Feed aggregator

12 Million Home Routers Vulnerable to Takeover

Threatpost for B2B - Thu, 12/18/2014 - 12:23
Check Point has disclosed few details on a cookie vulnerability in the RomPager webserver running inside 12 million embedded devices. The flaw puts home routers at risk to attack.

Critical Remotely Exploitable Bugs Found in Schneider Electric ProClima Software

Threatpost for B2B - Thu, 12/18/2014 - 10:58
There are a number of critical, remotely exploitable command injection vulnerabilities in Schneider Electric’s ProClima software, which is used in manufacturing and energy facilities. The ProClima application is a utility that customers use to design control panel enclosures in industrial facilities to help manage the heat from enclosed electrical devices. The bugs affect ProClima versions […]

Ryan Olson on the CoolReaper Backdoor

Threatpost for B2B - Thu, 12/18/2014 - 10:01
Dennis Fisher talks with Ryan Olson of Palo Alto Networks about their discovery and analysis of the CoolReaper backdoor on some Coolpad Android devices sold in China.

White House to Blame Sony Hack on North Korea

Threatpost for B2B - Thu, 12/18/2014 - 09:57
The White House reportedly will attribute the Sony hack to North Korea, but will hold off on a public announcement until it figures out a response.

Chthonic: a New Modification of ZeuS

Secure List feed for B2B - Thu, 12/18/2014 - 06:00

In the fall of 2014, we discovered a new banking Trojan, which caught our attention for two reasons:

  • First, it is interesting from the technical viewpoint, because it uses a new technique for loading modules.
  • Second, an analysis of its configuration files has shown that the malware targets a large number of online-banking systems: over 150 different banks and 20 payment systems in 15 countries. Banks in the UK, Spain, the US, Russia, Japan and Italy make up the majority of its potential targets.

Kaspersky Lab products detect the new banking malware as Trojan-Banker.Win32.Chthonic.

The Trojan is apparently an evolution of ZeusVM, although it has undergone a number of significant changes. Chthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.

Infection

We have seen several techniques used to infect victim machines with Trojan-Banker.Win32.Chthonic:

  • sending emails containing exploits;
  • downloading the malware to victim machines using the Andromeda bot (Backdoor.Win32.Androm in Kaspersky Lab classification).

When sending messages containing an exploit, cybercriminals attached a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products. The file has a .DOC extension to make it look less suspicious.

Sample message with CVE-2014-1761 exploit

In the event of successful vulnerability exploitation, a downloader for the Trojan was downloaded to the victim computer. In the example above, the file is downloaded from a compromised site – hxxp://valtex-guma.com.ua/docs/tasklost.exe.

The Andromeda bot downloaded the downloader from hxxp://globalblinds.org/BATH/lider.exe.

Downloading the Trojan

Once downloaded, the downloader injects its code into the msiexec.exe process. It seems that the downloader is based on the Andromeda bot's source code, although the two use different communication protocols.

Example of common functionality of Andromeda and Chthonic downloaders

Differences in communication protocols used by Andromeda and Chthonic C&C

The Chthonic downloader contains an encrypted configuration file (similar encryption using a virtual machine was used in KINS and ZeusVM). The main data contained in the configuration file includes: a list of C&C servers, a 16-byte key for RC4 encryption, UserAgent, botnet id.

The main procedure of calling virtual machine functions

After decrypting the configuration file, its individual parts are saved on the heap in the following format:

This is done without passing pointers. The bot finds the necessary values by examining each heap element using the RtlWalkHeap function and matching its initial 4 bytes to the relevant MAGIC VALUE.

The downloader puts together a system data package typical of ZeuS Trojans (local_ip, bot_id, botnet_id, os_info, lang_info, bot_uptime and some others) and encrypts it first using XorWithNextByte and then using RC4. Next, the package is sent to one of the C&C addresses specified in the configuration file.
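To make the two-layer packet encryption concrete for anyone decoding captured C&C traffic, here is an added example (not code from the Securelist write-up or from the malware): a reference implementation of RC4 plus the byte-chain XOR layer, with the bot-side order (XOR chain, then RC4) and the analyst-side inverse. The exact semantics of "XorWithNextByte" are assumed to be "each byte is XORed with the byte that follows it, processed front to back"; the 16-byte key and the system-data record are constructed samples, and the `key=value;` field layout is an assumption used only to make the record parseable.

```python
"""Decoder for the ZeuS-style two-layer packet encryption: a byte-level
XOR chain ("XorWithNextByte") followed by RC4.

Added example, not code from the article or the malware. Assumptions:
  * XorWithNextByte == buf[i] ^= buf[i+1], front to back, last byte untouched;
    the inverse walks back to front.
  * SAMPLE_KEY and SAMPLE_RECORD are constructed values, not real ones.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (symmetric: the same call encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_with_next_byte(data: bytes) -> bytes:
    """Forward pass (assumed reading of the scheme): buf[i] ^= buf[i+1].
    Processed front to back, so buf[i+1] is still the original byte."""
    buf = bytearray(data)
    for i in range(len(buf) - 1):
        buf[i] ^= buf[i + 1]
    return bytes(buf)


def undo_xor_with_next_byte(data: bytes) -> bytes:
    """Inverse pass: walk back to front so buf[i+1] is already restored."""
    buf = bytearray(data)
    for i in range(len(buf) - 2, -1, -1):
        buf[i] ^= buf[i + 1]
    return bytes(buf)


def encode_packet(key: bytes, plaintext: bytes) -> bytes:
    """Bot side, in the order the article states: XOR chain, then RC4."""
    return rc4(key, xor_with_next_byte(plaintext))


def decode_packet(key: bytes, ciphertext: bytes) -> bytes:
    """Analyst side: peel the layers in reverse, RC4 first, then the XOR chain."""
    return undo_xor_with_next_byte(rc4(key, ciphertext))


def parse_record(record: bytes) -> dict:
    """Split an assumed 'key=value;key=value' record into a dict."""
    fields = {}
    for item in record.split(b";"):
        if b"=" in item:
            k, v = item.split(b"=", 1)
            fields[k.decode()] = v.decode()
    return fields


# Constructed sample: a fake system-data record using the field names the
# article lists (local_ip, bot_id, botnet_id, os_info, lang_info, bot_uptime).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
SAMPLE_RECORD = (b"local_ip=10.0.0.5;bot_id=TEST_PC;botnet_id=sample;"
                 b"os_info=6.1;lang_info=0409;bot_uptime=42")


def demo() -> dict:
    """Encrypt the sample as the bot would, then recover it as an analyst."""
    wire = encode_packet(SAMPLE_KEY, SAMPLE_RECORD)
    recovered = decode_packet(SAMPLE_KEY, wire)
    return {
        "wire_len": len(wire),
        "roundtrip_ok": recovered == SAMPLE_RECORD,
        "fields": parse_record(recovered),
    }


if __name__ == "__main__":
    print(demo())
```

If a real sample's layer order or XOR direction differs from the assumption, only `xor_with_next_byte` / `undo_xor_with_next_byte` and the call order in `decode_packet` need to change; the RC4 layer is standard and the key comes from the decrypted configuration file.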

In response, the malware receives an extended loader – a module in a format typical of ZeuS, i.e., not a standard PE file but a set of sections that are mapped to memory by the loader itself: executable code, relocation table, point of entry, exported functions, import table.

Code with section IDs matching the module structures

It should be noted that the imports section includes only API function hashes. The import table is set up using the Stolen Bytes method, using a disassembler included in the loader for this purpose. Earlier, we saw a similar import setup in Andromeda.

Fragment of the import setup function in Andromeda and Chthonic

Header of a structure with module

The extended loader also contains a configuration file encrypted using the virtual machine. It loads the Trojan's main module, which in turn downloads all the other modules. However, the extended loader itself uses AES for encryption, and some sections are packed using UCL. The main module loads additional modules and sets up import tables in very much the same way as the original Chthonic downloader, i.e. this ZeuS variant has absorbed part of the Andromeda functionality.

The entire sequence in which the malware loads, including the modules that are described below, is as follows:

Modules

Trojan-Banker.Win32.Chthonic has a modular structure. To date, we have discovered the following modules:

Name          Description                            Has a 64-bit version
main          Main module (v4.6.15.0 - v4.7.0.0)     Yes
info          Collects system information            Yes
pony          Module that steals saved passwords     No
klog          Keylogger                              Yes
http          Web injection and formgrabber module   Yes
vnc           Remote access                          Yes
socks         Proxy server                           Yes
cam_recorder  Recording video from the web camera    Yes

The impressive set of functions enables the malware to steal online banking credentials using a variety of techniques. In addition, the VNC and cam recorder modules enable attackers to connect to the infected computer remotely and use it to carry out transactions, as well as to record video and sound if the computer has a webcam and microphone.

Injections

Web injections are Chthonic's main weapon: they enable the Trojan to insert its own code and images into the code of pages loaded by the browser. This enables the attackers to obtain the victim's phone number, one-time passwords and PINs, in addition to the login and password entered by the victim.

For example, for one of the Japanese banks the Trojan hides the bank's warnings and injects a script that enables the attackers to carry out various transactions using the victim's account:

Online banking page screenshots before and after the injection

Interesting functions in injected script

The script can also display various fake windows in order to obtain the information needed by the attackers. Below is an example of a window which displays a warning about non-existent identification problems and prompts the user to enter a TAN:

Fake TAN entry window

Our analysis of attacks against customers of Russian banks has uncovered an unusual web injection scenario. When an online banking web page is opened in the browser, the entire contents of the page are spoofed, not just parts of it as in an ordinary attack. From the technical viewpoint, the Trojan creates an iframe containing a phishing copy of the website that has the same size as the original window.

Below is a fragment of injected code, which replaces everything between title and body closing tags with the following text:

And here is the script itself:

Additionally, the bot receives a command to establish a backconnect connection if the injection is successful:

Coverage

There are several botnets with different configuration files. Overall, the botnets we are aware of target online banking systems of over 150 different banks and 20 payment systems in 15 countries. The cybercriminals seem most interested in banks in the UK, Spain, the US, Russia, Japan and Italy.

Chthonic target distribution by country

It is worth noting that, in spite of the large number of targets on the list, many code fragments used by the Trojan to perform web injections can no longer be used, because banks have changed the structure of their pages and, in some cases, the domains as well. It should also be noted that we saw some of these fragments in other bots' config files (e.g., Zeus V2) a few years back.

Conclusion

We can see that the ZeuS Trojan is still actively evolving and its new implementations take advantage of cutting-edge techniques developed by malware writers. This is significantly helped by the ZeuS source code having been leaked. As a result, it has become a kind of framework for malware writers, which can be used by anyone and can easily be adapted to cybercriminals' new needs. The new Trojan – Chthonic – is the next stage in the evolution of ZeuS: it uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader.

What all of this means is that we will undoubtedly see new variants of ZeuS in the future.

A few md5:

12b6717d2b16e24c5bd3c5f55e59528c
148563b1ca625bbdbb60673db2edb74a
6db7ecc5c90c90b6077d5aef59435e02
5a1b8c82479d003aa37dd7b1dd877493
2ab73f2d1966cd5820512fbe86986618
329d62ee33bec5c17c2eb5e701b28639
615e46c2ff5f81a11e73794efee96b38
77b42fb633369de146785c83270bb289
78575db9f70374f4bf2f5a401f70d8ac
97d010a31ba0ddc0febbd87190dc6078
b670dceef9bc29b49f7415c31ffb776a
bafcf2476bea39b338abfb524c451836
c15d1caccab5462e090555bcbec58bde
ceb9d5c20280579f316141569d2335ca
d0c017fef12095c45fe01b7773a48d13
d438a17c15ce6cec4b60d25dbc5421cd

Attackers Compromise ICANN, Access Zone Files System

Threatpost for B2B - Wed, 12/17/2014 - 19:46
Unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names.

Google Releases End-To-End Chrome Extension to Open Source

Threatpost for B2B - Wed, 12/17/2014 - 13:57
Google announced that it was making the source code for its End-to-End Chrome Extension available for review on GitHub. End-to-End encrypts and signs Gmail messages.

Manufacturer’s Backdoor Found on Popular Chinese Android Smartphone

Threatpost for B2B - Wed, 12/17/2014 - 11:59
Chinese smartphones from Coolpad contain a backdoor, dubbed CoolReaper by Palo Alto researchers, that is being used to install apps without user consent.

Google Adds Content Security Policy Support to Gmail

Threatpost for B2B - Wed, 12/17/2014 - 10:32
Google has added another layer of security for users of Gmail on the desktop, which now supports content security policy, a standard that's designed to help mitigate cross-site scripting and other common Web-based attacks.

Sony: Employee Health Information May Have Been Compromised

Threatpost for B2B - Tue, 12/16/2014 - 11:12
Sony Pictures Entertainment has sent a letter to employees warning them that, along with huge amounts of corporate and employee information, some personal health data belonging to SPE employees may also have been compromised in the attack that hit the company in late November.

Researchers Go Inside Illegal Underground Hacking Markets

Threatpost for B2B - Tue, 12/16/2014 - 10:50
Researchers at Dell SecureWorks have looked at services and pricing available inside illegal online marketplaces selling crimeware, stolen identities, credit cards, and hacking services.

Two Cisco Products Vulnerable to POODLE Attack on TLS

Threatpost for B2B - Tue, 12/16/2014 - 09:10
Two of Cisco’s products are vulnerable to the POODLE attack via the TLS implementation in those products. The vulnerability affects Cisco’s Adaptive Security Appliance software and its Application Control Engine module. The POODLE attack was disclosed in October by researchers from Google, who discovered that if an attacker can force a vulnerable Web server to fall back from […]

Google Blacklists WordPress Sites Peddling SoakSoak Malware

Threatpost for B2B - Mon, 12/15/2014 - 14:08
Up to 100,000 sites hosted on WordPress may be vulnerable to a new campaign that's pushing malware and multiple exploit kits to the browser.

Mike Mimoso on the Sony Breach

Threatpost for B2B - Mon, 12/15/2014 - 12:25
Dennis Fisher and Mike Mimoso talk about the details of the Sony breach, including the question of attribution, Sony's response to the attack, media outlets publishing the stolen data and the rise of destructive malware attacks.

Google Proposes Marking ‘HTTP’ as Insecure in 2015

Threatpost for B2B - Mon, 12/15/2014 - 12:05
Google proposes that browser vendors begin issuing address bar warnings to users that HTTP connections provide no data security protection.

Shellshock Worm Exploiting Unpatched QNAP NAS Devices

Threatpost for B2B - Mon, 12/15/2014 - 11:35
A worm exploiting the Bash vulnerability in QNAP network attached storage devices has been discovered. The attack opens a backdoor and for now is carrying out a click-fraud scam against JuiceADV.

Honeywell PoS Software Vulnerable to Stack Buffer Overflows

Threatpost for B2B - Mon, 12/15/2014 - 10:13
There are stack buffer overflows in two components of a Honeywell point-of-sale software package that can allow attackers to run arbitrary code on vulnerable systems. The vulnerabilities lie in the HWOPOSScale.ocx and HWOPOSSCANNER.ocx components of Honeywell’s OLE for Retail Point-of-Sale package, which is designed to help integrate PoS hardware with Windows PoS systems. Versions of the Honeywell […]