Feed aggregator

Adobe Patches 11 Critical Vulnerabilities in Flash Player

Threatpost for B2B - Thu, 03/12/2015 - 19:45
Adobe released an updated Flash Player with patches for 11 critical vulnerabilities, most of which lead to remote code execution.

After Delays, Samsung Patches Social Media Vulnerability in Millions of Devices

Threatpost for B2B - Thu, 03/12/2015 - 16:21
Samsung patched a vulnerability last month in SNS Provider that if exploited could have given attackers the ability to access to any personal information users stored on Facebook, LinkedIn and Twitter.

CryptoLocker Variant Coming After Gamers

Threatpost for B2B - Thu, 03/12/2015 - 15:57
A variant of CryptoLocker ransomware is targeting gamers, encrypting files associated with more than 20 popular titles in exchange for a Bitcoin payment.

BlackBerry Warns Many Products Vulnerable to FREAK Attack

Threatpost for B2B - Thu, 03/12/2015 - 14:28
BlackBerry is warning customers that a large portion of the company’s product portfolio is vulnerable to the FREAK SSL attack. Many versions of the BlackBerry OS and BlackBerry Enterprise Server are vulnerable to FREAK, as are a number of versions of BlackBerry Messenger. The advisory from BlackBerry says that there are no workarounds for the […]

SQL Injection Bug Fixed in Popular WordPress SEO Plug-In

Threatpost for B2B - Thu, 03/12/2015 - 13:28
Popular search engine optimization plugin, SEO by Yoast fixed a blind SQL injection vulnerability yesterday that could be exploited to take control of affected sites.

Obama Administration Seeks More Legal Power to Disrupt Botnets

Threatpost for B2B - Thu, 03/12/2015 - 10:31
The federal government is seeking more legal power to step in and shut down botnets through an amendment to the existing criminal law, which would allow the Department of Justice to obtain injunctions to disrupt these malicious networks. The Obama administration has proposed an amendment to existing United Stated federal law that would give it […]

Microsoft SHA-2 Advisory Causing ‘Infinite Loop’ Issues

Threatpost for B2B - Thu, 03/12/2015 - 10:16
Windows users are having issues with a security update issued this week meant to add SHA-2 code-signing and verification support to Windows 7 and Windows Server 2008 R2 machines.

Kaspersky Security Bulletin. Spam in 2014

Secure List feed for B2B - Thu, 03/12/2015 - 08:00

The year in figures

According to Kaspersky Lab, in 2014

  • The proportion of spam in email flows was 66.76%, which is 2.84 percentage points lower than in 2013
  • 74.5% of spam emails were no more than 1 KB in size
  • 16.71% of spam was sent from the USA
  • Users in the USA were targeted by 9.8% of malicious emails, the largest share of any country
  • 260, 403,422 instances that triggered the "Antiphishing" system were recorded.
  • Brazil had the highest proportion of people attacked by phishers – 27.47% of all Kaspersky Lab users in the country faced at least one attack
  • Russia suffered the highest number of total phishing attacks, with 17.28% of the global total
  • 42.59% of phishing attacks targeted global portals that integrate many services accessed from a single account.
Popularity of mobile devices and spam

The popularity of mobile devices continues to grow, and this is affecting spam in email traffic: the number of advertising services that will spread spam on mobile devices is increasing, as are the number of offers addressed to the spammers who profit from these mailings. The popularity of mobile devices also makes them a valid vector for cyber-attack: email traffic now includes malicious imitations of emails sent from smartphones as well as fake notifications from popular mobile applications.

Adverts from/for "mobile" spammers

In 2014, spammers intensified their offers to distribute ads via SMS and popular IM services (WhatsApp, Viber, etc.). They use traditional spam mailings to help search for new customers, and the number of these adverts is also increasing.

Current email traffic also includes adverts addressed to "mobile" spammers: they are offered ready-made databases of phone numbers and other contact information that is designed to attract a specific target audience. These databases, in turn, are often generated with the help of mass mailings: the spammers send phishing emails which they use to collect personal data from victims.

Imitations of emails sent from mobile devices

Spam mailings simulating emails sent from mobile devices have become very popular. We came across such emails written in several languages; they mentioned iPad, iPhone, Samsung Galaxy and other models. These messages had one thing in common - short (sometimes non-existent) text and a signature reading "Sent from my iPhone". Typically, they contain links to phishing sites or malicious attachments.

Apparently, spammers think that an email with the attached file and a signature allegedly sent from the iPhone looks reliable. Indeed, the emails sent from mobile devices rarely use a complex template. And the senders often prefer to attach a file or insert a link rather than write a long text on the smartphone.

In some cases, the emails included an archive named to suggest it contained a photo. In fact, this was yet another way to distribute malware.

The emails sent allegedly from mobile devices often contained advertising links - most often to the sites illegally selling medications. Below is the example of one of these emails where the spammers used a few key words as the text of the message.

In order to bypass filtering, spammers often try to forge technical headers of the emails (Data, X-Mailer, Message-ID) to make them look like they were sent from mobile devices. However, when checked, the content of these headers is defined as incorrect.

Fake notifications from mobile applications

The widespread use of mobile devices has given rise to yet another phenomenon - spam that imitates notifications from different mobile applications such as WhatsApp and Viber. Users are accustomed to the synchronization of cross-platform applications, to the synchronization of contact data between applications and to different notifications from them, so many mobile device owners don't think twice about an email saying a message has allegedly arrived on their mobile messenger. This is a mistake: these mobile applications are not related to the user's email account in any way, which means that these emails are obviously fake.

For example, there can't be emails telling users that they've received an image via WhatsApp because registration on WhatsApp does not require an email address.

Moreover, the "picture" is packaged in an archive, which should also arouse suspicion: packaging an image does not offer any advantage while archives are often used to hide malicious attachments. And this is what we see in this case: the archive contains a malicious program.

Yet another example: a notification about a voice message allegedly sent via Hangouts contains a hyperlink disguised as the "Play" button. After clicking "Play", instead of hearing the voice message the user is sent to a compromised legitimate site from which integrated JavaScript redirects him to an advertising page.

The notification of the voice message supposedly sent via Viber contains a "Listen to Voice Message" button that initiates the download of a malicious archive.

World events in spam

2014 was rich in global events: the crisis in Ukraine, the Ebola epidemic, the Olympics in Sochi and the FIFA World Cup in Brazil. Each of them was used by the spammers to draw attention to their mass mailings.

The Olympic games and the World Cup

The Sochi Olympics and the FIFA World Cup in Brazil were the only sporting events that featured in spam flow. In both cases the majority of spam emails were written in the language of the country where the event took place, suggesting that the fraudsters' main targets were the locals.

The spam sent out shortly before these events contained a lot of mass mailing advertising products with the symbols of the tournament. In the case of the Olympic Games, in addition to Sochi merchandise the adverts offered products harking back to the 1980 Moscow Olympics.

"Nigerian" scammers also got involved. Before the Olympics they sent emails on behalf of the fans who asked for assistance in renting accommodation in Sochi or paying for various services. The "sports fans" were allegedly ready to transfer 850,000 euro to a person who would help them. The promise of a big reward was designed to encourage victims to overlook a few preliminary costs, but once the requested money was transferred the fraudsters disappeared without delivering the promised cash and rewards.

We also saw many fraudulent emails informing recipients that they had won an official FIFA World Cup lottery. Of course, to get his money, the 'winner' faced a few minor preliminary expenses. But, of course, these so-called winners would never see any money from a competition that they had never entered in the first place.

Similar emails are constantly sent out in the run-up to the big football championships.

Besides real adverts and fraudulent messages the pre-World Cup spam also contained malicious emails with links that allegedly led to websites where fans could buy tickets to the games.

Nelson Mandela's demise

Obviously, "Nigerian" scammers do not grieve for the demise of political leaders; for them these events are the ideal pretext to spin stories of a multi-million dollar will. Nelson Mandela's death in late 2013 unleashed a wave of "Nigerian" spam. The attackers introduced themselves as representatives of different funds and informed the recipient that he had been awarded a Mandela prize; the "bankers" offered to secretly divide the Mandela family's money, etc. In some cases, the emails contained the links to real news releases, hoping that this would make the message look more reliable.

Political events in Ukraine

Unstable political situations and military conflict is yet another source of inspiration for "Nigerian" spammers. We regularly come across mass mailings exploiting conflicts in different countries, mostly in the Middle East, but in 2014 the "Nigerian" scammers focused on Ukraine. The authors of fraudulent emails posed as the disgraced Ukrainian politicians and entrepreneurs looking for a way to smuggle their millions out of the country. There were also mass mailings written on behalf of Russian businessmen who had suffered due to sanctions.

Traditionally, "Nigerian" letters offered the recipients huge money for their help. Meanwhile, if victims entered into correspondence, the scammers conned money from them to cover different alleged expenses - duties, taxes, air tickets, hotel rooms and so on.

The Ebola virus

The Ebola epidemic also attracted the attention of spammers. "Nigerians" sent out emails on behalf of infected Africans who allegedly wanted to leave their fortune to charity. The fraudsters came up with a new twist on the story which invited recipients to participate as a guest at a World Health Organization conference. The proposed fee was 350,000 and a car for the job as a WHO representative in the UK.

Malware distributors exploited people's fear of this deadly disease and sent out emails on behalf of the WHO which contained a link to information on the measures to prevent Ebola infection. Later, the emails with the similar content appeared but this time the "information from the WHO" was packed in an attached archive.

In reality both the link and the attached archive contained a malicious program designed to steal the victim's data. In the above email it was Backdoor.Win32.DarkKomet.dtzn.

Spammer tricks

The techniques that have been actively used by the spammers in recent years can be called "classic".

One well-known spammer trick is the stock spam advertising shares of small companies. These emails are part of a stock fraud scheme, the so-called pump and dump spam. The idea is simple: the fraudsters buy cheap stock then send out email mailings advertising the chance to buy stock in a certain company at super low prices, taking advantage of the sharp rise in value expected in the near future. As a result, demand for the stock in the company rises, the prices are artificially inflated and the scammers sell off their stock in the company at a tidy profit. This fraud peaked in 2006-2007 but stock spam is still in use today.

According to Kaspersky Lab, 74.5% of #spam emails sent in 2014 were smaller than 1 KB in size #KLReport

Tweet

In 2013, stock spam only contained a brief text showing the current and expected share price of the company. Some mass mailings included an auto signature which promised that an anti-virus scan had been deployed. Moreover, the language of the signature matched the language of the geographical domain which hosted the recipient's e-mail (this common technique seeks to persuade the recipient of the legitimacy and security of the email). To enhance the chances of bypassing spam filters, the name of the company in a mass mailing was usually "noised" with the "_" symbol or gaps, and the text fragments varied.

In 2014, the design of fraudulent mass mailings advertising company shares changed – the spammers made the messages look more reliable. To bypass spam filters, they used some well-known tricks:

  1. Graphic spam. The advertising text is located within the picture and company logos are used. In a single mass mailing the content, color, font size or background color of the picture can vary. (Note that modern spam filters have long used graphic analyzers that can easily detect graphic spam)
  2. Junk text is inserted at the end of each message and is designed in different colors which do not always match the background. Fragments from literary works and quotes from Wikipedia are used. It is assumed that this method will make each email unique and cause spam filters to detect them as fragments of a literary work rather than a spam message.

Apparently, spammers are trying to compensate for their archaic methods with large volumes – hundreds of millions of these fraudulent emails are sent out.

However, spammers often use more advanced techniques to create "background noise" in the text. For example, they can "noise" the main text of the message even without affecting the readability of the message. To do this, HTML tags are used. The opening and closing tags are inserted into the main text of the message in HTML code. As a result, the user sees no changes in the message but the spam filter detects each email as a unique.

Statistics The proportion of spam in email traffic

In 2014, the proportion of spam in email traffic was 66.76%, which is 2.84 percentage points lower than in the previous year. Spam levels have fallen consistently from a peak of 85.2% in 2009. This is due to the fact that adverts for legal goods and services are abandoning spam in favor of more effective legal advertising platforms.

The proportion of spam in email traffic, 2014

In 2013 the share of spam in email traffic showed almost no variation from month to month but in 2014 there were some noticeable fluctuations, especially in the first half of the year. The lowest value of the year (63.5%) was registered in March. However this was immediately followed by the highest monthly figure of 71.1% in April. The second half of the year was more stable.

Sources of spam by country

Sources of spam by country, 2014

In 2013 China was the undisputed leader among the spam source countries. However in 2014, the percentage of unwanted mail originated from this country dropped by 17.44 pp. As a result, China fell to 3rd in the annual rating, overtaken by the USA (-1.08 pp) and Russia (+1.98 pp).

The Top 10 sources of spam include three western European countries: Germany (+2.79 pp), Spain (+2.56 pp) and France (+2.33 pp). Two Asian countries - South Korea (-10.45 pp) and Taiwan (-3.59 pp) – which occupied 3rd and 4th positions in 2013 moved down to 13th and 14th places respectively in 2014.

The size of spam emails

The size of spam emails in 2014

The number of super-short spam emails is growing: in 2014 77.26% of spam emails weighed in at under 1 KB, 2.76pp more than in 2013.

