The Trend MicroCustom Defense SolutionDetect. Analyze. Adapat, and respondto the attacks that matter to you. 1Q 2013 SECURITY ROUNDUPZero-Days Hit Users Hardat the Start of the Year
LEGAL DISCLAIMERThe information provided herein is for general information and educational purposes only. It is not intended and should not beconstrued to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect themost current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on theparticular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right tomodify the contents of this document at any time without prior notice.Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed norimplied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of thedocument. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance orenforcement purposes.Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warrantiesor representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on thisdocument and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. NeitherTrend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, ordamage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out ofaccess to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof.Use of this information constitutes acceptance for use in an “as is” condition.ContentsVulnerabilities and Exploits:Multiple Zero-Days in WidelyUsed Software..............................................................2Cybercrime: Old Threats Return...................................4Digital Life Security Issues.....................................................9Mobile Threats:Web Threats Affect Mobile Users, Too........................ 11APTs and Targeted Attacks: In Stealth Mode.............. 15
PAGE 1 | 1Q 2013 SECURITY ROUNDUPWhile exploits and vulnerabilities are a common problem for users,zero-day exploits in high-profile applications are relatively rare.That was not the case in the first quarter of 2013. Multiple zero-dayexploits were found targeting popular applications like Java andAdobe Flash Player, Acrobat, and Reader.In addition, as predicted, we saw improvements in already-knownthreats like spam botnets, banking Trojans, and readily availableexploit kits.Other high-profile incidents include the South Korean cyber attacksin March, which reiterated the dangers targeted attacks pose. Onthe mobile front, fake versions of popular apps remained a problemthough phishers found a new target in the form of mobile browsers.
PAGE 2 | 1Q 2013 SECURITY ROUNDUPVulnerabilities and Exploits:Multiple Zero-Days in Widely Used SoftwareJava in the Spotlight• Java again took center stage this quarter due to acouple of high-profile zero-day incidents.• A zero-day exploit that sported REVETON and ransomwarevariants proved that even fully patched systems can be nomatch for an exploit sometimes.1• Within days, Java released a security update to address theissue. But instead of putting the issue to rest, the solution ledto even more questions, leading groups, including the U.S.Department of Homeland Security, to recommend uninstallingJava from computers.21 http://blog.trendmicro.com/trendlabs-security-intelligence/java-zero-day-exploit-in-the-wild-spreading-ransomware/2 http://blog.trendmicro.com/trendlabs-security-intelligence/java-fix-for-zero-day-stirs-questions/Adobe’s Improvements Challenged• Adobe was not exempted from zero-day attacks, as AdobeFlash Player and Reader fell prey to zero-day exploits inFebruary.• Two critical vulnerabilities in Adobe Flash Player wereexploited, lending vulnerable computers to malware infection.• Adobe Reader versions 9, 10, and 11 also fell prey to a zero-day attack, rendering even the vendor’s sandbox technologyvulnerable.33 http://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-vulnerability-hits-adobe-reader/CVSS Score Distribution for Vulnerabilities AddressedSource: CVE Database (cve.mitre.org)The majority of the vulnerabilities disclosed in the first quarter were rated“medium” while about a third were rated “high.”LowMedium(Rated 7–10)High36%52%12%(Rated 4–6.9)(Rated 0–3.9)
PAGE 3 | 1Q 2013 SECURITY ROUNDUPTimeline of Adobe and Java Exploit Attacks Since Adobe Reader XAdobe released Adobe Reader X,which comes with the protectedmode feature.November 22, 2010A zero-day exploit for an Adobe Reader Xvulnerability related to a possible targetedattack was unearthed.December 14, 2011Adobe released theenhanced protected modefeature in Adobe Reader XIand Acrobat XI.October 17, 2012A zero-day Java exploitwas actively used in thewild, particularly by theCool Exploit Kit and theBlackhole Exploit Kit,to distribute REVETONand other ransomwarevariants.January 10, 2013Oracle released a new version of Java toaddress an in-the-wild zero-day exploit. It alsotightened Java’s default settings.January 13, 2013!Oracle released a security updateto address 50 vulnerabilities,including those exploited by theJava zero-days in January.February 5, 2013A zero-day exploit targetingAdobe Flash Playersurfaced.February 8, 2013A zero-day exploit targetingcertain versions of AdobeReader was found.February 13, 2013A zero-day Java exploit hit Java 7but spared Java 6, forcing Oracle torelease an out-of-band patch.August 28, 2012Adobe’s protection features kept cybercriminals at bay for most of 2012 and in 2013, although these were first broken thisquarter.In the meantime, Java was exploited left and right, joining the ranks of some of the more exploited software to date.Adobe’s monthly patching cycle (as opposed to Oracle’s quarterly cycle) allowed it to respond more quickly to privatelyreported vulnerabilities. Despite these steps by vendors, multiple zero-days riddled the first quarter’s security landscape,highlighting the importance of cautious browsing and using proactive solutions.
