Malware Alerts

Subscribe to Malware Alerts feed
Online headquarters of Kaspersky Lab security experts.
Updated: 46 min 50 sec ago

Sinkholing Volatile Cedar DGA Infrastructure

Tue, 03/31/2015 - 16:35

There is currently some buzz about the Volatile Cedar APT activity in the middle east, a group that deploys not only custom built RATs, but usb propagation components, as reported by Check Point [pdf].

One interesting feature of the backdoors used by this group is their ability to first connect to a set of static updater command and control (c2) servers, which then redirect to other c2. When they cannot connect to their hardcoded static c2, they fall back to a DGA algorithm, and cycle through other domains to connect with.

Statistics:

This particular actor's true impact seemed interesting, so we sinkholed some of their dynamically generated command and control infrastructure. These victim statistics present a somewhat surprising profile. Almost all of these victims are geolocated in Lebanon.

Victims checking in to DGA c2

Clearly, the bulk of the victims we observe are all communicating from ip ranges maintained by ISPs in Lebanon. And most of the other checkins appear to be research related. Almost all of the backdoors communicating with sinkholed domains are the main "explosion" backdoor. But, some of the victim systems in Lebanon communicating with our sinkhole are running the very rare "micro" backdoor written up in the paper: "Micro is a rare Explosive version. It can best be described as a completely different version of the Trojan, with similarities to the rest of Explosive "family" (such as configuration and code base). We believe that Micro is actually an old ancestor of Explosive, from which all other versions were developed. As in other versions, this version is also dependent on a self-developed DLL named "wnhelp.dll." They check in to edortntexplore.info with the URI "/micro/data/index.php?micro=4" over port 443.

While Volatile Cedar certainly does not have a high level of technological prowess, it appears that they have been effective at spreading their malware, much like the Madi APT we reported on mid-2012. Because the group is not known for spearphishing, IT administrators should be aware of their own publicly exposed attack surface like web applications, ftp servers, ssh servers, etc, and ensure they are not vulnerable to SQLi, SSI attacks, and other server side offensive activity.

Kaspersky Verdicts and MD5s:

Trojan.Win32.Explosion.a
981234d969a4c5e6edea50df009efedd

Trojan.Win32.Explosion.b
7031426fb851e93965a72902842b7c2c

Trojan.Win32.Explosion.c
6f11a67803e1299a22c77c8e24072b82

Trojan.Win32.Explosion.d
eb7042ad32f41c0e577b5b504c7558ea

Trojan.Win32.Explosion.e
61b11b9e6baae4f764722a808119ed0c

Trojan.Win32.Explosion.f
c7ac6193245b76cc8cebc2835ee13532
184320a057e455555e3be22e67663722

Trojan.Win32.Explosion.g
5d437eb2a22ec8f37139788f2087d45d

Trojan.Win32.Explosion.i
7dbc46559efafe8ec8446b836129598c

Trojan.Win32.Explosion.j
c898aed0ab4173cc3ac7d4849d06e7fa

Trojan.Win32.Explosion.k
9a5a99def615966ea05e3067057d6b37

Trojan.Win32.Explosion.l
1dcac3178a1b85d5179ce75eace04d10

Trojan.Win32.Explosion.m
22872f40f5aad3354bbf641fe90f2fd6

Trojan.Win32.Explosion.n
2b9106e8df3aa98c3654a4e0733d83e7

Trojan.Win32.Explosion.o
08c988d6cebdd55f3b123f2d9d5507a6

Trojan.Win32.Explosion.p
1d4b0fc476b7d20f1ef590bcaa78dc5d

Trojan.Win32.Explosion.q
c9a4317f1002fefcc7a250c3d76d4b01

Trojan.Win32.Explosion.r
4f8b989bc424a39649805b5b93318295

Trojan.Win32.Explosion.s
3f35c97e9e87472030b84ae1bc932ffc

Trojan.Win32.Explosion.t
7cd87c4976f1b34a0b060a23faddbd19

Trojan.Win32.Explosion.u
ea53e618432ca0c823fafc06dc60b726

Trojan.Win32.Explosion.v
034e4c62965f8d5dd5d5a2ce34a53ba9

Trojan.Win32.Explosion.w
5ca3ac2949022e5c77335f7e228db1d8

Trojan.Win32.Explosion.x
ab3d0c748ced69557f78b7071879e50a

Trojan.Win32.Explosion.y
5b505d0286378efcca4df38ed4a26c90

Trojan.Win32.Explosion.z
e6f874b7629b11a2f5ed3cc2c123f8b6

Trojan.Win32.Explosion.aa
306d243745ba53d09353b3b722d471b8

Trojan.Win32.Explosion.ab
740c47c663f5205365ae9fb08adfb127

Trojan.Win32.Explosion.ac
c19e91a91a2fa55e869c42a70da9a506

Trojan.Win32.Explosion.ad
edaca6fb1896a120237b2ce13f6bc3e6

Trojan.Win32.Explosion.ae
d2074d6273f41c34e8ba370aa9af46ad

Trojan.Win32.Explosion.af
66e2adf710261e925db588b5fac98ad8
29eca6286a01c0b684f7d5f0bfe0c0e6
2783cee3aac144175fef308fc768ea63
f58f03121eed899290ed70f4d19af307

Trojan.Win32.Agent.adsct
826b772c81f41505f96fc18e666b1acd

Trojan-Dropper.Win32.Dycler.vhp
44b5a3af895f31e22f6bc4eb66bd3eb7

??
96b1221ba725f1aaeaaa63f63cf04092

IoT Research – Smartbands

Tue, 03/31/2015 - 07:00
Summary

Nowadays technology helps the development of hardware and software tools to record and analyze different aspects of our lives. This opens up new ways of staying aware of lifestyle and aiming to improve our health and fitness. One of the big trends in this sphere are fitness trackers such as smartbands, which, in the most popular current format, are bundles consisting of a hardware device we carry on our wrist and a mobile phone application to control the device and gain insights into the recorded data. We're entrusting these gadgets with very personal and sensitive data about ourselves and letting them into dive into our very inmost self. This poses big questions for us as a security company:

  • What kind of data is being collected
  • What are the risks and where are they?
  • What other parties might be interested in getting hold of this information, what's the potential result?
  • How can users help to protect their data?

Tracking devices and their corresponding mobile applications from three leading vendors were inspected in this report to shed some light on the current state of security and privacy of wearable fitness trackers.

What is it all about? The quantified self, smartbands and what people want to achieve

We regularly measure aspects of our daily lives because we feel we have to, because it is human nature to want to stay safe. We typically set our goals for certain points in time and regularly check how well or badly we're performing.

Things we often measure:

  • Business: financial goals, project plans, salary
  • Health: weight, height, eyesight, body mass index
  • Sports: heartbeat, distance covered and altitude gain while cycling or running, average speed

But a movement known as 'quantified self' wants more. It wants to go beyond and off the beaten tracks. This movement has been around for years and people are getting together all over the world to exchange information, discuss their experiences and form a culture of self-tracking. They are searching for a healthier, more fulfilling life by measuring things in their daily routines that have been overlooked by traditional measuring schemes.

The healthy living angle of this is attracting a lot of attention these days. Most people work in offices and they only get exercise as they commute, go shopping or walk to the coffee machine. More and more people work from home and use online store to get the things they need delivered to them, so there is far less need to actually leave the house. At the same time people are more aware of their bodies than – both in terms of health and an attractive appearance.

There are several ways of measuring how healthy, fit and active we are. Heart beat monitors help us control our exercise and get hard facts about our condition. Speedometers help cyclists measuring the distance covered, what altitude gain they achieved and their average speed. But all these tools are limited. They are taken off after exercising so other everyday activities like walking or working aren't recorded. If we use multiple devices the data remains isolated on each machine and is never correlated.

We entrust fitness trackers with our personal data and invite them into our innermost self

Tweet

This is where smartbands come into play. These devices are meant to be worn on our wrist all day and night to record our level of activity and also the time and quality of sleep. This generation of devices still records single snapshots, but the high frequency of recording sets makes it look like dynamic stream. It's a bit like the difference between photography, which gathers single shots, and filming, which uses a constant stream of shots to create a dynamic image. By acquiring and correlating constant streams of different health related data, we get additional benefits and information about our daily life, some of which we may not have been aware of. This paints a more complete picture of our lifestyle.

Human nature also seeks improvement. Collecting and visualizing our activities in daily life and their effects on our body helps motivate us to set new high scores. With most smartband offerings, users can try to beat their own targets as well as competing with a broader audience of family members, friends, colleagues from work and other individuals from online training groups. These are connected by the eco-system of the vendor's cloud network or by sharing information on social networks.

Smartbands – what they are and how they work

Basic smartbands are wristbands with mostly rubber surfaces to withstand shocks and moisture. The technological heart of the device is either firmly embedded into the body of the smartband or created in the form of a capsule, which can be placed into the band. The latter format allows the user to change the band if it gets damaged or worn out over time.

Bluetooth module: The main interface to upload collected data to a smartphone app and download new instructions, like vibration alarm at a defined time. Vibration motor: Just as on a smartphone, the motor lets the device vibrate to notify users of certain events like low battery or a pre-defined alarm. Motion sensor: Similar to the motion sensors in smartphones, the sensor monitors gyroscopic and accelerating movements. Vendor-defined algorithms then translate the movement into understandable units like steps. Battery: The battery of basic smartbands usually takes 35 – 70 mAH, a very low charge compared to smartphones, which take 2000 – 4000 mAH. Since there are far fewer components and they are usually more energy efficient, smartbands can keep running for one to two weeks, depending on how much data is being collected and how often power-consuming features are used. Power/sync button: Most smartbands can be operated with a single button to power on/off and sync or pair the device with the mobile phone. Power jack: To recharge the device's battery via a USB adapter. Display: Basic smartbands offer a small LED or dot matrix display to show battery charge or essential information like time or the step count. Features

Different smartband offerings have similar features. They are all based on measuring the activity levels, longevity and quality of sleep, information on calorie balance and additional goodies.

Main features:

  • step counter and approximate distance covered
  • calorie consumption
  • sleep recorder (duration and quality)
  • self-defined fitness plan and a comparison with actual activity

More features:

  • Nutrition intake and comparison with calories burnt from activity
  • Friend list with texting functionality and comparison of activities
  • Smart alarm for gentle recovery phase, based on measured stages of sleep
  • Stopwatch
  • Training diagrams
  • Third party extensions, if offered
A closer look at the whole system What data is collected by these devices?

The fitness trackers examined in this paper offer very similar feature sets and there is a consensus among the vendors about the data that is collected by the apps.

Required:

  • Name (or nickname)
  • Birth date (or just birth year)
  • Height
  • Weight
  • Gender
  • E-mail address
  • Password for account

Optional:

  • Country
  • Training plan
  • Weight goal
  • Training goals (steps per day, hours of sleep)
  • Nutrition plan
  • Photo
  • Mood
  • Friends using the same fitness tracker
  • . . .

The apps automatically show the correct localization, taken from the active settings on the mobile phone. Units for weight and height can be adjusted, enabling users to choose between imperial and metric systems, but is initially pre-set according to the mobile phone's localization setting.

Some fitness trackers allow users to control what they share on their friend list, but not with the cloud service.

Collecting and processing the information

The data acquisition and processing is done in a chain comprising the smartband itself, a smartphone (usually Android or iOS based) or computer (running on Windows or OSX), the corresponding application to process the data and the vendor's cloud service to provide deeper insights and store historical data. In order to synchronize the individual components the system uses Bluetooth and the Internet (via 3G/4G, Wi-Fi or wired connection).

The continuous synchronization between the tracking device and mobile phone requires a steady Bluetooth connection. This can have a considerable impact on the battery time of the phone. However the tracker is able to store data without synchronization for anywhere between two and 30 days, depending on the device and the amount of information recorded. Most vendors recommend keeping Bluetooth enabled at all times to ensure the best user experience.

Stage 1: Record data and short term storage

Stage 2: Process and correlate data, send instructions to control smartband

Stage 3: long time storage, web based interface for better viewing and deeper investigation

Smartbands are currently in a state of transition. The popularity of the product is prompting new varieties to come to market, and demand is growing for different formats. The type of smartband we know at present will be known as basic smartbands; future generations will offer additional innate processing power instead of merely collecting data. Some companies already have plans for products like combined smartwatches and activity sensors including heart beat monitors.

The daily traffic for cloud synchronization is around 1 -2 MB per day, depending on the model, level of activity and which features are used. Users without mobile Internet flat rates should consider performing this task via Wi-Fi only.

Possible vectors of compromise

In general, the more devices and data transmissions between them are needed in a system, the greater the possibility of compromising the chain. Most smartband environments use the above-mentioned scheme. Other types of fitness trackers cut out the smartband and record the data on the smartphone itself or don't offer a cloud service. For these types some attack vectors are not applicable.

Synchronization between tracking device and mobile phone

The smartband is meant to be worn day and night; however, their owners may well take them off from time to time. Therefore it could be left unattended for a while and anyone with a compatible device and the appropriate app – which is usually free of charge – could theoretically synch with the device and gain access to the data it records. That data could potentially be delivered to a rogue smartphone whenever it is range.

The information from smartbands and fitness trackers includes highly personal details about an individual. These could be used against the user for:

  • Blackmail
  • Naming and shaming on the Internet

Other than that, thieves might also be interested in the victim's training schedule since it could alert them to times when the flat or home is left empty.

The good news is that each of the smartbands we reviewed features some kind of integrated protection against this risk. The apps signed out from the phone and notified the owner that the smartband had been disconnected. The only information available to a rogue user was the data collected that day, or since the last synchronization. However, since only a small fraction of today's smartband offerings were tested, this attack vector might still apply to other devices.

The bad news is, the protection mechanisms can be susceptible to attacks, as my colleague Roman Unuchek proved in his blog post "How I hacked my smart bracelet". He was able to compromise the authentication process and thereby read the tracker's recorded data as well as executing code on it. According to his research, sometimes it is even possible to hijack the device without the owner even knowing.

Synchronization between the mobile phone and the server

The synchronization between the smartphone apps and the cloud servers is a neuralgic point, since the data stream comprises both the data gathered and the credentials to access the user's account. When smartbands hit the market some years back, some curious security researchers dipped into the traffic; a great uproar soon followed as it emerged that many vendors had no encryption whatsoever in this process, meaning all data was transmitted in clear text, perfectly readable for anyone who came upon it.

The synchronization between the smartphone apps and the cloud servers is a neuralgic point

Tweet

Fortunately, all the vendors of smartbands tested in this paper did their homework, since all of them incorporated a form encryption in their apps (TLS/SSL). This way, it is no longer simple to sniff traffic over Wi-Fi.

Compromising the mobile phone

Mobile malware has been a hot topic in recent years, with the number of new samples increasing in an almost exponential fashion. In the period from 2004-13 Kaspersky Lab analyzed almost 200,000 mobile malware code samples. In 2014 alone there was an additional stream of 295,539 samples. However, this doesn't give the whole picture. These code samples are re-used and re-packaged: in 2014 we saw 4,643,582 mobile malware installation packs (on top of the 10,000,000 installation packs that had been seen in the period 2004-13). The number of mobile malware attacks per month increased tenfold – from 69,000 per month in August 2013 to 644,000 in March 2014.

All the vendors of smartbands tested in this paper incorporated a form encryption in their apps (TLS/SSL)

Tweet

The typical modus operandi of cybercriminals is to use legitimate apps or app names as a vehicle to spread their malicious creations – mainly on third party app sites. One mobile malware sample is usually packaged under just one installer package, but sometimes even a hundred could be used to increase the leverage and therefore spread it among different user groups.  Malicious fake apps for smartbands, asking the user for the login credentials and thereby hijacking the account and all the information on it are entirely plausible. In combination with other data from the compromised phone, such as GPS coordinates of check-in features from social networking apps, this would pretty much by 'game over'.

However, the daily life of a smartphone poses a far higher risk. These devices are especially prone to getting lost. For example the London Underground reported more than 15,000 phones were lost in its trains in 2013 [1]. Without a lock screen in place, all information is visible to anyone who finds a smartphone, and that includes the information stored in fitness trackers. None of the smartband apps tested for this report offered the opportunity of locking the app with separate pin.

Compromising the cloud service

Aside from targeting single devices and users, attackers could also aim for the cloud service itself and seek access to records from all users.

Sometimes not even sophisticated hacking skills are needed, as one leading smartband vendor's user portal proved in 2011. All the user profiles were indexed by a popular search engine, making it easy to simply search the Internet for specific expressions that were only found in these profiles. Back then, users had the option to make their profile "private" but they were set to "public" by default. In addition, users could manually enter descriptions for their activities and certain timeframes, e.g. to find out what is most helpful when trying to lose weight. This meant that even the most private kind of "activity" was publically visible for everyone to see, together with information on longevity and how many calories were burned [2]. The vendor subsequently took action to prevent this. This case highlights how easily information and privacy leaks can result from misconfiguration and/or lax privacy policies.

Tracker's users have the option to make their profile "private", but they're set to public by default

Tweet

One smartband vendor's API allows users to access their data via a user ID and the serial number of the smartband, as well as the more traditional username-and-password combo. However, if a third party has the required information, the essential data can be downloaded without the user's knowledge.

In 2014 we saw numerous class A exploits like Shellshock or Heartbleed targeting web servers. These attacks were performed in a scripted fashion to IP addresses throughout the world by numerous gangs. It is still not clear how much data was gathered in these mega breaches, nor what the overall effect will be. Cloud services are not exempt from attacks like this and are seen as a lucrative target. It's only a matter of time until the next big exploit is found.

Other potential traps

According to research performed by the Massachusetts Institute of Technology, one smartband is notorious for scanning the user's environment for other Bluetooth-enabled devices, like computers, mobiles, other smartbands etc. As well as gathering the addresses of these devices, it also passes them to the vendor's servers via the smartband's phone application. This way, the vendor is potentially able to create a profile of each user's infrastructure environment.

In addition, the smartband itself uses BTLE (Bluetooth Low Energy), which makes it possible to change the device's address from time to time to avoid tracking the wearer. However, the vendor chose not to use this feature.

Fake smartband apps, asking for login credentials, are entirely plausible

Tweet

One tested smartband app invited the user to install additional apps from third parties to integrate and associate the collected data for deeper insights into the state of the users' health and activity. Possible extensions include correlating the standard data with GPS recording during workouts, dedicated apps for further visualizations, apps offering additional weight control related models, apps encouraging the user to eat more healthily (e.g. more fruit) and even offering financial incentives if all goals have been completed, paid by users who didn't meet their own targets.

If integrated, user automatically agrees to share this kind of data with the supplier.

The last potential trap has been a classic for decades. People tend to reuse their passwords over and over out of convenience. Most people have a main e-mail address, which also serves as a username on many websites and services. Now if one these accounts is compromised due to a server side breach (and we read of these breaches almost every week) or a malware infection stealing the login credentials on one of the machines, this means the other accounts using the same password are in massive danger. It is widely known that cybercriminals try these credentials on many of the big web portals like online shops, online payment systems, social networks and anything else that might turn a cash profit in the digital underground.

Commercial models around smartbands, fitness trackers and other gadgets

The flood of personal information, gathered by millions of users of smartbands and other wearables, whets the appetite of others as well as cybercriminals.

This kind of information is highly valuable to companies and institutions in different sectors.

Insurance companies

Insurance companies are based around risk estimation. To do this effectively, data has to be collected and evaluated to calculate the appropriate premiums from customers. The better the data, the better companies can manage their business. This is where fitness trackers come into play. What data could possibly be better than actual data streaming in real time from the customers themselves? At the time of writing some insurance companies are launching special programs for customers who are willing to share the information gathered from their fitness trackers. In return, financial incentives are offered to customers who prove to have a healthy lifestyle, as well as vouchers for travel and additional fitness courses [4].

None of the smartband apps tested offered the opportunity to lock the app with a PIN

Tweet

What could possibly go wrong? This scheme could potentially backfire. Imagine a keen fitness enthusiast who is also not averse to extreme sports. What if the tracking device and smartphone regularly transmit data about driving to an infamously dangerous mountain bike downhill track? GPS data sent from the smartphone and additional "step" count, coming from the rocks beneath the tire while riding at 40 kilometers per hour down the hill prove that someone didn't just go there to be a spectator, and this might displease the insurer. It could result in increased insurance costs based on the customer's allegedly higher risks. Depending on the legal situation in different regions in the world there's also a chance that insurance companies would refuse to insure high-risk clients because of the data recorded by their tracking devices.

Apart from fitness trackers, there are other gadgets and apps being developed to optimize the quantified self, like toothbrushes with integrated sensors to monitor the motion of the brush in three dimensions and a Bluetooth uplink to a dedicated smartphone application [5]. The app includes mini games to teach, motivate and reward people, especially children. It also tracks how often the teeth are being brushed and for how long. Again, insurers (dental insurance in particular) would be pleased to get their hands on this data.

Employers

Companies also discovered fitness trackers for their employees. There are already examples of employers offering these devices to their workforce to measure their health and motivate them towards a healthier lifestyle. British Petroleum (BP) introduced a "wellness program", in which employees are given points for reaching certain targets and incentives like health care premiums are offered [6]. Employees thinking about joining such program should thoroughly check the privacy policy and consider what potential consequences it might have.

Advertisement industry

There are almost no mobile apps on the market that offer users the option of disabling the flow of data into the cloud. As a result vendors quickly learn about your habits and your state of health. Depending on privacy policies, this enables them to tailor advertising based on the user's information and activity. Even within a general interest or activity, advertisements can focus on specific user groups: for example beginners could be offered running shoes and basic sportswear, whereas advanced athletes are shown advertisements for more expensive equipment, LED headlamps for night-time work outs or special sports nutrition. All offers can be adjusted for your local currency and targeted at the right gender and approximate size according to the weight and height set in the app.

Other parties

After the earthquake in Northern California the smartband vendor Jawbone published a diagram on their blog that showed the impact on sleep the event had in different areas around the epicenter [7]. All data was collected from thousands of customers, aggregated and presented in an anonymized form. The data enabled Jawbone to come up with a new format to show the actual impact of the earthquake on people rather than approximate seismographic ratings for surrounding areas. The graph appeared on many news sites around the globe.

Personal information gathered by millions of smartband users whets the appetite of cybercriminals

Tweet

The year 2014 marked the first time that data recordings from smartbands were used in court, opening the way for future cases. In this case the woman in question freely provided her data to prove that her injuries from a car accident limited her activities. Her information was compared with other women of her age using a third party [8]. In this case the use of data was not controversial – the woman provided her data freely to prove her point. It is important for smartband users to remember that vendors usually include a clause in their user agreements and privacy policies to make it clear that they can disclose information in response to a court order. It is also important to understand that the gathered data won't necessarily be kept in the country where it was recorded, but could also be used in foreign countries with a different jurisdiction.

According to researchers from the Hebrew University of Jerusalem it is possible identify individuals by the distinct shake of their GoPro cameras, worn on the head, from a sample of only a few seconds [9]. This raises the question whether algorithms along these lines could allow individual smartband users to be identified by their activity and sleep patterns.

Is there a more private way to keep track of your fitness?

More private alternatives (read: self-sufficient) to smartbands include pedometers and fitness tracker apps. Both options can act as single device systems and thereby cut off potential vectors of compromise that affect common smartband systems.

Fitness tracker apps commonly use an internal gyroscopic sensor and accelerometer to keep track of activities.  Tracker apps lack the sensors to measure people's sleep and also do without some other features of smart devices. Dedicated step counter devices, called pedometers, offer a similar feature set, but are easy on the smartphones' battery. Some offerings can be synced with a smartphone, others are completely self-sufficient. They can be carried it in a pocket or clipped onto your belt.

Advice for users of smartbands

To minimize the risks of your data being compromised, there are several pieces of advice to follow. Many of them apply not only to smartband users but to anyone using apps that store personal information:

  • Only use features you really need and avoid giving out any personal information that you would not want to store  in the cloud
  • Use a strong and unique password for each account
  • Lock the home screen on your smartphone and use access protection
  • Encrypt your phone if possible
  • Use security solutions for all devices, if available
  • Read the license agreements of applications and pay close attention to how personal information might be used by the service
  • Install app and operating system updates when available
  • Uninstall/Delete applications that are not needed anymore
  • Turn off the Bluetooth and location services on phones when not needed (this also preserves battery time)
Conclusion

Smartbands have been around for almost a decade by now, so they are almost senior citizens compared with many gadgets. While some old security issues like absence of encryption or public indexing of user profiles have been fixed, they show that security is still an afterthought for many companies. Security is also a process; vulnerabilities in drivers, protocols and the whole server ecosystem are found more and more frequently, vendors need to monitor vulnerabilities and the exploit landscape and quickly patch their software on both the client side (smartphone apps) and the server side (cloud service) to secure the customer data.

Security, though, depends on both makers and users alike. Everyone involved must understand the value and sensitivity of the user data collected by the fitness tracker. Normally when a breach involving personal data happens, data like names, mail addresses, birthdates, credit card information or passwords are affected. In this context, the information is even more personal. It contains health and body related data, including details that someone would normally confide only to a handful of very close people – or possibly even the doctor alone.

Smartband vendors are sitting on a goldmine of information that would be of great value to third parties in its anonymized form and even more attractive in a user-specific context. But if vendors decided to give out this data in either format (and risk losing their users' trust), third parties need to be cautious about the data. After all, what is to stop users attaching a smartband to a hyperactive pet dog and using that to get preferential 'active lifestyle' rates from an insurance company?

Although smartbands are relatively old technology, they are still part of the breeding ground for devices and services that trade on quantifying ourselves. New kinds of devices are coming up, integrating old technology and combining them with new innovation. Gadgets like smartwatches and Google's Glass are examples of how the future might shape up in this area.

Appendix: Resources

(1) More than 15,000 lost mobile phones on London Underground pose security risks
http://www.v3.co.uk/v3-uk/news/2318727/more-than-15-000-lost-mobile-phones-on-london-underground-pose-security-risks

(2) Dear Fitbit users, kudos on the 30 minute of vigorous sex activity last night
http://gizmodo.com/5817784/dear-fitbit-users-kudos-on-the-30-minutes-of-vigorous-sexual-activity-last-night

(3) Security Analysis of Wearable Fitness Devices (Fitbit)
https://courses.csail.mit.edu/6.857/2014/files/17-cyrbritt-webbhorn-specter-dmiao-hacking-fitbit.pdf

(4) Insurance company Generali wants to collect fitness data from customers (German)
http://www.heise.de/newsticker/meldung/Neue-Krankenversicherung-Generali-will-Fitnessdaten-von-Versicherten-sammeln-2461512.html

(5) Kolibree, Smart Tooth Brush
http://kolibree.com/en/

(6) Wearables at work mean big business, says Fitbit CEO
http://www.cnbc.com/id/101318809#

(7) How the Napa Earthquake Affected Bay Area Sleepers
https://jawbone.com/blog/napa-earthquake-effect-on-sleep/

(8) Fitbit Data now being used in the Court Room
http://www.forbes.com/sites/parmyolson/2014/11/16/fitbit-data-court-room-personal-injury-claim/

(9) Egocentric Video Biometrics
http://arxiv.org/abs/1411.7591

CanSecWest 2015: everything is hackable

Fri, 03/27/2015 - 09:48

Last week, we had the privilege to participate in and present at the 15th edition of CanSecWest in beautiful Vancouver, BC, along with its famous accompaniment, the ever famous Pwn2Own competition. Yes, once again all major browsers were hacked, but they were not alone! BIOS and UEFI, 4G modems, fingerprints, credentials, virtual machines, and operating systems were among the victim systems successfully hacked by our fellow presenters.

The event gathers a very technical audience with a shared interest in the most recent attacks and the presenters delivered with a variety of demos that showcased their intended vulnerabilities beautifully and thus reinforced the conclusion that digital voodoo can turn obscure and seemingly innocuous vulnerabilities into mind-numbingly cunning attacks.

One of the most discussed presentations, and certainly one of our favorites, showcased the power of BIOS and UEFI hacking: two guys, Corey Kallenberg and Xeno Kovah of Legbacore, armed with $2,000 and 4 weeks of hard work were able to show how a long list of vendor BIOSes were not only vulnerable but could successfully be loaded with LightEater, an SMM implant capable of pilfering sensitive information from Tails OS and even exfiltrating that information in such a way as to bypass the OS entirely. We clearly agree with their conclusion, it´s time to start taking a harder look at firmware!

Firmware insecurity: absence of evidence is not evidence of absence

One of the very possible attack is the well-known 'evil maid' or the 'border guard' approach: someone with physical access to your computer can just plug a small device (see below) and successfully reflash your system's BIOS, rewriting it with malicious code, without so much as booting up the system.

Press a button and in a few seconds the handy green light will indicate the BIOS is p0wned

Another very interesting presentation by Jan "starbug" Krissler showed how high resolution photos could bypass biometric authentication. Pictures acquired through high-resolution cameras from a safe distance amounted to the successful theft of fingerprints, faces, and irises used by current biometric systems for authentication. The distance can even be extended through the use of infrared imagery! We spent the talk imagining the breach possibilities as  an increasing number of ATMs  nowadays rely on biometric input.

Please authenticate access to your bank account using a password you can never change: your fingerprint

We also saw presentations on MacOS DLL (dylib) hijacking, userland exploits on iOS 8, attacks using Windows PowerShell, and even the installation of a bootkit in a 4G modem by simply sending an SMS! All sandwiched between explanations of the work of the ever fascinating Google Project Zero Team. In one of these, Chris Evans walked the audience through how a 'simple' crash caused by a call with a negative length became an exploit on Adobe Flash Player.

Our own presentation was a walkthrough of the misuse of whitelisted tools to further all kinds of attacks, from APTs and Targeted attacks to banking trojans and ransomware. This ongoing project is intended to highlight the faulty foundations of the whitelisting approach to security and how whitelisting alone simply won't protect you, from advanced and intermediary attackers alike! Stay tuned for a post on our findings.