These emails usually contain links to advertising websites. To generate the text of the email the spammers use robots that combine short phrases from several words taken from thematic dictionaries, or change the words in the message for synonyms. In the end they get unique messages, making the task of spam filters more difficult. The small size of the emails also helps spammers to reduce traffic costs.

Malicious attachments in email

For the fourth year in a row the most widespread malware in emails were programs that attempted to steal confidential data, usually logins and passwords for Internet banking systems.

The Top 10 malicious programs spread by email in 2014

Trojan-Spy.HTML.Fraud.gen topped the rating again. It is generally distributed using phishing emails and is designed to look like an html page where users are invited to enter their confidential data.

Email-Worm.Win32.Bagle.gt is in second place. The main functionality of all email worms, including Bagle, is to collect electronic addresses from compromised computers and to send copies of itself to all email addresses found on an infected computer. Bagle email worms can also receive remote commands to integrate with other malicious applications.

#Spam levels have fallen consistently from a peak of 85.2% in 2009 to 66.76% in 2014 #KLReport

Tweet

Third came Trojan.JS.Redirector.adf, which was the most widespread malware in Q3. The malware spreads via email in a passwordless ZIP archive. It appears as an HTML page with an integrated script which, when opened by users, redirects them to an infected site. There it usually offers to load Binbot — a service for the automatic trading of binary options, which are currently popular on the net.

Representatives of the Bublic family occupy 4th and 7th positions in the Top 10. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers. They often download a ZeuS/Zbot modification. The Trojans of the Bublic family appear as EXE files but use the Adobe document icon to mislead the victim.

Email-Worm.Win32.Mydoom.l is in 5th place. This network worm with a backdoor functionality is spread as an email attachment via file sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. The worm also enables attackers to remotely control the infected computer.

In 2014, the proportion of spam in email traffic was 66.76% #KLReport

Tweet

Trojan-Banker.Win32.ChePro.ilc. ended the year in sixth position. This downloader appears as a CPL applet (a component of the control panel) and, as is typical for this type of malware, it downloads Trojans developed to steal bank information and passwords. These banking Trojans mainly target online customers of Brazilian and Portuguese banks.

Eighth isTrojan-Downloader.Win32.Dofoil.ea. This Trojan downloads other malicious programs onto the victim computer to steal various user information (mainly passwords) and send it to the fraudsters.

Backdoor.Win32.Androm.daxcame 9th. This malicious program belongs to the Andromeda/Gamarue family of universal bot modules. The main features of these malware programs are the ability to download, store and run executable files, downloading and loading DLL (without saving on disk), downloading plugins and the ability to update and delete themselves. The bot's functionality is enhanced with a system of plugins that can be downloaded by the cybercriminals whenever necessary.

Exploit.JS.CVE-2010-0188.f rounds off the Top 10. This particular exploit appears as a PDF file and uses a vulnerability in version 9.3 and lower of Adobe Reader. This vulnerability has been known for a long time and poses no danger to users who update their software regularly. However, when it encounters an old version of Adobe the exploit downloads and runs the executable file Trojan-Dropper.Win32.Agent.lcqs. The dropper installs and runs the malicious script Backdoor.JS.Agent.h, which collects information about the system, sends it to the attackers' server and receives various commands in response. The commands and the results of their execution are transmitted in an encrypted form.

The Andromeda family remains the most widespread malware family. It accounted for 11.49% of all malware detected in malicious attachments. These programs allow the attackers to secretly control infected computers, which often become part of a botnet.

Second came ZeuS/Zbot (9.52%), one of the most popular and widely-available programs designed to steal banking information and, as a consequence, users' money. This program is often downloaded on to a victim computer by loader programs distributed via spam mailings.

Bublik (8.53%) completes the Top 3. This is a family of malicious loader programs that downloads modifications of the Zeus/Zbot family onto a compromised computer.

Countries targeted by malicious mailshots

Distribution of email antivirus activations by country, 2014

For the third year in a row the Top 3 countries most targeted by malicious mailshots remains unchanged: the US, the UK and Germany. The USA (9.80%) maintained its leading position despite the 2.22 pp decrease in the number of antivirus activations. Britain came second with 9.63% (-1.63 percentage points). Germany was third with 9.22%.

Of special note is France (3.16%) which climbed from 16th to 9th position in the rating.

Russia (3.24%) occupied 8th place, one position up from the previous year.

Spammers' tricks

In 2014, spammers had a mix of old and new distribution tricks to lure in users.

We came across emails containing attached archives with the .arj extension. This format was introduced long ago and is rarely used now. Therefore, even users who are wary of attached archives do not always recognize this attachment as potentially dangerous. The ARJ archiver has a further advantage as it can reduce file sizes to the minimum.

In addition to nonstandard archives, spammers also sent out malicious emails containing files with unusual extensions for attachments, such as .scr. This extension usually denotes a screensaver.

One of the most common types of malicious spam and phishing are fake bank notifications. In 2014, spammers began to complicate the design of fake messages by adding more links to official resources and services from the organizations that were mimicked in the fake notifications. Obviously, the attackers hoped that an email with a few legitimate links would be recognized as legitimate by users and spam filters alike. Meanwhile, the email contained a single fraudulent link; after clicking it an archive containing a malicious program was downloaded onto the victim computer.

In some cases, cybercriminals used different URL shorteners to mask the real link. Eventually they redirected the user to a popular cloud storage where a malicious program was hosted under the disguise of an important document.

Phishing

When preparing statistics on phishing we applied the methodology that was first used in our report "Financial cyber threats in 2013" published in April 2014. As a result the data on phishing for 2014 should be compared with the data in that report (not with the report "Spam in 2013").

The data source

The report is based on the data about Antiphishing system activations collected by Kaspersky Security Network. The Antiphishing system contains of three components:

2 deterministic:

  • Offline phishing contains a database of the most relevant phishing wildcards* and is located on users' devices. It is triggered when the system encounters a link that matches one of the phishing wildcards in the database
  • Cloud anti-phishing contains all known phishing wildcards*. The system refers to the cloud if the user encounters a link that is not included in the local anti-phishing database. Cloud databases are updated much quicker than local databases.

Heuristic:

  • The heuristic web component of the antiphishing system. This component is triggered when a user clicks on a link to a page with phishing content but information about this page is not yet available in the Kaspersky Lab databases.

* Phishing wildcards are a set of symbols to describe a group of links detected by the system as phishing. One phishing wildcard can help detect several thousand active links to phishing sites.

In 2014 the computers of users of Kaspersky Lab products recorded 260,403,422 instances that triggered the antiphishing system. Of these, 55% (143,827, 512) involved activation of the deterministic component, and 45% (116, 575, 910) came from the heuristic web component.

Phishing links: not only in email

The deterministic components of the antiphishing system (cloud and offline) check links in the user's browser and messages received via IM or email. Only 6.4% of all the activations of these components come from links in emails. This suggests that today, instead of traditional phishing mass mailings, phishers are using other ways to spread links and new scams.

Kaspersky's #antiphishing system was triggered 260,403,422 times in 2014 #KLReport

Tweet

Currently links to phishing sites are more often distributed via social networks. It's not just about using stolen accounts; fraudsters are also involving unwitting users in sending out phishing links to their friends in social networks.

For example, in July 2014 this particular trick was used to spread a link to the petition in support of Uruguayan footballer Luis Suárez via social networks. To sign the petition, users had to enter their personal data, which then went to the phishers. After that, the victim was invited to share the link with his friends on Facebook. As a result, the link to the phishing page spread quickly among football fans and their friends.

An example of a phishing page distributed with the help of social networks

Phishing emails

All this should not be taken as evidence that fraudsters have stopped spreading phishing links via email. It is still the most popular way of distributing links to fake pages of financial institutions. Perhaps that's why scammers usually send out emails containing links to phishing sites on weekdays when the users check their e-mail \at work.

Activation of the deterministic components of the antiphishing system on the users' mail clients

Fraudulent schemes utilizing phishing emails with malicious attachments, HTML files or HTML forms inserted in the body of the message are also popular with fraudsters.

Attaching HTML files or HTML forms allows fraudsters to reduce the costs of maintaining the page on the Web. The standard scheme looks like this. User receive a fake notification from an organization that informs them their accounts have been blocked, their data has leaked or some suspicious activity was logged. To help solve the problem, users should update their personal information in the attached file or form. The data entered by the victims goes straight to the scammers. Over the past year we found dozens of mailings like this purporting to come from various financial institutions and other organizations.

An email with an attached HTML file

A phishing attack using HTML attachments to target the customers of a specific organization is often a means of extracting a wide range of financial information from victims, not of all of which necessarily relates to the company used in the scam.

An email with an attached HTML file

The examples above show the tricks that fraudsters use trying to get not only credentials to access online accounts, but also other personal information including bank card data.

Big game hunting

As mentioned above, when attacking customers of various organizations, fraudsters often try to get not only the victim's account data but also the bank card details and other confidential information. In this way, some scammers collect valid e-mail address, perhaps to sell them to spammers. Others pose as a bank or similar organization that is concerned about security and use that mask to steal the user's financial information and then his money.

The increased danger of phishing schemes consists of this: no matter what anti-fraud schemes are in place to protect customers (double, triple verification, one-time passwords, etc), they can only protect the account. If the user passes personal data to fraudsters there is little that can be done to stop that information being used to access the account.

We have already given examples of an "extended" phishing attack that utilizes HTML attachments. Yet another example is this phishing attack on PayPal. The traditional scam directs victims to a phishing page that mimics the site of the payment system. Unwary users input their usernames and passwords, sending them to the fraudsters. A further page opens and request bank card data and other information. The users believe they are safely logged onto PayPal and enter the information without a second thought. Once the scammers have that info, they redirect users to the official PayPal site leaving their victims none the wiser about the data theft.

A phishing attack on PayPal

The attackers may not be able to get into the victim's PayPal account because the company has additional protection measures. But they will have enough information to be able to steal money in other ways.

A phishing attack on one of the largest organizations in the telecommunications industry is another good example. At first glance, the fraudsters need a login and password to access the user's personal account. However, once the victim enters a fake account, the scammers not only ask for the card data but also for all other information that may be useful for them to manipulate the victim's money.

A phishing attack targeting the victim's personal information

The geography of attacks

In 2014 phishing attacks were registered in almost all countries worldwide.

Top 10 countries by percentage of attacked users

Brazil had the highest proportion of users subjected to phishing attacks (27.47%).

The percentage of users on whose computers the antiphishing system was triggered out of the total number of users of Kaspersky Lab products in the country, 2014

Top 10 countries by percentage of attacked users

  Country % of users 1 Brazil 27.45 2 Australia 23.76 3 India 23.08 4 France 22.92 5 Ecuador 22.82 6 Russia 22.61 7 Kazakhstan 22.18 8 Canada 21.78 9 Ukraine 20.11 10 Japan 19.51

In 2014, the percentage of attacked users in Brazil grew by 13.81 percentage points compared with 2013 (when Brazil was 23th in the rating). This intense burst of phishing activity in Brazil is probably connected to the 2014 World Cup, which brought thousands of fans from around the world to the South American country.

The distribution of attacks by country

Russia had the greatest share of phishing attacks, with 17.28% of the global total. The percentage of users in this country on whose computers the Kaspersky Lab antiphishing system was up 6.08pp from the previous year.

Distribution of phishing attacks by country in 2014

The increase in the number of attacks on the users in Russia is probably related to the deteriorating financial situation in the country in 2014. People are making more transactions as they try to invest their savings and make online purchases. At the same time many users are worried, giving scammers more opportunities to apply their social engineering techniques and play on those fears.

Last year's leader - the US (7.2%) - moved down to second place, with a 23.6 percentage point drop in the number of attacked users. It is followed by India (7.15%) and Brazil (7.03%), where rates increased by 3.7 pp and 5.11 pp respectively.

Organizations under attack

These statistics on the organizations used in phishing attacks are based on the triggering of the heuristic component of the antiphishing system. The heuristic component is triggered when a user follows a link to a phishing page and there is no information about this page in the Kaspersky Lab databases.

Distribution of organizations subject to phishing attacks by category, 2014

In 2014 we saw changes in the organizations targeted by phishers. Last year's leader, the 'Social networking and blogs' category dropped 19.62 pp to 15.77%, and was overtaken by 'Global portals', which gained 19.29 pp and reached 42.59%. Global Portals was previously described as 'E-mail' in earlier reports. The change is no big surprise: Google, Yahoo!, Yandex and similar companies are constantly developing their services and offering new options, from email and social networks to e-wallets. This is very convenient for users because everything is available under one account; it's also a boon for scammers because one password can unlock a huge range of digital resources. That's why Yahoo! and Google came into the top 3 most-frequently attacked organizations, sandwiching Facebook.

Top 3 attacked organizations

  Organisation % of phishing links 1 Yahoo! 23.3 2 Facebook 10.02 3 Google 8.73

In 2014 the numbers for Yahoo! (23.3%) grew by 13.3 percentage points compared with the previous year (partly due to a sharp increase in the number of fraudulent links to fake Yahoo! pages at the beginning of January 2014).