PAGE 5 | 1Q 2013 SECURITY ROUNDUPTop 10 Countries with the Most Number of Botnet C&C ServersAustralia, 10.88%Brazil, 2.35%Chile, 1.71%United States, 35.66%United Kingdom, 2.60%Italy, 2.28%Germany, 3.41%China, 5.72% South Korea, 6.51%Taiwan, 2.17%As in 2012, the UnitedStates continued to post themost number of botnet C&Cservers this quarter.Note that the hosting countryis not necessarily the locationof the threat actor.Number of Botnet-Connected Computers Detected per MonthJANUARYFEBRUARYMARCH 2.5M1.4M1.2MThe number of computersaccessing detected C&Cservers peaked in Marchas well. However, theseconnections were made toC&C servers discoveredbefore March. Botnets canbecome less active in onemonth and active the next,depending on the botnetmaster’s purposes.
PAGE 6 | 1Q 2013 SECURITY ROUNDUPOverall Trend Micro Smart Protection Network Numbers1B2B3B4B5B6BJANUARYNumber ofspam blocked7B8B9BFEBRUARY MARCHNumber ofmalicious sitesblockedNumber ofmalicious filesblocked5.6B2,075Total number ofthreats blockedDetection rate(Number of threats blocked persecond)4.7B443M390M5.1B414M367M5.9B2,2117.3B437M430M8.2B3,055Trend Micro protectedproduct users froman average of 2,400threats per secondthis quarter.Top 10 Countries with the Most Number of Botnet-Connected ComputersThe United States showedthe most number ofcomputers accessing C&Cservers in the first twomonths of the quarter. ButSouth Korea surpassedthe United States in March,possibly as a result ofpolitical tensions at thattime.Austria, 2.52%United States, 28.12%Italy, 10.46%Russia, 2.59%South Korea, 21.27% Japan, 2.82%Taiwan, 2.49%Macau, 6.40%India, 1.75% Malaysia, 8.88%
PAGE 7 | 1Q 2013 SECURITY ROUNDUPWORM_DOWNAD TROJ_ZACCESS/SIREFEF ADW_PRICEGONGWORM_DOWNAD - 741KTROJ_ZACCESS/SIREFEF - 274KADW_PRICEGONG - 234KWORM_DOWNAD remained the top malware this quarter, followedby TROJ_ZACCESS/SIREFEF, just like last year. But the numberof adware surged led by ADW_PRICEGONG, which placed third toreplace 2012’s third-most prolific malware, PE_SALITY.100,0001,000100100100,0001,000100100100,0001,000100100Top 3 MalwareENTERPRISE SMB CONSUMERNAME VOLUME NAME VOLUME NAME VOLUMEWORM_DOWNAD 364K WORM_DOWNAD 81K TROJ_ZACCESS/SIREFEF 163KPE_SALITY 81K PE_SALITY 17K CRCK_KEYGEN 162KPE_VIRUX 34K TROJ_ZACCESS/SIREFEF 14K ADW_PRICEGONG 157KTop 10 Malicious Domains BlockedDOMAIN REASONtrafficconverter . biz Has a record for hosting and distributing wormspu . plugrush . com Has a poor reputation and recordads . alpha00001 . com Reported as a C&C server and redirects to enterfactory.com, another malicious siteam10 . ru Has a record and reported in relation to pop-upmessages and adwarewww . trafficholder . com Related to child exploitationwww . funad . co . kr Related to a ADW_SEARCHSCOPEwww . ody . cc Related to links with suspicious scripts and sites thathost BKDR_HPGN.B-CNcdn . bispd . com Redirects to a malicious site and related to maliciousfiles that distribute malwareh4r3k . com Distributes Trojanswww . dblpmp . com Contained spam and malwareAlmost all of the domainsblocked this quarter wereinvolved in maliciousactivities, specifically hostingand distributing malware.Only one of the top 10 wasblocked due to maliciouscontent related to childexploitation.