In the end, we expanded our view as to the true breadth of vulnerable software and hardware. on which we depend daily. Security is a truly elusive state in an ecosystem composed of interwoven, dependent systems, each responding to the diverging priorities of a developer, an administrator, a user, and, of course, an attacker as well. The role of the security researcher that lives and breathes attack vectors and obscure vulnerabilities in search of the right digital voodoo has never been more important. And we can't help but echo the sentiments of Dragos Ruiu and our own Eugene Kaspersky in thanking CanSecWest for bringing all these researchers under one roof and one banner to share that digital voodoo and successfully stave off the balkanization of our industry just a while longer.

How I hacked my smart bracelet

Thu, 03/26/2015 - 07:00

This story began a few months ago when I got a popular brand of fitness bracelet. As this is a wearable device I installed Android Wear app, an application developed especially for wearable devices. This application easily connects to the fitness band.

However, there was something odd: the program could connect to a Nike+ Fuel Band SE, but my bracelet was another brand! It wasn't long before I realized my colleague had a Nike wristband – and he didn't even notice I had connected to his device.

After that I decided to do some research and find out how secure my wristband was.

Smart bracelets: communication with a smartphone

Today's market offers a lot of wristbands from other manufacturers. KSN provides the following statistics about the installation of Android-based applications to work with popular fitness trackers on mobile devices (the statistical data was obtained from KSN users who freely agreed to the transfer of this data).

The installation of Android-based applications designed to work with fitness trackers from different manufactures

Although this statistic demonstrates the popularity of Android applications (we cannot guarantee that the appropriate devices have users), to some extent it reflects the situation with the popularity of wearable devices.

To communicate with the smartphone most of these fitness bands use Bluetooth LE technology (also known as Bluetooth Smart). For us, this means that the devices connect in a different way from regular Bluetooth. There is no pairing password because most wristbands do not have a screen and/or a keyboard.

In some cases you can connect to a wearable device without the owner even knowing

Tweet

These wristbands use a GATT (Generic Attribute Profile) which means that every wearable device includes a set of services, each of which has a set of characteristics. Each characteristic contains a byte buffer and a list of descriptors, and each descriptor contains a value – a byte buffer.

In order to demonstrate this, I used some ready code from Android SDK, an example of an application that connects to Bluetooth LE devices. I did not have to write a single new line of code; I simply opened the existing project in Android Studio and pressed Start.

The screenshot above shows the result of my attempt to connect my fitness bracelet with the help of this application. Here we see the services and their characteristics. However, it is not easy to obtain data for my bracelet from the characteristics - it requires authentication in addition to the connection. In the case of some other devices I could read the data from the characteristics and their descriptors. This was probably the user data.

Scanning

So, using the example of the application from Android SDK I could connect to some devices. After that I have developed my own application which automatically searched for the Bluetooth LE devices attempting to connect to them and get their list of services.

Using this application I performed several scans.

  • Over two hours on the Moscow undeground subway system I could have connected to 19 devices: 11 FitBit and 8 Jawbone.
  • Over an hour in a gym in Bellevue, WA, USA I was able to connect to 25 devices: 20 Fitbit, and one each from Nike, Jawbone, Microsoft, Polar and Quans.
  • Over two hours at SAS2015 in Cancun, Mexico, I was able to connect to 10 fitness trackers: 3 Jawbone and 7 FitBit.

From just six hours of scanning I was able to connect to 54 devices despite two serious restrictions:

  1. Although the spec suggests the maximum distance for connections is 50 meters, in reality it's rarely possible to connect to a device more than 6m away.
  2. It seems that it is not possible to connect to a device that already has a connection to another phone. Thus if your wristband is connected to your phone, no one else can connect to it; it should not even be seen during scanning.

The second restriction should mean that when the wristband is connected to a smartphone, it cannot be attacked. This is not true though. And here is an example: while scanning with my app I was able to block the communication between my bracelet and its official application, even though they were connected.

It could be that the devices I found had never connected to a phone before or that the wristband was not connected to a smartphone while I was scanning (perhaps the Bluetooth on the phone was disabled). However it could also be that a pre-connected device was still available for connection despite the supposed restriction. Whatever the reason, potential fraudsters have ample opportunity to connect to fitness trackers.

However, in most cases, authentication is required in addition to the connection in order to gain access to the user data. Let's see how my bracelet's authentication process works.

My bracelet's authentication

To authenticate the bracelet on a smartphone the official application uses one of the four available services on the wristband. Each characteristic of each service is flagged with 'CharacteristicNotification' - this is how the app informs the wristband that it wants notifications of any change in this characteristic. Then the application gets a list of descriptors for each characteristic and sets the 'ENABLE_NOTIFICATION_VALUE' flag to inform the wristband that it wants notifications of any change in each descriptor.

After that one of the characteristics changes its value - the byte buffer. The application reads this buffer from the wristband: the 200f1f header and the byte array - let's call it authBytes.

The application creates a new array. Its first part is a constant array which is contained in the application and begins with 6dc351fd44; the second part of the new array is authBytes. The application receives the MD5 hash from the new array and sends it back to the device in the following structure:

  • Header (201210051f)
  • MD5
  • Verification byte

The application then sends to the device yet another array also found in this application.

After this wristband starts to vibrate and the user just needs to press the button to complete the authentication process.

With the official application the authentication process takes about 15 seconds. I have developed an application that requires only 4 seconds to make the wristband vibrate.

It is not difficult to make the user press a single button on the wristband. You just need to be persistent. You can keep trying authentication process over and over until the user finally presses the button or moves out of range.

From just six hours of scanning I was able to connect to 54 devices despite two serious restrictions

Tweet

After authentication is completed, the data on my bracelet can be accessed. Right now, wearable fitness devices do not contain much information. Typically, they have the number of steps, the phases of sleep, the pulse for the last hour or so. Approximately once an hour the app transfers this information from the wristband to the cloud.

After the authentication, it is easy to execute commands on the device. For example, to change the time you should send to the device the byte array beginning with f0020c and then the date in the form YYYY MM DD DW HH MM SS MSMSMSMS.

Things are even easier with the other fitness trackers: for some of them, part of the data is available immediately after the connection, while the application code for Nike is not even obfuscated and can be easy read (the results of one study can be found here).

Conclusion

The results of my research show that in some cases you can connect to a wearable device without the owner even knowing.

By hacking the bracelet I have the fraudster cannot get access to all user data as this is not stored on the wristband or in the phone - the official application regularly transfers information from the wristband to the cloud.

Fitness trackers are becoming more popular and offer a wider range of functions. Perhaps in the near future they will contain more sensors and hence much more user information, often medical data. However the creators of these devices seem to think very little about their safety.

Just imagine - if a wristband with the pulse sensor is hacked, store owners could look at your pulse rate while you are looking at the prices in the store. It might also become possible to find out how people react to advertising. Moreover, a hacked wearable with pulse sensor could be used as a lie detector.

The fraudster could take control of your wristband, make it vibrate constantly and demand money to make it stop

Tweet

Of course, there are more harmful actions that are more likely. For example, by using a Trojan-Ransom the fraudster could take control of your wristband, make it vibrate constantly and demand money to make it stop.

We reported our findings to my bracelet's vendor. The company's response defines the findings as a UX Bug and not a security issue. For ethical and security reasons we are not disclosing the name and the model of the bracelet this time. If you're worried about the possible consequences of cybercriminals exploiting the security issues we discovered, don't hesitate to contact the vendor of your fitness bracelet and ask if your product is affected by the method described in the article.

We also hope that this article will be helpful not only for users but also for vendors of the bracelets to make these devices safer from the IT Security perspective.

Analog OPSEC 101 – operational security in the physical world

Wed, 03/18/2015 - 06:00

For a long time we´ve been interested in operational security (OPSEC), and although you can find tons of cool technical tips about protecting digital information, we always felt that something was missing. After all, we live in a physical, or  analog world as well as a digital one, and we have encounters with other real people. After asking around, we found that one of the biggest worries of our technical community was how to behave during these interactions. So we decided to work on creating some realistic and easy to remember tips for exactly these situations.

Threat modeling

OPSEC is all about hiding information from your adversaries. We categorized our adversaries into just two groups: those who have resources and those who don´t. Plain and simple.

The first group comprises intelligence agencies, military organizations and the big bad boys. The second contains the rest. Important: no resources is not the same as no danger, but they are less able to track you unless you give away information for free.

Our tips are focused on encounters with the first group, since that is more likely to happen.

Recruitment

Agencies are always on the look-out for new assets to recruit – this is what they've been doing for centuries.

It all starts with the spotting process, identifying an asset who could meet their requirements based on the position and access to information. Next they profile the target, partly using OSINT. After that it's time to choose between the carrot and the stick, and pick out the most effective motivators on offer: money, blackmail, ideology, sex, etc.

Then some guy will approach us, maybe in person, maybe through LinkedIn. He'll probably pose as some businessman who will pay us a lot for nothing much, just a few easy reports from time to time.

When this happens we want to get to the Termination phase ASAP, ideally after being written off as a waste of time and effort.

We can just say "No", but they may keep increasing the pressure. On the other hand, we can refuse while providing alternatives, redirecting the request to another person ready to handle this.

Create a protocol for yourself and your organization in order to handle these situations effectively, minimizing the researcher ´s exposure. Be prepared in advance for situations where we are more vulnerable.

Borders

Crossing an international border can be one of the most vulnerable places. Somehow they are like a parallel dimension: although you are physically in one territory, the laws are just different, or maybe even non-existent.

We´ve learnt a few things regarding borders: there is always some exception to the law that officers might use in extreme scenarios. You can find legal advice here https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices>. However this is what you should NOT do:

  • Regardless of whether you consent to a search or not, do NOT stop the officer if he starts checking your stuff. This is a felony.
  • You don´t have to answer questions, but if you decide to do so, do not lie to the officer. Again, a felony.

This is our advice about how to react in a situation like this. These rules will provide you with peace of mind, help you stay calm and not freak out. Hopefully they will stop you overreacting, making things worse and talking too much, starting with: "I have nothing to hide, let me explain …".

  • Be cooperative.
  • Don´t make things worse.
  • Have your story prepared and be ready to back it up.
  • Golden rule: Don´t bring any valuable content with you! You should encrypt, upload and retrieve on arrival at your destination.
Other situations

Sometimes we could find ourselves going to a meeting in a strange country with a suspicion that something is not quite right. Some advice for this:

  • Don´t go alone.
  • Don´t rely on your host for transport
  • Plan exit routes and "safe" places, have your contacts ready.

In some cases the meeting itself won´t be the "trap"; it's just an excuse to get you to leave your computer in a known location the hotel, or in a cloakroom.

It is always a good idea to let someone know where you are going and tell them to react if you don´t ping them in a reasonable period of time. This also lets your adversaries know that you are ready – a simple casual comment will do the job.

Another concern is physical surveillance. To be honest, if this is done by sophisticated professionals there isn't much we can do about it and we probably won't even notice. But remember – don't try anything stupid; you're not James Bond. Acting like it's a movie can only make things worse.

If you are very concerned, escalate the situation and involve the person in your company who is responsible for dealing with local contacts. If you feel uncomfortable, move to a public place or directly move to your embassy.

Conclusions

You've probably already spotted a common theme in most of all these situations. First, keep calm and do not make things worse. You can rely on a third party to send in the cavalry when you need it. This is why your company should provide you with a single person to contact when you're in trouble. Also you might need international legal support.

However the key lesson is: do your homework. If you travel abroad, spend some time finding local contacts, get the telephone number and directions for your embassy, plan your meetings, let other people know where you are and make sure they are ready to act quickly in certain situations. Have your travel laptop ready and consider what information you bring with you. If you remember your lessons, you will be fine.

Yeti still Crouching in the Forest

Tue, 03/17/2015 - 03:53

Last July, we published details on Crouching Yeti (aka Energetic Bear), an advanced threat actor involved in several APT campaigns.

A quick summary:

  • Campaign status: Active
  • Discovery: January 2014
  • Targeted platforms: Windows
  • First known sample: 2010
  • Number of targets: 2,001-3,000
  • Top target countries : United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, China
  • Propagation method: Social engineering, Exploit, Watering hole attack, Trojanized software installers
  • Purpose/functions: Data theft
  • Special features : Interest in OPC/SCADA. Trojanized software used to administer remote OPC servers as well as modules to scan networks for OPC servers.
  • Targets: Industrial/machinery, Manufacturing, Pharmaceutical, Construction, Education, Information technology
  • Artifacts/attribution : Russian-speaking authors

This post is an update about the operational status of the campaign described in the original "Crouching Yeti" report.

Since the beginning of the research, we've been monitoring some of the C2 servers used by the components used in the attack – the Havex Trojan, the Sysmain Trojan and the ClientX backdoor. The following analysis is based on data gathered until March 04, 2015

C2 and victims:

Overall, we successfully monitored 69 C2 server (unique domains), receiving hits from 3699 victims (unique IDs of the Trojan/backdoor) connecting from 57796 different IP addresses. We gathered four additional C2s since the publication of the first report (65 in the last report).

Based on the graph below, the top five C2 servers share most of the unique victims :

Victims per C2

 

Although the trendline shows a decreasing number of hits on the C2, there are still >1.000 unique victim connections per day. These top five C2s with most of the victims coincides with the activity analyzed in the previous research and publication.

Another interesting figure is the number of hits by date which shows a decreasing trend:

The following figure shows the entire picture regarding Crouching Yeti victim country distribution including all the malware (Havex, ClientX,Sysmain) reporting to the C2s on which we have visibility. The graph contains the total dataset (inluding data for the previous report as well as the gathered during this period) and contains all the unique IP addresses observed. Be aware that there are some unique IDs using several IP addresses probably pertaining to infected computers used by travellers.

This shows the big (and updated) picture regarding Crouching Yeti victims by country. Spain, Poland and Greece are in the Top 3. Japan and especially the United States have significantly reduced position (less victims) since the last report, contrary to Poland and Italy that increased position remarkably (more victims reporting to the C2).

An additional representation of victim country distribution including the full dataset (all countries) :

Malware:

The most widely used Trojan on these C2 server is Havex with 3375 unqiue victims. Sysmain counts 314 and ClientX 10 (as in the last year's report). For Havex, version 024 is still the most widespread, followed by version 043. This is consistent with the trend observed in our last publication.

The following two graphs show the distribution of victims per malware type. We decided to divide the identified versions in two groups for purposes of clarity. The series names Report contains the data published in the first Crouching Yeti release (blue) and the Update (red) series contains the data analyzed.

During this period, the first subset shows an increase for almost all the included versions except for Havex-038 and Havex-01D which showed bigger activity in the first Crouching Yeti release . On the other hand, Havex-043 has the most significant increase during this period.

For the second subset, the picture looks pretty similar (global increase) except for Havex-01d which shows a decrease during this period.

Already before and also after the announcements around this actor other researcher digged into. Therefore the datasets are cleaned but may still include few research based non-victim systems.

The following graphs shows the operating system distribution amongst Havex victims during this period:

Apart from the increase of the category "unknown", there are no substantial differences when comparing the data analyzed in the first report :

In order to complement the data from the C2, we extracted some stats for the most relevant Trojans used by the Crouching Yeti operators. Almost all of them shows a residual impact during 2015. Nevertheless, we notice some very specific peaks during this month, especially for the Trojan.Win32.Ddex verdict. This component is a simple downloader with the functionality similar to the Havex component. All the detections are located within the Russian Federation.

In conclusion, the data analyzed during this period show us that Crouching Yeti's impact continues to increase in terms of infected victims reporting to the C2s, although internal data from KSN shows a different picture (residual number of infections). In this update, we did not see relevant changes in the infrastructure or in the C2 activity.

Taking into account the nature of this threat actor and the operational status of the infrastructure, it is likely the operators already switched infrastructure, techniques and targets.

We will continue to track this threat actor and providing updates accordingly.

Kaspersky Security Bulletin. Spam in 2014

Thu, 03/12/2015 - 08:00
The year in figures

According to Kaspersky Lab, in 2014

  • The proportion of spam in email flows was 66.76%, which is 2.84 percentage points lower than in 2013
  • 74.5% of spam emails were no more than 1 KB in size
  • 16.71% of spam was sent from the USA
  • Users in the USA were targeted by 9.8% of malicious emails, the largest share of any country
  • 260, 403,422 instances that triggered the "Antiphishing" system were recorded.
  • Brazil had the highest proportion of people attacked by phishers – 27.47% of all Kaspersky Lab users in the country faced at least one attack
  • Russia suffered the highest number of total phishing attacks, with 17.28% of the global total
  • 42.59% of phishing attacks targeted global portals that integrate many services accessed from a single account.
Popularity of mobile devices and spam

The popularity of mobile devices continues to grow, and this is affecting spam in email traffic: the number of advertising services that will spread spam on mobile devices is increasing, as are the number of offers addressed to the spammers who profit from these mailings. The popularity of mobile devices also makes them a valid vector for cyber-attack: email traffic now includes malicious imitations of emails sent from smartphones as well as fake notifications from popular mobile applications.

Adverts from/for "mobile" spammers

In 2014, spammers intensified their offers to distribute ads via SMS and popular IM services (WhatsApp, Viber, etc.). They use traditional spam mailings to help search for new customers, and the number of these adverts is also increasing.

Current email traffic also includes adverts addressed to "mobile" spammers: they are offered ready-made databases of phone numbers and other contact information that is designed to attract a specific target audience. These databases, in turn, are often generated with the help of mass mailings: the spammers send phishing emails which they use to collect personal data from victims.

Imitations of emails sent from mobile devices

Spam mailings simulating emails sent from mobile devices have become very popular. We came across such emails written in several languages; they mentioned iPad, iPhone, Samsung Galaxy and other models. These messages had one thing in common - short (sometimes non-existent) text and a signature reading "Sent from my iPhone". Typically, they contain links to phishing sites or malicious attachments.

Apparently, spammers think that an email with the attached file and a signature allegedly sent from the iPhone looks reliable. Indeed, the emails sent from mobile devices rarely use a complex template. And the senders often prefer to attach a file or insert a link rather than write a long text on the smartphone.

In some cases, the emails included an archive named to suggest it contained a photo. In fact, this was yet another way to distribute malware.

The emails sent allegedly from mobile devices often contained advertising links - most often to the sites illegally selling medications. Below is the example of one of these emails where the spammers used a few key words as the text of the message.

In order to bypass filtering, spammers often try to forge technical headers of the emails (Data, X-Mailer, Message-ID) to make them look like they were sent from mobile devices. However, when checked, the content of these headers is defined as incorrect.

Fake notifications from mobile applications

The widespread use of mobile devices has given rise to yet another phenomenon - spam that imitates notifications from different mobile applications such as WhatsApp and Viber. Users are accustomed to the synchronization of cross-platform applications, to the synchronization of contact data between applications and to different notifications from them, so many mobile device owners don't think twice about an email saying a message has allegedly arrived on their mobile messenger. This is a mistake: these mobile applications are not related to the user's email account in any way, which means that these emails are obviously fake.

For example, there can't be emails telling users that they've received an image via WhatsApp because registration on WhatsApp does not require an email address.

Moreover, the "picture" is packaged in an archive, which should also arouse suspicion: packaging an image does not offer any advantage while archives are often used to hide malicious attachments. And this is what we see in this case: the archive contains a malicious program.

Yet another example: a notification about a voice message allegedly sent via Hangouts contains a hyperlink disguised as the "Play" button. After clicking "Play", instead of hearing the voice message the user is sent to a compromised legitimate site from which integrated JavaScript redirects him to an advertising page.

The notification of the voice message supposedly sent via Viber contains a "Listen to Voice Message" button that initiates the download of a malicious archive.

World events in spam

2014 was rich in global events: the crisis in Ukraine, the Ebola epidemic, the Olympics in Sochi and the FIFA World Cup in Brazil. Each of them was used by the spammers to draw attention to their mass mailings.

The Olympic games and the World Cup

The Sochi Olympics and the FIFA World Cup in Brazil were the only sporting events that featured in spam flow. In both cases the majority of spam emails were written in the language of the country where the event took place, suggesting that the fraudsters' main targets were the locals.

The spam sent out shortly before these events contained a lot of mass mailing advertising products with the symbols of the tournament. In the case of the Olympic Games, in addition to Sochi merchandise the adverts offered products harking back to the 1980 Moscow Olympics.

"Nigerian" scammers also got involved. Before the Olympics they sent emails on behalf of the fans who asked for assistance in renting accommodation in Sochi or paying for various services. The "sports fans" were allegedly ready to transfer 850,000 euro to a person who would help them. The promise of a big reward was designed to encourage victims to overlook a few preliminary costs, but once the requested money was transferred the fraudsters disappeared without delivering the promised cash and rewards.

We also saw many fraudulent emails informing recipients that they had won an official FIFA World Cup lottery. Of course, to get his money, the 'winner' faced a few minor preliminary expenses. But, of course, these so-called winners would never see any money from a competition that they had never entered in the first place.

Similar emails are constantly sent out in the run-up to the big football championships.

Besides real adverts and fraudulent messages the pre-World Cup spam also contained malicious emails with links that allegedly led to websites where fans could buy tickets to the games.

Nelson Mandela's demise

Obviously, "Nigerian" scammers do not grieve for the demise of political leaders; for them these events are the ideal pretext to spin stories of a multi-million dollar will. Nelson Mandela's death in late 2013 unleashed a wave of "Nigerian" spam. The attackers introduced themselves as representatives of different funds and informed the recipient that he had been awarded a Mandela prize; the "bankers" offered to secretly divide the Mandela family's money, etc. In some cases, the emails contained the links to real news releases, hoping that this would make the message look more reliable.

Political events in Ukraine

Unstable political situations and military conflict is yet another source of inspiration for "Nigerian" spammers. We regularly come across mass mailings exploiting conflicts in different countries, mostly in the Middle East, but in 2014 the "Nigerian" scammers focused on Ukraine. The authors of fraudulent emails posed as the disgraced Ukrainian politicians and entrepreneurs looking for a way to smuggle their millions out of the country. There were also mass mailings written on behalf of Russian businessmen who had suffered due to sanctions.

Traditionally, "Nigerian" letters offered the recipients huge money for their help. Meanwhile, if victims entered into correspondence, the scammers conned money from them to cover different alleged expenses - duties, taxes, air tickets, hotel rooms and so on.

The Ebola virus

The Ebola epidemic also attracted the attention of spammers. "Nigerians" sent out emails on behalf of infected Africans who allegedly wanted to leave their fortune to charity. The fraudsters came up with a new twist on the story which invited recipients to participate as a guest at a World Health Organization conference. The proposed fee was 350,000 and a car for the job as a WHO representative in the UK.

Malware distributors exploited people's fear of this deadly disease and sent out emails on behalf of the WHO which contained a link to information on the measures to prevent Ebola infection. Later, the emails with the similar content appeared but this time the "information from the WHO" was packed in an attached archive.

In reality both the link and the attached archive contained a malicious program designed to steal the victim's data. In the above email it was Backdoor.Win32.DarkKomet.dtzn.

Spammer tricks

The techniques that have been actively used by the spammers in recent years can be called "classic".

One well-known spammer trick is the stock spam advertising shares of small companies. These emails are part of a stock fraud scheme, the so-called pump and dump spam. The idea is simple: the fraudsters buy cheap stock then send out email mailings advertising the chance to buy stock in a certain company at super low prices, taking advantage of the sharp rise in value expected in the near future. As a result, demand for the stock in the company rises, the prices are artificially inflated and the scammers sell off their stock in the company at a tidy profit. This fraud peaked in 2006-2007 but stock spam is still in use today.

According to Kaspersky Lab, 74.5% of #spam emails sent in 2014 were smaller than 1 KB in size #KLReport

Tweet

In 2013, stock spam only contained a brief text showing the current and expected share price of the company. Some mass mailings included an auto signature which promised that an anti-virus scan had been deployed. Moreover, the language of the signature matched the language of the geographical domain which hosted the recipient's e-mail (this common technique seeks to persuade the recipient of the legitimacy and security of the email). To enhance the chances of bypassing spam filters, the name of the company in a mass mailing was usually "noised" with the "_" symbol or gaps, and the text fragments varied.

In 2014, the design of fraudulent mass mailings advertising company shares changed – the spammers made the messages look more reliable. To bypass spam filters, they used some well-known tricks:

  1. Graphic spam. The advertising text is located within the picture and company logos are used. In a single mass mailing the content, color, font size or background color of the picture can vary. (Note that modern spam filters have long used graphic analyzers that can easily detect graphic spam)
  2. Junk text is inserted at the end of each message and is designed in different colors which do not always match the background. Fragments from literary works and quotes from Wikipedia are used. It is assumed that this method will make each email unique and cause spam filters to detect them as fragments of a literary work rather than a spam message.

Apparently, spammers are trying to compensate for their archaic methods with large volumes – hundreds of millions of these fraudulent emails are sent out.

However, spammers often use more advanced techniques to create "background noise" in the text. For example, they can "noise" the main text of the message even without affecting the readability of the message. To do this, HTML tags are used. The opening and closing tags are inserted into the main text of the message in HTML code. As a result, the user sees no changes in the message but the spam filter detects each email as a unique.

Statistics The proportion of spam in email traffic

In 2014, the proportion of spam in email traffic was 66.76%, which is 2.84 percentage points lower than in the previous year. Spam levels have fallen consistently from a peak of 85.2% in 2009. This is due to the fact that adverts for legal goods and services are abandoning spam in favor of more effective legal advertising platforms.

The proportion of spam in email traffic, 2014

In 2013 the share of spam in email traffic showed almost no variation from month to month but in 2014 there were some noticeable fluctuations, especially in the first half of the year. The lowest value of the year (63.5%) was registered in March. However this was immediately followed by the highest monthly figure of 71.1% in April. The second half of the year was more stable.

Sources of spam by country

Sources of spam by country, 2014

In 2013 China was the undisputed leader among the spam source countries. However in 2014, the percentage of unwanted mail originated from this country dropped by 17.44 pp. As a result, China fell to 3rd in the annual rating, overtaken by the USA (-1.08 pp) and Russia (+1.98 pp).

The Top 10 sources of spam include three western European countries: Germany (+2.79 pp), Spain (+2.56 pp) and France (+2.33 pp). Two Asian countries - South Korea (-10.45 pp) and Taiwan (-3.59 pp) – which occupied 3rd and 4th positions in 2013 moved down to 13th and 14th places respectively in 2014.

The size of spam emails

The size of spam emails in 2014

The number of super-short spam emails is growing: in 2014 77.26% of spam emails weighed in at under 1 KB, 2.76pp more than in 2013.

These emails usually contain links to advertising websites. To generate the text of the email the spammers use robots that combine short phrases from several words taken from thematic dictionaries, or change the words in the message for synonyms. In the end they get unique messages, making the task of spam filters more difficult. The small size of the emails also helps spammers to reduce traffic costs.

Malicious attachments in email

For the fourth year in a row the most widespread malware in emails were programs that attempted to steal confidential data, usually logins and passwords for Internet banking systems.

The Top 10 malicious programs spread by email in 2014

Trojan-Spy.HTML.Fraud.gen topped the rating again. It is generally distributed using phishing emails and is designed to look like an html page where users are invited to enter their confidential data.

Email-Worm.Win32.Bagle.gt is in second place. The main functionality of all email worms, including Bagle, is to collect electronic addresses from compromised computers and to send copies of itself to all email addresses found on an infected computer. Bagle email worms can also receive remote commands to integrate with other malicious applications.

#Spam levels have fallen consistently from a peak of 85.2% in 2009 to 66.76% in 2014 #KLReport

Tweet

Third came Trojan.JS.Redirector.adf, which was the most widespread malware in Q3. The malware spreads via email in a passwordless ZIP archive. It appears as an HTML page with an integrated script which, when opened by users, redirects them to an infected site. There it usually offers to load Binbot — a service for the automatic trading of binary options, which are currently popular on the net.

Representatives of the Bublic family occupy 4th and 7th positions in the Top 10. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers. They often download a ZeuS/Zbot modification. The Trojans of the Bublic family appear as EXE files but use the Adobe document icon to mislead the victim.

Email-Worm.Win32.Mydoom.l is in 5th place. This network worm with a backdoor functionality is spread as an email attachment via file sharing services and writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. The worm also enables attackers to remotely control the infected computer.

In 2014, the proportion of spam in email traffic was 66.76% #KLReport

Tweet

Trojan-Banker.Win32.ChePro.ilc. ended the year in sixth position. This downloader appears as a CPL applet (a component of the control panel) and, as is typical for this type of malware, it downloads Trojans developed to steal bank information and passwords. These banking Trojans mainly target online customers of Brazilian and Portuguese banks.

Eighth isTrojan-Downloader.Win32.Dofoil.ea. This Trojan downloads other malicious programs onto the victim computer to steal various user information (mainly passwords) and send it to the fraudsters.

Backdoor.Win32.Androm.daxcame 9th. This malicious program belongs to the Andromeda/Gamarue family of universal bot modules. The main features of these malware programs are the ability to download, store and run executable files, downloading and loading DLL (without saving on disk), downloading plugins and the ability to update and delete themselves. The bot's functionality is enhanced with a system of plugins that can be downloaded by the cybercriminals whenever necessary.

Exploit.JS.CVE-2010-0188.f rounds off the Top 10. This particular exploit appears as a PDF file and uses a vulnerability in version 9.3 and lower of Adobe Reader. This vulnerability has been known for a long time and poses no danger to users who update their software regularly. However, when it encounters an old version of Adobe the exploit downloads and runs the executable file Trojan-Dropper.Win32.Agent.lcqs. The dropper installs and runs the malicious script Backdoor.JS.Agent.h, which collects information about the system, sends it to the attackers' server and receives various commands in response. The commands and the results of their execution are transmitted in an encrypted form.

The Andromeda family remains the most widespread malware family. It accounted for 11.49% of all malware detected in malicious attachments. These programs allow the attackers to secretly control infected computers, which often become part of a botnet.