The share of phishing attacks on financial institutions was 28.74%, a 2.71 pp drop from 2013. Within this sector the percentage of attacks on the banking sector declined (down 13.79 pp from 2013). At the same time the numbers for "Online stores" and "Payment systems" rose by 4.78 pp and 9.19 pp respectively.

Distribution of financial phishing by the type of organization attacked, 2013

Distribution of financial phishing by the type of organization attacked, 2014

You can read more about financial phishing in our report "Financial cyber threats in 2014: times have changed".

Conclusion

The percentage of spam in email traffic continues to decline; we do not expect a significant change in these numbers in 2015.

We expect a further reduction in the amount of advertising spam and an increase in the number of fraudulent and malicious emails. At the same time we will see more carefully designed fake messages, in which attackers will use even more elaborated tricks (such as malicious attachments with unusual extensions like .arj, .scr).

Fraudsters use a variety of methods to distribute phishing content. However, time-proven phishing mass mailings are still popular and are likely to remain so for a long time.

For their phishing attacks scammers choose the clients of the most popular organizations, thereby increasing the likelihood of a successful attack. At the same time, many attacks are conducted in order to get maximum personal, primarily financial, information from the victim. We assume that this trend will continue in the future.

'Locked Out'

Secure List feed for B2B - Thu, 03/12/2015 - 07:00

Today the great majority of malware is created with the aim of enrichment.  One of the tactics often used by evildoers is to encrypt files and demand a ransom for their decryption. Kaspersky Lab classes such programs as Trojan-Ransom malware, although there is another widely used and resonant name – encrypters.

Encrypters have become a serious problem for users, especially corporate users.  And related topics attract the most posts and readers on our forum.

Despite all the efforts of the anti-virus companies we don't expect an easy victory over encrypters in the short term.  There are at least two good reasons for this:

  1. Encrypters are constantly evolving.  It is a battle of arms and armour: the defence gets better – the weapons get better.
  2. The attack is not carried out on the user's computer but on the system of computer + user.  That is, one of the attack vectors is human.  A person is subject to emotions and irrational acts.  A person is capable of ignoring the warnings of the defence systems or turning it off altogether.  This is precisely what the evildoers are counting on.

In this article we look at the evolution of complication of the encryption schemes used by virus writers and the methods they adopt to put pressure on their victims.  At the end of the article there is some advice for users which might help them protect important files.

The evolution of encrypters: from simple to complex

Serious antivirus companies devote special attention to protection against encrypters. To counter the improved systems of defence virus writers need to change their programs regularly. And they change almost everything: the encryption schemes, means of obfuscation and even the formats of executable files.

Virus writers change the encryption schemes, means of obfuscation and even the formats of executable files

Tweet

We will consider the evolution of encrypters in terms of the methods of encryption and cypher schemes employed. Depending on the cypher scheme used and the method of obtaining the key, in some cases it is possible to easily decypher the encrypted data and in others it is impossilbe to do so within a reasonable time.

Encryption with an XOR operation

We begin with programs that use the most primitive encryption.  A typical example of such malware is the Trojan-Ransom.Win32.Xorist family.  It has the following characteristics:

  • Xorist is one of the few encrypters that carries out its threat and damages the users files when several incorrect attempts are made to enter the password.
  • An XOR operation is used to perform the encryption.  The vulnerability of this encryption scheme is that it is possible to easily decrypt files because of the well-known standard file headers.  To counter this attack Xorist encrypts files not from the very beginning but after an interval.  By default this interval is 104h bytes but this can be changed at compilation.
  • To complicate the encryption algorithm the key is randomised with the help of the first letter of the file name.

Fragment of a file encrypted by an encrypter of the Xorist family: the eight byte key is clearly visible

On the whole, despite all the cunning of the creators of Xorist the files encrypted by it can be entirely decrypted relatively easily.  Maybe for that reason at the moment the Xorist family of malware is hardly ever encountered in the wild.

To combat Trojan-Ransom.Win32.Xorist the specialists of Kaspersky Lab created the utility XoristDecryptor.

Symmetrical Encryption

A symmetrical encrytion scheme is a scheme that uses a pair of keys for encrytion and decryption that are symmetrical to each other (this is why this scheme is called symmetrical).  In the great majority of cases in such schemes one and the same key is used for encryption and decryption.

If the key is embedded in the body of the encrypter, if one has access to the body of the malware it is possible to extract the key and create an effective utility to decrypt the files.  Such malware usually tries to delete itself after encrypting the files.  An example of this type of program could be one of the modifications of the Rakhni family.  Keys that were detected were added to the utility RakhniDecryptor.

If the key is recieved from the attacker's server or generated and sent to it then having an example of the malware yields little — an example of the key is necessary, and it is on the attacker's server.  If it is possible to recover the key (for obvious reasons the malware tries to delete such key after use) then it is possible to create a utility for decryption.  In this case a system that caches the internet traffic of the user may be useful.  An example of this type of malware is Trojan-Ransom.Win32.Cryakl.

Assymetric encryption

Assymetric encryption is the name given to those schemes in which the encryption and decryption keys are not related in an obvious symmetrical way.  The encrytion key is called the open or public key and the decryption key is the secret or private key.  Calculating the private key from a known public key is a very complicated mathematical task which is not possible in a reasonable time using modern computing capabilities.

At the heart of assymetrical cypher schemes is the so-called trapdoor one-way function.  Put simply this is a mathematical function that depends on a parameter (secret).  Without knowing the secret parameter the value of the function is calculated comparatively easily going one way (for a given value argument we can calculate the value of the function) and extremely difficult in the reverse direction (knowing the value of the function to calculate the value of the argument).  However everything changes knowing the secret parameter — with its help it is possible to reverse the function without particular difficulty.

Assymetric encryption with one key pair

If the public key is embeded in the body of the malware the presence of the malware without the private key is almost no help in decyphering the files (but does help in detecting the program and others like it in the future).

However if the private key becomes known (and it should at least be contained in the decrypter which the evildoer is offering for sale), then it becomes possible to decrypt the data for all users affected by the modification of the program using that public key.

An example of malware of this type is Trojan-Ransom.Win32.Rector.  The characteristics of this family are as follows:

  • Uses assymetric encryption and the public key is hidden in the body of the encrypter.
  • To speed up the encryption of files it doesn't encrypt them all at once but in small sections.  The encrypted sections are added on to the end of the file and their space is filled in with sequences with a frequency of one byte.  Because of this the encrypted file gains a typical 'scratched' appearance.

File fragment encrpted by a program from the Rector family

  • One defect of this scheme for the evildoer is that for the decryption of the files it is necessary to hand over the private key, which can be used to decypher all files encrypted by this modification of the malware.

Thus, although direct decryption of the files is impossible, several users suffering from one and the same modification of the malware can unite and buy one decoder for all of them.  Also users and other interested persons send decoders to us.  The private codes received are added to the RectorDecryptor.

If the public key is obtained from the evildoer's server (which allows the use of a unique public key for each user) then the presence of the body of the malware doesn't help in the decryption of the data — it is necessary to have the private key.  However the body of the program helps identify and block the malware server and this helps protect other users.

Encryption using several keys

To ensure a unique decoder for each user schemes with several keys are used.  For this the key for encryption of data is generated on the victim's computer.  It might be a symmetric key or an assymetric key pair.  The algorithm for key generation is chosen so that the resulting key is unique for each affected user.  In other words the chances of these keys being the same in any two cases should be extremely small.  However sometimes the malware creators make a mistake and the key is generated from a relatively small range of possible values.  In this case the user's data can be decyphered by trying all possible values of the key.  However such cases have been rare lately.

The user's data is encrypted using the generated key.  Then the key that is necessary to decypher the data is encrypted itself using another public key.  This public key is generated earlier and the accompanying private key is not in the body of the encrypter but instead that private key is known to the evildoer.  Then the original key necessary for decyphering the data is deleted and only the encrypted version remains on the user's computer.

Now, having received the encrypted copy of the key the evildoer can extract the key from it that is needed to decypher the user's data and include it in the decoder.  And this decoder will be useless for other affected users.  Which, from the point of view of the evildoers, is a great improvement over the two-key schemes described above.

There is no algorithm to decrypt files encrypted with the RSA with a key length of 1024 bits in an acceptable time

Tweet

An example of malware using a scheme with several keys is the Trojan-Ransom.BAT.Scatter family. The Scatter family has several significant features:

  • A more advanced encryption scheme is used with two pairs of assymetric keys, which allows the evildoers to encrypt the files of the victim without revealing their private key.
  • Samples of this family are written in scripting languages, which allows the malicious functions to be easily changed.  Scripts are easier to obfuscate and this process is easier to automate.
  • The samples have a modular structure.  The modules are downloaded from the wrongdoers' website during the running of the script.
  • Renamed legitimate utilities are used for the encryption of files and deletion of the keys. 
  • A high level of automation of the process has been achieved.  Almost everything is automated, the malware objects are automatically generated, letters are sent out automatically.  Furthermore, according to the malefactors the process of handling letters from victims and further contact with the victims has been automated.  The decyphering of test files of the victim, evaluation of the cost of the information, the provision of bills, checking payment and sending out decoders all happen automatically.  It is difficult for us to check the truth of this information but taking into account data obtained from studying the modules of Trojan-Downloader.BAT.Scatter there is no reason not to believe these claims. 

The Scatter family appeared quite recently: the first samples were detected by Kaspersky Lab specialists at the end of July 2014.  In a short time it significantly evolved, providing itself with the functionality of Email-Worm and Trojan-PSW.

From 25 July 2014 to 25 January 2015 we detected 5989 attacks with the use of Trojan-Downloader.JS.Scatter on 3092 users.

Number of detected downloadings of Trojan-Downloader.JS.Scatter. The spike in the middle of November is the result of a new modification spreading in the USA

The geography of distribution of Trojan-Downloader.JS.Scatter downloads 25 July 2014 — 25 January 2015

This family is worth discussing in more detail as we can say with certainty that the Trojan-Downloader.*.Scatter family is a new step in the evolution of encrypters.

Technical details: Scatter, a new evolutionary step

The Scatter program family is multimodule script multifunction malware. As an example we chose the modification of the encryption module which is detected as Trojan-Ransom.BAT.Scatter.ab which started to appear with regularity in the middle of October.

More Trojan-Downloader.JS.Scatter.i download module

The malware download module is spread in email attachments. The filenames are specially chosen by the attackers to make the letter seem legitimate and end up with the accounting staff.

FullName HitsCount ./draft collation act.zip// unpaid bills. Draft collation act for two months – accountancy dept agreed till 14 October 2014_mail.attachment_scannеd.avast.ok.dос .js 4386 scan copy of debts 2014.zp//unpaid bills . Draft collation act for two months – accountanct dept agreed till 14 October 2014._mail.attachment_scannеd.avast.ok.dос .js 402 unpaid bills. Draft collation act for two months – accountancy dpet agreed till 14 October 2014_mail.attachment_scannеd.avast.ok.dос .js 241 Draft collation act.zip 22

The most popular names of the Scatter download modification appearing in the first half of October

If a user attempts to open the attachment they start the downloader, which is an obfuscated JavaScript and is detected by Kaspersky Lab as Trojan-Downloader.JS.Scatter.i

Fragment of the obfuscated code of the downloader Trojan-Downloader.JS.Scatter.i

After being started by the user the downloader downloads five other objects from the malefactor's site.  These files are saved in a directory defined by the variable %TEMP%.  Not all of these five objects are harmful:

  • fake.keybtc – is a renamed version of the legitimate program gnupg gpg.exe intended for carrying out cryptographic operations.
  • night.keybtc – is a renamed version of the library iconv.dll necessary for gpg.exe to work properly
  • trash.keybtc – is a renamed version of the utility sdelete.exe from Microsoft designed to reliably delete files.
  • key.block – is a malicious command script that uses the utilities above to encrypt files.  This object is detected by Kaspersky Lab as Trojan-Ransom.BAT.Scatter.ab
  • doc.keybtc – this file is in the Microsoft Word format.  The downloader renames this file as word.doc and then tries to run it.  If there is a program for looking at .doc files on the user's computer the user sees the following picture:

The beginning of the Microsoft Word document shown to the user by the downloader Trojan-Downloader.JS.Scatter.i

This document doesn't contain any malicious code.  Its task is too reduce the alertness of the user and distract his attention from the processes taking place on his/her computer.

In the meantime the downloader renames the file key.block to key.cmd and runs it.  At that the work of the downloader is finished and Trojan-Ransom.BAT.Scatter begins.

The sequence of actions of the encrypter Trojan-Ransom.BAT.Scatter.ab 1. Preparation
1.1. Rename the legitimate files it needs with extensions that can be used.
1.2. Check the presence of the special file containing in its name the client identifier and the current date. If such a file exists the encrypter considers that the files are already encrypted and doesn't do anything else. This prevents the rewriting of the special files KEY.PRIVATE and UNIQUE.PRIVATE, created by the Trojan during encryption (more details on these below).
1.3. Check the presence of the directory %AppData%\BitCoin. If this directory exists then later the Trojan tries to steal the BitCoin wallet data.
1.4. Check the existence of the file "%TEMP%\partner.id". This confirms the information found earlier about the presence of the partner programs spread by Scatter. (It is interesting that in some communications on infected computers the wrongdoers offered their victims to decypher their files in exchange for certain services and even promised money for these services. It is possible that in this way they are trying to turn the user into a partner.)
1.5. Generate a key pair (public and private keys: files pubring.gpg and secring.gpg respectively) with the parameters:
Key-Type: RSA
Key-Length: 1024

This type of encryption is currently considered effective: there is no algorithm to decrypt files encrypted with the algorithm RSA with a key length of 1024 bits in an acceptable time without knowing the private key.

