Malware Alerts

Subscribe to Malware Alerts feed
Online headquarters of Kaspersky Lab security experts.
Updated: 33 min 41 sec ago

August Update Tuesday - OneNote's First RCE, IE Memory Corruption

Tue, 08/12/2014 - 14:34

The second Tuesday of the month is here along with Microsoft's August security updates, and with it brings interesting updates of OneNote and Internet Explorer. The full list is nine security bulletins long.

OneNote has been a part of Microsoft's drive into mobile and cloud technologies, away from traditional Wintel computing, providing Office-integrated note-taking multi-user collaborative functionality across tablets and mobile devices. I noticed a bunch of Blackhat attendees using this software. While the vulnerability is limited to all versions of Microsoft OneNote 2007,, and there have been a couple of releases since, I believe that this vulnerability is the first RCE enabled by a component exclusively delivered with the OneNote software. In this case, it is the file parser that reads onenote (.ONE) files that enables remote code execution attacks. This software package now is available for Windows, Mac, Windows RT, Windows Phone, iOS, Android and Symbian, but the vulnerable OneNote code appears to be available only for TabletPCs and the Windows platform. cve-2014-2815 was privately reported to Microsoft.

Another big Bulletin pushed today for Internet Explorer addresses 25 critical RCE vulnerabilities(!) across IE 6 - 11 on Windows clients Vista through 8.1, all memory corruption issues. The browsers on related server installs are rated moderate. Some of these vulnerabilities have been actively exploited ItW, so it is an urgent update issue.

And Adobe released their own patch separately from the Microsoft update process to fix an extraordinary sandbox vulnerability abused by APT that we reported a while back. Be sure to check out those details. It effects fairly recent versions of Reader sandboxes.

CVE-2014-0546 used in targeted attacks - Adobe Reader Update

Tue, 08/12/2014 - 11:09

Today Adobe released the security bulletin APSB14-19, crediting Kaspersky Lab for reporting CVE-2014-0546.

This out of band patch fixes a rather creative sandbox escape technique that we observed in a very limited number of targeted attacks.

At the moment, we are not providing any details on these attacks as the investigation is still ongoing. Although these attacks are very rare, just to stay on the safe side we recommend everyone to get the update from the Adobe site as soon as possible.

You can grab the Adobe Reader updates here.

Spam and phishing in Q2 2014

Tue, 08/12/2014 - 08:00

 PDF Version

Spam: quarterly highlights Spam and legislation

On 1 July, new anti-spam legislation (CASL) came into effect in Canada. The new law covers commercial communications including email, messages on social networks and instant messaging services as well as SMS. Now, before a company starts sending emails, it must get the recipients' consent. Canadian companies appear to have taken the new law seriously: in the second quarter, we saw a lot emails from Canadian companies asking users for permission to send their mailings. As well as asking for permission, these emails also contained offers links to lotteries.

Some companies actually used the law as an excuse to collect subscribers' addresses. We came across requests asking users for permission to send them mass mailings even in the addresses of traps that have never been signed up to any mailing lists. Moreover, many of the users who received these sorts of request marked them as spam.

This flow of requests shows that many Canadian mass mailing distributors have never thought about the wishes of users before, but have just sent out their messages to the addresses on their lists.

There are two general views of the new law. On the one hand, an anti-spam law in yet another country will undoubtedly help the fight against spam. On the other hand, legitimate Canadian businesses that use mass mailing fear they may now be regarded as illegal. Microsoft first decided to stop sending out all its security news, but changed its mind a few days later, which is not all that surprising: despite the severity of the law, CASL includes a number of exceptions, and Microsoft's mass mailings don't fall under its jurisdiction. Among the CASL exceptions are mass mailings with various information about a product or service that the user has purchased from a company; mailings aimed at collecting donations; non-commercial mailings, etc.

Playing the market again!

In Q2 2014, we saw a new wave of spam advertising offers to buy stock in small companies. This is a well-known form of stock fraud called 'pump and dump'. The peak of this type of spam was registered in 2006-2007, although fraudsters continue to use it.

Pump-and-dump spam is a form of stock market fraud where spammers buy shares in small companies, artificially inflate the prices by spreading information they were allegedly going to significantly increase in value in the near future and then sell the shares at a higher price.

Interestingly, in addition to these well-known fraudulent tricks, the scammers also applied some time-tested methods to bypass filtering:

  1. A random set of sentences inserted at the end of each email that use a color close to that of the background (mailings included random sentences from Wikipedia);
  2. Image spam: the main information is contained in a picture; the color, the text size, the font, the background color and angle of the picture vary from email to email in the mailing.

Image spam was also popular in 2006-2007, and then virtually disappeared, as anti-spam vendors developed graphical analyzers and learned to successfully block these sorts of emails. Also, because of excessive 'background noise', this spam is unlikely to attract many users. These 'stock market' mailings appear to spread in huge volumes: spammers send out hundreds of millions of emails hoping for a minimal response.

Spam and the World Cup

In the first quarter of 2014, the Winter Olympics was the most popular sporting theme for spammers while in Q2 they switched their attention to the FIFA World Cup. You can get more information about phishing and malware attacks that used the World Cup theme from our blog. Apart from dangerous emails, there were messages offering hotel bookings and tickets to the matches as well as adverts for World Cup-related souvenirs and messages inviting bets on the results.

As is usual in such cases, the theme of the World Cup was exploited in spam that had no direct connection to the event. For example, one resourceful German used the theme to advertise Viagra.

"Remain the champion in your bedroom after the World Cup is over," states the advert above.

Sent from iPhone: mobile-themed email

To continue the theme of integration between email spam and mobile devices, we should note that in the second quarter of 2014 mass mailings imitating messages sent from iPad and iPhone were particularly popular. The range of emails was quite diverse – from pharmaceutical offers to messages with malicious attachments. All of them contained the same line in the body of the message: 'Sent from iPhone/iPad'.

In the first example, the link, following several redirects, opened a site advertising medication to enhance male potency; the second attachment contained a malicious program detected by Kaspersky Lab as Trojan-PSW.Win32.Tepfer.tmyd.

The mailings were most likely sent by different groups of spammers as the technical headers (such as Data, X-Mailer, Message-ID) were very different. For example, in some emails the headers were written carelessly while in the others the fields were empty. The only thing they had in common with real messages sent from the iOS-based devices was the phrase in the body of the message. In other emails the headers were not just accurate, they were imitations of the headers used by the real Apple mail client:

X-Mailer: iPhone Mail (9B206)
Message-Id: UNQC4G8K-NTOU-2PNZ-JUVC-WHRCD5GXS1QF@*****.**

However, on closer examination, the headers only looked like the real thing (in terms of the number of symbols and the location of hyphens). The fact is that real messages sent from iOS mobile devices use hex code to record Message-ID. The hexadecimal format includes numbers from 0 to 9 and the letters ABCDEF, which means there can be nothing else apart from these numbers and letters in the Message-ID. The fake emails just contained a random set of letters and numbers.

Redirects

To bypass filtering, criminals often try to hide the address of the site the user is prompted to visit. There are many ways to hide spam links. One of the most widespread is when the links in emails lead to compromised sites from which the user is redirected to the target site. This site may contain an advertisement and/or malicious code. Usually, compromised sites are included in the system redirects simply because cybercriminals can hack them, but sometimes the fraudsters intentionally seek them out. For example, we came across a mass mailing which redirected the user to an advertisement for pharmaceuticals via a compromised site. Moreover, the sites that had been compromised were actually pharmaceutical sites (rxpharmacy *****. com). Cybercriminals use such targeting to make the link appear as genuine as possible to the user.

In addition, we have recently come across a lot of hacked sites belonging to religious societies. It is unlikely they were targeted or subjected to social engineering deliberately – they were probably just poorly protected.

Malicious attachments in email


Top 10 malicious programs spread by email in Q2 2014

As is now traditional, the list of malware spread by email is topped by Trojan-Spy.HTML.Fraud.gen. This threat appears as an HTML phishing website where a user has to enter his personal data which is then forwarded to cybercriminals. Noticeably, the percentage of this malicious program decreased by 1.67 percentage points from the previous quarter.

Trojan-Banker.Win32.ChePro.ilc. ended the quarter in second position. This banking Trojan mainly targets online customers of Brazilian and Portuguese banks.

For the first time in a while, exploits made it into the Top 10, with one (Exploit.JS.CVE-2010-0188.f) coming straight in at third place. Exploits in email are especially dangerous as they are created in the form of harmless documents rather than executable files. This particular exploit appears in the form of a PDF file and uses a vulnerability in version 9.3 and lower of Adobe Reader. This vulnerability has been known for a long time and poses no danger to users who update their software regularly. However, if the Adobe version is old, the exploit downloads and runs the executable file detected by Kaspersky Lab as Trojan-Dropper.Win32.Agent.lcqs. The dropper installs and runs a java script (Backdoor.JS.Agent.h) which collects information about the system, sends it to the attackers' server and receives various commands in return from the server. The commands and the results of their execution are transmitted in an encrypted form.

In Q2 2014, representatives of the Bublik family occupied fourth, sixth, seventh and eighth places. Their main functionality is the unauthorized download and installation of new versions of malware onto victim computers. These Trojans appear in the form of the .EXE files, although they imitate Adobe documents with the help of an icon. They often download the notorious ZeuS/Zbot to users' computers.

The Email-Worm.Win32.Bagle.gt ranked fifth in Q2. The main functionality of this type of worm is to harvest the email addresses from compromised computers. The Bagle family worm can also receive remote commands to install other malware on the infected computer.

Yet another exploit – Exploit.Win32.CVE-2012-0158.j – ended the quarter in ninth place. It was designed to look like a Microsoft Word document and exploits a vulnerability in the mscomctl.ocx code in Microsoft Office. Its activity results in the installation and launch of malicious programs on the user computer.

The Top 10 in Q2 was rounded off by Trojan-Spy.Win32.Zbot.sivm from the Zbot family. Zbot is a family of Trojans that can execute different malicious operations (their functionality is updated over time) but most often they are used to steal banking information. Zbot can also install CryptoLocker, a malicious program that demands money to decrypt user data.

With regards to the most popular malware families rather than individual modifications, the distribution in Q2 was slightly different:


Top 10 malware families spread by email in Q2 2014

Bublik (which often downloads other malware, specifically the Zbot family of Trojans), as well as Zbot itself, are far ahead of their competitors in the rating. These two malware families account for over a third of all email antivirus detections. This is because the majority of malware is used to steal money and Zeus/Zbot is one of the most popular and widely available of these programs.

The Androm family is in third place. The Andromeda family of malware consists of backdoors that allow cybercriminals to secretly control a compromised computer. Machines infected by these programs often become parts of botnets.

Targets of malicious mass mailings by country


Distribution of email antivirus detections by country in Q2 2014

The TOP 20 countries with the highest number of antivirus detections saw some change from the first quarter of 2014. The percentage of malicious spam targeting users in the US decreased slightly (-3.5 pp). However, this was enough to see it drop from first to third place, allowing the UK and Germany to take the lead. Among the other significant changes was the 2.5 times increase in the proportion of malicious spam sent to Brazil which moved this country up from 15th to fifth place. This was due to the ChePro family banker: over 80% of instances of this malicious program were sent to Brazilian users.

Special features of malicious spam

Cybercriminals often mask spam with malicious attachments in emails from well-known organizations – delivery services, stores, social networks. However, as a rule, all such mass mailings imitate emails regularly received by users (bills, delivery status notifications, etc.). In Q2, we registered a more creative mass mailing supposedly sent by Starbucks coffee house chain that made use of a social engineering technique.

The message claimed that one of the recipient's friends, who requested anonymity, had allegedly made an order at for him at Starbucks. To view the menu, find out the address and the exact time that the order was available, the recipient had to open the attachment, an executable that the cybercriminals hadn't even bothered to mask.

Statistics The proportion of spam in email traffic


The percentage of spam in email traffic in January-June 2014

The percentage of spam in all email traffic during the second quarter the year came to 68.6%, up 2.2 pp from the previous quarter. A peak was reached in April and since then the share of unwanted messages in email traffic has been falling gradually.

Sources of spam by country

Previously our statistical data on the sources of spam by country was based on information received from spam traps in different countries. However, the spam from the traps differs from the spam received by ordinary users. For example, spam targeting specialized companies does not reach the traps. That is why we have changed the data source, and now with KSN (Kaspersky Security Network) we compile statistical reports on spam based on the messages that the users of our products receive worldwide. Since the information for the statistical report in June was received from a different source, comparing the results with the statistics for the previous quarter would be incorrect.


Sources of spam by country in Q2 2014

The US tops the rating of the most popular spam sources, accounting for 13.4% of junk mail sent worldwide. This is not surprising since the US is the country with the largest number of Internet users. Even with high user awareness about the dangers of the Internet, not everyone can avoid an infection on their computer, which can result in the machine becoming part of a botnet that spreads spam.

The distribution of other spam sources by country is quite uniform. This makes sense in that botnets are distributed throughout the world, meaning there are infected computers in almost every country.

Russia came second having accounted for 6% of world spam. Vietnam is in third place (5%).

According to our statistics, in many countries a significant amount of incoming junk mail is "domestic spam", i.e. it originates and is addressed to users in one country. In Q2, 18% of spam sent to Russian users originated in Russia.  In the US "domestic spam" accounted for 27.2% of the country's junk mail. The same trend can be seen in other large countries from which a significant share of the world spam is sent. In smaller countries, spam mostly comes from abroad.

The size of spam emails


Size of spam emails: Q2 2014

The distribution of spam emails by size was almost identical to that in the previous quarter. Small spam emails weighing in at under 1 KB are by far the most common – they are easier and quicker to send.

In Q2 we registered some decline in the proportion of 2-5 KB emails (-2.7 pp) and a small growth in 5-10 KB emails. This might be due to the increase in the share of image spam: firstly, there were lots of mass mailings of stock market fraud containing pictures (see above) and secondly, Russian-language spam of the "How to lose weight" and "Fake designer goods" categories also included a lot of images.

Phishing

In Q2 2014, Kaspersky Lab's anti-phishing component registered 60,090,173 detections. Phishers attacked users in Brazil most often: at least once during the quarter the Anti-Phishing component of the system was activated on computers the of 23.2% of Brazilian users.


The geography of phishing attacks in Q2 2014*

* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users

Top 10 countries by the percentage of attacked users:

  Country % of attacked users 1 Brazil 23.2% 2 India 19.2% 3 Puerto Rico 18.6% 4 Japan 17.1% 5 France 17.0% 6 Armenia 16.8% 7 Dominican Republic 16.2% 8 Russia 16.1% 9 Australia 16.1% 10 UK 15.8%

Brazil only entered the Top 10 in 2014. The increase in phisher activity targeting Brazilian users may be down to the World Cup being held in the country.

Targets of attacks by organization

The statistics on phishing targets is based on detections of Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page while information about it is not included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning about a potential threat.

In our previous reports we referred to the TOP 100 organizations when analyzing the most attractive targets for phishing attacks. In Q2, we analyzed the statistics for all attacked organizations.

During attacks on organizations from the Banks, E-pay systems, and Online stores and e-auctions categories the attackers were interested in users' personal information in order to gain access to their e-accounts. As a result, we have merged these three categories into one - Online finances.


Organizations most frequently targeted by phishers, by category – Q2 2014

Below is a similar chart for the previous quarter:


Organizations most frequently targeted by phishers,  by category – Q1 2014

As in Q1 2014, in the second quarter the Global Internet portals category tops the rating of organizations most often attacked by phishers: its share dropping by just 1.7 pp. This category incorporates portals that combine many services including search and email services. The data stolen from such portal allows fraudsters to access all their services. Most often the phishers imitate the authorization pages of email services.


Phishing attacks on global Internet portals *

* The rating does not show the safety level of phisher targets but reflects the popularity and credibility of the services with users, which affects their attractiveness to phishers

Financial phishing accounted for 24.84% of all attacks, a 1.8 pp growth compared with the previous quarter. The percentage of detections on Banks and Online stores increased by 0.93 and 0.85 pp respectively.

Social networks remained in third.