Second came ZeuS/Zbot (9.52%), one of the most popular and widely-available programs designed to steal banking information and, as a consequence, users' money. This program is often downloaded on to a victim computer by loader programs distributed via spam mailings.

Bublik (8.53%) completes the Top 3. This is a family of malicious loader programs that downloads modifications of the Zeus/Zbot family onto a compromised computer.

Countries targeted by malicious mailshots

Distribution of email antivirus activations by country, 2014

For the third year in a row the Top 3 countries most targeted by malicious mailshots remains unchanged: the US, the UK and Germany. The USA (9.80%) maintained its leading position despite the 2.22 pp decrease in the number of antivirus activations. Britain came second with 9.63% (-1.63 percentage points). Germany was third with 9.22%.

Of special note is France (3.16%) which climbed from 16th to 9th position in the rating.

Russia (3.24%) occupied 8th place, one position up from the previous year.

Spammers' tricks

In 2014, spammers had a mix of old and new distribution tricks to lure in users.

We came across emails containing attached archives with the .arj extension. This format was introduced long ago and is rarely used now. Therefore, even users who are wary of attached archives do not always recognize this attachment as potentially dangerous. The ARJ archiver has a further advantage as it can reduce file sizes to the minimum.

In addition to nonstandard archives, spammers also sent out malicious emails containing files with unusual extensions for attachments, such as .scr. This extension usually denotes a screensaver.

One of the most common types of malicious spam and phishing are fake bank notifications. In 2014, spammers began to complicate the design of fake messages by adding more links to official resources and services from the organizations that were mimicked in the fake notifications. Obviously, the attackers hoped that an email with a few legitimate links would be recognized as legitimate by users and spam filters alike. Meanwhile, the email contained a single fraudulent link; after clicking it an archive containing a malicious program was downloaded onto the victim computer.

In some cases, cybercriminals used different URL shorteners to mask the real link. Eventually they redirected the user to a popular cloud storage where a malicious program was hosted under the disguise of an important document.

Phishing

When preparing statistics on phishing we applied the methodology that was first used in our report "Financial cyber threats in 2013" published in April 2014. As a result the data on phishing for 2014 should be compared with the data in that report (not with the report "Spam in 2013").

The data source

The report is based on the data about Antiphishing system activations collected by Kaspersky Security Network. The Antiphishing system contains of three components:

2 deterministic:

  • Offline phishing contains a database of the most relevant phishing wildcards* and is located on users' devices. It is triggered when the system encounters a link that matches one of the phishing wildcards in the database
  • Cloud anti-phishing contains all known phishing wildcards*. The system refers to the cloud if the user encounters a link that is not included in the local anti-phishing database. Cloud databases are updated much quicker than local databases.

Heuristic:

  • The heuristic web component of the antiphishing system. This component is triggered when a user clicks on a link to a page with phishing content but information about this page is not yet available in the Kaspersky Lab databases.

* Phishing wildcards are a set of symbols to describe a group of links detected by the system as phishing. One phishing wildcard can help detect several thousand active links to phishing sites.

In 2014 the computers of users of Kaspersky Lab products recorded 260,403,422 instances that triggered the antiphishing system. Of these, 55% (143,827, 512) involved activation of the deterministic component, and 45% (116, 575, 910) came from the heuristic web component.

Phishing links: not only in email

The deterministic components of the antiphishing system (cloud and offline) check links in the user's browser and messages received via IM or email. Only 6.4% of all the activations of these components come from links in emails. This suggests that today, instead of traditional phishing mass mailings, phishers are using other ways to spread links and new scams.

Kaspersky's #antiphishing system was triggered 260,403,422 times in 2014 #KLReport

Tweet

Currently links to phishing sites are more often distributed via social networks. It's not just about using stolen accounts; fraudsters are also involving unwitting users in sending out phishing links to their friends in social networks.

For example, in July 2014 this particular trick was used to spread a link to the petition in support of Uruguayan footballer Luis Suárez via social networks. To sign the petition, users had to enter their personal data, which then went to the phishers. After that, the victim was invited to share the link with his friends on Facebook. As a result, the link to the phishing page spread quickly among football fans and their friends.

An example of a phishing page distributed with the help of social networks

Phishing emails

All this should not be taken as evidence that fraudsters have stopped spreading phishing links via email. It is still the most popular way of distributing links to fake pages of financial institutions. Perhaps that's why scammers usually send out emails containing links to phishing sites on weekdays when the users check their e-mail \at work.

Activation of the deterministic components of the antiphishing system on the users' mail clients

Fraudulent schemes utilizing phishing emails with malicious attachments, HTML files or HTML forms inserted in the body of the message are also popular with fraudsters.

Attaching HTML files or HTML forms allows fraudsters to reduce the costs of maintaining the page on the Web. The standard scheme looks like this. User receive a fake notification from an organization that informs them their accounts have been blocked, their data has leaked or some suspicious activity was logged. To help solve the problem, users should update their personal information in the attached file or form. The data entered by the victims goes straight to the scammers. Over the past year we found dozens of mailings like this purporting to come from various financial institutions and other organizations.

An email with an attached HTML file

A phishing attack using HTML attachments to target the customers of a specific organization is often a means of extracting a wide range of financial information from victims, not of all of which necessarily relates to the company used in the scam.

An email with an attached HTML file

The examples above show the tricks that fraudsters use trying to get not only credentials to access online accounts, but also other personal information including bank card data.

Big game hunting

As mentioned above, when attacking customers of various organizations, fraudsters often try to get not only the victim's account data but also the bank card details and other confidential information. In this way, some scammers collect valid e-mail address, perhaps to sell them to spammers. Others pose as a bank or similar organization that is concerned about security and use that mask to steal the user's financial information and then his money.

The increased danger of phishing schemes consists of this: no matter what anti-fraud schemes are in place to protect customers (double, triple verification, one-time passwords, etc), they can only protect the account. If the user passes personal data to fraudsters there is little that can be done to stop that information being used to access the account.

We have already given examples of an "extended" phishing attack that utilizes HTML attachments. Yet another example is this phishing attack on PayPal. The traditional scam directs victims to a phishing page that mimics the site of the payment system. Unwary users input their usernames and passwords, sending them to the fraudsters. A further page opens and request bank card data and other information. The users believe they are safely logged onto PayPal and enter the information without a second thought. Once the scammers have that info, they redirect users to the official PayPal site leaving their victims none the wiser about the data theft.

A phishing attack on PayPal

The attackers may not be able to get into the victim's PayPal account because the company has additional protection measures. But they will have enough information to be able to steal money in other ways.

A phishing attack on one of the largest organizations in the telecommunications industry is another good example. At first glance, the fraudsters need a login and password to access the user's personal account. However, once the victim enters a fake account, the scammers not only ask for the card data but also for all other information that may be useful for them to manipulate the victim's money.

A phishing attack targeting the victim's personal information

The geography of attacks

In 2014 phishing attacks were registered in almost all countries worldwide.

Top 10 countries by percentage of attacked users

Brazil had the highest proportion of users subjected to phishing attacks (27.47%).

The percentage of users on whose computers the antiphishing system was triggered out of the total number of users of Kaspersky Lab products in the country, 2014

Top 10 countries by percentage of attacked users

  Country % of users 1 Brazil 27.45 2 Australia 23.76 3 India 23.08 4 France 22.92 5 Ecuador 22.82 6 Russia 22.61 7 Kazakhstan 22.18 8 Canada 21.78 9 Ukraine 20.11 10 Japan 19.51

In 2014, the percentage of attacked users in Brazil grew by 13.81 percentage points compared with 2013 (when Brazil was 23th in the rating). This intense burst of phishing activity in Brazil is probably connected to the 2014 World Cup, which brought thousands of fans from around the world to the South American country.

The distribution of attacks by country

Russia had the greatest share of phishing attacks, with 17.28% of the global total. The percentage of users in this country on whose computers the Kaspersky Lab antiphishing system was up 6.08pp from the previous year.

Distribution of phishing attacks by country in 2014

The increase in the number of attacks on the users in Russia is probably related to the deteriorating financial situation in the country in 2014. People are making more transactions as they try to invest their savings and make online purchases. At the same time many users are worried, giving scammers more opportunities to apply their social engineering techniques and play on those fears.

Last year's leader - the US (7.2%) - moved down to second place, with a 23.6 percentage point drop in the number of attacked users. It is followed by India (7.15%) and Brazil (7.03%), where rates increased by 3.7 pp and 5.11 pp respectively.

Organizations under attack

These statistics on the organizations used in phishing attacks are based on the triggering of the heuristic component of the antiphishing system. The heuristic component is triggered when a user follows a link to a phishing page and there is no information about this page in the Kaspersky Lab databases.

Distribution of organizations subject to phishing attacks by category, 2014

In 2014 we saw changes in the organizations targeted by phishers. Last year's leader, the 'Social networking and blogs' category dropped 19.62 pp to 15.77%, and was overtaken by 'Global portals', which gained 19.29 pp and reached 42.59%. Global Portals was previously described as 'E-mail' in earlier reports. The change is no big surprise: Google, Yahoo!, Yandex and similar companies are constantly developing their services and offering new options, from email and social networks to e-wallets. This is very convenient for users because everything is available under one account; it's also a boon for scammers because one password can unlock a huge range of digital resources. That's why Yahoo! and Google came into the top 3 most-frequently attacked organizations, sandwiching Facebook.

Top 3 attacked organizations

  Organisation % of phishing links 1 Yahoo! 23.3 2 Facebook 10.02 3 Google 8.73

In 2014 the numbers for Yahoo! (23.3%) grew by 13.3 percentage points compared with the previous year (partly due to a sharp increase in the number of fraudulent links to fake Yahoo! pages at the beginning of January 2014).

The share of phishing attacks on financial institutions was 28.74%, a 2.71 pp drop from 2013. Within this sector the percentage of attacks on the banking sector declined (down 13.79 pp from 2013). At the same time the numbers for "Online stores" and "Payment systems" rose by 4.78 pp and 9.19 pp respectively.

Distribution of financial phishing by the type of organization attacked, 2013

Distribution of financial phishing by the type of organization attacked, 2014

You can read more about financial phishing in our report "Financial cyber threats in 2014: times have changed".

Conclusion

The percentage of spam in email traffic continues to decline; we do not expect a significant change in these numbers in 2015.

We expect a further reduction in the amount of advertising spam and an increase in the number of fraudulent and malicious emails. At the same time we will see more carefully designed fake messages, in which attackers will use even more elaborated tricks (such as malicious attachments with unusual extensions like .arj, .scr).

Fraudsters use a variety of methods to distribute phishing content. However, time-proven phishing mass mailings are still popular and are likely to remain so for a long time.

For their phishing attacks scammers choose the clients of the most popular organizations, thereby increasing the likelihood of a successful attack. At the same time, many attacks are conducted in order to get maximum personal, primarily financial, information from the victim. We assume that this trend will continue in the future.

'Locked Out'

Thu, 03/12/2015 - 07:00

Today the great majority of malware is created with the aim of enrichment.  One of the tactics often used by evildoers is to encrypt files and demand a ransom for their decryption. Kaspersky Lab classes such programs as Trojan-Ransom malware, although there is another widely used and resonant name – encrypters.

Encrypters have become a serious problem for users, especially corporate users.  And related topics attract the most posts and readers on our forum.

Despite all the efforts of the anti-virus companies we don't expect an easy victory over encrypters in the short term.  There are at least two good reasons for this:

  1. Encrypters are constantly evolving.  It is a battle of arms and armour: the defence gets better – the weapons get better.
  2. The attack is not carried out on the user's computer but on the system of computer + user.  That is, one of the attack vectors is human.  A person is subject to emotions and irrational acts.  A person is capable of ignoring the warnings of the defence systems or turning it off altogether.  This is precisely what the evildoers are counting on.

In this article we look at the evolution of complication of the encryption schemes used by virus writers and the methods they adopt to put pressure on their victims.  At the end of the article there is some advice for users which might help them protect important files.

The evolution of encrypters: from simple to complex

Serious antivirus companies devote special attention to protection against encrypters. To counter the improved systems of defence virus writers need to change their programs regularly. And they change almost everything: the encryption schemes, means of obfuscation and even the formats of executable files.

Virus writers change the encryption schemes, means of obfuscation and even the formats of executable files

Tweet

We will consider the evolution of encrypters in terms of the methods of encryption and cypher schemes employed. Depending on the cypher scheme used and the method of obtaining the key, in some cases it is possible to easily decypher the encrypted data and in others it is impossilbe to do so within a reasonable time.

Encryption with an XOR operation

We begin with programs that use the most primitive encryption.  A typical example of such malware is the Trojan-Ransom.Win32.Xorist family.  It has the following characteristics:

  • Xorist is one of the few encrypters that carries out its threat and damages the users files when several incorrect attempts are made to enter the password.
  • An XOR operation is used to perform the encryption.  The vulnerability of this encryption scheme is that it is possible to easily decrypt files because of the well-known standard file headers.  To counter this attack Xorist encrypts files not from the very beginning but after an interval.  By default this interval is 104h bytes but this can be changed at compilation.
  • To complicate the encryption algorithm the key is randomised with the help of the first letter of the file name.

Fragment of a file encrypted by an encrypter of the Xorist family: the eight byte key is clearly visible

On the whole, despite all the cunning of the creators of Xorist the files encrypted by it can be entirely decrypted relatively easily.  Maybe for that reason at the moment the Xorist family of malware is hardly ever encountered in the wild.

To combat Trojan-Ransom.Win32.Xorist the specialists of Kaspersky Lab created the utility XoristDecryptor.

Symmetrical Encryption

A symmetrical encrytion scheme is a scheme that uses a pair of keys for encrytion and decryption that are symmetrical to each other (this is why this scheme is called symmetrical).  In the great majority of cases in such schemes one and the same key is used for encryption and decryption.

If the key is embedded in the body of the encrypter, if one has access to the body of the malware it is possible to extract the key and create an effective utility to decrypt the files.  Such malware usually tries to delete itself after encrypting the files.  An example of this type of program could be one of the modifications of the Rakhni family.  Keys that were detected were added to the utility RakhniDecryptor.

If the key is recieved from the attacker's server or generated and sent to it then having an example of the malware yields little — an example of the key is necessary, and it is on the attacker's server.  If it is possible to recover the key (for obvious reasons the malware tries to delete such key after use) then it is possible to create a utility for decryption.  In this case a system that caches the internet traffic of the user may be useful.  An example of this type of malware is Trojan-Ransom.Win32.Cryakl.

Assymetric encryption

Assymetric encryption is the name given to those schemes in which the encryption and decryption keys are not related in an obvious symmetrical way.  The encrytion key is called the open or public key and the decryption key is the secret or private key.  Calculating the private key from a known public key is a very complicated mathematical task which is not possible in a reasonable time using modern computing capabilities.

At the heart of assymetrical cypher schemes is the so-called trapdoor one-way function.  Put simply this is a mathematical function that depends on a parameter (secret).  Without knowing the secret parameter the value of the function is calculated comparatively easily going one way (for a given value argument we can calculate the value of the function) and extremely difficult in the reverse direction (knowing the value of the function to calculate the value of the argument).  However everything changes knowing the secret parameter — with its help it is possible to reverse the function without particular difficulty.

Assymetric encryption with one key pair

If the public key is embeded in the body of the malware the presence of the malware without the private key is almost no help in decyphering the files (but does help in detecting the program and others like it in the future).

However if the private key becomes known (and it should at least be contained in the decrypter which the evildoer is offering for sale), then it becomes possible to decrypt the data for all users affected by the modification of the program using that public key.

An example of malware of this type is Trojan-Ransom.Win32.Rector.  The characteristics of this family are as follows:

  • Uses assymetric encryption and the public key is hidden in the body of the encrypter.
  • To speed up the encryption of files it doesn't encrypt them all at once but in small sections.  The encrypted sections are added on to the end of the file and their space is filled in with sequences with a frequency of one byte.  Because of this the encrypted file gains a typical 'scratched' appearance.

File fragment encrpted by a program from the Rector family

  • One defect of this scheme for the evildoer is that for the decryption of the files it is necessary to hand over the private key, which can be used to decypher all files encrypted by this modification of the malware.

Thus, although direct decryption of the files is impossible, several users suffering from one and the same modification of the malware can unite and buy one decoder for all of them.  Also users and other interested persons send decoders to us.  The private codes received are added to the RectorDecryptor.

If the public key is obtained from the evildoer's server (which allows the use of a unique public key for each user) then the presence of the body of the malware doesn't help in the decryption of the data — it is necessary to have the private key.  However the body of the program helps identify and block the malware server and this helps protect other users.

Encryption using several keys

To ensure a unique decoder for each user schemes with several keys are used.  For this the key for encryption of data is generated on the victim's computer.  It might be a symmetric key or an assymetric key pair.  The algorithm for key generation is chosen so that the resulting key is unique for each affected user.  In other words the chances of these keys being the same in any two cases should be extremely small.  However sometimes the malware creators make a mistake and the key is generated from a relatively small range of possible values.  In this case the user's data can be decyphered by trying all possible values of the key.  However such cases have been rare lately.

The user's data is encrypted using the generated key.  Then the key that is necessary to decypher the data is encrypted itself using another public key.  This public key is generated earlier and the accompanying private key is not in the body of the encrypter but instead that private key is known to the evildoer.  Then the original key necessary for decyphering the data is deleted and only the encrypted version remains on the user's computer.

Now, having received the encrypted copy of the key the evildoer can extract the key from it that is needed to decypher the user's data and include it in the decoder.  And this decoder will be useless for other affected users.  Which, from the point of view of the evildoers, is a great improvement over the two-key schemes described above.

There is no algorithm to decrypt files encrypted with the RSA with a key length of 1024 bits in an acceptable time

Tweet

An example of malware using a scheme with several keys is the Trojan-Ransom.BAT.Scatter family. The Scatter family has several significant features:

  • A more advanced encryption scheme is used with two pairs of assymetric keys, which allows the evildoers to encrypt the files of the victim without revealing their private key.
  • Samples of this family are written in scripting languages, which allows the malicious functions to be easily changed.  Scripts are easier to obfuscate and this process is easier to automate.
  • The samples have a modular structure.  The modules are downloaded from the wrongdoers' website during the running of the script.
  • Renamed legitimate utilities are used for the encryption of files and deletion of the keys. 
  • A high level of automation of the process has been achieved.  Almost everything is automated, the malware objects are automatically generated, letters are sent out automatically.  Furthermore, according to the malefactors the process of handling letters from victims and further contact with the victims has been automated.  The decyphering of test files of the victim, evaluation of the cost of the information, the provision of bills, checking payment and sending out decoders all happen automatically.  It is difficult for us to check the truth of this information but taking into account data obtained from studying the modules of Trojan-Downloader.BAT.Scatter there is no reason not to believe these claims. 

The Scatter family appeared quite recently: the first samples were detected by Kaspersky Lab specialists at the end of July 2014.  In a short time it significantly evolved, providing itself with the functionality of Email-Worm and Trojan-PSW.

From 25 July 2014 to 25 January 2015 we detected 5989 attacks with the use of Trojan-Downloader.JS.Scatter on 3092 users.

Number of detected downloadings of Trojan-Downloader.JS.Scatter. The spike in the middle of November is the result of a new modification spreading in the USA

The geography of distribution of Trojan-Downloader.JS.Scatter downloads 25 July 2014 — 25 January 2015

This family is worth discussing in more detail as we can say with certainty that the Trojan-Downloader.*.Scatter family is a new step in the evolution of encrypters.

Technical details: Scatter, a new evolutionary step

The Scatter program family is multimodule script multifunction malware. As an example we chose the modification of the encryption module which is detected as Trojan-Ransom.BAT.Scatter.ab which started to appear with regularity in the middle of October.

More Trojan-Downloader.JS.Scatter.i download module

The malware download module is spread in email attachments. The filenames are specially chosen by the attackers to make the letter seem legitimate and end up with the accounting staff.

FullName HitsCount ./draft collation act.zip// unpaid bills. Draft collation act for two months – accountancy dept agreed till 14 October 2014_mail.attachment_scannеd.avast.ok.dос .js 4386 scan copy of debts 2014.zp//unpaid bills . Draft collation act for two months – accountanct dept agreed till 14 October 2014._mail.attachment_scannеd.avast.ok.dос .js 402 unpaid bills. Draft collation act for two months – accountancy dpet agreed till 14 October 2014_mail.attachment_scannеd.avast.ok.dос .js 241 Draft collation act.zip 22

The most popular names of the Scatter download modification appearing in the first half of October

If a user attempts to open the attachment they start the downloader, which is an obfuscated JavaScript and is detected by Kaspersky Lab as Trojan-Downloader.JS.Scatter.i

Fragment of the obfuscated code of the downloader Trojan-Downloader.JS.Scatter.i

After being started by the user the downloader downloads five other objects from the malefactor's site.  These files are saved in a directory defined by the variable %TEMP%.  Not all of these five objects are harmful:

  • fake.keybtc – is a renamed version of the legitimate program gnupg gpg.exe intended for carrying out cryptographic operations.
  • night.keybtc – is a renamed version of the library iconv.dll necessary for gpg.exe to work properly
  • trash.keybtc – is a renamed version of the utility sdelete.exe from Microsoft designed to reliably delete files.
  • key.block – is a malicious command script that uses the utilities above to encrypt files.  This object is detected by Kaspersky Lab as Trojan-Ransom.BAT.Scatter.ab
  • doc.keybtc – this file is in the Microsoft Word format.  The downloader renames this file as word.doc and then tries to run it.  If there is a program for looking at .doc files on the user's computer the user sees the following picture:

The beginning of the Microsoft Word document shown to the user by the downloader Trojan-Downloader.JS.Scatter.i

This document doesn't contain any malicious code.  Its task is too reduce the alertness of the user and distract his attention from the processes taking place on his/her computer.

In the meantime the downloader renames the file key.block to key.cmd and runs it.  At that the work of the downloader is finished and Trojan-Ransom.BAT.Scatter begins.

The sequence of actions of the encrypter Trojan-Ransom.BAT.Scatter.ab 1. Preparation
1.1. Rename the legitimate files it needs with extensions that can be used.
1.2. Check the presence of the special file containing in its name the client identifier and the current date. If such a file exists the encrypter considers that the files are already encrypted and doesn't do anything else. This prevents the rewriting of the special files KEY.PRIVATE and UNIQUE.PRIVATE, created by the Trojan during encryption (more details on these below).
1.3. Check the presence of the directory %AppData%\BitCoin. If this directory exists then later the Trojan tries to steal the BitCoin wallet data.
1.4. Check the existence of the file "%TEMP%\partner.id". This confirms the information found earlier about the presence of the partner programs spread by Scatter. (It is interesting that in some communications on infected computers the wrongdoers offered their victims to decypher their files in exchange for certain services and even promised money for these services. It is possible that in this way they are trying to turn the user into a partner.)
1.5. Generate a key pair (public and private keys: files pubring.gpg and secring.gpg respectively) with the parameters:
Key-Type: RSA
Key-Length: 1024

This type of encryption is currently considered effective: there is no algorithm to decrypt files encrypted with the algorithm RSA with a key length of 1024 bits in an acceptable time without knowing the private key.

1.6. Extract the public key from the body of the malware and  use it to encrypt the file secring.gpg, the private key of the key pair, as a result obtaining the file secring.gpg.gpg.  After that secring.gpg is deleted with the help of the legitimate utilitysdelete.exe and its location rewritten 16 times.  If for some reason it is impossible to delete the unencrypted key using sdelete the Trojan tries to delete it itself, writing over it several times with rubbish.  Multiple rewriting of the location of the file is necessary so that the private key can not be recovered even using special programs for restoring deleted data.
1.7. Copy the encrypted private key (secring.gpg.gpg) under the name %TEMP%\KEY.PRIVATE", which the malware tries to do twice for reliability.  Then it once more checks the presence of KEY.PRIVATE.  If it isn't there and neither is secring.gpg the Trojan doesn't carry out encryption and goes straight to distribution of its loader (item 3)
2. Encryption
2.1. Before the start of encryption the Trojan generates a script with a list of files which it will encrypt.  It does this in two stages:
  • First it looks for and adds to the file databin.lst the paths to files with the following extensions:
    *.xls *.xlsx *.doc *.docx *.cdr *.slddrw *.dwg *.pdf.
  • Then it adds to databin.lst the paths to files with the following extensions:
    *.mdb *.1cd *.accdb *.zip *.rar *.max *.cd *.jpg.

Why does it do this?  The RSA algorithm is reliable but extremely slow.  Therefore the malware 'is afraid' that it might start encrypting large files or a directory with a lot of photographs and that something might interfere with it.  For instance the user might switch off the computer.  Therefore the Trojan first of all tries to encrypt small files that are potentially important for the organisation and then moves on to media such as disks and other large volumes of data.

Apart from the list for encryption, the names of files and their size the database UNIQUE.BASE is added to the file.  This database contains the name of the computer and name of the user.  Later the database created will help the evildoers evaluate the size and value of the encrypted information, so as not to undersell their 'goods' and seek the maximum price for decryption.

Then the list of files and database are filtered from files located in utility directories.  As a result the 'filtered' files UNIQUE1.BASE and bitdata1.bin are created.

2.2. The file UNIQUE1.BASE is encrypted with the public key pubring.gpg, which was generated at the begining of the operation of the encrypter. The resulting encrypted file is renamed UNIQUE.PRIVATE and the file UNIQUE1.BASE is deleted.
2.3. The files UNIQUE.PRIVATE and KEY.PRIVATE are copied straightaway in several places so that the user can find them easily. These files are encrypted and the user can not decypher them without knowing the private key of the attackers.
2.4. The Trojan generates a message to the user and adds it to the autoloader:

Fragment of the message of the evildoers (translation from the Russian):

For system administrators:

1. Your information has been encrypted using RSA-1024 assymetric encryption, used by the military.  Breaking it is impossible.
During encryption the special ID-file KEY.PRIVATE was copied to various places on the computer.  Do not lose it!
For each computer a new ID-file is created.  It is unique and contains the code for decryption.  You will need this.
'Temporarily blocked' means that the files are modified on the byte-level using a public 1024 bit RSA key.

2. And so, our further actions are as follows:

2.1. You can contact us only using the email address ************@gmail.com
2.2. First of all you need a guarantee that we can decypher your files.
2.3. Contact us.  The structure of your email should be as follows:

  • include your ID-file KEY.PRIVATE (!!) - look for it on your computer, without it it will not be possible to re-establish your data.
  • 1-2 encrypted files to check the possibility of decryption
  • the approximate number of encrypted files/computers

2.4. You will recieve a guarantee and the cost of your key within one hour
2.5. Next payment should be made, the minimum cost will be 150 euros
2.6. We will send you your key, you should put it in the same directory as the decoder (DECODE.exe)
2.7. When the decoder is started the concealed decryption of your data is carried out.  You should not start this process more than once.
2.8. The process of decryption might take up to 12 hours in stealth mode.  At the end of the process the computer will reboot.

2.5. The Trojan renames bitdata1.bin (the script for the encryption of data generated earlier) as bitdata.cmd and starts it running. As a result the user's files are encrypted and the email address of the evildoers is added to their extensions.
2.6. After successful encryption the mark BITM is added to all files UNIQUE.PRIVATE and KEY.PRIVATE
3. Distribution of loader by electronic mail
3.1. The Trojan downloads additional components allowing it to collect passwords from the same site of the wrongdoers that the loader used earlier.  These components are downloaded in parts and assembled on the victim's computer.
3.2. With the help of the downloaded components the evildoer looks for user passwords for mail services Mail.ru, Yandex.ru and Gmail on the infected computer.  Any passwords found are sent to a special email address of the malefactor and data from any located BitCoin wallets are also sent there.
3.3. The malware generates 15 variants of letters.  They are all linked by a legal and not an accounting theme on this occasion.

With the help of passwords to mail services obtained earlier the Trojan connects with the mail servers and obtains the headers of letters received.  Email sendouts and automatic mesages are filtered out of the emails received.  All the remaining email addresses are sent one of the 15 possible versions of the letters, selected with the help of a random number generator.

It is interesting that regardless of the text of the letters, one and the same attachment is added — the archive with password '1'.  This archive is downloaded from the same site of the attacker before the start of the mail out.  Inside the archive is a file with a long name in Russian, which translates as:

Complaint concerning unpaid debts. Legal department — Confirmed and agreed for dispatch to debtor_October 2014_ Avast.ОК.dос .js

In several cases the theme of the letter and the name of the attachment do not match each other — this is a drawback of the automatic generation of letters and malware objects.

The object with the long name is the JavaScript Trojan-Downloader.JS.Scatter.i described earlier but already with another obfuscation.

Code fragment of the downloader Trojan-Downloader.JS.Scatter.i with another obfuscation

Despite the obfuscation both scripts are successfully detected by Kaspersky Lab products, both by signature and using heuristics written over a year ago, before the appearance of this type of malware.

To the aid of the bad guys: the human factor

The business of cyber-blackmailers is flourishing. In 2014 Kaspersky Lab recorded more than seven million attacks on its users with the use of objects from the Trojan-Ransom family.

In 2014 Kaspersky Lab recorded more than 7 million attacks with the use of encrypters

Tweet

Number of attacks by encrypters blocked every month by Kaspersky Lab in 2014

Malefactors ever more frequently prefer to receive payment in the crypto-currency BitCoin.  Although prices for users by habit are indicated in rubles, US dollars and euros.  The prices for decryption for simple users start at 1000 rubles and increase to several hundred dollars.  In the case of encryption of the files of an organisation the appetite of the malefactors increases by on average a factor of five.  There are cases known when 5000 euros was demanded for file decryption.  Unfortunately, for companies that have lost their data it is often simpler to pay than lose important information.  It is no surprise that organisations are the main target of evildoers utilising encrypters.

Why are encrypters able to inflict such damage?

As was mentioned above, most antivirus companies constantly improve their defences against encrypters.  For instance Kaspersky Lab has implemented special technical 'Protection against Encrypter Programs' in its products.  However, as is well known, the weakest point in IT protection is the user.  And in the case of encrypters this is extremely relevant.

