# Operation Pawn Storm ### Using Decoys to Evade Detection #### Loucif Kharouni Feike Hacquebord Numaan Huq Jim Gogolinski Fernando Mercês Alfred Remorin Douglas Otis Forward-Looking Threat Research Team ----- ## CONTENTS Introduction.....................................................................................................................................1 Ties That Bind the Operation Pawn Storm Attacks Together..........................................................2 SEDNIT....................................................................................................................................2 Attack Timeline.........................................................................................................................2 Attack Details............................................................................................................................4 Attack Evolution........................................................................................................................5 Next-Level Phishing Targets...................................................................................................11 Case 1: Ministry of Defense, Hungary..............................................................................11 Case 2: OSCE, Austria.....................................................................................................13 Case 3: SAIC, United States............................................................................................13 Case 4: Academi...............................................................................................................13 Other Webmail Services.........................................................................................................14 Conclusion....................................................................................................................................16 References...................................................................................................................................17 TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is” condition. ----- ## INTRODUCTION Operation Pawn Storm refers to economic and political espionage attacks instigated by a group of threat actors primarily targeting military, embassy, and defense contractor personnel from the United States and its allies. Opposing factions to and dissidents of the Russian government, international media, and even the national security department of a U.S. ally were also targeted. The threat actors used three attack vectors― spear-phishing emails with malicious attachments, an advanced network of phishing websites, and exploits injected into legitimate conference and media websites. They used a nonmalicious JavaScript to victimize Microsoft™ Outlook® Web Access (OWA) users from carefully selected target organizations. The OWA phishing attacks proved extremely effective and could be particularly dangerous to any organization that allows employees to use OWA. An in-depth look at six multistage attacks revealed one thing in common―the use of SEDNIT/Sofacy malware [1], [2]. The use of such multistage downloaders provided attackers additional protection against detection. We believe the threat actors aimed to confuse their targets’ IT administrators by making it hard for them to string attack components together, thus evading detection. This research paper details when certain attacks occurred, what tools were used in attempts to get in to target networks, and target profiles to form a general picture of Operation Pawn Storm. ----- ## TIES THAT BIND THE OPERATION PAWN STORM ATTACKS TOGETHER #### SEDNIT SEDNIT malware are mostly backdoors [3], [4] and information stealers [5] that log affected users’ keystrokes, steal system information, and send stolen information to remote command-and-control (C&C) servers. Analyses of the SEDNIT infectors that arrived as email attachments in the