Malware Alerts

Subscribe to Malware Alerts feed
Online headquarters of Kaspersky Lab security experts.
Updated: 24 min 16 sec ago

Stuxnet: Zero Victims

Tue, 11/11/2014 - 06:30

The Stuxnet cyber-sabotage operation remains one of the favorite discussion subjects of security researchers everywhere. Considered the first known cyber-weapon, Stuxnet targeted the Iranian nuclear program using a subtle and well designed mechanism.

For background, see our previous reports on the Stuxnet saga:

One of the reasons to revisit the Stuxnet subject is the publication (November 11th, 2014) of the book "Countdown to Zero Day" by journalist Kim Zetter.

We are quite excited about the book which includes new and previously undisclosed information about Stuxnet. Some of the information is actually based on interviews conducted by Kim Zetter with members of Kaspersky Lab's Global Research and Analysis Team. To complement the book release, we've decided to also publish new technical information about some previously unknown aspects of the Stuxnet attack.

Even though Stuxnet was discovered more than four years ago, and has been studied in detail with the publication of many research papers. However, is still not known for certain what object was originally targeted by the worm. It is most likely that Stuxnet was intended to affect the motors that drive uranium enrichment centrifuges. But where were those centrifuges located – in the Natanz plant or, perhaps, in Fordow? Or some other place?

The story of the earliest known version of the worm – "Stuxnet 0.5" – is outside the scope of this post; we are going to focus on the best known variants created in 2009 and 2010. (The differences between them are discussed in our 2012 publication - Back to Stuxnet: the missing link).

In February 2011, Symantec published a new version of its W32.Stuxnet Dossier report. After analyzing more than 3,000 files of the worm, Symantec established that Stuxnet was distributed via five organizations, some of which were attacked twice – in 2009 and 2010.

Screenshot from the Symantec report

The Symantec experts were able extract this information due to a curious feature of the worm. When infecting a new computer, Stuxnet saves information about the infected system's name, Windows domain and IP address. This information is stored in the worm's internal log and is augmented with new data when the next victim is infected. As a result, information on the path travelled by the worm can be found inside Stuxnet samples and used to establish from which computer the infection began to spread.

Example of information found in a Stuxnet file

While Symantec did not disclose the names of the organizations in its report, this information is essential for a proper understanding of how the worm was distributed.

We collected Stuxnet files for two years. After analyzing more than 2,000 of these files, we were able to identify the organizations that were the first victims of the worm's different variants in 2009 and 2010. Perhaps an analysis of their activity can explain why they became "patients zero" (the original, or zero, victims).

"Domain A"

The Stuxnet 2009 version (we will refer to it as Stuxnet.a) was created on June 22, 2009. This information is present in the worm's body – in the form of the main module's compilation date. Just a few hours after that, the worm infected its first computer. Such a short time interval between creating the file and infecting the first computer almost completely rules out infection via USB drive – the USB stick simply can't have passed from the worm's authors to the organization under attack in such a short time.

The infected machine had the name "KASPERSKY" and it was part of the "ISIE" domain.

When we first saw the computer's name, we were very much surprised. The name could mean that the initial infection affected some server named after our anti-malware solution installed on it. However, the name of the local domain, ISIE, provided us with a little bit of information that might help to determine the organization's real name.

Assuming that the victim was located in Iran, we conjectured that it could be the Iranian Society of Industrial Engineers (ISIE) or an organization affiliated with it, the Iranian institute of Industrial Engineering (IIIE). But could it have been some other ISIE located in some place other than Iran? Given that our anti-malware solution had been used on the infected computer, we considered the possibility that ISIE might even be a Russian company.

It took us a long time to establish what organization it really was, but ultimately we succeeded in identifying it with a high degree of certainty.

It is called Foolad Technic Engineering Co (FIECO). It is an Iranian company with headquarters in Isfahan. The company creates automated systems for Iranian industrial facilities (mostly those producing steel and power) and has over 300 employees.

Screenshot from the company's website

The company is directly involved with industrial control systems.

- Implementing bench scale and pilot scale projects, such as data
communication between PLC existing in a plant and a remote point
through internet, by defining home page on a CP (Communication Processor)
card connected to a S7 CPU.
- Implementing different network structures, such as, As interface, profibus
DP, Ethernet, MPI, profibus PA In electronic and light communication channels.

Clearly, the company has data, drawings and plans for many of Iran's largest industrial enterprises on its network. It should be kept in mind that, in addition to affecting motors, Stuxnet included espionage functionality and collected information on STEP 7 projects found on infected systems.

In 2010, that same organization was attacked again – this time using the third version of Stuxnet, created on April 14, 2010. On April 26, the same computer as in 2009 – "KASPERSKY.ISIE" – was infected again.

This persistence on the part of the Stuxnet creators may indicate that they regarded Foolad Technic Engineering Co. not only as one of the shortest paths to the worm's final target, but as an exceptionally interesting object for collecting data on Iran's industry.

"Domain B"

One more organization was attacked multiple times – once in 2009 and twice in 2010. Essentially, each of the three Stuxnet variants was used to infect this target. In this case, the attackers were even more persistent than in the case of Foolad Technical Engineering Co.

It should be noted that it was this victim that was the patient zero of the 2010 global epidemic. This organization's infection in the course of the second attack (in March 2010) led to the widest distribution of Stuxnet – first in Iran, then across the globe. Curiously, when that same organization was infected in June 2009 and in May 2010, the worm hardly spread at all. We share our thoughts on the reasons for that below.

Take the most widespread variant – Stuxnet 2010 (a.k.a. Stuxnet.b). It was compiled on March 1, 2010. The first infection took place three weeks later – on March 23.

In addition to the computer's name and the domain name, Stuxnet has recorded the machine's IP number. The fact that the address changed on March 29, may indicate, albeit indirectly, that it was a laptop which connected to the company's local network once in a while.

But what company is it? The domain name –"behpajooh" – immediately gives us the answer: Behpajooh Co. Elec & Comp. Engineering.

Like Foolad Technic, this company is located in Isfahan and it also develops industrial automation systems. Clearly, we are also dealing with SCADA/PLC experts here.

Screenshot from the company's website

While collecting information about Behpajooh Co, we discovered one more curious thing - a 2006 article published in a Dubai (UAE) newspaper called Khaleej Times.

According to the article, a Dubai firm was accused of smuggling bomb components into Iran. The Iranian recipient of the shipment was also named – it was a certain "Bejpajooh Inc" from Isfahan.

So why did Stuxnet spread most actively as a result of the March 2010 Behpajooh infection? We believe the answer lies in the second organization in the chain of infections that started from Behpajooh.

As the screenshot above shows, on April 24, 2010 Stuxnet spread from the corporate network of Behpajooh to another network, which had the domain name MSCCO. A search for all possible options led us to the conclusion that the most likely the victim is Mobarakeh Steel Company (MSC), Iran's largest steel maker and one of the largest industrial complexes operating in Iran, which is located not far from Isfahan, where the two victims mentioned above - Behpajooh and Foolad Technic - are based.

Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months. For example, the analysis of logs shows that by July 2010 this branch of the infection reached computers in Russian and Belarusian companies.

"Domain С"

On July 7, 2009, Stuxnet 2009 hit yet another target. With it, it was designed to start the path to its ultimate intended mission. The victim computer was named "applserver" (application server?), located in the domain NEDA.

In this case, it was pretty easy to identify the victim organization. Beyond any doubt, it was the Neda Industrial Group, an organization that was put on the sanctions list by the U.S. Ministry of Justice, and charged with the illegal export of prohibited entities into Iran with potential military applications. This company's complete dossier is available on the Iran Watch site.

When tracking the chain of Stuxnet propagation, one of the group's branch organizations raises special interest: "Allegedly the controlling entity of Nedaye Micron Electronic Company in Tehran, Iran and Neda Overseas Electronics LLC in Dubai, UAE; provides services in industrial automation for power plants, the cement industry, and the oil, gas and petrochemical sector; established in the mid 1980s under the name NEDA Computer Products Incorporated as a fully private joint stock company".

Neda was attacked only once, in July 2009, and Stuxnet never left that organization, according to the infection logs available to us. However, to leave the organization may have not been its purpose in this case. As noted earlier, the capability of stealing information about STEP 7 projects from infected systems was of special interest to the creators of Stuxnet.

"Domain D"

The fourth victim in 2009 was infected on July 7, the same day when Neda was compromised. Interestingly, the infection started with the server, if we judge by the computer name – SRV1 in domain CGJ, just like it did in the Neda case.

So, what is CGJ? We spent quite some time combing through search engines and social networks, and we are practically confident that is Control-Gostar Jahed Company, another Iranian company operating in industrial automation.

Control Gostar Jahed (CGJ) (Private Joint Stock, Since 1383) Founded with the aim of localization of industrial automation technology, and employing the technical know-how and execution power of 30 full-time personnel in the Tehran office and more than 50 workshop personnel, has achieved a high capacity in providing engineering and technical services.
The companys major focus over the years has been on the following domains:
- Design, procurement, construction, programming and commissioning of control systems (DCS, PLC, ESD, F&G)
- Design, manufacture and installation of low voltage fixed and sliding panels (using the products of CUBIC Denmark)
- Upgrading hardware, software and optimization of industrial automation systems
- Consulting services and basic and detailed design of electrical and instrumentation systems
- Installation of electrical and control systems

Unlike Neda Group, Control-Gostar Jahed Company is not on the sanctions list. It was probably chosen as a target because of its impressive cooperation ties with the largest Iranian businesses in oil production, metallurgy and energy supplies.

This organization was attacked only once in 2009. That infection did not leave the target's corporate network and makes up the smallest part of all known Stuxnet propagation lines.

"Domain E"

The fifth and the last "Patient Zero" victim stands out when judged by the numbers of originally infected systems. Unlike in all above cases, the attack in this case started from three computers at once, on the same day (May 11, 2010), but at different times.

Information from three different Stuxnet files

KALASERVER, ANTIVIRUSPC, NAMADSERVER: judging by the names, there were at least two servers involved in this case too.

Such an pattern of infection makes us practically confident that email was not used as the primary infection vector. The chances are very small that the infection started from a user receiving an email containing an attachment with an exploit.

So what is Kala? There are two most verisimilar answers to this, and we do not know which is the correct one. Both are about companies affected by sanctions and directly related to Iran's nuclear program.

Well, one possibility could be Kala Naft. A dossier for this company is available on the Iran Watch site.

However, Kala Electric (a.k.a. Kalaye Electric Co.) looks like the most probable victim. This is in fact an ideal target for an attack, given Stuxnet's main objective (which is to render uranium enrichment centrifuges inoperable), available information on Iran's nuclear program, and the logic of the worm's propagation.

Of all other companies, Kala Electric is named as the main manufacturer of the Iranian uranium enrichment centrifuges, IR-1.

The company does not have a web-site, but there is quite some information available about its activities: that is one of the key structures within the entire Iranian nuclear program.

Also, quite detailed information is available on the ISIS (Institute for Science and International Security) site at www.isisnucleariran.org.

Based on Iran's revised declaration about this site, originally, Kalaye Electric was a private company that was bought by the Atomic Energy Organization of Iran (AEOI). The name "Kalaye Electric" means "electric goods," implying that Iran kept the original name to help disguise the true purpose of the facility.

Iran declared that Kalaye Electric became the primary IR-1 centrifuge development and testing site after such work was moved in 1995 from the Tehran Nuclear Research Center. The IAEA has reported that between 1997 and 2002, Iran assembled and tested IR-1 centrifuges at Kalaye

Since moving many centrifuge research and development activities to the Pilot Fuel Enrichment Plant (PFEP) at Natanz, Kalaye Electric has remained an important centrifuge research and development site.

Satellite images of Kala Electric operation facilities are also available; these are considered to be the site where the centrifuges were developed and tested.

Source: http://www.isisnucleariran.org/sites/detail/kalaye/

Thus, it appears quite reasonable that this organization of all others was chosen as the first link in the infections chain intended to bring the worm to its ultimate target. It is in fact surprising that this organization was not among the targets of the 2009 attacks.

Summary

Stuxnet remains one of the most interesting pieces of malware ever created. In the digital world, one might say it is the cyber equivalent of the atomic attacks on Nagasaki and Hiroshima from 1945.

For Stuxnet to be effective and penetrate the highly guarded installations where Iran was developing its nuclear program, the attackers had a tough dilemma to solve: how to sneak the malicious code into a place with no direct internet connections? The targeting of certain "high profile" companies was the solution and it was probably successful.

Unfortunately, due to certain errors or design flaws, Stuxnet started infecting other organizations and propagate over the internet. The attacks lost control of the worm, which infected hundreds of thousands of computers in addition to its designated targets.

Of course, one of the biggest remaining questions is - were there any other malware like Stuxnet, or was it one-of-a-kind experiment? The future will tell for sure.

The Darkhotel APT

Mon, 11/10/2014 - 04:00

 PDF version
 Technical Appendix

Much like Crouching Yeti, the Darkhotel APT is an unusually murky, long standing and well-resourced threat actor exhibiting a strange combination of characteristics.

This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This hotel network intrusion set provides the attackers with precise global scale access to high value targets. From our observations, the highest volume of offensive activity on hotel networks started in August 2010 and continued through 2013, and we are investigating some 2014 hotel network events.

In addition to polluting p2p networks to infect the masses, they delegitimize Certificate Authorities to further their attacks. They abuse weakly implemented digital certificates to sign their malcode. The actor abused the trust of at least ten CAs in this manner. Currently they are stealing and re-using other legitimate certificates to sign their mostly static backdoor and infostealer toolset. Their infrastructure grows and shrinks over time, with no consistent pattern to the setup. It is both protected with flexible data encryption and poorly defended with weak functionality.

Victim categories include the following verticals:

  • Very large electronics manufacturing
  • Investment capital and private equity
  • Pharmaceuticals
  • Cosmetics and chemicals manufacturing offshoring and sales
  • Automotive manufacturer offshoring services
  • Automotive assembly, distribution, sales, and services
  • Defense industrial base
  • Law enforcement and military services
  • Non-governmental organizations

About 90 percent of the infections appear to be located in Japan, Taiwan, China, Russia and South Korea, partly because of the group's indiscriminate spread of malware. Overall, since 2008, the infection count numbers in the thousands. The more interesting travelling targets include top executives from the US and Asia doing business and investment in the APAC region. A combination of Kaspersky Security Network (KSN) detections and command and control data recorded infections in the United States, the United Arab Emirates, Singapore, Kazakhstan, South Korea, the Philippines, Hong Kong, India, Indonesia, Germany, Ireland, Mexico, Belgium, Serbia, Lebanon, Pakistan, Greece, Italy and others. This actor's victim geolocation distribution has a long tail, and multiple significant targets and victims travel frequently throughout many of these countries. So, victim geolocation changes while they are travelling frequently.

When Kaspersky Lab researchers visited Darkhotel incident destinations with honeypot machines they did not attract Darkhotel attacks, which suggests the APT acts selectively.. Further work demonstrated just how careful these attackers were to hide their activity - as soon as a target was effectively infected, they deleted their tools from the hotel network staging point, maintaining a hidden status.

Darkhotel activity and objects have leaked out in bits and pieces over the past few years, but we have identified Darkhotel tools dating back to 2007. Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more Darkhotel activity in the coming years. Our Darkhotel report and appendices of indicators and technical details collects and organizes this APT's activity to date.

iOS Trojan WireLurker: Statistics and New Information

Fri, 11/07/2014 - 04:59

Recently, news appeared about an interesting attack where cybercriminals infect iPhones and Mac OSX users with a rather peculiar malware dubbed WireLurker. You can find a thorough paper from Palo Alto here. First of all, it's important to note that all Kaspersky Lab users are protected against this threat. The malicious files used by WireLurker are identified by our products with the following detection names:

  • Mac OS X:
    • Trojan-Downloader.OSX.WireLurker.a
    • Trojan-Downloader.OSX.WireLurker.b
    • Trojan.OSX.WireLurker.a
  • Apple iOS:
    • Trojan-Spy.IphoneOS.WireLurker.a
    • Trojan-Spy.IphoneOS.WireLurker.b
  • Windows:
    • Trojan.Win32.Wirelurker.a

Our sensors observed connections to the malicious C&C server located in Hong Kong in July, 2014. These continued throughout the following months, although the volume remains low.

Interestingly, discussions on various online forums about this subject appeared earlier this year, notably in Chinese and Korean, but also on some English resources:

On July 14th, someone named SirBlanton complained about it on a Chinese speaking BBS:

Translation:

The discussion above happened on "bbs.maiyadi.com", which is interesting, because another subdomain on "maiyadi.com" is used by the malware as a C&C (see below).

Even earlier, on May 29th, a discussion in Korea mentioned abnormal behavior of a Mac OS X infected by this threat:

Interestingly, Mac OS X and Apple iOS are not the only platforms through which these attacks were propagated. Yesterday, our friend Jaime Blasco from Alienvault discovered a Win32 malicious tool that appears to be related.

The WireLurker Windows module

File name: 万能视频播放器 2.21.exe md5: fb4756b924c5943cdb73f5aec0cb7b14

Win32 WireLurker module

The file appears to have been compiled in March 2014, assuming the timestamp is not altered:

Full metadata set:

Machine Type                    : Intel 386 or later, and compatibles Time Stamp                      : 2014:03:13 03:56:21-04:00 PE Type                         : PE32 Linker Version                  : 10.0 Code Size                       : 721920 Initialized Data Size           : 1364480 Uninitialized Data Size         : 0 Entry Point                     : 0xafb86 OS Version                      : 5.1 Image Version                   : 0.0 Subsystem Version               : 5.1 Subsystem                       : Windows GUI File Version Number             : 1.0.0.1 Product Version Number          : 1.0.0.1 File Flags Mask                 : 0x003f File Flags                      : (none) File OS                         : Windows NT 32-bit Object File Type                : Executable application File Subtype                    : 0 Language Code                   : Chinese (Simplified) Character Set                   : Unicode File Description                : 绿色IPA安装器 File Version                    : 1.0.0.1 Internal Name                   : 绿色IPA安装器.exe Original Filename               : 绿色IPA安装器.exe Product Name                    : 绿色IPA安装器 Product Version                 : 1.0.0.1

The internal file name is "绿色IPA安装器" which, when translated to English, means Green IPA installer. It supposed to be an application to install IPA files on iOS devices.

