Secure List feed for B2B

Syndicate content
Online headquarters of Kaspersky Lab security experts.
Updated: 58 min 6 sec ago

New gTLDs, same attacks

Thu, 07/10/2014 - 07:11

Cybercriminals around the world have already started to point their guns and attacks at the new gTLDs, the 'generic Top Level Domains' approved by ICANN and offered by registrars to people interested in buying a new domain name. Recently we found malicious activities including malware and phishing pages registered in the top level domains .club, .berlin, .blue, .computer, .camera, .futbol, .link, .pink, .report, .travel, .vacations and .xyz.

The new gTDLS were recently approved by ICANN and registrars are already offering them as a solution to those bored with the traditional .com or .org and who want more possibilities when registering internet domains. You should be prepared to see websites like"funny.dance"or "joe.dentist"or even "my.creditcard".

According nTLDStats.com, more than 1.4 million domains have already been registered using these new gTLDs:

There are now more than 322 new top level domains granted by ICANN, among these the most popular are .xyz (designated at Feb. 2014), .berlin and .club (both designated in January 2014):

Brazilian phishers and domains squatters are particularly interested in these new gTLDs, already having registered several new domains using names of local brands such as banks, online stores, and credit card companies. For example:

  • cielo-seucartaobateumbolao.xyz
  • megasaldao-americanas.xyz
  • lojadoricardoeletro.xyz
  • hsbc.club
  • santander.club
  • bradesco.club
  • ricardoeletro.club
  • ricardoeletro.computer
  • ricardoeletro.camera

These domains were registered with the intention of being used for phishing campaigns, so it comes as no surprise that the data registered in the respective "whois" databases is completely fake:

Malware is also involved. We're aware of bad guys hosting their exploit kits in such domains – the Nuclear Exploit Pack is currently using the .blue, .pink, .futbol, and .report gTLDs, as pointed out by security researcher Frank Denis.

But Brazilian bad guys aren't the only ones interested in the new gTLDs as English-speakers have showcased similar interests by already starting a fraudulent domain that sells coins for online games such as Fifa '14 and others.

Other phishers already started their phishing campaigns, even using older TLDs such as .travel (started in 2005). As you can see in the following abused domain that hosts a phishing page aimed at a Brazilian bank:

If you're a regular user, be aware of such links appearing in email messages or in social networks – they can be just as dangerous as others links. If you're a company, it's a great idea to start a brand monitoring process to insure that your company name or brand aren't being used in campaigns involving these new TLDs.

Kaspersky users are protected against all of these attacks.

Versatile DDoS Trojan for Linux

Thu, 07/10/2014 - 04:40

In February 2014, an article was published on a popular Russian IT website under a curious title - Studying the BillGates Linux Botnet. It described a Trojan with sufficiently versatile DDoS functionality. The capability that we found the most interesting was the Trojan's ability to conduct DNS Amplification-type attacks. In addition, it followed from the article that the Trojan had a sophisticated modular structure, something we had not seen in the world of Linux malware before.

The article also provided a link for downloading all of the Trojan's files (taken directly from an infected machine) - which is what we did.

The archive that we downloaded contained the following files, which, according to the author of the article, were all modules of the same Trojan:

  • atddd;
  • cupsdd;
  • cupsddh;
  • ksapdd;
  • kysapdd;
  • skysapdd;
  • xfsdxd.

The files cupsdd and cupsddh are detected by Kaspersky Lab products as Backdoor.Linux.Ganiw.a; atddd and the remaining files are detected as Backdoor.Linux.Mayday.f.

The archive with the files also contained a configuration file for cron - the Linux task scheduler. In this case, the utility is used by the Trojan as a means of getting a foothold in the system. The Trojan uses cron to perform the following tasks:

  1. Once a minute - terminate the processes of all applications that can interfere with its operation: .IptabLes, nfsd4, profild.key, nfsd, DDosl, lengchao32, b26, codelove, node24
  2. Approximately once in ninety minutes - terminate all of its processes: kysapd, atdd, skysapd, xfsdx, ksapd
  3. Approximately once in two hours - download all of its components to the /etc folder from http://www.dgnfd564sdf.com:8080/[module_name] (module_name = name of the Trojan's module, e.g., cupsdd), after deleting these files from the /etc folder
  4. Once in ninety minutes - relaunch all of its modules
  5. Every minute - purge system logs and bash command history and execute chmod 7777 [module_name]

During subsequent analysis of the files, we did not find any code responsible for saving the config file for cron. Most likely, the file was manually downloaded to the victim machine by a cybercriminal after gaining remote access to the system.

Backdoor.Linux.Mayday.f (atddd)

The file atddd is a backdoor designed to conduct various types of DDoS attacks against the servers specified. As mentioned above, Kaspersky Lab products detect it as Backdoor.Linux.Mayday.f. The files kysapdd, skysapdd, xfsdxd, ksapdd are almost exact copies of atddd - with one exception, which is discussed later in the text.

The backdoor starts its operation by calling the function daemon(1, 0), continuing to run in the background and redirecting standard input, output and errors to /dev/null

Next, atddd collects relevant information about the system, including:

  1. system version (by calling uname())
  2. number of CPU cores and their clock rates (taken from /proc/cpuinfo)
  3. CPU load (taken from /proc/stat)
  4. network load (data for interfaces with the "eth" prefix taken from /proc/net/dev)

The information listed above is stored in the g_statBase structure.

