TrendLabsSM 3Q 2013 Security Roundup
The Invisible Web
Unmasked
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Contents
1|
6|
CYBERCRIME:
Takedowns, Banking Trojans,
Site Compromises, and
Refined Malware Techniques Seen
MOBILE:
Mobile Malware and High-Risk Apps:
1-Million Strong
10 |
DIGITAL LIFE SECURITY ISSUES:
12 |
EXPLOITS AND VULNERABILITIES:
13 |
TARGETED ATTACKS:
On Privacy and Data Theft:
A New “Identity Crisis”
Java Vulnerabilities Remain a Major Concern
Sykipot Targets Aviation Data
15 | Appendix
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Introduction
News about cybercrime circulated in recent
months. The takedown of Liberty Reserve,
an illegal digital currency system, and the
recent seizure of the online black market,
Silk Road, were among the many incidents
this quarter that triggered greater public
awareness of online threats.1 The arrest of
the alleged Blackhole Exploit Kit creator
in October also proved that cybercrime is
indeed a business that thrives right under our
noses.2
observed malware operation refinements
like EXPIRO’s use of the Styx Exploit Kit
and MEVADE malware’s use of The Onion
Router (TOR) network.
Cybercriminals continued to refine their
techniques this quarter. Online banking
malware infections increased in several
regions, including the United States and
Japan. We also caught a glimpse of the
massive scale of compromised sites. Our
research on BKDR_FIDOBOT showed
that the backdoor was used to attack more
than 17,000 domains in a day. We also
Internet Explorer® and Java security
issues continued to put computers at risk,
as a couple of zero-day exploits were
discovered this quarter. Document exploits
remained a staple in spear-phishing emails
related to targeted attacks though we noted
improvements in the Sykipot malware family,
which now targets information related to
civil aviation.
On the mobile front, the number of malicious
and high-risk Android™ apps surpassed
the 1-million mark like we predicted. A
significant portion of these dangerous apps
were disguised as either fake or Trojanized
versions of popular apps.
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
CYBERCRIME
Takedowns, Banking Trojans,
Site Compromises, and
Refined Malware Techniques Seen
Law enforcement agencies took home
several wins, affecting the current threat
landscape. The Liberty Reserve takedown
caused cybercriminals to scramble for
alternative currencies. They had to resort to
other means like using Bitcoins to continue
their operations. The infamous Silk Road
takedown also showed the hidden but equally
nefarious side of cybercrime, particularly
the use of the Deep Web to hide illegal
site networks. Lastly, the alleged Blackhole
Exploit Kit author known as “Paunch”
made headlines when he was arrested in
early October.3 These positive developments
in law enforcement spurred awareness of
cybercriminal underground elements that
most Internet users were not privy to.4
Overall Trend Micro™ Smart Protection Network™ Numbers
8B
7B
2,876
7.5B
2,817
7.5B
574M
495M
606M
414M
6B
2,697
7.2B
586M
392M
NUMBER OF THREATS
BLOCKED PER SECOND
TOTAL NUMBER OF
THREATS BLOCKED
5B
4B
6.4B
3B
6.5B
6.2B
NUMBER OF MALICIOUS
FILES BLOCKED
NUMBER OF MALICIOUS
URLs BLOCKED
2B
1B
0
JUL
AUG
SEP
NUMBER OF SPAMSENDING IP ADDRESSES
BLOCKED
We were able to protect Trend Micro customers from an average of 2,797 threats per second this quarter.
1 | Cybercrime
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
DOWNAD/Conficker remained the top
malware this quarter. Adware packaged with
fake software offers continued to victimize
Internet users. Despite being the top malware
though, the number of DOWNAD/
Conficker infections decreased to 345,000
from last quarter’s 509,000, possibly due
to number of users who upgraded OSs in
light of the impending end of support for
Windows® XP.
Top Malware
WORM_DOWNAD.AD
345K
ADW_BPROTECT
246K
ADW_BHO
238K
100,000
1,000
100
10
1
DOWNAD/Conficker remained the top malware for three consecutive quarters while adware continued to
trail behind.