1.6. Extract the public key from the body of the malware and  use it to encrypt the file secring.gpg, the private key of the key pair, as a result obtaining the file secring.gpg.gpg.  After that secring.gpg is deleted with the help of the legitimate utilitysdelete.exe and its location rewritten 16 times.  If for some reason it is impossible to delete the unencrypted key using sdelete the Trojan tries to delete it itself, writing over it several times with rubbish.  Multiple rewriting of the location of the file is necessary so that the private key can not be recovered even using special programs for restoring deleted data.
1.7. Copy the encrypted private key (secring.gpg.gpg) under the name %TEMP%\KEY.PRIVATE", which the malware tries to do twice for reliability.  Then it once more checks the presence of KEY.PRIVATE.  If it isn't there and neither is secring.gpg the Trojan doesn't carry out encryption and goes straight to distribution of its loader (item 3)
2. Encryption
2.1. Before the start of encryption the Trojan generates a script with a list of files which it will encrypt.  It does this in two stages:
  • First it looks for and adds to the file databin.lst the paths to files with the following extensions:
    *.xls *.xlsx *.doc *.docx *.cdr *.slddrw *.dwg *.pdf.
  • Then it adds to databin.lst the paths to files with the following extensions:
    *.mdb *.1cd *.accdb *.zip *.rar *.max *.cd *.jpg.

Why does it do this?  The RSA algorithm is reliable but extremely slow.  Therefore the malware 'is afraid' that it might start encrypting large files or a directory with a lot of photographs and that something might interfere with it.  For instance the user might switch off the computer.  Therefore the Trojan first of all tries to encrypt small files that are potentially important for the organisation and then moves on to media such as disks and other large volumes of data.

Apart from the list for encryption, the names of files and their size the database UNIQUE.BASE is added to the file.  This database contains the name of the computer and name of the user.  Later the database created will help the evildoers evaluate the size and value of the encrypted information, so as not to undersell their 'goods' and seek the maximum price for decryption.

Then the list of files and database are filtered from files located in utility directories.  As a result the 'filtered' files UNIQUE1.BASE and bitdata1.bin are created.

2.2. The file UNIQUE1.BASE is encrypted with the public key pubring.gpg, which was generated at the begining of the operation of the encrypter. The resulting encrypted file is renamed UNIQUE.PRIVATE and the file UNIQUE1.BASE is deleted.
2.3. The files UNIQUE.PRIVATE and KEY.PRIVATE are copied straightaway in several places so that the user can find them easily. These files are encrypted and the user can not decypher them without knowing the private key of the attackers.
2.4. The Trojan generates a message to the user and adds it to the autoloader:

Fragment of the message of the evildoers (translation from the Russian):

For system administrators:

1. Your information has been encrypted using RSA-1024 assymetric encryption, used by the military.  Breaking it is impossible.
During encryption the special ID-file KEY.PRIVATE was copied to various places on the computer.  Do not lose it!
For each computer a new ID-file is created.  It is unique and contains the code for decryption.  You will need this.
'Temporarily blocked' means that the files are modified on the byte-level using a public 1024 bit RSA key.

2. And so, our further actions are as follows:

2.1. You can contact us only using the email address ************@gmail.com
2.2. First of all you need a guarantee that we can decypher your files.
2.3. Contact us.  The structure of your email should be as follows:

  • include your ID-file KEY.PRIVATE (!!) - look for it on your computer, without it it will not be possible to re-establish your data.
  • 1-2 encrypted files to check the possibility of decryption
  • the approximate number of encrypted files/computers

2.4. You will recieve a guarantee and the cost of your key within one hour
2.5. Next payment should be made, the minimum cost will be 150 euros
2.6. We will send you your key, you should put it in the same directory as the decoder (DECODE.exe)
2.7. When the decoder is started the concealed decryption of your data is carried out.  You should not start this process more than once.
2.8. The process of decryption might take up to 12 hours in stealth mode.  At the end of the process the computer will reboot.

2.5. The Trojan renames bitdata1.bin (the script for the encryption of data generated earlier) as bitdata.cmd and starts it running. As a result the user's files are encrypted and the email address of the evildoers is added to their extensions.
2.6. After successful encryption the mark BITM is added to all files UNIQUE.PRIVATE and KEY.PRIVATE
3. Distribution of loader by electronic mail
3.1. The Trojan downloads additional components allowing it to collect passwords from the same site of the wrongdoers that the loader used earlier.  These components are downloaded in parts and assembled on the victim's computer.
3.2. With the help of the downloaded components the evildoer looks for user passwords for mail services Mail.ru, Yandex.ru and Gmail on the infected computer.  Any passwords found are sent to a special email address of the malefactor and data from any located BitCoin wallets are also sent there.
3.3. The malware generates 15 variants of letters.  They are all linked by a legal and not an accounting theme on this occasion.

With the help of passwords to mail services obtained earlier the Trojan connects with the mail servers and obtains the headers of letters received.  Email sendouts and automatic mesages are filtered out of the emails received.  All the remaining email addresses are sent one of the 15 possible versions of the letters, selected with the help of a random number generator.

It is interesting that regardless of the text of the letters, one and the same attachment is added — the archive with password '1'.  This archive is downloaded from the same site of the attacker before the start of the mail out.  Inside the archive is a file with a long name in Russian, which translates as:

Complaint concerning unpaid debts. Legal department — Confirmed and agreed for dispatch to debtor_October 2014_ Avast.ОК.dос .js

In several cases the theme of the letter and the name of the attachment do not match each other — this is a drawback of the automatic generation of letters and malware objects.

The object with the long name is the JavaScript Trojan-Downloader.JS.Scatter.i described earlier but already with another obfuscation.

Code fragment of the downloader Trojan-Downloader.JS.Scatter.i with another obfuscation

Despite the obfuscation both scripts are successfully detected by Kaspersky Lab products, both by signature and using heuristics written over a year ago, before the appearance of this type of malware.

To the aid of the bad guys: the human factor

The business of cyber-blackmailers is flourishing. In 2014 Kaspersky Lab recorded more than seven million attacks on its users with the use of objects from the Trojan-Ransom family.

In 2014 Kaspersky Lab recorded more than 7 million attacks with the use of encrypters

Tweet

Number of attacks by encrypters blocked every month by Kaspersky Lab in 2014

Malefactors ever more frequently prefer to receive payment in the crypto-currency BitCoin.  Although prices for users by habit are indicated in rubles, US dollars and euros.  The prices for decryption for simple users start at 1000 rubles and increase to several hundred dollars.  In the case of encryption of the files of an organisation the appetite of the malefactors increases by on average a factor of five.  There are cases known when 5000 euros was demanded for file decryption.  Unfortunately, for companies that have lost their data it is often simpler to pay than lose important information.  It is no surprise that organisations are the main target of evildoers utilising encrypters.

Why are encrypters able to inflict such damage?

As was mentioned above, most antivirus companies constantly improve their defences against encrypters.  For instance Kaspersky Lab has implemented special technical 'Protection against Encrypter Programs' in its products.  However, as is well known, the weakest point in IT protection is the user.  And in the case of encrypters this is extremely relevant.

We conduct special events dedicated to combatting this type of malware.  These events include a whole complex of measures: analysis of all incidents that have occured at organisations contacting our technical help service (using both our own and other antivirus products); search for and collection of samples of encrypters; analysis of the work of each defensive component of our products in each event that happened; improvement of existing and development of new methods of detecting and remedying the consequences of the actions of encrypters.  This is painstaking work and takes a lot of time, but it is necessary for our products to deal successfully with this constantly changing threat.

In our research we often see file encryption attacks made possible by employees working with antivirus disabled

Tweet

During these investigations we often come across instances of the encryption of files in organisations as a consequence of their employees working with the antivirus program switched off.  And these are not isolated cases, our technical help service encounters such cases several times a week.

It seems to us that one possible reason for such carelessness among users, strange as it may seem, is down to significant technical progress.  The improved defences of browswers and operating systems has led to a state where today users encounter the threats of malicous programs less often than previously.  As a result some of them, not thinking, switch off individual components of their antivirus products or don't use them at all.

Much has been said about the need to regularly update programs.  Nevertheless we once again note the importance of keeping anti-virus programs up to date.  We have investigated cases of encryption of files at organisations that happened for one simple reason: the user, on arriving at work, started to read their mail not waiting for the anti-virus database to update — and that update contained a signature capable of identifying the malware involved.

On the other hand it is worth remembering that no product, no matter how modern, can provide 100% protection against malware appearing on the computer.  Belief in the absolute defence of a 'super-anitvirus program' leads to users being careless — for instance opening file attachments in suspicious letters or unthinkingly clicking on dangerous links.  The availability of 'advanced' systems of defence does not relieve the user of the need to follow the security policy.

Make back-up copies of all important files on separate media off the computer

Tweet

The lack of back-up copies of important files plays its part in the success of encrypters.  Earlier it was possible to lose data not only as a result of the operation of malware but because of failure of the data medium or one's own legitimate programs, used to operate on important data.  But in recent decades the reliability of media and programs has improved dramatically.  And most users have stopped making back-up copies of their data.  As a result, if a computer is infected with an encrypter it simply paralyses the normal work of the company and the chances of the attacker receiving money for decrypting the data increase accordingly.

Traps for the unwary: how users are attacked

If you compile a hit parade of the methods used to spread encrypters the first and second places would be taken resoundingly by email. In the first case the dangerous object is contained directly in the letter and in the second the letter doesn't contain the object itself but a hyperlink to it. In third place in terms of popularity we see attacks via a system for remote control of the computer (Microsoft's Remote Desktop Protocol or RDP). Such attacks as a rule are carried out on an organisation's servers.

RDP attack

Let's start with the rarest and simplest method.  In the event of an RDP attack the evildoer, having obtained remote access to the computer, first of all switches off the antivirus program and then runs the encrypter.  The main factors allowing such an attack via RDP are the use of weak passwords or a leak of information about the password from the user's record files. The introduction of a strict password policy will help resist such an attack:

  • a password must be tough to crack (complicated);
  • a password should be known only to its user;
  • a password should be changed regularly.
Attack via electronic mail

If an attack by RDP occurs without the user's involvement; an attack via email must be activated by the user him or herself by running a received file or clicking on a link in a letter.  This is achieved by social engineering methods used by the wrongdoer or, to put it more simply, by lying to the user.  The wrongdoer's strategy is often built on the fact that the person under attack is chosen because they have a job totally unrelated to information security.  Such people may not even know of the existence of such threats as malicious encryption of files.

The person under attack is chosen because they have a job totally unrelated to information security

Tweet Letter topics

The organisation receives a letter that sounds frightening, for instance a court case has been initiated against the organisation, the details of which are contained in the document attached.

A example 'letter from the court'. The attachment contains a Trojan-encrypter

The thinking of the evildoers is probably something like the following: frighten the victim with some imaginary threat, the fear of which outweighs the worry about opening an unknown email attachment.

For organisations this approach works especially well: the simple employee receiving such a letter bears an unexpected responsibility.  The employee tries to share the responsibility and consults his/her colleagues.  The evildoer's chances  that someone will open the attachment increase.  In several incident investigations  it turned out that the in-house lawyers of the victim organisations insisted that the attachment be opened.

Be suspicious of links and attachments in unexpected letters

Tweet

And to reduce the suspicions of the recipient the author of the letter might use official logos:

An example of a letter containing a link to a malicious object

Or the executable file might be built into a Microsoft Word document and be masked by an icon:

An example of how an executable file can be hidden in a Microsoft Word document

The malefactors also use a scheme when a Microsoft Word document contains unreadable text and a request to allow macros, supposedly to correct the appearance of the text. In actual fact after the operation of the macro the Trojan-encrypter will be loaded onto the computer.

An example of a Microsoft Word document 'convincing' the user to execute a malicious macro
The red text says 'To correct the display switch on macros'

The thing about filenames

The next social engineering technique is the use of special words in the names of files contained in the archives attached to the letter (or downloaded by the user). For instance it could be the word 'checked' or 'secure' plus the name of various anti-virus products. The aim of the malefactors is to make the user believe that the attachment has been checked by an anti-virus product.

An example of a malicious attachment using the name of an anti-virus product and the extension .js

The extensions for executable files are specially chosen to be unknown to the casual user.  Usually .scr, .com and .js are used.

A special mention goes to attachments apparently providing 'free security tutorials from Kaspersky Lab'.  Such letters are also sent in the name of other security companies.

