
5000 new malicious Android apps prove smartphones become lucrative target

“Mobile technology” is just what the name implies—portable technology that isn’t limited to mobile phones. This also includes devices like laptops, tablets, and global positioning system (GPS) devices. As with any other kind of technology though, there are drawbacks to “going mobile.” Mobile devices can expose users’ and organizations’ valuable data to unauthorized people if necessary precautions are not taken.
True to one of our predictions for the year, 2011 has been dubbed the “Year of Data Breaches,” as we witnessed organizations worldwide succumb to targeted attacks and lose what we have come to know as the new digital currency—data. As individuals and organizations alike embark on the cloud journey, we at Trend Micro, along with our fellow cybercrime fighters in law enforcement and the security industry, will continue to serve our customers by providing data protection from, in, and for the cloud.
Trend Micro researchers and analysts were instrumental in uncovering various cybercriminal operations this quarter. In an effort to aid law enforcement authorities, they uncovered some popular FAKEAV affiliate networks and a particular SpyEye operation, which may bring authorities one step closer to catching the perpetrators.
Similar to the previous quarters, in the past three months, we witnessed an increase in the Android malware volume, more enhancements to notorious crimeware toolkits such as ZeuS and SpyEye, as well as the proliferation of survey scams in social media. As in the previous months, cybercriminals continued to employ very enticing social engineering tactics to lure targets.
Unlike in the first half of the year, however, mass compromises seemingly decreased in number, most probably due to the shift toward launching targeted attacks, particularly against large enterprises and government institutions.
Many businesses are evolving their data centers to include virtualization and cloud computing to improve resource utilization, accelerate development and deployment of computer resources, and reduce costs. However, these new platforms open additional avenues for threats against data, systems, and reputation, and raise new infrastructure issues that security providers must consider when creating a security foundation to protect against these threats.
This report discusses the security threats that enterprises face when deploying and using virtualization and cloud computing infrastructures. The report contains real-world examples of attacks and attack tools that cybercriminals use to exploit vulnerabilities in virtualization and cloud computing environments, as well as recommendations for security best practices.
To address the security threats and issues relevant to cloud computing and virtualization, an accompanying best practice guide is also available for download: Virtualization and Cloud computing - A security best practice guide (PDF)
Over the years, spam has rapidly become a major security threat—a catalyst for potential financial drain or intellectual property theft—to organizations worldwide.
This report discusses current spam trends and related major incidents affecting the spam volume. It highlights how spammers have been leveraging social media as new means to scam users and to launch spear-phishing attacks. It also provides information on our next-generation security solutions to address the changing nature of spam, which goes beyond the scope of traditional email security.
Crimeware, another vehicle by which cybercriminals generate profit, remains prevalent in the current threat landscape. In the second quarter of 2011, crimeware toolkits such as ZeuS and SpyEye continued to evolve, which allowed cybercriminals to infect as many systems as possible while evading detection and takedown.
In April, we published the “1Q 2011 Crimeware Report,” our first roundup of news and insights on malware families that targeted financial institutions in the first three months of this year. In this issue, we focused on the notable crimeware-related incidents within the last three months, including developments made to the latest SpyEye version and insights as to how the reported ZeuS code leakage will affect the security industry and the cybercriminal underground.
The second quarter of 2011 was marked by a spate of data breaches, vulnerability exploit attacks, the proliferation of new Android malware, improvements in social networking scams, as well as notable developments in traditional system infectors. Closely resembling the first quarter, albeit with some improvements and enhancements in tools, targets, tactics, and scale, cybercriminals continued to instigate a myriad of malicious schemes.
As Trend Micro security experts predicted, the beginning of enterprises’ journey to the cloud indeed ushered in data breaches of never-before-seen magnitude. This spelled disaster not only for attack targets such as Epsilon but for clients and customers as well. At the rate cybercriminals are launching attacks—targeted or not—there is no telling how many more companies and users will succumb to the dangers these pose before the year ends.
In line with the rapid shifts in the threat landscape and the never-ending slew of technological developments, we revamped our Threat Roundup reports. Instead of publishing these every month, succeeding issues will now be released on a quarterly basis. This change will allow us to give you a more in-depth view of the ever-evolving threat landscape as the shifts occur and even more valuable insights direct from our experts on what these mean for you.
Continuous technological advancements have made the Internet the preferred platform to quickly and easily conduct all kinds of transactions. Banks and other financial institutions are aware of this and are taking advantage of it by creating more robust online services to reach out to their clients and to better serve their needs.