2 | Cybercrime
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Top Malware by Segment
ENTERPRISE
NAME
SMB
VOLUME
WORM_DOWNAD.AD
205K
CONSUMER
NAME
VOLUME
WORM_DOWNAD.AD
33K
NAME
VOLUME
ADW_BHO
158K
138K
ADW_BPROTECT
28K
HKTL_PASSVIEW
7K
ADW_BPROTECT
PE_SALITY.RL
17K
TROJ_FAKEAV.BMC
5K
TROJ_FAKEAV.BMC
87K
Consumers likely download adware most because they were often packaged with fake free software. Enterprises
and small and medium-sized businesses (SMBs), meanwhile, were most affected by DOWNAD/Conficker.
Banking Trojan Volume Surge
The online banking malware volume surged
this quarter. They spread across the globe
and no longer concentrated on certain
regions like Europe and the Americas. We
continued to see this trend, with infection
counts going beyond the 200,000 mark, the
highest infection number since 2002.
Online Banking Malware Infections
250K
200K
202K
150K
100K
131K
146K
113K
2013
132K
125K
2012
110K
50K
0
Q1
Q2
Q3
Q4
Online banking malware accounted for more than 200,000 detections this quarter—the highest-recorded volume
since 2002.
3 | Cybercrime
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Top Online Banking Victim Countries
A large portion of online banking malware
infections were due to ZeuS/ZBOT Trojans.
ZeuS/ZBOT variants were, in fact, the most
distributed malware by spam this quarter.
New ZBOT variants emerged, specifically
KINS malware, which came armed with
anti-debugging and anti-analysis routines.
Citadel variants, meanwhile, continued to
plague Japan, particularly targeting financial
institutions and varied Webmail services like
Yahoo!® Japan and Gmail™, among others.5
COUNTRY
SHARE
USA
23%
Brazil
16%
Japan
12%
India
6%
Australia
3%
France
3%
Germany
2%
Vietnam
2%
Taiwan
2%
Mexico
2%
Others
29%
The United States and Brazil remained the most-affected countries by online banking malware. Japan,
meanwhile, rose to the third from the fifth spot last quarter, largely due to the increase in Citadel
malware infections.
Compromising Sites: A Norm?
Cybercriminals routinely use compromised
sites to hide their tracks and host malware,
spam templates, and redirection tools.
Spambots like Stealrat heavily relied on
techniques like using compromised sites to
cloak malicious operations.6
How Users End Up on Compromised Sites
Data sent to compromised site 1 is
used to construct email template
Victim gathers spam data* from spam server
then sends to compromised site 1
User receives spam that contains links to
compromised site 2
* Spam data includes the backup email server's URL, the sender's name, the recipient's address, and the email template.
4 | Cybercrime
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
We got a glimpse of the scale of site
compromises by investigating BKDR_
FIDOBOT. This backdoor brute-forced its
way into sites that ran on either Joomla!™
or WordPress and was used to attack more
than 17,000 domains in a single day.7 The
majority of affected sites were either owned
by individuals or small businesses and hosted
in the United States.
Refined Malware Techniques
and Hidden Networks
Other notable malware this quarter include
EXPIRO.8 The malware first surfaced in
2010 and was known to infect files. Recent
variants that emerged this quarter, however,
stole FTP credentials. The EXPIRO variants
used in attacks last July were also distributed
using the Styx Exploit Kit.9
In the latter part of August, we observed
MEVADE malware download a TOR
component
to
initiate
widespread
connections to specific sites.10 This was
the reason behind reports of a growth in
the number of TOR users.11 TOR allowed
cybercriminals to more effectively hide their
command-and-control (C&C) servers. It
is also virtually impossible to take down a
TOR-hidden service. MEVADE malware
also spread alongside certain adware variants
via a downloader disguised as an Adobe®
Flash® Player update.12
When Popular Online Banking Crimeware Were Discovered
ZeuS
Gozi
2006
2007
Cridex,
Shylock,
Tatanga, Tinba,
Carberp Ice IX,
Zitmo,
and
and
and
SpyEye Citadel Spitmo
2009
2010
2011
KINS
2013
This quarter, we saw a resurgence of banking malware, which started making headlines with the introduction of
the ZeuS toolkit way back in 2006.
