Malware Alerts

Subscribe to Malware Alerts feed
Online headquarters of Kaspersky Lab security experts.
Updated: 41 min 42 sec ago

IT threat evolution in Q1 2015

Wed, 05/06/2015 - 06:00

Q1 in figures
  • According to KSN data, Kaspersky Lab products detected and neutralized a total of 2,205,858,791 malicious attacks on computers and mobile devices in the first quarter of 2015.
  • Kaspersky Lab solutions repelled 469,220,213 attacks launched from online resources located all over the world.
  • Kaspersky Lab's web antivirus detected 28,483,783 unique malicious objects: scripts, exploits, executable files, etc.
  • 93,473,068 unique URLs were recognized as malicious by web antivirus components.
  • 40% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in Russia.
  • Kaspersky Lab's antivirus solutions detected a total of 253,560,227 unique malicious and potentially unwanted objects.
  • Kaspersky Lab mobile security products detected
    • 147,835 installation packages;
    • 103,072 new malicious mobile programs;
    • 1,527 mobile banking Trojans.
Overview Equation APT – the most sophisticated attacks

The story of the powerful Equation cyberespionage group was perhaps the most talked-about news story of Q1. The group has interacted with other influential groups, such as Stuxnet and Flame, for many years. Attacks carried out by Equation are arguably the most sophisticated of all: one of the group’s modules can be used to modify hard drive firmware. Since 2001, Equation has successfully infected the computers of thousands of victims in Iran, Russia, Syria, Afghanistan, the US and other countries. Its victims come from sectors such as government and diplomatic institutions, telecommunications, energy, etc.

The group uses a variety of malware, some of which is even more sophisticated than the infamous Regin platform. Known methods of dissemination and infection include using the Fanny USB worm (its arsenal included two zero-day vulnerabilities that were later used in Stuxnet), malicious installers on CDROMs, and web exploits.

Carbanak – the most successful cyber campaign

In spring 2014, Kaspersky Lab got involved in a forensic investigation: a bank’s ATMs dispensed cash without the recipient physically interacting with the ATM. This was the start of our investigation into the Carbanak campaign and an analysis of the eponymous malicious program.

Carbanak is a backdoor originally based on Carberp code. It is designed for espionage, data exfiltration and remote control of any computer infected with it. Once the attackers were inside the victim´s network, they performed a reconnaissance of that network with a view to performing lateral movement and compromising critically important systems – processing systems, accounting systems and ATMs.

Kaspersky Lab products detected a total of 2.2 bln malicious attacks in the Q1 2015

Tweet

Three methods of cashing out have been identified:

  1. via ATMs,
  2. by transferring money to cybercriminals’ accounts using the SWIFT network,
  3. by altering databases to create fake accounts and subsequently using mule services to collect the money.

Infections were carried out using typical APT-style methods – via spearphishing emails with documents containing exploits. The emails were constructed in such a way as to avoid raising suspicions, in some cases coming from the addresses of employees working for the company under attack.

Kaspersky Lab estimates that about 100 financial organizations, most of them in Eastern Europe, have been hit by the group, with total financial losses approaching $1 billion. This makes Carbanak by far the most successful criminal cyber campaign we have ever seen.

Desert Falcons – attacks in the Middle East

While investigating an incident in the Middle East, Kaspersky Lab experts came across the activity of a previously unknown group carrying out targeted attacks. The group was given the name Desert Falcons. It is the first Arabic speaking group seen conducting full-scale cyberespionage operations, and its work is apparently connected with the political situation in the region.

The first signs of Desert Falcons’ activity were seen in 2011 and the first known infections were carried out in 2013. The group’s activity peaked in late 2014 and early 2015. The group’s members are clearly no newbies: they developed Windows and Android malware from scratch; they also skillfully organized attacks which relied on phishing emails, fake websites and fake social network accounts.

Kaspersky Lab solutions repelled 470 mln attacks launched from online resources located all over the world

Tweet

The group’s victims are located primarily in Palestine, Egypt, Israel and Jordan. Victims include political activists and leaders, military and governmental organizations, mass media, financial institutions and other organizations. The group has currently claimed more than 3,000 victims; the attackers have succeeded in stealing over a million files and documents.