Interestingly, it contains a debug path which reveals information about the build:

 E:\lifei\libimobiledevice-win32-master_last\Release\appinstaller.pdb

The application contains two IPA (Apple application archives) inside, one called "AVPlayer" and one called "apps".
AVPlayer.app appears to be a legimitated iOS application that is used by the attackers as a decoy.

The image (icon) of the app can be seen below:

The "legit" application appears to have been authored by a popular developer going by the handle "teiron@25pp.com".

The second IPA is more interesting. It appears to have been created in March 2014. "apps" communicates with the wellknown "comeinbaby[.]com": The sfbase.dylib part communicates with a different C&C: To summarize, the Win32 application described here allows the installation of the mentioned iOS payload to the victim's iPhone. The creator likely developed it just to make sure Windows users can also get infected on their iOS devices.

KSN Detections

Kaspersky Security Network (KSN) is a complex distributed infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world. It delivers Kaspersky Lab's security intelligence to every partner or customer who is connected to the Internet, ensuring the quickest reaction times, lowest false positive rate and maintaining the highest level of protection. A detailed description of KSN can be found here. The following chart below shows detections of WireLurker on OSX:

Over 60% of the detections are coming from China, which is to be expected.

Conclusions

This incident is yet another reminder of why the use of pirated software remains dangerous, no matter which platform you're using. Downloading applications from unofficial sources, such as alternative marketplaces, file sharing websites or torrents and other P2P file sharing networks, increases the risk of malware infections. On Mac OS X for instance, it is one of the main infection vectors. The need for anti-malware protection on Mac OS X devices cannot be overstated. It's not only that your Mac OS X machine can get infected, but WireLurker showed us how the infection can move from your Mac to your iPhone. The good news is: there are plenty of options to chose from out there, including our own Kaspersky Internet Security for Mac. As a first line of defense, Mac OS X users should check their Security & Privacy settings to make sure the configuration of their system is optimal. We recommend setting up Gatekeeper so that only applications downloaded from the Mac App Store and identified developers are allowed to be installed. More information on Gatekeeper can be found here. Make sure to also check out our own guide for Mac security: 10 Simple Tips for Boosting The Security Of Your Mac This should also be a wake-up call for Apple users and the way they think about security. Just like Mac OS X malware quickly evolved from being just a myth to becoming a sad reality, we are seeing iOS being targeted more and more often lately - with nobody being able to offer protection for this platform. Anti-malware vendors are still not allowed to develop protection for iPhone users.

In the light of recent events, will this strategy change in the future?

Indicators of compromise:

C&Cs:
app.maiyadi[.]com
comeinbaby[.]com
61.147.80.73
124.248.245.78

MD5s:
3fa4e5fec53dfc9fc88ced651aa858c6
5b43df4fac4cac52412126a6c604853c
88025c70d8d9cd14c00a66d3f3e07a84
9037cf29ed485dae11e22955724a00e7
a3ce6c8166eec5ae8ea059a7d49b5669
aa6fe189baa355a65e6aafac1e765f41
bc3aa0142fb15ea65de7833d65a70e36
c4264b9607a68de8b9bbbe30436f5f28
c6d95a37ba39c0fa6688d12b4260ee7d
c9841e34da270d94b35ae3f724160d5e
dca13b4ff64bcd6876c13bbb4a22f450
e03402006332a6e17c36e569178d2097
fb4756b924c5943cdb73f5aec0cb7b14

Security Holes in Corporate Networks: Network Vulnerabilities

Fri, 11/07/2014 - 03:52

In our previous blogpost, we told you about the types of attacks that a cybercriminal can undertake while working with a regular user account without local administrator privileges. In particular, we presented an example of how the simplified inheritance of privileges within the context of domain authorization (Single-Sign-On) enables cybercriminals to gain access to various network resources and services while using the limited access allowed by a regular user account. In this blogpost, we will review in detail the possible vectors for an attack launched on a corporate network from an infected computer within it.

Once a cybercriminal has gained control over a user system in a corporate network, subsequent events form three consecutive stages: establishing a foothold in the system, analyzing the environment, and propagating malware. Each of these stages can be implemented in various ways, distinguished by the technical methods, strategies and tactics employed. The flow chart below shows the cybercriminal's possible approaches to establishing a foothold in the system, analyzing the environment, and propagating malware across the corporate network.

A flow chart of a cybercriminal's actions

It is important for information security specialists to recognize the distinctive signs of different types of attack. Using this proposed "action plan", information security specialists can detect an attack by matching events occurring in the network to various templates of cybercriminal activity.

Gaining a Foothold in the System

After penetrating a corporate network, attackers typically download utilities (including malware) to the victim computer within a few hours or minutes. These utilities are required to collect information about the system and its installed software, search for files and data, establish a connection to the C&C, steal login credentials, brute-force passwords, hack accounts, escalate privileges, infect a system, intercept network traffic, scan network devices etc.

To hide these essential tools from network administrators during the download process and avoid triggering any security system that might be in place, attackers use different maneuvers of varying degrees of complexity:

  • Files are transferred via network protocols and general-purpose ports (HTTP, FTP, HTTPS, SFTP) so they get lost in the huge amounts of daily user-generated traffic.
  • Files are downloaded from compromised servers, using Fast Flux networks or via Tor.
  • Files are transmitted in parts, in obfuscated and/or encrypted form.
  • Various types of steganography are sometimes used to transfer data, such as masking data within audio/video files, images or headers of internet protocols, especially when general-purpose ports are closed by a firewall.

When the required tools have been loaded, the cybercriminal attempts to gain access to the local administrator's or system account. The first attempt normally uses keyloggers, attempts to brute-force passwords and hack accounts, or phishing scams. Further approaches involve exploiting vulnerabilities in system services, typically to gain access to the system account (i.e. to escalate to kernel-level privileges).

Having obtained these privileges, cybercriminals can entrench themselves in the system by implanting a rootkit or bootkit in the operating system. They can also clean the system from traces of penetration, hiding their tools and traces of active infections from security tools. If the attackers failed to gain a foothold in the system in the regular way, they can set up an automatic infection of the system, e.g. by using the regular task scheduler.

Naturally, there are many ways of establishing a foothold, and scenarios may differ dramatically from the above description. However, as we said at the beginning of this article, it is important that an information security specialist understands the principles of how an attack is conducted, and realizes the tasks that cybercriminals face. Thus, at the foothold stage, the attacker's main task to arrange for reliable, lasting access to the system under attack. In general, the task of arranging remote access has two parts: establishing a data communication channel and implanting a remote control tool (backdoor).

Depending on the network configuration, firewall policies and IDS/IPS settings, attackers might use direct or reverse connection. Direct connection involves the attackers establishing a connection to the victim system, and is possible only if the system has an external IP-address and open network ports that are not blocked from outside connections by a firewall. Otherwise, reverse connection is used, when the attacked system establishes a connection to the remote server. Regardless of the connection type, data is communicated using the same methods that are used to download utilities and malware to the victim computer: data is transferred in encrypted / obfuscated format via general-purpose protocols / ports, using Fast Flux or Tor. In addition, cybercriminals can also use regular user software and services as a data communication channel, such as cloud-based file storages, e-mail, IM clients etc.

Environment analysis

At the same time as establishing a foothold – or sometimes even before – cybercriminals need to collect information about the operating system and its configuration, updates installed for software, and security tools. That information is needed to evaluate the situation on the victim computer and plan further attack activities. It is also very useful when accurately selecting the most effective utilities and exploits.

The following readily available tools are usually sufficient to collect information about the system:

  • cmd, regedit, vbs, powershell in Windows,
  • bash, grep, python, perl in Unix/Linux and Mac OS.

From the attacker's viewpoint, there are many advantages to using the above tools: they are available in any system, they are useable even with restricted user rights, and their operation is not controlled by most security tools. To tackle more complicated tasks cybercriminals use both popular and customized tools to intercept network traffic, scan network devices, connect to various network services using domain authentication etc. If the hacker's tools are written, say, in Python, the cybercriminals will certainly install the required software on the infected computer. In this case, Python (or other required software) probably will not be concealed in the system using a rootkit, as that may prevent the interpreter from working properly.

To search for and analyze other devices in the corporate network, cybercriminals apply passive and active scanning methods. In particular, using a sniffer to listen to traffic from a local network interface, anyone can easily detect various devices thanks to ARP packets or active connections, determine the URLS of servers hosting corporate applications such as Active Directory, Outlook, databases, corporate websites etc. To obtain detailed information about a specific network node, cybercriminals use network scanners (e.g. nmap) to determine available network services, guess names and versions of installed software, and detect the presence of a firewall and IDS/IPS.

Distribution

Now the attackers have a foothold in the system, have a reliable remote access channel and have sufficient information about the network. The next actions usually pursue the primary objective. That may be stealing confidential information, attacks on corporate infrastructure, gaining control over critical systems for blackmail purposes, or other personal purposes. Unless the initially attacked system is the ultimate target (that can be e.g. a CEO's laptop, a central server or a website), the attacker needs to gain control over other systems within the corporate network. Depending on the nature of the target, infection may be pinpointed or broad scale.

For example, if the attackers plan to launch an infrastructure attack, they will probably need massive infections of the servers running various business processes and the workstations of operators and administrators. On the other hand, a cybercriminal aiming to steal confidential information or conduct espionage will have to act very carefully and attack only the top priority systems.

There are a number of ways of propagating malware within a corporate network. Cybercriminals normally go for the simplest approach, such as using existing accounts. For example, by launching malicious code from under a domain account belonging to a user of an infected system, the cybercriminal can freely connect to various network services (to which the user has access) using domain authorization (Single Sign-On), i.e. without entering the login credentials. On the other hand, the cybercriminal can use a keylogger and easily get hold of the login credentials to the domain account as well as other services that do not maintain domain authorization. I addition, the cybercriminal may attempt to take advantage of vulnerabilities in the mechanisms for storing and checking credentials, or simply brute-force the password.

The most effective propagation path within corporate networks is to exploit vulnerabilities, since most corporate network security focuses on preventing attacks from outside the perimeter. Consequently, there are a multitude of varied vulnerabilities within the network, including unsecured corporate servers, test servers, management/virtualization systems etc. Practice shows that even if information security specialists and IT engineers are aware of all the vulnerabilities existing in their corporate network(s), it takes them years to fix them because it requires a lot of manpower. Nevertheless, experienced hackers are cautious about using exploits to known vulnerabilities and prefer to attack unsecured corporate services. If a local or network-based IDS/IPS is still used in the network, using exploits to known vulnerabilities may unmask the cybercriminals.

Detecting an Attack

At each stage of the attack, cybercriminals often use the environment and the available tools for their own purposes, remaining inconspicuous against the backdrop of regular users' activities. To address this problem, it is important wherever possible to reduce redundancy in the environment and the business processes; in all other cases, it is vital to monitor what's happening, identify anomalies and react to them.

A vivid example of the problem of redundancy in business processes is the free access to business assets (confidential documents, critical applications, hardware etc.), local administrator privileges, and the capability of remote connection to the corporate network for staff who do not need this level of access and privilege. This applies to the control of access rights at the domain level as well as at the level of application software: browsers do not typically need access to other processes' memory, while Microsoft Office does not need to install drivers.

For an example of environment redundancy, we can think of a regular corporate employee (not a developer, tester, administrator or information security specialist) whose desktop has software designed for network traffic interception, scanning the network, remote access, creation of local HTTP/FTP servers, use of third-party network hardware (Wi-Fi and/or 3G modems), software development tools etc.

Any effective strategy to prevent attacks from within the corporate network must prevent cybercriminals from acting secretly, and force them to take complicated and risky steps that betray their plans to information security specialists who can neutralize the threat. For that, two things must be present in the corporate network: smart security and an information security management system.

If you marry these two technologies you create a fundamentally different animal from the established information security model. It can see everything that takes place in the system and immediately reacts to threats.

Smart security tools include some antiviruses, firewalls, IDS/IPS/HIPS, Application Control, Device Control - however they must be capable of interacting with the information security management system. These security tools should not only collect all types of information and send it to the information security management system, but also execute commands that block attempts to gain access, establish connections, transfer data via the network, launch applications, read and write files etc. Naturally, for all of this to work, an information security specialist must be able to differentiate between legitimate and malicious activity.

ekoParty Security Conference

Thu, 11/06/2014 - 09:37

The ten year anniversary edition of the Electronic KnockOut Party, held annually in Buenos Aires, Argentina, was certainly special! Over the years, ekoParty has become a standard for other conferences in Latin America, bringing together researchers from all over the world for nearly a full week packed with trainings, workshops, and ground breaking talks about different aspects of the field of information security.

Ten year anniversary, epic uptime!

This year, the conference changed venues from the previously known 'Ciudad Cultural Konex' in favor of a much bigger space near the airport, the 'Aeroparque Jorge Newbery'. The loud engines from passing planes could not stop the speakers from sharing their knowledge with the audience. Organizers were prepared for this and outfitted the main stage with airport-themed decorations. Even the badges resembled boarding passes, making the most of the new venue's quirks and leaving nothing to chance.

What differentiates ekoParty from other conferences is the passion exhibited by everyone in attendance. Thanks in part to the Latin American way of doing things, ekoParty is proud of not taking itself too serious and encourages its attendees to behave the same way. A loud siren blares when it's time for the speaker to take a drink and loosen up a bit mid-talk. Rushing forward with a shot of vodka, the conference staff is alert and engaging, making sure that both speaker and audience are having fun.

The main stage, where speakers from all around the world shared their latest research.

During the first day, we were welcomed by an interesting discussion panel and a wide array of workshops to choose from. In addition, several corporate sponsors gave away free trainings to showcase some of their latest tools and also administered challenges for the duration of the conference. With tempting cash prizes and fancy gadgets on the line, some participants chose to forego the talks altogether in order to test their skills in areas such as reverse engineering, penetration testing, and networking.

By the time the talks began on the second day, the tone of the conference was set by Cesar Cerrudo who presented on how to hack traffic control systems. Using 'Live Free or Die Hard' references to engage the audience proved successful and Hollywood-worthy research was presented in a compelling and understandable way. As the day went on, attendees could choose to participate in one of the workshops (as I did with Juliano Rizzo's bitcoin security training) or keep attending assorted talks. Among the topics covered were "Exploring the Jolla Phone", "Cooking an APT the paranoid way" or even browser exploitation techniques with Alex Rad's presentation "Pointer Subterfuge in the Browser Address Space".

There were just too many topics and talks to cover all in detail but a common thread emerges. Speakers not only share their knowledge but also ask the community to join them in their research to create something useful for all parties involved. This was the case with Anibal Sacco's "IDA Synergy – Collaborative Reverse Engineering", which showed a combination of IDAPython Plugin and control version system that resulted in a new reverse engineering collaborative add-on for IDA Pro.

Though a lot of talks focused on exploiting different technologies (as in the case of Luis Colunga's presentation on Software Defined Radio), other presentations could be easily mistaken for university courses. This was the case with Alfredo Ortega's "Deep-submicron backdoors" which led the audience from concepts like Fourier transformations to CPU low-level backdoors. With a touch of 3D modeling and some lines of code in the right place, Ortega demonstrated that building a backdoored ARM CPU isn't as hard as it might seem.

The final day of the conference started early with discussions about the current state of privacy and a historical perspective on the many state-backed surveillance programs of recent years.  Just before lunch we had a great presentation by Marcio Almeida Macedo on 'Hacking RFID Billing Schemes for fun and free rides', mentioning our recent blogpost on the topic, specifically referring to vulnerabilities in the Chilean transportation system. All researchers went above and beyond to show the hardware and principles involved in their investigations, always enticing the audience to follow in their footsteps.

Malware made its appearance with Thiago Bordini who shared techniques for 'Monitoring Malicious Domains on the Internet in real time for forensic purposes'. Brazilians presenters were, of course, forced to withstand chanting and taunting from Argentinians in the crowd pleased by World Cup results. That's to be expected. The day ended with bells and whistles as Rahul Sasi presented his sequel presentation on hacking TV networks, an investigation that stemmed from a penetration testing job that ended with him finding ways to inject video signals in TV networks and even shutting down the receiver's box remotely.

A nice attendance for this edition of ekoParty Security Conference.

An emotive award's ceremony brought the event to a close by recognizing local talent and remembering Barnaby Jack's appearance years ago. The ekoParty left everyone wanting more and eager to attend the following year. ekoParty is one of those conferences were attendees get back what they put in -they can choose to just enjoy the talks or instead get involved in the many challenges, workshops, and networking activities offered. Until next year, I encourage you to check out the content covered during the conference and hope to see you there!

Hack In The Box 2014 KUL

Thu, 11/06/2014 - 07:19

The Hack In The Box (HITB) SecConf 2014 was held from the 13 to the 16 of October, in Kuala Lumpur, Malaysia. More than 500 people from around the world participated in the event. Unfortunately, 2014 was the final round of this nice event.

The event is made up of four main elements: Technical training sessions, a security conference, Capture the Flag 'Live Hacking' Attack & Defense Competition, Developer Hackathon (HackWEEKDAY) and A CommSec Village & Technology Showcase Area.

Although there were many interesting presentations at the conference, I have too little space here to introduce all of them, so let's take a look of three of them.

Filippo Valsorda gave a presentation entitled "Exploiting ECDSA Failures in the Bitcoin Blockchain". Elliptic Curve Digital Signature Algorithm (ECDSA) is an EC-based signature scheme as implemented in TLS, DNSsec and PS3. He pointed out that ECDSA might not be as secure as it is believed to be.