PAGE 8 | 1Q 2013 SECURITY ROUNDUPTop 10 Malicious URL Country SourcesUnited StatesGermanyNetherlandsChinaSouth KoreaRussiaJapanFranceUnited KingdomCanadaOthers24.63%4.32%3.57%3.33%2.99%2.38%1.97%1.58%1.28%0.63%53.32%More than 20% of themalicious domains weblocked were hosted in theUnited States, consistentwith our 2012 numbers. TheUnited States and Germanyhosted the most number ofblocked malicious domains.The data in this map referto the number of malicioussites hosted in the countries.The malicious site ownersare not necessarily from theidentified countries but mayhave registered their domainsin them.Top 10 Spam LanguagesEnglishChineseJapaneseGermanRussianItalianPortugueseSpanishSlovakFrenchOthers89.32%1.59%1.44%1.36%1.29%0.48%0.37%0.32%0.30%0.15%3.38%The majority of the spam waswritten in English, as it is themost widely used languagein business, commerce,and entertainment. As such,spammers deemed spreadingmalicious messages in thislanguage more profitable.
PAGE 9 | 1Q 2013 SECURITY ROUNDUPTop 10 Spam-Sending CountriesUnited StatesIndiaChinaSpainTaiwanPeruRussiaVietnamBelarusColombiaOthers11.64%7.70%4.28%3.97%3.93%3.62%3.42%3.29%3.18%2.68%52.29%India, which led the pack ofspam-sending countries in2012, fell to second placeafter the United States. Somecountries that used to be partof the top 10 list completelydropped out this quarter. It isclear though that spammingremains a global problem.Digital Life Security IssuesHolidays and Historic Events RemainEffective Lures• Historic moments like the papal conclave and theannouncement of the new pope did not escape theattention of spammers and Blackhole Exploit Kitperpetrators.12• The Google Glass competition in February also spurredthe appearance of several web threats, includingmalicious links that led to survey scams.13• The spam and malicious domain volumes also spikeddays before Valentine’s Day, again proving thatcybercriminals still profit from these ruses.1412 http://blog.trendmicro.com/trendlabs-security-intelligence/spammers-bless-new-pope-with-spam/13 http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-hop-on-the-google-project-glass-bandwagon/14 http://blog.trendmicro.com/trendlabs-security-intelligence/love-bugs-how-are-valentine-threats-looking-up/Selling User Information Follows Its OwnBusiness Model• “Fullz,” which refers to a collection of crucial informationbeyond names, addresses, and credit card numberstypically stolen from unsuspecting users and sold byscammers in underground forums.15• Data can be stolen using different tools and/ortechniques like spreading data-stealing malware,compromising “target-rich” organizations, and obtainingindiscriminately disclosed information.16• Scammers who sell user information operate withina certain framework so they can gain new and retainexisting customers to profit.1715 http://blog.trendmicro.com/trendlabs-security-intelligence/what-would-scammers-want-with-my-information/16 http://blog.trendmicro.com/trendlabs-security-intelligence/business-models-behind-information-theft/17 http://blog.trendmicro.com/trendlabs-security-intelligence/your-data-and-the-business-of-online-scam/Hacking Gives Life to Zombies• The Montana Emergency Alert System (EAS) wasreportedly hacked and warned users that “bodies ofthe dead are rising from their graves and attacking theliving.”18• Attacks like this shows that anything connectedto the Internet, even public infrastructures, can becompromised and have disastrous results.18 http://blog.trendmicro.com/trendlabs-security-intelligence/zombies-are-funny-until-someone-loses-an-eye/Digital life refers to the entireecosystem regarding the onlineactivities of the general computingpublic, including behaviors,identities, privacy, socialengineering, social media platforms,and the like.
PAGE 10 | 1Q 2013 SECURITY ROUNDUPNotable Social Engineering Lures UsedPope FrancisGoogle GlassWindows 8Candy CrushValentine’s DayNews events dominatedthe social engineeringlures in the first quarter,with the election of a newpope making the loudestnoise. Technology-relatedtopics like Google Glassand Windows 8 were alsofrequently used.Cybercriminal Underground Product/Service Prices(As of January 16, 2013)PERSONAL DATA PRICEBANK LOGIN DATABank of America U.S.US$7,000 balance US$300US$14,000 balance US$500US$18,000 balance US$800HSBC U.S.US$12,000 balance US$400US$28,000 balance US$1,000HSBC U.K.US$8,000 balance US$300US$17,000 balance US$700GADGET SHIPMENTLaptopApple US$240HP/Dell/Toshiba/Samsung US$120Vaio US$200Mobile phone/TabletiPhone 3GS US$120iPhone 4G US$150iPhone 4GS/iPad 2 US$180BlackBerry US$130VERIFIED PAYPAL ACCOUNT (email and password)US$1,500 balance US$150US$2,500 balance US$200US$4,000 balance US$300US$7,000 balance US$500Bank and e-commerce logincredentials are highly prized inthe underground compared withtheir social media counterparts.Besides peddling stolen data,it is interesting to note thatcybercriminals also offer serviceslike shipping gadgets.