attacks featured in this paper revealed six distinct chains [see diagram on page 3]. #### Attack Timeline The investigation focused on a group of attacks that has been dubbed “Operation Pawn Storm” [6] due to the attackers’ use of two or more connected tools/tactics to attack a specific target similar to the chess strategy it was named after. This paper illustrates how the Pawn Storm attacks were carried out with the aid of five spear-phishing emails, which used contextually relevant subjects to get specific targets from different countries to open weaponized attachments designed to compromise their systems. _Timeline of spear-phishing emails sent to specific targets_ The attackers sent emails to potential victims, including military, embassy, and defense contractor personnel. The following emails were among those that were found related to this operation: - An email sent to a potential victim from the Ministry of Defense in France had an exploit for CVE-2010-3333 [7] disguised as a document named _“International Military.rtf.” Trend Micro_ received a sample of this on October 17, 2011 and has been detecting it as TROJ_ARTIEF.AP [8] since then. - An email sent to a potential victim working from the Vatican Embassy in Iraq used reports of a bombing incident [9] that occurred on January 9, 2012 as social engineering lure. [7] disguised as a document named 9, 2012 as social engineering lure. ----- Sent a day after the incident, the email had a Microsoft Word® file attachment named _“IDF_Spokesperson_Terror__ _Attack_011012.doc,” which_ exploited CVE-2012-0158 [10]. _SEDNIT infectors attached to targeted attack campaign emails_ _Exploit for CVE-2012-0158 disguised as a_ _Word (.DOC) file_ _Sample email sent to recipients from the_ _Vatican Embassy in Iraq_ _Vatican Embassy in Iraq_ ----- - An email sent on September 20, 2013 to military officials from several countries used the then-upcoming “Asia-Pacific Economic Cooperation (APEC) Indonesia 2013” conference as bait. The email had two Microsoft Excel® file attachments named _“APEC Media list 2013 Part1.xls,”_ which exploited CVE-2012-0158, and _“APEC Media list 2013 Part2.xls,”_ which was nonmalicious. _Sample email sent to military officials across_ _countries using the “APEC Indonesia 2013”_ _conference as bait_ _Exploit for CVE-2012-0158 disguised as an Excel_ _(.XLS) file (APEC Media list 2013 Part1.xls)_ - An email sent to Pakistani military officials on January 23, 2014 used the “Homeland Security Summit Middle East” [11] conference as bait. It had a Word file attachment named “Details. _doc,” which exploited CVE-2012-_ 0158. _Sample email sent to military officials from_ _Pakistan using the “Homeland Security Summit_ _Middle East” conference as bait_ - An email sent to Polish government employees [12] on August 11, 2014 had a MIME HTML (.MHT) file attachment named “MH17.doc,” which exploited CVE-2012-0158. _Exploit for CVE-2012-0158 disguised as a MIME_ _HTML (.MHT) file_ #### Attack Details All of the observed Operation Pawn Storm attacks comprised several stages. Each attack had at least two phases: - In phase 1, opening the email attachment displays a decoy document while the exploit runs in the background. The exploit drops a downloader component (.DLL file) named “netids.dll,” “netidt.dll,” or _“coreshell.dll.”_ Word file attachment named “Details. ----- - In phase 2, the downloader component communicates with a C&C server and downloads a dropper that ultimately installs a keylogger. After capturing information from infected systems, the keylogger sends data back to the C&C server. _Phases 1 and 2 in an Operation Pawn Storm attack_ We only managed to collect latterstage payloads for two out of the six aforementioned attacks. The C&C servers tied to the other four attacks refused to serve the rest of the files to complete the attack chains. Multistage attacks are a double-edged sword. If one link in the attack chain, aside from the end node, is detected