TrendLabs 3Q 2013 Security Roundup

News about cybercrime circulated in recent months. The takedown of Liberty Reserve, an illegal digital currency system, and the recent seizure of the online black market, Silk Road, were among the many incidents this quarter that triggered greater public awareness of online threats. The arrest of the alleged Blackhole Exploit Kit creator in October also proved that cybercrime is indeed a business that thrives right under our noses.

Cybercriminals continued to refine their techniques this quarter. Online banking malware infections increased in several regions, including the United States and Japan. We also caught a glimpse of the massive scale of compromised sites. Our research on BKDR_FIDOBOT showed that the backdoor was used to attack more than 17,000 domains in a day. We also observed malware operation refinements like EXPIRO’s use of the Styx Exploit Kit and MEVADE malware’s use of The Onion Router (TOR) network.

On the mobile front, the number of malicious and high-risk Android™ apps surpassed the 1-million mark like we predicted. A significant portion of these dangerous apps were disguised as either fake or Trojanized versions of popular apps.

Internet Explorer® and Java security issues continued to put computers at risk, as a couple of zero-day exploits were discovered this quarter. Document exploits remained a staple in spear-phishing emails related to targeted attacks though we noted improvements in the Sykipot malware family, which now targets information related to civil aviation.


Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years of experience, we deliver top-ranked client, server, and cloud-based security that fits our customers’ and partners’ needs; stops new threats faster; and protects data in physical, virtualized, and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology, products and services stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit

Copyright © 2013 Trend Micro Incorporated.
All rights reserved.


The Invisible Web Unmasked
TrendLabs 3Q 2013 Security Roundup

Efficient, undetected movement is the prominent theme of the threats this quarter.

First, mobile threats reached a milestone—the number of mobile malware and high-risk app detections hit 1 million. Interestingly, most of the apps were found outside app stores.

On a positive note, law enforcers struck gold with the seizure of the Silk Road marketplace. This stressed the need to expose illegal trading sites lying undisclosed in the Deep Web.

This quarter’s threats remind individuals and organizations alike to be vigilant. Cybercriminals and attackers, though out of sight, are in constant motion.


Malicious, high-risk apps set 1M record

Just as we predicted, the number of malicious and high-risk apps reached the first million. This shows a 39% increase from last quarter’s count, 718,000. Four in five (80%) of the high-risk apps performed malicious routines; the remaining 20% had high-risk routines like those of adware.

Users had a 1-in-4 chance of stumbling upon malicious and high-risk apps in app stores; the rest were hosted on sites and could infect user devices when they least expect it.

Premium service abusers still reigned in the mobile malware domain. The info-stealing FAKEINST (34%) and the malware-downloading OPFAKE (30%) topped the list.

New technologies and identity theft methods redefine “identity crisis”

Recent events surrounding social media and personal information paved the way for issues on privacy and online identity to resurface.

New online account management technologies like the newly released Apple Touch ID fingerprint sensor were developed to decrease the use of passwords, albeit at great risk. Though these advancements allow us to take advantage of the “Internet of Everything,” they are not a cure-all. We still need passwords to protect sensitive data stored in various devices that use different platforms.

We also saw identities come under attack, as Apple increasingly became a top phishing target. The number of Apple phishing sites reached 8,500, a large jump from last quarter’s count (7,800) and a far cry from the first quarter’s (900). Touch ID became a specific theft target due to its use as a key control ID for multiple Apple products. Meanwhile, mobile phishing sites have started targeting government IDs. Sold underground for US$2–25, these can be used for either profit or identity theft.

Silk Road marketplace takedown puts Deep Web in the spotlight

Silk Road, a notorious underground marketplace for illegal trade, earned an estimated income of US$22M in 2012. Before it was shut down, it doubled its user base in less than six months. Silk Road lurked under The Onion Router (TOR) network in a non-indexed section of the Internet, better known as the “Deep Web.” Though the Deep Web is not an inherently malicious medium, its untraceable setup allows for the anonymous exchange of stolen and malicious goods.

The recently shut-down Liberty Reserve digital currency also hails from the Deep Web. The cybercriminal “financial hub” laundered US$6B in criminal proceeds and served over a million global users.

Meanwhile, the Blackhole Exploit Kit creator, Paunch, was arrested last October, three years after the release of the exploit kit’s first version in 2010. The exploit kit became widely popular underground because of its efficient compromise technique using customized attacks and vulnerability updates. No major campaigns were seen two weeks after the arrest and other cybercriminals are now worried they’re next.

Not just Android:
Mobile Web threats target multiple platforms

Multi-platform threats are here to stay, given the growing culture of multiple-device use among consumers. It’s not just the Android platform that’s taking the heat. Recent mobile threats also affect iOS and Symbian.

We saw fake notifications related to mobile messaging app, WhatsApp, for instance, along with fake apps in Russia spread via spam. We also witnessed a rise in mobile phishing, proving that more PC threats are “going mobile.”

Online banking malware upgrades drive more infections

The online banking malware volume rose to 202,000 from 146,000 last quarter due to improved target reach and routines.

ZeuS variants, KINS and Citadel, made the rounds with upgraded infection tactics and scopes. A new KINS version even sported an anti-debugging capability that allowed it to stop running in popular virtual machine servers and made it hard to analyze. Cybercriminals extended the reach of Citadel banking Trojans. This let them steal data from financial and banking organizations native to Japan using compromised computers—96% of which came from the same country.

Cybercriminals target unsupported Java version

This quarter saw a zero-day exploit attack Java 6, now an unsupported Java version. This is problematic for half of the Java users still running this version. Around 31 vulnerabilities—one of which was already exploited—have been disclosed since Java discontinued support for the version.

Meanwhile, we saw a new Internet Explorer vulnerability in versions 6–11 exploited in zero-day attacks. Through code downloaded from exploit-hosting sites, attackers can use the vulnerability to corrupt vulnerable system memory.

As such, users of vulnerable versions of Java and Internet Explorer need to patch their computers to prevent risks of attack.

Sykipot campaign evolves, from file-based exploits to system process injections

The relatively old Sykipot campaign slowly evolved. Moving away from using file-based exploits, attackers injected malware to a number of processes. In addition, recent attacks revealed a change in Sykipot’s unique identifiers. This quarter, Sykipot also targeted the civil aviation sector, a notable change from its usual targets.

As evidenced by this quarter’s attacks, government agencies were still on top of the targeted attack list.

Malware exploits deliver:
Trojans abuse “master key,” SIM, and iOS charger flaws

Last quarter, we warned against the cybercriminal use of the “master key” vulnerability in Android devices to replace legitimate with malicious apps. This came true in August when researchers found a Trojanized banking app that took advantage of the flaw to inject malicious code to vulnerable devices and trick users into revealing their banking credentials.

The Trojanized banking app was only the first of a potential number of threats that can target the “master key” vulnerability. As the process of getting Google updates remains sluggish, many Android users are still exposed to this threat.

Also last August, discussions during Black Hat USA 2013 led to the exposure of two problems. The first was a SIM card issue that allowed cybercriminals to spy on text messages and location information stored in mobile devices running any OS. The bad guys used an error-generating SMS sent to any SIM card equipped with old encryption systems. The second was an iOS issue that let cybercriminals execute commands via the use of a well-crafted malicious charger. This flaw has since been patched.

These threats show that, regardless of OS, the mobile platform remains vulnerable to exploits and the risks they bring.