5 | Cybercrime
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
MOBILE
Mobile Malware and High-Risk Apps:
1-Million Strong
Before 2013 ended, the number of malicious
and high-risk apps targeting the Android
platform reached the 1-million mark. Among
these, 80% were malicious in nature, topped
by premium service abusers. Premium service
abusers are known to send unauthorized
text messages to certain numbers and often
register users to premium-rate services. This
type of malicious app is especially popular in
Russia, most likely due to the country’s lack
of “standard” app stores.13
The remaining 20% were considered highrisk apps, including those that aggressively
pushed ads to users, also known as “adware.”
Adware infections eventually lead to device
information theft.
60%
1M
JUL
820K
AUG
851K
SEP
1M
.5M
0
The number of malicious and high-risk apps
steadily increased from July to August but, come
September, reached the 1-million mark.
Top Threat Type Distribution
55%
40%
Android Threat Volume Growth
27%
22%
20%
12%
9%
2%
0
PREMIUM
SERVICE ABUSER
ADWARE
DATA STEALER
REMOTE
CONTROLLER
MALICIOUS
DOWNLOADER
HACKING
TOOL
Like last quarter, premium service abusers comprised more than half of the mobile threats this quarter though
the number of mobile adware also increased to regain the top 2 post.
6 | Mobile
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Top Android Malware Families
1. OPFAKE
27%
2. FAKEINST
24%
3. GOYEAR
10%
4. GINMASTER
7%
5. JIFAKE
6%
6. MSEG
4%
7. ADPANDA
3%
8. ADTGPTT
3%
9. BOXER
2%
10. SMSREG
2%
Others
12%
Cross-Platform Threats Pose
Mobile Security Risks
Beyond the dangers malicious apps posed,
mobile devices were also hit by threats that
transcended platforms. These include a fake
WhatsApp email containing a link that, when
clicked using a mobile device, may lead to a
site that hosts a premium service abuser.14
This was not the first time that mobile devices
were targeted by multi-platform threats. In
this case though, the attackers opted to use
spam as infection vector instead of relying
on a more “direct” approach like blackhat
search engine optimization (SEO) or social
media abuse.
7 | Mobile
Another cross-platform issue was the rise
of the number of phishing sites specifically
designed for mobile devices. According to
data we gathered from January to September
this year, we noted a 53% increase in the
number of phishing sites compared with the
same period last year. This quarter, 42% of
the sites spoofed banks and other financial
institutions.15
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Vulnerabilities and Exploits
Compound Mobile Security
Woes
The discovery of the “master key”
vulnerability last quarter highlighted
cybercriminals’ ability to find ways to
“update” legitimate apps with malicious
code to affect nearly every Android device.
This quarter, we witnessed continued abuse
of this vulnerability to churn out Trojanized
versions of a well-known online banking
app.16
The Black Hat cybersecurity conference last
July additionally touched on other points
pertaining to mobile security. A SIM card
flaw that could allow attackers to obtain a
its digital key was, for instance, discovered.
Also at the conference, researchers from the
Georgia Institute of Technology showed
off a proof-of-concept (POC) charger that
could allow attackers to execute malicious
commands on devices that ran on the latest
iOS version.17
Where Users Stumbled Upon Malicious and High-Risk Apps
SITES
APP STORES
80%
27%
OTHERS
1%
While 27% of malicious and high-risk apps came from app stores, they were also seen in other sources like
malicious sites. Note that the total only represents 42% of the overall number of malicious apps sourced from
August 2010 to September 2013.