After this, the backdoor decrypts strings defining the C&C server's IP address and port number. The encryption algorithm used is very simple: an encrypted string is taken character-by-character, with 1 added to the ASCII code of a character if its number is odd and subtracted from it if the character's number is even. As a result, the string "3/3-2/4-269-85" yields the IP-адрес "202.103.178.76", while "2/:82" stands for port number "10991".

After this, atddd reads configuration file fwke.cfg, which is located in the same folder with the malicious program. Information from the config file is saved in the g_fakeCfg structure. If the file does not exist, the backdoor attempts to create it and store the following information in it:

1st line: 0        //flag, if 1 then begin attack, if 0 then terminate attack

2nd line: 127.0.0.1:127.0.0.1        //range of outgoing IP addresses

3rd line: 10000:60000        //outgoing port range for an attack

4th line: an empty line        //domain name in the case of DNS flood (see below)

This information is subsequently sent to the C&C server and can be updated with a command from the C&C.

Next, the backdoor creates a new thread, CThreadTaskManager::ProcessMain(), in which commands to begin an attack and terminate an attack are put into the execution queue. After this, a new thread is created - CThreadHostStatus::ProcessMain(). In this thread, data on CPU and network load is updated every second and can subsequently be sent to the C&C server if requested.

After this, 20 threads are created, which read information from the task queue and, depending on the information read, launch an attack or terminate it. However, some of the threads may not be used in an attack if the relevant C&C command has a parameter (the number of threads to be used).



Then the malware enters an endless loop of processing messages from the C&C. After a connection with the C&C is established, information about system version and CPU clock rate, as well as data from the g_fakeCfg structure, is sent to the C&C every 30 seconds.

In response, the server should send 4 bytes, the first of which is the serial number of a command - from 1 to 4.



Next, if the command has parameters, the C&C sends another 4 bytes defining the amount of data that will be sent (i.e., the parameters). Then the parameters themselves are sent; their size should match the number from the previous C&C response.

About each command in greater detail:

  • 0x01. Command to launch an attack. Parameters define the attack's type and the number of threads to be used. The attack type is defined by a byte which can take values from 0x80 to 0x84. This means that 5 attack types are possible:
    • 0x80 - TCP flood. The destination port number is sent by the C&C in its response as a parameter. The source port range is defined in fwke.cfg. Each new request is sent from a new port within the range defined, in the ascending order of port numbers. The destination IP address is also defined in parameters.
    • 0x81 - UDP flood. The same as 0x80, but UDP is used as the transport layer protocol.
    • 0x82 - ICMP flood. Same as above, but via ICMP.
    • 0x83, 0x84 - two DNS flood attacks. The only difference is the domain name sent in the DNS request. In the former case, the name is generated randomly, in the second, it is defined in a parameter (the fourth line in fwke.cfg). Essentially, both attacks are similar to 0x81, except that port 53 (the default port for the DNS service) is used as destination port.
  • 0x02. Command to terminate an attack. The value in the first line of fwke.cfg is changed to 0 and the attack is terminated.
  • 0x03. Command to update the file fwke.cfg. The response also includes a structure similar to g_fakeCfg, data from which is used to create the new fwke.cfg file.
  • 0x04. Command to send the current command's execution status to the C&C server.

In addition to the above, the backdoor includes several empty methods (without any code), which have curious names: CThreadAttack::EmptyConnectionAtk, CThreadAttack::FakeUserAtk, CThreadAttack::HttpAtk. Apparently, the malware writer had plans to extend the malicious program's functionality, and this is a test version rather than a final version. The file cupsdd, which is discussed below, provides a confirmation of this.

The files kysapdd, skysapdd, xfsdxd, ksapdd are almost identical copies of atddd, with the exception that they contain different C&C server addresses: 112.90.252.76:10991, 112.90.22.197:10991, 116.10.189.246:10991 and 121.12.110.96:10991, respectively. The names of their configuration files are also different: fsfe.cfg, btgw.cfg, fake.cfg, xcke.cfg, respectively.

This means that, contrary to our expectations, the files atddd, kysapdd, skysapdd, xfsdxd, ksapdd are not modules of a single piece of malware but rather different copies of the same Trojan, each connecting to its own C&C server. However, this is not the most curious part of it by far.

Backdoor.Linux.Ganiw.a (cupsdd)

Like the files described above, this file is a backdoor designed to carry out various types of DDoS attacks. However, cupsdd is significantly more feature-rich and sophisticated than its 'colleagues', although in places its code is very similar to that found in atddd.

The backdoor starts its operation by initializing the variables it needs from the string "116.10.189.246:30000:1:1:h:578856:579372:579888" (separator - ":"), which it first decrypts using the RSA algorithm. The string contains the following variables:

g_strConnTgt=116.10.189.246 - C&C server's IP address

g_iGatsPort=30000 - C&C server's port

g_iGatsIsFx=1 and g_iIsService=1 - flags used later

g_strBillTail=h - postfix for the name of the file that will be dropped (see below)

g_strCryptStart=578856, g_strDStart=579372, g_strNStart=579888 - pointers to RSA data (encrypted string and key)

Next, the malware drops and executes a file, which is located at offset 0xb1728 from the beginning of the original file and is 335872 bytes in size, provided that the file is not already running. The malware checks whether the file is running by trying to bind a socket to 127.0.0.1:10808. If the attempt is successful, it means that the file is not running, and it needs to be dropped and executed.

If the file is already running, its process, whose PID can be found in the file /tmp/bill.lock, is terminated (kill(pid, 9)). Then the file is dropped anyway, replacing the existing copy.