Haroon Meer, Marco Slaviero and Azhar Desai picked up the topic of "sockpuppet"- a false online identity adopted for deceptive purposes – in their presentation. They demonstrated mass-posting, mass-voting and mass-down-voting at some forums, with the help of only one line of bash script. The presentation was entitled "Weapons of Mass Distraction: Sock Puppetry for Fun & Profit".

Mike Ryan's "The NSA Playset: Bluetooth Smart Attack Tools" presentation introduced a series of tools used by the NSA and demonstrated keyboard hijacking via Bluetooth using some of the tools.

For those who are interested, the presentation materials are available at the official web site of HITB2014.

The CTF session was also quite interesting. Let's take a look at Challenge 2.

As a problem to solve, a pcap file was provided. It was a capture of some network traffic.

Inspecting the file, you could find that ICMPv6 packets contain unknown strings that start with "G01". In fact, the strings are G-codes, computer numerical control commands (for industrial hardware, 3D printers, etc.). If is it run using emulator software, a string is displayed – this is the answer to the problem.

In my opinion, CTF is a good exercise for IT engineers, because it gives the chance to learn technologies that are not familiar to you.

In the closing session, the event organizers announced the end of HITB KUL and the beginning of a new event "HITB GSEC". This is planned to take place in Singapore in October 2015.

I hope the new HITB GSEC will be as fantastic as HITB KUL and I'm looking forward to meeting great security specialists there again!!

From the horse's mouth: brands leaking your information open the door to effective spearphishing

Mon, 11/03/2014 - 10:13

A few months ago, I requested an online quote for some home repairs. The recipient was a very well-known company here in US. The service I got actually was very good. Under my explicit approval the company kept my email address and has been sending me several promotions that I had signed up to.

However, the latest one was unusual - it arrived with at least 20 recipients explicitly exposed including my full email address in the list.

Cybercriminals and other threat actors also have normal lives - they shop at the same places we do, they eat the same food we eat, and they hire the same services we do. So, imagine what happens when a malicious actor receives one of these emails! It's a perfect source of information for spearphishing attacks.

I say this because the attacker would have enough information to know the potential victims are customers or potential customers of that particular brand, knowing the benefits of abusing the brand to launch attacks in the name of that store.
Since the advertisement I get is customized, meaning it refers to a very specific part of town, then the attacker would also know his victims live in a particular city. This also brings a lot of advantages when preparing the attack.
Finally, the attacker even knows how the store legitimately promotes their services. And I mean which format the store uses:

In my case, I got a PDF file attachment. So, in case the attacker launches a spear phishing campaign with a malicious file, the victims wouldn't suspect anything malicious since nothing is out of the ordinary.

So who might abuse this technique and what can we do about it?

The most likely actor would be a classic cyber-criminal. However, any threat actor in need can resort to the same scheme.

What is the best practice when you get such advertisement emails? I prefer to use online viewers, embedded into many modern Webmail providers. Instead of downloading the file to the disk and then opening it locally, you can visualize it online:

So in case of any local app exploit, let's say for Adobe Reader, the exploit won't work and you will still be able to read the document.

Certainly leaks like the aforementioned, despite not being particularly big, definitely expose people to become victims of new spear-phishing campaigns.

You may follow me on twitter: @dimitribest

BE2 Custom Plugins, Router Abuse, and Target Profiles

Mon, 11/03/2014 - 02:58

The BlackEnergy malware is crimeware turned APT tool and is used in significant geopolitical operations lightly documented over the past year. An even more interesting part of the BlackEnergy story is the relatively unknown custom plugin capabilities to attack ARM and MIPS platforms, scripts for Cisco network devices, destructive plugins, a certificate stealer and more. Here, we present available data - it is difficult to collect on this APT. We will also present more details on targets previously unavailable and present related victim profile data.

These attackers are careful to hide and defend their long-term presence within compromised environments. The malware's previously undescribed breadth means attackers present new technical challenges in unusual environments, including SCADA networks. Challenges, like mitigating the attackers' lateral movement across compromised network routers, may take an organization's defenders far beyond their standard routine and out of their comfort zone.

 

Brief History

BlackEnergy2 and BlackEnergy3 are known tools. Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. There are no indications of how many groups possess this tool. BlackEnergy2 was eventually seen downloading more crimeware plugins - a custom spam plugin and a banking information stealer custom plugin. Over time, BlackEnergy2 was assumed into the toolset of the BE2/Sandworm actor. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own.

 

The Plugins and Config Files

Before evidence of BlackEnergy2 use in targeted attacks was uncovered, we tracked strange activity on one of the BlackEnergy CnC servers in 2013. This strangeness was related to values listed in newer BlackEnergy configuration files. As described in Dmitry's 2010 Black DDoS' analysis, a configuration file is downloaded from the server by main.dll on an infected system. The config file provides download instructions for the loader. It also instructs the loader to pass certain commands to the plugins. In this particular case in 2013, the config file included an unknown plugin set, aside from the usual 'ddos' plugin listing. Displayed below are these new, xml formatted plugin names "weap_hwi", "ps", and "vsnet" in a BlackEnergy configuration file download from a c2 server. This new module push must have been among the first for this group, because all of the module versions were listed as "version 1", including the ddos plugin:

Config downloaded from BE2 server

The 'ps' plugin turned out to be password stealer. The 'vsnet' plugin was intended to spread and launch a payload (BlackEnergy2 dropper itself at the moment) in the local network by using PsExec, as well as gaining primary information on the user's computer and network.
Most surprising was the 'weap_hwi' plugin. It was a ddos tool compiled to run on ARM systems:

Weap_hwi plugin

At first, we didn't know whether the ARM plugin was listed intentionally or by mistake, so we proceeded to collect the CnC's config files. After pulling multiple config files, we confirmed that this ARM object inclusion was not a one-off mistake. The server definitely delivered config files not only for Windows, but also for the ARM/MIPS platform. Though unusual, the ARM module was delivered by the same server and it processed the same config file.

Linux plugins

Over time we were able to collect several plugins as well as the main module for ARM and MIPS architectures. All of these ARM/MIPS object files were compiled from the same source and later pushed out in one config: "weap_msl", "weap_mps", "nm_hwi", "nm_mps", "weap_hwi", and "nm_msl". It's interesting that the BE2 developers upgraded the ddos plugin to version 2, along with the nm_hwi, nm_mps, and nm_msl plugins. They simultaneously released version 5 of the weap_msl, weap_mps, and weap_hmi plugins. Those assignments were not likely arbitrary, as this group had developed BlackEnergy2 for several years in a professional and organized style:

Config with a similar set of plugins for different architectures

Here is the list of retrieved files and related functionality:

weap DDoS Attack (various types) ps password stealer handling a variety of network protocols (SMTP, POP3, IMAP, HTTP, FTP, Telnet) nm scans ports, stores banners snif logs IP source and destination, TCP/UDP ports hook main module: CnC communication, config parser, plugins loader uper rewrites hook module with a new version and launches it

 

Weap, Snif, Nm plugin grammar mistakes and mis-spellings

The developers' coding style differed across the 'Hook' main module, the plugins, and the Windows main.dll. The hook main module contained encrypted strings and handled all the function calls and strings as the references in a large structure. This structure obfuscation may be a rewrite effort to better modularize the code, but could also be intended to complicate analysis. Regardless, it is likely that different individuals coded the different plugins. So, the BE2 effort must have its own small team of plugin and multiplatform developers.

Hook module structure

After decrypting the strings, it became clear that the Linux Hook main module communicated with the same CnC server as other Windows modules:

The CNC's IP address in the Linux module

This Linux module can process the following commands, some of which are similar to the Windows version:

die
delete all BlackEnergy2 files and system traces kill
delete all BlackEnergy2 files and system traces and reboot lexec
launch a command using bin/sh rexec
download and launch file using 'fork/exec' update
rewrite self file migrate
update the CnC server

 

Windows Plugins

After the disclosure of an unusual CnC server that pushed Linux and the new Windows plugins we paid greater attention to new BE2 samples and associated CnCs.

During an extended period, we were able to collect many Windows plugins from different CnC servers, without ever noticing Linux plugins being downloaded as described above. It appears the BE2/SandWorm gang protected their servers by keeping their non-Windows hacker tools and plugins in separate servers or server folders. Finally, each CnC server hosts a different set of plugins, meaning that each server works with different victims and uses plugins based on its current needs. Here is the summary list of all known plugins at the moment:

fs searches for given file types, gets primary system and network information ps password stealer from various sources ss makes screenshots vsnet spreads payload in the local network  (uses psexec, accesses admin shares), gets primary system and network information rd remote desktop scan scans ports of a given host grc backup channel via plus.google.com jn file infector (local, shares, removable devices) with the given payload downloaded from CnC cert certificate stealer sn logs traffic, extracts login-passwords from different protocol (HTTP, LDAP, FTP, POP3, IMAP, Telnet ) tv sets password hash in the registry for TeamViewer prx Proxy server dstr Destroys hard disk by overwriting with random data (on application level and driver level) at a certain time kl keylogger upd BE2 service file updater usb gathers information on connected USBs  (Device instance ID,  drive geometry) bios gathers information on BIOS, motherboard, processor,  OS

We are pretty sure that our list of BE2 tools is not complete. For example, we have yet to obtain the router access plugin, but we are confident that it exists. Evidence also supports the hypothesis that there is a decryption plugin for victim files (see below).

Our current collection represents the BE2 attackers' capabilities quite well. Some plugins remain mysterious and their purpose is not yet clear, like 'usb' and 'bios'. Why would the attackers need information on usb and bios characteristics? It suggests that based on a specific USB and BIOS devices, the attackers may upload specific plugins to carry out additional actions. Perhaps destructive, perhaps to further infect devices. We don't know yet.
It's also interesting to point out another plugin – 'grc'. In some of the BE2 configuration files, we can notice an value with a "gid" type:

The addr number in the config

This number is an ID for the plus.google.com service and is used by the 'grc' plugin to parse html. It then downloads and decrypts a PNG file. The decrypted PNG is supposed to contain a new CNC address, but we never observed one. We are aware of two related GooglePlus IDs. The first one, plus.google.com/115125387226417117030/, contains an abnormal number of views. At the time of writing, the count is 75 million:

BE2 plus profile

The second one - plus.google.com/116769597454024178039/posts - is currently more modest at a little over 5,000 views. All of that account's posts are deleted.

Tracked Commands

During observation of the described above "router-PC" CnC we tracked the following commands delivered in the config file before the server went offline. Our observation of related actions here:

u ps start password stealing (Windows) Ps_mps/ps_hwi start start password stealing (Linux, MIPS,  ARM) uper_mps/uper_hwi start rewrite hook module with a new version and launch it (Linux, MIPS, ARM) Nm_mps/nm_hwi start  –ban -middle Scan ports and retrieve banners on the router subnet  (Linux, MIPS,  ARM) U fsget * 7 *.docx, *.pdf, *.doc * search for docs with the given filetypes (Windows) S sinfo retrieve information on installed programs and launch commands: systeminfo, tasklist, ipconfig, netstat, route table, trace route to google.com (Windows) weap_mps/weap_hwi host188.128.123.52 port[25,26,110,465,995]  typetcpconnect DDoS on 188.128.123.52 (Linux, MIPS,  ARM) weap_mps/weap_hwi  typesynflood port80 cnt100000 spdmedium host212.175.109.10 DDoS on 212.175.109.10 (Linux, MIPS,  ARM)

The issued commands for the Linux plugins suggest the attackers controlled infected MIPS/ARM devices. We want to pay special attention to the DDoS commands meant for these routers. 188.128.123.52 belongs to the Russian Ministry of Defense and 212.175.109.10 belongs to the Turkish Ministry of Interior's government site. While many researchers suspect a Russian actor is behind BE2, judging by their tracked activities and the victim profiles, it's still unclear whose interests they represent. 

While observing some other CnCs and pulling down config files, we stumbled upon some strange mistakes and mis-typing. They are highlighted in the image below:

BE2 config file mistakes

First, these mistakes suggest that the BE2 attackers manually edit these config files. Secondly, it shows that even skilled hackers make mistakes.

Hard-Coded Command and Control

The contents of the config files themselves are fairly interesting. They all contain a callback c2 with a hardcoded ip address, some contain timeouts, and some contain the commands listed above. We include a list of observed hardcoded ip C2 addresses here, along with the address owner and geophysical location of the host:

C2 IP address Owner Country 184.22.205.194 hostnoc.net US 5.79.80.166 Leaseweb NL 46.165.222.28 Leaseweb NL 95.211.122.36 Leaseweb NL 46.165.222.101 Leaseweb NL 46.165.222.6 Leaseweb NL 89.149.223.205 Leaseweb NL 85.17.94.134 Leaseweb NL 46.4.28.218 Hetzner DE 78.46.40.239 Hetzner DE 95.143.193.182 Serverconnect SE 188.227.176.74 Redstation GB 93.170.127.100 Nadym RU 37.220.34.56 Yisp NL 194.28.172.58 Besthosting.ua UA 124.217.253.10 PIRADIUS MY 84.19.161.123 Keyweb DE 109.236.88.12 worldstream.nl NL 212.124.110.62 digitalone.com US 5.61.38.31 3nt.com DE 5.255.87.39 serverius.com NL

 

It's interesting that one of these servers is a Tor exit node. And, according to the collected config files, the group upgraded their malware communications from plain text http to encrypted https in October 2013.

 

BE2 Targets and Victims

BlackEnergy2 victims are widely distributed geographically. We identified BlackEnergy2 targets and victims in the following countries starting in late 2013. There are likely more victims.

  • Russia
  • Ukraine
  • Poland
  • Lithuania
  • Belarus
  • Azerbaijan
  • Kyrgyzstan
  • Kazakhstan
  • Iran
  • Israel
  • Turkey
  • Libya
  • Kuwait
  • Taiwan
  • Vietnam
  • India
  • Croatia
  • Germany
  • Belgium
  • Sweden

Victim profiles point to an expansive interest in ICS:

  • power generation site owners
  • power facilities construction
  • power generation operators
  • large suppliers and manufacturers of heavy power related materials
  • investors

However, we also noticed that the target list includes government, property holding, and technology organizations as well:

  • high level government
  • other ICS construction
  • federal land holding agencies
  • municipal offices
  • federal emergency services
  • space and earth measurement and assessment labs
  • national standards body
  • banks
  • high-tech transportation
  • academic research

 

Victim cases

We gained insight into significant BE2 victim profiles over the summer of 2014. Interesting BE2 incidents are presented here.

Victim #1

The BE2 attackers successfully spearphished an organization with an exploit for which there is no current CVE, and a metasploit module has been available This email message contained a ZIP archive with EXE file inside that did not appear to be an executable. This crafted zip archive exploited a WinRAR flaw that makes files in zip archives appear to have a different name and file extension.

BE2 spearphish example

The attached exe file turned out to be 'BlackEnergy-like' malware, which researchers already dubbed 'BlackEnergy3' - the gang uses it along with BlackEnergy2. Kaspersky Lab detects 'BlackEnergy3' malware as Backdoor.Win32.Fonten – naming it after its dropped file "FONTCACHE.DAT"

When investigating computers in the company's network, only BE2 associated files were found, suggesting BE3 was used as only a first-stage tool on this network. The config files within BE2 contained the settings of the company's internal web proxy:

BE2 config file contains victim's internal proxy

As the APT-specific BE2 now stores the downloaded plugins in encrypted files on the system (not seen in older versions – all plugins were only in-memory), the administrators were able to collect BE2 files from the infected machines. After decrypting these files, we could retrieve plugins launched on infected machines: ps, vsnet, fs, ss, dstr.
By all appearances, the attackers pushed the 'dstr' module when they understood that they were revealed, and wanted to hide their presence on the machines. Some machines already launched the plugin, lost their data and became unbootable.

Desstructive dstr command in BE2 config file

Also on some machines some documents were encrypted, but unfortunately no appropriate plugin who was responsible for that was found.

Victim #2

The second organization was hacked via the first victim's stolen VPN credentials. After the second organization was notified about the infection they started an internal investigation. They confirmed that some data was destroyed on their machines, so the BE2 attackers have exhibited some level of destructive activity. And, they revealed that their Cisco routers with different IOS versions were hacked. They weren't able to connect to the routers any more by telnet and found the following "farewell" tcl scripts in the router's file system:

Ciscoapi.tcl – contains various wrappers over cisco EXEC-commands as described in the comments.
The comment includes a punchy message for "kasperRsky":

BE2 ciscoapi.tcl fragment

Killint.tcl – uses Ciscoapi.tcl, implements destroying functions:

BE2 killint.tcl fragment

The script tries to download ciscoapi.tcl from a certain FTP server which served as a storage for BE2 files. The organization managed to discover what scripts were hosted on the server before BE/SandWorm gang deleted them, and unfortunately couldn't restore them after they were deleted. The BE2 actor performs careful, professional activity covering their tracks:
ciscoapi.tcl
killint.tcl
telnetapi2.tcl
telnetu.tcl
stub.tcl
stub1.tcl

There is evidence that the logs produced by some scripts were also stored on the FTP server, in particular the information on CDP neighbors which is provided by one of the procedures of ciscoapi.tcl.

Victim #3

The third organization got compromised by the same type of attack as the first one (an EXE file spoofing a doc within a Zip archive). All the plugins discovered in BE2 files were known, and there was no revelation of hacked network devices on their side and no destroyed data. The noticeable thing is that many computers contained both BE2 and BE3 files and some config files contained the following URL:
hxxps://46.165.222(dot)28/upgrade/f3395cd54cf857ddf8f2056768ff49ae/getcfg.php

The URL contains the md5 of the string 'router'. One of the discovered config files contained a URL with an as yet unidentified md5:
hxxps://46.165.222(dot)28/upgrade/bf0dac805798cc1f633f19ce8ed6382f/upgrade.php

Victim set #4

A set of victims discovered installed Siemens SCADA software in their ICS environment was responsible for downloading and executing BlackEnergy. Starting in March 2014 and ending in July 2014, Siemens "ccprojectmgr.exe" downloaded and executed a handful of different payloads hosted at 94.185.85.122/favicon.ico. They are all detected as variants of "Backdoor.Win32.Blakken".

