Feed aggregator

Tic Tac Toe with a twist

Secure List feed for B2B - Fri, 10/10/2014 - 05:00

UPDATE / OCT, 15.

Further to this blog post, which describes the malicious functions of a mobile Trojan camouflaged as the TicTacToe game app, the Lacoon Mobile Security company stated that TicTacToe was developed by them as a proof-of-concept.

Kaspersky Lab would like to reiterate that, as a security company, we detect all forms of malicious program, regardless of their origin or purpose. We received the samples through malware exchange with other antivirus companies, and they were not marked as a proof-of-concept at that time. We saw several potentially malicious functions in this app, and a thorough analysis of TicTacToe revealed that the game code accounted for less than 30% of the executable file's size. The rest appeared to be functionality for monitoring the user and obtaining personal data. It is for this reason that we began the investigation and reported the incident to the public.

We respect and support other security companies who aspire to the development of mobile technologies, but we also believe that proof-of-concept programs should be marked clearly and shouldn't demonstrate fully-operational functions, to avoid situations where malicious users replicate the techniques.

Attempts by cybercriminals to disguise malware as useful applications are so common as to be unremarkable. However, the developers of Gomal, a new mobile Trojan, not only achieved a new level of camouflage by adding a Tic Tac Toe game to their malicious program, but also implemented interesting techniques which are new to this kind of malware.

It all started with a Tic Tac Toe game being sent to us for analysis. At first glance, the app looked quite harmless:

However, the list of permissions requested by the game made us wonder. Why would it need to access the Internet, the user's contacts and the SMS archive or to be able to process calls and record sound? We analyzed the 'game' and it turned out to be a piece of multi-purpose spyware. The malicious app is now detected by Kaspersky Lab products as Trojan-Spy.AndroidOS.Gomal.a.

A thorough analysis of the malicious program showed that the game code accounts for less than 30% of the executable file's size. The rest is functionality for spying on the user and stealing personal data.

Game code is marked in green, malicious functionality – in red

What does this functionality include? First and foremost, the malware has sound recording functions, which are now standard for mobile spyware:

It also has SMS-stealing functionality:

In addition, the Trojan collects information about the device and sends all the data collected to its masters' server. But Trojan-Spy.AndroidOS.Gomal.a has something really curious up its sleeve – a package of interesting libraries distributed with it.

The package includes an exploit used to obtain root privileges on the Android device. The extended privileges give the app access to various services provided by Linux (the operating system on which Android is based), including the ability to read process memory and /maps.

After obtaining root access, the Trojan gets down to work. For example, it steals emails from Good for Enterprise, if the app is installed on the smartphone. The application is positioned as a secure email client for corporate use, so the theft of data from it can mean serious problems for the company where the owner of the device works. In order to attack Good for Enterprise, the Trojan uses the console to get the ID of the relevant process (the ps command) and reads the virtual file /proc/ /maps. The file contains information about the memory blocks allocated to the application.

After getting the list of memory blocks, the malware finds the block [heap] containing the application's string data and creates its dump using one more library from its package. Next, the dump file created is searched for signatures characteristic of emails and the messages found are sent to the cybercriminals' server.

Gomal also steals data from logcat, the logging service built into Android that is used for application debugging. Developers very often have their applications outputting critically important data to logcat even after the apps have been released. This enables the Trojan to steal even more confidential data from other programs.

As a result, the seemingly harmless game of Tic Tac Toe gives cybercriminals access to an enormous amount of the user's personal data and corporate data belonging to their employer. The techniques used by Gomal were originally implemented in Windows Trojans, but now, as we can see, they have moved on to Android malware. And, most dangerously, the principles upon which this technique is based can be used to steal data from applications other than Good for Enterprise. It is likely that a range of mobile malware designed to attack popular email clients, messengers and other programs will appear in the near future.

To reduce the risk of infection by mobile malware we recommend that users:
  • Do not activate the "Install applications from third-party sources" option
  • Only install applications from official channels (Google Play, Amazon Store, etc.)
  • When installing new apps, carefully study which rights they request
  • If the requested rights do not correspond with the app's intended functions, do not install the app
  • Use protection software
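
The permission mismatch that gave Gomal away (a game asking for the Internet, contacts, SMS, call processing and sound recording) can be checked mechanically before an app is installed. The following added example is not code from the article or from the Trojan; it parses a constructed AndroidManifest.xml modelled on the permission set described above and flags sensitive permissions that the app's stated purpose does not justify.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read or monitor user data. A stand-alone
# game has no reason to hold any of them.
SENSITIVE = {
    "android.permission.READ_SMS": "read the SMS archive",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.RECORD_AUDIO": "record sound",
    "android.permission.PROCESS_OUTGOING_CALLS": "process outgoing calls",
    "android.permission.READ_CALL_LOG": "read the call log",
    "android.permission.READ_LOGS": "read logcat output of other apps",
}

# Constructed manifest modelled on the permissions the article lists;
# it is NOT the manifest of the real Gomal sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tictactoe">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Tic Tac Toe"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def permission_mismatches(manifest_xml, justified=frozenset()):
    """Sensitive permissions that the app's purpose does not justify,
    as (permission, capability) pairs. `justified` lists permissions the
    reviewer accepts for this app category (empty for an offline game)."""
    return [(perm, SENSITIVE[perm])
            for perm in requested_permissions(manifest_xml)
            if perm in SENSITIVE and perm not in justified]


if __name__ == "__main__":
    for perm, what in permission_mismatches(SAMPLE_MANIFEST):
        print(f"refuse install: {perm} lets the app {what}")
```

Feed it the manifest extracted from an APK (for example with aapt) and an allow-list matching the app's category; any remaining finding is the "rights do not correspond with the app's intended functions" case from the recommendations.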

Update:

Trojan-Spy.AndroidOS.Gomal.a uses an old version of the exploit, which is effective on Samsung devices running Android 4.0.4 or earlier. This particular version of the malware could not successfully attack a corporate email client on devices with newer firmware.
So far, we have not seen any attempts to infect our users with the Gomal Trojan. However, even though this sample is not currently active in the wild, we detect it so that we will be able to block any future attacks by mobile malicious programs based on this proof-of-concept malware.

Microsoft Ready With Nine Bulletins, New Critical IE Patches

Threatpost for B2B - Thu, 10/09/2014 - 15:20
Microsoft published its Patch Tuesday advance notification, advising IT shops to be ready for nine bulletins, including three critical patches.

Rovnix Variant Surfaces With New DGA

Threatpost for B2B - Thu, 10/09/2014 - 14:17
Researchers have unearthed a new version of the Rovnix malware that has a couple of additional features, including a new domain generation algorithm and a secure transmission channel for communicating with the command-and-control servers. Rovnix is a malware variant that often has been distributed by other kinds of malware. Last year Microsoft warned users about a […]

SAP Patches Seven Vulnerabilities in Three Products

Threatpost for B2B - Thu, 10/09/2014 - 13:19
SAP recently pushed out patches to address seven vulnerabilities in three different lines of software that could have opened those running the systems up to complete compromise.

Shellshock Exploits Spreading Mayhem Botnet Malware

Threatpost for B2B - Thu, 10/09/2014 - 12:36
Researchers at Malware Must Die published a report that hackers are spreading Mayhem botnet malware in exploits targeting the Shellshock vulnerability in Bash.

Wyden: Surveillance is a ‘Clear and Present Danger’ to the Digital Economy

Threatpost for B2B - Thu, 10/09/2014 - 10:39
The pervasive dragnet surveillance of Americans revealed by the Edward Snowden documents has caused serious damage to the trust that enterprises and citizens had in the United States government and unless that trust is repaired, it could have serious effects on the Internet economy, a panel of prominent technology executives said. In a town hall meeting […]

EFF Issues Arguments Against National Security Letters

Threatpost for B2B - Thu, 10/09/2014 - 09:51
The Electronic Frontier Foundation and the Justice Department squared off on the topic of National Security Letters in a San Francisco courtroom yesterday. This fight's next stop is likely the Supreme Court.

[Bad]USB ‘Patch’ Skirts More Effective Options

Threatpost for B2B - Thu, 10/09/2014 - 07:54
Researchers who released attack code against vulnerabilities in USB devices followed that up with a patch that they and researcher Karsten Nohl acknowledge isn't enough to solve the problem.

Google Fixes 159 Flaws in Chrome

Threatpost for B2B - Thu, 10/09/2014 - 07:02
Google updates its Chrome browser on a very aggressive timeline, often a couple of times a month. Usually, each update includes a handful of security fixes, maybe 12 or 15. On Tuesday, the company released Chrome 38, which patched a staggering 159 vulnerabilities. The vast majority of those patches–113 of them–fix minor vulnerabilities in the […]

Siemens Patches Five Vulnerabilities in SIMATIC WinCC for PCS 7

Threatpost for B2B - Tue, 10/07/2014 - 14:49
Siemens has patched five vulnerabilities in its SIMATIC PCS 7 system that could result in privilege escalation and give an attacker unauthenticated access to sensitive data.

Arbor: DDoS Attacks Getting Bigger as Reflection Increases

Threatpost for B2B - Tue, 10/07/2014 - 14:29
New reflected distributed denial of service attack techniques are increasing the volume of each attack as well as the overall frequency of large-scale DDoS attacks.

Twitter Files Suit Over Government Restrictions on National Security Letter Data

Threatpost for B2B - Tue, 10/07/2014 - 14:16
Twitter has filed a lawsuit in federal court asking that the United States Department of Justice’s prohibitions on publishing the number and kind of government requests for data the company receives be declared unconstitutional. The suit claims that the rules infringe on Twitter’s right to free speech by requiring that the company “engage in speech […]

Tyupkin Malware Infects ATMs Worldwide

Threatpost for B2B - Tue, 10/07/2014 - 08:54
The Tyupkin malware, spotted on ATMs in Eastern Europe, allows criminals to make withdrawals of 40 banknotes at a time, researchers at Kaspersky Lab said.

Tyupkin: Manipulating ATM Machines with Malware

Secure List feed for B2B - Tue, 10/07/2014 - 04:00

Earlier this year, at the request of a financial institution, Kaspersky Lab's Global Research and Analysis Team performed a forensics investigation into a cyber-criminal attack targeting multiple ATMs in Eastern Europe.

During the course of this investigation, we discovered a piece of malware that allowed attackers to empty the ATM cash cassettes via direct manipulation.

At the time of the investigation, the malware was active on more than 50 ATMs at banking institutions in Eastern Europe. Based on submissions to VirusTotal, we believe that the malware has spread to several other countries, including the U.S., India and China.

Due to the nature of the devices where this malware is run, we do not have KSN data to determine the extent of the infections. However, based on statistics culled from VirusTotal, we have seen malware submissions from the following countries:


This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

The malware uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night. It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.

When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

Most of the analyzed samples were compiled around March 2014. However, this malware has evolved over time. In its latest variant (version .d) the malware implements anti-debugging and anti-emulation techniques, and also disables McAfee Solidcore on the infected system.

Analysis

According to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD.

The attackers copied the following files into the ATM:

C:\Windows\system32\ulssm.exe
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\AptraDebug.lnk

After some checks of the environment, the malware removes the .lnk file and creates a key in the registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AptraDebug" = "C:\Windows\system32\ulssm.exe"
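
The two persistence artefacts above (the Startup shortcut and the Run value that replaces it) are what an operator would look for on an ATM's Windows image. The following added example is not code from the article; it parses the text of a `reg export` of the Run key (a constructed sample here, not a capture from a real ATM) plus a listing of the Startup folder, and reports any entry matching the indicators the article lists.

```python
import re

# Indicators from the article: the dropped binary, the Run value that
# replaces the startup shortcut, and the shortcut itself.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IOC_RUN_VALUE = "aptradebug"
IOC_BINARY = r"c:\windows\system32\ulssm.exe"
IOC_STARTUP_LNK = "aptradebug.lnk"

# Constructed .reg export (not from a real ATM): one benign vendor value
# beside the Tyupkin value. .reg strings double their backslashes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="C:\\Program Files\\Vendor\\agent.exe"
"AptraDebug"="C:\\Windows\\system32\\ulssm.exe"
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo the .reg quoting of backslashes and double quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Map each key path (lower-cased) to its REG_SZ name->value pairs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def tyupkin_indicators(reg_export_text, startup_entries):
    """Return one finding per persistence artefact present; [] if clean.
    The .lnk is removed after the malware's environment checks, so its
    absence alone does not clear the machine; the Run value persists."""
    findings = []
    for name, value in parse_reg_export(reg_export_text).get(RUN_KEY, {}).items():
        if name.lower() == IOC_RUN_VALUE or value.lower() == IOC_BINARY:
            findings.append(f"Run value {name!r} -> {value}")
    for entry in startup_entries:
        if entry.lower() == IOC_STARTUP_LNK:
            findings.append(f"Startup shortcut {entry}")
    return findings
```

On a live machine, feed it the output of `reg export` for the Run key and a directory listing of the all-users Startup folder.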

The malware is then able to interact with the ATM through the standard library MSXFS.dll (Extension for Financial Services, XFS).

The malware runs in an infinite loop waiting for user input. In order to make it more difficult to detect, Tyupkin accepts (by default) commands only on Sunday and Monday nights.

It accepts the following commands:

  • XXXXXX – Shows the main window.
  • XXXXXX – Self deletes with a batch file.
  • XXXXXX – Increases the malware activity period.
  • XXXXXX – Hides the main window.

After every command the operator must press "Enter" on the ATM's PIN pad.

Tyupkin also uses session keys to prevent interaction with random users. After entering the "Show the main window" command, the malware shows the message "ENTER SESSION KEY TO PROCEED!" using a random seed for each session.

The malicious operator must know the algorithm that generates a session key from the seed shown. Only when this key is entered successfully is it possible to interact with the infected ATM.

After that, the malware shows the following message:

CASH OPERATION PERMITTED.
TO START DISPENSE OPERATION -
ENTER CASSETTE NUMBER AND PRESS ENTER.

When the operator chooses the cassette number, the ATM dispenses 40 banknotes from it.

When the session key entered is incorrect, the malware disables the local network and shows the message:

DISABLING LOCAL AREA NETWORK...
PLEASE WAIT...

It is not clear why the malware disables the local network. This is likely done to delay or disrupt remote investigations.

A video demonstration on a real ATM is available:

Conclusion

Over the last few years, we have observed a major uptick in ATM attacks using skimming devices and malicious software. Following major reports of skimmers hijacking financial data at banks around the world, we have seen a global law enforcement crackdown that led to arrests and prosecution of cyber-criminals.

The successful use of skimmers to secretly swipe credit and debit card data when customers slip their cards into ATMs at banks or gas stations is well known and has led to a greater awareness for the public to be on the lookout – and take precautions – when using public ATMs.

Now we are seeing the natural evolution of this threat, with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs directly or through direct APT-style attacks against the bank. The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure.

The fact that many ATMs run on operating systems with known security weaknesses, and without any security solution installed, is another problem that needs to be addressed urgently.

Our recommendation to banks is to review the physical security of their ATMs and consider investing in quality security solutions.

Mitigation recommendations

We recommend that financial institutions and businesses that operate ATMs on premises consider the following mitigation guidance:

  • Review the physical security of their ATMs and consider investing in quality security solutions.
  • Change default upper pool lock and keys in all ATMs. Avoid using default master keys provided by the manufacturer.
  • Install a security alarm on the ATM and make sure that it works. It was observed that the cyber-criminals behind Tyupkin infected only those ATMs that had no security alarm installed.
  • For the instructions on how to verify that your ATMs are not currently infected in one step, please contact us at intelreports@kaspersky.com. For the full scan of the ATM's system and deleting the backdoor, please use free Kaspersky Virus Removal Tool (you may download it here).

General advice for on-premise ATM operators
  • Ensure the ATM is in an open, well-lit environment that is monitored by visible security cameras. The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.
  • Regularly check the ATM for signs of attached third-party devices (skimmers).
  • Be on the lookout for social engineering attacks by criminals who may be masquerading as inspectors, or as installers of security alarms, security cameras or other devices on the premises.
  • Treat intruder alarms seriously and act accordingly by notifying law enforcement authorities of any potential breach.
  • Consider filling the ATM with just enough cash for a single day of activity.
  • For more advice for both merchants and users, please visit http://www.link.co.uk/AboutLINK/site-owners/Pages/Security-for-ATMs.aspx

Yahoo Confirms Infected Servers Unrelated to Shellshock

Threatpost for B2B - Mon, 10/06/2014 - 19:56
Yahoo CISO Alex Stamos confirmed that three servers had been infected with malware by hackers looking for machines vulnerable to Shellshock.

Bugzilla Vulnerability Puts Bug Collections in Harm’s Way

Threatpost for B2B - Mon, 10/06/2014 - 14:13
A vulnerability in the account creation process in Bugzilla, bug-tracking software developed and licensed by Mozilla, exposes vulnerabilities collected by the system. Mozilla is expected to patch the vulnerability today.

Experts Laud Changes to iPhone, Android Encryption

Threatpost for B2B - Mon, 10/06/2014 - 13:49
The changes that both Google and Apple have made to their mobile operating systems to encrypt the data on users' devices have generated praise from the security and privacy communities and vitriol and criticism from the law enforcement and political worlds in equal measure.

AT&T Hit By Insider Breach

Threatpost for B2B - Mon, 10/06/2014 - 10:32
AT&T is warning consumers about a data breach involving an insider who illegally accessed the personal information of an unspecified number of users.