8 | Mobile
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
What Premium Service Abusers Do
DELETE DATA
access your
96% can
SD card data
MONITOR MESSAGES
read your
92% can
messages
SEND DEFAULT MESSAGES
VIEW CONTACTS
access your
48% can
contact list
TRACK LOCATION
track your
14% can
location
send out
86% can
predefined messages
Mobile devices are vulnerable to threats like information theft when infected by premium service abusers, which
remained the top mobile threat type this quarter. Based on research covering the period, November 2012–May
2013, premium service abusers can affect devices in various ways.
9 | Mobile
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
DIGITAL LIFE
On Privacy and Data Theft:
A New “Identity Crisis”
Recent events and threats surrounding social
media and personal information paved the
way for resurfacing issues on data security,
also known as a new type of “identity crisis.”
Internet users are still constantly being
challenged by managing and preventing
their personal information from falling into
cybercriminals’ hands.
Among the numerous threats that aim to
steal personal information, phishing scams
made a notable impact this quarter due to
a massive increase in Apple-related phishing
sites.18
The spike was likely caused by the clamor for
the latest Apple products and developments
over the past few months, including rumors
last May about the iOS 7 release. Another
spike in the phishing site volume was seen
last June and July when rumors about the
iPhone 5c spread. Last September, we saw
a spam run use the newly released iPhone
models as lure to steal personally identifiable
information (PII).19
Apple-Related Phishing Page Volume Growth
5,800
6K
5K
4,100
4K
2,500
3K
1,900
1,800
2K
1K
300
500
100
300
MAR
APR
0
JAN
FEB
MAY
JUN
JUL
AUG
The rise in Apple-related phishing pages continued even after the huge spike last May.
10 | Digital Life
SEP
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Mobile banking users were not spared
from attacks that leveraged similar social
engineering techniques. We found a phishing
site that mimicked a well-known financial
institution designed to gather crucial data
like log-in credentials, email addresses, and
even government-issued IDs.20
they hijacked users’ social media account
credentials, specifically those for Facebook,
Google+, and Twitter.22 This quarter was also
plagued by a slew of fake Twitter accounts
that lured followers to sites that supposedly
hosted hacking tools for both Facebook and
Twitter but instead led to survey scams.23
Security threats on social media persisted
this quarter, most notably those that took
advantage of users with rich digital lives.
A “free followers” scam showed how
cybercriminals made a quick buck by
offering fake followers, “likes,” and retweets
to interested buyers.21
Despite these security setbacks, some positive
developments pertaining to managing online
accounts were introduced. These include the
Touch ID fingerprint sensor on the iPhone
5s, a security tool meant to make it easier for
owners to unlock their phones compared
with using a PIN code.24 Though Apple’s
effort to secure users’ online accounts was
commendable, it must not be considered a
cure-all because user behavior is still a crucial
security factor.
Threats targeting social media were not
limited to “free followers” scams this
quarter. We also saw malware disguised as
fake video player updates make the rounds
on social networking sites. When installed,
Notable Social Engineering Lures Used
SUMMER
WHATSAPP MOVIES
OBAMACARE
ENDER’S GAME
PLANTS vs. ROYAL BABY
ZOMBIES
iPHONE 5s and 5c
11 | Digital Life
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
EXPLOITS AND VULNERABILTIES
Java Vulnerabilities Remain
a Major Concern
After several zero-day incidents at the
beginning of the year, Java vulnerabilities
remained a crucial concern. This quarter,
a Java 6 vulnerability exploit was included
in the Neutrino Exploit Kit.25, 26 Because
Oracle stopped supporting this version,
all affected software will no longer receive
security updates and fixes, including for
the recently identified bug. Even worse, the
Oracle announcement means that around 31
recently disclosed vulnerabilities will never
be patched.
Just a week after the September Patch
Tuesday, a zero-day Internet Explorer exploit
that affected even the latest version was
discovered.27 Microsoft immediately released
a fix to address the issue though.
Old vulnerabilities remained a favorite
cybercriminal target, as our research on
Apache Struts showed.28 Our investigation
revealed that the Chinese underground
created automated tools to exploit bugs in
older versions of Apache Struts, just three
days after the flaws were made known to the
public.