Phishing attacks on social networks *

* The rating does not show the safety level of phisher targets but reflects the popularity and credibility of the services with users, which affects their attractiveness to phishers

In the first quarter, Facebook accounted for 79.5% of the total number of user attempts to click on links leading to fake social networking sites. In Q2, the number of phishing attacks on Facebook users decreased significantly (-23.54 pp) while the percentage of user attempts to visit fake pages on the Russian social networks Odnoklassniki (Classmates) (+18.7 pp) and VKontakte (+10.68 pp) rose sharply.

Top 3 most organizations most frequently targeted by phishers   Organization % phishing links 1 Yahoo! 30.96% 2 Google Inc 8.68% 3 Facebook 8.1%

In Q2 2014, the share of phishing links to the pages of Yahoo! services reached 30.96% of all attacks.

Yahoo! topped the rating of the most popular phisher targets in the first quarter of 2014 with 31.94% of all attacks after a sharp increase in the number of such fraudulent links in early January.


The number of daily detections on phishing sites imitating Yahoo! pages, Q1 2014

In the second quarter there were no peaks in the detection of phishing links to fake Yahoo! pages

In January of this year in its blog, Yahoo! announced the introduction of HTTPS by default for its email service. This security measure, in addition to protecting the transmitted data can help fight phishers: now, in the event of a phishing attack when the domain name in the address bar remains unchanged (for example, the DNS server is substituted), the absence of a secure connection icon in the address bar should alert the user. However, the absence of a secure connection is just one sign of a phishing page, while its presence does not guarantee the site authenticity.


An example of a phishing page imitating the authorization page of the Yahoo! email service

In Q2, Google (8.68%) became the second most popular phishing target outstripping Facebook. Previously, phishers used to imitate the entry page of the Gmail service while now they have switched to the authentication page common to all Google services. This is a highly attractive target for phishers - "One account. All of Google."

In the second quarter of 2014 we came across a very interesting example demonstrating the appetite of phishers who are obviously not satisfied with just targeting Google:

This phishing page imitating the authentication page for all Google accounts provides the owners of AOL, Hotmail and Yahoo email accounts with the option of choosing passwords.

Last year's leader, Facebook, dropped one place and settled in third in the rating of Anti-Phishing component detections (8.02%). The percentage of phishing attacks targeting users of social networks lags far behind that of the visitors to global Internet portals, but the former is still of interest for phishers on the hunt for users' accounts worldwide.

Hot topics in phishing

The main "seasonal" theme for phishers was the FIFA World Cup.


"Chance to win the tickets to the next match of the World Cup"

Fraudsters exploited the football theme until the end of the World Cup. The first football-related mass mailings emerged in early 2014 and then appeared regularly throughout the first half of the year. Typically, the phishers imitated messages from well-known organizations (mainly FIFA) and asked the user to follow a link to a site offering the chance to win a valuable prize. The prize, like the example above, was usually tickets to a World Cup match. The user had to enter his personal information including his credit card details, i.e. information that is especially interesting for the scammers.

Additionally, in Q2 phishers turned their attention to the popular fast-food restaurant McDonald's. In April, the attackers tried to lure card data from Portuguese-speaking users. The fake email informed the recipient of the chance to win 150 euros from McDonald's. To do this, he had to follow the link in the email and participate in the survey. The phishing page which opened once the user clicked the link suggested he answer a few questions and enter his credit card data for the alleged money transfer. This was exactly what the criminals were after – many unsuspecting users send their personal information to third parties without being aware of the fraudsters' plans.

Noticeably, the fraudulent email was written in Portuguese and most likely addressed to residents in Brazil and Portugal while the text of the survey was in English, which is quite typical for this type of "survey".

Conclusion

In the second quarter of 2014 we came across a lot of mailings from various Canadian organizations willing to get users' agreement to receive mass mailings before the new anti-spammer law comes into force there. In a bid to attract new users, the companies sent out the requests to email addresses on lists that included many that were not already among the recipients of their mailings. Nevertheless, the law has begun to yield some favorable results even before it comes into force.

One of the most popular spam themes in Q2 was the stock market spam used in fraudulent "pump and dump" schemes. Interestingly, the distributors of this time-tested theme tried to bypass filtering using some well-known methods – image spam and "white text".

The mobile theme in spam continued with fake notifications sent from iOS-based devices. Most imitations did not take into consideration the details and specifics of this operating system, meaning these mailings were easily detected.

In Q2 2014, Fraud.gen remained the most popular malicious program distributed via mail. This malicious program was designed to steal users' banking data. Second came Brazilian banking Trojan ChePro. Among the most popular malware families were Bublik and Zeus/Zbot. Interestingly, after a long break the TOP 10 welcomed back two exploits, one of which went straight in at third place.

The World Cup theme was actively exploited both for advertising goods and for malicious and phishing spam. The percentage of malicious spam sent to Brazil in Q2 increased 2.5 times compared with the previous quarter (mainly due to the Trojan Banker family ChePro). Brazil also came first in the rating of countries most often attacked by phishers. The Global Internet portals category took the lead among the organizations most frequently targeted in phishing attacks.

According to KSN statistics, the US topped the list of the most popular spam sources by country. Russia was second followed by Vietnam. Interestingly, in many large countries a significant portion of spam received by their users originated from their own territories.

Warkitteh, Mainframes and planes – DefCon22

Mon, 08/11/2014 - 05:07

This years DefCon just ended and thousands of hackers, security professionals and other visitors heading back home.  This years schedule was again a good mix of talks, but which to attend is not that easy due to the mass of visitors. That's why the organizers will move again next year to a different location, in order to deal with the growth of participants and events happening.

Five main tracks of talks, skytalks, contests and areas for different interests fills participation schedule for three days easily. Some talks got lots of attention as the experiment by Gene Bransfield, who utilized a cat to map WiFis in the neighborhood, named "Warkitteh". Hacking airplanes let one quick think of horror scenarios, but, as Phil Polstra stated, it's not possible to override the pilot. But also attacks on Mainframes were discussed. Mainframes are special systems, mainly used in enterprise and government segement. Several talks focused on hacking connected devices, reflecting the general IoT (Internet of Things) trend.

This years DefCon-Badge was again an electronic one, open for hacking and modifying. This ranked from basic to advanced LED/Light-extensions to Quadcopter mounting.

 

 

A Post-PC BlackHat?

Sat, 08/09/2014 - 18:38

This year's BlackHat had a particularly wide range of topics. A more diverse range of topics means that more targets are under attack. This should come as no surprise.

On the one hand companies like Microsoft and Google have hardened their software against easy vulnerability exploitation.
On the other hand we're seeing a plethora of new (types of) devices getting equipped with network connectivity. Those devices come with limited or no built-in security.

This focus on embedded devices is also reflected in the amount of research done on the embedded devices within our phones and personal computers. There was a demonstration of a practical attack against smartphone baseband processors over the OMA DM protocol. The lack of built-in security, or the ability to easily add security controls, again demonstrates this major weakness in today's defense capabilities.

My colleague Vitaly Kamluk demonstrated, together with Anibal Sacco from Cubica Labs, how Computrace, popular low-jacking software, can be leveraged by attackers to perform remote code execution. Short of disabling the feature, which sometimes isn't even possible, there's no easy mitigation.

We're increasingly relying on more technology that can only be somewhat reliably protected by turning it off. This is not a sustainable path. While I appreciate that our personal operating systems appear to be getting safer, I'm rather pessimistic for the post-PC world.

Blackhat 2014 Floating Big in the Cybersecurity Bubble

Sat, 08/09/2014 - 12:25

Blackhat2014 USA was held at the Mandalay Bay, Las Vegas, after being held at Caesar's for the past 15 years or so. While the location wasn't central like Caesar's, the hotel was more spacious, easier to navigate, cleaner, and generally an improvement.

Jeff Moss inspired the Blackhat 2014 crowd with his introduction, and suggested that we are in a bubble that will pass. The cybersecurity crowd not only is finally taken seriously, but has never been more relevant, and is close to its peak of relevance. Access control manufacturers, medical device makers, automotive producers like Tesla, all of these enterprises are now not only listening. They are baking security better into their production processes, and this is good. We have made some progress. But with this relevance, when we look back, what can we say we contributed?

Dan Geer's rich keynote wound through a long list of policy proposals for a set of current cybersecurity challenges. Although I can't agree with everything he says, he is one of my favorite thinker-speaker-writers in the space and I find myself seeking out his talks. Interesting topics included mandatory reporting on cybersecurity failures on a national level, strikeback, resiliency, and the right to be forgotten. There were more. Many more. A text version of "Cybersecurity as Realpolitik" is online, and I recommend setting aside a block of time for dense, thoughtful material like this.

Dan supports mandatory reporting for breaches as laid out in "Surviving on a Diet of Poisoned Fruit", and real support for a cybersecurity failure reporting regime. He laid out current precedent in relevant law requiring reporting for other subject matter, and basic examples of why it would work. The CDC's communicable disease reporting and Mitre's anonymized near-miss aviation reporting center are strong examples of systems where self reporting on sensitive events, communicable disease and airline flight near misses, is both working and beneficial. He made the strong case that such a collection of cybersecurity data can be practical and is highly valuable, and it is time for national government or quasi-governmental entities to support transparent, anonymous collections.

The legitimacy of defensive strikeback is something that Dan dismissed onstage for strange reasons, but his text version gives it a LIMITED YES. He claimed that while Microsft and the Fbi are pulling off examples of successful strikeback activity, smaller organizations do not have the means to properly perform a strikeback effort. This is strange because small businesses can pool resources when they are under attack, co-ops and other pooling structures can help solve that problem. The US Chamber of Commerce, for example, is an incredibly powerful organization partly acting on behalf of small businesses pooling resources to get things done. The Chamber is incredibly powerful in the US, and small businesses benefit in some ways from some of those efforts (and perhaps suffer from some of them as well). And he didn't address the idea that strikeback doesn't need to be messy, extremely destructive, or sustained to put a quick end to a variety of attacks. But remotely stopping a large scale DDoS attack launched from compromised servers does not necessarily require attribution, and certainly does not require very messy or destructive solutions. They can be precise, and attribution is often possible. Everyone makes mistakes. He mentioned that difficulty in attribution compounds the problem. The bigger issue here is that these events cross multiple jurisdictions, definitions of law, and law enforcement organizations. And for some activity that would be otherwise criminal in different parts of the world, there is little if any enforcement.

Dan's take on the right to be forgotten brings out some unsettling Foucaltian subject matter, "I've spoken elsewhere about how we are all intelligence agents now, collecting on each other on behalf of various overlords" and that he wants to maintain some rights in the digital world to defend privacy, "I want to choose whether to misrepresent myself". But it's refreshing to hear a thought leader describe his desire and right to hop out of the digital panopticon.

Kaspersky Lab's Vitaly Kamluk, Sergey Belov, and Cubica's Anibal Sacco presented on "Absolute Backdoor Revisted", a surprising update on the state of security for a widely deployed low level utility. They presented a set of unusual behaviors implemented by this software that I rarely see exhibited by legitimate software but very frequently by malware. And then they abused it in multiple live demos, remotely wiping a brand new Windows 8 x64 laptop just out of the box via Absolute Computrace vulnerabilities.

Several years would seem to be ample opportunity to fix severe problems in update mechanisms, and it seems that the work has recently begun in response to the research review.

Web services came under serious attack this year. "Pivoting in Amazon Clouds" from Andres Riancho was interesting in light of the recent attacks on Elasticsearch sites abused in the Amazon cloud, demonstrating post-exploitation issues that enable attackers to further burrow into the cloud. He released a nice Nimbostratus tool and Hacme environment that aided his past penetration tests and EC2 security issue understanding. And Mobile Device Management systems were demonstrated to be chock full of web application problems with SQLi, poorly chosen crypto and encoding schemes, and poorly designed custom authentication schemes briefly put on the screen by Stephen Breen in "Mobile Device Mismanagement".

Finally, if you find a minute to get away from the Defcon fun, check out the Epic Turla report and IoC release (pdf) from GReAT that was published during Blackhat this year.

Organ donation: home delivery

Fri, 08/08/2014 - 05:17

Promises to marry a potential groom if he covers his bride-to-be's travel expenses to his hometown are a fairly common feature of fraudulent spam. Less common are more 'noble' offers of help, though even these charitable offers usually come at a price.

In a recent mailing, a resident from the Ukrainian city of Odessa expressed his wish to become an organ donor, but for a considerable fee. In the email, he provided an overview of his current state of health – "good, not perfect" – his biometric data (height – 1.74 m, weight - 63 kg) and even his blood type. The price for which he was willing to sell a kidney or his liver was not specified; the main condition was that the operation had to be done in a European clinic.

It is obvious that anyone who decides to take him up on his offer will have to pay a considerable sum of money. It is highly likely that our "man from Odessa" will also want money to pay for his trip to Europe or to carry out tests in a good laboratory, before disappearing once he receives a money transfer. Honesty and offers made in spam are just incompatible. Moreover, no one should ever enter into negotiations with people who send unsolicited emails, especially when it concerns health issues.

3 reasons to visit "SYN City" – aka Las Vegas

Thu, 08/07/2014 - 18:03

Summer, sand and sun may let you think about vacation at a beach, but not IT-Security interested people. Every year gatherings happen in Las Vegas attracting amateurs and professionals from around the globe – BlackHat and Defcon. But also the local BSides conference, BSidesLV, takes place before - which teamed-up with Passwordscon this year.

 

 

Seven streams of presentations with a wide spectrum of topics were offered at Tuscany. At Passwordscon talks were given on securing passwords and attacking. Among these topics as "Target specific automated dictionary generation" which covered ways to automatically create dictionaries used for attacks against password hashes from one specified source. Rick Redman, from KoreLogic, gave a defense talk "Password Topology Histogram Wear-Leveling, a.k.a. PathWell". As attacks are getting easier because of better Hardware, not using stronger hash-types and defenses as password policies may lead to predictable passwords a new approach on defending passwords on enterprise level was presented. This is based on targeting the topology of passwords by limiting the use of password topologies and ban common password topologies.

Password topology means how the password is created. For example the topology of "Passw0rd" is uppercase (u) + 4x lowercase (l) + digit (d) + 2x lowercase (l) (simple: ulllldll). By using Levenshtein distance algorithm the change of topologies may be measured on a password change, to enforce new topologies rather than just updating any character in a password, to make cracking more difficult. [Link]

Dimitri Fousekis also focused on passwords in enterprise underlining the importance of "associate the password with data ownership" in order to avoid users disrespecting the importance of a good password.

 

 

The Epic Turla Operation

Thu, 08/07/2014 - 09:55

 Technical Appendix with IOCs

Executive Summary

Over the last 10 months, Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call "Epic Turla". The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies.

The attacks are known to have used at least two zero-day exploits:

  • CVE-2013-5065 - Privilege escalation vulnerability in Windows XP and Windows 2003
  • CVE-2013-3346 - Arbitrary code-execution vulnerability in Adobe Reader

We also observed exploits against older (patched) vulnerabilities, social engineering techniques and watering hole strategies in these attacks. The primary backdoor used in the Epic attacks is also known as "WorldCupSec", "TadjMakhal", "Wipbot" or "Tavdig".

When G-Data published on Turla/Uroburos back in February, several questions remained unanswered. One big unknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to "rescue" each other if communications are lost with one of the backdoors.

Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms.

The attacks are still ongoing as of July 2014, actively targeting users in Europe and the Middle East.

Note: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services subscribers. Contact: intelreports@kaspersky.com

The Epic Turla attacks

The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:

  • Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
  • Social engineering to trick the user into running malware installers with ".SCR" extension, sometimes packed with RAR
  • Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6,7,8 exploits (unknown)
  • Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers

The attackers use both direct spearphishing and watering hole attacks to infect their victims. Watering holes (waterholes) are websites of interest to the victims that have been compromised by the attackers and injected to serve malicious code.

So far we haven't been able to locate any e-mail used against the victims, only the attachments. The PDF attachments do not show any "lure" to the victim when opened, however, the SCR packages sometime show a clean PDF upon successful installation.

Some of known attachment names used in the spearphishing attacks are:

  • ؤتمر جنيف.rar (translation from Arabic: "Geneva conference.rar")
  • NATO position on Syria.scr
  • Note_№107-41D.pdf
  • Talking Points.scr
  • border_security_protocol.rar
  • Security protocol.scr
  • Program.scr

In some cases, these filenames can provide clues about the type of victims the attackers are targeting.

