Feed aggregator

Mobile Device Encryption Could Lead to a ‘Very, Very Dark Place’, FBI Director Says

Threatpost for B2B - Thu, 10/16/2014 - 13:48
FBI Director James Comey said Thursday that the recent movement toward default encryption of smartphones and other devices could “lead us to a very, very dark place.” Echoing comments made by law enforcement officials for the last several decades, Comey said that the advanced cryptosystems available today threaten to cripple the ability of intelligence and law […]

OpenSSL Releases Patch for POODLE Attack

Threatpost for B2B - Thu, 10/16/2014 - 10:29
The OpenSSL Project has released a new version of the encryption software, which patches several security flaws, including the bug that is exploited by the POODLE attack on SSLv3. The updated versions of OpenSSL come just a couple of days after a trio of researchers at Google revealed the POODLE attack, which allows an attacker to […]

The Ventir Trojan: assemble your MacOS spy

Secure List feed for B2B - Thu, 10/16/2014 - 10:00

We got an interesting file (MD5 9283c61f8cce4258c8111aaf098d21ee) for analysis a short while ago. It turned out to be a sample of modular malware for MacOS X. Even after preliminary analysis it was clear that the file was not designed for any good purpose: an ordinary 64-bit mach-o executable contained several more mach-o files in its data section; it set one of them to autorun, which is typical of Trojan-Droppers.

Further investigation showed that a backdoor, a keylogger and a Trojan-Spy were hidden inside the sample. It is particularly noteworthy that the keylogger uses an open-source kernel extension. The extension's code is publicly available, for example, on GitHub!

Depending on their purpose, these files are detected by Kaspersky Lab antivirus solutions as Trojan-Dropper.OSX.Ventir.a, Backdoor.OSX.Ventir.a, Trojan-Spy.OSX.Ventir.a and not-a-virus:Monitor.OSX.LogKext.c.

Source file (Trojan-Dropper.OSX.Ventir.a)

As soon as it is launched, the dropper checks whether it has root access by calling the geteuid () function. The result of the check determines where the Trojan's files will be installed:

  • If it has root access, the files will be installed in /Library/.local and /Library/LaunchDaemons;
  • If it does not have root access, the files will be installed in ~/Library/.local and ~/Library/LaunchAgents ("~" stands for the path to the current user's home directory).

All files of the Trojan to be downloaded to the victim machine are initially located in the "__data" section of the dropper file.

Location of the Trojan's files inside the dropper

As a result, the following files will be installed on the infected system:

  1. Library/.local/updated – re-launches files update and EventMonitor in the event of unexpected termination.
  2. Library/.local/reweb – used to re-launch the file updated.
  3. Library/.local/update – the backdoor module.
  4. Library/.local/libweb.db – the malicious program's database file. Initially contains the Trojan's global settings, such as the C&C address.
  5. Library/LaunchAgents (or LaunchDaemons)/com.updated.launchagent.plist – the properties file used to set the file Library/.local/updated to autorun using the launchd daemon.
  6. Depending on whether root access is available:

    А) if it is – /Library/.local/kext.tar. The following files are extracted from the archive:

    • updated.kext – the driver that intercepts user keystrokes
    • Keymap.plist – the map which matches the codes of the keys pressed by the user to the characters associated with these codes;
    • EventMonitor – the agent which logs keystrokes as well as certain system events to the following file: Library/.local/.logfile.

    B) if it isn't – ~/Library/.local/EventMonitor. This is the agent that logs the current active window name and the keystrokes to the following file: Library/.local/.logfile

After installing these files, the Trojan sets the file updated to autorun using launchctl – the standard console utility (launchctl load% s/com.updated.launchagent.plist command).

Next, if root access is available, the dropper loads the logging driver into the kernel using the standard utility OSX kextload (kextload /System/Library/Extensions/updated.kext command)

After that, Trojan-Dropper.OSX.Ventir.a launches the file reweb and removes itself from the system.

Updated and reweb files

The file updated terminates all processes with the name reweb (killall -9 reweb command). After that, it regularly checks whether the processes EventMonitor and update are running and restarts them if necessary.

The file reweb terminates all processes with the names updated and update and then runs the file Library/.local/updated.

Update (Backdoor.OSX.Ventir.a) file

The backdoor first allocates the field values from the config table of the libweb.db database to local variables for further use.

To receive commands from C&C, the  malware uses an HTTP GET request in the following format: http://220.175.13.250:82/macsql.php?mode=getcmd&key=1000&udid=000C29174BA0, where key is some key stored in libweb.db in the config table; udid is the MAC address and 220.175.13.250:82 is the IP-address and port of the C & C server.

This request is sent regularly at short intervals in an infinite loop.