Build IDs

Each config file within BE2 main.dll has a field called build_id which identifies the malware version for the operators. Currently this particular BE/SandWorm gang uses a certain pattern for the build ids containing three hex numbers and three letters, as follows:

0C0703hji

The numbers indicate the date of file creation in the format: Year-Month-Day. Still, the purpose of the letters is unknown, but most likely it indicates the targets. The hex numbers weren't used all the time, sometimes we observed decimal numbers:

100914_mg

100929nrT

Most interesting for us was the earliest build id we could find. Currently it is "OB020Ad0V", meaning that the BE2/SandWorm APT started operating as early as the beginning of 2010.

 

Appendix: IoC

While BE dropper installs its driver under a randomly picked non-used Windows driver name, like %system32%\drivers\AliIde.sys. The driver is self-signed on 64-bit systems
However, new "APT" BE2 uses one of the following filenames that are used as an encrypted storage for plugins and the network settings. They are consistent and serve as stable IoC:

%system32%\drivers\winntd_.dat
%system32%\drivers\winntd.dat
%system32%\drivers\wincache.dat
%system32%\drivers\mlang.dat
%system32%\drivers\osver32nt.dat
%LOCALAPPDATA%\adobe\wind002.dat
%LOCALAPPDATA%\adobe\settings.sol
%LOCALAPPDATA%\adobe\winver.dat
%LOCALAPPDATA%\adobe\cache.dat

BE2 also uses start menu locations for persistence:
Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flashplayerapp.exe

BE3 uses the following known filenames:
%USERPROFILE%\NTUSER.LOG
%LOCALAPPDATA%\FONTCACHE.DAT

BE2 MD5s:
d57ccbb25882b16198a0f43285dafbb4
7740a9e5e3feecd3b7274f929d37bccf
948cd0bf83a670c05401c8b67d2eb310
f2be8c6c62be8f459d4bb7c2eb9b9d5e
26a10fa32d0d7216c8946c8d83dd3787
8c51ba91d26dd34cf7a223eaa38bfb03
c69bfd68107ced6e08fa22f72761a869
3cd7b0d0d256d8ff8c962f1155d7ab64
298b9a6b1093e037e65da31f9ac1a807
d009c50875879bd2aefab3fa1e20be09
88b3f0ef8c80a333c7f68d9b45472b88
17b00de1c61d887b7625642bad9af954
27eddda79c79ab226b9b24005e2e9b6c
48937e732d0d11e99c68895ac8578374
82418d99339bf9ff69875a649238ac18
f9dcb0638c8c2f979233b29348d18447
72372ffac0ee73dc8b6d237878e119c1
c229a7d86a9e9a970d18c33e560f3dfc
ef618bd99411f11d0aa5b67d1173ccdf
383c07e3957fd39c3d0557c6df615a1a
105586891deb04ac08d57083bf218f93
1deea42a0543ce1beeeeeef1ffb801e5
7d1e1ec1b1b0a82bd0029e8391b0b530
1f751bf5039f771006b41bdc24bfadd3
d10734a4b3682a773e5b6739b86d9b88
632bba51133284f9efe91ce126eda12d
a22e08e643ef76648bec55ced182d2fe
04565d1a290d61474510dd728f9b5aae
3c1bc5680bf93094c3ffa913c12e528b
6a03d22a958d3d774ac5437e04361552
0217eb80de0e649f199a657aebba73aa
79cec7edf058af6e6455db5b06ccbc6e
f8453697521766d2423469b53a233ca7
8a449de07bd54912d85e7da22474d3a9
3f9dc60445eceb4d5420bb09b9e03fbf
8f459ae20291f2721244465aa6a6f7b9
4b323d4320efa67315a76be2d77a0c83
035848a0e6ad6ee65a25be3483af86f2
90d8e7a92284789d2e15ded22d34ccc3
edb324467f6d36c7f49def27af5953a5
c1e7368eda5aa7b09e6812569ebd4242
ec99e82ad8dbf1532b0a5b32c592efdf
391b9434379308e242749761f9edda8e
6bf76626037d187f47a54e97c173bc66
895f7469e50e9bb83cbb36614782a33e
1feacbef9d6e9f763590370c53cd6a30
82234c358d921a97d3d3a9e27e1c9825
558d0a7232c75e29eaa4c1df8a55f56b
e565255a113b1af8df5adec568a161f3
1821351d67a3dce1045be09e88461fe9
b1fe41542ff2fcb3aa05ff3c3c6d7d13
53c5520febbe89c25977d9f45137a114
4513e3e8b5506df268881b132ffdcde1
19ce80e963a5bcb4057ef4f1dd1d4a89
9b29903a67dfd6fec33f50e34874b68b
b637f8b5f39170e7e5ada940141ddb58
c09683d23d8a900a848c04bab66310f1
6d4c2cd95a2b27777539beee307625a2
e32d5c22e90cf96296870798f9ef3d15
64c3ecfd104c0d5b478244fe670809cc
b69f09eee3da15e1f8d8e8f76d3a892a
294f9e8686a6ab92fb654060c4412edf
6135bd02103fd3bab05c2d2edf87e80a
b973daa1510b6d8e4adea3fb7af05870
8dce09a2b2b25fcf2400cffb044e56b8
6008f85d63f690bb1bfc678e4dc05f97
1bf8434e6f6e201f10849f1a4a9a12a4
6cac1a8ba79f327d0ad3f4cc5a839aa1
462860910526904ef8334ee17acbbbe5
eeec7c4a99fdfb0ef99be9007f069ba8
6bbc54fb91a1d1df51d2af379c3b1102
8b152fc5885cb4629f802543993f32a1
6d1187f554040a072982ab4e6b329d14
3bfe642e752263a1e2fe22cbb243de57
c629933d129c5290403e9fce8d713797
1c62b3d0eb64b1511e0151aa6edce484
811fcbadd31bccf4268653f9668c1540
0a89949a3a933f944d0ce4c0a0c57735
a0f594802fbeb5851ba40095f7d3dbd1
bf6ce6d90535022fb6c95ac9dafcb5a5
df84ff928709401c8ad44f322ec91392
fda6f18cf72e479570e8205b0103a0d3
39835e790f8d9421d0a6279398bb76dc
fe6295c647e40f8481a16a14c1dfb222
592c5fbf99565374e9c20cade9ac38aa
ad8dc222a258d11de8798702e52366aa
bc21639bf4d12e9b01c0d762a3ffb15e
3122353bdd756626f2dc95ed3254f8bf
e02d19f07f61d73fb6dd5f7d06e9f8d2
d2c7bf274edb2045bc5662e559a33942
ac1a265be63be7122b94c63aabcc9a66
e06c27e3a436537a9028fdafc426f58e
6cf2302e129911079a316cf73a4d010f
38b6ad30940ddfe684dad7a10aea1d82
f190cda937984779b87169f35e459c3a
698a41c92226f8e444f9ca7647c8068c
bc95b3d795a0c28ea4f57eafcab8b5bb
82127dc2513694a151cbe1a296258850
d387a5e232ed08966381eb2515caa8e1
f4b9eb3ddcab6fd5d88d188bc682d21d
8e42fd3f9d5aac43d69ca740feb38f97
a43e8ddecfa8f3c603162a30406d5365
ea7dd992062d2f22166c1fca1a4981a1
7bf6dcf413fe71af2d102934686a816b
cf064356b31f765e87c6109a63bdbf43
4a46e2dc16ceaba768b5ad3cdcb7e097
2134721de03a70c13f2b10cfe6018f36
7add5fd0d84713f609679840460c0464
cc9402e5ddc34b5f5302179c48429a56
9803e49d9e1c121346d5b22f3945bda8
c5f5837bdf486e5cc2621cc985e65019
2b72fda4b499903253281ebbca961775
7031f6097df04f003457c9c7ecbcda1c
6a6c2691fef091c1fc2e1c25d7c3c44c
9bd3fa59f30df5d54a2df385eba710a5
5100eb13cac2fc3dec2d00c5d1d3921c
0a2c2f5cf97c65f6473bdfc90113d81e
30b74abc22a5b75d356e3a57e2c84180
a0424e8436cbc44107119f62c8e7491b
c1ba892d254edd8a580a16aea6f197e9
e70976785efcfaeed20aefab5c2eda60
397b5d66bac2eb5e950d2a4f9a5e5f2c
4e9bde9b6abf7992f92598be4b6d1781
54d266dee2139dd82b826a9988f35426
5b4faa2846e91e811829a594fecfe493
907448af4388072cdc01e69b7b97b174
ccad214045af69d06768499a0bd3d556
1395dfda817818c450327ab331d51c1b
715e9e60be5a9b32075189cb04a0247e
3835c8168d66104eed16c2cd99952045
f32c29a620d72ec0a435982d7a69f683
95e9162456d933fff9560bee3c270c4e
da01ef50673f419cf06b106546d06b50
2dd4c551eacce0aaffedf4e00e0d03de
34f80f228f8509a67970f6062075e211
81ca7526881a0a41b6721048d2f20874
d642c73d0577dd087a02069d46f68dac

BE3 MD5s:
f0ebb6105c0981fdd15888122355398c
7cb6363699c5fd683187e24b35dd303e
4d5c00bddc8ea6bfa9604b078d686d45
f37b67705d238a7c2dfcdd7ae3c6dfaa
46649163c659cba8a7d0d4075329efa3
628ef31852e91895d601290ce44650b1
723eb7a18f4699c892bc21bba27a6a1a
8b9f4eade3a0a650af628b1b26205ba3
f6c47fcc66ed7c3022605748cb5d66c6
6c1996c00448ec3a809b86357355d8f9
faab06832712f6d877baacfe1f96fe15
2c72ef155c77b306184fa940a2de3844
2e62e8949d123722ec9998d245bc1966
b0dc4c3402e7999d733fa2b668371ade
93fa40bd637868a271002a17e6dbd93b
f98abf80598fd89dada12c6db48e3051
8a7c30a7a105bd62ee71214d268865e3
2f6582797bbc34e4df47ac25e363571d
81d127dd7957e172feb88843fe2f8dc1
3e25544414030c961c196cea36ed899d

 

Parallel and Previous Research

Botnet History Illustrated by BlackEnergy 2, PH Days, Kaspersky Lab - Maria Garnaeva and Sergey Lozhkin, May 2014

BlackEnergy and Quedagh (pdf), F-Secure, September 2014

Sandworm, iSIGHT Partners, October 2014

Alert (ICS-ALERT-14-281-01A) Ongoing Sophisticated Malware Campaign Compromising ICS (Update A), ICS-CERT, October 2014

 

A false choice: the Ebola virus or malware?

Thu, 10/23/2014 - 09:31

In September we came across mentions of people in Africa suffering from the Ebola virus and unusual invitations to a conference of the World Health Organisation (WHO) in the subject line of so-called "Nigerian" emails.  The aim of the conmen was, as usual, to swindle money from trusting recipients who entered into conversation with the authors of the letters.

In October it was the turn of the cybercriminals, who used the tumult around the Ebola virus to send letters containing malware. Once again the WHO was indicated as the sender of the letters, which is unsurprising as this is the organisation that deals with various diseases and epidemics on a worldwide level.

In the text of the letters we detected the evildoers tried to convince recipients that the WHO has prepared a file with general information and security measures that will help protect users and those around them from the deadly virus and other diseases. Furthermore the recipient was also asked to distribute this information to help the WHO.

To mask the real link a link abbreviation service was used, which finally redirected users to a popular cloud data storage service. There the criminals had stored the malware program Backdoor.Win32.DarkKomet.dtzn disguised as a document from the WHO. This malware is designed to steal personal data. We note that access to the file was blocked quite quickly by the service administrators and, probably for that reason, the evildoers decided to change their letter. The very next day our traps caught a similar communication supposedly from the WHO, only this time the archive with the same malware program was inserted into the letter itself.

Cybercriminals rarely miss a chance to use current events and the names of famous organisations to trick the recipients of their spam. And so, having fallen for the convincing header and failed to pay attention for even a moment, users risk compromising their personal data and surrendering control of their computer to criminals. It is worth remembering that modern anti-virus solutions provide protection but it is only the considered actions of users that can keep their personal data safe.

Spam in September 2014

Thu, 10/23/2014 - 07:00
Spam in the spotlight

In September, "Nigerian" scammers sent out stories relating to the breaking news of the Ebola epidemic. There was festive spam, focusing on both the US Labor Day celebration and the upcoming winter holidays: spammers have started to offer products and services for Christmas. A large part of the major theme mailings promoted products and services using popular social networking sites: the spammers promised an instant influx of new customers and income growth.

The Ebola virus in "Nigerian" spam

In July, the first reports about the Ebola outbreak in Africa appeared in the media. While the world's attention was focused on how to fight the epidemic and prevent it spreading further, scammers used the disease to create new stories for their "Nigerian" letters.

In September, we came across several mailings which mentioned Ebola. In addition to the popular "Nigerian" legends written supposedly on behalf of people with various diseases the fraudsters made up quite unusual stories. For example, an email from a rich Liberian lady dying from Ebola contained a long story about her children who died from the virus and about the local medical center which refused to help her. She was willing to donate more than $1.5 million to a recipient who would transfer this money to charities. The message contained a detailed description of the situation that is unusual for "Nigerian" letters. However, this long story was still nothing more than yet another trick to make recipients believe the story and start corresponding with the scammers.

The authors of another fraudulent mailing introduced themselves as an employee of the World Health Organization and tried an unusual tack to attract attention – the reader was invited to a conference where Ebola would be discussed along with other medical issues. The recipient was not only invited to participate in the conference as a guest but was also offered 350,000 Euro and an automobile for his work as the WHO Representative in the UK. If the victim was interested in the offer, he had to provide his personal data. Apparently, the scammers hoped that the offer of money and work in an international company would ease all the user's doubts.

Holiday spam

In early September, the United States celebrated Labor Day and the spammers were determined not to miss out on the event. Traditionally, in the run-up to the holidays people are attracted by discounts and sales. This time, companies selling print cartridges offered discounts not only for Labor Day but also the beginning of the new school year. Pharmaceutical spam advertizing drugs for weight loss also offered discounts related to the holiday.

Spam traffic around the world also contained adverts for goods and services related to Christmas. English-language messages offered a Christmas party on board a ship and urged early booking to get the lowest prices. In addition, the spammers encouraged people to start thinking of buying Christmas gifts in September and order digital devices directly from Chinese manufacturers as well as ordering a Christmas tree for the holiday.

Earnings and advertising on social networking sites

Another major theme this month was spam messages advertising various ways to earn money online using popular social networking sites. Most often, spammers offered to create an individual profile or a group in Twitter, Facebook or LinkedIn, to design a page according to the concept of the company and the goods it sells, to provide the first subscribers as well as to create the primary content and begin to actively promote it. Naturally, all this came at a cost. After such a comprehensive approach to creating a community in a social network the authors of the mailings promised a sharp increase in the customer numbers and sales volumes. Users were asked to apply by following a link in the email.

Spammers also spent plenty of time offering professional business promotion by placing photos and videos on specialist social networking sites. The authors of these mailings also promised to provide their customers with the necessary number of subscribers, for example, in Instagram, to place the photos of goods and to achieve the first results within the next three days. The recipients were often invited to make a video presentation of the company or the product and to post it on the popular video hosting YouTube. The spammers also promised that users could make "an obscene amount of money" with the help of YouTube by spending just 40 minutes a day on it. However, these mailings were nothing more than adverts about yet another author marketing course on DVD. To buy the DVD the recipient needed to follow a link in the email to enter the necessary website and make an order.

In September, we also came across the mailings containing invitations to seminars and webinars dedicated to the "art" of group and community administration on social networks. The authors of these training sessions promised to reveal all the secrets of an administrator's work (for example, on Facebook or LinkedIn), leading to a stable monthly income for students. To register for a webinar, the recipient had to click on the link in the email.

According to the authors of foreign language spam mailings, the most popular source for attracting new customers and revenue growth was, of course, Facebook. So the  spammers proposed using the network to promote personal ads, to link specific redirects to posts and photos – in this case the number of potential customers would depend on the quality of the content and the willingness of the users to click the links published in the communities. To accomplish this, they suggested special software which could be bought via spam mailings. Sites with detailed descriptions of the software had been created a few months ago and their names contained such words as "customers", "income", "Facebook"

Spam for collectors

Among the most interesting mailings of the month were collector-oriented spam messages sent. English-language users were offered a free booklet on British medals from the First World War. The emails with the generous offer supposedly came from the SSAFA, a charity created to assist British war veterans and their families. However the official website of this organization had no information on the promotion while online feedback pointed out that the mailing was unsolicited. The message linked to an order page where recipients were asked to provide contact details including a phone number. This is one of the ways the fraudsters collect user personal data which will later be used for promotional purposes. For example, a phone database can be used for cold calls to sell goods and services.

Another mass mailing was distributed on behalf of a collector. In his emails he spoke about his hobby - collecting badges and stickers with the logos of various organizations. He wrote to different companies asking for samples for his collection. Although it's unlikely that these emails were fraudulent, they were unsolicited and therefore were classified as spam.

Statistics The percentage of spam in email traffic

The percentage of spam in email traffic

The percentage of spam in September's email traffic averaged 66.5%, which is 0.7 percentage points down from August. The amount of unsolicited email consistently decreased throughout the month – in early September the percentage of spam averaged 69.3% while in the end it dropped to 63.1%.

Sources of spam by country

In September, the Top 3 most popular sources of spam were as follows. The USA remained in first position (12%) although its contribution was down nearly 4 percentage points from the previous month. Vietnam moved from fourth to second place with 9.3%; up 4.6 percentage points. Russia was in third place with 5.8% - there was little change in its numbers and it dropped one place in the table.

Sources of spam around the world

China was in 4th position with 5.6% of all distributed spam; its contribution dropped by nearly 1 pp. It is followed by India (4.7%): with almost 2 pp growth this country rocketed from 10th in August to 5th in September.