PAGE 11 | 1Q 2013 SECURITY ROUNDUPMobile Threats: Web ThreatsAffect Mobile Users, TooPhishing Hooks for Mobile Users• Phishing is an emerging threat in the mobile space.19• In 2012, the majority of mobile sites spoofed werebanking sites.20• Financial service-related sites were most spoofed thisquarter, proving that phishers, whether on computers oron mobile devices, will always go where the money is.19 http://about-threats.trendmicro.com/us/mobilehub/mobilereview/rpt-monthly-mobile-review-201302-mobile-phishing-a-problem-on-the-horizon.pdf20 http://blog.trendmicro.com/trendlabs-security-intelligence/when-phishing-goes-mobile/Mobile Backdoor Infects 1M Smartphones• An Android malware variant that can send and receivecommands was found on 1M smartphones.21• The malware can update its script to evade anti-malware detection. Because of its backdoor routines,malicious users are able to control infected devices.• Fortunately for Trend Micro customers, we have beendetecting this malware since July 2012 despite the highnumber of infections in the first quarter.21 http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-found-to-send-remote-commands/Fake Gaming Apps Become Threat Staples• Mobile malware continued to take advantage of populargaming apps this quarter.• We spotted fake versions of Temple Run 2 and spoofedapps that offer cheats for the game Candy CrushSaga.22These apps aggressively pushed ads andgathered personal information from infected mobiledevices.22 http://blog.trendmicro.com/trendlabs-security-intelligence/fake-versions-of-temple-run-2-sprint-their-way-to-users/; http://blog.trendmicro.com/trendlabs-security-intelligence/dubious-developers-cash-in-on-candy-crush/BusinessComputer/InternetservicesFinancial servicesReal estateShoppingSocial networkingWebmail servicesOthers0.13%0.39%26.90%1.05%3.41%0.79%0.39%66.94%Mobile Phishing Site Types DetectedFinancial sites were still thefavorite phishing targetseven in the mobile spacethis quarter. Note that thenumber of mobile phishingURLs increased by 54% fromaround 500 in the first quarterof 2012 to almost 800 in thesame quarter of 2013.The data in this figure referto the number of maliciousURLs that pointed to siteswith mobile-related keywords.
PAGE 12 | 1Q 2013 SECURITY ROUNDUPAndroid Threat Volume Growth425K462K509K400K500K600KFebruaryJanuaryMarchThe Android threat volumehas reached the halfwaymark in relation to our 2013prediction—1M, indicatingcontinued cybercriminalinterest in the mobile space.The increase could beattributed to the fact that morethan half of the global mobiledevice market share belongsto Google.Distribution of Android Threat TypesPREMIUMSERVICEABUSERADWARE DATA/INFORMATIONSTEALERMALICIOUSDOWNLOADERHACKTOOL BACKDOOR/REMOTECONTROLOTHERS47.72% 31.99% 11.34% 6.41% 2.09% 2.58% 1.08%As in 2012, premium serviceabusers and adware remainedthe top Android threats thisquarter. Premium serviceabusers are known forregistering users to overpricedservices while adwareaggressively push ads andmay even collect personalinformation without affectedusers’ consent.The distribution data wasbased on the top 20 mobilemalware and adware familiesthat comprise 88% of all themobile threats detected by theMobile Application ReputationTechnology as of March 2013.Note that a mobile threat familymay exhibit the behaviors ofmore than one threat type.
PAGE 13 | 1Q 2013 SECURITY ROUNDUPFAKEINSTOPFAKEGINMASTERBOXERSNDAPPSJIFAKEKUNGFUFAKEDOCKMINKSAPPOthers31.50%27.04%5.65%2.73%2.70%2.38%2.38%2.27%1.53%1.49%20.33%Top 10 Android Malware FamiliesFake apps remained asignificant mobile threat.Malicious apps that belong tothe FAKEINST and OPFAKEfamilies are known for imitatingpopular apps to lure users intodownloading them.Countries Most at Risk of Privacy Exposure Due to App Use10.78%7.58%7.26%6.05%5.53%5.11%4.92%4.61%4.48%Saudi ArabiaIndiaMyanmar (Burma)PhilippinesMalaysiaBrazilHong KongChinaFranceTurkey5.74%Android users from Saudi Arabia were most at risk of privacy exposure. This mighthave been due to the fact that almost all of the mobile users in that country take noticeof mobile ads, which could have prompted dubious developers to create apps withaggressive advertising features.The ranking was based on the percentage of apps categorized as “privacy riskinducers” over the total number of apps scanned per country. The ranking was limitedto countries with at least 10,000 scans. The ratings were based on the quarterlyanalysis of real-time threat detection via Trend Micro™ Mobile Security PersonalEdition.