We conduct special events dedicated to combatting this type of malware.  These events include a whole complex of measures: analysis of all incidents that have occured at organisations contacting our technical help service (using both our own and other antivirus products); search for and collection of samples of encrypters; analysis of the work of each defensive component of our products in each event that happened; improvement of existing and development of new methods of detecting and remedying the consequences of the actions of encrypters.  This is painstaking work and takes a lot of time, but it is necessary for our products to deal successfully with this constantly changing threat.

In our research we often see file encryption attacks made possible by employees working with antivirus disabled

Tweet

During these investigations we often come across instances of the encryption of files in organisations as a consequence of their employees working with the antivirus program switched off.  And these are not isolated cases, our technical help service encounters such cases several times a week.

It seems to us that one possible reason for such carelessness among users, strange as it may seem, is down to significant technical progress.  The improved defences of browswers and operating systems has led to a state where today users encounter the threats of malicous programs less often than previously.  As a result some of them, not thinking, switch off individual components of their antivirus products or don't use them at all.

Much has been said about the need to regularly update programs.  Nevertheless we once again note the importance of keeping anti-virus programs up to date.  We have investigated cases of encryption of files at organisations that happened for one simple reason: the user, on arriving at work, started to read their mail not waiting for the anti-virus database to update — and that update contained a signature capable of identifying the malware involved.

On the other hand it is worth remembering that no product, no matter how modern, can provide 100% protection against malware appearing on the computer.  Belief in the absolute defence of a 'super-anitvirus program' leads to users being careless — for instance opening file attachments in suspicious letters or unthinkingly clicking on dangerous links.  The availability of 'advanced' systems of defence does not relieve the user of the need to follow the security policy.

Make back-up copies of all important files on separate media off the computer

Tweet

The lack of back-up copies of important files plays its part in the success of encrypters.  Earlier it was possible to lose data not only as a result of the operation of malware but because of failure of the data medium or one's own legitimate programs, used to operate on important data.  But in recent decades the reliability of media and programs has improved dramatically.  And most users have stopped making back-up copies of their data.  As a result, if a computer is infected with an encrypter it simply paralyses the normal work of the company and the chances of the attacker receiving money for decrypting the data increase accordingly.

Traps for the unwary: how users are attacked

If you compile a hit parade of the methods used to spread encrypters the first and second places would be taken resoundingly by email. In the first case the dangerous object is contained directly in the letter and in the second the letter doesn't contain the object itself but a hyperlink to it. In third place in terms of popularity we see attacks via a system for remote control of the computer (Microsoft's Remote Desktop Protocol or RDP). Such attacks as a rule are carried out on an organisation's servers.

RDP attack

Let's start with the rarest and simplest method.  In the event of an RDP attack the evildoer, having obtained remote access to the computer, first of all switches off the antivirus program and then runs the encrypter.  The main factors allowing such an attack via RDP are the use of weak passwords or a leak of information about the password from the user's record files. The introduction of a strict password policy will help resist such an attack:

  • a password must be tough to crack (complicated);
  • a password should be known only to its user;
  • a password should be changed regularly.
Attack via electronic mail

If an attack by RDP occurs without the user's involvement; an attack via email must be activated by the user him or herself by running a received file or clicking on a link in a letter.  This is achieved by social engineering methods used by the wrongdoer or, to put it more simply, by lying to the user.  The wrongdoer's strategy is often built on the fact that the person under attack is chosen because they have a job totally unrelated to information security.  Such people may not even know of the existence of such threats as malicious encryption of files.

The person under attack is chosen because they have a job totally unrelated to information security

Tweet Letter topics

The organisation receives a letter that sounds frightening, for instance a court case has been initiated against the organisation, the details of which are contained in the document attached.

A example 'letter from the court'. The attachment contains a Trojan-encrypter

The thinking of the evildoers is probably something like the following: frighten the victim with some imaginary threat, the fear of which outweighs the worry about opening an unknown email attachment.

For organisations this approach works especially well: the simple employee receiving such a letter bears an unexpected responsibility.  The employee tries to share the responsibility and consults his/her colleagues.  The evildoer's chances  that someone will open the attachment increase.  In several incident investigations  it turned out that the in-house lawyers of the victim organisations insisted that the attachment be opened.

Be suspicious of links and attachments in unexpected letters

Tweet

And to reduce the suspicions of the recipient the author of the letter might use official logos:

An example of a letter containing a link to a malicious object

Or the executable file might be built into a Microsoft Word document and be masked by an icon:

An example of how an executable file can be hidden in a Microsoft Word document

The malefactors also use a scheme when a Microsoft Word document contains unreadable text and a request to allow macros, supposedly to correct the appearance of the text. In actual fact after the operation of the macro the Trojan-encrypter will be loaded onto the computer.

An example of a Microsoft Word document 'convincing' the user to execute a malicious macro
The red text says 'To correct the display switch on macros'

The thing about filenames

The next social engineering technique is the use of special words in the names of files contained in the archives attached to the letter (or downloaded by the user). For instance it could be the word 'checked' or 'secure' plus the name of various anti-virus products. The aim of the malefactors is to make the user believe that the attachment has been checked by an anti-virus product.

An example of a malicious attachment using the name of an anti-virus product and the extension .js

The extensions for executable files are specially chosen to be unknown to the casual user.  Usually .scr, .com and .js are used.

A special mention goes to attachments apparently providing 'free security tutorials from Kaspersky Lab'.  Such letters are also sent in the name of other security companies.

Recommendations for users

Detailed recommendations for system administrators can be found here.
Here we give some brief recommendations for users:

  • Make back-up copies of all important files on separate media off the computer.
  • Switch on display extensions for registered file types.  This will help you to check that the document sent to you really is a document and not an executable file.  You need to check this even if the letter comes from a known sender.
  • Be suspicious of links and attachments in unexpected letters.  Curiosity and fear are the favourite instruments of wrongdoers, causing users to forget about being cautious and to open attachments.
  • Use the latest version of anti-virus products. As a rule their effectiveness increases with every new version thanks to new modules.  We earnestly recommend the users of our products to enable KSN.
  • And finally, wait for the anti-virus database to be updated before reading your morning mail.
  • System administrators (in addition to everything else) should keep users aware of threats.

Inside the EquationDrug Espionage Platform

Wed, 03/11/2015 - 07:00
Introduction

EquationDrug is one of the main espionage platforms used by the Equation Group, a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. (See full report here [PDF]).

EquationDrug, which is still in use, dates back to 2003, although the more modern GrayFish platform is being pushed to new victims.

EquationDrug represents the main espionage platform from the #EquationAPT Group

Tweet

It's important to note that EquationDrug is not just a Trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules on the machines of selected victims. The concept of a cyberespionage platform is neither new nor unique. Other threat actors known to use such sophisticated platforms include Regin and Epic Turla.

The EquationDrug platform can be extended through plugins (or modules). It is pre-built with a default set of plugins supporting a number of basic cyberespionage functions. These include common features such as file collection and the making of screenshots. Sophistication is added by storing stolen data inside a custom-encrypted virtual file system before it is sent to the command and control servers.

The name "EquationDrug" or "Equestre" was assigned to this framework by Kaspersky Lab researchers. The only reference left by the framework developers was a short string "UR", as seen in several string artifacts left in the binaries.

Platform Architecture

The EquationDrug platform includes dozens of executables, configurations and protected storage locations. Putting all the pieces of this puzzle together in the right order may take time for those who are not familiar with the platform.

The platform includes executables, configurations and protected storage locations #EquationAPT

Tweet

The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface. The platform includes a set of drivers, a platform core (orchestrator) and a number of plugins. Every plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved.

Similar to popular OS kernel designs, such as on Unix-based systems, some of the essential modules are statically linked to the platform core, while others are loaded on demand.

The hypothesis that these attackers have been active since the 90s seems realistic #EquationAPT

Tweet

The platform is started by the kernel mode driver component ("msndsrv.sys" on Windows 2000 or above and "mssvc32.vxd" on Windows 9x). The driver then waits for the system to start and initiates execution of the user-mode loader "mscfg32.exe". The loader then starts the platform's central module (an orchestrator) from the "mscfg32.dll" module. Additional drivers and libraries may be loaded by different components of the platform, either built-in or auxiliary.

Platform Components

The EquationDrug platform can be as sophisticated as a space station, but it appears to be of no use without its cyberespionage features. This function is provided by plugin modules that are part of the massive framework described above. We discovered dozens of plugins and each is a sophisticated element that can communicate with the core and become aware of the availability of other plugins.

The plugins we discovered probably represent just a fraction of the attackers' potential. Each plugin is assigned a unique plugin ID number (WORD), such as 0x8000, 0x8002, 0x8004, 0x8006, etc. All plugin IDs are even numbers and they all start from byte 0x80. The biggest plugin ID we have seen is 0x80CA. To date, we have found 30 unique plugin IDs in total. Considering the fact that the developers assigned plugin IDs incrementally, and assuming that other plugin IDs were assigned to modules that we have not yet discovered, it's not hard to calculate that 86 modules have yet to be discovered.

86 modules have yet to be discovered #EquationAPT

Tweet

The most interesting modules we have seen contain the following functionality:

  • Network traffic interception for stealing or re-routing.
  • Reverse DNS resolution (DNS PTR records).
  • Computer management:
    • Start/stop processes
    • Load drivers and libraries
    • Manage files and directories
  • System information gathering:
    • OS version
    • Computer name
    • User name
    • Locale
    • Keyboard layout
    • Timezone
    • Process list
  • Browsing network resources and enumerating and accessing shares.
  • WMI information gathering.
  • Collection of cached passwords.
  • Enumeration of processes and other system objects.
  • Monitoring LIVE user activity in web browsers.
  • Low-level NTFS filesystem access based on the popular Sleuthkit framework.
  • Monitoring removable storage drives.
  • Passive network backdoor (runs Equation shellcode from raw traffic).
  • HDD and SSD firmware manipulation.
  • Keylogging and clipboard monitoring.
  • Browser history, cached passwords and form auto-fill data collection.
Code Artifacts

During our research we paid attention to unique identifiers and codenames used by the developers in the malware. Most of this information is carefully protected with obfuscation or encryption algorithms to prevent quick recognition, but anyone who breaks through this layer of encryption may discover some interesting internal strings, as demonstrated below:

Some other interesting text strings include:

SkyhookChow Target
SkyhookChow Payload
Dissecorp
Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00
VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00
VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00
STRAITSHOOTER30.ex_
BACKSNARF_AB25
c:\users\rmgree5\co\standalonegrok_2.1.1.1\gk_driver\gk_sa_driver…
To install: run with no arguments
Attempting to drop
SFCriteria_Check failed!
SFDriver
Error detected! Uninstalling...
Timeout waiting for the "canInstallNow" event from the implant-specific EXE!
Trying to call privilege lib...
Hiding directory
Hiding plugin...
Merging plugin...
Merging old plugin key...
Couldn't reset canInstallNowEvent!
Performing UR-specific pre-install...
Work complete.
Merged transport manager state.
!!SFConfig!!

Some other names, such as kernel object and file names, abbreviations, resource code page and several generic messages, point to English-speaking developers. Due to the limited number of such text strings it's hard to tell reliably if the developers were native English speakers.

Link Timestamp Analysis

We have gathered a reasonably large number of executable samples to which we have been able to apply link timestamp analysis.

A link timestamp is a 4-bytes value stored in an executable file header. This value is automatically set by compiler software when a developer builds a new executable. The value contains a detailed timestamp including minutes and even seconds of compilation time (think of it as the file's moment of birth).

Link timestamp analysis require the collection of the timestamps of all available executables, grouping them according to certain criteria, such as the hour or day of the week, and putting them on a chart. Below are some charts built using this approach.


Can we trust this information? The answer is: not fully, because the link timestamp can be altered by the developer in a way that's not always possible to spot. However, certain indicators such as matching the year on the timestamp with the support of technology popular in that year leads  us to believe that the timestamps were, at the very least, not wholly replaced. Looking at this from the other side, the easiest option for the developer is to wipe the timestamp completely, replacing it with zeroes. This was not found in the case of EquationDrug. In fact, the timestamps look very realistic and match the working days and hours of a well-organized software developer from timezone UTC-3 or UTC-4, if you assume that they come to work at 8 or 9 am.

The timestamps match the working days of software developer from timezone UTC-3 or UTC-4 #EquationAPT

Tweet

And finally, in case you are wondering if the developers work on public holidays, you can check this for yourself against the full list of their working dates:

2001.08.17 2007.12.11 2009.04.16 2011.10.20 2012.08.31 2013.06.11 2001.08.23 2007.12.17 2009.06.05 2011.10.26 2012.09.28 2013.06.26 2003.08.16 2008.01.01 2009.12.15 2012.03.06 2012.10.23 2013.08.09 2003.08.17 2008.01.23 2010.01.22 2012.03.22 2012.11.02 2013.08.28 2005.03.16 2008.01.24 2010.02.19 2012.04.03 2012.11.06 2013.10.16 2005.09.08 2008.01.29 2010.02.22 2012.04.04 2013.01.08 2013.11.04 2006.06.15 2008.01.30 2010.03.27 2012.04.05 2013.02.07 2013.11.26 2006.09.18 2008.04.24 2010.06.15 2012.04.12 2013.02.21 2013.12.04 2006.10.04 2008.05.07 2011.02.09 2012.07.02 2013.02.22 2013.12.05 2006.10.16 2008.05.09 2011.02.23 2012.07.09 2013.02.27 2013.12.13 2007.07.12 2008.06.17 2011.08.08 2012.07.17 2013.04.16   2007.10.02 2008.09.17 2011.08.30 2012.08.02 2013.05.08   2007.10.16 2008.09.24 2011.09.02 2012.08.03 2013.05.14   2007.12.10 2008.12.05 2011.10.04 2012.08.14 2013.05.24   Conclusions

EquationDrug represents the main espionage platform from the Equation Group. It's been in use for over 10 years, replacing EquationLaser until it was replaced itself by the even more sophisticated GrayFish platform.

The EquationDrug case demonstrates an interesting trend: a growth in code sophistication #EquationAPT

Tweet

The EquationDrug case demonstrates an interesting trend that we have been seeing while analyzing supposedly nation-state cyberattack tools: a growth in code sophistication. It is clear that nation-state attackers are looking for better stability, invisibility, reliability and universality in their cyberespionage tools. You can make a basic browser password-stealer or a sniffer within days.  However, nation-states are focused on creating frameworks for wrapping such code into something that can be customized on live systems and provide a reliable way to store all components and data in encrypted  form, inaccessible to normal users. While traditional cybercriminals mass-distribute emails with malicious attachments or infect websites on a large scale, nation-states create automatic systems infecting only selected users. While traditional cybercriminals typically reuse one malicious file for all victims, nation-states prepare malware unique to each victim and even implement restrictions preventing decryption and execution outside of the target computer.

Nation-state attackers create automatic systems infecting only selected users #EquationAPT

Tweet

Sophistication of the framework is what makes this type of actor different from traditional cybercriminals, who prefer to focus on payload and malware capabilities such as implementing a long list of custom third-party software credential database parsers.

The difference in tactics between cybercriminals and nation-state attackers appears to be due to relative resource availability. It's known that cybercriminals attempt to infect as many users as possible and that they can sometimes compromise hundreds of thousands of systems. It would will take many years to check all those machines manually, analyzing who owns them, what data is stored on them, and what custom software they run.

Cybercriminals probably don't even have enough disk space to collect all the potentially interesting data from the victims hit by their large scale infections. That is why cybercriminals prefer to extract tiny chunks of the most important data (credentials, credit card numbers, etc) on the machine of the victim and transfer only few kilobytes from each compromised host. Such data, when combined from all users, normally takes up gigabytes of disk space.

Nation-state attackers have sufficient resources to store as much data as they want. They have access to virtually unlimited data storage. However, they don't need, and often try to avoid, infecting random users, for the obvious reason of avoiding attention and remaining invisible. Implementing custom data format parsers in the malware not only doesn't help them find all the valuable data on the victim's machine, but may also attract extra attention from security software running on the system. They mostly prefer to have a generic remote system management tool that can copy any information they might need even if it causes some redundancy. However, copying large volumes of information might slow down network connection and attract attention, especially in some countries with poorly developed internet infrastructure. To date, nation-state attackers have had to balance between these two poles: copying victims' entire hard drives while stealing only tiny bits of passwords and keys.

Nation-state attackers use a remote system management tool that can copy any information they need #EquationAPT

Tweet

Now, if you wonder why EquationDrug, a powerful cyberespionage platform, doesn't include Skype or ICQ password stealing-capability, the answer is that they most likely copy the database as a whole and parse on the server-side. We believe that this will become a unique trademark of nation-state attackers in the future.

Some code paths in EquationDrug modules lead to OS version checks including a test for Windows 95, which is accepted as one of supported platforms. While some other checks will not pass on Windows 95, the presence of this code means that this OS was supported in some earlier variants of the malware. Considering this and the existence of components designed to run on Windows 9x (such as VXD-files), as well as compilation timestamps dating back to early 2000s, the hypothesis  that these attackers have been active since the 90s seems realistic. This makes the current attacker an outstanding actor operating longer than any other in the field.

Technical Details Kernel mode stage 0 (Windows 9x) - mssvc32.vxd MD5 0a5e9b15014733ee7685d8c8be81fb0d Size 6 710 bytes Format Linear Executable (LE)

This VXD driver handles only two control messages: W32_DeviceIoControl and Dynamic_Init. The DeviceIoControl part is not completely implemented and the driver is only able to check for some known control codes.  However it does nothing. This handler looks more like a code stub rather than actual payload.

On the Dynamic_Init event, the driver retrieves the location of the user-mode loader executable from the following registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] Config

If the value is not present in the registry, it uses the following fallback string hardcoded in the binary:

C:\WINDOWS\SYSTEM\SVCHOST32.EXE

Next, it installs a callback procedure using Windows function _SHELL_CallAtAppyTime. This procedure will be called when CPU is running in ring-3 mode, so that a new executable (loader process) can be started via the traditional way. This is a standard trick that was used by developers in the 90s to initiate a call to DLL export in ring-3 from ring-0 in Windows 9x OS family.

Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys MD5 c4f8671c1f00dab30f5f88d684af1927 Size 105 392 bytes Format PE32 Native Compiled 2008.01.23 14:12:33 (GMT) Location %System32%\drivers\msndsrv.sys

This module can create log files in the following known locations:

%systemroot%\system32\mslog32.dat
%systemroot%\system32\msperf32.dat (default location)

The driver acts as the first stage of the EquationDrug platform on Windows 2000+ and implements rootkit functions for hiding the components of the platform. Additionally, it implements a NDIS driver for filtering network traffic.

When started and initialized, the driver retrieves the location of the user-mode loader executable from the registry value:

[HKLM\System\CurrentControlSet\Services\%driver name%] Config

The %driver name% is not hardcoded and is obtained dynamically from the current module name, which means that different instances may check different registry keys and this may not be a reliable way to check for infection. The sample we analyzed used "msndsrv" as the %driver name%.

Next, it crafts and injects a shellcode in "services.exe" or "winlogon.exe". The shellcode is designed to spawn the loader process from the executable called "mscfg32.exe".

The rootkit code in the driver hooks several Native API functions that lets it hide or protect registry keys, files and running processes. The components of EquationDrug can modify the list of protected objects by sending DeviceIoControl messages to the driver. The driver also maintains a persistent list of protected objects that is stored in the following registry values:

[HKLM\System\CurrentControlSet\Services\%driver name%] 1
[HKLM\System\CurrentControlSet\Services\%driver name%] 2

These values are also protected by the rootkit. They can be revealed by booting Windows in Safe Mode.

The driver contains the following unused strings:

  • \\.\mailslot\dskInfo
  • Dissecorp
User-mode loader - mscfg32.exe, svchost32.exe MD5 c3af66b9ce29efe5ee34e87b6e136e3a Size 22 016 bytes Format PE32 EXE Compiled 2008.01.23 14:26:05 (GMT) Location %System32%\mscfg32.exe

This module opens a unique event named "D0385CB7-B834-45d1-A501-1A1700E6C34E". If the event exists, it waits for 10 seconds and attempts to open a file whose name can be decrypted as "\\.\MSNDSRV". If the device file is successfully opened, the code issues a device request with IOCTL code 0x80000194 and no parameters.

This module uses RC5 in CBC-like mode with a key length of 96-bit for string encryption.

Careful analysis reveals some bits of uninitialized memory found next to encryption key locations. This is unused but partly meaningful memory, because it seems to contain short chunks of strings resembling some local filepaths:

  • "rver\8" (probably part of "Server\8..." string)
  • "LInj" (could be a part of "DLLInjector" or similar)

It's apparent that some parts of the code were designed to run on Windows 9x, for example a call to RegisterServiceProcess Windows API function makes sense only on Windows 9x OS family, because this API function doesn't exist on Windows NT platform.

The module uses a unique algorithm for generating registry value names. The code contains strings, such as "SkyhookChow Target", that are converted to GUID-like strings by calculating SHA1 hash and using its hexadecimal representation as a string. The resulting strings are used as actual registry value names in [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] registry key.

Sample registry value names:

Original String GUID-like registry value name SkyhookChow Target {B6F5CD13-A74D-8B82-A6AA-6FA1BE2484C1-6832DF06} SkyhookChow Payload {F4CF0326-6DCD-EEC8-5323-01CEDB66741A-B55F6F12}

These registry values are encrypted using an RC5 algorithm using a hardcoded 1024-bit key with 24 rounds.

The registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {F4CF0326-6DCD-EEC8-5323-01CEDB66741A-B55F6F12} ("SkyhookChow Payload")
should contain the location of the orchestrator DLL file ("mscfg32.dll"). If the value is not present a default value "%SYSTEM%\mscfg32.dll" is used.

The registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {B6F5CD13-A74D-8B82-A6AA-6FA1BE2484C1-6832DF06} ("SkyhookChow Target")
may contain the location of the executable file that will be used as a "shell" process for the orchestrator library.

The module attempts to start the "shell" process in suspended mode. If there is no "SkyhookChow Target" value or the specified executable fails to start, the module tries different failsafe locations of the programs that can be used instead:

  1. Default browser set in the registry [HKLM\SOFTWARE\Clients\StartMenuInternet\{current @default value}\shell\open\command]
  2. %SystemRoot%\System32\svchost.exe
  3. %SystemRoot%\System32\lsass.exe
  4. Spoolsv service binary from the [HKLM\SYSTEM\CurrentControlSet\Services\Spooler] ImagePath registry value.
  5. Default html file handler from [HKLM\SOFTWARE\Classes\htmlfile\shell\open\command]registry value.
  6. Internet Explorer path from [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\] IEXPLORE.EXE registry value.

Next, the module injects extra code into a newly started target process. The injected code loads the payload DLL ("mscfg32.dll") into the target process and waits for the parent process to exit. When the parent process quits, it unloads the payload DLL and exits as well. The rest of the logic relies on the loaded DLL in that new process. See the description of the "mscfg32.dll" module below.

The module communicates with the Stage0/Rootkit driver "msndsrv.sys" by sending DeviceIoControl messages to the device "\\.\MSNDSRV". It activates the rootkit for its own process, for the target process holding the orchestrator and for all the files involved.

Platform orchestrator - mscfg32.dll, svchost32.dll MD5 5767b9d851d0c24e13eca1bfd16ea424 Size 249 856 bytes Format PE32 DLL Compiled 2008.01.24 22:11:34 (GMT) Location %System%\mscfg32.dll

Creates mutex: "01C482BA-BD31-4874-A08B-A93EA5BCE511", or terminates if one already exists.

Writes a timestamped log file to one of the following locations:

  • %SystemRoot%\temp\~yh56816.tmp
  • C:\Windows\Temp\~yh56816.tmp
  • %Registry_SystemRoot_Value%\temp\~yh56816.tmp
  • Value of [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] D

The file "~yh56816.tmp" retains the history of execution. It comprises debug records of simple structure:

        Stage: DWORD | DateTimeLow: DWORD | DateTimeHigh: DWORD

Basically, it logs the execution of every stage of the orchestrator and the time of execution. The Stage is an integer number starting from 1.

This module spawns a new thread in the DllMain function which contains the main function body. The procedure disables application error popups shown by the default exception handler. This is probably done only in the "Release" version of the malware, because the following code generates exceptions that are reported to the user if application error popups are not disabled. We assume that the "Debug" version of the code doesn't suppress error popups when exception occurs as this helps with the debugging of the code.

The module checks the OS version and if it encounters an unsupported operating system the code generates an exception which terminates the application. The list of OS versions that pass this test:

  • Windows 95/98/ME
  • Windows NT 4.0 and above.

If the module runs on Win9x, it executes Win9x-specific function RegisterServiceProcess to hide from the Windows Task Manager application. If the module is NOT running on WinNT6.0+, it then attempts to open a virtual device file with one of the following names:

  • \\.\MSSVC32 on Win9x
  • \\.\MSNDSRV on WinNT

If the device file is successfully opened, the module activates a rootkit for its process and for the file location "%SYSTEM%\unilay.dll" local path. This is followed by finding and terminating a process named "winproc.exe" which is the name of another component of the platform. Note that this part of the code is executed only on platforms different from WinNT 6.x (Windows Vista and later).

The module was designed to fetch or update its main configuration data from different places. There are some default values set inside the code, such as some timeout values and the following C&Cs:

  • www.waeservices[.]com
  • 213.198.79.49

These default values can be overwritten later.

Next, it locates a data section called "Share2" in the current module and verifies the starting magic number. If it is 0x63959700, it then decrypts the rest of the data in the section and interprets it as a configuration block. However, data from the next location can override all previous settings. This is a registry value with special name.

The naming of the registry location is the same GUID-like SHA1 value as the one used in the loader ("mscfg32.exe"), and is produced from the source string "Configuration":

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}

The configuration block stored in the registry value is encrypted using RC5 with the 1024-bit key. Both the loader and the orchestrator share the same key for encrypting and decrypting the registry values in the "MemSubSys" key.

The decrypted configuration block consists of a series of tagged configuration records in the following format:

        [RecordType:DWORD][RecordSize: DWORD][RecordValue: %RecordSize%]

We retrieved a copy of a configuration block and decrypted and partly interpreted it. We are including the results for one of the configuration blocks:

Time value: 1 year 0 months 1 days 22 hours 6 mins 52 secs. The orchestrator is expected to set this field to the time of initial configuration.
Binaries: 3x1024-bit encryption keys
1b8e7818dad6345c53c2707a2c44648eee700d5cf34fea6a19a3fa0a6a871c72963fdded 91e2703c82b7747b8793e3063700da32cfb8d907dcce1beb36edd575418d1134ef188b 27ec3ce23711a656b0a8bf28921fbf1c39b4c90ad561e4174ed90f26ce11245bb9deb4b 4720403f47ca865ec8bbd3c1df9d93d042ff5b52ec6
05000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000
ed04953f3452068ae6439f04c7904c8be5e98e66e2cd0f267d65240aeed88bd4d3c6105 c99950dd42ccde4bc6bbaf9f6cb1b4e628d943e91f8f97f2aff705fdd25e3af6ba0bc4fd13 d67a2bcb751bb8f21f3d4b66c599f3e572802911394d142f8cf3a299d6d4558f9f0f01634 9afd1888472f4f8c729ffe913f670931f1a227
C&C domain: www[dot]waeservices[dot]com
C&C IP address: 213.198.79.49
C&C port: 443
Timestamp: 2010-12-08 11:35:57
Tool Reference: VTT/82055898/STEALTHFIGHTER/ 2008-10-16/14:59:06.229-04:00
TimeoutA: 25200 sec (7 hours)
TimeoutB: 32400 sec (9 hours)
TimeoutC: 3600 sec (1 hour)
TimeoutD: 172800 sec (48 hours)
+Several Unknown Values

Other configuration blocks we discovered contained similar information, with only some unique values:

Timestamp: 2009-11-23 14:10:15
Tool Reference: Manual/DRINKPARSLEY/2008-09-30/10:06:46.468-04:00
Tool Reference: VTT/82053737/STRAITACID/2008-09-03/10:44:56.361-04:00
Tool Reference: STRAITSHOOTER30.ex_
Tool Reference: VTT/82051410/LUTEUSOBSTOS/2008-07-30/17:27:23.715-04:00
Tool Reference: BACKSNARF_AB25

During the next step, the module obtains PE file version information from the resource section. It loads the version info using hard-coded module names, which are supposed to match the current module name:

  • SVCHOST32.DLL for Windows 9x
  • MSCFG32.DLL for Windows NT

If file version information is available, it gets language-specific values of the PrivateBuild block. The codepage and languages that are verified: Unicode, LANG_NEUTRAL and LANG_ENGLISH_US. When this check passes, the module gets @default registry value from the following location:

  • [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}] TypeLib

If the key is not found, the code checks for registry value TypeLib in the following key:

  • [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}]

If such a value is found, it is then deleted along with the Version value if it exists in the same key.

The string obtained from one of two possible registry values is processed as if this value is a CLSID-like string: the code takes the last 16 hexadecimal digits, splits them in two 8-chars values, converts them to binary form (two DWORDs) and reverses the order of bytes in each DWORD and XORs, the first value with 0x8ED400C0, and the second with 0x4FC2C17B.  Next, the first DWORD value becomes second and the second becomes first. In this order, they are stored in a structure in memory. These two values seem to be very important as they override a few values in the previously known configuration. If they don't exist, values from the current configuration replace them and are stored back in the registry following the reverse procedure:

  1. [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}\Version] is created and @default value is set to version obtained from file version information PrivateBuild field (i.e. 3.04.00.0001). This seems to be used as kit version number.
  2. [HKLM\SOFTWARE\Classes\CLSID\{091FD378-422D-A36E-8487-83B57ADD2109}\Version] is created and @default value is set to a CLSID like string generated from the following:
    • Fixed prefix string: "{8C936AF9-243D-11D0-"
    • Two important DWORD values in the format of "%04X-%04X%08X}" string.