The watering hole attacks

Currently, the Epic attackers run a vast network of watering holes that target visitors with surgical precision.

Some of the injected websites include:


The website of the City Hall of Pinor, Spain


A site promoting entrepreneurship in the border area of Romania


Palestinian Authority Ministry of Foreign Affairs

In total, we observed more than 100 injected websites. Currently, the largest number of injected sites is in Romania.

Here's a statistic on the injected websites:

The distribution is obviously not random, and it reflects some of the interests of the attackers. For instance, in Romania many of the infected sites are in the Mures region, while many of the Spanish infected sites belong to local governments (City Hall).

Most of the infected sites use the TYPO3 CMS (see: http://typo3.org/), which could indicate the attackers are abusing a specific vulnerability in this publishing platform.

Injected websites load a remote JavaScript into the victim's browser:

The script "sitenavigatoin.js" is a Pinlady-style browser and plugin detection script, which in turn, redirects to a PHP script sometimes called main.php or wreq.php. Sometimes, the attackers register the .JPG extension with the PHP handler on the server, using "JPG" files to run PHP scripts:


Profiling script

The main exploitation script "wreq.php", "main.php" or "main.jpg" performs a numbers of tasks. We have located several versions of this script which attempt various exploitation mechanisms.

One version of this script attempts to exploit Internet Explorer versions 6, 7 and 8:


Internet Explorer exploitation script

Unfortunately, the Internet Explorer exploits have not yet been retrieved.

Another more recent version attempts to exploit Oracle Sun Java and Adobe Flash Player:


Java and Flash Player exploitation scripts

Although the Flash Player exploits couldn't be retrieved, we did manage to obtain the Java exploits:

Name MD5 allj.html 536eca0defc14eff0a38b64c74e03c79 allj.jar f41077c4734ef27dec41c89223136cf8 allj64.html 15060a4b998d8e288589d31ccd230f86 allj64.jar e481f5ea90d684e5986e70e6338539b4 lstj.jar 21cbc17b28126b88b954b3b123958b46 lstj.html acae4a875cd160c015adfdea57bd62c4

The Java files exploit a popular vulnerability, CVE-2012-1723, in various configurations.

The payload dropped by these Java exploits is the following:

MD5: d7ca9cf72753df7392bfeea834bcf992

The Java exploit use a special loader that attempts to inject the final Epic backdoor payload into explorer.exe. The backdoor extracted from the Java exploits has the following C&C hardcoded inside:

www.arshinmalalan[.]com/themes/v6/templates/css/in.php

This C&C is still online at the moment although it redirects to a currently suspended page at "hxxp://busandcoachdirectory.com[.]au". For a full list of C&C servers, please see the Appendix.

The Epic Turla attackers are extremely dynamic in using exploits or different methods depending on what is available at the moment. Most recently, we observed them using yet another technique coupled with watering hole attacks.  This takes advantage of social engineering to trick the user into running a fake Flash Player (MD5: 030f5fdb78bfc1ce7b459d3cc2cf1877):

In at least one case, they tried to trick the user into downloading and running a fake Microsoft Security Essentials app (MD5: 89b0f1a3a667e5cd43f5670e12dba411):

The fake application is signed by a valid digital certificate from Sysprint AG:

Serial number: ‎00 c0 a3 9e 33 ec 8b ea 47 72 de 4b dc b7 49 bb 95
Thumbprint: ‎24 21 58 64 f1 28 97 2b 26 22 17 2d ee 62 82 46 07 99 ca 46


Valid signature from Sysprint AG on Epic dropper

This file was distributed from the Ministry of Foreign Affairs of Tajikistan's website, at "hxxp://mfa[.]tj/upload/security.php".

The file is a .NET application that contains an encrypted resource. This drops the malicious file with the MD5 7731d42b043865559258464fe1c98513.

This is an Epic backdoor which connects to the following C&Cs, with a generic internal ID of 1156fd22-3443-4344-c4ffff:

hxxp://homaxcompany[.]com/components/com_sitemap/
hxxp://www.hadilotfi[.]com/wp-content/themes/profile/

A full list with all the C&C server URLs that we recovered from the samples can be found in the technical Appendix.

The Epic command-and-control infrastructure

The Epic backdoors are commanded by a huge network of hacked servers that deliver   command and control functionality.

The huge network commanded by the Epic Turla attackers serves multiple purposes. For instance, the motherships function as both exploitation sites and command and control panels for the malware.

Here's how the big picture looks like:


Epic Turla lifecycle

The first level of command and control proxies generally talk to a second level of proxies, which in turn, talk to the "mothership" server. The mothership server is generally a VPS, which runs the Control panel software used to interact with the victims. The attackers operate the mothership using a network of proxies and VPN servers for anonymity reasons. The mothership also work as the exploitation servers used in the watering hole attacks, delivering Java, IE or fake applications to the victim.

We were able to get a copy of one of the motherships, which provided some insight into the operation.

It runs a control panel which is password protected:


Epic mothership control panel login

Once logged into the Control panel, the attackers can see a general overview of the system including the number of interesting potential targets:


Epic control panel status overview

A very interesting file on the servers is task.css, where the attackers define the IP ranges they are interested in. To change the file, they are using the "Task editor" from the menu. Depending on the "tasks", they will decide whether to infect the visitors or not. In this case, we found they targeted two ranges belonging to:

  • "Country A" - Federal Government Network
  • "Country B" - Government Telecommunications and Informatics Services Network

It should be noted though, the fact that the attackers were targeting these ranges doesn't necessarily mean they also got infected. Some other unknown IPs were also observed in the targeting schedules.

There is also an "except.css" file where attackers log the reasons they didn't try to exploit certain visitors. There are three possible values:

  • TRY
  • DON'T TRY -> Version of the browser and OS does not meet the conditions
  • DON'T TRY -> (2012-09-19 10:02:04) - checktime < 60

These are the "don't meet the conditions" reasons observed in the logs:

  • Windows 7 or 2008 R2
  • MSIE 8.0
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E)
  • Adobe Shockwave 11.5.1.601
  • Adobe Flash 10.3.181.14
  • Adobe Reader 10.1.0.0
  • Win Media Player 12.0.7601.17514
  • Quick Time null
  • MS Word null
  • Java null
The Epic / Tavdig / Wipbot backdoor

For this first stage of the attack, the threat actor uses a custom backdoor. In some cases, the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated. This makes the analysis more difficult.

The CVE-2013-5065 exploit allows the backdoor to achieve administrator privileges on the system and run unrestricted. This exploit only works on unpatched Microsoft Windows XP systems.

Other known detection names for the backdoor is Trojan.Wipbot (Symantec) or Tavdig.

The main backdoor is about 60KB in size and implements a C&C protocol on top of normal HTTP requests. The communication protocol uses requests in the C&C replies, which the malware decrypts and processes. The replies are sent back to the C&C through the same channel.

The malware behavior is defined by a configuration block. The configuration block usually contains two hard-coded C&C URLs. He have also seen one case where the configuration block contains just one URL. The configuration can also be updated on the fly by the attackers, via the C&C.

The backdoor attempts to identify the following processes and, if found, it will terminate itself:

  • tcpdump.exe
  • windump.exe
  • ethereal.exe
  • wireshark.exe
  • ettercap.exe
  • snoop.exe
  • dsniff.exe

It contains an internal unique ID, which is used to identify the victim to the C&C. Most samples, especially old ones, have the ID 1156fd22-3443-4344-c4ffff. Once a victim is confirmed as "interesting", the attackers upload another Epic backdoor which has a unique ID used to control this specific victim.

During the first C&C call, the backdoor sends a pack with the victim's system information. All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware.

Through monitoring, we were able to capture a large amount of commands sent to the victims by the attackers, providing an unique view into this operation. Here's a look at one of the encrypted server replies:

Once a victim is infected and "checks in" with the server, the attackers send a template of commands:

Next, the attackers try to move through the victim's network using pre-defined or collected passwords:

Listing all .doc files recursively is also a common "theme":

In total, we have decoded several hundreds of these command packages delivered to the victims, providing an unique insight into the inner workings of the attackers.

In addition to generic searches, some very specific lookups have been observed as well.  These include searches for:

  • *NATO*.msg
  • eu energy dialogue*.*
  • EU*.msg
  • Budapest*.msg

In this case, the attackers were interested to find e-mails related to "NATO", "Energy Dialogue within European Unition" and so on.

For some of the C&C servers, the attackers implemented RSA encryption for the C&C logs, which makes it impossible to decrypt them. This scheme was implemented in April 2014.

Lateral movement and upgrade to more sophisticated backdoors

Once a victim is compromised, the attackers upload several tools that are used for lateral movement.

One such tool observed in the attacks and saved as "C:\Documents and Settings\All users\Start Menu\Programs\Startup\winsvclg.exe" is:

Name: winsvclg.exe
MD5: a3cbf6179d437909eb532b7319b3dafe
Compiled: Tue Oct 02 13:51:50 2012

This is a keylogger tool that creates %temp%\~DFD3O8.tmp. Note: the filename can change across victims. On one Central Asian government's Ministry of Foreign Affairs victim system, the filename used was "adobe32updt.exe".

In addition to these custom tools, we observed the usage of standard administration utilities. For instance, another tool often uploaded by the attackers to the victim's machine is "winrs.exe":

Name: winrs.exe
MD5: 1369fee289fe7798a02cde100a5e91d8

This is an UPX packed binary, which contains the genuine "dnsquery.exe" tool from Microsoft, unpacked MD5:  c0c03b71684eb0545ef9182f5f9928ca.

In several cases, an interesting update has been observed --  a malware from a different, yet related family.

Size: 275,968 bytes
MD5: e9580b6b13822090db018c320e80865f
Compiled: Thu Nov 08 11:05:35 2012

another example:

Size: 218,112 bytes
MD5: 071d3b60ebec2095165b6879e41211f2
Compiled: Thu Nov 08 11:04:39 2012

This backdoor is more sophisticated and belongs to the next level of cyber-espionage tools called the "Carbon system" or Cobra by the Turla attackers. Several plugins for the "Carbon system" are known to exist.


Decoded configuration for e9580b6b13822090db018c320e80865f

Note: the command and control servers www.losguayaberos[.]com and thebesttothbrushes[.]com have been sinkholed by Kaspersky Lab.

Other packages delivered to the victims include:

MD5: c7617251d523f3bc4189d53df1985ca9
MD5: 0f76ef2e6572befdc2ca1ca2ab15e5a1

These top level packages deploy both updated Epic backdoors and Turla Carbon system backdoors to confirmed victims, effectively linking the Epic and Turla Carbon operations together.

The Turla Carbon dropper from these packages has the following properties:

MD5: cb1b68d9971c2353c2d6a8119c49b51f

This is called internally by the authors "Carbon System", part of the "Cobra" project, as it can be seen from the debug path inside:

This acts as a dropper for the following modules, both 32 and 64 bit:

MD5 Resource number 4c1017de62ea4788c7c8058a8f825a2d 101 43e896ede6fe025ee90f7f27c6d376a4 102 e6d1dcc6c2601e592f2b03f35b06fa8f 104 554450c1ecb925693fedbb9e56702646 105 df230db9bddf200b24d8744ad84d80e8 161 91a5594343b47462ebd6266a9c40abbe 162 244505129d96be57134cb00f27d4359c 164 4ae7e6011b550372d2a73ab3b4d67096 165

The Carbon system is in essence an extensible platform, very similar to other attack platforms such as the Tilded platform or the Flame platform. The plugins for the Carbon system can be easily recognized as they always feature at least two exports named:

  • ModuleStart
  • ModuleStop


Carbon system plugin with characteristic exports

Several Epic backdoors appear to have been designed to work as Carbon system plugins as well - they require a specialized loader to start in victim systems that do not have the Carbon system deployed.

Some modules have artifacts which indicate the Carbon system is already at version 3.x, although the exact Carbon system version is very rarely seen in samples:

The author of the Carbon module above can be also seen in the code, as "gilg", which also authored several other Turla modules.

We are planning to cover the Turla Carbon system with more details in a future report.

Language artifacts

The payload recovered from one of the mothership servers (at newsforum.servehttp[.]com/wordpress/wp-includes/css/img/upload.php, MD5: 4dc22c1695d1f275c3b6e503a1b171f5, Compiled: Thu Sep 06 14:09:55 2012) contains two modules, a loader/injector and a backdoor. Internally, the backdoor is named "Zagruzchick.dll":

The word "Zagruzchick" means "boot loader" in Russian.

The Control panel for the Epic motherships also sets the language to codepage "1251":

Codepage 1251 is commonly used to render Cyrillic characters.

There are other indications that the attackers are not native English language speakers:

  • Password it´s wrong!
  • Count successful more MAX
  • File is not exists
  • File is exists for edit

The sample e9580b6b13822090db018c320e80865f that was delivered to several Epic victims as an upgraded backdoor, has the compilation code page language set to "LANG_RUSSIAN".

The threat actor behind the "Epic" operation uses mainly hacked servers to host their proxies. The hacked servers are controlled through the use of a PHP webshell. This shell is password protected; the password is checked against an MD5 hash:

The MD5 "af3e8be26c63c4dd066935629cf9bac8" has been solved by Kaspersky Lab as the password "kenpachi". In February 2014 we observed the Miniduke threat actor using the same backdoor on their hacked servers, although using a much stronger password.

Once again, it is also interesting to point out the usage of Codepage 1251 in the webshell, which is used to render Cyrillic characters.

There appears to be several links between Turla and Miniduke, but we will leave that for a future blogpost.

Victim statistics

On some of the C&C servers used in the Epic attacks, we were able to identify detailed victim statistics, which were saved for debugging purposes by the attackers.

This is the country distribution for the top 20 affected countries by victim's IP:

According to the public information available for the victims' IPs, targets of "Epic" belong to the following categories:

  • Government
    •  Ministry of interior (EU country)
    •  Ministry of trade and commerce (EU country)
    •  Ministry of foreign/external affairs (Asian country, EU country)
    •  Intelligence (Middle East, EU Country)
  • Embassies
  • Military (EU country)
  • Education
  • Research (Middle East)
  • Pharmaceutical companies
  • Unknown (impossible to determine based on IP/existing data)
Summary

When G-Data published their Turla paper, there were few details publicly available on how victims get infected with this malware campaign. Our analysis indicates this is a sophisticated multi-stage infection; which begins with Epic Turla. This is used to gain a foothold and validate the high profile victim. If the victim is interesting, they get upgraded to the Turla Carbon system.

Most recently, we observed this attack against a Kaspersky Lab user on August 5, 2014, indicating the operation remains fresh and ongoing.

Note: A full analysis of the Epic attacks is available to the Kaspersky Intelligent Services customers. Contact: intelreports@kaspersky.com

We would like to add the following at the end of the blogpost, right before the detection names:

Further reading

If you'd like to read more about Turla/Uroburos, here's a few recommendations:

Kaspersky products' detection names for all the malware samples described in this post:

Backdoor.Win32.Turla.an
Backdoor.Win32.Turla.ao
Exploit.JS.CVE-2013-2729.a
Exploit.JS.Pdfka.gkx
Exploit.Java.CVE-2012-1723.eh
Exploit.Java.CVE-2012-1723.ou
Exploit.Java.CVE-2012-1723.ov
Exploit.Java.CVE-2012-1723.ow
Exploit.Java.CVE-2012-4681.at
Exploit.Java.CVE-2012-4681.au
Exploit.MSExcel.CVE-2009-3129.u
HEUR:Exploit.Java.CVE-2012-1723.gen
HEUR:Exploit.Java.CVE-2012-4681.gen
HEUR:Exploit.Java.Generic
HEUR:Exploit.Script.Generic
HEUR:Trojan.Script.Generic
HEUR:Trojan.Win32.Epiccosplay.gen
HEUR:Trojan.Win32.Generic
HackTool.Win32.Agent.vhs
HackTool.Win64.Agent.b
Rootkit.Win32.Turla.d
Trojan-Dropper.Win32.Dapato.dwua
Trojan-Dropper.Win32.Demp.rib
Trojan-Dropper.Win32.Injector.jtxs
Trojan-Dropper.Win32.Injector.jtxt
Trojan-Dropper.Win32.Injector.jznj
Trojan-Dropper.Win32.Injector.jznk
Trojan-Dropper.Win32.Injector.khqw
Trojan-Dropper.Win32.Injector.kkkc
Trojan-Dropper.Win32.Turla.b
Trojan-Dropper.Win32.Turla.d
Trojan.HTML.Epiccosplay.a
Trojan.Win32.Agent.iber
Trojan.Win32.Agent.ibgm
Trojan.Win32.Agentb.adzu
Trojan.Win32.Inject.iujx
Trojan.Win32.Nus.g
Trojan.Win32.Nus.h

 Technical Appendix with IOCs

Android Backdoor disguised as a Kaspersky mobile security app

Wed, 08/06/2014 - 11:23

This week, our virus lab handled a case where a customer received a phishing email with an Android Backdoor archive masquerading as a Kaspersky mobile security app (we are aware that those who created this app are also disguising it as apps from other major AV brands).