and removed in the initial infection stage, the entire attack fails. On the other hand, having several links in the attack chain makes detecting the final component more difficult. Tracing the previous and next links is also difficult when any of the components is inspected on its own outside the attack chain. Although some of the C&C servers were still alive at the time of investigation, they did not respond to our infected systems. Repeated attempts to trick the C&C servers into serving the next files in the incomplete attack chains failed. The attacks they were tied to could be time sensitive and it is possible that they no longer hosted the files for succeeding stages. #### Attack Evolution Even though the filenames used for different components remained fairly consistent from 2010 to the present, earlier attacks were more elaborate and complex compared with those seen this year. The 2014 attacks we have seen were more streamlined. ----- _Comparison of an Operation Pawn Storm attack in 2011 and another in 2014_ Although variations in past and current attack chains exist, both are still being used by threat actors to date to ensure one thing—detection evasion. The following table compares and contrasts the six Operation Pawn Storm attacks in greater detail. ----- |Operation Pawn Storm Attack Comparison|Col2|Col3|Col4|Col5|Col6| |---|---|---|---|---|---| |Case 1|Case 2|Case 3 [13]|Case 4|Case 5|Case 6| |Unknown exploit, possibly disguised as a .PDF, .DOC, or .RTF file, carries the top-level dropper (dropper.exe; SHA- 1: 72cfd996957bde0 6a02b0adb2d66d8a a9c25bf37)|.RTF file exploits CVE-2010-3333 (SHA-1: 956d1a360 55c903cb570890da 69deabaacb5a18a) and drops saver.scr (SHA-1: e8b55d9aef f124df4008b0d372bf 2f2d3e5e5ae7)|Unknown exploit carries a dropper (Dropper DLL; SHA-1: 9c622b39521183dd 71ed2a174031ca15 9beb6479)|Two .XLS files come with spear-phishing emails: • First file (APEC Media list 2013 Part1.xls; SHA- 1: a90921c182c b90807102ef40 2719ee8060910 345) exploits CVE-2012-0158 • Second file (APEC Media list 2013 Part2. xls; SHA-1: b30 98f99db1f80e27 aec0c9a5a625a edaab5899a) is a decoy document|.RTF file (SHA-1: 78d28072fdabf0b5a ac5e8f337dc768d07 b63e1e) exploits CVE-2012-0158 and drops saver.scr (SHA-1: 7FBB5A2E4 6FACD3EE0C945F3 24414210C2199FF B) into \Temp\|.MHT file drops: • MH17.doc (SHA-1: DAE7F AA1725DB8192 AD711D759B13 F8195A18821), a decoy document, into \Temp\ • W.q (SHA-1: 8D EF0A554F1913 4A5DB3D2AE9 49F9500CE3D D2CE), a dropper, into \Temp\| ----- |Operation Pawn Storm Attack Comparison|Col2|Col3|Col4|Col5|Col6| |---|---|---|---|---|---| |Case 1|Case 2|Case 3 [13]|Case 4|Case 5|Case 6| |Dropper.exe drops: • Decoy file (Letter to IAEA. pdf; SHA-1: 6ad a11c71a5176a8 2a8898680ed1e aa4e79b9bc3) into \Temp\ • Downloader (netids.dll; SHA- 1: c5ce5b7d10a ccb04a4e45c3a 4dcf10d16b192 e2f) into \ Application Data\|Saver.scr drops: • Decoy document (Military Cooperation. doc; SHA-1: 0E 12C8AB9B89B6 EB6BAF16C4B 3BBF9530067 963F) into \Temp\ • Skype.exe (SHA-1: 550AB D71650BAEA05 A0071C4E084A 803CB413C31), a SEDNIT variant, into \Temp\ • Cryptmodule. exe (SHA-1: 4B 8806FE8E0CB4 9E4AA5D8F877 66415A2DB1E9 A9) into \ Microsoft\Crypt\|Dropper DLL drops netids.dll (SHA-1: dd 61530076152dae56 8b4834b1899212c9 6c1a02) into \ Application Data\|APEC Media list 2013 Part1.xls drops dw20.t (SHA-1: ac6b 465a13370f87cf579 29b7cfd1e45c36945 85), a .DLL file|Saver.scr drops: • IDF_ Spokesperson_ Targeted_ Attack_101012. doc (SHA-1: F5 42C5F9259274 D94360013D14 FFBECC43AAE 552), a decoy document, into \Temp\ • Install.exe (SHA-1: BC58A 8550C53689C8 148B021C917F B4AEEC62AC 1) into \Temp\|W.q drops: • Coreshell.dll (SHA-1: A85513 97E1F1A2C014 8E6EADCB56F A35EE6009CA) into \Common Files\System\ • Tmp64.dat, a copy of coreshell.dll, into \Common Files\System\| ----- |Operation Pawn Storm Attack Comparison|Col2|Col3|Col4|Col5|Col6| |---|---|---|---|---|---| |Case 1|Case 2|Case 3 [13]|Case 4|Case 5|Case 6| |Netids.dll communicates