We collected and decrypted several samples of such values. According to the code, they are initialized with values of the Microsoft filetime format. So, we decided to interpret them as filetime values:

20101C04EC2C17B: 1 year(s) 7 month(s) 21 day(s) 23 hour(s) 32 min(s) 1 sec(s)
81E01C04EC2C17B: 1 year(s) 7 month(s) 8 day(s) 12 hour(s) 13 min(s) 5 sec(s)
E0001C04EC2C17B: 1 year(s) 7 month(s) 21 day(s) 1 hour(s) 6 min(s) 15 sec(s)
77101C04EC2C17B: 1 year(s) 5 month(s) 20 day(s) 19 hour(s) 15 min(s) 4 sec(s)
30F01C04EC2C17B: 1 year(s) 8 month(s) 0 day(s) 6 hour(s) 10 min(s) 33 sec(s)
C0901C04EC2C17B: 1 year(s) 8 month(s) 2 day(s) 6 hour(s) 29 min(s) 39 sec(s)
66701C04EC2C17B: 1 year(s) 6 month(s) 9 day(s) 2 hour(s) 10 min(s) 23 sec(s)
F6501C04EC2C17B: 1 year(s) 6 month(s) 6 day(s) 19 hour(s) 53 min(s) 22 sec(s)
01401C04EC2C17B: 1 year(s) 6 month(s) 25 day(s) 23 hour(s) 34 min(s) 13 sec(s)

After that, the module stores current time values in encrypted form in the registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] {08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663} (encoded SHA1 of "StartTime")

The module contains an additional compressed Windows DLL file in the resource section, which is extracted as "unilay.dll" (see below). This DLL exports a number of functions that are just wrappers of the system API used to work with files and the registry, and also start processes and load additional DLL files.

The orchestrator contains several built-in plugins that form the core of the platform. These are initialized in the first place, and then additional plugins are loaded. All the plugins are indexed in a single encrypted registry value:

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys] 1

This value has information about all the components of the current kit. It may include Unicode strings with paths to extra DLLs which serve as plugins. Each DLL exports at least four functions which are imported by ordinal numbers from 1 to 4.

The structure of the registry value "1":

[Count:DWORD]{ [Plugin Id:WORD][Plugin Path Length:DWORD][Plugin Path String:VARIABLE] }

Plugins interact with each other and with the orchestrator by exchanging messages of pre-defined format. The message transport is implemented as a global object that contains four communication streams. Every stream contains a pair of kernel synchronization object handles (a semaphore with fixed maximum value defaulted to 1000 and a mutex) and a message queue as an array. A dedicated thread processes messages that appear in the message queues.

A message arrives in a parcel, represented as two DWORD values that contain the size of the message and a pointer to the message data. The message data starts with a DWORD identifying a class of message (a request, reply, etc).

The orchestrator contains the following built-in plugins (listed by internal ID): 8000, 8022, 8024, 803C, 8046, 800A, 8042, 8002, 8004, 8006, 8008, 8070, 808E. Several additional built-in modules have been discovered in newer versions of the orchestrator that was shipped with the GrayFish platform.

EquationDrug Plugins: Plugin ID File name Description 8000 Built-in Core, basic API for other modules 8002 wshcom.dll C&C communication using Windows sockets 8004 Built-in Additional message queue 8006 Built-in Memory allocation / storage 8008 vnetapi32.dll& C&C communication code based on DoubleFantasy, using WinInet API 800A Built-in C&C communication orchestrator 800C perfcom.dll HTTP communication 8022 khlp680w.dll System API: execute processes, load libraries, manipulate files and directories 8024 cmib158w.dll Collects system information: OS version, computer name, user name, locale, keyboard layout, timezone, process lists 8034 cmib456w.dll Management of the VFS backed by encrypted ".FON" files in the "Fonts\Extension" directory. Provides encryption using RC5 for these files 803E nls_874w.dll Network sniffer 803C Built-in Communication with the NDIS filter part of "msndsrv.sys" 8040 khlp807w.dll Network exploration API, share enumeration and access 8042 Built-in Compression library based on Nrv2d / UCL 8046 Built-in Communication with the rootkit part of "msndsrv.sys" 8048 mstkpr.dll Disk forensics and direct NTFS reader based on sources of SleuthKit 8050 khlp760w.dll Additional encryption facilities for the file-backed VFS 8058 khlp733w.dll Collects local system information, WMI information, cached passwords 8070 khlp747w.dll Enumerates processes and system objects 807A mscoreep32.dll Plugins for monitoring Internet Explorer and Mozilla browser activities 808A khlp866w.dll Compression library based on Zlib 808E Built-in Reverse (PTR record) DNS resolver 8094 Built-in In-memory storage 809C Built-in In-memory storage 80AA nls933w.dll HDD / SSD firmware manipulation 80AE wpl913h.dll Keylogger and clipboard monitoring (aka "GROK") 80BE vnetapi.dll C&C communication via WinHTTP API 80C6 webmgr.dll Extracts web history, Mozilla/Internet Explorer-saved form data and cached credentials 80CA wshapi.dll C&C communications interface via Windows sockets Additional components Unilay.DLL

This module provides a compatibility layer for accessing system API functions for Windows 9x. It redirects Unicode ("W") variants of Windows API functions to corresponding ANSI variants by converting Unicode string parameters to multi-byte strings and calling the respective ANSI API.

MD5 EF4405930E6071AE1F7F6FA7D4F3397D Size 9 728 bytes Compiled 2008.01.23 14:23:10 (GMT) Format PE32 DLL, linker version 6.0 (Microsoft Visual C++ 6.0)

Exported functions (redirected to ANSI variants):

  • 100017EF: CopyFileW
  • 10001039: CreateDirectoryW
  • 10001111: CreateFileW
  • 100011B3: CreateProcessW
  • 10001177: DeleteFileW
  • 10001516: FindFirstChangeNotificationW
  • 10001466: FindFirstFileExW
  • 10001300: FindFirstFileW
  • 100014C6: FindNextFileW
  • 10001564: GetCurrentDirectoryW
  • 1000188F: GetFileAttributesW
  • 100016C6: GetStartupInfoW
  • 10001602: GetSystemDirectoryW
  • 10001664: GetWindowsDirectoryW
  • 10001853: LoadLibraryW
  • 1000178B: MoveFileExW
  • 1000172D: MoveFileW
  • 10001913: RegCreateKeyExW
  • 100019F5: RegDeleteKeyW
  • 10001DDF: RegDeleteValueW
  • 10001A39: RegEnumKeyExW
  • 10001BE2: RegEnumValueW
  • 1000199B: RegOpenKeyExW
  • 10001B23: RegQueryInfoKeyW
  • 10001D57: RegSetValueExW
  • 100010D5: RemoveDirectoryW
  • 10001E81: SHGetFileInfoW
  • 100015C6: SetCurrentDirectoryW
  • 100018CB: SetFileAttributesW
  • 10001E23: lstrcmpW
Network-sniffer/patcher - atmdkdrv.sys MD5s 8d87a1845122bf090b3d8656dc9d60a8
214f7a2c95bdc265888fbcd24e3587da Size 41 440, 43 840 bytes Format PE32 Native Compiled 2009.04.16 17:19:30 (GMT)
2008.05.07 19:55:14 (GMT) Version Info
  • FileDescription: Network Services
  • LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
  • InternalName: atmdkdrv.sys

or

  • FileDescription: CineMaster C 1.1 WDM Main Driver
  • LegalCopyright: Copyright 1999 RAVISENT Technologies Inc.
  • InternalName: ATMDKDRV.SYS

Creates a file storage "\SystemRoot\fonts\vgafixa1.fon". Its first word is set to 0x21 at the beginning of the DriverEntry function, and is replaced with 0x20 at the end of DriverEntry.

This driver appears to have been put together in "quick-and-dirty hack" style, using parts of the "mstcp32.sys" sniffer and other unknown drivers. It contains a lot of unused code which is partially broken or disabled. These include a broken "Dynamically disable/enable windows audit logging" subsystem and an incomplete "Patcher mode".

There are three algorithms used for strings encryption - RC5; alphabet encryption like the one used in "mstcp32.sys"; and XOR with a pre-seeded random number generator. Decrypted strings are immediately encrypted back until the next usage to avoid in-memory detection.

The driver's filename and device name differ across the samples. They depend on the name of the registry key that is used to start the driver.

The driver may operate in one of two independent modes - as a network sniffer or as a memory patcher. The mode of operation is selected on startup, based on the "Config2" value of the driver's registry key. By default the driver starts in "sniffer mode".

Sniffer mode

The sniffer code is similar to the one used in the driver's "tdip.sys" and "mstcp32.sys" and uses NT4 NDIS-4, XP NDIS-5 interfaces, targeting incoming traffic on Ethernet and VPN (ndiswanip) interfaces. It captures only directed packets (containing a destination address equal to the station address of the NIC). Packers-filtering engine rules may be set via DeviceIoControl messages. Filtered packets are stored in-memory until requested. Maximum packets storage list length is 128 items per filtering rule.

Patcher mode

Almost broken, it does nothing interesting except, possibly, replace the thread's ServiceTable to an unchanged, clear copy taken from the on-disk image of "ntoskrnl.exe".

Sniffer only IOCTLs:
44038004 - add filtering rule
44038008 - clear stored packet in specified filtering rules list
4403800C - enable specified filtering rule
44038010 - disable specified filtering rule
44038014 - get stored packet from specified filtering rules list
44038018 - process packet like the one received from the wire (filter and store)
4403801C - set maximum rules list length
44038020 - get maximum rules list length
80000004 - enablePacketsFiltering
80000008 - disablePacketsFiltering (PauseSniffer)
800024B4 - send packet to the specified network interface

Common IOCTLs:
80000028 - do nothing (broken/unused part)
80000038 - set external object (broken/unused part)
8000003C - get 4 dwords struct (broken/unused part)
80000040 - copy 260 bytes from the request (broken/unused part)
80000320 - set I/O port mapping (broken/unused part)
80000324 - clear I/O port mapping (broken/unused part)
80000328 - set external PnP Event (broken/unused part)
80000640 - replace specified thread's SDT (ETHREAD.ServiceTable field) to a given copy

Backdoor driven by network sniffer - "mstcp32.sys", "fat32.sys" MD5s 74DE13B5EA68B3DA24ADDC009F84BAEE
B2C7339E87C932C491E34CDCD99FEB07
311D4923909E07D5C703235D83BF4479
21C278C88D8F6FAEA64250DF3BFFD7C6 Size 57 328 - 57 760 bytes Format PE32 Native Compiled 2007.10.02 12:42:14 (GMT)
2001.08.17 20:52:04 (GMT) Version Info
  • FileDescription: TCP/IP driver
  • LegalCopyright: Copyright (C) Microsoft Corp. 1981-1999
  • InternalName: mstcp32.sys

This is a sniffer tool similar to "tdip.sys" and it uses NT4 NDIS-4, XP NDIS-5 interfaces.  It targets incoming traffic on Ethernet and VPN (ndiswanip) interfaces, but instead of dumb packet dumping, it uses received packets as commands for the "process injector" subsystem that is able to extract and execute code from the specially crafted network packets.

Default filtering rules are stored in the "Options" registry value of the driver's registry key. It captures only directed packets (containing a destination address equal to the station address of the NIC).

The driver's filename and device name differ across the samples. They depend on the name of the registry key that is used to start the driver.

Code Patcher

The driver patches OS code to dynamically disable or enable Windows audit logging.

It patches the function "LsapAdtWriteLog" in "lsasrv.dll" module of the "lsass.exe" process.

It searches for pre-defined signatures of the function "LsapAdtWriteLog" of known Windows versions - 4.0, 5.0, 5.1, 5.2 (NT4, Win2000, XP, WinSrv2003).

Then it selects a corresponding offset to replace the opcodes:

  • 'jz' to never taken 'jo' in case of XP
  • jmp over inner logic to procedure epilog in case of Windows Server 2003 so LsapAdtWriteLog skips logging of audit records

The module also patches "SepAdtLogAuditRecord" inside "ntoskrnl.exe" to "retn 4" instead of the first opcode of the function.

The disabled audit can be restored after a timeout or on-event by a dedicated thread.

Expected IOCTL codes:

  • 80000004 - setFilteringRules
  • 80000008 - disablePacketsFiltering (PauseSniffer)
  • 80000028 - do nothing (possible broken GetDriverName)
  • 80000038 - disable_audit
  • 8000003C - enable_audit
Code Injector

The code-builder within this module facilitates exploitation by providing up to four predefined execution templates, which seem to be suitable for generating several code patterns.

Below is a list of the execution templates we found:

  • locate a DLL via PEB structure and resolve exports
  • call single function
  • call four functions
  • call six functions

Using these as a base for the templates, the code-builder inserts parameters and proper offsets to call one of the following code patterns:

  • Locate and call WinExec
  • Locate and call LoadLibraryW, GetProcAddress, call exported procedure, FreeLibrary
  • Locate and call LoadLibraryW, GetProcAddress, call GetModuleHandle, FreeLibrary
  • Locate and call OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, VirtualFreeEx, CloseHandle

The code injection procedure allocates memory via ZwAllocateVirtualMemory in services.exe and copies implanted code. After that it uses KeInsertQueueApc to let the code run and waits 30 seconds for APC to complete.

When the module starts, it reads registry value [HKLM\System\CurrentControlSet\Services\%driver name%] Processes. This value may contain a list of process names that should be started by injected executable code but only after services.exe and winlogon.exe has been started. The injection of code into winlogon.exe and services.exe ensures that the newly started process will have SYSTEM user privileges. During the injection stage Windows Audit Logging is fully disabled to avoid leaving any suspicious records in Windows Logs.

Magic Packet Recognition

All incoming packets are first filtered by BPF-like rules. The filtering rules are located in [HKLM\System\CurrentControlSet\Services\%driver name%] Options registry value or passed via corresponding IOCTL. Packets that passed through the filter are added in the end of processing queue.

Packets from the queue must have valid checksum values. After checking that, the code XOR-decrypts additional data from the end of the packet. The decrypted end of the packet contains another control structure that defines which encryption algorithm is used to decipher packet body. Supported algorithms include RC5 and RSA. There is a 1024-bits RSA public key hardcoded inside the module body, while a 96-bits RC5 key is generated dynamically.

The backdoor command may arrive in a single packet or be split into pieces and come with several packets. There is a procedure for re-assembling pieces together: a multi-packet command is added to a special packet collector which puts all the pieces together before passing it further.

Backdoor command is stored in the first byte of the decrypted request and can be one of the following values:

Command Byte Short Name Description 0 StatusCheck Reply with encrypted DriverName, packet collector keys, "Processes" and "Params" registry values, names of processes for code injection (defaults are "services.exe" and "winlogon.exe"), list of unprocessed commands from packet collector. 1 Panic Disable packet filtering, securely delete driver file, clear related registry keys, set ClearPageFileAtShutdown flag, unbind adapters, delete devices and prepare for unloading. However, the driver cannot unload itself and it remains in the memory until reboot, which means it can be detected via DRIVER_OBJECT structure. 2 CodeInject Injects code implant received from packet body. 3 CallWinExec Disable Windows Audit and start new process via standard code injection in Winlogon.exe. 4 ResetCollector Drop all packets with specific key from packet collector. 5 Unused or disabled 6 GenerateRC5Key Generates RC5 session key. 96-bits RC5 key is generated by taking a SHA1 hash of value from KeTickCount, XOR-encrypt with SHA1 hash of two PerformanceFrequency values, which is followed by nine more additional SHA1 hashing. 7 SetRegProcesses Sets new "Processes" registry value. 8 DeleteRegProcesses Deletes current "Processes" registry value. 9 SetRegParams Sets a universal "Params" registry value which is used for storing any information, i.e. could be a unique victim marker or exploitation stage number. a Unused or disabled b Ping Reply with classic ICMP Echo Response packet. c ChangeInjectTarget Set new target injection processes (defaults are "Winlogon.exe" and "Services.exe"). Effective until reboot.

Note: "mstcp32" is mentioned together with rootkit-like behavior in 2004 here: http://www.pcreview.co.uk/forums/mstcp32-t1445152.html

Network Sniffer - tdip.sys MD5s 20506375665a6a62f7d9dd22d1cc9870
60dab5bb319281747c5863b44c5ac60d Size 22448 - 28800 bytes Format PE32 Native Compiled 2006.10.16 18:42:40 (GMT)
2003.08.17 21:47:33 (GMT)

Supports the following versions of Windows: NT4 using NDIS-4 and XP using NDIS-5. Doesn't use Vista and later NDIS-6 features. However, later NDIS versions are backward-compatible, so the driver is still valid for current versions of Windows.

Version Info:

  • FileDescription: IP Transport Driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • FileVersion: 5.1.2600.2180
  • InternalName: tdip.sys

This driver is a packet sniffer for incoming-only traffic on Ethernet and VPN (ndiswanip) interfaces or any used with ms_pschedmp as an alternative connection.

It implements a BPF (Berkeley packet filter) style packet-filtering system that is configured from the driver's registry configuration values or from DeviceIoControl messages.

The captured network packets may be written to disk in libpcap format (magic 0xA1B2C3D4 version 2.4) and encrypted with one-byte XOR, key 0xE3.

The driver's configuration is stored in the registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdip]

  • Options - packet filtering rules in BPF format
  • Tag - selector of filtered packet types / Defaults in case of MediumWan to NDIS_PACKET_TYPE_BROADCAST|NDIS_PACKET_TYPE_MULTICAST|NDIS_PACKET_TYPE_DIRECTED;
    (or NDIS_PACKET_TYPE_BROADCAST|NDIS_PACKET_TYPE_DIRECTED in any other case)
  • ImageFile - full path name to the resulting pcap file
  • Duration - used as Length of the original packet in dump file. (default 0xffff)
  • Backup - max size of the pcap file

IOCTLs:

  • 0x80002004 getCurrentState
  • 0x80002008 setFilteringRules
  • 0x8000200C getFilteringRules
  • 0x80002024 getDumpFileSize
  • 0x80002010/0x80002014/0x80002018/0x8000201C pause/resume
  • 0x80002020 getVersion - returns 2.4.0

Driver has three logical parts, and uses an incomplete function pointer table as interface:

  1. Business logic: filtering rules, packet dumping, device ioctl, options
  2. Ndis driver skeleton
  3. Primitives lib: Strings, XORing, registry I/O

The code is of very good quality. It looks more complicated than Winpcap 2.3 (released 28 mar 2002), but less so than Winpcap 3.0 (released by 10 apr 2003). Interestingly, the driver identifies itself as "version 2.4" in the pcap file despite there being no Winpcap version 2.4.

Key/clipboard logger driver - msrtvd.sys MD5s 98dea1bce37bf7087360e1958400589b
bb8f56874189d5dfe9294f0553a49b83
f6bf3ed3bcd466e5fd1cbaf6ba658716 Size 31 488 - 36 736 bytes Format PE32 Native Compiled 2010.02.19 22:45:18 (GMT)
2008.09.17 16:23:54 (GMT) Version Info
  • FileDescription: MSRTvd interface driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • InternalName: msrtvd.sys

This is a keylogger and clipboard monitoring tool.

On startup, the driver creates a device named "\Device\Gk0" and a symbolic link named "\DosDevices\Gk".

Then it attaches to the csrss.exe process and disassembles user32.dll and ntdll.dll routines to obtain win32k.sys and ntoskrnl.exe SDT services indexes and pointers of needed Nt/Zw APIs.

Then, using a built-in disassembler, it obtains pointers to NtUserPeekMessage, NtUserGetMessage, NtUserGetClipboardData and using the disassembler again selects the parts of the code that will be then hooked by splicing.

The interceptor routines are copied from a special PE section named ".msda". These routines are able to collect key press chains and clipboard text data, add information about current Time, ProcessName, ForegroundWindowText,and UserName related to this event.

A dedicated thread ("dumper") gathers the collected data, compresses the results with LZO appends it every 30 minutes to a file "%system-wide TEMP%\tm154o.da".

Most strings inside are encrypted by XOR with a pre-seeded random number generator.

IOCTLs:

  • 0x22002C -start dumper thread
  • 0x220030 - stop dumper thread
  • 0x220034 - check if the driver has new data to dump
  • 0x220038 - set two external events signaled on dump data availability (it references a plugin possibility)
  • 0x22003C - restart dumper thread
  • 0x220040 - get size of available data
Collector plugin for Volrec - msrstd.sys MD5s 69e7943f3d48233de4a39a924c59ed2c
15d39578460e878dd89e8911180494ff Size 13 696 - 17 408 bytes Format PE32 Native Compiled 2009.06.05 16:21:55 (GMT)
2009.12.15 16:33:52 (GMT) Version Info
  • FileDescription: msrstd driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • InternalName: msrstd.sys

This driver is a plugin that collects events from the "volrec.sys" driver, and delivers them by sending DeviceIoControl messages. It collects events about file and disk volume operations.

On startup the driver obtains a pointer to "\Device\volrec", then creates a control device "\Device\msrstd0" and a symbolic link to it named "\DosDevices\msrstd"

All strings inside the driver are encrypted by XOR with a pre-seeded random number generator.

For file events the driver collects the filenames, and caches data about read and write operations. For disk volume events it queries disk properties and reads volume labels and disk serial numbers of removable drives (USB, FireWire drives).

IOCTLs:

0x220004 - turn on VolumeEvents collection
0x220008 - turn off VolumeEvents collection
0x22000C - retrieve previously stored VolumeEvent (operationType, deviceTypeFlags, VolumeLabel, volumeSerialNumber, DosDriveLetter)
0x220010 - turn on FileEvents collection
0x220014 - turn off FileEvents collection
0x220018 - retrieve previously stored FileEvent (fileName, deviceTypeFlags, VolumeLabel, volumeSerialNumber, DosDriveLetter)
0x22001C - connect to Volrec.sys (send ioctl 0x220004), enable plugin operation
0x220020 - disconnect from Volrec.sys (send ioctl 0x220008), disable plugin operation

Filesystem filter driver – volrec.sys, scsi2mgr.sys MD5s a6662b8ebca61ca09ce89e1e4f43665d
c17e16a54916d3838f63d208ebab9879 Size 14 464-14 848 byres Format PE32 Native Compiled 2009.06.05 16:21:57 (GMT)
2009.12.15 16:33:57 (GMT) Version Info
  • FileDescription: Volume recognizer driver
  • LegalCopyright: © Microsoft Corporation. All rights reserved.
  • InternalName: volrec.sys

This driver is a generic filesystem filter which feeds system events to user-mode plugins.

On startup the driver creates a control device named "\Device\volrec" and a symbolic link to it named "\DosDevices\volrec0". It then attaches all available filesystem devices.  It is also, able to handle removable storage devices.

All strings inside the driver are encrypted by XOR with a pre-seeded random number generator.

IOCTLs:

  • 0x220004 - setup plugin interface
  • 0x220008 - disable plugin calls

The driver handles the following system events:

  • file opened, created or closed
  • data is read or written to a file
  • new volume is mounted, unmounted
  • new USB or FireWire device attached
HDD/SSD operation helper driver - WIN32M.SYS MD5s 2b444ac5209a8b4140dd6b747a996653
b3487fdd1efd2d1ea1550fef5b749037 Size 19 456 - 26 631 bytes Format PE32 Native, PE32+ Native Compiled 2001.08.23 17:03:19 (GMT)
2013.05.14 15:58:36 (GMT) Description This module will be the subject of a dedicated blogpost. HDD/SSD firmware operation - nls_933w.dll MD5s 11fb08b9126cdb4668b3f5135cf7a6c5
9f3f6f46c67d3fad2479963361cf118b Size 212 480 - 310 272 bytes Format PE32 DLL, PE32+ DLL Compiled 2010.06.15 16:23:37 (GMT)
2013.05.14 16:12:35 (GMT) Version Info (64bit dll only)
  • FileDescription: Windows Networking Library
  • LegalCopyright: Copyright (C) Microsoft Corp. 1981-2001
  • FileVersion: 80AA
  • InternalName: nls_933w.dll
  • OriginalFilename: nls_933w.dll
  • PrivateBuild: 4.0.1.0
  • ProductName: Microsoft(R) Windows (R) 2000 Operating System
  • ProductVersion: 5.0.2074.0
  • Full Version: 1.0.0.1
Description This (80AA) plugin is a HDD firmware flashing tool which includes an API and the ability to read/write arbitrary information into hidden sectors on the disk.
The plugin will be the subject of a separate blogpost.

Patch Tuesday March 2015 - Stuxnet LNK 0day Fixed

Tue, 03/10/2015 - 20:05

Wait, what? Wasn't the Stuxnet LNK vulnerability CVE-2010-2568, in part reported by Sergey I. Ulasen, patched years ago? Didn't Kim Zetter have enough time to write 448 pages of thoroughly footnoted research on this digital weaponry?

Yes, it was, but MS10-046 didn't completely fix all of the vulnerable code path. And, we just might start to call it the Fanny LNK 0day, after the poorly QA'd USB worm spread across Pakistan using the same LNK exploit. However, we have not observed a newer implementation of this LNK exploit in-the-wild. Yet.

So, machines have remained vulnerable to an actively exploited codebase providing USB support since at least 2008. German researcher Michael Heerklotz reported the remaining flaws in January, and an excellent technical writeup describing his findings is posted on the ZDI blog here. Essentially, an attacker has to create a malicious LNK file with a link path of exactly 257 characters containing embedded unescaped spaces, and two "target" files - one with embedded unescaped spaces and one without. This is not difficult on a usb stick, and it bypasses much of the effective defenses Microsoft has developed for years. "Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender's Dilemma -- the defender must be strong everywhere, while the attacker needs to find only one mistake." In this case, it's more that the attacker had to chain together a complex series of overlooked steps.

Microsoft's release of thirteen other bulletins includes a large rollup of fixes for RCE across all versions of Internet Explorer, IE6 - IE11. This MS15-018 bulletin is rated critical, and it requires a reboot.

SMS Trojan bypasses CAPTCHA

Tue, 03/10/2015 - 07:00

Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015.

The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.

Distribution

This article discusses Trojan-SMS.AndroidOS.Podec, version 1.23 (the version was identified from analyzing its code). The hash sums are:

72ADCF52448B2F7BC8CADA8AF8657EEB
0D5708158B8782F115670BD51833AC5C

This version of the Trojan circulates in Russia and neighboring countries.

Country Number of attempts to infect unique users Russia 3666 Kazakhstan 339 Ukraine 305 Belarus 70 Kyrgyzstan 23

The number of infections over time:

Number of attempts to infect unique users

Sources of Infection

According to statistics collected with the help of Kaspersky Security Network, the main sources from which the Trojan in our study spreads are various domains with imposing names (Apk-downlad3.ru, minergamevip.com, etc.), as well as the servers of the popular Russian social network VKontakte (VK, vk.com) that are used to store users' content.

A pie chart of file infection sources

As we see, in most cases the infection is sourced from the social network's servers. Unfortunately, VK's file storage system is anonymous, so there is no way to analyze how malware emerges from it. However, further research identified a number of communities that distribute Trojan-SMS.AndroidOS.Podec on this social network:

  • http://vk.com/vzlomannye_igry_dlya_android
  • http://vk.com/skachat_minecraft_0_9_0_android
  • http://vk.com/minecraft_pe_0_9
  • http://vk.com/vzlom_igry_android_mody
  • http://vk.com/igry_android_cheats
  • http://vk.com/android_mody_apk
  • http://vk.com/novye_igry_na_android
  • http://vk.com/skachat_hill_climb_racing_bpan
  • http://vk.com/na_android_igry

(The Russian names of these groups refer to cracking Android games in some form)

All the groups listed here were filled with similar content: images, links and messages.

Each group is about one or more cracked games. The cybercriminals seem to be hoping that potential victims will be attracted by the chance to get free access to content that is usually paid-for.

Nearly all messages on the groups' walls are links leading to sites purportedly containing Android games and applications. The same is true for the "Links" section. In reality, the only purpose these sites served was to spread different versions of Trojan-SMS.AndroidOS.Podec.

Eight groups in the social network with similar visual designs

These groups have a lot in common: the way in which they are managed and designed (e.g. using keywords in place of descriptions, an abundance of simple broad-language messages characteristic of bots, etc.), the links they host to fake sites that seem to be copies of one idea. This suggests that black SEO (Search Engine Optimization) specialists were involved in distributing the Trojan. The above practices help bring links to the malicious resources (sites and groups) closer to the top of search engine results, attracting yet more visitors.

All these clone communities have the same administrator, who is a VK user identified as 'kminetti'. These communities are also advertised on that user's personal page. The user's account was created on 12 October 2011; in 2012, the account's wall started hosting links to sites and communities spreading malicious applications for mobile devices.

Examples of messages posted by the administrator of the malicious communities

Earlier, this account was used as a bot hosting links to web resources to increase their citation indexes (CI).

Examples of the posts placed by the communities' administrator to increase CIs of third-party resources

It can be concluded from all of the above that the VKontakte social network is the main vehicle for distributing Trojan-SMS.AndroidOS.Podec.

The Infection Procedure

The mobile Trojan sample that became available for Kaspersky Lab's analysts masquerades as a popular application, 'Minecraft Pocket Edition'. The file is 688 Kbyte in size, which may be an advantage in the eyes of inexperienced users with a slow and/or expensive Internet access. The official Minecraft application is 10 to 13 MB in size.

When launched, the application asks for device administrator privileges. This step makes sure that neither user nor a security solution can subsequently delete the Trojan. If the user rejects the request, the Trojan keeps repeating it until the privilege is granted. This process effectively blocks the normal use of the device.

Privilege escalation request

When Trojan-SMS.AndroidOS.Podec receives the requested escalated privileges, the legitimate Minecrast app is downloaded from a third-party resource and installed on the SD card. This behavior follows the instructions provided in the configuration file that comes alongside with the Trojan; the same file specifies the link to the legitimate APK file. However, the configuration file does not always contain a link to the application; in this case, the Trojan simply stops any activities observable by the user after it receives the requested privilege escalation.