The name of the file that is dropped is generated from the name of the current file that is running + postfix from the variable g_strBillTail. In our case, the file was named cupsddh and was located in the same folder with the dropper.

After this, the current process forks and the child process calls the function system("/path/to/cupsddh"), which executes the file dropped.

Next, the function daemon(1, 0) is called, for the same purpose as in the case of the sample described above (atddd).

After this, the malware handles the situation if cupsdd was executed earlier and is currently active. For this purpose, it checks whether the file /tmp/gates.lock exists. If it does exist, the current process is terminated (exit(0)). If not, the file (/tmp/gates.lock) is created and the PID of the current process is written to it.

Then, if flag g_iIsService == 1, the backdoor sets itself to run at system startup by creating the following script named DbSecuritySpt in /etc/init.d/:

#!/bin/bash
/path/to/cupsdd

The malware also creates symbolic links to the script in /etc/rc[1-5].1/S97DbSecuritySpt



Next, the malware reads the configuration file conf.n (if it exists) from the same folder as the one in which cupsdd is located. The first 4 bytes of the file define the size of the data which follows. All the data is stored in the structure g_cnfgDoing.

Then the malware reads the file containing commands - cmd.n. The format is the same as in conf.n. The data is stored in the structure g_cmdDoing.

After this, the malware obtains all the necessary information about the system, including:

  • The operating system's name and kernel version (e.g., Linux 3.11.0-15-generic), by calling uname()
  • CPU clock rate, taken from /proc/cpuinfo
  • Number of CPU cores, taken from /proc/cpuinfo, and CPU load, taken from /proc/stat
  • Network load, taken from /proc/net/dev
  • Hard drive size in megabytes, taken from /proc/meminfo
  • Information about network interfaces, taken from /proc/net/dev

All the data is stored in the structure g_statBase.

Next, a new stream, CThreadTaskGates::ProcessMain, is created, in which the following commands are processed:

  • 0x03. DoConfigCommand(). Update the configuration file conf.n.
  • 0x05. DoUpdateCommand(). Start a new thread, CThreadUpdate::ProcessMain, in which update one of its components. The command accepts a number from 1 to 3 as a parameter. Each of the numbers is associated with one of the following strings:

    1 - "Alib" - the file /usr/lib/libamplify.so
    2 - "Bill" - the dropped module (cupsddh)
    3 - "Gates" - the dropper (cupsdd)



Depending on the parameter, one of the malicious program's components is updated. An update is launched by sending 6 bytes containing the string "EF76#^" to the C&C server, followed by one of the strings described above (depending on the parameter).

The C&C responds by sending 4 bytes containing the length (in bytes) of the file that will be transferred next. Then the C&C transfers the file itself in 1024-byte packets.

First, the file is saved in the /tmp folder under a random name consisting of digits. Then, depending on the file that was received, the existing file cupsdd (or cupsddh) is replaced or the file is copied to /usr/lib/libamplify.so

Next, the temporary file is deleted from /tmp, and the chmod command is used to set 755 permissions for the resulting file. After this, in the case of updating cupsddh, the active process is terminated and the new file is launched. In the case of updating cupsdd, the final stage (starting from copying a file from /tmp) is carried out by cupsddh, to which the relevant command is sent.

  • 0x07. DoCommandCommand(). Write a new command to cmd.n.
  • 0x02. StopUpdate(). Close the current connection, which was established in order to update modules.

Next, the backdoor starts several threads, in which it simultaneously performs several additional operations:

  • CThreadClientStatus updates the data on CPU and network load in the g_statBase structure every second.
  • CThreadRecycle removes completed tasks from the queue.
  • CThreadConnSender reads commands from the queue and passes them to the cupsddh module via a TCP connection with 127.0.0.1 on port 10808. In response it receives the status of their execution.
  • CThreadMonBill checks whether the module cupsddh is running once every minute. If not, it drops and executes it again.
  • CThreadLoopCmd reads commands from g_cmdDoing (the file cmd.n) and executes them using the call system(cmd).

Next, the main thread enters the loop of receiving and processing commands from the C&C server. There are two possibilities in this case, depending on the g_iGatsIsFx flag:

  1. If the flag is set (==1), the malware simply uses the new thread to send information about the system and the current configuration from g_cnfgDoing to the C&C and waits to receive commands in response, like the sample (atddd) described above;
  2. If the flag is not set, then the communication session is initiated by the C&C. In other words, the malware waits for the C&C to connect and begins to transfer the data mentioned above only when a connection has been established.



Commands received from the C&C are divided into two queues: either for execution in the current module (in the thread CThreadTaskGates described above) or for passing to the cupsddh module (thread CThreadConnSender).

Backdoor.Linux.Ganiw.a (cupsddh)

The file is packed with UPX. After being unpacked, it calls daemon(1,0). It creates the file /tmp/bill.lock, in which it stores the PID of the current process. cupsddh stores system data in the structure g_statBase, which is identical to that used by cupsdd.

Next, it populates the structure g_provinceDns with the IP addresses of DNS servers converted to binary data in network byte order using the function inet_addr(), taking data from the string array g_sProvinceDns (offset in unpacked file: 0x8f44с, size 4608 bytes).

cupsddh executes command "insmod /usr/lib/xpacket.ko" in an attempt to load the kernel module into the kernel. However, the file is not present on 'clean' systems, and the malware does not make any attempt to download it or obtain it in any other way.