It prompts recipients to install the fake Kaspersky Android app to protect their mobile security. From the context we can presume the intended targets are users in Poland.

Most email phishing attacks tend to target PC users, but this time the attackers have turned their attention to mobile platforms. We think it's a new trend in spreading virus. Mobile security is related to user privacy. In most cases, a mobile device is more important than PC for users. It contains user contacts, text messages, photos and call logs. And mobile security is generally considered to be a weak point. So, most people will believe these phishing emails and are likely to install the fake mobile security app.

In this case, the Android apk in the phishing email is a powerful and aggressive backdoor which is detected as Backdoor.AndroidOS.Zerat.a. The backdoor is full of malicious functions, but the GUI is a little simple and crude.

Maybe it only wants you to install it and click the button. By executing, it links to hxxp://winrar.nstrefa.pl/path/DeviceManager.php to register the victim device info.

Then it visits hxxp://winrar.nstrefa.pl/path/Linker.php to get commands.

According to the commands, it will perform lots of malicious activities.

Some of the commands are shown below.
Getting location:

Recording:

Intercepting text messages:

Browsing history:

Recording call:

Store and upload:

This is a new type of mobile security threat that works just like a phishing site or phishing SMS. With the phishing email, the backdoor will spread more easily. There is reason to believe that more increasingly complex mobile attacks with follow. Composite attacks on mobile platforms are simply a matter of time.

In this day and age it is very important to protect our privacy and device security. It's recommended to follow these tips:

  • Download a mobile security app from the official Kaspersky website.
  • Don't trust strange emails.
  • Don't just open and execute files in email attachments.

Android Worm on Chinese Valentine's day

Wed, 08/06/2014 - 08:30

On August 2, the Chinese Vlentine's Day, an Android SMS worm struck China. It is called XXshenqi.apk. In the space of six hours, it infected about 500,000 devices. It has received widespread coverage in the local media. It's not just an SMS worm, containing two malicious modules: XXshenqi.apk and its asset Trogoogle.apk.

The function of XXshenqi.apk is to send SMS to spread itself and to drop another backdoor on the victim device. It is detected as Trojan.AndroidOS.Xshqi.a by Kaspersky Lab.

After installation, it sends an SMS to all the names on the victim's contact lists to get them to install the Trojan as well.




Then it probes whether or not com.android.Trogoogle.apk is present on the mobile device. If not, it displays a dialog window to prompt the user to install Trogoogle.apk.

Trogoogle.apk is a resource file in the assets folder of XXshenqi.apk.

After that, it asks the user to register the app. The Trojan will steal the user's personal ID and name and send them to those controlling the malware.

Trogoogle.apk contains more malicious functions. It is a backdoor and detected as Backdoor.AndroidOS.Trogle.a by Kaspersky Lab. It hides its icon after installation so the user is unaware of its presence. It will then respond to commands to perform malicious activity. The commands include:

"readmessage"
"sendmessage"
"test"
"makemessage"
"sendlink"

It also monitors the victim's text messages and sends them to the malware owner by email or SMS.

The fact that this Trojan combintion appeared on the Chinese Valentine's Day is premeditated, taking advantage of user credulity on this special day. And it uses social engineering techniques to spread as much as possible and infect more devices. This Trojan is a good example of why it's always worth thinking twice about trusting a link received on your mobile phone. No matter who sends it, it could still be a malicious program.

Obfuscated malicious office documents adopted by cybercriminals around the world

Wed, 08/06/2014 - 03:00

After going out of fashion for a number of years, malicious macros inside Office files have recently experienced a revival. And why not, especially if they are a lot cheaper than exploits and capable of doing the same job?

Yes, that's right, cybercriminals are busily recycling this old technique, introducing new obfuscation forms to make it more effective. Let's look at two examples.

Sample 1

This is an excel file with malicious embedded macros. However if you use standard Office tools to look at the macros, you will not see anything malicious at all:

That is because the sample all macros are obfuscated with a base64 encoding technique.

After de-obfuscation you can see clearly the URLs used to download the payloads:

This is a very simple technique but it is effective against simple heuristics that use string analysis of all incoming email attachments, and this is reflected in a very low VT detection https://www.virustotal.com/en/file/c916540dcab796e7c034bfd948c54d9b87665c62334d8fea8d3724d9b1e9cfc9/analysis/1403955807/

This particular sample is also interesting since in some Excel versions it is able to run macros automatically without prompting the user, enabling it. Once it has run, it drops a password-stealing Trojan directly onto the victim's system.

Sample 2

This another example is a fake Aeromexico ticket.

There is no obfuscation but the URL is written from right to left, which again it might be quite useful against simple GREP analysis techniques:

It is interesting to note that the first sample was found in the wild in Venezuela, the second in Mexico and then the third in Brazil:

This one drops a ChePro banker. All three malicious samples drop only Trojans that steal financial data, but the same technique can be easily used to drop any type of malware.

So does it mean that only Latin American cybercriminals use this technique? The answer is no, not really. Our relative user's infections statistics show that actually the countries with the most attempted infections using this kind of malware are Germany and then Poland.

However, the technique is seen elsewhere, including Spain, Mexico, Brazil and others.

While analyzing malicious macro office files, you can see that the original document is created by one user and then somebody else (another criminal) assists in embedding the malicious macros.

The same technique can be easily used to drop any kind of malware in any country since this is all about social engineering and it will easily pass through email gateway security because it is basically an office document, and security email policies allow those.

You may follow me on twitter: @dimitribest

The echo of Stuxnet

Tue, 08/05/2014 - 06:00

 Full PDF version

At Kaspersky Lab we regularly conduct threat studies dedicated to a particular type of cyber threat. This summer we decided to look closely at what versions of Windows Operating System are most popular among our users and also at what kind of vulnerabilities are used in cyber-attacks involving exploits. As a result we prepared a study called "Windows usage and vulnerabilities'. Some of its results were rather predictable – but some were really surprising.

The summer of 2010 saw the appearance of Stuxnet, a computer worm which, as it turned out later, had been designed specifically to sabotage the uranium enrichment process at several factories in Iran. Stuxnet was a real sensation which demonstrated what malware was capable of when precisely targeted and rigorously prepared. To proliferate, the worm used an exploit for the CVE-2010-2568 vulnerability. It is an error in processing tags in Windows OS enabling the download of the random dynamic library without the user's awareness. The vulnerability affected Windows XP, Vista, and Windows 7 as well as Windows Server 2003 and 2008.

The first malware exploiting this vulnerability was registered in July 2010. The worm Sality uses this vulnerability to distribute its own code: Sality generates vulnerable tags and distributes them through the LAN. If a user opens a folder containing one of these vulnerable tags, the malicious program immediately begins to launch. After Sality and Stuxnet this vulnerability was used by the well-known Flame and Gauss spyware.

In autumn 2010, Microsoft released a security update which patches this vulnerability. Despite this, Kaspersky Lab detection systems are still registering tens of millions of detections of CVE-2010-2568 exploits. Over the study period, more than 50 million detections on more than 19 million computers worldwide were recorded.

It's worth noting the distribution of computer operating systems on which detections of the exploit for LNK vulnerability were registered. The lion's share of detections (64.19%) registered over the last eight months involved XP and only 27.99% were on Windows 7. Kaspersky Lab products protecting Windows Server 2003 and 2008 also regularly report detection of these exploits (3.99% and 1.58% detections respectively). The large number of detections coming from XP users suggests that most of these computers either don't have an installed security solution or use a vulnerable version of Windows - or both. The detections coming from server systems prove the presence of malicious tags exploiting the CVE-2010-2568 vulnerability on network folders with open access.

The geographical distribution of all registered CVE-2010-2568 detections is also interesting.


CVE-2010-2568 detections, country distribution Nov 2013 - June 2014

Vietnam (42.45%), India (11.7%) and Algeria (5.52%) are among the leaders for the number of Kaspersky Lab detections of one of the most dangerous Windows vulnerabilities currently known. Interestingly, according our research, the outdated XP OS is also widely used in all these countries. Here are the top countries for XP use in June 2014:

Vietnam 38.79% China 27.35% India 26.88% Algeria 24.25% Italy 20.31% Spain 19.26% Russian Federation 17.40% France 12.04% Germany 8.54% United States 4.52%

Top 10 countries with largest share of Windows XP users
in overall volume of users of Kaspersky Lab products.

It's not surprising that CVE-2010-2568 exploits are still popular in some of these countries. So many users of outdated versions of Windows mean these exploits are effective even though almost four years have passed since the disclosure and patching of the vulnerability.

Other findings from this research are available in the full report.

IT threat evolution Q2 2014

Mon, 08/04/2014 - 07:00

 PDF version

Q2 in figurers
  • According to KSN data, Kaspersky Lab products detected and neutralized a total of 995,534,410 threats in the second quarter of 2014.
  • Kaspersky Lab solutions repelled 354,453,992 attacks launched from online resources located all over the world.
  • Kaspersky Lab's web antivirus detected 57,133,492 unique malicious objects: scripts, web pages, exploits, executable files, etc.
  • 145,386,473 unique URLs were recognized as malicious by web antivirus.
  • 39% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in the US and Germany.
  • Kaspersky Lab's antivirus solutions detected 528,799,591 virus attacks on users' computers. A total of 114,984,065 unique malicious and potentially unwanted objects were identified in these incidents.
  • In Q2 2014, 927,568 computers running Kaspersky Lab products were attacked by banking malware.
  • A total of 3,455,530 notifications about attempts to infect those computers with financial malware were received.
Overview Targeted attacks and malware campaigns 'Somebody's poisoned the water-hole'

In April, we reported a new Flash Player zero-day that we believe was used in watering-hole attacks from a compromised Syrian web site. The site (http://jpic.gov.sy), launched in 2011 by the Syrian Ministry of Justice, was designed to enable citizens to complain about law and order violations. We believe that this attack was developed to target Syrian dissidents complaining about the government.

We analyzed two new SWF exploits (both detected proactively by Kaspersky Lab products) in mid-April that didn't use any vulnerabilities that we already knew about – the vulnerability was later confirmed by Adobe as a new zero-day (CVE-2014-0515). This was located in the Pixel Bender component (no longer supported by Adobe) used for video and image processing. While the first exploit is fairly standard and was able to infect practically any unprotected computer, the second functions only on computers where the Adobe Flash Player 12 ActiveX and Cisco MeetingPlace Express add-ins are installed. The authors were counting on the developers not finding a vulnerability in that component in the hope that the exploit would remain active for longer. This suggests that the attackers were not targeting victims en masse.

It seems likely that victims were redirected to the exploits by means of an iframe or a script on the compromised site. When we published our blog on this zero-day, we had seen more than 30 detections on the computers of seven different people – all of them located in Syria.

We believe that this attack was carefully planned by high-caliber attackers, as evidenced by the use of professionally-written zero-day exploits used to compromise a single resource.

Technical details on the exploits can be found here.

The Italian (and Turkish) job

In June we reported on our research into an attack against the clients of a large European bank that resulted in the theft of half a million euros in just one week.

We uncovered the first signs of the campaign in January, when we discovered a suspicious server containing logs relating to financial fraud transactions – including details of the victims and sums of money that had been stolen. Further analysis revealed further information, showing the bank being targeted, the money mule system, operational details of the attack and JavaScript related to the command-and-control (C2) part of the campaign. It became clear that this was the server-side portion of a banking Trojan infrastructure. We named the C2 'luuuk' after the path in the administration panel used in the server – '/server/adm/luuuk'.

The campaign targeted customers of a single bank. Although we were unable to obtain the malware used to infect the victims, we believe the criminals used a banking Trojan that performed 'Man-in-the-Browser' operations to steal the victims' credentials through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and one-time passcodes (OTP) in real time.

Such injections are common in all variants of Zeus (Citadel, SpyEye, IceIX, etc.). We weren't able to identify the infection vector but banking Trojans use a variety of methods to infect victims, including spam and drive-by downloads. Following the publication of our post, researchers at Fox-IT InTELL sent us information potentially related to this campaign. This data indicated that the Luuuk server could be related to the ZeusP2P (aka Murofet), as we had originally suspected. However there was no definitive proof of this since the injected code couldn't be found on the server when we performed our analysis.

The attackers used stolen credentials to check the victim's account balance and perform malicious transactions automatically, probably operating in the background of a legitimate banking session. This is consistent with one of the malicious artefacts (a VNC server) that we found bound to the malicious server used by the attackers.

The stolen money was then transferred automatically to preset money mule accounts. The classification of pre-defined money mules used by the attackers was very interesting. There were four different money mule groups, each defined by the amount of money the mules in the group could accept – probably a reflection of the level of trust between them.

We identified 190 victims in total, most of them located in Italy and Turkey. The sums stolen from each victim ranged from €1,700 to €39,000 and amounted to €500,000.

The attackers removed all the sensitive components on 22 January, two days after our investigation started. Based on the transaction activity, we believe that this represents an infrastructure change rather than a complete shutdown of the operation. Our analysis of attack indicates that the cybercriminals behind the campaign are highly professional and very active. They have also shown proactive operational security activities, changing tactics and removing traces when discovered.

When we first found the C2 server, we reported the matter to the bank concerned and to the appropriate law enforcement agencies. We are maintaining our contact with these agencies and continue to investigate the attack.

'Legal' spyware goes mobile

In June, we published the results of our latest research into the 'legal' software called Remote Control System (RCS) developed by the Italian company HackingTeam. It's not the first time we've focused on this company's software. However, there have been significant developments since our previous article on RCS.

First, we discovered a feature that can be used to fingerprint the RCS command-and-control (C2) servers. When a special request is sent to an RCS server, it responds with the following error message:

We were able to use this method to scan the entire IPv4 space, which enabled us to find all the IP addresses of RCS C2 servers across the globe. We found 326 in total, most of them located in the US, Kazakhstan and Ecuador. You can see the list here. Several IPs were identified as 'government'-related, based on their WHOIS information. Of course, we can't be sure that the servers located in a specific country are being used by law enforcement agencies in that country, but this would make sense: after all, it would avoid cross-border legal problems and avoid the risk of servers being seized by others.

Second, we discovered a number of mobile malware modules for Android, iOS, Windows Mobile and BlackBerry coming from HackingTeam. They are all controlled using the same configuration type – a good indication that they are related and belong to the same product family. Unsurprisingly, we were particularly interested in those relating to Android and iOS, because of the popularity of those platforms.

The modules are installed using infectors – special executables for either Windows or Mac OS that run on already-infected computers. The iOS module supports only jailbroken devices. This does limit its ability to spread, but the method of infection used by RCS means that an attacker can run a jailbreaking tool (such as Evasi0n) from an infected computer to which the phone is connected – as long as the device isn't locked.

The iOS module allows an attacker to access data on the device (including e-mail, contacts, call history, cached web pages), to secretly activate the microphone and to take regular camera shots. This gives complete control over the whole environment in and around a victim's computer.

The Android module is protected by the DexGuard optimiser/obfuscator, so it was difficult to analyse. But we were able to determine that it matches the functionality of the iOS module, plus offering support for hijacking information from the following applications: 'com.tencent.mm', 'com.google.android.gm', 'android.calendar', 'com.facebook', 'jp.naver.line.android' and 'com.google.android.talk'.

You can find the full list of functions here.

This new data highlights the sophistication of such surveillance tools. Kaspersky Lab's policy in relation to such tools is very clear. We seek to detect and remediate any malware attack, regardless of its origin or purpose. For us, there's no such thing as 'right' or 'wrong' malware; and we've issued public warnings about the risks of so-called 'legal' spyware in the past. It's imperative that these surveillance tools don't fall into the wrong hands – that's why the IT security industry can't make exceptions when it comes to detecting malware.