Recommendations for users

Detailed recommendations for system administrators can be found here.
Here we give some brief recommendations for users:

  • Make back-up copies of all important files on separate media off the computer.
  • Switch on display extensions for registered file types.  This will help you to check that the document sent to you really is a document and not an executable file.  You need to check this even if the letter comes from a known sender.
  • Be suspicious of links and attachments in unexpected letters.  Curiosity and fear are the favourite instruments of wrongdoers, causing users to forget about being cautious and to open attachments.
  • Use the latest version of anti-virus products. As a rule their effectiveness increases with every new version thanks to new modules.  We earnestly recommend the users of our products to enable KSN.
  • And finally, wait for the anti-virus database to be updated before reading your morning mail.
  • System administrators (in addition to everything else) should keep users aware of threats.

Dropbox Patches Remotely Exploitable Vulnerability in SDK

Threatpost for B2B - Wed, 03/11/2015 - 14:56
Developers at Dropbox recently fixed a remotely exploitable vulnerability in the Android SDK version of the app that enabled attackers to connect applications on some devices to a Dropbox account without the user's consent.

Details Surface on Stuxnet Patch Bypass

Threatpost for B2B - Wed, 03/11/2015 - 13:01
HP's Zero Day Initiative published details of a bypass for a five-year-old Windows patch for the .LNK vulnerability exploited by Stuxnet.

Facebook Issues Present Possible Threat to Users

Threatpost for B2B - Wed, 03/11/2015 - 11:39
UPDATE–A security researcher has identified a pair of security issues in Facebook, one of which can be used to to upload an arbitrary file to the site, and the other of which can allow an attacker to gain control of a victim’s machine under some limited circumstances with user interaction. The more serious of the vulnerabilities, which […]

Equation APT Group Attack Platform A Study in Stealth

Threatpost for B2B - Wed, 03/11/2015 - 07:00
The EquationDrug cyberespionage platform is a complicated system that is used selectively against only certain target machines, one that can be extended via a collection of 116 malware plug-ins, researchers at Kaspersky Lab said.

Inside the EquationDrug Espionage Platform

Secure List feed for B2B - Wed, 03/11/2015 - 07:00
Introduction

EquationDrug is one of the main espionage platforms used by the Equation Group, a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. (See full report here [PDF]).

EquationDrug, which is still in use, dates back to 2003, although the more modern GrayFish platform is being pushed to new victims.

EquationDrug represents the main espionage platform from the #EquationAPT Group

Tweet

It's important to note that EquationDrug is not just a Trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules on the machines of selected victims. The concept of a cyberespionage platform is neither new nor unique. Other threat actors known to use such sophisticated platforms include Regin and Epic Turla.

The EquationDrug platform can be extended through plugins (or modules). It is pre-built with a default set of plugins supporting a number of basic cyberespionage functions. These include common features such as file collection and the making of screenshots. Sophistication is added by storing stolen data inside a custom-encrypted virtual file system before it is sent to the command and control servers.

The name "EquationDrug" or "Equestre" was assigned to this framework by Kaspersky Lab researchers. The only reference left by the framework developers was a short string "UR", as seen in several string artifacts left in the binaries.

Platform Architecture

The EquationDrug platform includes dozens of executables, configurations and protected storage locations. Putting all the pieces of this puzzle together in the right order may take time for those who are not familiar with the platform.

The platform includes executables, configurations and protected storage locations #EquationAPT

Tweet

The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface. The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins. Every plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved.

Similar to popular OS kernel designs, such as on Unix-based systems, some of the essential modules are statically linked to the platform core, while others are loaded on demand.

The hypothesis that these attackers have been active since the 90s seems realistic #EquationAPT

Tweet

The platform is started by the kernel mode driver component ("msndsrv.sys" on Windows 2000 or above and "mssvc32.vxd" on Windows 9x). The driver then waits for the system to start and initiates execution of the user-mode loader "mscfg32.exe". The loader then starts the platform's central module (an orchestrator) from the "mscfg32.dll" module. Additional drivers and libraries may be loaded by different components of the platform, either built-in or auxiliary.

Platform Components

The EquationDrug platform can be as sophisticated as a space station, but it appears to be of no use without its cyberespionage features. This function is provided by plugin modules that are part of the massive framework described above. We discovered dozens of plugins and each is a sophisticated element that can communicate with the core and become aware of the availability of other plugins.

The plugins we discovered probably represent just a fraction of the attackers' potential. Each plugin is assigned a unique plugin ID number (WORD), such as 0x8000, 0x8002, 0x8004, 0x8006, etc. All plugin IDs are even numbers and they all start from byte 0x80. The biggest plugin ID we have seen is 0x80CA. To date, we have found 30 unique plugin IDs in total. Considering the fact that the developers assigned plugin IDs incrementally, and assuming that other plugin IDs were assigned to modules that we have not yet discovered, it's not hard to calculate that 86 modules have yet to be discovered.

86 modules have yet to be discovered #EquationAPT

Tweet

The most interesting modules we have seen contain the following functionality:

  • Network traffic interception for stealing or re-routing.
  • Reverse DNS resolution (DNS PTR records).
  • Computer management:
    • Start/stop processes
    • Load drivers and libraries
    • Manage files and directories
  • System information gathering:
    • OS version
    • Computer name
    • User name
    • Locale
    • Keyboard layout
    • Timezone
    • Process list
  • Browsing network resources and enumerating and accessing shares.
  • WMI information gathering.
  • Collection of cached passwords.
  • Enumeration of processes and other system objects.
  • Monitoring LIVE user activity in web browsers.
  • Low-level NTFS filesystem access based on the popular Sleuthkit framework.
  • Monitoring removable storage drives.
  • Passive network backdoor (runs Equation shellcode from raw traffic).
  • HDD and SSD firmware manipulation.
  • Keylogging and clipboard monitoring.
  • Browser history, cached passwords and form auto-fill data collection.
Code Artifacts

During our research we paid attention to unique identifiers and codenames used by the developers in the malware. Most of this information is carefully protected with obfuscation or encryption algorithms to prevent quick recognition, but anyone who breaks through this layer of encryption may discover some interesting internal strings, as demonstrated below:

Some other interesting text strings include:

SkyhookChow Target
SkyhookChow Payload
Dissecorp
Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00
VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00
VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00
STRAITSHOOTER30.ex_
BACKSNARF_AB25
c:\users\rmgree5\co\standalonegrok_2.1.1.1\gk_driver\gk_sa_driver…
To install: run with no arguments
Attempting to drop
SFCriteria_Check failed!
SFDriver
Error detected! Uninstalling...
Timeout waiting for the "canInstallNow" event from the implant-specific EXE!
Trying to call privilege lib...
Hiding directory
Hiding plugin...
Merging plugin...
Merging old plugin key...
Couldn't reset canInstallNowEvent!
Performing UR-specific pre-install...
Work complete.
Merged transport manager state.
!!SFConfig!!

Some other names, such as kernel object and file names, abbreviations, resource code page and several generic messages, point to English-speaking developers. Due to the limited number of such text strings it's hard to tell reliably if the developers were native English speakers.

Link Timestamp Analysis

We have gathered a reasonably large number of executable samples to which we have been able to apply link timestamp analysis.

A link timestamp is a 4-bytes value stored in an executable file header. This value is automatically set by compiler software when a developer builds a new executable. The value contains a detailed timestamp including minutes and even seconds of compilation time (think of it as the file's moment of birth).

Link timestamp analysis require the collection of the timestamps of all available executables, grouping them according to certain criteria, such as the hour or day of the week, and putting them on a chart. Below are some charts built using this approach.


Can we trust this information? The answer is: not fully, because the link timestamp can be altered by the developer in a way that's not always possible to spot. However, certain indicators such as matching the year on the timestamp with the support of technology popular in that year leads  us to believe that the timestamps were, at the very least, not wholly replaced. Looking at this from the other side, the easiest option for the developer is to wipe the timestamp completely, replacing it with zeroes. This was not found in the case of EquationDrug. In fact, the timestamps look very realistic and match the working days and hours of a well-organized software developer from timezone UTC-3 or UTC-4, if you assume that they come to work at 8 or 9 am.

The timestamps match the working days of software developer from timezone UTC-3 or UTC-4 #EquationAPT

Tweet

And finally, in case you are wondering if the developers work on public holidays, you can check this for yourself against the full list of their working dates:

2001.08.17 2007.12.11 2009.04.16 2011.10.20 2012.08.31 2013.06.11 2001.08.23 2007.12.17 2009.06.05 2011.10.26 2012.09.28 2013.06.26 2003.08.16 2008.01.01 2009.12.15 2012.03.06 2012.10.23 2013.08.09 2003.08.17 2008.01.23 2010.01.22 2012.03.22 2012.11.02 2013.08.28 2005.03.16 2008.01.24 2010.02.19 2012.04.03 2012.11.06 2013.10.16 2005.09.08 2008.01.29 2010.02.22 2012.04.04 2013.01.08 2013.11.04 2006.06.15 2008.01.30 2010.03.27 2012.04.05 2013.02.07 2013.11.26 2006.09.18 2008.04.24 2010.06.15 2012.04.12 2013.02.21 2013.12.04 2006.10.04 2008.05.07 2011.02.09 2012.07.02 2013.02.22 2013.12.05 2006.10.16 2008.05.09 2011.02.23 2012.07.09 2013.02.27 2013.12.13 2007.07.12 2008.06.17 2011.08.08 2012.07.17 2013.04.16 2007.10.02 2008.09.17 2011.08.30 2012.08.02 2013.05.08 2007.10.16 2008.09.24 2011.09.02 2012.08.03 2013.05.14 2007.12.10 2008.12.05 2011.10.04 2012.08.14 2013.05.24 Conclusions

EquationDrug represents the main espionage platform from the Equation Group. It's been in use for over 10 years, replacing EquationLaser until it was replaced itself by the even more sophisticated GrayFish platform.

The EquationDrug case demonstrates an interesting trend: a growth in code sophistication #EquationAPT

Tweet

The EquationDrug case demonstrates an interesting trend that we have been seeing while analyzing supposedly nation-state cyberattack tools: a growth in code sophistication. It is clear that nation-state attackers are looking for better stability, invisibility, reliability and universality in their cyberespionage tools. You can make a basic browser password-stealer or a sniffer within days.  However, nation-states are focused on creating frameworks for wrapping such code into something that can be customized on live systems and provide a reliable way to store all components and data in encrypted  form, inaccessible to normal users. While traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, nation-states create automatic systems infecting only selected users. While traditional cybercriminals typically reuse one malicious file for all victims, nation-states prepare malware unique to each victim and even implement restrictions preventing decryption and execution outside of the target computer.

Nation-state attackers create automatic systems infecting only selected users #EquationAPT

Tweet

Sophistication of the framework is what makes this type of actor different from traditional cybercriminals, who prefer to focus on payload and malware capabilities such as implementing a long list of custom third-party software credential database parsers.

The difference in tactics between cybercriminals and nation-state attackers appears to be due to relative resource availability. It's known that cybercriminals attempt to infect as many users as possible and that they can sometimes compromise hundreds of thousands of systems. It would will take many years to check all those machines manually, analyzing who owns them, what data is stored on them, and what custom software they run.

Cybercriminals probably don't even have enough disk space to collect all the potentially interesting data from the victims hit by their large scale infections. That is why cybercriminals prefer to extract tiny chunks of the most important data (credentials, credit card numbers, etc) on the machine of the victim and transfer only few kilobytes from each compromised host. Such data, when combined from all users, normally takes up gigabytes of disk space.

Nation-state attackers have sufficient resources to store as much data as they want. They have access to virtually unlimited data storage. However, they don't need, and often try to avoid, infecting random users, for the obvious reason of avoiding attention and remaining invisible. Implementing custom data format parsers in the malware not only doesn't help them find all the valuable data on the victim's machine, but may also attract extra attention from security software running on the system. They mostly prefer to have a generic remote system management tool that can copy any information they might need even if it causes some redundancy. However, copying large volumes of information might slow down network connection and attract attention, especially in some countries with poorly developed internet infrastructure. To date, nation-state attackers have had to balance between these two poles: copying victims' entire hard drives while stealing only tiny bits of passwords and keys.

Nation-state attackers use a remote system management tool that can copy any information they need #EquationAPT

Tweet

Now, if you wonder why EquationDrug, a powerful cyberespionage platform, doesn't provide all stealing capability as standard in its malware core, the answer is that they prefer to customize the attack for each one of their victims. Only if they have chosen to actively monitor you and the security products on your machines have been disarmed, will you receive a plugin for the live tracking of your conversations or other specific functions related to your activities. We believe modularity and customization will become a unique trademark of nation-state attackers in the future.

Some code paths in EquationDrug modules lead to OS version checks including a test for Windows 95, which is accepted as one of supported platforms. While some other checks will not pass on Windows 95, the presence of this code means that this OS was supported in some earlier variants of the malware. Considering this and the existence of components designed to run on Windows 9x (such as VXD-files), as well as compilation timestamps dating back to early 2000s, the hypothesis  that these attackers have been active since the 90s seems realistic. This makes the current attacker an outstanding actor operating longer than any other in the field.

Technical Details Kernel mode stage 0 (Windows 9x) - mssvc32.vxd MD5 0a5e9b15014733ee7685d8c8be81fb0d Size 6 710 bytes Format Linear Executable (LE)

This VXD driver handles only two control messages: W32_DeviceIoControl and Dynamic_Init. The DeviceIoControl part is not completely implemented and the driver is only able to check for some known control codes.  However it does nothing. This handler looks more like a code stub rather than actual payload.

