Feed aggregator

Analysis: Spam in May 2014

Secure List feed for B2B - Mon, 06/30/2014 - 07:00
In the run-up to the summer, spammers offered their potential customers seedlings and seeds for gardening. In addition, English-language festive spam in May was dedicated to Mother’s Day - the attackers sent out adverts offering flowers and candies.

RECON 2014

Secure List feed for B2B - Sun, 06/29/2014 - 13:23


Today was the last day of the REcon 2014 conference where reverse engineers from all over the world meet and share their research.

The event started with trainings, where I (Nicolas) gave a 4-day training on malware reverse engineering. During those 4 days, we covered various kinds of topics such as how to unpack/decrypt malware, identify cryptography algorithms, deal with obfuscated code, analyze shellcode etc.

My colleague Marta Janus did a talk explaining the various techniques used by malware to evade detection and sandboxing, and covered a lot of obfuscation tricks used in current malware.

The presentations this year were quite interesting and a few of them were directly related to what we do in the labs, including graph representation of binaries, tools to help speed up analysis and handle code obfuscation.

You can find the full schedule of the conference here

The slides and the videos of every talk will be uploaded in the future on the REcon website.

Meanwhile, you can already download some of the research tools:

PANDA is the Platform for Architecture-Neutral Dynamic Analysis. It is a platform based on QEMU 1.0.1 and LLVM 3.3 for performing dynamic software analysis, abstracting architecture-level details away with a clean plugin interface. It is currently being developed in collaboration with MIT Lincoln Laboratory, Georgia Tech, and Northeastern University.

FUNCAP is a script to record function calls (and returns) across an executable using the IDA debugger API, along with all the arguments passed. It dumps the info to a text file, and also inserts it into IDA's inline comments. This way, the static analysis that usually follows the behavioral runtime analysis when analyzing malware can be directly fed with runtime info such as decrypted strings returned in a function's arguments.

One presentation mentioned a framework for reverse engineering which I consider worth listing here.

MIASM 2 is a free and open source (GPLv2) reverse engineering framework. Miasm aims at analyzing/modifying/generating binary programs. It can represent assembly semantics using an intermediate language, emulate code using a JIT (dynamic code analysis, unpacking) and simplify expressions for automatic de-obfuscation.

See you next year at RECON 2015

Twitter: @nicolasbrulez

New Oil and Natural Gas ISAC Launches

Threatpost for B2B - Fri, 06/27/2014 - 14:54
A new information sharing group popped up this week in the oil and natural gas industries that hopes to formalize the trade of threat intelligence and indicators of compromise.

FBI Issued More Than 19k National Security Letters in 2013

Threatpost for B2B - Fri, 06/27/2014 - 14:06
The United States federal government issued more than 19,000 National Security Letters--perhaps its most powerful tool for domestic intelligence collection--in 2013, and those NSLs contained more than 38,000 individual requests for information.

20-Year Old Vulnerability Patched in LZO Compression Algorithm

Threatpost for B2B - Fri, 06/27/2014 - 13:31
A 20-year old vulnerability in the Lempel-Ziv-Oberhumer (LZO) compression algorithm was finally patched this week.

Zero-Day Patched in TimThumb WordPress Script

Threatpost for B2B - Fri, 06/27/2014 - 11:02
A zero-day vulnerability has been patched in the PHP-based image resizer TimThumb, popular in WordPress themes, after it was publicly disclosed this week.

PayPal 2FA Bypass Shows Difficulty of Getting Authentication Right

Threatpost for B2B - Fri, 06/27/2014 - 10:00
Oftentimes, looking at a given security vulnerability or mistake by a vendor, it’s easy to wonder how on earth the bug got through in the first place or the company didn’t catch the problem earlier. That definitely could have been the case with the recently disclosed bypass of PayPal’s two-factor authentication mechanism, but, as is […]

Patched Code Execution Bug Affects Most Android Users

Threatpost for B2B - Thu, 06/26/2014 - 13:22
Researchers at IBM disclosed a serious buffer overflow vulnerability in Android 4.3 and earlier that could lead to code execution. The bug is patched in KitKat, but most users are on older versions.

Massachusetts Supreme Court Rules Defendant Must Decrypt Data

Threatpost for B2B - Thu, 06/26/2014 - 10:45
Encryption software has been enjoying a prolonged day in the sun for about the last year. Thanks to the revelations of Edward Snowden about the NSA’s seemingly limitless capabilities, security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones and portable drives. […]

Cloned Android Banking App Hides Phishing Scheme

Threatpost for B2B - Wed, 06/25/2014 - 14:49
A cloned banking application targeting customers of a large bank in Israel has been removed from Google Play after it was discovered to be stealing users' log-in credentials.

VMware Patches Apache Struts Flaws in vCOPS

Threatpost for B2B - Wed, 06/25/2014 - 13:59
VMware has patched several serious security vulnerabilities in its vCenter Operations Management Suite, one of which could lead to remote code execution on vulnerable machines.

Use the force Luuuk

Secure List feed for B2B - Wed, 06/25/2014 - 13:14

Stealing more than half a million euro in just a week - it sounds like a Hollywood heist movie. But the organizers of the Luuuk banking fraud pulled it off with a Man-in-the-Browser (MITB) campaign against a specific European bank. The stolen money was then automatically transferred to preset mule accounts. When GReAT discovered Luuuk's control panel it immediately got in touch with the bank and launched an investigation.

On January 20th 2014 Kaspersky Lab detected a suspicious server containing several log files including events from bots reporting to a command and control web panel. The information sent seemed to be related to a financial fraud; it included details of the victims and the sums of money stolen.


Figure 1: Example of log file

After further analysis we found additional files in the server containing logs with different content and showing potentially fraudulent banking transactions, as well as source code in JavaScript related to the C2 infrastructure. This information provided valuable data about the bank that had been targeted and other details such as the money-mule system and operational details used in this scheme.


Figure 2: Source code control panel

Once we analyzed all the available data, it was clear that the C2 was the server-side portion of a banking Trojan infrastructure. We believe the fraud was being perpetrated using Man-in-the-Browser techniques and was also capable of performing automatic transactions to pre-set money mule accounts.

We decided to name this C2 luuuk after the path of the administration panel on the server: /server/adm/luuuk/

Below is a summary of the relevant information extracted from the server side component:

  • Around 190 victims, mostly located in Italy and Turkey.
  • Fraudulent transactions worth more than 500,000 € (according to logs).
  • Fraudulent transfer descriptions.
  • Victims' and mules' IBANs.

The control panel was hosted in the domain uvvya-jqwph.eu, resolving to the IP address 109.169.23.134 during the analysis.

The fraudulent campaign targeted users of a single bank. Even though we were not able to get the malicious code used on the victims, we believe the criminals used a banking Trojan performing Man-in-the-Browser operations to get the credentials of their victims through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and OTP codes in real time.


Figure 3: Fraudulent transaction log example.

This kind of injection is very common in all the variations of Zeus (Citadel, SpyEye, IceIX, etc.), and all of these are well-known in Italy. During our investigation it was not possible to find the infection vector; however, banking Trojans use a variety of methods to infect victims, including spam and drive-by downloads.

The attackers used the stolen credentials to check the victim's balance and perform several malicious transactions automatically, probably operating in the background of a legitimate banking session. That would be consistent with one of the malicious artifacts (a VNC server) we found bound to the malicious server used by the attackers.

Despite the "usual" techniques implemented to steal the users' money (user/password/OTP bypass) what is really interesting in this campaign is the classification of the predefined money mules used to transfer the stolen money.

According to the transaction logs, there were 4 different money-mule (or drop) groups:

  • 13test: The limit that the drops in this group can accept is between 40,000 and 50,000 Euros, although there are some drops that have different limits, between 20,000 and 30,000.
  • 14test: The limit that the drops in this group can accept is between 15,000 and 20,000 Euros, although there are some drops in this group that have different limits, between 45,000 and 50,000.
  • 14smallings: The limit that the drops in this group can accept is between 2,500 and 3,000 Euros.
  • 16smallings: The limit that the drops in this group can accept is between 1,750 and 2,000 Euros, although there are drops in this group that can accept a quantity between 2,500 and 3,000 Euros (as in the group 14smallings).

This could be an indicator of a well-organized mule infrastructure. Different groups have different limits on the money that can be transferred to their mules, an indicator of the levels of trust between them.
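The summary figures above (total stolen, number of victims, per-mule sums) and the drop-group limits are exactly the kind of numbers an analyst pulls out of a seized C2 transaction log. The script below is an added example for this page, not code from the original post or from Kaspersky Lab: it parses a constructed log in a hypothetical key=value format (the real panel logs are only shown as figures), checks every transfer against the group limits the post reports, and adds the bank-side view, where group labels are invisible but a single new beneficiary receiving from many unrelated customers gives the mule away. Account identifiers, amounts and descriptions are invented.

```python
"""Triage of a Luuuk-style C2 transaction log.

Added example for this page; it is not code from the original post or from
Kaspersky Lab. The panel's real log format is only shown as figures in the
post, so the line format, account identifiers and amounts below are
constructed. The drop-group limits are the ones the post reports.
"""
import re
from collections import defaultdict

# Drop (mule) group limits in EUR as reported in the post. Some groups carry
# a secondary band that only a subset of their drops accept.
DROP_GROUPS = {
    "13test": [(40_000, 50_000), (20_000, 30_000)],
    "14test": [(15_000, 20_000), (45_000, 50_000)],
    "14smallings": [(2_500, 3_000)],
    "16smallings": [(1_750, 2_000), (2_500, 3_000)],
}

# Constructed sample lines in a hypothetical key=value format. VICTIM-n and
# DROP-n stand in for the victim and mule IBANs present in the real logs.
SAMPLE_LOG = """\
2014-01-20 10:41:03 victim=VICTIM-1 drop=DROP-1 group=14smallings amount=2750.00 desc="Fattura 0122"
2014-01-20 10:42:15 victim=VICTIM-2 drop=DROP-1 group=14smallings amount=2900.00 desc="Pagamento"
2014-01-20 11:05:40 victim=VICTIM-3 drop=DROP-2 group=16smallings amount=1800.00 desc="Rimborso"
2014-01-20 11:30:02 victim=VICTIM-4 drop=DROP-3 group=13test amount=45000.00 desc="Invoice 77"
2014-01-20 11:31:10 victim=VICTIM-5 drop=DROP-1 group=14smallings amount=2600.00 desc="Fattura 0123"
2014-01-20 12:00:00 victim=VICTIM-6 drop=DROP-4 group=14test amount=12000.00 desc="Bonifico"
this line is not a transaction record and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'victim=(?P<victim>\S+) drop=(?P<drop>\S+) group=(?P<group>\S+) '
    r'amount=(?P<amount>\d+(?:\.\d+)?) desc="(?P<desc>[^"]*)"$'
)


def parse_log(text):
    """Return one dict per well-formed transaction line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["amount"] = float(entry["amount"])
            entries.append(entry)
    return entries


def groups_for_amount(amount):
    """Names of the drop groups whose limit bands contain this amount."""
    return sorted(name for name, bands in DROP_GROUPS.items()
                  if any(lo <= amount <= hi for lo, hi in bands))


def summarize(entries):
    """The totals the post reports: stolen sum, distinct victims, per-drop sums."""
    per_drop = defaultdict(float)
    for e in entries:
        per_drop[e["drop"]] += e["amount"]
    return {
        "total": round(sum(e["amount"] for e in entries), 2),
        "victims": len({e["victim"] for e in entries}),
        "per_drop": dict(per_drop),
    }


def limit_violations(entries):
    """Transfers whose amount lies outside every band of the drop group they used.

    An automatic transfer system that honours the group limits should never
    produce these; a hit means the limits are stale or the grouping is wrong.
    """
    return [e for e in entries
            if e["group"] not in groups_for_amount(e["amount"])]


def fan_in(entries, min_victims=3):
    """Drop accounts that receive from at least min_victims distinct victims.

    Bank-side view: the bank never sees group labels, but many unrelated
    customers paying one new beneficiary within hours is the signature of a
    shared mule account.
    """
    senders = defaultdict(set)
    for e in entries:
        senders[e["drop"]].add(e["victim"])
    return {drop: len(v) for drop, v in senders.items() if len(v) >= min_victims}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(summarize(entries))
    for e in limit_violations(entries):
        print("limit violation:", e["ts"], e["drop"], e["group"], e["amount"])
    print("shared drops:", fan_in(entries))
```

On the constructed input the 14test transfer of 12,000 € falls below that group's 15,000 € floor and is reported as a limit violation, and DROP-1 is reported as shared because three different victims paid it within an hour. The fan-in threshold is the knob to tune against real traffic; payroll and utility beneficiaries legitimately receive from many customers, so in production it should be combined with beneficiary age and the login-to-transfer delay that the post's real-time OTP theft implies.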

The operators of this control panel removed all the sensitive components on January 22nd, two days after our investigation started. Based on the transaction activity we believe that this could be an infrastructure change rather than a complete shutdown of the operation.

In addition, based on the fraudulent transaction activity detected in the server and several additional indicators, we believe that the criminals behind the operation are very active. They have also shown proactive operational security, changing tactics and cleaning traces when discovered.

Kaspersky Lab is maintaining contacts with different LEAs and the affected financial institution in order to prosecute the criminals.

Kaspersky Fraud Prevention vs. the Luuuk

The evidence uncovered by Kaspersky Lab's experts indicates that the campaign was most probably organized by professional criminals. However, the malicious tools they used to steal money can be countered effectively by security technologies. For instance, Kaspersky Lab has developed Kaspersky Fraud Prevention - a multi-tier platform to help financial organizations protect their clients from online financial fraud. The platform includes components that safeguard client devices from many types of attacks, including Man-in-the-Browser attacks, as well as tools that can help companies detect and block fraudulent transactions.

UPDATE

After the publication of the post, our colleagues at Fox-IT InTELL sent us some potentially related information regarding this campaign. According to this new information, the Luuuk server could be related to the ZeusP2P (aka Murofet) infrastructure as we originally suspected.

We received two decrypted configuration files belonging to the ZeusP2P with a reference to the same server where Luuuk was hosted:

The configuration belongs to a botnet named "it" (for Italy). The Luuuk server is being used to host the code that is injected in the victims' browsers. It also manages the automatic transfers to a predefined set of money mule (drop) accounts.

We were also able to analyze the binaries using these configurations. The first one (c8a3657ea19ec43dcb569772308a6c2f) is a ZeusP2P (Murofet) sample that was first seen back in August 2013, months before the malicious transactions were made. It tries to connect to several of the sinkholed servers used to take down GameOver.


Sinkholed domains used by the sample.

This additional data reinforces the theory that the Zeus family is behind the Luuuk server - in this particular case it appears to be of the ZeusP2P flavor. However, this is not definitive proof that the malicious transactions in the campaign were performed by this family, as the injected code on the server was not there when we analyzed it.

Still, it would be quite unusual for two different malware campaigns to use the same server almost simultaneously to provide the necessary infrastructure. So we will continue our investigations based on the hypothesis that this Luuuk campaign used ZeusP2P samples for its infections and malicious transactions. Now we will try to get the JavaScript code injected to close the circle.

We would like to thank Fox-IT for sharing this information.

Flaw Lets Attackers Bypass PayPal Two-Factor Authentication

Threatpost for B2B - Wed, 06/25/2014 - 11:39
There's a vulnerability in the way that PayPal handles certain requests from mobile clients that can allow an attacker to bypass the two-factor authentication mechanism for the service and transfer money from a victim's account to any recipient he chooses.