South Korea (3.2%) also increased its share by 1.3pp and placed 7th, up eight from the previous month. Meanwhile, Germany (2.9%) lost 0.7 pp and fell from 6th to 9th place in September. The Top 10 was completed with Taiwan with 2.5% of all distributed spam. France, Spain and Italy also produced a little more than 2% of the world spam.

Sources of spam in Europe by country

Vietnam was September's leading source of spam sent to European users (11.1%). Next came the USA with 9.1% and Russia on 6%.

They are followed by China (5.3%), India (4.5%), Argentina (3.7%) and South Korea (3.5%). About 3% of European spam originated from each of Brazil, Germany and.

The rating also includes Taiwan (2.7%), Spain (2.6%), Italy (2.5%) and Mexico (2.3%) in 11th-14th place. Iran was in 15th position with 2.2% of spam sent to European users. The percentage of spam that originated from elsewhere did not exceed 2%.

Malicious attachments in email traffic

In September, the Top 10 malicious programs distributed via email were:

Top 10 malicious programs distributed via email

Dofoil:Trojan-Downloader.Win32.Dofoil.dx, Trojan-Downloader.Win32.Dofoil.dy and Trojan-Downloader.Win32.Dofoil.dz occupied 1st, 6th and 9th places respectively. This type of malware downloads other malicious programs onto the victim computer and uses them to steal user data (primarily passwords) which it then sends to the fraudsters.

Trojan-Spy.HTML.Fraud.gen was in 2nd position. As we wrote before, this piece of malware from the Fraud.gen family is a fake data entry HTML page that is sent to users by email, disguised as an important message from large commercial banks, online stores, software companies etc.

Trojan-Banker.HTML.PayPal.b came 4th. This malicious program appears in the form of the HTML page imitating a PayPal form. Recipients of an email containing this attachment is asked to fill in the form to update their PayPal account after the launch of the new IT security system. The German-language form includes fields like E-Mail Adresse, PayPal passwort,  Vollständiger Name, Nachname der Mutter (Fakultativ),  Geburtsdatum, Telefonnummer,  Adresse,  Stadt,  Land, Postzahl,    Kartennummer, Verfallsdatum,   Kartenprüfnummer, VBV Passwort / MasterCard. It seems the fraudsters are targeting German-speaking PayPal users.

Trojan-Downloader.MSWord.Agent.ba and Trojan-Downloader.MSWord.Agent.bf placed 5th and 8th in the ranking. These programs imitate a .doc file with built-in macros written in Visual Basic for Applications (VBA), which are executed when opening the document. The macros download and run malicious software, such as representatives of the Andromeda family.

Trojan.Win32.Vundo.adc completed the list of the most popular malicious programs distributed via email. This program downloads other malware, for example, Trojan-Banker.Win32.Fibbit, which compromises the data passing through banking client applications. The Trojan intercepts keystrokes, copies data from the clipboard, searches for file certificates with the .jks extension, makes screenshots and tries to read the "keys.dat" file. All the stolen data is packed in the CAB archive and sent to the attacker's server.

Distribution of email antivirus detections by country

For several month in a row, the three countries with the most antivirus detections have been Germany, the UK and the USA, each jostling for position at the top.  In September, Germany took the lead (9.11%) followed by the UK (8.45%) and the USA (8.26%)

Russia was a big mover once again– after unexpectedly rising to 4th place in August it lost 4.14 percentage points and dropped down to 13th.

Special features of malicious spam

In September many mailings containing malicious attachments dealt with matters of hiring and firing. We registered a mass mailing that told recipient their employment contract withan organization (the company name varied from email to email) had been terminated for violations of the company's internal policy. The messages even provided number and date of the alleged violations. The email also stated that recipients had already been issued written warnings demanding improved behavior in future. However, since nothing had been done, the labor contract was terminated.

To appeal this decision the recipient was invited to consult the lawyer before a specified deadline. The email contained an attached archive with documents about the supposed violations.  To view the document, the recipient had to open the attachment. In fact, though, the attachment contained a representative of the Trojan-Downloader.Win32.Cabby family. This malware downloads other malicious software onto a victim computer, including various modifications of the Zbot family of programs.

Phishing

In September, Kaspersky Lab's anti-phishing component registered 18,779,357 detections, 13,874,415 detections less than in the previous month. This decline in the amount of phishing was caused by the end of the summer slowdown and the beginning of the business season. It should also be noted that September is often a month for presentations and other major company events. In the run-up to these, phisher activity grows leading to a spike in the number of fraudulent attempts at the end of the summer

In September, Brazil (17.8%) was once again the leading country for phishing attacks, even though its share was down 1.7 percentage points. Australia dropped to 3rd with 11.1% of all antivirus detections. Second came India (13.4%). The UAE (10.5%) and France (10.4%) were in 4th and 5th positions respectively.

The geography of phishing attacks*, September 2014

* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users

Top 10 countries by the percentage of attacked users:

  Country % of users 1 Brazil 17.8 2 India 13.4 3 Australia 11.2 4 UAE 10.5 5 France 10.4 6 Canada 9.9 7 China 9.9 9 Columbia 9.4 8 Bangladesh 9.0 10 UK 8.0 Targets of attacks by organization

The statistics on phishing targets are based on detections made by Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page that has not previously been included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning of a potential threat.

In September, Global Internet Portals were again the leading category among the organizations most often attacked by phishers with 24.7%, even though the share decreased by 6.1 pp. The contribution of Social networks (20.2%) rose by 2.8 pp from the previous month.

Organizations most frequently targeted by phishers, by category – September 2014

Financial phishing accounted for 36.9%of all detections made by Kaspersky Lab's anti-phishing component, a 1.7 pp growth compared with the previous month. The percentage of detections affecting Banks accounted for 18.9% (+0.5pp), followed by online stores (11.4%, +1.4%) and E-payment systems (7.3%, +0.5%).

Top 3 organizations most frequently targeted by phishers   Organization % of detections 1 Facebook 11.16% 2 Yahoo! 7.10% 3 Google 6.31%

In September, Facebook (11.1%) was most heavily targeted by phishers: its share was up 1.1 pp. Yahoo came 2nd with 7.1% of all Anti-Phishing component detections. The share of Google services halved compared to August and accounted for 6.3%, placing this organization 3rd.

September's spam traffic contained phishing mailings aimed at stealing logins and passwords to accounts with the popular Chinese online store Alibaba.com. The scammers tried to convince recipients to update their accounts or confirm their use with refer to a new security system and account maintenance. The design of fake the messages used the official logo and the Auto Signature of Alibaba.com as well as the standard anti-virus notification about the absence of threats in the email. The 'From' field named Alibaba.com as the sender and the sender's address contained mainly legitimate domain names. However, on closer examination, an observant recipient could notice spelling mistakes in the addresses of senders and see domain names which obviously did not belong to the company.

Phishing pages were included directly in the fake emails and had a similar design. Recipients had to fill in the fields entering not only email addresses and passwords but also company names, countries of residence and mobile phone numbers. This way the fraudsters collected additional information about their victims for use in future scams.

Conclusion

In September, the percentage of spam in email traffic decreased by 0.7pp and averaged 66.5%. The main distributors of spam were the USA (12%), Vietnam (9.3%) and Russia (5.8%).

A Trojan downloader from the Dofoil family topped the rating of the most popular malware spread via email. This malicious program is used to download other malware onto victim computers.

In September, Kaspersky Lab's anti-phishing component registered 18,779,357 detections. According to the statistics, 17.8% of all detections targeted the users in Brazil. Australia, which was August's leader, moved down to 3rd position (11.1%). Global Internet Portals remained the leading category among the organizations most often attacked by phishers with 24.7% of all attacks. Financial phishing accounted for 36.9% of all detections made by Kaspersky Lab's anti-phishing component, a 1.7 pp growth compared with the previous month. In September's the Top 3 organizations most frequently targeted by phishers Facebook took the lead with (11.1%) of all detections.

In September, "Nigerian" scammers switched their attention from events in Ukraine to health issues, in particular to the Ebola virus which was rarely far from the headlines this month.

Promotional mailings offered goods and services dedicated to America's Labor Day celebrations, as well as to the popular winter holidays celebrated worldwide. From now on we expect to see a sharp rise in the percentage of spam dedicated to Christmas and New Year festivities until it reaches its December peak.

Leave your passwords at the Checkout Desk

Thu, 10/23/2014 - 04:20

Hotels, Restaurants and Airports used to offer customers free tablets while using their facilities. Recently while attending an event and staying in one such hotel, I had the chance to use a free iPad especially installed in my room.

To my surprise, it not only contained the event agenda and provided a free WiFi connection, but also included a lot of private personal information from previous guests who had stayed in the same room.

When I speak about private personal information, I mean accounts with pre-saved passwords, authorized sessions on social networks, search results from the browser (mostly pornographic content), full contacts automatically saved into the address book, iMessages and even a pregnancy calculator with real information. It was not hard even to figure out that the identity of the woman who had used it, since she also left her personal contact information on the device:

Having full names and email addresses cached on the device, it was not hard to Google a little bit and find out that some of the users were very public people working for the government of the country where I was staying.

Most of sessions were still open, even allowing the posting / sending of messages in the name of the user:

This is completely unacceptable, from a security perspective. Basically a potential attacker had the chance not only read sent and received messages but also to impersonate the victim by sending messages in their name.

I also see this scenario as a perfect personal data collector for high profile spear phishing campaigns. On the other hand, if a potential attacker came from a classic cybercrime sphere, they might blackmail their victims. Moreover, it would be extremely easy for the criminal to do this, since they would have all kinds of data of the victims, including the name of pornographic movies watched on each specific date and time. Bearing in mind that some of the potential victims are public people and work for the government, most probably such blackmail would be successful.

So, what's wrong here? Well, I would say everything. First, it is unwise to use a free public device for personal and private communication. You just never know if the device is backdoored or who might be behind such hospitality? Second, if a public facility wants to offer its guests free portable devices for the duration of their stay, it's important that such devices are a properly configured first, to apply sensible security policies such as not storing personal information, not saving passwords and so on.

Maybe I'm too suspicious, but having an unknown and untrusted device like a tablet in my room, which is equipped with an embedded camera and a mic, I just preferred to switch it off and store it inside a drawer. I had to do this every afternoon since the cleaning staff put it back  on the desk every day I was at the hotel.

You have also remember that, even if such a free device is properly configured and does not visibly store any private information, you can't be sure that the next guest is not an expert in forensic analysis, in which case they could just take an image of the whole device and then recover your personal information step by step.

You may follow me on twitter: @dimitribest

Android NFC hack allow users to have free rides in public transportation

Tue, 10/21/2014 - 12:39

"Tarjeta BIP!" is the electronic payment system used in Chile to pay for public transportation via NFC incorporated in the user's smartphone. Numerous projects enabling mobile NFC ticketing for public transportation have been already executed worldwide. This is a trend. It means that criminal minds should be interested in it. Moreover, they are.

More and more people keep talking about the feature of payments via NFC. The problem in this particular case is that somebody reversed the "Tarjeta BIP!" cards and found a means to re-charge them for free. So, on Oct. 16 the very first widely-available app for Android appeared, allowing users to load these transportation cards with 10k Chilean pesos, a sum  equal to approximately $17 USD.

MD5 (PuntoBIP.apk) = 06a676fd9b104fd12a25ee5bd1874176

Immediately after appearing on the Internet, many users downloaded it and proved they were able to recharge their travel cards. All they had to do is to install the mentioned app on a NFC capable Android device, to approach the travel card to the phone and then to push the button "Cargar 10k", which means "Refill the card with 10,000" Chilean pesos.

According to the metadata of the .dex file package, it was compiled on October 16, 2014 and it has 884.5 kB (884491 Byte) size. The feature it incorporates interacts directly with the NFC port: android.hardware.nfc

The app has four main features: "número BIP" - to get the number of the card, "saldo BIP" - to get the available balance, "Data carga" - to refill available balance and finally, maybe the most interesting is "cambiar número BIP" - allowing the user to change the card number altogether. Why would we say this last feature is the most interesting? Well, a source suggested the authorities were going to block fraudulently refilled BIP cards. However, as we can see, the app is able to change the BIP number.

Since the original links to download the app were taken down, new links appeared, now pointing to new servers and actually hosting a new app:

MD5 (PuntoBIP-Reloaded.apk) = 2c20d1823699ae9600dad9cd59e03021

This is a modified version of the previous app, compiled on the next business day Oct 17, 2014 and which is a lot bigger 2.7 MB (2711229 Byte). This includes an advertisement module which shows ads via the doubleclick network.

Since both apps allow users to hack a legitimate application, they are now detected by Kaspersky as HEUR:HackTool.AndroidOS.Stip.a

Since the app is a hot one and a lot of people from Chile are looking for it, I expect some bad guys to come along and create fake similar apps but trojanized to infect mobile users and take some advantage of their interest.

At the same time, it is important to mention that mobile payments are getting more and more popular. NFC is one of the most promising ports in this field. This is a good example of how fresh new payment schemes often present the same old problems.

Thanks to Roman Unuchek for his analytical insights.

You may follow me on twitter: @dimitribest

The Ventir Trojan: assemble your MacOS spy

Thu, 10/16/2014 - 10:00

We got an interesting file (MD5 9283c61f8cce4258c8111aaf098d21ee) for analysis a short while ago. It turned out to be a sample of modular malware for MacOS X. Even after preliminary analysis it was clear that the file was not designed for any good purpose: an ordinary 64-bit mach-o executable contained several more mach-o files in its data section; it set one of them to autorun, which is typical of Trojan-Droppers.

Further investigation showed that a backdoor, a keylogger and a Trojan-Spy were hidden inside the sample. It is particularly noteworthy that the keylogger uses an open-source kernel extension. The extension's code is publicly available, for example, on GitHub!

Depending on their purpose, these files are detected by Kaspersky Lab antivirus solutions as Trojan-Dropper.OSX.Ventir.a, Backdoor.OSX.Ventir.a, Trojan-Spy.OSX.Ventir.a and not-a-virus:Monitor.OSX.LogKext.c.

Source file (Trojan-Dropper.OSX.Ventir.a)

As soon as it is launched, the dropper checks whether it has root access by calling the geteuid () function. The result of the check determines where the Trojan's files will be installed:

  • If it has root access, the files will be installed in /Library/.local and /Library/LaunchDaemons;
  • If it does not have root access, the files will be installed in ~/Library/.local and ~/Library/LaunchAgents ("~" stands for the path to the current user's home directory).

All files of the Trojan to be downloaded to the victim machine are initially located in the "__data" section of the dropper file.

Location of the Trojan's files inside the dropper

As a result, the following files will be installed on the infected system:

  1. Library/.local/updated – re-launches files update and EventMonitor in the event of unexpected termination.
  2. Library/.local/reweb – used to re-launch the file updated.
  3. Library/.local/update – the backdoor module.
  4. Library/.local/libweb.db – the malicious program's database file. Initially contains the Trojan's global settings, such as the C&C address.
  5. Library/LaunchAgents (or LaunchDaemons)/com.updated.launchagent.plist – the properties file used to set the file Library/.local/updated to autorun using the launchd daemon.
  6. Depending on whether root access is available:

    А) if it is – /Library/.local/kext.tar. The following files are extracted from the archive:

    • updated.kext – the driver that intercepts user keystrokes
    • Keymap.plist – the map which matches the codes of the keys pressed by the user to the characters associated with these codes;
    • EventMonitor – the agent which logs keystrokes as well as certain system events to the following file: Library/.local/.logfile.

    B) if it isn't – ~/Library/.local/EventMonitor. This is the agent that logs the current active window name and the keystrokes to the following file: Library/.local/.logfile

After installing these files, the Trojan sets the file updated to autorun using launchctl – the standard console utility (launchctl load% s/com.updated.launchagent.plist command).

Next, if root access is available, the dropper loads the logging driver into the kernel using the standard utility OSX kextload (kextload /System/Library/Extensions/updated.kext command)

After that, Trojan-Dropper.OSX.Ventir.a launches the file reweb and removes itself from the system.

Updated and reweb files

The file updated terminates all processes with the name reweb (killall -9 reweb command). After that, it regularly checks whether the processes EventMonitor and update are running and restarts them if necessary.

The file reweb terminates all processes with the names updated and update and then runs the file Library/.local/updated.

Update (Backdoor.OSX.Ventir.a) file

The backdoor first allocates the field values from the config table of the libweb.db database to local variables for further use.

To receive commands from C&C, the  malware uses an HTTP GET request in the following format: http://220.175.13.250:82/macsql.php?mode=getcmd&key=1000&udid=000C29174BA0, where key is some key stored in libweb.db in the config table; udid is the MAC address and 220.175.13.250:82 is the IP-address and port of the C & C server.

This request is sent regularly at short intervals in an infinite loop.

The backdoor can process the following commands from C&C:

  • reboot – restart the computer;
  • restart – restart the backdoor by launching reweb file;
  • uninstall – completely remove the backdoor from the system
  • show config – send data from the config table to the C&C server;
  • down exec – update the file update, download it from the C&C-server;
  • down config – update configuration file libweb.db, download it from the C&C server;
  • upload config – send the file libweb.db to the C&C server;
  • update config:[parameters] – update the config table in the libweb.db database file; values of fields from the table are sent as parameters;
  • executeCMD:[ parameter] – execute the command specified in the parameter using the function popen(cmd, "r"); send the command's output to the C & C server;
  • executeSYS:[parameter] – execute the command specified in the parameter using the function system(cmd);
  • executePATH:[parameter] – run file from the Library/.local/ directory; the file name is sent in the parameter;
  • uploadfrompath:[parameter] – upload file with the name specified in the parameter from the Library/.local/ directory to the C&C server;
  • downfile:[parameters] – download file with the name specified in a parameter from the C&C server and save it to the path specified in another parameter.

