Secure List feed for B2B
A long time has passed since we published our analysis of threats for home network devices. Since then, the situation has significantly changed - alas, not for the better. Back in 2011, we were concerned mainly about the security of SOHO routers, DSL modems and wifi access points. Today, we are talking about the whole Internet-of-Things, which includes every single machine, appliance or gadget that is able to communicate over the Internet.
Let's recall what kind of threats for network devices we were aware of at the end of 2011:
- DNS poisoning, drive-by pharming and SOHO pharming: exploitation of vulnerabilities in a web interface of a router/modem to change its DNS settings in order to redirect users to malicious websites
- UPnP & SNMP based attacks: exploitation of vulnerabilities and implementation issues in widely used protocols in order to get access to the device
- Malicious binaries: Linux-based DDoS (Distributed Denial of Service) tools, especially customized to run on routers; router botnets, capable of conducting a wide range of attacks; worms, infecting routers and spreading through the network
And now, let's look at the year 2014 and see which of our predictions came true...
More SOHO pharming attacks
True. There have been numerous attacks utilizing a router's DNS settings to obtain users' banking credentials and redirect users to malicious websites. Just to name a few of the biggest incidents:
- January 2014: huge SOHO pharming campaign affecting a wide range of routers from several manufacturers all over the world. The attackers exploited a variety of vulnerabilities to change the DNS settings of more than 300 000 devices, mainly located in Vietnam, India and Thailand, but also in several countries in Europe, both Americas and Africa. As a result, all traffic from behind the compromised routers was redirected to the malicious servers, enabling cybercriminals to decide if users should be pointed to the original version of the website they requested, or to the phishing/malicious one.
- February 2014: another large scale campaign using the DNS poisoning technique. This time the attack was highly targeted and the goals of the cybercriminals were strictly defined: the attack was designed to steal the banking credentials from users of five popular Polish banks. In this case the number of infected routers was about 100 and most of them were located in Poland and Russia. When users tried to log into the online banking website, they were redirected to a modified site which requested them to provide the confidential information.
- September 2014: classical drive-by pharming attack targeting home routers in Mexico and Brazil. This attack started with a malicious email, spammed to a large number of Portuguese-speaking users, in which cybercriminals tried to lure the recipient into clicking on a link to a malicious website. The HTML script on this website was designed to try several combinations of default credentials to access the configuration of the router and change its DNS settings. If this approach failed, the script displayed a pop-up, asking the user to enter the router credentials manually.
True. We have discovered more malware samples that are affecting MIPS routers, and – more importantly – samples developed in such a way that they might be compiled for different platforms (MIPS, ARM, Intel, PPC, SuperH, etc.) and run on different kinds of Linux-based devices. A couple of examples:
- Aidra – an open source DDoS tool, designed to scan modems/routers and create a botnet from exploitable devices. There are currently several Aidra binaries in the wild, compiled for different platforms (MIPS, ARM, PPC, SuperH), which means that this worm has been customized to be able to infect Internet-of-Things devices.
- Darlloz – a Linux worm and bot designed for MIPS, ARM and Intel architectures, spreading through a PHP-CGI vulnerability to randomly generated IP addresses and capable of downloading and running additional code. It communicates with the malicious operator by opening a backdoor on TCP port 58455 and waiting for commands. It infected more than 30 000 devices, mainly in the US and China, and – as it was proven later – was used to install crypto-currency mining software (cpuminer), at least on Intel x86 devices.
- The Moon worm – a mysterious worm, spreading through a remote authentication bypass exploit in the implementation of the HNAP protocol in Linksys E-Series routers. This malware collects information about the device and communicates with its C&C (Command and Control) servers using quotes and images from the 2009 sci-fi movie called "The Moon". The IP ranges that the worm scans, in order to exploit them, are hard-coded in the binary and include about 670 networks, most of which belong to certain DSL and cable modem ISPs in different countries.
Figure 1 – Aidra - open source DDoS tool
Figure 2a – Darlloz worm, code compiled for ARM architecture
Figure 2b – Darlloz worm, same code snippet, compiled for x86 architecture
Figure 3 – The Moon worm, strings related to The Moon movie
True. The story published in the German c't magazine revealed the first router malware that was trying to make persistent changes to the router firmware. The malware consisted of several Linux shell scripts that were responsible for downloading the modified version of the firmware, overwriting the original image and rebooting the router. The malicious firmware came with a modified init script, which launched a sniffing tool (dsniff) on the infected machine, capturing traffic and sending all the intercepted data to the C&C FTP server. This malware was found to be affecting not only routers but also other Linux-based embedded devices, such as Dreambox DVB receivers.
Figure 4 – Flasher, script replacing the original firmware
Figure 5 – Flasher, script running the sniffer and uploading the data to FTP server
Cross-platform and multi-platform malware
True. Malware and botnets traditionally associated only with Windows machines are now starting to use routers and other Internet-enabled devices for different malicious purposes:
- The Sality virus was found to incorporate SOHO routers in its replication process, by using DNS poisoning method to redirect users to infected files. In this case, the malware used was Windows malware similar to the DNSChanger Trojan.
- The Black Energy 2 botnet also got an IoT upgrade: it started to use additional plugins which are designed to run on Linux-based MIPS and ARM devices. These modules are capable of performing DDoS attacks, stealing passwords, scanning ports in the network and sniffing traffic. They communicate with C&C servers and are able to execute specified shell commands and download and launch additional binaries. We have recently published an in-depth analysis of Black Energy 2, where you can find many more details about it.
True. Several critical vulnerabilities affecting Internet-of-Things devices were discovered and reported to the vendors this year. Just to name a few:
- Rom-0 vulnerability in ZyXEL routers, which allows an attacker to download the router's configuration file without any authentication
- CVE-2014-2719 vulnerability in ASUS wireless routers, which allows an attacker to retrieve the router's credentials
- 15 zero-day vulnerabilities in 10 different SOHO router models, revealed at the Defcon 22's SOHOpelessly Broken contest
- Our colleague, David Jacoby, found interesting zero-days in the devices he uses at home.
- We also need to remember that the Heartbleed and Shellshock vulnerabilities affect some Linux-based network devices and Internet-of-Things devices as well.
But what is even more scary than the growth in discovered vulnerabilities, is the fact that certain vendors seem to implement hardcoded firmware backdoors in their products, providing cybercriminals with an easy way-in, especially to devices that no longer receive any updates.
As we can see, the security situation of the network devices hasn't improved much since 2011. Most of our predictions came true: the threats are on the rise and cybercriminals widen their interest not only to home routers and modems, but to the whole Internet-of-Things. Although both the vendors and the ISPs are slowly realizing the threat and trying to make their devices more secure, there is still a lot to do. For example, one of the very serious issues is that most of the older devices are not receiving firmware updates anymore, so if there is any new attack vector discovered, users can do literally nothing to protect themselves against it, unless they decide to purchase an (often expensive) newer version of the device that is still being supported. This issue is not easy to fix: for the vendors, it wouldn't really be cost-effective to support each of the devices they offer for a long period of time; and without the software patches, there is not much to do to secure these devices from the customer's side. Times have changed, and we need to come up with a new security model for the Internet of Things, as the old one is not working properly anymore.
To learn how to protect your home network, please read the guidelines put together by my colleague, David Jacoby.
Our homes today look more like small offices. We have tons of different devices connected to our network, everything from storage devices and network equipment to wireless network printers. The entire "home entertainment" industry is getting connected: it is very difficult to buy a TV, DVD or Blu-ray player that does not have WIFI… the same thing goes for the gaming industry: all new gaming consoles require Internet connectivity.
I do love the fact that we are applying new technology to old concepts, and improving functionality. I personally even have my old retro computers connected to the Internet - and we are talking about old computers such as Commodore 64, Amiga 500 and Atari computers - because I love the fact of adding new functionality to old things.
And as we know, with great power comes great responsibility. But this is not something that the consumer product vendors are really adopting when adding extra functionality to their "old" products. I did some research where I looked into the devices that were connected to my own home network, and the result was extremely scary! Within minutes I was able to fully compromise some of my devices, turning them into zombie machines in botnets, bypassing all the security and accessing files on storage devices that I did not have the authority to access.
Many people still believe that these attacks are difficult, and require someone to sit on the same network as your devices, for example on your private WIFI connection, but this is a false perception. There are very easy and effective ways to compromise the network of connected devices behind your personal firewall remotely over the Internet.
My colleague, Marta Janus, also did some very interesting research where she looked into the (in)security of home modems and routers, and we both came to the same conclusion. We need to act now! This is not a futuristic problem, this problem exists now. Cybercriminals are exploiting these weaknesses right now and the industry is not doing enough about this.
This is not only a technical problem that can be resolved with a patch. Consumers in general are very bad at understanding how these network connected devices should be installed. All of these devices have different usage, and because of that also require different network configurations. We are very lazy, and without proper installation instructions we simply connect the devices to our network; and when that is done, we consider the installation complete.
What is happening is that you are sharing the same network configuration among all devices. This results, for example, in having a TV, Blu-ray player and network storage device on the same network as the laptop you use to do online banking, home finances, online shopping and maybe even work.
The vendors also need to take more responsibility when shipping consumer products. Most people don't understand that the support lifecycle of these devices is only about six months; after that there will be no more updates or support from the vendor, because they need to support the next upcoming products.
From talking to friends and family, it's clear that they have a problem realizing that this is actually a threat! People still believe that it's always "someone else" who will get infected with malicious code, or who will get their credit card details or identity stolen. Please wake up to the real world - this is happening right here, right now! Some really good examples of these types of attacks are:
- Customers of one of the largest ISPs in Sweden were sent vulnerable routers by the ISP, allowing attackers to remotely compromise the device through a "god-like" account with a very weak password; and all devices had the same account with the same password.
- A large amount of money was stolen from the customers of five popular Polish banks, following an attack in which cybercriminals changed the settings of hundreds of vulnerable SOHO routers in order to redirect users to the fake banking websites.
- Malware (Psyb0t) targeted home SOHO routers exploiting software weaknesses, but also weak passwords in the administrative interface - turning the device into a zombie in a botnet.
- Malware (BlackEnergy2) implemented additional modules, designed to run on Internet-of-Things devices, in order to perform DDoS (Distributed Denial of Service) attacks, steal passwords and sniff network traffic.
- Malware (Flasher) replaced the firmware on vulnerable SOHO devices with a modified system image that eavesdrops on users' network activity.
As researchers it is very easy to identify security weaknesses and flame the vendors about them, but it is a bit more challenging to come up with an effective conclusion. Together with Marta, we compiled a little list of easy tips and tricks that you should apply if you have network connected devices. It's only general tips because finding one solution that works on multiple devices is very complex; all products look and feel different and have different usages.
- Change default passwords on the device; attackers will try to exploit this!
- If possible try to update the firmware to the latest version!
- If you do not use the network connectivity on the device, TURN IT OFF! If you use it, or if it's necessary for the device to work, make sure that there is NO REMOTE ACCESS to the management interface of the device from the outside world.
- Apply strong network segmentation for your connected devices:
  - Does the device require access to the INTERNET?
  - Does the device, for example a TV, require access to the same network as your personal data?
- Switch off unnecessary features. Contemporary IoT devices usually implement a variety of different functionalities, some of which you might not even be aware of. It's good practice, after buying each new device, to learn about all its features and disable the ones that you are not going to use. Having all the features enabled increases the potential attack surface.
- Read The Fascinating Manual. Every device is shipped with a manual, which documents its features and configuration settings. Also, there is usually a lot of additional documentation available online. To keep your home secure, you should always familiarize yourself with any new device that you are going to incorporate into your network and take all the recommended steps to make the device as secure as possible.
- Please contact the support team of the vendor if you do have questions. When buying consumer products, you also pay for support. Use it! They will offer guidance for your specific device!
In the spring of 2012, following a Kaspersky Lab presentation on the unusual facts surrounding the Duqu malware, a security researcher contacted us and mentioned that Duqu reminded him of another high-end malware incident. Although he couldn't share a sample, the third-party researcher mentioned the "Regin" name, a malware attack that is now dreaded by many security administrators in governmental agencies around the world.
For the past two years, we've been tracking this most elusive malware across the world. From time to time, samples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in functionality and lacking context.
It's unknown exactly when the first samples of Regin were created. Some of them have timestamps dating back to 2003.
The victims of Regin fall into the following categories:
- Telecom operators
- Government institutions
- Multi-national political bodies
- Financial institutions
- Research institutions
- Individuals involved in advanced mathematical/cryptographical research
So far, we've observed two main objectives from the attackers:
- Intelligence gathering
- Facilitating other types of attacks
While in most cases, the attackers were focused on extracting sensitive information, such as e-mails and documents, we have observed cases where the attackers compromised telecom operators to enable the launch of additional sophisticated attacks. More about this in the GSM Targeting section below.
Perhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.
Another interesting victim of Regin is a computer we are calling "The Magnet of Threats". This computer belongs to a research institution and has been attacked by Turla, Mask/Careto, Regin, Itaduke, Animal Farm and some other advanced threats that do not have a public name, all co-existing happily on the same computer at some point.
Initial compromise and lateral movement
The exact method of the initial compromise remains a mystery, although several theories exist, which include man-in-the-middle attacks with browser zero-day exploits. For some of the victims, we observed tools and modules designed for lateral movement. So far, we have not encountered any exploits. The replication modules are copied to remote computers by using Windows administrative shares and then executed. Obviously, this technique requires administrative privileges inside the victim's network. In several cases, the infected machines were also Windows domain controllers. Targeting of system administrators via web-based exploits is one simple way of achieving immediate administrative access to the entire network.
The Regin platform
In short, Regin is a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote control at all possible levels.
The platform is extremely modular in nature and has multiple stages.
Regin platform diagram
The first stage ("stage 1") is generally the only executable file that will appear in victims' systems. Further stages are stored either directly on the hard drive (for 64 bit systems), as NTFS Extended Attributes or registry entries. We've observed many different stage 1 modules, which sometimes have been merged with public sources to achieve a type of polymorphism, complicating the detection process.
The second stage has multiple purposes and can remove the Regin infection from the system if instructed so by the 3rd stage.
The second stage also creates a marker file that can be used to identify the infected machine. Known filenames for this marker are:
Stage 3 exists only on 32 bit systems - on 64 bit systems, stage 2 loads the dispatcher directly, skipping the third stage.
Stage 4, the dispatcher, is perhaps the most complex single module of the entire platform. The dispatcher is the user-mode core of the framework. It is loaded directly as the third stage of the 64-bit bootstrap process or extracted and loaded from the VFS as module 50221 as the fourth stage on 32-bit systems.
The dispatcher takes care of the most complicated tasks of the Regin platform, such as providing an API to access virtual file systems, basic communications and storage functions as well as network transport sub-routines. In essence, the dispatcher is the brain that runs the entire platform.
A thorough description of all malware stages can be found in our full technical paper.
Virtual File Systems (32/64-bit)
The most interesting code from the Regin platform is stored in encrypted file storages, known as Virtual File Systems (VFSes).
During our analysis we were able to obtain 24 VFSes, from multiple victims around the world. Generally, these have random names and can be located in several places in the infected system. For a full list, including format of the Regin VFSes, see our technical paper.
Unusual modules and artifacts
With high-end APT groups such as the one behind Regin, mistakes are very rare. Nevertheless, they do happen. Some of the VFSes we analyzed contain words which appear to be the respective codenames of the modules deployed on the victim:
- legspinv2.6 and LEGSPINv2.6
Another module we found, which is plugin type 55001.0, references another codename, U_STARBUCKS:
The most interesting aspect we found so far about Regin is related to an infection of a large GSM operator. One VFS encrypted entry we located had internal id 50049.2 and appears to be an activity log on a GSM Base Station Controller.
According to the GSM documentation (http://www.telecomabc.com/b/bsc.html): "The Base Station Controller (BSC) is in control of and supervises a number of Base Transceiver Stations (BTS). The BSC is responsible for the allocation of radio resources to a mobile call and for the handovers that are made between base stations under his control. Other handovers are under control of the MSC."
Here's a look at the decoded Regin GSM activity log:
This log is about 70KB in size and contains hundreds of entries like the ones above. It also includes timestamps which indicate exactly when the command was executed.
The entries in the log appear to contain Ericsson OSS MML (Man-Machine Language as defined by ITU-T) commands.
Here's a list of some commands issued on the Base Station Controller, together with some of their timestamps:
Descriptions for the commands:
- rxmop - check software version type;
- rxmsp - list current call forwarding settings of the Mobile Station;
- rlcrp - list off call forwarding settings for the Base Station Controller;
- rxble - enable (unblock) call forwarding;
- rxtcp - show the Transceiver Group of particular cell;
- allip - show external alarm;
- dtstp - show Digital Path (DIP) settings (DIP is the name of the function used for supervision of the connected PCM (Pulse Code Modulation) lines);
- rlstc - activate cell(s) in the GSM network;
- rlstp - stop cell(s) in the GSM network;
- rlmfc - add frequencies to the active broadcast control channel allocation list;
- rlnri - add cell neighbour;
- rrtpp - show radio transmission transcoder pool details;
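For defenders auditing an operator's command history, the following added example (not code from the original report) sorts logged commands into read-only and state-changing classes using only the descriptions listed above, then reports which cells and accounts were involved in changes. The line layout, the `cell=` parameter syntax with `&`-joined values, the account names and the sample entries are all constructed assumptions; `parse_line` and `triage` are hypothetical helper names.

```python
import re
from collections import Counter, defaultdict

# Command classes follow the descriptions listed above on this page.
READ_ONLY = {"rxmop", "rxmsp", "rlcrp", "rxtcp", "allip", "dtstp", "rrtpp"}
STATE_CHANGING = {"rxble", "rlstc", "rlstp", "rlmfc", "rlnri"}

# Assumed layout (not taken from the original log):
#   <date> <time> <account> <command>[:<params>];
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<account>\S+)\s+"
    r"(?P<cmd>[a-z]{5})(?::(?P<params>[^;]*))?;\s*$",
    re.IGNORECASE,
)
# Assumed parameter syntax: cell=<name>, several names joined with "&".
CELL_RE = re.compile(r"\bcell=([A-Za-z0-9&]+)", re.IGNORECASE)

# Constructed sample entries; accounts, parameters and times are invented.
SAMPLE_LOG = """\
2008-04-25 11:12:14 eng_a rxmop:mo=rxotrx-17-0;
2008-04-25 11:14:02 eng_a rxtcp:moty=rxotg,cell=prn021a;
2008-04-25 11:15:40 eng_a rlstc:cell=prn021a,state=active;
2008-05-02 03:41:09 eng_b rlnri:cell=gzn010a,cellr=wdk004;
2008-05-02 03:44:51 eng_b rlmfc:cell=gzn010a&kbl027a,mbcchno=70;
2008-05-27 22:05:13 eng_b allip;
2008-05-27 22:06:00 eng_b zzzzz:x=1;
-- connection closed --
"""


def parse_line(line):
    """Parse one log line; return None if it does not match the layout."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    cmd = match.group("cmd").lower()
    cells = []
    for value in CELL_RE.findall(match.group("params") or ""):
        cells.extend(c.lower() for c in value.split("&") if c)
    if cmd in STATE_CHANGING:
        kind = "state-changing"
    elif cmd in READ_ONLY:
        kind = "read-only"
    else:
        kind = "unknown"  # not in the list above: review manually
    return {"ts": match.group("ts"), "account": match.group("account"),
            "cmd": cmd, "kind": kind, "cells": cells}


def triage(log_text):
    """Summarise a command log: counts per class, changed cells, who changed."""
    summary = {
        "by_kind": Counter(),
        "changed_cells": set(),
        "changes_by_account": defaultdict(list),
        "unparsed": [],
    }
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            summary["unparsed"].append(raw)  # keep for manual review
            continue
        summary["by_kind"][entry["kind"]] += 1
        if entry["kind"] == "state-changing":
            summary["changed_cells"].update(entry["cells"])
            summary["changes_by_account"][entry["account"]].append(
                (entry["ts"], entry["cmd"]))
    return summary


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(dict(report["by_kind"]))
    print(sorted(report["changed_cells"]))
    for account, changes in report["changes_by_account"].items():
        print(account, changes)
```
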
The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts:
In total, the log indicates that commands were executed on 136 different cells. Some of the cell names include "prn021a, gzn010a, wdk004, kbl027a, etc...". The command log we obtained covers a period of about one month, from April 25, 2008 through May 27, 2008. It is unknown why the commands stopped in May 2008 though; perhaps the infection was removed or the attackers achieved their objective and moved on. Another explanation is that the attackers improved or changed the malware to stop saving logs locally and that's why only some older logs were discovered.
Communication and C&C
The C&C mechanism implemented in Regin is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks. Most victims communicate with another machine in their own internal network, through various protocols, as specified in the config file. These include HTTP and Windows network pipes. The purpose of such a complex infrastructure is to achieve two goals: give attackers access deep into the network, potentially bypassing air gaps, and restrict as much as possible the traffic to the C&C.
Here's a look at the decoded configurations:
In the above table, we see configurations extracted from several victims that bridge together infected machines in what appears to be virtual networks: 17.3.40.x, 50.103.14.x, 51.9.1.x, 18.159.0.x. One of these routes reaches out to the "external" C&C server at 184.108.40.206.
The numbers right after the "transport" indicate the plugin that handles the communication. These are in our case:
- 27 - ICMP network listener using raw sockets
- 50035 - Winsock-based network transport
- 50037 - Network transport over HTTP
- 50051 - Network transport over HTTPS
- 50271 - Network transport over SMB (named pipes)
The machines located on the border of the network act as routers, effectively connecting victims from inside the network with C&Cs on the internet.
After decoding all the configurations we've collected, we were able to identify the following external C&Cs.

| C&C server IP | Location | Description |
| --- | --- | --- |
| 220.127.116.11 | Taiwan, Province Of China Taichung | Chwbn |
| 18.104.22.168 | India, Chetput | Chennai Network Operations (team-m.co) |
| 22.214.171.124 | India, Thane | Internet Service Provider |
| 126.96.36.199 | Belgium, Brussels | Perceval S.a. |

One particular case includes a country in the Middle East. This case was mind-blowing so we thought it's important to present it. In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, educational institution network and a bank.
These victims spread across the country are all interconnected to each other. One of the victims contains a translation drone which has the ability to forward the packets outside of the country, to the C&C in India.
This represents a rather interesting command-and-control mechanism, which is guaranteed to raise very little suspicion. For instance, if all commands to the president's office are sent through the bank's network, then all the malicious traffic visible to the president's office sysadmins will be only with the bank, in the same country.
Over the past two years, we collected statistics about the attacks and victims of Regin. These were aided by the fact that even after the malware is uninstalled, certain artifacts are left behind which can help identify an infected (but cleaned) system. For instance, we've seen several cases where the systems were cleaned but the "msrdc64.dat" infection marker was left behind.
So far, victims of Regin were identified in 14 countries:
In total, we counted 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network. The number of unique PCs infected with Regin is of course much, much higher.
From the map above, Fiji and Kiribati are unusual, because we rarely see such advanced malware in such remote, small countries. In particular, the victim in Kiribati is most unusual. To put this into context, Kiribati is a small island in the Pacific, with a population around 100,000.
More information about the Regin victims is available through Kaspersky Intelligent Services. Contact: email@example.com
Attribution
Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state. While attribution remains a very difficult problem when it comes to professional attackers such as those behind Regin, certain metadata extracted from the samples might still be relevant.
As this information could be easily altered by the developers, it's up to the reader to attempt to interpret this: as an intentional false flag or a non-critical indicator left by the developers.
More information about Regin is available to Kaspersky Intelligent Services' clients. Contact: firstname.lastname@example.org
Conclusions
For more than a decade, a sophisticated group known as Regin has targeted high-profile entities around the world with an advanced malware platform. As far as we can tell, the operation is still active, although the malware may have been upgraded to more sophisticated versions. The most recent sample we've seen was from a 64-bit infection. This infection was still active in the spring of 2014.
The name Regin is apparently a reversed "In Reg", short for "In Registry", as the malware can store its modules in the registry. This name and detections first appeared in anti-malware products around March 2011.
From some points of view, the platform reminds us of another sophisticated malware: Turla. Some similarities include the use of virtual file systems and the deployment of communication drones to bridge networks together. Yet through their implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analysed.
The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations. In today's world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users.
Kaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and Rootkit.Win32.Regin.
If you detect a Regin infection in your network, contact us at: email@example.com
Another ransomware has been spotted in the wild lately, branded as 'CoinVault'. This one involves some interesting details worth mentioning, including the peculiar characteristic of offering the free decryption of one of the hostage files as a sign of good faith.
Technically, the malware writers have taken a lot of measures to slow down the analysis of the sample. Even though it was made with Microsoft's .NET framework, it takes a while to reach the core of their malicious application. Upon opening the initial sample in 'IL Spy', we find that the program starts by using a string key which is passed to a decryption method, which will ultimately get the executable code.
A byte array is also passed as a parameter to the 'EncryptOrDecrypt' method, which in conjunction with the key will output a final byte array with the malware's much needed code.
Implementing these functions in Visual Studio is as easy as copy/paste, so we execute the methods gotten from the source code and set a breakpoint to check what the decryption method is doing. A '77', '90' in decimal tells us we are on the right track since when converting these numbers to hexadecimal we get '4D', '5A', which is the magic number for DOS executable files identified by the ASCII string 'MZ'. We dump all the bytes to an executable file in disk for further analysis.
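The two-byte 'MZ' check only shows that the buffer starts plausibly. The following added example (not code from the original analysis) goes further before a dump is trusted: it follows `e_lfanew` to the PE signature, reads the COFF header, and checks the CLR data directory to tell whether the unpacked layer is another .NET assembly. The sample header is constructed, and `inspect_dump` and `build_constructed_header` are hypothetical names.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET header)


def inspect_dump(buf):
    """Validate a decrypted buffer as a PE image and report basic facts."""
    result = {"is_pe": False, "reason": "", "machine": None,
              "sections": 0, "is_dotnet": False}
    if len(buf) < 0x40:
        result["reason"] = "shorter than a DOS header"
        return result
    if buf[0] != 77 or buf[1] != 90:  # 0x4D 0x5A, ASCII 'MZ'
        result["reason"] = "no MZ magic (wrong key or wrong dump offset?)"
        return result
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 24 > len(buf):
        result["reason"] = "e_lfanew points outside the buffer (truncated dump?)"
        return result
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        result["reason"] = "MZ present but no PE signature"
        return result
    # COFF file header follows the 4-byte signature (20 bytes).
    machine, sections, _ts, _symptr, _nsyms, opt_size, _flags = \
        struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > len(buf):
        result["reason"] = "optional header truncated"
        return result
    result.update(is_pe=True, reason="valid PE headers", sections=sections,
                  machine=MACHINES.get(machine, hex(machine)))
    (magic,) = struct.unpack_from("<H", buf, opt)
    # Data directories start at a different offset for PE32 and PE32+.
    dir_off = {0x10B: 96, 0x20B: 112}.get(magic)
    if dir_off is None or dir_off > opt_size:
        return result
    (ndirs,) = struct.unpack_from("<I", buf, opt + dir_off - 4)
    entry = opt + dir_off + 8 * CLR_DIRECTORY_INDEX
    if ndirs > CLR_DIRECTORY_INDEX and entry + 8 <= opt + opt_size:
        rva, size = struct.unpack_from("<II", buf, entry)
        result["is_dotnet"] = rva != 0 and size != 0
    return result


def build_constructed_header(dotnet=True):
    """Build a constructed, header-only PE32 buffer for testing the checks."""
    buf = bytearray(0x200)
    buf[0:2] = bytes([77, 90])
    struct.pack_into("<I", buf, 0x3C, 0x80)           # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x84,
                     0x014C, 3, 0, 0, 0, 224, 0x0102)  # x86, 3 sections
    opt = 0x98
    struct.pack_into("<H", buf, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", buf, opt + 92, 16)          # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", buf, opt + 96 + 8 * CLR_DIRECTORY_INDEX,
                         0x2008, 0x48)                 # constructed CLR entry
    return bytes(buf)


if __name__ == "__main__":
    for label, data in [
        ("constructed .NET header", build_constructed_header()),
        ("constructed native header", build_constructed_header(dotnet=False)),
        ("garbage (wrong key)", bytes(range(256))),
        ("truncated dump", build_constructed_header()[:0x90]),
    ]:
        print(label, "->", inspect_dump(data))
```
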
We get a file called 'SHIELD runner', serving as a 'RunPE' helper application. A 'RunPE' application serves to execute files on the fly, meaning that a memory stream is created from an input and executed directly without first storing the file to disk. This is useful for malware writers that want to avoid leaving traces behind, and as we'll soon see, it's not all this file has to offer.
Although we'll carry on with our investigation into the ransomware code, there's a noteworthy string embedded in the SHIELD runner executable, 'd:\Users\dennis…'.
In the same way as before, a string key and a byte array are used to generate yet another executable file. As you can see, the cybercriminals have gone to great lengths in order to slow down the analysis and hide the malicious payload for as long as possible.
Not only do we have the usual 'RunPE' functions but also a nice additional set of methods that will help the malware detect analysis tools and virtualized environments. It checks for 'Sandboxie', 'Wireshark', 'Winsock Packet Editor' and even checks whether the machine's name is 'MALTEST'. Fortunately, none of these conditions are met in my environment so we are good to go.
But wait…. there's more! The detection of the virtualized environment will cause the execution to stop and the malicious payload to be hidden.
Using PowerShell, we are going to check if the malware can actually detect our environment. Apparently it can, so we'll need to carry out some simple modifications in order to continue the analysis process.
We can fix this easily from VMware's configuration VMX file, setting the option 'SMBIOS.reflectHost = TRUE'. Running our PowerShell checks again, we witness the good news and are ready to go even further.
Repeating the process of string key and byte array decryption and dumping the memory at just the right time pays off and we finally end up with the set of files that will be used during the infection.
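The sanity check applied to each decrypted stage above (first bytes 77, 90, i.e. 'MZ'), together with a search for the anti-analysis names the loader is said to look for, can be scripted as follows. This is an added example, not code from the sample or from the original analysis; the marker list is taken from the prose, and both stage buffers are constructed so the script runs offline.

```python
import struct

# Names the article says the loader checks for. They come from the prose, so
# the literals inside a real sample may differ: treat this as a seed list.
ANTI_ANALYSIS_MARKERS = ["Sandboxie", "Wireshark", "Winsock Packet Editor", "MALTEST"]


def looks_like_pe(buf: bytes) -> bool:
    """True if buf starts with 'MZ' (77, 90) and e_lfanew points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_markers(buf: bytes, markers=ANTI_ANALYSIS_MARKERS) -> dict:
    """Map marker -> sorted [(offset, encoding)], matching case-insensitively.

    .NET keeps user strings as UTF-16LE, so an ASCII-only search misses them.
    """
    lowered = buf.lower()  # bytes.lower() only folds ASCII letters
    hits = {}
    for marker in markers:
        found = []
        for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
            needle = marker.lower().encode(codec)
            pos = lowered.find(needle)
            while pos != -1:
                found.append((pos, label))
                pos = lowered.find(needle, pos + 1)
        if found:
            hits[marker] = sorted(found)
    return hits


def triage_stage(name: str, buf: bytes) -> dict:
    """Summarise one dumped stage: did the key work, and what does it look for?"""
    return {
        "stage": name,
        "first_bytes": list(buf[:2]),   # [77, 90] means the decryption worked
        "is_pe": looks_like_pe(buf),
        "markers": find_markers(buf),
    }


def constructed_stage(utf16=(), ascii_=()) -> bytes:
    """Constructed test input: DOS header, PE signature, then embedded strings."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: right after the header
    body = b"PE\x00\x00" + bytes(20)             # signature + zeroed COFF header
    for s in utf16:
        body += b"\x00\x00" + s.encode("utf-16-le")
    for s in ascii_:
        body += b"\x00" + s.encode("ascii")
    return bytes(dos) + body


# Constructed buffers, not bytes from any real sample.
STAGE_GOOD = constructed_stage(utf16=["Wireshark", "MALTEST"], ascii_=["sandboxie"])
STAGE_WRONG_KEY = bytes([0x13, 0x37]) + bytes(126)   # what a bad key might yield

if __name__ == "__main__":
    for label, data in (("good", STAGE_GOOD), ("wrong-key", STAGE_WRONG_KEY)):
        print(triage_stage(label, data))
```

If the strings are themselves encrypted by the obfuscator, the marker search returns nothing until the stage has been deobfuscated; an empty result is not proof that the checks are absent.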
The CoinVault 'Locker' has two main Windows forms: the main one telling us to pay in order to recover the victim's files and 'frmGetFreeDecrypt' which is used to decrypt one of the victim's files as a way to demonstrate that we can in fact recover our precious information if we comply in a timely manner.
However, before the 'Locker' analysis we'll need to deobfuscate it (at least a little bit). The malware writers display some sense of humor here: if the analyst has gone through this much trouble to reach this point it seems he's welcome as suggested by the phrase, 'Your worst nightmare'. Moreover, they are keen enough to leave a banner signaling the obfuscation utility they used. In this case we are dealing with the ever popular 'Confuser', in its version 188.8.131.52.
Certainly, this is confusing… but we can make it better. So, we go from something that resembles a Chinese manuscript to readable source code.
We can now see, amongst the many (many) methods and delegates inside the assembly, some relevant code regarding the file encryption. .NET's 'System.Security.Cryptography.RijndaelManaged' namespace is used (amongst others) revealing symmetric encryption functionality.
We can even get a glance at how the PRNG was implemented and some internal details of the malicious application.
When we are finally shown the 'Locker' executable, a connection is made to a dynamic domain. During the analysis, two addresses were present: 'cvredirect.no-ip.net' and 'cvredirect.ddns.net'. They are currently offline and this hampers the 'Locker' functionality, since upon traffic analysis inspection we were able to see that a hardware ID is sent to the C&C in order to use a dynamic file encryption password. I guess now we can understand why the malware is checking for Wireshark in the system. After all, cybercriminals wouldn't want you to take a peek at how their business is getting done.
At this point, if everything went well (for the cybercriminals) your personal documents and files have been encrypted and a payment is demanded in less than 24 hours or the price will rise. The bitcoin address used is dynamic too, making the tracing of the funds a lot more complex than usual.
Is this your worst nightmare? If you don't have an updated anti-malware suite and (just in case) a backup of your most important files, it might just be.
Kaspersky detects this family as 'Trojan-Ransom.Win32.Crypmodadv.cj'. We have already seen similar malicious applications in the past (regarding functionality) such as 'TorrentLocker', and some PowerShell ransomware, but the amount of effort invested in this one in order to protect the code shows that cybercriminals are leveraging already developed libraries and functionality in order to avoid reinventing the wheel.
This year's 17th Association of anti-Virus Asia Researchers international conference, "AVAR 2014" came back to Sydney, Australia with the theme "Security Down-Under". The event was held here also in 2003.
The arrival hall at Sydney airport did indeed look like this:
More than 170 attendees related to the anti-virus industry, CERTs, law enforcement and academia from around the world had plenty of opportunities to network and exchange thoughts and ideas.
The keynote, delivered by Graham Cluley, included a part where everybody was invited to join in singing "The anti-virus industry song".
The presentations covered subjects like the current global anti-malware ecosystem, the mobile cybercriminal underground market in a certain country, details about the Dragonfly threat actor and much more (see the link below for more information).
Kaspersky Lab's Roman Unuchek presented his research about Android banking botnets.
Colleagues from ESET did a great job organizing not only the conference but also an entertaining gala dinner at the "Power House Museum".
Another highlight was the "after party" in a Bavarian Beer Cafe. That turned into a kind of power house as well when some attendees of the AVAR 2014 got on stage and rocked the place.
Last but not least there was also an opportunity to see a bit of Sydney's scenery and wild life during a tour.
We are looking forward to the next AVAR in 2015, which will be held in Vietnam.
It took some time but they're finally here – Brazilian cybercriminals have started to target their attacks towards mobile banking users. This week we spotted the first Trojan banker targeting Brazilian users of Android devices. Two malicious applications meant to pass for apps from local Banks were hosted on Google Play.
According to FEBRABAN (the local Federation of Banks), more than 6 million Brazilians are using mobile banking regularly, so it's not surprising to find malware targeting mobile users. In fact, Brazil was crowned the country most attacked by banking malware in our Q3 threat evolution report:
This move by Brazilian bad guys was predictable and awaited as a natural development in the local malware scene. In 2012, we witnessed attacks using phishing pages in mobile format and now a bad guy using the name "Governo Federal" (Federal Government) was able to publish 2 malicious apps in the Play store:
Both apps used the name of two very popular public Brazilian Banks – the first app was published on October 31st and registered 80 installations. The second was published on November 10th and had only 1 installation.
To create the malicious app, the (lazy) bad guy decided to use "App Inventor": a free platform that allows anyone to create their own mobile Android application, no technical knowledge required. The result is an app big in size and full of useless code. But both apps had the function to load the logos of the targeted Banks and open a frame – the phishing page programmed to capture the user's credentials. Simple, but effective, as mobile banking users in Brazil still use single authentication, without tokens or OTPs, where only the account number and password are required.
The phishing pages of the targeted Banks were hosted on a hacked website. A good soul removed them and inserted an alert to the visitors stating: "Este é um aplicativo Falso, denuncie este app", meaning "This is a fake app, please report it". As a result, when the user downloads, installs and opens the fake banking app, this message is displayed inside, instead of the original phishing page:
We reported both apps to Google, and they promptly removed them from the Play Store. We detect both apps as Trojan-Banker.AndroidOS.Binv.a (MD5s: 00C79B15E024D1B32075E0114475F1E2 and A18AC7C62C5EFD161039DB29BFDAA8EF) and we're quite sure that these are only the first crude attempts of many more to come.
Thanks to my colleague Roman Unuchek for the valuable help in this case.
In July we published our in-depth analysis into a targeted attack campaign that we dubbed 'Crouching Yeti'. This campaign is also known as 'Energetic Bear'.
This campaign, which has been active since late 2010, has so far targeted the following sectors: industrial/machinery, manufacturing, pharmaceutical, construction, education and information technology. So far there have been more than 2,800 victims worldwide, and we have been able to identify 101 different organisations – mostly in the United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China.
The list of victims suggests that the attackers behind Crouching Yeti are pursuing strategic targets. Nevertheless, the attackers have also shown an interest in not-so-obvious institutions too.
The attackers behind Crouching Yeti use various types of malware (all designed to infect systems running Windows) to infiltrate their victims, extend their reach within the target organisations and steal confidential data, including intellectual property and other strategic information. Infected computers connect to a large network of hacked web sites that host malware modules, hold information about victims and send commands to infected systems.
The attackers use three methods to infect their victims. First, they use a legitimate software installer, re-packaged to include a malicious DLL file. Such modified self-extracting archive files could be uploaded directly to a compromised server, or they could be sent directly to someone within the target organisation by e-mail. Second, they use spear-phishing to deliver a malicious XDP (XML Data Package) file containing a Flash exploit (CVE-2011-0611). Third, they use watering-hole attacks. Hacked web sites use several exploits (CVE-2013-2465, CVE-2013-1347, and CVE-2012-1723) to redirect visitors to malicious JAR or HTML files hosted on other sites maintained by the attackers. The term 'watering-hole' is applied to a web site that is likely to be visited by potential victims. These web sites are compromised in advance by the attackers – the site is injected to install malware on the computers of anyone visiting the compromised site.
One malicious program used by the attackers, the Havex Trojan, includes special modules to collect data from specific industrial IT environments. The first of these is the OPC scanner module. This module is designed to collect extremely detailed data about the OPC servers running in the local network. OPC (Object Linking and Embedding (OLE) for Process Control) servers are typically used where multiple industrial automation systems are operating. This module is accompanied by a network scanning tool. This tool scans the local network, looks for all computers listening on ports related to OPC/SCADA (Supervisory Control and Data Acquisition) software, and tries to connect to such hosts in order to identify which potential OPC/SCADA system is running. It then transmits all the data it finds to the Command-and-Control (C2) servers used by the attackers to manage the campaign.
While analysing the code, we looked for clues that might point to the identity of the attackers.
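The next paragraph reports a compile-time profile of 154 files. The sketch below, added here and not the researchers' own tooling, shows one way to build such a profile: it reads the COFF TimeDateStamp from each PE header, buckets usable values by UTC hour and finds the densest 10-hour window. The sample headers and timestamps are constructed, and the 10-hour window length and the year-2000 plausibility floor are assumptions.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

UTC = timezone.utc


def pe_compile_time(buf: bytes):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None if not a PE."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\x00\x00" or len(buf) < e_lfanew + 12:
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (raw,) = struct.unpack_from("<I", buf, e_lfanew + 8)
    return datetime.fromtimestamp(raw, tz=UTC)


def hour_profile(samples: dict, earliest=datetime(2000, 1, 1, tzinfo=UTC), latest=None):
    """Count compile times per UTC hour; return (Counter, names that were skipped).

    Zeroed, pre-`earliest` or future stamps are skipped rather than counted,
    because they say nothing about when the author was at the keyboard.
    """
    latest = latest or datetime.now(UTC)
    hours, skipped = Counter(), []
    for name, buf in samples.items():
        when = pe_compile_time(buf)
        if when is None or not (earliest <= when <= latest):
            skipped.append(name)
        else:
            hours[when.hour] += 1
    return hours, sorted(skipped)


def share_in_window(hours: Counter, start: int, end: int) -> float:
    """Fraction of counted samples with start <= compile hour < end (UTC)."""
    total = sum(hours.values())
    return sum(n for h, n in hours.items() if start <= h < end) / total if total else 0.0


def best_window(hours: Counter, length: int = 10):
    """(start_hour, count) of the densest `length`-hour window, wrapping at midnight."""
    def covered(start):
        return sum(hours.get((start + i) % 24, 0) for i in range(length))
    start = max(range(24), key=covered)
    return start, covered(start)


def constructed_pe(raw_stamp: int) -> bytes:
    """Constructed input: the smallest header pe_compile_time() will accept."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHI", 0x014C, 1, raw_stamp) + bytes(12)
    return bytes(dos) + b"PE\x00\x00" + coff


def utc_stamp(y, mo, d, h, mi) -> int:
    return int(datetime(y, mo, d, h, mi, tzinfo=UTC).timestamp())


# Constructed samples; names and times are invented for the demonstration.
SAMPLES = {
    "a": constructed_pe(utc_stamp(2013, 3, 4, 7, 15)),
    "b": constructed_pe(utc_stamp(2013, 5, 20, 9, 40)),
    "c": constructed_pe(utc_stamp(2012, 11, 2, 13, 5)),
    "d": constructed_pe(utc_stamp(2014, 1, 15, 15, 59)),
    "e_late": constructed_pe(utc_stamp(2013, 8, 9, 22, 30)),
    "f_zeroed": constructed_pe(0),
    "g_not_pe": b"not a PE file",
}

if __name__ == "__main__":
    hours, skipped = hour_profile(SAMPLES)
    print("per-hour counts:", dict(sorted(hours.items())))
    print("skipped:", skipped)
    print("share in 06:00-16:00 UTC:", share_in_window(hours, 6, 16))
    print("densest 10h window (start, count):", best_window(hours))
```

Link timestamps can be zeroed or forged, so a profile like this is supporting evidence rather than proof of a time zone.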
A timestamp analysis of 154 files revealed that most of the samples were compiled between 06:00 and 16:00 UTC. This could match any country in Europe. We also looked at the language used by the attackers. The malware contains strings in English (written by non-native English speakers). There were also some clues indicating possible French and Swedish speakers. But unlike several other researchers who looked at Crouching Yeti, we didn't find anything that would enable us to conclude with certainty that the attackers are of Russian origin. There's a lack of Cyrillic content (or transliteration) across the 200 malicious binaries and related operational content – in contrast to what we found when looking at earlier targeted attack campaigns, including Red October, MiniDuke, CosmicDuke, the Snake and TeamSpy.
An Epic tale of cyber-espionage
For more than a year Kaspersky Lab has been researching a sophisticated cyber-espionage campaign that we call 'Epic Turla'. This campaign, which dates back to 2012, targets government institutions, embassies, military, research and educational organizations and pharmaceutical companies. Most of the victims are located in the Middle East and Europe, although we have seen victims elsewhere, including the United States. Altogether, we have found several hundred victim IP addresses in more than 45 countries.
When we published our initial research into this campaign, it was unclear how victims of the attack were becoming infected. In our latest research, published in August, we outlined the infection mechanisms used by Epic Turla and how they fit within the structure of the overall campaign.
The attackers use social engineering tricks to infect their victims – specifically spear-phishing and watering-hole attacks.
Some of the spear-phishing e-mails include zero-day exploits. The first of these, affecting Adobe Acrobat Reader (CVE-2013-3346), allows the attackers to arbitrarily execute code on the victim's computer. The second, a privilege escalation vulnerability in Windows XP and Windows Server 2003 (CVE-2013-5065), provides the Epic Turla backdoor with administrator rights on the victim's computer. In addition, the attackers trick their victims into running malware installers with an SCR extension – sometimes packed using RAR. When the unsuspecting victims open an infected file, a backdoor is installed on their computer, giving the attackers full control.
The cybercriminals behind Epic Turla also use watering-hole attacks that deploy a Java exploit (CVE-2012-1723), Adobe Flash exploits and Internet Explorer exploits. There are others that use social engineering to trick victims into running fake 'Flash Player' malware installers. Depending on the IP address of the victim, the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials. We have seen more than 100 injected web sites. Unsurprisingly, the choice of web sites reflects the specific interests of the attackers (as well as the interests of the victims). For example, many infected Spanish web sites belong to local governments.
Once the computer is infected, the Epic Turla backdoor (known also as 'WorldCupSec', 'TadjMakhal', 'Wipbot' and 'Tadvig') immediately connects to the C2 server to send a pack containing the victim's system information. Based on the summary information sent to the C2 server, the attackers deliver pre-configured batch files containing a series of commands to be executed on the infected computer. The attackers also upload custom lateral movement tools (including a specific keylogger and RAR archiver), as well as standard utilities such as a DNS query tool from Microsoft.
Our analysis revealed that the Epic Turla backdoor is just the first stage of a wider infection process. It is used to deploy a more sophisticated backdoor known as the 'Cobra/Carbon system' (named 'Pfinet' by some anti-malware products). After some time, the attackers went further, using the Epic Turla implant to update the Carbon configuration file with a different set of C2 servers. The unique knowledge to operate these two backdoors indicates a clear and direct connection between them: one is used to gain a foothold and validate the high-profile victim. If the victim proves to be of interest to the attackers, the compromised computer is upgraded to the full Carbon system.
Here's an overview of the whole Epic Turla cyber-espionage campaign:
Attributing these attacks is always very difficult. However, some aspects of the code tell us something about the attackers. It's clear that they are not native English speakers. They commonly misspell words and phrases, such as:
'Password it's wrong!'
'File is not exists'
'File is exists for edit'
There are also other indicators that hint at the origin of the attackers. For example, some of the backdoors have been compiled on a system with the Russian language. In addition, the internal name of one of the Epic Turla backdoors is 'Zagruzchik.dll', which means 'bootloader' or 'load program' in Russian. Finally, the Epic Turla 'mother ship' control panel sets the code page to 1251, which is used for Cyrillic characters.
NetTraveler gets a birthday makeover
We have discussed this targeted attack campaign, which has now been active for 10 years, on several occasions.
Earlier this year we observed an increase in the number of attacks on Uyghur and Tibetan activists, using an updated version of the NetTraveler backdoor. The attackers use spear-phishing e-mails to lure their victims: e-mails include a Microsoft Word document that contains the CVE-2012-0158 exploit. This drops the main module ('net.exe') onto the computer, which in turn installs a number of other files, including the main C2 module. This module is registered as a service ('Windowsupdata') by means of a Windows batch file called 'dot.bat'. The format of the malware configuration file has also been updated and it's clear that the attackers have taken steps to try and conceal the configuration (but the encryption they used is weak).
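The artefacts named above ('net.exe' dropped outside the system directory, 'dot.bat', a service called 'Windowsupdata') translate directly into host-log hunting rules. The following is an added example, not Kaspersky's detection logic: the log format is a constructed, simplified rendering of Windows events 4688 (process creation) and 7045 (service installed), all hosts and paths are invented, and the look-alike check generalises the single service name to any near-miss of a known service name.

```python
import re

# Legitimate service display names to compare against (short illustrative list).
KNOWN_SERVICES = ["Windows Update", "Windows Time", "Windows Defender", "Print Spooler"]
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
FIELD = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

# Constructed log lines: hosts, paths and times are invented.
SAMPLE_LOG = r'''
2014-08-01T09:12:40Z host=WS-014 event=4688 image="C:\Users\example\AppData\Local\Temp\net.exe" cmdline="net.exe"
2014-08-01T09:12:43Z host=WS-014 event=4688 image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dot.bat"
2014-08-01T09:12:44Z host=WS-014 event=7045 service="Windowsupdata" image="C:\ProgramData\example\placeholder.dll"
2014-08-01T10:02:10Z host=WS-020 event=4688 image="C:\Windows\System32\net.exe" cmdline="net.exe use"
2014-08-01T10:05:00Z host=WS-020 event=7045 service="Windows Update" image="C:\Windows\System32\svchost.exe -k netsvcs"
'''


def parse(line: str) -> dict:
    """Split 'timestamp key=value key="quoted value" ...' into a dict."""
    ts, rest = line.split(" ", 1)
    rec = {"ts": ts}
    for qkey, qval, key, val in FIELD.findall(rest):
        rec[qkey or key] = qval if qkey else val
    return rec


def normalize(name: str) -> str:
    return re.sub(r"[^a-z0-9]", "", name.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(service: str, max_distance: int = 2):
    """Return the legitimate name this service nearly matches, or None.

    An exact match (distance 0) is not flagged here; it needs a path check instead.
    """
    cand = normalize(service)
    for legit in KNOWN_SERVICES:
        if 0 < edit_distance(cand, normalize(legit)) <= max_distance:
            return legit
    return None


def detect(log_text: str) -> list:
    """Return (timestamp, host, reason) tuples for suspicious records."""
    findings = []
    for line in filter(None, (ln.strip() for ln in log_text.splitlines())):
        rec = parse(line)
        where = (rec["ts"], rec.get("host", "?"))
        image = rec.get("image", "").lower()
        if rec.get("event") == "7045":
            legit = lookalike_of(rec.get("service", ""))
            if legit:
                findings.append(where + (f"service '{rec['service']}' imitates '{legit}'",))
        elif rec.get("event") == "4688":
            if image.rsplit("\\", 1)[-1] == "net.exe" and not any(d in image for d in SYSTEM_DIRS):
                findings.append(where + ("net.exe started outside the system directory",))
            if "dot.bat" in rec.get("cmdline", "").lower():
                findings.append(where + ("command line references dot.bat",))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding, sep=" | ")
```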
The focus of the attackers has changed over time. For much of its existence, the main targets of NetTraveler were diplomatic, government and military organisations. More recently, its cyber-espionage activities have focused more on organisations involved in space exploration, nano-technology, energy production, nuclear power, lasers, medicine and communications.
A focus on Uyghur and Tibetan activists remains a core part of the attackers' activities.
The Syrian malware house of cards
Technology is now an integral part of our lives, so it's hardly surprising to see a cyber-dimension to conflicts around the world. This is especially true of the Middle East, where geo-political conflicts have intensified in recent years. Kaspersky Lab's Global Research and Analysis Team analysed the recent increase in malware activity in Syria.
The people behind these attacks use social engineering tricks to lure their victims into opening infected files. They use e-mail, Skype messages, Facebook posts and YouTube videos.
They use a variety of 'hooks' – preying on their victims' trust in social networking forums, their curiosity about news related to the conflict in Syria, their fear of the government and their lack of technical awareness.
Examples include a disturbing video on YouTube showing injured victims of recent bombings that also invites people to download a malicious program from a public file-sharing web site. We also found a set of compressed files on a popular social networking site which, when extracted, revealed a database containing a list of activists and wanted individuals in Syria. The download link for this database application was included in the information section of a video published on 9 November 2013. The attackers also make use of fake security solutions to trick their victims – including a fake anti-virus program called 'Ammazon Internet Security' and a Trojanised version of a legitimate network monitoring tool, Total Network Monitor. They don't just spread fake security applications – we've also seen fake versions of the Whatsapp and Viber instant messaging apps.
The attackers use a number of well-known remote administration tools (RATs), malicious programs that allow a remote 'operator' to control a compromised computer as if they had physical access to it. These tools are widely used in cybercrime attacks of all kinds and even in some state-sponsored attacks. The RATs used in this campaign include 'ShadowTech', 'Xtreme', 'NjRAT', 'Bitcoment', 'Dark Comet' and 'Blackshades'. The malware is used to monitor the victims, to gather information and, in some cases, to try and shut down their operations.
The victims of these attacks are not only located in Syria. The attacks have also been seen in Turkey, Saudi Arabia, Lebanon, Palestine, United Arab Emirates, Israel, Morocco, France and the United States.
We were able to track the C2 servers of the attackers to IP addresses in Syria, Russia, Lebanon, the United States and Brazil. In total, we found 110 files, 20 domains and 47 IP addresses associated with the attacks.
The number of attacks has grown markedly over the last year. In addition, it's clear that the groups involved in the attacks are well organised. So far the attackers have made use of established malware tools rather than developing their own (although they use a variety of obfuscation methods to bypass simple signature-based detection). However, we think the number and sophistication of malware used in the region is likely to increase.
You can find our full report on this malware here.
Malware stories
Shylock – a pound of your flesh
Earlier this year Kaspersky Lab contributed to an alliance of law enforcement and industry organizations, co-ordinated by the United Kingdom National Crime Agency (NCA), to disrupt the infrastructure behind the Shylock Trojan. This partnership shows how global cooperation on cybercrime can produce positive results.
The Shylock banking Trojan, so-called because its code contains excerpts from Shakespeare's The Merchant of Venice, was first discovered in 2011. Like other well-known banking Trojans such as Zeus, SpyEye and Carberp, Shylock is a man-in-the-browser attack designed to steal banking login credentials from the computers of bank customers. The Trojan uses a pre-configured list of target banks, located in different countries around the world.
The Trojan injects fake data entry fields into web pages when they load on the victim's browser. Victims are typically tricked into running the malware by clicking on malicious links. Shylock then seeks to access funds held in business or personal bank accounts, and transfers them to accounts under the control of the attackers.
The focus of the cybercriminals changed over time. When Shylock first appeared, it was aimed mainly at victims in the UK and, during the course of 2012, spread to other countries in Europe and to the United States. By the end of 2013, the cybercriminals were more focused on developing markets such as Brazil, Russia and Vietnam. You can find more information, including data on the spread of the malware, here.
All banking Trojans, Shylock included, target bank customers, hoping to take advantage of what is often the least protected element of any financial transaction – i.e. the human. That's why it's important that security starts at home – we all need to secure our computers effectively.
Your money or your file(s)!
The number of ransomware programs has been growing in recent years – not all of them focused on computers running Windows. Some, including the ones targeting Android devices, tend to simply block access to the device and demand a ransom payment in order to unlock the device.
But many ransomware programs go further than this, encrypting data on the victim's computer. One recent example is ZeroLocker.
Unlike most ransomware programs, which encrypt a pre-defined list of file types, ZeroLocker encrypts nearly all the files on the victim's computer and adds the extension '.encrypt' to encrypted files. ZeroLocker doesn't encrypt files located in directories containing the words 'Windows', 'WINDOWS', 'Program Files', 'ZeroLocker' or 'Destroy' and doesn't encrypt files larger than 20MB in size.
ZeroLocker generates a 160-bit AES key to encrypt all files. The key space is somewhat limited because of the way the key is generated, but it's still large enough to make general brute-forcing unfeasible. After encrypting files, the malware runs the 'cipher.exe' utility to remove all unused data from the drive, making file recovery much more difficult. The encryption key, together with a CRC32 of the computer's MAC address, and the associated Bitcoin wallet, is sent to the server used by the cybercriminals. There's an indication that the C2 configuration contains some errors that might prevent successful decryption – another reason why paying the ransom is a bad idea.
The encryption key, along with other information, is sent by means of a GET request, rather than a POST. This results in a 404 error on the server. This could mean that the server isn't storing the information, suggesting that the victims will probably not get their files back, even if they pay the ransom.
Several other URLs that the malware tries to get also result in 404 errors. This suggests that the operation may still be in its infancy. If and when these errors are fixed, we may see ZeroLocker deployed on a larger scale.
The cybercriminals behind ZeroLocker demand an initial $300 worth of Bitcoins to decrypt the file. If the victim does not pay promptly the fee increases to $500 and $1,000 as time goes on.
There's a Bitcoin wallet hard-coded inside the binary, but the malware tries to fetch a new wallet address from the C2 server, probably to make it harder to trace how successful the operation is and where the money goes. None of the Bitcoin wallet addresses we looked at had any transactions associated with them. Since the C2 server provides Bitcoin wallet information, it's possible that the attackers are able to use a unique wallet for each victim.
Another ransomware program that we analysed recently is Onion. This malicious program uses the tried-and-tested method used by other recent ransomware programs – encrypting the victim's data and demanding a ransom payment in Bitcoin.
However, it also breaks new ground. First, Onion uses the anonymous Tor network to hide its C2 servers. This makes it harder to track down the cybercriminals behind the malware. Other malware has used Tor in the past, but this Trojan stands apart because it supports full interaction with Tor without any input from the victim. Other programs like this communicate with the Tor network by launching (sometimes by injecting code into other processes) the legitimate 'tor.exe' file. By contrast Onion implements this communication as part of the malware code itself.
Onion also uses an unorthodox cryptographic algorithm that makes file decryption impossible, even if traffic between the Trojan and the C2 server is intercepted. This Trojan not only uses asymmetric encryption, it also uses a cryptographic protocol known as ECDH (Elliptic Curve Diffie-Hellman). This makes decryption impossible without the master private key – which never leaves the cybercriminals' controlled server. Further details can be found in our report on the Onion Trojan.
These things combined make the Onion Trojan technically advanced and very dangerous.
Ransomware operations rely on their victims paying up. Don't do it! Instead, make regular backups of your data. That way, if you ever fall victim to a ransomware program (or a hardware problem that stops you accessing your files) you will not lose any of your data.
Why one of our security researchers hacked his own home
The Internet is becoming woven into the fabric of our lives – literally, in some cases, as connectivity is embedded into everyday objects. This trend, known as the 'Internet of Things', has attracted more and more attention as hackers and researchers probe the technologies integrated into cars, hotels, home alarm systems and refrigerators and more – looking for vulnerabilities.
Sometimes the Internet of things can seem remote. But it's often closer than we think. The modern home today is likely to have a handful of devices connected to the local network that aren't traditional computers, tablets or cellphones – devices such as a smart TV, a printer, a gaming console, a network storage device or some kind of media player/satellite receiver.
One of our security researchers, David Jacoby, investigated his own home, to determine whether it was really cyber-secure. He looked at several devices, including network-attached storage (NAS) devices, smart TV, router and satellite receiver, to see if they were vulnerable to attack. The results were striking. David found 14 vulnerabilities in the network-attached storage devices, one in the smart TV and several potentially hidden remote control functions in the router.
The most severe vulnerabilities were found in the network-attached storage devices. Several of them would allow an attacker to remotely execute system commands with the highest administrative privileges. The tested devices also had weak default passwords, stored passwords in plain text and included configuration files with the wrong permissions. The default administrator password for one of the devices contained just one digit! And another device even shared the entire configuration file, containing encrypted passwords, with everyone on the network!
David was also able to upload a file to an area of storage memory that's inaccessible to an ordinary user. If an attacker uploaded a malicious file to this area, the compromised device would become a source of infection for other devices connecting to this NAS – a home PC, for example – and could even serve as a DDoS (Distributed Denial of Service) bot in a botnet. On top of this, the only way to delete this file was by using the same vulnerability – even for a technical specialist this is no simple task.
When David looked at his smart TV, he discovered that communication between the TV and the TV vendor's servers isn't encrypted – potentially opening the way for a Man-in-the-Middle attack that could result in an unsuspecting consumer transferring money to fraudsters while trying to buy content via the TV. As a proof of concept exercise, David was able to replace one of the icons on the smart TV graphic interface with a picture. Normally the widgets and thumbnails are downloaded from the TV vendor's servers but since the connection isn't encrypted, this information could be modified by a third party. He also discovered that the smart TV is able to execute Java code that, in combination with the ability to intercept the exchange of traffic between the TV and Internet, could result in exploit-driven malicious attacks.
The DSL router, used to provide wireless Internet access for all other home devices, contained several dangerous features hidden from its owner. Some of these hidden functions could potentially give an attacker remote access to any device in a private network. What's more, sections of the router's web interface called 'Web Cameras', 'Telephony Expert Configure', 'Access Control', 'WAN-Sensing' and 'Update' are 'invisible' and cannot be adjusted by the owner of the device. They can only be accessed by exploiting a rather generic vulnerability that makes it possible to travel between sections of the interface (these are basically web pages, each with its own alphanumeric address) by brute-forcing the numbers at the end of the address. Originally these functions were implemented for the convenience of the owner of the device: the remote access function makes it fast and easy for an ISP (Internet Service Provider) to troubleshoot and resolve technical problems on the device. But this convenient feature could become a security risk if the controls fell into the wrong hands.
In line with our policy of responsible disclosure, Kaspersky Lab hasn't disclosed the names of vendors whose products were investigated as part of this research. All vendors were informed about the existence of the vulnerabilities and Kaspersky Lab specialists work closely with vendors to help them remediate any vulnerabilities discovered.
It's important that we all understand the potential risks associated with using network devices – this applies to individuals and businesses alike. We also need to understand that our information is not secure just because we use strong passwords or run software to protect against malicious code. There are many things over which we have no control, and to some degree we are in the hands of software and hardware vendors. For example, not all devices include automated update checks – sometimes consumers are required to download and install new firmware. This is not always an easy task. Worse still, it's not always possible to update a device (most devices investigated during this research had been discontinued more than a year before).
You can find some advice on how to reduce the risk of attack in this summary of David Jacoby's article.
Web security and data breaches: ShellShock
In September, the information security world faced a red alert following the discovery of the 'Bash' vulnerability (also known as 'ShellShock'). Bash, a Unix shell written in 1989, is the default shell on Linux and Mac OS X. The flaw (CVE-2014-6271) allows an attacker to remotely attach a malicious file to a variable that is executed when the Bash command interpreter is invoked. The high impact of this vulnerability, coupled with the ease with which it can be exploited, makes it very powerful. Some have compared it to the 'Heartbleed' vulnerability. However, Bash is much easier to exploit than Heartbleed and, whereas Heartbleed only allowed an attacker to steal data from the memory of a vulnerable computer, Shellshock could provide full system control.
It didn't take long for attackers to try and take advantage of the vulnerability – we discussed some early examples soon after it was discovered. In most cases attackers remotely attacked web servers hosting CGI (Common Gateway Interface) scripts that have been written in Bash or pass values to shell scripts. However, it is possible that the vulnerability could have an impact on a Windows-based infrastructure.
Nor is the problem confined only to web servers. Bash is widely used in the firmware of devices that we now take for granted in our everyday lives. This includes routers, home appliances and wireless access points. Some of these devices can be difficult, or impossible, to patch – as discussed above.
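One way to look for the CGI attack attempts described above in web server access logs, as an added example that is not part of the original report. The log lines, addresses and paths are constructed; the check relies on the fact that Bash treats an environment variable whose value begins with `() {` as a function definition, and that CGI servers copy request headers into environment variables.

```python
import re
from urllib.parse import unquote

# Function-definition prefix that Bash looks for in imported variables.
FUNC_PREFIX = re.compile(r"\(\)\s*\{")

# Combined log format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Paths that are likely to be handled by a CGI or shell script.
CGI_PATH = re.compile(r"/cgi-bin/|\.(?:cgi|sh)(?:\?|$)")

# Constructed sample log (documentation address ranges, inert payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 312 "-" "() { :; }; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:03:45 +0000] "GET /cgi-bin/missing.cgi HTTP/1.1" '
    '404 209 "() { x; }; echo probe" "curl/7.30"',
    '203.0.113.99 - - [25/Sep/2014:10:09:13 +0000] '
    '"GET /search?q=%28%29%20%7B%20%3A%3B%20%7D%3B HTTP/1.1" 200 811 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [25/Sep/2014:10:11:00 +0000] "GET /docs/func.html?sig=main() HTTP/1.1" '
    '200 900 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Return one finding per log line that carries the function prefix."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        parts = m.group("request").split(" ")
        path = parts[1] if len(parts) > 1 else ""
        # Decode percent-encoding first so %28%29%20%7B is caught as well.
        hit_fields = [
            name for name in ("request", "referer", "agent")
            if FUNC_PREFIX.search(unquote(m.group(name)))
        ]
        if not hit_fields:
            continue
        # A 200 from a CGI path means a script actually ran with that input,
        # so the host's Bash version should be verified first.
        ran_cgi = bool(CGI_PATH.search(path)) and m.group("status") == "200"
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "path": path,
            "fields": hit_fields,
            "priority": "high" if ran_cgi else "review",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["priority"], f["ip"], f["path"], ",".join(f["fields"]))
```

A hit only shows that a request carried the prefix; whether the host was affected depends on the Bash version behind the script that served it.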
You can find guidance on how to update vulnerable systems here.
Statistics
All statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to transfer it. Millions of users of Kaspersky Lab products from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.
Q3 in figures
- According to KSN data, Kaspersky Lab products detected and neutralized a total of 1,325,106,041 threats in the third quarter of 2014.
- Kaspersky Lab solutions repelled 367,431,148 attacks launched from online resources located all over the world.
- Kaspersky Lab's web antivirus detected 26,641,747 unique malicious objects: scripts, exploits, executable files, etc.
- 107,215,793 unique URLs were recognized as malicious by web antivirus components.
- 33% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in the US.
- Kaspersky Lab's antivirus solutions detected a total of 116,710,804 unique malicious and potentially unwanted objects.
- Kaspersky Lab mobile security products detected:
  - 461,757 installation packages;
  - 74,489 new malicious mobile programs;
  - 7,010 mobile banking Trojans.
In Q3 2014 Kaspersky Lab mobile security products detected 74,489 new malicious mobile programs, 14.4% more than in the second quarter.
At the same time, fewer installation packages were detected.
Number of installation packages and new malicious mobile programs detected in Q1-Q3 2014
In the first half of 2014, there were on average a little more than 11 malicious installation packages associated with each malicious program, but in Q3 there were 6.2 million.
Using multiple installation packages for one mobile malicious program is typical of SMS-Trojan distributors. For example, attackers have used up to 70,000 packages for one version of Stealer.a. The decrease in the number of malicious installation packages is probably related to the reduced proportion of this malware in the flow of new mobile malicious programs (see below).
Distribution of mobile threats by type
Distribution of mobile threats by type in Q2 and Q3 2014
The rating of malware objects for mobile devices for the third quarter of 2014 was headed by RiskTool. This claimed 26.5% of detections, a rise of 8.6 percentage points. These are legal applications that are potentially dangerous for the user – if they are used carelessly, or manipulated by a cybercriminal they could lead to financial losses.
Second came Adware, potentially unwanted advertising applications (19.4%); their contribution went down 7.9 pp.
SMS-Trojans were in 3rd place: their share declined by 7.2pp from the previous quarter.
In Q3, while Adware and SMS-Trojans were less widely seen, we observed a sharp rise in the percentage of banking Trojans: their share in the flow of mobile malware has risen from 2.2% to 9.2% which placed this category 4th in the rating.
Top 20 malicious mobile programs

| | Name | % of attacks* |
|---|---|---|
| 1 | Trojan-SMS.AndroidOS.Stealer.a | 15.63% |
| 2 | RiskTool.AndroidOS.SMSreg.gc | 14.17% |
| 3 | AdWare.AndroidOS.Viser.a | 10.76% |
| 4 | Trojan-SMS.AndroidOS.FakeInst.fb | 7.35% |
| 5 | RiskTool.AndroidOS.CallPay.a | 4.95% |
| 6 | Exploit.AndroidOS.Lotoor.be | 3.97% |
| 7 | DangerousObject.Multi.Generic | 3.94% |
| 8 | RiskTool.AndroidOS.MimobSMS.a | 3.94% |
| 9 | Trojan-SMS.AndroidOS.Agent.ao | 2.78% |
| 10 | AdWare.AndroidOS.Ganlet.a | 2.51% |
| 11 | Trojan-SMS.AndroidOS.OpFake.a | 2.50% |
| 12 | RiskTool.AndroidOS.SMSreg.de | 2.36% |
| 13 | Trojan-SMS.AndroidOS.FakeInst.ff | 2.14% |
| 14 | Trojan-SMS.AndroidOS.Podec.a | 2.05% |
| 15 | Trojan-SMS.AndroidOS.Erop.a | 1.53% |
| 16 | RiskTool.AndroidOS.NeoSMS.a | 1.50% |
| 17 | Trojan.AndroidOS.Agent.p | 1.47% |
| 18 | Trojan-SMS.AndroidOS.OpFake.bo | 1.29% |
| 19 | RiskTool.AndroidOS.SMSreg.hg | 1.19% |
| 20 | Trojan-Ransom.AndroidOS.Small.e | 1.17% |

*The percentage of all attacks recorded on the mobile devices of unique users.
The top 20 is no longer so heavily dominated by SMS Trojans: in Q2 2014 these malicious programs occupied 15 places in the rating while in Q3 there were only 8. Trojan-SMS.AndroidOS.Stealer.a topped the previous quarter's rating with 25.42% of all attacks but in Q3 it accounted for only 16.63% of attacks.
RiskTool representatives occupied 6 positions in the Top 20, with RiskTool.AndroidOS.SMSreg.gc (14.17%) in second place.
7th came DangerousObject.Multi.Generic (3.94%), demonstrating how new malicious applications are detected by Kaspersky Security Network cloud technologies that enable our product to quickly respond to new unknown threats.
Mobile banking Trojans
In the third quarter, we detected 7010 mobile banking Trojans, 3.4 times more than last quarter.
Number of mobile banking Trojans detected, Q1-Q3 2014
The number of countries attacked by banking Trojans also increased: in Q2 mobile banking Trojan attacks were detected in 31 countries while in Q3 there were 70.
The geography of mobile banking threats, Q3 2014
(the number of attacked users)
The top 10 countries attacked by banking Trojans

| | Country | % of all attacks* |
|---|---|---|
| 1 | Russia | 83.85% |
| 2 | USA | 7.09% |
| 3 | Ukraine | 1.79% |
| 4 | Belarus | 1.18% |
| 5 | Kazakhstan | 0.92% |
| 6 | Republic of Korea | 0.68% |
| 7 | Germany | 0.62% |
| 8 | China | 0.50% |
| 9 | UK | 0.50% |
| 10 | Saudi Arabia | 0.35% |

* The percentage of users attacked per country
Italy dropped out of the Top 10 while Saudi Arabia appeared in 10th place.
Russia maintained its traditional lead here, although it was 7.85pp on before. At the same time the contribution of the other Top 10 members grew slightly: mobile cybercriminals are gradually extending their area of activity.
The geography of mobile threats
In Q3 2014 mobile malicious attacks were detected at least once in 205 countries.
The geography of infection by mobile banking Trojans, Q3 2014
(the percentage of all attacked users)
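The Top 10 of attacked countries

| | Country | % of attacks* |
|---|---|---|
| 1 | Russia | 44.0% |
| 2 | India | 7.6% |
| 3 | Germany | 5.6% |
| 4 | Iran | 3.4% |
| 5 | Vietnam | 3.1% |
| 6 | Kazakhstan | 3.1% |
| 7 | Ukraine | 2.7% |
| 8 | Malaysia | 1.9% |
| 9 | Brazil | 1.7% |
| 10 | USA | 1.7% |
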
* The percentage of users attacked per country
Russia remained the most heavily targeted nation with 44% of all attacks. India (7.6%) returned to second place. For the first time in 2014 Iran (3.4%) and the USA (1.7%) entered the Top 10 while Poland, France, Spain and Mexico were the Q3 outsiders.
Vulnerable applications used by fraudsters
The rating of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by hackers in Internet attacks and when compromising local applications, including those installed on mobile devices.
The distribution of web-exploits used by fraudsters, by type of application attacked, Q3 2014
Of all registered attempts to use vulnerabilities, 47% involved vulnerabilities in browsers. Almost every exploit pack includes an exploit for Internet Explorer.
Java exploits are in second place. Java vulnerabilities are used in drive-by attacks via the Internet and new Java exploits are part of many exploit packs although no new Java vulnerabilities have been made public for almost a year. In Q3 of this year, 28% of attempts to use vulnerabilities targeted Java; in the first quarter the figure was 29%.
Next come Adobe Reader exploits (12%). These vulnerabilities are also exploited in drive-by attacks via the Internet and PDF exploits feature in many exploit packs.
Online threats (Web-based attacks)
The statistics in this section were derived from web antivirus components that protect users when malicious code attempts to download from a malicious/infected website. Malicious websites are deliberately created by malicious users; infected sites include those with user-contributed content (such as forums) as well as legitimate resources that have been hacked.
Online threats in the banking sector
During the reporting period, Kaspersky Lab solutions blocked 696,977 attacks that attempted to launch malware capable of stealing money from online banking accounts. This figure represents a 24.9% decrease compared to Q2 (927,568).
The number of computers attacked by financial malware, Q3 2014
The number of attacks gradually declined throughout the quarter: in June 244,490 attacks were blocked while in September this figure was 218,384 (-11%).
A total of 2,466,952 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q3 2014.
The geography of attacks
The geography of banking malware attacks in Q2 2014
(by number of attacked users in the country)
The Top 10 countries by the number of attacked users:

| | Countries | Number of users |
|---|---|---|
| 1 | Brazil | 90176 |
| 2 | Russia | 57729 |
| 3 | Germany | 55225 |
| 4 | Italy | 32529 |
| 5 | India | 24975 |
| 6 | USA | 22340 |
| 7 | Austria | 22013 |
| 8 | Vietnam | 13495 |
| 9 | UK | 11095 |
| 10 | China | 9060 |

Brazil remained the country where users are most often attacked by banking malware, even if its share was down one third. Russia stayed in second place. Italy dropped to 4th position while Germany rose to 3rd place: the number of attacked users in this country grew by 1.5 times.
The Top 10 banking malware families
The table below shows the programs most commonly used to attack online banking users in Q3 2014, based on the number of reported infection attempts:

| Verdict | Number of notifications | Number of users |
|---|---|---|
| Trojan-Spy.Win32.Zbot | 1381762 | 285559 |
| Trojan-Banker.Win32.ChePro | 322928 | 92415 |
| Trojan-Banker.Win32.Shiotob | 123150 | 24839 |
| Trojan-Banker.Win32.Agent | 49563 | 23943 |
| Trojan-Banker.HTML.PayPal | 117692 | 21138 |
| Trojan-Spy.Win32.SpyEyes | 73496 | 19113 |
| Trojan-Banker.Win32.Lohmys | 47188 | 16619 |
| Trojan-Banker.Win32.Banker | 39892 | 12673 |
| Trojan-Banker.Win32.Banbra | 20563 | 9646 |
| Backdoor.Win32.Sinowal | 18921 | 8189 |

Zeus (Trojan-Spy.Win32.Zbot) remained the most widespread banking Trojan although the number of attacks involving this malicious program, as well as the number of attacked users, nearly halved compared with the previous quarter.
In Q3, 3rd place was occupied by Trojan-Banker.Win32.Shiotob. This malicious program is most often spread via spam messages and is designed to monitor traffic in order to intercept payment data. Nine out of 10 malware families represented in the table work by injecting random HTML code into the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms.
Financial threats are not restricted to malware that attacks online banking services.
Distribution of attacks targeting user money by malware type, Q3 2014
Bitcoin wallet theft was the second most frequently used method of stealing e-money: its popularity grew from 8% in the previous quarter to 15% in Q3. Yet another threat related to crypto currency is Bitcoin mining software (11%) which uses computing resources to generate bitcoins.
The Top 20 malicious objects detected online
In the third quarter of 2014, Kaspersky Lab's web antivirus detected 26,641,747 unique malicious objects: scripts, exploits, executable files, etc.
We identified the 20 most active malicious programs involved in online attacks launched against user computers. These 20 accounted for 96.2% of all attacks on the Internet.
The Top 20 malicious objects detected online

| | Name* | % of all attacks** |
|---|---|---|
| 1 | Malicious URL | 59.83% |
| 2 | AdWare.Script.Generic | 14.46% |
| 3 | Trojan.Script.Generic | 13.13% |
| 4 | Trojan.Script.Iframer | 1.77% |
| 5 | AdWare.Win32.Agent.fflm | 1.23% |
| 6 | Trojan-Downloader.Script.Generic | 1.02% |
| 7 | AdWare.Win32.Agent.allm | 1.02% |
| 8 | AdWare.JS.Agent.ao | 0.78% |
| 9 | AdWare.JS.Agent.an | 0.55% |
| 10 | AdWare.Win32.Agent.aiyc | 0.32% |
| 11 | AdWare.Win32.OutBrowse.g | 0.32% |
| 12 | Trojan.Win32.Generic | 0.30% |
| 13 | AdWare.Win32.Amonetize.bcw | 0.23% |
| 14 | AdWare.Win32.Amonetize.cmg | 0.18% |
| 15 | AdWare.Win32.Yotoon.heur | 0.18% |
| 16 | Trojan-Downloader.Win32.Generic | 0.15% |
| 17 | AdWare.Win32.Amonetize.cmd | 0.14% |
| 18 | Trojan-Dropper.Win32.Agent.lefs | 0.12% |
| 19 | AdWare.Win32.Linkun.j | 0.11% |
| 20 | AdWare.Win32.Amonetize.aik | 0.09% |

* These statistics represent detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local data.
** The percentage of all web attacks recorded on the computers of unique users.
As is often the case, the Top 20 is largely made up of objects used in drive-by attacks, as well as adware programs. 59.8% of all verdicts fell on links from these black lists.
The Top 10 countries where online resources are seeded with malware
The following stats are based on the physical location of the online resources that were used in attacks and blocked by antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host might become a source of one or more web attacks.
In order to determine the geographical source of web-based attacks domain names are matched up against actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q3 2014, Kaspersky Lab solutions blocked 367,431,148 attacks launched from web resources located in various countries around the world. 87% of the online resources used to spread malicious programs are located in 10 countries. This is 1.3 percentage points less than in the previous quarter.
The distribution of online resources seeded with malicious programs in Q3 2014
The Top 10 rating of countries where online resources are seeded with malware saw major changes from the previous quarter: Canada (-7 pp) and Ireland (-0.7 pp) dropped out of the Top 10. China reentered the Top 10 with 1.87% and settled in 7th. Switzerland (1.03%) was Q3's other newcomer.
The most significant changes happened to the USA, which climbed to the top of the rating with a +11.2pp swing, and Germany (-9 pp), which dropped from 1st to 3rd place.
Countries where users face the greatest risk of online infection
In order to assess in which countries users face cyber threats most often, we calculated how often Kaspersky users encountered detection verdicts on their machines in each country. The resulting data characterizes the risk of infection that computers are exposed to in different countries across the globe, providing an indicator of the aggressiveness of the environment in which computers work in different countries.

| | Country* | % of unique users** |
|---|---|---|
| 1 | Russia | 46.68% |
| 2 | Kazakhstan | 45.92% |
| 3 | Azerbaijan | 43.50% |
| 4 | Armenia | 41.64% |
| 5 | Ukraine | 40.70% |
| 6 | Iran | 39.91% |
| 7 | Vietnam | 38.55% |
| 8 | Belarus | 38.08% |
| 9 | Moldova | 36.64% |
| 10 | Algeria | 36.05% |
| 11 | Tadjikistan | 36.05% |
| 12 | Kyrgyzstan | 33.59% |
| 13 | Mongolia | 33.59% |
| 14 | Qatar | 30.84% |
| 15 | Uzbekistan | 29.22% |
| 16 | Georgia | 29.17% |
| 17 | Turkey | 28.91% |
| 18 | UAE | 28.76% |
| 19 | Indonesia | 28.59% |
| 20 | Germany | 28.36% |

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
*We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
**Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.
In the third quarter of 2014 Croatia, Tunisia and Spain dropped out of the Top 20. The newcomers of the rating were UAE (28.76%), Indonesia (28.59%) and Germany (28.36%) which occupied the last three positions in the chart.
The countries with the safest online surfing environments were Singapore (10.5%), Sweden (12.4%), Denmark (13.2%), Japan (13.3%), South Africa (16.0%), Finland (16.1%), and the Netherlands (16.6%).
On average, 29.5% of computers connected to the Internet were subjected to at least one web attack during the past three months.
Local threats
Local infection statistics for user computers are a very important indicator. This data points to threats that have penetrated a computer system through something other than the Internet, email, or network ports.
This section contains an analysis of the statistical data obtained based on antivirus scans of files on the hard drive at the moment they are created or accessed, and the results of scanning various removable data storages.
In Q3 2014, Kaspersky Lab's antivirus solutions detected 116,710,804 unique malicious and potentially unwanted objects.
The Top 20 malicious objects detected on user computers

| | Name* | % of unique attacked users** |
|---|---|---|
| 1 | Trojan.Win32.Generic | 18.95% |
| 2 | DangerousObject.Multi.Generic | 18.39% |
| 3 | AdWare.MSIL.Kranet.heur | 11.61% |
| 4 | AdWare.Win32.Agent.ahbx | 5.77% |
| 5 | Trojan.Win32.AutoRun.gen | 4.81% |
| 6 | AdWare.Win32.Kranet.heur | 4.68% |
| 7 | AdWare.NSIS.Zaitu.heur | 4.51% |
| 8 | Worm.VBS.Dinihou.r | 4.51% |
| 9 | Virus.Win32.Sality.gen | 4.08% |
| 10 | AdWare.Win32.Yotoon.abs | 4.03% |
| 11 | AdWare.Win32.IBryte.dolh | 3.14% |
| 12 | AdWare.Win32.Agent.aljt | 3.12% |
| 13 | AdWare.Win32.Agent.allm | 3.11% |
| 14 | AdWare.Win32.Yotoon.heur | 3.10% |
| 15 | Adware.Win32.Amonetize.heur | 2.86% |
| 16 | AdWare.Win32.Agent.heur | 2.80% |
| 17 | WebToolbar.JS.Condonit.a | 2.59% |
| 18 | Worm.Win32.Debris.a | 2.56% |
| 19 | AdWare.Win32.Kranet.c | 2.55% |
| 20 | Trojan.Script.Generic | 2.51% |

*These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products that have consented to submit their statistical data.
**The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a malicious program was detected.
This ranking usually includes verdicts given to adware programs: in Q3 they occupied thirteen places in the Top 20.
Worms distributed via removable media were 8th and 18th in the ranking.
Viruses were represented by only one verdict Virus.Win32.Sality.gen which came 9th in the Top 20.
Q3 2014 saw a considerable increase in the number of Kaspersky Lab's file antivirus detections of adware programs and components that actively participate in distributing these programs and evading antivirus detection.
Countries where users face the highest risk of local infection

| | Country* | % of unique users** |
|---|---|---|
| 1 | Vietnam | 61.89% |
| 2 | Bangladesh | 55.01% |
| 3 | Mongolia | 54.13% |
| 4 | Nepal | 53.08% |
| 5 | Algeria | 51.71% |
| 6 | Cambodia | 51.26% |
| 7 | Afghanistan | 50.59% |
| 8 | Laos | 50.55% |
| 9 | Yemen | 50.38% |
| 10 | Pakistan | 50.35% |
| 11 | Egypt | 49.65% |
| 12 | India | 49.44% |
| 13 | Iraq | 49.33% |
| 14 | Iran | 48.85% |
| 15 | Ethiopia | 47.87% |
| 16 | Myanmar | 46.71% |
| 17 | Sri Lanka | 46.67% |
| 18 | Syria | 46.24% |
| 19 | Qatar | 46.03% |
| 20 | Tunisia | 45.36% |

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data includes detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
*When calculating, we excluded countries where there are fewer than 10,000 Kaspersky Lab users.
**The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.
The Top 20 in this category continues to be dominated by countries in Africa, the Middle East and South East Asia. Vietnam ranks first, as was the case in Q2 2014 (61.89%).
Mongolia (54.13%) moved down one step to third place, giving way to Bangladesh which ranked second with 55.01% of unique users in the country with computers that blocked local threats.
Qatar (46.03%) was Q3's newcomer. Myanmar (46.71%) and Sri Lanka (46.67%) reentered the Top 20 while Saudi Arabia, Turkey and Djibouti left the rating.
In the third quarter of 2014 local threats were detected on 44.4% of computers in Russia.
The safest countries in terms of local infection risks are: Japan (15%), Sweden (16.4%), Denmark (16.5%), Finland (18%), and Singapore (19.7%).
An average of 37.2% of computers faced at least one local threat during the quarter, which is 4.4 pp more than in Q2 2014.
The recent shutdown of SilkRoad 2.0 was just a small part of the events affecting the Tor network that unfolded last week.
Tor-related communities, such as privacy enthusiasts, but also cybercriminals (of course!), expressed worry after a global law enforcement operation targeted a number of illegal services based on Tor.
Operation Onymous, coordinated by Europol's European Cybercrime Centre (EC3), the FBI, the U.S. Immigration and Customs Enforcement's (ICE), Homeland Security Investigations (HSI) and Eurojust, resulted in 17 arrests of vendors and administrators running these online marketplaces and more than 410 hidden services being taken down.
The official announcement about Operation Onymous is available on the Europol website.
Here's an incomplete list of .onion services that were taken down during this operation: Alpaca, Black Market, Blue Sky, Bungee 54, CannabisUK, Cloud Nine, Dedope, Fake Real Plastic, FakeID, Farmer1, Fast Cash!, Flugsvamp, Golden Nugget, Hydra, Pablo Escobar Drugstore, Pandora, Pay Pal Center, Real Cards, Silk Road 2.0, Smokeables, Sol's Unified USD Counterfeit's, Super Note Counter, Tor Bazaar, Topix, The Green Machine, The Hidden Market and Zero Squad.
Examples of seized .onion sites
At the same time, reports appeared about a number of Tor nodes being seized by authorities:
Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator.
You can read more on The Tor Blog about their Thoughts and Concerns about Operation Onymous.
The current state of the Dark Web
Of course, the takedown only affected some Onion sites - many are still alive. Right now there are 4 times more hidden websites online in the Tor network than those that were shut down.
Cybercrime, just like any other illegal activity, is hard to eradicate completely. Whenever illegal services are taken down, the gap created will always be filled by other criminals willing to profit from the opportunity. The reality we have to accept is that there will always be demand for such services.
The following graph shows the amount of new .onion addresses appearing each day. After the takedown on November 7th, we noticed a higher than regular spike in the number of new hidden services being set-up.
We've also analyzed the lifetime of the Onion-sites which were taken down last week. On average, most of them were alive for at least 200 days, but usually not more than 300 days - which the following graph shows. Just some were online for less than 2 months.
The most intriguing question which is raised by the media is – what exceptional tools one needs to compromise a hidden service? In theory, when you visit a hidden service, there is no way of knowing (either for you or for anyone else) the physical location of the web server behind it. For the theory to remain solid, three conditions must be met:
- The hidden service must be properly configured
- The web server should be impenetrable - no vulnerabilities or configuration errors
- The web application should have no flaws
If any of the 3 conditions is not met, it's quite easy for a skilled person to essentially hack into that server and start to dig further.
Anyone familiar with Dark Net websites knows how poorly coded many of these websites can be. Just because a website's physical location is obscured by Tor hidden services, it doesn't mean this website's security is bullet-proof. Vulnerabilities such as SQL injection will always be present if the coding isn't done properly.
The first scenario to compromise a hidden service would be to successfully exploit such a badly coded application. It is then possible to compromise the real server where the hidden service is stored, get information about its physical location or, preferably, install a backdoor that could collect information about what's going on on the server for weeks.
There is absolutely no need to try to look for vulnerabilities in Tor itself; it's much easier to find a misconfiguration of services or flaws in the web application. People who control illegal Dark Net sites usually rely on Tor capabilities for security, but this will never save them from bugs in 3rd party applications or their own mistakes.
Another possible scenario is to infect the administrator of an illegal site with spyware, get full access to his computer and from there get all the required information about his true identity.
This could be easier than it seems: for example, if a vulnerability is found in a hidden service, it is possible to rig its admin page with an exploit and wait for the drug shop administrator to access his site. Then he would be infected with malware as a result of this highly targeted waterhole attack.
Another way is to infiltrate the illegal service posing as a regular customer, by creating an account and even buying something there, to create reputation. When the time comes to communicate with the hidden service's support account (about the quality of the product, for instance), they can start using social engineering or even send a spear-phishing message rigged with an exploit.
There are a lot of ways to compromise a hidden service, without attacking Tor's architecture itself. Of course, the possibility of having a serious security vulnerability in Tor itself should not be completely excluded either.
The Stuxnet cyber-sabotage operation remains one of the favorite discussion subjects of security researchers everywhere. Considered the first known cyber-weapon, Stuxnet targeted the Iranian nuclear program using a subtle and well designed mechanism.
For background, see our previous reports on the Stuxnet saga:
- The Day The Stuxnet Died
- Myrtus and Guava: Episode 1
- Myrtus and Guava: Episode 2
- Myrtus and Guava, Episode 3
- Myrtus and Guava, Episode 4
- Myrtus and Guava: Episode 5
- Myrtus and Guava, Episode MS10-061
- Myrtus and Guava: the epidemic, the trends, the numbers
- Back to Stuxnet: The Missing Link
One of the reasons to revisit the Stuxnet subject is the publication (November 11th, 2014) of the book "Countdown to Zero Day" by journalist Kim Zetter.
We are quite excited about the book which includes new and previously undisclosed information about Stuxnet. Some of the information is actually based on interviews conducted by Kim Zetter with members of Kaspersky Lab's Global Research and Analysis Team. To complement the book release, we've decided to also publish new technical information about some previously unknown aspects of the Stuxnet attack.
Even though Stuxnet was discovered more than four years ago and has been studied in detail, with the publication of many research papers, it is still not known for certain what object was originally targeted by the worm. It is most likely that Stuxnet was intended to affect the motors that drive uranium enrichment centrifuges. But where were those centrifuges located – in the Natanz plant or, perhaps, in Fordow? Or some other place?
The story of the earliest known version of the worm – "Stuxnet 0.5" – is outside the scope of this post; we are going to focus on the best known variants created in 2009 and 2010. (The differences between them are discussed in our 2012 publication - Back to Stuxnet: the missing link).
In February 2011, Symantec published a new version of its W32.Stuxnet Dossier report. After analyzing more than 3,000 files of the worm, Symantec established that Stuxnet was distributed via five organizations, some of which were attacked twice – in 2009 and 2010.
Screenshot from the Symantec report
The Symantec experts were able to extract this information due to a curious feature of the worm. When infecting a new computer, Stuxnet saves information about the infected system's name, Windows domain and IP address. This information is stored in the worm's internal log and is augmented with new data when the next victim is infected. As a result, information on the path travelled by the worm can be found inside Stuxnet samples and used to establish from which computer the infection began to spread.
Example of information found in a Stuxnet file
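The path reconstruction described above, as an added example that is not Kaspersky Lab's or Symantec's tooling. It assumes the internal log of each sample has already been extracted into ordered (time, host, domain) records; that record layout, the sample names and all host and domain names are constructed for illustration.

```python
from collections import defaultdict

# Constructed data. Each list is the infection log recovered from one sample,
# oldest record first; the (time, host, domain) layout is an assumption.
SAMPLE_CHAINS = {
    "sample_01": [
        ("2009-07-01T08:00", "HOST-A1", "DOMAIN-A"),
        ("2009-07-01T15:30", "HOST-A2", "DOMAIN-A"),
        ("2009-07-06T09:10", "HOST-X1", "PLANT-X"),
    ],
    "sample_02": [
        ("2009-07-01T08:00", "HOST-A1", "DOMAIN-A"),
        ("2009-07-02T11:45", "HOST-A3", "DOMAIN-A"),
        ("2009-07-09T13:20", "HOST-X2", "PLANT-X"),
        ("2009-07-10T07:05", "HOST-X3", "PLANT-X"),
    ],
    # Log truncated at the front: this chain starts mid-path at HOST-A3.
    "sample_03": [
        ("2009-07-02T11:45", "HOST-A3", "DOMAIN-A"),
        ("2009-07-09T13:20", "HOST-X2", "PLANT-X"),
        ("2009-07-12T16:50", "HOST-X4", "PLANT-X"),
    ],
    "sample_04": [
        ("2010-04-02T10:15", "HOST-B1", "DOMAIN-B"),
        ("2010-04-03T12:00", "HOST-B2", "DOMAIN-B"),
    ],
}


def build_graph(chains):
    """Merge per-sample chains into one propagation graph.

    Returns (children, first_seen, roots). A root is a machine that no
    sample records as having been infected from another machine, so a
    chain that merely starts mid-path does not create a false origin.
    """
    children = defaultdict(set)
    first_seen = {}
    has_parent = set()
    for records in chains.values():
        prev = None
        for when, host, domain in records:
            node = f"{host}.{domain}"
            # ISO 8601 strings sort chronologically, so min() by string works.
            if node not in first_seen or when < first_seen[node]:
                first_seen[node] = when
            if prev is not None and prev != node:
                children[prev].add(node)
                has_parent.add(node)
            prev = node
    roots = sorted((n for n in first_seen if n not in has_parent),
                   key=first_seen.get)
    return children, first_seen, roots


def downstream(children, root):
    """All machines reachable from root; tolerates loops from reinfection."""
    seen, stack = set(), [root]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    seen.discard(root)
    return seen


def patient_zero_report(chains):
    """List (origin, first infection time, machines downstream of it)."""
    children, first_seen, roots = build_graph(chains)
    return [(r, first_seen[r], len(downstream(children, r))) for r in roots]


if __name__ == "__main__":
    for origin, when, count in patient_zero_report(SAMPLE_CHAINS):
        print(f"{origin} first infected {when}, {count} machines downstream")
```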
While Symantec did not disclose the names of the organizations in its report, this information is essential for a proper understanding of how the worm was distributed.
We collected Stuxnet files for two years. After analyzing more than 2,000 of these files, we were able to identify the organizations that were the first victims of the worm's different variants in 2009 and 2010. Perhaps an analysis of their activity can explain why they became "patients zero" (the original, or zero, victims).
"Domain A"
The Stuxnet 2009 version (we will refer to it as Stuxnet.a) was created on June 22, 2009. This information is present in the worm's body – in the form of the main module's compilation date. Just a few hours after that, the worm infected its first computer. Such a short time interval between creating the file and infecting the first computer almost completely rules out infection via USB drive – the USB stick simply can't have passed from the worm's authors to the organization under attack in such a short time.
The infected machine had the name "KASPERSKY" and it was part of the "ISIE" domain.
When we first saw the computer's name, we were very much surprised. The name could mean that the initial infection affected some server named after our anti-malware solution installed on it. However, the name of the local domain, ISIE, provided us with a little bit of information that might help to determine the organization's real name.
Assuming that the victim was located in Iran, we conjectured that it could be the Iranian Society of Industrial Engineers (ISIE) or an organization affiliated with it, the Iranian institute of Industrial Engineering (IIIE). But could it have been some other ISIE located in some place other than Iran? Given that our anti-malware solution had been used on the infected computer, we considered the possibility that ISIE might even be a Russian company.
It took us a long time to establish what organization it really was, but ultimately we succeeded in identifying it with a high degree of certainty.
It is called Foolad Technic Engineering Co (FIECO). It is an Iranian company with headquarters in Isfahan. The company creates automated systems for Iranian industrial facilities (mostly those producing steel and power) and has over 300 employees.
Screenshot from the company's website
The company is directly involved with industrial control systems.
- Implementing bench scale and pilot scale projects, such as data communication between PLC existing in a plant and a remote point through internet, by defining home page on a CP (Communication Processor) card connected to a S7 CPU.
- Implementing different network structures, such as, As interface, profibus DP, Ethernet, MPI, profibus PA In electronic and light communication channels.
Clearly, the company has data, drawings and plans for many of Iran's largest industrial enterprises on its network. It should be kept in mind that, in addition to affecting motors, Stuxnet included espionage functionality and collected information on STEP 7 projects found on infected systems.
In 2010, that same organization was attacked again – this time using the third version of Stuxnet, created on April 14, 2010. On April 26, the same computer as in 2009 – "KASPERSKY.ISIE" – was infected again.
This persistence on the part of the Stuxnet creators may indicate that they regarded Foolad Technic Engineering Co. not only as one of the shortest paths to the worm's final target, but as an exceptionally interesting object for collecting data on Iran's industry.
"Domain B"
One more organization was attacked multiple times – once in 2009 and twice in 2010. Essentially, each of the three Stuxnet variants was used to infect this target. In this case, the attackers were even more persistent than in the case of Foolad Technic Engineering Co.
It should be noted that it was this victim that was the patient zero of the 2010 global epidemic. This organization's infection in the course of the second attack (in March 2010) led to the widest distribution of Stuxnet – first in Iran, then across the globe. Curiously, when that same organization was infected in June 2009 and in May 2010, the worm hardly spread at all. We share our thoughts on the reasons for that below.
Take the most widespread variant – Stuxnet 2010 (a.k.a. Stuxnet.b). It was compiled on March 1, 2010. The first infection took place three weeks later – on March 23.
In addition to the computer's name and the domain name, Stuxnet recorded the machine's IP address. The fact that the address changed on March 29 may indicate, albeit indirectly, that it was a laptop which connected to the company's local network once in a while.
But what company is it? The domain name – "behpajooh" – immediately gives us the answer: Behpajooh Co. Elec & Comp. Engineering.
Like Foolad Technic, this company is located in Isfahan and it also develops industrial automation systems. Clearly, we are also dealing with SCADA/PLC experts here.
Screenshot from the company's website
While collecting information about Behpajooh Co, we discovered one more curious thing - a 2006 article published in a Dubai (UAE) newspaper called Khaleej Times.
According to the article, a Dubai firm was accused of smuggling bomb components into Iran. The Iranian recipient of the shipment was also named – it was a certain "Bejpajooh Inc" from Isfahan.
So why did Stuxnet spread most actively as a result of the March 2010 Behpajooh infection? We believe the answer lies in the second organization in the chain of infections that started from Behpajooh.
As the screenshot above shows, on April 24, 2010 Stuxnet spread from the corporate network of Behpajooh to another network, which had the domain name MSCCO. A search for all possible options led us to the conclusion that the most likely victim is Mobarakeh Steel Company (MSC), Iran's largest steel maker and one of the largest industrial complexes operating in Iran, which is located not far from Isfahan, where the two victims mentioned above - Behpajooh and Foolad Technic - are based.
Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months. For example, the analysis of logs shows that by July 2010 this branch of the infection reached computers in Russian and Belarusian companies.
"Domain C"
On July 7, 2009, Stuxnet 2009 hit yet another target, one from which it was meant to start on the path to its ultimate objective. The victim computer was named "applserver" (application server?), located in the domain NEDA.
In this case, it was pretty easy to identify the victim organization. Beyond any doubt, it was the Neda Industrial Group, an organization that was put on the sanctions list by the U.S. Ministry of Justice, and charged with the illegal export of prohibited entities into Iran with potential military applications. This company's complete dossier is available on the Iran Watch site.
When tracking the chain of Stuxnet propagation, one of the group's branch organizations raises special interest: "Allegedly the controlling entity of Nedaye Micron Electronic Company in Tehran, Iran and Neda Overseas Electronics LLC in Dubai, UAE; provides services in industrial automation for power plants, the cement industry, and the oil, gas and petrochemical sector; established in the mid 1980s under the name NEDA Computer Products Incorporated as a fully private joint stock company".
Neda was attacked only once, in July 2009, and Stuxnet never left that organization, according to the infection logs available to us. However, leaving the organization may not have been its purpose in this case. As noted earlier, the capability of stealing information about STEP 7 projects from infected systems was of special interest to the creators of Stuxnet.
"Domain D"
The fourth victim in 2009 was infected on July 7, the same day when Neda was compromised. Interestingly, the infection started with the server, if we judge by the computer name – SRV1 in domain CGJ, just like it did in the Neda case.
So, what is CGJ? We spent quite some time combing through search engines and social networks, and we are practically confident that it is Control-Gostar Jahed Company, another Iranian company operating in industrial automation.
Control Gostar Jahed (CGJ) (Private Joint Stock, Since 1383) Founded with the aim of localization of industrial automation technology, and employing the technical know-how and execution power of 30 full-time personnel in the Tehran office and more than 50 workshop personnel, has achieved a high capacity in providing engineering and technical services.
The company's major focus over the years has been on the following domains:
- Design, procurement, construction, programming and commissioning of control systems (DCS, PLC, ESD, F&G)
- Design, manufacture and installation of low voltage fixed and sliding panels (using the products of CUBIC Denmark)
- Upgrading hardware, software and optimization of industrial automation systems
- Consulting services and basic and detailed design of electrical and instrumentation systems
- Installation of electrical and control systems
Unlike Neda Group, Control-Gostar Jahed Company is not on the sanctions list. It was probably chosen as a target because of its impressive cooperation ties with the largest Iranian businesses in oil production, metallurgy and energy supplies.
This organization was attacked only once in 2009. That infection did not leave the target's corporate network and makes up the smallest part of all known Stuxnet propagation lines.
"Domain E"
The fifth and last "Patient Zero" victim stands out when judged by the number of originally infected systems. Unlike in all the cases above, the attack in this case started from three computers at once, on the same day (May 11, 2010), but at different times.
Information from three different Stuxnet files
KALASERVER, ANTIVIRUSPC, NAMADSERVER: judging by the names, there were at least two servers involved in this case too.
Such a pattern of infection makes us practically confident that email was not used as the primary infection vector. The chances are very small that the infection started from a user receiving an email containing an attachment with an exploit.
So what is Kala? There are two most plausible answers to this, and we do not know which is the correct one. Both are about companies affected by sanctions and directly related to Iran's nuclear program.
However, Kala Electric (a.k.a. Kalaye Electric Co.) looks like the most probable victim. This is in fact an ideal target for an attack, given Stuxnet's main objective (which is to render uranium enrichment centrifuges inoperable), available information on Iran's nuclear program, and the logic of the worm's propagation.
Of all other companies, Kala Electric is named as the main manufacturer of the Iranian uranium enrichment centrifuges, IR-1.
The company does not have a website, but there is quite some information available about its activities: it is one of the key structures within the entire Iranian nuclear program.
Also, quite detailed information is available on the ISIS (Institute for Science and International Security) site at www.isisnucleariran.org.
Based on Iran's revised declaration about this site, originally, Kalaye Electric was a private company that was bought by the Atomic Energy Organization of Iran (AEOI). The name "Kalaye Electric" means "electric goods," implying that Iran kept the original name to help disguise the true purpose of the facility.
Iran declared that Kalaye Electric became the primary IR-1 centrifuge development and testing site after such work was moved in 1995 from the Tehran Nuclear Research Center. The IAEA has reported that between 1997 and 2002, Iran assembled and tested IR-1 centrifuges at Kalaye
Since moving many centrifuge research and development activities to the Pilot Fuel Enrichment Plant (PFEP) at Natanz, Kalaye Electric has remained an important centrifuge research and development site.
Satellite images of Kala Electric operation facilities are also available; these are considered to be the site where the centrifuges were developed and tested.
Thus, it appears quite reasonable that this organization of all others was chosen as the first link in the infection chain intended to bring the worm to its ultimate target. It is in fact surprising that this organization was not among the targets of the 2009 attacks.
Summary
Stuxnet remains one of the most interesting pieces of malware ever created. In the digital world, one might say it is the cyber equivalent of the atomic attacks on Nagasaki and Hiroshima from 1945.
For Stuxnet to be effective and penetrate the highly guarded installations where Iran was developing its nuclear program, the attackers had a tough dilemma to solve: how to sneak the malicious code into a place with no direct internet connections? The targeting of certain "high profile" companies was the solution and it was probably successful.
Unfortunately, due to certain errors or design flaws, Stuxnet started infecting other organizations and propagating over the internet. The attackers lost control of the worm, which infected hundreds of thousands of computers in addition to its designated targets.
Of course, one of the biggest remaining questions is - was there any other malware like Stuxnet, or was it a one-of-a-kind experiment? The future will tell for sure.
Much like Crouching Yeti, the Darkhotel APT is an unusually murky, long standing and well-resourced threat actor exhibiting a strange combination of characteristics.
This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This hotel network intrusion set provides the attackers with precise global scale access to high value targets. From our observations, the highest volume of offensive activity on hotel networks started in August 2010 and continued through 2013, and we are investigating some 2014 hotel network events.
In addition to polluting p2p networks to infect the masses, they delegitimize Certificate Authorities to further their attacks. They abuse weakly implemented digital certificates to sign their malcode. The actor abused the trust of at least ten CAs in this manner. Currently they are stealing and re-using other legitimate certificates to sign their mostly static backdoor and infostealer toolset. Their infrastructure grows and shrinks over time, with no consistent pattern to the setup. It is both protected with flexible data encryption and poorly defended with weak functionality.
Victim categories include the following verticals:
- Very large electronics manufacturing
- Investment capital and private equity
- Cosmetics and chemicals manufacturing offshoring and sales
- Automotive manufacturer offshoring services
- Automotive assembly, distribution, sales, and services
- Defense industrial base
- Law enforcement and military services
- Non-governmental organizations
About 90 percent of the infections appear to be located in Japan, Taiwan, China, Russia and South Korea, partly because of the group's indiscriminate spread of malware. Overall, since 2008, the infection count numbers in the thousands. The more interesting travelling targets include top executives from the US and Asia doing business and investment in the APAC region. A combination of Kaspersky Security Network (KSN) detections and command and control data recorded infections in the United States, the United Arab Emirates, Singapore, Kazakhstan, South Korea, the Philippines, Hong Kong, India, Indonesia, Germany, Ireland, Mexico, Belgium, Serbia, Lebanon, Pakistan, Greece, Italy and others. This actor's victim geolocation distribution has a long tail, and multiple significant targets and victims travel frequently throughout many of these countries. So, victim geolocation changes while they are travelling frequently.
When Kaspersky Lab researchers visited Darkhotel incident destinations with honeypot machines they did not attract Darkhotel attacks, which suggests the APT acts selectively. Further work demonstrated just how careful these attackers were to hide their activity - as soon as a target was effectively infected, they deleted their tools from the hotel network staging point, maintaining a hidden status.
Darkhotel activity and objects have leaked out in bits and pieces over the past few years, but we have identified Darkhotel tools dating back to 2007. Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more Darkhotel activity in the coming years. Our Darkhotel report and appendices of indicators and technical details collect and organize this APT's activity to date.
Recently, news appeared about an interesting attack where cybercriminals infect iPhone and Mac OS X users with a rather peculiar malware dubbed WireLurker. You can find a thorough paper from Palo Alto here. First of all, it's important to note that all Kaspersky Lab users are protected against this threat. The malicious files used by WireLurker are identified by our products with the following detection names:
- Mac OS X:
- Apple iOS:
Our sensors observed connections to the malicious C&C server located in Hong Kong in July, 2014. These continued throughout the following months, although the volume remains low.
Interestingly, discussions on various online forums about this subject appeared earlier this year, notably in Chinese and Korean, but also on some English resources:
On July 14th, someone named SirBlanton complained about it on a Chinese speaking BBS:
The discussion above happened on "bbs.maiyadi.com", which is interesting, because another subdomain on "maiyadi.com" is used by the malware as a C&C (see below).
Even earlier, on May 29th, a discussion in Korea mentioned abnormal behavior of a Mac OS X infected by this threat:
Interestingly, Mac OS X and Apple iOS are not the only platforms through which these attacks were propagated. Yesterday, our friend Jaime Blasco from Alienvault discovered a Win32 malicious tool that appears to be related.
The WireLurker Windows module
File name: 万能视频播放器 2.21.exe
md5: fb4756b924c5943cdb73f5aec0cb7b14
Win32 WireLurker module
The file appears to have been compiled in March 2014, assuming the timestamp is not altered:
Full metadata set:
The internal file name is "绿色IPA安装器" which, when translated to English, means Green IPA installer. It is supposed to be an application to install IPA files on iOS devices.
Interestingly, it contains a debug path which reveals information about the build:
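Both the compilation date used to date Stuxnet.a and the March 2014 estimate for this file come from the PE header's TimeDateStamp field, and a debug path is typically stored in a CodeView "RSDS" record. The following is an added example, not code from the original article, showing how an analyst reads both and sanity-checks the timestamp against a first sighting; the sample bytes, dates and PDB path are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone


def compile_time(data):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede TimeDateStamp.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def pdb_paths(data):
    """Scan for CodeView RSDS records and return the PDB (debug) paths they hold."""
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4            # signature, GUID, age
        end = data.find(b"\x00", start)     # path is NUL-terminated
        if end != -1 and 0 < end - start <= 260:
            raw = data[start:end]
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                text = raw.decode("latin-1")
            if text.lower().endswith(".pdb"):
                paths.append(text)
        pos = data.find(b"RSDS", pos + 1)
    return paths


def hours_to_first_sighting(compiled, first_seen):
    """Gap between build and first observed infection, in hours."""
    return (first_seen - compiled).total_seconds() / 3600


def timestamp_findings(compiled, first_seen):
    """Reasons to distrust a compile timestamp, given when the file was first seen."""
    findings = []
    if compiled.timestamp() == 0:
        findings.append("timestamp is zero (stripped by the build or by hand)")
    if compiled > first_seen:
        findings.append("compiled after first sighting (altered timestamp or clock skew)")
    return findings


def build_sample_pe(timestamp, pdb_path):
    """Constructed stand-in for a sample: DOS header, PE signature, COFF header, RSDS record."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    rsds = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path.encode("utf-8") + b"\x00"
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(0xE0) + rsds


# Constructed values, not taken from any real sample.
SAMPLE_COMPILED = datetime(2014, 3, 13, 10, 0, tzinfo=timezone.utc)
SAMPLE_FIRST_SEEN = SAMPLE_COMPILED + timedelta(hours=6)
SAMPLE_PDB = r"C:\build\example\Release\installer.pdb"
SAMPLE = build_sample_pe(int(SAMPLE_COMPILED.timestamp()), SAMPLE_PDB)

if __name__ == "__main__":
    built = compile_time(SAMPLE)
    print("compiled:", built.isoformat())
    print("debug paths:", pdb_paths(SAMPLE))
    print("hours to first sighting:", hours_to_first_sighting(built, SAMPLE_FIRST_SEEN))
    print("findings:", timestamp_findings(built, SAMPLE_FIRST_SEEN))
```

A gap of only a few hours between build and first sighting is what the Stuxnet.a analysis relied on; a timestamp later than the first sighting is a sign the field should not be trusted.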
The application contains two IPA (Apple application archives) inside, one called "AVPlayer" and one called "apps".
AVPlayer.app appears to be a legitimate iOS application that is used by the attackers as a decoy.
The image (icon) of the app can be seen below:
The "legit" application appears to have been authored by a popular developer going by the handle "firstname.lastname@example.org".
The second IPA is more interesting. It appears to have been created in March 2014.
"apps" communicates with the well-known "comeinbaby[.]com":
The sfbase.dylib part communicates with a different C&C:
To summarize, the Win32 application described here allows the installation of the mentioned iOS payload to the victim's iPhone. The creator likely developed it just to make sure Windows users can also get infected on their iOS devices.
KSN Detections
Kaspersky Security Network (KSN) is a complex distributed infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world. It delivers Kaspersky Lab's security intelligence to every partner or customer who is connected to the Internet, ensuring the quickest reaction times, lowest false positive rate and maintaining the highest level of protection. A detailed description of KSN can be found here. The chart below shows detections of WireLurker on OSX:
Over 60% of the detections are coming from China, which is to be expected.
Conclusions
This incident is yet another reminder of why the use of pirated software remains dangerous, no matter which platform you're using. Downloading applications from unofficial sources, such as alternative marketplaces, file sharing websites or torrents and other P2P file sharing networks, increases the risk of malware infections. On Mac OS X for instance, it is one of the main infection vectors.
The need for anti-malware protection on Mac OS X devices cannot be overstated. It's not only that your Mac OS X machine can get infected, but WireLurker showed us how the infection can move from your Mac to your iPhone. The good news is: there are plenty of options to choose from out there, including our own Kaspersky Internet Security for Mac.
As a first line of defense, Mac OS X users should check their Security & Privacy settings to make sure the configuration of their system is optimal. We recommend setting up Gatekeeper so that only applications downloaded from the Mac App Store and identified developers are allowed to be installed. More information on Gatekeeper can be found here.
Make sure to also check out our own guide for Mac security: 10 Simple Tips for Boosting The Security Of Your Mac
This should also be a wake-up call for Apple users and the way they think about security. Just like Mac OS X malware quickly evolved from being just a myth to becoming a sad reality, we are seeing iOS being targeted more and more often lately - with nobody being able to offer protection for this platform. Anti-malware vendors are still not allowed to develop protection for iPhone users.
In the light of recent events, will this strategy change in the future?
Indicators of compromise:
In our previous blogpost, we told you about the types of attacks that a cybercriminal can undertake while working with a regular user account without local administrator privileges. In particular, we presented an example of how the simplified inheritance of privileges within the context of domain authorization (Single-Sign-On) enables cybercriminals to gain access to various network resources and services while using the limited access allowed by a regular user account. In this blogpost, we will review in detail the possible vectors for an attack launched on a corporate network from an infected computer within it.
Once a cybercriminal has gained control over a user system in a corporate network, subsequent events form three consecutive stages: establishing a foothold in the system, analyzing the environment, and propagating malware. Each of these stages can be implemented in various ways, distinguished by the technical methods, strategies and tactics employed. The flow chart below shows the cybercriminal's possible approaches to establishing a foothold in the system, analyzing the environment, and propagating malware across the corporate network.
A flow chart of a cybercriminal's actions
It is important for information security specialists to recognize the distinctive signs of different types of attack. Using this proposed "action plan", information security specialists can detect an attack by matching events occurring in the network to various templates of cybercriminal activity.
Gaining a Foothold in the System
After penetrating a corporate network, attackers typically download utilities (including malware) to the victim computer within a few hours or minutes. These utilities are required to collect information about the system and its installed software, search for files and data, establish a connection to the C&C, steal login credentials, brute-force passwords, hack accounts, escalate privileges, infect a system, intercept network traffic, scan network devices etc.
To hide these essential tools from network administrators during the download process and avoid triggering any security system that might be in place, attackers use different maneuvers of varying degrees of complexity:
- Files are transferred via network protocols and general-purpose ports (HTTP, FTP, HTTPS, SFTP) so they get lost in the huge amounts of daily user-generated traffic.
- Files are downloaded from compromised servers, using Fast Flux networks or via Tor.
- Files are transmitted in parts, in obfuscated and/or encrypted form.
- Various types of steganography are sometimes used to transfer data, such as masking data within audio/video files, images or headers of internet protocols, especially when general-purpose ports are closed by a firewall.
When the required tools have been loaded, the cybercriminal attempts to gain access to the local administrator's or system account. The first attempt normally uses keyloggers, attempts to brute-force passwords and hack accounts, or phishing scams. Further approaches involve exploiting vulnerabilities in system services, typically to gain access to the system account (i.e. to escalate to kernel-level privileges).
Having obtained these privileges, cybercriminals can entrench themselves in the system by implanting a rootkit or bootkit in the operating system. They can also clean the system from traces of penetration, hiding their tools and traces of active infections from security tools. If the attackers failed to gain a foothold in the system in the regular way, they can set up an automatic infection of the system, e.g. by using the regular task scheduler.
Naturally, there are many ways of establishing a foothold, and scenarios may differ dramatically from the above description. However, as we said at the beginning of this article, it is important that an information security specialist understands the principles of how an attack is conducted, and realizes the tasks that cybercriminals face. Thus, at the foothold stage, the attacker's main task is to arrange for reliable, lasting access to the system under attack. In general, the task of arranging remote access has two parts: establishing a data communication channel and implanting a remote control tool (backdoor).
Depending on the network configuration, firewall policies and IDS/IPS settings, attackers might use direct or reverse connection. Direct connection involves the attackers establishing a connection to the victim system, and is possible only if the system has an external IP address and open network ports that are not blocked from outside connections by a firewall. Otherwise, reverse connection is used, when the attacked system establishes a connection to the remote server. Regardless of the connection type, data is communicated using the same methods that are used to download utilities and malware to the victim computer: data is transferred in encrypted / obfuscated format via general-purpose protocols / ports, using Fast Flux or Tor. In addition, cybercriminals can also use regular user software and services as a data communication channel, such as cloud-based file storages, e-mail, IM clients etc.
Environment analysis
At the same time as establishing a foothold – or sometimes even before – cybercriminals need to collect information about the operating system and its configuration, updates installed for software, and security tools. That information is needed to evaluate the situation on the victim computer and plan further attack activities. It is also very useful when accurately selecting the most effective utilities and exploits.
The following readily available tools are usually sufficient to collect information about the system:
- cmd, regedit, vbs, powershell in Windows,
- bash, grep, python, perl in Unix/Linux and Mac OS.
From the attacker's viewpoint, there are many advantages to using the above tools: they are available in any system, they are useable even with restricted user rights, and their operation is not controlled by most security tools. To tackle more complicated tasks cybercriminals use both popular and customized tools to intercept network traffic, scan network devices, connect to various network services using domain authentication etc. If the hacker's tools are written, say, in Python, the cybercriminals will certainly install the required software on the infected computer. In this case, Python (or other required software) probably will not be concealed in the system using a rootkit, as that may prevent the interpreter from working properly.
To search for and analyze other devices in the corporate network, cybercriminals apply passive and active scanning methods. In particular, using a sniffer to listen to traffic from a local network interface, anyone can easily detect various devices thanks to ARP packets or active connections, and determine the URLs of servers hosting corporate applications such as Active Directory, Outlook, databases, corporate websites etc. To obtain detailed information about a specific network node, cybercriminals use network scanners (e.g. nmap) to determine available network services, guess names and versions of installed software, and detect the presence of a firewall and IDS/IPS.
Distribution
Now the attackers have a foothold in the system, have a reliable remote access channel and have sufficient information about the network. The next actions usually pursue the primary objective. That may be stealing confidential information, attacks on corporate infrastructure, gaining control over critical systems for blackmail purposes, or other personal purposes. Unless the initially attacked system is the ultimate target (that can be e.g. a CEO's laptop, a central server or a website), the attacker needs to gain control over other systems within the corporate network. Depending on the nature of the target, infection may be pinpointed or broad scale.
For example, if the attackers plan to launch an infrastructure attack, they will probably need massive infections of the servers running various business processes and the workstations of operators and administrators. On the other hand, a cybercriminal aiming to steal confidential information or conduct espionage will have to act very carefully and attack only the top priority systems.
There are a number of ways of propagating malware within a corporate network. Cybercriminals normally go for the simplest approach, such as using existing accounts. For example, by launching malicious code from under a domain account belonging to a user of an infected system, the cybercriminal can freely connect to various network services (to which the user has access) using domain authorization (Single Sign-On), i.e. without entering the login credentials. On the other hand, the cybercriminal can use a keylogger and easily get hold of the login credentials to the domain account as well as other services that do not maintain domain authorization. In addition, the cybercriminal may attempt to take advantage of vulnerabilities in the mechanisms for storing and checking credentials, or simply brute-force the password.
The most effective propagation path within corporate networks is to exploit vulnerabilities, since most corporate network security focuses on preventing attacks from outside the perimeter. Consequently, there are a multitude of varied vulnerabilities within the network, including unsecured corporate servers, test servers, management/virtualization systems etc. Practice shows that even if information security specialists and IT engineers are aware of all the vulnerabilities existing in their corporate network(s), it takes them years to fix them because it requires a lot of manpower. Nevertheless, experienced hackers are cautious about using exploits for known vulnerabilities and prefer to attack unsecured corporate services. If a local or network-based IDS/IPS is still used in the network, using exploits for known vulnerabilities may unmask the cybercriminals.
Detecting an Attack
At each stage of the attack, cybercriminals often use the environment and the available tools for their own purposes, remaining inconspicuous against the backdrop of regular users' activities. To address this problem, it is important wherever possible to reduce redundancy in the environment and the business processes; in all other cases, it is vital to monitor what's happening, identify anomalies and react to them.
A vivid example of the problem of redundancy in business processes is the free access to business assets (confidential documents, critical applications, hardware etc.), local administrator privileges, and the capability of remote connection to the corporate network for staff who do not need this level of access and privilege. This applies to the control of access rights at the domain level as well as at the level of application software: browsers do not typically need access to other processes' memory, while Microsoft Office does not need to install drivers.
For an example of environment redundancy, we can think of a regular corporate employee (not a developer, tester, administrator or information security specialist) whose desktop has software designed for network traffic interception, scanning the network, remote access, creation of local HTTP/FTP servers, use of third-party network hardware (Wi-Fi and/or 3G modems), software development tools etc.
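One way to turn the "templates of cybercriminal activity" and the redundancy argument above into a check, as an added example that is not part of the original article: endpoint events are tagged with the article's three stages, tools that are expected for technical roles are ignored on those hosts, and a host is reported when two or more stages appear within 24 hours. The event kinds, tool names, thresholds, host names and sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Roles for which sniffers, scanners and interpreters are an expected part of the job
# (the article's list: developer, tester, administrator, information security specialist).
TECHNICAL_ROLES = {"developer", "tester", "administrator", "security"}

# Event templates per stage. Stage names follow the article; event kinds and
# tool names are assumptions made for this example.
TEMPLATES = {
    "foothold": [("scheduled_task_created", None), ("software_installed", {"python"})],
    "environment_analysis": [("process_start", {"nmap", "wireshark", "tcpdump"})],
}
REMOTE_LOGON_FANOUT = 5            # distinct destinations before logons count as propagation
WINDOW = timedelta(hours=24)


def classify(event):
    """Return the stage whose template the event matches, or None."""
    for stage, patterns in TEMPLATES.items():
        for kind, names in patterns:
            if event["kind"] == kind and (names is None or event["detail"].lower() in names):
                return stage
    return None


def stage_hits(events, roles):
    """Map each host to its (time, stage) hits, skipping tools expected for its role."""
    hits = defaultdict(list)
    targets = defaultdict(set)     # host -> remote hosts it logged on to (never expires here)
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        if ev["kind"] == "remote_logon":
            targets[host].add(ev["detail"])
            if len(targets[host]) == REMOTE_LOGON_FANOUT:
                hits[host].append((ev["time"], "propagation"))
            continue
        stage = classify(ev)
        if stage and roles.get(host) not in TECHNICAL_ROLES:
            hits[host].append((ev["time"], stage))
    return hits


def alerts(events, roles, min_stages=2):
    """Report hosts showing at least min_stages distinct stages inside one WINDOW."""
    result = {}
    for host, hits in stage_hits(events, roles).items():
        best = set()
        for start, _ in hits:
            seen = {stage for t, stage in hits if start <= t <= start + WINDOW}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            result[host] = sorted(best)
    return result


def _ev(host, day, hhmm, kind, detail):
    when = datetime.strptime(f"2014-11-{day} {hhmm}", "%Y-%m-%d %H:%M")
    return {"host": host, "time": when, "kind": kind, "detail": detail}


# Constructed sample data.
SAMPLE_ROLES = {"ws-acct-07": "accounting", "ws-dev-02": "developer", "ws-hr-01": "hr"}
SAMPLE_EVENTS = [
    _ev("ws-acct-07", 10, "09:02", "software_installed", "Python"),
    _ev("ws-acct-07", 10, "09:10", "scheduled_task_created", "updater"),
    _ev("ws-acct-07", 10, "09:40", "process_start", "nmap"),
    *[_ev("ws-acct-07", 10, f"11:{m:02d}", "remote_logon", f"srv-{m:02d}") for m in range(1, 6)],
    _ev("ws-dev-02", 10, "10:00", "software_installed", "python"),
    _ev("ws-dev-02", 10, "10:30", "process_start", "nmap"),
    _ev("ws-hr-01", 10, "14:00", "process_start", "wireshark"),
    _ev("ws-hr-01", 13, "09:00", "scheduled_task_created", "backup"),
]

if __name__ == "__main__":
    for host, stages in alerts(SAMPLE_EVENTS, SAMPLE_ROLES).items():
        print(host, "->", ", ".join(stages))
```

Only the accounting workstation is reported: the developer's tools are expected for the role, and the two events on the HR workstation are three days apart. Technical roles still need their own baseline, which this example leaves out.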
Any effective strategy to prevent attacks from within the corporate network must prevent cybercriminals from acting secretly, and force them to take complicated and risky steps that betray their plans to information security specialists who can neutralize the threat. For that, two things must be present in the corporate network: smart security and an information security management system.
If you marry these two technologies you create a fundamentally different animal from the established information security model. It can see everything that takes place in the system and immediately reacts to threats.
Smart security tools include some antiviruses, firewalls, IDS/IPS/HIPS, Application Control, Device Control - however they must be capable of interacting with the information security management system. These security tools should not only collect all types of information and send it to the information security management system, but also execute commands that block attempts to gain access, establish connections, transfer data via the network, launch applications, read and write files etc. Naturally, for all of this to work, an information security specialist must be able to differentiate between legitimate and malicious activity.
The ten-year anniversary edition of the Electronic KnockOut Party, held annually in Buenos Aires, Argentina, was certainly special! Over the years, ekoParty has become a standard for other conferences in Latin America, bringing together researchers from all over the world for nearly a full week packed with trainings, workshops, and groundbreaking talks about different aspects of the field of information security.
This year, the conference changed venues from the previously known 'Ciudad Cultural Konex' in favor of a much bigger space near the airport, the 'Aeroparque Jorge Newbery'. The loud engines from passing planes could not stop the speakers from sharing their knowledge with the audience. Organizers were prepared for this and outfitted the main stage with airport-themed decorations. Even the badges resembled boarding passes, making the most of the new venue's quirks and leaving nothing to chance.
What differentiates ekoParty from other conferences is the passion exhibited by everyone in attendance. Thanks in part to the Latin American way of doing things, ekoParty is proud of not taking itself too seriously and encourages its attendees to behave the same way. A loud siren blares when it's time for the speaker to take a drink and loosen up a bit mid-talk. Rushing forward with a shot of vodka, the conference staff is alert and engaging, making sure that both speaker and audience are having fun.
During the first day, we were welcomed by an interesting discussion panel and a wide array of workshops to choose from. In addition, several corporate sponsors gave away free trainings to showcase some of their latest tools and also administered challenges for the duration of the conference. With tempting cash prizes and fancy gadgets on the line, some participants chose to forego the talks altogether in order to test their skills in areas such as reverse engineering, penetration testing, and networking.
By the time the talks began on the second day, the tone of the conference was set by Cesar Cerrudo who presented on how to hack traffic control systems. Using 'Live Free or Die Hard' references to engage the audience proved successful and Hollywood-worthy research was presented in a compelling and understandable way. As the day went on, attendees could choose to participate in one of the workshops (as I did with Juliano Rizzo's bitcoin security training) or keep attending assorted talks. Among the topics covered were "Exploring the Jolla Phone", "Cooking an APT the paranoid way" or even browser exploitation techniques with Alex Rad's presentation "Pointer Subterfuge in the Browser Address Space".
There were just too many topics and talks to cover them all in detail, but a common thread emerges. Speakers not only share their knowledge but also ask the community to join them in their research to create something useful for all parties involved. This was the case with Anibal Sacco's "IDA Synergy – Collaborative Reverse Engineering", which showed a combination of an IDAPython plugin and a version control system that resulted in a new collaborative reverse engineering add-on for IDA Pro.
Though a lot of talks focused on exploiting different technologies (as in the case of Luis Colunga's presentation on Software Defined Radio), other presentations could be easily mistaken for university courses. This was the case with Alfredo Ortega's "Deep-submicron backdoors" which led the audience from concepts like Fourier transformations to CPU low-level backdoors. With a touch of 3D modeling and some lines of code in the right place, Ortega demonstrated that building a backdoored ARM CPU isn't as hard as it might seem.
The final day of the conference started early with discussions about the current state of privacy and a historical perspective on the many state-backed surveillance programs of recent years. Just before lunch we had a great presentation by Marcio Almeida Macedo on 'Hacking RFID Billing Schemes for fun and free rides', mentioning our recent blogpost on the topic, specifically referring to vulnerabilities in the Chilean transportation system. All researchers went above and beyond to show the hardware and principles involved in their investigations, always enticing the audience to follow in their footsteps.
Malware made its appearance with Thiago Bordini who shared techniques for 'Monitoring Malicious Domains on the Internet in real time for forensic purposes'. Brazilian presenters were, of course, forced to withstand chanting and taunting from Argentinians in the crowd pleased by World Cup results. That's to be expected. The day ended with bells and whistles as Rahul Sasi presented his sequel presentation on hacking TV networks, an investigation that stemmed from a penetration testing job that ended with him finding ways to inject video signals in TV networks and even shutting down the receiver's box remotely.
An emotive awards ceremony brought the event to a close by recognizing local talent and remembering Barnaby Jack's appearance years ago. The ekoParty left everyone wanting more and eager to attend the following year. ekoParty is one of those conferences where attendees get back what they put in: they can choose to just enjoy the talks or instead get involved in the many challenges, workshops, and networking activities offered. Until next year, I encourage you to check out the content covered during the conference and hope to see you there!
The Hack In The Box (HITB) SecConf 2014 was held from the 13 to the 16 of October, in Kuala Lumpur, Malaysia. More than 500 people from around the world participated in the event. Unfortunately, 2014 was the final round of this nice event.
The event is made up of four main elements: technical training sessions, a security conference, a Capture the Flag 'Live Hacking' Attack & Defense Competition, a Developer Hackathon (HackWEEKDAY) and a CommSec Village & Technology Showcase Area.
Although there were many interesting presentations at the conference, I have too little space here to introduce all of them, so let's take a look at three of them.
Filippo Valsorda gave a presentation entitled "Exploiting ECDSA Failures in the Bitcoin Blockchain". Elliptic Curve Digital Signature Algorithm (ECDSA) is an EC-based signature scheme as implemented in TLS, DNSSEC and PS3. He pointed out that ECDSA might not be as secure as it is believed to be.
Haroon Meer, Marco Slaviero and Azhar Desai picked up the topic of the "sockpuppet", a false online identity adopted for deceptive purposes, in their presentation. They demonstrated mass-posting, mass-voting and mass-down-voting at some forums, with the help of only one line of bash script. The presentation was entitled "Weapons of Mass Distraction: Sock Puppetry for Fun & Profit".
Mike Ryan's "The NSA Playset: Bluetooth Smart Attack Tools" presentation introduced a series of tools used by the NSA and demonstrated keyboard hijacking via Bluetooth using some of the tools.
For those who are interested, the presentation materials are available at the official web site of HITB2014.
The CTF session was also quite interesting. Let's take a look at Challenge 2.
As a problem to solve, a pcap file was provided. It was a capture of some network traffic.
Inspecting the file, you could find that ICMPv6 packets contain unknown strings that start with "G01". In fact, the strings are G-codes, computer numerical control commands (for industrial hardware, 3D printers, etc.). If they are run using emulator software, a string is displayed – this is the answer to the problem.
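A small stand-in for the emulator step described above, added here as an example and not taken from the CTF or the author: it reassembles G-code lines from packet payloads and rasterizes the G01 moves as ASCII. The payload bytes are constructed (they draw a letter "L", not the challenge's answer), and the pen-down rule (Z at or below 0) and all function names are assumptions.

```python
import re

# Constructed ICMPv6 data fields, in capture order. One G-code line is
# deliberately split across the second and third payload.
SAMPLE_PAYLOADS = [
    b"G01 Z1\nG01 X0 Y4\n",
    b"G01 Z-1\nG01 X0 ",
    b"Y0\nG01 X3 Y0\nG01 Z1\n",
]

WORD = re.compile(r"([A-Z])\s*(-?\d+(?:\.\d+)?)")


def extract_gcode(payloads):
    """Join payloads in capture order and keep only G00/G01 move lines."""
    text = b"".join(payloads).decode("ascii", errors="replace")
    lines = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip().upper()  # drop ';' comments
        if re.match(r"G0?[01]\b", line):
            lines.append(line)
    return lines


def bresenham(x0, y0, x1, y1):
    """Integer line rasterization between two grid points, inclusive."""
    dx, dy = abs(x1 - x0), -abs(y1 - y0)
    sx = 1 if x0 < x1 else -1
    sy = 1 if y0 < y1 else -1
    err = dx + dy
    points = []
    while True:
        points.append((x0, y0))
        if (x0, y0) == (x1, y1):
            return points
        e2 = 2 * err
        if e2 >= dy:
            err += dy
            x0 += sx
        if e2 <= dx:
            err += dx
            y0 += sy


def trace(lines):
    """Replay the moves and return the cells touched while the tool is down."""
    x = y = 0
    z = 1.0  # assumption: the tool starts lifted
    cells = set()
    for line in lines:
        words = {k: float(v) for k, v in WORD.findall(line)}
        code = int(words.pop("G"))
        nx, ny = round(words.get("X", x)), round(words.get("Y", y))
        z = words.get("Z", z)
        # Only G01 (linear feed) with the tool down leaves a mark.
        if code == 1 and z <= 0 and (nx, ny) != (x, y):
            cells.update(bresenham(x, y, nx, ny))
        x, y = nx, ny
    return cells


def render(cells):
    """Draw the touched cells as text, Y axis pointing up."""
    if not cells:
        return ""
    xs = [c[0] for c in cells]
    ys = [c[1] for c in cells]
    rows = []
    for yy in range(max(ys), min(ys) - 1, -1):
        row = "".join("#" if (xx, yy) in cells else " "
                      for xx in range(min(xs), max(xs) + 1))
        rows.append(row.rstrip())
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(trace(extract_gcode(SAMPLE_PAYLOADS))))
```

Joining the payloads before splitting into lines matters: a command that straddles two packets would otherwise be dropped or misparsed.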
In my opinion, CTF is a good exercise for IT engineers, because it gives the chance to learn technologies that are not familiar to you.
In the closing session, the event organizers announced the end of HITB KUL and the beginning of a new event "HITB GSEC". This is planned to take place in Singapore in October 2015.
I hope the new HITB GSEC will be as fantastic as HITB KUL and I'm looking forward to meeting great security specialists there again!!
A few months ago, I requested an online quote for some home repairs. The recipient was a very well-known company here in the US. The service I got actually was very good. Under my explicit approval the company kept my email address and has been sending me several promotions that I had signed up to.
However, the latest one was unusual - it arrived with at least 20 recipients explicitly exposed including my full email address in the list.
Cybercriminals and other threat actors also have normal lives - they shop at the same places we do, they eat the same food we eat, and they hire the same services we do. So, imagine what happens when a malicious actor receives one of these emails! It's a perfect source of information for spearphishing attacks.
I say this because the attacker would have enough information to know the potential victims are customers or potential customers of that particular brand, knowing the benefits of abusing the brand to launch attacks in the name of that store.
Since the advertisement I get is customized, meaning it refers to a very specific part of town, then the attacker would also know his victims live in a particular city. This also brings a lot of advantages when preparing the attack.
Finally, the attacker even knows how the store legitimately promotes their services. And I mean which format the store uses:
In my case, I got a PDF file attachment. So, in case the attacker launches a spear phishing campaign with a malicious file, the victims wouldn't suspect anything malicious since nothing is out of the ordinary.
So who might abuse this technique and what can we do about it?
The most likely actor would be a classic cyber-criminal. However, any threat actor in need can resort to the same scheme.
What is the best practice when you get such advertisement emails? I prefer to use online viewers, embedded into many modern Webmail providers. Instead of downloading the file to the disk and then opening it locally, you can visualize it online:
So in case of any local app exploit, let's say for Adobe Reader, the exploit won't work and you will still be able to read the document.
Leaks like this one, despite not being particularly big, definitely expose people to new spear-phishing campaigns.
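On the sending side, the leak described above can be caught before a promotion leaves the mail system. The check below is an added example, not part of the original post: the sample message is constructed, and the function name, the threshold and the use of List-Unsubscribe/Precedence to recognize bulk mail are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed promotional message with the recipient list left in To/Cc.
SAMPLE = """\
From: Store Promotions <promo@store.example>
To: alice@mail.example, Bob <bob@mail.example>,
 carol@other.example, dave@other.example
Cc: ALICE@mail.example, erin@third.example, staff@store.example
Subject: Autumn offers in your area
List-Unsubscribe: <mailto:unsubscribe@store.example>
Content-Type: text/plain

Flyer attached.
"""


def audit_outbound(raw_message, own_domains=(), max_visible=3):
    """Report customer addresses that every recipient of this message can see.

    own_domains: lower-case domains of the sender's own staff (not counted).
    max_visible: how many external addresses may share one To/Cc list.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])

    visible = []
    for _name, addr in getaddresses(headers):
        addr = addr.strip().lower()
        local, sep, domain = addr.rpartition("@")
        # Skips group syntax such as "undisclosed-recipients:;" and staff.
        if not sep or not local or domain in own_domains:
            continue
        if addr not in visible:  # same person in To and Cc counts once
            visible.append(addr)

    precedence = (msg.get("Precedence") or "").strip().lower()
    bulk = msg.get("List-Unsubscribe") is not None or precedence in ("bulk", "list")

    return {
        "visible": visible,
        "domains": sorted({a.rpartition("@")[2] for a in visible}),
        "bulk": bulk,
        # Hold bulk mail that would disclose customers to each other.
        "hold": bulk and len(visible) > max_visible,
    }


if __name__ == "__main__":
    print(audit_outbound(SAMPLE, own_domains={"store.example"}))
```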
You may follow me on twitter: @dimitribest
The BlackEnergy malware is crimeware turned APT tool and is used in significant geopolitical operations lightly documented over the past year. An even more interesting part of the BlackEnergy story is the relatively unknown custom plugin capabilities to attack ARM and MIPS platforms, scripts for Cisco network devices, destructive plugins, a certificate stealer and more. Here, we present available data - it is difficult to collect on this APT. We will also present more details on targets previously unavailable and present related victim profile data.
These attackers are careful to hide and defend their long-term presence within compromised environments. The malware's previously undescribed breadth means attackers present new technical challenges in unusual environments, including SCADA networks. Challenges, like mitigating the attackers' lateral movement across compromised network routers, may take an organization's defenders far beyond their standard routine and out of their comfort zone.
Brief History
BlackEnergy2 and BlackEnergy3 are known tools. Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. There are no indications of how many groups possess this tool. BlackEnergy2 was eventually seen downloading more crimeware plugins - a custom spam plugin and a banking information stealer custom plugin. Over time, BlackEnergy2 was assumed into the toolset of the BE2/Sandworm actor. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. To be clear, our name for this actor has been the BE2 APT, while it has been called "Sandworm Team" also.
The Plugins and Config Files
Before evidence of BlackEnergy2 use in targeted attacks was uncovered, we tracked strange activity on one of the BlackEnergy CnC servers in 2013. This strangeness was related to values listed in newer BlackEnergy configuration files. As described in Dmitry's 2010 'Black DDoS' analysis, a configuration file is downloaded from the server by main.dll on an infected system. The config file provides download instructions for the loader. It also instructs the loader to pass certain commands to the plugins. In this particular case in 2013, the config file included an unknown plugin set, aside from the usual 'ddos' plugin listing. Displayed below are these new, XML-formatted plugin names "weap_hwi", "ps", and "vsnet" in a BlackEnergy configuration file downloaded from a C2 server. This new module push must have been among the first for this group, because all of the module versions were listed as "version 1", including the ddos plugin:
Config downloaded from BE2 server
The 'ps' plugin turned out to be password stealer. The 'vsnet' plugin was intended to spread and launch a payload (BlackEnergy2 dropper itself at the moment) in the local network by using PsExec, as well as gaining primary information on the user's computer and network.
Most surprising was the 'weap_hwi' plugin. It was a ddos tool compiled to run on ARM systems:
At first, we didn't know whether the ARM plugin was listed intentionally or by mistake, so we proceeded to collect the CnC's config files. After pulling multiple config files, we confirmed that this ARM object inclusion was not a one-off mistake. The server definitely delivered config files not only for Windows, but also for the ARM/MIPS platform. Though unusual, the ARM module was delivered by the same server and it processed the same config file.
Linux plugins
Over time we were able to collect several plugins as well as the main module for ARM and MIPS architectures. All of these ARM/MIPS object files were compiled from the same source and later pushed out in one config: "weap_msl", "weap_mps", "nm_hwi", "nm_mps", "weap_hwi", and "nm_msl". It's interesting that the BE2 developers upgraded the ddos plugin to version 2, along with the nm_hwi, nm_mps, and nm_msl plugins. They simultaneously released version 5 of the weap_msl, weap_mps, and weap_hmi plugins. Those assignments were not likely arbitrary, as this group had developed BlackEnergy2 for several years in a professional and organized style:
Config with a similar set of plugins for different architectures
Here is the list of retrieved files and related functionality:
- weap: DDoS Attack (various types)
- ps: password stealer handling a variety of network protocols (SMTP, POP3, IMAP, HTTP, FTP, Telnet)
- nm: scans ports, stores banners
- snif: logs IP source and destination, TCP/UDP ports
- hook: main module: CnC communication, config parser, plugins loader
- uper: rewrites hook module with a new version and launches it
Weap, Snif, Nm plugin grammar mistakes and mis-spellings
The developers' coding style differed across the 'Hook' main module, the plugins, and the Windows main.dll. The hook main module contained encrypted strings and handled all the function calls and strings as the references in a large structure. This structure obfuscation may be a rewrite effort to better modularize the code, but could also be intended to complicate analysis. Regardless, it is likely that different individuals coded the different plugins. So, the BE2 effort must have its own small team of plugin and multiplatform developers.
Hook module structure
After decrypting the strings, it became clear that the Linux Hook main module communicated with the same CnC server as other Windows modules:
The CNC's IP address in the Linux module
This Linux module can process the following commands, some of which are similar to the Windows version:
- die: delete all BlackEnergy2 files and system traces
- kill: delete all BlackEnergy2 files and system traces and reboot
- lexec: launch a command using bin/sh
- rexec: download and launch file using 'fork/exec'
- update: rewrite self file
- migrate: update the CnC server
Windows Plugins
After the disclosure of an unusual CnC server that pushed Linux and the new Windows plugins we paid greater attention to new BE2 samples and associated CnCs.
During an extended period, we were able to collect many Windows plugins from different CnC servers, without ever noticing Linux plugins being downloaded as described above. It appears the BE2/SandWorm gang protected their servers by keeping their non-Windows hacker tools and plugins in separate servers or server folders. Finally, each CnC server hosts a different set of plugins, meaning that each server works with different victims and uses plugins based on its current needs. Here is the summary list of all known plugins at the moment:
- fs: searches for given file types, gets primary system and network information
- ps: password stealer from various sources
- ss: makes screenshots
- vsnet: spreads payload in the local network (uses psexec, accesses admin shares), gets primary system and network information
- rd: remote desktop
- scan: scans ports of a given host
- grc: backup channel via plus.google.com
- jn: file infector (local, shares, removable devices) with the given payload downloaded from CnC
- cert: certificate stealer
- sn: logs traffic, extracts login-passwords from different protocols (HTTP, LDAP, FTP, POP3, IMAP, Telnet)
- tv: sets password hash in the registry for TeamViewer
- prx: Proxy server
- dstr: Destroys hard disk by overwriting with random data (on application level and driver level) at a certain time
- kl: keylogger
- upd: BE2 service file updater
- usb: gathers information on connected USBs (Device instance ID, drive geometry)
- bios: gathers information on BIOS, motherboard, processor, OS
We are pretty sure that our list of BE2 tools is not complete. For example, we have yet to obtain the router access plugin, but we are confident that it exists. Evidence also supports the hypothesis that there is a decryption plugin for victim files (see below).
Our current collection represents the BE2 attackers' capabilities quite well. Some plugins remain mysterious and their purpose is not yet clear, like 'usb' and 'bios'. Why would the attackers need information on usb and bios characteristics? It suggests that based on a specific USB and BIOS devices, the attackers may upload specific plugins to carry out additional actions. Perhaps destructive, perhaps to further infect devices. We don't know yet.
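The 'vsnet' behaviour listed above (PsExec plus admin-share access) leaves a recognizable pair of Windows events on each machine it reaches: a share-access event (5140) on ADMIN$ followed by a service installation (7045) for PSEXESVC. The correlation rule below is an added example, not taken from the original analysis or from any product; the event records are constructed, and the reduced field names, the time window and the host names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, reduced Windows event records (Security 5140, System 7045).
SAMPLE_EVENTS = [
    {"time": "2014-07-01T09:15:02", "host": "WS-014", "id": 5140,
     "share": r"\\*\ADMIN$", "src_ip": "10.0.5.23", "user": "CORP\\jdoe"},
    {"time": "2014-07-01T09:15:04", "host": "WS-014", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2014-07-01T10:02:11", "host": "FS-01", "id": 5140,
     "share": r"\\*\ADMIN$", "src_ip": "10.0.1.5", "user": "CORP\\backup-svc"},
    {"time": "2014-07-01T11:30:00", "host": "WS-020", "id": 7045,
     "service": "Print Helper", "image": r"C:\Program Files\ph\ph.exe"},
    {"time": "2014-07-01T09:16:40", "host": "WS-031", "id": 5140,
     "share": r"\\*\ADMIN$", "src_ip": "10.0.5.23", "user": "CORP\\jdoe"},
    {"time": "2014-07-01T09:16:41", "host": "WS-031", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]


def is_psexec_service(event):
    """Match the default PsExec service; a renamed service will not match."""
    name = event.get("service", "").upper()
    image = event.get("image", "").lower()
    return name == "PSEXESVC" or image.endswith("psexesvc.exe")


def correlate(events, window_s=60, admin_sources=()):
    """Pair each PsExec service install with a preceding ADMIN$ access
    on the same host, ignoring known administration hosts."""
    ordered = sorted(events, key=lambda e: (e["time"], e["id"]))
    share_hits = {}  # host -> [(time, src_ip, user)]
    alerts = []
    for e in ordered:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 5140 and e.get("share", "").upper().endswith("ADMIN$"):
            share_hits.setdefault(e["host"], []).append(
                (t, e["src_ip"], e["user"]))
        elif e["id"] == 7045 and is_psexec_service(e):
            for hit_time, src, user in share_hits.get(e["host"], []):
                gap = t - hit_time
                if (timedelta(0) <= gap <= timedelta(seconds=window_s)
                        and src not in admin_sources):
                    alerts.append({"host": e["host"], "src_ip": src,
                                   "user": user, "time": e["time"]})
    return alerts


def spreading_sources(alerts, min_hosts=2):
    """Sources that reached several hosts this way: the lateral-movement signal."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src_ip"], set()).add(a["host"])
    return {s: sorted(h) for s, h in by_src.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(spreading_sources(found))
```

A workstation that appears in `spreading_sources` without being a designated administration host is the case worth investigating first.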
It's also interesting to point out another plugin – 'grc'. In some of the BE2 configuration files, we can notice a value with a "gid" type:
The addr number in the config
This number is an ID for the plus.google.com service and is used by the 'grc' plugin to parse html. It then downloads and decrypts a PNG file. The decrypted PNG is supposed to contain a new CNC address, but we never observed one. We are aware of two related GooglePlus IDs. The first one, plus.google.com/115125387226417117030/, contains an abnormal number of views. At the time of writing, the count is 75 million:
BE2 plus profile
The second one - plus.google.com/116769597454024178039/posts - is currently more modest at a little over 5,000 views. All of that account's posts are deleted.
Tracked Commands
While observing the "router-PC" CnC described above, we tracked the following commands delivered in the config file before the server went offline. Each command is listed with the related action we observed:
- u ps: start password stealing (Windows)
- Ps_mps/ps_hwi start: start password stealing (Linux, MIPS, ARM)
- uper_mps/uper_hwi start: rewrite hook module with a new version and launch it (Linux, MIPS, ARM)
- Nm_mps/nm_hwi start –ban -middle: Scan ports and retrieve banners on the router subnet (Linux, MIPS, ARM)
- U fsget * 7 *.docx, *.pdf, *.doc *: search for docs with the given filetypes (Windows)
- S sinfo: retrieve information on installed programs and launch commands: systeminfo, tasklist, ipconfig, netstat, route table, trace route to google.com (Windows)
- weap_mps/weap_hwi host184.108.40.206 port[25,26,110,465,995] typetcpconnect: DDoS on 220.127.116.11 (Linux, MIPS, ARM)
- weap_mps/weap_hwi typesynflood port80 cnt100000 spdmedium host18.104.22.168: DDoS on 22.214.171.124 (Linux, MIPS, ARM)
The issued commands for the Linux plugins suggest the attackers controlled infected MIPS/ARM devices. We want to pay special attention to the DDoS commands meant for these routers. 126.96.36.199 belongs to the Russian Ministry of Defense and 188.8.131.52 belongs to the Turkish Ministry of Interior's government site. While many researchers suspect a Russian actor is behind BE2, judging by their tracked activities and the victim profiles, it's still unclear whose interests they represent.
While observing some other CnCs and pulling down config files, we stumbled upon some strange mistakes and mis-typing. They are highlighted in the image below:
BE2 config file mistakes
First, these mistakes suggest that the BE2 attackers manually edit these config files. Secondly, it shows that even skilled hackers make mistakes.
Hard-Coded Command and Control
The contents of the config files themselves are fairly interesting. They all contain a callback c2 with a hardcoded ip address, some contain timeouts, and some contain the commands listed above. We include a list of observed hardcoded ip C2 addresses here, along with the address owner and geophysical location of the host:
C2 IP address | Owner | Country
184.108.40.206 | hostnoc.net | US
220.127.116.11 | Leaseweb | NL
18.104.22.168 | Leaseweb | NL
22.214.171.124 | Leaseweb | NL
126.96.36.199 | Leaseweb | NL
188.8.131.52 | Leaseweb | NL
184.108.40.206 | Leaseweb | NL
220.127.116.11 | Leaseweb | NL
18.104.22.168 | Hetzner | DE
22.214.171.124 | Hetzner | DE
126.96.36.199 | Serverconnect | SE
188.8.131.52 | Redstation | GB
184.108.40.206 | Nadym | RU
220.127.116.11 | Yisp | NL
18.104.22.168 | Besthosting.ua | UA
22.214.171.124 | PIRADIUS | MY
126.96.36.199 | Keyweb | DE
188.8.131.52 | worldstream.nl | NL
184.108.40.206 | digitalone.com | US
220.127.116.11 | 3nt.com | DE
18.104.22.168 | serverius.com | NL
It's interesting that one of these servers is a Tor exit node. And, according to the collected config files, the group upgraded their malware communications from plain text http to encrypted https in October 2013.
BE2 Targets and Victims
BlackEnergy2 victims are widely distributed geographically. We identified BlackEnergy2 targets and victims in the following countries starting in late 2013. There are likely more victims.
Victim profiles point to an expansive interest in ICS:
- power generation site owners
- power facilities construction
- power generation operators
- large suppliers and manufacturers of heavy power related materials
However, we also noticed that the target list includes government, property holding, and technology organizations as well:
- high level government
- other ICS construction
- federal land holding agencies
- municipal offices
- federal emergency services
- space and earth measurement and assessment labs
- national standards body
- high-tech transportation
- academic research
We gained insight into significant BE2 victim profiles over the summer of 2014. Interesting BE2 incidents are presented here.
The BE2 attackers successfully spearphished an organization with an exploit for which there is no current CVE and for which a Metasploit module has been available. This email message contained a ZIP archive with an EXE file inside that did not appear to be an executable. This crafted ZIP archive exploited a WinRAR flaw that makes files in ZIP archives appear to have a different name and file extension.
BE2 spearphish example
The attached EXE file turned out to be 'BlackEnergy-like' malware, which researchers have already dubbed 'BlackEnergy3' - the gang uses it along with BlackEnergy2. Kaspersky Lab detects 'BlackEnergy3' malware as Backdoor.Win32.Fonten, naming it after its dropped file "FONTCACHE.DAT".
When investigating computers in the company's network, only BE2 associated files were found, suggesting BE3 was used as only a first-stage tool on this network. The config files within BE2 contained the settings of the company's internal web proxy:
BE2 config file contains victim's internal proxy
As the APT-specific BE2 now stores the downloaded plugins in encrypted files on the system (not seen in older versions – all plugins were only in-memory), the administrators were able to collect BE2 files from the infected machines. After decrypting these files, we could retrieve plugins launched on infected machines: ps, vsnet, fs, ss, dstr.
By all appearances, the attackers pushed the 'dstr' module when they understood that they were revealed, and wanted to hide their presence on the machines. Some machines already launched the plugin, lost their data and became unbootable.
Destructive dstr command in BE2 config file
Also, on some machines, documents were encrypted, but no related plugin could be found.
The second organization was hacked via the first victim's stolen VPN credentials. After the second organization was notified about the infection they started an internal investigation. They confirmed that some data was destroyed on their machines, so the BE2 attackers have exhibited some level of destructive activity. And, they revealed that their Cisco routers with different IOS versions were hacked. They weren't able to connect to the routers any more by telnet and found the following "farewell" tcl scripts in the router's file system:
Ciscoapi.tcl – contains various wrappers over cisco EXEC-commands as described in the comments.
The comment includes a punchy message for "kasperRsky":
BE2 ciscoapi.tcl fragment
Killint.tcl – uses Ciscoapi.tcl, implements destroying functions:
BE2 killint.tcl fragment
The script tries to download ciscoapi.tcl from a certain FTP server which served as a storage for BE2 files. The organization managed to discover what scripts were hosted on the server before BE/SandWorm gang deleted them, and unfortunately couldn't restore them after they were deleted. The BE2 actor performs careful, professional activity covering their tracks:
There is evidence that the logs produced by some scripts were also stored on the FTP server, in particular the information on CDP neighbors which is provided by one of the procedures of ciscoapi.tcl.
The third organization got compromised by the same type of attack as the first one (an EXE file spoofing a doc within a Zip archive). All the plugins discovered in BE2 files were known, and there was no revelation of hacked network devices on their side and no destroyed data. The noticeable thing is that many computers contained both BE2 and BE3 files and some config files contained the following URL:
The URL contains the md5 of the string 'router'. One of the discovered config files contained a URL with an as yet unidentified md5:
Victim set #4
A set of victims discovered that Siemens SCADA software installed in their ICS environment was responsible for downloading and executing BlackEnergy. Starting in March 2014 and ending in July 2014, Siemens "ccprojectmgr.exe" downloaded and executed a handful of different payloads hosted at 22.214.171.124/favicon.ico. They are all detected as variants of "Backdoor.Win32.Blakken".
Build IDs
Each config file within BE2 main.dll has a field called build_id which identifies the malware version for the operators. Currently this particular BE/SandWorm gang uses a certain pattern for the build ids containing three hex numbers and three letters, as follows:
The numbers indicate the date of file creation in the format: Year-Month-Day. Still, the purpose of the letters is unknown, but most likely it indicates the targets. The hex numbers weren't used all the time, sometimes we observed decimal numbers:
Most interesting for us was the earliest build id we could find. Currently it is "OB020Ad0V", meaning that the BE2/SandWorm APT started operating as early as the beginning of 2010.
Appendix: IoC
The BE dropper installs its driver under a randomly picked unused Windows driver name, like %system32%\drivers\AliIde.sys. The driver is self-signed on 64-bit systems.
However, new "APT" BE2 uses one of the following filenames that are used as an encrypted storage for plugins and the network settings. They are consistent and serve as stable IoC:
BE2 also uses start menu locations for persistence:
BE3 uses the following known filenames:
Botnet History Illustrated by BlackEnergy 2, PH Days, Kaspersky Lab - Maria Garnaeva and Sergey Lozhkin, May 2014
BlackEnergy and Quedagh (pdf), F-Secure, September 2014
Sandworm, iSIGHT Partners, October 2014
Alert (ICS-ALERT-14-281-01A) Ongoing Sophisticated Malware Campaign Compromising ICS (Update A), ICS-CERT, October 2014
In September we came across mentions of people in Africa suffering from the Ebola virus and unusual invitations to a conference of the World Health Organisation (WHO) in the subject line of so-called "Nigerian" emails. The aim of the conmen was, as usual, to swindle money from trusting recipients who entered into conversation with the authors of the letters.
In October it was the turn of the cybercriminals, who used the tumult around the Ebola virus to send letters containing malware. Once again the WHO was indicated as the sender of the letters, which is unsurprising as this is the organisation that deals with various diseases and epidemics on a worldwide level.
In the text of the letters we detected the evildoers tried to convince recipients that the WHO has prepared a file with general information and security measures that will help protect users and those around them from the deadly virus and other diseases. Furthermore the recipient was also asked to distribute this information to help the WHO.
To mask the real link a link abbreviation service was used, which finally redirected users to a popular cloud data storage service. There the criminals had stored the malware program Backdoor.Win32.DarkKomet.dtzn disguised as a document from the WHO. This malware is designed to steal personal data. We note that access to the file was blocked quite quickly by the service administrators and, probably for that reason, the evildoers decided to change their letter. The very next day our traps caught a similar communication supposedly from the WHO, only this time the archive with the same malware program was inserted into the letter itself.
Cybercriminals rarely miss a chance to use current events and the names of famous organisations to trick the recipients of their spam. And so, having fallen for the convincing header and failed to pay attention for even a moment, users risk compromising their personal data and surrendering control of their computer to criminals. It is worth remembering that modern anti-virus solutions provide protection but it is only the considered actions of users that can keep their personal data safe.
In September, "Nigerian" scammers sent out stories relating to the breaking news of the Ebola epidemic. There was festive spam, focusing on both the US Labor Day celebration and the upcoming winter holidays: spammers have started to offer products and services for Christmas. A large part of the major theme mailings promoted products and services using popular social networking sites: the spammers promised an instant influx of new customers and income growth.
The Ebola virus in "Nigerian" spam
In July, the first reports about the Ebola outbreak in Africa appeared in the media. While the world's attention was focused on how to fight the epidemic and prevent it spreading further, scammers used the disease to create new stories for their "Nigerian" letters.
In September, we came across several mailings which mentioned Ebola. In addition to the popular "Nigerian" legends written supposedly on behalf of people with various diseases the fraudsters made up quite unusual stories. For example, an email from a rich Liberian lady dying from Ebola contained a long story about her children who died from the virus and about the local medical center which refused to help her. She was willing to donate more than $1.5 million to a recipient who would transfer this money to charities. The message contained a detailed description of the situation that is unusual for "Nigerian" letters. However, this long story was still nothing more than yet another trick to make recipients believe the story and start corresponding with the scammers.
The authors of another fraudulent mailing posed as an employee of the World Health Organization and tried an unusual tack to attract attention – the reader was invited to a conference where Ebola would be discussed along with other medical issues. The recipient was not only invited to participate in the conference as a guest but was also offered 350,000 Euro and an automobile for his work as the WHO Representative in the UK. If the victim was interested in the offer, he had to provide his personal data. Apparently, the scammers hoped that the offer of money and work in an international company would ease all the user's doubts.
Holiday spam
In early September, the United States celebrated Labor Day and the spammers were determined not to miss out on the event. Traditionally, in the run-up to the holidays people are attracted by discounts and sales. This time, companies selling print cartridges offered discounts not only for Labor Day but also the beginning of the new school year. Pharmaceutical spam advertising drugs for weight loss also offered discounts related to the holiday.
Spam traffic around the world also contained adverts for goods and services related to Christmas. English-language messages offered a Christmas party on board a ship and urged early booking to get the lowest prices. In addition, the spammers encouraged people to start thinking of buying Christmas gifts in September and order digital devices directly from Chinese manufacturers as well as ordering a Christmas tree for the holiday.
Another major theme this month was spam messages advertising various ways to earn money online using popular social networking sites. Most often, spammers offered to create an individual profile or a group in Twitter, Facebook or LinkedIn, to design a page according to the concept of the company and the goods it sells, to provide the first subscribers as well as to create the primary content and begin to actively promote it. Naturally, all this came at a cost. After such a comprehensive approach to creating a community in a social network the authors of the mailings promised a sharp increase in the customer numbers and sales volumes. Users were asked to apply by following a link in the email.
Spammers also spent plenty of time offering professional business promotion by placing photos and videos on specialist social networking sites. The authors of these mailings also promised to provide their customers with the necessary number of subscribers, for example, in Instagram, to place the photos of goods and to achieve the first results within the next three days. The recipients were often invited to make a video presentation of the company or the product and to post it on the popular video hosting YouTube. The spammers also promised that users could make "an obscene amount of money" with the help of YouTube by spending just 40 minutes a day on it. However, these mailings were nothing more than adverts about yet another author marketing course on DVD. To buy the DVD the recipient needed to follow a link in the email to enter the necessary website and make an order.
In September, we also came across the mailings containing invitations to seminars and webinars dedicated to the "art" of group and community administration on social networks. The authors of these training sessions promised to reveal all the secrets of an administrator's work (for example, on Facebook or LinkedIn), leading to a stable monthly income for students. To register for a webinar, the recipient had to click on the link in the email.
According to the authors of foreign language spam mailings, the most popular source for attracting new customers and revenue growth was, of course, Facebook. So the spammers proposed using the network to promote personal ads, to link specific redirects to posts and photos – in this case the number of potential customers would depend on the quality of the content and the willingness of the users to click the links published in the communities. To accomplish this, they suggested special software which could be bought via spam mailings. Sites with detailed descriptions of the software had been created a few months earlier and their names contained such words as "customers", "income", "Facebook".
Statistics
The percentage of spam in email traffic
The percentage of spam in September's email traffic averaged 66.5%, which is 0.7 percentage points down from August. The amount of unsolicited email consistently decreased throughout the month – in early September the percentage of spam averaged 69.3%, while by the end of the month it had dropped to 63.1%.
Sources of spam by country
In September, the Top 3 most popular sources of spam were as follows. The USA remained in first position (12%) although its contribution was down nearly 4 percentage points from the previous month. Vietnam moved from fourth to second place with 9.3%; up 4.6 percentage points. Russia was in third place with 5.8% - there was little change in its numbers and it dropped one place in the table.
Sources of spam around the world
China was in 4th position with 5.6% of all distributed spam; its contribution dropped by nearly 1 pp. It is followed by India (4.7%): with almost 2 pp growth this country rocketed from 10th in August to 5th in September.
South Korea (3.2%) also increased its share by 1.3pp and placed 7th, up eight from the previous month. Meanwhile, Germany (2.9%) lost 0.7 pp and fell from 6th to 9th place in September. The Top 10 was completed with Taiwan with 2.5% of all distributed spam. France, Spain and Italy also produced a little more than 2% of the world spam.
Sources of spam in Europe by country
Vietnam was September's leading source of spam sent to European users (11.1%). Next came the USA with 9.1% and Russia on 6%.
They are followed by China (5.3%), India (4.5%), Argentina (3.7%) and South Korea (3.5%). About 3% of European spam originated from each of Brazil, Germany and.
The rating also includes Taiwan (2.7%), Spain (2.6%), Italy (2.5%) and Mexico (2.3%) in 11th-14th place. Iran was in 15th position with 2.2% of spam sent to European users. The percentage of spam that originated from elsewhere did not exceed 2%.
Malicious attachments in email traffic
In September, the Top 10 malicious programs distributed via email were:
Top 10 malicious programs distributed via email
Dofoil: Trojan-Downloader.Win32.Dofoil.dx, Trojan-Downloader.Win32.Dofoil.dy and Trojan-Downloader.Win32.Dofoil.dz occupied 1st, 6th and 9th places respectively. This type of malware downloads other malicious programs onto the victim computer and uses them to steal user data (primarily passwords) which it then sends to the fraudsters.
Trojan-Spy.HTML.Fraud.gen was in 2nd position. As we wrote before, this piece of malware from the Fraud.gen family is a fake data entry HTML page that is sent to users by email, disguised as an important message from large commercial banks, online stores, software companies etc.
Trojan-Banker.HTML.PayPal.b came 4th. This malicious program appears in the form of an HTML page imitating a PayPal form. Recipients of an email containing this attachment are asked to fill in the form to update their PayPal account after the launch of the new IT security system. The German-language form includes fields like E-Mail Adresse, PayPal passwort, Vollständiger Name, Nachname der Mutter (Fakultativ), Geburtsdatum, Telefonnummer, Adresse, Stadt, Land, Postzahl, Kartennummer, Verfallsdatum, Kartenprüfnummer, VBV Passwort / MasterCard. It seems the fraudsters are targeting German-speaking PayPal users.
Trojan-Downloader.MSWord.Agent.ba and Trojan-Downloader.MSWord.Agent.bf placed 5th and 8th in the ranking. These programs imitate a .doc file with built-in macros written in Visual Basic for Applications (VBA), which are executed when opening the document. The macros download and run malicious software, such as representatives of the Andromeda family.
Trojan.Win32.Vundo.adc completed the list of the most popular malicious programs distributed via email. This program downloads other malware, for example, Trojan-Banker.Win32.Fibbit, which compromises the data passing through banking client applications. The Trojan intercepts keystrokes, copies data from the clipboard, searches for certificate files with the .jks extension, makes screenshots and tries to read the "keys.dat" file. All the stolen data is packed into a CAB archive and sent to the attacker's server.
Distribution of email antivirus detections by country
For several months in a row, the three countries with the most antivirus detections have been Germany, the UK and the USA, each jostling for position at the top. In September, Germany took the lead (9.11%) followed by the UK (8.45%) and the USA (8.26%).
Russia was a big mover once again – after unexpectedly rising to 4th place in August it lost 4.14 percentage points and dropped down to 13th.
Special features of malicious spam
In September many mailings containing malicious attachments dealt with matters of hiring and firing. We registered a mass mailing that told recipients their employment contract with an organization (the company name varied from email to email) had been terminated for violations of the company's internal policy. The messages even provided the number and date of the alleged violations. The email also stated that recipients had already been issued written warnings demanding improved behavior in future. However, since nothing had been done, the labor contract was terminated.
To appeal this decision the recipient was invited to consult a lawyer before a specified deadline. The email contained an attached archive with documents about the supposed violations. To view the document, the recipient had to open the attachment. In fact, though, the attachment contained a representative of the Trojan-Downloader.Win32.Cabby family. This malware downloads other malicious software onto a victim computer, including various modifications of the Zbot family of programs.
Phishing
In September, Kaspersky Lab's anti-phishing component registered 18,779,357 detections, 13,874,415 fewer than in the previous month. This decline in the amount of phishing was caused by the end of the summer slowdown and the beginning of the business season. It should also be noted that September is often a month for presentations and other major company events. In the run-up to these, phisher activity grows, leading to a spike in the number of fraudulent attempts at the end of the summer.
In September, Brazil (17.8%) was once again the leading country for phishing attacks, even though its share was down 1.7 percentage points. Australia dropped to 3rd with 11.1% of all antivirus detections. Second came India (13.4%). The UAE (10.5%) and France (10.4%) were in 4th and 5th positions respectively.
The geography of phishing attacks*, September 2014
* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users
Top 10 countries by the percentage of attacked users:

| | Country | % of users |
|---|---|---|
| 1 | Brazil | 17.8 |
| 2 | India | 13.4 |
| 3 | Australia | 11.2 |
| 4 | UAE | 10.5 |
| 5 | France | 10.4 |
| 6 | Canada | 9.9 |
| 7 | China | 9.9 |
| 9 | Colombia | 9.4 |
| 8 | Bangladesh | 9.0 |
| 10 | UK | 8.0 |

Targets of attacks by organization
The statistics on phishing targets are based on detections made by Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page that has not previously been included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning of a potential threat.
In September, Global Internet Portals were again the leading category among the organizations most often attacked by phishers with 24.7%, even though the share decreased by 6.1 pp. The contribution of Social networks (20.2%) rose by 2.8 pp from the previous month.
Organizations most frequently targeted by phishers, by category – September 2014
Financial phishing accounted for 36.9% of all detections made by Kaspersky Lab's anti-phishing component, a 1.7 pp growth compared with the previous month. The percentage of detections affecting Banks accounted for 18.9% (+0.5pp), followed by online stores (11.4%, +1.4%) and E-payment systems (7.3%, +0.5%).

Top 3 organizations most frequently targeted by phishers

| | Organization | % of detections |
|---|---|---|
| 1 | Facebook | 11.16% |
| 2 | Yahoo! | 7.10% |
| 3 | Google | 6.31% |

In September, Facebook (11.1%) was most heavily targeted by phishers: its share was up 1.1 pp. Yahoo came 2nd with 7.1% of all Anti-Phishing component detections. The share of Google services halved compared to August and accounted for 6.3%, placing this organization 3rd.
September's spam traffic contained phishing mailings aimed at stealing logins and passwords to accounts with the popular Chinese online store Alibaba.com. The scammers tried to convince recipients to update their accounts or confirm their use, referring to a new security system and account maintenance. The design of the fake messages used the official logo and the Auto Signature of Alibaba.com as well as the standard anti-virus notification about the absence of threats in the email. The 'From' field named Alibaba.com as the sender and the sender's address contained mainly legitimate domain names. However, on closer examination, an observant recipient could notice spelling mistakes in the addresses of senders and see domain names which obviously did not belong to the company.
Phishing pages were included directly in the fake emails and had a similar design. Recipients had to fill in the fields entering not only email addresses and passwords but also company names, countries of residence and mobile phone numbers. This way the fraudsters collected additional information about their victims for use in future scams.
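The closer examination of the sender address described above can be automated at the mail gateway. The following Python is an added example, not part of the original report: it classifies a message's From header as authenticated, as unauthenticated use of the brand's real domain, as a misspelt lookalike domain, or as an unrelated domain behind a brand display name. The brand domain list, the gateway authserv-id mx.example.net and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the defender's own list of the brand's sending
# domains, and the authserv-id stamped by the defender's own mail gateway.
BRAND = "alibaba"
BRAND_DOMAINS = {"alibaba.com"}
TRUSTED_AUTHSERV = "mx.example.net"


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of a host name (simplified; use the Public Suffix List in production)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def dmarc_result(msg):
    """DMARC verdict from the trusted gateway's Authentication-Results header.
    Headers carrying any other authserv-id could have been added by the sender."""
    for value in msg.get_all("Authentication-Results", []):
        authserv = value.split(";")[0].split()
        if authserv and authserv[0].lower() == TRUSTED_AUTHSERV:
            found = re.search(r"\bdmarc=(\w+)", value)
            if found:
                return found.group(1).lower()
    return "none"


def classify_sender(raw_message):
    """Classify the From header of one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = registered_domain(addr.rpartition("@")[2])
    if domain in BRAND_DOMAINS:
        # A genuine-looking address proves nothing unless it authenticated.
        return "authenticated" if dmarc_result(msg) == "pass" else "unauthenticated-brand-domain"
    if min(edit_distance(domain, d) for d in BRAND_DOMAINS) <= 2:
        return "lookalike-domain"
    if BRAND in display.lower():
        return "display-name-mismatch"
    return "no-brand-claim"


def sample(from_header, auth=None):
    """Build a constructed test message (not taken from a real mailing)."""
    lines = [f"From: {from_header}", "Subject: Account maintenance"]
    if auth:
        lines.append(f"Authentication-Results: {auth}")
    return "\n".join(lines) + "\n\nPlease confirm your account.\n"


SAMPLES = {
    "spoofed": sample('"Alibaba.com" <service@alibaba.com>',
                      "mx.example.net; spf=fail; dmarc=fail header.from=alibaba.com"),
    "forged_result": sample('"Alibaba.com" <service@alibaba.com>',
                            "mail.sender.example; dmarc=pass header.from=alibaba.com"),
    "typo": sample('"Alibaba.com" <service@alibabba.com>'),
    "unrelated": sample('"Alibaba.com Service" <notice@mail-update.example>'),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_sender(raw))
```

The "forged_result" sample shows why only the gateway's own Authentication-Results header is consulted: a dmarc=pass line written under another authserv-id is ignored.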
In September, the percentage of spam in email traffic decreased by 0.7pp and averaged 66.5%. The main distributors of spam were the USA (12%), Vietnam (9.3%) and Russia (5.8%).
A Trojan downloader from the Dofoil family topped the rating of the most popular malware spread via email. This malicious program is used to download other malware onto victim computers.
In September, Kaspersky Lab's anti-phishing component registered 18,779,357 detections. According to the statistics, 17.8% of all detections targeted the users in Brazil. Australia, which was August's leader, moved down to 3rd position (11.1%). Global Internet Portals remained the leading category among the organizations most often attacked by phishers with 24.7% of all attacks. Financial phishing accounted for 36.9% of all detections made by Kaspersky Lab's anti-phishing component, a 1.7 pp growth compared with the previous month. In September's Top 3 organizations most frequently targeted by phishers, Facebook took the lead with 11.1% of all detections.
In September, "Nigerian" scammers switched their attention from events in Ukraine to health issues, in particular to the Ebola virus which was rarely far from the headlines this month.
Promotional mailings offered goods and services dedicated to America's Labor Day celebrations, as well as to the popular winter holidays celebrated worldwide. From now on we expect to see a sharp rise in the percentage of spam dedicated to Christmas and New Year festivities until it reaches its December peak.
Hotels, restaurants and airports used to offer customers free tablets while using their facilities. Recently while attending an event and staying in one such hotel, I had the chance to use a free iPad especially installed in my room.
To my surprise, it not only contained the event agenda and provided a free WiFi connection, but also included a lot of private personal information from previous guests who had stayed in the same room.
When I speak about private personal information, I mean accounts with pre-saved passwords, authorized sessions on social networks, search results from the browser (mostly pornographic content), full contacts automatically saved into the address book, iMessages and even a pregnancy calculator with real information. It was not even hard to figure out the identity of the woman who had used it, since she also left her personal contact information on the device.
Having full names and email addresses cached on the device, it was not hard to Google a little bit and find out that some of the users were very public people working for the government of the country where I was staying.
Most of the sessions were still open, even allowing the posting / sending of messages in the name of the user.
This is completely unacceptable from a security perspective. Basically, a potential attacker had the chance not only to read sent and received messages but also to impersonate the victim by sending messages in their name.
I also see this scenario as a perfect personal data collector for high profile spear phishing campaigns. On the other hand, if a potential attacker came from a classic cybercrime sphere, they might blackmail their victims. Moreover, it would be extremely easy for the criminal to do this, since they would have all kinds of data of the victims, including the name of pornographic movies watched on each specific date and time. Bearing in mind that some of the potential victims are public people and work for the government, most probably such blackmail would be successful.
So, what's wrong here? Well, I would say everything. First, it is unwise to use a free public device for personal and private communication. You just never know if the device is backdoored or who might be behind such hospitality. Second, if a public facility wants to offer its guests free portable devices for the duration of their stay, it's important that such devices are properly configured first, to apply sensible security policies such as not storing personal information, not saving passwords and so on.
Maybe I'm too suspicious, but having an unknown and untrusted device like a tablet in my room, which is equipped with an embedded camera and a mic, I just preferred to switch it off and store it inside a drawer. I had to do this every afternoon since the cleaning staff put it back on the desk every day I was at the hotel.
You also have to remember that, even if such a free device is properly configured and does not visibly store any private information, you can't be sure that the next guest is not an expert in forensic analysis, in which case they could just take an image of the whole device and then recover your personal information step by step.
You may follow me on twitter: @dimitribest
"Tarjeta BIP!" is the electronic payment system used in Chile to pay for public transportation via NFC incorporated in the user's smartphone. Numerous projects enabling mobile NFC ticketing for public transportation have been already executed worldwide. This is a trend. It means that criminal minds should be interested in it. Moreover, they are.
More and more people keep talking about the feature of payments via NFC. The problem in this particular case is that somebody reverse-engineered the "Tarjeta BIP!" cards and found a means to re-charge them for free. So, on Oct. 16 the very first widely-available app for Android appeared, allowing users to load these transportation cards with 10k Chilean pesos, a sum equal to approximately $17 USD.
MD5 (PuntoBIP.apk) = 06a676fd9b104fd12a25ee5bd1874176
Immediately after it appeared on the Internet, many users downloaded it and proved they were able to recharge their travel cards. All they had to do was install the app on an NFC-capable Android device, hold the travel card up to the phone and then push the button "Cargar 10k", which means "Refill the card with 10,000" Chilean pesos.
According to the metadata of the .dex file package, it was compiled on October 16, 2014 and is 884.5 kB (884491 bytes) in size. The feature it incorporates interacts directly with the NFC port: android.hardware.nfc
The app has four main features: "número BIP" - to get the number of the card, "saldo BIP" - to get the available balance, "Data carga" - to refill available balance and finally, maybe the most interesting is "cambiar número BIP" - allowing the user to change the card number altogether. Why would we say this last feature is the most interesting? Well, a source suggested the authorities were going to block fraudulently refilled BIP cards. However, as we can see, the app is able to change the BIP number.
Since the original links to download the app were taken down, new links have appeared, pointing to new servers and actually hosting a new app:
MD5 (PuntoBIP-Reloaded.apk) = 2c20d1823699ae9600dad9cd59e03021
This is a modified version of the previous app, compiled on the next business day, Oct 17, 2014, and a lot bigger at 2.7 MB (2711229 bytes). It includes an advertisement module which shows ads via the doubleclick network.
Since both apps allow users to hack a legitimate application, they are now detected by Kaspersky as HEUR:HackTool.AndroidOS.Stip.a
Since the app is a hot one and a lot of people from Chile are looking for it, I expect some bad guys to come along and create fake similar apps but trojanized to infect mobile users and take some advantage of their interest.
At the same time, it is important to mention that mobile payments are getting more and more popular. NFC is one of the most promising ports in this field. This is a good example of how fresh new payment schemes often present the same old problems.
Thanks to Roman Unuchek for his analytical insights.