On the Dynamic_Init event, the driver retrieves the location of the user-mode loader executable from the following registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] Config

If the value is not present in the registry, it uses the following fallback string hardcoded in the binary:

C:\WINDOWS\SYSTEM\SVCHOST32.EXE

Next, it installs a callback procedure using Windows function _SHELL_CallAtAppyTime. This procedure will be called when CPU is running in ring-3 mode, so that a new executable (loader process) can be started via the traditional way. This is a standard trick that was used by developers in the 90s to initiate a call to DLL export in ring-3 from ring-0 in Windows 9x OS family.

Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys MD5 c4f8671c1f00dab30f5f88d684af1927 Size 105 392 bytes Format PE32 Native Compiled 2008.01.23 14:12:33 (GMT) Location %System32%\drivers\msndsrv.sys

This module can create log files in the following known locations:

%systemroot%\system32\mslog32.dat
%systemroot%\system32\msperf32.dat (default location)

The driver acts as the first stage of the EquationDrug platform on Windows 2000+ and implements rootkit functions for hiding the components of the platform. Additionally, it implements a NDIS driver for filtering network traffic.

When started and initialized, the driver retrieves the location of the user-mode loader executable from the registry value:

[HKLM\System\CurrentControlSet\Services\%driver name%] Config

The %driver name% is not hardcoded and is obtained dynamically from the current module name, which means that different instances may check different registry keys and this may not be a reliable way to check for infection. The sample we analyzed used "msndsrv" as the %driver name%.

Next, it crafts and injects a shellcode in "services.exe" or "winlogon.exe". The shellcode is designed to spawn the loader process from the executable called "mscfg32.exe".

The rootkit code in the driver hooks several Native API functions that lets it hide or protect registry keys, files and running processes. The components of EquationDrug can modify the list of protected objects by sending DeviceIoControl messages to the driver. The driver also maintains a persistent list of protected objects that is stored in the following registry values:

[HKLM\System\CurrentControlSet\Services\%driver name%] 1
[HKLM\System\CurrentControlSet\Services\%driver name%] 2

These values are also protected by the rootkit. They can be revealed by booting Windows in Safe Mode.

The driver contains the following unused strings:

  • \\.\mailslot\dskInfo
  • Dissecorp
User-mode loader - mscfg32.exe, svchost32.exe MD5 c3af66b9ce29efe5ee34e87b6e136e3a Size 22 016 bytes Format PE32 EXE Compiled 2008.01.23 14:26:05 (GMT) Location %System32%\mscfg32.exe

This module opens a unique event named "D0385CB7-B834-45d1-A501-1A1700E6C34E". If the event exists, it waits for 10 seconds and attempts to open a file whose name can be decrypted as "\\.\MSNDSRV". If the device file is successfully opened, the code issues a device request with IOCTL code 0x80000194 and no parameters.

This module uses RC5 in CBC-like mode with a key length of 96-bit for string encryption.

Careful analysis reveals some bits of uninitialized memory found next to encryption key locations. This is unused but partly meaningful memory, because it seems to contain short chunks of strings resembling some local filepaths:

  • "rver\8" (probably part of "Server\8..." string)
  • "LInj" (could be a part of "DLLInjector" or similar)

It's apparent that some parts of the code were designed to run on Windows 9x, for example a call to RegisterServiceProcess Windows API function makes sense only on Windows 9x OS family, because this API function doesn't exist on Windows NT platform.

The module uses a unique algorithm for generating registry value names. The code contains strings, such as "SkyhookChow Target", that are converted to GUID-like strings by calculating SHA1 hash and using its hexadecimal representation as a string. The resulting strings are used as actual registry value names in [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] registry key.

Sample registry value names:

Original String GUID-like registry value name SkyhookChow Target {B6F5CD13-A74D-8B82-A6AA-6FA1BE2484C1-6832DF06} SkyhookChow Payload {F4CF0326-6DCD-EEC8-5323-01CEDB66741A-B55F6F12}

These registry values are encrypted using an RC5 algorithm using a hardcoded 1024-bit key with 24 rounds.

The registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {F4CF0326-6DCD-EEC8-5323-01CEDB66741A-B55F6F12} ("SkyhookChow Payload")
should contain the location of the orchestrator DLL file ("mscfg32.dll"). If the value is not present a default value "%SYSTEM%\mscfg32.dll" is used.

The registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {B6F5CD13-A74D-8B82-A6AA-6FA1BE2484C1-6832DF06} ("SkyhookChow Target")
may contain the location of the executable file that will be used as a "shell" process for the orchestrator library.

The module attempts to start the "shell" process in suspended mode. If there is no "SkyhookChow Target" value or the specified executable fails to start, the module tries different failsafe locations of the programs that can be used instead:

  1. Default browser set in the registry [HKLM\SOFTWARE\Clients\StartMenuInternet\{current @default value}\shell\open\command]
  2. %SystemRoot%\System32\svchost.exe
  3. %SystemRoot%\System32\lsass.exe
  4. Spoolsv service binary from the [HKLM\SYSTEM\CurrentControlSet\Services\Spooler] ImagePath registry value.
  5. Default html file handler from [HKLM\SOFTWARE\Classes\htmlfile\shell\open\command]registry value.
  6. Internet Explorer path from [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\] IEXPLORE.EXE registry value.

Next, the module injects extra code into a newly started target process. The injected code loads the payload DLL ("mscfg32.dll") into the target process and waits for the parent process to exit. When the parent process quits, it unloads the payload DLL and exits as well. The rest of the logic relies on the loaded DLL in that new process. See the description of the "mscfg32.dll" module below.

The module communicates with the Stage0/Rootkit driver "msndsrv.sys" by sending DeviceIoControl messages to the device "\\.\MSNDSRV". It activates the rootkit for its own process, for the target process holding the orchestrator and for all the files involved.

Platform orchestrator - mscfg32.dll, svchost32.dll MD5 5767b9d851d0c24e13eca1bfd16ea424 Size 249 856 bytes Format PE32 DLL Compiled 2008.01.24 22:11:34 (GMT) Location %System%\mscfg32.dll

Creates mutex: "01C482BA-BD31-4874-A08B-A93EA5BCE511", or terminates if one already exists.

Writes a timestamped log file to one of the following locations:

  • %SystemRoot%\temp\~yh56816.tmp
  • C:\Windows\Temp\~yh56816.tmp
  • %Registry_SystemRoot_Value%\temp\~yh56816.tmp
  • Value of [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] D

The file "~yh56816.tmp" retains the history of execution. It comprises debug records of simple structure:

        Stage: DWORD | DateTimeLow: DWORD | DateTimeHigh: DWORD

Basically, it logs the execution of every stage of the orchestrator and the time of execution. The Stage is an integer number starting from 1.

This module spawns a new thread in the DllMain function which contains the main function body. The procedure disables application error popups shown by the default exception handler. This is probably done only in the "Release" version of the malware, because the following code generates exceptions that are reported to the user if application error popups are not disabled. We assume that the "Debug" version of the code doesn't suppress error popups when exception occurs as this helps with the debugging of the code.

The module checks the OS version and if it encounters an unsupported operating system the code generates an exception which terminates the application. The list of OS versions that pass this test:

  • Windows 95/98/ME
  • Windows NT 4.0 and above.

If the module runs on Win9x, it executes Win9x-specific function RegisterServiceProcess to hide from the Windows Task Manager application. If the module is NOT running on WinNT6.0+, it then attempts to open a virtual device file with one of the following names:

  • \\.\MSSVC32 on Win9x
  • \\.\MSNDSRV on WinNT

If the device file is successfully opened, the module activates a rootkit for its process and for the file location "%SYSTEM%\unilay.dll" local path. This is followed by finding and terminating a process named "winproc.exe" which is the name of another component of the platform. Note that this part of the code is executed only on platforms different from WinNT 6.x (Windows Vista and later).

The module was designed to fetch or update its main configuration data from different places. There are some default values set inside the code, such as some timeout values and the following C&Cs:

  • www.waeservices[.]com
  • 213.198.79.49

These default values can be overwritten later.

Next, it locates a data section called "Share2" in the current module and verifies the starting magic number. If it is 0x63959700, it then decrypts the rest of the data in the section and interprets it as a configuration block. However, data from the next location can override all previous settings. This is a registry value with special name.

The naming of the registry location is the same GUID-like SHA1 value as the one used in the loader ("mscfg32.exe"), and is produced from the source string "Configuration":

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}

The configuration block stored in the registry value is encrypted using RC5 with the 1024-bit key. Both the loader and the orchestrator share the same key for encrypting and decrypting the registry values in the "MemSubSys" key.

The decrypted configuration block consists of a series of tagged configuration records in the following format:

        [RecordType:DWORD][RecordSize: DWORD][RecordValue: %RecordSize%]

We retrieved a copy of a configuration block and decrypted and partly interpreted it. We are including the results for one of the configuration blocks:

Time value: 1 year 0 months 1 days 22 hours 6 mins 52 secs. The orchestrator is expected to set this field to the time of initial configuration.
Binaries: 3x1024-bit encryption keys
1b8e7818dad6345c53c2707a2c44648eee700d5cf34fea6a19a3fa0a6a871c72963fdded 91e2703c82b7747b8793e3063700da32cfb8d907dcce1beb36edd575418d1134ef188b 27ec3ce23711a656b0a8bf28921fbf1c39b4c90ad561e4174ed90f26ce11245bb9deb4b 4720403f47ca865ec8bbd3c1df9d93d042ff5b52ec6
05000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000
ed04953f3452068ae6439f04c7904c8be5e98e66e2cd0f267d65240aeed88bd4d3c6105 c99950dd42ccde4bc6bbaf9f6cb1b4e628d943e91f8f97f2aff705fdd25e3af6ba0bc4fd13 d67a2bcb751bb8f21f3d4b66c599f3e572802911394d142f8cf3a299d6d4558f9f0f01634 9afd1888472f4f8c729ffe913f670931f1a227
C&C domain: www[dot]waeservices[dot]com
C&C IP address: 213.198.79.49
C&C port: 443
Timestamp: 2010-12-08 11:35:57
Tool Reference: VTT/82055898/STEALTHFIGHTER/ 2008-10-16/14:59:06.229-04:00
TimeoutA: 25200 sec (7 hours)
TimeoutB: 32400 sec (9 hours)
TimeoutC: 3600 sec (1 hour)
TimeoutD: 172800 sec (48 hours)
+Several Unknown Values

Other configuration blocks we discovered contained similar information, with only some unique values:

Timestamp: 2009-11-23 14:10:15
Tool Reference: Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00
Tool Reference: VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00
Tool Reference: STRAITSHOOTER30.ex_
Tool Reference: VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00
Tool Reference: BACKSNARF_AB25

During the next step, the module obtains PE file version information from the resource section. It loads the version info using hard-coded module names, which are supposed to match the current module name:

  • SVCHOST32.DLL for Windows 9x
  • MSCFG32.DLL for Windows NT

If file version information is available, it gets language-specific values of the PrivateBuild block. The codepage and languages that are verified: Unicode, LANG_NEUTRAL and LANG_ENGLISH_US. When this check passes, the module gets @default registry value from the following location:

  • [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}] TypeLib

If the key is not found, the code checks for registry value TypeLib in the following key:

  • [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}]

If such a value is found, it is then deleted along with the Version value if it exists in the same key.

The string obtained from one of two possible registry values is processed as if this value is a CLSID-like string: the code takes the last 16 hexadecimal digits, splits them in two 8-chars values, converts them to binary form (two DWORDs) and reverses the order of bytes in each DWORD and XORs, the first value with 0x8ED400C0, and the second with 0x4FC2C17B.  Next, the first DWORD value becomes second and the second becomes first. In this order, they are stored in a structure in memory. These two values seem to be very important as they override a few values in the previously known configuration. If they don't exist, values from the current configuration replace them and are stored back in the registry following the reverse procedure:

  1. [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}\Version] is created and @default value is set to version obtained from file version information PrivateBuild field (i.e. 3.04.00.0001). This seems to be used as kit version number.
  2. [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}\Version] is created and @default value is set to a CLSID like string generated from the following:
    • Fixed prefix string: "{8C936AF9-243D-11D0-"
    • Two important DWORD values in the format of "%04X-%04X%08X}" string.

We collected and decrypted several samples of such values. According to the code, they are initialized with values of the Microsoft filetime format. So, we decided to interpret them as filetime values:

20101C04EC2C17B: 1 year(s) 7 month(s) 21 day(s) 23 hour(s) 32 min(s) 1 sec(s)
81E01C04EC2C17B: 1 year(s) 7 month(s) 8 day(s) 12 hour(s) 13 min(s) 5 sec(s)
E0001C04EC2C17B: 1 year(s) 7 month(s) 21 day(s) 1 hour(s) 6 min(s) 15 sec(s)
77101C04EC2C17B: 1 year(s) 5 month(s) 20 day(s) 19 hour(s) 15 min(s) 4 sec(s)
30F01C04EC2C17B: 1 year(s) 8 month(s) 0 day(s) 6 hour(s) 10 min(s) 33 sec(s)
C0901C04EC2C17B: 1 year(s) 8 month(s) 2 day(s) 6 hour(s) 29 min(s) 39 sec(s)
66701C04EC2C17B: 1 year(s) 6 month(s) 9 day(s) 2 hour(s) 10 min(s) 23 sec(s)
F6501C04EC2C17B: 1 year(s) 6 month(s) 6 day(s) 19 hour(s) 53 min(s) 22 sec(s)
01401C04EC2C17B: 1 year(s) 6 month(s) 25 day(s) 23 hour(s) 34 min(s) 13 sec(s)

After that, the module stores current time values in encrypted form in the registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663} (encoded SHA1 of "StartTime")

The module contains an additional compressed Windows DLL file in the resource section, which is extracted as "unilay.dll" (see below). This DLL exports a number of functions that are just wrappers of the system API used to work with files and the registry, and also start processes and load additional DLL files.