Some of the commands processed by the backdoor module

EventMonitor (Trojan-Spy.OSX.Ventir.a) file

This file is downloaded to the system if the dropper cannot get root access. Once launched, Trojan-Spy.OSX.Ventir.a installs its own system event handler using Carbon Event Manager API functions. The new handler intercepts all keystroke events and logs them to the file ~/Library/.local/.logfile. Modifier buttons (e.g., shift) are logged as follows: [command], [option], [ctrl], [fn], [ESC], [tab], [backspace], etc.

Keyboard event handler

Immediately before processing a keystroke, the malware determines the name of the process whose window is currently active. To do this, it uses GetFrontProcess and CopyProcessName functions from Carbon API. The name of the process is also logged as [Application {process_name} is the frontwindow]. This enables the Trojan's owner to determine in which application the phrase logged was entered.

kext.tar (not-a-virus:Monitor.OSX.LogKext.c) file

As mentioned above, the kext.tar archive is downloaded to the infected computer if Trojan-Dropper.OSX.Ventir has successfully got root access. The archive contains three files:

  • updated.kext
  • EventMonitor
  • Keymap.plist

The updated.kext software package is an open-source kernel extension (kext) designed to intercept keystrokes. This extension has long been detected by Kaspersky Lab products as not-a-virus:Monitor.OSX.LogKext.c and the source code (as it mentioned earlier) is currently available to the general public.

The file Keymap.plist is a map which matches the codes of keys pressed to their values. The file EventMonitor uses it to determine key values based on the codes provided to it by the file updated.kext.

The file EventMonitor is an agent file that receives data from the updated.kext kernel extension, processes it and records it in the /Library/.local/.logfile log file. Below is a fragment of the log that contains a login and password intercepted by the Trojan

As the screenshot demonstrates, as soon as a victim enters the username and password to his or her email account on yandex.ru, the data is immediately logged and falls into the cybercriminals' hands.

This threat is especially significant in view of the recent leaks of login and password databases from Yandex, Mail.ru and Gmail. It is quite possible that malware from the Ventir family was used to supply data to the databases published by cybercriminals.

In conclusion, it should be noted that Trojan-Dropper.OSX.Ventir.a with its modular structure is similar to the infamous Trojan.OSX.Morcut (aka OSX/Crisis), which had approximately the same number of modules with similar functionality. Using open-source software makes it much easier for cybercriminals to create new malware. This means we can safely assume that the number of Trojan-Spy programs will only grow in the future.

Microsoft Security Updates October 2014

Tue, 10/14/2014 - 18:23

This morning was possibly one of the most information rich in the history of Microsoft's patch Tuesdays. Last month, we pointed out the Aurora Panda/DeputyDog actor was losing an IE 0day being patched, and that seemed unusual. This month, several vulnerabilities abused with 0day exploits by known APT actors are being patched and the actors are being publicly noted. So today Microsoft pushes out eight security bulletins MS14-056 through MS14-063, including three rated critical.

The most interesting of today's vulnerabilities are two that are enabled by Windows functionality, but are useful for spearphishing targets with Office-type data file attachments - an Excel file, PowerPoint Show, Word document, and so on. The first of the two remind us of the Duqu attacksMS14-058 patches yet another kernel level font handling flaw CVE-2014-4148, the same kind of issue seen in the Duqu spearphish exploits. This one is rated critical by Microsoft. No one particular actor has been associated with this attack or exploit just yet.

The Windows OLE vulnerability patched with MS14-060 is surprisingly rated "Important" by Microsoft. The APT known as the "Sandworm team" deployed CVE-2014-4114 in incidents against targets alongside other known exploits. The group was known for deploying new variants of the BlackEnergy bot in cyber-espionage campaigns, hitting geopolitical and military targets. In one incident, the team sent spearphish as a PowerPoint slide deck containing the 0day OLE exploit to Ukrainian government and US academic organizations. When opened, the slides dropped newer variants of BlackEnergy to the victim systems. These newer variants of BlackEnergy maintain functionality dedicated to cyber espionage tasks.The most interesting characteristics of these BlackEnergy trojans are the custom plugins or modules, but that's for a different blog post.

Another group known as Hurricane Panda attempted to exploit CVE-2014-4113 in targeted environments. This escalation of privilege issue can present a real problem in situations where an attacker has gotten in to a network and is attempting to burrow in further. This bug also exists in Windows kernel code, and is patched by the same MS14-058 bulletin mentioned above.

The Internet Explorer update addresses fourteen vulnerabilities, rated critical for IE6 through IE11. They do not affect Server Core installations.

More can be read about October 2014 Microsoft Security Bulletins here.

Tic Tac Toe with a twist

Fri, 10/10/2014 - 05:00

Attempts by cybercriminals to disguise malware as useful applications are common to the point of being commonplace. However, the developers of Gomal, a new mobile Trojan, not only achieved a new level of camouflage by adding Tic Tac Toe game to their malicious program, but also implemented interesting techniques which are new to this kind of malware.

It all started with a Tic Tac Toe game being sent to us for analysis. At first glance, the app looked quite harmless:

However, the list of permissions requested by the game made us wonder. Why would it need to access the Internet, the user's contacts and the SMS archive or to be able to process calls and record sound? We analyzed the 'game' and it turned out to be a piece of multi-purpose spyware. The malicious app is now detected by Kaspersky Lab products as Trojan-Spy.AndroidOS.Gomal.a.

A thorough analysis of the malicious program showed that the game code accounts for less than 30% of the executable file's size. The rest is functionality for spying on the user and stealing personal data.

Game code is marked in green, malicious functionality – in red

What does this functionality include? First and foremost, the malware has sound recording functions, which are now standard for mobile spyware:

It also has SMS-stealing functionality:

In addition, the Trojan collects information about the device and sends all the data collected to its masters' server. But Trojan-Spy.AndroidOS.Gomal.a has something really curious up its sleeve – a package of interesting libraries distributed with it.

The package includes an exploit used to obtain root privileges on the Android device. The extended privileges give the app access to various services provided by Linux (the operating system on which Android is based), including the ability to read process memory and /maps.

After obtaining root access, the Trojan gets down to work. For example, it steals emails from Good for Enterprise, if the app is installed on the smartphone. The application is positioned as a secure email client for corporate use, so the theft of data from it can mean serious problems for the company where the owner of the device works. In order to attack Good for Enterprise, the Trojan uses the console to get the ID of the relevant process (ps command) and reads virtual file /proc/ /maps. The file contains information about memory blocks allocated to the application.

After getting the list of memory blocks, the malware finds the block [heap] containing the application's string data and creates its dump using one more library from its package. Next, the dump file created is searched for signatures characteristic of emails and the messages found are sent to the cybercriminals' server.

Gomal also steals data from logcat – the logging service built into Android that is used for application debugging. Developers very often have their applications outputting critically important data to Logcat even after the apps have been released. This enables the Trojan to steal even more confidential data from other programs.

As a result, the seemingly harmless game of Tic Tac Toe gives cybercriminals access to an enormous amount of the user's personal data and corporate data belonging to his employer. The techniques used by Gomal were originally implemented in Windows Trojans, but now, as we can see, they have moved on to Android malware. And, most dangerously, the principles upon which this technique is based can be used to steal data from applications other than Good for Enterprise – it is likely that a range of mobile malware designed to attack popular email clients, messengers and other programs will appear in the near future.

To reduce the risk of infection by mobile malware we recommend that users:
  • Do not activate the "Install applications from third-party sources" option
  • Only install applications from official channels (Google Play, Amazon Store, etc.)
  • When installing new apps, carefully study which rights they request
  • If the requested rights do not correspond with the app's intended functions, do not install the app
  • Use protection software

Tyupkin: Manipulating ATM Machines with Malware

Tue, 10/07/2014 - 04:00

Earlier this year, at the request of a financial institution, Kaspersky Lab's Global Research and Analysis Team performed a forensics investigation into a cyber-criminal attack targeting multiple ATMs in Eastern Europe.

During the course of this investigation, we discovered a piece of malware that allowed attackers to empty the ATM cash cassettes via direct manipulation.

At the time of the investigation, the malware was active on more than 50 ATMs at banking institutions in Eastern Europe.  Based on submissions to VirusTotal, we believe that the malware has spread to several other countries, including the U.S., India and China.

Due to the nature of the devices where this malware is run, we do not have KSN data to determine the extent of the infections. However, based on statistics culled from VirusTotal, we have seen malware submissions from the following countries:


This new malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

The malware uses several sneaky techniques to avoid detection. First of all, it is only active at a specific time at night.  It also uses a key based on a random seed for every session. Without this key, nobody can interact with the infected ATM.

When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

Most of the analyzed samples were compiled around March 2014. However this malware has evolved over time. In its last variant (version .d) the malware implements anti debug and anti emulation techniques, and also disables McAfee Solidcore from the infected system.

Analysis

According to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD.

The attackers copied the following files into the ATM:

C:\Windows\system32\ulssm.exe
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\AptraDebug.lnk

After some checks of the environment, the malware removes the .lnk file and create a key in the registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AptraDebug" = "C:\Windows\system32\ulssm.exe"

The malware is then able to interact with ATM through the standard library MSXFS.dll – Extension for Financial Services (XFS).

The malware runs in an infinite loop waiting for user input. In order to make it more difficult to detect, Tyupkin accepts (by default) commands only on Sunday and Monday nights.

It accepts the following commands:

  • XXXXXX – Shows the main window.
  • XXXXXX – Self deletes with a batch file.
  • XXXXXX – Increases the malware activity period.
  • XXXXXX – Hides the main window.

After every command the operator must press "Enter" on the ATM's pin pad.

Tyupkin also uses session keys to prevent interaction with random users. After entering the "Show the main window" command, the malware shows the message "ENTER SESSION KEY TO PROCEED!" using a random seed for each session.

The malicious operator must know the algorithm to generate a session key based on the seed shown. Only when this key is successfully entered that it is possible to interact with the infected ATM.

After that, the malware shows the following message:

CASH OPERATION PERMITTED.
TO START DISPENSE OPERATION -
ENTER CASSETTE NUMBER AND PRESS ENTER.

When the operator chooses the cassette number, the ATM dispenses 40 banknotes from it.

When the session key entered is incorrect, the malware disables the local network and shows the message:

DISABLING LOCAL AREA NETWORK...
PLEASE WAIT...

It is not clear why the malware disables the local network.  This is likely done to to delay or disrupt remote investigations.

Video with a demonstration in a real ATM is available in the following link: http://youtu.be/QZvdPM_h2o8

Conclusion

Over the last few years, we have observed a major uptick in ATM attacks using skimming devices and malicious software.  Following major reports of skimmers hijacking financial data at banks around the world, we have seen a global law enforcement crackdown that led to arrests and prosecution of cyber-criminals.

The successful use of skimmers to secretly swipe credit and debit card data when customers slip their cards into ATMs at banks or gas stations is well known and has led to a greater awareness for the public to be on the lookout – and take precautions – when using public ATMs.

Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly.   This is done by infecting ATMs directly or direct APT-style attacks against the bank.  The Tyupkin malware is one such example of attackers moving up the chain and finding weaknesses in the ATM infrastructure.

The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently.

Our recommendations for the banks is to review the physical security of their ATMs and consider investing in quality security solutions.

Mitigation recommendations

We recommend that financial institutions and businesses that operate ATMs on premises consider the following mitigation guidance:

  • Review the physical security of their ATMs and consider investing in quality security solutions.
  • Change default upper pool lock and keys in all ATMs. Avoid using default master keys provided by the manufacturer.
  • Install and make sure that ATM security alarm works. It was observed that the cyber-criminals behind Tyupkin infected only those ATMs that had no security alarm installed.
  • For the instructions on how to verify that your ATMs are not currently infected in one step, please contact us at intelreports@kaspersky.com. For the full scan of the ATM's system and deleting the backdoor, please use free Kaspersky Virus Removal Tool (you may download it here).
General advice for on-premise ATM operators
  • Ensure the ATM is in an open, well-lit environment that is monitored by visible security cameras. The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.
  • Regularly check the ATM for signs of attached third-party devices (skimmers).
  • Be on the lookout for social engineering attacks by criminals who may be masquerading as inspectors or security alarms, security cameras or other devices on premises.
  • Treat intruder alarms seriously and act accordingly by notifying law enforcement authorities of any potential breach.
  • Consider filling the ATM with just enough cash for a single day of activity.
  • For more advices both for merchants and users please visit http://www.link.co.uk/AboutLINK/site-owners/Pages/Security-for-ATMs.aspx

Mobile Cyber-threats: A Joint Study by Kaspersky Lab and INTERPOL

Mon, 10/06/2014 - 06:55

 PDF version

International Cooperation to Combat Cybercrime

Cyber-threats, including those targeting mobile devices, are directly linked to cybercrime. In most developed countries, creating and distributing malicious software is a criminal offence. Although such criminal acts are perpetrated in virtual environments, their victims lose real assets, such as personal data and money.

Combating cybercrime is particularly difficult because cybercriminals do not need to cross the borders of other countries to commit crimes in those territories. At the same time, enforcement authorities in these same countries have to overcome numerous barriers in order to administer justice. Therefore, international cooperation between information security experts and law enforcement authorities is required to effectively combat crime in the virtual world. Kaspersky Lab is an international company that brings together IT security experts from all over the world and seeks to provide detailed and highly qualified technical consultations to assist local law-enforcement agencies investigating cybercrime.

To cooperate as effectively as possible against international cybercrime, Kaspersky Lab and the International Criminal Police Organization (INTERPOL) have established a partnership, under which Kaspersky Lab experts will share their expertise in cyber-threat analysis with INTERPOL officers.

This "Mobile cyber-threats" report has been prepared by Kaspersky Lab and INTERPOL within that partnership framework. It aims to evaluate how widespread mobile threats are, and to alert the international IT security and law enforcement community to the problem of crime in the area of mobile communications.

Introduction: The Mobile Leader and Target no. 1

Smartphones and tablets have long been established as popular personal electronics devices. A joint Kaspersky Lab and B2B International survey conducted in the spring of 2014 found that 77% of the Internet users surveyed use several devices to access the World Wide Web; alongside traditional computers, they typically use smartphones and tablets. So what types of smartphones and tablets are used?

According to IDC's Q2 2014 report, the sales of such devices have, for the first time ever, passed the mark of 300,000,000 devices sold per quarter. This is an important milestone in the market that has been growing for several years.

According to the same IDC report, the distribution of operating systems for mobile devices looks like this:

Figure 1. Distribution of mobile operating systems in Q2 2014, according to IDC. Source: IDC

As the diagram shows, nearly 85% of the mobile device market was occupied by Android in Q2 2014. These numbers are an acknowledgement of Android's undisputed leadership among mobile environments. This operating system is free for device manufacturers and can be easily modified to match various business needs, which has helped it achieve popularity among smartphone and tablet developers as well as consumers across the world. This also means that Android-based devices inevitably attract the attention of cybercriminals who are  creating and distributing malicious programs.

Kaspersky Lab experts estimate that 98.05% of all existing mobile malware targets the users of Android devices. So, how much is "all existing malware"? Kaspersky Lab experts report that in the first half of 2014 alone, 175,442 new unique Android malicious programs were detected. That is 18.3% (or 32,231 malicious programs) more than in the entire year of 2013.

For these and other reasons, it is safe to say that that vast majority of mobile cyber-threats are targeting Android.

Figure 2. The distribution of Kaspersky Lab products' malware detections in 2013 between different mobile environments

It is easy to understand why cybercriminals create so many malicious programs targeting Android devices: these days, smartphones are increasingly often used as a tool to pay online for merchandise and services.

Apps can be installed through Google Play as well as third parties such as Amazon App store. Third party apps pose a security threat to users who enable the installation of apps from unverified sources. These unverified packages may carry malware that would be installed on a device without the user's permission or knowledge.

Another danger is the possibility of an attacker gaining access to personal data such as the user's cloud storage accounts and associated email identifiers. This information can be used to access personal content that is stored in cloud base storage without the user's knowledge or permission.

Smartphones can also be regarded as a kind of mobile sensor, since they routinely collect a multitude of personal information about their owners. In other words,  mobile devices users are a very valuable target for cybercriminals.

Figure 3. The scheme of actors involved in cybercrime. Source: INTERPOL

Information is the new currency and this has led to a drastic change in the structure of organized criminal groups, which now support a larger group of actors. The bottom to top approach leaves us with three basic categories (1) The Infectors, (2) The Analysts, and (3) The Investors. The Infectors' role is to mass-propagate and exploit devices as well as pick up data from the devices with very little discrimination about the type of data collected - the more the better. The Analysts' job revolves around studying and processing the data that was collected,  monetizing it by offering it on underground markets, blackmailing individuals or using the information to invest into markets that would eventually allow the criminals to profit from illegally obtained information or insider trading. The  Investors are responsible for funding and providing financial support to the pyramid –obviously they then receive the majority of the profits made over time.

This model has overtaken the lone hacker scenario, which is now merely a media misconception. When it comes to mobile devices, it has been underlined that they can be a greater source of personal or business information than desktop computers. That, coupled with the fact that these devices are often less secure, has caused Infectors to refocus their efforts onto the mobile device sector.

Of course these and other factors have an effect on how often smartphone and tablet users encounter dangerous software while accessing the Internet from their mobile devices.

How much risk is there in being an active Android user, and how can users reduce that risk? Details on this are provided in this report.

Methodology

This study focused on the 12 -period of 1 August 2013 through 31 July 2014. This study period was chosen based on Kaspersky Lab data. Kaspersky Lab began to collect statistics on attacks against Android users in May 2012. During the more than two years that followed, it was the above mentioned time frame that showed that the number of Android threats, the number of attacks and the number of attacked users grew particularly sharply.

Figure 4. Detections by Kaspersky Lab's security products of cyber-attacks on Android devices throughout the entire history of observations. All data sourced from Kaspersky Security Network, unless stated otherwise

Naturally, this dramatic increase partly comes from the increasing numbers of users who purchased Kaspersky Lab's mobile security products. However, this is not the sole, nor even the main factor, behind this growth.