Next, data from the file /usr/libamplify.so (as it turns out, this is not a library but one more config file) is loaded into the structure g_AmpResource. The file has the following format: 1st dword is the number of dwords that follow. Apparently, it contains the list of IP addresses for DNS servers that are currently relevant, i.e., those suitable for DNS Amplification type DDoS attacks.

After this, the module creates two threads: CThreadTask and CThreadRecycle. The former executes commands from a queue comprising commands which came from the cupsdd module. The latter removes commands that have been executed. Next, the main thread binds a socket to 127.0.0.1:10808 and enters an endless loop, receiving commands from the cupsdd module and putting the commands received into the above queue.

The following commands are possible:

  • 0x01. Start an attack according to the parameters received. See a more detailed description below.
  • 0x02. Terminate the current attack, setting the relevant flag.
  • 0x03. Update the current configuration in the g_cnfgDoing structure, which is used during an attack. Also, update the current local MAC address, as well as the MAC and IP address of the current gateway in the structure g_statBase.
  • 0x05. The final stage of updating the cupsdd module (described above).

Two main attack modes are possible: normal mode and kernel mode.

Kernel mode

This mode uses pktgen, a kernel-level packet generator built into Linux. Its advantage to the attacker is that traffic is generated with the greatest speed possible for the given network interface. In addition, the packets generated in this way cannot be detected using ordinary sniffers, e.g., the standard tcpdump, since packets are generated at kernel level.



The packet generator is controlled using a set of scripts/configs in the /proc/net/pktgen folder, but the module pktgen must first be loaded into the kernel by calling the command "modprobe pktgen". However, I did not find any such calls. Apparently, the call "insmod /usr/lib/xpacket.ko" is used instead, although, as mentioned above, the file is absent from the system by default. As a result, kernel mode is not operational in this version of the malware.

Nevertheless, the malware attempts to write several files to the /proc/net/pktgen folder, namely:

  1. the file /proc/net/pktgen/kpktgend_%d for each CPU core, where %d is the core number, beginning from 0. The file's contents is as follows:

    rem_device_all
    add_device eth%d
    max_before_softirq 10000



  2. the file /proc/net/pktgen/eth%d for each CPU core, where %d is the core number, beginning from 0. The file's contents is as follows:

    count 0
    clone_skb 0
    delay 0
    TXSIZE_RND
    min_pkt_size %d
    max_pkt_size %d
    IPSRC_RND
    src_min %s
    src_max %s
    UDPSRC_RND
    udp_src_min %d
    udp_src_max %d
    dst %s
    udp_dst_min %d
    udp_dst_max %d
    dst_mac %02x:%02x:%02x:%02x:%02x:%02x        //MAC address of the gateway from g_statBase
    is_multi %d
    multi_dst %s        //if there are several addresses to be used in an attack (i.e., if the value in the previous line is not equal to 0), they are set in these lines, the number of which matches the previous parameter
    pkt_type %d
    dns_domain %s
    syn_flag %d
    is_dns_random %d
    dns_type %d
    is_edns %d
    edns_len %d
    is_edns_sec %d

    The values of most pktgen parameters are passed from cupsdd via command parameters.

  3. the file /proc/net/pktgen/pgctrl, which contains the string "start".
Normal attack mode

As in the case of atddd, normal attack mode uses raw sockets.

The following attack types are possible in this mode:

  • CAttackSyn - TCP-SYN flood.
  • CAttackUdp - UDP flood (as in the case of atddd)
  • CAttackDns - DNS flood (as in the case of atddd)
  • CAttackIcmp - ICMP flood (as in the case of atddd)
  • CAttackCc - HTTP flood.
  • CAttackAmp - DNS Amplification.

The last attack type on the list above is different in that packets are sent to vulnerable DNS servers, with the attack target specified as the sender's IP address. As a result, the cybercriminal sends a small packet with a DNS request and the DNS server responds to the attack target with a significantly larger packet. The list of vulnerable DNS servers is stored in the file libamplify.so, which is written to disk following the relevant command from the C&C.

Post Scriptum. BillGates v1.5

This version of the Trojan appeared a little later and is probably currently the latest. Essentially, this is the same cupsdd, only a little 'shaped up'. Overall, there is more logic in the code, plus there are a couple of new functions.

The most significant changes were made to the Gates module, i.e., the file cupsdd. Now it has three operating modes. The choice of mode is based on the folder from which the file is launched. Specifically, if it is launched from /usr/bin/pojie, then monitoring mode is enabled, otherwise the module operates in installation and updating mode, which is later superseded by the mode in which it controls the Bill module.

  1. Installation and updating mode.

    First, the module terminates its process working in monitoring mode, if it exists. Its PID is kept in the file /tmp/moni.lock.
    Next, it reinstalls and re-launches the Bill module.
    Next, if a process working in the 'controlling the Bill module' mode exists, that process is terminated. Its PID is kept in the file /tmp/gates.lock.
    If the flag g_iIsService is set (it is defined in the same way as in the previous version), the module sets itself to run at system startup in the same way as before (in the previous version).
    Next, the module writes its path to the file /tmp/notify.file and then copies itself to the file /usr/bin/pojie. After this, it launches its copy, which is, obviously, set to run in monitoring mode, and then changes its own operating mode to controlling the Bill module.

  2. Monitoring mode.

    Writes the PID of the current process to the file /tmp/moni.lock. Next, it starts two threads - one to monitor the Bill module and the other to monitor the Gates module operating in controlling Bill mode. If one of these processes is currently not running, the relevant file is created and launched again.