How Exploits Dodge Security
1 Crawl URL A
4 Site loads
2 Check if IP address
is in database
MALICIOUS SITE A
3 If IP address is
not in database
*Attackers keep a list of IP addresses
they believe researchers use and
block access from these.
RESEARCHER
BACKEND DATABASE
5 Crawl URL B
8 Site does
not load
12 | Exploits and Vulnerabilties
6 Check if IP address
is in database
MALICIOUS SITE B
7 If IP address is
in database
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
TARGETED ATTACKS
Sykipot Targets Aviation Data
Targeted attack campaigns continued to go
after various targets like governments, large
organizations, and enterprises. Attackers
typically aim to exfiltrate or steal data from
targets. One such campaign that recently
underwent some modifications was Sykipot.
vulnerabilities in spear-phishing attacks.
One widely attacked vulnerability was the
MSCOMCTL.OCX RCE Vulnerability, also
known as “CVE-2012-0158,” which was
addressed by Microsoft with MS12-027 as
early as April last year.30
The Sykipot campaign was first seen in
2007. It initially targeted industries like
telecommunications, computer, government,
and aerospace, among others but remains
active to this day.29 We did observe recent
changes to the campaign’s operations though,
including using updated identifiers, drive-by
exploits, and dynamic link library (DLL)/
process injections. It now also targets civil
aviation information.
Following the release of the latest Apache
Struts version, meanwhile, we found
automated tools that exploit vulnerabilities
found in older versions of the software sold
underground. We also saw some targeted
attacks exploit the said bugs in Asia.
While monitoring targeted attacks, we
continued to see the use of old, patched
13 | Targeted Attacks
.PKZIP and .MIME files were the top
file types threat actors used to attack
their intended victims via spear phishing.
Common file types like documents and
spreadsheets were also used to gain entry to
target networks.
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
File Types Used in Spear-Phishing Emails Related to Targeted Attacks
MIME
PKZIP
RAR
RTF
JUL
PPS/PPT
AUG
DOC
SEP
EXE/DLL
XLS
ZIP
PDF
0
10%
20%
Government agencies were the top
attack targets this quarter, followed by
telecommunications
and
IT/software
14 | Targeted Attacks
30%
40%
50%
companies. Enterprises should fortify their
networks to avoid becoming a victim of
targeted attacks.
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Appendix
Top Spam Languages
1. English
89.39%
2. Chinese
2.49%
3. Japanese
1.88%
4. German
0.95%
5. Russian
0.70%
6. Portuguese
0.24%
7. Spanish
0.16%
8. French
0.08%
9. Icelandic
0.07%
10. Turkish
Others
0.05%
3.99%
English remained spammers’ most preferred language because it is most used worldwide.
Top Spam-Sending Countries
1. USA
9.16%
2. Argentina
6.71%
3. Italy
6.69%
4. Spain
6.45%
5. India
6.16%
6. Taiwan
4.31%
7. Colombia
4.26%
8. Peru
3.97%
9. Mexico
3.82%
10. Germany
3.27%
Others
45.20%
Consistent with the top spamming language, the USA sent out the most spam. Latin American countries like
Argentina, Spain, Colombia, Mexico, and Peru remained part of the top 10.
15 | Appendix
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Top Malicious Domains Blocked
DOMAINS
REASONS
ads.alpha00001.com
Hijacks well-known web browsers to redirect users to
fake sites, including ad sites
trafficconverter.biz
Hosts and distributes worms, particularly
DOWNAD/Conficker
http :// adsgangsta . com
Related to exploit kit operations
http :// www . ody . cc
Related to sites hosting BKDR_HPGN.B-CN
az7t8.com
Involved in attacking high-traffic sites
ckstatic.com
Involved in attacking high-traffic sites
announce.opensharing.org
Hosted hacking software and used in peer-to-peer
promos.fling.com
Involved in a zombie network spread from an adult
dating site.
http :// labambaka . com
Hosts and distributes malware, related to spamming
international-spcsz.ru
Hosts and distributes malware, related to spamming
The top malicious domains this quarter hosted sites that hijacked Web browsers to redirect users to fake ad
sites. This most likely led to the increase in adware this quarter.