with a C&C server (200.106.145.122)|• Military Cooperation. doc has been encoded using Cyrillic characters and opens in Word • Skype.exe drops: • Downloader (netids.dll; SHA-1: 6b87 5661a74c46 73ae6ee89a cc5cb6927ca 5fd0d), a SEDNIT variant, into \ system32\ • Copy of netids.dll (mscsv. tmp) into \ system32\ • Cryptmodule. exe drops s.vbs (actually a .PE and not a .VBS file) and communicates with a C&C server (windous. kz)|Netids.dll downloads and saves msmvs. exe (SHA-1: 88f7e27 1e54c127912db4db 49e37d93aea8a49c 9) in \Temp\|Dw20.t drops netids. dll (SHA-1: 3814eec 8c45fc4313a9c7f65c e882a7899cf0405)|Install.exe drops netids.dll (SHA-1: 14 BEEB0FC5C8C887 D0435009730B6370 BF94BC93) into \ system32\|Coreshell.dll downloads conhost. dll (SHA-1: B49FAD 3E5E6787E96373A C37ED58083F7572 D72A), a dropper, from a C&C server| ----- |Operation Pawn Storm Attack Comparison|Col2|Col3|Col4|Col5|Col6| |---|---|---|---|---|---| |Case 1|Case 2|Case 3 [13]|Case 4|Case 5|Case 6| |C&C server confirms receipt of communication from infected systems then stops further interactions|• Netids.dll communicates with a C&C server (70.85.221.20) • S.vbs (SHA-1: 0 A3E6607D5E9 C59C712106C3 55962B11DA29 02FC) runs CreateFile C:\\ DOCUME~1\\ ADMINI~1\\ LOCALS~1\\ Temp\\update. exe but does nothing else|Msmvs.exe drops conhost.dll (SHA-1: 55318328511961EC 339DFDDCA044306 8DCCE9CD2) into \ Temp\|Netids.dll communicates with a C&C server (70.85.221.10)|Netids.dll communicates with a C&C server (70.85.221.10)|Conhost.dll drops advstoreshell.dll (SHA-1: E338A57C3 5A4732BBB5F738E 2387C1671A002BC B), a keylogger| |||Conhost.dll drops netui.dll (SHA-1: 5A452E7248A8D37 45EF53CF2B1F3D7 D8479546B9), a keylogger, into \ system32\|||Advstoreshell.dll sends logs of stolen data to a C&C server (software-update. org)| |||Netui.dll sends logs of stolen data to a C&C server (200.74.244.118)|||| ----- #### Next-Level Phishing Targets The attackers used specially crafted emails to redirect targets to any of several phishing websites with domain names that were very similar to those of well-known conferences and media outfits. These websites did not host malicious content but visiting them did lead to the automatic execution of a nonmalicious JavaScript. Links to these fake websites were then embedded in spearphishing emails and sent to selected targets. Opening such an email and clicking the link in OWA redirected victims to legitimate websites. The JavaScript made it appear that the victims’ OWA sessions ended while at the same time, tricked them into reentering their credentials. To do this, the attackers redirected victims to fake OWA log-in pages by setting their browsers’ open windows property. The victims’ credentials thus ended up in the attackers’ hands. Note that two special conditions need to be met for the attacks to succeed—victims should use OWA and click the embedded links via the web portal’s preview pane. The attacks worked on any popular browser such as Firefox®, Safari®, Chrome™, and Internet Explorer®. No vulnerabilities need to be exploited for the JavaScript to work. Because many companies allow employees to use webmail services to access their mailboxes while on business travel or at home, these attacks are likely to succeed. Once they do, attackers can gain access to compromised mailboxes that they can then use to gain a foothold in target networks. Throughout the course of investigation, several targets have been identified, including: - ACADEMI, formerly Blackwater (United States) - Broadcasting companies in various countries - Military attachés from various countries - Ministry of Defense (France) - Ministry of Defense (Hungary) - Multinational company based in Germany - Organization for Security and Cooperation in Europe (OSCE) (Austria) - Pakistani military officials - Polish government employees - SAIC (United States) - U.S. Department of State - Vatican Embassy (Iraq) The following case studies reveal more indepth details on four specific attacks. ##### CASE 1: MINISTRY OF DEFENSE, HUNGARY **•** **Malicious conference domain:** _eurosatory2014 . com_ **•** **Real conference domain:** _eurosatory . com_ **•** **Phished OWA domain: mail . hm .