  3. Controlling the Bill module mode.

    The actions of the Gates module are exactly the same as they were in the previous version of the Trojan (after installing the Bill module and initializing the relevant variables and structures of the Trojan).

To summarize, in the new version of the Trojan its authors have added a little 'robustness' without making any significant functionality changes.

It is also worth noting that the hard-coded IP address of the C&C server has remained the same (116.10.189.246) in this version, but the port number has changed - it is now 36008 instead of 30000 in the previous version.

Cloud Services: Holes in Corporate Network Security

Wed, 07/09/2014 - 07:00

The most popular uses of cloud services include: storing image scans of passports and other personal documents; synchronization of password, contact list, and email/message databases; creating sites; storing versions of source codes, etc. When cloud-based data storage service Dropbox announced a patched vulnerability in its link generator, it once again sparked online discussions about how important it is to encrypt confidential data before uploading it to an online storage, even a private one. Well, File encryption (FLE) does indeed protect confidential information stored in the cloud, even if there are vulnerabilities in controlling access to user documents with certain cloud storage services.

It's tempting to think that you can secure yourself against all possible risks by encrypting your data before you upload it to a cloud storage service, or by foregoing cloud services altogether. But is that really true? As it turns out, no, it isn't.

The Internet is full of recommendations on how to "effectively use cloud-based storage services" including advice on how to remotely control a PC, monitor your computer while you are away, manage your torrent downloads, and many other things. In other words, users create all types of loopholes all by themselves. These loopholes can then be easily exploited by a Trojan, a worm, not to mention a cybercriminal, especially in targeted attacks.

So we asked ourselves: how likely is it that a corporate network can be infected via a cloud service?

At the Black Hat 2013 conference, Jacob Williams, Chief Scientist at CSRgroup Computer Security Consultants, gave a presentation on using Dropbox to penetrate a corporate network. While conducting a trial penetration test (pen test), Jacob used the Dropbox thin client installed on a laptop located outside of a corporate network to spread malware to devices within that network.

Jacob first used phishing to infect an employee's computer, then embedded malicious scripts into documents stored in the laptop's cloud-hosted folder. Dropbox automatically updated (synchronized) the infected documents on all the devices attached to the user's account. Dropbox is not unique in this respect: all applications providing access to popular cloud file services have an automatic synchronization feature, including Onedrive (aka Skydrive), Google Disk, Yandex Disk, etc.

When the user opened the infected document on a workstation located within the corporate network, the malicious scripts embedded in the document installed the backdoor DropSmack on that workstation - it was specifically crafted by Jacob for this pen test. As its name suggests, DropSmack's main feature is that it uses the Dropbox cloud file storage service as a channel to manage the backdoor and leak corporate documents through the corporate firewall.




Flow chart of Jacob Williams's experiment

In the pen test, Jacob used a stunningly simple method to penetrate the corporate network - it is an obvious loophole!

We also decided to check if cybercriminals are using Dropbox, OneDrive, Yandex Disk or Google Disk to spread malware for real. We collected information from KSN about instances of malware detected in cloud-based folders belonging to Kaspersky Lab product users, and found out infections like these were detected for very few users: in May this year, only 8,700 people encountered an infection in their cloud-based folder. Among Kaspersky Lab's home product users, such instances account for only 0.42% of all malware detection cases, and 0.24% for corporate product users.

We should point out one important detail: if a piece of malware is uploaded from one device, all clients connected to the infected account will download it to their devices, and they will do so via HTTPS. Even if a security solution detects the malware in the synchronization folder and deletes it, the cloud client will keep downloading it from the cloud in an endless loop.

According to the data we collected, some 30% of malware detected in cloud folders on home computers had penetrated to these computers via synchronization mechanisms. For corporate users this number reaches 50%. Thus, the infection mechanism demonstrated by Jacob Williams in his demonstration malware, does cause infections in real life. Fortunately, we have not (yet) detected targeted attacks launched using cloud-based data storage services.

If we look into the malware we detected in the cloud folders on users' computers, files for Win32, MSIL, VBS, PHP, JS, Excel, Word and Java dominate. It should be noted that there is a small difference between corporate and home users: for corporate users, infected MS Office files occur more often, while home users also face unique threats on their lists in the form of malicious Android applications.

TOP 10 verdicts:

 

Consumer Corporate 1 Email-Worm.Win32.Runouce.b Email-Worm.Win32.Brontok.dam.a 2 Email-Worm.Win32.Brontok.q Virus.Win32.Sality.gen 3 not-a-virus:AdWare.Win32.RivalGame.kr Virus.Win32.Tenga.a 4 Virus.Win32.Nimnul.a Trojan-Dropper.VBS.Agent.bp 5 Trojan-Clicker.HTML.IFrame.aga Trojan.Win32.Agent.ada 6 Exploit.Win32.CVE-2010-2568.gen Trojan.Win32.MicroFake.ba 7 Virus.Win32.Sality.gen Exploit.Win32.CVE-2010-2568.gen 8 Worm.Win32.AutoRun.dtbv Worm.Win32.AutoRun.dtbv 9 Trojan-Dropper.VBS.Agent.bp Trojan.Win32.Qhost.afes 10 Trojan.Win32.Genome.vqzz Virus.Win32.Nimnul.a

More often than not, virus writers use cloud storage as a place to host their malware rather than a platform to spread them. During the research, we did not encounter a single worm or backdoor (except DropSmack) specifically targeting cloud-based file storages. Naturally, these services try to counter malware which takes up storage room in the cloud. In addition hosting malware affects the service's reputation, although cloud services are not formally responsible for what files their clients upload to the storage. Regular scans of all files contained in the cloud will obviously require a lot of resources that the services would rather use to store data.