Number of Connections to Botnets per Month
12.7M
JULY
10.7M
AUGUST
13.9M
SEPTEMBER
0
2M
4M
6M
8M
10M
12M
The number of connections to botnets increased in July but dipped in August before rising again in September.
16 | Appendix
14M
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Malicious URL Country Sources
COUNTRY
SHARE
1
USA
24%
2
Netherlands
3%
3
China
3%
4
Germany
3%
5
France
3%
6
South Korea
2%
7
UK
2%
8
Russia
1%
9
Japan
1%
10
Canada
1%
Others
57%
Like last quarter, a significant share of the malicious URLs found this quarter were hosted in the United States.
Countries That Most Accessed Malicious URLs
COUNTRY
SHARE
1
USA
35%
2
Japan
14%
3
China
7%
4
India
4%
5
Taiwan
4%
6
South Korea
4%
7
Germany
3%
8
Australia
3%
9
Russia
2%
10
UK
2%
Others
22%
Most of the users that accessed malicious URLs were from the United States this quarter.
17 | Appendix
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Countries with the Greatest Number of Botnet Connections
COUNTRY
SHARE
1
USA
25%
2
Malaysia
19%
3
Portugal
4%
4
Russia
4%
5
Canada
4%
6
South Korea
4%
7
Belgium
3%
8
Colombia
2%
9
Germany
2%
10
Netherlands
2%
Others
31%
The United States recorded the greatest number of connections to botnets this quarter. Malaysia slipped to
second place, as the political tension subsided in the country.
Countries with the Highest Malicious Android App Download Volumes
1. Ukraine
13%
2. Myanmar [Burma]
10%
3. Libya
9%
4. Nigeria
7%
5. Vietnam
5%
6. Russia
4%
7. Argentina
4%
8. Antigua and Barbuda
4%
9. Canada
3%
10. India
9
6
1
3
8
4
10
2 5
7
3%
Ukraine recorded the highest malicious app download volume, overtaking the UAE, which dropped out of the list.
This could be attributed to the increased in popularity of smartphones in Eastern Europe. The mobile growth in
Nigeria and Argentina could also be the reason for their inclusion. The ranking was based on the percentage of
apps categorized as “malicious” over the total number of apps scanned per country. The ranking was, however,
limited to countries with at least 10,000 scans.
18 | Appendix
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
Countries Most at Risk of Privacy Exposure Due to App Use
1. Kazakhstan
26%
2. Uganda
20%
3. Ukraine
11%
4. India
10%
5. Argentina
9%
6. Philippines
7%
7. Antigua and Barbuda
7%
8. Thailand
7%
9. Canada
7%
10. Myanmar [Burma]
3
9
7
2
1
4
10
8
6
5
6%
This quarter, new entries like Kazakhstan, Uganda, and Ukraine topped the list of countries most at risk of
privacy exposure. This could be partly due to the growing popularity of smartphones in the countries. The
ranking was based on the percentage of apps categorized as “privacy risk inducers” over the total number of
apps scanned per country. The ranking was, however, limited to countries with at least 10,000 scans.
19 | Appendix
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
References
1.
Trend Micro Incorporated. (July 16, 2013). TrendLabs Security Intelligence Blog. “Post Liberty Reserve Shutdown—What Is Next?” Last accessed October
29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/post-liberty-reserve-shutdown-whats-next/.
2.
Charlie Osborne. (October 9, 2013). ZDNet. “Blackhole Malware Toolkit Creator ‘Paunch’ Suspect Arrested.” Last accessed October 29, 2013,
http://www.zdnet.com/blackhole-malware-toolkit-creator-paunch-arrested-7000021740/.
3.
Merianne Polintan. (September 16, 2013). TrendLabs Security Intelligence Blog. “ZeuS/ZBOT Most Distributed Malware by Spam in August.” Last
accessed October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/zeuszbot-most-distributed-malware-by-spam-in-august/.