MiniDuke re-loaded

The beginning of 2014 saw the re-activation of MiniDuke, an APT campaign from early 2013. The original campaign stood out for several reasons. It included a custom backdoor written in the 'old school' Assembler programming language. The attack was managed using an unusual command-and-control (C2) infrastructure: it made use of multiple redundancy paths, including Twitter accounts. The developers transferred their updated executables hidden inside GIF files.

The targets of the new MiniDuke operation (known also as TinyBaron and CosmicDuke) include government, diplomatic, energy, military and telecom operators. But unusually, the list of victims includes those involved in the trafficking and reselling of illegal substances, including steroids and hormones. The reason for this isn't clear. It's possible that the customizable backdoor is available as so-called 'legal spyware'. But it may simply be that it's available in the underground market and has been purchased by various competitors in the pharmaceutical business to spy on each other.

The campaign targets countries across the world, including Australia, Belgium, France, Germany, Hungary, the Netherlands, Spain, Ukraine, and the USA.

One of the servers we analyzed contained a long list of victims dating back to April 2012. There were 265 different identifiers on the server, assigned to victims from 139 unique IPs: the geographical distribution of the victims included Georgia, Russia, the USA, the UK, Kazakhstan, India, Belarus, Cyprus, Ukraine and Lithuania.

Our analysis revealed that the attackers were expanding their field of operations, scanning IP ranges and servers in Azerbaijan, Ukraine and Greece.

The malware spoofs popular applications designed to run in the background - including file information, icons and even file size. The backdoor itself is compiled using 'BotGenStudio', a customizable framework that allows the attackers to enable and disable components when the bot is constructed. The malware's components can be categorized according to their functions.

(1) Persistence. The malware is able to start via Windows Task Scheduler at a specific time, or when the screensaver is activated.

(2) Reconnaissance. The malware not only steals files with specific extensions, but also harvests passwords, history, network information, address books, information displayed on the screen (screenshots are made every five minutes) and other sensitive data.

Each victim is assigned a unique ID, making it possible to push specific updates to an individual victim. The malware is protected with a custom obfuscated loader which heavily consumes CPU resources for three to five minutes before executing the payload. This makes it hard to analyze. But it also drains the resources that security software needs to emulate the execution of the malware. On top of its own obfuscator, the malware makes heavy use of encryption and compression based on the RC4 and LZRW algorithms. They are implemented slightly differently to the standard versions - we believe that this has been done deliberately to mislead researchers.

One of the more technically advanced parts of the malware relates to data storage. The internal configuration of the malware is encrypted, compressed and serialized as a complicated registry-like structure, which has various record types including strings, integers and internal references.

(3) Exfiltration. The malware implements several methods to transfer stolen data, including upload via FTP and three types of HTTP-based communication. When a file is uploaded to the C2 server it is split into small chunks (of around 3KB), which are compressed, encrypted and placed in a container to be uploaded to the server. If it's a large file, it may be placed into several hundred different containers that are all uploaded independently. It's likely that these data chunks are parsed, decrypted, unpacked, extracted and reassembled on the attacker's side. While this method might be an overhead, the layers of additional processing ensures that very few researchers will get to the original data, and offers increased reliability against network errors.

As is the case with any APT, attribution is virtually impossible. While the attackers use English in several places, there are indications that it's not their native language. We found strings in a block of memory appended to the malware component used for persistence that suggest they may be Russian. This was true also of the use of Codepage 1251 in the webshell used by the attackers to compromise the C2 hosts - this is commonly used to render Cyrillic characters. The same webshell was observed in the operations of another APT – Turla, Snake or Uroburos).

Online fraudsters – their [World] Cup runneth over!

Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events and the FIFA World Cup is no different. In the run up to the tournament, we highlighted the various ways in which the scammers were trying to take advantage of unwary visitors to Brazil for football's major showcase event.

One obvious way for scammers to cash-in is through phishing attacks. It's common for phishers to compromise a legitimate site and host their page there. But Brazilian phishers have gone the extra mile to stage attacks that are very difficult for ordinary people to spot. They registered domains using the names of well-known local brands – including credit card companies, banks and online stores. However, the cybercriminals went one mile further still. Not only were the sites very professionally designed – they gave their sites an even greater feel of authenticity by buying SSL certificates from Certification Authorities such as Comodo, EssentialSSL, Starfield, Register.com and others. Clearly, a site with a 'legitimate' SSL certificate is likely to fool even security conscious consumers.

They are also taking advantage of how easy it is to buy certificates in order to distribute digitally-signed malware. They start by sending messages offering free World Cup tickets, with a link that leads to a banking Trojan:

Some of these e-mails contain personal details, stolen from a breached database, to add credibility to the bogus offer.

However, Brazilian cybercriminals aren't restricting their activities to phishing alone.  We also reported how they were using malware installed on Point-of-Sale and PIN-pad devices in order to capture credit card data. These devices are connected to a computer via USB or serial port, to communicate with electronic funds transfer (EFT) software. The Trojans they use infect the computer and sniff the data transmitted through these ports. These PIN-pads are equipped with security features to ensure that security keys are erased if someone tries to tamper with the device. The PIN is encrypted as soon as it's entered – commonly using triple DES encryption. But Track 1 data (credit card number, expiry data, service code and CVV) and public CHIP data aren't encrypted on old, outdated devices – instead, they're sent in plain text to the computer via USB or serial port. This gives the cybercriminals all they need to clone the card.

Cybercriminals also take advantage of our desire to stay connected wherever we go – to share our pictures, to update our social network accounts, to find out the latest news or to locate the best places to eat, shop or stay. Unfortunately, mobile roaming charges can be very high, so often people look for the nearest Wi-Fi access point. This is dangerous, as we described in our report on Wi-Fi in Brazil. Data sent and received over open Wi-Fi networks can be intercepted. So passwords, PINs and other sensitive data can be stolen easily. On top of this, cybercriminals also install fake access points, configured to direct all traffic through a host that can be used to control it – even functioning as a 'man-in-the-middle' device that is able to intercept and read encrypted traffic.

Our report also highlighted the dangers of charging a mobile device using a USB port installed in a public place. Malicious AC/DC chargers can charge your device's battery, but they can also silently steal data from your device – or even install malware.

There's another way the fraudsters can make money from people, even if they're not looking for World Cup tickets. With a big audience all over the world, often in distant time zones, fans can find themselves away from their TV at the time they want to watch the game. That's when they start looking for a live online stream of the action. Unfortunately, searching for live broadcasts on the Internet can prove to be very expensive or result in your computer getting infected. That's because some of the advertisements you find when you search lead to fraudulent or malicious content. When you go to the web site, it asks you to download a special plugin so you can watch the online broadcast. But it turns out to be an adware program that may show you nothing, but will drain your computer's resources. Adware straddles the thin line between cybercrime and legitimate software. So it's little wonder that our statistics show ongoing detections of this type of software. You can find our full report here.

Pay the taxman – but avoid the phishers

Phishers don't just try to exploit major sporting events. They also base the campaigns around more mundane aspects of life. In May, many people in Colombia received an e-mail accusing them of tax evasion and fraud. To add a further 'edge' to the communication, the cybercriminals claimed that this was the third notification about the matter. The e-mail contained a link that led to an infected Word document. Microsoft Office blocks embedded macros, so the attackers included instructions on how the victim should enable macros.

If the victim clicks on the document, another malicious file is downloaded to their computer, from a hacked server in Ecuador. This is designed to steal passwords for online games, PayPal, file-sharing systems, social networks (including Facebook and Twitter), online bank accounts and more.

The use of scare tactics in general, and fake communications from tax authorities in particular, are common methods used by phishers around the world.

In April, we published an in-depth report on financial cybercrime, based on data from the Kaspersky Security Network. You can read the report on phishing here.

Malware stories: loading early – the use of bootkits by cybercriminals

When malware writers are developing their code one of their key objectives is to load their malicious content as early as possible in the boot process. This gains the maximum possible control over the system. Bootkits represent the most advanced technology in this area, allowing malicious code to start before the operating system itself loads. This technology has been implemented in numerous malicious programs. Notable examples include XPAJ and TDSS, but there are many others, including targeted attack campaigns such as The Mask.

Bootkits have evolved over the years from proof-of-concept to mass distribution, as we explained here. They have now effectively become open-source software, thanks to the publication of the source-code for the Carberp banking Trojan – the Cidox bootkit was used to protect Carberp and its source-code was published alongside that of Carberp.

It's clear that the evolution of bootkits must be seen within the overall context of the cat-and-mouse battle between malware writers and anti-malware researchers. They are always looking for new ways to evade detection; we're continually investigating ways to make protection of our customer more effective. Our report also looks at the security benefits offered by UEFI (Unified Extensible Firmware Interface), as well as how malware writers might try to subvert it.

Web security and data breaches: Windows XP – unsupported, but still out there

Support for Windows XP ended on 8 April: this means no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. Sadly, there are still a lot of people running Windows XP – our data for the period since 8 April 2014 indicate that about 18 per cent of infections are on machines running Windows XP. This is a lot of people wide open to attack now that security patches have dried up:  effectively, every vulnerability discovered since then is a zero-day vulnerability – that is, one for which there is no chance of a patch.

This problem will be compounded as application vendors stop developing updates for Windows XP. Every un-patched application will become yet another potential point of compromise, further increasing the potential attack surface. In fact, this process has already started: the latest version of Java doesn't support Windows XP.

Switching to a newer operating system might seem like a straightforward decision. But although Microsoft gave plenty of notice about the end of support, it's not so difficult to see why migration to a new operating system might be problematic for some businesses. On top of the cost of switching, it may also mean investing in new hardware and even trying to replace a bespoke application developed specifically for the company – one that will not run on a later operating system. So it's no surprise see some organizations paying for continued support for XP.

So if you don't switch right now, can you stay secure? Will your anti-virus software protect you?

Certainly it will provide protection. But this only holds good if by 'anti-virus' we mean a comprehensive Internet security product that makes use of proactive technology to defend against new, unknown threats – in particular, functionality to prevent the use of exploits. A basic anti-virus product, based largely on signature-based scanning for known malware, is insufficient. Remember too that, as times goes by, security vendors will implement new protection technologies that may well not be Windows XP-compatible.

At best, you should see this as a stop-gap, while you finalize your migration strategy. Malware writers will undoubtedly target Windows XP while significant numbers of people continue to run it, since an un-patched operating system will offer them a much bigger window of opportunity. Any Windows XP-based computer on a network offers a weak point that can be exploited in a targeted attack on the company. If compromised this will become a stepping-stone into the wider network.

There's no question that switching to a newer operating system is inconvenient and costly for individuals and businesses alike. But the potential risk of using an increasingly insecure operating system is likely to outweigh the inconvenience and cost.

Mobile threats The quarter in figures

In the second quarter of 2014 the following were detected:

  • 727,790 installation packages;
  • 65,118 new malicious mobile programs;
  • 2,033 mobile banking Trojans.

The sum total of malicious mobile objects detected was 1.7 times lower than in the first quarter. We link this with the start of the holiday season. In June we noticed a reduction in attempts to infect mobile devices using Trojans.

Mobile banking Trojans

Although the total number of threats decreased in the second quarter, we detected 2033 mobile banking Trojans in this period, 1.7 times more than last quarter. From the beginning of 2014 the number of banking Trojans has increased by almost a factor of four, and over a year (from July 2012) - 14.5 times.


Number of mobile banking Trojans detected, Q2 2014

This growth reflects two factors:

  1. the interest of cybercriminals in "big" money;
  2. active countermeasures from antivirus companies.

We note that the geography of infection by mobile banking Trojans has changed:


The geography of infection by mobile banking Trojans, Q2 2014

The top 10 countries attacked by banking Trojans

  Country Number of attacks % of all attacks 1 Russia 13800 91.7% 2 USA 792 5.3% 3 Ukraine 136 0.9% 4 Italy 83 0.6% 5 Belarus 68 0.5% 6 Republic of Korea 30 0.2% 7 Kazakhstan 25 0.2% 8 China 19 0.1% 9 United Kingdom 17 0.1% 10 Germany 12 0.1%

As before, Russia is in the first place in the rating but in the second place is the USA, and by a big margin over all other countries. Kazakhstan, which was in second place in this rating in the first quarter, is now in seventh place.

New developments from the virus writers First mobile encryptor

In the middle of May an announcement appeared on one of the virus writing forums offering a unique Trojan-encryptor for sale at $5000, working on the Android OS. On 18 May we detected the first mobile encryptor in the wild. This malware was detected by Kaspersky Lab as Trojan-Ransom.AndroidOS.Pletor.a.

After the Trojan is started it uses the AES encryption algorithm to encrypt the contents of the memory card of the smartphone, including media files and documents. Immediately after the start of the encryption Pletor displays a ransom demand on the screen. To receive money from the user the QIWI VISA WALLET, MoneXy system or standard transfer of money to a telephone number are used.

By the end of the second quarter we had managed to identify more than 47 versions of the Trojan. They all contain the key necessary to decipher all the files.

For communication with the cybercriminals one version of the Trojan uses the TOR network, others HTTP and SMS. Trojans from this second group show the user a video image of himself in the window with the demand for money, transmitted in real time using the frontal camera of the smartphone.

We note that the virus writers use the same social engineering mechanisms as the creators of early encryptors for Windows: the telephone is supposedly blocked for accessing prohibited pornographic content and all the photos and videos on the phone are "transferred for examination". In addition for non-payment of the "fine" the blackmailers threaten to send all the data to "public sources".

Pletor is targeted at citizens of Russia and Ukraine and the messages are in Russian and the ransom is demanded in rubles or hryvnia (the sum is the equivalent of about 300 euros). However we have found instances of this malware in 13 countries - mostly on the territory of the former USSR.

Disabler evolution

In terms of attack technique there is a clear tendency towards development of ransom-disablers. Here also cybercriminals are adopting methods of frightening their victims that were used by the creators of Windows malware.

The first version of the Svpeng mobile malware, which has Trojan-ransom capability, was detected at the beginning of 2014. The Trojan blocks the phone, allegedly because its owner has viewed child pornography. To unblock the mobile device the cybercriminals demand payment of a "fine" of 500 dollars.

In early June we discovered a new version of Svpeng aimed mostly at users in the USA. However users in the UK, Switzerland, Germany, India and Russia were also attacked.

This version of Svpeng completely blocks the mobile device so that the user can not even access the switch off/reboot menu. The smartphone can only be turned off by a long push on the off button but the Trojan starts immediately after it is switched on again.

At the same time the cybercriminals have used a time-tested social engineering trick. When it starts the Trojan imitates the scanning of the telephone and apparently finds forbidden content. To frighten the user the window announcing the "find" bears the FBI logo.

The Trojan blocks the phone and demands the payment of 200 dollars to unblock it. The creators of the Trojan use MoneyPak vouchers to receive the money.

In this window Svpeng shows a photograph of the user, taken using the frontal camera, which is reminiscent of Trojan-Ransom.AndroidOS.Pletor.a which we discussed above, except that Pletor transmits a video image.

By the end of the second quarter we had managed to find 64 versions of the new Svpeng. Each version mentions the Cryptor class, although no use of this class was detected. Perhaps the criminals intend in future to use the malware to encrypt users' data and demand a ransom for decrypting it.

Not only Android

As earlier, the main target of cybercriminals is the Android platform. More than 99% of new mobile malware is aimed at Android.

However this doesn't mean we can forget about other mobile platforms. Thus, in the second quarter of 2014 new malware objects appeared for the Apple iOS platform (but only for "jailbroken" devices). Along with their malware cybercriminals have used the protective functions of iOS for evil aims. An attack on Apple ID allowed the wrongdoers to completely block a device and demand money from their victim to restore its functionality.

The exposure of Hacking Team also came with a sting in the tail, as it was revealed that their arsenal contained modules for attacking "jailbroken" iOS devices.

The platform Windows Phone was not left out either. Here the virus writers had not come up with any technical innovations but took the route of inserting false applications without any useful function whatsoever in the official paid app store. And our brand was not unscathed: the crooks also used the trademark and logo of Kaspersky Lab.

In this way two vulnerabilities were revealed in the Windows Phone Store at once:

  1. the lack of checks that brand names are being properly used;
  2. the lack of checks of functionality.