** _qov . hu_ **•** **Real OWA domain: mail.hm.gov.hu** The attackers created a domain that was very similar to eurosatory . com [14], a website for an international land and air-land defense and security exhibition. They then sent emails with the link, http :// eurosatory2014 . com, to selected employees of the target defense ministry who might actually have been expecting to hear from the conference staff - Broadcasting companies in various expecting to hear from the conference staff ----- members. Clicking the link embedded in the email via the OWA preview pane opens the real conference website in a new tab. The victims’ OWA session in the other tab, meanwhile, is redirected to a phished log-in page that makes it look like the session has ended. _Real “EUROSATORY 2014” conference website_ _opens in a new tab after clicking the link in a_ _spear-phishing email viewed in OWA_ _“Closed” OWA session page (fake) victims will_ _see, forcing them to reenter their credentials_ In reality, the victims’ OWA session did not end. The previously mentioned JavaScript just redirected them to a fake OWA login page that looks just like the Ministry of Defense in Hungary’s real one. Apart from “EUROSATORY 2014,” other conferences were also used to target employees of the Ministry of Defense in Hungary as shown in the following table. |Similar Attacks Against the Ministry of Defense, Hungary|Col2|Col3| |---|---|---| |Conference|Target Domain|Malicious Domain| |“Africa Aerospace and Defence 2014”|aadexpo . co . za|aadexpo2014 . co . za| |“The 10th Special Operations Forces Exhibition & Conference”|sofexjordan . com|sofexjordan2014 . com| |“ITEC”|itec . co . uk|itec2014 . co . uk| ----- ##### CASE 2: OSCE, AUSTRIA **•** **Malicious news domain: vice - news .** _com_ **•** **Real news domain: news . vice . com** **•** **Phished OWA domain: log-in - osce .** _org_ **•** **Real OWA domain: log-in . osce . org** This attack targeted OSCE employees in Austria. Although the attackers used similar tactics, they did not spoof a conference website. They instead used a fake version of the news website, news . vice . com. _Comparison of the legitimate (top) and spoofed_ _(bottom) OWA log-in pages of OSCE_ Even though OSCE provides better security for webmail users compared with the other targets via one-time session token use during log-in, attackers can still steal highly sensitive data from victims by hijacking a single session. ##### CASE 3: SAIC, UNITED STATES **•** **Malicious conference domain:** _natoexhibitionff14 . com_ **•** **Real conference domain:** _natoexhibition . org_ **•** **Phished OWA domain: webmail -** _saic . com_ **•** **Real OWA domain: webmail . saic .** _com_ This attack targeting SAIC was very similar to the first case. The attackers spoofed the website of the “Future Forces 2014” conference to trick email recipients into handing over their webmail credentials. _Comparison of the legitimate (top) and spoofed_ _(bottom) OWA log-in pages of SAIC_ ##### CASE 4: ACADEMI **•** **Malicious news domain: tolonevvs .** _com_ **•** **Real news domain: tolonews . com** **•** **Phished OWA domain: academl .** _com_ **•** **Real OWA domain: academi . com** _natoexhibitionff14 . com_ ----- This attack targeted the employees of U.S. defense contractor, ACADEMI, using the same phishing tactics as in the second case. _Comparison of the legitimate (top) and spoofed_ _(bottom) OWA log-in pages of ACADEMI_ Apart from the four specific cases presented above, evidence pointing to a fake OWA server for a multinational company based in Germany was also discovered. The threat actors registered a domain that looked very similar to the target’s real domain and purchased a Secure Sockets Layer (SSL) certificate for the fake domain as part of preparations for a targeted attack. Trend Micro was able to warn the target early on, which helped thwart the threat. #### Other Webmail Services OWA users are not the only ones at risk though, as the threat actors behind Operation Pawn Storm also targeted users of free webmail services such as Gmail™, Live Mail, Yahoo!