4.
Gelo Abendan. (August 20, 2013). TrendLabs Security Intelligence Blog. “Can KINS Be the Next ZeuS?” Last accessed October 29, 2013, http://blog.
trendmicro.com/trendlabs-security-intelligence/can-kins-be-the-next-zeus/.
5.
Trend Micro Incorporated. (September 2, 2013). TrendLabs Security Intelligence Blog. “Citadel Makes a Comeback, Targets Japan Users.” Last accessed
October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/citadel-makes-a-comeback-targets-japan-users/.
6.
Jessa De La Torre. (August 5, 2013). TrendLabs Security Intelligence Blog. “How to Check If Your Website Is Part of the Stealrat Botnet.” Last accessed,
October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/how-to-check-if-your-website-is-part-of-the-stealrat-botnet/.
7.
Philippe Lin. (September 5, 2013). TrendLabs Security Intelligence Blog. “Joomla! and WordPress Sites Under Constant Attack from Botnets.” Last
accessed October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/joomla-and-wordpress-sites-under-constant-attack-frombotnets/.
8.
Rhena Inocencio. (July 15, 2013). TrendLabs Security Intelligence Blog. “File Infector EXPIRO Hits U.S., Steals FTP Credentials.” Last accessed October
29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/file-infector-expiro-hits-us-steals-ftp-credentials/.
9.
Trend Micro Incorporated. (July 19, 2013). TrendLabs Security Intelligence Blog. “More Details on EXPIRO File Infectors.” Last accessed October 29,
2013, http://blog.trendmicro.com/trendlabs-security-intelligence/more-details-on-expiro-file-infectors/.
10.
Feike Hacquebord. (September 5, 2013). TrendLabs Security Intelligence Blog. “The Mysterious MEVADE Malware.” Last accessed October 29, 2013,
http://blog.trendmicro.com/trendlabs-security-intelligence/the-mysterious-mevade-malware/.
11.
Roger Dingledine. (August 27, 2013). Tor Project. “Many More TOR Users in the Past Week?” Last accessed October 29, 2013, https://lists.torproject.
org/pipermail/tor-talk/2013-August/029582.html.
12.
Roddell Santos. (September 6, 2013). TrendLabs Security Intelligence Blog. “Adware Spread Alongside MEVADE Variants, Hits Japan and U.S.” Last
accessed October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/.
13.
Rowena Diocton. (September 17, 2013). TrendLabs Security Intelligence Blog. “Connecting the Dots: Fake Apps, Russia, and the Mobile Web.” Last
accessed October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/connecting-the-dots-fake-apps-russia-and-the-mobile-web/.
14.
Peter Yan. (September 13, 2013). TrendLabs Security Intelligence Blog. “Spam Leads to Multi-Platform Mobile Threat.” Last accessed, October 29, 2013,
http://blog.trendmicro.com/trendlabs-security-intelligence/spam-leads-to-multi-platform-mobile-threat/.
15.
Trend Micro Incorporated. (2013). Monthly Mobile Review. “A Look at Mobile Banking Threats.” Last accessed October 29, 2013, http://about-threats.
trendmicro.com/us/mobile/monthly-mobile-review/2013-08-mobile-banking-threats.
16.
Peter Yan. (August 2, 2013). TrendLabs Security Intelligence Blog. “Master Key Android Vulnerability Used to Trojanize Banking App.” Last accessed
October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/master-key-android-vulnerability-used-to-trojanize-banking-app/.
17.
Gelo Abendan. (August 8, 2013). TrendLabs Security Intelligence Blog. “Exploiting Vulnerabilities: The Other Side of Mobile Threats.” Last accessed
October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/exploiting-vulnerabilities-the-other-side-of-mobile-threats/.
18.
Paul Pajares. (October 1, 2013). TrendLabs Security Intelligence Blog. “Apple Spikes as Phishing Target.” Last accessed October 29, 2013, http://blog.
trendmicro.com/trendlabs-security-intelligence/apple-spikes-as-phishing-target/.
