general increase in the non-English spam volume
1
2
3
4
5
6
7
8
9
10
8256
326
249
194
086
029
020
016
007
007
810
English
Chinese
Russian
Japanese
German
Portuguese
Spanish
Icelandic
French
Turkish
Others
MOVED DOWNMOVED UPNEW ENTRY
Top 10 Spam-Sending Countries
Cybercriminals are finding other countries to host their malicious activities in hence the increase in spam activity in countries like argentina Italy Mexico and Turkey
1
2
3
4
5
6
7
8
9
10
947
697
636
568
549
452
370
356
355
308
4762
United States
Spain
India
Taiwan
Argentina
Italy
Colombia
Mexico
Belarus
Turkey
Others
MOVED DOWNMOVED UPNEW ENTRY
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
13 | Digital Life Security Issues
DIgITaL LIFE SECuRITy ISSuES
Social Threats Abuse Diverse PlatformsAs more users manage multiple online accounts cybercriminals explored means to use this trend to their advantage They abused popular blogging sites like Tumblr WordPress and Blogger to host fake streaming sites of popular summer movies including Man of Steel Fast and Furious 6 and Iron Man 317 Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks18 These attacks abused the use of
the SSO approach which should serve as a reminder to protect online accounts and avoid using weak passwords
Users were also reacquainted with old social engineering tactics as several attacks used diverse items including the Boston marathon bombing the Oklahoma tornado disaster the Texas fertilizer plant explosion and the tax season as bait19
Notable Social Engineering Lures Used
GET FREEFOLLOWERS
ON INSTAGRAMBOSTON BOMBING
MIT SHOOTING
TEXAS FERTILIZERPLANT BOMBING
IRON MAN 3
INCOME TAX RETURNS
as more users across different segments maximize the use of Instagram it has now become a viable target for cybercrime
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
14 | Digital Life Security Issues
In response to compromise incidents LinkedIn Evernote and Twitter rolled out additional security measures which notably included two-step verification measures20 The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results21
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish
to increase their online presence Such scams offer ldquofree followersrdquo or use professional-looking sites where they can supposedly buy followers in bulk22 The tactic of selling followers is not new though Cybercriminals simply turned to different avenues outside Twitter and Facebook Interestingly this threat appeared while social media sites found ways to monetize the services they offered23
How Cybercriminals Trick Users into Giving Out Their Information24
Scammers modified their schemes as new platforms were introduced From the Nigerian scams usually seen by way of spam scammers have now branched out to new platforms and targets like social media and mobile devices
Spam and phiShing SiteS Search engineS Social media mobile
EARly 2000ndash2009 2009ndash2011 lATE 2009ndashPRESENT 2011ndashPRESENT
Scams in the early 2000s mainly comprised pharmaceutical account notification and Nigerian scams which mostly led victims to phishing sites
Cybercriminals abuse search engines via blackhat search engine optimization (SEO) This technique takes advantage of using keywords related to significant news andor events for malicious purposes
Social media present themselves as attractive cybercrime platforms because of their large user bases Cybercriminal favorites include Facebook Twitter Tumblr and Pinterest
Today smartphones and other mobile devices enable cybercriminals to reach new heights Mobile adware and malicious apps are among the preferred means of deploying malicious schemes
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
15 | Exploits and Vulnerabilities
ExpLOITS aND VuLNERaBILITIES
Software Vendors Try to Clean Up Their ActAfter last quarterrsquos high volume of zero-day vulnerabilities Oracle implemented several steps that aimed to improve Javarsquos security These include quarterly update releases automated security testing and not allowing self-signed or unsigned apps for Java software used in browsers
Though we saw fewer zero-day incidents this quarter exploits still posed serious threats to users The Internet Explorerreg (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised25 Exploits targeting Plesk and ColdFusionreg also put forth the importance of securing web servers and touched on how enterprises secure their sites26
As anticipated it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January27 This quarter we saw exploits target the software flaw as a result of the disclosure of the vulnerabilityrsquos code
The issue of addressing vulnerabilities was a hot topic this quarter especially with Googlersquos announcement of a seven-day disclosure policy Several security pundits saw this as a noble yet impractical proposal But as our CTO Raimund Genes pointed out the bigger issue that should be discussed has to do with how vulnerabilities should be reported
Timeline of Vulnerability Attacks
RUBYON RAILS
PLESK
IEZERO-DAY
JAVA
Private Disclosure Public Disclosure Patch Released Exploited
1082013
5032012
1282013
1172012
5282013
5032012
4302013
5032013
5142013
6182013
6182013
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
16 | Exploits and Vulnerabilities
How Oracle Plans to Secure Java
Delivering three patches every three months starting October 2013
Using automated security testing tools against regressions and bugs
Supporting Windowsreg security policies so system administrators can set networkwide policies on Java use
Disallowing running unsigned or self-signed apps
Making Javarsquos process of revoking signing signatures flexible
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
17 | Targeted attack Campaigns DDoS attacks and Data Breaches
TaRgETED aTTaCk CaMpaIgNS DDoS aTTaCkS aND DaTa BREaChES
Corporate Security Woes Pile UpTargeted AttacksTargeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in AsiaPacific28 This campaign hit various industries like telecommunications oil and gas government media and others It usually starts out with spear-phishing attacks that target a specific vulnerability which was also used in another campaign known as
ldquoSaferdquo29 Our research on the Safe campaign meanwhile revealed victim IP addresses spread throughout 100 countries worldwide
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter We saw emails using the Boston marathon bombing as a social engineering lure to trick users into downloading a malware that communicates via Secure Sockets Layer (SSL) communication30
File Types Used in Spear Phishing Related to Targeted Attacks
1
2
3
4
5
6
7
8
9
10
EXEDLL
DOC
JPG
TXTHTML
RTF
ZIP
XLS
RAR
PPSPPT
Others
43
12
10
8
5
4
3
3
3
2
7
Threat actors custom-fit an attack to an intended target They use any file type as long as it gets them closer to their goalmdashto infiltrate a network
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
18 | Targeted attack Campaigns DDoS attacks and Data Breaches
DDoS AttacksSeveral South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements One particular incident rendered several sites inaccessible Similar to the MBR Trojan wiper incident last March this attack was designed to execute at a specific time It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time
Data BreachesCompanies like Yahoo Japan LivingSocial Twitter and Namecom all suffered from security breaches this quarter Opera also suffered a security breach that led to the theft of outdated digital certificates
Attacks Targeting Well-known Companies31
COMPANy REsuLTs
Goo locked 100000 accounts to prevent unauthorized logins
yahoo Japan Attackers attempted to extract data belonging to 127
million users
Associated Press (AP) Attackers hacked APrsquos Twitter account which erased
US$200-billion worth of stock value
livingSocial Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies Several sites were defaced and suffered DDoS attacks
attacks against high-profile companies had costly results stressing the importance of strengthening organizational defenses
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
19 | appendix
Appendix
Top 10 Android Adware Families
1
2
3
4
5
6
7
8
9
10
ARPUSH
ADSWO
PLANKTON
LEADBLT
IZP
WAPSX
OQX
WBOO
YOUMI
UAPSH
Others
4179
1650
1284
1102
817
425
410
067
027
013
026
Malicious URL Country Sources
No major changes among the countries on the list were seen The united States accounted for the lionrsquos share of the malicious uRL volume with germany trailing not far behind
COuNTRy sHARE
1 United States 2590
2 Germany 324
3 China 316
4 Netherlands 313
5 South Korea 260
6 France 194
7 Japan 193
8 Russia 164
9 Canada 081
10 United Kingdom 077
Others 5488
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
20 | appendix
Top 10 Countries with the Most Number of Botnet C&C Servers
Similar to the previous quarter, the United States had the most number of botnet C&C servers, while Australia surpassed South Korea.
COUNTRY SHARE
1 United States 24.05%
2 Australia 5.15%
3 South Korea 3.38%
4 China 3.02%
5 Germany 2.87%
6 Taiwan 2.10%
7 France 1.88%
8 United Kingdom 1.72%
9 Brazil 1.47%
10 Canada 1.18%
Others 53.18%
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.
COUNTRY SHARE
1 Malaysia 28.39%
2 United States 14.14%
3 France 11.63%
4 Germany 5.64%
5 Canada 5.29%
6 South Korea 4.13%
7 United Kingdom 3.84%
8 Thailand 3.22%
9 Hong Kong 3.07%
10 Italy 2.53%
Others 18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID, If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
© 2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
MOBILE
Threats Increase in Sophistication to Bypass Security Measures
In 2012, we saw how the number of mobile malware quickly grew to the same volume that PC malware took more than a decade to reach. The number of malicious and high-risk Android apps hit 718,000 in the second quarter, from 509,000 in the first quarter of this year. In just six months, these apps surged by more than 350,000, a number that originally took them three years to reach. The majority of these malware were still packaged as spoofed or Trojanized versions of popular apps. Similar to the previous quarter, almost half of the mobile malware uncovered this quarter were designed to subscribe unwitting users to costly services.
However, the discovery of the Android "master key" vulnerability was a scene-stealer, as almost 99% of Android devices were deemed vulnerable.[2] The vulnerability allows installed apps to be modified without users' consent. It further raised concerns about relying mostly on scanning apps for protection, along with the fragmentation that exists in the Android ecosystem.
OBAD (ANDROIDOS_OBAD.A) also exploited an Android vulnerability.[3] Once installed, OBAD requests root and device administrator privileges, which allow it to take full control of an infected device. This routine is similar to that of PC backdoors and rootkits.[4] OBAD repeatedly shows pop-up notifications to convince users to grant the permissions. It also makes use of a new obfuscation technique that renders detection and cleanup more difficult.
The FAKEBANK malware spotted this quarter, meanwhile, spoofs legitimate apps. It contains specific Android application package files (APKs), which it copies to a device's Secure Digital (SD) card.[5] Using the APK files, the malware displays icons and a user interface that imitate legitimate banking apps. This technique is reminiscent of PC banking Trojans that monitor users' browsing behaviors and spoof banking sites.[6]
We also found more fake antivirus (FAKEAV) malware this quarter that even more closely resembled legitimate apps.[7] Targeted attacks found their way to mobile devices as well, in the form of the CHULI malware, which arrives as an attachment to spear-phishing emails.[8]
Android Threat Volume Growth
Number of malicious and high-risk Android apps: 561K (April), 639K (May), 718K (June)
The number of malicious and high-risk Android apps steadily increased until June 2013. It took three years for the number of malicious and high-risk apps to reach 350,000, a number that already doubled in just six months (January–June 2013).
Top Android Malware Families
RANK FAMILY SHARE
1 FAKEINST 22%
2 OPFAKE 14%
3 SNDAPPS 12%
4 BOXER 6%
5 GINMASTER 6%
6 VDLOADER 3%
7 FAKEDOLPHIN 3%
8 KUNGFU 3%
9 JIFAKE 2%
10 BASEBRIDGE 2%
Others 27%
Top Threat Type Distribution
[Chart: share of mobile threats by type (0–100%). Threat types shown: premium service abuser, adware, malicious downloader, hacking tool, backdoor/remote controller, unauthorized spender, data stealer, and others.]
Premium service abusers remained the most dominant mobile threats. While the mobile threat type ranking remained consistent with the previous quarter's, we saw an increase in the data stealer volume, which may indicate the continued sophistication of this threat type.
The distribution data was based on the top 20 mobile malware and adware families, which comprise 88% of all the mobile threats detected by the Mobile App Reputation Technology for the period April–June 2013. Note that a mobile threat family may exhibit the behaviors of more than one threat type.
Countries with the Highest Malicious Android App Download Volumes
RANK COUNTRY SHARE
1 United Arab Emirates 13.79%
2 Myanmar (Burma) 5.05%
3 Vietnam 4.94%
4 Mexico 4.23%
5 Russia 4.17%
6 India 3.74%
7 China 3.57%
8 Venezuela 3.11%
9 Malaysia 2.97%
10 Singapore 2.84%
The United Arab Emirates (UAE) recorded the highest malicious Android app download volume, overtaking Myanmar, which placed first in the previous quarter. Six new countries figured in this quarter's top 10, which may indicate an increase in mobile device use and/or attacks against such devices in these locations.
The ranking was based on the percentage of apps rated "malicious" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro™ Mobile Security Personal Edition.
Countries Most at Risk of Privacy Exposure Due to App Use
RANK COUNTRY SHARE
1 Saudi Arabia 11.49%
2 Vietnam 8.87%
3 Indonesia 8.82%
4 Brazil 7.98%
5 India 7.87%
6 Malaysia 7.57%
7 South Africa 6.52%
8 Russia 5.64%
9 Algeria 5.55%
10 Philippines 5.19%
Similar to last quarter, mobile users in Saudi Arabia downloaded the most number of high-risk apps. Vietnam placed second in light of the increasing mobile device use in the country.[9]
The ranking was based on the percentage of apps categorized as "privacy risk inducers" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro Mobile Security Personal Edition.
The increased sophistication of mobile threats could be attributed to the growing demand for short message service (SMS)-related information in the underground market. SMS databases are some of the best-selling data sets in the underground.
Underground Prices of Collected Mobile Numbers from Russian Mobile Network Operators
MOBILE DATA | PRICE
1M numbers | US$70
10K numbers | US$10
Customized database with personal data | US$35 for 1,000 numbers
How the Android Update Process Works
1. Google creates the latest update to the Android OS.
2. It makes the update available to manufacturers.
3. Device manufacturers make the update compatible with their devices. Phone companies must then approve the update for end users.
4. Finally, the phone companies push the update to end users.
[Figure: Android Versus PC Threat Type Timeline Comparison. Threat types compared: worm, ransomware, adware, rootkit, infostealer, dialer, banking Trojan, multicomponent malware, targeted attack, and scareware. Android milestones named in the figure (August 2010 to June 2013): DROIDSMS, LOTOOR/TOOR, GoldDream, DroidDreamLight, one-click billing fraud, Plankton, LEADBOLT, Chuli, OBAD, FAKEBANK, and mobile FAKEAV. PC milestones named (1988 to 2008): Morris, CODERED, PC Cyborg, Police Ransomware, ZANGO, 888bar, NTRootkit, Morcut, ZeuS, Passteal, TIBS Dialer, porn dialers, BANKER, GHOST RAT, FAKEAV, and QAKBOT.]
CYBERCRIME
Banking Malware Get Regionalized, Old Threats Flourish
The overall number of threats blocked by the Trend Micro™ Smart Protection Network™ increased by 13% compared with last quarter. The DOWNAD/Conficker worm remained the top malware, while the adware volume noticeably increased as more users across segments were tricked into downloading them as part of free software.
Overall Trend Micro Smart Protection Network Numbers
METRIC | APRIL | MAY | JUNE
Number of threats blocked per second | 2,572 | 2,663 | 3,258
Total number of threats blocked | 6.7B | 7.1B | 8.4B
Number of malicious files blocked | 408M | 483M | 427M
Number of malicious URLs blocked | 601M | 564M | 513M
Number of spam-sending IP addresses blocked | 5.7B | 6.1B | 7.6B
We were able to protect Trend Micro customers from nearly 3,000 threats per second this quarter, compared with 2,400 in the first quarter.
Top 3 Malware
WORM_DOWNAD (509K): APAC 51%, EMEA 19%, LAR 15%, North America 9%, Japan 6%
ADW_BHO (448K): Japan 34%, APAC 26%, EMEA 19%, North America 17%, LAR 4%
ADW_BPROTECT (311K): APAC 28%, EMEA 28%, Japan 20%, North America 15%, LAR 9%
The Server Service vulnerability has been patched since 2008, but DOWNAD/Conficker, which is known to exploit it, remained one of the top 3 malware this quarter. The majority of the top 50 malware comprised adware. ZACCESS/SIREFEF and SALITY remained in the top 10.
Top 3 Malware by Segment
SEGMENT | NAME | VOLUME
Enterprise | WORM_DOWNAD.AD | 360K
Enterprise | ADW_BPROTECT | 53K
Enterprise | ADW_BHO | 28K
SMB | WORM_DOWNAD.AD | 58K
SMB | ADW_BPROTECT | 9K
SMB | ADW_BHO | 8K
Consumer | ADW_BHO | 370K
Consumer | ADW_BPROTECT | 215K
Consumer | BKDR_BIFROSE.BMC | 208K
Consumers were more inclined to unknowingly download adware that comes bundled with software, while DOWNAD/Conficker was still a concern for enterprises and small and medium-sized businesses (SMBs).
Top 10 Malicious Domains Blocked
DOMAIN | REASON
trafficconverter.biz | Hosts malware, particularly DOWNAD variants
ads.alpha00001.com | Hosts malware that modifies default browser settings to hijack search results
www.ody.cc | Has sites that host BKDR_HPGNB-CN and other suspicious scripts
pu.plugrush.com | Related to a Blackhole Exploit Kit campaign
c.rvzrjs.info | Related to spamming and other malicious activities
adsgangsta.com | Related to malware and phishing attacks
vjlvchretllifcsgynuq.com | Hosts malware; also used to spread malware via Skype
strongvault02.safe-copy.com | Hosts malware
www.polaris-software.com | Hosts malware
promos.fling.com | Hosts malware
One of the top malicious domains blocked was related to a Blackhole Exploit Kit campaign. The domain trafficconverter.biz hosts DOWNAD/Conficker variants, which was also the top malware for the first half of 2013.
As predicted, cybercriminals have not generated completely new threats and instead opted to repackage old ones.[10] We observed several interesting trends in online banking threats this quarter that led to a 29% increase in infections with this type of malware.
Online Banking Malware Infections
1Q 2013: 113K; 2Q 2013: 146K
Top Online Banking Victim Countries
COUNTRY SHARE
United States 28%
Brazil 22%
Australia 5%
France 5%
Japan 4%
Taiwan 4%
Vietnam 3%
India 2%
Germany 2%
Canada 2%
Others 23%
The online banking malware volume significantly increased this quarter, due in part to the rise in the ZeuS/ZBOT malware volume in the wild. Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the Americas. The United States was most affected by online banking malware, accounting for 28% of the total number of infections worldwide.
Online Banking Malware Infections per Month: 37K (April), 39K (May), 71K (June)
Brazil, an online banking malware hotspot, was mostly targeted by two kinds of online banking malware this quarter. The first was the BANKER malware, disguised as updates for Adobe® Flash® Player and hosted on compromised sites.[11] The other was disguised as a "homemade browser" that targets Banco do Brasil users.[12]
In the cybercriminal underground, the CARBERP source code was "leaked," making the creation of banking Trojans even easier for bad guys. Meanwhile, other online banking Trojan toolkits like ZeuS, SpyEye, and Ice IX are already available for free, making it easier for any skilled hacker to obtain their source code.
[Chart: Underground Price Changes for Basic Online Banking Toolkits, 2010–2013, on a scale of US$0 to US$10,000. Toolkits tracked: ZeuS, SpyEye, CARBERP, Ice IX (only made available in 2012), and Citadel.]
We found an online banking malware that modifies an infected computer's HOSTS file to redirect customers of certain South Korean banks to phishing sites.[13] We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan. These malware not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.
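As an added illustration of the HOSTS-file redirection described above (example code written for this page, not taken from the report or from Trend Micro), the following Python check parses a HOSTS file and flags entries that override banking hostnames; the watched domain, the local-name suffixes, and the sample file contents are constructed placeholders, not the banks or addresses involved in the actual incident.

```python
"""Detect HOSTS-file pharming of the kind described above.

The malware adds a line mapping a bank's hostname to an attacker-controlled
address, so the browser shows the bank's name while traffic goes elsewhere.
Legitimate HOSTS files almost never carry entries for public banking
domains, so any such entry is worth an alert.
"""
from ipaddress import ip_address

# Constructed watchlist: hostnames that should never be overridden in a
# client's HOSTS file. Placeholder names, not the banks from the report.
WATCHED_DOMAINS = ("examplebank.example",)

# Hostnames that legitimately live in HOSTS files and are never flagged.
LOCAL_SUFFIXES = ("localhost", ".local", ".localdomain")

# Constructed sample: a typical HOSTS file plus the kind of override the
# banking malware writes (203.0.113.0/24 is documentation address space,
# used here to stand in for the attacker's server).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    intranet.corp.local

203.0.113.45    examplebank.example www.examplebank.example  # injected
203.0.113.45    login.examplebank.example
"""


def parse_hosts(text):
    """Return [(ip, [hostnames])] for every mapping line in a HOSTS file.

    Comments (# ...) and blank lines are skipped; a line with fewer than
    two fields maps nothing and is ignored rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_watched(hostname):
    """True when hostname is a watched domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in WATCHED_DOMAINS)


def find_pharming_entries(text):
    """Flag HOSTS entries that could redirect a bank login to another host.

    Severity: "high"   watched domain pointed at a non-loopback address
                       (the pharming case);
              "medium" watched domain pinned to loopback (blocks access,
                       still not something a user sets deliberately);
              "low"    any other public-looking hostname pinned to a
                       non-loopback address, kept for analyst triage.
    """
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # not a valid address; nothing resolvable here
        for name in names:
            if is_watched(name):
                severity = "medium" if addr.is_loopback else "high"
            elif not addr.is_loopback and not name.endswith(LOCAL_SUFFIXES):
                severity = "low"
            else:
                continue
            findings.append({"host": name, "ip": ip, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_pharming_entries(SAMPLE_HOSTS):
        print(f"{f['severity']:6} {f['ip']:15} {f['host']}")
```

Run against a real machine, the same logic applies to the platform's HOSTS path (for example %SystemRoot%\System32\drivers\etc\hosts on Windows), with the watchlist filled from the organization's own list of financial sites.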
As predicted, cybercriminals carried out developments in malware distribution and refinement for existing tools. New ZeuS/ZBOT deployment tactics include a propagation routine.[14] The PIZZER worm was also found spreading and copying itself onto password-protected archived files, using a technique similar to that of the PROLACO malware.[15]
Several cloud services were also hit by attacks this quarter. The VERNOT backdoor, which first abused a popular note-taking service, abused a well-known Japanese blogging platform by using it as a C&C server. Several GAMARUE variants were hosted on SourceForge, a popular code repository. Cybercriminals typically abuse legitimate services for "free hosting," successfully tricking users into trusting malicious links since these appear to belong to a well-known name.
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter. Among these were the compromise of WordPress sites in April, the emergence of Stealrat and its use of compromised hosts to send out spam, and observed peaks in spam activity.[16]
Chart note: These are estimated going rates. Note that ZeuS and SpyEye have been around since before 2010.
Number of Botnet C&C Servers Detected per Month
[Chart: monthly counts of 1,434, 2,102, and 4,003 for April–June, with the peak of 4,003 in May.]
May showed the highest number of detected C&C servers so far this year.
Number of Connections to Botnets per Month
[Chart: monthly counts of 2.7M, 10.4M, and 11.9M for April–June, with the peak of 11.9M in May.]
Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Top 10 Spam Languages
While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.
RANK LANGUAGE SHARE
1 English 82.56%
2 Chinese 3.26%
3 Russian 2.49%
4 Japanese 1.94%
5 German 0.86%
6 Portuguese 0.29%
7 Spanish 0.20%
8 Icelandic 0.16%
9 French 0.07%
10 Turkish 0.07%
Others 8.10%
Top 10 Spam-Sending Countries
Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico, and Turkey.
RANK COUNTRY SHARE
1 United States 9.47%
2 Spain 6.97%
3 India 6.36%
4 Taiwan 5.68%
5 Argentina 5.49%
6 Italy 4.52%
7 Colombia 3.70%
8 Mexico 3.56%
9 Belarus 3.55%
10 Turkey 3.08%
Others 47.62%
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms
As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites of popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3.[17] Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.[18] These attacks abused the use of the SSO approach, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse items, including the Boston Marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait.[19]
Notable Social Engineering Lures Used: free Instagram followers, the Boston bombing, the MIT shooting, the Texas fertilizer plant bombing, Iron Man 3, and income tax returns.
As more users across different segments maximize the use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote, and Twitter rolled out additional security measures, which notably included two-step verification.[20] The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.[21]
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where they can supposedly buy followers in bulk.[22] The tactic of selling followers is not new, though; cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.[23]
How Cybercriminals Trick Users into Giving Out Their Information[24]
Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.
Spam and phishing sites (early 2000–2009): Scams in the early 2000s mainly comprised pharmaceutical, account notification, and Nigerian scams, which mostly led victims to phishing sites.
Search engines (2009–2011): Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique takes advantage of keywords related to significant news and/or events for malicious purposes.
Social media (late 2009–present): Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr, and Pinterest.
Mobile (2011–present): Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act

After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps aimed at improving Java's security. These include quarterly update releases, automated security testing, and no longer allowing self-signed or unsigned apps to run in the Java browser plug-in.

Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer® (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites can be compromised and turned into watering holes for their visitors.[25] Exploits targeting Plesk and ColdFusion® underscored the importance of securing web servers and raised the question of how enterprises secure their sites.[26]

As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.[27] This quarter, we saw exploits target the flaw once the vulnerability's exploit code became public.

Addressing vulnerabilities was a hot topic this quarter, especially with Google's announcement of a seven-day disclosure policy for flaws under active exploitation. Several security pundits saw this as a noble yet impractical proposal. But as our CTO Raimund Genes pointed out, the bigger issue that should be discussed is how vulnerabilities should be reported.
[Figure: Timeline of Vulnerability Attacks. Rows: Ruby on Rails, Plesk, IE zero-day, Java. Milestones per row: private disclosure, public disclosure, patch released, exploited. Dates as extracted (row assignment not recoverable): 1/8/2013, 5/3/2012, 1/28/2013, 11/7/2012, 5/28/2013, 5/3/2012, 4/30/2013, 5/3/2013, 5/14/2013, 6/18/2013, 6/18/2013.]
How Oracle Plans to Secure Java

• Delivering three patches every three months, starting October 2013
• Using automated security testing tools to catch regressions and bugs
• Supporting Windows® security policies so that system administrators can set networkwide policies on Java use
• Disallowing unsigned or self-signed apps from running
• Making Java's process for revoking signing certificates more flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES
Corporate Security Woes Pile Up

Targeted Attacks

Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was seen primarily in several countries in Asia/Pacific.[28] This campaign hit various industries, including telecommunications, oil and gas, government, and media. It usually starts with spear-phishing emails that exploit a specific vulnerability, one that was also used in another campaign known as "Safe."[29] Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread across 100 countries worldwide.

Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston Marathon bombing as a social engineering lure to trick users into downloading malware whose command-and-control traffic is wrapped in Secure Sockets Layer (SSL), so that it blends in with ordinary encrypted web traffic.[30]
File Types Used in Spear Phishing Related to Targeted Attacks

RANK  FILE TYPE              SHARE
1     EXE/DLL                43%
2     DOC                    12%
3     JPG                    10%
4     TXT/HTML               8%
5     RTF                    5%
6     ZIP                    4%
7     XLS                    3%
8     RAR                    3%
9     PPS/PPT                3%
10    (label not recovered)  2%
      Others                 7%

Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
DDoS Attacks

Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR-wiping Trojan incident last March (the March 20 attacks on South Korean banks and broadcasters), this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period.

Data Breaches

Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered security breaches this quarter. Opera also suffered a breach that led to the theft of an expired code-signing certificate, which attackers then used to sign malware.
Attacks Targeting Well-known Companies[31]

COMPANY                         RESULT
Goo                             Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan                     Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP)           Attackers hijacked AP's Twitter account, which temporarily erased US$200 billion worth of stock value
LivingSocial                    Unauthorized access to the accounts of 50 million users
Several South Korean agencies   Several sites were defaced and suffered DDoS attacks

Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families

RANK  FAMILY     SHARE
1     ARPUSH     41.79%
2     ADSWO      16.50%
3     PLANKTON   12.84%
4     LEADBLT    11.02%
5     IZP        8.17%
6     WAPSX      4.25%
7     OQX        4.10%
8     WBOO       0.67%
9     YOUMI      0.27%
10    UAPSH      0.13%
      Others     0.26%
Malicious URL Country Sources

No major changes were seen among the countries on the list. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.

RANK  COUNTRY          SHARE
1     United States    25.90%
2     Germany          3.24%
3     China            3.16%
4     Netherlands      3.13%
5     South Korea      2.60%
6     France           1.94%
7     Japan            1.93%
8     Russia           1.64%
9     Canada           0.81%
10    United Kingdom   0.77%
      Others           54.88%
Top 10 Countries with the Most Number of Botnet C&C Servers

Similar to the previous quarter, the United States had the most botnet C&C servers, while Australia surpassed South Korea.

RANK  COUNTRY          SHARE
1     United States    24.05%
2     Australia        5.15%
3     South Korea      3.38%
4     China            3.02%
5     Germany          2.87%
6     Taiwan           2.10%
7     France           1.88%
8     United Kingdom   1.72%
9     Brazil           1.47%
10    Canada           1.18%
      Others           53.18%
Top 10 Countries with the Highest Number of Connections to Botnets

DDoS attacks in Malaysia related to the elections contributed to the increase in the country's volume of malicious connections.

RANK  COUNTRY          SHARE
1     Malaysia         28.39%
2     United States    14.14%
3     France           11.63%
4     Germany          5.64%
5     Canada           5.29%
6     South Korea      4.13%
7     United Kingdom   3.84%
8     Thailand         3.22%
9     Hong Kong        3.07%
10    Italy            2.53%
      Others           18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013. http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013. http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013. http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID If Caught from Phishing Bait." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013. http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013. http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013. https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013. http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013. http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013. http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013. https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013. http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog, The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013. http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential loss of business profits, or special damages whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.

©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Created by
Global Technical Support & R&D Center of TREND MICRO
MOBILE
Threats Increase in Sophistication to Bypass Security Measures

In 2012, we saw the number of mobile malware quickly grow to the same volume that PC malware took more than a decade to reach. The number of malicious and high-risk Android apps hit 718,000 in the second quarter, up from 509,000 in the first quarter of this year. In just six months, these apps surged by more than 350,000, a number that originally took them three years to reach. The majority of these malware were still packaged as spoofed or Trojanized versions of popular apps. Similar to the previous quarter, almost half of the mobile malware uncovered this quarter were designed to subscribe unwitting users to costly services.

However, the discovery of the Android "master key" vulnerability was a scene-stealer, as almost 99% of Android devices were deemed vulnerable.[2] The vulnerability allows an attacker to modify an app's code without invalidating its cryptographic signature, so a tampered app passes verification and can be installed, or pushed as an update, without users' consent. It further raised concerns about relying mostly on scanning apps for protection, along with the fragmentation that exists in the Android ecosystem.
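The report does not describe how the master key flaw works. The bug (Android bug 8219321, as disclosed by Bluebox in 2013) came down to APKs that carried two ZIP entries with the same name: the signature verifier checked one copy while the installer ran the other, so an attacker could add a second classes.dex and keep the developer's signature valid. A legitimate APK never needs duplicate entry names, which makes a central-directory scan a cheap pre-install check. The following is an added example, not code from the report or from Trend Micro; the sample APKs it builds are constructed stand-ins, not real apps.

```python
"""Flag APKs whose ZIP central directory lists the same entry name twice.

Added example, not code from the Trend Micro report. It assumes the mechanism
of the 2013 Android "master key" bug (Android bug 8219321): signature
verification and installation read different copies of a duplicated entry,
so a second classes.dex could ride along under the original signature.
"""
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes):
    """Return entry names that appear more than once in the central directory.

    zipfile.ZipFile.namelist() walks the central directory in order and keeps
    every record, so duplicates survive (only the name->info dict collapses).
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(zf.namelist())
    return sorted(name for name, n in counts.items() if n > 1)


def looks_tampered(apk_bytes):
    """True when any entry name is duplicated; treat such an APK as untrusted."""
    return bool(duplicate_entries(apk_bytes))


def build_sample_apk(duplicate_dex):
    """Construct a minimal APK-shaped ZIP (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00ORIGINAL")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if duplicate_dex:
            # zipfile warns about duplicate names but writes the record anyway,
            # which is exactly the shape a malicious APK would have.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", UserWarning)
                zf.writestr("classes.dex", b"dex\n035\x00INJECTED")
    return buf.getvalue()


if __name__ == "__main__":
    for tampered in (False, True):
        apk = build_sample_apk(duplicate_dex=tampered)
        print(f"duplicate_dex={tampered}: duplicates={duplicate_entries(apk)}")
```

The check is deliberately narrow: it does not validate the signature itself, only the structural precondition the exploit needed, which is why it is cheap enough to run on every APK before it reaches the installer.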
OBAD (ANDROIDOS_OBAD.A) also exploited an Android vulnerability.[3] Once installed, OBAD requests root and device administrator privileges, which allow it to take full control of an infected device. This routine rings similar to PC backdoors and rootkits.[4] OBAD repeatedly shows pop-up notifications to convince users to grant the permissions. It also makes use of a new obfuscation technique that renders detection and cleanup more difficult.

The FAKEBANK malware spotted this quarter, meanwhile, spoofs legitimate apps. It contains specific Android application package (APK) files, which it copies to a device's Secure Digital (SD) card.[5] Using the APK files, the malware displays icons and a user interface that imitate legitimate banking apps. This technique is reminiscent of PC banking Trojans that monitor users' browsing behaviors and spoof banking sites.[6]

We also found more fake antivirus (FAKEAV) malware this quarter that even more closely resembled legitimate products.[7] Targeted attacks found their way to mobile devices as well, in the form of the CHULI malware, which arrives as an attachment to spear-phishing emails.[8]
[Figure: Android Threat Volume Growth. Malicious and high-risk Android apps: 561K (April), 639K (May), 718K (June).]

The number of malicious and high-risk Android apps steadily increased through June 2013. It took three years for their number to reach 350,000, a figure that then doubled in just six months (January–June 2013).
Top Android Malware Families

RANK  FAMILY        SHARE
1     FAKEINST      22%
2     OPFAKE        14%
3     SNDAPPS       12%
4     BOXER         6%
5     GINMASTER     6%
6     VDLOADER      3%
7     FAKEDOLPHIN   3%
8     KUNGFU        3%
9     JIFAKE        2%
10    BASEBRIDGE    2%
      Others        27%
[Figure: Top Threat Type Distribution (0–100%). Categories: premium service abuser, adware, data stealer, malicious downloader, hacking tool, backdoor/remote controller, unauthorized spender, others. The percentage labels survived extraction only as "22", "224717", "44", and "24" and cannot be attributed to categories.]

Premium service abusers remained the most dominant mobile threats. While the mobile threat type ranking remained consistent with the previous quarter's, we saw an increase in data stealer volume, which may indicate the continued sophistication of this threat type.

The distribution data was based on the top 20 mobile malware and adware families, which comprise 88% of all the mobile threats detected by the Mobile App Reputation Technology for the period April–June 2013. Note that a mobile threat family may exhibit the behaviors of more than one threat type.
Countries with the Highest Malicious Android App Download Volumes

RANK  COUNTRY                 SHARE
1     United Arab Emirates    13.79%
2     Myanmar (Burma)         5.05%
3     Vietnam                 4.94%
4     Mexico                  4.23%
5     Russia                  4.17%
6     India                   3.74%
7     China                   3.57%
8     Venezuela               3.11%
9     Malaysia                2.97%
10    Singapore               2.84%

(The original chart also marked each country as moved up, moved down, or new entry relative to the previous quarter.)

The United Arab Emirates (UAE) recorded the highest malicious Android app download volume, overtaking Myanmar, which placed first in the previous quarter. Six new countries figured in this quarter's top 10, which may indicate an increase in mobile device use and/or attacks against such devices in these locations.

The ranking was based on the percentage of apps rated "malicious" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro™ Mobile Security Personal Edition.
Countries Most at Risk of Privacy Exposure Due to App Use

RANK  COUNTRY        SHARE
1     Saudi Arabia   11.49%
2     Vietnam        8.87%
3     Indonesia      8.82%
4     Brazil         7.98%
5     India          7.87%
6     Malaysia       7.57%
7     South Africa   6.52%
8     Russia         5.64%
9     Algeria        5.55%
10    Philippines    5.19%

Similar to last quarter, mobile users in Saudi Arabia downloaded the most high-risk apps. Vietnam placed second in light of increasing mobile device use in the country.[9]

The ranking was based on the percentage of apps categorized as "privacy risk inducers" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro Mobile Security Personal Edition.
The increased sophistication of mobile threats could be attributed to the growing demand for short message service (SMS)-related information in the underground market. SMS databases are some of the best-selling data sets in the underground.
Underground Prices of Collected Mobile Numbers from Russian Mobile Network Operators

MOBILE DATA                               PRICE
1M numbers                                US$70
10K numbers                               US$10
Customized database with personal data    US$35 for 1,000 numbers

How the Android Update Process Works

1. Google creates the latest update to the Android OS.
2. It makes the update available to manufacturers.
3. Device manufacturers make the update compatible with their devices. Phone companies must then approve the update for end users.
4. Finally, the phone companies push the update to end users.

Each hand-off adds delay, which is why a platform fix such as the master key patch reaches many devices late or not at all.
[Figure: Android Versus PC Threat Type Timeline Comparison. Legend: worm, ransomware, adware, rootkit, infostealer, dialer, banking Trojan, multicomponent malware, targeted attack, scareware. Android milestones in the chart's order: DROIDSMS (Aug 2010); LOTOOR/TOOR (Mar 2011); GoldDream, DroidDreamLight (Jul 2011); One-Click Billing Fraud (Aug 2011); Plankton, LEADBOLT (Jan 2012); Chuli (Mar 2013); OBAD (Jun 2013); FAKEBANK and mobile FAKEAV also plotted. PC counterparts plotted against 1988, 1989, 1992, 1999, 2000, 2002, 2006, 2007, and 2008: Morris, CODERED, PC Cyborg, Police Ransomware, ZANGO/888bar, NTRootkit, Morcut, ZeuS, Passteal, TIBS Dialer, Porn Dialers, BANKER, GHOST RAT, FAKEAV, QAKBOT.]
CYBERCRIME
Banking Malware Get Regionalized, Old Threats Flourish

The overall number of threats blocked by the Trend Micro™ Smart Protection Network™ increased by 13% compared with last quarter. The DOWNAD/Conficker worm remained the top malware, while adware volume noticeably increased as more users across segments were tricked into downloading it bundled with free software.
Overall Trend Micro Smart Protection Network Numbers

                                        APRIL    MAY      JUNE
Number of threats blocked per second    2,572    2,663    3,258
Total number of threats blocked         6.7B     7.1B     8.4B

(The chart's three component series, malicious files blocked, malicious URLs blocked, and spam-sending IP addresses blocked, survived extraction as 5.7B, 6.1B, 7.6B and 408M/601M, 483M/564M, 427M/513M for April/May/June. The components sum to the monthly totals, so the billions series is the spam-sending IP addresses; which of each M pair is files and which is URLs is not recoverable.)

We were able to protect Trend Micro customers from nearly 3,000 threats per second this quarter, compared with 2,400 in the first quarter.
Top 3 Malware

WORM_DOWNAD (509K): APAC 51%, EMEA 19%, LAR 15%, North America 9%, Japan 6%
ADW_BHO (448K): Japan 34%, APAC 26%, EMEA 19%, North America 17%, LAR 4%
ADW_BPROTECT (311K): APAC 28%, EMEA 28%, Japan 20%, North America 15%, LAR 9%

The Server Service vulnerability that DOWNAD/Conficker exploits (MS08-067) has been patched since 2008, but the worm remained one of the top 3 malware this quarter, a measure of how many unpatched or unmanaged Windows systems are still in service. The majority of the top 50 malware comprised adware. ZACCESS/SIREFEF and SALITY remained in the top 10.
Top 3 Malware by Segment

ENTERPRISE                    SMB                          CONSUMER
NAME              VOLUME      NAME              VOLUME     NAME                VOLUME
WORM_DOWNAD.AD    360K        WORM_DOWNAD.AD    58K        ADW_BHO             370K
ADW_BPROTECT      53K         ADW_BPROTECT      9K         ADW_BPROTECT        215K
ADW_BHO           28K         ADW_BHO           8K         BKDR_BIFROSE.BMC    208K

Consumers were more inclined to unknowingly download adware bundled with software, while DOWNAD/Conficker was still a concern for enterprises and small and medium-sized businesses (SMBs).
Top 10 Malicious Domains Blocked

DOMAIN                            REASON
trafficconverter[.]biz            Hosts malware, particularly DOWNAD variants
ads[.]alpha00001[.]com            Hosts malware that modifies default browser settings to hijack search results
www[.]ody[.]cc                    Has sites that host BKDR_HPGNB-CN and other suspicious scripts
pu[.]plugrush[.]com               Related to a Blackhole Exploit Kit campaign
c[.]rvzrjs[.]info                 Related to spamming and other malicious activities
adsgangsta[.]com                  Related to malware and phishing attacks
vjlvchretllifcsgynuq[.]com        Hosts malware; also used to spread malware via Skype
strongvault02[.]safe-copy[.]com   Hosts malware
www[.]polaris-software[.]com      Hosts malware
promos[.]fling[.]com              Hosts malware

One of the top malicious domains blocked was related to a Blackhole Exploit Kit campaign. The domain trafficconverter[.]biz hosts DOWNAD/Conficker variants, which was also the top malware for the first half of 2013.
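A blocklist like the table above is only useful if it is matched on domain-label boundaries: a plain substring test would miss subdomains or, worse, match unrelated names that merely contain the string. The following is an added example, not code from the report or from Trend Micro. It copies the ten domains from the table (dots restored), assumes BIND-style query log lines, and runs over a handful of constructed log entries.

```python
"""Match DNS query logs against a domain blocklist on label boundaries.

Added example, not code from the Trend Micro report. The blocklist copies the
report's top-10 malicious domains; the log lines are constructed and the
BIND query-log format is an assumption about the reader's resolver.
"""

BLOCKED = {
    "trafficconverter.biz", "ads.alpha00001.com", "www.ody.cc",
    "pu.plugrush.com", "c.rvzrjs.info", "adsgangsta.com",
    "vjlvchretllifcsgynuq.com", "strongvault02.safe-copy.com",
    "www.polaris-software.com", "promos.fling.com",
}

# Constructed BIND-style lines: "<ts> client <ip>#<port>: query: <qname> IN <type> ..."
SAMPLE_LOG = """\
01-Jun-2013 10:02:11.001 client 10.0.0.5#51234: query: cdn.trafficconverter.biz IN A +
01-Jun-2013 10:02:12.113 client 10.0.0.7#51235: query: www.example.org IN A +
01-Jun-2013 10:02:13.227 client 10.0.0.9#51236: query: trafficconverter.biz.evil.example IN A +
01-Jun-2013 10:02:14.339 client 10.0.0.5#51237: query: nottrafficconverter.biz IN A +
01-Jun-2013 10:02:15.441 client 10.0.0.11#51238: query: promos.fling.com IN AAAA +
"""


def blocked_parent(qname, blocklist=BLOCKED):
    """Return the blocklist entry covering qname (exact or a parent), else None.

    Walking the label suffixes means 'cdn.trafficconverter.biz' hits while
    'trafficconverter.biz.evil.example' and 'nottrafficconverter.biz' do not.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_query_line(line):
    """Extract (client_ip, qname) from a BIND query-log line; None if not a query."""
    if " query: " not in line:
        return None
    head, tail = line.split(" query: ", 1)
    client = head.split("client ", 1)[1].split("#", 1)[0]
    qname = tail.split()[0]
    return client, qname


def find_blocked_queries(log_text, blocklist=BLOCKED):
    """Return [(client_ip, qname, matched_entry)] for queries that hit the list."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        entry = blocked_parent(qname, blocklist)
        if entry is not None:
            hits.append((client, qname, entry))
    return hits


if __name__ == "__main__":
    for client, qname, entry in find_blocked_queries(SAMPLE_LOG):
        print(f"{client} queried {qname} (blocked by {entry})")
```

Note that the table lists hostnames such as www[.]ody[.]cc rather than apex domains, so a query for the bare apex will not match unless you add it; whether to widen an entry to its registrable domain is a judgement call per indicator.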
As predicted, cybercriminals did not generate completely new threats and instead opted to repackage old ones.[10] We observed several interesting trends in online banking threats this quarter, which led to a 29% increase in infections with this type of malware.
Online Banking Malware Infections

                     1Q 2013   2Q 2013
Infections           113K      146K

Monthly online banking infections this quarter: April 37K, May 39K, June 71K.

Top Online Banking Victim Countries

COUNTRY          SHARE
United States    28%
Brazil           22%
Australia        5%
France           5%
Japan            4%
Taiwan           4%
Vietnam          3%
India            2%
Germany          2%
Canada           2%
Others           23%

The online banking malware volume increased significantly this quarter, due in part to the rise in the ZeuS/ZBOT malware volume in the wild. Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the Americas. The United States was most affected by online banking malware, accounting for 28% of the total number of infections worldwide.

Brazil, an online banking malware hotspot, was mostly targeted by two kinds of this threat this quarter. The first was the BANKER malware disguised as updates for Adobe® Flash® Player and hosted on compromised sites.[11] The other was malware disguised as a "homemade browser" that targets Banco do Brasil users.[12]

In the cybercriminal underground, the CARBERP source code was "leaked," making it even easier for bad guys to create banking Trojans. Meanwhile, other online banking Trojan toolkits like ZeuS, SpyEye, and Ice IX are already available for free, making it easy for any skilled hacker to obtain their source codes.
[Figure: Underground Price Changes for Basic Online Banking Toolkits, 2010–2013, price axis US$0 to US$10,000. Toolkits plotted: ZeuS, SpyEye, CARBERP, Ice IX (only made available in 2012), Citadel.]
We found an online banking malware that modifies an infected computer's HOSTS file to redirect customers of certain South Korean banks to phishing sites.[13] Because the HOSTS file is consulted before any DNS lookup, the victim's browser shows the bank's real domain name while connecting to the attacker's server, and the bank's legitimate site is never contacted. We also saw more Citadel variants (detected as ZBOT) target different financial institutions in Japan. These malware not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.
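The HOSTS-file redirection above leaves a durable artifact on disk, which makes it one of the easier banking-Trojan tactics to check for at scale. The following is an added example, not code from the report or from Trend Micro: it parses HOSTS-format text and flags any watched banking domain pinned to a routable address, while leaving loopback and 0.0.0.0 entries (self-mapping, ad blocking) alone. The watch list and the sample HOSTS content are constructed for illustration; in practice the list would come from your own protected brands or a threat-intelligence feed.

```python
"""Detect HOSTS-file redirection of banking domains.

Added example, not code from the Trend Micro report. WATCHED_DOMAINS and
SAMPLE_HOSTS are constructed for illustration; the Windows hosts file
format (ip, then one or more hostnames, '#' comments) is the assumption.
"""
import ipaddress

# Constructed watch list: names whose resolution should never be overridden locally.
WATCHED_DOMAINS = ("bank.example", "login.bank.example", "kbank.example")

# Constructed HOSTS content modelled on a tampered Windows hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example     # harmless ad blocking
203.0.113.45    bank.example www.bank.example
203.0.113.45    login.bank.example
198.51.100.7    kbank.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-format text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not a mapping
        for host in fields[1:]:
            yield ip, host.lower()


def is_benign_target(ip):
    """Loopback and unspecified targets are normal (self-mapping, ad blocking)."""
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip_str)] for watched domains pinned to a real address.

    Matching is by exact name or parent-domain suffix, so 'www.bank.example'
    is caught by 'bank.example' while 'notbank.example' is not.
    """
    hits = []
    for ip, host in parse_hosts(text):
        if is_benign_target(ip):
            continue
        if any(host == d or host.endswith("." + d) for d in watched):
            hits.append((host, str(ip)))
    return hits


if __name__ == "__main__":
    for host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS redirect: {host} -> {ip}")
```

On a Windows endpoint the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts. An empty result is not proof of a clean machine, since the same redirection can be done by tampering with DNS settings instead, but a non-empty one is a high-confidence indicator.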
As predicted, cybercriminals carried out developments in malware distribution and refined existing tools. New ZeuS/ZBOT deployment tactics include a propagation routine.14 The PIZZER worm was also found spreading and copying itself onto password-protected archived files, using a technique similar to that of the PROLACO malware.15
Several cloud services were also hit by attacks this quarter. The VERNOT backdoor, which first abused a popular note-taking service, went on to abuse a well-known Japanese blogging platform by using it as a C&C server. Several GAMARUE variants were hosted on SourceForge, a popular code repository. Cybercriminals typically abuse legitimate services for "free hosting," successfully tricking users into trusting malicious links since these appear to belong to a well-known name.
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter. Among these were the compromise of WordPress sites in April, the emergence of Stealrat and its use of compromised hosts to send out spam, and observed peaks in spam activity.16
These are estimated going rates. Note that ZeuS and SpyEye have been around since before 2010.
Number of Botnet C&C Servers Detected per Month
Values shown for April–June: 2,102; 4,003; 1,434. May showed the highest number of detected C&C servers so far this year.

Number of Connections to Botnets per Month
Values shown for April–June: 104M; 119M; 27M. Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Top 10 Spam Languages
While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.
RANK LANGUAGE SHARE
1 English 82.56%
2 Chinese 3.26%
3 Russian 2.49%
4 Japanese 1.94%
5 German 0.86%
6 Portuguese 0.29%
7 Spanish 0.20%
8 Icelandic 0.16%
9 French 0.07%
10 Turkish 0.07%
Others 8.10%
Top 10 Spam-Sending Countries
Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico, and Turkey.
RANK COUNTRY SHARE
1 United States 9.47%
2 Spain 6.97%
3 India 6.36%
4 Taiwan 5.68%
5 Argentina 5.49%
6 Italy 4.52%
7 Colombia 3.70%
8 Mexico 3.56%
9 Belarus 3.55%
10 Turkey 3.08%
Others 47.62%
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms
As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites for popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3.17 Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.18 These attacks abused the use of the SSO approach, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse items, including the Boston Marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait.19
Notable Social Engineering Lures Used
Get free followers on Instagram
Boston bombing
MIT shooting
Texas fertilizer plant bombing
Iron Man 3
Income tax returns
As more users across different segments maximize the use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote, and Twitter rolled out additional security measures, which notably included two-step verification.20 The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.21
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where they can supposedly buy followers in bulk.22 The tactic of selling followers is not new, though. Cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.23
How Cybercriminals Trick Users into Giving Out Their Information24
Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.
Spam and phishing sites (early 2000–2009): Scams in the early 2000s mainly comprised pharmaceutical, account notification, and Nigerian scams, which mostly led victims to phishing sites.
Search engines (2009–2011): Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique takes advantage of keywords related to significant news and/or events for malicious purposes.
Social media (late 2009–present): Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr, and Pinterest.
Mobile (2011–present): Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act
After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps aimed at improving Java's security. These include quarterly update releases, automated security testing, and not allowing self-signed or unsigned apps for Java software used in browsers.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer® (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised.25 Exploits targeting Plesk and ColdFusion® also put forth the importance of securing web servers and touched on how enterprises secure their sites.26
As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.27 This quarter, we saw exploits target the software flaw as a result of the disclosure of the vulnerability's code.
The issue of addressing vulnerabilities was a hot topic this quarter, especially with Google's announcement of a seven-day disclosure policy. Several security pundits saw this as a noble yet impractical proposal. But as our CTO Raimund Genes pointed out, the bigger issue that should be discussed has to do with how vulnerabilities should be reported.
Timeline of Vulnerability Attacks (figure): for each of Ruby on Rails, Plesk, the IE zero-day, and Java, the chart marks the dates of private disclosure, public disclosure, patch release, and exploitation. The dates shown, in the order they appear, are 1/08/2013, 5/03/2012, 1/28/2013, 11/7/2012, 5/28/2013, 5/03/2012, 4/30/2013, 5/03/2013, 5/14/2013, 6/18/2013, and 6/18/2013.
How Oracle Plans to Secure Java
Delivering three patches every three months starting October 2013
Using automated security testing tools against regressions and bugs
Supporting Windows® security policies so system administrators can set networkwide policies on Java use
Disallowing running unsigned or self-signed apps
Making Java's process of revoking signing signatures flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES
Corporate Security Woes Pile Up
Targeted Attacks
Targeted attack campaigns remained a problem for organizations, as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia/Pacific.28 This campaign hit various industries like telecommunications, oil and gas, government, media, and others. It usually starts out with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as "Safe."29 Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston Marathon bombing as a social engineering lure to trick users into downloading malware that communicates via Secure Sockets Layer (SSL).30
File Types Used in Spear Phishing Related to Targeted Attacks
RANK FILE TYPE SHARE
1 EXE/DLL 43%
2 DOC 12%
3 JPG 10%
4 TXT/HTML 8%
5 RTF 5%
6 ZIP 4%
7 XLS 3%
8 RAR 3%
9 PPS/PPT 3%
10 (label missing from the chart) 2%
Others 7%
Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.
Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies31
COMPANY RESULTS
Goo: Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan: Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP): Attackers hacked AP's Twitter account, which erased US$200 billion worth of stock value
LivingSocial: Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies: Several sites were defaced and suffered DDoS attacks
Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families
RANK FAMILY SHARE
1 ARPUSH 41.79%
2 ADSWO 16.50%
3 PLANKTON 12.84%
4 LEADBLT 11.02%
5 IZP 8.17%
6 WAPSX 4.25%
7 OQX 4.10%
8 WBOO 0.67%
9 YOUMI 0.27%
10 UAPSH 0.13%
Others 0.26%
Malicious URL Country Sources
No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.
RANK COUNTRY SHARE
1 United States 25.90%
2 Germany 3.24%
3 China 3.16%
4 Netherlands 3.13%
5 South Korea 2.60%
6 France 1.94%
7 Japan 1.93%
8 Russia 1.64%
9 Canada 0.81%
10 United Kingdom 0.77%
Others 54.88%
Top 10 Countries with the Most Number of Botnet C&C Servers
Similar to the previous quarter, the United States had the most number of botnet C&C servers, while Australia surpassed South Korea.
RANK COUNTRY SHARE
1 United States 24.05%
2 Australia 5.15%
3 South Korea 3.38%
4 China 3.02%
5 Germany 2.87%
6 Taiwan 2.10%
7 France 1.88%
8 United Kingdom 1.72%
9 Brazil 1.47%
10 Canada 1.18%
Others 53.18%
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.
RANK COUNTRY SHARE
1 Malaysia 28.39%
2 United States 14.14%
3 France 11.63%
4 Germany 5.64%
5 Canada 5.29%
6 South Korea 4.13%
7 United Kingdom 3.84%
8 Thailand 3.22%
9 Hong Kong 3.07%
10 Italy 2.53%
Others 18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID, If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
Android Volume Threat Growth
April: 561K
May: 639K
June: 718K
The number of malicious and high-risk Android apps steadily increased until June 2013. The number of malicious and high-risk apps took three years to reach 350,000, a number that already doubled in just six months (January–June 2013).
Top Android Malware Families
RANK FAMILY SHARE
1 FAKEINST 22%
2 OPFAKE 14%
3 SNDAPPS 12%
4 BOXER 6%
5 GINMASTER 6%
6 VDLOADER 3%
7 FAKEDOLPHIN 3%
8 KUNGFU 3%
9 JIFAKE 2%
10 BASEBRIDGE 2%
Others 27%
Top Threat Type Distribution (figure): a 0–100% chart comparing the shares of premium service abusers, adware, data stealers, malicious downloaders, hacking tools, backdoors/remote controllers, unauthorized spenders, and others.
Premium service abusers remained the most dominant mobile threats. While the mobile threat type ranking remained consistent with the previous quarter's, we saw an increase in the data stealer volume, which may indicate the continued sophistication of this threat type.
The distribution data was based on the top 20 mobile malware and adware families that comprise 88% of all the mobile threats detected by the Mobile App Reputation Technology for the period April–June 2013. Note that a mobile threat family may exhibit the behaviors of more than one threat type.
Countries with the Highest Malicious Android App Download Volumes
RANK COUNTRY SHARE
1 United Arab Emirates 13.79%
2 Myanmar (Burma) 5.05%
3 Vietnam 4.94%
4 Mexico 4.23%
5 Russia 4.17%
6 India 3.74%
7 China 3.57%
8 Venezuela 3.11%
9 Malaysia 2.97%
10 Singapore 2.84%
The United Arab Emirates (UAE) recorded the highest malicious Android app download volume, overtaking Myanmar, which placed first in the previous quarter. Six new countries figured in this month's top 10, which may indicate an increase in mobile device use and/or attacks against such devices in these locations.
The ranking was based on the percentage of apps rated "malicious" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro™ Mobile Security Personal Edition.
Countries Most at Risk of Privacy Exposure Due to App Use
RANK COUNTRY SHARE
1 Saudi Arabia 11.49%
2 Vietnam 8.87%
3 Indonesia 8.82%
4 Brazil 7.98%
5 India 7.87%
6 Malaysia 7.57%
7 South Africa 6.52%
8 Russia 5.64%
9 Algeria 5.55%
10 Philippines 5.19%
Similar to last quarter, mobile users in Saudi Arabia downloaded the most number of high-risk apps. Vietnam placed second in light of the increasing mobile device use in the country.9
The ranking was based on the percentage of apps categorized as "privacy risk inducers" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro Mobile Security Personal Edition.
The increased sophistication of mobile threats could be attributed to the growing demand for short message service (SMS)-related information in the underground market. SMS databases are some of the best-selling data sets in the underground.
Underground Prices of Collected Mobile Numbers from Russian Mobile Network Operators
MOBILE DATA PRICE
1M numbers US$70
10K numbers US$10
Customized database with personal data US$35 for 1,000 numbers

How the Android Update Process Works
1. Google creates the latest update to the Android OS.
2. It makes the update available to manufacturers.
3. Device manufacturers make the update compatible with their devices. Phone companies must then approve the update for end users.
4. Finally, the phone companies push the update to end users.
Android Versus PC Threat Type Timeline Comparison (figure): the Android side runs from DroidSMS (Aug 2010) through LOTOOR, GoldDream, DroidDreamLight, One-Click Billing Fraud, Plankton, LEADBOLT, Chuli, FAKEBANK, and mobile FAKEAV to OBAD (dates shown: Mar 2011, Jul 2011, Aug 2011, Jan 2012, Mar 2013, Jun 2013); the PC side runs from Morris (1988) through PC Cyborg, Police Ransomware, ZANGO, 888bar, NTRootkit, Morcut, ZeuS, Passteal, TIBS Dialer, porn dialers, BANKER, GHOST RAT, FAKEAV, CODERED, and QAKBOT (dates shown: 1989, 1992, 1999, 2000, 2002, 2006, 2007, 2008). Threat types compared: worm, ransomware, adware, rootkit, infostealer, dialer, banking Trojan, multicomponent malware, targeted attack, and scareware.
CYBERCRIME
Banking Malware Get Regionalized, Old Threats Flourish
The overall number of threats blocked by the Trend Micro™ Smart Protection Network™ increased by 13% compared with last quarter. The DOWNAD/Conficker worm remained the top malware, while the adware volume noticeably increased as more users across segments were tricked into downloading them as part of free software.
Overall Trend Micro Smart Protection Network Numbers
METRIC                                      APRIL  MAY    JUNE
Number of threats blocked per second        2,572  2,663  3,258
Total number of threats blocked             6.7B   7.1B   8.4B
Number of malicious files blocked           408M   483M   427M
Number of malicious URLs blocked            601M   564M   513M
Number of spam-sending IP addresses blocked 5.7B   6.1B   7.6B
We were able to protect Trend Micro customers from nearly 3,000 threats per second this quarter, compared with 2,400 in the first quarter.
Top 3 Malware
WORM_DOWNAD 509K: APAC 51%, EMEA 19%, LAR 15%, North America 9%, Japan 6%
ADW_BHO 448K: Japan 34%, APAC 26%, EMEA 19%, North America 17%, LAR 4%
ADW_BPROTECT 311K: APAC 28%, EMEA 28%, Japan 20%, North America 15%, LAR 9%
The Server Service vulnerability has been patched since 2008, but DOWNAD/Conficker, which is known to exploit this, remained one of the top 3 malware this quarter. The majority of the top 50 malware comprised adware. ZACCESS/SIREFEF and SALITY remained in the top 10.
Top 3 Malware by Segment
ENTERPRISE: WORM_DOWNAD.AD 360K; ADW_BPROTECT 53K; ADW_BHO 28K
SMB: WORM_DOWNAD.AD 58K; ADW_BPROTECT 9K; ADW_BHO 8K
CONSUMER: ADW_BHO 370K; ADW_BPROTECT 215K; BKDR_BIFROSE.BMC 208K
Consumers were more inclined to unknowingly download adware that comes bundled with software, while DOWNAD/Conficker was still a concern for enterprises and small and medium-sized businesses (SMBs).
Top 10 Malicious Domains Blocked
DOMAIN                          REASON
trafficconverter.biz            Hosts malware, particularly DOWNAD variants
ads.alpha00001.com              Hosts malware that modifies default browser settings to hijack search results
www.ody.cc                      Has sites that host BKDR_HPGNB-CN and other suspicious scripts
pu.plugrush.com                 Related to a Blackhole Exploit Kit campaign
c.rvzrjs.info                   Related to spamming and other malicious activities
adsgangsta.com                  Related to malware and phishing attacks
vjlvchretllifcsgynuq.com        Hosts malware; also used to spread malware via Skype
strongvault02.safe-copy.com     Hosts malware
www.polaris-software.com        Hosts malware
promos.fling.com                Hosts malware
One of the top malicious domains blocked was related to a Blackhole Exploit Kit campaign. The domain trafficconverter.biz hosts DOWNAD/Conficker variants, which was also the top malware for the first half of 2013.
As predicted, cybercriminals have not generated completely new threats and instead opted to repackage old ones.[10] We observed several interesting trends in online banking threats this quarter that led to a 29% increase in infections with this type of malware.
Online Banking Malware Infections
1Q 2013: 113K
2Q 2013: 146K
Top Online Banking Victim Countries
COUNTRY         SHARE
United States   28%
Brazil          22%
Australia       5%
France          5%
Japan           4%
Taiwan          4%
Vietnam         3%
India           2%
Germany         2%
Canada          2%
Others          23%
The online banking malware volume significantly increased this quarter, due in part to the rise in the ZeuS/ZBOT malware volume in the wild. Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the Americas. The United States was most affected by online banking malware, accounting for 28% of the total number of infections worldwide.
Online Banking Malware Infections per Month
April: 37K
May: 39K
June: 71K
Brazil, an online banking malware hotspot, was mostly targeted by two types of the threat this quarter. The first was the BANKER malware disguised as updates for Adobe® Flash® Player, hosted on compromised sites.[11] The other was malware disguised as a "homemade browser" that targets Banco do Brasil users.[12]
In the cybercriminal underground, the CARBERP source code was "leaked," making the creation of banking Trojans even easier for bad guys. Meanwhile, other online banking Trojan toolkits like ZeuS, SpyEye and Ice IX are already available for free, making it easy for any skilled hacker to obtain their source code.
Underground Price Changes for Basic Online Banking Toolkits
[Chart: estimated underground prices, on a US$0 to US$10,000 scale, of the ZeuS, SpyEye, CARBERP, Ice IX (only made available in 2012) and CITADEL toolkits for 2010 through 2013; the individual price points are not recoverable from the extracted figure.]
We found an online banking malware that modifies an infected computer's HOSTS file to redirect customers of certain South Korean banks to phishing sites.[13] We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan. These malware not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.
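To show the HOSTS-file redirection just described from the defender's side, here is an added example (not code from the report or from Trend Micro) that parses a HOSTS file and flags watched bank hostnames pinned to anything other than a loopback or unspecified address; the example-bank hostnames, the 192.0.2.10 address and the sample file contents are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed watch list: hostnames that should only ever be resolved through
# DNS, never pinned in the HOSTS file. Replace with the institutions you protect.
WATCHED_HOSTS = {"www.example-bank.com", "login.example-bank.com"}

# Constructed sample HOSTS file. The first entries are the usual defaults; the
# 192.0.2.10 line (a documentation-range address) stands in for the kind of
# injected entry the report describes, and the 0.0.0.0 line is a benign ad block.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10\twww.example-bank.com login.example-bank.com   # injected
0.0.0.0         ads.example.net
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) per data line; comments and blanks are skipped."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()  # handles any mix of spaces and tabs
        if len(parts) < 2:
            continue  # address with no hostname: malformed, ignore
        entries.append((parts[0], [h.lower().rstrip(".") for h in parts[1:]]))
    return entries


def is_local(address: str) -> bool:
    """True for loopback or unspecified addresses (normal HOSTS usage: sinkholing)."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False  # unparsable token: not local, so a watched mapping is flagged
    return addr.is_loopback or addr.is_unspecified


def find_redirections(text: str, watched=WATCHED_HOSTS) -> Dict[str, str]:
    """Map each watched hostname pinned to a non-local address to that address.

    A hostname pinned to 127.0.0.1 or 0.0.0.0 merely blocks the site; a pin to
    any other address silently sends the browser elsewhere, which is the
    phishing redirection pattern.
    """
    hits: Dict[str, str] = {}
    for address, hosts in parse_hosts(text):
        if is_local(address):
            continue
        for host in hosts:
            if host in watched:
                hits[host] = address
    return hits


def scan_hosts_file(path: str, watched=WATCHED_HOSTS) -> Dict[str, str]:
    """Read a HOSTS file from disk (e.g. C:\\Windows\\System32\\drivers\\etc\\hosts
    or /etc/hosts) and return the suspicious mappings."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_redirections(fh.read(), watched)


if __name__ == "__main__":
    for host, address in find_redirections(SAMPLE_HOSTS).items():
        print(f"suspicious HOSTS entry: {host} -> {address}")
```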
As predicted, cybercriminals carried out developments in malware distribution and refined existing tools. New ZeuS/ZBOT deployment tactics include a propagation routine.[14] The PIZZER worm was also found spreading and copying itself onto password-protected archive files, using a technique similar to that of the PROLACO malware.[15]
Several cloud services were also hit by attacks this quarter. The VERNOT backdoor, which first abused a popular note-taking service, went on to abuse a well-known Japanese blogging platform by using it as a C&C server. Several GAMARUE variants were hosted on SourceForge, a popular code repository. Cybercriminals typically abuse legitimate services for "free hosting," successfully tricking users into trusting malicious links since these appear to belong to a well-known name.
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter. Among these were the compromise of WordPress sites in April, the emergence of Stealrat and its use of compromised hosts to send out spam, and observed peaks in spam activity.[16]
These are estimated going rates. Note that ZeuS and SpyEye have been around since before 2010.
Number of Botnet C&C Servers Detected per Month
April: 2,102
May: 4,003
June: 1,434
May showed the highest number of detected C&C servers so far this year.
Number of Connections to Botnets per Month
April: 10.4M
May: 11.9M
June: 2.7M
Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Top 10 Spam Languages
While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.
LANGUAGE        SHARE
1 English       82.56%
2 Chinese       3.26%
3 Russian       2.49%
4 Japanese      1.94%
5 German        0.86%
6 Portuguese    0.29%
7 Spanish       0.20%
8 Icelandic     0.16%
9 French        0.07%
10 Turkish      0.07%
Others          8.10%
Top 10 Spam-Sending Countries
Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico and Turkey.
COUNTRY           SHARE
1 United States   9.47%
2 Spain           6.97%
3 India           6.36%
4 Taiwan          5.68%
5 Argentina       5.49%
6 Italy           4.52%
7 Colombia        3.70%
8 Mexico          3.56%
9 Belarus         3.55%
10 Turkey         3.08%
Others            47.62%
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms
As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress and Blogger to host fake streaming sites of popular summer movies, including Man of Steel, Fast and Furious 6 and Iron Man 3.[17] Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.[18] These attacks abused the use of the SSO approach, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse items, including the Boston marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion and the tax season, as bait.[19]
Notable Social Engineering Lures Used
Get free followers on Instagram
Boston bombing
MIT shooting
Texas fertilizer plant bombing
Iron Man 3
Income tax returns
As more users across different segments maximize the use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote and Twitter rolled out additional security measures, which notably included two-step verification.[20] The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.[21]
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where victims can supposedly buy followers in bulk.[22] The tactic of selling followers is not new, though; cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.[23]
How Cybercriminals Trick Users into Giving Out Their Information[24]
Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.
Spam and phishing sites (early 2000–2009): Scams in the early 2000s mainly comprised pharmaceutical, account notification and Nigerian scams, which mostly led victims to phishing sites.
Search engines (2009–2011): Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique takes advantage of keywords related to significant news and/or events for malicious purposes.
Social media (late 2009–present): Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr and Pinterest.
Mobile (2011–present): Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act
After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps that aimed to improve Java's security. These include quarterly update releases, automated security testing and disallowing self-signed or unsigned apps for Java software used in browsers.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer® (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised.[25] Exploits targeting Plesk and ColdFusion® also put forth the importance of securing web servers and touched on how enterprises secure their sites.[26]
As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.[27] This quarter, we saw exploits target the software flaw as a result of the disclosure of the vulnerability's code.
The issue of addressing vulnerabilities was a hot topic this quarter, especially with Google's announcement of a seven-day disclosure policy. Several security pundits saw this as a noble yet impractical proposal. But as our CTO Raimund Genes pointed out, the bigger issue that should be discussed has to do with how vulnerabilities should be reported.
Timeline of Vulnerability Attacks
[Chart: for each of Ruby on Rails, Plesk, the IE zero-day and Java, the dates of private disclosure, public disclosure, patch release and exploitation. The dates on the figure are 1/08/2013, 5/03/2012, 1/28/2013, 1/17/2012, 5/28/2013, 5/03/2012, 4/30/2013, 5/03/2013, 5/14/2013, 6/18/2013 and 6/18/2013; their assignment to rows and columns is not recoverable from the extracted text.]
How Oracle Plans to Secure Java
Delivering three patches every three months, starting October 2013
Using automated security testing tools against regressions and bugs
Supporting Windows® security policies so system administrators can set networkwide policies on Java use
Disallowing running unsigned or self-signed apps
Making Java's process of revoking signing signatures flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS AND DATA BREACHES
Corporate Security Woes Pile Up
Targeted Attacks
Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia/Pacific.[28] This campaign hit various industries like telecommunications, oil and gas, government, media and others. It usually starts out with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as "Safe."[29] Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston marathon bombing as a social engineering lure to trick users into downloading malware that communicates via Secure Sockets Layer (SSL).[30]
File Types Used in Spear Phishing Related to Targeted Attacks
[Chart: ranked share of file types attached to spear-phishing emails in targeted attacks. Categories in rank order: EXE/DLL, DOC, JPG, TXT/HTML, RTF, ZIP, XLS, RAR, PPS/PPT, Others. The percentages on the figure are 43, 12, 10, 8, 5, 4, 3, 3, 3, 2 and 7; the extracted text does not preserve which category each belongs to.]
Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.
Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies[31]
COMPANY                        RESULTS
Goo                            Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan                    Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP)          Attackers hacked AP's Twitter account, which erased US$200 billion worth of stock value
LivingSocial                   Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies  Several sites were defaced and suffered DDoS attacks
Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families
FAMILY        SHARE
1 ARPUSH      41.79%
2 ADSWO       16.50%
3 PLANKTON    12.84%
4 LEADBLT     11.02%
5 IZP         8.17%
6 WAPSX       4.25%
7 OQX         4.10%
8 WBOO        0.67%
9 YOUMI       0.27%
10 UAPSH      0.13%
Others        0.26%
Malicious URL Country Sources
No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.
COUNTRY             SHARE
1 United States     25.90%
2 Germany           3.24%
3 China             3.16%
4 Netherlands       3.13%
5 South Korea       2.60%
6 France            1.94%
7 Japan             1.93%
8 Russia            1.64%
9 Canada            0.81%
10 United Kingdom   0.77%
Others              54.88%
Top 10 Countries with the Most Number of Botnet C&C Servers
Similar to the previous quarter, the United States had the most number of botnet C&C servers, while Australia surpassed South Korea.
COUNTRY             SHARE
1 United States     24.05%
2 Australia         5.15%
3 South Korea       3.38%
4 China             3.02%
5 Germany           2.87%
6 Taiwan            2.10%
7 France            1.88%
8 United Kingdom    1.72%
9 Brazil            1.47%
10 Canada           1.18%
Others              53.18%
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.
COUNTRY             SHARE
1 Malaysia          28.39%
2 United States     14.14%
3 France            11.63%
4 Germany           5.64%
5 Canada            5.29%
6 South Korea       4.13%
7 United Kingdom    3.84%
8 Thailand          3.22%
9 Hong Kong         3.07%
10 Italy            2.53%
Others              18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices: Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID, If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing or delivering this document shall be liable for any consequence, loss or damage, including direct, indirect, special, consequential loss of business profits or special damages, whatsoever arising out of access to, use of or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
3 | Mobile
Top Threat Type Distribution
[Chart: share of mobile threats by type: premium service abuser, adware, malicious downloader, hacking tool, backdoor/remote controller, unauthorized spender, data stealer and others; the individual percentages are not recoverable from the extracted figure.]
Premium service abusers remained the most dominant mobile threats. While the mobile threat type ranking remained consistent with the previous quarter's, we saw an increase in the data stealer volume, which may indicate the continued sophistication of this threat type.
The distribution data was based on the top 20 mobile malware and adware families, which comprise 88% of all the mobile threats detected by the Mobile App Reputation Technology for the period April–June 2013. Note that a mobile threat family may exhibit the behaviors of more than one threat type.
Countries with the Highest Malicious Android App Download Volumes
COUNTRY                  SHARE
1 United Arab Emirates   13.79%
2 Myanmar (Burma)        5.05%
3 Vietnam                4.94%
4 Mexico                 4.23%
5 Russia                 4.17%
6 India                  3.74%
7 China                  3.57%
8 Venezuela              3.11%
9 Malaysia               2.97%
10 Singapore             2.84%
The United Arab Emirates (UAE) recorded the highest malicious Android app download volume, overtaking Myanmar, which placed first in the previous quarter. Six new countries figured in this month's top 10, which may indicate an increase in mobile device use and/or attacks against such devices in these locations.
The ranking was based on the percentage of apps rated "malicious" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro™ Mobile Security Personal Edition.
Countries Most at Risk of Privacy Exposure Due to App Use
COUNTRY           SHARE
1 Saudi Arabia    11.49%
2 Vietnam         8.87%
3 Indonesia       8.82%
4 Brazil          7.98%
5 India           7.87%
6 Malaysia        7.57%
7 South Africa    6.52%
8 Russia          5.64%
9 Algeria         5.55%
10 Philippines    5.19%
Similar to last quarter, mobile users in Saudi Arabia downloaded the most number of high-risk apps. Vietnam placed second in light of the increasing mobile device use in the country.[9]
The ranking was based on the percentage of apps categorized as "privacy risk inducers" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro Mobile Security Personal Edition.
The increased sophistication of mobile threats could be attributed to the growing demand for short message service (SMS)-related information in the underground market. SMS databases are some of the best-selling data sets in the underground.
Underground Prices of Collected Mobile Numbers from Russian Mobile Network Operators
MOBILE DATA                               PRICE
1M numbers                                US$70
10K numbers                               US$10
Customized database with personal data    US$35 for 1,000 numbers
How the Android Update Process Works
1. Google creates the latest update to Android OS.
2. It makes the update available to manufacturers.
3. Device manufacturers make the update compatible with their devices. Phone companies must then approve the update for end users.
4. Finally, the phone companies push the update to end users.
Android Versus PC Threat Type Timeline Comparison
[Chart: Android threats from August 2010 to June 2013: DROIDSMS (Aug 2010), LOTOOR/TOOR, GoldDream/DroidDreamLight, One-Click Billing Fraud, Plankton/LEADBOLT, Chuli, OBAD, FAKEBANK and Mobile FAKEAV, plotted against Mar 2011, Jul 2011, Aug 2011, Jan 2012, Mar 2013 and Jun 2013. PC threats from 1988 to 2008: Morris (1988), CODERED, PC Cyborg, Police Ransomware, ZANGO/888bar, NTRootkit, Morcut, ZeuS, Passteal, TIBS Dialer, Porn Dialers, BANKER, GHOST RAT, FAKEAV and QAKBOT, plotted against 1989, 1992, 1999, 2000, 2002, 2006, 2007 and 2008. Threat type legend: worm, ransomware, adware, rootkit, infostealer, dialer, banking Trojan, multicomponent, targeted attack malware, scareware.]
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
6 | Cybercrime
CYBERCRIME
Banking Malware Get Regionalized, Old Threats Flourish

The overall number of threats blocked by the Trend Micro Smart Protection Network increased by 13% compared with last quarter. The DOWNAD/Conficker worm remained the top malware, while the adware volume noticeably increased as more users across segments were tricked into downloading adware bundled with free software.
Overall Trend Micro Smart Protection Network Numbers

                                              APRIL          MAY            JUNE
Number of threats blocked per second          2,572          2,663          3,258
Total number of threats blocked               6.7B           7.1B           8.4B
Number of spam-sending IP addresses blocked   5.7B           6.1B           7.6B
Number of malicious files / URLs blocked      408M / 601M    483M / 564M    427M / 513M

(Values as read from the chart; the files/URLs pair for each month is given in the order the legend lists them.)
We were able to protect Trend Micro customers from nearly 3,000 threats per second this quarter, compared with 2,400 in the first quarter.
Top 3 Malware

MALWARE        VOLUME   REGIONAL SHARE
WORM_DOWNAD    509K     APAC 51%, EMEA 19%, LAR 15%, North America 9%, Japan 6%
ADW_BHO        448K     Japan 34%, APAC 26%, EMEA 19%, North America 17%, LAR 4%
ADW_BPROTECT   311K     APAC 28%, EMEA 28%, Japan 20%, North America 15%, LAR 9%
The Server Service vulnerability has been patched since 2008, but DOWNAD/Conficker, which is known to exploit it, remained one of the top 3 malware this quarter. The majority of the top 50 malware comprised adware. ZACCESS/SIREFEF and SALITY remained in the top 10.
Top 3 Malware by Segment

ENTERPRISE                  SMB                         CONSUMER
NAME             VOLUME     NAME             VOLUME     NAME               VOLUME
WORM_DOWNAD.AD   360K       WORM_DOWNAD.AD   58K        ADW_BHO            370K
ADW_BPROTECT     53K        ADW_BPROTECT     9K         ADW_BPROTECT       215K
ADW_BHO          28K        ADW_BHO          8K         BKDR_BIFROSE.BMC   208K
Consumers were more inclined to unknowingly download adware that comes bundled with software, while DOWNAD/Conficker was still a concern for enterprises and small and medium-sized businesses (SMBs).
Top 10 Malicious Domains Blocked

DOMAIN                        REASON
trafficconverter.biz          Hosts malware, particularly DOWNAD variants
ads.alpha00001.com            Hosts malware that modifies default browser settings to hijack search results
www.ody.cc                    Has sites that host BKDR_HPGNB-CN and other suspicious scripts
pu.plugrush.com               Related to a Blackhole Exploit Kit campaign
c.rvzrjs.info                 Related to spamming and other malicious activities
adsgangsta.com                Related to malware and phishing attacks
vjlvchretllifcsgynuq.com      Hosts malware; also used to spread malware via Skype
strongvault02.safe-copy.com   Hosts malware
www.polaris-software.com      Hosts malware
promos.fling.com              Hosts malware
One of the top malicious domains blocked was related to a Blackhole Exploit Kit campaign. The domain trafficconverter.biz hosts DOWNAD/Conficker variants, which was also the top malware for the first half of 2013.
As predicted, cybercriminals have not generated completely new threats and have instead opted to repackage old ones.10 We observed several interesting trends in online banking threats this quarter that led to a 29% increase in infections with this type of malware.
Online Banking Malware Infections

                            1Q 2013   2Q 2013
Online banking infections   113K      146K

Top Online Banking Victim Countries

COUNTRY         SHARE
United States   28%
Brazil          22%
Australia       5%
France          5%
Japan           4%
Taiwan          4%
Vietnam         3%
India           2%
Germany         2%
Canada          2%
Others          23%
The online banking malware volume significantly increased this quarter, due in part to the rise in the ZeuS/ZBOT malware volume in the wild. Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the Americas. The United States was most affected by online banking malware, accounting for 28% of the total number of infections worldwide.
Online Banking Malware Infections per Month

APRIL   MAY    JUNE
37K     39K    71K
Brazil, an online banking malware hotspot, was mostly targeted by two types of the threat this quarter. The first was the BANKER malware disguised as updates for Adobe Flash Player, hosted on compromised sites.11 The other was malware disguised as a "homemade browser" that targets Banco do Brasil users.12
In the cybercriminal underground, the CARBERP source code was "leaked," making the creation of banking Trojans even easier for bad guys. Meanwhile, other online banking Trojan toolkits like ZeuS, SpyEye and Ice IX are already available for free, making it easy for any skilled hacker to obtain their source code.
Underground Price Changes for Basic Online Banking Toolkits

[Chart placeholder] Price in US$ (0 to 10,000) of the ZeuS, SpyEye, CARBERP, Ice IX (only made available in 2012) and Citadel toolkits, plotted for 2010 through 2013.
We found an online banking malware that modifies an infected computer's HOSTS file to redirect customers of certain South Korean banks to phishing sites.13 Because the resolver consults the HOSTS file before DNS, the victim lands on the phishing site even after typing the bank's correct address. We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan. These malware not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.
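The HOSTS-file redirection described above leaves a durable artifact on disk, so it is cheap to audit for. The following Python script is an added example, not code from the Trend Micro report or from the malware it describes: it parses a HOSTS file the way the resolver does, ignores the stock entries, and ranks every remaining pin, with a bank hostname pinned to any address treated as the high-severity case. The watched domain names, the sample HOSTS content and the severity rules are assumptions made for the example.

```python
import ipaddress

# Assumption: the banking hostnames to watch. Placeholders, not real institutions.
WATCHED_DOMAINS = ("bank.example", "onlinebank.example")

# Names that ship in a stock HOSTS file on Windows and Unix; never worth reporting.
DEFAULT_HOSTS = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in a HOSTS file.

    Comments (#...) and blank lines are dropped, and a line whose first field
    is not an IP address is skipped, matching what the OS resolver does.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((line_no, ip, host.lower().rstrip(".")))
    return entries


def is_watched(host):
    """True for a watched domain or any name under it (www.bank.example)."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Rank every non-default HOSTS entry as (severity, line_no, host, ip, reason).

    high:   a watched banking hostname is pinned, so DNS is bypassed and the
            victim lands wherever the attacker chose (the redirection in the report)
    medium: any other hostname pinned to a routable address
    low:    a hostname sinkholed to loopback (a common way to block update sites)
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if host in DEFAULT_HOSTS:
            continue
        if is_watched(host):
            findings.append(("high", line_no, host, str(ip),
                             "watched banking hostname pinned; resolver bypassed"))
        elif ip.is_loopback or ip.is_unspecified:
            findings.append(("low", line_no, host, str(ip),
                             "hostname sinkholed to loopback"))
        else:
            findings.append(("medium", line_no, host, str(ip),
                             "hostname pinned to a routable address"))
    return findings


# Constructed sample of an infected machine's HOSTS file; the addresses are
# documentation ranges (RFC 5737), not real phishing hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.corp.example      # pinned by an admin (assumed legitimate)
203.0.113.45    www.bank.example           # injected: bank name -> phishing host
203.0.113.45    onlinebank.example m.onlinebank.example
127.0.0.1       update.antivirus.example   # sinkholed
not-an-address  garbage
"""

if __name__ == "__main__":
    for severity, line_no, host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{severity:6} line {line_no}: {host} -> {ip} ({reason})")
```

Run it against C:\Windows\System32\drivers\etc\hosts or /etc/hosts instead of SAMPLE_HOSTS; the watch-list should come from the institutions you actually care about, since a legitimate HOSTS file has no business pinning a bank at all, whatever the address.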
As predicted, cybercriminals carried out developments in malware distribution and refinement for existing tools. New ZeuS/ZBOT deployment tactics include a propagation routine.14 The PIZZER worm was also found spreading and copying itself into password-protected archive files, using a technique similar to that of the PROLACO malware.15
Several cloud services were also hit by attacks this quarter. The VERNOT backdoor, which first abused a popular note-taking service, went on to abuse a well-known Japanese blogging platform by using it as a C&C server. Several GAMARUE variants were hosted on SourceForge, a popular code repository. Cybercriminals typically abuse legitimate services for "free hosting," successfully tricking users into trusting malicious links since these appear to belong to a well-known name.
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter. Among these were the compromise of WordPress sites in April, the emergence of Stealrat and its use of compromised hosts to send out spam, and observed peaks in spam activity.16
These are estimated going rates. Note that ZeuS and SpyEye have been around since before 2010.
Number of Botnet C&C Servers Detected per Month

APRIL   MAY     JUNE
1,434   4,003   2,102

(Values as read from the chart.) May showed the highest number of detected C&C servers so far this year.

Number of Connections to Botnets per Month

APRIL   MAY     JUNE
2.7M    11.9M   10.4M

(Values as read from the chart.) Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Top 10 Spam Languages
While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.
RANK   LANGUAGE     SHARE
1      English      82.56%
2      Chinese      3.26%
3      Russian      2.49%
4      Japanese     1.94%
5      German       0.86%
6      Portuguese   0.29%
7      Spanish      0.20%
8      Icelandic    0.16%
9      French       0.07%
10     Turkish      0.07%
       Others       8.10%
Top 10 Spam-Sending Countries
Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico and Turkey.
RANK   COUNTRY         SHARE
1      United States   9.47%
2      Spain           6.97%
3      India           6.36%
4      Taiwan          5.68%
5      Argentina       5.49%
6      Italy           4.52%
7      Colombia        3.70%
8      Mexico          3.56%
9      Belarus         3.55%
10     Turkey          3.08%
       Others          47.62%
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms

As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress and Blogger to host fake streaming sites of popular summer movies, including Man of Steel, Fast and Furious 6 and Iron Man 3.17 Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.18 These attacks abused the SSO approach, under which one stolen credential unlocks every service tied to it, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics as several attacks used diverse items, including the Boston marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion and the tax season, as bait.19
Notable Social Engineering Lures Used

"Get free followers on Instagram"
Boston bombing
MIT shooting
Texas fertilizer plant explosion
Iron Man 3
Income tax returns

As more users across different segments maximize the use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote and Twitter rolled out additional security measures, which notably included two-step verification.20 The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.21
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where victims can supposedly buy followers in bulk.22 The tactic of selling followers is not new, though; cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.23
How Cybercriminals Trick Users into Giving Out Their Information24

Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.

Spam and phishing sites (early 2000s to 2009): Scams in the early 2000s mainly comprised pharmaceutical, account notification and Nigerian scams, which mostly led victims to phishing sites.
Search engines (2009 to 2011): Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique uses keywords related to significant news and/or events for malicious purposes.
Social media (late 2009 to present): Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr and Pinterest.
Mobile (2011 to present): Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act

After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps that aimed to improve Java's security. These include quarterly update releases, automated security testing, and no longer allowing self-signed or unsigned apps for Java software used in browsers.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites can be compromised.25 Exploits targeting Plesk and ColdFusion also put forth the importance of securing web servers and touched on how enterprises secure their sites.26
As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.27 This quarter, we saw exploits target the software flaw after the vulnerability's exploit code was publicly disclosed.
The issue of addressing vulnerabilities was a hot topic this quarter, especially with Google's announcement of a seven-day disclosure policy for critical vulnerabilities under active exploitation. Several security pundits saw this as a noble yet impractical proposal, but as our CTO Raimund Genes pointed out, the bigger issue that should be discussed has to do with how vulnerabilities should be reported.
Timeline of Vulnerability Attacks

[Timeline figure] Rows: Ruby on Rails, Plesk, IE zero-day, Java. Milestones tracked per row: private disclosure, public disclosure, patch released, exploited. Dates printed on the figure, in M/D/YYYY with the separators lost in extraction: 1082013, 5032012, 1282013, 1172012, 5282013, 5032012, 4302013, 5032013, 5142013, 6182013, 6182013. Which date belongs to which row and milestone is not recoverable from the extracted text.
How Oracle Plans to Secure Java

Delivering three patches every three months, starting October 2013
Using automated security testing tools against regressions and bugs
Supporting Windows security policies so system administrators can set networkwide policies on Java use
Disallowing running unsigned or self-signed apps
Making Java's process for revoking signing signatures more flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS AND DATA BREACHES
Corporate Security Woes Pile Up

Targeted Attacks
Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia/Pacific.28 This campaign hit various industries like telecommunications, oil and gas, government, media and others. It usually starts out with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as "Safe."29 Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston marathon bombing as a social engineering lure to trick users into downloading malware that communicates over Secure Sockets Layer (SSL).30
File Types Used in Spear Phishing Related to Targeted Attacks

RANK   FILE TYPE    SHARE
1      EXE/DLL      43%
2      DOC          12%
3      JPG          10%
4      TXT/HTML     8%
5      RTF          5%
6      ZIP          4%
7      XLS          3%
8      RAR          3%
9      PPS/PPT      3%
10     (see note)   2%
       Others       7%

Note: the chart carries eleven shares (ten ranked types plus Others) but only ten labels survived extraction, so one of the slash-joined labels stands for two separately ranked types and the rows below rank 3 may be shifted by one.
Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
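Since the chart mixes native executables, Office documents, images and archives, and the point of the text is that the attacker picks whichever gets through, an attachment filter that trusts extensions is the wrong tool. The Python routine below is an added example, not code from the Trend Micro report: it classifies content by magic bytes instead of by name, so a PE image renamed .jpg, a double-extension name such as invoice.pdf.exe, and an executable packed inside a ZIP all surface. The signatures are the standard published magic numbers; the sample attachments, the severity wording and the extension lists are constructed for the example.

```python
import io
import os
import zipfile

# Leading bytes of the formats on the chart (plus PDF); all are documented magic numbers.
SIGNATURES = (
    (b"MZ", "exe/dll"),
    (b"PK\x03\x04", "zip"),                           # also DOCX/XLSX/PPTX containers
    (b"Rar!\x1a\x07", "rar"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy DOC/XLS/PPT/PPS
    (b"{\\rtf", "rtf"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF", "pdf"),
)

# What each extension claims to be, in the same vocabulary as SIGNATURES.
CLAIMED_TYPE = {
    ".exe": "exe/dll", ".dll": "exe/dll", ".scr": "exe/dll",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".rar": "rar", ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2", ".pps": "ole2",
    ".rtf": "rtf", ".jpg": "jpg", ".jpeg": "jpg", ".pdf": "pdf",
    ".txt": "text", ".htm": "text", ".html": "text",
}

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

_TEXT_BYTES = set(range(0x20, 0x7F)) | set(b"\t\r\n")


def sniff(data):
    """Classify content by its first bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    head = data[:512]
    return "text" if head and all(b in _TEXT_BYTES for b in head) else "unknown"


def triage(name, data):
    """Return the list of reasons an attachment deserves a closer look ([] if none)."""
    findings = []
    lowered = name.lower()
    ext = os.path.splitext(lowered)[1]
    actual = sniff(data)
    claimed = CLAIMED_TYPE.get(ext, "unknown")

    if ext in EXECUTABLE_EXT:
        findings.append("executable attachment")
        if lowered.count(".") >= 2:
            findings.append("double extension")          # invoice.pdf.exe
    elif actual == "exe/dll":
        findings.append(f"PE image disguised as {ext or 'no extension'}")
    elif "unknown" not in (actual, claimed) and actual != claimed:
        findings.append(f"content is {actual}, extension claims {claimed}")

    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if os.path.splitext(member.filename.lower())[1] in EXECUTABLE_EXT:
                        findings.append(f"archive contains executable {member.filename}")
                    if member.flag_bits & 0x1:           # encrypted member: cannot be scanned
                        findings.append(f"encrypted archive member {member.filename}")
        except zipfile.BadZipFile:
            findings.append("malformed zip container")
    return findings


def _zip_of(members):
    """Build an in-memory ZIP holding the given {name: bytes}."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buffer.getvalue()


# Constructed attachments; the PE and OLE2 bodies are just valid headers plus padding.
SAMPLES = {
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
    "photo.jpg": b"MZ" + b"\x90" * 64,
    "invoice.pdf.exe": b"MZ" + b"\x90" * 64,
    "flash_update.zip": _zip_of({"readme.txt": b"install me\n",
                                 "flashplayer_update.exe": b"MZ" + b"\x90" * 64}),
    "notes.txt": b"meeting at 10\r\nbring the slides\r\n",
}


def triage_all(samples=SAMPLES):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name:20} {'; '.join(reasons) or 'ok'}")
```

The encrypted-member check matters for the PIZZER-style password-protected archives mentioned earlier in the report: a scanner cannot look inside them, so the presence of an encrypted member is itself the signal. Legacy OLE2 documents and RTF files pass this filter cleanly, which is the point; they are where exploit content actually lives, so the next stage has to be a content scanner, not a name check.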
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continue to go after high-value targets and how they can inflict maximum damage within a short period of time.
Data Breaches
Companies like Yahoo! Japan, LivingSocial, Twitter and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of an expired code-signing certificate.
Attacks Targeting Well-known Companies31

COMPANY                         RESULTS
Goo                             Locked 100,000 accounts to prevent unauthorized logins
Yahoo! Japan                    Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP)           Attackers hacked AP's Twitter account, which briefly erased US$200 billion worth of stock value
LivingSocial                    Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies   Several sites were defaced and suffered DDoS attacks

Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families

RANK   FAMILY     SHARE
1      ARPUSH     41.79%
2      ADSWO      16.50%
3      PLANKTON   12.84%
4      LEADBLT    11.02%
5      IZP        8.17%
6      WAPSX      4.25%
7      OQX        4.10%
8      WBOO       0.67%
9      YOUMI      0.27%
10     UAPSH      0.13%
       Others     0.26%
Malicious URL Country Sources

No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany a distant second.

RANK   COUNTRY          SHARE
1      United States    25.90%
2      Germany          3.24%
3      China            3.16%
4      Netherlands      3.13%
5      South Korea      2.60%
6      France           1.94%
7      Japan            1.93%
8      Russia           1.64%
9      Canada           0.81%
10     United Kingdom   0.77%
       Others           54.88%
Top 10 Countries with the Most Botnet C&C Servers

Similar to the previous quarter, the United States had the most botnet C&C servers, while Australia surpassed South Korea.

RANK   COUNTRY          SHARE
1      United States    24.05%
2      Australia        5.15%
3      South Korea      3.38%
4      China            3.02%
5      Germany          2.87%
6      Taiwan           2.10%
7      France           1.88%
8      United Kingdom   1.72%
9      Brazil           1.47%
10     Canada           1.18%
       Others           53.18%
Top 10 Countries with the Highest Number of Connections to Botnets

DDoS attacks in Malaysia related to the elections contributed to the increase in the country's volume of malicious connections.

RANK   COUNTRY          SHARE
1      Malaysia         28.39%
2      United States    14.14%
3      France           11.63%
4      Germany          5.64%
5      Canada           5.29%
6      South Korea      4.13%
7      United Kingdom   3.84%
8      Thailand         3.22%
9      Hong Kong        3.07%
10     Italy            2.53%
       Others           18.12%
References
1 Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2 Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices: Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3 Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4 Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5 Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6 Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7 Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8 Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9 Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10 Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11 Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12 Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13 Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14 Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15 Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16 Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17 Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18 Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19 Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20 Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21 David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22 Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23 Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24 Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25 Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26 Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27 Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28 Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29 Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30 Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31 Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing or delivering this document shall be liable for any consequence, loss or damage, including direct, indirect, special, consequential loss of business profits or special damages whatsoever arising out of access to, use of or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by the Global Technical Support & R&D Center of TREND MICRO
Countries with the Highest Malicious Android App Download Volumes

RANK   COUNTRY                SHARE
1      United Arab Emirates   13.79%
2      Myanmar (Burma)        5.05%
3      Vietnam                4.94%
4      Mexico                 4.23%
5      Russia                 4.17%
6      India                  3.74%
7      China                  3.57%
8      Venezuela              3.11%
9      Malaysia               2.97%
10     Singapore              2.84%

The United Arab Emirates (UAE) recorded the highest malicious Android app download volume, overtaking Myanmar, which placed first in the previous quarter. Six new countries figured in this quarter's top 10, which may indicate an increase in mobile device use and/or attacks against such devices in these locations.
The ranking was based on the percentage of apps rated "malicious" over the total number of apps scanned per country. The ranking was limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro Mobile Security Personal Edition.
Countries Most at Risk of Privacy Exposure Due to App Use

RANK   COUNTRY        SHARE
1      Saudi Arabia   11.49%
2      Vietnam        8.87%
3      Indonesia      8.82%
4      Brazil         7.98%
5      India          7.87%
6      Malaysia       7.57%
7      South Africa   6.52%
8      Russia         5.64%
9      Algeria        5.55%
10     Philippines    5.19%
Similar to last quarter mobile users in Saudi arabia downloaded the most number of high-risk apps Vietnam placed second in light of the increasing mobile device use in the country9
The ranking was based on the percentage of apps categorized as ldquoprivacy risk inducersrdquo over the total number of apps scanned per country The ranking was limited to countries with at least 10000 scans The ratings were based on the quarterly analysis of real-time threat detection via Trend Micro Mobile Security Personal Edition
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
5 | Mobile
The increased sophistication of mobile threats could be attributed to the growing demand for short message service (SMS)-related information in the underground market. SMS databases are some of the best-selling data sets in the underground.

Underground Prices of Collected Mobile Numbers from Russian Mobile Network Operators

MOBILE DATA                                PRICE
1M numbers                                 US$70
10K numbers                                US$10
Customized database with personal data     US$35 for 1,000 numbers

How the Android Update Process Works

1. Google creates the latest update to Android OS.
2. It makes the update available to manufacturers.
3. Device manufacturers make the update compatible with their devices. Phone companies must then approve the update for end users.
4. Finally, the phone companies push the update to end users.
Android Versus PC Threat Type Timeline Comparison

[Figure: timeline comparing when each threat type first appeared on PCs and on Android. Threat types compared: Worm, Ransomware, Adware, Rootkit, Infostealer, Dialer, Banking Trojan, Multicomponent Malware, Targeted Attack, Scareware.]
Android milestones shown: DROIDSMS (Aug 2010); LOTOOR/TOOR (Mar 2011); GoldDream/DroidDreamLight (Jul 2011); One-Click Billing Fraud (Aug 2011); Plankton/LEADBOLT (Jan 2012); Chuli (Mar 2013); OBAD (Jun 2013); FAKEBANK and Mobile FAKEAV (dates not recoverable from the extracted text).
PC milestones shown, with years marked 1988, 1989, 1992, 1999, 2000, 2002, 2006, 2007, and 2008: Morris, CODERED, PC Cyborg, Police Ransomware, ZANGO, 888bar, NTRootkit, Morcut, ZeuS, Passteal, TIBS Dialer, Porn Dialers, BANKER, GHOST RAT, FAKEAV, QAKBOT.
CYBERCRIME
Banking Malware Get Regionalized, Old Threats Flourish

The overall number of threats blocked by the Trend Micro™ Smart Protection Network™ increased by 13% compared with last quarter. The DOWNAD/Conficker worm remained the top malware, while the adware volume noticeably increased as more users across segments were tricked into downloading adware bundled with free software.
Overall Trend Micro Smart Protection Network Numbers

                                              APRIL    MAY      JUNE
Number of threats blocked per second          2,572    2,663    3,258
Total number of threats blocked               6.7B     7.1B     8.4B
Number of malicious files blocked             408M     483M     427M
Number of malicious URLs blocked              601M     564M     513M
Number of spam-sending IP addresses blocked   5.7B     6.1B     7.6B

We were able to protect Trend Micro customers from nearly 3,000 threats per second this quarter, compared with 2,400 in the first quarter.
Top 3 Malware

MALWARE         VOLUME   REGIONAL SHARE
WORM_DOWNAD     509K     APAC 51%, EMEA 19%, LAR 15%, North America 9%, Japan 6%
ADW_BHO         448K     Japan 34%, APAC 26%, EMEA 19%, North America 17%, LAR 4%
ADW_BPROTECT    311K     APAC 28%, EMEA 28%, Japan 20%, North America 15%, LAR 9%

The Server Service vulnerability has been patched since 2008, but DOWNAD/Conficker, which is known to exploit it, remained one of the top 3 malware this quarter. The majority of the top 50 malware comprised adware. ZACCESS/SIREFEF and SALITY remained in the top 10.
Top 3 Malware by Segment

ENTERPRISE                  SMB                         CONSUMER
NAME             VOLUME     NAME             VOLUME     NAME               VOLUME
WORM_DOWNAD.AD   360K       WORM_DOWNAD.AD   58K        ADW_BHO            370K
ADW_BPROTECT     53K        ADW_BPROTECT     9K         ADW_BPROTECT       215K
ADW_BHO          28K        ADW_BHO          8K         BKDR_BIFROSE.BMC   208K

Consumers were more inclined to unknowingly download adware that comes bundled with software, while DOWNAD/Conficker was still a concern for enterprises and small and medium-sized businesses (SMBs).
Top 10 Malicious Domains Blocked

DOMAIN                          REASON
trafficconverter.biz            Hosts malware, particularly DOWNAD variants
ads.alpha00001.com              Hosts malware that modifies default browser settings to hijack search results
www.ody.cc                      Has sites that host BKDR_HPGNB-CN and other suspicious scripts
pu.plugrush.com                 Related to a Blackhole Exploit Kit campaign
c.rvzrjs.info                   Related to spamming and other malicious activities
adsgangsta.com                  Related to malware and phishing attacks
vjlvchretllifcsgynuq.com        Hosts malware; also used to spread malware via Skype
strongvault02.safe-copy.com     Hosts malware
www.polaris-software.com        Hosts malware
promos.fling.com                Hosts malware

One of the top malicious domains blocked was related to a Blackhole Exploit Kit campaign. The domain trafficconverter.biz hosts DOWNAD/Conficker variants, which was also the top malware for the first half of 2013.

As predicted, cybercriminals have not generated completely new threats and instead opted to repackage old ones.[10] We observed several interesting trends in online banking threats this quarter that led to a 29% increase in infections with this type of malware.
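A blocklist like the table above is only useful if hostnames from DNS or proxy logs are matched against it correctly: an entry for pu.plugrush.com should also catch cdn.pu.plugrush.com, while an entry for promos.fling.com must not flag fling.com, and a naive substring test would wrongly match notfling.com. The following is an added example (not Trend Micro code) that walks each hostname's label suffixes against the report's Top 10 list; the proxy log lines are constructed for the example.

```python
"""Label-suffix matching of logged hostnames against a domain blocklist.

Added example, not Trend Micro code. BLOCKLIST is the report's Top 10
Malicious Domains Blocked; SAMPLE_LOG is constructed for this example.
"""

# Blocklist taken from the report's table.
BLOCKLIST = {
    "trafficconverter.biz",
    "ads.alpha00001.com",
    "www.ody.cc",
    "pu.plugrush.com",
    "c.rvzrjs.info",
    "adsgangsta.com",
    "vjlvchretllifcsgynuq.com",
    "strongvault02.safe-copy.com",
    "www.polaris-software.com",
    "promos.fling.com",
}

# Constructed proxy log, one request per line: "<timestamp> <client> <host> <status>".
SAMPLE_LOG = """\
2013-05-02T10:14:03Z 10.0.0.15 trafficconverter.biz 200
2013-05-02T10:14:05Z 10.0.0.15 cdn.pu.plugrush.com 200
2013-05-02T10:14:09Z 10.0.0.22 www.example.org 200
2013-05-02T10:14:11Z 10.0.0.22 notfling.com 200
2013-05-02T10:14:15Z 10.0.0.31 PROMOS.FLING.COM. 302
2013-05-02T10:14:20Z 10.0.0.31 fling.com 200
"""


def normalize(hostname):
    """Lower-case the name and strip a trailing dot (FQDN form) before comparing."""
    return hostname.strip().lower().rstrip(".")


def blocked_by(hostname, blocklist=BLOCKLIST):
    """Return the blocklist entry that covers `hostname`, or None.

    The hostname itself and each of its parent domains are checked, so an
    entry for pu.plugrush.com also covers cdn.pu.plugrush.com. A listed
    subdomain (promos.fling.com) does not cover its parent (fling.com), and
    look-alikes such as notfling.com never match.
    """
    labels = normalize(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_log(log_text, blocklist=BLOCKLIST):
    """Return (client, host, matched_entry) for each log line that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the scan
        _timestamp, client, host, _status = fields[:4]
        entry = blocked_by(host, blocklist)
        if entry:
            hits.append((client, normalize(host), entry))
    return hits


if __name__ == "__main__":
    for client, host, entry in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host} (blocklist entry: {entry})")
```

Running the block over the constructed log reports three hits (the Conficker domain, the plugrush subdomain, and the upper-cased FQDN form of promos.fling.com) and leaves notfling.com and fling.com alone.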
Online Banking Malware Infections

                           1Q 2013    2Q 2013
Online banking infections  113K       146K

Online banking infections per month: April 37K, May 39K, June 71K

Top Online Banking Victim Countries

COUNTRY          SHARE
United States    28%
Brazil           22%
Australia         5%
France            5%
Japan             4%
Taiwan            4%
Vietnam           3%
India             2%
Germany           2%
Canada            2%
Others           23%

The online banking malware volume significantly increased this quarter, due in part to the rise in the ZeuS/ZBOT malware volume in the wild. Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the Americas. The United States was most affected by online banking malware, accounting for 28% of the total number of infections worldwide.

Brazil, an online banking malware hotspot, was mostly targeted by two types of the threat this quarter. The first was the BANKER malware disguised as updates for Adobe® Flash® Player hosted on compromised sites.[11] The other malware was disguised as a “homemade browser” that targets Banco do Brasil users.[12]

In the cybercriminal underground, the CARBERP source code was “leaked,” making the creation of banking Trojans even easier for bad guys. Meanwhile, other online banking Trojan toolkits like ZeuS, SpyEye, and Ice IX are already available for free, making it easier for any skilled hacker to obtain their source codes.
Underground Price Changes for Basic Online Banking Toolkits

[Figure: line chart of estimated underground prices (US$0 to US$10,000) for the ZeuS, SpyEye, CARBERP, Ice IX (only made available in 2012), and Citadel toolkits from 2010 to 2013; the individual price points are not recoverable from the extracted text.]
These are estimated going rates. Note that ZeuS and SpyEye have been around since before 2010.

We found an online banking malware that modifies an infected computer’s HOSTS file to redirect customers of certain South Korean banks to phishing sites.[13] We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan. These malware not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.

As predicted, cybercriminals carried out developments in malware distribution and refinement for existing tools. New ZeuS/ZBOT deployment tactics include a propagation routine.[14] The PIZZER worm was also found spreading and copying itself onto password-protected archived files, using a technique similar to that of the PROLACO malware.[15]

Several cloud services were also hit by attacks this quarter. The VERNOT backdoor, which first abused a popular note-taking service, abused a well-known Japanese blogging platform by using it as a C&C server. Several GAMARUE variants were hosted on SourceForge, a popular code repository. Cybercriminals typically abuse legitimate services for “free hosting,” successfully tricking users into trusting malicious links since these appear to belong to a well-known name.

More developments in cybercrime contributed to the increase in spam and botnet activity this quarter. Among these were the compromise of WordPress sites in April, the emergence of Stealrat and its use of compromised hosts to send out spam, and observed peaks in spam activity.[16]
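The HOSTS-file redirect described above is simple to detect on the endpoint, because a bank's hostname has no legitimate reason to be pinned in a local HOSTS file at all. The following added example (not Trend Micro code) parses HOSTS-format text and reports any watchlisted bank hostname it finds, distinguishing a redirect to an outside address (the pharming case) from a loopback or unspecified address that merely blocks access. The watchlist and the sample HOSTS content are constructed for the example, using .test names and documentation address ranges.

```python
"""Detecting HOSTS-file pharming entries.

Added example, not Trend Micro code. WATCHLIST and SAMPLE_HOSTS are
constructed for this example; a real deployment would load its own list of
monitored hostnames and read the live HOSTS file.
"""
import ipaddress
import re

# Constructed watchlist of bank hostnames a defender wants to monitor.
WATCHLIST = {"www.examplebank.test", "online.examplebank.test", "login.bank-two.test"}

# Constructed HOSTS content: normal localhost lines, an ad-blocking entry, two
# attacker-style lines pinning bank hostnames to outside addresses, and one
# line that blackholes a bank hostname.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.tracker.test
192.0.2.45      www.examplebank.test online.examplebank.test   # looks like a CDN entry
198.51.100.7    login.bank-two.test
0.0.0.0         www.bank-three.test
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-format text.

    Text after '#' and blank lines are ignored; one line may map several names
    to the same address. Lines whose first field is not an IP address are
    skipped as malformed.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def classify(ip):
    """'redirect' if the address can carry traffic off the host, else 'blackhole'."""
    return "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"


def find_pharming(text, watchlist=WATCHLIST):
    """Return a finding for every watchlisted hostname present in the HOSTS text.

    Any pinning of a bank hostname is suspicious: a non-local address redirects
    the customer (pharming), while a loopback/unspecified address denies access
    to the real site. Hostnames outside the watchlist are not reported.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in watchlist:
            findings.append({"line": line_no, "host": name,
                             "ip": str(ip), "kind": classify(ip)})
    return findings


if __name__ == "__main__":
    for f in find_pharming(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On the constructed sample this reports the two redirect lines (three hostnames); www.bank-three.test is reported as a blackhole only if it is added to the watchlist. To run it against a real machine, read the file at /etc/hosts or, on Windows, %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_pharming.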
Number of Botnet C&C Servers Detected per Month

APRIL    1,434
MAY      4,003
JUNE     2,102

May showed the highest number of detected C&C servers so far this year.

Number of Connections to Botnets per Month

APRIL     2.7M
MAY      11.9M
JUNE     10.4M

Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Top 10 Spam Languages

While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.

RANK  LANGUAGE     SHARE
1     English      82.56%
2     Chinese       3.26%
3     Russian       2.49%
4     Japanese      1.94%
5     German        0.86%
6     Portuguese    0.29%
7     Spanish       0.20%
8     Icelandic     0.16%
9     French        0.07%
10    Turkish       0.07%
      Others        8.10%
Top 10 Spam-Sending Countries

Cybercriminals are finding other countries in which to host their malicious activities, hence the increase in spam activity in countries like Argentina, Italy, Mexico, and Turkey.

RANK  COUNTRY          SHARE
1     United States     9.47%
2     Spain             6.97%
3     India             6.36%
4     Taiwan            5.68%
5     Argentina         5.49%
6     Italy             4.52%
7     Colombia          3.70%
8     Mexico            3.56%
9     Belarus           3.55%
10    Turkey            3.08%
      Others           47.62%
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms

As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites of popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3.[17] Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.[18] These attacks abused the use of the SSO approach, which should serve as a reminder to protect online accounts and avoid using weak passwords.

Users were also reacquainted with old social engineering tactics, as several attacks used diverse items, including the Boston Marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait.[19]
Notable Social Engineering Lures Used

Get free followers on Instagram
Boston bombing
MIT shooting
Texas fertilizer plant bombing
Iron Man 3
Income tax returns

As more users across different segments maximize the use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote, and Twitter rolled out additional security measures, which notably included two-step verification.[20] The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.[21]

Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer “free followers” or use professional-looking sites where victims can supposedly buy followers in bulk.[22] The tactic of selling followers is not new, though. Cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.[23]
How Cybercriminals Trick Users into Giving Out Their Information[24]

Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.

Spam and phishing sites (early 2000–2009): Scams in the early 2000s mainly comprised pharmaceutical, account notification, and Nigerian scams, which mostly led victims to phishing sites.

Search engines (2009–2011): Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique takes advantage of keywords related to significant news and/or events for malicious purposes.

Social media (late 2009–present): Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr, and Pinterest.

Mobile (2011–present): Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act

After last quarter’s high volume of zero-day vulnerabilities, Oracle implemented several steps that aimed to improve Java’s security. These include quarterly update releases, automated security testing, and not allowing self-signed or unsigned apps for Java software used in browsers.

Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer® (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised.[25] Exploits targeting Plesk and ColdFusion® also put forth the importance of securing web servers and touched on how enterprises secure their sites.[26]

As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.[27] This quarter, we saw exploits target the software flaw as a result of the disclosure of the vulnerability’s code.

The issue of addressing vulnerabilities was a hot topic this quarter, especially with Google’s announcement of a seven-day disclosure policy. Several security pundits saw this as a noble yet impractical proposal. But as our CTO Raimund Genes pointed out, the bigger issue that should be discussed has to do with how vulnerabilities should be reported.
Timeline of Vulnerability Attacks

[Figure: timeline for Ruby on Rails, Plesk, the IE zero-day, and Java across four milestones: Private Disclosure, Public Disclosure, Patch Released, Exploited. The dates appear in the extracted text with their separators lost, in this order: 1082013, 5032012, 1282013, 1172012, 5282013, 5032012, 4302013, 5032013, 5142013, 6182013, 6182013; which product and milestone each belongs to is not recoverable.]
How Oracle Plans to Secure Java

Delivering three patches every three months starting October 2013
Using automated security testing tools against regressions and bugs
Supporting Windows® security policies so system administrators can set networkwide policies on Java use
Disallowing running unsigned or self-signed apps
Making Java’s process of revoking signing signatures flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES
Corporate Security Woes Pile Up

Targeted Attacks

Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia-Pacific.[28] This campaign hit various industries like telecommunications, oil and gas, government, media, and others. It usually starts out with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as “Safe.”[29] Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.

Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston Marathon bombing as a social engineering lure to trick users into downloading a malware that communicates over Secure Sockets Layer (SSL).[30]
File Types Used in Spear Phishing Related to Targeted Attacks

RANK  FILE TYPE               SHARE
1     EXE/DLL                 43%
2     DOC                     12%
3     JPG                     10%
4     TXT/HTML                 8%
5     RTF                      5%
6     ZIP                      4%
7     XLS                      3%
8     RAR                      3%
9     PPS/PPT                  3%
10    (label not recovered)    2%
      Others                   7%

Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
DDoS Attacks

Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.

Data Breaches

Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies[31]

COMPANY                        RESULTS
Goo                            Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan                    Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP)          Attackers hacked AP’s Twitter account, which erased US$200 billion worth of stock value
LivingSocial                   Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies  Several sites were defaced and suffered DDoS attacks

Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix

Top 10 Android Adware Families

RANK  FAMILY     SHARE
1     ARPUSH     41.79%
2     ADSWO      16.50%
3     PLANKTON   12.84%
4     LEADBLT    11.02%
5     IZP         8.17%
6     WAPSX       4.25%
7     OQX         4.10%
8     WBOO        0.67%
9     YOUMI       0.27%
10    UAPSH       0.13%
      Others      0.26%
Malicious URL Country Sources

No major changes among the countries on the list were seen. The United States accounted for the lion’s share of the malicious URL volume, with Germany trailing not far behind.

RANK  COUNTRY          SHARE
1     United States    25.90%
2     Germany           3.24%
3     China             3.16%
4     Netherlands       3.13%
5     South Korea       2.60%
6     France            1.94%
7     Japan             1.93%
8     Russia            1.64%
9     Canada            0.81%
10    United Kingdom    0.77%
      Others           54.88%
Top 10 Countries with the Most Number of Botnet C&C Servers

Similar to the previous quarter, the United States had the most number of botnet C&C servers, while Australia surpassed South Korea.

RANK  COUNTRY          SHARE
1     United States    24.05%
2     Australia         5.15%
3     South Korea       3.38%
4     China             3.02%
5     Germany           2.87%
6     Taiwan            2.10%
7     France            1.88%
8     United Kingdom    1.72%
9     Brazil            1.47%
10    Canada            1.18%
      Others           53.18%

Top 10 Countries with the Highest Number of Connections to Botnets

DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country’s volume of malicious connections.

RANK  COUNTRY          SHARE
1     Malaysia         28.39%
2     United States    14.14%
3     France           11.63%
4     Germany           5.64%
5     Canada            5.29%
6     South Korea       4.13%
7     United Kingdom    3.84%
8     Thailand          3.22%
9     Hong Kong         3.07%
10    Italy             2.53%
      Others           18.12%
References

1. Trend Micro Incorporated. (2013). “TrendLabs 2012 Annual Security Roundup: Evolved Threats in a ‘Post-PC’ World.” Last accessed July 30, 2013, httpwwwtrendmicrocomcloud-contentuspdfssecurity-intelligencereportsrpt-evolved-threats-in-a-post-pc-worldpdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. “Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. “ANDROIDOS_OBAD.A.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomusmalwareANDROIDOS_OBADA
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. “Cybercriminals Improve Android Malware Stealth Routines with OBAD.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. “ANDROIDOS_FAKEBANK.A.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomusmalwareANDROIDOS_FAKEBANKA
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. “Mobile Ads Pushed by Android Apps Lead to Scam Sites.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencemobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. “ANDROIDOS_FAKEAV.F.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomusmalwareANDROIDOS_FAKEAVF
8. Iain Thomson. (March 27, 2013). The Register. “Tibetan and Uyghur Activists Targeted with Android Malware.” Last accessed July 30, 2013, httpwwwtheregistercouk20130327android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. “Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets.” Last accessed July 30, 2013, httpwwwericssoncomvnnews2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). “Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond.” Last accessed July 30, 2013, httpwwwtrendmicrocoukmediamisctrend-micro-predictions-for-2013-and-beyond-enpdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. “BANKER Malware Hosted in Compromised Brazilian Government Sites.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencebanker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. “Homemade Browser Targeting ‘Banco do Brasil’ Users.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencehomemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. “Malware Redirects South Korean Users to Phishing Sites.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencemalware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. “Going Solo: Self-Propagating ZBOT Malware Spotted.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencegoing-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. “Worm Creates Copies in Password-Protected Archived Files.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligenceworm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. “Compromised Sites Conceal Stealrat Botnet Operations.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. “Man of Steel, Fast and Furious 6 Among Online Fraudsters’ Most Used Lures.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligenceman-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. “Fake Iron Man 3 Streaming Sites Sprout on Social Media.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencefake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. “Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencebackdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. “Hackers to Manage Your Apple ID If Caught from Phishing Bait.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencehackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. “KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencekelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. “Spam Attack Leverages Oklahoma Tornado Disaster.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomusspam494Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. “Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. “Cybercriminals Threaten Tax Day Once Again.” Last accessed July 30, 2013, http blogtrendmicrocomtrendlabs-security-intelligencecybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. “LinkedIn Improves Security with Two-Factor Authentication.” Last accessed July 2013, httpwwwnbcnewscomtechnologylinkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. “Evernote’s Three New Security Features.” Last accessed July 2013, httpblogevernotecomblog20130530evernotes-three-new-security-features; Jim O’Leary. (May 22, 2013). Twitter Blog. “Getting Started with Login Verification.” Last accessed July 2013, httpsblogtwittercom2013getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. “AP Twitter Feed Hacked; No Attack at White House.” Last accessed July 30, 2013, httpwwwusatodaycomstorytheoval20130423obama-carney-associated-press-hack-white-house2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. “Scam Sites Now Selling Instagram Followers.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencescam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. “How Yahoo Plans to Make Money on Tumblr: Ads That Don’t Feel Like Ads.” Last accessed July 30, 2013, httpqzcom86437how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. “Mobile Apps: New Frontier for Cybercrime.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomuswebattack119mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. “With Holiday Wishes Come Poisoned Searches.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencewith-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. “Sports as Bait: Cybercriminals Play to Win.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomuswebattack99sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. “Spam, Scams, and Other Social Media Threats.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomuswebattack75spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. “Compromised US Government Web Page Used Zero-Day Exploit.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. “Plesk Zero-Day Exploit Results in Compromised Web Server.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligenceplesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. “Trend Micro Deep Security Guards Users from Ruby on Rails Exploit.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. “RARSTONE Found in Targeted Attacks.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencerarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. “Hiding in Plain Sight: A New Targeted Attack Campaign.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencehiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. “Targeted Attack Campaign Hides Behind SSL Communication.” Last accessed July 2013, httpblogtrendmicrocomtrendlabs-security-intelligencetargeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. “Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised.” Last accessed July 30, 2013, httpwwwcomputerworldcomauarticle458079japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. “LivingSocial Security Notice.” Last accessed July 30, 2013, httpswwwlivingsocialcomcreatepassword; Kadim Shubber. (May 20, 2013). Wired UK. “Millions of Users’ Data Hacked in Yahoo Japan Security Breach.” Last accessed July 30, 2013, httpwwwwiredcouknewsarchive2013-0520yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. “AP Responds to Hacking of Twitter Account.” Last accessed July 30, 2013, httpblogaporg20130423hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition.

Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.

©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Created by
Global Technical Support & R&D Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
5 | Mobile
The increased sophistication of mobile threats could be attributed to the growing demand for short message service (SMS)-related information in the underground market SMS databases are some of the best-selling data sets in the underground
Underground Prices of Collected Mobile Numbers from Russian Mobile Network Operators
MOBILE DATA: PRICE
1M numbers: US$70
10K numbers: US$10
Customized database with personal data: US$35 for 1,000 numbers

How the Android Update Process Works
1. Google creates the latest update to Android OS.
2. It makes the update available to manufacturers.
3. Device manufacturers make the update compatible with their devices.
4. Phone companies must then approve the update for end users.
5. Finally, the phone companies push the update to end users.
Android Versus PC Threat Type Timeline Comparison (figure)
Android threats named on the chart, with marked dates from Aug 2010 to Jun 2013 (DROIDSMS, Aug 2010; then Mar 2011, Jul 2011, Aug 2011, Jan 2012, Mar 2013 and Jun 2013): DROIDSMS, LOTOOR/TOOR, GoldDream, DroidDreamLight, One-Click Billing Fraud, Plankton/LEADBOLT, Chuli, OBAD, FAKEBANK, Mobile FAKEAV.
PC threats named on the chart, with marked years 1988, 1989, 1992, 1999, 2000, 2002, 2006, 2007 and 2008 (Morris, 1988): Morris, CODERED, PC Cyborg, Police Ransomware, ZANGO/888bar, NTRootkit, Morcut, ZeuS, Passteal, TIBS Dialer, Porn Dialers, BANKER, GHOST RAT, FAKEAV, QAKBOT.
Threat types in the legend: Worm, Ransomware, Adware, Rootkit, Infostealer, Dialer, Banking Trojan, Multicomponent Malware, Targeted Attack, Scareware.
CYBERCRIME
Banking Malware Get Regionalized, Old Threats Flourish
The overall number of threats blocked by the Trend Micro™ Smart Protection Network™ increased by 13% compared with last quarter. The DOWNAD/Conficker worm remained the top malware, while the adware volume noticeably increased as more users across segments were tricked into downloading adware bundled with free software.
Overall Trend Micro Smart Protection Network Numbers (chart; monthly figures for April / May / June)
Number of threats blocked per second: 2,572 / 2,663 / 3,258
Total number of threats blocked: 6.7B / 7.1B / 8.4B
Number of malicious files blocked: 5.7B / 6.1B / 7.6B
Number of malicious URLs and spam-sending IP addresses blocked: 408M and 601M (April), 483M and 564M (May), 427M and 513M (June)
We were able to protect Trend Micro customers from nearly 3,000 threats per second this quarter, compared with 2,400 in the first quarter.
Top 3 Malware (volume and regional distribution)
WORM_DOWNAD (509K): APAC 51%, EMEA 19%, LAR 15%, North America 9%, Japan 6%
ADW_BHO (448K): Japan 34%, APAC 26%, EMEA 19%, North America 17%, LAR 4%
ADW_BPROTECT (311K): APAC 28%, EMEA 28%, Japan 20%, North America 15%, LAR 9%
The Server Service vulnerability has been patched since 2008, but DOWNAD/Conficker, which is known to exploit it, remained one of the top 3 malware this quarter. The majority of the top 50 malware comprised adware. ZACCESS/SIREFEF and SALITY remained in the top 10.
Top 3 Malware by Segment
ENTERPRISE: WORM_DOWNAD.AD 360K; ADW_BPROTECT 53K; ADW_BHO 28K
SMB: WORM_DOWNAD.AD 58K; ADW_BPROTECT 9K; ADW_BHO 8K
CONSUMER: ADW_BHO 370K; ADW_BPROTECT 215K; BKDR_BIFROSE.BMC 208K
Consumers were more inclined to unknowingly download adware that comes bundled with software, while DOWNAD/Conficker was still a concern for enterprises and small and medium-sized businesses (SMBs).
Top 10 Malicious Domains Blocked
DOMAIN: REASON
trafficconverter.biz: Hosts malware, particularly DOWNAD variants
ads.alpha00001.com: Hosts malware that modifies default browser settings to hijack search results
www.ody.cc: Has sites that host BKDR_HPGN.B-CN and other suspicious scripts
pu.plugrush.com: Related to a Blackhole Exploit Kit campaign
c.rvzrjs.info: Related to spamming and other malicious activities
adsgangsta.com: Related to malware and phishing attacks
vjlvchretllifcsgynuq.com: Hosts malware; also used to spread malware via Skype
strongvault02.safe-copy.com: Hosts malware
www.polaris-software.com: Hosts malware
promos.fling.com: Hosts malware
One of the top malicious domains blocked was related to a Blackhole Exploit Kit campaign. The domain trafficconverter.biz hosts variants of DOWNAD/Conficker, which was also the top malware for the first half of 2013.
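A defender applying a list like the one above to their own proxy or DNS logs needs subdomain-aware matching. The following Python script is an added example, not code from the Trend Micro report; it uses the ten names from the table and a constructed proxy log, and treats a request to a listed name or any of its subdomains as a hit while ignoring look-alike names that merely end with the same characters.

```python
"""Apply a domain block list to proxy-log requests (added example)."""
from urllib.parse import urlsplit

# The ten names from the "Top 10 Malicious Domains Blocked" table above.
BLOCKED = {
    "trafficconverter.biz", "ads.alpha00001.com", "www.ody.cc",
    "pu.plugrush.com", "c.rvzrjs.info", "adsgangsta.com",
    "vjlvchretllifcsgynuq.com", "strongvault02.safe-copy.com",
    "www.polaris-software.com", "promos.fling.com",
}

def blocked_entry(host):
    """Return the block-list entry covering host, or None.

    Walks from the full name toward its parent labels, so that
    cdn.ads.alpha00001.com matches ads.alpha00001.com, while
    notadsgangsta.com and ads.alpha00001.com.example.org do not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):             # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED:
            return candidate
    return None

def scan_log(lines):
    """Return (client_ip, hostname, matched_entry) for each blocked request.

    Each line has the constructed layout: <client ip> <method> <url>.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        host = urlsplit(url).hostname
        if host is None:
            continue
        entry = blocked_entry(host)
        if entry:
            hits.append((client, host, entry))
    return hits

# Constructed proxy log; clients use the 192.0.2.0/24 documentation range.
SAMPLE_LOG = [
    "192.0.2.10 GET http://trafficconverter.biz/update",
    "192.0.2.11 GET http://cdn.ads.alpha00001.com/search?q=x",
    "192.0.2.12 GET https://www.example.com/",
    "192.0.2.13 GET http://notadsgangsta.com/",                # look-alike name
    "192.0.2.14 GET http://ads.alpha00001.com.example.org/",   # listed name as a prefix
    "192.0.2.15 GET http://promos.fling.com/offer",
]

if __name__ == "__main__":
    for client, host, entry in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host} (blocked: {entry})")
```

Because the table lists some entries as subdomains (ads.alpha00001.com, pu.plugrush.com), the matcher deliberately does not block the parent registered domain; widen the list only if the parent is known to be wholly malicious.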
As predicted, cybercriminals have not generated completely new threats and instead opted to repackage old ones.[10] We observed several interesting trends in online banking threats this quarter that led to a 29% increase in infections with this type of malware.
Online Banking Malware Infections
1Q 2013: 113K
2Q 2013: 146K

Top Online Banking Victim Countries
COUNTRY: SHARE
United States 28%
Brazil 22%
Australia 5%
France 5%
Japan 4%
Taiwan 4%
Vietnam 3%
India 2%
Germany 2%
Canada 2%
Others 23%
The online banking malware volume significantly increased this quarter, due in part to the rise in the ZeuS/ZBOT malware volume in the wild. Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the Americas. The United States was most affected by online banking malware, accounting for 28% of the total number of infections worldwide.
Online Banking Infections per Month (chart)
April: 37K
May: 39K
June: 71K
Brazil, an online banking malware hotspot, was mostly targeted by two kinds of banking threat this quarter. The first was the BANKER malware disguised as updates for Adobe® Flash® Player hosted on compromised sites.[11] The other malware was disguised as a "homemade browser" that targets Banco do Brasil users.[12]
In the cybercriminal underground, the CARBERP source code was "leaked," making the creation of banking Trojans even easier to do for bad guys. Meanwhile, other online banking Trojan toolkits like ZeuS, SpyEye and Ice IX are already available for free, making it easier for any skilled hacker to obtain their source codes.
Underground Price Changes for Basic Online Banking Toolkits (chart; prices from 0 to US$10,000 across 2010, 2011, 2012 and 2013 for ZEUS, SPYEYE, CARBERP, ICE IX (only made available in 2012) and CITADEL)
We found an online banking malware that modifies an infected computer's HOSTS file to redirect a customer of certain South Korean banks to phishing sites.[13] We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan. These malware not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.
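The HOSTS-file redirection described above is straightforward to check for on an endpoint. The following Python script is an added example, not code from the Trend Micro report; the bank domain names and the sample HOSTS content are constructed, and the script flags any monitored domain (or subdomain of it) that is mapped to anything other than a loopback or null address.

```python
"""Flag HOSTS-file entries that redirect banking domains (added example)."""
import ipaddress

# Constructed watch list; these are placeholder names, not real banks.
MONITORED_DOMAINS = {"bank-example.kr", "onlinebank-example.com"}

# Targets a HOSTS entry may legitimately point at: loopback, or the
# null address commonly used to blackhole a name.
SAFE_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in HOSTS text."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address/hostname line
        for host in fields[1:]:
            yield str(ip), host.lower().rstrip("."), lineno

def is_monitored(host):
    """True if host is a monitored domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in MONITORED_DOMAINS)

def find_hijacks(text):
    """Return (line_number, hostname, ip) for each suspicious mapping."""
    return [(lineno, host, ip)
            for ip, host, lineno in parse_hosts(text)
            if is_monitored(host) and ip not in SAFE_TARGETS]

# Constructed sample; 203.0.113.0/24 is a documentation range (RFC 5737).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.bank-example.kr   # loopback: harmless
203.0.113.7     bank-example.kr www.bank-example.kr
203.0.113.7     login.onlinebank-example.com
203.0.113.9     updates.unrelated-example.net
"""

if __name__ == "__main__":
    for lineno, host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip} (possible phishing redirect)")
```

On a real endpoint the text would be read from the system HOSTS file (C:\Windows\System32\drivers\etc\hosts or /etc/hosts), and any hit is worth treating as an indicator of infection rather than a misconfiguration, since there is no ordinary reason for a public bank name to be pinned there.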
As predicted, cybercriminals carried out developments in malware distribution and refinement for existing tools. New ZeuS/ZBOT deployment tactics include a propagation routine.[14] The PIZZER worm was also found spreading and copying itself onto password-protected archived files, using a technique similar to that of PROLACO malware.[15]
Several cloud services were also hit by attacks this quarter. The VERNOT backdoor, which first abused a popular note-taking service, abused a well-known Japanese blogging platform by using it as a C&C server. Several GAMARUE variants were hosted on SourceForge, a popular code repository. Cybercriminals typically abuse legitimate services for "free hosting," successfully tricking users into trusting malicious links since these appear to belong to a well-known name.
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter. Among these were the compromise of WordPress sites in April, the emergence of Stealrat and its use of compromised hosts to send out spam, and observed peaks in spam activity.[16]
Note on the toolkit price chart: these are estimated going rates. ZeuS and SpyEye have been around since before 2010.
Number of Botnet C&C Servers Detected per Month (chart; monthly counts for April, May and June shown as 1,434, 2,102 and 4,003, with May the highest at 4,003)
May showed the highest number of detected C&C servers so far this year.
Number of Connections to Botnets per Month (chart; monthly counts shown as 2.7M, 10.4M and 11.9M, with May the highest at 11.9M)
Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Top 10 Spam Languages
While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.
1. English 82.56%
2. Chinese 3.26%
3. Russian 2.49%
4. Japanese 1.94%
5. German 0.86%
6. Portuguese 0.29%
7. Spanish 0.20%
8. Icelandic 0.16%
9. French 0.07%
10. Turkish 0.07%
Others 8.10%
(The chart also marks each entry as moved down, moved up or a new entry.)
Top 10 Spam-Sending Countries
Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico and Turkey.
1. United States 9.47%
2. Spain 6.97%
3. India 6.36%
4. Taiwan 5.68%
5. Argentina 5.49%
6. Italy 4.52%
7. Colombia 3.70%
8. Mexico 3.56%
9. Belarus 3.55%
10. Turkey 3.08%
Others 47.62%
(The chart also marks each entry as moved down, moved up or a new entry.)
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms
As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress and Blogger to host fake streaming sites of popular summer movies, including Man of Steel, Fast and Furious 6 and Iron Man 3.[17] Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.[18] These attacks abused the use of the SSO approach, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse items, including the Boston marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion and the tax season, as bait.[19]
Notable Social Engineering Lures Used (figure): "Get Free Followers on Instagram," Boston bombing, MIT shooting, Texas fertilizer plant bombing, Iron Man 3, income tax returns
As more users across different segments maximize the use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote and Twitter rolled out additional security measures, which notably included two-step verification.[20] The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.[21]
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where they can supposedly buy followers in bulk.[22] The tactic of selling followers is not new, though. Cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.[23]
How Cybercriminals Trick Users into Giving Out Their Information [24]
Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.
Spam and phishing sites (early 2000–2009): Scams in the early 2000s mainly comprised pharmaceutical, account notification and Nigerian scams, which mostly led victims to phishing sites.
Search engines (2009–2011): Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique takes advantage of using keywords related to significant news and/or events for malicious purposes.
Social media (late 2009–present): Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr and Pinterest.
Mobile (2011–present): Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act
After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps that aimed to improve Java's security. These include quarterly update releases, automated security testing, and not allowing self-signed or unsigned apps for Java software used in browsers.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer® (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised.[25] Exploits targeting Plesk and ColdFusion® also put forth the importance of securing web servers and touched on how enterprises secure their sites.[26]
As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.[27] This quarter, we saw exploits target the software flaw as a result of the disclosure of the vulnerability's code.
The issue of addressing vulnerabilities was a hot topic this quarter, especially with Google's announcement of a seven-day disclosure policy. Several security pundits saw this as a noble yet impractical proposal. But as our CTO Raimund Genes pointed out, the bigger issue that should be discussed has to do with how vulnerabilities should be reported.
Timeline of Vulnerability Attacks (figure)
Rows: Ruby on Rails, Plesk, IE zero-day, Java. Columns: Private Disclosure, Public Disclosure, Patch Released, Exploited.
Dates marked on the timeline, in the order they appear (m/dd/yyyy): 1/08/2013, 5/03/2012, 1/28/2013, 1/17/2012, 5/28/2013, 5/03/2012, 4/30/2013, 5/03/2013, 5/14/2013, 6/18/2013, 6/18/2013.
How Oracle Plans to Secure Java
- Delivering three patches every three months, starting October 2013
- Using automated security testing tools against regressions and bugs
- Supporting Windows® security policies so system administrators can set networkwide policies on Java use
- Disallowing running unsigned or self-signed apps
- Making Java's process of revoking signing signatures flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS AND DATA BREACHES
Corporate Security Woes Pile Up
Targeted Attacks
Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia/Pacific.[28] This campaign hit various industries like telecommunications, oil and gas, government, media and others. It usually starts out with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as "Safe."[29] Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston marathon bombing as a social engineering lure to trick users into downloading a malware that communicates via Secure Sockets Layer (SSL) communication.[30]
File Types Used in Spear Phishing Related to Targeted Attacks (chart)
Ranked file types: 1. EXE/DLL, 2. DOC, 3. JPG, 4. TXT/HTML, 5. RTF, 6. ZIP, 7. XLS, 8. RAR, 9. PPS/PPT, 10. Others
Shares shown on the chart, in order: 43%, 12%, 10%, 8%, 5%, 4%, 3%, 3%, 3%, 2%, and 7% for Others
Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
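Because any attachment type can carry the payload, a triage step that identifies the real file format from its leading bytes, rather than trusting the extension, is worth having. The following Python script is an added example, not code from the Trend Micro report; the file names and byte samples are constructed, and the signature table covers the formats named in the chart plus PDF.

```python
"""Identify an attachment's real format from its leading bytes (added example)."""

# Magic-number table for the formats named in the chart above, plus PDF.
SIGNATURES = [
    (b"MZ", "pe"),                                  # Windows EXE/DLL
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy DOC/XLS/PPT/PPS
    (b"PK\x03\x04", "zip"),                         # ZIP, also DOCX/XLSX/PPTX
    (b"{\\rtf", "rtf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"Rar!\x1a\x07", "rar"),
]

# Formats that may legitimately sit behind each extension.
EXPECTED = {
    "exe": {"pe"}, "dll": {"pe"}, "pdf": {"pdf"},
    "doc": {"ole2", "zip"}, "xls": {"ole2", "zip"},
    "ppt": {"ole2", "zip"}, "pps": {"ole2", "zip"},
    "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "rtf": {"rtf"},
    "zip": {"zip"}, "rar": {"rar"},
    "txt": {"text"}, "html": {"text"}, "htm": {"text"},
}

EXECUTABLE_EXTENSIONS = {"exe", "dll"}

def sniff(data):
    """Return the format implied by the first bytes of data."""
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    # No known binary signature: call it text if there are no NUL bytes.
    return "text" if b"\x00" not in data[:512] else "unknown"

def triage(filename, data):
    """Classify one attachment by comparing its name with its content."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sniff(data)
    # "invoice.pdf.exe": a document extension placed in front of an executable.
    if len(parts) > 2 and ext in EXECUTABLE_EXTENSIONS and parts[-2] in EXPECTED:
        return "executable with double extension"
    if actual == "pe" and ext not in EXECUTABLE_EXTENSIONS:
        return f"executable disguised as .{ext}" if ext else "executable without extension"
    expected = EXPECTED.get(ext)
    if expected is None:
        return f"unrecognized extension (content: {actual})"
    if actual in expected:
        return "ok"
    return f"mismatch: .{ext} but content is {actual}"

def triage_all(samples):
    """Run triage over a {filename: bytes} mapping."""
    return {name: triage(name, data) for name, data in samples.items()}

# Constructed samples: only the first bytes matter here.
SAMPLES = {
    "quarterly_report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "holiday_photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00",       # PE behind an image name
    "agenda.pdf": b"%PDF-1.5\n",
    "invoice.pdf.exe": b"MZ\x90\x00",                          # double extension
    "notes.txt": b"Meeting moved to 3pm\n",
    "archive.zip": b"Rar!\x1a\x07\x00",                       # RAR named as ZIP
}

if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLES).items():
        print(f"{name}: {verdict}")
```

A real mail gateway would feed the first few hundred bytes of every attachment through triage() and quarantine anything other than "ok"; the text fallback is deliberately loose, so TXT and HTML attachments still need a separate check for embedded scripts.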
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.
Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies [31]
COMPANY: RESULTS
Goo: Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan: Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP): Attackers hacked AP's Twitter account, which erased US$200 billion worth of stock value
LivingSocial: Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies: Several sites were defaced and suffered DDoS attacks
Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families
1. ARPUSH 41.79%
2. ADSWO 16.50%
3. PLANKTON 12.84%
4. LEADBLT 11.02%
5. IZP 8.17%
6. WAPSX 4.25%
7. OQX 4.10%
8. WBOO 0.67%
9. YOUMI 0.27%
10. UAPSH 0.13%
Others 0.26%
Malicious URL Country Sources
No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.
COUNTRY: SHARE
1. United States 25.90%
2. Germany 3.24%
3. China 3.16%
4. Netherlands 3.13%
5. South Korea 2.60%
6. France 1.94%
7. Japan 1.93%
8. Russia 1.64%
9. Canada 0.81%
10. United Kingdom 0.77%
Others 54.88%
Top 10 Countries with the Highest Number of Botnet C&C Servers
Similar to the previous quarter, the United States had the highest number of botnet C&C servers, while Australia surpassed South Korea.
COUNTRY: SHARE
1. United States 24.05%
2. Australia 5.15%
3. South Korea 3.38%
4. China 3.02%
5. Germany 2.87%
6. Taiwan 2.10%
7. France 1.88%
8. United Kingdom 1.72%
9. Brazil 1.47%
10. Canada 1.18%
Others 53.18%
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.
COUNTRY: SHARE
1. Malaysia 28.39%
2. United States 14.14%
3. France 11.63%
4. Germany 5.64%
5. Canada 5.29%
6. South Korea 4.13%
7. United Kingdom 3.84%
8. Thailand 3.22%
9. Hong Kong 3.07%
10. Italy 2.53%
Others 18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
6 | Cybercrime
CyBERCRIME
Banking Malware Get Regionalized Old Threats FlourishThe overall number of threats blocked by the Trend Microtrade Smart Protection Networktrade increased by 13 compared with last quarter The DOWNADConficker worm remained
the top malware while the adware volume noticeably increased as more users across segments were tricked into downloading them as part of free software
Overall Trend Micro Smart Protection Network Numbers
9B
8B
7B
6B
5B
4B
3B
2B
0
1B
NUMBER OF THREATSBLOCKED PER SECOND
TOTAL NUMBER OFTHREATS BLOCKED
NUMBER OF MALICIOUSFILES BLOCKED
NUMBER OF MALICIOUSURLs BLOCKED
NUMBER OF SPAM-SENDING IP ADDRESSESBLOCKED
APRIL MAY JUNE
57B
408M601M
67B71B
84B
25722663
3258
61B
483M564M
76B
427M513M
We were able to protect Trend Micro customers from nearly 3000 threats per second this quarter compared with 2400 in the first quarter
Top 3 Malware

MALWARE       VOLUME   REGIONAL DISTRIBUTION
WORM_DOWNAD   509K     APAC 51%, EMEA 19%, LAR 15%, North America 9%, Japan 6%
ADW_BHO       448K     Japan 34%, APAC 26%, EMEA 19%, North America 17%, LAR 4%
ADW_BPROTECT  311K     APAC 28%, EMEA 28%, Japan 20%, North America 15%, LAR 9%
The Server Service vulnerability has been patched since 2008, but DOWNAD/Conficker, which is known to exploit it, remained one of the top 3 malware this quarter. The majority of the top 50 malware comprised adware; ZACCESS/SIREFEF and SALITY remained in the top 10.
Top 3 Malware by Segment

ENTERPRISE                  SMB                         CONSUMER
NAME             VOLUME     NAME             VOLUME     NAME               VOLUME
WORM_DOWNAD.AD   360K       WORM_DOWNAD.AD   58K        ADW_BHO            370K
ADW_BPROTECT     53K        ADW_BPROTECT     9K         ADW_BPROTECT       215K
ADW_BHO          28K        ADW_BHO          8K         BKDR_BIFROSE.BMC   208K
Consumers were more inclined to unknowingly download adware that comes bundled with software, while DOWNAD/Conficker was still a concern for enterprises and small and medium-sized businesses (SMBs).
Top 10 Malicious Domains Blocked

DOMAIN                         REASON
trafficconverter.biz           Hosts malware, particularly DOWNAD variants
ads.alpha00001.com             Hosts malware that modifies default browser settings to hijack search results
www.ody.cc                     Has sites that host BKDR_HPGNB-CN and other suspicious scripts
pu.plugrush.com                Related to a Blackhole Exploit Kit campaign
c.rvzrjs.info                  Related to spamming and other malicious activities
adsgangsta.com                 Related to malware and phishing attacks
vjlvchretllifcsgynuq.com       Hosts malware; also used to spread malware via Skype
strongvault02.safe-copy.com    Hosts malware
www.polaris-software.com       Hosts malware
promos.fling.com               Hosts malware
One of the top malicious domains blocked was related to a Blackhole Exploit Kit campaign. The domain trafficconverter.biz hosts DOWNAD/Conficker variants, which was also the top malware for the first half of 2013.
As predicted, cybercriminals have not generated completely new threats and instead opted to repackage old ones.10 We observed several interesting trends in online banking threats this quarter, which led to a 29% increase in infections with this type of malware.
Online Banking Malware Infections

1Q 2013   113K
2Q 2013   146K

Top Online Banking Victim Countries

COUNTRY         SHARE
United States   28%
Brazil          22%
Australia       5%
France          5%
Japan           4%
Taiwan          4%
Vietnam         3%
India           2%
Germany         2%
Canada          2%
Others          23%
The online banking malware volume significantly increased this quarter, due in part to the rise in the ZeuS/ZBOT malware volume in the wild. Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the Americas. The United States was most affected by online banking malware, accounting for 28% of the total number of infections worldwide.
Online Banking Malware Infections per Month

April   37K
May     39K
June    71K
Brazil, an online banking malware hotspot, was mostly targeted by two types of threat this quarter. The first was the BANKER malware disguised as updates for Adobe® Flash® Player and hosted on compromised sites.11 The other was malware disguised as a "homemade browser" that targets Banco do Brasil users.12
In the cybercriminal underground, the CARBERP source code was "leaked," making the creation of banking Trojans even easier for bad guys. Meanwhile, other online banking Trojan toolkits like ZeuS, SpyEye, and Ice IX are already available for free, making it easier for any skilled hacker to obtain their source codes.
Underground Price Changes for Basic Online Banking Toolkits

[Chart: estimated underground going rates, on a US$0 to US$10,000 scale, for the years 2010 to 2013, for the ZeuS, SpyEye, CARBERP, Ice IX, and Citadel toolkits. Note that ZeuS and SpyEye have been around since before 2010, and Ice IX was only made available in 2012.]

We found an online banking malware that modifies an infected computer's HOSTS file to redirect customers of certain South Korean banks to phishing sites.13 We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan. These malware not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.
As predicted, cybercriminals carried out developments in malware distribution and refinement for existing tools. New ZeuS/ZBOT deployment tactics include a propagation routine.14 The PIZZER worm was also found spreading by copying itself into password-protected archived files, using a technique similar to that of the PROLACO malware.15
Several cloud services were also hit by attacks this quarter. The VERNOT backdoor, which first abused a popular note-taking service, abused a well-known Japanese blogging platform by using it as a C&C server. Several GAMARUE variants were hosted on SourceForge, a popular code repository. Cybercriminals typically abuse legitimate services for "free hosting," successfully tricking users into trusting malicious links since these appear to belong to a well-known name.
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter. Among these were the compromise of WordPress sites in April, the emergence of Stealrat and its use of compromised hosts to send out spam, and observed peaks in spam activity.16
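The HOSTS-file redirection described above is something an endpoint can be checked for directly, because a bank's domain has no legitimate reason to appear in a HOSTS file at all. The following is an added example, not code from the Trend Micro report: a Python audit that parses a HOSTS file and flags every entry naming a watched banking domain, distinguishing a loopback mapping (which blocks the site) from a mapping to any other address (which silently redirects the browser). The watch list, the domain names, and the sample file contents are constructed for the example.

```python
"""Audit a HOSTS file for entries that override the resolution of online banking
domains. Added example; not code from the Trend Micro report."""
import ipaddress
import os
from pathlib import Path

# Hypothetical watch list (assumption): the bank domains an organization's users
# actually visit. A real deployment would load this from configuration.
WATCHED_DOMAINS = {"examplebank.co.kr", "online.example-savings.com"}

# Constructed sample of a tampered HOSTS file (not taken from the report).
# Line 4 pins two bank hostnames to a non-local address, line 5 does the same
# with a trailing comment, and line 6 is a benign ad-blocking entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.examplebank.co.kr examplebank.co.kr
203.0.113.9     online.example-savings.com   # looks like the real site
127.0.0.1       ad.example.net
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping; comments and junk are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, ignore
        for host in fields[1:]:
            yield line_no, ip, host.lower().rstrip(".")


def matches_watched(host, watched):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return one finding per watched hostname present in the HOSTS text.

    A loopback mapping denies access to the site; any other mapping sends the
    browser to an address the attacker chose, which is the phishing case.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if not matches_watched(host, watched):
            continue
        kind = "blocked" if ip.is_loopback else "redirected"
        findings.append({"line": line_no, "host": host, "ip": str(ip), "kind": kind})
    return findings


def audit_hosts_file(path=None, watched=WATCHED_DOMAINS):
    """Audit the system HOSTS file; the default path depends on the platform."""
    if path is None:
        if os.name == "nt":
            path = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32/drivers/etc/hosts"
        else:
            path = Path("/etc/hosts")
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"), watched)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} {f['kind']} to {f['ip']}")
```

Run against the built-in sample it reports the three bank hostnames on lines 4 and 5 as redirected; `audit_hosts_file()` applies the same check to the live file, and the finding's line number is what an analyst needs to pull the exact entry.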
Number of Botnet C&C Servers Detected per Month

April   2,102
May     4,003
June    1,434

May showed the highest number of detected C&C servers so far this year.

Number of Connections to Botnets per Month

April   10.4M
May     11.9M
June    2.7M

Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Top 10 Spam Languages

While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.

RANK   LANGUAGE     SHARE
1      English      82.56%
2      Chinese      3.26%
3      Russian      2.49%
4      Japanese     1.94%
5      German       0.86%
6      Portuguese   0.29%
7      Spanish      0.20%
8      Icelandic    0.16%
9      French       0.07%
10     Turkish      0.07%
       Others       8.10%
Top 10 Spam-Sending Countries

Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico, and Turkey.

RANK   COUNTRY         SHARE
1      United States   9.47%
2      Spain           6.97%
3      India           6.36%
4      Taiwan          5.68%
5      Argentina       5.49%
6      Italy           4.52%
7      Colombia        3.70%
8      Mexico          3.56%
9      Belarus         3.55%
10     Turkey          3.08%
       Others          47.62%
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms
As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites for popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3.17 Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.18 These attacks abused the use of the SSO approach, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse items, including the Boston Marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait.19

Notable Social Engineering Lures Used
Get free followers on Instagram
Boston bombing
MIT shooting
Texas fertilizer plant bombing
Iron Man 3
Income tax returns

As more users across different segments maximize their use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote, and Twitter rolled out additional security measures, which notably included two-step verification.20 The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.21
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where victims can supposedly buy followers in bulk.22 The tactic of selling followers is not new, though; cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.23
How Cybercriminals Trick Users into Giving Out Their Information24

Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.

PLATFORM                   PERIOD                  DESCRIPTION
Spam and phishing sites    Early 2000–2009         Scams in the early 2000s mainly comprised pharmaceutical, account notification, and Nigerian scams, which mostly led victims to phishing sites.
Search engines             2009–2011               Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique takes advantage of keywords related to significant news and/or events for malicious purposes.
Social media               Late 2009–present       Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr, and Pinterest.
Mobile                     2011–present            Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act
After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps that aimed to improve Java's security. These include quarterly update releases, automated security testing, and not allowing self-signed or unsigned apps for Java software used in browsers.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer® (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised.25 Exploits targeting Plesk and ColdFusion® also put forth the importance of securing web servers and touched on how enterprises secure their sites.26
As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.27 This quarter, we saw exploits target the software flaw as a result of the disclosure of the vulnerability's code.
The issue of addressing vulnerabilities was a hot topic this quarter, especially with Google's announcement of a seven-day disclosure policy. Several security pundits saw this as a noble yet impractical proposal. But as our CTO, Raimund Genes, pointed out, the bigger issue that should be discussed has to do with how vulnerabilities should be reported.
Timeline of Vulnerability Attacks

[Chart: for each of Ruby on Rails, Plesk, the IE zero-day, and Java, the dates of private disclosure, public disclosure, patch release, and exploitation. The date labels as extracted, with their separators lost and in the order they appear, are 1082013, 5032012, 1282013, 1172012, 5282013, 5032012, 4302013, 5032013, 5142013, 6182013, and 6182013.]
How Oracle Plans to Secure Java
Delivering three patches every three months starting October 2013
Using automated security testing tools against regressions and bugs
Supporting Windows® security policies so system administrators can set networkwide policies on Java use
Disallowing running unsigned or self-signed apps
Making Java's process of revoking signing signatures flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES
Corporate Security Woes Pile Up
Targeted Attacks
Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia-Pacific.28 This campaign hit various industries like telecommunications, oil and gas, government, media, and others. It usually starts out with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as "Safe."29 Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston Marathon bombing as a social engineering lure to trick users into downloading malware that communicates over Secure Sockets Layer (SSL).30
File Types Used in Spear Phishing Related to Targeted Attacks

RANK   FILE TYPE               SHARE
1      EXE/DLL                 43%
2      DOC                     12%
3      JPG                     10%
4      TXT/HTML                8%
5      RTF                     5%
6      ZIP                     4%
7      XLS                     3%
8      RAR                     3%
9      PPS/PPT                 3%
10     [label not recovered]   2%
       Others                  7%

Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.
Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies31

COMPANY                         RESULTS
Goo                             Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan                     Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP)           Attackers hacked AP's Twitter account, which erased US$200 billion worth of stock value
LivingSocial                    Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies   Several sites were defaced and suffered DDoS attacks

Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families

RANK   FAMILY     SHARE
1      ARPUSH     41.79%
2      ADSWO      16.50%
3      PLANKTON   12.84%
4      LEADBLT    11.02%
5      IZP        8.17%
6      WAPSX      4.25%
7      OQX        4.10%
8      WBOO       0.67%
9      YOUMI      0.27%
10     UAPSH      0.13%
       Others     0.26%
Malicious URL Country Sources

No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.

RANK   COUNTRY          SHARE
1      United States    25.90%
2      Germany          3.24%
3      China            3.16%
4      Netherlands      3.13%
5      South Korea      2.60%
6      France           1.94%
7      Japan            1.93%
8      Russia           1.64%
9      Canada           0.81%
10     United Kingdom   0.77%
       Others           54.88%
Top 10 Countries with the Most Botnet C&C Servers

Similar to the previous quarter, the United States had the highest number of botnet C&C servers, while Australia surpassed South Korea.

RANK   COUNTRY          SHARE
1      United States    24.05%
2      Australia        5.15%
3      South Korea      3.38%
4      China            3.02%
5      Germany          2.87%
6      Taiwan           2.10%
7      France           1.88%
8      United Kingdom   1.72%
9      Brazil           1.47%
10     Canada           1.18%
       Others           53.18%
Top 10 Countries with the Highest Number of Connections to Botnets

DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.

RANK   COUNTRY          SHARE
1      Malaysia         28.39%
2      United States    14.14%
3      France           11.63%
4      Germany          5.64%
5      Canada           5.29%
6      South Korea      4.13%
7      United Kingdom   3.84%
8      Thailand         3.22%
9      Hong Kong        3.07%
10     Italy            2.53%
       Others           18.12%
References
1 Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2 Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices/
3 Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4 Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/
5 Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6 Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites/
7 Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8 Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan/
9 Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10 Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11 Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites/
12 Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users/
13 Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites/
14 Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted/
15 Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files/
16 Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations/
17 Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures/; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media/
18 Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm/; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait/
19 Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting/; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again/
20 Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21 David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757/
22 Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers/
23 Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads/
24 Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches/; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25 Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit/
26 Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver/
27 Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit/
28 Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/
29 Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign/
30 Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/
31 Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised/; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account/
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
7 | Cybercrime
WORM_DOWNAD 509K
APAC 51
EMEA 19
LAR 15
NORTH AMERICA 9
JAPAN 6
ADW_BHO 448K
JAPAN 34
APAC 26
EMEA 19
NORTH AMERICA 17
LAR 4
ADW_BPROTECT 311K
APAC 28
EMEA 28
JAPAN 20
NORTH AMERICA 15
LAR 9
Top 3 Malware
The Server Service vulnerability has been patched since 2008 but DOWNaDConficker which is known to exploit this remained one of the top 3 malware this quarter The majority of the top 50 malware comprised adware ZaCCESSSIREFEF and SaLITy remained in the top 10
Top 3 Malware by Segment
ENTERPRIsE sMB CONsuMER
NAME vOLuME NAME vOLuME NAME vOLuME
WORM_DOWNADAD 360K WORM_DOWNADAD 58K ADW_BHO 370K
ADW_BPROTECT 53K ADW_BPROTECT 9K ADW_BPROTECT 215K
ADW_BHO 28K ADW_BHO 8K BKDR_BIFROSEBMC 208K
Consumers were more inclined to unknowingly download adware that come bundled with software while DOWNaDConficker was still a concern for enterprises and small and medium-sized businesses (SMBs)
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
8 | Cybercrime
Top 10 Malicious Domains Blocked
DOMAIN REAsON
trafficconverter biz Hosts malware particularly DOWNAD variants
ads alpha00001 com Hosts malware that modify default browser settings to hijack search results
www ody cc Has sites that host BKDR_HPGNB-CN and other suspicious scripts
pu plugrush com Related to a Blackhole Exploit Kit campaign
c rvzrjs info Related to spamming and other malicious activities
adsgangsta com Related to malware and phishing attacks
vjlvchretllifcsgynuq com Hosts malware also used to spread malware via Skype
strongvault02 safe-copy com Hosts malware
www polaris-software com Hosts malware
promos fling com Hosts malware
One of the top malicious domains blocked was related to a Blackhole Exploit kit campaign The domain trafficconverter biz hosts DOWNaDConficker variants which was also the top malware for the first half of 2013
As predicted cybercriminals have not generated completely new threats and instead opted to repackage old ones10 We observed several interesting trends in online banking threats this quarter that led to a 29 increase in infections with this type of malware
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
9 | Cybercrime
1Q 2Q
2013 113K 146K
Online Banking Infections
Online Banking Malware Infections
Top Online Banking Victim Countries
COuNTRIEs sHARE
United States 28
Brazil 22
Australia 5
France 5
Japan 4
Taiwan 4
Vietnam 3
India 2
Germany 2
Canada 2
Others 23
The online banking malware volume significantly increased this quarter due in part to the rise in the ZeuSZBOT malware volume in the wild Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the americas The united States was most affected by online banking malware accounting for 28 of the total number of infections worldwide
Chart: Online Banking Malware Infections per month (y-axis 0 to 80,000). April: 37K; May: 39K; June: 71K.
Brazil, an online banking malware hotspot, was mostly targeted by two types of this threat this quarter. The first was the BANKER malware disguised as updates for Adobe® Flash® Player, hosted on compromised sites [11]. The other malware was disguised as a “homemade browser” that targets Banco do Brasil users [12].
In the cybercriminal underground, the CARBERP source code was “leaked,” making the creation of banking Trojans even easier for bad guys. Meanwhile, other online banking Trojan toolkits like ZeuS, SpyEye, and Ice IX are already available for free, making it easier for any skilled hacker to obtain their source codes.
Chart: Underground Price Changes for Basic Online Banking Toolkits, 2010 to 2013 (y-axis US$0 to US$10,000). Toolkits plotted: ZeuS, SpyEye, CARBERP, Ice IX (only made available in 2012), and Citadel.
We found an online banking malware that modifies an infected computer's HOSTS file to redirect customers of certain South Korean banks to phishing sites [13]. We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan. These variants not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.
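As an added illustration of the HOSTS-file redirect described above (example code written for this summary, not Trend Micro's tooling), the check below parses a HOSTS file and flags entries that point a watched bank hostname, or any hostname, at an address outside the machine and the intranet. The watched bank domains, the sample HOSTS content and the placeholder addresses are constructed.

```python
"""Check a HOSTS file for the kind of tampering a banking Trojan performs: an
appended entry that points a bank's hostname at an attacker-chosen address so
the browser lands on a phishing page instead of the real site.

Example code added to this summary, not Trend Micro's tooling. The watched
bank domains, the sample HOSTS content and the addresses are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple, Union

# Constructed watch list: hostnames that must only ever resolve through DNS.
WATCHED_DOMAINS = {"ebank.example-bank-kr.com", "login.example-bank-kr.com"}

# RFC 1918 ranges; intranet names mapped here are normal in corporate HOSTS files.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [hostnames]) for each non-comment entry.

    Tolerates tabs, runs of spaces and trailing '# comment' text, which is how
    both hand-edited and malware-edited HOSTS files tend to look.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        if len(parts) < 2:
            continue
        entries.append((n, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def classify(ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]) -> str:
    """'local' for loopback/unspecified, 'internal' for RFC 1918, else 'external'."""
    if ip.is_loopback or ip.is_unspecified:
        return "local"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "internal"
    return "external"


def find_hijacks(text: str) -> List[Dict]:
    """Flag entries that redirect or blackhole a watched domain, and any other
    hostname mapped to an address outside the machine and the intranet."""
    findings = []
    for n, addr, hosts in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"line": n, "reason": "unparseable address", "hosts": hosts})
            continue
        kind = classify(ip)
        watched = sorted(set(hosts) & WATCHED_DOMAINS)
        if kind == "local":
            # Sinkhole entries (ad blocking) are benign unless they cut off a bank.
            if watched:
                findings.append({"line": n, "reason": "watched domain sinkholed", "hosts": watched})
        elif watched:
            findings.append({"line": n, "reason": "watched domain redirected", "ip": addr, "hosts": watched})
        elif kind == "external":
            findings.append({"line": n, "reason": "hostname mapped to external address", "ip": addr, "hosts": hosts})
        # 'internal' entries for non-watched names are left alone.
    return findings


# Constructed sample: two localhost lines, a benign ad sinkhole, an intranet
# entry, then two lines of the kind a banking Trojan appends. 203.0.113.0/24
# is the TEST-NET-3 documentation range, used here as a placeholder.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example.net   # ad-blocking entry, harmless
10.1.2.3    intranet.corp.example
203.0.113.7   ebank.example-bank-kr.com  login.example-bank-kr.com
203.0.113.7 www.example-search.com
"""

if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_HOSTS):
        print(finding)
```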
As predicted, cybercriminals carried out developments in malware distribution and refinement for existing tools. New ZeuS/ZBOT deployment tactics include a propagation routine [14]. The PIZZER worm was also found spreading and copying itself onto password-protected archived files, using a technique similar to that of the PROLACO malware [15].
Several cloud services were also hit by attacks this quarter. The VERNOT backdoor, which first abused a popular note-taking service, went on to abuse a well-known Japanese blogging platform by using it as a C&C server. Several GAMARUE variants were hosted on SourceForge, a popular code repository. Cybercriminals typically abuse legitimate services for “free hosting,” successfully tricking users into trusting malicious links since these appear to belong to a well-known name.
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter. Among these were the compromise of WordPress sites in April, the emergence of Stealrat and its use of compromised hosts to send out spam, and observed peaks in spam activity [16].
These are estimated going rates. Note that ZeuS and SpyEye have been around since before 2010.
Number of Botnet C&C Servers Detected per Month
Chart: April to June (x-axis 1,000 to 5,000). Values plotted: 2,102; 4,003; 1,434.
May showed the highest number of detected C&C servers so far this year, at 4,003.
Number of Connections to Botnets per Month
Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Chart: April to June (x-axis 3M to 12M). Values plotted: 10.4M; 11.9M; 2.7M, with May the highest at 11.9M.
Top 10 Spam Languages
While English remained the top preferred language of spammers we also saw a general increase in the non-English spam volume
RANK | LANGUAGE | SHARE
1 | English | 82.56%
2 | Chinese | 3.26%
3 | Russian | 2.49%
4 | Japanese | 1.94%
5 | German | 0.86%
6 | Portuguese | 0.29%
7 | Spanish | 0.20%
8 | Icelandic | 0.16%
9 | French | 0.07%
10 | Turkish | 0.07%
Others | 8.10%
Top 10 Spam-Sending Countries
Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico, and Turkey.

RANK | COUNTRY | SHARE
1 | United States | 9.47%
2 | Spain | 6.97%
3 | India | 6.36%
4 | Taiwan | 5.68%
5 | Argentina | 5.49%
6 | Italy | 4.52%
7 | Colombia | 3.70%
8 | Mexico | 3.56%
9 | Belarus | 3.55%
10 | Turkey | 3.08%
Others | 47.62%
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms
As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites of popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3 [17]. Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks [18]. These attacks abused the use of the SSO approach, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse items, including the Boston marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait [19].
Notable Social Engineering Lures Used
Lures shown: Get Free Followers on Instagram; Boston Bombing; MIT Shooting; Texas Fertilizer Plant Bombing; Iron Man 3; Income Tax Returns.
As more users across different segments maximize the use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote, and Twitter rolled out additional security measures, which notably included two-step verification [20]. The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results [21].
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer “free followers” or use professional-looking sites where they can supposedly buy followers in bulk [22]. The tactic of selling followers is not new, though; cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered [23].
How Cybercriminals Trick Users into Giving Out Their Information [24]
Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.
Spam and Phishing Sites (early 2000–2009): Scams in the early 2000s mainly comprised pharmaceutical, account notification, and Nigerian scams, which mostly led victims to phishing sites.
Search Engines (2009–2011): Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique takes advantage of using keywords related to significant news and/or events for malicious purposes.
Social Media (late 2009–present): Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr, and Pinterest.
Mobile (2011–present): Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act
After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps that aimed to improve Java's security. These include quarterly update releases, automated security testing, and not allowing self-signed or unsigned apps for Java software used in browsers.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer® (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised [25]. Exploits targeting Plesk and ColdFusion® also put forth the importance of securing web servers and touched on how enterprises secure their sites [26].
As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January [27]. This quarter, we saw exploits target the software flaw as a result of the disclosure of the vulnerability's code.
The issue of addressing vulnerabilities was a hot topic this quarter, especially with Google's announcement of a seven-day disclosure policy. Several security pundits saw this as a noble yet impractical proposal. But as our CTO Raimund Genes pointed out, the bigger issue that should be discussed has to do with how vulnerabilities should be reported.
Timeline of Vulnerability Attacks
Chart rows: Ruby on Rails; Plesk; IE zero-day; Java. Chart columns: Private Disclosure; Public Disclosure; Patch Released; Exploited.
Dates plotted: 1/08/2013, 5/03/2012, 1/28/2013, 1/17/2012, 5/28/2013, 5/03/2012, 4/30/2013, 5/03/2013, 5/14/2013, 6/18/2013, 6/18/2013.
How Oracle Plans to Secure Java
Delivering three patches every three months starting October 2013
Using automated security testing tools against regressions and bugs
Supporting Windows® security policies so system administrators can set networkwide policies on Java use
Disallowing running unsigned or self-signed apps
Making Java's process of revoking signing signatures flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES
Corporate Security Woes Pile Up
Targeted Attacks
Targeted attack campaigns remained a problem for organizations, as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia/Pacific [28]. This campaign hit various industries like telecommunications, oil and gas, government, media, and others. It usually starts out with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as “Safe” [29]. Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston marathon bombing as a social engineering lure to trick users into downloading a malware that communicates via Secure Sockets Layer (SSL) [30].
File Types Used in Spear Phishing Related to Targeted Attacks
Chart: file types ranked 1 to 10, in the order shown: EXE/DLL, DOC, JPG, TXT/HTML, RTF, ZIP, XLS, RAR, PPS/PPT, Others. Shares plotted: 43%, 12%, 10%, 8%, 5%, 4%, 3%, 3%, 3%, 2%, 7%.
Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal, which is to infiltrate a network.
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.
Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies [31]

COMPANY | RESULTS
Goo | Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan | Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP) | Attackers hacked AP's Twitter account, which erased US$200 billion worth of stock value
LivingSocial | Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies | Several sites were defaced and suffered DDoS attacks

Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families

RANK | FAMILY | SHARE
1 | ARPUSH | 41.79%
2 | ADSWO | 16.50%
3 | PLANKTON | 12.84%
4 | LEADBLT | 11.02%
5 | IZP | 8.17%
6 | WAPSX | 4.25%
7 | OQX | 4.10%
8 | WBOO | 0.67%
9 | YOUMI | 0.27%
10 | UAPSH | 0.13%
Others | 0.26%
Malicious URL Country Sources
No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.

RANK | COUNTRY | SHARE
1 | United States | 25.90%
2 | Germany | 3.24%
3 | China | 3.16%
4 | Netherlands | 3.13%
5 | South Korea | 2.60%
6 | France | 1.94%
7 | Japan | 1.93%
8 | Russia | 1.64%
9 | Canada | 0.81%
10 | United Kingdom | 0.77%
Others | 54.88%
Top 10 Countries with the Most Number of Botnet C&C Servers
Similar to the previous quarter, the United States had the most number of botnet C&C servers, while Australia surpassed South Korea.

RANK | COUNTRY | SHARE
1 | United States | 24.05%
2 | Australia | 5.15%
3 | South Korea | 3.38%
4 | China | 3.02%
5 | Germany | 2.87%
6 | Taiwan | 2.10%
7 | France | 1.88%
8 | United Kingdom | 1.72%
9 | Brazil | 1.47%
10 | Canada | 1.18%
Others | 53.18%
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.

RANK | COUNTRY | SHARE
1 | Malaysia | 28.39%
2 | United States | 14.14%
3 | France | 11.63%
4 | Germany | 5.64%
5 | Canada | 5.29%
6 | South Korea | 4.13%
7 | United Kingdom | 3.84%
8 | Thailand | 3.22%
9 | Hong Kong | 3.07%
10 | Italy | 2.53%
Others | 18.12%
References
1 Trend Micro Incorporated (2013). “TrendLabs 2012 Annual Security Roundup: Evolved Threats in a ‘Post-PC’ World.” Last accessed July 30, 2013, httpwwwtrendmicrocomcloud-contentuspdfssecurity-intelligencereportsrpt-evolved-threats-in-a-post-pc-worldpdf
2 Jonathan Leopando (July 10, 2013). TrendLabs Security Intelligence Blog. “Android Vulnerability Affects 99% of Devices: Trend Micro Users Protected.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3 Trend Micro Incorporated (2013). Threat Encyclopedia. “ANDROIDOS_OBAD.A.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomusmalwareANDROIDOS_OBADA
4 Leo Zhang (July 13, 2013). TrendLabs Security Intelligence Blog. “Cybercriminals Improve Android Malware Stealth Routines with OBAD.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-improve-android-malware-stealth-routines-with-obad
5 Trend Micro Incorporated (2013). Threat Encyclopedia. “ANDROIDOS_FAKEBANK.A.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomusmalwareANDROIDOS_FAKEBANKA
6 Weichao Sun (May 14, 2013). TrendLabs Security Intelligence Blog. “Mobile Ads Pushed by Android Apps Lead to Scam Sites.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencemobile-ads-pushed-by-android-apps-lead-to-scam-sites
7 Trend Micro Incorporated (2013). Threat Encyclopedia. “ANDROIDOS_FAKEAV.F.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomusmalwareANDROIDOS_FAKEAVF
8 Iain Thomson (March 27, 2013). The Register. “Tibetan and Uyghur Activists Targeted with Android Malware.” Last accessed July 30, 2013, httpwwwtheregistercouk20130327android_malware_targeting_tibetan
9 Ericsson ConsumerLab (August 6, 2012). Ericsson.com. “Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets.” Last accessed July 30, 2013, httpwwwericssoncomvnnews2012_vn_smartphone_demands_254740123_c
10 Trend Micro Incorporated (2012). “Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond.” Last accessed July 30, 2013, httpwwwtrendmicrocoukmediamisctrend-micro-predictions-for-2013-and-beyond-enpdf
11 Roddell Santos (May 28, 2013). TrendLabs Security Intelligence Blog. “BANKER Malware Hosted in Compromised Brazilian Government Sites.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencebanker-malware-hosted-in-compromised-brazilian-government-sites
12 Ranieri Romera (May 7, 2013). TrendLabs Security Intelligence Blog. “Homemade Browser Targeting ‘Banco do Brasil’ Users.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencehomemade-browser-targeting-banco-do-brasil-users
13 Roddell Santos (June 14, 2013). TrendLabs Security Intelligence Blog. “Malware Redirects South Korean Users to Phishing Sites.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencemalware-redirects-south-korean-users-to-phishing-sites
14 Abigail Pichel (June 10, 2013). TrendLabs Security Intelligence Blog. “Going Solo: Self-Propagating ZBOT Malware Spotted.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencegoing-solo-self-propagating-zbot-malware-spotted
15 Lenart Bermejo (May 24, 2013). TrendLabs Security Intelligence Blog. “Worm Creates Copies in Password-Protected Archived Files.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligenceworm-creates-copies-in-password-protected-archived-files
16 Jessa Dela Torre (April 16, 2013). TrendLabs Security Intelligence Blog. “Compromised Sites Conceal Stealrat Botnet Operations.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-sites-conceal-stealrat-botnet-operations
17 Paul Pajares (July 8, 2013). TrendLabs Security Intelligence Blog. “Man of Steel, Fast and Furious 6 Among Online Fraudsters’ Most Used Lures.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligenceman-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan (May 2, 2013). TrendLabs Security Intelligence Blog. “Fake Iron Man 3 Streaming Sites Sprout on Social Media.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencefake-iron-man-3-streaming-sites-sprout-on-social-media
18 Anthony Melgarejo (May 2, 2013). TrendLabs Security Intelligence Blog. “Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencebackdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares (April 30, 2013). TrendLabs Security Intelligence Blog. “Hackers to Manage Your Apple ID If Caught from Phishing Bait.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencehackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19 Aisa Escober (April 16, 2013). TrendLabs Security Intelligence Blog. “KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencekelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated (2013). Threat Encyclopedia. “Spam Attack Leverages Oklahoma Tornado Disaster.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomusspam494Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza (April 19, 2013). TrendLabs Security Intelligence Blog. “Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan (April 4, 2013). TrendLabs Security Intelligence Blog. “Cybercriminals Threaten Tax Day Once Again.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-threaten-tax-day-once-again
20 Jim Finkle (May 31, 2013). NBC News Technology. “LinkedIn Improves Security with Two-Factor Authentication.” Last accessed July 2013, httpwwwnbcnewscomtechnologylinkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings (May 30, 2013). The Evernote Blog. “Evernote’s Three New Security Features.” Last accessed July 2013, httpblogevernotecomblog20130530evernotes-three-new-security-features; Jim O’Leary (May 22, 2013). Twitter Blog. “Getting Started with Login Verification.” Last accessed July 2013, httpsblogtwittercom2013getting-started-login-verification
21 David Jackson (April 23, 2013). USA Today News. “AP Twitter Feed Hacked; No Attack at White House.” Last accessed July 30, 2013, httpwwwusatodaycomstorytheoval20130423obama-carney-associated-press-hack-white-house2106757
22 Karla Agregado (June 25, 2013). TrendLabs Security Intelligence Blog. “Scam Sites Now Selling Instagram Followers.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencescam-sites-now-selling-instagram-followers
23 Zachary Seward (May 20, 2013). Quartz. “How Yahoo Plans to Make Money on Tumblr: Ads That Don’t Feel Like Ads.” Last accessed July 30, 2013, httpqzcom86437how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24 Gelo Abendan (March 3, 2012). Threat Encyclopedia. “Mobile Apps: New Frontier for Cybercrime.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomuswebattack119mobile apps new frontier for cybercrime; Marco Dela Vega (November 23, 2010). TrendLabs Security Intelligence Blog. “With Holiday Wishes Come Poisoned Searches.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencewith-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas (November 13, 2011). Threat Encyclopedia. “Sports as Bait: Cybercriminals Play to Win.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomuswebattack99sports as bait cybercriminals play to win; Valerie Ria Rivera (March 29, 2011). Threat Encyclopedia. “Spam, Scams, and Other Social Media Threats.” Last accessed July 30, 2013, httpabout-threatstrendmicrocomuswebattack75spam scams and other social media threats
25 Dexter To (May 5, 2013). TrendLabs Security Intelligence Blog. “Compromised US Government Web Page Used Zero-Day Exploit.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-us-government-webpage-used-zero-day-exploit
26 Sooraj KS (June 6, 2013). TrendLabs Security Intelligence Blog. “Plesk Zero-Day Exploit Results in Compromised Web Server.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligenceplesk-zero-day-exploit-results-in-compromised-webserver
27 Gelo Abendan (May 30, 2013). TrendLabs Security Intelligence Blog. “Trend Micro Deep Security Guards Users from Ruby on Rails Exploit.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28 Maharlito Aquino (June 13, 2013). TrendLabs Security Intelligence Blog. “RARSTONE Found in Targeted Attacks.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencerarstone-found-in-targeted-attacks
29 Kyle Wilhoit (May 17, 2013). TrendLabs Security Intelligence Blog. “Hiding in Plain Sight: A New Targeted Attack Campaign.” Last accessed July 30, 2013, httpblogtrendmicrocomtrendlabs-security-intelligencehiding-in-plain-sight-a-new-apt-campaign
30 Nart Villeneuve (April 25, 2013). TrendLabs Security Intelligence Blog. “Targeted Attack Campaign Hides Behind SSL Communication.” Last accessed July 2013, httpblogtrendmicrocomtrendlabs-security-intelligencetargeted-attack-campaign-hides-behind-ssl-communication
31 Jay Alabaster (April 4, 2013). Computerworld. “Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised.” Last accessed July 30, 2013, httpwwwcomputerworldcomauarticle458079japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. “LivingSocial Security Notice.” Last accessed July 30, 2013, httpswwwlivingsocialcomcreatepassword; Kadim Shubber (May 20, 2013). Wired UK. “Millions of Users’ Data Hacked in Yahoo Japan Security Breach.” Last accessed July 30, 2013, httpwwwwiredcouknewsarchive2013-0520yahoo-japan-hacked; Erin Madigan White (April 23, 2013). AP Blog: The Definitive Source. “AP Responds to Hacking of Twitter Account.” Last accessed July 30, 2013, httpblogaporg20130423hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com
©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
8 | Cybercrime
Top 10 Malicious Domains Blocked
DOMAIN REAsON
trafficconverter biz Hosts malware particularly DOWNAD variants
ads alpha00001 com Hosts malware that modify default browser settings to hijack search results
www ody cc Has sites that host BKDR_HPGNB-CN and other suspicious scripts
pu plugrush com Related to a Blackhole Exploit Kit campaign
c rvzrjs info Related to spamming and other malicious activities
adsgangsta com Related to malware and phishing attacks
vjlvchretllifcsgynuq com Hosts malware also used to spread malware via Skype
strongvault02 safe-copy com Hosts malware
www polaris-software com Hosts malware
promos fling com Hosts malware
One of the top malicious domains blocked was related to a Blackhole Exploit kit campaign The domain trafficconverter biz hosts DOWNaDConficker variants which was also the top malware for the first half of 2013
As predicted cybercriminals have not generated completely new threats and instead opted to repackage old ones10 We observed several interesting trends in online banking threats this quarter that led to a 29 increase in infections with this type of malware
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
9 | Cybercrime
1Q 2Q
2013 113K 146K
Online Banking Infections
Online Banking Malware Infections
Top Online Banking Victim Countries
COuNTRIEs sHARE
United States 28
Brazil 22
Australia 5
France 5
Japan 4
Taiwan 4
Vietnam 3
India 2
Germany 2
Canada 2
Others 23
The online banking malware volume significantly increased this quarter due in part to the rise in the ZeuSZBOT malware volume in the wild Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the americas The united States was most affected by online banking malware accounting for 28 of the total number of infections worldwide
60000
40000
80000
20000
0
APRIL MAY JUNE
37K39K
71K
Brazil an online banking malware hotspot was mostly targeted by two types of the threat type this quarter The first was the BANKER malware disguised as updates for Adobereg Flashreg Player hosted on compromised sites11 The other malware was disguised as a ldquohomemade browserrdquo that targets Banco do Brasil users12
In the cybercriminal underground the CARBERP source code was ldquoleakedrdquo making the creation of banking Trojans even easier to do for bad guys Meanwhile other online banking Trojan toolkits like ZeuS SpyEye and Ice IX are already available for free making it easier for any skilled hacker to obtain their source codes
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
10 | Cybercrime
0
US$2000
2010 2011 2012 2013
US$4000
US$6000
US$8000
US$10000ZEUS
SPYEYE
CARBERP
ICE IX(only madeavailable in2012)
CITADEL
Underground Price Changes for Basic Online Banking Toolkits
We found an online banking malware that modifies an infected computerrsquos HOSTS file to redirect a customer of certain South Korean banks to phishing sites13 We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan These malware not only target the big banks in Japan but also smaller ones including those that exclusively cater to online banking customers
As predicted cybercriminals carried out developments in malware distribution and refinement for existing tools New ZeuSZBOT deployment tactics include a propagation routine14 The PIZZER worm was also found spreading and copying itself onto password-protected archived files using a technique similar to that of PROLACO malware15
Several cloud services were also hit by attacks this quarter The VERNOT backdoor which first abused a popular note-taking service abused a well-known Japanese blogging platform by using it as a CampC server Several GAMARUE variants were hosted on SourceForge a popular code repository Cybercriminals typically abuse legitimate services for ldquofree hostingrdquo successfully tricking users into trusting malicious links since these appear to belong to a well-known name
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter Among these were the compromise of WordPress sites in April the emergence of Stealrat and its use of compromised hosts to send out spam and observed peaks in spam activity16
These are estimated going ratesNote that ZeuS and SpyEye have been around since before 2010
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
11 | Cybercrime
Number of Botnet CampC Servers Detected per Month
1000 2000 3000 4000 5000
APRIL
MAY
JUNE 2102
4003
1434
May showed the highest number of detected CampC servers so far this year
Number of Connections to Botnets per Month
Due to the increase in the number of active botnets in May we also noted a significant increase in the number of botnet connections that month
3M 6M 9M 12M
APRIL
MAY
JUNE 104M
119M
27M
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
12 | Cybercrime
Top 10 Spam Languages
While English remained the top preferred language of spammers we also saw a general increase in the non-English spam volume
1
2
3
4
5
6
7
8
9
10
8256
326
249
194
086
029
020
016
007
007
810
English
Chinese
Russian
Japanese
German
Portuguese
Spanish
Icelandic
French
Turkish
Others
MOVED DOWNMOVED UPNEW ENTRY
Top 10 Spam-Sending Countries
Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico, and Turkey.
RANK | COUNTRY | SHARE
1 | United States | 9.47%
2 | Spain | 6.97%
3 | India | 6.36%
4 | Taiwan | 5.68%
5 | Argentina | 5.49%
6 | Italy | 4.52%
7 | Colombia | 3.70%
8 | Mexico | 3.56%
9 | Belarus | 3.55%
10 | Turkey | 3.08%
- | Others | 47.62%
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms
As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites of popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3.[17] Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.[18] These attacks abused the use of the SSO approach, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse items, including the Boston marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait.[19]
Notable Social Engineering Lures Used
- Get free followers on Instagram
- Boston bombing
- MIT shooting
- Texas fertilizer plant bombing
- Iron Man 3
- Income tax returns
As more users across different segments maximize the use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote, and Twitter rolled out additional security measures, which notably included two-step verification.[20] The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.[21]
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where victims can supposedly buy followers in bulk.[22] The tactic of selling followers is not new, though; cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.[23]
How Cybercriminals Trick Users into Giving Out Their Information[24]
Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.
PLATFORM | PERIOD | DESCRIPTION
Spam and phishing sites | Early 2000–2009 | Scams in the early 2000s mainly comprised pharmaceutical, account notification, and Nigerian scams, which mostly led victims to phishing sites.
Search engines | 2009–2011 | Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique uses keywords related to significant news and/or events for malicious purposes.
Social media | Late 2009–present | Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr, and Pinterest.
Mobile | 2011–present | Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES
Software Vendors Try to Clean Up Their Act
After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps that aimed to improve Java's security. These include quarterly update releases, automated security testing, and not allowing self-signed or unsigned apps for Java software used in browsers.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer® (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised.[25] Exploits targeting Plesk and ColdFusion® also put forth the importance of securing web servers and touched on how enterprises secure their sites.[26]
As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.[27] This quarter, we saw exploits target the software flaw as a result of the disclosure of the vulnerability's code.
The issue of addressing vulnerabilities was a hot topic this quarter, especially with Google's announcement of a seven-day disclosure policy. Several security pundits saw this as a noble yet impractical proposal. But as our CTO, Raimund Genes, pointed out, the bigger issue that should be discussed has to do with how vulnerabilities should be reported.
Timeline of Vulnerability Attacks (figure)
Rows: Ruby on Rails, Plesk, IE zero-day, Java. Columns: Private Disclosure, Public Disclosure, Patch Released, Exploited. Dates plotted, in the order they appear: 1/08/2013, 5/03/2012, 1/28/2013, 1/17/2012, 5/28/2013, 5/03/2012, 4/30/2013, 5/03/2013, 5/14/2013, 6/18/2013, 6/18/2013.
How Oracle Plans to Secure Java
- Delivering three patches every three months starting October 2013
- Using automated security testing tools against regressions and bugs
- Supporting Windows® security policies so system administrators can set networkwide policies on Java use
- Disallowing running unsigned or self-signed apps
- Making Java's process of revoking signing signatures flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES
Corporate Security Woes Pile Up
Targeted Attacks
Targeted attack campaigns remained a problem for organizations, as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia/Pacific.[28] This campaign hit various industries like telecommunications, oil and gas, government, media, and others. It usually starts out with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as "Safe."[29] Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston marathon bombing as a social engineering lure to trick users into downloading malware that communicates via Secure Sockets Layer (SSL).[30]
File Types Used in Spear Phishing Related to Targeted Attacks
RANK | FILE TYPE | SHARE
1 | EXE/DLL | 43%
2 | DOC | 12%
3 | JPG | 10%
4 | TXT/HTML | 8%
5 | RTF | 5%
6 | ZIP | 4%
7 | XLS | 3%
8 | RAR | 3%
9 | PPS/PPT | 3%
10 | (label not recovered) | 2%
- | Others | 7%
Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.
Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies[31]
COMPANY | RESULTS
Goo | Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan | Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP) | Attackers hacked AP's Twitter account, which erased US$200 billion worth of stock value
LivingSocial | Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies | Several sites were defaced and suffered DDoS attacks
Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families
RANK | FAMILY | SHARE
1 | ARPUSH | 41.79%
2 | ADSWO | 16.50%
3 | PLANKTON | 12.84%
4 | LEADBLT | 11.02%
5 | IZP | 8.17%
6 | WAPSX | 4.25%
7 | OQX | 4.10%
8 | WBOO | 0.67%
9 | YOUMI | 0.27%
10 | UAPSH | 0.13%
- | Others | 0.26%
Malicious URL Country Sources
No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.
RANK | COUNTRY | SHARE
1 | United States | 25.90%
2 | Germany | 3.24%
3 | China | 3.16%
4 | Netherlands | 3.13%
5 | South Korea | 2.60%
6 | France | 1.94%
7 | Japan | 1.93%
8 | Russia | 1.64%
9 | Canada | 0.81%
10 | United Kingdom | 0.77%
- | Others | 54.88%
Top 10 Countries with the Most Number of Botnet C&C Servers
Similar to the previous quarter, the United States had the most number of botnet C&C servers, while Australia surpassed South Korea.
RANK | COUNTRY | SHARE
1 | United States | 24.05%
2 | Australia | 5.15%
3 | South Korea | 3.38%
4 | China | 3.02%
5 | Germany | 2.87%
6 | Taiwan | 2.10%
7 | France | 1.88%
8 | United Kingdom | 1.72%
9 | Brazil | 1.47%
10 | Canada | 1.18%
- | Others | 53.18%
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.
RANK | COUNTRY | SHARE
1 | Malaysia | 28.39%
2 | United States | 14.14%
3 | France | 11.63%
4 | Germany | 5.64%
5 | Canada | 5.29%
6 | South Korea | 4.13%
7 | United Kingdom | 3.84%
8 | Thailand | 3.22%
9 | Hong Kong | 3.07%
10 | Italy | 2.53%
- | Others | 18.12%
References
1 Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2 Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3 Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4 Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5 Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6 Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7 Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8 Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9 Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10 Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11 Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12 Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13 Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14 Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15 Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16 Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17 Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18 Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID, If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19 Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20 Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21 David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22 Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23 Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24 Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25 Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26 Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27 Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28 Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29 Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30 Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31 Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog, The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
© 2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
Online Banking Malware Infections
QUARTER | INFECTIONS
1Q 2013 | 113K
2Q 2013 | 146K
Top Online Banking Victim Countries
COUNTRY | SHARE
United States | 28%
Brazil | 22%
Australia | 5%
France | 5%
Japan | 4%
Taiwan | 4%
Vietnam | 3%
India | 2%
Germany | 2%
Canada | 2%
Others | 23%
The online banking malware volume significantly increased this quarter, due in part to the rise in the ZeuS/ZBOT malware volume in the wild. Online banking threats are spreading across the globe and are no longer concentrated in certain regions like Europe and the Americas. The United States was most affected by online banking malware, accounting for 28% of the total number of infections worldwide.
Online banking infections per month (chart)
MONTH | INFECTIONS
April | 37K
May | 39K
June | 71K
Brazil, an online banking malware hotspot, was mostly targeted by two types of the threat this quarter. The first was the BANKER malware disguised as updates for Adobe® Flash® Player, hosted on compromised sites.[11] The other malware was disguised as a "homemade browser" that targets Banco do Brasil users.[12]
In the cybercriminal underground, the CARBERP source code was "leaked," making the creation of banking Trojans even easier for bad guys. Meanwhile, other online banking Trojan toolkits like ZeuS, SpyEye, and Ice IX are already available for free, making it easier for any skilled hacker to obtain their source codes.
Underground Price Changes for Basic Online Banking Toolkits (chart): price in US$ (0 to US$10,000) from 2010 to 2013 for ZeuS, SpyEye, CARBERP, Ice IX (only made available in 2012), and Citadel.
We found an online banking malware that modifies an infected computer's HOSTS file to redirect customers of certain South Korean banks to phishing sites.[13] We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan. These malware not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.
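A defender's check for the HOSTS-file tampering described above, added here as an example and not Trend Micro's code: it parses a hosts file and flags any entry that pins a watchlisted bank domain (or any other name) to something other than a local sink address. The bank domains and the sample file are constructed.

```python
"""Flag HOSTS-file entries that redirect banking hostnames to routable addresses.

Added example for the HOSTS-file redirection described above; it is not Trend
Micro's code. The watchlist domains and the sample file are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed watchlist: domains whose resolution must never be overridden
# locally. A real deployment would list the bank domains its users visit.
BANK_WATCHLIST = ["examplebank.test", "otherbank.test"]

# Constructed sample HOSTS file (not taken from a real infected system). Lines 5,
# 6 and 8 mimic the malware behaviour: bank hostnames pinned to attacker IPs.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.test            # ad-blocking entry, benign
203.0.113.45    www.examplebank.test online.examplebank.test
198.51.100.7    LOGIN.OtherBank.test
203.0.113.9     cdn.unrelated.test          # routable override, worth a look
bad-address     www.examplebank.test        # unparsable, still an override
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: list[str]


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file syntax: '<address> <hostname>...' with '#' comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue  # an address with no hostname resolves nothing
        entries.append(HostsEntry(line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_local_sink(address: str) -> bool:
    """Loopback and unspecified (0.0.0.0 / ::) targets block or self-map a name;
    they cannot send a user to a phishing site, so they are treated as benign."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # an unparsable address is not a known-safe sink
    return ip.is_loopback or ip.is_unspecified


def on_watchlist(hostname: str, watchlist: list[str]) -> bool:
    """Match the domain itself or any subdomain of it (never a lookalike suffix)."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_redirects(text: str, watchlist: list[str]) -> list[tuple[int, str, str, str]]:
    """Return (line_no, hostname, address, severity) for every override that
    points a name somewhere other than a local sink. Watchlisted names are
    'high'; any other routable override is 'review'."""
    findings = []
    for entry in parse_hosts(text):
        if is_local_sink(entry.address):
            continue
        for host in entry.hostnames:
            severity = "high" if on_watchlist(host, watchlist) else "review"
            findings.append((entry.line_no, host, entry.address, severity))
    return findings


if __name__ == "__main__":
    # On Windows the live file is C:\Windows\System32\drivers\etc\hosts;
    # on Linux/macOS it is /etc/hosts. Here the constructed sample is scanned.
    for line_no, host, address, severity in find_redirects(SAMPLE_HOSTS, BANK_WATCHLIST):
        print(f"[{severity:6}] line {line_no}: {host} -> {address}")
```

Run against the real file, every "high" finding is a bank domain a browser would resolve without touching DNS, which is exactly the redirection the text describes; "review" findings are overrides of other names that deserve a look but are not bank-related.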
As predicted cybercriminals carried out developments in malware distribution and refinement for existing tools New ZeuSZBOT deployment tactics include a propagation routine14 The PIZZER worm was also found spreading and copying itself onto password-protected archived files using a technique similar to that of PROLACO malware15
Several cloud services were also hit by attacks this quarter The VERNOT backdoor which first abused a popular note-taking service abused a well-known Japanese blogging platform by using it as a CampC server Several GAMARUE variants were hosted on SourceForge a popular code repository Cybercriminals typically abuse legitimate services for ldquofree hostingrdquo successfully tricking users into trusting malicious links since these appear to belong to a well-known name
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter Among these were the compromise of WordPress sites in April the emergence of Stealrat and its use of compromised hosts to send out spam and observed peaks in spam activity16
These are estimated going ratesNote that ZeuS and SpyEye have been around since before 2010
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
11 | Cybercrime
Number of Botnet CampC Servers Detected per Month
1000 2000 3000 4000 5000
APRIL
MAY
JUNE 2102
4003
1434
May showed the highest number of detected CampC servers so far this year
Number of Connections to Botnets per Month
Due to the increase in the number of active botnets in May we also noted a significant increase in the number of botnet connections that month
3M 6M 9M 12M
APRIL
MAY
JUNE 104M
119M
27M
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
12 | Cybercrime
Top 10 Spam Languages
While English remained the top preferred language of spammers we also saw a general increase in the non-English spam volume
1
2
3
4
5
6
7
8
9
10
8256
326
249
194
086
029
020
016
007
007
810
English
Chinese
Russian
Japanese
German
Portuguese
Spanish
Icelandic
French
Turkish
Others
MOVED DOWNMOVED UPNEW ENTRY
Top 10 Spam-Sending Countries
Cybercriminals are finding other countries to host their malicious activities in hence the increase in spam activity in countries like argentina Italy Mexico and Turkey
1
2
3
4
5
6
7
8
9
10
947
697
636
568
549
452
370
356
355
308
4762
United States
Spain
India
Taiwan
Argentina
Italy
Colombia
Mexico
Belarus
Turkey
Others
MOVED DOWNMOVED UPNEW ENTRY
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
13 | Digital Life Security Issues
DIgITaL LIFE SECuRITy ISSuES
Social Threats Abuse Diverse PlatformsAs more users manage multiple online accounts cybercriminals explored means to use this trend to their advantage They abused popular blogging sites like Tumblr WordPress and Blogger to host fake streaming sites of popular summer movies including Man of Steel Fast and Furious 6 and Iron Man 317 Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks18 These attacks abused the use of
the SSO approach which should serve as a reminder to protect online accounts and avoid using weak passwords
Users were also reacquainted with old social engineering tactics as several attacks used diverse items including the Boston marathon bombing the Oklahoma tornado disaster the Texas fertilizer plant explosion and the tax season as bait19
Notable Social Engineering Lures Used
GET FREEFOLLOWERS
ON INSTAGRAMBOSTON BOMBING
MIT SHOOTING
TEXAS FERTILIZERPLANT BOMBING
IRON MAN 3
INCOME TAX RETURNS
as more users across different segments maximize the use of Instagram it has now become a viable target for cybercrime
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
14 | Digital Life Security Issues
In response to compromise incidents LinkedIn Evernote and Twitter rolled out additional security measures which notably included two-step verification measures20 The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results21
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish
to increase their online presence Such scams offer ldquofree followersrdquo or use professional-looking sites where they can supposedly buy followers in bulk22 The tactic of selling followers is not new though Cybercriminals simply turned to different avenues outside Twitter and Facebook Interestingly this threat appeared while social media sites found ways to monetize the services they offered23
How Cybercriminals Trick Users into Giving Out Their Information24
Scammers modified their schemes as new platforms were introduced From the Nigerian scams usually seen by way of spam scammers have now branched out to new platforms and targets like social media and mobile devices
Spam and phiShing SiteS Search engineS Social media mobile
EARly 2000ndash2009 2009ndash2011 lATE 2009ndashPRESENT 2011ndashPRESENT
Scams in the early 2000s mainly comprised pharmaceutical account notification and Nigerian scams which mostly led victims to phishing sites
Cybercriminals abuse search engines via blackhat search engine optimization (SEO) This technique takes advantage of using keywords related to significant news andor events for malicious purposes
Social media present themselves as attractive cybercrime platforms because of their large user bases Cybercriminal favorites include Facebook Twitter Tumblr and Pinterest
Today smartphones and other mobile devices enable cybercriminals to reach new heights Mobile adware and malicious apps are among the preferred means of deploying malicious schemes
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
15 | Exploits and Vulnerabilities
ExpLOITS aND VuLNERaBILITIES
Software Vendors Try to Clean Up Their ActAfter last quarterrsquos high volume of zero-day vulnerabilities Oracle implemented several steps that aimed to improve Javarsquos security These include quarterly update releases automated security testing and not allowing self-signed or unsigned apps for Java software used in browsers
Though we saw fewer zero-day incidents this quarter exploits still posed serious threats to users The Internet Explorerreg (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised25 Exploits targeting Plesk and ColdFusionreg also put forth the importance of securing web servers and touched on how enterprises secure their sites26
As anticipated it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January27 This quarter we saw exploits target the software flaw as a result of the disclosure of the vulnerabilityrsquos code
The issue of addressing vulnerabilities was a hot topic this quarter especially with Googlersquos announcement of a seven-day disclosure policy Several security pundits saw this as a noble yet impractical proposal But as our CTO Raimund Genes pointed out the bigger issue that should be discussed has to do with how vulnerabilities should be reported
[Figure: Timeline of Vulnerability Attacks, showing the private disclosure, public disclosure, patch release, and exploitation dates for the Ruby on Rails, Plesk, IE zero-day, and Java vulnerabilities.]
How Oracle Plans to Secure Java
- Delivering three patches every three months, starting October 2013
- Using automated security testing tools against regressions and bugs
- Supporting Windows® security policies so system administrators can set network-wide policies on Java use
- Disallowing the running of unsigned or self-signed apps
- Making Java's process for revoking signing certificates more flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES
Corporate Security Woes Pile Up
Targeted Attacks
Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia-Pacific.[28] This campaign hit various industries, including telecommunications, oil and gas, government, and media. It usually starts with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as "Safe."[29] Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston Marathon bombing as a social engineering lure to trick users into downloading malware that communicates over Secure Sockets Layer (SSL).[30]
File Types Used in Spear Phishing Related to Targeted Attacks

Rank  File type              Share
1     EXE/DLL                43%
2     DOC                    12%
3     JPG                    10%
4     TXT/HTML               8%
5     RTF                    5%
6     ZIP                    4%
7     XLS                    3%
8     RAR                    3%
9     PPS/PPT                3%
10    [label not recovered]  2%
      Others                 7%

Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.
Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies[31]

Company                        Results
Goo                            Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan                    Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP)          Attackers hacked AP's Twitter account, which erased US$200 billion worth of stock value
LivingSocial                   Unauthorized access to the accounts of 50 million users
Several South Korean agencies  Several sites were defaced and suffered DDoS attacks

Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix

Top 10 Android Adware Families

Rank  Family    Share
1     ARPUSH    41.79%
2     ADSWO     16.50%
3     PLANKTON  12.84%
4     LEADBLT   11.02%
5     IZP       8.17%
6     WAPSX     4.25%
7     OQX       4.10%
8     WBOO      0.67%
9     YOUMI     0.27%
10    UAPSH     0.13%
      Others    0.26%
Malicious URL Country Sources

No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.

Rank  Country         Share
1     United States   25.90%
2     Germany         3.24%
3     China           3.16%
4     Netherlands     3.13%
5     South Korea     2.60%
6     France          1.94%
7     Japan           1.93%
8     Russia          1.64%
9     Canada          0.81%
10    United Kingdom  0.77%
      Others          54.88%
Top 10 Countries with the Most Botnet C&C Servers

Similar to the previous quarter, the United States had the most botnet C&C servers, while Australia surpassed South Korea.

Rank  Country         Share
1     United States   24.05%
2     Australia       5.15%
3     South Korea     3.38%
4     China           3.02%
5     Germany         2.87%
6     Taiwan          2.10%
7     France          1.88%
8     United Kingdom  1.72%
9     Brazil          1.47%
10    Canada          1.18%
      Others          53.18%
Top 10 Countries with the Highest Number of Connections to Botnets

DDoS attacks in Malaysia related to the elections contributed to the increase in the country's volume of malicious connections.

Rank  Country         Share
1     Malaysia        28.39%
2     United States   14.14%
3     France          11.63%
4     Germany         5.64%
5     Canada          5.29%
6     South Korea     4.13%
7     United Kingdom  3.84%
8     Thailand        3.22%
9     Hong Kong       3.07%
10    Italy           2.53%
      Others          18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices – Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID, If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
[Figure: Underground Price Changes for Basic Online Banking Toolkits, 2010–2013. Toolkits plotted: ZeuS, SpyEye, Carberp, Ice IX (only made available in 2012), and Citadel; price axis from US$0 to US$10,000.]
We found online banking malware that modifies an infected computer's HOSTS file to redirect customers of certain South Korean banks to phishing sites.[13] We also saw more Citadel variants (detected as ZBOT) target different financial service institutions in Japan. These malware not only target the big banks in Japan but also smaller ones, including those that exclusively cater to online banking customers.
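The HOSTS-file redirection described above leaves a static artifact on the endpoint that a defender can audit. The script below is an added example, not code from the Trend Micro report: it parses hosts-file syntax and reports any watched banking zone that the file pins to an address, distinguishing a redirect to a foreign host from a loopback block; the zone names, addresses, and the tampered sample file are constructed placeholders.

```python
"""Audit a HOSTS file for entries that hijack online-banking domains.

Added example (not from the Trend Micro report). Banking malware of the kind
the report describes appends lines to the victim's HOSTS file so that a bank's
hostname resolves to a phishing server instead of the real site. A legitimate
workstation has no reason to carry a static entry for a bank at all, so every
watched zone found here is reported: pinned to a foreign address it is a
redirect; pinned to loopback it is a block. Zone names and addresses below are
constructed placeholders, not real bank hosts.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed watch list: DNS zones the defender wants to protect (placeholders).
WATCHED_ZONES = ("examplebank.co.kr", "example-bank.com")

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


class Finding(NamedTuple):
    line: int   # 1-based line number in the HOSTS file
    host: str   # hostname that was pinned
    ip: str     # address it was pinned to
    kind: str   # "redirect" (foreign address) or "block" (loopback)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping in hosts-file syntax.

    Handles '#' comments (whole-line and trailing), blank lines, several
    hostnames on one line, and IPv6 addresses; a line whose first field is
    not an IP address is skipped, as resolvers skip it.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((line_no, ip, name.lower().rstrip(".")))
    return entries


def in_watched_zone(host: str, zones=WATCHED_ZONES) -> bool:
    """True if host is one of the watched zones or a subdomain of one."""
    return any(host == z or host.endswith("." + z) for z in zones)


def find_hijacks(text: str, zones=WATCHED_ZONES) -> List[Finding]:
    """Report every watched hostname that the HOSTS file pins to an address."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if not in_watched_zone(host, zones):
            continue
        kind = "block" if ipaddress.ip_address(ip) in LOOPBACK else "redirect"
        findings.append(Finding(line_no, host, ip, kind))
    return findings


# Constructed sample of a tampered HOSTS file (RFC 5737 documentation addresses).
SAMPLE_HOSTS = """\
# Constructed sample; the mappings after the second comment imitate malware-added lines
127.0.0.1       localhost
::1             localhost
# appended by the malware
198.51.100.23   online.examplebank.co.kr www.examplebank.co.kr
203.0.113.7     banking.example-bank.com   # trailing comment is ignored
127.0.0.1       update.example-av.test     # not a watched zone: ignored
"""

if __name__ == "__main__":
    # On a real host, pass the contents of /etc/hosts or
    # %SystemRoot%\System32\drivers\etc\hosts instead of the sample.
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f.line}: {f.host} -> {f.ip} ({f.kind})")
```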
As predicted, cybercriminals carried out developments in malware distribution and refined existing tools. New ZeuS/ZBOT deployment tactics include a propagation routine.[14] The PIZZER worm was also found spreading and copying itself onto password-protected archive files, using a technique similar to that of the PROLACO malware.[15]
Several cloud services were also hit by attacks this quarter. The VERNOT backdoor, which first abused a popular note-taking service, abused a well-known Japanese blogging platform by using it as a C&C server. Several GAMARUE variants were hosted on SourceForge, a popular code repository. Cybercriminals typically abuse legitimate services for "free hosting," successfully tricking users into trusting malicious links since these appear to belong to a well-known name.
More developments in cybercrime contributed to the increase in spam and botnet activity this quarter. Among these were the compromise of WordPress sites in April, the emergence of Stealrat and its use of compromised hosts to send out spam, and observed peaks in spam activity.[16]
Note: These are estimated going rates. ZeuS and SpyEye have been around since before 2010.
Number of Botnet C&C Servers Detected per Month

Month  Servers detected
April  2,102
May    4,003
June   1,434

May showed the highest number of detected C&C servers so far this year.

Number of Connections to Botnets per Month

Month  Connections
April  10.4M
May    11.9M
June   2.7M

Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Top 10 Spam Languages

While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.

Rank  Language    Share
1     English     82.56%
2     Chinese     3.26%
3     Russian     2.49%
4     Japanese    1.94%
5     German      0.86%
6     Portuguese  0.29%
7     Spanish     0.20%
8     Icelandic   0.16%
9     French      0.07%
10    Turkish     0.07%
      Others      8.10%
Top 10 Spam-Sending Countries

Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico, and Turkey.

Rank  Country        Share
1     United States  9.47%
2     Spain          6.97%
3     India          6.36%
4     Taiwan         5.68%
5     Argentina      5.49%
6     Italy          4.52%
7     Colombia       3.70%
8     Mexico         3.56%
9     Belarus        3.55%
10    Turkey         3.08%
      Others         47.62%
DIGITAL LIFE SECURITY ISSUES
Social Threats Abuse Diverse Platforms
As more users manage multiple online accounts, cybercriminals explored ways to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites for popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3.[17] Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.[18] These attacks abused the use of the SSO approach, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse events, including the Boston Marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait.[19]
Notable Social Engineering Lures Used
- Get free followers on Instagram
- Boston bombing
- MIT shooting
- Texas fertilizer plant bombing
- Iron Man 3
- Income tax returns

As more users across different segments maximize their use of Instagram, it has become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote, and Twitter rolled out additional security measures, which notably included two-step verification.[20] The attack on Twitter posed an interesting case study on how social media can be used to spread false news with severe results.[21]
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where victims can supposedly buy followers in bulk.[22] The tactic of selling followers is not new, though; cybercriminals simply turned to avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.[23]
How Cybercriminals Trick Users into Giving Out Their Information[24]

Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.

- Spam and phishing sites (early 2000–2009): Scams in the early 2000s mainly comprised pharmaceutical, account notification, and Nigerian scams, which mostly led victims to phishing sites.
- Search engines (2009–2011): Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique uses keywords related to significant news and/or events for malicious purposes.
- Social media (late 2009–present): Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr, and Pinterest.
- Mobile (2011–present): Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
15 Lenart Bermejo (May 24 2013) TrendLabs Security Intelligence Blog ldquoWorm Creates Copies in Password-Protected Archived Filesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceworm-creates-copies-in-password-protected-archived-files
16 Jessa Dela Torre (April 16 2013) TrendLabs Security Intelligence Blog ldquoCompromised Sites Conceal Stealrat Botnet Operationsrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-sites-conceal-stealrat-botnet-operations
17 Paul Pajares (July 8 2013) TrendLabs Security Intelligence Blog ldquoMan of Steel Fast and Furious 6 Among Online Fraudstersrsquo Most Used Luresrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceman-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures Gelo Abendan (May 2 2013) TrendLabs Security Intelligence Blog ldquoFake Iron Man 3 Streaming Sites Sprout on Social Mediardquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencefake-iron-man-3-streaming-sites-sprout-on-social-media
18 Anthony Melgarejo (May 2 2013) TrendLabs Security Intelligence Blog ldquoBackdoor Leads to Facebook and Multiprotocol Instant-Messaging Wormrdquo
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
22 | References
Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencebackdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm Paul Pajares (April 30 2013) TrendLabs Security Intelligence Blog ldquoHackers to Manage Your Apple ID If Caught from Phishing Baitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19 Aisa Escober (April 16 2013) TrendLabs Security Intelligence Blog ldquoKELIHOS Worm Emerges Takes Advantage of Boston Marathon Blastrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencekelihos-worm-emerges-takes-advantage-of-boston-marathon-blast Trend Micro Incorporated (2013) Threat Encyclopedia ldquoSpam Attack Leverages Oklahoma Tornado Disasterrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusspam494Spam+Attack+Leverages+Oklahoma+Tornado+Disaster Ryan Certeza (April 19 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast MIT Shootingrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting Gelo Abendan (April 4 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Threaten Tax Day Once Againrdquo Last accessed July 30 2013 http blogtrendmicrocomtrendlabs-security-intelligencecybercriminals-threaten-tax-day-once-again
20 Jim Finkle (May 31 2013) NBC News Technology ldquoLinkedIn Improves Security with Two-Factor Authenticationrdquo Last accessed July 2013 httpwwwnbcnewscomtechnologylinkedin-improves-security-two-factor-authentication-6C10141010 Seth Hitchings (May 30 2013) The Evernote Blog ldquoEvernotersquos Three New Security Featuresrdquo Last accessed July 2013 httpblogevernotecomblog20130530evernotes-three-new-security-features Jim OrsquoLeary (May 22 2013) Twitter Blog ldquoGetting Started with Login Verificationrdquo Last accessed July 2013 httpsblogtwittercom2013getting-started-login-verification
21 David Jackson (April 23 2013) USA Today News ldquoAP Twitter Feed Hacked No Attack at White Houserdquo Last accessed July 30 2013 httpwwwusatodaycomstorytheoval20130423obama-carney-associated-press-hack-white-house2106757
22 Karla Agregado (June 25 2013) TrendLabs Security Intelligence Blog ldquoScam Sites Now Selling Instagram Followersrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencescam-sites-now-selling-instagram-followers
23 Zachary Seward (May 20 2013) Quartz ldquoHow Yahoo Plans to Make Money on Tumblr Ads That Donrsquot Feel Like Adsrdquo Last accessed July 30 2013 httpqzcom86437how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24 Gelo Abendan (March 3 2012) Threat Encyc lopedia ldquoMobile Apps New Frontier for Cybercrimerdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack119mobile apps new frontier for cybercrime Marco Dela Vega (November 23 2010) TrendLabs Security Intelligence Blog ldquoWith Holiday Wishes Come Poisoned Searchesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencewith-holiday-wishes-come-poisoned-searches Dianne Kristine Lagrimas (November 13 2011) Threat Encyclopedia ldquoSports as Bait Cybercriminals Play to Winrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack99sports as bait cybercriminals play to win Valerie Ria Rivera (March 29 2011) Threat Encyclopedia ldquoSpam Scams and Other Social Media Threatsrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack75spam scams and other social media threats
25 Dexter To (May 5 2013) TrendLabs Security Intelligence Blog ldquoCompromised US Government Web Page Used Zero-Day Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-us-government-webpage-used-zero-day-exploit
26 Sooraj KS (June 6 2013) TrendLabs Security Intelligence Blog ldquoPlesk Zero-Day Exploit Results in Compromised Web Serverrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceplesk-zero-day-exploit-results-in-compromised-webserver
27 Gelo Abendan (May 30 2013) TrendLabs Security Intelligence Blog ldquoTrend Micro Deep Security Guards Users from Ruby on Rails Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28 Maharlito Aquino (June 13 2013) TrendLabs Security Intelligence Blog ldquoRARSTONE Found in Targeted Attacksrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencerarstone-found-in-targeted-attacks
29 Kyle Wilhoit (May 17 2013) TrendLabs Security Intelligence Blog ldquoHiding in Plain Sight A New Targeted Attack Campaignrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehiding-in-plain-sight-a-new-apt-campaign
30 Nart Villeneuve (April 25 2013) TrendLabs Security Intelligence Blog ldquoTargeted Attack Campaign Hides Behind SSL Communicationrdquo Last accessed July 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetargeted-attack-campaign-hides-behind-ssl-communication
31 Jay Alabaster (April 4 2013) Computerworld ldquoJapanese Web Portals Hacked Up to 100000 Accounts Compromisedrdquo Last accessed July 30 2013 httpwwwcomputerworldcomauarticle458079japanese_web_portals_hacked_up_100_000_accounts_compromised LivingSocial ldquoLivingSocial Security Noticerdquo Last accessed July 30 2013 httpswwwlivingsocialcomcreatepassword Kadim Shubber (May 20 2013) Wired UK ldquoMillions of Usersrsquo Data Hacked in Yahoo Japan Security Breachrdquo Last accessed July 30 2013 httpwwwwiredcouknewsarchive2013-0520yahoo-japan-hacked Erin Madigan White (April 23 2013) AP Blog The Definitive Source ldquoAP Responds to Hacking of Twitter Accountrdquo Last accessed July 30 2013 httpblogaporg20130423hackers-compromise-ap-twitter-account
TREND MICRO LEgaL DISCLaIMER
The information provided herein is for general information and educational purposes only It is not intended and should not be construed to constitute legal advice The information contained herein may not be applicable to all situations and may not reflect the most current situation Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise Trend Micro reserves the right to modify the contents of this document at any time without prior notice
Translations of any material into other languages are intended solely as a convenience Translation accuracy is not guaranteed nor implied If any questions arise related to the accuracy of a translation please refer to the original language official version of the document any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes
although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein Trend Micro makes no warranties or representations of any kind as to its accuracy currency or completeness you agree that access to and use of and reliance on this document and the content thereof is at your own risk Trend Micro disclaims all warranties of any kind express or implied Neither Trend Micro nor any party involved in creating producing or delivering this document shall be liable for any consequence loss or damage including direct indirect special consequential loss of business profits or special damages whatsoever arising out of access to use of or inability to use or in connection with the use of this document or any errors or omissions in the content thereof use of this information constitutes acceptance for use in an ldquoas isrdquo condition
Trend Micro Incorporated a global leader in security software and solutions strives to make the world safe for exchanging digital information For more information visit wwwtrendmicrocom
copy2013 by Trend Micro Incorporated all rights reserved Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated all other product or company names may be trademarks or registered trademarks of their owners
Created by
global Technical Support amp RampD Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
Number of Botnet C&C Servers Detected per Month

MONTH   C&C SERVERS DETECTED
April   2,102
May     4,003
June    1,434

May showed the highest number of detected C&C servers so far this year.
Number of Connections to Botnets per Month

MONTH   CONNECTIONS
April   10.4M
May     11.9M
June    2.7M

Due to the increase in the number of active botnets in May, we also noted a significant increase in the number of botnet connections that month.
Top 10 Spam Languages

While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.

RANK  LANGUAGE    SHARE
1     English     82.56%
2     Chinese     3.26%
3     Russian     2.49%
4     Japanese    1.94%
5     German      0.86%
6     Portuguese  0.29%
7     Spanish     0.20%
8     Icelandic   0.16%
9     French      0.07%
10    Turkish     0.07%
      Others      8.10%
Top 10 Spam-Sending Countries

Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico, and Turkey.

RANK  COUNTRY        SHARE
1     United States  9.47%
2     Spain          6.97%
3     India          6.36%
4     Taiwan         5.68%
5     Argentina      5.49%
6     Italy          4.52%
7     Colombia       3.70%
8     Mexico         3.56%
9     Belarus        3.55%
10    Turkey         3.08%
      Others         47.62%
DIGITAL LIFE SECURITY ISSUES

Social Threats Abuse Diverse Platforms

As more users manage multiple online accounts, cybercriminals explored means to use this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites for popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3.[17] Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks.[18] These attacks abused the single sign-on (SSO) approach, under which one stolen credential opens every service tied to it; this should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse items, including the Boston Marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait.[19]
Notable Social Engineering Lures Used

Get free followers on Instagram
Boston bombing
MIT shooting
Texas fertilizer plant bombing
Iron Man 3
Income tax returns

As more users across different segments maximize the use of Instagram, it has now become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote, and Twitter rolled out additional security measures, which notably included two-step verification.[20] The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results.[21]
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where victims can supposedly buy followers in bulk.[22] The tactic of selling followers is not new, though; cybercriminals simply turned to different avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites found ways to monetize the services they offered.[23]
How Cybercriminals Trick Users into Giving Out Their Information[24]

Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have now branched out to new platforms and targets like social media and mobile devices.

Spam and phishing sites (early 2000 to 2009)
Scams in the early 2000s mainly comprised pharmaceutical, account notification, and Nigerian scams, which mostly led victims to phishing sites.

Search engines (2009 to 2011)
Cybercriminals abuse search engines via blackhat search engine optimization (SEO). This technique takes advantage of keywords related to significant news and/or events for malicious purposes.

Social media (late 2009 to present)
Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr, and Pinterest.

Mobile (2011 to present)
Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES

Software Vendors Try to Clean Up Their Act

After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps aimed at improving Java's security. These include quarterly update releases, automated security testing, and no longer allowing self-signed or unsigned apps to run in Java software used in browsers.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised.[25] Exploits targeting Plesk and ColdFusion also put forth the importance of securing web servers and touched on how enterprises secure their sites.[26]

As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.[27] This quarter, we saw exploits target the flaw after code exploiting the vulnerability was publicly disclosed.

The issue of addressing vulnerabilities was a hot topic this quarter, especially with Google's announcement of a seven-day disclosure policy. Several security pundits saw this as a noble yet impractical proposal. But as our CTO Raimund Genes pointed out, the bigger issue that should be discussed has to do with how vulnerabilities should be reported.
Timeline of Vulnerability Attacks (figure)

Rows: Ruby on Rails, Plesk, IE zero-day, Java. Columns: Private Disclosure, Public Disclosure, Patch Released, Exploited. The dates in the figure survive only as separator-less strings with their cell positions lost (1082013, 5032012, 1282013, 1172012, 5282013, 5032012, 4302013, 5032013, 5142013, 6182013, 6182013), so the per-vulnerability timeline cannot be reconstructed from this text.
How Oracle Plans to Secure Java

Delivering three patches every three months, starting October 2013
Using automated security testing tools against regressions and bugs
Supporting Windows security policies so system administrators can set networkwide policies on Java use
Disallowing running unsigned or self-signed apps
Making Java's process of revoking code-signing certificates flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES

Corporate Security Woes Pile Up

Targeted Attacks

Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia-Pacific.[28] This campaign hit various industries like telecommunications, oil and gas, government, media, and others. It usually starts out with spear-phishing attacks that exploit a specific vulnerability, which was also used in another campaign known as "Safe".[29] Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.

Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston Marathon bombing as a social engineering lure to trick users into downloading malware that communicates over Secure Sockets Layer (SSL), hiding its command-and-control traffic inside encrypted connections.[30]
File Types Used in Spear Phishing Related to Targeted Attacks

RANK  FILE TYPE                        SHARE
1     EXE/DLL                          43%
2     DOC                              12%
3     JPG                              10%
4     TXT/HTML                         8%
5     RTF                              5%
6     ZIP                              4%
7     XLS                              3%
8     RAR                              3%
9     PPS/PPT                          3%
10    (label not recovered from source) 2%
      Others                           7%

Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
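The table makes a practical point for mail gateways and incident responders: the attachment's name says nothing about what it is, and with EXE/DLL at 43% a large share of spear-phishing attachments are executables regardless of the extension they carry. As an added example that is not part of the report, the following Python triages attachments by content instead of name: it sniffs the leading bytes, compares the result with what the extension promises, and flags double extensions, right-to-left-override names and legacy Office (OLE2) documents that carry a VBA project. The file names and bytes are constructed for the demonstration, and the VBA check is a string heuristic, not a full OLE parser.

```python
"""Triage e-mail attachments by content rather than by file name.

Added example, not code from the Trend Micro report. The file names
and bytes below are constructed for the demonstration.
"""
from __future__ import annotations

# (magic prefix, content kind), tested in order.
MAGIC = [
    (b"MZ", "exe/dll"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt/.pps
    (b"PK\x03\x04", "zip"),                          # .zip and OOXML .docx/.xlsx/.pptx
    (b"{\\rtf", "rtf"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF", "pdf"),
]

# Content kinds an extension is allowed to carry; "unknown" means no magic expected.
EXPECTED = {
    "exe": {"exe/dll"}, "dll": {"exe/dll"},
    "doc": {"ole2"}, "xls": {"ole2"}, "ppt": {"ole2"}, "pps": {"ole2"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "zip": {"zip"},
    "rtf": {"rtf"}, "rar": {"rar"}, "jpg": {"jpg"}, "jpeg": {"jpg"}, "pdf": {"pdf"},
    "txt": {"unknown"}, "htm": {"unknown"}, "html": {"unknown"},
}
EXEC_EXTS = {"exe", "dll", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# UTF-16LE stream name present in OLE2 files that contain VBA macros (heuristic).
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
RTLO = "\u202e"  # right-to-left override, used to hide ".exe" at the end of a name


def sniff(data: bytes) -> str:
    """Return the content kind implied by the leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name: str, data: bytes) -> dict:
    """Flag an attachment when its content, name and extension disagree."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    reasons = []
    if kind == "exe/dll":
        reasons.append("executable content")
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        reasons.append(f"extension .{ext} does not match content {kind}")
    if len(parts) > 2 and ext in EXEC_EXTS:
        reasons.append("double extension ending in an executable type")
    if RTLO in name:
        reasons.append("right-to-left override in file name")
    if kind == "ole2" and VBA_MARKER in data:
        reasons.append("VBA macro project present")
    return {"name": name, "ext": ext, "content": kind,
            "suspicious": bool(reasons), "reasons": reasons}


OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
MZ = b"MZ\x90\x00\x03\x00" + b"\x00" * 26

# Constructed samples (not real malware), keyed by the name the e-mail carried.
SAMPLES = {
    "quarterly_report.doc": OLE,
    "photo.jpg": MZ,                     # executable renamed to look like an image
    "invoice.pdf.exe": MZ,               # double extension
    "budget.xls": OLE + VBA_MARKER + b"\x00" * 8,
    "notes.rtf": b"{\\rtf1\\ansi Hello}",
    "readme.txt": b"plain text only\n",
    "archive.zip": b"PK\x03\x04" + b"\x00" * 28,
}


def triage_all(samples: dict[str, bytes]) -> dict[str, dict]:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all(SAMPLES).items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name:22} {result['content']:8} {flag} {'; '.join(result['reasons'])}")
```

A real gateway would go further (unpack ZIP and RAR members, which the table shows at 4% and 3%, and run a proper OLE/OOXML parser for macros), but the ordering above is the point: decide from the bytes first, and treat the name as a second signal that can only raise suspicion, never lower it.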
DDoS Attacks

Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.

Data Breaches

Companies like Yahoo! Japan, LivingSocial, Twitter, and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of an outdated code-signing certificate.
Attacks Targeting Well-known Companies[31]

COMPANY                         RESULTS
Goo                             Locked 100,000 accounts to prevent unauthorized logins
Yahoo! Japan                    Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP)           Attackers hacked AP's Twitter account, which temporarily erased US$200 billion worth of stock value
LivingSocial                    Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies   Several sites were defaced and suffered DDoS attacks

Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families

RANK  FAMILY    SHARE
1     ARPUSH    41.79%
2     ADSWO     16.50%
3     PLANKTON  12.84%
4     LEADBLT   11.02%
5     IZP       8.17%
6     WAPSX     4.25%
7     OQX       4.10%
8     WBOO      0.67%
9     YOUMI     0.27%
10    UAPSH     0.13%
      Others    0.26%
Malicious URL Country Sources

No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.

RANK  COUNTRY         SHARE
1     United States   25.90%
2     Germany         3.24%
3     China           3.16%
4     Netherlands     3.13%
5     South Korea     2.60%
6     France          1.94%
7     Japan           1.93%
8     Russia          1.64%
9     Canada          0.81%
10    United Kingdom  0.77%
      Others          54.88%
Top 10 Countries with the Most Number of Botnet C&C Servers

Similar to the previous quarter, the United States had the most number of botnet C&C servers, while Australia surpassed South Korea.

RANK  COUNTRY         SHARE
1     United States   24.05%
2     Australia       5.15%
3     South Korea     3.38%
4     China           3.02%
5     Germany         2.87%
6     Taiwan          2.10%
7     France          1.88%
8     United Kingdom  1.72%
9     Brazil          1.47%
10    Canada          1.18%
      Others          53.18%

Top 10 Countries with the Highest Number of Connections to Botnets

DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.

RANK  COUNTRY         SHARE
1     Malaysia        28.39%
2     United States   14.14%
3     France          11.63%
4     Germany         5.64%
5     Canada          5.29%
6     South Korea     4.13%
7     United Kingdom  3.84%
8     Thailand        3.22%
9     Hong Kong       3.07%
10    Italy           2.53%
      Others          18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices/
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites/
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013. http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan/
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013. http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013. http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites/
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users/
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites/
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted/
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files/
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations/
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures/; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media/
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm/; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID If Caught from Phishing Bait." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait/
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting/; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again/
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013. http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013. http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013. https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013. http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757/
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers/
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013. http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads/
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches/; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013. http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit/
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver/
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit/
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign/
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013. http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013. http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised/; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013. https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013. http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013. http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account/
TREND MICRO LEgaL DISCLaIMER
The information provided herein is for general information and educational purposes only It is not intended and should not be construed to constitute legal advice The information contained herein may not be applicable to all situations and may not reflect the most current situation Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise Trend Micro reserves the right to modify the contents of this document at any time without prior notice
Translations of any material into other languages are intended solely as a convenience Translation accuracy is not guaranteed nor implied If any questions arise related to the accuracy of a translation please refer to the original language official version of the document any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes
although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein Trend Micro makes no warranties or representations of any kind as to its accuracy currency or completeness you agree that access to and use of and reliance on this document and the content thereof is at your own risk Trend Micro disclaims all warranties of any kind express or implied Neither Trend Micro nor any party involved in creating producing or delivering this document shall be liable for any consequence loss or damage including direct indirect special consequential loss of business profits or special damages whatsoever arising out of access to use of or inability to use or in connection with the use of this document or any errors or omissions in the content thereof use of this information constitutes acceptance for use in an ldquoas isrdquo condition
Trend Micro Incorporated a global leader in security software and solutions strives to make the world safe for exchanging digital information For more information visit wwwtrendmicrocom
copy2013 by Trend Micro Incorporated all rights reserved Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated all other product or company names may be trademarks or registered trademarks of their owners
Created by
global Technical Support amp RampD Center of TREND MICRO
12 | Cybercrime
Top 10 Spam Languages

While English remained the top preferred language of spammers, we also saw a general increase in the non-English spam volume.

RANK  LANGUAGE    SHARE
1     English     82.56%
2     Chinese     3.26%
3     Russian     2.49%
4     Japanese    1.94%
5     German      0.86%
6     Portuguese  0.29%
7     Spanish     0.20%
8     Icelandic   0.16%
9     French      0.07%
10    Turkish     0.07%
      Others      8.10%
Top 10 Spam-Sending Countries

Cybercriminals are finding other countries to host their malicious activities in, hence the increase in spam activity in countries like Argentina, Italy, Mexico, and Turkey.

RANK  COUNTRY        SHARE
1     United States  9.47%
2     Spain          6.97%
3     India          6.36%
4     Taiwan         5.68%
5     Argentina      5.49%
6     Italy          4.52%
7     Colombia       3.70%
8     Mexico         3.56%
9     Belarus        3.55%
10    Turkey         3.08%
      Others         47.62%
DIGITAL LIFE SECURITY ISSUES

Social Threats Abuse Diverse Platforms

As more users manage multiple online accounts, cybercriminals explored ways to turn this trend to their advantage. They abused popular blogging sites like Tumblr, WordPress, and Blogger to host fake streaming sites for popular summer movies, including Man of Steel, Fast and Furious 6, and Iron Man 3.[17] Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted.[18] Because these attacks abused single sign-on (SSO), one stolen credential exposes every service tied to that account, which should serve as a reminder to protect online accounts and avoid using weak passwords.
Users were also reacquainted with old social engineering tactics, as several attacks used diverse events, including the Boston Marathon bombing, the Oklahoma tornado disaster, the Texas fertilizer plant explosion, and the tax season, as bait.[19]
Notable Social Engineering Lures Used (figure): "Get free followers on Instagram," Boston bombing, MIT shooting, Texas fertilizer plant bombing, Iron Man 3, income tax returns. As more users across different segments maximize their use of Instagram, it has become a viable target for cybercrime.
In response to compromise incidents, LinkedIn, Evernote, and Twitter rolled out additional security measures, notably two-step verification.[20] The hijacking of the Associated Press's Twitter account was an interesting case study in how social media can be used to spread false news with severe results.[21]
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish to increase their online presence. Such scams offer "free followers" or use professional-looking sites where victims can supposedly buy followers in bulk.[22] The tactic of selling followers is not new, though; cybercriminals simply turned to avenues outside Twitter and Facebook. Interestingly, this threat appeared while social media sites were finding ways to monetize the services they offered.[23]
How Cybercriminals Trick Users into Giving Out Their Information[24]

Scammers modified their schemes as new platforms were introduced. From the Nigerian scams usually seen by way of spam, scammers have branched out to new platforms and targets like social media and mobile devices.

Spam and phishing sites (early 2000–2009): Scams in the early 2000s mainly comprised pharmaceutical, account-notification, and Nigerian scams, which mostly led victims to phishing sites.

Search engines (2009–2011): Cybercriminals abuse search engines via blackhat search engine optimization (SEO), a technique that uses keywords related to significant news and/or events for malicious purposes.

Social media (late 2009–present): Social media present themselves as attractive cybercrime platforms because of their large user bases. Cybercriminal favorites include Facebook, Twitter, Tumblr, and Pinterest.

Mobile (2011–present): Today, smartphones and other mobile devices enable cybercriminals to reach new heights. Mobile adware and malicious apps are among the preferred means of deploying malicious schemes.
EXPLOITS AND VULNERABILITIES

Software Vendors Try to Clean Up Their Act

After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps aimed at improving Java's security. These include quarterly update releases, automated security testing, and no longer allowing self-signed or unsigned apps to run in the browser plug-in.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer® (IE) zero-day exploit found on the US Department of Labor page showed that even a trusted site can be compromised and used to serve exploits to its visitors.[25] Exploits targeting Plesk and ColdFusion® also underscored the importance of securing web servers and raised questions about how enterprises secure their sites.[26]
As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January.[27] This quarter we saw exploits target the flaw, following the public release of exploit code for it.
How vulnerabilities should be addressed was a hot topic this quarter, especially after Google announced a seven-day disclosure policy. Several security pundits saw this as a noble yet impractical proposal. But as our CTO Raimund Genes pointed out, the bigger issue to discuss is how vulnerabilities should be reported.
Timeline of Vulnerability Attacks (figure)

Rows: Ruby on Rails, Plesk, IE zero-day, Java. Columns: Private Disclosure, Public Disclosure, Patch Released, Exploited. Dates plotted, in the order extracted: 1/08/2013, 5/03/2012, 1/28/2013, 1/17/2012 or 11/7/2012 (the digits are ambiguous), 5/28/2013, 5/03/2012, 4/30/2013, 5/03/2013, 5/14/2013, 6/18/2013, 6/18/2013. The figure's assignment of dates to rows and columns is not recoverable from the text.
How Oracle Plans to Secure Java

Delivering three patches every three months, starting October 2013
Using automated security testing tools against regressions and bugs
Supporting Windows® security policies so system administrators can set networkwide policies on Java use
Disallowing the running of unsigned or self-signed apps
Making Java's process for revoking code-signing certificates more flexible
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES

Corporate Security Woes Pile Up

Targeted Attacks

Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was seen primarily in several Asia-Pacific countries.[28] It hit industries including telecommunications, oil and gas, government, and media. It usually starts with spear-phishing emails that target a specific vulnerability, which was also used in another campaign known as "Safe."[29] Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread across 100 countries worldwide.

Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston Marathon bombing as a social engineering lure to trick users into downloading malware that communicates over Secure Sockets Layer (SSL), hiding its command-and-control traffic inside encrypted sessions.[30]
File Types Used in Spear Phishing Related to Targeted Attacks

RANK  FILE TYPE                       SHARE
1     EXE/DLL                         43%
2     DOC                             12%
3     JPG                             10%
4     TXT/HTML                        8%
5     RTF                             5%
6     ZIP                             4%
7     XLS                             3%
8     RAR                             3%
9     PPS/PPT                         3%
10    [label missing in the source]   2%
      Others                          7%

Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
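The breakdown above only helps if the mail gateway can actually tell an EXE/DLL from a document, since the 43% share includes executables renamed to look like documents. The following Python is an added example written for this edit, not code from the report or from Trend Micro. It triages constructed sample attachments by comparing the extension the sender claims against the file's leading bytes, flagging executables, double extensions such as .pdf.exe, right-to-left-override filenames, and archives that still need unpacking. The magic-byte signatures, the extension sets, and the block/inspect/allow policy are assumptions chosen for illustration.

```python
"""Attachment triage for spear-phishing mail.

Added example (not from the report). It checks the extension a sender
claims against the leading bytes of the attachment, which is what an
attacker has to fake to get an EXE/DLL past a "documents only" filter.
The signatures and the policy below are assumptions made for illustration.
"""
from collections import Counter

# Leading bytes (magic) of the container formats in the table above.
# Assumption: these are the signatures a gateway would check first.
MAGIC = (
    (b"MZ", "EXE/DLL"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 (DOC/XLS/PPS/PPT)"),
    (b"PK\x03\x04", "ZIP (incl. DOCX/XLSX/PPTX)"),
    (b"Rar!\x1a\x07", "RAR"),
    (b"{\\rtf", "RTF"),
    (b"\xff\xd8\xff", "JPG"),
    (b"%PDF", "PDF"),
)

EXECUTABLE_EXT = {"exe", "dll", "scr", "pif", "com", "cpl"}
DOCUMENT_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pps", "pptx",
                "rtf", "pdf", "txt", "htm", "html", "jpg", "jpeg"}
ARCHIVE_EXT = {"zip", "rar"}
RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: makes "cod.exe" render as "exe.doc"


def sniff(data: bytes) -> str:
    """Return the format implied by the attachment's first bytes."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def extensions(name: str) -> list:
    """All dotted suffixes, lowercased: 'report.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed format and decide."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    flags = []
    if last in EXECUTABLE_EXT or kind == "EXE/DLL":
        flags.append("executable")
    if kind == "EXE/DLL" and last not in EXECUTABLE_EXT:
        flags.append("type-mismatch")       # e.g. photo.jpg that starts with MZ
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
        flags.append("double-extension")    # e.g. invoice.pdf.exe
    if RTLO in name:
        flags.append("rtlo-filename")
    if last in ARCHIVE_EXT or kind.startswith(("ZIP", "RAR")):
        flags.append("archive-needs-unpack")  # contents cannot be judged from outside

    blocking = {"executable", "type-mismatch", "double-extension", "rtlo-filename"}
    if blocking & set(flags):
        verdict = "block"
    elif flags:
        verdict = "inspect"
    else:
        verdict = "allow"
    return {"name": name, "ext": last, "sniffed": kind, "flags": flags, "verdict": verdict}


# Constructed sample attachments (not real malware): a few header bytes each.
SAMPLES = [
    ("Q2_report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 8),
    ("photo.jpg", b"MZ\x90\x00" + b"\x00" * 8),            # EXE renamed to .jpg
    ("agenda.rtf", b"{\\rtf1\\ansi"),
    ("docs.zip", b"PK\x03\x04" + b"\x00" * 8),
    ("summary" + RTLO + "cod.exe", b"MZ\x90\x00"),          # displays as "summaryexe.doc"
]


def run(samples=SAMPLES) -> list:
    """Triage every sample and return the per-attachment results."""
    return [triage(name, data) for name, data in samples]


def tally(results) -> Counter:
    """Count verdicts, the same way the table above counts file types."""
    return Counter(r["verdict"] for r in results)


if __name__ == "__main__":
    res = run()
    for r in res:
        print(f'{r["verdict"]:8} {r["sniffed"]:28} {r["flags"]}  {r["name"]!r}')
    print(dict(tally(res)))
```

The point of sniffing rather than trusting the extension is that the two cheapest disguises in the table, an MZ file named photo.jpg and a double extension, both fail the same check; archives are only marked for inspection because the gateway would have to unpack them (recursively, and with a size limit) before it could apply the same test to what is inside.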
DDoS Attacks

Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One incident rendered several sites inaccessible. Like the MBR-wiping Trojan incident last March, this attack was designed to execute at a specific time. It also showed how attackers continue to go after high-value targets and how much damage they can inflict within a short period.
Data Breaches

Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered security breaches this quarter. Opera also suffered a breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies[31]

COMPANY                        RESULTS
Goo                            Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan                    Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP)          Attackers hijacked AP's Twitter account, which briefly erased US$200 billion worth of stock value
LivingSocial                   Unauthorized access to the accounts of 50 million users
Several South Korean agencies  Several sites were defaced and suffered DDoS attacks

Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families

RANK  FAMILY    SHARE
1     ARPUSH    41.79%
2     ADSWO     16.50%
3     PLANKTON  12.84%
4     LEADBLT   11.02%
5     IZP       8.17%
6     WAPSX     4.25%
7     OQX       4.10%
8     WBOO      0.67%
9     YOUMI     0.27%
10    UAPSH     0.13%
      Others    0.26%
Malicious URL Country Sources

No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.

RANK  COUNTRY         SHARE
1     United States   25.90%
2     Germany         3.24%
3     China           3.16%
4     Netherlands     3.13%
5     South Korea     2.60%
6     France          1.94%
7     Japan           1.93%
8     Russia          1.64%
9     Canada          0.81%
10    United Kingdom  0.77%
      Others          54.88%
Top 10 Countries with the Most Botnet C&C Servers

As in the previous quarter, the United States had the most botnet C&C servers, while Australia surpassed South Korea.

RANK  COUNTRY         SHARE
1     United States   24.05%
2     Australia       5.15%
3     South Korea     3.38%
4     China           3.02%
5     Germany         2.87%
6     Taiwan          2.10%
7     France          1.88%
8     United Kingdom  1.72%
9     Brazil          1.47%
10    Canada          1.18%
      Others          53.18%
Top 10 Countries with the Highest Number of Connections to Botnets

DDoS attacks in Malaysia related to the elections contributed to the increase in the country's volume of malicious connections.

RANK  COUNTRY         SHARE
1     Malaysia        28.39%
2     United States   14.14%
3     France          11.63%
4     Germany         5.64%
5     Canada          5.29%
6     South Korea     4.13%
7     United Kingdom  3.84%
8     Thailand        3.22%
9     Hong Kong       3.07%
10    Italy           2.53%
      Others          18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID, If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.

Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.

©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Created by Global Technical Support & R&D Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
13 | Digital Life Security Issues
DIgITaL LIFE SECuRITy ISSuES
Social Threats Abuse Diverse PlatformsAs more users manage multiple online accounts cybercriminals explored means to use this trend to their advantage They abused popular blogging sites like Tumblr WordPress and Blogger to host fake streaming sites of popular summer movies including Man of Steel Fast and Furious 6 and Iron Man 317 Apple ID and well-known multiprotocol instant-messaging (IM) platforms like Digsby were also targeted by attacks18 These attacks abused the use of
the SSO approach which should serve as a reminder to protect online accounts and avoid using weak passwords
Users were also reacquainted with old social engineering tactics as several attacks used diverse items including the Boston marathon bombing the Oklahoma tornado disaster the Texas fertilizer plant explosion and the tax season as bait19
Notable Social Engineering Lures Used
GET FREEFOLLOWERS
ON INSTAGRAMBOSTON BOMBING
MIT SHOOTING
TEXAS FERTILIZERPLANT BOMBING
IRON MAN 3
INCOME TAX RETURNS
as more users across different segments maximize the use of Instagram it has now become a viable target for cybercrime
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
14 | Digital Life Security Issues
In response to compromise incidents LinkedIn Evernote and Twitter rolled out additional security measures which notably included two-step verification measures20 The attack on Twitter posed an interesting case study on how social media can be used to spread false news that can have severe results21
Instagram scams showed that cybercriminals are targeting SMBs and marketers who wish
to increase their online presence Such scams offer ldquofree followersrdquo or use professional-looking sites where they can supposedly buy followers in bulk22 The tactic of selling followers is not new though Cybercriminals simply turned to different avenues outside Twitter and Facebook Interestingly this threat appeared while social media sites found ways to monetize the services they offered23
How Cybercriminals Trick Users into Giving Out Their Information24
Scammers modified their schemes as new platforms were introduced From the Nigerian scams usually seen by way of spam scammers have now branched out to new platforms and targets like social media and mobile devices
Spam and phiShing SiteS Search engineS Social media mobile
EARly 2000ndash2009 2009ndash2011 lATE 2009ndashPRESENT 2011ndashPRESENT
Scams in the early 2000s mainly comprised pharmaceutical account notification and Nigerian scams which mostly led victims to phishing sites
Cybercriminals abuse search engines via blackhat search engine optimization (SEO) This technique takes advantage of using keywords related to significant news andor events for malicious purposes
Social media present themselves as attractive cybercrime platforms because of their large user bases Cybercriminal favorites include Facebook Twitter Tumblr and Pinterest
Today smartphones and other mobile devices enable cybercriminals to reach new heights Mobile adware and malicious apps are among the preferred means of deploying malicious schemes
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
15 | Exploits and Vulnerabilities
ExpLOITS aND VuLNERaBILITIES
Software Vendors Try to Clean Up Their ActAfter last quarterrsquos high volume of zero-day vulnerabilities Oracle implemented several steps that aimed to improve Javarsquos security These include quarterly update releases automated security testing and not allowing self-signed or unsigned apps for Java software used in browsers
Though we saw fewer zero-day incidents this quarter exploits still posed serious threats to users The Internet Explorerreg (IE) zero-day exploit found on the US Department of Labor page showed that even trusted sites like it can be compromised25 Exploits targeting Plesk and ColdFusionreg also put forth the importance of securing web servers and touched on how enterprises secure their sites26
As anticipated it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability found last January27 This quarter we saw exploits target the software flaw as a result of the disclosure of the vulnerabilityrsquos code
The issue of addressing vulnerabilities was a hot topic this quarter especially with Googlersquos announcement of a seven-day disclosure policy Several security pundits saw this as a noble yet impractical proposal But as our CTO Raimund Genes pointed out the bigger issue that should be discussed has to do with how vulnerabilities should be reported
Timeline of Vulnerability Attacks (figure)
Rows: Ruby on Rails, Plesk, IE zero-day, Java. Columns: Private Disclosure, Public Disclosure, Patch Released, Exploited.
Dates marked on the chart (their cell positions were not preserved in the text version): 1/08/2013, 5/03/2012, 1/28/2013, 1/17/2012, 5/28/2013, 5/03/2012, 4/30/2013, 5/03/2013, 5/14/2013, 6/18/2013, 6/18/2013.
How Oracle Plans to Secure Java
Delivering three patches every three months, starting October 2013.
Using automated security testing tools against regressions and bugs.
Supporting Windows® security policies so system administrators can set network-wide policies on Java use.
Disallowing running unsigned or self-signed apps.
Making Java's process of revoking signing signatures flexible.
TARGETED ATTACK CAMPAIGNS, DDoS ATTACKS, AND DATA BREACHES
Corporate Security Woes Pile Up
Targeted Attacks
Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia/Pacific.28 This campaign hit various industries, including telecommunications, oil and gas, government, and media. It usually starts with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as "Safe."29 Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston Marathon bombing as a social engineering lure to trick users into downloading malware that communicates over Secure Sockets Layer (SSL).30
File Types Used in Spear Phishing Related to Targeted Attacks (chart)
Ranked file types as labelled in the chart (one of the ten labels did not survive extraction): EXE/DLL, DOC, JPG, TXT/HTML, RTF, ZIP, XLS, RAR, PPS/PPT
Shares in rank order, 1 to 10: 43%, 12%, 10%, 8%, 5%, 4%, 3%, 3%, 3%, 2%
Others: 7%
Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
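Added here as a worked example (not code from the report): a defender-side attachment triage check built around the file-type categories in the chart above. It compares the type an attachment's extension claims with the type its leading bytes show, so a PE file named as an image or document is caught whatever the extension an allow-list would see; all sample attachments are constructed.

```python
"""Attachment triage for spear-phishing defence: compare the file type an
attachment's extension claims with the type its leading bytes reveal.

Added example, not part of the Trend Micro report. It covers the file-type
categories in the report's spear-phishing chart (EXE/DLL, DOC, JPG,
TXT/HTML, RTF, ZIP, XLS, RAR, PPS/PPT). All sample attachments below are
constructed for the demonstration.
"""
from dataclasses import dataclass

OLE2 = "OLE2 (DOC/XLS/PPS/PPT)"
ZIPC = "ZIP (also DOCX/XLSX/PPTX/JAR)"

# Magic-byte prefixes, most specific first.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", OLE2),
    (b"Rar!\x1a\x07", "RAR"),
    (b"PK\x03\x04", ZIPC),
    (b"{\\rtf", "RTF"),
    (b"\xff\xd8\xff", "JPG"),
    (b"MZ", "EXE/DLL"),
]

# Category implied by the extension, i.e. what the recipient sees.
EXT_CATEGORY = {
    "exe": "EXE/DLL", "dll": "EXE/DLL", "scr": "EXE/DLL", "com": "EXE/DLL",
    "doc": OLE2, "xls": OLE2, "pps": OLE2, "ppt": OLE2,
    "docx": ZIPC, "xlsx": ZIPC, "pptx": ZIPC, "zip": ZIPC, "jar": ZIPC,
    "rar": "RAR", "rtf": "RTF", "jpg": "JPG", "jpeg": "JPG",
    "txt": "TEXT", "htm": "TEXT", "html": "TEXT",
}

# Document and container types: a clean extension says nothing about the
# embedded objects, macros or nested files, so they go to deeper inspection.
NEEDS_REVIEW = {OLE2, ZIPC, "RAR", "RTF"}


def sniff(data: bytes) -> str:
    """Category from the leading bytes; 'TEXT' for NUL-free data with no
    known signature, 'UNKNOWN' otherwise (including empty bodies)."""
    for magic, category in MAGIC:
        if data.startswith(magic):
            return category
    if data and b"\x00" not in data:
        return "TEXT"
    return "UNKNOWN"


@dataclass
class Finding:
    filename: str
    declared: str  # category the extension claims
    actual: str    # category the bytes show
    verdict: str   # "block", "review" or "allow"
    reason: str


def triage(filename: str, data: bytes) -> Finding:
    """Decide what to do with one attachment.

    Native executables (the dominant type in the chart) are blocked outright,
    any attachment whose extension contradicts its content is blocked as a
    masquerade, and document/container types are routed to review.
    """
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    declared = EXT_CATEGORY.get(ext, "UNKNOWN")
    actual = sniff(data)

    if "EXE/DLL" in (declared, actual):
        verdict, reason = "block", "native executable"
    elif declared != "UNKNOWN" and actual != "UNKNOWN" and declared != actual:
        verdict, reason = "block", f"extension says {declared}, bytes say {actual}"
    elif actual in NEEDS_REVIEW:
        verdict, reason = "review", "document or container type, inspect contents"
    elif actual == "UNKNOWN":
        verdict, reason = "review", "unrecognised content"
    else:
        verdict, reason = "allow", "extension and content agree"
    return Finding(filename, declared, actual, verdict, reason)


def summarize(attachments) -> dict:
    """Count verdicts over an iterable of (filename, bytes) pairs."""
    counts = {"block": 0, "review": 0, "allow": 0}
    for name, data in attachments:
        counts[triage(name, data).verdict] += 1
    return counts


# Constructed sample attachments: real headers, padded bodies.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = [
    ("holiday_photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),  # genuine JPEG
    ("holiday_photo.jpg", PE_STUB),                              # PE file named as an image
    ("invoice.pdf.exe", PE_STUB),                                # double extension
    ("budget_q2.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("agenda.rtf", b"{\\rtf1\\ansi Meeting agenda}"),
    ("payload.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 8),
    ("readme.txt", b"Please review the attached figures."),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        f = triage(name, data)
        print(f"{f.verdict:6} {name:20} {f.reason}")
    print(summarize(SAMPLES))
```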
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.
Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies31
COMPANY: RESULTS
Goo: Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan: Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP): Attackers hacked AP's Twitter account, which erased US$200 billion worth of stock value
LivingSocial: Unauthorized access to the accounts of 50 million users
Several South Korean agencies: Several sites were defaced and suffered DDoS attacks
Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families
1 ARPUSH 41.79%
2 ADSWO 16.50%
3 PLANKTON 12.84%
4 LEADBLT 11.02%
5 IZP 8.17%
6 WAPSX 4.25%
7 OQX 4.10%
8 WBOO 0.67%
9 YOUMI 0.27%
10 UAPSH 0.13%
Others 0.26%
Malicious URL Country Sources
No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany trailing not far behind.
COUNTRY SHARE
1 United States 25.90%
2 Germany 3.24%
3 China 3.16%
4 Netherlands 3.13%
5 South Korea 2.60%
6 France 1.94%
7 Japan 1.93%
8 Russia 1.64%
9 Canada 0.81%
10 United Kingdom 0.77%
Others 54.88%
Top 10 Countries with the Most Botnet C&C Servers
Similar to the previous quarter, the United States had the most botnet C&C servers, while Australia surpassed South Korea.
COUNTRY SHARE
1 United States 24.05%
2 Australia 5.15%
3 South Korea 3.38%
4 China 3.02%
5 Germany 2.87%
6 Taiwan 2.10%
7 France 1.88%
8 United Kingdom 1.72%
9 Brazil 1.47%
10 Canada 1.18%
Others 53.18%
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.
COUNTRY SHARE
1 Malaysia 28.39%
2 United States 14.14%
3 France 11.63%
4 Germany 5.64%
5 Canada 5.29%
6 South Korea 4.13%
7 United Kingdom 3.84%
8 Thailand 3.22%
9 Hong Kong 3.07%
10 Italy 2.53%
Others 18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm."
Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
25 Dexter To (May 5 2013) TrendLabs Security Intelligence Blog ldquoCompromised US Government Web Page Used Zero-Day Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-us-government-webpage-used-zero-day-exploit
26 Sooraj KS (June 6 2013) TrendLabs Security Intelligence Blog ldquoPlesk Zero-Day Exploit Results in Compromised Web Serverrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceplesk-zero-day-exploit-results-in-compromised-webserver
27 Gelo Abendan (May 30 2013) TrendLabs Security Intelligence Blog ldquoTrend Micro Deep Security Guards Users from Ruby on Rails Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28 Maharlito Aquino (June 13 2013) TrendLabs Security Intelligence Blog ldquoRARSTONE Found in Targeted Attacksrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencerarstone-found-in-targeted-attacks
29 Kyle Wilhoit (May 17 2013) TrendLabs Security Intelligence Blog ldquoHiding in Plain Sight A New Targeted Attack Campaignrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehiding-in-plain-sight-a-new-apt-campaign
30 Nart Villeneuve (April 25 2013) TrendLabs Security Intelligence Blog ldquoTargeted Attack Campaign Hides Behind SSL Communicationrdquo Last accessed July 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetargeted-attack-campaign-hides-behind-ssl-communication
31 Jay Alabaster (April 4 2013) Computerworld ldquoJapanese Web Portals Hacked Up to 100000 Accounts Compromisedrdquo Last accessed July 30 2013 httpwwwcomputerworldcomauarticle458079japanese_web_portals_hacked_up_100_000_accounts_compromised LivingSocial ldquoLivingSocial Security Noticerdquo Last accessed July 30 2013 httpswwwlivingsocialcomcreatepassword Kadim Shubber (May 20 2013) Wired UK ldquoMillions of Usersrsquo Data Hacked in Yahoo Japan Security Breachrdquo Last accessed July 30 2013 httpwwwwiredcouknewsarchive2013-0520yahoo-japan-hacked Erin Madigan White (April 23 2013) AP Blog The Definitive Source ldquoAP Responds to Hacking of Twitter Accountrdquo Last accessed July 30 2013 httpblogaporg20130423hackers-compromise-ap-twitter-account
TREND MICRO LEgaL DISCLaIMER
The information provided herein is for general information and educational purposes only It is not intended and should not be construed to constitute legal advice The information contained herein may not be applicable to all situations and may not reflect the most current situation Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise Trend Micro reserves the right to modify the contents of this document at any time without prior notice
Translations of any material into other languages are intended solely as a convenience Translation accuracy is not guaranteed nor implied If any questions arise related to the accuracy of a translation please refer to the original language official version of the document any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes
although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein Trend Micro makes no warranties or representations of any kind as to its accuracy currency or completeness you agree that access to and use of and reliance on this document and the content thereof is at your own risk Trend Micro disclaims all warranties of any kind express or implied Neither Trend Micro nor any party involved in creating producing or delivering this document shall be liable for any consequence loss or damage including direct indirect special consequential loss of business profits or special damages whatsoever arising out of access to use of or inability to use or in connection with the use of this document or any errors or omissions in the content thereof use of this information constitutes acceptance for use in an ldquoas isrdquo condition
Trend Micro Incorporated a global leader in security software and solutions strives to make the world safe for exchanging digital information For more information visit wwwtrendmicrocom
copy2013 by Trend Micro Incorporated all rights reserved Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated all other product or company names may be trademarks or registered trademarks of their owners
Created by
global Technical Support amp RampD Center of TREND MICRO
Exploits and Vulnerabilities
Software Vendors Try to Clean Up Their Act
After last quarter's high volume of zero-day vulnerabilities, Oracle implemented several steps aimed at improving Java's security. These include quarterly update releases, automated security testing, and no longer allowing self-signed or unsigned applications to run in the browser plug-in.
Though we saw fewer zero-day incidents this quarter, exploits still posed serious threats to users. The Internet Explorer (IE) zero-day exploit found on the U.S. Department of Labor page showed that even trusted sites can be compromised and used to serve exploits to their visitors.25 Exploits targeting Plesk and ColdFusion, meanwhile, underscored the importance of securing the web servers and administration panels on which enterprises host their sites.26
As anticipated, it was only a matter of time before attackers took advantage of the critical Ruby on Rails vulnerability disclosed last January.27 This quarter we saw exploits hit the flaw in the wild following the public release of exploit code for it; the targets were servers that had not applied the fix issued months earlier.
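As an added illustration (editor's example, not code from the report or from Trend Micro), the following detector flags HTTP requests that try to reach the Rails flaw described above. Two things go beyond what the page states and are assumptions: that the January 2013 flaw is the XML parameter-parsing issue in which an element carrying `type="yaml"` was handed to a YAML deserializer (tracked as CVE-2013-0156), and the request records, which are constructed for the example.

```python
"""Added example (editor's, not from the Trend Micro report).

Assumption: the January 2013 Rails flaw is the XML parameter-parsing issue
(CVE-2013-0156) in which an element carrying type="yaml" was fed to YAML.load,
which instantiates arbitrary Ruby objects from !ruby/... tags. The request
records below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Either marker inside an XML request body is a strong signal: no legitimate
# client sets a parameter's parser type to YAML, and !ruby/ tags exist only to
# drive object deserialization.
YAML_TYPE_ATTR = re.compile(r'<[^>]+\btype\s*=\s*["\']yaml["\']', re.IGNORECASE)
RUBY_TAG = re.compile(r'!ruby/(?:object|hash|struct|regexp|sym)', re.IGNORECASE)
XML_CONTENT_TYPES = ("application/xml", "text/xml")


@dataclass
class Verdict:
    suspicious: bool
    reason: Optional[str] = None


def inspect_request(content_type: str, body: str) -> Verdict:
    """Flag an XML-typed request whose body tries to reach the YAML parser."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in XML_CONTENT_TYPES:
        # The vulnerable code path is only reached through the XML params
        # parser, so the same text in a form-encoded body is not an attempt.
        return Verdict(False)
    if YAML_TYPE_ATTR.search(body):
        return Verdict(True, 'type="yaml" attribute on an XML parameter')
    if RUBY_TAG.search(body):
        return Verdict(True, "!ruby/ deserialization tag in XML body")
    return Verdict(False)


# Constructed request records: (method, path, content_type, body).
SAMPLE_REQUESTS: List[Tuple[str, str, str, str]] = [
    ("POST", "/posts", "application/xml",
     '<?xml version="1.0"?><post><title>hello</title></post>'),
    ("POST", "/posts", "application/xml",
     '<?xml version="1.0"?><post><title type="yaml">--- !ruby/object:ERB\n'
     'src: "puts `id`"\n</title></post>'),
    ("POST", "/login", "application/x-www-form-urlencoded",
     "user=alice&note=type%3D%22yaml%22"),
    ("POST", "/posts", "text/xml; charset=utf-8",
     "<post><body><![CDATA[--- !ruby/hash:ActionController::Routing::"
     "RouteSet::NamedRouteCollection]]></body></post>"),
]


def scan(requests: Iterable[Tuple[str, str, str, str]]) -> List[Tuple[int, str, str]]:
    """Return (record index, path, reason) for every suspicious request."""
    hits = []
    for i, (_method, path, ctype, body) in enumerate(requests):
        verdict = inspect_request(ctype, body)
        if verdict.suspicious:
            hits.append((i, path, verdict.reason))
    return hits


if __name__ == "__main__":
    for idx, path, reason in scan(SAMPLE_REQUESTS):
        print(f"record {idx} {path}: {reason}")
```

The regular expressions are a body-content heuristic, so a CDATA block that merely quotes an exploit would also trip them; treat a hit as a trigger for review rather than an automatic block. The durable fix for an affected application is to upgrade, or, as the Rails advisory recommended at the time, to remove the `yaml` and `symbol` handlers from `ActiveSupport::XmlMini::PARSING` so the parser cannot be steered into the deserializer at all.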
How to handle vulnerability disclosure was also a hot topic this quarter, especially after Google announced a seven-day disclosure deadline for critical flaws under active exploitation. Several security pundits saw this as a noble but impractical proposal. As our CTO Raimund Genes pointed out, however, the bigger issue that should be discussed is how vulnerabilities should be reported in the first place.
[Figure: Timeline of Vulnerability Attacks. Rows: Ruby on Rails, Plesk, IE zero-day, Java. Columns: Private Disclosure, Public Disclosure, Patch Released, Exploited. The eleven dates in the extracted figure (between May 3, 2012 and June 18, 2013) cannot be reassigned to their cells from the text.]
How Oracle Plans to Secure Java
Moving Java to a quarterly security patch schedule, starting October 2013
Using automated security testing tools to catch regressions and bugs
Supporting Windows security policies so that system administrators can set network-wide policies on Java use
Disallowing the running of unsigned or self-signed applications
Making Java's handling of revoked signing certificates more flexible
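What an administrator can enforce today with settings Oracle already ships, as an added example (editor's configuration, not from the report or from Oracle): a system-wide deployment policy for Windows hosts that applies the fourth bullet and locks it against user override. The file paths are the standard system locations for a Windows JRE; the property names are documented deployment properties, and the policy is shown as a replacement for the weaker prompt-only level commented out below it.

```properties
# Added example (editor's, not from the report or from Oracle): system-wide
# Java deployment policy for Windows hosts.

# --- C:\Windows\Sun\Java\Deployment\deployment.config ---
# Points every JRE on the host at one system-level properties file and
# refuses to run if that file is missing, so the policy cannot be sidestepped.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# --- C:\Windows\Sun\Java\Deployment\deployment.properties ---
# VERY_HIGH: only applications signed with a certificate that chains to a
# trusted CA run; unsigned and self-signed ones are blocked outright.
# The ".locked" key stops users from lowering the level in the Java Control Panel.
deployment.security.level=VERY_HIGH
deployment.security.level.locked

# Weaker setting this replaces: a lower level only prompts the user, who can
# click through to run an unsigned or self-signed application.
# deployment.security.level=MEDIUM

# Keep revocation checks on so that a compromised signing certificate can be
# pulled (the report's last bullet), and lock them too.
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked
```

Roll the two files out with the same mechanism used for other machine-wide settings (Group Policy preferences or the software distribution tool in use); a JRE that finds `deployment.system.config.mandatory=true` but cannot read the referenced file will not start, which is the intended fail-closed behaviour.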
Targeted Attack Campaigns, DDoS Attacks, and Data Breaches
Corporate Security Woes Pile Up
Targeted Attacks
Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia/Pacific.28 It hit various industries, including telecommunications, oil and gas, government, and media. It usually starts with spear-phishing emails whose attachments exploit a specific vulnerability, the same one used in another campaign known as "Safe."29 Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread across 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails that used the Boston Marathon bombing as a social engineering lure to trick users into downloading malware whose command-and-control traffic is wrapped in Secure Sockets Layer (SSL), which lets it blend in with legitimate encrypted traffic.30
File Types Used in Spear Phishing Related to Targeted Attacks
1. EXE/DLL 43%
2. DOC 12%
3. JPG 10%
4. TXT/HTML 8%
5. RTF 5%
6. ZIP 4%
7. XLS 3%
8. RAR 3%
9. PPS/PPT 3%
10. [label lost in extraction] 2%
Others 7%
Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
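The chart's lesson is that the attacker chooses the container, so a mail gateway that keys on the file extension alone is keying on attacker-controlled data. The following added example (editor's code, not the report's) classifies attachments by their leading bytes instead and flags executables, archives that wrap executables, extension/content mismatches, and RTF files carrying embedded OLE objects. The file names and byte strings are constructed for the example.

```python
"""Added example (editor's, not from the Trend Micro report).

Triage spear-phishing attachments by content rather than by name. File
names and byte strings below are constructed for the example.
"""
from __future__ import annotations
import io
import os
import zipfile
from typing import List, Tuple

# Leading-byte signatures. OLE covers legacy DOC/XLS/PPT/PPS; ZIP covers
# OOXML (docx/xlsx/pptx) as well as ordinary archives.
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"MZ", "exe/dll"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
    (b"{\\rt", "rtf"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF", "pdf"),
]

# What a given extension should look like on the inside.
EXPECTED_TYPE = {
    ".exe": "exe/dll", ".dll": "exe/dll", ".scr": "exe/dll",
    ".doc": "ole", ".xls": "ole", ".ppt": "ole", ".pps": "ole",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".zip": "zip",
    ".rtf": "rtf", ".rar": "rar", ".jpg": "jpg", ".jpeg": "jpg", ".pdf": "pdf",
}

EXECUTABLE_EXTS = (".exe", ".scr", ".dll", ".com", ".pif")


def sniff(data: bytes) -> str:
    """Return the content type implied by the file's leading bytes."""
    for sig, label in SIGNATURES:
        if data.startswith(sig):
            return label
    return "unknown"


def zip_members_with_executables(data: bytes) -> List[str]:
    """Archives are the usual wrapper for EXE/SCR payloads; list such members."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
    except zipfile.BadZipFile:
        return []


def assess(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, detail); verdict is one of block / review / allow."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff(data)
    if actual == "exe/dll":
        return "block", f"PE executable presented as {ext or 'no extension'}"
    if actual == "zip":
        wrapped = zip_members_with_executables(data)
        if wrapped:
            return "block", "archive wraps executable: " + ", ".join(wrapped)
    expected = EXPECTED_TYPE.get(ext)
    if expected is not None and expected != actual:
        return "review", f"extension {ext} expects {expected} but content is {actual}"
    if actual == "rtf" and b"\\objdata" in data:
        # \objdata carries an embedded OLE object, the usual vehicle for
        # exploit payloads inside RTF documents.
        return "review", "RTF contains an embedded OLE object"
    return "allow", actual


def triage(samples) -> List[Tuple[str, str]]:
    """Run assess() over (filename, bytes) pairs and return (filename, verdict)."""
    return [(name, assess(name, data)[0]) for name, data in samples]


def _zip_with(*names: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"MZ\x90\x00")
    return buf.getvalue()


# Constructed attachments.
SAMPLES = [
    ("salary_2013.doc", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("agenda.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24),
    ("agenda.rtf", b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 01050000}}}"),
    ("press_kit.zip", _zip_with("press_kit.exe", "readme.txt")),
    ("invoice.xls", b"{\\rtf1\\ansi hello}"),
    ("report.docx", _zip_with("[Content_Types].xml", "word/document.xml")),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:16} {assess(name, data)}")
```

The "review" verdicts are the interesting ones for a detection team: a mismatch between what the name claims and what the bytes say is rarely accidental, and an RTF with `\objdata` is worth detonating even when it is not a known sample. Note that RAR archives are only identified here, not opened; a gateway that wants parity with the ZIP check needs an unrar library.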
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Like the MBR-wiping Trojan incident last March, this attack was designed to execute at a specific time. It showed that attackers continued to go after high-value targets and that they could inflict maximum damage within a short period.
Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered security breaches this quarter. Opera also suffered a breach that led to the theft of an expired code-signing certificate.
Attacks Targeting Well-known Companies31
Company / Results
Goo: Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan: Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP): Attackers hijacked AP's Twitter account and posted a hoax that briefly erased US$200 billion worth of stock value
LivingSocial: Unauthorized access to the accounts of 50 million users
Several South Korean agencies: Several sites were defaced and suffered DDoS attacks
Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families
1. ARPUSH 41.79%
2. ADSWO 16.50%
3. PLANKTON 12.84%
4. LEADBLT 11.02%
5. IZP 8.17%
6. WAPSX 4.25%
7. OQX 4.10%
8. WBOO 0.67%
9. YOUMI 0.27%
10. UAPSH 0.13%
Others 0.26%
Malicious URL Country Sources
No major changes among the countries on the list were seen. The United States accounted for the lion's share of the malicious URL volume, with Germany a distant second.
Country / Share
1. United States 25.90%
2. Germany 3.24%
3. China 3.16%
4. Netherlands 3.13%
5. South Korea 2.60%
6. France 1.94%
7. Japan 1.93%
8. Russia 1.64%
9. Canada 0.81%
10. United Kingdom 0.77%
Others 54.88%
Top 10 Countries with the Most Botnet C&C Servers
As in the previous quarter, the United States hosted the most botnet command-and-control (C&C) servers, while Australia overtook South Korea for second place.
Country / Share
1. United States 24.05%
2. Australia 5.15%
3. South Korea 3.38%
4. China 3.02%
5. Germany 2.87%
6. Taiwan 2.10%
7. France 1.88%
8. United Kingdom 1.72%
9. Brazil 1.47%
10. Canada 1.18%
Others 53.18%
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia related to the country's general election contributed to the increase in its volume of malicious connections.
Country / Share
1. Malaysia 28.39%
2. United States 14.14%
3. France 11.63%
4. Germany 5.64%
5. Canada 5.29%
6. South Korea 4.13%
7. United Kingdom 3.84%
8. Thailand 3.22%
9. Hong Kong 3.07%
10. Italy 2.53%
Others 18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices: Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices/
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites/
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan/
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites/
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users/
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites/
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted/
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files/
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations/
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures/; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media/
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm/; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait/
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting/; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again/
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features/; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757/
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers/
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads/
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile%20apps%20new%20frontier%20for%20cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches/; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports%20as%20bait%20cybercriminals%20play%20to%20win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam%20scams%20and%20other%20social%20media%20threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit/
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver/
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit/
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign/
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised/; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account/
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
16 | Exploits and Vulnerabilities
How Oracle Plans to Secure Java
Delivering three patches every three months starting October 2013
Using automated security testing tools against regressions and bugs
Supporting Windowsreg security policies so system administrators can set networkwide policies on Java use
Disallowing running unsigned or self-signed apps
Making Javarsquos process of revoking signing signatures flexible
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
17 | Targeted attack Campaigns DDoS attacks and Data Breaches
TaRgETED aTTaCk CaMpaIgNS DDoS aTTaCkS aND DaTa BREaChES
Corporate Security Woes Pile UpTargeted AttacksTargeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in AsiaPacific28 This campaign hit various industries like telecommunications oil and gas government media and others It usually starts out with spear-phishing attacks that target a specific vulnerability which was also used in another campaign known as
ldquoSaferdquo29 Our research on the Safe campaign meanwhile revealed victim IP addresses spread throughout 100 countries worldwide
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter We saw emails using the Boston marathon bombing as a social engineering lure to trick users into downloading a malware that communicates via Secure Sockets Layer (SSL) communication30
File Types Used in Spear Phishing Related to Targeted Attacks
1
2
3
4
5
6
7
8
9
10
EXEDLL
DOC
JPG
TXTHTML
RTF
ZIP
XLS
RAR
PPSPPT
Others
43
12
10
8
5
4
3
3
3
2
7
Threat actors custom-fit an attack to an intended target They use any file type as long as it gets them closer to their goalmdashto infiltrate a network
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
18 | Targeted attack Campaigns DDoS attacks and Data Breaches
DDoS AttacksSeveral South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements One particular incident rendered several sites inaccessible Similar to the MBR Trojan wiper incident last March this attack was designed to execute at a specific time It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time
Data BreachesCompanies like Yahoo Japan LivingSocial Twitter and Namecom all suffered from security breaches this quarter Opera also suffered a security breach that led to the theft of outdated digital certificates
Attacks Targeting Well-known Companies31
COMPANy REsuLTs
Goo locked 100000 accounts to prevent unauthorized logins
yahoo Japan Attackers attempted to extract data belonging to 127
million users
Associated Press (AP) Attackers hacked APrsquos Twitter account which erased
US$200-billion worth of stock value
livingSocial Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies Several sites were defaced and suffered DDoS attacks
attacks against high-profile companies had costly results stressing the importance of strengthening organizational defenses
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
19 | appendix
Appendix
Top 10 Android Adware Families
1
2
3
4
5
6
7
8
9
10
ARPUSH
ADSWO
PLANKTON
LEADBLT
IZP
WAPSX
OQX
WBOO
YOUMI
UAPSH
Others
4179
1650
1284
1102
817
425
410
067
027
013
026
Malicious URL Country Sources
No major changes among the countries on the list were seen The united States accounted for the lionrsquos share of the malicious uRL volume with germany trailing not far behind
COuNTRy sHARE
1 United States 2590
2 Germany 324
3 China 316
4 Netherlands 313
5 South Korea 260
6 France 194
7 Japan 193
8 Russia 164
9 Canada 081
10 United Kingdom 077
Others 5488
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
20 | appendix
Top 10 Countries with the Most Number of Botnet CampC Servers
Similar to the previous quarter the united States had the most number of botnet CampC servers while australia surpassed South korea
COuNTRy sHARE
1 United States 2405
2 Australia 515
3 South Korea 338
4 China 302
5 Germany 287
6 Taiwan 210
7 France 188
8 United Kingdom 172
9 Brazil 147
10 Canada 118
Others 5318
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the countryrsquos volume of malicious connections
COuNTRy sHARE
1 Malaysia 2839
2 United States 1414
3 France 1163
4 Germany 564
5 Canada 529
6 South Korea 413
7 United Kingdom 384
8 Thailand 322
9 Hong Kong 307
10 Italy 253
Others 1812
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
21 | References
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
Targeted Attack Campaigns, DDoS Attacks, and Data Breaches
Corporate Security Woes Pile Up
Targeted Attacks
Targeted attack campaigns remained a problem for organizations as we continued to discover active and ongoing campaigns. The Naikon campaign used the remote access Trojan (RAT) RARSTONE and was primarily seen in several countries in Asia-Pacific [28]. This campaign hit various industries such as telecommunications, oil and gas, government, and media, among others. It usually starts out with spear-phishing attacks that target a specific vulnerability, which was also used in another campaign known as "Safe" [29]. Our research on the Safe campaign, meanwhile, revealed victim IP addresses spread throughout 100 countries worldwide.
Targeted attacks also took advantage of tragic events to infiltrate organizational networks this quarter. We saw emails using the Boston Marathon bombing as a social engineering lure to trick users into downloading malware that communicates over Secure Sockets Layer (SSL) [30].
File Types Used in Spear Phishing Related to Targeted Attacks
File types in rank order: 1 EXE/DLL, 2 DOC, 3 JPG, 4 TXT/HTML, 5 RTF, 6 ZIP, 7 XLS, 8 RAR, 9 PPS/PPT, and Others.
Shares shown in the chart (%): 43, 12, 10, 8, 5, 4, 3, 3, 3, 2, 7.
Threat actors custom-fit an attack to an intended target. They use any file type as long as it gets them closer to their goal: to infiltrate a network.
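Because attackers use whichever file type gets the attachment opened, a defender tallying attachment types the way the table above does should classify by file content rather than by the extension in the file name. The following is an added example (not code from the Trend Micro report): a small triage routine that sniffs the leading bytes of each attachment, flags executables and any extension/content mismatch, and produces a per-type share table. The signature subset, the file names, and the byte samples are constructed for the example.

```python
# Added example, not part of the Trend Micro report: classify mail attachments
# by magic bytes instead of the extension they claim, then tally shares by
# real type. Signatures, names and byte samples below are constructed.
from collections import Counter

# Leading-byte signatures for the file types named in the report's table.
# Order matters: the first match wins.
SIGNATURES = [
    (b"MZ", "EXE/DLL"),                                 # PE executable / DLL
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2"),      # legacy DOC/XLS/PPT/PPS container
    (b"{\\rtf", "RTF"),
    (b"PK\x03\x04", "ZIP"),
    (b"Rar!\x1a\x07", "RAR"),
    (b"\xff\xd8\xff", "JPG"),
]

# What an extension *claims* to be, mapped onto the same type labels.
EXT_TO_TYPE = {
    "exe": "EXE/DLL", "dll": "EXE/DLL",
    "doc": "OLE2", "xls": "OLE2", "ppt": "OLE2", "pps": "OLE2",
    "rtf": "RTF", "zip": "ZIP", "rar": "RAR", "jpg": "JPG", "jpeg": "JPG",
    "txt": "TEXT", "html": "TEXT", "htm": "TEXT",
}


def sniff_type(data: bytes) -> str:
    """Return the file type implied by the content, or 'Others'."""
    for magic, ftype in SIGNATURES:
        if data.startswith(magic):
            return ftype
    # No binary signature: printable ASCII is treated as TXT/HTML.
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "TEXT"
    return "Others"


def claimed_type(filename: str) -> str:
    """Type the file name's (last) extension claims; unknown extensions -> Others."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext, "Others")


def triage(attachments):
    """Classify (filename, bytes) pairs.

    Returns (tally_by_real_type, flagged_filenames). A file is flagged when its
    content is a PE executable or when content and claimed extension disagree.
    """
    tally = Counter()
    flagged = []
    for name, data in attachments:
        real = sniff_type(data)
        tally[real] += 1
        if real == "EXE/DLL" or real != claimed_type(name):
            flagged.append(name)
    return tally, flagged


def share_table(tally):
    """Percent share per real type, rounded to two decimals like the report's tables."""
    total = sum(tally.values())
    return {ftype: round(100.0 * count / total, 2) for ftype, count in tally.items()}


# Constructed sample attachments: one genuine DOC, one EXE renamed .doc,
# and a double-extension executable among ordinary files.
SAMPLE_ATTACHMENTS = [
    ("agenda.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16),
    ("report.doc", b"MZ\x90\x00" + b"\x00" * 16),       # executable disguised as DOC
    ("notes.rtf", b"{\\rtf1\\ansi hello}"),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
    ("archive.zip", b"PK\x03\x04" + b"\x00" * 8),
    ("readme.txt", b"Please see the attached agenda.\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 16),  # double extension
]

if __name__ == "__main__":
    counts, suspicious = triage(SAMPLE_ATTACHMENTS)
    print("share by real type:", share_table(counts))
    print("flagged:", suspicious)
```

On the sample set the two PE files are flagged even though only one of them has an `.exe` extension, and the share table counts both as EXE/DLL; an extension-based tally would have credited one of them to DOC. A production gateway would carry a far longer signature list (and detect OOXML inside ZIP), but the check itself stays the same.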
DDoS Attacks
Several South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements. One particular incident rendered several sites inaccessible. Similar to the MBR Trojan wiper incident last March, this attack was designed to execute at a specific time. It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time.
Data Breaches
Companies like Yahoo Japan, LivingSocial, Twitter, and Name.com all suffered from security breaches this quarter. Opera also suffered a security breach that led to the theft of outdated digital certificates.
Attacks Targeting Well-known Companies [31]
COMPANY | RESULTS
Goo | Locked 100,000 accounts to prevent unauthorized logins
Yahoo Japan | Attackers attempted to extract data belonging to 1.27 million users
Associated Press (AP) | Attackers hacked AP's Twitter account, which erased US$200 billion worth of stock value
LivingSocial | Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies | Several sites were defaced and suffered DDoS attacks
Attacks against high-profile companies had costly results, stressing the importance of strengthening organizational defenses.
Appendix
Top 10 Android Adware Families
FAMILY | SHARE
1 | ARPUSH | 41.79%
2 | ADSWO | 16.50%
3 | PLANKTON | 12.84%
4 | LEADBLT | 11.02%
5 | IZP | 8.17%
6 | WAPSX | 4.25%
7 | OQX | 4.10%
8 | WBOO | 0.67%
9 | YOUMI | 0.27%
10 | UAPSH | 0.13%
Others | 0.26%
Malicious URL Country Sources
No major changes among the countries on the list were seen The united States accounted for the lionrsquos share of the malicious uRL volume with germany trailing not far behind
COuNTRy sHARE
1 United States 2590
2 Germany 324
3 China 316
4 Netherlands 313
5 South Korea 260
6 France 194
7 Japan 193
8 Russia 164
9 Canada 081
10 United Kingdom 077
Others 5488
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
20 | appendix
Top 10 Countries with the Most Number of Botnet CampC Servers
Similar to the previous quarter the united States had the most number of botnet CampC servers while australia surpassed South korea
COuNTRy sHARE
1 United States 2405
2 Australia 515
3 South Korea 338
4 China 302
5 Germany 287
6 Taiwan 210
7 France 188
8 United Kingdom 172
9 Brazil 147
10 Canada 118
Others 5318
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the countryrsquos volume of malicious connections
COuNTRy sHARE
1 Malaysia 2839
2 United States 1414
3 France 1163
4 Germany 564
5 Canada 529
6 South Korea 413
7 United Kingdom 384
8 Thailand 322
9 Hong Kong 307
10 Italy 253
Others 1812
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
21 | References
References
1 Trend Micro Incorporated (2013) ldquoTrendLabs 2012 Annual Security Roundup Evolved Threats in a lsquoPost-PCrsquo Worldrdquo Last accessed July 30 2013 httpwwwtrendmicrocomcloud-contentuspdfssecurity-intelligencereportsrpt-evolved-threats-in-a-post-pc-worldpdf
2 Jonathan Leopando (July 10 2013) TrendLabs Security Intelligence Blog ldquoAndroid Vulnerability Affects 99 of DevicesmdashTrend Micro Users Protectedrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3 Trend Micro Incorporated (2013) Threat Encyclopedia ldquoANDROIDOS_OBADArdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusmalwareANDROIDOS_OBADA
4 Leo Zhang (July 13 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Improve Android Malware Stealth Routines with OBADrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-improve-android-malware-stealth-routines-with-obad
5 Trend Micro Incorporated (2013) Threat Encyclopedia ldquoANDROIDOS_FAKEBANKArdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusmalwareANDROIDOS_FAKEBANKA
6 Weichao Sun (May 14 2013) TrendLabs Security Intelligence Blog ldquoMobile Ads Pushed by Android Apps Lead to Scam Sitesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencemobile-ads-pushed-by-android-apps-lead-to-scam-sites
7 Trend Micro Incorporated (2013) Threat Encyclopedia ldquoANDROIDOS_FAKEAVFrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusmalwareANDROIDOS_FAKEAVF
8 Iain Thomson (March 27 2013) The Register ldquoTibetan and Uyghur Activists Targeted with Android Malwarerdquo Last accessed July 30 2013 httpwwwtheregistercouk20130327android_malware_targeting_tibetan
9 Ericsson ConsumerLab (August 6 2012) Ericssoncom ldquoVietnamese Consumers Show Increasing Demand for Smartphones and Tabletsrdquo Last accessed July 30 2013 httpwwwericssoncomvnnews2012_vn_smartphone_demands_254740123_c
10 Trend Micro Incorporated (2012) ldquoSecurity Threats to Business the Digital Lifestyle and the Cloud Trend Micro Predictions for 2013 and Beyondrdquo Last accessed July 30 2013 httpwwwtrendmicrocoukmediamisctrend-micro-predictions-for-2013-and-beyond-enpdf
11 Roddell Santos (May 28 2013) TrendLabs Security Intelligence Blog ldquoBANKER Malware Hosted in Compromised Brazilian Government Sitesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencebanker-malware-hosted-in-compromised-brazilian-government-sites
12 Ranieri Romera (May 7 2013) TrendLabs Security Intelligence Blog ldquoHomemade Browser Targeting lsquoBanco do Brasilrsquo Usersrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehomemade-browser-targeting-banco-do-brasil-users
13 Roddell Santos (June 14 2013) TrendLabs Security Intelligence Blog ldquoMalware Redirects South Korean Users to Phishing Sitesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencemalware-redirects-south-korean-users-to-phishing-sites
14 Abigail Pichel (June 10 2013) TrendLabs Security Intelligence Blog ldquoGoing Solo Self-Propagating ZBOT Malware Spottedrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencegoing-solo-self-propagating-zbot-malware-spotted
15 Lenart Bermejo (May 24 2013) TrendLabs Security Intelligence Blog ldquoWorm Creates Copies in Password-Protected Archived Filesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceworm-creates-copies-in-password-protected-archived-files
16 Jessa Dela Torre (April 16 2013) TrendLabs Security Intelligence Blog ldquoCompromised Sites Conceal Stealrat Botnet Operationsrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-sites-conceal-stealrat-botnet-operations
17 Paul Pajares (July 8 2013) TrendLabs Security Intelligence Blog ldquoMan of Steel Fast and Furious 6 Among Online Fraudstersrsquo Most Used Luresrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceman-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures Gelo Abendan (May 2 2013) TrendLabs Security Intelligence Blog ldquoFake Iron Man 3 Streaming Sites Sprout on Social Mediardquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencefake-iron-man-3-streaming-sites-sprout-on-social-media
18 Anthony Melgarejo (May 2 2013) TrendLabs Security Intelligence Blog ldquoBackdoor Leads to Facebook and Multiprotocol Instant-Messaging Wormrdquo
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
22 | References
Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencebackdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm Paul Pajares (April 30 2013) TrendLabs Security Intelligence Blog ldquoHackers to Manage Your Apple ID If Caught from Phishing Baitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19 Aisa Escober (April 16 2013) TrendLabs Security Intelligence Blog ldquoKELIHOS Worm Emerges Takes Advantage of Boston Marathon Blastrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencekelihos-worm-emerges-takes-advantage-of-boston-marathon-blast Trend Micro Incorporated (2013) Threat Encyclopedia ldquoSpam Attack Leverages Oklahoma Tornado Disasterrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusspam494Spam+Attack+Leverages+Oklahoma+Tornado+Disaster Ryan Certeza (April 19 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast MIT Shootingrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting Gelo Abendan (April 4 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Threaten Tax Day Once Againrdquo Last accessed July 30 2013 http blogtrendmicrocomtrendlabs-security-intelligencecybercriminals-threaten-tax-day-once-again
20 Jim Finkle (May 31 2013) NBC News Technology ldquoLinkedIn Improves Security with Two-Factor Authenticationrdquo Last accessed July 2013 httpwwwnbcnewscomtechnologylinkedin-improves-security-two-factor-authentication-6C10141010 Seth Hitchings (May 30 2013) The Evernote Blog ldquoEvernotersquos Three New Security Featuresrdquo Last accessed July 2013 httpblogevernotecomblog20130530evernotes-three-new-security-features Jim OrsquoLeary (May 22 2013) Twitter Blog ldquoGetting Started with Login Verificationrdquo Last accessed July 2013 httpsblogtwittercom2013getting-started-login-verification
21 David Jackson (April 23 2013) USA Today News ldquoAP Twitter Feed Hacked No Attack at White Houserdquo Last accessed July 30 2013 httpwwwusatodaycomstorytheoval20130423obama-carney-associated-press-hack-white-house2106757
22 Karla Agregado (June 25 2013) TrendLabs Security Intelligence Blog ldquoScam Sites Now Selling Instagram Followersrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencescam-sites-now-selling-instagram-followers
23 Zachary Seward (May 20 2013) Quartz ldquoHow Yahoo Plans to Make Money on Tumblr Ads That Donrsquot Feel Like Adsrdquo Last accessed July 30 2013 httpqzcom86437how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24 Gelo Abendan (March 3 2012) Threat Encyc lopedia ldquoMobile Apps New Frontier for Cybercrimerdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack119mobile apps new frontier for cybercrime Marco Dela Vega (November 23 2010) TrendLabs Security Intelligence Blog ldquoWith Holiday Wishes Come Poisoned Searchesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencewith-holiday-wishes-come-poisoned-searches Dianne Kristine Lagrimas (November 13 2011) Threat Encyclopedia ldquoSports as Bait Cybercriminals Play to Winrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack99sports as bait cybercriminals play to win Valerie Ria Rivera (March 29 2011) Threat Encyclopedia ldquoSpam Scams and Other Social Media Threatsrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack75spam scams and other social media threats
25 Dexter To (May 5 2013) TrendLabs Security Intelligence Blog ldquoCompromised US Government Web Page Used Zero-Day Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-us-government-webpage-used-zero-day-exploit
26 Sooraj KS (June 6 2013) TrendLabs Security Intelligence Blog ldquoPlesk Zero-Day Exploit Results in Compromised Web Serverrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceplesk-zero-day-exploit-results-in-compromised-webserver
27 Gelo Abendan (May 30 2013) TrendLabs Security Intelligence Blog ldquoTrend Micro Deep Security Guards Users from Ruby on Rails Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28 Maharlito Aquino (June 13 2013) TrendLabs Security Intelligence Blog ldquoRARSTONE Found in Targeted Attacksrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencerarstone-found-in-targeted-attacks
29 Kyle Wilhoit (May 17 2013) TrendLabs Security Intelligence Blog ldquoHiding in Plain Sight A New Targeted Attack Campaignrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehiding-in-plain-sight-a-new-apt-campaign
30 Nart Villeneuve (April 25 2013) TrendLabs Security Intelligence Blog ldquoTargeted Attack Campaign Hides Behind SSL Communicationrdquo Last accessed July 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetargeted-attack-campaign-hides-behind-ssl-communication
31 Jay Alabaster (April 4 2013) Computerworld ldquoJapanese Web Portals Hacked Up to 100000 Accounts Compromisedrdquo Last accessed July 30 2013 httpwwwcomputerworldcomauarticle458079japanese_web_portals_hacked_up_100_000_accounts_compromised LivingSocial ldquoLivingSocial Security Noticerdquo Last accessed July 30 2013 httpswwwlivingsocialcomcreatepassword Kadim Shubber (May 20 2013) Wired UK ldquoMillions of Usersrsquo Data Hacked in Yahoo Japan Security Breachrdquo Last accessed July 30 2013 httpwwwwiredcouknewsarchive2013-0520yahoo-japan-hacked Erin Madigan White (April 23 2013) AP Blog The Definitive Source ldquoAP Responds to Hacking of Twitter Accountrdquo Last accessed July 30 2013 httpblogaporg20130423hackers-compromise-ap-twitter-account
TREND MICRO LEgaL DISCLaIMER
The information provided herein is for general information and educational purposes only It is not intended and should not be construed to constitute legal advice The information contained herein may not be applicable to all situations and may not reflect the most current situation Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise Trend Micro reserves the right to modify the contents of this document at any time without prior notice
Translations of any material into other languages are intended solely as a convenience Translation accuracy is not guaranteed nor implied If any questions arise related to the accuracy of a translation please refer to the original language official version of the document any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes
although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein Trend Micro makes no warranties or representations of any kind as to its accuracy currency or completeness you agree that access to and use of and reliance on this document and the content thereof is at your own risk Trend Micro disclaims all warranties of any kind express or implied Neither Trend Micro nor any party involved in creating producing or delivering this document shall be liable for any consequence loss or damage including direct indirect special consequential loss of business profits or special damages whatsoever arising out of access to use of or inability to use or in connection with the use of this document or any errors or omissions in the content thereof use of this information constitutes acceptance for use in an ldquoas isrdquo condition
Trend Micro Incorporated a global leader in security software and solutions strives to make the world safe for exchanging digital information For more information visit wwwtrendmicrocom
copy2013 by Trend Micro Incorporated all rights reserved Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated all other product or company names may be trademarks or registered trademarks of their owners
Created by
global Technical Support amp RampD Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
18 | Targeted attack Campaigns DDoS attacks and Data Breaches
DDoS AttacksSeveral South Korean agencies suffered serious security breaches that led to distributed denial-of-service (DDoS) attacks and site defacements One particular incident rendered several sites inaccessible Similar to the MBR Trojan wiper incident last March this attack was designed to execute at a specific time It also showed how attackers continued to go after high-value targets and how they could inflict maximum damage within a short period of time
Data BreachesCompanies like Yahoo Japan LivingSocial Twitter and Namecom all suffered from security breaches this quarter Opera also suffered a security breach that led to the theft of outdated digital certificates
Attacks Targeting Well-known Companies31
COMPANy REsuLTs
Goo locked 100000 accounts to prevent unauthorized logins
yahoo Japan Attackers attempted to extract data belonging to 127
million users
Associated Press (AP) Attackers hacked APrsquos Twitter account which erased
US$200-billion worth of stock value
livingSocial Resulted in unauthorized access to the accounts of 50 million users
Several South Korean agencies Several sites were defaced and suffered DDoS attacks
attacks against high-profile companies had costly results stressing the importance of strengthening organizational defenses
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
19 | appendix
Appendix
Top 10 Android Adware Families
1
2
3
4
5
6
7
8
9
10
ARPUSH
ADSWO
PLANKTON
LEADBLT
IZP
WAPSX
OQX
WBOO
YOUMI
UAPSH
Others
4179
1650
1284
1102
817
425
410
067
027
013
026
Malicious URL Country Sources
No major changes among the countries on the list were seen The united States accounted for the lionrsquos share of the malicious uRL volume with germany trailing not far behind
COuNTRy sHARE
1 United States 2590
2 Germany 324
3 China 316
4 Netherlands 313
5 South Korea 260
6 France 194
7 Japan 193
8 Russia 164
9 Canada 081
10 United Kingdom 077
Others 5488
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
20 | appendix
Top 10 Countries with the Most Number of Botnet C&C Servers
Similar to the previous quarter, the United States had the most number of botnet C&C servers, while Australia surpassed South Korea.
RANK  COUNTRY         SHARE
1     United States   24.05%
2     Australia        5.15%
3     South Korea      3.38%
4     China            3.02%
5     Germany          2.87%
6     Taiwan           2.10%
7     France           1.88%
8     United Kingdom   1.72%
9     Brazil           1.47%
10    Canada           1.18%
      Others          53.18%
Top 10 Countries with the Highest Number of Connections to Botnets
DDoS attacks in Malaysia in relation to the elections contributed to the increase in the country's volume of malicious connections.
RANK  COUNTRY         SHARE
1     Malaysia        28.39%
2     United States   14.14%
3     France          11.63%
4     Germany          5.64%
5     Canada           5.29%
6     South Korea      4.13%
7     United Kingdom   3.84%
8     Thailand         3.22%
9     Hong Kong        3.07%
10    Italy            2.53%
      Others          18.12%
References
1. Trend Micro Incorporated. (2013). "TrendLabs 2012 Annual Security Roundup: Evolved Threats in a 'Post-PC' World." Last accessed July 30, 2013, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-evolved-threats-in-a-post-pc-world.pdf
2. Jonathan Leopando. (July 10, 2013). TrendLabs Security Intelligence Blog. "Android Vulnerability Affects 99% of Devices—Trend Micro Users Protected." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_OBAD.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_OBAD.A
4. Leo Zhang. (July 13, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Improve Android Malware Stealth Routines with OBAD." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad
5. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEBANK.A." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEBANK.A
6. Weichao Sun. (May 14, 2013). TrendLabs Security Intelligence Blog. "Mobile Ads Pushed by Android Apps Lead to Scam Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ads-pushed-by-android-apps-lead-to-scam-sites
7. Trend Micro Incorporated. (2013). Threat Encyclopedia. "ANDROIDOS_FAKEAV.F." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/malware/ANDROIDOS_FAKEAV.F
8. Iain Thomson. (March 27, 2013). The Register. "Tibetan and Uyghur Activists Targeted with Android Malware." Last accessed July 30, 2013, http://www.theregister.co.uk/2013/03/27/android_malware_targeting_tibetan
9. Ericsson ConsumerLab. (August 6, 2012). Ericsson.com. "Vietnamese Consumers Show Increasing Demand for Smartphones and Tablets." Last accessed July 30, 2013, http://www.ericsson.com/vn/news/2012_vn_smartphone_demands_254740123_c
10. Trend Micro Incorporated. (2012). "Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond." Last accessed July 30, 2013, http://www.trendmicro.co.uk/media/misc/trend-micro-predictions-for-2013-and-beyond-en.pdf
11. Roddell Santos. (May 28, 2013). TrendLabs Security Intelligence Blog. "BANKER Malware Hosted in Compromised Brazilian Government Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-hosted-in-compromised-brazilian-government-sites
12. Ranieri Romera. (May 7, 2013). TrendLabs Security Intelligence Blog. "Homemade Browser Targeting 'Banco do Brasil' Users." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users
13. Roddell Santos. (June 14, 2013). TrendLabs Security Intelligence Blog. "Malware Redirects South Korean Users to Phishing Sites." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-redirects-south-korean-users-to-phishing-sites
14. Abigail Pichel. (June 10, 2013). TrendLabs Security Intelligence Blog. "Going Solo: Self-Propagating ZBOT Malware Spotted." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/going-solo-self-propagating-zbot-malware-spotted
15. Lenart Bermejo. (May 24, 2013). TrendLabs Security Intelligence Blog. "Worm Creates Copies in Password-Protected Archived Files." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/worm-creates-copies-in-password-protected-archived-files
16. Jessa Dela Torre. (April 16, 2013). TrendLabs Security Intelligence Blog. "Compromised Sites Conceal Stealrat Botnet Operations." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-sites-conceal-stealrat-botnet-operations
17. Paul Pajares. (July 8, 2013). TrendLabs Security Intelligence Blog. "Man of Steel, Fast and Furious 6 Among Online Fraudsters' Most Used Lures." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/man-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures; Gelo Abendan. (May 2, 2013). TrendLabs Security Intelligence Blog. "Fake Iron Man 3 Streaming Sites Sprout on Social Media." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fake-iron-man-3-streaming-sites-sprout-on-social-media
18. Anthony Melgarejo. (May 2, 2013). TrendLabs Security Intelligence Blog. "Backdoor Leads to Facebook and Multiprotocol Instant-Messaging Worm." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm; Paul Pajares. (April 30, 2013). TrendLabs Security Intelligence Blog. "Hackers to Manage Your Apple ID, If Caught from Phishing Bait." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19. Aisa Escober. (April 16, 2013). TrendLabs Security Intelligence Blog. "KELIHOS Worm Emerges, Takes Advantage of Boston Marathon Blast." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast; Trend Micro Incorporated. (2013). Threat Encyclopedia. "Spam Attack Leverages Oklahoma Tornado Disaster." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/spam/494/Spam+Attack+Leverages+Oklahoma+Tornado+Disaster; Ryan Certeza. (April 19, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast, MIT Shooting." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting; Gelo Abendan. (April 4, 2013). TrendLabs Security Intelligence Blog. "Cybercriminals Threaten Tax Day Once Again." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-threaten-tax-day-once-again
20. Jim Finkle. (May 31, 2013). NBC News Technology. "LinkedIn Improves Security with Two-Factor Authentication." Last accessed July 2013, http://www.nbcnews.com/technology/linkedin-improves-security-two-factor-authentication-6C10141010; Seth Hitchings. (May 30, 2013). The Evernote Blog. "Evernote's Three New Security Features." Last accessed July 2013, http://blog.evernote.com/blog/2013/05/30/evernotes-three-new-security-features; Jim O'Leary. (May 22, 2013). Twitter Blog. "Getting Started with Login Verification." Last accessed July 2013, https://blog.twitter.com/2013/getting-started-login-verification
21. David Jackson. (April 23, 2013). USA Today News. "AP Twitter Feed Hacked; No Attack at White House." Last accessed July 30, 2013, http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757
22. Karla Agregado. (June 25, 2013). TrendLabs Security Intelligence Blog. "Scam Sites Now Selling Instagram Followers." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/scam-sites-now-selling-instagram-followers
23. Zachary Seward. (May 20, 2013). Quartz. "How Yahoo Plans to Make Money on Tumblr: Ads That Don't Feel Like Ads." Last accessed July 30, 2013, http://qz.com/86437/how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24. Gelo Abendan. (March 3, 2012). Threat Encyclopedia. "Mobile Apps: New Frontier for Cybercrime." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/119/mobile apps new frontier for cybercrime; Marco Dela Vega. (November 23, 2010). TrendLabs Security Intelligence Blog. "With Holiday Wishes Come Poisoned Searches." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/with-holiday-wishes-come-poisoned-searches; Dianne Kristine Lagrimas. (November 13, 2011). Threat Encyclopedia. "Sports as Bait: Cybercriminals Play to Win." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/99/sports as bait cybercriminals play to win; Valerie Ria Rivera. (March 29, 2011). Threat Encyclopedia. "Spam, Scams, and Other Social Media Threats." Last accessed July 30, 2013, http://about-threats.trendmicro.com/us/webattack/75/spam scams and other social media threats
25. Dexter To. (May 5, 2013). TrendLabs Security Intelligence Blog. "Compromised US Government Web Page Used Zero-Day Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/compromised-us-government-webpage-used-zero-day-exploit
26. Sooraj KS. (June 6, 2013). TrendLabs Security Intelligence Blog. "Plesk Zero-Day Exploit Results in Compromised Web Server." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver
27. Gelo Abendan. (May 30, 2013). TrendLabs Security Intelligence Blog. "Trend Micro Deep Security Guards Users from Ruby on Rails Exploit." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28. Maharlito Aquino. (June 13, 2013). TrendLabs Security Intelligence Blog. "RARSTONE Found in Targeted Attacks." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks
29. Kyle Wilhoit. (May 17, 2013). TrendLabs Security Intelligence Blog. "Hiding in Plain Sight: A New Targeted Attack Campaign." Last accessed July 30, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-a-new-apt-campaign
30. Nart Villeneuve. (April 25, 2013). TrendLabs Security Intelligence Blog. "Targeted Attack Campaign Hides Behind SSL Communication." Last accessed July 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication
31. Jay Alabaster. (April 4, 2013). Computerworld. "Japanese Web Portals Hacked, Up to 100,000 Accounts Compromised." Last accessed July 30, 2013, http://www.computerworld.com.au/article/458079/japanese_web_portals_hacked_up_100_000_accounts_compromised; LivingSocial. "LivingSocial Security Notice." Last accessed July 30, 2013, https://www.livingsocial.com/createpassword; Kadim Shubber. (May 20, 2013). Wired UK. "Millions of Users' Data Hacked in Yahoo Japan Security Breach." Last accessed July 30, 2013, http://www.wired.co.uk/news/archive/2013-05/20/yahoo-japan-hacked; Erin Madigan White. (April 23, 2013). AP Blog: The Definitive Source. "AP Responds to Hacking of Twitter Account." Last accessed July 30, 2013, http://blog.ap.org/2013/04/23/hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
22 | References
Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencebackdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm Paul Pajares (April 30 2013) TrendLabs Security Intelligence Blog ldquoHackers to Manage Your Apple ID If Caught from Phishing Baitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19 Aisa Escober (April 16 2013) TrendLabs Security Intelligence Blog ldquoKELIHOS Worm Emerges Takes Advantage of Boston Marathon Blastrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencekelihos-worm-emerges-takes-advantage-of-boston-marathon-blast Trend Micro Incorporated (2013) Threat Encyclopedia ldquoSpam Attack Leverages Oklahoma Tornado Disasterrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusspam494Spam+Attack+Leverages+Oklahoma+Tornado+Disaster Ryan Certeza (April 19 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast MIT Shootingrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting Gelo Abendan (April 4 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Threaten Tax Day Once Againrdquo Last accessed July 30 2013 http blogtrendmicrocomtrendlabs-security-intelligencecybercriminals-threaten-tax-day-once-again
20 Jim Finkle (May 31 2013) NBC News Technology ldquoLinkedIn Improves Security with Two-Factor Authenticationrdquo Last accessed July 2013 httpwwwnbcnewscomtechnologylinkedin-improves-security-two-factor-authentication-6C10141010 Seth Hitchings (May 30 2013) The Evernote Blog ldquoEvernotersquos Three New Security Featuresrdquo Last accessed July 2013 httpblogevernotecomblog20130530evernotes-three-new-security-features Jim OrsquoLeary (May 22 2013) Twitter Blog ldquoGetting Started with Login Verificationrdquo Last accessed July 2013 httpsblogtwittercom2013getting-started-login-verification
21 David Jackson (April 23 2013) USA Today News ldquoAP Twitter Feed Hacked No Attack at White Houserdquo Last accessed July 30 2013 httpwwwusatodaycomstorytheoval20130423obama-carney-associated-press-hack-white-house2106757
22 Karla Agregado (June 25 2013) TrendLabs Security Intelligence Blog ldquoScam Sites Now Selling Instagram Followersrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencescam-sites-now-selling-instagram-followers
23 Zachary Seward (May 20 2013) Quartz ldquoHow Yahoo Plans to Make Money on Tumblr Ads That Donrsquot Feel Like Adsrdquo Last accessed July 30 2013 httpqzcom86437how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24 Gelo Abendan (March 3 2012) Threat Encyc lopedia ldquoMobile Apps New Frontier for Cybercrimerdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack119mobile apps new frontier for cybercrime Marco Dela Vega (November 23 2010) TrendLabs Security Intelligence Blog ldquoWith Holiday Wishes Come Poisoned Searchesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencewith-holiday-wishes-come-poisoned-searches Dianne Kristine Lagrimas (November 13 2011) Threat Encyclopedia ldquoSports as Bait Cybercriminals Play to Winrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack99sports as bait cybercriminals play to win Valerie Ria Rivera (March 29 2011) Threat Encyclopedia ldquoSpam Scams and Other Social Media Threatsrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack75spam scams and other social media threats
25 Dexter To (May 5 2013) TrendLabs Security Intelligence Blog ldquoCompromised US Government Web Page Used Zero-Day Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-us-government-webpage-used-zero-day-exploit
26 Sooraj KS (June 6 2013) TrendLabs Security Intelligence Blog ldquoPlesk Zero-Day Exploit Results in Compromised Web Serverrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceplesk-zero-day-exploit-results-in-compromised-webserver
27 Gelo Abendan (May 30 2013) TrendLabs Security Intelligence Blog ldquoTrend Micro Deep Security Guards Users from Ruby on Rails Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28 Maharlito Aquino (June 13 2013) TrendLabs Security Intelligence Blog ldquoRARSTONE Found in Targeted Attacksrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencerarstone-found-in-targeted-attacks
29 Kyle Wilhoit (May 17 2013) TrendLabs Security Intelligence Blog ldquoHiding in Plain Sight A New Targeted Attack Campaignrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehiding-in-plain-sight-a-new-apt-campaign
30 Nart Villeneuve (April 25 2013) TrendLabs Security Intelligence Blog ldquoTargeted Attack Campaign Hides Behind SSL Communicationrdquo Last accessed July 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetargeted-attack-campaign-hides-behind-ssl-communication
31 Jay Alabaster (April 4 2013) Computerworld ldquoJapanese Web Portals Hacked Up to 100000 Accounts Compromisedrdquo Last accessed July 30 2013 httpwwwcomputerworldcomauarticle458079japanese_web_portals_hacked_up_100_000_accounts_compromised LivingSocial ldquoLivingSocial Security Noticerdquo Last accessed July 30 2013 httpswwwlivingsocialcomcreatepassword Kadim Shubber (May 20 2013) Wired UK ldquoMillions of Usersrsquo Data Hacked in Yahoo Japan Security Breachrdquo Last accessed July 30 2013 httpwwwwiredcouknewsarchive2013-0520yahoo-japan-hacked Erin Madigan White (April 23 2013) AP Blog The Definitive Source ldquoAP Responds to Hacking of Twitter Accountrdquo Last accessed July 30 2013 httpblogaporg20130423hackers-compromise-ap-twitter-account
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
21 | References
References
1 Trend Micro Incorporated (2013) ldquoTrendLabs 2012 Annual Security Roundup Evolved Threats in a lsquoPost-PCrsquo Worldrdquo Last accessed July 30 2013 httpwwwtrendmicrocomcloud-contentuspdfssecurity-intelligencereportsrpt-evolved-threats-in-a-post-pc-worldpdf
2 Jonathan Leopando (July 10 2013) TrendLabs Security Intelligence Blog ldquoAndroid Vulnerability Affects 99 of DevicesmdashTrend Micro Users Protectedrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-solution-for-vulnerability-affecting-nearly-all-android-devices
3 Trend Micro Incorporated (2013) Threat Encyclopedia ldquoANDROIDOS_OBADArdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusmalwareANDROIDOS_OBADA
4 Leo Zhang (July 13 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Improve Android Malware Stealth Routines with OBADrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-improve-android-malware-stealth-routines-with-obad
5 Trend Micro Incorporated (2013) Threat Encyclopedia ldquoANDROIDOS_FAKEBANKArdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusmalwareANDROIDOS_FAKEBANKA
6 Weichao Sun (May 14 2013) TrendLabs Security Intelligence Blog ldquoMobile Ads Pushed by Android Apps Lead to Scam Sitesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencemobile-ads-pushed-by-android-apps-lead-to-scam-sites
7 Trend Micro Incorporated (2013) Threat Encyclopedia ldquoANDROIDOS_FAKEAVFrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusmalwareANDROIDOS_FAKEAVF
8 Iain Thomson (March 27 2013) The Register ldquoTibetan and Uyghur Activists Targeted with Android Malwarerdquo Last accessed July 30 2013 httpwwwtheregistercouk20130327android_malware_targeting_tibetan
9 Ericsson ConsumerLab (August 6 2012) Ericssoncom ldquoVietnamese Consumers Show Increasing Demand for Smartphones and Tabletsrdquo Last accessed July 30 2013 httpwwwericssoncomvnnews2012_vn_smartphone_demands_254740123_c
10 Trend Micro Incorporated (2012) ldquoSecurity Threats to Business the Digital Lifestyle and the Cloud Trend Micro Predictions for 2013 and Beyondrdquo Last accessed July 30 2013 httpwwwtrendmicrocoukmediamisctrend-micro-predictions-for-2013-and-beyond-enpdf
11 Roddell Santos (May 28 2013) TrendLabs Security Intelligence Blog ldquoBANKER Malware Hosted in Compromised Brazilian Government Sitesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencebanker-malware-hosted-in-compromised-brazilian-government-sites
12 Ranieri Romera (May 7 2013) TrendLabs Security Intelligence Blog ldquoHomemade Browser Targeting lsquoBanco do Brasilrsquo Usersrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehomemade-browser-targeting-banco-do-brasil-users
13 Roddell Santos (June 14 2013) TrendLabs Security Intelligence Blog ldquoMalware Redirects South Korean Users to Phishing Sitesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencemalware-redirects-south-korean-users-to-phishing-sites
14 Abigail Pichel (June 10 2013) TrendLabs Security Intelligence Blog ldquoGoing Solo Self-Propagating ZBOT Malware Spottedrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencegoing-solo-self-propagating-zbot-malware-spotted
15 Lenart Bermejo (May 24 2013) TrendLabs Security Intelligence Blog ldquoWorm Creates Copies in Password-Protected Archived Filesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceworm-creates-copies-in-password-protected-archived-files
16 Jessa Dela Torre (April 16 2013) TrendLabs Security Intelligence Blog ldquoCompromised Sites Conceal Stealrat Botnet Operationsrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-sites-conceal-stealrat-botnet-operations
17 Paul Pajares (July 8 2013) TrendLabs Security Intelligence Blog ldquoMan of Steel Fast and Furious 6 Among Online Fraudstersrsquo Most Used Luresrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceman-of-steel-fast-and-furious-6-among-online-fraudsters-most-used-lures Gelo Abendan (May 2 2013) TrendLabs Security Intelligence Blog ldquoFake Iron Man 3 Streaming Sites Sprout on Social Mediardquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencefake-iron-man-3-streaming-sites-sprout-on-social-media
18 Anthony Melgarejo (May 2 2013) TrendLabs Security Intelligence Blog ldquoBackdoor Leads to Facebook and Multiprotocol Instant-Messaging Wormrdquo
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
22 | References
Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencebackdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm Paul Pajares (April 30 2013) TrendLabs Security Intelligence Blog ldquoHackers to Manage Your Apple ID If Caught from Phishing Baitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19 Aisa Escober (April 16 2013) TrendLabs Security Intelligence Blog ldquoKELIHOS Worm Emerges Takes Advantage of Boston Marathon Blastrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencekelihos-worm-emerges-takes-advantage-of-boston-marathon-blast Trend Micro Incorporated (2013) Threat Encyclopedia ldquoSpam Attack Leverages Oklahoma Tornado Disasterrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusspam494Spam+Attack+Leverages+Oklahoma+Tornado+Disaster Ryan Certeza (April 19 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast MIT Shootingrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting Gelo Abendan (April 4 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Threaten Tax Day Once Againrdquo Last accessed July 30 2013 http blogtrendmicrocomtrendlabs-security-intelligencecybercriminals-threaten-tax-day-once-again
20 Jim Finkle (May 31 2013) NBC News Technology ldquoLinkedIn Improves Security with Two-Factor Authenticationrdquo Last accessed July 2013 httpwwwnbcnewscomtechnologylinkedin-improves-security-two-factor-authentication-6C10141010 Seth Hitchings (May 30 2013) The Evernote Blog ldquoEvernotersquos Three New Security Featuresrdquo Last accessed July 2013 httpblogevernotecomblog20130530evernotes-three-new-security-features Jim OrsquoLeary (May 22 2013) Twitter Blog ldquoGetting Started with Login Verificationrdquo Last accessed July 2013 httpsblogtwittercom2013getting-started-login-verification
21 David Jackson (April 23 2013) USA Today News ldquoAP Twitter Feed Hacked No Attack at White Houserdquo Last accessed July 30 2013 httpwwwusatodaycomstorytheoval20130423obama-carney-associated-press-hack-white-house2106757
22 Karla Agregado (June 25 2013) TrendLabs Security Intelligence Blog ldquoScam Sites Now Selling Instagram Followersrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencescam-sites-now-selling-instagram-followers
23 Zachary Seward (May 20 2013) Quartz ldquoHow Yahoo Plans to Make Money on Tumblr Ads That Donrsquot Feel Like Adsrdquo Last accessed July 30 2013 httpqzcom86437how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24 Gelo Abendan (March 3 2012) Threat Encyc lopedia ldquoMobile Apps New Frontier for Cybercrimerdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack119mobile apps new frontier for cybercrime Marco Dela Vega (November 23 2010) TrendLabs Security Intelligence Blog ldquoWith Holiday Wishes Come Poisoned Searchesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencewith-holiday-wishes-come-poisoned-searches Dianne Kristine Lagrimas (November 13 2011) Threat Encyclopedia ldquoSports as Bait Cybercriminals Play to Winrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack99sports as bait cybercriminals play to win Valerie Ria Rivera (March 29 2011) Threat Encyclopedia ldquoSpam Scams and Other Social Media Threatsrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack75spam scams and other social media threats
25 Dexter To (May 5 2013) TrendLabs Security Intelligence Blog ldquoCompromised US Government Web Page Used Zero-Day Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-us-government-webpage-used-zero-day-exploit
26 Sooraj KS (June 6 2013) TrendLabs Security Intelligence Blog ldquoPlesk Zero-Day Exploit Results in Compromised Web Serverrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceplesk-zero-day-exploit-results-in-compromised-webserver
27 Gelo Abendan (May 30 2013) TrendLabs Security Intelligence Blog ldquoTrend Micro Deep Security Guards Users from Ruby on Rails Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28 Maharlito Aquino (June 13 2013) TrendLabs Security Intelligence Blog ldquoRARSTONE Found in Targeted Attacksrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencerarstone-found-in-targeted-attacks
29 Kyle Wilhoit (May 17 2013) TrendLabs Security Intelligence Blog ldquoHiding in Plain Sight A New Targeted Attack Campaignrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehiding-in-plain-sight-a-new-apt-campaign
30 Nart Villeneuve (April 25 2013) TrendLabs Security Intelligence Blog ldquoTargeted Attack Campaign Hides Behind SSL Communicationrdquo Last accessed July 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetargeted-attack-campaign-hides-behind-ssl-communication
31 Jay Alabaster (April 4 2013) Computerworld ldquoJapanese Web Portals Hacked Up to 100000 Accounts Compromisedrdquo Last accessed July 30 2013 httpwwwcomputerworldcomauarticle458079japanese_web_portals_hacked_up_100_000_accounts_compromised LivingSocial ldquoLivingSocial Security Noticerdquo Last accessed July 30 2013 httpswwwlivingsocialcomcreatepassword Kadim Shubber (May 20 2013) Wired UK ldquoMillions of Usersrsquo Data Hacked in Yahoo Japan Security Breachrdquo Last accessed July 30 2013 httpwwwwiredcouknewsarchive2013-0520yahoo-japan-hacked Erin Madigan White (April 23 2013) AP Blog The Definitive Source ldquoAP Responds to Hacking of Twitter Accountrdquo Last accessed July 30 2013 httpblogaporg20130423hackers-compromise-ap-twitter-account
TREND MICRO LEgaL DISCLaIMER
The information provided herein is for general information and educational purposes only It is not intended and should not be construed to constitute legal advice The information contained herein may not be applicable to all situations and may not reflect the most current situation Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise Trend Micro reserves the right to modify the contents of this document at any time without prior notice
Translations of any material into other languages are intended solely as a convenience Translation accuracy is not guaranteed nor implied If any questions arise related to the accuracy of a translation please refer to the original language official version of the document any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes
although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein Trend Micro makes no warranties or representations of any kind as to its accuracy currency or completeness you agree that access to and use of and reliance on this document and the content thereof is at your own risk Trend Micro disclaims all warranties of any kind express or implied Neither Trend Micro nor any party involved in creating producing or delivering this document shall be liable for any consequence loss or damage including direct indirect special consequential loss of business profits or special damages whatsoever arising out of access to use of or inability to use or in connection with the use of this document or any errors or omissions in the content thereof use of this information constitutes acceptance for use in an ldquoas isrdquo condition
Trend Micro Incorporated a global leader in security software and solutions strives to make the world safe for exchanging digital information For more information visit wwwtrendmicrocom
copy2013 by Trend Micro Incorporated all rights reserved Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated all other product or company names may be trademarks or registered trademarks of their owners
Created by
global Technical Support amp RampD Center of TREND MICRO
TREND MICRO | TrendLabs 2Q 2013 Security Roundup
22 | References
Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencebackdoor-leads-to-facebook-and-multi-protocol-instant-messaging-worm Paul Pajares (April 30 2013) TrendLabs Security Intelligence Blog ldquoHackers to Manage Your Apple ID If Caught from Phishing Baitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehackers-to-manage-your-apple-id-if-caught-from-phishing-bait
19 Aisa Escober (April 16 2013) TrendLabs Security Intelligence Blog ldquoKELIHOS Worm Emerges Takes Advantage of Boston Marathon Blastrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencekelihos-worm-emerges-takes-advantage-of-boston-marathon-blast Trend Micro Incorporated (2013) Threat Encyclopedia ldquoSpam Attack Leverages Oklahoma Tornado Disasterrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomusspam494Spam+Attack+Leverages+Oklahoma+Tornado+Disaster Ryan Certeza (April 19 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Quickly Take Advantage of Texas Fertilizer Plant Blast MIT Shootingrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecybercriminals-quickly-take-advantage-of-texas-fertilizer-plant-blast-mit-shooting Gelo Abendan (April 4 2013) TrendLabs Security Intelligence Blog ldquoCybercriminals Threaten Tax Day Once Againrdquo Last accessed July 30 2013 http blogtrendmicrocomtrendlabs-security-intelligencecybercriminals-threaten-tax-day-once-again
20 Jim Finkle (May 31 2013) NBC News Technology ldquoLinkedIn Improves Security with Two-Factor Authenticationrdquo Last accessed July 2013 httpwwwnbcnewscomtechnologylinkedin-improves-security-two-factor-authentication-6C10141010 Seth Hitchings (May 30 2013) The Evernote Blog ldquoEvernotersquos Three New Security Featuresrdquo Last accessed July 2013 httpblogevernotecomblog20130530evernotes-three-new-security-features Jim OrsquoLeary (May 22 2013) Twitter Blog ldquoGetting Started with Login Verificationrdquo Last accessed July 2013 httpsblogtwittercom2013getting-started-login-verification
21 David Jackson (April 23 2013) USA Today News ldquoAP Twitter Feed Hacked No Attack at White Houserdquo Last accessed July 30 2013 httpwwwusatodaycomstorytheoval20130423obama-carney-associated-press-hack-white-house2106757
22 Karla Agregado (June 25 2013) TrendLabs Security Intelligence Blog ldquoScam Sites Now Selling Instagram Followersrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencescam-sites-now-selling-instagram-followers
23 Zachary Seward (May 20 2013) Quartz ldquoHow Yahoo Plans to Make Money on Tumblr Ads That Donrsquot Feel Like Adsrdquo Last accessed July 30 2013 httpqzcom86437how-yahoo-plans-to-make-money-on-tumblr-ads-that-dont-feel-like-ads
24 Gelo Abendan (March 3 2012) Threat Encyc lopedia ldquoMobile Apps New Frontier for Cybercrimerdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack119mobile apps new frontier for cybercrime Marco Dela Vega (November 23 2010) TrendLabs Security Intelligence Blog ldquoWith Holiday Wishes Come Poisoned Searchesrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencewith-holiday-wishes-come-poisoned-searches Dianne Kristine Lagrimas (November 13 2011) Threat Encyclopedia ldquoSports as Bait Cybercriminals Play to Winrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack99sports as bait cybercriminals play to win Valerie Ria Rivera (March 29 2011) Threat Encyclopedia ldquoSpam Scams and Other Social Media Threatsrdquo Last accessed July 30 2013 httpabout-threatstrendmicrocomuswebattack75spam scams and other social media threats
25 Dexter To (May 5 2013) TrendLabs Security Intelligence Blog ldquoCompromised US Government Web Page Used Zero-Day Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencecompromised-us-government-webpage-used-zero-day-exploit
26 Sooraj KS (June 6 2013) TrendLabs Security Intelligence Blog ldquoPlesk Zero-Day Exploit Results in Compromised Web Serverrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligenceplesk-zero-day-exploit-results-in-compromised-webserver
27 Gelo Abendan (May 30 2013) TrendLabs Security Intelligence Blog ldquoTrend Micro Deep Security Guards Users from Ruby on Rails Exploitrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetrend-micro-deep-security-guards-users-from-ruby-on-rails-exploit
28 Maharlito Aquino (June 13 2013) TrendLabs Security Intelligence Blog ldquoRARSTONE Found in Targeted Attacksrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencerarstone-found-in-targeted-attacks
29 Kyle Wilhoit (May 17 2013) TrendLabs Security Intelligence Blog ldquoHiding in Plain Sight A New Targeted Attack Campaignrdquo Last accessed July 30 2013 httpblogtrendmicrocomtrendlabs-security-intelligencehiding-in-plain-sight-a-new-apt-campaign
30 Nart Villeneuve (April 25 2013) TrendLabs Security Intelligence Blog ldquoTargeted Attack Campaign Hides Behind SSL Communicationrdquo Last accessed July 2013 httpblogtrendmicrocomtrendlabs-security-intelligencetargeted-attack-campaign-hides-behind-ssl-communication
31 Jay Alabaster (April 4 2013) Computerworld ldquoJapanese Web Portals Hacked Up to 100000 Accounts Compromisedrdquo Last accessed July 30 2013 httpwwwcomputerworldcomauarticle458079japanese_web_portals_hacked_up_100_000_accounts_compromised LivingSocial ldquoLivingSocial Security Noticerdquo Last accessed July 30 2013 httpswwwlivingsocialcomcreatepassword Kadim Shubber (May 20 2013) Wired UK ldquoMillions of Usersrsquo Data Hacked in Yahoo Japan Security Breachrdquo Last accessed July 30 2013 httpwwwwiredcouknewsarchive2013-0520yahoo-japan-hacked Erin Madigan White (April 23 2013) AP Blog The Definitive Source ldquoAP Responds to Hacking of Twitter Accountrdquo Last accessed July 30 2013 httpblogaporg20130423hackers-compromise-ap-twitter-account
TREND MICRO LEgaL DISCLaIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented, and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an "as is" condition.
Trend Micro Incorporated, a global leader in security software and solutions, strives to make the world safe for exchanging digital information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Created by
Global Technical Support & R&D Center of TREND MICRO