Part of the configuration file containing the link to legitimate Minecraft installation file

Then the Trojan deletes its shortcut from the apps list and replaces it with the real Minecraft shortcut. However, traces of the Trojan's presence remain in the install apps list and in the device administrators' list:

The option of deleting the malicious app is deactivated. If the device user later seeks to de-escalate the Trojan's privileges the machine responds with weird and unsettling behavior: the screen locks, then shuts down for some moments. When the screen comes back on the device displays the configuration menu and there is no evidence of any attempt to strip the malicious app of its admin privileges.

Protection against analysis

The cybercriminals apparently invested serious time and effort into developing Trojan-SMS.AndroidOS.Podec, as demonstrated by the techniques used to prevent code analysis. As well as introducing garbage classes and obfuscation into the code, the cybercriminals used an expensive legitimate code protector which makes it fairly difficult to gain access to the source code of the Android application. This protector provides code integrity control tools, hides calls of all methods and manipulations involving class fields, and encrypts all strings.

Here is an example of protected code:

This is the same code after the protection is removed:

Managing the Trojan

Trojan-SMS.AndroidOS.Podec's activities are managed using C&C servers. The system works like this. First the Trojan contacts a C&C server via an HTTP protocol, and waits for an SMS with instructions. Trojan-SMS.AndroidOS.Podec has a main and a backup list of C&C domain names – a specific C&C server is chosen from the list following a random algorithm. If there is no response from that server within 3 days, a C&C from the backup list is used. This implements an adaptive algorithm to connect to a C&C server, which works even if specific domain names are blocked.

The C&C domain names and the entire traffic (both HTTM and SMS) are encrypted with AES encryption algorithm in CBC/NoPadding mode with a 128 bit key. The encryption key and the initialization vector are originally located in the file fXUt474y1mSeuULsg.kEaS (the name of this file changes from version to version), located in the 'assets' folder of the app source. Most of the file content is junk; useful information is contained between tags, appearing in the form of [a]string[/a].

From the strings between tags, the required encryption parameters (the key and the vector) are obtained in an encrypted form. Then they are decrypted by simply replacing one substring with others.

After decryption the commands form an XML document, in which the tags represent specific commands, and the contents of tags are command parameters. Below is the list of Trojan-SMS.AndroidOS.Podec capabilities implemented via commands:

  1. Collect information about the device (cell phone service provider, IMEI, phone number, interface language, country and city, etc.)
  2. Collect a list of installed applications.
  3. Receive information about USSD.
  4. Send SMS messages.
  5. Set a filter on incoming messages.
  6. Set filters on incoming and outgoing calls.
  7. Display advertisements to the user (display a separate notification, open an advertisement page, start a dialog, and other ways to show commercial content)
  8. Delete messages, as specified
  9. Delete call records, as specified
  10.  Upload the source HTML code of a specified page to the cybercriminals' server.
  11.  Perform a DDoS attack. Ramp up website visitor counters.
  12.  Subscribe the user to paid content.
  13.  Do a self-update.
  14.  Perform an outgoing call.
  15.  Export incoming messages according to conditions specified by C&C.
  16.  Delete an app, as instructed by C&C.

Even a quick analysis of the Trojan's executable code reveals an abundance of ways of working with HTML and HTTP. As well as features regarded as standard for this type of Trojans (e.g. sending and intercepting text messages, placing phone calls, manipulations with SMSs and call logs), Trojan-SMS.AndroidOS.Podec can also configure web page visits and send their code to C&C. However, this Trojan's most interesting feature is its CAPTCHA recognition capability.

A flow chart of Trojan-SMS.AndroidOS.Podec in operation is provided below.

Thus, the web resource's communication capabilities are the source of two different threats:

  1. The Trojan contains functions with which one can launch a simple HTML Flood DDoS attack. The associated strings in the configuration file are as follows:
  2. The resulting link is loaded; the function sleep() is called with the parameter 'seconds'. This process is repeated as often as the 'limit' parameter specifies.

    The scheme used by the cybercriminals enables them to configure the frequency and number of access attempts; therefore, it can be used to ramp up web site visitor counters, thus generating profits from advertising and from partnership programs.

  3. One of the most dangerous capabilities in Trojan-SMS.AndroidOS.Podec is the use of configurable webpage visit rules, with CAPTCHA recognition supported. With this, the Trojan can subscribe the user to premium-rate subscriptions without the user's knowledge or consent. This capability is unique to this Trojan, so let us review it in more detail.
Paid subscriptions

There are two main models of subscribing to content on a web resource:

  • Pseudo-subscription. In this model, users visit a web resource and enter their phone numbers. An SMS is then sent, asking users to pay for the service by sending a reply message with any text. When users send that message, a certain amount of money is deducted from their phone accounts, depending on the specific service provider's prices. These messages arrive automatically, and users make up their minds each time whether to send the reply message or not. It is for this reason that this model is often referred to as pseudo-subscription.
  • MT subscription. In this model, users enter their mobile phone numbers on a web page and receive an SMS with a validation code. Then users enter that code on the service provider's website, accepting the subscription terms and conditions. After that, the service provider will automatically deduct the sum stipulated in the subscription terms and conditions from the subscriber's account. In the Russian segment of the Internet, a number of partnership contracts are available that can aggregate this type of payments. This means that the cybercriminals do not have to directly deal with the cellular service providers when they create a service to which users can subscribe to paid content; partnership programs will do the agent's job. Under this model, the revenue is lower for the service creators, but the financial transactions are more anonymous.

Subscribing to paid services through a Trojan can be costly for users. In case of pseudo-subscriptions, one reply message may cost between $0.5 and $10. In case of MT subscription, the price in each specific case is agreed directly with the mobile service provider via the partnership program. The most dangerous factors here are that money is deducted 1) covertly and 2) on a regular basis. Users who are subscribed to several such "sources of content" may have to spend a lot of time and effort trying to find out where and how money from their accounts is going.

Example of the Trojan in operation

We were able to intercept Trojan-SMS.AndroidOS.Podec's communication with its C&C server. This communication session unfolded as follows:

  • The RuMaximum.com website was accessed – this site provides online test services for users. To get their results, users have to subscribe to the site.
  • This test in Russian is "What type of dog is most like you?"

  • With a GET request, the Trojan imitates a user taking a test. Then it finishes with a link that looks like http://rumaximum.com/result.php?test=0&reply[1]=0&reply[2]=0&reply[3]=0&reply[4]=0&reply[5]=0&reply[6]=0&reply[7]=0&reply[8]=0&reply[9]=0&reply[10]=0. This URL leads to the following web document:
  • Results of the test "What type of dog are you similar to?"
    "Yes, I am 18 years old or older, and I consent to the Terms and Conditions below.
    Enter your phone number."

  • After the user enters a phone number, a unique "landing page" of the service provider is generated, demanding a CAPTCHA authentication and for a validation code that was sent to the phone by SMS. The Trojan fills out both fields and validates the subscription. Then, the user is redirected to the test results via the e-commerce system totmoney.ru.
  • Results of the test "What type of dog are you similar to?"
    You are a German shepherd, a versatile dog. You can guard the state border or help the blind across the street. You learn things easily and keep your head cool in any circumstances. A good manager too!

The Trojan does all of these actions automatically using the configuration sent from the C&C. The victim, however, has no idea that any of this is happening.

Paid subscription capability

In the XML configuration sent from the C&C server, there is a field which subscribes the user to paid content. It looks like this:

Let's have a closer look at the configuration field:

  1. verify is an array of strings with the separator "-S-". It contains the information required to obtain the CAPTCHA value.
  2. verify[0]: if this field is not equal to zero, CAPTCHA recognition is required, otherwise further processing is done. This may contain the image file in base64 coding (done for processing static images and CAPTCHA), or an image ID;
    verify[1] is the key of the service 'http://antigate.com' used to recognize CAPTCHA and required to login at the service;
    verify[2] is the minimum image length, used for housekeeping purposes;
    verify[3] is the maximum image length, used for housekeeping purposes;
    verify[4] is the language of the symbols in the image.

  3. service is the accessed service;
  4. search is an array of strings with the separator "-S-", used to search for substrings in the link and to take a decision about the appropriate type of subscription depending on the search results;
  5. images is not used in this version;
  6. actions is an array of strings with the separator "-S-". Contains the final links that the services follows to initiate/complete the subscription process;
  7. type is request type;
  8. source indicates whether the webpage's source code should be sent to C&C;
  9. domain: If the page's source code should be sent to C&C, domain indicates the destination C&C.

The Observable interface is used to fetch the code of HTML pages and send it to C&C. The required information is sent to this interface, whenever needed, with the help of JavaScript when the page is loaded.

The webpage source code is required for cybercriminals to analyze the structure and to prepare an appropriate configuration for the paid subscription module. Also, this service provides source codes of webpages to ensure that the page's code is received in a form that can be used to show it to the victim. This makes it easier for the cybercriminals to analyze the page and start the subscription.

The function which completes the subscription to paid content is located in the class CustomWebView, which is inherited from the class WebViewClient. In it, the method onLoadResource was redefined (this method is used to get a link to the image), as was the onPageFinished method,which is used to post-process the loaded web-resource. Post-processing is based on analyzing the configuration and then visiting the required links with the help of the loadUrl function. When required, the CAPTCHA processor is called as well.

Bypassing CAPTCHA

Different partnership programs have different requirements from the design of a web resource where subscription tools will be hosted. For instance, there is often a requirement that for a CAPTCHA module to confirm that the request was not made from a bot. In most cases, the partnership program forwards the browser to the service provider's site where users are prompted to enter a CAPTCHA code to confirm their subscription requests. As explained above, Trojan-SMS.AndroidOS.Podec's key characteristic is that it can bypass CAPTCHA protection systems.

Trojan Podec can subscribe users to premium-rate services while bypassing CAPTCHA

Tweet

The CAPTCHA processor communicates with the service Antigate.com which provides image-to-text manual recognition services. Here is what the service says on its web-page:

Antigate.Com is an online service which provides real-time captcha-to-text decodings. This works easy: your software uploads a captcha to our server and receives text from it within seconds.

Source: antigate.com

In other words, the text from the CAPTCHA image is recognized by a person working for this service. According to the information Antigate.com provides on its website, most of its workers are based in India.

Source: antigate.com

Distribution of Antigate.com employees between countries

The Trojan communicates with Antigate.com via an HTTP API service: a POST request is used to the send the image containing a text to be recognized; then, with the help of GET requests, the recognition status is monitored. The recognized result (if received in reasonable time) is inserted into the links from the 'actions' field of the received configuration. Then the links are opened with the help of the loadUrl()function.

If the subscription mechanism requires SMS validation the Trojan uses the filter set by the cybercriminals to search for the message containing the validation code, and uses regular expressions to extract the code from there.

The general subscription procedure

General flow chart of subscription to paid content

In general, the model of subscribing to paid content consists of the Observer SubscribeService which listens to the events as they occur in the HTMLOUT interface. When data (a downloaded page) is received from there, it is sent to C&C with the help of the class Submitter, which inherits the class AsyncTask. Also, SubscribeService accepts command parameters from the manager routine as input, initializes CustomWebView and starts to process the task with the help of SubscribeTask. SubscribeTask launches CustomWebView in which input parameters are processed, and decision is made about how the subscription should be performed. If required, CaptchaProcessor is launched, which is responsible for communications with the text recognition service and handling the requests that require validation code and the characters from the CAPTCHA image.

Conclusion

From the analysis of Trojan-SMS.AndroidOS.Podec samples that arrived earlier, we can conclude that the Trojan is under ongoing development. The code is being refactored, new capabilities are added, and module architectures are being reworked.

We suspect this Trojan is being developed by a team of Android developers in close cooperation with Black SEO specialists specializing in fraud, illegal monetization and traffic generation. The following evidence supports this theory:

  1. The Trojan is distributed via the VKontakte social network employing social engineering tools;
  2. A commercial protector is used to conceal the malicious code;
  3. The scheme includes a complicated procedure of extorting money from the victim while bypassing CAPTCHA.

Also, there are certain features in the code of the analyzed version of Trojan-SMS.AndroidOS.Podec which have not yet been used but which may reveal the malware writer's further plans. For instance, there is an auxiliary function isRooted(), which helps to check whether the device's owner has super-user privileges. This function is not used in the Trojan's main code, so we can assume that a payload designed to exploit super-user privileges may emerge in future versions of the Trojan.

Users of Kaspersky Lab's products are already secured against all existing versions of Trojan-SMS.AndroidOS.Podec. Nonetheless, we recommend that users only install applications sourced from official stores, such as Google Play. The user should always be alert to cybercriminals' tricks and avoid downloading cracked apps advertised as free of charge. If you download and launch a Trojan, you can potentially lose much more money than you may earn from not paying to purchase legitimate software.

With acknowledgements to Mobile TeleSystems OAO, a GSM cell phone operator in Russia, and specifically to its experts in partnership programs traffic.

Understanding the operations of a scam

Mon, 03/09/2015 - 05:00

Currently, in Sweden, we're facing a big issue with scammers trying to buy items for sale on various auction websites, but when you initiate contact with the potential buyer things get nasty and you might lose money. This is nothing new, and most of the auction websites have written about this to inform their users, but they do not explain in detail how these scams actually work – their FAQs only advise people to be careful. So I know that there are a lot of questions unanswered for worried users.

Since one of these scammers tried to scam my wife, I decided to follow their scam and document the entire process, so that I could inform not only law enforcement but also our readers on how these scams actually work. When you know how the scam works, it will be much easier to spot them and avoid being scammed.

So, let me give you the background.

Our daughter got a new bike, so we decided to sell the old one on Blocket, the biggest website for personal ads (buying/selling) in Sweden.

After a few days my wife received an SMS (which unfortunately has been deleted). The SMS came from a Polish number, and the person wrote in very good English. They said that they were interested in the bike, but wanted to have more information, and gave my wife an email address. I told her NOT to reply via SMS but to email the person, because sometimes the bad guys send SMS from premium numbers, which means that when you reply to the SMS it will cost you much more than a normal SMS.

I told my wife to be very brief in her answers, which you can see in her initial email response below:

As you can see, the person starts to ask valid questions about the bike, which means that it's not a bot, it's actually someone who manually responded to this ad. I have no idea how they select their victims, but it is obviously a manual process.

We decided to take this even further, to see the next step in the scam, so we replied with the information about the bike – there was also still be a chance that the person was not a scammer and really wanted the bike.

It was after this email that everything started to get nasty. They accepted our offer, but what was so strange was that the person confirmed their Polish identity. Even if you look up the person on social media their identity seems to be Polish. So we decided to continue.

The person asked for our name, PayPal details and the total price, which we obviously sent them. They also said that they were going to cover the shipping cost for the bike, and had already involved a shipping company.

We shared our information, and waited for them to reply. They were VERY fast in replying to all the emails; it almost seemed as though there were a lot of people with access to the same mail account, but we weren't able to confirm this. In the email they sent just before the money transfer they also included an address in Poland. This address hasn't been confirmed, but we are trying to find out who lives at that address which can be found in the screenshot below. Within minutes they just stated that they had completed the transfer, which you can see in the second screenshot.


I did get two emails from something that looked like PayPal, but when you look more closely you can see that the email is not coming from PayPal at all. This is a very clever, but common, trick that is also used in phishing attacks.  When you look at the email you can see that it's actually being sent from service@e-pay-team.com which is hosted on Google Mail.  What is so interesting with this email is that it's most likely created manually too, because it contains details such as the price we asked for the bike.


At this point no money had been transferred to my PayPal account - the emails were just fake. The fraudsters next tried to get me to transfer the shipping cost, in this case 1700 SEK (about $200 USD), from our account to the company "P.S.S Logistics". The process they outlined for transferring the money was to visit a Western Union office, and transfer it to this shipping company; but when you look more closely at the emails they sent, they wanted us to transfer it to a private person. There is a company called "P.S.S Logistics", but its registered in South Africa, the fraudsters started to use this name, but when you transfer the money it goes to an individual named "Bamise Seon" in Nigeria.


At this point I wondered if the scammers were working with hacked accounts, because all of the individuals exist on various social media networks. For example, the person who keeps email using the Polish name "Pawel Dylewski" can be found on Google Plus. And the individual in Nigeria can be found on Facebook. If you look closely on the screen captures I took from Facebook, you can see that there are two identities, one female and one male, and they are both connected to each other by the same name. In the screenshot below you can see that it's written: "Send HER a friend request", which indicates that this profile belongs to a female. You can also see that she has one friend, a person with the same name, but with a profile picture of a man and more information.

I am currently working with PayPal, Western Union, Google and law enforcement, to share the intelligence I have collected, but I also want to share this story. We need to inform everyone who is actively selling/buying things online to keep a close eye on the details. If the deal sounds too good to be true, in most cases it is.

The scheme in bullet points:
  1. You receive an SMS from a potential buyer containing an email for further contact?
  2. In some cases the SMS is sent from a premium number, so when you reply you will be charged for the premium service.
  3. Once the email conversation starts, the buyer wants to pay with an online payment service - for example, PayPal - offering full payment, including shipping.
  4. They send FAKE emails pretending to come from PayPal, stating that their money has been transferred to your account. But the money won't be transferred to your account until you have completed the deal.
  5. The deal can only be completed if you transfer money for the shipping costs to a shipping company - for example, via Western Union.
  6. The shipping company does not exist, it's actually the personal account of the scammer; which means that they want you to transfer a sum from your own pocket in the hope that they will pay the full amount (including the amount for your item) into your PayPal account.
Some useful tips when communicating with strangers over Internet:
  • Please do not use SMS to communicate, because fraudsters might use premium numbers to charge you a lot of money.
  • Please double-check any email address: for example, in this case it did not come from "paypal.com", but "e-pay-team.com".
  • Never transfer any money to anyone; and always make sure you have received payment BEFORE you ship the item you are selling.
  • Never pay with a credit card unless you are 100% sure that the website is legitimate; try to use secure payment methods such as PayPal.

PS: We sold the bike today. To a REAL person

Animals in the APT Farm

Fri, 03/06/2015 - 06:00

In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild.

Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. Victims include:

  • Government organizations
  • Military contractors
  • Humanitarian aid organizations
  • Private companies
  • Journalists and media organizations
  • Activists

Our colleagues at Cyphort, G-DATA and ESET have recently published blogs about Bunny, Casper and Babar, some of the Trojans used by the Animal Farm group.

The Farm includes several Trojans, which we have grouped into six major families:

Here's a brief description of the animals in the farm:

  • Bunny - an old "validator"-style Trojan used with a PDF zero-day attack in 2011.
  • Dino - a full-featured espionage platform.
  • Babar - the most sophisticated espionage platform from the Animal Farm group.
  • NBot - malware used in a botnet-style operation by the group. It has DDoS capabilities.
  • Tafacalou - a validator-style Trojan used by the attackers in recent years. Confirmed victims get upgraded to Dino or Babar.
  • Casper – the most recent "validator"-style implant from the Animal Farm group.

The group has been active since at least 2009 and there are signs that earlier malware versions  were developed as far back as 2007.

Over the years we have tracked multiple campaigns by the Animal Farm group. These can be identified by a specific code found either in the malware configuration or extracted from the C&C logs.

Most recently, the group deployed the Casper Trojan via a watering-hole attack in Syria. A full description of this zero-day attack can be found in this blog post by Kaspersky Lab's Vyacheslav Zakorzhevsky.

In addition to these, the Animal Farm attackers used at least one unknown, mysterious malware during an operation targeting computer users in Burkina Faso.

KSN & Sinkholing statistics

During the investigation we sinkholed a large number of C&C servers used by the Animal Farm group. This allowed us to compile a comprehensive picture of both targets and victims.

The malware known as Tafacalou (aka "TFC", "Transporter") is perhaps of greatest interest here, because it acts as an entry point for the more sophisticated spy platforms Babar and Dino. Based on the Tafacalou infection logs, we observed that most of the victims are in the following countries: Syria, Iran, Malaysia, USA, China, Turkey, Netherlands, Germany, Great Britain, Russia, Sweden, Austria, Algeria, Israel, Iraq, Morocco, New Zealand, Ukraine.

What does "Tafacalou" mean?

"Tafacalou" is the attacker's internal name for one of the validator (1st stage) Trojans. We tried various spellings of this word to see if it means anything in a specific language, and the most interesting option is one with its origins in the Occitan language: "Ta Fa Calou."

The expression "Fa Calou" is the French interpretation of the Occitane "Fa Calor" which means "it's getting hot" (see http://ejournaux.blogspot.com/2008/07/la-langue-occitane-et-ses-quelques.html). 'Ta Fa Calou" could therefore be taken to mean "so it's getting hot" based on the Occitan language.

According to Wikipedia: 'Occitan is a Romance language spoken in southern France, Italy's Occitan Valleys, Monaco, and Spain's Val d'Aran; collectively, these regions are sometimes referred to unofficially as "Occitania".

Note: A detailed technical report on Animal Farm is available to customers of Kaspersky Intelligent Services.  For more information, contact intelreports@kaspersky.com

Who's Really Spreading through the Bright Star?

Wed, 03/04/2015 - 12:14

Security researchers recently announced that that the official website for the Korean Central News Agency of the Democratic People's Republic of Korea has been serving malware disguised as a Flash Player update. The immediately conspicuous code is still active on the KCNA front page. The javascript variables at the top of the front page source code are part of an interwoven js mechanism meant to check for specific requirements before redirecting the visitor to a relative location, /download/FlashPlayer10.zip.

The malware delivery site has been live, although response to connection attempts is intermittent at best. The zip file contains two executables with the common Flash installer names.This malware has been around since the end of 2012.

What appears to be rushed attribution and pretty faux-intelligence diagrams proposes the standard hypothesis that the malware was placed there by the site's developers in an attempt to infect the endpoints of those outsiders interested in the goings-on of the DPRK. This may not be the case, because incidents are usually more complex than they seem. And clearly, this is a significant piece of the puzzle - there was human involvement in adding this web page filtering. It is not a part of the viral routines in its handful of components. Instead, the malware's trigger, system requirements, and technical and operational similarities with the more recent DarkHotel campaigns point in the direction of an external actor, possibly looking to keep tabs on the geographically dispersed DPRK internet-enabled elite.

The larger spread of victims include telecommunications network engineering staff, wealth management and trading staff, a pharmaceutical's electrical engineering staff, distributed software development teams, business management and related school faculty and IT, and many, many more.

Website Attack and Geographic Spread

One of the most notable characteristics is that the malware isn't being delivered to every site visitor. The delivery trigger is contingent on the absence of the legitimate Flash Player 10 or newer being present on the target's Windows system. If a user attempts to view the videos or picture slideshows linked on the bottom right pane of the front page, the user is presented with a gif in place of the desired content indicating that flash player is required. Naturally, clicking on the gif will redirect to the malicious zip file. It's also interesting that this malware has no Linux or OS X variant, deliverables are exclusively Windows executables. It's also interesting that the malware components were first detected in Nov of 2012, two months prior to the first known appearance of the Flashplayer bundle on the kcna.kp website. While we don't know definitively the exact origin of these infections, at this point, we suspect it was in fact the kcna website. There are no other known sources.

 

KSN data also includes few select cases where Firefox users were served up the malware while visiting a page known for cross-site scripting, described in the following section "Potential XSS-Enabled Watering Hole". Basically, the timing and resource location of this vulnerability presents the definite possibility of an external actor's intrusion.

The delivery of a zip file dependent on user interaction and self-infection initially implies a fairly low level of attack sophistication, but let's go farther than the social engineering elements of the attack and consider the victim profiling too. From this web site in particular, the attackers are initially targeting users with not only a low-level of technical expertise and general knowledge, but also tragically outdated Windows systems. Flash Player version 10 was released on October 2008, and newer browsers like Google Chrome include a more recent flash plug-in out of the box. These attacks took place in the third quarter of 2012 at the earliest.

Most likely, the intended victims are known to use outdated systems that fit these specifications. This is the case in North Korea, where Global Stats places nearly half of desktop computers systems still running Windows XP. In comparison, South Korea has a steady Windows 7 adoption rate of nearly 80% over the past year.

So what is the actual geographic spread of the malware? Well, the two main associated components mscaps.exe and wtime32.dll were detected on systems mostly in China, followed by South Korea, and Russia. We can infer that these systems were infected at some point and were victim systems of the kcna.kp spread malware:

China 450 Korea, Republic of 43 Russian Federation 25 Malaysia 20 Italy 11 India 10 Korea, Democratic People's Republic of 7 Germany 7 Hong Kong 6 Iran, Islamic Republic of 4

However, reading into the geolocation of the top hits is not as straightforward as it may seem. Reports suggest that NK elites have access to various internet providers that may geolocate their ip in Chinese, Russian, and Hong Kong IP ranges.

 

Potential XSS-Enabled Watering Hole

Given the recent branding of NK threat actor as the culprit of the Sony hack, original reporting has had no difficulty accepting the idea that this is an attack perpetrated from within the DPRK in order to keep track of those people interested in the official state media. Let's examine the difficulties in arriving at that conclusion.

First, the site itself was vulnerable to XSS in the early 2013 time frame, when the Flashplayer installer bundle first appeared on the site. The site's vulnerability is recorded here by "Hexspirit"  on XSSed in April 2013. As a matter of fact, the first pages we are aware of that referred to the flashplayer bundle on kcna.kp by the exact same XSS-vulnerable page were seen in Jan 2013:

hxxp://www.kcna.kp/kcna.user.home.photo.retrievePhotoList.kcmsf;jsessionid=xxx

So, the flashplayer bundle may have been delivered by any APT actor and not simply the site's governmental sponsor. Coupling that possibility with the Darkhotel APT's penchant for delivering Flashplayer installers from compromised resources, this scenario holds weight. Also, the strong possibility that the site's developers unknowingly maintained infected machines is present.

The operational angle of placing malware on the state's official news site is dependent on who is most likely to view this site or directed to it and be interested in its content -- to the point of arriving at the download trigger deep in the media section. Sure, we can consider that key elements in the international community, like dissidents, think tanks, and foreign institutions are likely to keep an eye on NK state news but their systems are unlikely to fit the Flash player requirements for the infection. We also have seen forums maintaining emotionally charged discussions containing links to photo images redirecting to the Flash installer malware. Perhaps forum participants were targeted actively in this way as well. So this watering hole attack may be focused inward, intentionally targeting the geographically-spread North Korean internet-enabled elite and other interested readers by an external threat actor.

Malware Similarities to Darkhotel APT Toolset 

The original finding includes a preliminary analysis of the quirky inner workings of the malware dropper, delving into the two executables masquerading as Flash Player 10 updates. Let's go a step further and discuss the following similarities between the viral code hosted on kcna.kp and the previously documented Darkhotel malware in the following categories:

  • Social engineering
  • Distribution
  • Data collection
  • Network configuration and simple obfuscation
  • Infection and injection behavior
  • Timestamps and timelines

A referent for these malware similarities can be found in descriptions of the malware distributed during the DarkHotel campaigns. Comparisons follow.

Social engineering

The most blatant and obvious similarity between these campaigns is the approach of delivering spoofed FlashPlayer installers bound with backdoors from compromised server resources. This is the first page out of the Darkhotel playbook and one of its most distinct qualities now replicated in the KCNA attack. The benefits of this approach are significant, especially when considering that the malware in the case of KCNA is not digitally signed and requires express user interaction for execution.

Data Collection

On a technical level, it's interesting to recall the Darkhotel information stealer from 2012. Its purpose is to collect identifying data points from victim systems. The data points of interest to the DH information stealer are very similar to that of its KCNA equivalent (shown below):

Coincidentally, the KCNA dropper collects much the same identifying data points from victim systems. The Darkhotel item missing from this list is the 'CPU Name and Identifier', supplanted by 'time of infection'.

The Darkhotel stealer maintained the stolen data in a specific internal format of label-colon-value as follows:

The KCNA stealer maintained the stolen data in the following internal format, very similar to the Darkhotel format (label-colon-value):

Network configuration and simple obfuscation

This package's network callback includes several unusual Fully Qualified Domain Names (FQDNs). This network configuration is specifically hardcoded within wtime32.dll:

a.gwas.perl.sh
a-gwas-01.dyndns.org
a-gwas-01.slyip.net

It's interesting that the malware is configured with three connectback command & control servers, just like the network configuration of tens of the Darkhotel backdoors. Also, a very simple routine locates these strings within the wtime32.dll component's .data section and decodes them as global variables. Those strings are obfuscated within the binary with a simple XOR 0x12 loop. The later Darkhotel samples maintain a somewhat more complicated approach, but not by much. Here are strangely obfuscated strings:

Software\Microsoft\Active Setup\Installed Components
{ef2b00e3-19da-4e78-b118-6b6451b719f2}
{a96adc11-e20e-4e21-bfac-3e483c40906e}
Software\Microsoft\Windows\CurrentVersion\Run
JREUpdate
mscaps.exe
a.gwas.perl.sh
a-gwas-01.slyip.net
a-gwas-01.dyndns.org
update.microsoft.com
20
%SystemRoot%\system32
%APPDATA%\Microsoft\Protect\SETUP
%SystemRoot%\system32\gdi32.dll

Targeting Specificity

The Darkhotel actor is unusual in the varying degrees of specificity it uses to spread its malware: "This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics."

In other words, the group is surprisingly open to their worms spreading indiscriminately across entire countries, hitting tens of thousands of systems. This is also the case in the KCNA campaign wherein malware is positioned in a way meant to attract a specific target audience with uncommon system requirements and yet the malware itself is designed to spread indiscriminately (via a mechanism described below).

Infection and Injection Behaviors

Much like the Darkhotel toolset, the KCNA malware includes viral code. The routine is maintained in the fil.dll code. After sleeping for a couple of minute intervals, the code repeatedly looks through attached network drives for executables to infect. It infects these files with its explorer shellcode and the @AE1.tmp dropper itself. It's a strange infection strategy --notably, the shellcode blob does not transfer control back into the original file.