The convenience and ease of using the Internet as a service platform, however, also entails certain security risks. In fact, information theft and the conduct of unauthorized online banking transactions are just two of the security issues that organizations have to deal with on a regular basis. In line with this, we at Trend Micro have decided to compile our findings on the latest threats targeting the financial industry.
1. TrendLabs Threat Trends 2010: The Year of the Toolkit (PDF)
2. FAKEAV - The Growing Problem (PDF)
3. Trend Micro TrendLabs Global Threat Trends 1H 2010 (PDF)
4. The Business of Cybercrime: A Complex Business Model (PDF)
There are three important areas to consider when planning your security and management strategy for the widespread business use of consumer devices.
In this paper, we explore the principles behind each of these three areas and discuss how you can apply these principles to your organisation.
The number of targeted attacks has dramatically increased. Unlike the largely indiscriminate attacks associated with cybercrime, which focus on stealing credit card and banking information, targeted attacks noticeably differ and are better characterized as "cyber espionage." Highly targeted attacks are computer intrusions that threat actors stage to aggressively pursue and compromise specific targets, often leveraging social engineering, in order to maintain a persistent presence within the victim’s network so they can move laterally and extract sensitive information.
Cyber-espionage campaigns often focus on specific industries or communities of interest in addition to a geographic focus. Different positions of visibility often yield additional sets of targets pursued by the same threat actors. We have been tracking the campaign dubbed "Luckycat" and found that in addition to targeting Indian military research institutions, as previously revealed by Symantec, the same campaign targeted entities in Japan as well as the Tibetan community.
Ransomware is a kind of malware that withholds digital assets from victims and demands payment for the assets’ release. Ransomware attacks were first seen in Russia in 2005–2006 and have since changed tactics and targets. Trend Micro has been tracking the so-called "Police Trojan" campaign since the beginning and is now ready to share some of our conclusions from the investigation. A mix of well-tuned social engineering tactics and an advanced, very dynamic networking model shows that the Police Trojan’s creators are well-organized, apart from being persistent and creative.
Most organisations operate a change freeze on their IT systems as a control for managing risk and keeping a stable and available IT environment around critical times of the year. However, this strategy can introduce an even greater risk to business operations. Each year, thousands of software flaws in operating systems and applications are reported and exploited. This paper explains how you can implement same-day protection for vulnerabilities whilst still maintaining your change freeze.
Directing traffic to cash in on referrals is a common and legitimate method of making money on the Internet. It should not, therefore, be surprising for the same to be true in the illegitimate world of cybercrime. So-called traffic direction systems (TDSs) have reached a high level of sophistication. This research paper shows how such systems work, how they are utilized by cybercriminals, and what the security industry can do about this.
This paper illustrates what the author believes should be considered required elements in every industrial control system (ICS) network integration effort.
It also covers best practices when integrating with supervisory control and data acquisition (SCADA) and existing organizational networks as well as the rationale for and importance of each component of the suggested architecture.
The KOOBFACE botnet has been known to generate money by using the pay-per-install (PPI) and pay-per-click (PPC) business models. In fact, in 2009, the KOOBFACE botnet herders earned about US$2 million from their malicious activities. To earn more, the KOOBFACE gang upgraded their botnet’s framework with the creation of a sophisticated traffic direction system (TDS) that handles all of the traffic referenced to their affiliate sites. They also introduced new binary components to help increase the amount of Internet traffic that goes to their TDS, which translates to even bigger profit.
This research paper discusses how KOOBFACE’s TDS works and how the botnet’s binaries work together to increase the amount of Internet traffic to the TDS.
HTML5 opens up a wide and wonderful new world for Web designers—bringing fantastic new features that were previously only possible via Flash or horribly over-complicated JavaScript. And HTML5 is not a future technology—chances are your favorite browser already has excellent support built in.
In this paper we look at HTML5 from an attacker’s viewpoint. Because not only does HTML5 bring us Semantic web, editable content, inbuilt form validation, local storage, and awesome video support, it also opens up a host of new opportunities for attackers.
We look at some of the troublesome new attacks that the HTML5 standard introduces, how attackers can leverage these attacks for their own gain, and how, with a little help from some not-so-over-complicated JavaScript, an attacker can build botnets in your browser!
Often leveraging social engineering and malware, targeted attacks seek to maintain a persistent presence within the victim’s network so that the attackers can move laterally throughout the target’s network and extract sensitive information. These attacks are most commonly aimed at civil society organizations, business enterprises, and government/military networks. Given their targeted nature, their distribution is low; however, the impact on compromised institutions remains high. As a result, targeted attacks have become a priority threat.