The same publishers' false apps also appeared on Google Play.

Mobile threats: statistics

The sum total of malicious mobile objects detected was 1.7 times lower than in the first quarter: 727,790 installation packages, 65,118 new mobile malware programs, 2033 mobile banking Trojans. Probably the reduction in activity is down to the start of the holiday season.

Distribution of mobile threats by type


Distribution of mobile threats by type, Q2 2014

The rating of malware objects for mobile devices for the second quarter of 2014 was headed by potentially unwanted advertising applications (27%). Holding on to their position are SMS-Trojans with 22%. Whilst the figures for these two types of mobile threats have more or less remained unchanged over the quarter RiskTool has risen from fifth to third place, its share in the flow of mobile malware detected has risen from 8.6% to 18%. These are legal applications that are potentially dangerous for the user - careless use by the smartphone user or a malicious attacker could lead to financial loss.

TOP 20 malicious mobile programs   Name % of attacks* 1 Trojan-SMS.AndroidOS.Stealer.a 25.42% 2 RiskTool.AndroidOS.SMSreg.gc 6.37% 3 RiskTool.AndroidOS.SMSreg.hg 4.82% 4 Trojan-SMS.AndroidOS.FakeInst.a 4.57% 5 Trojan-SMS.AndroidOS.Agent.ao 3.39% 6 AdWare.AndroidOS.Viser.a 3.27% 7 Trojan-SMS.AndroidOS.Opfake.a 2.89% 8 Trojan-SMS.AndroidOS.Erop.a 2.76% 9 Trojan-SMS.AndroidOS.FakeInst.ff 2.76% 10 Trojan-SMS.AndroidOS.Agent.en 2.51% 11 Trojan-SMS.AndroidOS.Agent.ev 2.43% 12 RiskTool.AndroidOS.SMSreg.eh 2.41% 13 Trojan-SMS.AndroidOS.Opfake.bw 1.96% 14 Trojan-SMS.AndroidOS.Opfake.bo 1.53% 15 RiskTool.AndroidOS.MimobSMS.a 1.48% 16 Trojan-SMS.AndroidOS.Skanik.a 1.35% 17 Trojan-SMS.AndroidOS.Agent.mw 1.33% 18 RiskTool.AndroidOS.SMSreg.ey 1.31% 19 Trojan-SMS.AndroidOS.Agent.ks 1.24% 20 Trojan-SMS.AndroidOS.Agent.ay 1.21%

* The percentage of all attacks recorded on the mobile devices of unique users.

In the TOP 20 detected threats SMS Trojans dominate as before, these malicious programs occupied 15 places in the rating.

Throughout the second quarter, against a background of a reduced number of attacks, we observed a steady growth in attempts to attack users with the Trojan Trojan-SMS.AndroidOS.Stealer.a. This malware took first place in the rating with over 25% of all attacks. The wrongdoers were especially active in April, when attempts at Stealer infection were almost twice as frequent as in May or March. And in June the attempts at infection with this Trojan were 7 times more frequent than those of its nearest competitor.

The goegraphy of threats


Map of mobile malware infection attempts
(percentage of all attacks on unique users)

There have been some slight changes in the territorial distribution of attacks. And so we see Germany in the second place, while India, which was in the second place in the first quarter, has fallen out of the TOP 10 altogether. Kazakhstan hung on to third place and Ukraine moved from fourth to fifth to make way for Poland, which climbed from tenth into fourth place.

TOP 10 attacked countries:

  Country % of attacks 1 Russia 46.96% 2 Germany 6.08% 3 Kazakhstan 5.41% 4 Poland 5.02% 5 Ukraine 3.72% 6 Malaysia 2.89% 7 Vietnam 2.74% 8 France 2.32% 9 Spain 2.28% 10 Mexico 2.02%

Users install a lot of apps on their mobile devices and it should be noted that in different countries the percentage of malicious apps among the apps installed by users varies.

TOP 10 countries by risk of infection

  Country* % of malicious apps 1 Vietnam 2.31% 2 Greece 1.89% 3 Poland 1.89% 4 Kazakhstan 1.73% 5 Uzbekistan 1.51% 6 Armenia 1.24% 7 Serbia 1.15% 8 Morocco 1.09% 9 Czech Republic 1.03% 10 Romania 1.02%

*We have excluded countries where there were less than 100,000 downloads

Although Russia takes first place in terms of recorded attacks it is not the country with the greatest chance of infection with mobile malware. In this respect Vietnam is in the lead; there 2.31% of all apps that users attempted to install were malicious.

Below for comparison we show the risk levels of infection for another 15 countries from various regions of the world:

Country % of malicious apps China 0.94% France 0.85% Russia 0.74% Mexico 0.58% Spain 0.55% India 0.41% Germany 0.19% UK 0.18% Argentina 0.13% Brazil 0.12% Italy 0.11% USA 0.09% Peru 0.07% Hong Kong 0.06% Japan 0.02%

In France 0.85% of apps that users were interested in turned out to be malicious, in Russia 0.74%, in Germany 0.19%, in the UK 0.18%, in the USA 0.09% and in Japan only 0.02%.

Statistics

All statistics used in this report were obtained using a distributed antivirus network Kaspersky Security Network (KSN) as a result of the work performed by various anti-malware protection components. The information was collected from KSN users who agreed to transfer the data. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in the global exchange of information related to malicious activity.

Online threats in the banking sector Key events in Q2

One of the biggest events in Q2 was the appearance of the OpenSSL vulnerability capable of providing unauthorized access to users' secret keys, names and passwords as well as content that is transferred in an encrypted form.

The Heartbleed vulnerability is exploited in the OpenSSL cryptographic library used in various software products including banking software. It took several hours for an official patch to emerge, and then there was a long installation procedure, leading to leakage of customer payment data and other valuable information in various spheres of business. Following the spread of this information and those subsequent leaks, we can expect a spike in the number of fraudulent transactions. This is yet another wake-up call, highlighting the need for financial organizations and their customers to stay on top of security for all e-payment data.

The second quarter of 2014 saw the appearance of a new banking Trojan, Pandemiya, which uses commonly seen malware methods like a web-inject attack to steal payment information.

Q2 also saw an international law enforcement operation to seize control over the Gameover ZeuS botnet. The FBI put the developer of the banking Trojan ZeuS on its international wanted list.

Not surprisingly the 2014 World Cup in Brazil attracted the attention of fraudsters. According to this quarter's results, Brazilian users were attacked by banking malware more frequently than in other countries. Malicious content was detected, for instance, that spread in the guise of adverts and exploited the excitement surrounding this summer's main sporting event.

The number of computers attacked by financial malware

During the reporting period, Kaspersky Lab solutions blocked 927,568 attacks on user computers attempting to launch malware capable of stealing money from online banking accounts. This figure represents a 36.6% increase compared to April.


The number of computers attacked by financial malware, Q2 2014

A total of 3,455,530 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q2 2014.

The geography of attacks


The geography of banking malware attacks in Q2 2014
(by number of attacked users in the country)

The Top 20 countries by the number of attacked users:

  Country Number of users 1 Brazil 159,597 2 Russia 50,003 3 Italy 43,938 4 Germany 36,102 5 USA 34,539 6 India 27,447 7 UK 25,039 8 Austria 16,307 9 Vietnam 14,589 10 Algeria 9,337

Brazil traditionally tops the rating of the countries where users are attacked by banking malware most often.

Brazil is often at the top of this list because financial malware has always been widely used by criminals here. In Q2 2014, the FIFA World Cup generated even more opportunities for attacks: thousands of fans visited the country and used online banking systems while they were there. Kaspersky Lab experts have examined the security of Wi-Fi networks and made a list of recommendations for those who do not want to risk compromising their payment information in Brazil.

The Top 10 banking malware families

The table below shows the programs most commonly used in Q2 2014 to attack online banking users, based on the number of reported infection attempts:

  Verdict* Number of users Number of notifications 1 Trojan-Spy.Win32.Zbot 559,988 2,353,816 2 Trojan-Banker.Win32.Lohmys 121,675 378,687 3 Trojan-Banker.Win32.ChePro 97,399 247,467 4 Trojan-Spy.Win32.Spyeyes 35,758 99,303 5 Trojan-Banker.Win32.Agent 31,234 64,496 6 Trojan-Banker.Win32.Banbra 21,604 60,380 7 Trojan-Banker.Win32.Banker 22,497 53,829 8 Trojan-Banker.Win32.Shiotob 13,786 49,274 9 Backdoor.Win32.Clampi 11,763 27,389 10 Backdoor.Win32.Shiz 6,485 17,268

Zeus (Trojan-Spy.Win32.Zbot) remained the most widespread banking Trojan. According to Kaspersky Lab's research, the program was involved in 53% of malware attacks affecting online banking clients.

Nine out of 10 malware families represented in the table work by injecting a random HTML code in the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms. As well as web injections, four of the 10 entries also make use of keylogging technology, which suggests this method of stealing information is still effective when carrying out attacks on online banking customers.

Financial threats are not restricted to banking malware that attacks the customers of online banking.


Distribution of attacks targeting user money by malware type, Q2 2014

As well as banking Trojans that modify HTML pages in the browser, there are other methods of stealing e-money, such as Bitcoin wallet theft. Fraudsters are also happy to use computing resources to generate crypto currency: Bitcoin miners account for 14% of all financial attacks. Criminals also use keyloggers to collect user credentials for online banking and payment systems in another bid to access bank accounts.

Vulnerable applications used by fraudsters

The rating of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by hackers in both Internet attacks and when compromising local applications, including those installed on mobile devices.


The distribution of exploits used by fraudsters, by type of application attacked, Q2 2014

Of all registered attempts to use vulnerabilities, 53% involved vulnerabilities in browsers. Almost every exploit pack includes an exploit for Internet Explorer.

Java exploits are in second place. Java vulnerabilities are used in drive-by attacks via the Internet and new Java exploits are part of many exploit packs. In 2013, 90.5% all of registered attempts to use vulnerabilities exploited vulnerabilities in Oracle Java. At the beginning of 2014 the popularity of Java exploits began to decrease. In Q1 of this year, 54% of attempts to use vulnerabilities targeted Java; in the second quarter the figure was just 29%. This decline in popularity may reflect the fact that no new Java vulnerabilities have been made public for almost a year.

Next come Adobe Reader exploits. These vulnerabilities are also exploited in drive-by attacks via the Internet and PDF exploits are part of many exploit packs.


The distribution of Windows OS installed on user computers by version, Q2 2014

65.35% of KSN participants use various versions of Windows 7 and 12.5% use Windows XP.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users when malicious code attempts to download from a malicious/infected website. Malicious websites are deliberately created by malicious users; infected sites include those with user-contributed content (such as forums) as well as legitimate resources that have been hacked.

The Top 20 malicious objects detected online

In the second quarter of 2014, Kaspersky Lab's web antivirus detected 57,133,492 unique malicious objects: scripts, web pages, exploits, executable files, etc.

We identified the 20 most active malicious programs involved in online attacks launched against user computers. These 20 accounted for 97% of all attacks on the Internet.

The Top 20 malicious objects detected online

  Name* % of all attacks** 1 Malicious URL 72.94% 2 Trojan.Script.Generic 11.86% 3 Trojan-Downloader.Script.Generic 5.71% 4 Trojan.Script.Iframer 2.08% 5 Adware.Win32.Amonetize.heur 1.00% 6 AdWare.Script.Generic 0.88% 7 AdWare.Win32.Agent.aiyc 0.76% 8 AdWare.Win32.Yotoon.heur 0.25% 9 Trojan.Win32.AntiFW.b 0.23% 10 AdWare.Win32.Agent.allm 0.19% 11 AdWare.Win32.AirAdInstaller.aldw 0.17% 12 Trojan.Win32.Generic 0.15% 13 Trojan-Downloader.Win32.Generic 0.14% 14 Trojan.Win32.Vague.cg 0.11% 15 Trojan.Win32.Invader 0.11% 16 AdWare.Win32.BetterSurf.b 0.10% 17 AdWare.Win32.Lollipop.qp 0.08% 18 Exploit.Script.Blocker 0.08% 19 AdWare.Win32.Lollipop.agzn 0.08% 20 Trojan.JS.Small.aq 0.07%

* These statistics represent detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local data.
** The percentage of all web attacks recorded on the computers of unique users.

As is often the case, the Top 20 mostly comprises verdicts assigned to objects used in drive-by attacks and to adware programs. The number of positions occupied by adware verdicts rose from nine to 11 in the second quarter of 2014.

The Trojan.JS.Small.aq verdict is in twentieth place. This is assigned to a script that a malicious browser extension inserts in web pages of specific sites in order to display intrusive advertising.

Top 10 countries where online resources are seeded with malware

The following stats are based on the physical location of the online resources that were used in attacks and blocked by antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host might become a source of one or more web attacks.

In order to determine the geographical source of web-based attacks, a method was used by which domain names are matched up against actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q2 2014, Kaspersky Lab solutions blocked 354,453,992 attacks launched from web resources located in various countries around the world. 88.3% of the online resources used to spread malicious programs are located in 10 countries. This is 4.9 percentage points more than in the previous quarter.


The distribution of online resources seeded with malicious programs in Q2 2014

The Top 10 rating of countries where online resources are seeded with malware remained largely unchanged from the previous quarter although there was some movement within that group. Germany rose from fourth to first place: its share increased by almost 12 percentage points. Russia dropped from second to fourth following a decline in its share of 2.5 percentage points. Canada climbed from tenth to fifth after its contribution grew by 6.29 percentage points.

Countries where users face the greatest risk of online infection

In order to assess in which countries users face cyber threats most often, we calculated how often Kaspersky users encountered detection verdicts on their machines in each country. The resulting data characterizes the risk of infection that computers are exposed to in different countries across the globe, providing an indicator of the aggressiveness of the environment in which computers work in different countries.

  Country* % of unique users ** 1 Russia 46.53% 2 Kazakhstan 45.35% 3 Armenia 42.26% 4 Ukraine 41.11% 5 Azerbaijan 40.94% 6 Vietnam 39.59% 7 Belorussia 37.71% 8 Moldova 36.65% 9 Mongolia 33.86% 10 Kyrgyzstan 33.71% 11 Algeria 32.62% 12 Tajikistan 32.44% 13 Georgia 31.38% 14 Croatia 29.46% 15 Turkey 29.31% 16 Uzbekistan 29.20% 17 Qatar 28.76% 18 Tunisia 28.67% 19 Iran 28.35% 20 Spain 28.05%

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
*We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In Q2 2014, Vietnam was replaced at the top of the rating by Russia. Tunisia (18th place) and Iran (19th place) were newcomers to the rating. Lithuania and Greece dropped out of the Top 20.

The countries with the safest online surfing environments are Singapore (10.4%), Sweden (12.8%), Japan (13.3%), Finland (16.3%), South Africa (16.9%), Ecuador (17.1%), Norway (17.5%), the Netherlands (17.5%), Hong Kong (17.7%) and Argentina (17.9%).

On average, 29.5% of computers connected to the Internet were subjected to at least one web attack during the past three months.

Local threats

Local infection statistics for user computers are a very important indicator. This data points to threats that have penetrated a computer system through something other than the Internet, email, or network ports.

This section contains an analysis of the statistical data obtained based on the operation of the antivirus which scans files on the hard drive at the moment they are created or accessed, and the results of scanning various removable data storages.

In Q2 2014, Kaspersky Lab's antivirus solutions successfully blocked 528,799,591 malware attacks on user computers. In these incidents, a total of 114,984,065 unique malicious and potentially unwanted objects were detected.

The Top 20 malicious objects detected on user computers   Name* % of unique attacked users ** 1 DangerousObject.Multi.Generic 17.69% 2 Trojan.Win32.Generic 15.59% 3 AdWare.Win32.Agent.ahbx 14.81% 4 Adware.Win32.Amonetize.heur 13.31% 5 Trojan.Win32.AutoRun.gen 6.13% 6 Worm.VBS.Dinihou.r 5.95% 7 Virus.Win32.Sality.gen 4.94% 8 AdWare.Win32.BetterSurf.b 4.29% 9 AdWare.Win32.Yotoon.heur 4.01% 10 AdWare.Win32.Agent.aknu 3.64% 11 AdWare.Win32.Agent.aljb 3.57% 12 Worm.Win32.Debris.a 3.29% 13 AdWare.Win32.Skyli.a 2.90% 14 Trojan.Win32.Starter.lgb 2.74% 15 AdWare.Win32.Agent.heur 2.64% 16 AdWare.Win32.Agent.aljt 2.30% 17 Trojan.Win32.AntiFW.b 2.27% 18 AdWare.JS.MultiPlug.c 2.21% 19 Worm.Script.Generic 1.99% 20 Virus.Win32.Nimnul.a 1.89%

* These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products that have consented to submit their statistical data.
** The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a malicious program was detected.