As a result of this research, we concluded that there is a relatively low risk of a corporate network being infected via cloud storage: over a period of a year, just 1 out of 1,000 corporate users using cloud services risks infection. It should be remembered, however, that in some cases even a single infected computer in a corporate network can lead to substantial damage.

Here are some measures that can be used to protect corporate networks:

  • Tighten up Firewall/IDS security settings, block access to popular online storage services. The big disadvantage this approach has is that it requires constant and close monitoring of new blacklist candidates as they emerge online.
  • Install a multi-purpose Security Suite. It must incorporate a heuristic and behavior-based antivirus, access restriction features (HIPS), a tool to control the functioning of the operating system (System Watcher or Hypervisor), and a tool to prevent exploitation of vulnerabilities, etc. Once installed, the product must be carefully configured.
  • Remember that even the most sophisticated Security Suite can miss an APT attack. Therefore, attention should be paid to Application Control (it should be configured at Default deny). This is perhaps one of the most reliable tools that will block any unknown software, including malware spread during a targeted attack. The most difficult task arising while deploying Application Control is to configure appropriate rules so that all permitted applications can be launched and updated without problems. To this end, the manufacturers of products which include the Application Control feature have developed dedicated tools: software updates via trusted update programs, preset software whitelists including all possible system and user files, access to huge cloud services and information databases about the entire diversity of whitelisted software.
  • In special cases, Application control should be used to restrict the use of cloud clients within the corporate network. Only trusted employees should be allowed to launch the applications with which to synchronize cloud folders.

As for networks with the most rigorous security requirements, such as those managing power plant operations and water supplies, which guard state secrets or control defense facilities - for all of these we thoroughly recommend not using cloud-based file storage services at all.

Suarez phishing 'petition' dupes users and their friends

Tue, 07/08/2014 - 04:00

At the end of last week we came across a curious method of distributing links to a phishing page that collects users’ personal data.

The FIFA World Cup in Brazil is attracting not only football fans in all parts of the world, but cybercriminals too. The phishing page is designed to imitate the FIFA website. Visitors are asked to sign a petition in defense of Luis Alberto Suárez, a forward for the Uruguayan national team. (On June 24, in a last group stage match between Uruguay and Italy, Suarez bit Italy defender Giorgio Chiellini on the shoulder. As a result, Suarez was disqualified for nine official matches for the national team and banned from all football-related activity for four months. He was also slapped with a fine).

To sign the petition, the user needs to fill out a form, entering his or her name, country of residence, mobile phone number and email address:


Phishing page asking football fans to sign a petition

The phishing page matches the design of the official website and all links on it redirect users to FIFA’s official site, fifa.com. The phishing domain was created on June 27, 2014. According to the whois database, it was registered in the name of a person residing in London. The data collection form was developed by the phishers using Google.Docs. Personal data obtained from the form can be used to send spam, phishing and SMS messages, as well as malicious apps. In addition, armed with users’ email addresses and telephone numbers the cybercriminals can conduct targeted attacks involving banking Trojans for computers and mobile devices. This technique is used to get round two-factor authentication in online banking systems in cases when a one-time password is sent via SMS.

After filling out the ‘petition’ form, victims were encouraged to share a link to the page with their friends on Facebook:


Window prompting users to share the link to the ‘petition’ with friends


Pop-up Facebook window

Unsuspecting fans shared links to the fake petition on their Facebook pages. This enabled the phishing link to spread widely across Facebook in a matter of days.


Example of an unsuspecting user sharing a link to the phishing page on a social network

Messages with links to the phishing page were also seen on dedicated forums, from which users probably reached the phishing page originally.

Miniduke is back: Nemesis Gemina and the Botgen Studio

Thu, 07/03/2014 - 04:46
A 2014 update on one of the world's most unusual APT operations

In 2013, together with our partner CrySyS Lab, we announced our research on a new APT actor we dubbed "Miniduke". It stood out from the "APT bunch" for several reasons, including:

  • Its use of a customized backdoor written in Assembler (who still writes in Assembler in the age of Java and .NET?)
  • A unique command and control mechanism that uses multiple redundancy paths, including Twitter accounts
  • Stealthy transfer of updates as executables hidden inside GIF files (a form of steganography)

We have pointed out that this threat actor used malware developed using "old-school" virus writing techniques and habits.

Our analysis was continued later by researchers from CIRCL/Luxembourg and several other AV companies. Recently, we became aware of an F-Secure publication on the same topic (under the name "CosmicDuke").

In the wake of our publications from 2013, the Miniduke campaigns have stopped or at least decreased in intensity. However, in the beginning of 2014 they resumed attacks in full force, once again grabbing our attention.

We believe it's time to uncover more information on their operations.

"Old" Miniduke in 2014

The old style Miniduke implants from 2013 are still around and being used during the current campaigns.