The injection behavior is both intricate and indiscriminate as the malware not only infects executables on network shares but also locally. As an example, the size of an infected Skype installer on a network drive increased in size from its original 1,513 kb to 3,221 kb.

Great strides, however inelegant, were taken in adding to the malware's injection capabilities beyond simple executables. For this purpose, the malware drops a copy of command-line WinRar version 4.1.0 (released January 2012) in %USERS%\AppData\Roaming\Microsoft\Identities\\Rar.exe. This Winrar software is used in order to access ZIP, RAR, ISO, and 7Z files in search of any executable contents to infect. Archives in the aforementioned formats containing executables are infected and then repackaged under their original filenames but with their new executable contents under the Daws.awfy scheme.

All resultant infected files are detected by our products as Trojan-Dropper.Win32.Daws.awfy. Several networks were affected by this viral code, and almost one thousand unique md5s representing related infected files across various systems were recorded as "Trojan-Dropper.Win32.Daws.awfy".

Viral Victimology

Given the malware's viral propagation capabilities, we can distinguish the infection spread data above, which relates directly to the Flashplayer hosted on KCNA, from the malware's viral spread through network shares and removable drives. While each count in this list represents a unique organization or system that detected a set of KCNA-viral infected files on their drives, the total infected file detection count is almost 20,000 files. Focusing on the Daws.awfy spread, we get a different picture of the malware's reach:

Country Systems and organzations encountering infected files China 481 Malaysia 51 Russia 47 Korea, Republic of 34 Taiwan 14 Senegal 14 Korea, Democratic People's Republic of 11* India 9 Mexico 9 Qatar 9

It's important to note the different conditions that apply to North Korea. First of all, the limited IP space means that multiple unique systems share IP addresses --in the case of DPRK victims above, the number is based on unique systems instead of unique IP addresses. Next, we attribute the relatively low number of network-based infections to the restrictive policies that keep many users from connecting to the larger Internet from KP ip ranges in the first place. A network- and usb-based viral infector is a great tool for a malicious actor to use the few front-facing systems in order to infect computers on an isolated intranet, like the one connecting most machines inside NK. However, that very isolation makes it impossible to precisely quantify the malware's success inside that intranet at this time.

Timestamps and timelines

KCNA malware dropper compilation timestamp: Tue, 13 Mar 2012 02:24:49 GMT.
Darkhotel information stealer compilation timestamp: Mon, 30 Apr 2012 00:25:59 GMT.

Also interesting is that mostly all of the additional KCNA malware related components were compiled in mid-March 2012.

The first Darkhotel APT spoofed flashplayer installer incidents recorded in our KSN data began in 2012 and peaked in 2013. This KCNA incident would fall in the peak timeframe for this type of offensive activity for Darkhotel. 

Noteworthy Components

In addition to the legitimate flash player upgrade that this archive maintains, the backdoor components that it drops to disk and executes seem to be clustered as Windows Live components (i.e.: Defender, IM Messenger). The two most interesting dropped files are the following:

78d3c8705f8baf7d34e6a6737d1cfa18,c:\windows\system32\mscaps.exe
978888892a1ed13e94d2fcb832a2a6b5,c:\windows\system32\wtime32.dll

The mscaps.exe component's reboot persistence setting is added to the registry here: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{a96adc11-e20e-4e21-bfac-3e483c40906e}, where its stubpath is set to '"C:\WINDOWS\system32\mscaps.exe"  /s /n /i:U shell32.dll'. This setting ensures that every time the explorer.exe shell is started or restarted on the system, this executable injects its code.

Other analyses of this malware failed to mention the presence of Madshi's madCodeHook. It is a legitimate commercial DLL injection and api hooking framework, in this case used to inject the att.dll spyware component specifically into the following communications applications:

  • Internet Explorer -- iexplore.exe, ieuser.exe
  • Mozilla Firefox, firefox.exe
  • Google Chrome, chrome.exe
  • Microsoft Outlook Express, msimn.exe
  • Microsoft Outlook, outlook.exe
  • Windows Mail, winmail.exe
  • Windows Live Mail, wlmail.exe
  • MSN Messenger, msnmsgr.exe
  • Yahoo! Messenger, yahoomessenger.exe
  • Windows FTP Client, ftp.exe

The LoadLibraryExW hook is placed here:

The hook jmp listed here:

Related string parsing loop here:

Other analysis notes that ws2_32.dll, or the winsock2 library, is dropped to disk and copied to mydll.dll. The reason for this is most likely to maintain stable Winsock2 hooks across Windows OS. In the past, some madCodeHooks set on Winsock2 api proved to be unstable, so these guys just include one that they know works.

This implementation throws a wrench in the works, it is certainly a dissimilarity. The madCodeHook library was not observed in Darkhotel malware.

The wtime32.dll component is dropped to disk and loaded at startup into explorer.exe. It is then injected into each of the listed "interesting" processes. It is a very interesting bot component, communicating with its three c2 domains and listening for further commands. It maintains 13 primitive interactive bot commands:

Command Command Description cmd run provided cmd and output to file as a part of newly created and killed process, i.e. "cmd /c tree > file 2>&1" inf collect system information - operating system version, username, computername, system drive, local time, all connected drives and properties, network adapter properties, disk free space, enumerate all installed programs as per-user or per-machine cap capture screenshot and send to c2 dlu incomplete function dll open a process with all access, write a dll to memory and remotely create thread (load a dll into a remote process) put receive, decrypt, and write specified file to disk got report status on retrieved file get collect, encrypt, and retrieve specified file exe run provided executable name with WinExec del record file attributes to specified c2 and delete specified file dir record and report to c2 all files in current directory tree and their attributes: filename, file size, last write time, archive or directory, hidden, system quit exit thread prc process request

Its functionality includes older technologies used here that we just don't see anymore. Not only does it provide for NTFS, FAT32, FAT16, and FAT filesystem I/O routines, but it implements the older FAT12 I/O routines as well. Low level Windows95 raw disk access is enabled with CreateFileA on \\.\vwin32 through the vwin32 virtual driver.

Finally, the KCNA malware does have a unique trick up its sleeve. Its dropped components' ability to scan connected drives and network shares to copy their contents and deliver a special something to further its spread. So in its own crude way, this malware could hop across usb-enabled air-gapped networks by infecting both executables and archives on usb sticks.

Conclusions

The KCNA incident and the related viral bot's spread leaves more questions than solid answers. Chalking this campaign up to DPRK operations is certainly a simplistic thing to do and unsupported here. The possibility for the spread of an internal network virus or the possibility of an XSS-enabled website compromise are both high. Some similarities with the Darkhotel toolset are present, including the network configuration, spoofing technique, as well as the format and selection of stolen data. Were these to be related campaigns, particularities of the KCNA malware show that the Darkhotel actor may still have some tricks up its sleeve.


Appendix

Components Dropped by the KCNA Malware

78d3c8705f8baf7d34e6a6737d1cfa18, mscaps.exe, Tue, 12 Apr 2011 09:15:59 GMT
978888892a1ed13e94d2fcb832a2a6b5, wtime32.dll, 213kb, Trojan.Win32.Agent.hwgw, CompiledOn:Wed, 29 Feb 2012 00:50:36 GMT
2d9df706d1857434fcaa014df70d1c66, arc.dll, 1029kb, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:34:00 GMT
fffa05401511ad2a89283c52d0c86472, att.dll, 229KB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:32 GMT
1fcc5b3ed6bc76d70cfa49d051e0dff6, dis.dll, 120.kb, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:36 GMT
d0c9ada173da923efabb53d5a9b28d54, fil.dll, 126kb, UDS:DangerousObject.Multi.Generic, CompiledOn:Tue, 13 Mar 2012 02:24:41 GMT
daac1781c9d22f5743ade0cb41feaebf, launch.exe, 172KB, HEUR:Trojan.Win32.Generic, CompiledOn:Tue, 13 Mar 2012 02:24:52 GMT
6a9461f260ebb2556b8ae1d0ba93858a, sha.dll, 89KB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:43 GMT
f1c9f4a1f92588aeb82be5d2d4c2c730, usd.dll, 99KB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:46 GMT
59ee2ff6dbac2b6cd3e98cb0ff581bdb, WdExt.exe, 1.66MB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:49 GMT
f415ea8f2435d6c9656cc6525c65bd3c, wtmps.exe, 1.94MB, Trojan-Dropper.Win32.Daws.awfy, CompiledOn:Mon, 05 Mar 2012 08:37:55 GMT

 

Related MD5s, Domains, and Detections

Trojan.Win32.Agent.hwgw
78d3c8705f8baf7d34e6a6737d1cfa18, mscaps.exe
2d9df706d1857434fcaa014df70d1c66, arc.dll
1e7c6907b63c4a485e7616aa04351da7, @aedf66.tmp.exe
1fcc5b3ed6bc76d70cfa49d051e0dff6, dis.dll
523b4b169dde3bcab81311cfdee68e92, wdext.exe
541989816355fd606838260f5b49d931, wdext.exe
5e34f85278bf3504fc1b9a59d2e7479b, wdext.exe
6a9461f260ebb2556b8ae1d0ba93858a, sha.dll
78ba5b642df336009812a0b52827e1de, wdexe.exe
7f15d9149736966f1df03fc60e87b8ac, wdext.exe
7f3a38093bd60da04d0fa5f50867d24f
82206de94db9fb9413e7b90c2923d674
a59d9476cfe51597129d5aec64a8e422, @ae465f.tmp.exe
f1c9f4a1f92588aeb82be5d2d4c2c730, usd.dll
fffa05401511ad2a89283c52d0c86472, att.dll
d0c9ada173da923efabb53d5a9b28d54, fil.dll

Trojan-Dropper.Win32.Daws.awfy
2f7b96b196a1ebd7b4ab4a6e131aac58
8948f967b61fecf1017f620f51ab737d
...and almost 800 other executables that were infected on network shares and attached drives

c2 Domains
a.gwas.perl.sh,211.233.75.83
a-gwas-01.dyndns.org
a-gwas-01.slyip.net

Skyfall Meets Skype

Wed, 03/04/2015 - 10:14

The portmanteau-named SKYPEFALL.EXE is the latest, very active, malware-spamming campaign spreading through Skype. We first registered this attack on March 3 using both Spanish and English to lure victims. How does this attack work?

The victim receives a Skype message in the following format:

Dios Mio! [user name in Skype] video: http://********skype.info/video/?n=[user name in Skype]

Oh, My God ! [user name in Skype] video: http://********skype.info/video/?n=[user name in Skype]

If they click on the link and use Internet Explorer, it leads them to a fake video Website full of fabricated comments meant to peak the users interest while inviting the victim to download a plugin in order to watch the video itself:



Again, the URL used in the malicious message sent through Skype is available only if the browser referrer points to Internet Explorer. If the victim uses any other browser, the URL is simply unavailable.

The initial setup.exe is a RAR auto-extractible file with embedded instructions. It includes a full GUI installation package.

The victim receives both Adware-like functionality as well as Backdoor capabilities. Once it is installed on the victim's machine, it abuses the new victim's Skype friends list to continue spamming the aforementioned messages. The instructions for its behavior are downloaded from another server and look like this:

{
"skype_restart_mins": 120,
"old_friend_hours": 48,
"del_msgs_limit": 5,
"send_strategy": 1,
"max_loc_msgs": 60}

The malware also includes an embedded SMTP client that would potentially allow the attackers to send spam through the victim's machine.
The attackers leading this campaign are changing this binary on the Web every few hours. In this way, they are trying to evade any consistent AV detection.

Dating Lisa for 1 Euro

Wed, 03/04/2015 - 10:11

Last night I got a unexpected SMS in German language on one of my phones. A message from "Lisa", pretending to know me, including an url luring the reader to a picture of her.

The short-url points to the domain "m.bensbumsblog.com", which is already known for being used in SMS-spam for dating-websites, redirecting to a dating website. As there was no preregistration or request for this SMS, this clearly belongs into the category unsolicited bulk message.

The final target of the link is "daily-date.de". This website requires registration (username, password, mail-address and several personal questions). Finally it offers premium access to the system, which means searching, meeting and texting people as well as watching pictures, not for free though. This campaign offers a 14-day trail for 1€.

The domain "bensbumsblog.com" is protected by an anonymizing service to avoid identifying the owner. Although the IP-address is owned by a cloud service (according to RIPE lookup) and rented by some marketing company (IP reverse lookup).
The final website "daily-date.de" belongs to a German company, located in Berlin.
A look at the click-statistics from "bit.ly" shows that this campaign started on 03.03.2015 and got more than 10,000 clicks within 18 hours, most of them from Germany. Most clicks appeared in the first 3 hours of the campaign (started around 18:00 CET).

The "bit.ly"-user "benbu", who setup this Link, already created 15 Bitlinks/Short-URLs (active since 2nd of march 2015).

Amount of Bitlinks Target/Campaign 6 DailyDates (this campaign) 1 Easy money/credit cards 8 Coupons

Spam is a common problem, not only via email. Although SMS-Spam is more common in Asia but less common in Europe.

Having a look at other campaigns by this user, not all were successful. Besides this campaign, 6 others got some clicks. All mostly targeting Germany.

Created Target/Campaign Clicks 02.03.2015 Coupons 2630 02.03.2015 Coupons 1764 02.03.2015 Coupons 250 02.03.2015 DailyDates 993 03.03.2015 Coupons 1878 03.03.2015 Coupons 1004

In general make sure that you don't just click on any link you get as there might also be malicious content behind. To improve protection of your mobile (smartphone/tablet) always ensure you install updates. Further you should have security software installed to be protected against mobile malware.

 

 

Threats to Children Online: The Danger is Real

Wed, 03/04/2015 - 06:00

 Download Full Report PDF

The Internet has long ceased to be the preserve of grown-ups. Children today are often far more active Internet users than their parents. But is it safe enough for children to use without fear of facing inappropriate content? To find out we decided to investigate potential online threats to children.

The research is based on data processed by our Kaspersky Security Network. We analyzed data from more than a million Kaspersky Lab customers. Each of them had encountered dangerous content at least once in the last year.

The results show that more than half (59.5%) of users encountered pornography; over a quarter (26.6%) landed on websites dedicated to gambling; every fifth user stumbled across sites featuring weapons; and almost the same number were confronted by strong language.

Percentage of users worldwide encountered dangerous content in 2014

Two thirds (67.29%) came across chat services. Only a small proportion of these services, such as those with anonymity functions or predominately adult subscribers, represent a potential threat to children. As a result it is difficult to take overall chat service encounters as an accurate indication of the level of risk to young people.  However, the data does confirm the popularity of chat; and the greater the popularity of chat services in any given country, the greater the probability that children might occasionally or even intentionally enter into an unsafe chat environment. So, if nothing else, evidence of frequent encounters with chat services could be a sign for parents to pay more attention to the nature of these services and the likelihood of their child being drawn in.

Websites carrying these kinds of inappropriate content (adult, chat, gambling and weapons), along with others featuring drugs, tobacco and alcohol, were the ones blocked most often by Kaspersky Lab protection solutions. The frequency of detections demonstrates just how easy it is for users to encounter such content online. The higher the frequency: the greater the probability.

The most frequent use of parental controls were from China, USA, German, the UK and Russia #KLReport

Tweet

In geographical terms, the countries with the most frequent Parental Control detections were China, the USA, Germany, the UK and Russia. France, Vietnam, Brazil and Algeria also ranked in the top ten in terms of inappropriate content detection – but were relatively safer due to a lower frequency of detection.

Each of the top ten most affected countries has its own distinct characteristics when it comes to the prevailing online threats for children. For instance, adult content was the biggest threat to users in Germany (with 172 detections per user), China (144.18 detections per user), and the US (126.16 detections). Content about alcohol, tobacco and drugs was a major threat to users from Russia, Germany, the USA and France. The frequency of detection was especially high in these countries. This kind of content also proved popular in Brazil and the UK.

Parents should choose parental control solutions to help protect their children #KLReport

Tweet

The fact that the threat landscape for children changes significantly from country to country is one of the most remarkable findings to emerge from the research. It is a clear sign for parents around the world to pay special attention to what their children are doing online in their own country, as every situation will be different. To protect young people, we recommend that adults choose protection solutions with Parental Control technologies and make full use of safe "children" modes in search engines and applications that allow access to multimedia content and which are used by children.

However, although Parental Control technologies can block access to web sites with content that is dangerous or distressing for children, they cannot offer reliable protection in situations where safe-by-default web services like social networks or chats are misused by predators or users conducting cyberbullying campaigns.

Internet security deserves to be taken as seriously as real-life physical security #KLReport

Tweet

Internet security deserves to be taken as seriously as real-life physical security. That's why we urge parents to take an active part in their children's real and digital lives.  Only then can they be sure that they won't miss the moment when their child might need their support.

Read more about online threats to children in the full text of the research.

The Enemy on your Phone

Thu, 02/26/2015 - 05:00

Many people believe that there are no malware programs on smartphones. There was a time when there was some truth in this. A few years ago mobile platform operators originally designed their products with very high security levels. Mobile operating systems did not allow malicious programs to easily seize control and make themselves at home on devices.

Sadly that's no longer the case. Mobile devices are fundamentally different, they can do much more. A modern smartphone is a full-blown working tool, an entertainment center and a tool to manage your personal finances. The more it can do, the more attractive it is to cybercriminals. They want to steal a slice of that pie and the more tempting the prize, the more they create malicious applications, and invent methods to infect computers and to distribute malware.

Since Q1 2012, the number of malicious programs has grown more than tenfold, to exceed 12,000,000 in Q4 2014

Tweet

The evidence for this is clear when we look at the rapid growth in the numbers of mobile Trojans. The rate of growth is impressive: since Q1 2012, the number of malicious programs has grown more than tenfold, to exceed 12,000,000 in Q4 2014.

The number of detected malicious installation packages

Looking at the types of malicious programs is also revealing. It is easy to see that SMS Trojans and multi-purpose backdoors are giving way to malicious adware and Trojan bankers. However, just because a specific type of malware is losing its market share, this doesn't mean it is disappearing: it should be also remembered that the overall number of malware programs targeting mobile devices keeps growing.

Distribution of mobile malware by function (files from Kaspersky Lab's collection)

Malware writers don't create tons of malicious programs to build up a private collection or show off on some forum. All malware programs find their victims, and it is at times surprising to see how a seemingly innocuous loophole can allow them onto users' mobile devices.

Do it yourself

Believe it or not, users often infect their mobile devices with their own hands.

The ways to get malicious code on a regular computer without any user involvement are well known. Cybercriminals hack websites, users visit the sites and a hidden frame is opened in their browsers to download malware on to the victim machine using an arsenal of exploits.

On mobile platforms, everything is different. The underlying principles behind these platforms mean there are almost no vulnerabilities that would enable cybercriminals to attack a device without the user's knowledge and consent. So criminals need some help from users: Trojans must be installed and launched by their intended victims. It's like the old joke about the first, primitive virus: 'please delete all your important data and reformat your hard drive'.

A classic method to make money with mobile malware is to send premium-rate SMS messages from your phone

Tweet

Installing programs is one of the weakest places in mobile platforms, especially Android. Under iOS, you have to spend time fiddling around before you can install a program from anywhere other than App Store; however, Android allows users to do that by checking just one box in the settings. Once that's done, the system will check the digital signature of any installation package, and theoretically that should protect your device against malicious programs. But here's the snag: there are no Android certification centers, so anyone can create their own signature. Of course cybercriminals just sign off their own security confirmation and the installation goes ahead without a hitch when the user clicks 'OK'.

And many users do click 'OK'. After all, it's often easier than investigating everything about the app you're allowing onto your device.

Information security is usually far from the thoughts of a regular user. People love a bargain and find it hard to resist a free download of a useful program or a favorite game from some helpful-looking website. Often the application, once installed, will work as expected, except that money is drained from the phone's account at an alarming rate, and the user's credit card will soon get empty… Or, if users are invited to watch an exclusive video on an interesting site, perhaps they'd take a minute to update their Flash Players?

Fake Adobe Flash Player update page. Users are told to update an outdated version of Flash Player on their devices

Inexperienced users do not know that the update process for software on smartphones is different than on computers, so cybercriminals can trick them into installing anything under the guise of a useful upgrade.

Cybercriminals are extremely aggressive and astute when pursuing their targets: malicious applications are typically distributed in the form of various tempting software programs, games, porn clips or players for watching porn.

Where to find malware

Since users have to install malicious programs on their smartphones with their own hands, cybercriminals need to somehow entice them to a web resource where the malware is available. "Black SEO" is one of the methods used to do that. Black SEO is a type of search optimization that encourages search engines to display a link to the preferred malicious resource at the top of the search results. As soon as the site receives a top position in the search results, a harvest of unwitting users can be reaped.

A bored user types "Android games download" in a search engine and receives a link to web-site in the first or second line at the top of search results. That site may indeed contain games, but they come with some unpleasant extras. People tend to trust the sites from the top lines of search results. Users think that since thousands of people visit a web-site, it will also have the game or program they are looking for. Users do not think about security. That's a big mistake.

To bring the malicious site to the top of the search results, cybercriminals often use botnets: thousands of bots send search requests to Google and Yandex and visit the cybercriminals' site, boosting its ranking. Links to the cybercriminals' site are also published on all types of forums, bulletin boards, and in comments on news sites. The crawler bots of search engines find them there, so the rankings grow even faster.

Of course search engines try to stop this abuse of their services. They block hundreds of malicious sites. But that's not a big problem for cybercriminals: they keep creating and promoting new sites with the help of automatic tools.

SMS spam is yet another means of enticing users to sites containing malicious applications. It could be a simple, non-targeted mass-mailing of messages containing a link to the site: at least some of the recipients will follow the link. As soon as such program lands on somebody's smartphone, it will start to send SMS messages containing the malicious link to the owner's entire contact list. A message from a person you know raises few suspicions, especially if the text looks natural, so many do indeed follow the link they received, hoping to see some photos or jokes that their friend is sharing. But once opened, the site actually hosts malware samples from the cybercriminal.

Another method allows cybercriminals to exploit the popularity of legitimate resources. Cybercriminals hack popular online resources high visitor traffic, such as news sites, online stores, specialized portals. If the site's software contains known vulnerabilities, a code is embedded to the page and redirects the users to another site containing malware. If no vulnerabilities could be found, cybercriminals can still try to steal the site admin's credentials by using phishing and social engineering. If they succeed they can do anything to the site, including posting malware on the site itself.

Fake Android Market

In addition mobile malicious applications are distributed "almost honestly" – via app stores. This might be a legitimate program containing embedded malicious code; a specially created application which imitates some useful functionalities; or a bare-bones malicious program, with just a name and an icon as a camouflage.

Fake Google Play

Such programs are usually uploaded to unofficial app stores which either neglect security measures altogether or only take a cursory look at the content that gets published. However, there have been cases when dangerous programs got uploaded to official app stores – Google Play and even Apple App Store, which is historically more secure. Naturally, the manufacturers promptly clean their stores, but cybercriminals never sit on their hands either.

How cybercriminals make money

Once malware lands on your smartphone, it starts its mission of making money for its owner, naturally at your expense. A modern mobile device is a real goldmine for a cybercriminal; it only takes the appropriate mining skills.

Mobile malware: methods of making money

Expensive tricks

The least damaging money-spinner used by cybercriminals is obtrusive adware. It doesn't do much harm, but it doesn't take long for all those pop-up ads to get annoying. Getting rid of them is often more of a challenge: it takes quite an effort to find out which program is actually producing the banners. It could be Angry Birds HD, or it could be that something that has a name you cannot read aloud and masquerades as a system application.

There is also a curious category of fake apps that do nothing at all – neither good nor bad – but still cost good money. Some of these are clear dummies on offer in paid-apps sections of application stores, like a program that promises to make you rich but only displays an image of a diamond on the smartphone's screen. Others pretend to be useful applications, such as antivirus programs, and demand payments from the user for protection against Trojans that have supposedly overrun the device.

Money from your telephone

A classical method to make illegal money with mobile malware is to send SMS to premium-rate numbers. A Trojan running on your phone simply sends several premium-rate SMS messages and drains your account. Your phone service provider sends money from your account to the renter of the premium-rate number (the cybercriminal) without asking any questions, since premium-rate numbers are still a popular way to pay for different types of online services.

Another way to make money from the owners of infected smartphones is to steal their valuable data. There are tons of things of interest in your address book, SMS messages and email. At the very least, your address book can be used to replenish the spam databases, so your contacts will receive piles of ads and malicious links. Also, if you've ever sent or received web site administrator credentials and have not updated them since then, you can be sure that the cybercriminals will appreciate it and will adopt your site into the their malicious "family".

Smartphone or your wallet?

Ransomware Trojans for PCs are abundant. Recently, they've started emerging on mobile devices. The scam is simple: once installed on your mobile device, the Trojan displays a screen making threats and demanding a ransom. You can no longer work with your device. All you can do is to enter the special code that they promise to send you as soon as you pay them a specified amount of money.

Message displayed by this ransomware sample: "Your phone has been blocked for viewing banned porn (Pedophilia, Zoophilia)! All photo and video materials have been sent for further investigation. To unblock your phone and delete this material, you must pay a 1,000-ruble fine within 24 hours. To do this, top up number XXXX at the nearest payment kiosk. Warning! If the fine is not paid, all data will be made public"

It is impossible to delete the Trojan unless you hard reset the settings and the contents of the device's flash memory. For many the value of the data on the device makes it worth paying the ransom. However, the cybercriminals do not always send the unblock code even after the ransom is paid.

The key to your bank

However, none of the above scams are anything like as costly as this relatively new way of stealing from mobile device owners. In recent years mobile banking services have become increasingly popular. Every major bank has developed an app that allows clients to manage their money from their smartphone or, at the very least, use SMS banking services.

Mobile banking #malware threats increased since 2013 - from less than 100 to 13,000 by Oct. 2014

Tweet

Suddenly many smartphones are the key to bank accounts – often to several accounts at the same time. This offers many opportunities to make illegal profits – and promises greater rewards than the traditional SMS and ransomware scams of old. Not surprisingly, cybercriminals have been quick to embrace this new opportunity.

The statistics clearly show how much interest mobile virus writers have in users' bank accounts. At the start of 2013, there were less than a hundred Trojan bankers in Kaspersky Lab's collection; at the October 2014, there are more than 13,000 of them.

The number of detected banking malware programs

Banking Trojans are enjoying a surge in popularity all over the world but Russia is facing the brunt of this boom. Russia is a place where malware writers test-run their creations before using them in other countries.

Geography of mobile banking threats. January – October 2014
(Number of attempted installations of banking Trojans)

For cybercriminals, SMS banking is the easiest path to other people's money. It doesn't even require new tools – existing SMS Trojans work just fine. Banks often assume the client's phone is a trusted environment and follow SMS instructions without query.. Clients can send money from their bank accounts to their own or somebody else's mobile phone account. Using that feature, the cybercriminals send an appropriate SMS and send money from the victim to their phone number. After that it is easy to withdraw the money using advanced mobile payment systems.

Quite often, banking Trojans work in partnership with computer Trojans; Faketoken is one example. When the user's computer is infected with a banking Trojan it waits until they visit their online banking account. Then the malware program becomes active and displays a window to the user, asking them to download an Android application which is allegedly required to securely confirm the transaction. Gullible users obediently install Faketoken on their smartphones. After that it is only a matter of time: the malware on the computer steals the credentials, and the cybercriminals gain access to the user's banking account. They make a transaction and Faketoken intercepts the one-time confirmation code (mTAN) sent by the bank in an SMS. In the end some Vasily P. collects a hefty sum of money divested from the user's account, and cashes it immediately at an ATM. We saw this piece of malware attacking users in 55 countries, including Germany, Sweden, France, Italy, the UK and the USA.

A third method is to use independent mobile banking Trojans which can masquerade as a mobile banking applications or simply spoof the banking application's interface. The Trojan gets hold of the users' credentials and sends the information to its C&C server. The cybercriminal uses the intercepted data to make a transaction. Svpeng is a good example of this tactic. This mobile Trojan opens a window on top of a legitimate application window, imitating the banking applications of the largest Russian and Ukrainian banks.

Phishing window imitating the bank's own application

Using these programs, cybercriminals can strip you of all your savings in an instant, drain your accounts and close your deposits. They can also put you in debt by running up your entire available credit.

Don't dig a hole for yourself

The proportion of malicious applications among all applications installed by users varies from country to country. Here are the figures for some countries for January – October 2014 (according to Kaspersky Security Network data):

Vietnam 2.34% Switzerland 0.36% Poland 1.88% India 0.34% Chezh 1.02% Canada 0.23% France 0.84% Germany 0.18% Belgium 0.74% Brazil 0.17% China 0.73% Italy 0.09% Ukraine 0.70% Austria 0.07% Russia 0.69% USA 0.07% Mexico 0.62% Hong Kong 0.05% Spain 0.54% New Zeland 0.05% Belarus 0.50% Norway 0.04% Iran 0.38% Japan 0.01%

The fact is it's fairly easy to protect yourself against all these sophisticated mobile threats. Mobile platform developers have taken good care of security and the user is often the weakest link in the security chain. This is good and bad at the same time. It's a problem because many users don't pay much attention to their security. But the plus side is that you only need to follow a few simple recommendations to safeguard yourself against all the above threats.

We recommend that you follow the following simple rules.

  • Do not jailbreak / root your smartphone. While it will give you extra opportunities on your phone, it will also give the green light to cybercriminals.
  • On an Android phone, disable the option of installing software from untrusted sources.
  • Install a mobile security product on your phone. It will analyze all applications before installation.
  • Try not to follow any links arriving in SMS, even if they come from people you know.
  • If you do follow a link in an SMS, do not accept any downloads or installations.
  • Only updates your applications with downloads from official stores, not third-party sites.