This ranking usually includes verdicts given to adware programs, worms spreading on removable media, and viruses.

The proportion of viruses in this Top 20 continues to decline slowly, but steadily. In Q2 2014, viruses were represented by the verdicts Virus.Win32.Sality.gen and Virus.Win32.Nimnul.a, with a total share of 6.83%. In Q1 2014, that figure was 8%.

Countries where users face the highest risk of local infection   Country % unique users* 1 Vietnam 58.42% 2 Mongolia 55.02% 3 Algeria 52.05% 4 Yemen 51.65% 5 Bangladesh 51.12% 6 Pakistan 50.69% 7 Nepal 50.36% 8 Afghanistan 50.06% 9 Iraq 49.92% 10 Egypt 49.59% 11 Tunisia 46.75% 12 Syria 46.29% 13 Saudi Arabia 46.01% 14 Ethiopia 45.94% 15 Iran 45.40% 16 Laos 45.20% 17 Turkey 44.98% 18 India 44.73% 19 Cambodia 44.53% 20 Djibouti 44.52%

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data includes detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* When calculating, we excluded countries where there are fewer than 10,000 Kaspersky Lab users.
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

The Top 20 in this category continues to be dominated by countries in Africa, the Middle East, and South East Asia. Vietnam ranks first, as was the case in Q1 2014, while Mongolia remains in second. Nepal fell to seventh place. Saudi Arabia, Ethiopia, and Turkey are new entries in this ranking. Morocco, Myanmar and Sudan dropped out of the top 20.

The safest countries in terms of local infection risks are: Japan (11%), Sweden (13.8%), Denmark (15.3%), Finland (16.4%), Singapore (16.8%), the Netherlands (17.1%), the Czech Republic (18.3%), Norway (19.1%) and Hong Kong (19.2%).

An average of 32.8% of computers were subjected to at least one local threat during the past year.

Spammy Facebook friends from the neighborhood

Thu, 07/31/2014 - 11:18

Recently I stumbled upon some spam-ads on Facebook, which didn't look very unusual at first glance.

It's common for spammers to rely on social engineering techniques. They typically creating fake profiles, joining random open (or closed) groups and share links to shady e-commerce sites or survey-scams - always with catchy claims to lure the readers to click on the advertised link.

In this particular case, things are a bit different. The spammers created fake profiles featuring a nice profile photo of a young woman. But when you take a closer look at the About-page of "her" profile, you'll notice she's residing in the beautiful village of Ernersdorf in Bavaria (which is actually not far away from the Kaspersky Lab local office). I was somewhat surprised by this, because Addison is a very unusual name for a person living in such a small Bavarian village. And, according to her profile, she's actually male and was born in September 1978. So I took a closer look.

Spammers Facebook Profile About-Page

It seems the spammers strategically chose this Bavarian Village and began to send out friend-requests to several people from that region. And since I grew up in this region, some of my friends on Facebook were successfully lured into accepting the fake friend requests.

Then nothing happened for several months. A few days ago, these spammers, now equipped which a level of credibility, started posting photos advertising an online-shop for sunglasses from a big brand - most likely fake versions. And finally, to improve spreading of the picture-ads, the spammers tagged their new "friends" from nearby.

Picture Spam on Facebook

To prevent other people from using your profile for spamming all of your friends with that "technique", you can adjust your Facebook settings for "Timeline and Tagging" like I did.

Facebook Timeline and Tagging Settings

Also, please keep in mind that you don't necessarily have to fall into this "nearby friends" trap to get you and your friends spammed like that. If spammers steals your real friends' account-credentials somehow, it also could happen like in this case.

Energetic Bear: more like a Crouching Yeti

Thu, 07/31/2014 - 07:00

Report   
Appendix   

Energetic Bear/Crouching Yeti is an actor involved in several advanced persistent threat (APT) campaigns that has been active going back to at least the end of 2010. Targeted sectors include:

  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information technology

Most of the victims we identified fall into the industrial / machinery building sector, indicating this is of special interest.

To infect the victims, the attackers rely on three methods:

  • Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
  • Trojanized software installers
  • Waterhole attacks using a variety of re-used exploits

During the attacks, the Crouching Yeti team uses several types of malware or Trojan, all of which only infect Windows systems:

  • Havex Trojan
  • Sysmain Trojan
  • The ClientX backdoor
  • Karagany backdoor and related stealers
  • Lateral movement and second stage tools

For command and control, these connect to a large network of hacked websites. The hacked sites host malware modules and victim information as well as serving commands to infected systems.

The dozens of known Yeti exploit sites and their referrer sites were legitimate, compromised sites. They ran vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise the servers were known to be zero-day. None of the client side exploits re-used from the open source metasploit framework were zero-day.

Overall, we observed about 2,800 victims worldwide, the most prevalent attack tool being the Havex trojan.

We believe this group is highly determined and focused on a very specific industrial sector of vital interest. It uses a variety of ways to infect its victims and exfiltrate strategic information. The analyzed data seems to suggest the following points:

  • Country of origin cannot be determined at this point
  • Attackers' global focus is much broader than power producers
  • Stable toolset over time
  • Managed, minimal, methodical approach to sustained operation
  • Appropriate use of encryption (symmetric key protected with attackers public key for encrypted log file exfiltration)

You can read the full report here.

FAQ What is Yeti/Energetic Bear?

Energetic Bear/Yeti is an actor involved in different campaigns dating back to at least the end of 2010. It uses different techniques to spread its malware, most notably the repackaging of legitimate software installers and waterhole attacks. The victims, from several different sectors, are infected with backdoors.

What are the malicious purposes of this campaign?

We believe this is an information stealing campaign. Given the heterogeneous profile of the victims it seems than the attackers were interested in different topics and decided to target some of the most prominent institutions and companies in the world to get latest information.

Why do you think it is significant?

In our opinion, this campaign has some of remarkable characteristics: the artifacts used for the infection and exfiltration are not particularly interesting, but they are effective; they are very persistent, successfully infecting a significant number of companies and institutions around the world for a long period of time; they have a set of tools of choice that help us identify the group through their TTPs. In this last characteristic, it is interesting that they use the LightsOut Exploit Kit to infect users through waterhole attacks.

Why not Energetic Bear? Why did you give it a new name?

Energetic Bear was the initial name given to this campaign by Crowd Strike according to their nomenclature. After analyzing the data we obtained we can confirm that victims are not limited to the energy sector but to many other ones. The Bear tag reflects Crowd Strike's belief that this campaign has a Russian origin. We couldn´t confirm this point, so we decided to give it a new name. Yetis have something in common with Bears, but have a mysterious origin

When did the campaign start? Is this attack still active?

Based in some artifacts, we believe the campaign originated at the end of 2010. The campaign is still alive and getting new daily victims.

How was the malware distributed?

The malware is distributed using three methods:

  • Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
  • Trojanized software installers
  • Waterhole attacks using a variety of re-used exploits

Additional modules can be installed by the attackers once a machine has been compromised.

The most prevalent attack tool is the Havex Trojan; we identified 27 different versions.

What is the potential impact for victims?

Given the nature of the known victims, the disclosure of very sensitive information such as commercial secrets and know-how are the main impact for the victims.

Who are the attackers? What countries are they from?

There simply is no one piece or set of data that would lead to a conclusion regarding the origin of this threat actor.

Who are the victims? What is the scale of the attack?

Overall, we observed about 2,800 victims worldwide.
Most of the victims we identified fall into the industrial / machinery building sector.

Targeted sectors include:

  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information technology

The most targeted countries are: United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China.

How are users (both home and corporate) protected against this type of attack?

Our products detect and eliminate all variants of the malware used in this campaign including but
not limited to:

  • Trojan.Win32.Sysmain.xxx
  • Trojan.Win32.Havex.xxx
  • Trojan.Win32.ddex.xxx
  • Backdoor.MSIL.ClientX.xxx
  • Trojan.Win32.Karagany.xxx
  • Trojan-Spy.Win32.HavexOPC.xxx
  • Trojan-Spy.Win32.HavexNk2.xxx
  • Trojan-Dropper.Win32.HavexDrop.xxx
  • Trojan-Spy.Win32.HavexNetscan.xxx
  • Trojan-Spy.Win32.HavexSysinfo.xxx

All the exploits are also detected and detailed in the report.

Behind the 'Android.OS.Koler' distribution network

Mon, 07/28/2014 - 04:00

Our full Koler report (PDF) 

At the beginning of May 2014 a security researcher named Kaffeine made the first public mention of Android.OS.Koler.a, a ransomware program that blocks the screen of an infected device and requests a ransom of between $100 and $300 in order to unlock the device. It doesn't encrypt any files or perform any kind of advanced blocking of the target device other than blocking the screen.

The malware displays a localized message from the police!

It has customized messages for the following countries:

Australia
Austria
Belgium
Bolivia
Canada
Czech Republic
Denmark
Ecuador
Finland
France Germany
Hungary
Ireland
Italy
Latvia
Mexico
Netherlands
New Zealand
Norway
Poland Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Switzerland
Turkey
United Kingdom
United States

As of July 23, the mobile part of the campaign has been disrupted and the Command and Control server has started sending an "Uninstall" request to victims.

In this post, instead of focusing on the mobile application itself – we highlight some details at the end – we want to shed light on its distribution infrastructure.  An entire network of malicious porn sites linked to a traffic direction system that redirects the victim to different payloads targeting not only mobile devices but any other visitor. That includes redirections to browser-based ransomware and what we think is an "Angler" exploit kit distribution network.

The diagram below illustrates the bigger picture of the infrastructure used.

The main findings can be summarized as follows:

  • Distribution:      TDS (Traffic Distribution System)
  • Main controller:      video-sartex.us (TDS Controller)
  • Malicious porn sites (redirector):      49 domains detected
  • Exploit kit websites:      700+ URLs (200+ domains)
  • Browser-based screen-lock domains:      49 domains detected
  • Mobile infection domain:      video-porno-gratuit.eu
  • Mobile Current C2:      policemobile.biz.
  • Traffic: almost 200,000 visitors to the mobile infection domain
  • 80% of visitors from the US

The use of a pornographic network for this "police" ransomware is no coincidence: the victims are more likely to feel guilty about browsing such content and pay the alleged fine from the authorities. This psychological factor can be the difference between a failed campaign and a successful one.

With regards to the malicious mobile application, we have found different APKs with the same behavior. Some of them (not yet distributed through this malicious network) have interesting names such as PronHub.com.Apk, whatsapp.apk or updateflash.apk.

This suggests the attackers could expand their campaign in the near future.

Mobile payload distribution

The mobile infection is triggered when the user visits specific pornographic sites from an Android device. Those sites are part of the distribution network created for this campaign and will redirect the victims to a landing page that contains an APK file called animalporn.apk.

All the porn sites in the campaign redirect their traffic to the same server: hxxp://video-porno-gratuit.eu. This domain hosts the malicious APK.

When visited, the website automatically redirects the user to the malicious application. The user still has to confirm the download and installation of the application on their device.

We were able to obtain the statistics showing the geographical distribution of visitors to this malicious site:

According to the same stats, we see that the campaign started and reached peak activity in April 2014.

Redirectors:  The malicious porn network

The pornographic sites of the network are not compromised sites. They all look the same, have the same HTML infrastructure and don´t provide their own pornographic material.

We identified a total of 48 domains in this porn redirecting network.

Almost all the websites used in this infrastructure were created using the same template – in many cases using templates from the legitimate site Tubewizardpro and Webloader for the external resources.

All the content (mainly videos and pictures) on these porn sites is loaded from external sources using Webloader.

Basically, all the porn sites redirect to the "controller" domain videosartex.us.

Videosartex.us then performs a redirect based on the parameter in the URL, the referrer, the user agent and the geographical location of the visitor's IP.

If the IP belongs to any of the 30 affected countries and the user-agent belongs to an Android device, the visitor is redirected to the APK at video-porno-gratuit.eu.

In other cases, the user is either redirected to a porn site on the network, to a screen-locker or to an exploit kit. The attackers use Keitaro TDS (Traffic Distribution System) to redirect users.

Non-mobile payloads

During our analysis we noticed that some domains showed ransomware-themed pop-ups to non-mobile victims. These additional servers are used when the controller (videosartex) detects the following two conditions:

  • The request contains no Internet Explorer user agent.
  • The request is from one of the 30 affected countries, but it doesn't contain an Android user agent.

In this case, the victim is redirected to any of the browser ransomware websites, while a blocking screen identical to the one used for mobiles is displayed on the victim's computer. There is no infection in this case, just a pop-up showing a blocking template.

The following images are examples of the headers used in the ransomware pop-ups:



Exploit kits

The redirection infrastructure used in this campaign contained one final surprise; redirecting visitors using Internet Explorer to sites hosting the Angler exploit kit, which has exploits for Silverlight, Adobe Flash and Java.

The following is an example of such a redirection:

We detected more than 200 domains used for hosting this exploit kit.

During our analysis, the exploit code was not fully functional and it didn´t deliver any payload.

Conclusions

Ransomware for mobile devices appeared on almost every prediction list for 2014. We are not dealing with the most advanced families here such as cryptolocker for Windows. The ransomware is fairly basic, but sufficient to annoy the victim.

Of most interest is the distribution network used in the campaign. Dozens of automatically generated websites redirect traffic to a central hub where users are redirected again. Depending on a number of conditions, this second redirection could be to a malicious Android application, to browser-based ransomware or to a website with the Angler Exploit Kit.

We believe this infrastructure demonstrates just how well organized and dangerous these campaigns are that are currently targeting, but not limited to, Android users. The attackers can quickly create similar infrastructure thanks to full automation, changing the payload or targeting different users. The attackers have also thought up a number of ways for monetizing their campaign income in a truly multi-device scheme.

elasticsearch Vuln Abuse on Amazon Cloud and More for DDoS and Profit

Fri, 07/25/2014 - 19:07

A couple weeks ago, my colleague Mikhail K posted on the "versatile linux DDoS trojan", with analysis of several bots, including a bot implementing some extraordinary DNS amplification DDoS functionality. Operators of these bots are currently active, and we observe new variants of the trojan building bigger botnets.

Let's explore some additional offensive details of this crew's activity in the past week. In general, the DDoS trojans are being distributed to fire on victim profiles that seem to indicate purely cybercrime activity. We have not heard from the site owners themselves of the DDoS targets, just the compromised sites. These victims have been running Amazon EC2 instances, but of course, this platform is not the only one being attacked and mis-used. It's also interesting that operators of this botnet apparently have no problem working with CN sites, as demonstrated by their use of the site hosting their tools since late 2013. Seven of their eight tools hosted here were uploaded in the past couple of weeks, coinciding with their updated attack activity. Their repository includes a couple recent Linux escalation of privilege exploit source code, likely compiled on the compromised hosts only when higher privileges are necessary, along with compiled offensive sql tools, multiple webshell and two new variants of the "versatile bots", the udp-only "xudp" code being the newer of the two:

But first, how are they getting in to EC2 instances and running their linux DDoS bots from the cloud? They are actively exploiting a known, recent elasticsearch vulnerability in all versions 1.1.x (cve-2014-3120), which happens to still be in active commercial deployment for some organizations. If you are still running 1.1.x, upgrade to the latest 1.2 or 1.3 release, which was released a couple of days ago. Dynamic scripting is disabled by default, and other features added to help ease the migration. From a couple of incidents on Amazon EC2 customers whose instances were compromised by these attackers, we were able to capture very early stages of the attacks. The attackers re-purpose known cve-2014-3120 proof-of-concept exploit code to deliver a perl webshell that Kaspersky products detect as Backdoor.Perl.RShell.c. Linux admins can scan for these malicious components with our server product.