19.
Merianne Polintan. (September 10, 2013). TrendLabs Security Intelligence Blog. “iPhone 5s Phishing Mail Arrives in Time for Launch.” Last accessed
October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/iphone-5s-phishing-mail-arrives-in-time-for-launch/.
20 | References
TREND MICRO | TrendLabs 3Q 2013 Security Roundup
20.
Arabelle Ebora. (August 13, 2013). TrendLabs Security Intelligence Blog. “Mobile Phishing Attack Asks for Government IDs.” Last accessed October 29,
2013, http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-phishing-attack-asks-for-users-government-ids/.
21.
Karla Agregado. (August 1, 2013). TrendLabs Security Intelligence Blog. “From Fame to Shame: Busting the ‘Free Followers’ Myth in Social Media.” Last
accessed October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/from-fame-to-shame-busting-the-free-followers-myth-insocial-media/.
22.
Don Ladrones. (July 30, 2013). TrendLabs Security Intelligence Blog. “Malware Hijacks Social Media Accounts Via Browser Add-Ons.” Last accessed
October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/malware-hijacks-social-media-accounts-via-browser-add-ons/.
23.
Jonathan Leopando. (October 20. 2013). TrendLabs Security Intelligence Blog. “Twitter Still Being Used by Shady Hackers.” Last accessed, October 29,
2013, http://blog.trendmicro.com/trendlabs-security-intelligence/twitter-still-being-used-by-shady-hackers/.
24.
Paul Oliveria. (September 17, 2013). TrendLabs Security Intelligence Blog. “Fingerprint Scans, Passwords, and Managing Online Accounts.” Last accessed
October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/fingerprint-scans-passwords-and-managing-online-accounts/.
25.
Gelo Abendan. (August 27, 2013). TrendLabs Security Intelligence Blog. “Java 6 Zero-Day Exploit Pushes Users to Shift to Latest Java Version.” Last
accessed October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/java-6-zero-day-exploit-pushes-users-to-shift-to-latest-javaversion/.
26.
Anthony Melgarejo. (March 12, 2013). TrendLabs Security Intelligence Blog. “A New Exploit Kit in Neutrino.” Last accessed October 29, 2013, http://
blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/.
27.
Pavan Thorat. (September 18, 2013). TrendLabs Security Intelligence Blog. “New IE Zero Day Is Actively Exploited in Targeted Attacks.” Last accessed
October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/new-ie-zero-day-is-actively-exploited-in-targeted-attacks/.
28.
Noriyaki Hayashi. (August 14, 2013). TrendLabs Security Intelligence Blog. “Chinese Underground Creates Tool Exploiting Apache Struts Vulnerability.”
Last accessed October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-underground-creates-tool-exploiting-apachestruts-vulnerability/.
29.
Darin Dutcher. (September 4, 2013). TrendLabs Security Intelligence Blog. “Sykipot Now Targeting U.S. Civil Aviation Sector Information.” Last accessed
October 29, 2013, http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/.
30.
Trend Micro Incorporated. (2012) Threat Encyclopedia. “MSCOMCTL.OCX RCE Vulnerability (CVE-2012-0158).” Last accessed October 29, 2013,
http://about-threats.trendmicro.com/us/vulnerability/2580/mscomctlocx%20rce%20vulnerability%20cve20120158.
21 | References
Created by:
Global Technical Support & R&D Center of TREND MICRO
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be
construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the
most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the
particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to
modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor
implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the
document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or
enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties
or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this
document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither
Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or
damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access
to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of
this information constitutes acceptance for use in an “as is” condition.
Trend Micro Incorporated, a global leader in security software and
solutions, strives to make the world safe for exchanging digital
information. For more information, visit www.trendmicro.com.
©2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro
and the Trend Micro t-ball logo are trademarks or registered trademarks
of Trend Micro, Incorporated. All other product or company names may
be trademarks or registered trademarks of their owners.