PAGE 14 | 1Q 2013 SECURITY ROUNDUPCountries with the Highest Battery-Draining App Download VolumesAlgeriaUnited KingdomChinaCanadaIndiaUnited StatesIrelandGermanyPhilippinesJapan42.39%36.11%35.76%35.45%34.94%34.58%33.13%31.94%31.90%31.90%Users from Algeria downloaded the most number of battery-draining apps, closely followed by those from the United Kingdom and China. Havingthe ninth highest Internet penetration rate in Africa, Algeria may also become a likely web threat target.The ranking was based on the percentage of apps categorized as “power hoggers” over the total number of apps scanned per country. The rankingwas limited to countries with at least 10,000 scans. The ratings were based on the quarterly analysis of real-time threat detection via Trend MicroLongevity.Countries with the Highest Malicious Android App Download VolumesMyanmar (Burma)IndiaSaudi ArabiaRussiaUkraineMalaysiaPhilippinesTurkeyIndonesiaItaly9.50%7.25%7.19%6.06%5.98%5.26%4.10%3.50%3.11%3.03%The majority of the countries most at risk of downloading malicious apps were in Asia, ledby Myanmar (Burma).The ranking was based on the percentage of apps rated “malicious” over the total numberof apps scanned per country. The ranking was limited to countries with at least 10,000scans. The ratings were based on the quarterly analysis of real-time threat detection viaTrend Micro Mobile Security Personal Edition.
PAGE 15 | 1Q 2013 SECURITY ROUNDUPAPTs and Targeted Attacks: In Stealth ModeMBR Wiper Attacks Target South Korea• In mid-March, certain South Korean entities weretargeted by a master boot record (MBR)-wipingTrojan.23• The attacks disrupted the targets’ business byrendering systems, both clients and servers, unable toreboot.• The samples we found either overwrite infectedcomputers’ MBR using certain strings or delete specificfiles and/or folders. Once overwritten, computer accesseither becomes limited or nonexistent.23 http://blog.trendmicro.com/trendlabs-security-intelligence/summary-of-march-20-korea-mbr-wiper/FAKEM RAT Blends with Normal Traffic• Like most remote access Trojans (RATs), FAKEMevades detection by blending in with normal networktraffic.24• Unlike other RATs though, FAKEM traffic mimicsWindows Messenger, Yahoo! Messenger, or HTMLtraffic to evade detection.2524 http://blog.trendmicro.com/trendlabs-security-intelligence/hiding-in-plain-sight-the-fakem-remote-access-trojan/25 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdfRARSTONE Backdoor Imitates PlugX• Like PlugX, the RARSTONE backdoor also loads anexecutable file in an infected computer’s memory, apartfrom having its own set of unique tricks.26• RARSTONE hides its executable file by directly loadinga backdoor in memory instead of dropping it onto thecomputer. Unlike PlugX though, it communicates viaSecure Sockets Layer (SSL), which encrypts its traffic,allowing it to blend with normal traffic.26 http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/
PAGE 16 | 1Q 2013 SECURITY ROUNDUPFAKEM Versus RARSTONE: RAT TechniquesDespite certain differencesin routine, both FAKEM andRARSTONE present novel waysto remain undetected by mostanti-malware solutions.FAKEM RARSTONEArrives via spear-phishing emailsArrives via spear-phishing emailsUsually disguised asfiles normally usedin businesses (e.g.,.DOC, .XLS, and.PDF)Usually disguisedas files normallyused in offices(e.g., .DOC, .XLS,and .PDF)Drops an .EXEfile that initiatesencryptedcommunication withC&C serversDrops an .EXEfile that drops acopy, which thenopens a hiddenInternet Explorerprocess and injectsmalicious code into acomputer’s memory;the code decrypts itselfand downloads a .DLLfile from a C&C server;the .DLL file is loaded inmemoryEXEDLLCreates networktraffic that mimicsYahoo! Messenger,Windows Messenger,and HTML trafficCommunicateswith a C&Cserver using SSLHTML SSL