Gaining this foothold presents the attacker with bash shell access on the server. The script "pack.pl" is fetched with wget and saved from the web host above to /tmp/zerl and run from there, providing the bash shell access to the attacker. Events in your index logs may suggest your server has fallen to this attack:

Hosted on the same remote server and fetched via the perl webshell are the DDoS bots maintaining new encrypted c2 strings, detected as Backdoor.Linux.Mayday.g. One of the variants includes the DNS amplification functionality described in Mikhail's previous post. But the one in use on compromised EC2 instances oddly enough were flooding sites with UDP traffic only. The flow is strong enough that the DDoS'd victims were forced to move from their normal hosting operations ip addresses to those of an anti-DDoS solution. The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers. The situation is probably similar at other cloud providers. The list of the DDoS victims include a large regional US bank and a large electronics maker and service provider in Japan, indicating the perpetrators are likely your standard financially driven cybercrime ilk.

A new generation of ransomware

Thu, 07/24/2014 - 08:55

Ransomware is now one of the fastest growing classes of malicious software. In the last few years it has evolved from simple screen blockers demanding payments to something far more dangerous.

The Ransomware class is now based on so-called encryptors – Trojans that encrypt every kind of data that may be of value to the user without his or her knowledge. The data can include personal photos, archives, documents, databases (e.g., databases used in 1C:Enterprise software intended for automation of business activities), diagrams, etc. In order to decrypt these files the criminals demand a payment – often a significant sum. CryptoLocker, CryptoDefence (and its successor CryptoWall), ACCDFISA, and GpCode are some of the most notorious examples. There are also lots of lesser-known families that have spread in Russia and the CIS.

At the end of June 2014 Kaspersky Lab detected a new encryptor. Analysis showed that the Trojan had nothing in common with other known families and a number of features that suggested it was a completely new creation. Its name? CTB-Locker.

This new family is detected by Kaspersky Lab as Trojan-Ransom.Win32.Onion.

This encryption malware belongs to a new generation of ransomware. Its developers used both proven techniques 'tested' on its predecessors (such as demanding that ransom be paid in Bitcoin) and solutions that are completely new for this class of malware. Specifically, hiding the command and control servers in Tor anonymity network complicates the search for the cybercriminals, and the use of an unorthodox cryptographic scheme makes file decryption impossible, even if traffic is intercepted between the Trojan and the server. All this makes Trojan-Ransom.Win32.Onion a highly dangerous threat and one of the most technologically advanced encryptors out there.

Description

The high-level algorithm used by the malicious encryptor is quite ordinary and is as follows:

  • after launching, the malware copies its body to (CSIDL_COMMON_APPDATA) and adds the task to launch the file to the Task Scheduler;
  • search all the fixed, removable and network drives for files matching a list of extensions (see Figure 1);


Figure 1. Data fragment with a list of file extensions used by the encryptor

  • encrypt the files found;
  • display a window demanding ransom and containing a list of files that have been encrypted. The cybercriminals demand that the user pay ransom in Bitcoins (Figures 2, 3);
  • set an image named AllFilesAreLocked.bmp as desktop wallpaper. The wallpaper informs the user that data on the computer has been encrypted (Figure 4).


Figure 2. Window informing the victim that files on the computer have been encrypted


Figure 3. The cybercriminals' demands


Figure 4. Image set as desktop wallpaper

So what sets this Trojan apart from dozens of similar malicious programs?

The command server is located within the Tor anonymity network

The sample analyzed has a single static command server address, which belongs to the .onion domain zone.

It is worth noting that this in itself is not 'innovative'. We have seen similar arrangements in other malware types (discussed, for example, here and here).

However, this is a new development for ransomware. Although some of the ransom Trojans from families detected earlier demanded that the victim visit a certain site on the Tor network, the malware discussed here supports full interaction with Tor without the victim's input, setting it apart from the others.

This brings us to another feature, which is unique among known malware.

Unusual technical implementation of access to the Tor network

All the previously detected malware, if it communicated to the Tor network at all, did this in an unsophisticated manner: it launched (sometimes by injecting code into other processes) the legitimate file tor.exe, which is available for download on the network's official website.

Trojan-Ransom.Win32.Onion does not use the existing file tor.exe. Instead, all the code needed to implement interaction with the anonymity network is statically linked to the malicious program's executable file (i.e., is implemented as part of the malicious code) and is launched in a separate thread.


Figure 5. Pseudocode showing how launching the tor proxy thread is implemented

The code contained inside the thread_tor_proxy procedure is nearly all taken from open sources (Tor is an open-source project).

When connection to Tor has been established and a local tor proxy server has been set up at IP 127.0.0.1 (the port number varies from one infected machine to another and depends on the MachineGuid parameter), the global flag can_complete_circuit is set, which is later checked in the thread thread_post_unlock_data.

As soon as this happens, the malware establishes network communication with this local address, as shown in Figure 6.


Figure 6. Pseudocode showing how network communication with the tor proxy is implemented

A request sent by the malware to the server contains protected data required to decrypt the victim's files.


Figure 7. Data sent to the command server

In response, the server returns data about the cost of unblocking the user's files in bitcoins and US dollars, as well as the address of the wallet to which the payment is to be made.


Figure 8. Data returned by the command server

Compressing files before encryption

None of the encryptors known before used compression technologies (with the exception of ACCDFISA, which simply adds files to a password-protected rar-sfx archive; however, in this case encryption and compression is not functionality implemented in a malicious program but simply utilization of a ready-made product – WinRAR).

In this aspect of its operation, Trojan-Ransom.Win32.Onion also shows considerable originality. Here is what it does:

  • moves the victim's file to a temporary file using the MoveFileEx API function;
  • reads temporary file from disk block-by-block;
  • each block is compressed using Zlib, a freely distributed library (procedure deflate());
  • after compression, each block is encrypted and written to disk;
  • service information required for decryption is placed at the beginning of the resulting file;
  • the encrypted file is given the .ctbl extension.
Unusual cryptographic scheme

Cryptomalware most commonly uses a cryptographic scheme based on the AES+RSA combination. In this scheme, the server generates a pair of keys – rsa-public + rsa-private – for RSA, which is an asymmetric encryption algorithm. The private key, rsa-private, remains on the server, while rsa-public is sent to the malware. Next, the malware generates a new key – aes-key – for each of the victim's files, to be used by AES, a symmetric-key block algorithm. Each file is encrypted using AES, then its aes-key is encrypted using RSA (using the rsa-public key) and saved to the file.

Since the scheme uses asymmetric encryption, nobody can decrypt the file without having the rsa-private key, which never left the cybercriminals' server.

However, Trojan-Ransom.Win32.Onion has used an unusual approach yet again!

The sample uses the asymmetric cryptographic protocol known as ECDH – Elliptic curve Diffie–Hellman.

Elliptic curve Diffie-Hellman

The original Diffie-Hellman algorithm (the so-called key exchange method or shared-secret protocol) was developed some time ago and published in 1976 by famed cryptographers Whitfield Diffie and Martin Hellman. A modification of the algorithm which uses elliptic curves was published later in 2000, in a Certicom Research article, Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography.

A detailed description of the protocol is beyond the scope of this publication, so we are going to drop the details and describe the main principles that will be helpful in understanding how the malware operates.

  • A pair of keys – private and public can be generated.
  • The so-called shared secret can be generated from your private key and the other party's public key.
  • If the two parties have exchanged public keys (the private keys are not exchanged!) and each has independently calculated the shared secret from the other party's public key and its own private key, both parties will get the same value.
  • The resulting shared secret can be used as a key for any symmetric encryption algorithm.

The authors of Trojan-Ransom.Win32.Onion used an existing implementation of this cryptographic algorithm, a description of which is available on the Internet.

The high-level cryptographic scheme used by Trojan-Ransom.Win32.Onion is as follows.

Key generation:

  • the malware generates the pair master-public (public key) + master-private (private key);
  • master-private is sent to the server securely along with other data. It is not saved on the client (fact I);
  • for each file to be encrypted, a new key pair is generated – session-public + session-private;
  • the shared secret is calculated: session-shared = ECDH(master-public, session-private).

Encrypting a file belonging to the victim

  • the file is compressed using the Zlib library;
  • after being compressed with Zlib, each file is encrypted using AES, with the hash SHA256 (session-shared) used as the key;
  • after encryption, the session-public key is saved in the file (fact II), while session-private is not saved (fact III);
  • the shared secret calculated – session-shared – is not saved, either (fact IV).

Decrypting a file belonging to the victim

The Diffie-Hellman protocol is designed in such a way that the following equality is true:

ECDH(master-public, session-private) = session-shared = ECDH(master-private, session-public) (fact V)

The above equality defines the underlying principle on which the operation of Trojan-Ransom.Win32.Onion is based.

Provided that the Trojan has not saved session-private (see. fact III) and session-shared (see. fact IV), only one decryption method remains – calculating ECDH(master-private, session-public). This requires the master-private key (sent to the cybercriminals' server, see fact I) and session-public key (saved in the beginning of the encrypted file, see fact II). There are no other ways to decrypt the file, which means that the file cannot be decrypted without the master-private key.

Securing connection with the command server

The key sent to the server might be intercepted, but unfortunately, this would not be sufficient to decrypt the victim's files. This is because the malware writers have used the same asymmetric protocol, ECDH, to protect their traffic, albeit with a separate, dedicated set of keys.

  • the malicious program's body contains the public key, network-server-public;
  • when establishing a connection, the malware generates a new pair of keys: network-client-public + network-client-private;
  • the malware calculates the shared secret network-shared = ECDH(network-client-private, network-server-public);
  • the malware encrypts the data being sent using AES with SHA256(network-shared) used as the key;
  • the public key network-client-public is sent to the server in an unprotected form (fact VI);
  • the client keys, network-client-public + network-client-private, as well as the shared secret network-shared, are not saved (fact VII).

The cybercriminals have the key network-server-private and receive the key network-client-public from the client (see fact VI). As a result, they can decrypt the data received. To do this, they have to calculate network-shared = ECDH(network-client-public, network-server-private).

Without having network-server-private, this value cannot be calculated (see fact VII). As a result, unfortunately, intercepting traffic will not provide master-private, without which the victim's file cannot be decrypted.

Propagation

The creators of the early versions of Trojan-Ransom.Win32.Onion had English-speaking users in view as their primary targets, so English was the only supported GUI language.

In the more recent versions, however, Russian also came to be supported in the Trojan's GUI along with English. The piece of malware also underwent some visual refurbishments, such as a countdown displayed to intimidate the user. The new Russian GUI and, more specifically, certain strings within the Trojans' body give us ground to assume that its creators are Russian speakers.

The analysis of how Trojan-Ransom.Win32.Onion penetrates victim computers has shown that it is different (once again) in this respect from most other encryptors that are active today. For many known ransomware programs, the main propagation vectors are spam messages with malware in an attachment, or brute forcing weak passwords and launching a file via remote administration tools.

The propagation method

We established that the bot Andromeda (detected as Backdoor.Win32.Androm by Kaspersky Lab products) receives a command to download and run another malicious program from the Email-Worm.Win32.Joleee family to the victim computer. The latter is primarily a malicious tool for sending spam emails, but it can also execute a number of commands from the cybercriminals, including the command to download and launch an executable file. It is actually Joleee that downloads the encryptor to the infected computer.

Trojan-Ransom.Win32.Onion's propagation procedure is presented in the following flowchart.


Figure 9. Trojan-Ransom.Win32.Onion's propagation scheme

Global distribution

Below are the infection statistics as of July 20, 2014. Most attempted infections took place in the CIS, while there were individual cases recorded in Germany, Bulgaria, Israel, the United Arab Emirates and Libya.

Trojan-Ransom.Win32.Onion was detected in the following countries:

Country Number of users attacked Russia 24 Ukraine 19 Kazakhstan 7 Belarus 9 Georgia 1 Germany 1 Bulgaria 1 Turkey 1 United Arab Emirates 1 Libya 1

Please note that the above numbers are provided for the verdict "Trojan-Ransom.Win32.Onion" only. The number of users attacked by the encryptor is in fact greater, as malicious packers with different verdicts are used to spread the malware. Unknown samples of the encryptor are also proactively detected by Kaspersky Lab products as "PDM:Trojan.Win32.Generic". This data is not included into the statistics above.

Recommendations for staying safe Backup copies of important files

The best way to ensure the safety of critical data is a consistent backup schedule. Backup should be performed regularly and, moreover, copies need to be created on a storage device that is accessible only during this process (e.g., a removable storage device that disconnects immediately after backup). Failure to follow these recommendations will result in the backed-up files being attacked and encrypted by the ransomware in the same way as the original file versions.

Backup procedures must be in place for any systems containing files of any appreciable importance. Even if no malware threats arise, remember – no one is completely secured against a commonplace hardware failure.

Security solutions

Your security solution should be turned on at all times and all its components should be active. The solution's databases should also be up to date.

Kaspersky Lab products detect this threat based on its signature with the verdict Trojan-Ransom.Win32.Onion.*. Unknown modifications are detected heuristically with the verdict HEUR:Trojan.Win32.Generic, or proactively with the verdict PDM:Trojan.Win32.Generic.

In addition, Kaspersky Lab products incorporate the Cryptomalware Countermeasures technology which is capable of protecting user data even from unknown encryptors for which there are still no signatures or cloud-based data available. This technology is based on the principle of creating protected backup copies of personal files as soon as a suspicious program attempts to access them. The technology will automatically restore the file even if it is encrypted by malware. For this technology to operate, the System Watcher component must be enabled in the Kaspersky Lab product settings.

Haunted by APT

Tue, 07/22/2014 - 00:15

Over the past decade, APT have intensely targeted organizations and individuals across India. Its developing base of technology, its geographical location and bounds, its inclusive and riotous political energy, and its growing economic weight makes it a special place of interest for badly intentioned cyber attackers. The list of APT groups targeting Indian organizations is unfortunately quite long. A few interesting mentions include Gh0stNet, Shadownet, an Enfal actor, Red October, NetTraveler, the LuckyCat actor, the Turla APT, a Mirage actor, and the Naikon crew. There are many more. And, in unique cases, we have seen unusual new techniques, some for infiltrating mobile devices by the Chuli attackers, the Sabpub attackers' focus on Apple's OS X devices, various effective watering holes, and the generally noisy, targeted activity we would expect from most of these actors.

More recently in March, we saw a pickup in offensive activity on Indian organizations invested in environmental, economic and government policy. This crew has been targeting organizations for a few years now with an unusual offensive WMI technique that continues to be effective. The components have been called WMIGhost or Shadow. These attackers, like others currently active, are generally re-using current headline geopolitical event spearphishing themes to establish a foothold in target organizations. For example, in a March 2014 attack, this actor used an upcoming meeting between national energy labs and the Departments of Energy as their spearphishing lure, filename mis-spellings and all, "India US strategic dialouge press release.doc" (000150415302D7898F56D89C610DE4A9).

From there, the dropper and component chain is the same they have used in the past. Successful exploitation drops  "dw20.exe" (803e8f531989abd5c11b424d8890b407)  -->  "gupdate.exe" (481f8320b016d7f57997c8d9f200fe18) and "~tmpinst.js" (6a279a35141e9a7c73a8b25f23470d80). The script instantiates WMI objects for communications complete with their Comment Crew-like encoded wordpress site instructions that redirect the backdoor to the appropriate command and control server for further instruction.

Along with other groups, WMIGhost attackers are actively hitting Indian targets. In another recent WMIGhost campaign this year, a spoofed unclassified military document was sent simultaneously to several Indian targets with the consistent WMIGhost toolchain, "united states air force unmanned aircraft systems flight plan 2009-2047.doc".

We observe more of these current attacks occurring throughout the country on government and military agencies, NGOs, subcontractors and technology developers, with an expanding scope of targets.

Of these groups to date, NetTraveler was the most prolific, and in many ways the most successful at exfiltrating large volumes of information. The NetTraveler crew spent a disproportionate amount of effort and attention on extracting data from Indian organizations overall. NetTraveler is stealing GB of data from victims all over the globe, including the many victims in India. An example of their past spearphish decoys deployed to India is displayed here. The content encompasses Indian political issues, current at the time of delivery:

Meanwhile, other actors are currently working to exfiltrate more data out of India. Multiple levels of Indian organizations are frightfully pounded with spearphish and webserver attacks with no end in sight.

Pages