Apart from changes in the numbers of launched attacks and attacked users, this study will also focus on the geographic distribution of attacks and users. Additionally, a list of the most widespread malicious programs for Android will be analyzed.

Data used in this research was sourced from the cloud-based Kaspersky Security Network (KSN), which includes more than 5,000,000 users of Android-based smartphones and tablets protected by Kaspersky Lab products. This research analyzes threat data collected from these devices.

The Main Findings
  • Over a 12 month period, Kaspersky Lab security products reported 3,408,112 malware detections on the devices of 1,023,202 users.
  • Over the 10 month period from August 2013 through March 2014, the number of attacks per month was up nearly tenfold, from 69,000 in August 2013 to 644,000 in March 2014.
  • The number of users attacked also increased rapidly, from 35,000 in August 2013 to 242,000 in March.
  • 59.06% of malware detections related to programs capable of stealing users' money
  • About 500,000 users have encountered mobile malware designed to steal money at least once.
  • Russia, India, Kazakhstan, Vietnam, Ukraine and Germany are the countries with the largest numbers of attacks reported.
  • Trojans designed to send SMSs were the most widespread malicious programs in the reporting period. They accounted for 57.08% of all detections.
  • The number of modifications for mobile banking Trojans increased 14 times over 12 months, from a few hundred to more than 5000.
Part 1: General trends in the evolution of mobile threats

There are those who believe that Android is a secure platform. When confronted with the fact that new Android malware emerges every day, these people often say that those malicious programs are in fact very rare and pose only a limited threat to the owners of Android devices. For a long time, these views have been justified. If we look at the historical course of the number of existing Android threats (see Figure 4), we will indeed see that before the summer of 2013 the numbers of attacks and attacked users were well below 100,000 a month. That looked very modest as compared to PC attack numbers.

However, this situation changed dramatically during the period analyzed in this paper. In the 12 months from August 2013 through July 2014, over 1,020,000 Android users across the globe encountered more than 3,400,000 attacks. That was six times more than the number of attacks in the whole of the previous 1.5 years when records were kept.

Over the reporting period, the number of attacks showed a dramatic growth, increasing nearly 10 times from 69,000 in August 2013 to 644,000 in March 2014. Then there was a sudden fall in activity, down to 216,000 incidents in June.

Figure 5. Number of Kaspersky Lab Android product detections of malware targeting Android devices. August 2013 through July 2014

At the end of the Holiday season, there was no decrease in the activity, despite expectations. Instead, there was a further dramatic spike. The decline only began in April.

The geographic distribution of attacks and attacked users

More than half (52%) of attacks during the study period were reported in Russia. This is primarily due to the fact that Russian residents form a particularly large proportion of the users who agreed to have their statistics sent to Kaspersky Security Network.

Figure 6. Top 15 countries with highest numbers of users attacked between April 2013 and July 2014

Another contributing factor is the wide popularity of various mobile payment services in Russia. These allow users to pay for goods or services by sending premium SMSs. This encourages cybercriminals to create and distribute Android malware exploiting these services.

However, it may be misleading to think that the malware industry is well-developed in Russia and comparatively calm in the rest of the world. Russian-speaking cybercriminals are definitely interested in foreign markets. Two banking Trojans, Faketoken and Svpeng, are vivid examples of such attempts at globalization. These two were created to launch attacks on the clients of foreign banks, and only a few versions target Russian users.

Part 2: The 'Star' Performers

As predicted, the number of attacks increased over time, more malware modifications were detected.

Figure 7. Number of modifications of Android malicious applications, as detected by Kaspersky Lab in August 2013 – July 2014

This number rose by a factor of nearly 3.4 over the year, from 120,500 malware modifications in August 2013 to 410,800 in July 2014.

For the study period the top 10 most widespread malware are mostly malicious programs from the Trojan-SMS type – these accounted for 57.08% of all attacks. Following that, RiskTool programs, accounting for 12.52% detections. These are nominally legitimate programs that can also be used for malicious purposes, such as sending SMS with a visual notification of the user, transmitting geo-data etc. Aggressive advertising software (adware) came in third (7.37%.)

Figure 8. Distribution of attacks by malware types: Top 10 most active malware types. August 2013 – July 2014

These overall statistics are affected by the large number of Russian users and the popularity of SMS payments in Russia. To eliminate any possible "Russian" bias, we also looked at the cyber-threat landscape described without data collected from users in Russia.

Figure 9. Distribution of attacks by malware types, excluding data from Russian users. August 2013 – July 2014

As can be seen in the diagram, the numbers have changed. However, the overall situation remains broadly similar: Trojan SMS is still the most widespread type of malware. Below is a graph showing the Top 10 countries with the largest numbers of reported attacks involving Trojan SMS malware:

Figure 10. Top 10 countries with the largest numbers of reported attacks involving Trojan-SMS malware. August 2013 – July 2014

Attacks involving Trojan-SMS malware are most frequent in Russia. Residents of Kazakhstan, Ukraine, the UK, Spain, Vietnam, Malaysia, Germany, India, France and other countries also encounter attacks involving this type of malware.

Malware created with the sole aim of stealing money from victims (i.e. Trojan-SMS and Trojan-Banker malware types) accounted for 59.06% of attacks and was reported on the devices of 49.28% of users during the study period. In absolute numbers that represents half a million users who agreed to have their statistics on detected threats sent to KSN.

It is hardly surprising that cybercriminals actively use financial Trojans. As reported in a B2B International report , 53% of polled smartphone and tablet users say they use the devices to pay online. In other words, theoretically cybercriminals can potentially make money on every second user of a mobile device. Statistics show that approximately every second user is indeed attacked by cybercriminals.

Legitimate surveillance

Approximately 2.72% of all detections, or 92,600 detections, involved "Monitor" class programs. In Kaspersky Lab's classification, this stands for conditionally legitimate applications designed to conduct surveillance over smartphone users. These applications can track the user's location, read his/her messages, and access other personal information. The manufacturers of such software advertise it as a useful tool to help look after children and the elderly, but Kaspersky Lab classifies it as insecure. A total of 41,400 users encountered such applications in the 12-month period. On average, each of these users encountered such programs twice.

Interestingly, the geographical distribution of these programs is noticeably different from the overall global distribution of malware detections.

Figure 11. The geographical distribution of detected "legitimate" spyware in the "Monitor" class. August 2013 – July 2014

India is in first position with 19.73% of all detections. Russia is in second place with 14.72% of all detections (even though it is the leader of the general threat ranking). Users in the USA also quite often encounter these applications (7.59% detections); followed by the UK (6.8%) and Germany (4.56%). Kaspersky Lab experts have no reason to assume all these detection cases are attempts to secretly install these programs on a device protected by a Kaspersky Lab product. However, this scenario is possible, so Kaspersky Lab security products detect Monitor-class programs as potentially dangerous.

Part 3: Trojan-SMS and the 'Legitimate' Business of Affiliate Programs

During the reporting period, 452 different modifications of 62 different Trojans capable of using SMS messaging were detected.

Figure 12: Distribution of attacks involving the most widespread SMS Trojans during the period from August 2013 to July 2014

Malware from the Agent family had the largest proportion of detection (28.57%), followed by FakeInst (22.4%) in second place and Stealer (21.59%) in third.

According to Kaspersky Lab experts, affiliate programs are one of the most common ways of delivering malicious code.

A typical setup for a malicious affiliate program is as follows: a group of cybercriminals creates an affiliate website and invite Internet users to become their accomplices and make money by distributing a malicious program. A unique modification of the malware and a landing page from which it will be downloaded to victims' devices is created for each user who agrees to take part. After that, participants of the affiliate program buy Internet traffic from third parties or bring in users by redirecting requests from compromised websites, displaying banners on popular Web resources or creating their own sites and promoting them using search-engine optimization. The objective is to have as many Android users as possible visit the page hosting the malicious application. After each successful installation, the newly-infected device starts sending SMS messages to premium numbers, making money for the cybercriminals. Part of that money is paid to the affiliate partners. Criminal groups that sell Web traffic usually resort to various social engineering techniques, attracting users with pornography, free games, etc..

According to Kaspersky Lab experts, about 38% of users who end up on these landing pages will download malicious apps from them. About 5% of users go on to install these applications. Cybercriminals can earn millions of dollars in net profits from this activity.

During the study period, Kaspersky Lab experts observed at least four large active affiliate programs, accounting for about one quarter of all attacks recorded over that time. All of these affiliate programs were primarily active in Russia and countries of the former Soviet Union, but each program used a different family of SMS Trojans.

Figure 13: Activity of four affiliate programs distributing Android malware from August 2013 to July 2014

In the beginning of the period under consideration, there were three 'leaders' in this market: Fakeinst.am, Opfake.bo and Opfake.a, of which Opfake.bo was the most active and successful. However, the situation changed radically in October 2013 with the appearance of a new player – Stealer.a. It was different from competing malware in that it had more extensive functionality and spread very actively. By November 2013 it was the most frequently detected affiliate program and remained at the top throughout the rest of the research period.

2014: bad news for malicious affiliate programs

The abovementioned attacks conducted using SMS Trojans were different from typical malicious campaigns targeting PCs in one important respect. Legitimate legal entities, mostly registered in Russia, were involved in distributing Android Trojans and profited from the consequences of infecting smartphones. The business model of affiliate programs that distribute applications and premium content is not illegal, but there is indirect evidence that the companies behind some of the affiliate programs described above worked with cybercriminals as well as those who distribute legitimate content and apps.

This situation continued for a long time, because neither the heavy penalties issued by mobile-phone operators for mounting fraud campaigns nor criminal liability for distributing malware managed to stop cybercriminals or the organizations that worked with them. However, everything changed in early 2014: shortly before changes in legislation aiming, among other things, to curtail SMS fraud came into effect, mobile-phone operators adopted an Advice of Charge (AoC) mechanism. Every time a customer (or an SMS Trojan) attempts to send a message to a premium number, the operator notifies the customer how much the service will cost and requests additional confirmation from the user.

Early in the year the mechanism was applied to selected types of premium SMS services and as of May 1, 2014 a new law made it obligatory for mobile-phone operators to notify their customers of any attempts to start any mobile subscription. This coincided with a radical fall in the number of attacks involving SMS Trojans.

The major surge in the number of attacks, particularly those involving Stealer.a, could have been an attempt to make as much money as possible before AoC was universally adopted. Kaspersky Lab experts observed that in spring 2014 the three affiliate programs which distributed Fakeinst.am, Opfake.bo and Opfake.a stopped active operation. Kaspersky Lab experts have no reason to believe that the three affiliate programs have run out of steam completely, but they lack their earlier vigor and the reduced number of attacks involving SMS Trojans is a good, albeit indirect, indication of this.

The most active program of the four – the one distributing Stealer.a – has also lost a lot of ground in terms of the number of attacks, but users often still come across versions of this malicious app.

Curiously, although all these affiliate programs were set up and maintained by Russian-speaking cybercriminals and their scams mostly targeted users from Russia and the former Soviet Union, parts of Europe saw fewer attacks involving SMS Trojans in spring, too.

Figure 14: Changes in the number of attacks involving Trojan-SMS in European countries where Kaspersky Lab products detected this type of malware from April to June 2014

The diagram above shows data about attacks involving Trojan-SMS in the European countries in the Top 10 for attacks using Trojan-SMS. The diagram shows that four of the five countries which ranked among those attacked most often have seen the number of attacks fall.

Towards the end of the period there was also a slight growth in the number of attacks in Germany by Agent.ao malware, which was distributed by an affiliate program primarily targeting that country. All other affiliate programs which had been active in Europe and Asia were noticeably less active.

Figure 15: Attacks involving Agent family Trojans from August 2013 to July 2014

In other words, the number of attacks was falling almost everywhere in the post-Soviet space, in Europe and in Asia.

This may be due to two reasons. First, cybercriminals wind down their activity during the vacation season, which begins in spring. Additionally, the Russian legislative developments described above may also have contributed to the decline. Kaspersky Lab experts have frequently observed that Russian-speaking developers of Android malware have global ambitions and adapt their malware, including Trojan-SMS, to attack markets where languages other than Russian are spoken. However, the number of detections recorded outside the post-Soviet space has always been significantly smaller than in Russia and its neighbors – in other words, it is unlikely that most distant targets brought much money to the owners of affiliate programs based in Russia. So when the main 'players' in a Russian segment of Android malware wound down their activity, this naturally resulted in the closure of their foreign 'projects'.

Admittedly, Kaspersky Lab experts do not have the solid evidence needed to confirm this theory, though if it is it would be an example of how anti-fraud measures in one country can have a beneficial effect – albeit a small one – elsewhere in the world.

Mobile banking Trojans: dangerous trends

A total of 67,500 attacks involving Trojan-Banker malware against 37.7 thousand users were recorded in the analysis period. Trojan-Banker is a type of malware designed to steal online banking credentials. The total number of banking Trojans targeting mobile devices grew from 423 in August of 2013 to 5,967 in July 2014. That is a more than 14-fold increase!

Figure 16: Changes in the number of attacks and users attacked by Trojan-Banker malware from August 2013 to July 2014

However, even though there were more malware variants, the decline in the use of Trojan-SMS malware also affected Trojan-Bankers. This was primarily because one of the banking Trojans was distributed using the same affiliate networks as Trojan-SMS malware.

Figure 17: Geographical distribution of users affected by Trojan-Banker on Android from August 2013 to July 2014

The overall downward trend was sparked by the Faketoken Trojan-Banker, which could steal one-time passwords sent to confirm bank transactions and operated in conjunction with 'desktop' banking Trojans.

Figure 18: Attacks involving Faketoken, compared to all attacks involving mobile banking Trojans from August 2013 to July 2014

As the diagram above shows, from August to March Faketoken was virtually the only widespread mobile banking Trojan. However Faketoken was distributed by one of the affiliate networks that wound down in April 2014 and from that time it too began to dwindle. Subsequently the overall number of mobile banker detections remained at a higher level than Faketoken and showed a small increase in overall attack numbers.

This rising trend was led by two other programs targeting online banking users – Svpeng and Marcher.

Figure 19: Changes in the number of attacks involving Marcher and Svpeng banking Trojans from March to July 2014

As the diagram shows, the number of attacks involving Svpeng fell from late May to late June; however, in June Kaspersky Lab experts discovered a new Svpeng variant. Previously it was a mostly 'Russian-speaking' and exclusively 'banking' Trojan, but in its new variant Svpeng acquired ransomware Trojan functionality. It displayed messages saying the phone was blocked and demanding several hundred dollars to unblock it. Analysis of the content used by the malware has demonstrated that US users were its main targets.

As for Marcher, at first glance it seems to be just one more 'Russian' banking Trojan – 98.84% of users affected by it live in Russia. However, when Kaspersky Lab experts analyzed the Trojan's code they found that the objectives pursued by the Trojan are not quite so obvious.

After infecting a device, the malware tracks the launch of just two apps. If the user starts Google Play, Marcher displays a false window requesting credit card data.

Initially, Marcher was only able to attack Google Play users, but in March 2014 Kaspersky Lab experts discovered a variant that targeted the mobile client of a large German bank's online banking system. If the user launches the bank's mobile banking client, another fake window displays fields for user credentials for the online banking system.

Although so far users of Kaspersky Lab mobile products in Germany have not encountered this threat, this situation may change in the future. Kaspersky Lab experts will track the evolution of this and other dangerous Android threats.

Other Threats: Bitcoin Miners and Ransomware Bitcoin Mining Malware on Mobile – notable mention

In April 2014, Google Play removed a new category of malware applications that were directly aiming at mining crypto-currencies. "BadLepricon" malware, one of the first to be detected was masquerading as a fully operational live wallpaper application. Infected mobile devices were overheating once the hidden process of crypto-mining currencies was triggered. Even though the processing power of a single mobile device was quite minimal and not really an effective miner, it is estimated that a massive infection of devices could contribute to big profits for the actors managing the malware.

There have been further reports and detections from the Anti-Virus community, some of which indicated that similar malware applications were released on the Google Play market and had over one million downloads, raising serious questions on the profitability of that model. Even though the malware does not target personal information, this type of malware still falls in the category of unauthorized access to a personal device, which makes it illegal to use an individual's machine without the owner's prior consent. It is expected that further variants of crypto-mining malware will emerge in the coming months, possibly focusing on mining altcoins or the family of clonecoins, which are easier to mine than bitcoins at this stage.

Crypto-ransomware finds its way to Android

Crypto-ransomware refers to a class of malware that infects a machine then encrypts targeted files with specific extensions and demands payment before providing the key to decrypt the files. Crypto-ransomware found its way to Android OS in 2014 after gaining a reputation as a growing problem for Internet security companies and law enforcement in general.

Simplelocker A, a piece of crypto-ransomware tailored for Android, was the focus of research by INTERPOL. This variant uses AES-256 to encrypt the data within specific file extensions hosted on the SD card of a mobile device, making it impossible to access the files. More interestingly, the malware itself communicates with its C&C servers by routing to an onion on the Tor Network for further anonymity. Simplelocker.A has been mainly targeting Russian speaking countries. However, security experts believe that it is only a proof of concept with a far more developed, mature and complicated version expected to surface soon in Google Play.

Conclusions and Recommendations

The data analyzed in this study shows that mobile cybercrime is an extremely widespread phenomenon across the globe. It's important to remember that the study only reflects data on users protected against mobile malware and can only give a general idea of the extent to which different threats are widespread and dangerous.

One thing that is certain is that the number of threats is growing and the damage that can be caused by them, potentially, runs to millions of dollars.

Another conclusion is that the cybercriminals involved in distributing malware which targets mobile device users commit their crimes outside the borders of the countries where they live.

It is obvious that the problem needs to be addressed by IT security experts and law enforcement agencies in the countries where the perpetrators presumably reside, not only in those countries where their crimes are perpetrated. Security solutions can simply block the threats on user devices, but the criminals will simply find other victims who are not so well protected. The only thing that can stop them is the involvement of law enforcement organizations.