The orchestrator contains several built-in plugins that form the core of the platform. These are initialized in the first place, and then additional plugins are loaded. All the plugins are indexed in a single encrypted registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] 1

This value has information about all the components of the current kit. It may include Unicode strings with paths to extra DLLs which serve as plugins. Each DLL exports at least four functions which are imported by ordinal numbers from 1 to 4.

The structure of the registry value "1":

[Count:DWORD]{ [Plugin Id:WORD][Plugin Path Length:DWORD][Plugin Path String:VARIABLE] }

Plugins interact with each other and with the orchestrator by exchanging messages of pre-defined format. The message transport is implemented as a global object that contains four communication streams. Every stream contains a pair of kernel synchronization object handles (a semaphore with fixed maximum value defaulted to 1000 and a mutex) and a message queue as an array. A dedicated thread processes messages that appear in the message queues.

A message arrives in a parcel, represented as two DWORD values that contain the size of the message and a pointer to the message data. The message data starts with a DWORD identifying a class of message (a request, reply, etc).

The orchestrator contains the following built-in plugins (listed by internal ID): 8000, 8022, 8024, 803C, 8046, 800A, 8042, 8002, 8004, 8006, 8008, 8070, 808E. Several additional built-in modules have been discovered in newer versions of the orchestrator that was shipped with the GrayFish platform.

EquationDrug Plugins: Plugin ID File name Description 8000 Built-in Core, basic API for other modules 8002 wshcom.dll C&C communication using Windows sockets 8004 Built-in Additional message queue 8006 Built-in Memory allocation / storage 8008 vnetapi32.dll& C&C communication code based on DoubleFantasy, using WinInet API 800A Built-in C&C communication orchestrator 800C perfcom.dll HTTP communication 8022 khlp680w.dll System API: execute processes, load libraries, manipulate files and directories 8024 cmib158w.dll Collects system information: OS version, computer name, user name, locale, keyboard layout, timezone, process lists 8034 cmib456w.dll Management of the VFS backed by encrypted ".FON" files in the "Fonts\Extension" directory. Provides encryption using RC5 for these files 803E nls_874w.dll Network sniffer 803C Built-in Communication with the NDIS filter part of "msndsrv.sys" 8040 khlp807w.dll Network exploration API, share enumeration and access 8042 Built-in Compression library based on Nrv2d / UCL 8046 Built-in Communication with the rootkit part of "msndsrv.sys" 8048 mstkpr.dll Disk forensics and direct NTFS reader based on sources of SleuthKit 8050 khlp760w.dll Additional encryption facilities for the file-backed VFS 8058 khlp733w.dll Collects local system information, WMI information, cached passwords 8070 khlp747w.dll Enumerates processes and system objects 807A mscoreep32.dll Plugins for monitoring Internet Explorer and Mozilla browser activities 808A khlp866w.dll Compression library based on Zlib 808E Built-in Reverse (PTR record) DNS resolver 8094 Built-in In-memory storage 809C Built-in In-memory storage 80AA nls933w.dll HDD / SSD firmware manipulation 80AE wpl913h.dll Keylogger and clipboard monitoring (aka "GROK") 80BE vnetapi.dll C&C communication via WinHTTP API 80C6 webmgr.dll Extracts web history, Mozilla/Internet Explorer-saved form data and cached credentials 80CA wshapi.dll C&C communications interface via Windows sockets Additional components Unilay.DLL

This module provides a compatibility layer for accessing system API functions for Windows 9x. It redirects Unicode ("W") variants of Windows API functions to corresponding ANSI variants by converting Unicode string parameters to multi-byte strings and calling the respective ANSI API.

MD5 EF4405930E6071AE1F7F6FA7D4F3397D Size 9 728 bytes Compiled 2008.01.23 14:23:10 (GMT) Format PE32 DLL, linker version 6.0 (Microsoft Visual C++ 6.0)

Exported functions (redirected to ANSI variants):

  • 100017EF: CopyFileW
  • 10001039: CreateDirectoryW
  • 10001111: CreateFileW
  • 100011B3: CreateProcessW
  • 10001177: DeleteFileW
  • 10001516: FindFirstChangeNotificationW
  • 10001466: FindFirstFileExW
  • 10001300: FindFirstFileW
  • 100014C6: FindNextFileW
  • 10001564: GetCurrentDirectoryW
  • 1000188F: GetFileAttributesW
  • 100016C6: GetStartupInfoW
  • 10001602: GetSystemDirectoryW
  • 10001664: GetWindowsDirectoryW
  • 10001853: LoadLibraryW
  • 1000178B: MoveFileExW
  • 1000172D: MoveFileW
  • 10001913: RegCreateKeyExW
  • 100019F5: RegDeleteKeyW
  • 10001DDF: RegDeleteValueW
  • 10001A39: RegEnumKeyExW
  • 10001BE2: RegEnumValueW
  • 1000199B: RegOpenKeyExW
  • 10001B23: RegQueryInfoKeyW
  • 10001D57: RegSetValueExW
  • 100010D5: RemoveDirectoryW
  • 10001E81: SHGetFileInfoW
  • 100015C6: SetCurrentDirectoryW
  • 100018CB: SetFileAttributesW
  • 10001E23: lstrcmpW
Network-sniffer/patcher - atmdkdrv.sys MD5s 8d87a1845122bf090b3d8656dc9d60a8
214f7a2c95bdc265888fbcd24e3587da Size 41 440, 43 840 bytes Format PE32 Native Compiled 2009.04.16 17:19:30 (GMT)
2008.05.07 19:55:14 (GMT) Version Info
  • FileDescription: Network Services
  • LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
  • InternalName: atmdkdrv.sys

or

  • FileDescription: CineMaster C 1.1 WDM Main Driver
  • LegalCopyright: Copyright 1999 RAVISENT Technologies Inc.
  • InternalName: ATMDKDRV.SYS

Creates a file storage "\SystemRoot\fonts\vgafixa1.fon". Its first word is set to 0x21 at the beginning of the DriverEntry function, and is replaced with 0x20 at the end of DriverEntry.

This driver appears to have been put together in "quick-and-dirty hack" style, using parts of the "mstcp32.sys" sniffer and other unknown drivers. It contains a lot of unused code which is partially broken or disabled. These include a broken "Dynamically disable/enable windows audit logging" subsystem and an incomplete "Patcher mode".

There are three algorithms used for strings encryption - RC5; alphabet encryption like the one used in "mstcp32.sys"; and XOR with a pre-seeded random number generator. Decrypted strings are immediately encrypted back until the next usage to avoid in-memory detection.

The driver's filename and device name differ across the samples. They depend on the name of the registry key that is used to start the driver.

The driver may operate in one of two independent modes - as a network sniffer or as a memory patcher. The mode of operation is selected on startup, based on the "Config2" value of the driver's registry key. By default the driver starts in "sniffer mode".

Sniffer mode

The sniffer code is similar to the one used in the driver's "tdip.sys" and "mstcp32.sys" and uses NT4 NDIS-4, XP NDIS-5 interfaces, targeting incoming traffic on Ethernet and VPN (ndiswanip) interfaces. It captures only directed packets (containing a destination address equal to the station address of the NIC). Packers-filtering engine rules may be set via DeviceIoControl messages. Filtered packets are stored in-memory until requested. Maximum packets storage list length is 128 items per filtering rule.

Patcher mode

Almost broken, it does nothing interesting except, possibly, replace the thread's ServiceTable to an unchanged, clear copy taken from the on-disk image of "ntoskrnl.exe".

Sniffer only IOCTLs:
44038004 - add filtering rule
44038008 - clear stored packet in specified filtering rules list
4403800C - enable specified filtering rule
44038010 - disable specified filtering rule
44038014 - get stored packet from specified filtering rules list
44038018 - process packet like the one received from the wire (filter and store)
4403801C - set maximum rules list length
44038020 - get maximum rules list length
80000004 - enablePacketsFiltering
80000008 - disablePacketsFiltering (PauseSniffer)
800024B4 - send packet to the specified network interface

Common IOCTLs:
80000028 - do nothing (broken/unused part)
80000038 - set external object (broken/unused part)
8000003C - get 4 dwords struct (broken/unused part)
80000040 - copy 260 bytes from the request (broken/unused part)
80000320 - set I/O port mapping (broken/unused part)
80000324 - clear I/O port mapping (broken/unused part)
80000328 - set external PnP Event (broken/unused part)
80000640 - replace specified thread's SDT (ETHREAD.ServiceTable field) to a given copy

Backdoor driven by network sniffer - "mstcp32.sys", "fat32.sys" MD5s 74DE13B5EA68B3DA24ADDC009F84BAEE
B2C7339E87C932C491E34CDCD99FEB07
311D4923909E07D5C703235D83BF4479
21C278C88D8F6FAEA64250DF3BFFD7C6 Size 57 328 - 57 760 bytes Format PE32 Native Compiled 2007.10.02 12:42:14 (GMT)
2001.08.17 20:52:04 (GMT) Version Info
  • FileDescription: TCP/IP driver
  • LegalCopyright: Copyright (C) Microsoft Corp. 1981-1999
  • InternalName: mstcp32.sys

This is a sniffer tool similar to "tdip.sys" and it uses NT4 NDIS-4, XP NDIS-5 interfaces.  It targets incoming traffic on Ethernet and VPN (ndiswanip) interfaces, but instead of dumb packet dumping, it uses received packets as commands for the "process injector" subsystem that is able to extract and execute code from the specially crafted network packets.

Default filtering rules are stored in the "Options" registry value of the driver's registry key. It captures only directed packets (containing a destination address equal to the station address of the NIC).

The driver's filename and device name differ across the samples. They depend on the name of the registry key that is used to start the driver.

Code Patcher

The driver patches OS code to dynamically disable or enable Windows audit logging.

It patches the function "LsapAdtWriteLog" in "lsasrv.dll" module of the "lsass.exe" process.

It searches for pre-defined signatures of the function "LsapAdtWriteLog" of known Windows versions - 4.0, 5.0, 5.1, 5.2 (NT4, Win2000, XP, WinSrv2003).

Then it selects a corresponding offset to replace the opcodes:

  • 'jz' to never taken 'jo' in case of XP
  • jmp over inner logic to procedure epilog in case of Windows Server 2003 so LsapAdtWriteLog skips logging of audit records

The module also patches "SepAdtLogAuditRecord" inside "ntoskrnl.exe" to "retn 4" instead of the first opcode of the function.

The disabled audit can be restored after a timeout or on-event by a dedicated thread.

Expected IOCTL codes:

  • 80000004 - setFilteringRules
  • 80000008 - disablePacketsFiltering (PauseSniffer)
  • 80000028 - do nothing (possible broken GetDriverName)
  • 80000038 - disable_audit
  • 8000003C - enable_audit
Code Injector

The code-builder within this module facilitates exploitation by providing up to four predefined execution templates, which seem to be suitable for generating several code patterns.

Below is a list of the execution templates we found:

  • locate a DLL via PEB structure and resolve exports
  • call single function
  • call four functions
  • call six functions

Using these as a base for the templates, the code-builder inserts parameters and proper offsets to call one of the following code patterns:

  • Locate and call WinExec
  • Locate and call LoadLibraryW, GetProcAddress, call exported procedure, FreeLibrary
  • Locate and call LoadLibraryW, GetProcAddress, call GetModuleHandle, FreeLibrary
  • Locate and call OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, VirtualFreeEx, CloseHandle

The code injection procedure allocates memory via ZwAllocateVirtualMemory in services.exe and copies implanted code. After that it uses KeInsertQueueApc to let the code run and waits 30 seconds for APC to complete.

When the module starts, it reads registry value [HKLM\System\CurrentControlSet\Services\%driver name%] Processes. This value may contain a list of process names that should be started by injected executable code but only after services.exe and winlogon.exe has been started. The injection of code into winlogon.exe and services.exe ensures that the newly started process will have SYSTEM user privileges. During the injection stage Windows Audit Logging is fully disabled to avoid leaving any suspicious records in Windows Logs.

Magic Packet Recognition

All incoming packets are first filtered by BPF-like rules. The filtering rules are located in [HKLM\System\CurrentControlSet\Services\%driver name%] Options registry value or passed via corresponding IOCTL. Packets that passed through the filter are added in the end of processing queue.

