
Trend Micro

TrendLabs
Global Threat Trends 1H 2010

Table of Contents

Threat Trends  4
  Email Threat Trends  5
  Web-Based Threat Trends  8
  File-Based Threat Trends  9
  Cybercrime and Botnets  10
  Underground Economy  12
  High Profile Incidents of 1H2010  12
  Vulnerabilities  15
Trend Micro Technology and Protection  16
  Smart Protection Network  16
  Solutions and Services  16
  Trend Micro Enterprise Security  16
  Trend Micro SecureCloud  16
  Trend Micro Worry-Free Business Security  16
  Trend Micro Titanium  17
Advice for Businesses Adopting Cloud Strategies  17
Advice for Businesses  17-18
Top Tips for End Users  19
About TrendLabs  20

Introduction

Cybercrime is now a fully fledged, but highly illegal, business. And it's all about money.

As the underground economy has grown and flourished, cybercriminals have developed new methods for tricking victims. Their scams are amazingly lucrative, with profits totaling in the billions per year. Many perpetrators hail from Eastern Europe, where cybercrime is rampant and considered business as usual. Canadian pharmacy spam, fake antivirus and others are part of a well-organized business model based on the concept of affiliate networking. In the case of cybercrime, the products sold via affiliate marketing may be highly profitable, although highly illegal, such as click fraud and the sale of credit card details.

In this report, covering January to June 2010, we examine various cybercrime incidents and the criminals' use of tools such as botnets, and look at the threat trends and activity currently causing, and likely to continue to cause, the most pain, cost and disruption to connected users across the world.

Many threats have evolved in recent times, becoming more silent and more insidious. Threats are intertwined, meaning almost every threat comprises multiple components for attacking, infecting and compromising data. Every component relates to one or more of three vectors: email, web and file.

During the first six months of 2010, TrendLabs identified Europe as the largest source of spam emails, while Education is the industry most affected by malware compromise. Meanwhile, the US is the primary source of malicious URLs.

Vulnerability exploits are a key asset used by cybercriminals. They buy and sell vulnerability information and exploit code, as well as other types of malware. In the first half of 2010, over 2,500 common vulnerabilities and exposures (CVEs) were recorded.

Professional criminals are widely known to be the perpetrators of almost all threats. Botnets are managed and run as an enterprise organization manages its network. Making money is the primary aim.

Threat Trends

The Trend Micro Smart Protection Network infrastructure delivers advanced protection from the cloud, blocking threats in real time before they reach you. Leveraging a unique cloud-client architecture, it is powered by a global network of threat intelligence sensors and by email, Web and file reputation technologies that work together to dramatically reduce infections.

The Smart Protection Network now sees 45 billion queries every 24 hours, blocks 5 billion threats and processes 2.5 terabytes of data on a daily basis. On average, 80 million users are connected to the network each day. This community of users helps the Smart Protection Network continue to evolve and improve protection in real time. The following data points, taken from the Smart Protection Network and other supporting monitoring systems, provide a comprehensive insight into the threats Trend Micro protected its users against in the first six months of 2010.

Email Threat Trends

Spam

Spam continued to grow between January and June 2010, albeit with a brief interval during April.

[Chart: Spam Volume, January to June 2010 (messages per month, 0 to 3.5 billion)]

Most of the spam tracked during the past six months falls under one of three categories: Commercial (28%), Scams (22%) or Health/Medical (15%). In terms of spam technique, 37% of total samples use HTML, followed by Plain Text (25%) and Short Spam (10%).

[Chart: Spam Technique Distribution; categories: Plain Text, HTML, Image, PDF/RTF attached, GIF/JPEG attached, RAR/Zip attached, XLS attached, DOC/TXT attached, HTML Inserts, Short Spam, Salad, Others]

The most notable change between the first and second quarters of 2010 was the reduction in spam from APAC and the increase in spam from Europe. Countries contributing strongly to the growth in spam from Europe include Germany, the UK, Italy and France.

[Charts: Regional Spam Sources, Q1 and Q2 2010; regions: APAC, Europe, North America, South America, Africa, Unknown]

Currently, TrendLabs monitors 38 languages and dialects used in spam. This coverage is continuously being improved to provide increased protection against highly localized spam. More than 95% of spam is in English. For the non-English spam, the most common languages received are Russian, Japanese, Chinese, Spanish and French.


Commercial, Scams and Health/Medical spam made up the vast majority, a total of 65 percent, of the spam tracked in the first half of 2010.

[Chart: Spam Type Distribution; categories: Health/Meds, Stocks, Educ/Degree, Jobs, Scam, Adult/Porn/Dating, Financial, Commercial, Malware (attachment), Malware (URL), Phishing, Others]

The chart below shows the quantity of spam per ASN (Autonomous System Number) in the first six months of 2010. An ASN is allocated to each ISP or organization that manages a large group of IP routing prefixes[1].

[Chart: Spam volume by ASN (past 6 months), January to June 2010; ASNs plotted: 1267, 2856, 3209, 3269, 3320, 3462, 4766, 5089, 6799, 6830, 6849, 7738, 8167, 9050, 9829, 12322, 13184, 18403, 20115, 24560, 25019, 27699, 28573, 45899]


The quantity of spammed messages distributed via botnets is astronomical. Spam continues to be a vector of choice for criminals owing to the speed of distribution and delivery, the vast target list and the relatively low investment required when compared with the profit on offer. As can be seen from the chart above, certain ASNs are working hard to reduce the spam distributed via their networks; however, these efforts seem to be countered by a number of providers that are not acting to manage the spam problem.

One way ISPs can help combat botnets and spam is by blocking outbound email on port 25, the port used for SMTP transfers between mail servers. Spam bots deliver their messages by connecting directly from the infected machine to the recipient's mail server on port 25. If an ISP blocks outbound connections to port 25 from its customer address space and requires mail to be handed to its own servers instead (typically on the authenticated submission port, 587), bot-originated spam can no longer leave the network. Generally speaking, users will not notice any direct change, as most use their ISP's own servers or free email services from providers like Gmail, Windows Live Hotmail or Yahoo! Mail.

As an example of how and why the issue of spam is now overwhelming, according to Trend Micro research, spam now accounts for around 97% of all email in circulation[2]. In a recent laboratory-controlled investigation, the quantity of spam generated by a single bot-infested computer in a 24-hour period totaled around 2,553,940[3].
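The chart above ranks spam by ASN; the step it hides is attributing each sending IP to an autonomous system. The following Python is an added example, not TrendLabs code: it pulls sender IPs out of constructed Postfix-style reject lines, maps each to an ASN with a longest-prefix match over a constructed prefix table, and tallies messages per ASN. The prefix table, ASNs and log lines are all made up for illustration; a real table would come from a BGP routing dump or an IP-to-ASN lookup service. Senders not covered by any prefix are counted separately rather than dropped, so a gap in the table shows up in the output.

```python
"""Spam volume per ASN from MTA reject logs (added example, not from the report).

The prefix table, ASNs and log lines below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed prefix -> ASN table. Real data would come from a BGP table dump
# or an IP-to-ASN service; the /25 is deliberately more specific than the /24
# that contains it, so match order matters.
PREFIX_TABLE = [
    ("203.0.113.0/24", 64501),
    ("198.51.100.0/24", 64502),
    ("198.51.100.128/25", 64503),
    ("192.0.2.0/24", 64504),
]

# Constructed Postfix-style smtpd lines; only "reject" lines count as spam here.
SAMPLE_LOG = """\
Jun 12 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Blocked
Jun 12 10:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Blocked
Jun 12 10:01:05 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[198.51.100.5]: 554 5.7.1 Blocked
Jun 12 10:01:06 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[198.51.100.200]: 554 5.7.1 Blocked
Jun 12 10:01:07 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[198.51.100.201]: 554 5.7.1 Blocked
Jun 12 10:01:09 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 Blocked
Jun 12 10:01:10 mx postfix/smtpd[1237]: NOQUEUE: reject: RCPT from unknown[203.0.113.12]: 554 5.7.1 Blocked
Jun 12 10:01:11 mx postfix/smtpd[1237]: NOQUEUE: reject: RCPT from unknown[100.64.0.1]: 554 5.7.1 Blocked
Jun 12 10:01:12 mx postfix/smtpd[1238]: connect from mail.example.net[192.0.2.1]
"""

REJECT_RE = re.compile(r"reject: RCPT from \S+?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_table(entries):
    """Parse prefixes and sort most-specific first so the first hit wins."""
    nets = [(ipaddress.ip_network(prefix), asn) for prefix, asn in entries]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def lookup_asn(table, ip):
    """Longest-prefix match: return the ASN of the most specific covering
    prefix, or None when no prefix in the table covers the address."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def rejected_senders(log_text):
    """Extract the client IP from every smtpd reject line."""
    return REJECT_RE.findall(log_text)


def spam_by_asn(table, log_text):
    """Tally rejected messages per originating ASN; unattributable senders
    are counted under None so they are not silently dropped."""
    counts = Counter()
    for ip in rejected_senders(log_text):
        counts[lookup_asn(table, ip)] += 1
    return counts


if __name__ == "__main__":
    table = build_table(PREFIX_TABLE)
    for asn, n in spam_by_asn(table, SAMPLE_LOG).most_common():
        label = f"AS{asn}" if asn is not None else "unattributed"
        print(f"{label:>13}  {n}")
```

Sorting the table most-specific-first is what makes the linear scan a correct longest-prefix match; for a full routing table a radix tree would replace the scan, but the ordering rule is the same.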

[Chart: Spam Volume by Country, January to June 2010 (0 to 800 million per month); countries: USA, IND, DEU, BRA, GBR, FRA, VNM, ITA, KOR, POL, ROM, RUS, NLD, ESP, UKR, COL, TWN, SAU, PRT, ISR, ARG, GRC, CAN, TUR, others]

[1] http://en.wikipedia.org/wiki/Autonomous_System_Number
[2] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/q3_2009_spam_report.pdf
[3] https://blog.trendmicro.com/how-many-spam-can-a-spam-bot-spam/


The following chart shows the total number of spam-bot-infected computers TrendLabs identified per country. A spam bot is an infected computer controlled by a botnet that is known to distribute spam prolifically, although it is unlikely to be limited to only this type of activity. Note that this is not the total number of infected computers, as many bots are not used to distribute spam. The total number of active spamming IPs in India and Brazil is well ahead of their closest rival, Germany. In the past six months, both India and Brazil have fully emerged as central countries in the cybercriminal landscape.

[Chart: 1H10 Total Host Count by Country (0 to 25 million); countries: IND, BRA, DEU, VNM, RUS, USA, ITA, GBR, UKR, SAU, COL, ESP, POL, CHN, ARG, TWN, ROM, THA, TUR, SRB, GRC, PRT, IDN, PAK, others]

Phishing Targeted Entities

In alphabetical order, the four most popular entities targeted via both phishing email and spoofed sites in the first six months of 2010 were (1) Bank of America, (2) eBay, (3) HSBC and (4) PayPal. While the majority of the top 10 targeted entities are commercial or financial entities, social media platforms like Facebook and Twitter, as well as MMORPGs like World of Warcraft, were also consistently present. The majority of the new entities being targeted by phishers are local banks in specific countries (e.g., Italy, Malaysia, United States) and online gaming services (listed below in alphabetical order):

Air Academy FCU: a credit union with branches in Colorado
Banca Del Monte di Lucca
Banca Carige: a commercial Italian bank, including some of its subsidiaries like Cassa di Risparmio di Carrara and Cassa di Risparmio di Savona
Banca Cesare Ponti: a commercial Italian bank
Banca Sai: a commercial Italian bank
Battle.net: an online gaming service operated by Blizzard Entertainment
Cassa di Risparmio di Ferrara: a commercial Italian bank
CenturyLink: a telecommunications company in the United States
FirstCaribbean International Bank: a Barbados-based bank operating in the Caribbean
iQuebec: a French-language Internet portal
Lottomatica: an Italian gaming company
Nantahala Bank & Trust Company: an American bank
NCSoft: an online gaming service provider
Pinnacle Bank: an American bank
President's Choice Financial: a Canadian bank
Public Bank Berhad: a Malaysian bank
SCRIGNO for Banca Popolare Di Sondrio: an Italian bank

Phishing Techniques

Between January and June 2010, phishers continued the trend of explicitly displaying phishing URLs rather than disguising them. This indicates that victims still judge a site to be authentic on the basis of obvious visual clues, such as the site's appearance and its use of correct company logos, rather than inspecting the URL in the address bar.
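The point above is that the address bar, not the page, carries the trustworthy signal. The following Python is an added example, not TrendLabs code: it applies the checks a reader would make by eye to a URL mechanically, flagging a brand name that appears in the hostname or path while the registrable domain belongs to someone else, a bare IP address as host, and the userinfo trick where the brand sits before an "@" and the real host after it. The brand table and sample URLs are constructed. The registrable domain is approximated as the last two labels, which is wrong for country-code second-level domains such as .co.uk; production code should consult the Public Suffix List.

```python
"""Lookalike-URL triage for phishing lures (added example, not from the report).

The brand table and the sample URLs are constructed. The registrable domain is
approximated as the last two labels, which misfires on country-code second
level domains such as .co.uk; production code should use the Public Suffix List.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: brand keyword -> domains entitled to carry it.
BRANDS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "hsbc": {"hsbc.com"},
    "bankofamerica": {"bankofamerica.com"},
}


def registrable_domain(host):
    """Approximate eTLD+1 as the last two labels (see module docstring)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def inspect_url(url):
    """Return the reasons a URL looks like a lookalike; an empty list means
    none of the checks fired."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reasons = []
    if parts.username is not None:
        # http://www.brand.com@203.0.113.5/ shows the brand before the '@'
        # while the browser actually connects to the host after it.
        reasons.append("userinfo before '@' hides the real host")
    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
    reg = registrable_domain(host)
    # Brand words may be split with '-' or '_' to dodge naive string matching.
    haystack = " ".join(filter(None, [parts.username, host, parts.path])).lower()
    haystack = haystack.replace("-", "").replace("_", "")
    for brand, legit in BRANDS.items():
        if brand in haystack and reg not in legit:
            reasons.append(f"'{brand}' appears but registrable domain is {reg}")
    return reasons


def triage(urls):
    """Map each URL to its findings, keeping only URLs with at least one."""
    return {u: r for u in urls if (r := inspect_url(u))}


# Constructed sample lures and legitimate URLs.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://secure.ebay.com/",
    "http://www.paypal.com.secure-login.example/webscr",
    "http://198.51.100.23/ebay/update/",
    "http://www.hsbc.com@198.51.100.24/login",
    "http://bank-of-america-verify.example/",
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_URLS).items():
        print(url)
        for r in reasons:
            print("   -", r)
```

The checks deliberately do not look at page content or logos, since those are exactly what the phisher controls; everything here is derived from the URL alone.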

Web-Based Threat Trends

The onslaught of threats using the Web as a means to propagate will increasingly cause challenges for organizations and end users.

Bad Actors vs. Victims

"Bad Actors" refers to the sources of malicious URLs. The United States has consistently been the primary source of malicious URLs, while Japan accessed the greatest number of malicious URLs. Similarly, North America is the continent hosting the most malicious URLs, while Asia is the continent with the most victims.

[Chart: Growth in Malicious URLs, January to June 2010 (0 to 4 billion)]

Monthly Top 20 Bad Actors by Country

#  | JAN                    | FEB                | MAR                | Q1
1  | United States          | United States      | United States      | United States
2  | China                  | China              | China              | China
3  | Netherlands            | Netherlands        | Netherlands        | Netherlands
4  | Russian Federation     | Germany            | Germany            | Germany
5  | Germany                | Russian Federation | Romania            | Russian Federation
6  | Romania                | Japan              | Japan              | Romania
7  | Japan                  | Romania            | Russian Federation | Japan
8  | France                 | France             | United Kingdom     | France
9  | United Kingdom         | United Kingdom     | France             | United Kingdom
10 | Ukraine                | Canada             | Canada             | Canada
11 | Bosnia and Herzegovina | Ukraine            | Ukraine            | Ukraine
12 | Canada                 | South Korea        | South Korea        | South Korea
13 | South Korea            | Italy              | Italy              | Sweden
14 | Sweden                 | Sweden             | Sweden             | Italy
15 | Portugal               | Poland             | Australia          | Poland
16 | Poland                 | Turkey             | Bahamas            | Bosnia and Herzegovina
17 | Italy                  | Australia          | Turkey             | Turkey
18 | Turkey                 | Czech Republic     | Poland             | Australia
19 | Australia              | Taiwan             | Czech Republic     | Portugal
20 | Israel                 | Panama             | Panama             | Czech Republic

#  | APR            | MAY            | JUN            | Q2
1  | United States  | United States  | United States  | United States
2  | China          | China          | Ireland        | China
3  | Netherlands    | Romania        | China          | Ireland
4  | Germany        | Germany        | Romania        | Romania
5  | Romania        | Japan          | Japan          | Germany
6  | Japan          | United Kingdom | Germany        | Japan
7  | United Kingdom | Netherlands    | United Kingdom | Netherlands
8  |                |                | Netherlands    | United Kingdom

The remaining Q2 positions are not legible in the source. The countries that occupy positions 8 to 20 across the Q2 columns are: Russian Federation, Ukraine, France, Canada, South Korea, Italy, Australia, Sweden, Turkey, Bahamas, Singapore, Czech Republic, Poland, Belgium, Taiwan and Latvia.

Top URLs and Domains Blocked

Below is the list of the URLs that consistently appeared in the top 10 for 4-6 months (in no particular order):

URL: ad. globe7.com:80/iframe3 (USA). Description: Contains malicious IFRAME code
URL: bid. openx.net:80/json (USA). Description: Known to download TROJ_AGENT variants
URL: delivery. adyea.com:80/lg.php (DEU). Description: Known to download worms; sets drives to autoplay by creating autorun.inf in the drives' root directories
URL: dt. tongji.linezing.com:80/tongji.do (CHN). Description: Related to JS_DLOADR.ATF
URL: hot1. xgazo.info:80/pic.php (USA). Description: Proxy avoidance site
URL: newt1. adultadworld.com:80/jsc/z5/ff2.html (USA). Description: Adult website
URL: openxxx. viragemedia.com:80/www/delivery/afr.php (NLD). Description: Known to host adware

Below is the list of domains that consistently appeared in the top 10 for 4-6 months (in no particular order):

Domain: bid. openx.net (USA). Description: Known to download TROJ_AGENT variants
Domain: delivery. adyea.com (DEU). Description: Known to download worms; sets drives to autoplay by creating autorun.inf in the drives' root directories
Domain: dt. tongji.linezing.com (CHN). Description: Related to JS_DLOADR.ATF
Domain: hot1. xgazo.info (USA). Description: Proxy avoidance site
Domain: newt1. adultadworld.com (USA). Description: Adult website
Domain: openxxx. viragemedia.com (NLD). Description: Known to host adware
Domain: trafficconverter. biz (USA). Description: Known to be accessed by Conficker/DOWNAD variants

File-Based Threat Trends

New Malware Creation

In order to ensure wide sourcing of malware samples, Trend Micro has its own research and monitoring systems and also collaborates with multiple independent third parties, among them AV-Test.org. Based on the total number of unique samples collected in 2009, a new piece of malware is created every 1.5 seconds.

[Chart: New Unique Samples Added to AV-Test.org's Malware Collection, January 2007 to March 2010 (0 to 2 million per month), with growth and 3-month median forecast; callout: a new threat every 1.5 seconds]

Infections according to Industry

The chart below clearly indicates that Education as an industry has been hardest hit by infections in the first half of 2010. This is likely owing to the number of students using old and out-of-date software and security products, and possibly visiting suspect websites. These issues compound the challenges of securing a complex, distributed and diverse infrastructure.

[Chart: Infection breakdown by Industry; sectors: Banking, Communication/Media, Education, Energy, Fast-Moving Consumer Goods, Financial, Food and beverage, Government, Healthcare, Insurance, Manufacturing, Materials, Media, Oil and gas, Other, Real estate, Retail, Technology, Telecommunications, Transportation, Utilities]

TrendLabs now sees in the region of 250,000 samples each day, and recent estimates place the number of unique new malware samples introduced in a single day at more than 60,000. Trojans account for about 60 percent of new signatures created by TrendLabs and 53 percent of overall detections as of June. Backdoors and Trojan-spyware, often classed as crimeware or data-stealing malware, come in second and third place respectively. The majority of Trojans, however, lead to data-stealing malware.

[Chart: Infections tracked, by Industry over Time, January to June 2010 (0 to 200 million); same sectors as above]

Cybercrime and Botnets

Botnets are the tool of choice for distributing malware, perpetrating attacks and sending slews of spam email. Through these botnets, botnet herders (the cybercriminals behind the botnets) earn millions of dollars stolen from innocent computer users. These cybercriminals buy and sell, build partnerships and rent services just as an above-board business would; the main difference is the legitimacy and legality of the products, solutions and services they handle.

In an effort to better explain cybercrime, in April 2010 TrendLabs' forward-looking research group published the following correlation map to provide a pictorial representation of the cybercriminal business model[4]. This chart may, on the face of it, seem quite complicated, but we can illustrate it using BREDO and CUTWAIL as an example.

[Diagram: botnet business model correlation map. Nodes: CUTWAIL (a.k.a. PUSHDO); ZEUS (notorious information stealer); BREDO (a.k.a. BREDOLAB); TDSS (notable for its rootkit capabilities); FAKEAV (scareware used to extort money from victims in exchange for fake security software); SASFIS (used to deliver malware in pay-per-install or pay-per-access models); WALEDAC; KOOBFACE (usually found on social networking sites). Edges are labelled with how the threat is delivered (spam) and with the pay-per-install relationships between the groups.]

CUTWAIL spammed messages contain BREDO variants; it can therefore be assumed that the criminals behind BREDO are paying the criminals behind CUTWAIL to send spam containing BREDO. It is also likely that they are paid per machine infected by the BREDO variant they spammed. Note that these infected machines, which are part of the CUTWAIL botnet, report back to the BREDO botnet master. The same thing happens between ZeuS and BREDO: the criminals behind ZeuS pay the criminals behind BREDO to install their (ZeuS) malware on infected machines. As is well known, ZeuS malware steals bank account information, among other things (e.g., POP3 and FTP account credentials).

[4] http://blog.trendmicro.com/spotlighting-the-botnet-business-model/

There is an ongoing cycle of money moving from one place to another. In another example, the criminals behind FAKEAV get paid if users buy their fake antivirus programs, and they use this money to pay other botnets to spread their programs. At the end of the day, the aim of this succession of infections is to steal money from affected users. Keep in mind that every time a primary botnet downloads another piece of malware, the criminals behind the botnet are paid. TrendLabs experts see this cycle continuing and constantly evolving. Arguably the two threats that have had the most impact in the past six months are ZeuS and KOOBFACE.

ZeuS

ZeuS is primarily a crimeware kit designed to steal users' online banking login credentials, among other things. It is the handiwork of Eastern European organized criminals and has now entered the underground cybercriminal market as a commodity. ZeuS has proliferated in part due to the availability of ZeuS toolkits, which allow cybercriminals to create new ZeuS variants in a matter of minutes. Trend Micro sees hundreds of new ZeuS variants every day, and this is not likely to change in the near future.

A new version of the ZeuS malware has also been encountered in the wild since the start of the year. These new versions, frequently referred to as ZeuS 2.0, have had their behavior changed to make them more difficult to detect and remove from systems. In addition, the new version includes default support for current versions of Windows, where previously this had to be acquired as an upgrade[5].

KOOBFACE

KOOBFACE has been around since last year and is gearing up to become the largest social networking threat to date. In the early part of this year, TrendLabs experts noted that the KOOBFACE gang was continuously updating its botnet: changing the botnet's architecture, introducing new component binaries and merging the botnet's functions with other binaries. The gang also began encrypting its C&C communications to avoid monitoring and takedown by security researchers and the authorities. KOOBFACE attacks users on several social networking sites, and given the increasing usage of these sites across all demographics, the KOOBFACE gang is unlikely to let go of this money-generating scheme. In fact, it has begun tracking visitors, as evidenced by a short piece of JavaScript found in the fake video pages the gang has set up. This enables the creators to correlate user activity by time of day with the volume of successful KOOBFACE infections[6].

[5] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
[6] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/web_2_0_botnet_evolution_-_koobface_revisited__may_2010_.pdf

Underground Economy

During their monitoring, experts from TrendLabs identified the following items, and their average price tags, for sale on the underground.

Document scan resale services:
  Passport/utility bill/statement - $20
  Credit card (front and back) - $25
  Passport/utility bill/statement - $20
  Original docs - starts from $4
  Passport - $20
  Driver's license - $20
  Credit cards - $30
  Utility bill - $10

US credit card sales:
  USA / MasterCard / VISA - $0.80 to $1 each

EU credit cards:
  Denmark, Greece, Ireland (Eire), Latvia, Netherlands, Norway, Sweden - $3 per card

Credit card money cashers:
  Card information input service (a person enters the credit card details in online shops, for delivery to the requested address) - $5

PayPal account sales:
  Hacked PayPal accounts - 30% of the account's current balance

High Profile Incidents of 1H2010

Between January and June 2010, there were many high profile threat incidents. The following are those we believe had the most impact on users and/or the security industry.

1 - The IE and Other Zero-Day Attacks[7]

In January, spammed emails loaded with malware files were sent to users, and malicious sites were found to contain hidden JavaScript that took advantage of a zero-day vulnerability in Internet Explorer. All versions of Internet Explorer (except v5.01) were affected, and the exploit was used to deliver backdoor Trojans to affected systems. Once executed, these backdoors stole information, which was sent to a remote user. The exploit was subsequently reworked to avoid a security feature in Internet Explorer, forcing Microsoft to release an out-of-band patch (Microsoft Security Bulletin MS10-002) on 21 January. Some reports also suggest that cybercriminals launched attacks using recently disclosed vulnerabilities in Adobe Reader and Acrobat. Independent researchers surmised that about 34 companies were affected by what was described as a highly sophisticated and targeted attack. This is in line with the Trend Micro prediction that there would be "no global outbreaks, but localized and targeted attacks".

2 - ZeuS, ZBOT and Kneber

ZeuS, Kneber and ZBOT all relate to the notorious ZeuS crimeware. In February, Kneber hit the headlines and shone a spotlight on ZeuS, an established toolkit known to be leveraged by many other threats and one of the most dangerous threats online. ZeuS is often mistakenly referred to as a botnet; in fact, ZeuS is made up of many, many small botnets, all linked by their use of the same crimeware. ZeuS may arrive as an attachment or link in a spammed message, or be unknowingly downloaded via compromised websites.

Most ZeuS botnets target bank-related websites. However, in the first six months of 2010, Trend Micro monitored activity including:
  Spam targeting government agencies
  Phishing attacks that target AIM users
  ZBOT variants that target the social networking site Facebook

[7] http://threatinfo.trendmicro.com/vinfo/web_attacks/Zero-Day_Internet_Explorer_Bug_Downloads_HYDRAQ.html

In order to defraud victims, the criminals behind this threat generate a list of bank-related websites or financial institutions from which they steal user names, passwords and other sensitive banking information. They harvest credentials such as those used for online shopping, online payment and FTP, and insert extra form elements into legitimate pages (e.g., online banking) that ask for additional information such as PINs. TrendLabs published a comprehensive insight into ZeuS in March 2010, "ZeuS: A Persistent Criminal Enterprise"[8].

3 - Mariposa Botnet

Mariposa, "butterfly" in Spanish, refers to a network of 13 million compromised systems in more than 190 countries worldwide, managed by a single command-and-control (C&C) server in Spain. This botnet has been dubbed one of the biggest networks of zombie PCs in cyberspace, alongside the SDBOT IRC, DOWNAD/Conficker and ZeuS botnets. The Mariposa botnet was in existence as early as December 2008 and rose to fame in May 2009. In March 2010, however, came its shutdown and the subsequent arrest of three of its main perpetrators.

Typically, botnets carry binaries or malicious files that their perpetrators use for various purposes. At the time its notoriety was growing, Trend Micro threat analysts found WORM_AUTORUN.ZRO, a worm retrieved from compromised systems that were found to be part of the Mariposa botnet. This worm has the ability to spread via instant-messaging (IM) applications, peer-to-peer (P2P) networks and removable drives. Some binaries were also capable of spreading by exploiting a vulnerability in Internet Explorer (IE).

Just like any other botnet, Mariposa was used by its operators, Dias de Pesadilla (DDP), aka the Nightmare Days Team, to make money. The botnet was used to steal information such as credit card numbers, bank account details, user names and passwords for social networking sites, and important files found on affected systems' hard drives, which cybercriminals may use in a number of ways. Experts also found that DDP stole money directly from banks using money mules in the United States and Canada.
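Two of the page-level symptoms described in this report are visible in the HTML a victim's browser actually renders: the hidden IFRAME that the malicious-URL table under Web-Based Threat Trends lists as a delivery mechanism, and the extra form fields (PIN, card number) that the ZeuS web inject described above adds to a genuine banking page. The following Python is an added example, not TrendLabs code and not derived from any ZeuS sample: one small HTML parser collects iframes and input fields, and two checks flag frames sized or styled out of view and fields the genuine login form never had. The two pages and the expected-field list are constructed.

```python
"""Detect injected page content: hidden iframes and unexpected form fields
(added example, not from the report or from any ZeuS sample).

The HTML pages and the expected-field list are constructed.
"""
import re
from html.parser import HTMLParser

# Field names a bank login form should never ask for on the sign-in step.
SENSITIVE_RE = re.compile(r"pin|cvv|cvc|card|ssn|mother|dob", re.I)


class PageInspector(HTMLParser):
    """Collect iframes, input fields and external scripts in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []   # (src, hidden?)
        self.fields = []    # input name (or id) in document order
        self.scripts = []   # external script sources

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append((a.get("src", ""), self._hidden(a)))
        elif tag == "input":
            self.fields.append((a.get("name") or a.get("id") or "").lower())
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    @staticmethod
    def _hidden(a):
        """True when the frame is sized to 0/1 px or styled out of view, the
        usual shape of a drive-by iframe injected into a compromised page."""
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width", "").strip() in {"0", "1"} or \
            a.get("height", "").strip() in {"0", "1"}
        return (tiny or "display:none" in style or "visibility:hidden" in style
                or re.search(r"(left|top):-\d{3,}px", style) is not None)


def _parse(html):
    p = PageInspector()
    p.feed(html)
    p.close()
    return p


def find_hidden_iframes(html):
    """Return the src of every iframe that is hidden or effectively invisible."""
    return [src for src, hidden in _parse(html).iframes if hidden]


def find_injected_fields(html, expected):
    """Return input names not in the expected set, as a web inject adds them."""
    expected = {e.lower() for e in expected}
    return [f for f in _parse(html).fields if f and f not in expected]


def sensitive_fields(field_names):
    """Subset of field names that look like card/PIN/identity prompts."""
    return [f for f in field_names if SENSITIVE_RE.search(f)]


EXPECTED_LOGIN_FIELDS = {"username", "password", "submit"}

# Constructed: the genuine login page.
CLEAN_PAGE = """<html><body>
<form action="/login" method="post">
 <input name="username"><input type="password" name="password">
 <input type="submit" name="submit" value="Log in">
</form></body></html>"""

# Constructed: the same page as a ZeuS-style inject would leave it in the
# victim's browser, plus a zero-sized iframe of the drive-by kind.
TAMPERED_PAGE = """<html><body>
<iframe src="http://ad.example.net/iframe3" width="0" height="0"></iframe>
<form action="/login" method="post">
 <input name="username"><input type="password" name="password">
 <input name="atm_pin" maxlength="4"><input name="card_number">
 <input type="submit" name="submit" value="Log in">
</form>
<iframe src="http://cdn.example.org/widget" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        injected = find_injected_fields(page, EXPECTED_LOGIN_FIELDS)
        print(label, "hidden iframes:", find_hidden_iframes(page))
        print(label, "injected fields:", injected,
              "sensitive:", sensitive_fields(injected))
```

The comparison has to be made against the DOM the browser renders, not against the HTML the server sent: a ZeuS inject modifies the page inside the browser, so fetching the page again from the server shows nothing.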

Further digging into Mariposa's business model revealed that its administrators also offered underground services to potential clients. Some of these services included hacking servers to take control of them, encrypting bots to make them invisible to security applications, and creating anonymous VPN connections to administer bots. More than 200 binaries of the Mariposa botnet have been found in the wild. Among these, users should be most wary of information stealers that compromise not just banking information but also a user's identity.

4 - Shanghai World Expo as Bait in Cyber Attack

At the end of March/beginning of April 2010, TrendLabs identified a new attack using a previously known Adobe exploit. In the attack, email messages purportedly from the Bureau of Shanghai World Expo asked recipients to open a file attached to the message and update their submitted registration forms. There were indications that the attack was intentionally targeted at Western journalists in Asia. It is unclear how the criminals obtained the details of persons registered to attend the Expo; however, it is worth noting that the World Expo website stated that it expected around 70 million attendees to the event this year[9].

The attachment within the spammed message was a .PDF file that took advantage of a known vulnerability in Adobe Acrobat and Reader (CVE-2010-0188), patched by Adobe in February 2010. Once successfully exploited, the .PDF file dropped a backdoor onto the affected system, which in turn enabled attackers to gain full control of the victim's machine. The method used to exploit this vulnerability on this occasion differed from that used previously: Trend Micro researchers identified that the .PDF files carried an embedded malicious .TIFF file. This embedded .TIFF file, when processed by vulnerable Adobe products, triggered the vulnerability and the execution of arbitrary code. In this attack, system information such as the computer name, CPU information, OS version and IP address of the affected system was stolen and sent to a remote server.
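The distinguishing feature of the Shanghai Expo PDFs was the TIFF carried inside them. The following Python is an added example, not TrendLabs code and not derived from the attack samples: it walks a PDF's stream objects, inflates the FlateDecode'd ones, and reports any TIFF header found raw, inflated, or base64-encoded as XFA image fields carry it, which is the file shape CVE-2010-0188 exploits took. The two PDFs it scans are constructed in-line, contain only TIFF header bytes and no exploit, and are deliberately minimal (no xref table). A TIFF inside a PDF is not malicious by itself; this is triage that tells an analyst which streams to pull apart, not a verdict.

```python
"""Triage a PDF for embedded TIFF data, the carrier used in the Shanghai Expo
attack (CVE-2010-0188). Added example, not from the report or any sample: the
PDFs are built in-line, carry only TIFF header bytes and no exploit.

Checks each stream's raw bytes and, where it inflates, its FlateDecode'd
bytes for a TIFF header, and looks for base64 text that decodes to one (the
shape an XFA image field takes). Also reports whether the file carries XFA.
"""
import base64
import re
import zlib

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")             # little/big-endian headers
# base64 of the two headers, followed by a run of base64 text
B64_TIFF_RE = re.compile(rb"(?:SUkq|TU0A)[A-Za-z0-9+/]{16,}={0,2}")
# "stream ... endstream" bodies; the lookbehind skips the "stream" in "endstream"
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)


def pdf_streams(data):
    """Yield (raw, inflated) per stream; inflated is None when not deflate."""
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            inflated = zlib.decompress(raw)
        except zlib.error:
            inflated = None
        yield raw, inflated


def has_base64_tiff(blob):
    """True if blob holds base64 text that decodes to a TIFF header."""
    for m in B64_TIFF_RE.finditer(blob):
        chunk = m.group(0)
        chunk = chunk[: len(chunk) - len(chunk) % 4]   # drop a ragged tail
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:
            continue
        if decoded.startswith(TIFF_MAGIC):
            return True
    return False


def scan_pdf(data):
    """Return findings as (stream index, layer, detail) tuples."""
    findings = []
    for i, (raw, inflated) in enumerate(pdf_streams(data)):
        for layer, blob in (("raw", raw), ("inflated", inflated)):
            if blob is None:
                continue
            if any(magic in blob for magic in TIFF_MAGIC):
                findings.append((i, layer, "TIFF header bytes"))
            if has_base64_tiff(blob):
                findings.append((i, layer, "base64-encoded TIFF header"))
    if b"/XFA" in data:
        findings.append((-1, "document", "XFA form present"))
    return findings


def _pdf(objects):
    """Assemble a minimal (unindexed) PDF from already-serialised objects."""
    return b"%PDF-1.6\n" + b"".join(objects) + b"%%EOF\n"


def _stream_obj(num, body, extra=b""):
    head = b"<< /Length %d%s >>" % (len(body), extra)
    return b"%d 0 obj\n%s\nstream\n%s\nendstream\nendobj\n" % (num, head, body)


def build_sample_pdf():
    """Constructed PDF: a deflated stream holding a TIFF header, and an XFA
    packet whose image field holds the same bytes base64-encoded."""
    tiff = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16   # header + padding only
    xfa = b"<field><value><image>" + base64.b64encode(tiff) + b"</image></value></field>"
    return _pdf([
        b"1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 3 0 R >> >>\nendobj\n",
        _stream_obj(2, zlib.compress(tiff), b" /Filter /FlateDecode"),
        _stream_obj(3, xfa),
    ])


def build_clean_pdf():
    """Constructed PDF with one harmless deflated text stream."""
    return _pdf([
        b"1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        _stream_obj(2, zlib.compress(b"Hello, Expo."), b" /Filter /FlateDecode"),
    ])


if __name__ == "__main__":
    for name, doc in (("sample", build_sample_pdf()), ("clean", build_clean_pdf())):
        print(name, scan_pdf(doc) or "no findings")
```

Real samples use other filters (ASCIIHex, LZW, object streams) and split base64 across lines; the layer loop is the place to add decoders, and the regex would need to tolerate whitespace.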

[8] http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
[9] http://threatinfo.trendmicro.com/vinfo/web_attacks/Shanghai_Expo_Spam_Carries_Backdoor.html

5 - New Shortened URLs in IM Spam Now Result in KOOBFACE Malware

Cybercriminals are very adept at employing new techniques in order to trick and infect more users. In the middle of April this year, TrendLabs identified spam over IM that used shortened URLs. The twist to this story is the relationship between spam over IM, BUZUS and KOOBFACE.

Most users of instant messenger applications have on various occasions seen attempts to dupe them into clicking on spam received over IM or strange friend requests. It seems the cybercriminals may have realized that their past techniques are becoming less effective, and TrendLabs has recently discovered that these criminals are now using shortened URLs to spam malware. URL-shortening services are normally used to compress long and unreadable URLs into short, bite-sized ones. These short URLs are more portable and are now generally preferred over the (normally long) actual URLs when sharing news within networks, blogs, tweets and other social media tools. The same services can be used to hide malicious links from view, tricking users into clicking links they would otherwise treat as suspicious.

KOOBFACE is a notorious botnet that originally targeted innocent Facebook users. Since then it has gone on to target other social networks, so it is not surprising that the criminals behind the threat are looking for new avenues through which to extend their network of compromised machines. KOOBFACE causes so much consternation that TrendLabs has published three separate research reports on the subject[10].

6 - FAKEAV, the Standard Revenue Generator[11]

Throughout the first six months of 2010, FAKEAV (or rogue antivirus) continued to be used by cybercriminals as a key revenue generator. Programs designed to look professional, even to the point of offering telephone support services, have been maliciously pushed to innocent users under the pretence of infection and vulnerability. FAKEAV leverages social engineering to capture users' attention and make the threats believable. Cybercriminals use multiple vectors to deliver their threats. A few of the methods they use are listed below:
  Stealing from users directly by convincing them to download, install and then pay for fake software.
  Infecting users through malicious links placed in search results (poisoned search results are otherwise known as Black Hat SEO).
  Delivering a payload of malicious routines or installers that leave additional malware on the infected system.
  Using social networking sites such as Twitter to trick users.

Unlike most threats, FAKEAV software displays a visual element to the targeted user. This comes in the form of fake user interfaces that universally claim that the system has been infected.

Interestingly, FAKEAV has also become localized, with the same tool being found in multiple languages, as can be seen in the following screenshot:

[Screenshot: localized FAKEAV user interfaces in several languages]

10 http://us.trendmicro.com/us/trendwatch/research-and-analysis/whitepapers-and-articles/index.html
11 http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/threatbrief_final.pdf

Vulnerabilities

Vulnerabilities in applications have always been a part of the security landscape, but recent developments towards the Web have made them even more significant. For end users, vulnerabilities have facilitated drive-by threats, where all that is necessary to become infected by malware is to visit a website. The website need not be malicious; it may be a legitimate site that has been compromised (via malicious advertisements, or the addition of iframes or JavaScript code). This poses a large problem that is not easy to mitigate.

In addition, servers are coming under increasing fire as well. Assuming well-established server management procedures are in place, exploiting vulnerabilities becomes the most practical means an attacker has of executing malware on a server. While this may be more difficult than compromising a single user system, the potential reward is correspondingly greater as well.

Trend Micro receives information about vulnerabilities both publicly and privately. Private vulnerability information is received from vendors (such as Microsoft), from third-party groups such as TippingPoint's Zero Day Initiative12, and from the cybercriminal underground.

The scale of this threat has been documented independently. A paper presented at the Ninth Workshop on the Economics of Information Security delved into the online adult industry, but also profiled whether users were running browsers that contained vulnerable plug-ins. The study13 concluded that a staggering 88.28 percent of users were vulnerable, a sobering number by any reckoning.

With these threats in mind, the following looks at key vulnerability statistics related to the first half of 2010. The Trend Micro Threat Encyclopedia14 includes a Security Advisory section in which details of all covered vulnerabilities can be found.

Vulnerability Statistics

Publicly known vulnerabilities are commonly referenced by the Common Vulnerabilities and Exposures (CVE) system, which assigns a unique identifier to each vulnerability.
In the first half of 2010, a total of 2,552 CVEs were published. This is slightly below the figure for the first half of 2009, when a total of 3,086 CVEs were published. However, this does not mean that the vulnerability threat is lessening: not all vulnerabilities receive a CVE, and many vulnerabilities that are privately reported to vendors are never included in the system.

[Chart: number of CVEs published, first half of 2009 versus first half of 2010]

By vendor, Apple had the most CVEs issued in the first half of the year:

[Chart: CVEs by vendor, first half of 2010 (y-axis: CVEs, 0 to 200); vendors shown: Microsoft, FreeBSD, Mozilla, Apple, Adobe, IBM, Novell, PHP, Apache, Oracle, Cisco, Sun, HP, Redhat, Linux]
While some vendors receive a significant amount of press attention for vulnerabilities, this chart serves as a reminder that the vulnerability threat is far more multipronged than just patching Windows or updating Flash and Acrobat/Reader. In addition, some of the vendors with large numbers of vulnerabilities focus on enterprise software, with correspondingly longer patch cycles that potentially leave users at risk.

The presentation of vulnerability information to the general public also leaves much to be desired. While some vendors present vulnerability information publicly in well-organized bulletins, others do so in a more ad hoc manner or hide the information behind paywalls on their websites. This makes proper threat assessment on the part of users, both enterprise and consumer, much more difficult.

The overall scale of the threat posed by vulnerabilities and exploits is clearly visible when looking at the number of TROJ_PIDIEF malware seen by Trend Micro in the first half of the year. The PIDIEF malware family is made up of malware that arrives as PDF files which exploit vulnerabilities in the Acrobat family of products. In the first half of the year, a total of 666 new detection names were added to Trend Micro products. Each detection name represents multiple in-the-wild variants, so the number of new PDF threats runs into the thousands in only six months.
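The two file-borne vectors described in this section, injected iframes or JavaScript on a compromised page and PDF documents of the PIDIEF kind carrying active content, can both be triaged with simple indicator checks before a file is opened. The Go program below is an added example and is not code from the report or from Trend Micro. It flags zero-size or hidden iframes and escaped, self-decoding script in HTML, and counts the PDF name objects (/JavaScript, /JS, /OpenAction, /Launch, /AA) that give a document active behaviour. The sample page and PDF are constructed inline, and the injected.example host is a placeholder. A hit is a triage signal for closer analysis, not proof of an exploit.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// Finding is one suspicious construct located in a file.
type Finding struct {
	Kind   string // "hidden-iframe", "obfuscated-script" or "pdf-active-content"
	Detail string
}

// Injected content on a compromised page is typically an iframe sized to
// zero or pushed off-screen, plus script that rebuilds its real code from
// escaped bytes at run time. A legitimate site rarely does either.
var (
	iframeRe   = regexp.MustCompile(`(?i)<iframe\b[^>]*>`)
	hiddenRe   = regexp.MustCompile(`(?i)(width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none|left\s*:\s*-\d{3,}`)
	unescapeRe = regexp.MustCompile(`(?i)eval\s*\(\s*unescape\s*\(`)
	escapedRe  = regexp.MustCompile(`(%u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}){8,}`)
)

// ScanHTML reports hidden iframes and obfuscated script in an HTML page.
func ScanHTML(page []byte) []Finding {
	var out []Finding
	for _, tag := range iframeRe.FindAll(page, -1) {
		if hiddenRe.Match(tag) {
			out = append(out, Finding{"hidden-iframe", string(tag)})
		}
	}
	if unescapeRe.Match(page) || escapedRe.Match(page) {
		out = append(out, Finding{"obfuscated-script", "eval(unescape(...)) or long run of escaped bytes"})
	}
	return out
}

// pdfActiveKeys are PDF name objects that give a document active behaviour:
// embedded JavaScript, an action run on open, launching external programs,
// and additional-actions dictionaries.
var pdfActiveKeys = []string{"/JavaScript", "/JS", "/OpenAction", "/Launch", "/AA"}

// ScanPDF counts active-content keys in a PDF file's raw bytes.
func ScanPDF(doc []byte) []Finding {
	var out []Finding
	if !bytes.HasPrefix(doc, []byte("%PDF-")) {
		return out // not a PDF at all
	}
	for _, k := range pdfActiveKeys {
		if n := bytes.Count(doc, []byte(k)); n > 0 {
			out = append(out, Finding{"pdf-active-content", fmt.Sprintf("%s x%d", k, n)})
		}
	}
	return out
}

// Constructed samples: a page with an injected hidden iframe and escaped
// script, and a minimal PDF that runs JavaScript on open. Hosts are placeholders.
const sampleInjectedPage = `<html><body><h1>Welcome</h1>
<iframe src="http://injected.example/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape('%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141'))</script>
</body></html>`

const samplePDF = "%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n" +
	"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

func main() {
	for _, f := range append(ScanHTML([]byte(sampleInjectedPage)), ScanPDF([]byte(samplePDF))...) {
		fmt.Printf("%-18s %s\n", f.Kind, f.Detail)
	}
}
```

In practice ScanHTML is run over the HTML a web gateway or crawler fetched for a site you own, to notice the compromise the report describes before visitors do, and ScanPDF over inbound attachments as a cheap first pass ahead of sandboxing. Both checks are deliberately byte-level: they do not render anything, so a malicious sample cannot exploit the scanner.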
12 http://www.zerodayinitiative.com/
13 http://weis2010.econinfosec.org/papers/session2/weis2010_wondracek.pdf
14 http://threatinfo.trendmicro.com/vinfo/default.asp?page=1&sect=SA


Trend Micro Technology and Protection

Smart Protection Network

The Trend Micro Smart Protection Network infrastructure delivers advanced protection from the cloud, blocking threats in real time before they reach you. By continuously processing the threat intelligence gathered through its extensive global network of honeypots, customers and partners, Trend Micro delivers automatic protection against the latest threats and provides "better together" security, much like an automated neighborhood watch that involves the community in the protection of others. Because the threat information gathered is based on the reputation of the communication source, not on the content of the specific communication, the privacy of a customer's personal or business information is always protected.

Trend Micro Smart Protection Network uses patent-pending in-the-cloud correlation technology with behaviour analysis to correlate combinations of web, email and file threat activities to determine whether they are malicious. By correlating the different components of a threat and continuously updating its threat databases, Trend Micro has the distinct advantage of being able to respond in real time, providing immediate and automatic protection from email, file and Web threats.

Another key component of the Trend Micro Smart Protection Network is integrated Smart Feedback, which provides continuous communication between Trend Micro products as well as the company's 24/7 threat research centers and technologies in a two-way update stream. Each new threat identified via a single customer's routine reputation check, for example, automatically updates all of Trend Micro's threat databases around the world, blocking any subsequent customer encounters with that threat.

Further information and benchmarks for Trend Micro Smart Protection Network can be found in the Core Technologies area of TrendWatch15.

Solutions and Services


Trend Micro Enterprise Security

Trend Micro Enterprise Security is a tightly integrated offering of content security products, services and solutions that take full advantage of the Trend Micro Smart Protection Network. Optimized to deliver immediate protection, Trend Micro Enterprise Security also dramatically reduces the cost and complexity of security management. For further information about Trend Micro Enterprise Security, visit the Enterprise section of trendmicro.com16.

Trend Micro SecureCloud

Now available as a beta release for early adopters of cloud computing17, Trend Micro SecureCloud is a hosted key-management and data-encryption solution designed to protect and control confidential information that you deploy into public and private cloud-computing environments.

Trend Micro Worry-Free Business Security

Designed specifically to fit the needs of small businesses, Worry-Free Business Security protects your computers wherever they're connected: in the office, at home or on the road. Powered by the Trend Micro Smart Protection Network, threats are detected faster to keep your data safe and your protection constantly updated. Further details and the benefits of Trend Micro Worry-Free Business Security can be found in the Small Business section of trendmicro.com18.

Trend Micro Titanium

Combining easy-to-use security with cloud-client technologies, Trend Micro Titanium blocks threats such as infected websites, phishing attacks, viruses and spyware before they can reach a user's computer. State-of-the-art protection for users' data is delivered while ensuring that computer performance is not impacted. Details of the Trend Micro Titanium product line can be found at www.trendmicro.com/titanium.

15 http://us.trendmicro.com/us/trendwatch/core-technologies/index.html
16 http://us.trendmicro.com/us/home/enterprise/
17 http://trendmicro.mediaroom.com/index.php?s=43&news_item=830&type=current&year=0
18 http://us.trendmicro.com/us/home/small-business/

Advice for Businesses Adopting Cloud Strategies


In March 2010 the Cloud Security Alliance (CSA) published Top Threats to Cloud Computing V1.019 to help organizations better understand the risks of cloud computing and consequently make more informed risk management decisions when adopting cloud strategies. With the right approach and security solutions the public cloud can be just as secure as a typical traditional corporate data centre. We recommend that organizations provide their own layers of security in addition to that which is afforded by cloud providers.

1. Encrypt all sensitive data, the information that is exclusive to, and owned by, your organization. The operating system and applications are less important here; typically in the cloud they are standard images that are simply recycled back to a master image on shutdown. It's the information proprietary to you, or that you have collected from customers and business partners, which you generally have a legal obligation to protect.

2. Ensure that your firewall, IPS and IDS protect each of your virtual machines separately. Particularly in a public cloud environment, the other virtual machines running on the same physical hardware as you should be considered hostile. The firewall at the cloud provider's perimeter can't help you here.

3. Only decrypt your data within the secure container you've established for your virtual machine. Be sure you check for tampering and data-stealing malware before decrypting your data.

4. Make sure that you are in control of the encryption keys; it's your data!

Trend Micro offers two products, Deep Security and SecureCloud, which when layered together can achieve the four recommendations above and counter the threats identified. Deep Security is available and already in widespread use, and SecureCloud entered public beta over the summer following successful pilot trials20.
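Recommendations 1, 3 and 4 above can be shown concretely in code. The Go program below is an added example, not code from the report or from the Deep Security or SecureCloud products. It generates the data-encryption key on the tenant side, encrypts each record with AES-GCM before it is written to cloud storage, and binds the object name into the authentication tag, so that a blob that was tampered with in storage, moved to another object, or opened under a different key is rejected before any plaintext is released. The object name customers/4711.json and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewTenantKey generates the data-encryption key on the tenant side. It is
// never handed to the cloud provider (recommendation 4: control the keys).
func NewTenantKey() ([]byte, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record before it leaves the tenant's secure container
// (recommendation 1). The object name is bound as additional authenticated
// data so a ciphertext cannot be silently moved to a different object.
func Seal(key, plaintext, objectName []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || 16-byte authentication tag.
	return gcm.Seal(nonce, nonce, plaintext, objectName), nil
}

// Open verifies the authentication tag before releasing any plaintext
// (recommendation 3): a blob modified in storage, moved to another object
// name, or encrypted under a different key is rejected.
func Open(key, blob, objectName []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be valid")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, objectName)
	if err != nil {
		return nil, fmt.Errorf("tamper check failed, refusing to decrypt: %w", err)
	}
	return pt, nil
}

func main() {
	key, _ := NewTenantKey()
	name := []byte("customers/4711.json") // constructed object name
	blob, _ := Seal(key, []byte("constructed sample record"), name)
	blob[len(blob)-1] ^= 1 // simulate a corrupted or altered byte in provider storage
	_, err := Open(key, blob, name)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The key never appears in the stored blob or in the provider's configuration; in a real deployment it would be fetched into the VM from a tenant-controlled key service at boot, which is the role the report assigns to SecureCloud.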

Advice for Businesses


Use effective solutions to protect your business.

- To protect your company network, deploy solutions that use cloud-based protection. Technology such as the Trend Micro Smart Protection Network combines Internet-based (in-the-cloud) technologies with lighter-weight clients to help businesses close the infection window and respond in real time before threats can even reach a user's PC or compromise an entire network. By checking URLs, emails and files against continuously updated and correlated threat databases in the cloud, customers always have immediate access to the latest protection wherever they connect.
- Phishing poses a significant threat for organizations. Phishing sites can compromise your brand and/or your company's image as well as your ability to keep your customers' confidence while conducting business over the Internet. Protect your employees and customers by procuring all brand-related and look-alike domain names.
- Stay ahead of the threats by reading security-related blogs and related information pages (i.e., Threat Encyclopedia21, Cloud Security Blog22, TrendLabs Malware Blog23 and social networks such as Twitter24), which can help warn and educate users who might otherwise be drawn to web sites under false pretenses.
- Educate your employees about how cybercriminals lure victims to their schemes; make use of threat information provided on security vendor sites like TrendWatch.
- Try downloading tools such as the Trend Micro Threat Widget to help raise awareness.

19 http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
20 http://trendmicro.mediaroom.com/index.php?s=43&news_item=830&type=current&year=0
21 http://threatinfo.trendmicro.com/vinfo/default.asp?sect=SA
22 http://cloudsecurity.trendmicro.com/
23 http://blog.trendmicro.com
24 http://twitter.com/trendmicro

Safeguard your customers' interests.

- Standardize company communications and let your customers know about your email and website policies. This way, you can help your customers better identify legitimate messages.
- Avoid sending phishy-looking email messages by following these guidelines:
  - Do not request personal information through email.
  - Personalize email when possible.
  - Do not redirect to another domain from the URL provided to customers.
  - Do not rely on pop-up windows for data collection, especially those with no address bars or navigational elements.
  - Do not use instant messaging or chat with customers unless they initiate the communication.
  - Be explicit in the detail of communications that require the immediate action or attention of recipients.
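The link-related guidelines above (no redirects to other domains, no phishy-looking messages) can be enforced mechanically before a customer mailing goes out. The Go check below is an added example, not code from the report. It extracts every href from a draft HTML message and flags links that leave the approved company domains, point at a raw IP address, carry a user@host prefix that hides the real host, or are not https. The approvedDomains list, the example-bank.com domain and the sampleNotice draft are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// approvedDomains lists the only hosts a customer message may link to
// (constructed for this example). Subdomains of these are accepted.
var approvedDomains = []string{"example-bank.com"}

var hrefRe = regexp.MustCompile(`(?i)href\s*=\s*["']([^"']+)["']`)

// LinkIssue records a link that violates the outbound communication policy.
type LinkIssue struct {
	Link   string
	Reason string
}

func hostApproved(host string) bool {
	host = strings.ToLower(host)
	for _, d := range approvedDomains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// CheckOutboundLinks flags every link in an outgoing HTML message that does
// not stay on an approved company domain over https. Sending such links
// trains customers to accept exactly the patterns phishing messages rely on.
func CheckOutboundLinks(body string) []LinkIssue {
	var issues []LinkIssue
	for _, m := range hrefRe.FindAllStringSubmatch(body, -1) {
		raw := m[1]
		u, err := url.Parse(raw)
		if err != nil || u.Host == "" {
			issues = append(issues, LinkIssue{raw, "unparseable or relative link"})
			continue
		}
		switch {
		case u.User != nil:
			issues = append(issues, LinkIssue{raw, "user@host form hides the real host"})
		case net.ParseIP(u.Hostname()) != nil:
			issues = append(issues, LinkIssue{raw, "raw IP address instead of a company domain"})
		case !hostApproved(u.Hostname()):
			issues = append(issues, LinkIssue{raw, "host is not an approved company domain"})
		case u.Scheme != "https":
			issues = append(issues, LinkIssue{raw, "link is not https"})
		}
	}
	return issues
}

// sampleNotice is a constructed draft of a customer e-mail with one good
// link and three that the policy should reject.
const sampleNotice = `<p>Dear customer,</p>
<p>Your statement is ready: <a href="https://www.example-bank.com/statements">view it</a>.</p>
<p>Old link: <a href="http://www.example-bank.com/statements">http version</a>.</p>
<p>Survey: <a href="https://example-bank.com.survey-host.example/q">take part</a>.</p>
<p>Help: <a href="https://example-bank.com@203.0.113.5/help">contact us</a>.</p>`

func main() {
	for _, i := range CheckOutboundLinks(sampleNotice) {
		fmt.Printf("%-55s %s\n", i.Link, i.Reason)
	}
}
```

Wiring this into the mailing tool as a pre-send gate keeps the marketing department from accidentally teaching customers that off-domain or http links from the bank are normal, which is the habit the phishing guidance above is trying to prevent.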

Establish and implement effective IT usage guidelines.

Just as you would never leave your front door unlocked when you are not home, you must take the same precautions with your computer system to make sure your business is protected. Protecting your business requires you to educate yourself and your employees about safe cybersecurity practices. A comprehensive set of IT usage guidelines should focus on the following:

- Prevention. Identify solutions, policies and procedures to reduce the risk of attacks.
- Resolution. In the event of a computer security breach, you should have plans and procedures in place to determine what resources you will use to remedy a threat.
- Restitution. Be prepared to address the repercussions of a security threat with your employees and customers to ensure that any loss of trust or business is minimal and short-lived.


Top Tips for End Users

Keep your personal computer current with the latest software updates and patches.

- Apply the latest security updates and patches to your software programs and OSs, and enable automatic updates where possible. Since cybercriminals typically take advantage of flaws in software to plant malware on your PC, keeping your software current will minimize your exposure to vulnerabilities.

Protect yourself and your personal computer.

- If you receive an email requesting personal or confidential information, do not respond or provide this information via links or phone numbers in the email. Legitimate organizations such as credit card companies and banks will never request this information via email.
- Beware of unexpected or strange-looking emails and instant messages (IMs) regardless of sender. Never open attachments or click links in these emails and IMs. If you trust the sender, scan the attachments before opening. Never provide personal information in your email or IM responses.
- Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
- Beware of Web pages requiring software installation. Scan programs before executing them. Always read the end-user license agreement (EULA) and cancel if you notice other programs being downloaded in conjunction with the desired program.

- Do not provide personal information to unsolicited requests for information.
- If it sounds too good to be true, it probably is. If you suspect an email is spam, delete it immediately. Reject all IMs from people whom you do not know.
- When shopping, banking or making other transactions online, make sure the website address contains an "s", as in https://www.bank.com. You should also see a lock icon in the lower right area of your Web browser.

Choose secure passwords.

- Use a combination of letters, numbers and symbols, and avoid using your first and last names as your login name.
- Avoid using the same password for all your login needs. Do not use the same password for your banking site that you use for your social networking sites. Change your password every few months.


About TrendLabs
TrendLabs is a multinational research, development and support center with an extensive regional presence committed to 24/7 threat surveillance, attack prevention, and timely and seamless solutions delivery. With a more than 1,000-strong staff of threat experts and support engineers deployed round-the-clock at labs around the globe, TrendLabs enables Trend Micro to:

- Continuously monitor the threat landscape across the globe
- Deliver real-time data to detect, preempt and eliminate threats
- Research and analyze technologies to combat new threats
- Respond in real time to targeted threats
- Help customers worldwide minimize damages, reduce costs and ensure business continuity

TrendLabs has facilities in the following 12 locations: Manila, Philippines (HQ); Arlington, TX, USA; Cupertino, CA, USA; Lake Forest, CA, USA; Shanghai, China; Sao Paulo, Brazil; Cork, Ireland; Paris, France; Tokyo, Japan; Taipei, Taiwan; Marlow, United Kingdom; Munich, Germany.

Note that these facilities can perform all or part of critical Trend Micro services such as technical support, malware analysis and solutions delivery.

[Map: TrendLabs Locations]

About Trend Micro: Trend Micro Incorporated, a global leader in Internet content security, focuses on securing the exchange of digital information for businesses and consumers. A pioneer and industry vanguard, Trend Micro is advancing integrated threat management technology to protect operational continuity, personal information and property from malware, spam, data leaks and the newest Web threats. Visit TrendWatch at www.trendmicro.com/go/trendwatch to learn more about the latest threats.

Trend Micro's flexible solutions, available in multiple form factors, are supported 24/7 by threat intelligence experts around the globe. Many of these solutions are powered by the Trend Micro Smart Protection Network infrastructure, a next-generation cloud-client innovation that combines sophisticated cloud-based reputation technology, feedback loops and the expertise of TrendLabs(SM) researchers to deliver real-time protection from emerging threats. Trend Micro is a transnational company with headquarters in Tokyo; its trusted security solutions are sold through its business partners worldwide. Please visit www.trendmicro.com.