It still relies on Twitter accounts which contain a hardcoded C&C URL pointing to the command and control server. One such account was the following, observed in February 2014:

Although the format of the C&C URL was changed from previous variants, the encoding algorithm is the same. The line above can be decoded into the full C&C URL:

hxxp://algherolido.it/img/common/thumb/thumb.php

This decoded URL was an active C&C, from which several updates have been collected:

Update 1:

MD5 93382e0b2db1a1283dbed5d9866c7bf2 Size 705536 bytes Compilation Sat Dec 14 18:44:11 2013

This Trojan is a large package, due to the use of a custom packer. The bundle has a specific debug string inside:

C:\Projects\nemesis-gemina\nemesis\bin\carriers\ezlzma_x86_exe.pdb

The package executes a smaller Trojan module:

MD5 b80232f25dbceb6953994e45fb7ff749 Size 27648 bytes Compilation timestamp Wed Mar 05 09:44:36 2014 C&C hxxp://rtproductionsusa.com/wp-includes/images/smilies/icon_gif.php

Another update that has been observed on the C&C server was:

Update 2:

MD5 7fcf05f7773dc3714ebad1a9b28ea8b9 Size 28160 bytes Compilation timestamp Fri Mar 07 10:04:58 2014 C&C hxxp://tangentialreality.com/cache/template/yoo_cache.php

We have observed another similar Trojan, although not on the C&Cs directly:

MD5 edf7a81dab0bf0520bfb8204a010b730,
ba57f95eba99722ebdeae433fc168d72 (dropped) Size 700K, 28160 (dropped) Compilation timestamps Sat Dec 14 18:44:11 2013 (top)
Fri Jan 10 12:59:36 2014 (dropped) C&C hxxp://store.extremesportsevents.net/index.php?i=62B...[snip]

The use of the Nemesis Gemina packer in the Miniduke payloads made us look for further samples in our collection. This led us to several new findings.

The "New" Miniduke Malware (the "CosmicDuke")

After the 2013 exposure, the actor behind Miniduke appears to have switched to using another custom backdoor, capable of stealing various types of information.

The malware spoofs popular applications designed to run in the background, including file information, icons and even file size:

The main "new" Miniduke backdoor (aka TinyBaron or CosmicDuke) is compiled using a customizable framework called "BotGenStudio", which has flexibility to enable/disable components when the bot is constructed.

The components can be divided into 3 groups

  1. Persistence
  2. Reconnaissance
  3. Exfiltration
Persistence

Miniduke/CosmicDuke is capable of starting via Windows Task Scheduler, via a customized service binary that spawns a new process set in the special registry key, or is launched when the user is away and the screensaver is activated.

Reconnaissance

The malware can steal a variety of information, including files based on extensions and file name keywords:

*.exe;*.ndb;*.mp3;*.avi;*.rar;*.docx;*.url;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;
*login*;*admin*;*sifr*;*sifer*;*vpn;*.jpg;*.txt;*.lnk; *.dll;*.tmp;*.obj;*.ocx;*.js

Note: we believe the "*sifr*" and "*sifer*" keywords above refer to the transliteration of the English word "Cypher" in some languages.

Also, the backdoor has many other capabilities including:

  • Keylogger
  • Skype password stealer
  • General network information harvester
  • Screen grabber (grabs images every 5 minutes)
  • Clipboard grabber (grabs clipboard contents every 30 seconds)
  • Microsoft Outlook, Windows Address Book stealer
  • Google Chrome password stealer
  • Google Talk password stealer
  • Opera password stealer
  • TheBat! password stealer
  • Firefox, Thunderbird password stealer
  • Drives/location/locale/installed software harvester
  • WiFi network/adapter information harvester
  • LSA secrets harvester
  • Protected Storage secrets harvester
  • Certificate/private keys exporter
  • URL History harvester
  • InteliForms secrets harvester
  • IE Autocomplete, Outlook Express secrets harvester
  • and more...
Exfiltration

The malware implements several methods to exfiltrate information, including uploading data via FTP and three variants of HTTP-based communication mechanisms. A number of different HTTP connectors act as helpers, trying various methods in case one of them is restricted by local security policies or security software. These three methods are:

  • Direct TCP connection and HTTP session via Winsock library
  • HTTP session via Urlmon.dll
  • HTTP session via invisible instance of Internet Explorer as OLE object
Implementation Specifics

Each victim is assigned a unique ID, making it possible to push specific updates to an individual victim. As we noted, Miniduke/CosmicDuke is protected with a custom obfuscated loader which heavily consumes CPU resources for 3-5 minutes before passing execution to the payload. This not only complicates analysis of the malware but is also used to drain resources reserved for execution in emulators integrated in security software. Besides its own obfuscator, it makes heavy use of encryption and compression based on the RC4 and LZRW algorithms respectively. Implementations of these algorithms have tiny differences from the standardized code which perhaps looks like a mistake in the code. Nevertheless, we believe that these changes were introduced on purpose to mislead researchers.

One of the more technically advanced parts of Miniduke is the data storage. The internal configuration of the malware is encrypted, compressed and serialized as a complicated registry-like structure which has various record types including strings, integers and internal references.

In addition, Miniduke uses an unusual method to store the exfiltrated data. When a file is uploaded to the C&C server it is split into small chunks (~3KB), which are compressed, encrypted and placed in a container to be uploaded to the server. If the source file is large enough it may be placed into several hundred different containers that are uploaded independently. These data chunks are probably parsed, decrypted, unpacked, extracted and reassembled on the attacker' side. This method is used to upload screenshots made on the victim's machine. Creating such a complicated storage might be an overhead; however, all those layers of additional processing guarantees that very few researchers will get to the original data while offering an increased reliability against network errors.