This paper examines the stages of a targeted attack from the reconnaissance phase through to the data exfiltration phase and explores trends in the tools, tactics, and procedures used in such attacks. Mitigation strategies leverage threat intelligence and data security to provide organizations with the information they need to increase their ability to analyze and respond to threats and to customize technical solutions in ways that best fit their own defensive posture.
This research paper will show the capabilities of the four members of the Botnet PHP family, so named because the toolkit used to build its member botnets used PHP script.
PHP is a widely used general-purpose scripting language that is especially suited for Web development and that can be embedded into HTML. The Botnet PHP family comprises four botnets, the most popular of which were the Tequila and Mariachi botnets that targeted Mexican users.
From October 5 to 7, the Virus Bulletin conference was held in Barcelona. Virus Bulletin is the biggest event in the antivirus industry. At that conference, two Trend Micro senior researchers presented a joint paper on the sinkholing technique used to shut down botnets. In the paper, Sancho and Link discuss the pros and cons of sinkholing botnets as well as possible roadblocks encountered when using this powerful technique.
This March, Trend Micro began investigating a specific SpyEye botnet created and controlled by a cybercriminal who goes by the handle Soldier. This paper delves deeper into activities related to his SpyEye botnet. It talks about his success in instigating attacks that impacted various organizations worldwide, particularly in the United States; how his particular botnet works; and how much he has made from the malicious campaigns he has so far orchestrated. It provides insights on how Trend Micro was able to track him down from Russia to Hollywood and reveals what we learned about him and his accomplices in the process.
Prior to the highly publicized “Aurora” attack on Google in late 2009, which also affected at least 20 other companies, there was little public awareness regarding targeted attacks. However, such attacks have been taking place for years and continue to affect government, military, corporate, educational, and civil society networks today. While such attacks against the U.S. government and related networks are now fairly well-known, other governments and an increasing number of companies are facing similar threats.
The underground ecosystem provides everything required to set up and to maintain a malware operation for a minimal investment. It enables those with limited technical skills and with a few underground connections to earn significant returns on their investment.
This research paper focuses on how FAKEAV affiliate networks operate, what propagation strategies they use, and how much they earn from their malicious activities. It explores the various underground connections among malicious actors, including the emergence of “meta” affiliate networks that act as mid-tier FAKEAV providers.
This time every year, Trend Micro CTO Raimund Genes sits down with his research teams to discuss what they think the coming year will hold in terms of threats to Trend Micro customers. It’s an important discussion that helps Trend Micro not only share with you what we think you need to be prepared for, but also to help guide our direction as we continue to build products and services to help protect you from these threats. This year, as we look ahead, we’ve come up with 12 predictions for 2012 that fall into four main categories:
What is Domain Name System (DNS)-changing malware? It recently garnered a lot of attention due to the Esthost takedown, which involved a botnet comprising 4 million systems infected with DNS-changing malware. The unobtrusive nature of DNS-changing malware allowed the cybercriminals behind Esthost to earn US$14 million over several years.
How many ads do you typically see every time you open a page while surfing the Web? Have you ever had the misfortune of accidentally clicking an ad? Where and what did it lead you to? Did you know that malicious advertisements or malvertisements are typically employed as malware infection vectors and can pose grave security risks to users like you? Read on to find out what malvertisements are, how these can affect you, and how you can protect yourself from the perils these pose.
Cybercriminals are cashing in on Bitcoin, a digital currency that is slowly gaining acceptance as payment for various items bought online. This is probably why creating malware that causes victims to generate money for cybercriminals—akin to the pay-per-click (PPC) schemes of the past and these days’ Bitcoin mining—is seemingly becoming a trend.
Survey scams in social networking sites may look harmless and may just be a waste of time once users find out that they will not get what they were promised in the end. Keep in mind, however, that bad guys will not waste time coming up with ingenious scams if these will not translate to profit.
Android’s popularity and the Android Market’s “open” nature are causing mobile devices running the OS to be targeted by several noteworthy malware families. In this article, we will look at the different Android malware we have recently seen, particularly those that steal information from users and that monitor mobile activities.
Threat Spotlight, our latest monthly offering, features expert views and findings on the current trends in the threat landscape. This maiden edition discusses the recent spate of FAKEAV for Macs. In a span of just one month, TrendLabs engineers came across several FAKEAV variants that targeted Mac users, prompting security experts to watch out for further attacks.
Mobile malware is growing in volume and prevalence due to the rise in demand for mobile devices. The evolution and emergence of several mobile OSs like Google’s Android OS and Apple’s iOS have provided cybercriminals with additional routes through which to instigate malicious activities.