The backdoor can process the following commands from C&C:

  • reboot – restart the computer;
  • restart – restart the backdoor by launching reweb file;
  • uninstall – completely remove the backdoor from the system
  • show config – send data from the config table to the C&C server;
  • down exec – update the file update, download it from the C&C-server;
  • down config – update configuration file libweb.db, download it from the C&C server;
  • upload config – send the file libweb.db to the C&C server;
  • update config:[parameters] – update the config table in the libweb.db database file; values of fields from the table are sent as parameters;
  • executeCMD:[ parameter] – execute the command specified in the parameter using the function popen(cmd, "r"); send the command's output to the C & C server;
  • executeSYS:[parameter] – execute the command specified in the parameter using the function system(cmd);
  • executePATH:[parameter] – run file from the Library/.local/ directory; the file name is sent in the parameter;
  • uploadfrompath:[parameter] – upload file with the name specified in the parameter from the Library/.local/ directory to the C&C server;
  • downfile:[parameters] – download file with the name specified in a parameter from the C&C server and save it to the path specified in another parameter.

Some of the commands processed by the backdoor module

EventMonitor (Trojan-Spy.OSX.Ventir.a) file

This file is downloaded to the system if the dropper cannot get root access. Once launched, Trojan-Spy.OSX.Ventir.a installs its own system event handler using Carbon Event Manager API functions. The new handler intercepts all keystroke events and logs them to the file ~/Library/.local/.logfile. Modifier buttons (e.g., shift) are logged as follows: [command], [option], [ctrl], [fn], [ESC], [tab], [backspace], etc.

Keyboard event handler

Immediately before processing a keystroke, the malware determines the name of the process whose window is currently active. To do this, it uses GetFrontProcess and CopyProcessName functions from Carbon API. The name of the process is also logged as [Application {process_name} is the frontwindow]. This enables the Trojan's owner to determine in which application the phrase logged was entered.

kext.tar (not-a-virus:Monitor.OSX.LogKext.c) file

As mentioned above, the kext.tar archive is downloaded to the infected computer if Trojan-Dropper.OSX.Ventir has successfully got root access. The archive contains three files:

  • updated.kext
  • EventMonitor
  • Keymap.plist

The updated.kext software package is an open-source kernel extension (kext) designed to intercept keystrokes. This extension has long been detected by Kaspersky Lab products as not-a-virus:Monitor.OSX.LogKext.c and the source code (as it mentioned earlier) is currently available to the general public.

The file Keymap.plist is a map which matches the codes of keys pressed to their values. The file EventMonitor uses it to determine key values based on the codes provided to it by the file updated.kext.

The file EventMonitor is an agent file that receives data from the updated.kext kernel extension, processes it and records it in the /Library/.local/.logfile log file. Below is a fragment of the log that contains a login and password intercepted by the Trojan

As the screenshot demonstrates, as soon as a victim enters the username and password to his or her email account on yandex.ru, the data is immediately logged and falls into the cybercriminals' hands.

This threat is especially significant in view of the recent leaks of login and password databases from Yandex, Mail.ru and Gmail. It is quite possible that malware from the Ventir family was used to supply data to the databases published by cybercriminals.

In conclusion, it should be noted that Trojan-Dropper.OSX.Ventir.a with its modular structure is similar to the infamous Trojan.OSX.Morcut (aka OSX/Crisis), which had approximately the same number of modules with similar functionality. Using open-source software makes it much easier for cybercriminals to create new malware. This means we can safely assume that the number of Trojan-Spy programs will only grow in the future.

Facebook to Double Bounty Payouts For Ad Code Bugs

Threatpost for B2B - Wed, 10/15/2014 - 15:00
Facebook said it will double bug bounty payouts for the remainder of the year for serious vulnerabilities in its ad code.

Two Patched Zero Days Targeting Windows Kernel

Threatpost for B2B - Wed, 10/15/2014 - 14:58
Security firms have peeled back the layers on two zero day vulnerabilities that are currently being used in limited, targeted attacks against the Windows Kernel.

Drupal Fixes Highly Critical SQL Injection Flaw

Threatpost for B2B - Wed, 10/15/2014 - 13:34
Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution.

Microsoft Extends SHA-2, TLS Support for Windows

Threatpost for B2B - Wed, 10/15/2014 - 11:40
Microsoft announced that it has extended support for SHA-2 and TLS in supported versions of Windows.

Browser Vendors Move to Disable SSLv3 in Wake of POODLE Attack

Threatpost for B2B - Wed, 10/15/2014 - 10:35
With details of the new POODLE attack on SSLv3 now public, browser vendors are in the process of planning how they're going to address the issue in their products in a way that doesn't break the Internet for millions of users but still provides protection.

Java Reflection API Woes Resurface in Latest Oracle Patches

Threatpost for B2B - Wed, 10/15/2014 - 09:55
Oracle's Critical Patch update addresses 154 vulnerabilities, many of which are remotely exploitable. Security Explorations of Poland, meanwhile, published details on a number of Java flaws in the Java Reflection API.

