###### Trend Micro Incorporated Research Paper 2012

# IXESHE

### An APT Campaign

###### By: David Sancho, Jessa dela Torre, Matsukawa Bakuei, Nart Villeneuve, and Robert McArdle

##### CONTENTS

- Introduction
  - Victims and Targets
  - Context
  - Attack Vectors
  - Operations
- Technical Analysis
  - Initial Delivery Method
  - Malware Local System Effects
  - C&C Communications
  - Related AES Campaign
- C&C Infrastructure
  - Real C&C Location
- Attribution and Unique Fingerprints
  - Unique Fingerprints and Modus Operandi
- Relationships Between Attack Components
- Timeline
- Conclusion
- Defending Against APTs
  - Local and External Threat Intelligence
  - Mitigation and Cleanup Strategy
  - Educating Employees Against Social Engineering
  - Data-Centric Protection Strategy
- Trend Micro Threat Protection Against IXESHE Campaign Components

##### INTRODUCTION

The number of targeted attacks is undoubtedly on the rise. These highly targeted attacks focus on individual organizations in an effort to extract valuable information. In many ways, this is a return to the "old hacking days" before more widespread attacks targeting millions of users and the rise of computer worms came about. Sometimes, these targeted attacks are allegedly linked to state-sponsored activities but may also be carried out by individual groups with their own goals.

Trend Micro continues to track and analyze highly targeted attacks, also known as "advanced persistent threats (APTs)." We have, in fact, published two research papers on the Luckycat[1] and Lurid[2] campaigns. This research paper will delve into another prominent group of attackers referred to as "IXESHE" (pronounced "i-sushi"), based on one of the more common detection names security companies use for the malware they utilize. This campaign is notable for targeting East Asian governments, electronics manufacturers, and a telecommunications company.

The IXESHE campaign makes use of targeted emails with malicious attachments to compromise victims' systems. The emails are often tailored for specific victims and contain malicious attachments that are almost always "weaponized" .PDF files with known exploits that drop malware executables onto targeted systems. In addition, the IXESHE attackers conducted two specific attacks that leveraged zero-day exploits: one in 2009 and another in 2011.

The IXESHE attackers almost always make use of compromised servers as command-and-control (C&C) servers. In some cases, the compromised servers are hosted on target organizations' networks after successful infiltration so the attackers can increase their control of the victims' infrastructure. Using this approach, the attackers amassed at least 60 C&C servers over time. This technique also allows the attackers to cover their tracks, as having the C&C server inside the victims' corporate networks means very little C&C traffic leaves them. The attackers' deliberate use of compromised machines and dynamic Domain Name System (DNS) services allows them to hide traces of their presence by confusing their activities with data belonging to legitimate individuals.

Looking at threat intelligence derived from tracking APT campaigns over time, primarily based on the network traffic generated by the malware used, we were able to develop indicators of compromise for the IXESHE campaign. The malware samples used in this campaign were not very complicated by nature but do give the attackers almost complete control over their targets' compromised systems.

###### Victims and Targets

Most of the IP addresses of IXESHE's victims are linked to DSL networks, which made it difficult to determine their identities. Careful research, however, allowed the identification of some of the attackers' victims:

- East Asian governments
- Taiwanese electronics manufacturers
- A telecommunications company

Campaign victims were identified by using Whois records and open source research. Trend Micro generally notifies customers that are believed to have been specifically targeted by APT campaigns.

###### Context

The IXESHE attackers have been actively launching highly targeted attacks since at least July 2009.
[1] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf

###### Attack Vectors

Available data on the IXESHE campaign indicates that targeted emails with malicious .PDF file attachments were the attackers' vector of choice. In most cases, the attacks involved Adobe Acrobat, Reader, and Flash Player exploits such as:

- CVE-2009-4324[3]
- CVE-2009-0927[4]
- CVE-2011-0609[5]
- CVE-2011-0611[6]

It should also be noted that this campaign used the CVE-2009-4324[7] and CVE-2011-0609[8] exploits while these were still unpatched, that is, while they were zero-day vulnerabilities.

The IXESHE attackers also used an exploit that affected Microsoft Excel, CVE-2009-3129.[9]

###### Operations

The IXESHE malware binary allowed the attackers to easily take over and maintain complete control of victims' systems to do the following:

- List all services, processes, and drives
- Terminate processes and services
- Download and upload files
- Start processes and services
- Get victims' user names
- Get a machine's name and domain name
- Download and execute arbitrary files
- Cause a system to pause or sleep for a specified number of minutes
- Spawn a remote shell
- List all current files and directories

##### TECHNICAL ANALYSIS

###### Initial Delivery Method

Every IXESHE case we examined revealed that the original infection vector was a targeted email with a PDF exploit as attachment. Older versions also used an XLS exploit.

Opening the .PDF file drops and executes malware on the victim's system. The malware then displays a blank .PDF file or a decoy document related to the targeted attack. The emails normally come from compromised personal accounts or are entirely spoofed. Emails from spoofed senders were usually sent via mail servers in the United States and China.

###### Malware Local System Effects

Once dropped onto a target system by means of a document exploit attached to a tailored email, the malware writes an executable file into one of the following folders:

- %APPDATA%\Locations\
- %APPDATA%\Adobe
- %TEMP%

The malware also sets the executable file's attributes to "Hidden." Some of the file names the attackers used include:

- winhlps.exe
- acrotry.exe
- AcroRd32.exe
- Updater.exe

In order for the malware to survive rebooting, it normally creates a value under the following registry run key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The run key value, in turn, points to the malware that has been dropped. The value name varies from sample to sample. Some of the names the attackers used for it include:

- Adobe Assistant
- Migrated

[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0609
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0611
[7] http://contagiodump.blogspot.com/2009/12/dec-18-adobe-0-day-cve-2009-4324-pdf.html
[8] http://contagiodump.blogspot.ca/2011/03/cve-2011-0609-adobe-flash-player.html

Some samples, however, do not use a registry run key as load point. Some of the more recent samples we observed create a shortcut (i.e., a .LNK file) in the Startup folder with names such as adobe reader speed launch.lnk.

The malware also reads the system's proxy settings for later use in C&C communications:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
ProxyServer

###### C&C Communications

Upon installation, the malware starts communicating with one of its C&C servers. Most of the samples appeared to have at least three C&C servers hard coded for redundancy. The C&C communications are easy to identify, as these tended to be coded in the following predetermined format:

http://[C&C Server]/[ACD][EW]S[Some Numbers].jsp?[Encrypted Base64 Blob]

Here [ACD] stands for one of the letters A, C, or D and [EW] for E or W, so a typical request path looks like AWS12345.jsp. Some samples alternatively use an FGKD.jsp or an FPK.jsp file.

The Base64 blob is of particular interest. It makes use of a custom Base64 alphabet. Once decoded, this blob reveals a standardized structure of the information sent to the registered C&C server, which includes the following details:

- Computer name
- Local IP address
- Proxy server IP and port
- Malware ID

To date, we have seen several custom Base64 alphabets, including the following (note that only the first one as listed contains all 65 symbols of a Base64 table, that is, 64 data symbols plus a padding character; the others contain 64):

- +NO5RZaGHviIjhYq8b4ndQ=p012ySTcCDrs/xPgUz67FM3wemKfkJLBo9VtWXlEuA
- HZa4vjIiGndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu
- j4vpGZaHnIdQ=i012y+N/zPgUO5RSTx67FMhYb8q3wemKckJLBofCDrs9VtWXlEu
- p12kJLBofCDrs9VtWXlEuainyj4vd+=H0GZIQNO5RST/zPgUx67FMhYb8q3wemKc
- aZHGviIj4ndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu
- ZvQIajHi4ndG=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu
- ZaGHviIj4ndQ=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu
- 4HIvZGjaiQdn=p012y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu
- pGIaHnZj0vdQ=i421y+NO5RSY/zMgUx67KPhTb8q3wemFckBLJufWErs9VtCXlDo
- QpaZIivj4ndG=H021y+NO5RST/xPgUz67FMhYq8b3wemKfkJLBocCDrs9VtWXlEu
- pGZaHnIj4vdQ=i012y+NO5RST/zPgUx67FMhYb8q3wemKckJLBofCDrs9VtWXlEu

Some similarities exist across different versions of the Base64 alphabet, which indicates that these are most likely not completely randomly generated. Instead, the attackers manually cut and pasted older versions after altering some parts.

The malware ID seems to be a campaign code, with a different IP address for each attack. Some of the campaign codes we have seen include:

- 19
- [0222]
- [0713]
- [0802]
- [CR1008]
- [CR1031]
- [CZ0312]
- [CZ0913]
- [CZ0921]
- [LY]MAIL_20090923
- [LY]MAIL_20091015
- [LY]MAIL_20091208
- [LY0406]
- [LY0420]
- [LY0816]
- [LY1207]
- [TL1109]
- [WH0827]
- [WH1122]
- [WL1013]
- [WZ1011]
- CRML_0505
- CRML_MIL
- Firebox4
- JUST_0525
- JUST_JP_6080
- KA_1016
- KS_0602
- KSX_0520
- LY_ML0430_30m
- ly0610
- MAIL_20091208
- MAIL_JAP_0220
- MAIL_JAP_0304
- MAIL_JAP_0325
- MAIL_JAP_0407
- MAIL0524
- manufact
- ML_20091223
- ML0419._30m
- ML0623.LINK_10m
- ML0628
- ML_20091216
- ML_20091223
- MW0629
- OM222
- sandbox
- sandbox4
- sandbox6
- success
- UNKNOWN
- wl0711
- ZWJP_KS_1222

It appears that the numbers in the given campaign codes refer to the dates when the campaigns were launched, in "MMDD" format. The letters are possibly related to the target industry or company.

If the malware does not get a response from the C&C server, it chooses another random number after the AWS part of the URL and tries again.

Once connected, the malware waits for the remote server to issue the following commands, which may vary from one version to another (the descriptions are written from the operator's point of view, the victim's machine being the remote end):

- del [parameter]: Allows a remote user to delete files.
- disk [parameter]: Lists all available drives.
- dos [parameter]: Allows a remote user to execute commands via cmd.exe.
- get [parameter]: Allows a remote user to retrieve a file from the victim's machine.
- list [parameter]: Lists files on the victim's machine.
- ls [parameter]: Allows a remote user to display the contents of a directory.
- kill [parameter]: Allows a remote user to terminate processes.
- put [parameter]: Allows a remote user to upload a file to the victim's machine.
- rsh [parameter]: Similar to sh or dos, except that the command is run through an already existing file or shell.
- run [parameter]: Allows a remote user to execute programs.
- sh [parameter]: Allows a remote user to execute commands via cmd.exe.
- sleep [parameter]: Causes the system to sleep for a certain amount of time.

###### Related AES Campaign

We have also been tracking another campaign, which we refer to as the "AES campaign," which appears to be related to IXESHE. The main body of the malware related to the IXESHE campaign can be identified by its connection to a C&C server using a file such as AWS12345.jsp and a custom Base64 blob; the malware associated with the AES campaign operates very similarly. The samples used in the AES campaign slightly differed in terms of C&C communication but had significant similarities with IXESHE malware. The AES samples used the format:

http://[C&C Server]/[ACD]ES[Some Numbers].jsp

Even though the network traffic format of the AES campaign was slightly similar, instead of the more familiar AWS[random].jsp format it used several other file names for certain commands or events, such as:

- AES: Initial beacon.
- DES: Send the path of %systemdir%.
- PES: Send the result of the "put" command.
- SEU: Send the "error" or "invalid" command.
- SUS: Send the system name, which is not encoded, upon receiving the "exit" command.
- ZES: Send the result of the "dos" command.

Another difference in the traffic is that the AWS malware uses the POST method, with the format "http://[C&C Server]/FPK[Some Numbers].jsp?[Base64 Blob]," when the "get" command is invoked. The Base64 blob contains the file specified in the "get" command.

Analysis of the binaries also revealed similarities between the AES and AWS samples. These included the encoding algorithm and the commands used. Even though some commands varied, the format and parameters used essentially remained the same.

##### C&C INFRASTRUCTURE

The majority of the IXESHE campaign's C&C servers were based in Taiwan and the United States.

_Figure 1. Breakdown of C&C servers by country_

This is, however, not an indicator of attribution. It is not possible to determine where the attackers are based solely on where their C&C infrastructures are located. In addition, not all of the C&C servers are currently active. Many, if not all of them, appear to be compromised machines. In fact, at least 11 of the C&C servers were hosted on the compromised machines of an East Asian government, which made these very useful for launching targeted attacks against it.

Most of the malware samples directly accessed an IP address as a C&C server. Connections to domains did exist in some cases. The domains were usually registered using free dynamic DNS service providers or were compromised websites.

Overall, this strategy was part of the attackers' modus operandi. By choosing compromised machines to act as C&C servers, fewer clues were left for investigators to follow in an attempt to find out who is behind the attacks, compared with attackers using bulletproof hosting services and registered domain names. To conduct research on these servers, investigators need to differentiate between information related to malicious and legitimate use.

###### Real C&C Location

One very interesting error revealed more insights into the C&C network's setup. This indicated that the front-end servers actually functioned as proxy servers and that the true C&C servers were hidden behind this initial group of C&C servers. This made the network more resistant to takedown and analysis. Due to a server error, however, the attackers revealed the location of one of their back-end servers. We discovered that the IP address, xx.xx.x2.202, is located in Guangdong, China.

The particular error returned looked very similar to errors generated by a tool called "HTran."[10] HTran stands for "HUC Packet Transmit Tool," a connection bouncer that redirects TCP traffic destined for one host to an alternate host, keeping the real host hidden from view. "HUC," in this case, stands for the hacking group "Honker Union of China." It was coded by a hacker who goes by the handle "lion." This tool's error-checking code, however, is flawed. Assuming that everything works properly, the tool functions very well as a proxy server, but if the real server is currently inaccessible, HTran sends an error message to the client that reveals the real server's address.

Running a port scan on this server revealed the open ports shown in the table below.

|Port|State|Service|
|---|---|---|
|80/tcp|Open|HTTP|
|8080/tcp|Open|HTTP Alternative|
One of the malware samples we tested was designed to access xxx.xxawan.com via port 443, which, at that time, resolved to xx.xxx.114.87:443, a server located in the United States. The sample, however, received the following error message from the server:

[SERVER]connection to xx.xx.x2.202:56413 error

Based on OS fingerprinting, the server appears to be running Windows 7 Enterprise Server. With only a few open ports, however, it was very difficult to confirm this. In addition, we did not receive a response when we tried to connect to these ports.

##### ATTRIBUTION AND UNIQUE FINGERPRINTS

Previous research on the IXESHE campaign indicated several connections to groups possibly from China. In addition, the IP address hiding behind the HTran instance was in an IP range assigned to China.

Upon further investigation of the "manufact" campaign, however, it appears that the gang behind it may be English speakers. The name of the campaign, for one, is most likely a shortened form of "manufacturing." The OS the C&C server uses is also an English install of Microsoft Windows XP. It is also likely, of course, that the C&C server is a compromised machine, so it does not necessarily reflect the attackers' first language.

The malware samples, which appear to have been developed using C++, had a number of strings and error codes in English such as "Enter command" and "Receive command error!"

The date format used in the campaign codes (i.e., MMDD) also provided us a clue as to where the attackers may be from. This date format is only commonly used in China, Korea, Iran, Japan, Hungary, Lithuania, and the United States.

Based on the limited amount of information we gathered about the attackers, it was very difficult to pinpoint their exact location.

###### Unique Fingerprints and Modus Operandi

An attack can be considered associated with the gang behind the IXESHE campaign if it exhibits the following characteristics:

- Uses a specially crafted targeted email with a malicious file attachment
- Uses document exploits, primarily .PDF files, to drop malware into target systems
- Uses malware detected by security vendors as IXESHE variants
- Uses malware that sends a GET request to the C&C server in the following format: http://[C&C Server]/[ACD][EW]S[Some Numbers].jsp?[Encrypted Base64 Blob]
- Uses dynamic DNS services or compromised machines as C&C servers

##### RELATIONSHIPS BETWEEN ATTACK COMPONENTS

_Figure 2. IXESHE targeted campaign #1_

_Figure 3. IXESHE targeted campaign #2_

_Figure 4. IXESHE targeted campaign #3_

_Figure 5. IXESHE targeted campaign #4_

##### TIMELINE

This section lists known incidents exhibiting the same threat actor behaviors, which therefore may be from the same group behind IXESHE, dating back as far as July 2009. With the exception of the samples described in ContagioDump, the dates for other samples refer to when the respective sandboxes saw them for the first time. As such, these dates should be considered "at least by" dates and not the actual date of the attack.

- 15 October 2009
  - PDF name/Subject hook: 中共二炮部隊導彈之發展 (Development of the missiles of the PRC's Second Artillery Corps)
  - MD5: 16a9f340c0d353332ba6f525376c93e1
  - C&C: xxxxxupsenter.byinter.net
  - Info: http://contagiodump.blogspot.com/2009/12/oct-15-2009-attack-of-day-development.html
  - Campaign code: [LY]MAIL_20091015
- 18 December 2009
  - PDF name/Subject hook: 女兵脫衣比中指 拍照PO上網 (Female soldiers strip and give the finger, photos posted online)
  - MD5: 8950bbedf4a7f1d518e859f9800f9347
  - C&C: xxxxxfo.athersite.com
  - Info: http://contagiodump.blogspot.com/2009/12/dec-18-adobe-0-day-cve-2009-4324-pdf.html
  - Campaign code: ML_20091216
- 28 December 2009
  - PDF name/Subject hook: Consumer Welfare Table
  - MD5: c61c231d93d3bd690dd04b6de7350abb
  - C&C: xxx.xx6.148.42 or xxx.xx6.202.49
  - Info: http://contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html
  - Campaign code: ML_20091223
- 26 April 2010
  - PDF name/Subject hook: [研討會]開南大學公共事務管理學系第五屆「全球化與行政治理」國際學術研討會 ([Seminar] Kainan University Department of Public Affairs Management, fifth "Globalization and Administrative Governance" international academic conference)
  - MD5: 58de08c1155a775b760049dff3f5abe4
  - C&C: xxx.x.x5.26
  - Info: http://contagiodump.blogspot.com/2010/04/apr-26-cve-2009-4324-w-low-detection.html
  - Campaign code: ML0419._30m
- 6 May 2010
  - PDF name/Subject hook: 蔡政文教授七十華誕系列活動簡報 (Briefing on the series of events for Professor Tsai Cheng-wen's 70th birthday)
  - MD5: d80eb21cfe8ad1a710c8652b13f8b7ac
  - C&C: xxx.xx9.124.13
  - Info: http://contagiodump.blogspot.com/2010/05/may-6-cve-2010-0188-pdf-birthday.html
  - Campaign code: LY_ML0430_30m
- 10 May 2010
  - XLS name/Subject hook: 99下半年國防工業評鑑日期表 (Schedule of defense industry evaluations, second half of year 99)
  - MD5: d4b98bda9c3ae0810a61f95863f4f81e
  - C&C: xxxxx.compreautos.com.br
  - Info: http://contagiodump.blogspot.com/2010/06/may-10-cve-2009-3129-xls-schedule-of.html
  - Campaign code: CRML_0505
- 8 June 2010
  - XLS name/Subject hook: 天安艦後的朝鮮半島新局勢 (The new situation on the Korean Peninsula after the Cheonan incident)
  - MD5: 100cf902ac31766f7d8a521eeb6f8d68
  - C&C: xxx.xx.187.130
  - Info: http://contagiodump.blogspot.com/2010/06/jun-8-cve-2009-4324-korean-peninsula.html
  - Campaign code: MAIL0524
- 27 June 2010
  - PDF name/Subject hook: Discussion on Cross-Strait Maritime Cooperation
  - MD5: 6e14c7a424c2eef7f37810ff65650837
  - C&C: xxx.xx.128.71
  - Info: http://contagiodump.blogspot.com/2010/07/jun-27-cve-2009-0927-pdf-discussion-on.html
  - Campaign code: ML0628
- 1 July 2010
  - PDF name/Subject hook: 第五次江陳會談成果記者會本會賴主委講話稿 (Chairperson Lai's remarks at the press conference on the results of the fifth Chiang-Chen talks)
  - MD5: 949265ee1d3e587152a23311a85b3be9
  - C&C: xxx.xx.128.71
  - Info: http://contagiodump.blogspot.com/2010/07/jul-01-cve-2009-4324-results-of-press.html
  - Campaign code: ML0628
- 28 July 2010
  - PDF name/Subject hook: Summary of Network Intelligence
  - MD5: 738af108a6edd46536492b1782589a04
  - C&C: xxx.xx6.54.189
  - Info: http://contagiodump.blogspot.com/2010/08/jul-28-cve-2009-4324-pdf-990729-romance.html
  - Campaign code: [0713]
- 16 August 2010
  - PDF name/Subject hook: Communist China Removes Missiles
  - MD5: 6227e1594775773a182e1b631db5f6bb
  - C&C: xxxxxck.dnsrd.com or xxx.xx6.34.94 (appears to be a compromised computer of an East Asian university)
  - Info: http://contagiodump.blogspot.com/2010/08/cve-2009-4324-cve-2010-1297-communist.html
  - Campaign code: [0802]
- 17 August 2010
  - PDF name/Subject hook: [Unknown]
  - MD5: 36ee61663fc41496642850c4293fed01
  - C&C: xxxxxck.dnsrd.com or xxx.xx6.34.94 (appears to be a compromised computer of an East Asian university)
  - Info: http://www.threatexpert.com/report.aspx?md5=36ee61663fc41496642850c4293fed01
  - Campaign code: [0802]
- 27 September 2010
  - PDF name/Subject hook: [Unknown]
  - MD5: 313158192d4442013f7bedeb9def01ec
  - C&C: xx.xx.x3.102
  - Info: http://www.threatexpert.com/report.aspx?md5=313158192d4442013f7bedeb9def01ec
  - Campaign code: [WH0827]
- 22 February 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: cd0eb6634ea684313389ddce553a6130
  - C&C: xxx.xx.228.58
  - Info: http://xml.ssdsandbox.net/view/cd0eb6634ea684313389ddce553a6130
  - Campaign code: [0222]
- 17 March 2011
  - XLS name/Subject hook: Japan Nuclear Radiation Leakage and Vulnerability Analysis
  - MD5: 7ca4ab177f480503653702b33366111f
  - C&C: xx.xxx.114.44
  - Info: http://contagiodump.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html
- 10 April 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: 711542d883f8fca4aeac62ee1b7df6ca
  - C&C: xx.xx.x0.244
  - Info: http://www.threatexpert.com/report.aspx?md5=711542d883f8fca4aeac62ee1b7df6ca
  - Campaign code: [LY0406]
- 20 April 2011
  - PDF name/Subject hook: China's Charm Diplomacy in BRICS Summit
  - MD5: ae39b747e4fe72dce6e5cdc6d0314c02
  - C&C: xx.xx.x9.165
  - Info: http://contagiodump.blogspot.com/2011/04/apr-20-cve-2011-0611-pdf-swf-chinas.html
  - Campaign code: [Removed due to privacy concerns]
- 20 April 2011
  - PDF name/Subject hook: The Obama Administration and the Middle East
  - MD5: 2368a8f55ee78d844896f05f94866b07
  - C&C: xx.xx.x9.165
  - Info: http://contagiodump.blogspot.com/2011/04/apr-20-cve-2011-0611-pdf-swf-chinas.html
  - Campaign code: [Removed due to privacy concerns]
- 20 April 2011
  - PDF name/Subject hook: Russia's profit from general NATO disunity
  - MD5: 4065b98fdcb17a081759061306239c8b
  - C&C: xx.xx.x9.165
  - Info: http://contagiodump.blogspot.com/2011/04/apr-20-cve-2011-0611-pdf-swf-chinas.html
  - Campaign code: [Removed due to privacy concerns]
- 22 April 2011
  - PDF name/Subject hook: Marshall Plan for the North Africa
  - MD5: 6d5fb801b890bfa7cc737c018e87e456
  - C&C: xx.xx.x9.165
  - Info: http://contagiodump.blogspot.com/2011/04/apr-22-cve-2011-0611-pdf-swf-marshall.html
  - Campaign code: [Removed due to privacy concerns]
- 28 April 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: 14bf72167b4e801da205ecf9c0c55f9b
  - C&C: xx.xx.x33.2
  - Info: http://xml.ssdsandbox.net/view/14bf72167b4e801da205ecf9c0c55f9b
  - Campaign code: [LY0420]
- 1 June 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: 6ee4e08e6ab51208757fdc41d0e72846
  - C&C: xxxxxain.qpoe.com
  - Info: http://www.threatexpert.com/report.aspx?md5=6ee4e08e6ab51208757fdc41d0e72846
  - Campaign code: [LY]MAIL_20090923
- 9 June 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: 10f193f825ada183fcfd067434ca269e
  - C&C: xxxxxfo.AtHerSite.com
  - Info: http://www.threatexpert.com/report.aspx?md5=10f193f825ada183fcfd067434ca269e
  - Campaign code: [LY]MAIL_20091208
- 21 September 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: 32522cdc17a145486e26f35bdd524e7e
  - C&C: xxx.xx0.139.67
  - Info: http://www.threatexpert.com/report.aspx?md5=32522cdc17a145486e26f35bdd524e7e
  - Campaign code: [LY0816]
- 12 October 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: 8718ab5c1683a69c4e6092fdcb32cfa2
  - C&C: xxx.xx0.63.1
  - Info: http://www.malware-control.com/statics-pages/8718ab5c1683a69c4e6092fdcb32cfa2.php
  - Campaign code: [CZ0921]
- 19 October 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: 80dad66d6224d18babd9ada4a26aee75
  - C&C: xx.xxx.21.41 or king.pirat3.com
  - Info: http://xml.ssdsandbox.net/view/80dad66d6224d18babd9ada4a26aee75
  - Campaign code: [WZ1011]
- 26 October 2011
  - PDF name/Subject hook: The Future Redefined 2011 AOEC CEO Summit
  - MD5: 3d91d9df315ffeb9bb1c774452b3114b
  - C&C: xxx.xxawan.com or xxx.xx4.230.120
  - Info: http://www.kahusecurity.com/2011/apec-spearphish-2/
  - Campaign code: 19
- 3 November 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: E25DBA0556124D7874D8416DE291CFE2
  - C&C: xxxxxfo.sdti.tw or xxx.xx2.246.110
  - Info: http://www.threatexpert.com/report.aspx?md5=e25dba0556124d7874d8416de291cfe2
  - Campaign code: [CR1031]
- 15 November 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: 829b78f1d1e74c2c5343a0aebb51f519
  - C&C: xxxxxaga.chickenkiller.com
  - Info: http://www.threatexpert.com/report.aspx?md5=829b78f1d1e74c2c5343a0aebb51f519
  - Campaign code: [TL1109]
- 22 November 2011
  - PDF name/Subject hook: [Unknown]
  - MD5: c4a05230a898d91b30c88d52b3f069b3
  - C&C: xxx.xx6.54.150 or xxxxx.ItemDB.com
  - Info: http://www.threatexpert.com/report.aspx?md5=c4a05230a898d91b30c88d52b3f069b3
  - Campaign code: [WH1122]

##### CONCLUSION

The IXESHE campaign has been successfully executing targeted attacks since 2009. The attackers primarily use malicious .PDF files that exploit vulnerabilities in Adobe Reader, Acrobat, and Flash Player, including the use of two zero-day exploits: one in 2009 and another in 2011. While the attackers primarily targeted East Asian governments in the past, they have also started targeting a telecommunications company and electronics manufacturers. They kept track of their targeted attacks by embedding a "campaign tag" in the malware that appears to describe when each attack was launched and, in some cases, the nature of its target. We found more than 40 of these campaign tags.

The IXESHE attackers are notable for their use of compromised machines within a target's internal network as C&C servers. This helped disguise their activities. In addition, the attackers' use of the proxy tool HTran also helped mask their true location. While their identities remain unknown, the attackers behind the IXESHE campaign demonstrated that they were both determined and capable. While the malware used in the attacks was not very complicated by nature, it proved very effective. This campaign remains an active threat.

##### DEFENDING AGAINST APTS

Sufficiently motivated threat actors can penetrate even networks that use moderately advanced security measures. As such, apart from standard and relevant attack prevention measures and mechanisms such as solid patch management, endpoint and network security, firewall use, and the like, enterprises should also focus on detecting and mitigating attacks. Moreover, data loss prevention (DLP) strategies that identify the data an organization is protecting and take into account the context of data use should be employed.

###### Local and External Threat Intelligence

Threat intelligence refers to indicators that can be used to identify the tools, tactics, and procedures threat actors engaging in targeted attacks utilize. Both external and local threat intelligence is crucial for developing the ability to detect attacks early. The following are the core components of this defense strategy:

- Enhanced visibility: Logs from endpoint, server, and network monitoring are an important and often underused resource. Aggregated, they provide a view of the activities within an organization that can be processed for anomalous behaviors that may indicate a targeted attack.
- Integrity checks: In order to maintain persistence, malware will make modifications to the file system and registry. Monitoring such changes can indicate the presence of malware.
- Empowering the human analyst: Humans are best positioned to identify anomalous behaviors when presented with a view of aggregated logs from across a network. This information is used in conjunction with custom alerts based on the local and external threat intelligence available.

Technologies available today such as Deep Discovery provide visibility, insight, and control over networks to defend against targeted threats.[11] Deep Discovery detects and identifies evasive threats in real time and provides in-depth analysis and actionable intelligence to prevent, discover, and reduce risks.

###### Mitigation and Cleanup Strategy

Once an attack is identified, the cleanup strategy should focus on the following objectives:

###### Data-Centric Protection Strategy

The ultimate objective of targeted attacks is to acquire sensitive data.
As such, DLP strategies that focus on identifying and protecting confidential information are - Determine the attack vector and cut off critical. Enhanced data protection and visibility across communications with the C&C server. an enterprise provides the ability to control access to sensitive data as well as monitor and log successful and - Determine the scope of the compromise. unsuccessful attempts to access it. Enhanced access control and logging capabilities allow security analysts to - Assess the damage by analyzing the data and forensic locate and investigate anomalies, respond to incidents, and artifacts available on compromised machines. initiate remediation strategies and damage assessment. Remediation should be applied soon afterward, which includes steps to fortify affected servers, machines, or devices into secure states, informed in part by how the compromised machines were infiltrated. ###### Educating Employees Against Social Engineering Security-related policies and procedures combined with education and training programs are essential components of defense. Traditional training methods can be fortified by simulations and exercises using real spear-phishing attempts sent to test employees. Employees trained to expect targeted attacks are better positioned to report potential threats and constitute an important source of threat intelligence. ----- |Attack Component|Protection Technology|Trend Micro Solution| |---|---|---| |Predetermined C&C communication format: http://[C&C Server]/ [ACD] [EW]S[Some Numbers]. 
jsp?[Encrypted Base64 Blob]|Web Reputation|Endpoint (Titanium, Worry-Free Business Security, OfficeScan) Server (Deep Security) Messaging (InterScan Messaging Security, ScanMail Suite for Microsoft Exchange) Network (Deep Discovery) Gateway (InterScan Web Security, InterScan Messaging Security) Mobile (Mobile Security)| |TROJ_PIDIEF, BKDR_PROXY, TROJ_ DROPR, and TROJ_DEMTRANC variants|File Reputation (Antivirus/Anti-malware)|Endpoint (Titanium, Worry-Free Business Security, OfficeScan) Server (Deep Security) Messaging (InterScan Messaging Security, ScanMail Suite for Microsoft Exchange) Network (Deep Discovery) Gateway (InterScan Web Security, InterScan Messaging Security) Mobile (Mobile Security)| |CVE-2009-4324 CVE-2009-0927 CVE-2011-0609 CVE-2011-0611 CVE-2009-3129|Vulnerability Shielding/Virtual Patching|Server (Deep Security) Endpoint (OfficeScan with Intrusion Defense Firewall Plug-In) For CVE-2009-4324: • Rule #1004008 (Adobe Reader and Acrobat ‘newplayer()’ JavaScript Method Code Execution) For CVE-2009-0927: • Rule # 1003405 (Adobe Acrobat JavaScript getIcon Method Buffer Overflow) For CVE-2011-0609: • Rule #1004615 (Adobe Flash Player XLS Remote Code Execution) For CVE-2011-0611: • Rule # 1004647 (Restrict Microsoft Office File with Embedded SWF) For CVE-2009-3129: • Rule #1003817 (Excel Featheader Record Memory Corruption Vulnerability)| ##### TREND MICRO THREAT PROTECTION AGAINST IXESHE CAMPAIGN COMPONENTS The following table summarizes the Trend Micro solutions for the components of the IXESHE campaign. Trend Micro recommends a comprehensive security risk management strategy that goes further than advanced protection to meet the real-time threat management requirements of dealing with targeted attacks. Attack Component Protection Technology Trend Micro Solution Predetermined C&C communication Web Reputation Endpoint (Titanium, Worry-Free Business format: _Security, OfficeScan)_ http://[C&C Server]/ Server (Deep Security) [ACD] [EW]S[Some Numbers]. 
Messaging (InterScan Messaging Security, jsp?[Encrypted Base64 Blob] _ScanMail Suite for Microsoft Exchange)_ Network (Deep Discovery) Gateway (InterScan Web Security, _InterScan Messaging Security)_ Mobile (Mobile Security) TROJ_PIDIEF, BKDR_PROXY, TROJ_ File Reputation Endpoint (Titanium, Worry-Free Business DROPR, and TROJ_DEMTRANC variants (Antivirus/Anti-malware) _Security, OfficeScan)_ Server (Deep Security) Messaging (InterScan Messaging Security, _ScanMail Suite for Microsoft Exchange)_ Network (Deep Discovery) Gateway (InterScan Web Security, _InterScan Messaging Security)_ Mobile (Mobile Security) _CVE-2009-4324_ Vulnerability Shielding/Virtual Patching Server (Deep Security) _CVE-2009-0927_ Endpoint (OfficeScan with Intrusion _CVE-2011-0609_ _Defense Firewall Plug-In)_ _CVE-2011-0611_ For CVE-2009-4324: _CVE-2009-3129_ - Rule #1004008 (Adobe Reader and _Acrobat ‘newplayer()’ JavaScript_ Method Code Execution) For CVE-2009-0927: - Rule # 1003405 (Adobe Acrobat JavaScript getIcon Method Buffer Overflow) For CVE-2011-0609: - Rule #1004615 (Adobe Flash Player XLS Remote Code Execution) For CVE-2011-0611: - Rule # 1004647 (Restrict Microsoft _Office File with Embedded SWF)_ For CVE-2009-3129: - Rule #1003817 (Excel Featheader Record Memory Corruption Vulnerability) ----- |Attack Component|Protection Technology|Trend Micro Solution| |---|---|---| |xxx.x.x87.206 xxx.xx2.36.5 xxx.xx6.129.228 xxx.xx0.139.67 xxx.xx.39.184 xx.xxx.12.18 xxx.xxrver.us xxx.xxt-alice.de xxxxxbaby.mooo.com xxxxxlic.yahoobigdeals.com xx.xx.x1.252 xxx.xx.228.58 xxx.xx.183.86 xxx.xx.128.71 xxx.xx.13.148 xxx.xx5.243.44 xxx.xx2.216.5 xxx.xx.151.190 xxx.xx.63.113 xxx.xx.58.110 xxx.xx.111.151 xxx.xx6.54.150 xxx.xx4.230.120 xxx.xx0.139.67 xxx.xx2.246.110 xx.xxx.223.3 xx.xx.x3.102 xx.xx.x9.165 xx.xx.x0.244 xx.xx.x33.2 xxxxxa.2waky.com xxx.xxawan.com xxxxxmic.dyndns-wiki.com xxxxxain.qpoe.com xxx.xxrver.us xxxxxfo.AtHerSite.com xxxxxem.passingg.as xxx.xxset.com xxxxx.dnset.com xxxx.xirat3.com 
xxxxxaga.chickenkiller.com xxxxx.otzo.com xxxxxck.dnsrd.com xxxxx.portrelay.com xxxxx.FindHere.org|Web, Domain, and IP Reputation|Endpoint (Titanium, Worry-Free Business Security, OfficeScan) Server (Deep Security) Messaging (InterScan Messaging Security, ScanMail Suite for Microsoft Exchange) Network (Deep Discovery) Gateway (InterScan Web Security, InterScan Messaging Security) Mobile (Mobile Security)| Attack Component Protection Technology Trend Micro Solution _xxx.x.x87.206_ Web, Domain, and IP Reputation Endpoint (Titanium, Worry-Free Business _xxx.xx2.36.5_ _Security, OfficeScan)_ _xxx.xx6.129.228_ Server (Deep Security) _xxx.xx0.139.67_ Messaging (InterScan Messaging Security, _xxx.xx.39.184_ _ScanMail Suite for Microsoft Exchange)_ _xx.xxx.12.18_ Network (Deep Discovery) _xxx.xxrver.us_ Gateway (InterScan Web Security, _xxx.xxt-alice.de_ _InterScan Messaging Security)_ _xxxxxbaby.mooo.com_ Mobile (Mobile Security) _xxxxxlic.yahoobigdeals.com_ _xx.xx.x1.252_ _xxx.xx.228.58_ _xxx.xx.183.86_ _xxx.xx.128.71_ _xxx.xx.13.148_ _xxx.xx5.243.44_ _xxx.xx2.216.5_ _xxx.xx.151.190_ _xxx.xx.63.113_ _xxx.xx.58.110_ _xxx.xx.111.151_ _xxx.xx6.54.150_ _xxx.xx4.230.120_ _xxx.xx0.139.67_ _xxx.xx2.246.110_ _xx.xxx.223.3_ _xx.xx.x3.102_ _xx.xx.x9.165_ _xx.xx.x0.244_ _xx.xx.x33.2_ _xxxxxa.2waky.com_ _xxx.xxawan.com_ _xxxxxmic.dyndns-wiki.com_ _xxxxxain.qpoe.com_ _xxx.xxrver.us_ _xxxxxfo.AtHerSite.com_ _xxxxxem.passingg.as_ _xxx.xxset.com_ _xxxxx.dnset.com_ _xxxx.xirat3.com_ _xxxxxaga.chickenkiller.com_ _xxxxx.otzo.com_ _xxxxxck.dnsrd.com_ _xxxxx.portrelay.com_ _xxxxx.FindHere.org_ ----- Unlike indiscriminate cybercrime attacks, spam, web threats, and the like, APTs are much harder to detect because of the targeted nature of related components and techniques. Also, while cybercrime focuses on stealing credit card and banking information to gain profit, APTs are better thought of as cyber espionage. ## IXESHE #### • First Seen Individual targeted attacks are not one-off attempts. 
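The Conclusion states that the campaign tag embedded in each sample "appears to describe when each attack was launched". The appendix above gives enough data to check that reading. The following script is an added example, not code from the paper: it decodes the bracketed tags (two letters followed by four digits, read here as MMDD with the year taken from the sample's observation date, which is this example's assumption), decodes the `[XX]MAIL_YYYYMMDD` form on the same assumption, and reports how many days the encoded date precedes the date each sample appeared. The sample table is transcribed from the appendix (observation date, MD5, campaign code); the uppercase MD5 is lowercased.

```python
"""Decode IXESHE campaign tags and compare the date each one encodes with the
date the sample was first observed.

Added example; not code from the Trend Micro paper. Reading the four digits of
tags such as LY0420 or WH1122 as MMDD, with the year taken from the
observation date, is this example's assumption; "[XX]MAIL_YYYYMMDD" tags are
decoded on the same assumption. SAMPLES is transcribed from the paper's
appendix (observation date, MD5, campaign code).
"""
import re
from datetime import date

BRACKET_TAG = re.compile(r"^\[(?P<prefix>[A-Z]{2})(?P<mm>\d{2})(?P<dd>\d{2})\]$")
MAIL_TAG = re.compile(
    r"^\[(?P<prefix>[A-Z]{2})\]MAIL_(?P<yyyy>\d{4})(?P<mm>\d{2})(?P<dd>\d{2})$")

SAMPLES = [
    (date(2011, 4, 28), "14bf72167b4e801da205ecf9c0c55f9b", "[LY0420]"),
    (date(2011, 6, 1), "6ee4e08e6ab51208757fdc41d0e72846", "[LY]MAIL_20090923"),
    (date(2011, 6, 9), "10f193f825ada183fcfd067434ca269e", "[LY]MAIL_20091208"),
    (date(2011, 9, 21), "32522cdc17a145486e26f35bdd524e7e", "[LY0816]"),
    (date(2011, 10, 12), "8718ab5c1683a69c4e6092fdcb32cfa2", "[CZ0921]"),
    (date(2011, 10, 19), "80dad66d6224d18babd9ada4a26aee75", "[WZ1011]"),
    (date(2011, 10, 26), "3d91d9df315ffeb9bb1c774452b3114b", "19"),
    (date(2011, 11, 3), "e25dba0556124d7874d8416de291cfe2", "[CR1031]"),
    (date(2011, 11, 15), "829b78f1d1e74c2c5343a0aebb51f519", "[TL1109]"),
    (date(2011, 11, 22), "c4a05230a898d91b30c88d52b3f069b3", "[WH1122]"),
]


def parse_tag(tag, seen):
    """Return (scheme, prefix, encoded_date); scheme is 'bracket', 'mail' or None.

    encoded_date is None when the digits do not form a valid calendar date.
    """
    m = BRACKET_TAG.match(tag)
    if m:
        try:
            return "bracket", m["prefix"], date(seen.year, int(m["mm"]), int(m["dd"]))
        except ValueError:
            return "bracket", m["prefix"], None
    m = MAIL_TAG.match(tag)
    if m:
        try:
            return "mail", m["prefix"], date(int(m["yyyy"]), int(m["mm"]), int(m["dd"]))
        except ValueError:
            return "mail", m["prefix"], None
    return None, None, None


def tag_lag_days(samples=SAMPLES):
    """Map MD5 -> (scheme, prefix, days from the encoded date to first observation)."""
    out = {}
    for seen, md5, tag in samples:
        scheme, prefix, encoded = parse_tag(tag, seen)
        lag = (seen - encoded).days if encoded else None
        out[md5] = (scheme, prefix, lag)
    return out


def lag_range(lags, scheme="bracket"):
    """(min, max) lag in days over samples of one tag scheme, or None if none decoded."""
    days = [lag for s, _, lag in lags.values() if s == scheme and lag is not None]
    return (min(days), max(days)) if days else None


if __name__ == "__main__":
    lags = tag_lag_days()
    for md5, (scheme, prefix, lag) in lags.items():
        print(f"{md5}  {scheme or '-':8} {prefix or '-':3} lag={lag}")
    print("bracket-tag lag range (days):", lag_range(lags))
    print("MAIL_-tag lag range (days):", lag_range(lags, "mail"))
```

On the appendix data the bracketed tags encode a date 0 to 36 days before the sample was publicly reported, which is consistent with the paper's reading of them as launch dates. The two `MAIL_` tags encode dates from 2009, roughly a year and a half before their samples were seen, so they are presumably a different naming scheme or reused builds; the script keeps them apart rather than folding them into the same statistic. The tag "19" does not fit either form and is reported as undecodable.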
Unlike indiscriminate cybercrime attacks, spam, web threats, and the like, APTs are much harder to detect because of the targeted nature of related components and techniques. Also, while cybercrime focuses on stealing credit card and banking information to gain profit, APTs are better thought of as cyber espionage.

## IXESHE

#### • First Seen

Individual targeted attacks are not one-off attempts. Attackers continually try to get inside the target's network. The IXESHE campaign has been actively staging targeted attacks since at least July 2009.

#### • Victims and Targets

APT campaigns target specific industries or communities of interest in specific regions. IXESHE has been found to target electronics manufacturers, a German telecommunications company, and East Asian governments.

#### • Operations

The attackers used either dynamic Domain Name System (DNS) or compromised servers hosted on networks that they had previously infiltrated.

#### • Possible Indicators of Compromise

Attackers want to remain undetected as long as possible. A key characteristic of these attacks is stealth.

- Enters networks via a specially crafted, targeted email with a malicious file attachment
- Uses document exploits (primarily PDF exploits) to drop malware onto target systems
- Uses malware detected as IXESHE by security companies
- Sends a GET request to the command-and-control (C&C) server with the format: http://[C&C Server]/[ACD][EW]S[Some Numbers].jsp?[Encrypted Base64 Blob]
- The campaign codes we have seen so far are detailed in the Trend Micro research paper, "IXESHE: An APT Campaign."

The characteristics highlighted in this APT campaign quick profile reflect the results of our investigation as of May 2012.

##### TREND MICRO INC.

Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years' experience, we deliver top-ranked client, server and cloud-based security that fits our customers' and partners' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro™ Smart Protection Network™ cloud computing security infrastructure, our products and services stop threats where they emerge—from the Internet. They are supported by 1,000+ threat intelligence experts around the globe.

TREND MICRO™
10101 N. De Anza Blvd.
Cupertino, CA 95014
U.S. toll free: 1 +800.228.5651
Phone: 1 +408.257.1500
Fax: 1 +408.257.2003
www.trendmicro.com
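The quick profile above lists the beacon format `http://[C&C Server]/[ACD][EW]S[Some Numbers].jsp?[Encrypted Base64 Blob]` as an indicator of compromise, and the paper stresses that IXESHE C&C servers are often compromised hosts inside the victim's own network. A detection therefore has to key on the request shape, not on the destination, and must run over internal web and proxy logs as well as egress logs. The script below is an added example, not code from the paper or from any Trend Micro product: it renders the format as a regular expression (the assumption that the blob uses the standard Base64 alphabet is ours), scans log lines, and flags rather than discards hits whose destination is an RFC 1918 address or an internal DNS suffix. The log format, the `.corp.example` suffix and every host, client address and URL in `SAMPLE_LOG` are constructed for the example; none is a real indicator.

```python
"""Flag web-proxy log lines whose URL matches the IXESHE beacon format
http://[C&C Server]/[ACD][EW]S[Some Numbers].jsp?[Encrypted Base64 Blob].

Added example; not code from the Trend Micro paper or any Trend Micro product.
The regular expressions are this example's rendering of the format as the
paper states it; assuming the query blob uses the standard Base64 alphabet is
ours. The log format, the internal DNS suffix and every host, client address
and URL in SAMPLE_LOG are constructed for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Path: one of A/C/D, one of E/W, a literal S, digits, ".jsp".
C2_PATH = re.compile(r"^/(?P<flag1>[ACD])(?P<flag2>[EW])S(?P<num>\d+)\.jsp$")
# Query: a bare Base64 blob with no key=value structure (assumed alphabet).
C2_QUERY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumed internal DNS suffix. The paper notes C&C servers are often compromised
# hosts inside the victim's network, so internal destinations are flagged, not dropped.
INTERNAL_SUFFIXES = (".corp.example",)


def is_internal(host):
    """True for RFC 1918/loopback IP literals or hosts under an internal suffix."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)


def match_c2_url(url):
    """Return the decoded beacon fields if url fits the format, otherwise None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    m = C2_PATH.match(parts.path)
    if not m or not C2_QUERY.match(parts.query):
        return None
    return {"host": parts.hostname, "flags": m["flag1"] + m["flag2"],
            "num": int(m["num"]), "blob": parts.query}


def scan_log(lines):
    """Return one dict per matching GET line, with the destination's locality flagged."""
    hits = []
    for line in lines:
        lm = LOG_RE.match(line.strip())
        if not lm:
            continue  # line does not fit the constructed format
        ts, client, method, url, _status = lm.groups()
        if method != "GET":
            continue  # the paper describes the beacon as a GET request
        fields = match_c2_url(url)
        if fields:
            fields.update(ts=ts, client=client, internal_c2=is_internal(fields["host"]))
            hits.append(fields)
    return hits


SAMPLE_LOG = [  # constructed lines; the first, third and last should match
    "2012-05-14T08:02:11Z 10.20.3.44 GET http://files.corp.example/AES2210.jsp?YWJjZGVmZ2hpamtsbW5vcA== 200",
    "2012-05-14T08:02:15Z 10.20.3.44 GET http://www.example.com/index.jsp?id=7 200",
    "2012-05-14T08:03:02Z 10.20.3.51 GET http://cdn-mirror.example.net/DWS77.jsp?c2VjcmV0ZGF0YQ 200",
    "2012-05-14T08:03:09Z 10.20.3.51 GET http://www.example.org/BWS12.jsp?YWJj 404",
    "2012-05-14T08:04:40Z 10.20.3.60 POST http://files.corp.example/AES2210.jsp?YWJj 200",
    "2012-05-14T08:05:01Z 10.20.3.60 GET http://host.example.net/AES5.jsp?id=YWJj 200",
    "2012-05-14T08:05:30Z 10.20.3.61 GET http://10.9.8.7/CES3.jsp?bm90IHJlYWwgZGF0YQ== 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        where = "INTERNAL" if hit["internal_c2"] else "external"
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} [{where}] "
              f"flags={hit['flags']} num={hit['num']} blob={hit['blob'][:12]}...")
```

Two of the three hits in the constructed log go to internal destinations, which is exactly the traffic an egress-only rule or a destination reputation list would never see. The negative lines show the checks that keep the pattern tight: a first letter outside `[ACD]`, a `key=value` query, or a non-GET method is rejected. Rather than the beacon shape, a reputation feed of the masked C&C addresses in the table above would be the complementary control; this example covers only the request format.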