Packets from the queue must have valid checksum values. After checking that, the code XOR-decrypts additional data from the end of the packet. The decrypted end of the packet contains another control structure that defines which encryption algorithm is used to decipher packet body. Supported algorithms include RC5 and RSA. There is a 1024-bits RSA public key hardcoded inside the module body, while a 96-bits RC5 key is generated dynamically.

The backdoor command may arrive in a single packet or be split into pieces and come with several packets. There is a procedure for re-assembling pieces together: a multi-packet command is added to a special packet collector which puts all the pieces together before passing it further.

Backdoor command is stored in the first byte of the decrypted request and can be one of the following values:

Command Byte Short Name Description 0 StatusCheck Reply with encrypted DriverName, packet collector keys, "Processes" and "Params" registry values, names of processes for code injection (defaults are "services.exe" and "winlogon.exe"), list of unprocessed commands from packet collector. 1 Panic Disable packet filtering, securely delete driver file, clear related registry keys, set ClearPageFileAtShutdown flag, unbind adapters, delete devices and prepare for unloading. However, the driver cannot unload itself and it remains in the memory until reboot, which means it can be detected via DRIVER_OBJECT structure. 2 CodeInject Injects code implant received from packet body. 3 CallWinExec Disable Windows Audit and start new process via standard code injection in Winlogon.exe. 4 ResetCollector Drop all packets with specific key from packet collector. 5 Unused or disabled 6 GenerateRC5Key Generates RC5 session key. 96-bits RC5 key is generated by taking a SHA1 hash of value from KeTickCount, XOR-encrypt with SHA1 hash of two PerformanceFrequency values, which is followed by nine more additional SHA1 hashing. 7 SetRegProcesses Sets new "Processes" registry value. 8 DeleteRegProcesses Deletes current "Processes" registry value. 9 SetRegParams Sets a universal "Params" registry value which is used for storing any information, i.e. could be a unique victim marker or exploitation stage number. a Unused or disabled b Ping Reply with classic ICMP Echo Response packet. c ChangeInjectTarget Set new target injection processes (defaults are "Winlogon.exe" and "Services.exe"). Effective until reboot.

Note: "mstcp32" is mentioned together with rootkit-like behavior in 2004 here: http://www.pcreview.co.uk/forums/mstcp32-t1445152.html

Network Sniffer - tdip.sys MD5s 20506375665a6a62f7d9dd22d1cc9870
60dab5bb319281747c5863b44c5ac60d Size 22448 - 28800 bytes Format PE32 Native Compiled 2006.10.16 18:42:40 (GMT)
2003.08.17 21:47:33 (GMT)

Supports the following versions of Windows: NT4 using NDIS-4 and XP using NDIS-5. Doesn't use Vista and later NDIS-6 features. However, later NDIS versions are backward-compatible, so the driver is still valid for current versions of Windows.

Version Info:

  • FileDescription: IP Transport Driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • FileVersion: 5.1.2600.2180
  • InternalName: tdip.sys

This driver is a packet sniffer for incoming-only traffic on Ethernet and VPN (ndiswanip) interfaces or any used with ms_pschedmp as an alternative connection.

It implements a BPF (Berkeley packet filter) style packet-filtering system that is configured from the driver's registry configuration values or from DeviceIoControl messages.

The captured network packets may be written to disk in libpcap format (magic 0xA1B2C3D4 version 2.4) and encrypted with one-byte XOR, key 0xE3.

The driver's configuration is stored in the registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdip]

  • Options - packet filtering rules in BPF format
  • Tag - selector of filtered packet types / Defaults in case of MediumWan to NDIS_PACKET_TYPE_BROADCAST|NDIS_PACKET_TYPE_MULTICAST|NDIS_PACKET_TYPE_DIRECTED;
    (or NDIS_PACKET_TYPE_BROADCAST|NDIS_PACKET_TYPE_DIRECTED in any other case)
  • ImageFile - full path name to the resulting pcap file
  • Duration - used as Length of the original packet in dump file. (default 0xffff)
  • Backup - max size of the pcap file

IOCTLs:

  • 0x80002004 getCurrentState
  • 0x80002008 setFilteringRules
  • 0x8000200C getFilteringRules
  • 0x80002024 getDumpFileSize
  • 0x80002010/0x80002014/0x80002018/0x8000201C pause/resume
  • 0x80002020 getVersion - returns 2.4.0

Driver has three logical parts, and uses an incomplete function pointer table as interface:

  1. Business logic: filtering rules, packet dumping, device ioctl, options
  2. Ndis driver skeleton
  3. Primitives lib: Strings, XORing, registry I/O

The code is of very good quality. It looks more complicated than Winpcap 2.3 (released 28 mar 2002), but less so than Winpcap 3.0 (released by 10 apr 2003). Interestingly, the driver identifies itself as "version 2.4" in the pcap file despite there being no Winpcap version 2.4.

Key/clipboard logger driver - msrtvd.sys MD5s 98dea1bce37bf7087360e1958400589b
bb8f56874189d5dfe9294f0553a49b83
f6bf3ed3bcd466e5fd1cbaf6ba658716 Size 31 488 - 36 736 bytes Format PE32 Native Compiled 2010.02.19 22:45:18 (GMT)
2008.09.17 16:23:54 (GMT) Version Info
  • FileDescription: MSRTvd interface driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • InternalName: msrtvd.sys

This is a keylogger and clipboard monitoring tool.

On startup, the driver creates a device named "\Device\Gk0" and a symbolic link named "\DosDevices\Gk".

Then it attaches to the csrss.exe process and disassembles user32.dll and ntdll.dll routines to obtain win32k.sys and ntoskrnl.exe SDT services indexes and pointers of needed Nt/Zw APIs.

Then, using a built-in disassembler, it obtains pointers to NtUserPeekMessage, NtUserGetMessage, NtUserGetClipboardData and using the disassembler again selects the parts of the code that will be then hooked by splicing.

The interceptor routines are copied from a special PE section named ".msda". These routines are able to collect key press chains and clipboard text data, add information about current Time, ProcessName, ForegroundWindowText,and UserName related to this event.

A dedicated thread ("dumper") gathers the collected data, compresses the results with LZO appends it every 30 minutes to a file "%system-wide TEMP%\tm154o.da".

Most strings inside are encrypted by XOR with a pre-seeded random number generator.

IOCTLs:

  • 0x22002C -start dumper thread
  • 0x220030 - stop dumper thread
  • 0x220034 - check if the driver has new data to dump
  • 0x220038 - set two external events signaled on dump data availability (it references a plugin possibility)
  • 0x22003C - restart dumper thread
  • 0x220040 - get size of available data
Collector plugin for Volrec - msrstd.sys MD5s 69e7943f3d48233de4a39a924c59ed2c
15d39578460e878dd89e8911180494ff Size 13 696 - 17 408 bytes Format PE32 Native Compiled 2009.06.05 16:21:55 (GMT)
2009.12.15 16:33:52 (GMT) Version Info
  • FileDescription: msrstd driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • InternalName: msrstd.sys

This driver is a plugin that collects events from the "volrec.sys" driver, and delivers them by sending DeviceIoControl messages. It collects events about file and disk volume operations.

On startup the driver obtains a pointer to "\Device\volrec", then creates a control device "\Device\msrstd0" and a symbolic link to it named "\DosDevices\msrstd"

All strings inside the driver are encrypted by XOR with a pre-seeded random number generator.

For file events the driver collects the filenames, and caches data about read and write operations. For disk volume events it queries disk properties and reads volume labels and disk serial numbers of removable drives (USB, FireWire drives).

IOCTLs:

0x220004 - turn on VolumeEvents collection
0x220008 - turn off VolumeEvents collection
0x22000C - retrieve previously stored VolumeEvent (operationType, deviceTypeFlags, VolumeLabel, volumeSerialNumber, DosDriveLetter)
0x220010 - turn on FileEvents collection
0x220014 - turn off FileEvents collection
0x220018 - retrieve previously stored FileEvent (fileName, deviceTypeFlags, VolumeLabel, volumeSerialNumber, DosDriveLetter)
0x22001C - connect to Volrec.sys (send ioctl 0x220004), enable plugin operation
0x220020 - disconnect from Volrec.sys (send ioctl 0x220008), disable plugin operation

Filesystem filter driver – volrec.sys, scsi2mgr.sys MD5s a6662b8ebca61ca09ce89e1e4f43665d
c17e16a54916d3838f63d208ebab9879 Size 14 464-14 848 byres Format PE32 Native Compiled 2009.06.05 16:21:57 (GMT)
2009.12.15 16:33:57 (GMT) Version Info
  • FileDescription: Volume recognizer driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • InternalName: volrec.sys

This driver is a generic filesystem filter which feeds system events to user-mode plugins.

On startup the driver creates a control device named "\Device\volrec" and a symbolic link to it named "\DosDevices\volrec0". It then attaches all available filesystem devices.  It is also, able to handle removable storage devices.

All strings inside the driver are encrypted by XOR with a pre-seeded random number generator.

IOCTLs:

  • 0x220004 - setup plugin interface
  • 0x220008 - disable plugin calls

The driver handles the following system events:

  • file opened, created or closed
  • data is read or written to a file
  • new volume is mounted, unmounted
  • new USB or FireWire device attached
HDD/SSD operation helper driver - WIN32M.SYS MD5s 2b444ac5209a8b4140dd6b747a996653
b3487fdd1efd2d1ea1550fef5b749037 Size 19 456 - 26 631 bytes Format PE32 Native, PE32+ Native Compiled 2001.08.23 17:03:19 (GMT)
2013.05.14 15:58:36 (GMT) Description This module will be the subject of a dedicated blogpost. HDD/SSD firmware operation - nls_933w.dll MD5s 11fb08b9126cdb4668b3f5135cf7a6c5
9f3f6f46c67d3fad2479963361cf118b Size 212 480 - 310 272 bytes Format PE32 DLL, PE32+ DLL Compiled 2010.06.15 16:23:37 (GMT)
2013.05.14 16:12:35 (GMT) Version Info (64bit dll only)
  • FileDescription: Windows Networking Library
  • LegalCopyright: Copyright (C) Microsoft Corp. 1981-2001
  • FileVersion: 80AA
  • InternalName: nls_933w.dll
  • OriginalFilename: nls_933w.dll
  • PrivateBuild: 4.0.1.0
  • ProductName: Microsoft(R) Windows (R) 2000 Operating System
  • ProductVersion: 5.0.2074.0
  • Full Version: 1.0.0.1
Description This (80AA) plugin is a HDD firmware flashing tool which includes an API and the ability to read/write arbitrary information into hidden sectors on the disk.
The plugin will be the subject of a separate blogpost.

Patch Tuesday March 2015 - Stuxnet LNK 0day Fixed

Secure List feed for B2B - Tue, 03/10/2015 - 20:05

Wait, what? Wasn't the Stuxnet LNK vulnerability CVE-2010-2568, reported by Sergey Ulasen, patched years ago? Didn't Kim Zetter have enough time to write 448 pages of thoroughly footnoted research on this digital weaponry?

Yes, it was, but MS10-046 didn't completely fix all of the vulnerable code path. And, we just might start to call it the Fanny LNK 0day, after Equation's poorly QA'd USB worm spread across Pakistan exploiting the same LNK vulnerability years earlier than Stuxnet. Now, to be precise, this fix patches the newly generated label CVE-2015-0096, but the flawed functionality still is maintained with LNK handling code used to support custom icons from .cpl files. And, we have not observed a different implementation of this newly report LNK exploit in-the-wild. Yet.

So, machines have remained vulnerable to an actively exploited codebase providing custom icon-loading support since at least 2008. German researcher Michael Heerklotz reported the remaining flaws in January, and an excellent technical writeup describing his findings is posted on the ZDI blog here. Essentially, an attacker has to create a malicious LNK file with a link path of exactly 257 characters containing embedded unescaped spaces, and two "target" files - one with embedded unescaped spaces and one without. This is not difficult on a usb stick, and it bypasses much of the effective defenses Microsoft has developed for years. "Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender's Dilemma -- the defender must be strong everywhere, while the attacker needs to find only one mistake." In this case, it's more that the attacker had to chain together a complex series of overlooked steps.

Microsoft's release of thirteen other bulletins includes a large rollup of fixes for RCE across all versions of Internet Explorer, IE6 - IE11. This MS15-018 bulletin is rated critical, and it requires a reboot.

Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability

Threatpost for B2B - Tue, 03/10/2015 - 14:24
Microsoft's March 2015 Patch Tuesday security bulletins include patches for an old Stuxnet LNK vulnerability and the FREAK SSL vulnerability.

Patched Windows Machines Exposed to Stuxnet LNK Flaw All Along

Threatpost for B2B - Tue, 03/10/2015 - 13:00
Microsoft released a new patch for the LNK vulnerability exploited by Stuxnet after it learned original patch from 2010 failed and left Windows machines exposed.

CloudFlare Aims to Defeat Massive DDoS Attacks with Virtual DNS

Threatpost for B2B - Tue, 03/10/2015 - 11:13
DDoS attacks have been a persistent problem for the the better part of 20 years, and as ISPs and enterprises have adjusted their defenses, attackers have adapted their tactics. One of the more effective tools in the attackers’ arsenal now is the use of botnets to generate massive numbers of DNS queries for a target […]
Syndicate content