New POODLE SSL 3.0 Attack Exploits Protocol Fallback Issue

Threatpost for B2B - Tue, 10/14/2014 - 20:13
A new attack on the SSLv3 protocol, disclosed Tuesday, takes advantage of an issue with the protocol that enables a network attacker to recover the plaintext communications of a victim.

Microsoft Security Updates October 2014

Secure List feed for B2B - Tue, 10/14/2014 - 18:23

Update (2014.10.15) - administrative notes for preparation... Friends on Twitter let me know their update cycle took close to 20 minutes on Windows 7. Yesterday, others on 8.1 told me their update download was around a gig, for some it was ~200 mb. Also, this cycle likely requires everyone a reboot to complete.

*******

This morning was possibly one of the most information rich in the history of Microsoft's patch Tuesdays. Last month, we pointed out the Aurora Panda/DeputyDog actor was losing an IE 0day being patched, and that seemed unusual. This month, several vulnerabilities abused with 0day exploits by known APT actors are being patched and the actors are being publicly noted. So today Microsoft pushes out eight security bulletins MS14-056 through MS14-063, including three rated critical.

The most interesting of today's vulnerabilities are two that are enabled by Windows functionality, but are useful for spearphishing targets with Office-type data file attachments - an Excel file, PowerPoint Show, Word document, and so on. The first of the two remind us of the Duqu attacksMS14-058 patches yet another kernel level font handling flaw CVE-2014-4148, the same kind of issue seen in the Duqu spearphish exploits. This one is rated critical by Microsoft. No one particular actor has been associated with this attack or exploit just yet.

The Windows OLE vulnerability patched with MS14-060 is surprisingly rated "Important" by Microsoft. The APT known as the "Sandworm team" deployed CVE-2014-4114 in incidents against targets alongside other known exploits. The group was known for deploying new variants of the BlackEnergy bot in cyber-espionage campaigns, hitting geopolitical and military targets. In one incident, the team sent spearphish as a PowerPoint slide deck containing the 0day OLE exploit to Ukrainian government and US academic organizations. When opened, the slides dropped newer variants of BlackEnergy to the victim systems. These newer variants of BlackEnergy maintain functionality dedicated to cyber espionage tasks.The most interesting characteristics of these BlackEnergy trojans are the custom plugins or modules, but that's for a different blog post. Our GReAT researchers Maria Garnaeva and Sergey Lozhkin spoke about interesting BlackEnergy functionality at the May 2014 PHDays conference.

Another group known as Hurricane Panda attempted to exploit CVE-2014-4113 in targeted environments. This escalation of privilege issue can present a real problem in situations where an attacker has gotten in to a network and is attempting to burrow in further. This bug also exists in Windows kernel code, and is patched by the same MS14-058 bulletin mentioned above.

The Internet Explorer update addresses fourteen vulnerabilities, rated critical for IE6 through IE11. They do not affect Server Core installations.

More can be read about October 2014 Microsoft Security Bulletins here.

Fixes for IE, Flash Player in October Patch Tuesday Release

Threatpost for B2B - Tue, 10/14/2014 - 15:02
Microsoft posted eight bulletins for Patch Tuesday, three of which are considered critical including a cumulative Internet Explorer update, while Adobe has fixes for Flash Player and ColdFusion.

Kmart Latest Retail Chain to Disclose Payment Card Breach

Threatpost for B2B - Tue, 10/14/2014 - 14:04
Discount department store Kmart acknowledged on Friday that it fell victim to a “payment security incident” for most of September and some of October.

BlackBerry 10 Devices Open to Bug That Allows Malicious App Installation

Threatpost for B2B - Tue, 10/14/2014 - 13:57
BlackBerry has patched a vulnerability in its BlackBerry 10 devices that could allow an attacker to intercept users’ traffic to and from the BlackBerry World app store and potentially install malware on a targeted device. The vulnerability is a weakness in the integrity checking system that BlackBerry uses to verify the apps that users download. […]

Dropbox Denies Hack, Says ‘Your Stuff is Safe’

Threatpost for B2B - Tue, 10/14/2014 - 10:28
Dropbox officials on Monday said that a large cache of usernames and passwords posted online and alleged to have come from the company’s users are not related to Dropbox customer accounts. A spate of media reports reported yesterday that attackers had stolen several million sets of credentials from Dropbox and posted them online. The claim of […]

Sandworm APT Team Found Using Windows Zero Day Vulnerability

Threatpost for B2B - Tue, 10/14/2014 - 06:11
A cyberespionage team, possibly based in Russia, has been using a Windows zero day vulnerability to target a variety of organizations in several countries, including the United States, Poland, Ukraine and western Europe.

Backoff Malware Identified as Culprit in Dairy Queen Breach

Threatpost for B2B - Fri, 10/10/2014 - 14:19
Close to 400 Dairy Queen locations were breached this summer and the company has pinned the blame on hackers using the Backoff point-of-sale malware.
Syndicate content