Victim geography and profiles

Based on our analysis, the victims of Miniduke and CosmicDuke fall into these categories:

  • government
  • diplomatic
  • energy
  • telecom operators
  • military, including military contractors
  • individuals involved in the traffic and selling of illegal and controlled substances

From one of the old style Miniduke servers we were able to extract a list of victims and their corresponding countries. We were able to identify victims in three of these countries which belonged to the "government" category. Here's the list of countries affected:

  • Australia
  • Belgium
  • France
  • Germany
  • Hungary
  • Netherlands
  • Spain
  • Ukraine
  • United States

One of the CosmicDuke servers we analyzed had a long list of victims dating back to April 2012. This server had 265 unique identifiers assigned to victims from 139 unique IPs. Geographical distribution of the victims was as follows (top10):

84 Georgia 61 Russia 34 United States 14 United Kingdom 9 Kazakhstan 8 India 8 Belarus 6 Cyprus 4 Ukraine 4 Lithuania


According to our analysis, the attackers were more interested in expanding their operations and scanned IP ranges and servers in Azerbaijan, Greece and Ukraine.

Command and control server analysis and hacking tools

During the analysis, we were able to obtain a copy of one of the CosmicDuke command and control servers. It appears it was also used for other operations by the group members, including hacking into other servers on the internet.

The attackers have deployed a number of publicly available hacking tools on this server in order to scan and compromise websites of victim organizations as well as collect information for future targeted attacks.

Here is the list of hacking tools found on the server:

Hydra: "A very fast network logon cracker which support many different services"

Fierce2: "A semi-lightweight enumeration scanner that helps penetration testers locate non-contiguous IP space and hostnames for a specified domains using things like DNS, Whois and ARIN"

The Harvester: "The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database"

RitX: "A Reverse IP Lookup Tool that will allows you to use an IP address or domain name to identify all currently domains hosted on a server using multiple services and various techniques"

Joomscan: "OWASP Joomla! Vulnerability Scanner"

Ncrack: "High-speed network authentication cracking tool. It allows for rapid, yet reliable large-scale auditing of multiple hosts"

Sqlmap: "An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers"

WPScan: "A black box WordPress vulnerability scanner"

Note: tool descriptions were copied from their public websites

Attribution and Artifacts, connections with other campaigns

Although the attackers use English in several places, indicating knowledge of this language, there are certain indicators to suggest they are not native English speakers.

The following strings were discovered in a block of memory appended to the malware component used for persistence:

www.mirea.ru
e.mail.ru
gmt4
c:\documents and settings\владимир\local settings\...

The C&C hosts appear to have been compromised by the attackers, which uploaded a specific webshell.




The Miniduke attackers' webshell on hacked hosts

For the webshell, it is interesting to point to the use of Codepage 1251, which is commonly used to render Cyrillic characters. The password used to protect the shell, is checked against the MD5 hash "35c7c2d1fe03f0eeaa4630332c242a36". (BTW: can you crack it? It took us some days to solve it!)

Perhaps it is noteworthy to say that the same webshell has been observed in the operations of another advanced threat actor known as Turla, Snake or Uroburos.

Another interesting aspect is the debug path strings from the malware, which indicate several build environments or groups of "users" of the "Bot Gen Studio", "NITRO" and "Nemesis Gemina":

c:\botgenstudio\generations\fdd88801\bin\Bot.pdb
c:\botgenstudio\generations\fed14e50\bin\Bot.pdb
D:\SVA\NITRO\BotGenStudio\Interface\Generations\80051A85\bin\bot.pdb
d:\sva\nitro\botgenstudio\interface\generations\805f8183\bin\Bot.pdb
d:\production\nitro\sva\generations\80deae99\bin\Bot.pdb
C:\Projects\nemesis-gemina\nemesis\bin\carriers\ezlzma_x86_exe.pdb
C:\Projects\NEMESIS\nemesis-gemina\nemesis\bin\carriers\ezlzma-boost-kitchen_sink_x86_exe.pdb
D:\PRODUCTION\NITRO\SVA\Generations\80911F82\bin\bot.pdb

Based on the compilation timestamps, we were able to put together the following chart indicating the activity of the Miniduke/CosmicDuke attackers on a 'Day of the Week' basis:

It appears the attackers follow the Mon-Fri work week, however, they do work on the weekends from time to time.

In terms of activity hours, the attackers appear to be working between 6am and 7pm GMT. Most of the work is done between 6am and 4pm though.



Conclusions

Although they stopped or at least decreased in intensity following our announcement last year, the Miniduke attacks are now back in force. The old style Miniduke malware is still being used, deploying previously known stages packed with a new obfuscator observed with the mysterious "Bot Gen Studio" for the "NITRO" and "Nemesis Gemina" projects.

While the old style Miniduke implants were used to target mostly government victims, the new style CosmicDuke implants have a somehow different typology of victims. The most unusual is the targeting of individuals that appear to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and hormones. These victims in the NITRO project have been observed only in Russia. One possibility is that "Bot Gen Studio" is a malware platform also available as a so-called "legal spyware" tool, similar to others, such as HackingTeam's RCS, widely used by law enforcement agencies. Another possibility is that it's simply available in the underground and purchased by various competitors in the pharmaceutical business to spy on each other.

At the same time, the "Nemesis Gemina" project focuses on government, diplomatic, energy, military and telecom operators.

One of the big questions here is: Are the Miniduke attackers still "elite"? Though the old malware is still in use, the new malware is no longer pure assembler; instead, it's written in C/C++.

The new samples of Miniduke/CosmicDuke use a powerful obfuscator. For almost all of the samples we analyzed, it jumps to the beginning of dynamic PE loader - always from the same "l33t" address (if memory layout allowed it during the bot construction):



Hence, you could say that CosmicDuke is still "l33t"!