®, Hushmail, and Yandex. ----- _Sample Gmail, Live Mail, Hushmail, and Yandex account phishing websites_ We leaked specific credentials to the threat actors in a couple of cases to see if the fake webmail service log-in pages were indeed intended for attack use. Within minutes of leaking the test credentials, unauthorized log-ins were recorded. The first log-in was usually an automated login check from the same IP address as the phishing website’s owner. The succeeding log-ins were made from the IP addresses, _46.166.162.90 (Latvia) and 192.154.110.244_ (United States), via Internet Message Access Protocol (IMAP). No other forms of abuse such as sending spam via the compromised accounts were witnessed. This showed that the attackers were indeed trying to obtain sensitive data from their targets instead of using their accounts for fraud and other financially motivated scams. ----- ## CONCLUSION Operation Pawn Storm used next-level spear-phishing tactics to obtain the email credentials of primarily military, embassy, and defense contractor personnel from the United States and its allies. The threat actors used a mix of spear-phishing emails and specially crafted webmail service phishing websites to gain access to victims’ inboxes in hopes of getting better footholds inside target organizations. So as not to raise suspicion, the attackers used well-known events and conferences as social engineering bait. They have been quite persistent as well, as we have seen evidence that attacks have been going on since 2007. Apart from effective phishing tactics, the threat actors used a combination of proven targeted attack staples to compromise systems and get in to target networks— exploits and data-stealing malware. SEDNIT variants particularly proved useful, as these allowed the threat actors to steal all manners of sensitive information from the victims’ computers while effectively evading detection. Trend Micro has notified the targets that have been identified in this paper. Individuals and their respective organizations, meanwhile, should use solutions that can help protect against the various attack vectors that the threat actors behind Operation Pawn Storm used. Messaging security solutions such as Trend Micro™ InterScan™ Messaging Security [15] and the ScanMail™ Suite for Microsoft Exchange [16] can send suspicious email attachments to a sandbox for analysis, thus protecting recipients from threats. Other products such as OfficeScan™ [17] for endpoints and InterScan Web Security Virtual Appliance [18] for gateways can also block user access to known phishing sites. For overall protection against targeted attacks, Trend Micro™ Deep Discovery [19] can help protect potential targets by sandboxing and analyzing suspicious attachments to identify phishing emails via Email Inspector. Via 360-degree monitoring of network traffic to get networkwide visibility and intelligence, Deep Discovery allows users to detect and respond to targeted attacks and advanced threats. It also monitors all ports and more than 80 protocols, giving users the broadest protection available. Even more, specialized detection engines and custom sandboxing help identify and analyze malware, C&C communications, and evasive attacker activities that are invisible to standard security solutions. Along with in-depth threat intelligence, it allows for rapid response and automatic sharing with other security products to create real-time custom defense against attacks. ----- ## REFERENCES [1] Trend Micro Incorporated. (2014). _Threat Encyclopedia. “SEDNIT.” Last_ accessed October 13, 