To avoid falling victim to cybercriminals involved in distributing mobile malware, Kaspersky Lab and INTERPOL experts recommend the following security measures:

For individual users:
  • Protect your Android devices with secure passwords to prevent attackers from accessing personal data by stealing your device and brute-forcing the password.
  • Unblocking the option that enables apps from third-party sources to be installed on the device is not a good idea. As a rule, Google Play, which is the main distribution channel for Android apps, carefully verifies the software it distributes. Even if you need to use a third-party application for some reason, be sure to block this option again after installing the app.
  • Antivirus software developers often create applications designed to test devices for unclosed vulnerabilities. Such applications are regularly updated to include data on newly-discovered vulnerabilities. We recommend using these apps once in a while.
  • Use a security solution on your device and make sure it scans files as they are downloaded and protects the device from other types of Internet attacks. Although Android malware has not so far been as widespread as malicious software targeting PCs, this thought is unlikely to comfort you if you fall victim to mobile malware.
  • When conducting banking transactions, be sure to use two-factor authentication. Ideally, temporary codes used to access your bank account should be sent to a different phone from the one from which you connect to online banking. Using simple devices with no smartphone features for this purpose is recommended, since this minimizes the chances of these devices being infected with a banking Trojan. And, generally, it is a good idea to use two-factor authentication wherever possible.
  • You should use encryption if you have any valuable information (financial, personal or work-related) on your device. Then, even if your device is stolen, the attackers won't be able to access your data.
  • If you believe that you may have fallen victim to or witnessed a cybercrime, do not hesitate to contact law enforcement as soon as possible. In most countries, creating and distributing malware or stealing personal information is a crime that is investigated by dedicated law enforcement agencies.
For corporations:
  • The Bring Your Own Device approach, which allows employees to use their personal devices for work, can expose your company to virtually all 'consumer' IT security risks: sensitive corporate data stored on an employee's personal phone could be a valuable find for cybercriminals. A security solution with Mobile Device Management capabilities, including encryption and remotely wiping data from smartphones, will help you to keep your sensitive business-related information secure.
  • If your employees are not aware of simple IT security rules, this is likely to cause security incidents. This is why, in an environment where nearly all the employees have Internet-enabled devices, training people to handle their mobile devices appropriately will be a worthwhile investment.
  • Be sure to contact law enforcement and expert organizations in the event of an IT security incident. Many companies keep information about incidents secret for fear of reputational losses and do not initiate investigations into cybercriminal activities. However, a cybercriminal who escapes prosecution is free to come back and cause even greater damage in future.
For law enforcement and regulatory agencies
  • There are many highly-qualified experts in digital forensics and malware analysis, whose participation in cybercrime investigations could speed up the process of collecting evidence and searching for suspects and make it more effective.
  • Today, cybercriminals launch attacks against people in other countries without fear, taking advantage of the many jurisdictional issues that beset international multi-jurisdictional investigations. The more effectively cyber police forces of different countries work together, the harder it will be for cybercriminals to avoid liability.
Note on Responsible Distribution of Information

This document presents an analysis of the cyber-threat landscape as it relates to Android-based mobile platforms. It is based on information about instances of Kaspersky Lab security products detecting applications considered insecure or malicious due to their functionality. To avoid possible misinterpretation of the facts presented in this document, Kaspersky Lab would like to highlight a number of issues related to the way this report was prepared.

1. Terminology

The report uses several terms describing how a security product interacts with malicious software. The term "Attack" is among those used most frequently. In Kaspersky Lab's terminology, an attack is an instance of a security product detecting any software considered malicious on the protected device, regardless of whether an attempt to execute malicious code was detected. The term "User" denotes exclusively the owner of the device protected by Kaspersky Lab's product.

2. Dataset and its geographical distribution

All calculations and conclusions made in this study rely on data from Kaspersky Lab's mobile customer community, which exceeds 5 million users in over 200 countries and territories. It should be emphasized that the number of Kaspersky Lab's product users varies from country to country, so the results of this study may not fully reflect the situation existing in some countries. However, many years' experience of monitoring the statistics collected by Kaspersky Security Network (KSN) shows that in most cases KSN data is about 95% accurate concerning the prevalence of specific cyber-threats or cyber-threat classes, and concerning on the percentage distribution of consumers using devices running different operating systems. It also correlates very well with data received from other sources, namely from companies which specialize in collecting and analyzing statistical data.

Responsible distribution of information

This study can be freely shared or distributed. Kaspersky Lab requests that those who find the information presented in this document interesting and useful make allowances for the abovementioned issues related to the ways in which KSN statistics are collected when preparing public materials in which this information is to be used.

Virus Bulletin 2014: new times, same challenges

Fri, 10/03/2014 - 09:11

During the last week of September the antimalware industry got together in one of the oldest and most legendary information security conferences in the world, the 24th Virus Bulletin International Conference (VB2014), held in the beautiful Seattle, USA. Kaspersky Lab was there to present and share a wide range of ongoing research topics with the security community.

In the first day of the conference we were shown over and over how the Linux operating it's not so malware free any more. Dismantling the myth, we had several talks on the topic, amongst them "Ebury and CDorked. Full disclosure" and "Linux-based Apache malware infections: biting the hand that serves us all" brought attention to non-traditional malware, and how the Apache web server is caught in the middle of this *nix world, becoming an efficient platform for attacking and infecting unsuspecting clients.

My colleague Santiago Pontiroli presented about the current "bitcoin bonanza" and how cybercrime is quickly targeting cryptocurrencies and their users. While sharing some of the most interesting malware samples that target bitcoin and other alternative currencies, the audience got an overview of the benefits that digital currencies offer to Latin American countries and the reasons behind criminals' activity.

The icing on the first day's cake was the presentation shared by Patrick Wardle who covered "Methods of malware persistence on Mac OS X", again showing us that not everything in the malware ecosystem is about Microsoft.

With so many good talks to attend in the second day, sometimes making the right decision was rather difficult. A very interesting presentation by Jérôme Segura, regarding Technical Support Scams, demonstrated in detail how to build a honeypot to catch these scammers while emphasizing the importance of user awareness and education.

I presented a one year research about the attacks against "boletos", an old and very popular payment system from Brazil based in printed documents and a barcode, showing how local bad guys have adapted their trojans to change them, redirecting payments to their accounts, and stealing millions of dollars in the process.

It was the turn for my colleague David Jacoby to present an extremely funny (yet informative) presentation on how he hacked his own home, exploiting different vulnerabilities on networked devices such as Smart TVs, printers, NAS, etc. Interactively demonstrating how exposing these devices to attacks would mean compromising an entire home network, all the presentation was displayed with funny GIFs and (interestingly enough) the slides were hand crafted with MS Paint.

Security Researchers from Microsoft gave us a run down on .NET malware analysis with their last minute paper ".NET malware dynamic instrumentation for automated and manual analysis". As malware developers are increasingly relying on high level programming languages for their malicious creations, tools like the one presented in this talk will become essential for malware analysts looking to become proficient in .NET malicious applications study.

And the last Kaspersky presentation was from Vicente Diaz on "OPSEC for security researchers". Working as a security researcher nowadays is not an easy task, especially now that we no longer deal only with technical aspects. The global picture of the security landscape these days features new actors including governments, big companies, criminal gangs and intelligence services. That puts researchers in some tricky situations.

The closing panel was funny and informative, with David Jacoby bringing awareness to the community on how disclosure of important vulnerabilities (like Heartbleed, and now the infamous Shellshock) should be handled, and what roles do vendors play in this scenario. After the keynote address by Katie Moussouris of HackerOne on "Bounties and standards and vuln disclosure, oh my!", the final panel left us with a cohesive feeling for the conference, bringing into the spotlight what the industry as a whole should be facing in terms of vulnerabilities disclosure and the same challenges we had to protect connected devices, the Internet of Things, crypto currencies and payment systems.

Times change but the same challenges remain, one thing is clear, we are still here to protect the user and fight against cybercrime.

OPSec for security researchers

Fri, 10/03/2014 - 07:00

Being a security researcher nowadays is no easy task, especially as we are no longer dealing with purely technical matters. Today's global security landscape includes several new actors including governments, big companies, criminal gangs and intelligence services. This puts researchers in a difficult situation.

According to one of many definitions of OPSec:

"Operational security identifies critical information to determine if friendly actions can be observed by adversaryintelligence systems"

We are hearing reports of researchers facing threats from criminal gangs, or being approached by state intelligence services. Others have found themselves under surveillance or had their devices compromised when on the road.

How can we minimize these risks? What can we do to avoid leaking information that could put us in an uncomfortable situation in the future?

Sometimes we are the public faces of a research project, but at other times we don't want to be in a visible position.

The golden rule in Operational Security is using silence as a defensive discipline. If you don't really need to say something, then keep quiet. When you need to communicate with someone, do it in a secure way that doesn't compromise the content of your message and, if possible, doesn't generate metadata around it.

This is an incredibly difficult objective to accomplish: it's a natural instinct to want to impress others and on many occasions we will face adversaries who are well trained in obtaining the information that they want. We all like to tell interesting stories.

The second golden rule is that OPSec does not work retrospectively, so we should very careful about what we are doing now if we don't want it to come back and bite us in the future.

In terms of OPSec, every security analyst should aspire to being just another guy in the line. If we attract too much attention to ourselves, surveillance could easily escalate beyond electronic means – and that is basically game over. In today's world of massive surveillance, standing out will alert the attention of anyone who can access the relevant data. And in today's world of information leakage and "big internet companies", it´s difficult to know exactly who has access to which data:

(example of data leaked from an aggregator and published as a service)

There are some interesting examples of how anomalies have been detected from metadata and then successfully used in investigations (http://en.wikipedia.org/wiki/Abu_Omar_case). And then there is the routine application of this in mass surveillance and data mining.

So what can we do?

The first rule of implementing OPSec is don´t try to accomplish more than you can. The fact is bad OPSec might be worse than no OPSec at all.

The main feature needed for effective OPSEC is not technical, but psychological: be meticulous, and maintain a healthy level of paranoia.

However electronic surveillance is obviously much more common and every bit of information will be there forever. Let´s look at our minimum toolset to avoid leaking information and thin about some basic tips.

Encryption

Obviously we should use as much encryption as possible. But remember that there is an inherent weakness. Once your keys are compromised, all the info that was encrypted in the past is compromised with them. As time passes, the likelihood of your keys being compromised will grow. So it's much better to use IM with OTP.

Today's big question: what is happening with TrueCrypt, the most popular encryption software?

According to the Audit project, there is no obvious flaw or backdoor. However a couple of months ago we saw this:

There are still many open questions, but you can find a trusted TrueCrypt repository at: https://github.com/AuditProject/truecrypt-verified-mirror

Email

Email simply leaves too much metadata, even when the message is encrypted with PGP (by the way, use keys bigger than 2048). IM with OTP is better.

External providers cannot be trusted.

IM

Pidgin and Adium seem to be ok. But remember not to log your chats and don't overlook the non-technical factor: you don´t know who is on the other side of the conversation (even when you have verified the key).

TOR

I'd definitely recommend using an anonymizing network to shake off most of the groups that could track you. However it cannot be considered truly "secure" in the sense that most of output nodes are controlled by people that can correlate their logs with the source of the connection. We saw an example of this in the Harvard bomb:

http://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor

Also TOR has been the target of many attack attempts, like this recent one:

So don´t blindly trust TOR for anything very sensitive, but use it for your daily activities. Never reveal your true IP.

Telephone

A total nightmare in terms of OPSec. The simple recommendation is to get rid of it! But this won't happen.

At least don´t do anything sensitive with it, instead use burner phones, and don´t use them at  home or work.

Conclusions

Perfect OPSec is almost impossible. However implementing basic OPSec practices should become second nature for every researcher. Once you internalize the need to apply OPSec you will be more careful and hopefully, avoid rookie mistakes like talking too much and bragging about your research.

The most important things, beyond any tool, are being meticulous, applying the right level of OPSec according to your situation and understanding what you can actually hope to achieve.

This is just a brief introduction to a complex topic, but we hope it could be a useful eye-opener, especially for our fellow security researchers.

Breaches in corporate network protection: access control

Tue, 09/30/2014 - 09:43

In almost any company the IT security department faces two priority tasks: ensuring that critical systems operate continuously and reducing the risk of attacks on the corporate network. One of the most effective approaches to both these problems is to restrict the privileges of system users.

In terms of IT security, critical systems have two basic properties - integrity and availability - that affect their operational continuity. To protect a corporate network from attacks it is necessary to reduce the attack surface by reducing the number of devices and network services available from outside the corporate network and by protecting the systems and services that require such access (web services, gateways, routers, workstations, etc.). The main vector of attack on a corporate network is the user computers connected to the Internet on that network.

Theoretically, to protect critical systems from unauthorized changes and reduce the possibility of attacks on the corporate network, you should:

  • specify those objects (equipment, systems, business applications, valuable documents, etc.) on the corporate network  that require protection;
  • describe the company's business processes and use those to help determine the levels of access to the protected objects;
  • ensure that each subject (a user or a corporate application) has a unique account;
  • limit subjects' access to objects, i.e. to restrict the rights of the subjects within the business processes;
  • ensure that all operations between the subjects and the objects are logged and the logs are stored in a safe place.

In practice, it works more like this:

  • All corporate documents are stored centrally in shared folders on one of the servers of the company (for example, on the Document Controller server)
  • access to critical systems is denied to everybody but administrators - any administrator - can log into the system remotely to quickly repair any failure
  • Sometimes administrators use a "shared" account
  • All employees have limited privileges as a 'standard user' but on request anyone can get local administrator rights.

Technically, it is much easier to protect critical systems than workstations: changes in business processes are rare, regulations vary little and can be drawn up to account for even the smallest details. By contrast the users' work environment is chaotic, their processes change rapidly and the protection requirements change along with them. In addition, many users are suspicious of any restrictions, even when there is no impact on workflow. Therefore, the traditional protection of users is based on the principle 'it is better to miss malicious software than to block something really important'.

Last year, Avecto conducted a study called "2013 Microsoft Vulnerabilities Study: Mitigating Risk by Removing User Privileges" and concluded that "by removing local administrator rights it is possible to reduce the risk of exploitation of 92% of critical vulnerabilities in Microsoft software". The conclusion seems logical but it should be noted that Avecto did not test vulnerabilities; it only analyzed data from the Microsoft Vulnerability Bulletin 2013. Nevertheless, it is clear that malicious software running without administrator rights cannot install a driver, create/modify files in protected directories (% systemdrive%,% windir%,% programfiles%, etc.), change system configurations (including writing to the HKLM registry hive) and most importantly - cannot use privileged API functions.

In reality, though, the lack of administrator rights is not a serious obstacle for either malicious software or a hacker penetrating into the corporate network. Firstly, any system has dozens of vulnerabilities that open up the necessary rights up to kernel level privileges. Secondly, there are threats which only require standard user privileges to be implemented. The diagram below shows possible attack vectors that do not require any administrator rights. Let's have a closer look at them.

Local attacks

With only standard user privileges, the attacker gets full access to the memory of all processes running under the user account. This is enough to integrate malicious code into processes in order to remotely control the system (backdoor), to intercept keystrokes (keylogger), to modify the content in the browser, etc.

Since most antivirus programs can control attempts to implement unknown code in the processes, attackers often use more secretive methods. Thus, an alternative method applied to implement a backdoor or a keylogger in the browser process is to use plugins and extensions. Standard user privileges are enough to download a plugin, and that code can do almost everything a fully-featured Trojan is capable of. That includes remotely controlling the web browser, logging data entries in browser traffic, interacting with web services and modifying page content (phishing).

Fraudsters are also interested in standard office applications (such as email and IM-clients) which can be used to attack other network users (including phishing and social engineering). Scammers can access programs like Outlook, The Bat, Lync, Skype, etc. via API and local services of such applications as well as by injecting code into the relevant processes.

Of course it's not just applications that are of value to fraudsters; the data stored on the PC is also a potential goldmine. In addition to corporate documents, attackers often look for different application files containing passwords, encrypted data, digital keys (SSH, PGP), etc. If the user's computer has the source code, attackers could try to implement their code into it.

Domain attacks

Since the accounts of most corporate users are domain accounts, the domain authentication mechanisms (Windows Authentication) provide the user with access to various network services on a corporate network. This access is often provided automatically without any additional verification of the username and password. As a result, if the infected user has access to the corporate database, attackers can easily take advantage of it.

Domain authorization also allows attackers to access all network folders and disks available to the user, share internal resources via the intranet and sometimes evenaccess other workstations on the same network segment.

In addition to network folders and databases, the corporate network often includes various network services such as remote access, FTP, SSH, TFS, GIT, SVN, etc. Even if dedicated non-domain accounts are used to access these services, attackers can easily utilize them while the user is working on his computer (i.e. during an active session).

Protection

It is almost impossible to provide high level of protection for workstations by denying users administrative rights. Installing antivirus software on a workstation will increase its security but won't solve all problems. To achieve high security levels, Application Control technology should consist of three key elements:

  1. Default Deny, which only allows the installation and running of software that has been approved by the administrator. In this case, the administrator does not have to put each individual application (hash) on the list of trusted software. There is a wide variety of generic tools available to enable dynamic whitelisting of all software signed by an approved certificate, created by an approved developer, obtained from a trusted source or contained in the Whitelisting database of a security software provider.
  2. Application Control that can restrict the work of trusted applications according to their functions. For example, for normal operation the browser should be able to create network connections but it does not need to read/write other processes in the memory, connect to online databases or store files on the network.
  3. Update management that ensures all software on workstations is updated promptly, reducing the risk of infection via update mechanisms.

In addition, specific products which feature Application Control can provide a range of useful functions based on this technology: inventory, control over software installed on the network, event logs (which will be useful in the case of incident investigation), etc.

On the one hand, the combination of technologies can provide users with everything they need for work and even for entertainment and is flexible enough to deal with changing requirements. On the other hand, the chances of an attacker gaining access to the protected system are extremely limited. No doubt, this is the best balance between flexibility and security in protecting a corporate network.

Pages