Equation Group: from Houston with love

Thu, 02/19/2015 - 04:00

In 2009, an international scientific conference on Energy and Space technologies was held in Houston, USA. Leading scientists from several countries were invited to attend. As is traditional for such events, the organizers sent out a post-meeting CDROM containing a presentation with the best photos from the event. It is unlikely that any of the recipients expected that while they were enjoying the beautiful pictures and memories a nation-state sponsored Trojan Horse was activating silently in the background.

Photo slideshow played from the CD

Interestingly, it looks as if most of the attendees brought pens and paper instead of laptops.

Self-elevating Autorun

The disk contains two files in the root folder, an autorun.inf and autorun.exe. This is typical of many CDROMs. The autorun.inf simply executes the main EXE from root.  Here's what it looks like:

[AutoRun]
open=Autorun.exe
icon=Presentation\Show.exe,0

More interesting is the autorun.exe binary, which has the following attributes:

Date of compilation 2009.12.23 13:37:33 (GMT) Size 62464 bytes MD5 6fe6c03b938580ebf9b82f3b9cd4c4aa

The program starts by checking the current user's privileges. If the current user has no administrative rights, it tries to elevate privileges using three different exploits for vulnerabilities in the Windows kernel. These vulnerabilities were patched by the following Microsoft patches:

  • MS09-025
  • MS12-034
  • MS13-081

Considering the date the CDROM was shipped, it means that two of the exploits were zero-days. It's notable that the code attempts different variants of kernel exploits, and does so in a loop, one by one, until one of them succeeds. The exploit set from the sample on the CDROM includes only three exploits, but this exploitation package supports the running of up to 10 different exploits, one after another. It's not clear whether this means that there is also a malware with 10 EoP exploits in it, or whether it's just a logical limitation.

The code has separate payloads for Windows NT 4.0, 2000, XP, Vista and Windows 2008, including variations for certain service pack versions. In fact, it runs twice: firstly, to temporarily elevate privileges, then to add the current user to the local administrators group on the machine, for privilege elevation persistence.

Such attacks were crafted only for important victims who couldn't otherwise be reached #EquationAPT #TheSAS2015

Tweet

If these actions are successful, the module starts another executable from the disk, rendering the photo slideshow with pictures from the Houston conference.

At the end, just before exiting, the code runs an additional procedure that does some special tests. If the date of execution fell before 1 July 2010 and it detects no presence of Bitdefender Total Security 2009/2010 or any Comodo products, it loads an additional DLL file from the disk named "show.dll", waits for seven seconds, unloads the DLL and exits.

If the date fell after 1 July 2010, or any of the above products are installed, it drops execution immediately.

The "Show" Begins – introducing DoubleFantasy

The main loader and privilege escalation tool, "autorun.exe" fires up a special dropper, which is actually an Equation Group DoubleFantasy implant installer. The installer is stored as "show.dll" in the "Presentation" folder of the CDROM.

The DLL file has the following attributes:

Date of compilation 2009.03.20 17:42:21 (GMT) Size 151'552 bytes MD5 ef40fcf419954226d8c029aac8540d5a Filename show.dll Short Description DoubleFantasy installer

First it locates data in the resource section, unpacks (UCL) and XOR-decrypts configuration data from one of the resources.

Next it creates the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\Version

After that it sets the (Default) value for "Version" subkey as "008.002.000.003", which identifies the implant version.

It also attempts to self-delete on the next reboot, which fails if it's started from the CD.

When run by the exploitation package "Autorun.exe", the program already has administrative privileges from one of the three exploits. However, the code checks again if it's running with administrative privileges, and attempts to elevate using just two kernel vulnerabilities:

  • MS09-025
  • MS12-034

This indicates that the DoubleFantasy installer has been designed to run independently from the disk from Houston with its "Autorun.exe".  In fact, we've observed the independent use of the DoubleFantasy installer in other cases as well.

The installer checks for security software using a list of registry keys and values stored in the resource section. The keys are checked in quite a delicate "non-alarming" way using key enumeration instead of direct key access. List of top level keys checked:

  • HKLM\Software\KasperskyLab\protected\AVP7\profiles\Behavior_Blocking\profiles\pdm\settings
  • HKLM\Software\KasperskyLab\AVP6\profiles\Behavior_Blocking\profiles\pdm\settings
  • HKLM\Software\Agnitum\Outpost Firewall
  • HKLM\Software\PWI, Inc.
  • HKLM\Software\Network Ice\BlackIce
  • HKLM\Software\S.N.Safe&Software
  • HKLM\Software\PCTools\ThreatFire
  • HKLM\Software\ProSecurity
  • HKLM\Software\Diamond Computer Systems
  • HKLM\Software\GentleSecurity\GeSWall

If any of them exist, the installer will mark the system by setting a special registry key:  HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\MiscStatus

The mark will be in the form of {CE0F7387-0BB5-E60B-xxxx-xxxxxxxxxxxx} for the (Default) value data and will then exit.

If no security software is identified, it will unpack (UCL) and XOR-decrypt the main payload, which is extracted into %system%\ee.dll.

Remarkably, it loads the DLL using its own custom loader instead of using standard system LoadLibrary API call.

The module looks as if it was built using a set of components or libraries that perform:

  • Privilege escalation (it seems to be an early version of the same lib used in autorun.exe)
  • Security software detection
  • Resource parsing and unpacking
  • Loading of PE files

This library code supports Win9x and the Windows NT family from NT4.0 to NT6.x. It should be mentioned that these libraries are not very well merged together. For instance, some parts of the code are unused.

Here's what the DoubleFantasy decoded configuration block looks like:

Decoded DoubleFantasy configuration block

Some of the C&Cs from DoubleFantasy configuration:

  • 81.31.34.175 (Czech Republic)
  • 195.128.235.231 (Italy)

The DoubleFantasy malware copied into the victim's machine has the following properties:

Date of compilation 2009.03.31 15:32:42 (GMT) Size 69'632 bytes MD5 b8c0eb946de83fe8440fefbacf7de4a2 Filename ee.dll Short Description DoubleFantasy implant

It should be noted that both the installer and the malware appear to have been compiled several months before "autorun.exe" from the CDROM, suggesting that they are more or less generic implants. It also suggests that the "autorun.exe" was probably compiled specially for the CDROM-based attack.

The DoubleFantasy Malware is the first step in the infection of a victim by the #EquationAPT Group #TheSAS2015

Tweet

The Equation Group's DoubleFantasy implant is a validator-style Trojan which sends basic information about the system to the attackers. It also allows them to upload a more sophisticated Trojan platform, such as EquationDrug or GrayFish. In general, after one of these sophisticated platforms are installed, the attackers remove the DoubleFantasy implant. In case the victim doesn't check out, for example, if they are a researcher analysing the malware, the attackers can simply choose to uninstall the DoubleFantasy implant and clean up the victim's machine.

In fact, there are several known versions of the DoubleFantasy payload. The disk from Houston used version 8.2.0.3; while other versions were mostly delivered using web-exploits.

Decrypting configuration blocks from all known DoubleFantasy samples, we obtained the following internal version numbers:

  • 8.1.0.4 (MSREGSTR.EXE)
  • 008.002.000.006
  • 008.002.001.001
  • 008.002.001.004
  • 008.002.001.04A (subversion "IMIL3.4.0-IMB1.8.0")
  • 008.002.002.000
  • 008.002.003.000
  • 008.002.005.000
  • 008.002.006.000
  • 011.000.001.001
  • 012.001.000.000
  • 012.001.001.000
  • 012.002.000.001
  • 012.003.001.000
  • 012.003.004.000
  • 012.003.004.001
  • 013.000.000.000

Interestingly, the most popular versions are 8 and 12:

We will describe some of the versions that we managed to discover including 8.2.0.3, 8.1.0.4 and 12.2.0.1.

DoubleFantasy Payload v.8.2.0.3 Md5 b8c0eb946de83fe8440fefbacf7de4a2 Size 69'632 bytes Type Win32 GUI DLL Timestamp Tue Mar 31 14:32:42 2009 (GMT) Filenames ee.dll, actxprxy32.dll

This module uses a technique known as DLL COM hijacking which provides a capability to load the code in different processes.

Initialization

First of all, it checks if the running module is named "ee.dll" and, if so, will undertake the final installation steps:

  • Try to find configuration settings in registry key HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\TypeLib, in value "DigitalProductId". If this value exists it decodes it using base64 and decrypts using RC5 (with a 16-bytes HEX key: 66 39 71 3C 0F 85 99 81 20 19 35 43 FE 9A 84 11).
  • If the key was not found in the registry, it loads configuration from a resource.
  • It copies itself to one of the two variants of filenames. Then it substitutes one of the system components by renaming and replacing the original.
Original File Registry Key Registry Value New Value
(Variant 1)
New Value
(Variant 2)
linkinfo.dll HKLM\System\CurrentControlSet\ Control\SessionManager\KnownDLLs LINKINFO LI.DLL LINK32.DLL hgfs1.dll HKLM\SYSTEM\CurrentControlSet\ Services\hgfs\networkprovider ProviderPath hgfs32.dll hgfspath.dll midimap.dll HKLM\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\Drivers32 midimapper midimapper.dll midimap32.dll actxprxy.dll HKCR\CLSID\ {C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\ InProcServer32 (Default) actxprxy32.dll actxprxyserv.dll
  • Set 64-bit value from config to (Default) value of HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\TypeLib key in form of {8C936AF9-243D-11D0-xxxx-xxxxxxxxxxxx}, it seems to be used later as victim ID when connecting to C&C server.
  • Set (Default) value of HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\Version to "008.002.000.003" string.
  • Upon the creation of a key it performs additional steps to set KEY_ALL_ACCESS rights for Everyone.
  • Update start time, encode and write back config to registry value HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\DigitalProductId

If an error occurs, it sets HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6AF33D21-9BC5-4f65-8654-B8059B822D91}\MiscStatus\(Default) value to "0". Registry value {CE0F7387-0BB5-E60B-8B4E-xxxxxxxxxxxx} then contains xor-encrypted error code.

If there is an initialization error, if the hosting process is "explorer.exe" or "avp.exe", it supresses any exceptions and continues execution. This could indicate that if there were any errors in these processes they must not be shut down because of them.

To correctly hijack the replaced COM objects, the code exports a set of functions bound to original DLL files.

CompareLinkInfoReferents = linkinfo.CompareLinkInfoReferents
CompareLinkInfoVolumes = linkinfo.CompareLinkInfoVolumes
CreateLinkInfo = linkinfo.CreateLinkInfo
DestroyLinkInfo = linkinfo.DestroyLinkInfo
DisconnectLinkInfo = linkinfo.DisconnectLinkInfo
DllCanUnloadNow = actxprxy.DllCanUnloadNow
DllGetClassObject = actxprxy.DllGetClassObject
DllRegisterServer = actxprxy.DllRegisterServer
DllUnregisterServer = actxprxy.DllUnregisterServer
DriverProc = midimap.DriverProc
GetCanonicalPathInfo = linkinfo.GetCanonicalPathInfo
GetLinkInfoData = linkinfo.GetLinkInfoData
GetProxyDllInfo = actxprxy.GetProxyDllInfo
IsValidLinkInfo = linkinfo.IsValidLinkInfo
NPAddConncection = hgfs1.NPAddConncection
NPAddConncection3 = hgfs1.NPAddConncection3
NPCancelConncection = hgfs1.NPCancelConncection
NPCloseEnum = hgfs1.NPCloseEnum
NPEnumResource = hgfs1.NPEnumResource
NPFormatNetworkName = hgfs1.NPFormatNetworkName
NPGetCaps = hgfs1.NPGetCaps
NPGetConnection = hgfs1.NPGetConnection
NPGetResourceInformation = hgfs1.NPGetResourceInformation
NPGetResourceParent = hgfs1.NPGetResourceParent
NPOpenEnum = hgfs1.NPOpenEnum
ResolveLinkInfo = linkinfo.ResolveLinkInfo
modMessage = midimap.modMessage
modmCallback = midimap.modmCallback

The implants periodically run checks against a special file defined in config. If that file has changed since the last check, or at least a week has passed since the last check, it does the following:

  • Perform a connectivity check via public domains (specified in config, i.e. "www.microsoft.com" and "www.yahoo.com") using HTTP POST requests.
  • If Internet access is available, connect to one of two C&C IPs or hostnames (specified in config: i.e. 81.31.34.175 and 195.128.235.23). Standard HTTP/HTTPS ports 80 and 443 are probed.
  • Send a POST request to the C&C with additional headers "EIag: 0d1975bfXXXXXXXX9c:eac',0Dh,0Ah" – where XXXX XXXX – is part of ClientID
  • Request additional data: victim ID, version, MAC address. The data is encrypted using RC5 and encoded using Base64. (RC5 key: 8B 4C 25 04 56 85 C9 75 06 33 C0 5E C2 08 31 F6).

The C&C communication code performs the following:

  • Received data is decoded using Base64 and decrypted using RC5. The result is interpreted as a backdoor command.
  • Results of the command execution are sent back to the C&C. It then attempts to fetch the next command from the server.
  • Uninstalls itself if it can't connect to the C&C server within 180 days (configurable).

The following commands are supported by the backdoor:

Cmd code Command Name Description Download&Run Group J (0x4a) Create File Create an empty file; if file already exists get its size. D (0x44) Append File Append chunk of data to a file (created by the "J" cmd). V (0x56) Run or Copy

Check CRC16 of file received via D command, delete it if the check fails.
Depending on the commands flag:

  • Copy file to a new location
  • Load file as a DLL
  • Start file as a new process
  • Load DLL using custom built-in loader and call "dll_u" export.
Upload Group K (0x4b) Get File Size Get file size. S (0x53) Read File Read file specified by 'K' command, send it to C&C. It can delete the file after transfer (under some condition). Service Group ` (0x60) Get Info Collect info (IP and MAC addresses, implant version, system proxy server, Windows Registered Owner and Organization, Windows version and ProductID, Locale/Language and Country, Windows directory path, connection type, list of all HKLM\Software subkeys). p (0x70) Set Victim ID Prepare to change Victim ID. u (0x75) Set Interval Change C&C connection interval (seven days by default). v (0x76) Set C&C IP Change primary C&C IP address. x (0x78) Set File Path Change path and name of File-under-inspection. (0x80) Read File Delete file specified in command. B (0x42) Reset Victim ID Change Victim ID to the one set by Set Victim ID command:
Subcmd 0 – reconnect to C&C
Subcmd 1 – reset RC5 context
Subcmd 2 – uninstall DoubleFantasy Payload v.8.1.0.4 Location %System%\MSREGSTR.EXE MD5 9245184228af33d3d97863daecc8597e Size 31'089 Type Win32 GUI EXE Timestamp Wed Mar 22 18:25:55 2006 (GMT) Version Info FileDescription  Registration Software
LegalCopyright  Copyright © Microsoft Corp. 1993-1995
CompanyName  Microsoft Corporation
FileVersion        4.00.950
InternalName    MSREGSTR 
OriginalFilename  MSREGSTR.EXE

Compared to version 8.2, version 8.1 implements the same tasks slightly differently.

Differences:

  • This is an EXE file running as a service process.
  • Configuration data stored in the overlay of the file, instead of in resources.
  • Other registry keys are used as a config storage – set of subkeys under HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\Common
  • RC6 encryption and Base64 encoding is not used. The network traffic data is sent in plaintext or simply XOR-encrypted.
  • The number of supported remote commands is only four.
  • The command encoding type is different.
  • Supports Windows 9x family.
DoubleFantasy Payload v.12.2.0.1 Location %System%\actxprxy32.dll MD5 562be0b1930fe5de684c2c530619d659
769d099781220004540a8f6697a9cef1 Size 151552 Type Win32 GUI DLL Timestamp Wed Aug 04 07:55:07 2004 (GMT), probably fake

The implementation of version 12.2 is similar to version 8.2, although it is twice the size due to the addition of a big new library.

The main purpose of this new library to steal user names and passwords from:

  • live running Internet Explorer or Firefox browser memory
  • Internet Explorer proxy configuration, stored in the Windows registry
  • Windows protected storage (up to Windows XP)
  • Windows authentication subsystem (Vista+)

In addition to browsers, the library can also inject malicious code and read the memory of other processes in order to obtain and decrypt users' passwords. The same library is also used inside the main EQUATIONDRUG orchestrator and TRIPLEFANTASY modules.

The library gathers stolen credentials and then probes them when accessing proxy server while connecting to the Internet, and, if a probe was successful, the valid credentials are encrypted with RC6 and encoded with BASE64 to be used later.

In this version the data encryption RC6 key is:
        66 39 71 3C 0F 85 99 81 20 19 35 43 FE 9A 84 11

The traffic encryption RC6 key is:
        32 EC 89 D8 0A 78 47 22 BD 58 2B A9 7F 12 AB 0C

The stolen user data is stored in the Windows registry as @WriteHeader value, inside two random keys in the   HKLM\SOFTWARE\Classes\CLSID\{77032DAA-B7F2-101B-A1F0-01C29183BCA1}\Containers node

Summary

The disk used in the Houston attack represents a rare and unusual operation for the Equation Group. We presume that such attacks were crafted only for important victims who couldn't otherwise be reached, for instance, through a web-based attack vector. This is confirmed by the fact that the exploitation library had three exploits inside, two of which were zero-days at the time.

The DoubleFantasy Malware is usually the first step in the infection of a victim by the Equation Group. Once the victim has been confirmed by communicating with the backdoor and checking various system parameters, a more sophisticated malware system is deployed, such as EquationDrug or Grayfish.

During the upcoming blogposts, we will continue to describe the more sophisticated malware families used by the Equation Group: EquationDrug and GrayFish.

BE2 Extraordinary Plugins, Siemens Targeting, Dev Fails

Tue, 02/17/2015 - 18:37

Our November post introducing our BlackEnergy2 (BE2) research described new findings on the group's activity. We presented both details on their plugins and significant findings about some of their targets and victims. In this post, let's examine several additional plugins more closely, targeting details around BE2 Siemens exploitation, and some of their unusual coding failures.

We previously introduced an unknown set of plugins and functionality for the linux platform, six in total. For the windows platform, we collected 17 plugins. The last post noted the difficulty in collecting on this group. We finish descriptions for our set in this post.

bs
cert
dstr
fs
grc
jn
kl
prx
ps
rd
scan
sn
ss
tv
upd
usb
vsnet

We also collected plugins for the MIPS/ARM architectures, as noted in the previous BE2 post.

weap
ps
nm
snif
hook
uper

Extraordinary Functionality

Let's first examine some of the newest and most surprising Windows plugins. It's interesting that all of these plugins use a custom "FindByHash" function to evade detection schemes and to slow analysis...

The "Destroy" plugin, dstr

8a0a9166cd1bc665d965575d32dfa972
dstr.dll, 26,474 bytes
CompiledOn: 2014.06.17 08:42:43

The most troubling plugin in the list is the "dstr" plugin. It is a Windows-only plugin. It was used to overwrite data by the BE2 actor, destroying data stored on hard drives by overwriting file contents. While its use may be intended to cover their tracks, it is heavy handed to use this type of tool to cover one's tracks in a network. Most likely it is a tool of sabotage, much like the Destover wiper seen on Sony Pictures Entertainment's networks. However, it's interesting that the BE2 developers created wiper code different from the Destover and Shamoon wiper malware we saw in the Saudi Aramco and SPE attacks. Instead of re-using the commercial EldoS RawDisk drivers in their malware, the BE2 developers wrote their own low-level disk and file destruction routines. It's also a much more chilling deployment of wipers - instead of a poorly defended media studio, it was delivered to ICS environments.

In order to overwrite stored data on all Windows versions, the dstr plugin supports both user-mode and kernel-mode wiper functionality, which is somewhat surprising. The component maintains both an embedded win32 library and win64 driver modules for its kernel mode functionality. They are rc4 encrypted.

User-mode functionality

The plugin identifies device id's for the system's HDD and creates a handle to the system's physical drive, with "GENERIC_READ or GENERIC_WRITE" access. Several calls to DeviceIoControl collects data on the physical location of the volume, and the size and properties of this disk. It uses DeviceIoControl with the IOCTL_DISK_GET_DRIVE_GEOMETRY control code in order to retrieve Bytes Per Sector value. dstr then wipes out all open handles to the disk by dismounting it with the FSCTL_DISMOUNT_VOLUME control code.

This routine prepares the system for overwrite and ensures no conflicts for plugin file I/O. Then it makes multiple WriteFile calls to write a zeroed out buffer to disk.

The dstr plugin maintains code for unlocking and deleting the BE2 driver from disk, furthering the group's goal of keeping their traces hidden from researchers. And notice the FindByHash set of calls above, this sfc_os call disables Windows File Protection for a minute while an application can delete or modify the locked file. So this plugin and its call can proceed and delete the driver.

The plugin looks over all the services in the %system32%\drivers folder and checks the write permission. If access is provided, it unlocks the file, rewrites the embedded driver under the existing driver name and launches it.

Drivers and kernel mode functionality

Decrypted 32-bit driver

c4426555b1f04ea7f2e71cf18b0e5b6c
driver.sys, 5,120 bytes
2014.06.10 13:12:22 GMT

Decrypted 64-bit driver

2cde6f8423e5c01da27316a9d1fe8510
driver.sys, 9,136 bytes
2014.06.10 13:12:04 GMT

The 32-bit and 64-bit drivers are identical and compiled from the same source code. These small Windows drivers are supposed to support FAT32 and NTFS file systems, and contain two large code implementation mistakes. In spite of these flaws, it is clear that the author's goal was to parse a file system and then write random data across files.

Extraordinary Fails

These coding fails are unique to this dstr plugin, suggesting a development team effort behind the plugin set code.

Fail #1: The authors reversed the routines for FAT32 and NTFS data wiping when checking the presence of the "FAT32" string in the first 1024-bytes of the system drive.

Fail #2: In the FAT32 routine the Root Directory Sector Number is calculated and is dealt as the absolute offset inside the file rather than next multiplying this number by the bytes per sector

In comparison, there is no such mistake in the NTFS routine and the calculation of the MFT offset is implemented properly:

Goal - File Content Corruption

Apart from that, it is interesting that the authors implement NTFS wiping in an unusual way with strange logic compared to FAT32 'straightforward' wiping. The plugin accomplishes checks for FILE records and at first skips them. Then under certain conditions it rewrites non-FILE record sectors with random buffer which probably corresponds to some file contents and proceeds looping. Then it ends up rewriting the first sectors of MFT and MFT mirror.

grc, plus.google.com replacement communications plugin

ee735c244a22b4308ea5d36afee026ab
grc.dll, 15,873 bytes
2013.09.25 07:19:31

This plugin creates a backup communications channel to yet another legitimate service. Most likely this backup channel is used to cloak outbound communications on monitored networks. We have seen APT using everything from Twitter to Google Docs to hide communications in plain sight, and this time the abused service is Google Plus.

This plugin implements the standard Windows HTTP services to interact with Google Plus over https, seeking to find a png file.

The plugin is provided with a specific Google Plus id to connect with, and uses the OLE stream Windows structured storage API along with the GDI+ bitmap functions to handle and parse this png file. This png file content is actually encrypted data containing the new BE configuration file just as it was obtained using 'normal' C&C communication.  It is encrypted with RC4, just like the embedded dstr drivers. But unlike to the 'typical' RC4 BE decryption scheme that uses RC4 once, here it uses RC4 three times: once with hardcoded key found in the grc binary, the second time using the key extracted from the previous decrypted result, and the third time using the 'id' machine's identifier that is normally served as the encryption key during the C&C communication.

Universal serial bus data collection plugin, usb

0d4de21a2140f0ca3670e406c4a3b6a9
usb.dll, 34,816 bytes
2014.03.21 07:02:48

The usb plugin collects all available information on connected USB drives, and writes out all of these details to a text file, packs it, provides to the main BlackEnergy code, which communicates to a c2.

It uses multiple api calls to collect information on multiple types of connected usb storage devices. It enumerates all usb storage devices connected to the system and retrieves data from all, including SCSI mass storage devices. And, most interestingly, it may be the first implementation of BadUSB-related techniques in APT re-purposed COTS malware that we have seen in the wild.

The code queries scsi devices directly and sends them two types of SCSI commands. The first command with the opcode 0x1A which corresponds to MODE SENSE may result just in the logging of the failed call ('SendSCSICommand return false' message).

The second type of SCSI command remains mysterious. It uses undefined opcode 0xf0 and there is no direct evidence of its purpose as it is stated to be vendor specific. This mysterious opcode is referenced around the same time frame of the plugin development in BadUSB offensive research http://algorithmics.bu.edu/twiki/bin/view/EC521/SectionA1/Group5FinalReport. Here, it is noticed in the USB traffic generated by an SMI controller tool. To be specific, there are two calls with the opcode 0xf0 in the code, each passed its own parameters. One of the parameters, 0x2A, is mentioned in the paper to return the string containing the firmware version, NAND flash ID, and controller part number. But this returned information is not logged anywhere.

Also the code loops to retrieve detailed physical data about every attached storage device:

  • number of cylinders
  • media type (floppy, fixed hard drive, removable media, etc)
  • number of tracks per cylinder
  • sectors per track
  • number of bytes per sector
  • physical disk size in bytes
  • Device Instance ID

Motherboard and firmware data collection plugin, bios

4747376b00a5dd2a787ba4e926f901f4
bs.dll, 210,432 bytes
2014.07.29 00:40:53

The bios plugin gathers low level host system information:

  • BIOS
  • motherboard
  • processor
  • OS

It uses several techniques to gather this information:

  • WMI
  • CPUID
  • win32 api

As a Windows Management Instrumentation (WMI) client application, it initializes COM and connects to the \\root\cimv2 namespace to use the IWbemServices pointer and make WMI requests. The code executes wql queries ("wql" is "sql for wmi", a subset of sql) to gather victim host details, like the query "SELECT Description, Manufacturer, Name, ProcessorId FROM Win32_Processor". Here are several queries from the BlackEnergy2 plugin code:

  • SELECT Description, Manufacturer, Name, ProcessorId FROM Win32_Processor
  • SELECT Product, Manufacturer, Version FROM Win32_BaseBoard
  • SELECT Name, OSArchitecture, Version, BuildNumber FROM Win32_OperatingSystem
  • SELECT SerialNumber, Description, Manufacturer, SMBIOSBIOSVersion FROM Win32_BIOS

These wql calls provide the attacker with the data like the lines below:

Description=Intel64 Family 6 Model 60 Stepping 3
Manufacturer=GenuineIntel
Name=Intel(R) Core(TM) i7-4710MQ CPU @ 2.50GHz
ProcessorId=1FEAFBCF000116A9

Product=7MPXM1
Manufacturer=AsusTek
Version=??

Name=Microsoft Windows 8.1 Pro
OSArchitecture=64-bit
Version=6.3.9600
BuildNumber=9600 

SerialNumber=7DTLG45
Description=A12
Manufacturer=AsusTek
SMBIOSBIOSVersion=A12

This selectivity is fairly usual. And the plugin does not modify its own behavior based the collected values. What can we infer about the selection of only these values, as they are only being collected and sent back to the attackers? Here are some possibilities:

  • the attackers want to evade sandbox and honeypot/decoy environments, and use this collected data to id the host system.
  • the attackers have prior knowledge of the environment they are attempting to penetrate, down to the equipment make. Or, they have an idea of the types of hardware they would expect or want to see. In ICS and SCADA environments, these details could be very valuable for an attacker setting up shop. These details could aid in establishing persistence, evaluating true resource capacity and capabilities, tracking down the source of the equipment, or aiding further lateral movement
  • the attackers know nothing about the network they are penetrating. They are collecting this information to better understand where this plugin really is running in the victim environment and planning their next moves

When using standard win32 api, the application implements calls to retrieve information on system locales. Oddly, there is special handling for one nordic locale in this particular plugin, "Norwegian-Nynorsk".

The CPU data collection functionality first calls the Intel cpuid instruction directly. It also directly handles multi-cpu systems and each of their feature sets. This SMP support is hard coded into the plugin.

Additional BE2 Siemens Exploitation Details

Targeting details for BE2 actor events are interesting. When focusing on research sites and energy engineering facilities, the group remotely exploited Siemens' Simatic WinCC systems. In these events, the attackers attempted to force the ccprojectmgr.exe process to download and execute a specific BlackEnergy2 payload. Let's examine a couple of example targets here. Based on the different delays for return, the attacks were possibly not automated.

Target A:

The first exploit attempt ksn recorded was March 2014. The attackers returned with a second failed attempt to exploit that same research system on April 2014, approximately 30 days, 2 hours later.

Target B:

The BE2 actor then attacked a new target system in May 2014 and failed, and returned with an exploit attempt on that same system in July 2014.

So it looks like there may be a timing cycle to their visits, but the volumes here are too low to be significant.

In all four of these attempts on two different targets, the attackers tried to download their payload from hxxp://94.185.85(dot)122/favicon.ico. The payload changed slightly from March 2014 to the very end of July 2014, presenting the following md5(s). All of these droppers are BE2 malware, modify an existing kernel driver service like "ACPIEC" and start it to load the BE2 kernel module. Note that the attackers planned on re-using the same c2 for the first target, but changed the callback c2 for the second target. None of these components are signed:

fda6f18cf72e479570e8205b0103a0d3 → drops df84ff928709401c8ad44f322ec91392, driver, debug string:"xxxxxxxx.pdb". C2: 144.76.119.48 (DE, Hetzner Online AG, AS24940)
fe6295c647e40f8481a16a14c1dfb222 → drops 39835e790f8d9421d0a6279398bb76dc, driver, debug string:"xxxxxxxx.pdb". C2: 144.76.119.48 (DE, Hetzner Online AG, AS24940)
ac1a265be63be7122b94c63aabcc9a66 → drops b973daa1510b6d8e4adea3fb7af05870, driver. C2: 95.143.193.131 (SE, Internetport Sweden AB, AS49770)
8e42fd3f9d5aac43d69ca740feb38f97 → drops f4b9eb3ddcab6fd5d88d188bc682d21d, driver. C2: 46.165.222.6 (DE, Leaseweb Germany GmbH, AS16265)

 

Pages