2014, http:// about-threats.trendmicro.com/us/search. aspx?p=SEDNIT. [2] Symantec Corporation. (1995‒2014). _Symantec. “Infostealer.Sofacy.” Last_ accessed October 17, 2014, http:// www.symantec.com/security_response/ writeup.jsp?docid=2011-090714-290799&tabid=2. [3] Trend Micro Incorporated. (2014). Threat _Encyclopedia. “BKDR_SEDNIT.AE.” Last_ accessed October 13, 2014, http://aboutthreats.trendmicro.com/us/malware/ BKDR_SEDNIT.AE. [4] Trend Micro Incorporated. (2014). Threat _Encyclopedia. “BKDR_SEDNIT.SM.” Last_ accessed October 13, 2014, http://aboutthreats.trendmicro.com/us/malware/ BKDR_SEDNIT.SM. [5] Trend Micro Incorporated. (2014). _Threat Encyclopedia. “TROJ_SEDNIT._ TOK.” Last accessed October 13, 2014, http://about-threats.trendmicro.com/us/ malware/TROJ_SEDNIT.TOK. [6] Wikimedia Foundation Inc. (March 16, 2014). Wikipedia. “Pawn Storm.” Last accessed October 21, 2014, http:// en.wikipedia.org/wiki/Pawn_storm. [7] The MITRE Corporation. (1999–2014). _CVE. “CVE-2010-3333.” Last accessed_ October 16, 2014, http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2010-3333. [8] Trend Micro Incorporated. (2014). _Threat Encyclopedia. “TROJ_ARTIEF.”_ Last accessed October 21, 2014, http:// www.trendmicro.com/vinfo/us/threatencyclopedia/malware/TROJ_ARTIEF. [9] Post Staff. (January 9, 2012). New York _Post. “Three Car Bombs Explode in Iraq,_ Killing 17.” Last accessed October 16, 2014, http://nypost.com/2012/01/09/threecar-bombs-explode-in-iraq-killing-17/. [10] The MITRE Corporation. (1999– 2014). CVE. “CVE-2012-0158.” Last accessed October 16, 2014, http:// www.cve.mitre.org/cgi-bin/cvename. cgi?name=CVE-2012-0158. [11] IQPC. (2014). Homeland Security _Summit Middle East. “Towards Total_ Preparedness: Advancing Command and Control and Communication for Increased Identification, Access, Surveillance, Cyber Protection Capabilities.” Last accessed October 16, 2014, http://www. homelandsecurityme.com/. [12] _Malware@prevenity. (September 11,_ 2014). “mht, MS12-27 oraz *malware*. info.” Last accessed October 16, 2014, http://malware.prevenity.com/2014/08/ malware-info.html. [13] R136a1. (December 27, 2012). _Analyzing Unknown Malware. “#3_ Disclosure of Another 0-Day Malware— Update and Additional Information.” Last accessed October 17, 2014, http://thegoldenmessenger.blogspot. ro/2012/12/3-disclosure-of-another-0daymalware_27.html. [14] COGES. (2013). EUROSATORY 2014. “The Largest International Land and AirLand Defence and Security Exhibition.” Last accessed October 17, 2014, http:// www.eurosatory.com/. [15] Trend Micro Incorporated. (2014). Trend _Micro. “InterScan Messaging Security.”_ Last accessed October 21, 2014, http:// www.trendmicro.com/us/enterprise/ network-security/interscan-message network-security/interscan-message- ----- security/. [16] Trend Micro Incorporated. (2014). Trend _Micro. “ScanMail Suite for Microsoft_ Exchange.” Last accessed October 21, 2014, http://www.trendmicro.com/us/ enterprise/network-web-messagingsecurity/scanmail-microsoft-exchange/. [17] Trend Micro Incorporated. (2014). Trend _Micro. “OfficeScan—Endpoint Protection.”_ Last accessed October 22, 2014, http:// www.trendmicro.com/us/enterprise/ product-security/officescan/. [18] Trend Micro Incorporated. (2014). Trend _Micro. “InterScan Web Security Virtual_ Appliance.” Last accessed October 22, 2014, http://www.trendmicro.com/us/ enterprise/network-security/interscanweb-security/virtual-appliance/. [19] Trend Micro Incorporated. (2014). Trend _Micro. “Deep Discovery Advanced_ Network Security.” Last accessed October 21, 2014, http://www.trendmicro.com/ us/enterprise/security-risk-management/ deep-discovery/. ----- Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™, and are supported by over 1,200 threat experts around the globe. For more [information, visit www.trendmicro.com.](http://www.trendmicro.com/us/index.html) ©2014 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. 225 E. John Carpenter Freeway, Suite 1500 Irving, Texas 75062 U.S.A. -----