In addition to highly sophisticated and carefully planned distribution of spear phishing emails designed to infect the victims, Desert Falcons used social engineering on Facebook. The attackers created dedicated accounts to begin communicating with their intended victims, gain their trust and then use the chat facility to send each victim a malicious program disguised as an image. For infections on a bigger scale, the group used posts containing malicious links, created using compromised or fake accounts of political leaders.

Animal Farm APT

In March 2014 the French newspaper Le Monde published an article on a cyberespionage toolset identified by Communications Security Establishment Canada (CSEC). The toolset described was used in the Snowglobe operation, which targeted francophone Canadian media, as well as Greece, France, Norway and some African countries. Based on the results of their analysis, CSEC believed that the operation might have been initiated by French intelligence agencies.

In early 2015, researchers published analyses of some malicious programs (1, 2, 3) that had much in common with Snowglobe. In particular the research identified samples that contained the internal name Babar, which was the same as the name of the program mentioned in the CSEC slides.

Kaspersky Lab's web antivirus detected 28,5 mln unique malicious objects in the Q1 2015

Tweet

After analyzing the malicious programs used in this campaign and identifying the connections between them, Kaspersky Lab experts gave the group behind them the name Animal Farm. It was discovered that two of the three zero-day vulnerabilities found by Kaspersky Lab in 2014 and used by cybercriminals in their attacks were present in the group’s arsenal. For example, an attack from the compromised website of the Syrian Ministry of Justice using exploits for CVE-2014-0515 led to an Animal Farm tool, known as Casper, being downloaded.

A curious feature of this campaign is that NBOT – one of the malicious programs used by the group – is designed to conduct DDoS attacks. This functionality is not commonly used by typical APT groups. In addition, one of the malicious ‘animals’ has the strange name of Tafacalou – possibly, a word in Occitan, a language spoken in France and some other places.

Upatre – active distribution of the Dyre/Dyreza banker

Last quarter, the most widespread example of a banker Trojan was Upatre – a downloader for the Dyre financial malware, also known as Dyreza. This banker Trojan first appeared in 2014. It targets users from various financial organizations. It uses a technique designed to bypass SSL protection in order to steal payment information. This malware can also be used as a remote administration tool (RAT), enabling attackers to manually carry out transactions on behalf of online banking users.

The Upatre downloader is delivered to users in spam emails, many of which look like legitimate messages from financial institutions. Banks attacked by the banker Trojan Dyre, which is downloaded by Upatre, include Bank of America, Natwest, Citibank, RBS and Ulsterbank. According to researchers, the bulk of Dyre activity is currently taking place in the UK.

PoSeidon – attacks on PoS terminals

A new banker Trojan which attacks PoS terminals has been detected. PoSeidon scans a PoS system’s memory for payment information stored in plain text and sends any information it finds to the attackers.

Researchers from Cisco Security Solutions have identified three malware components that are probably associated with PoSeidon: a keylogger, a loader and a memory scraper that also has keylogging functionality. The keylogger is designed to steal credentials for the LogMeIn remote access application. It deletes encrypted LogMeIn passwords and profiles that are stored in the system registry in order to force users to type them again. The researchers believe this keylogger is potentially used to steal the remote access credentials that are needed to compromise point-of-sale systems and install PoSeidon.

In the Q1 2015 Kaspersky Lab mobile products detected 103 072 new malicious mobile programs

Tweet

Once the PoSeidon attackers get access to a PoS terminal, they install a loader. This component downloads another file called FindStr from the group’s command-and-control (C&C) servers. FindStr is used to find strings that match payment card numbers in the memory of running processes. Curiously, the malware only looks for card numbers that begin with specific digits.

Statistics

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Mobile threats

Mobile malware is evolving towards monetization – with malware writers trying to render their creations capable of obtaining money and users’ bank data using a variety of techniques.

More and more SMS Trojans are being enhanced with features that enable them to attack victims’ bank accounts. An example of this is Trojan-SMS.AndroidOS.OpFake.cc, which can now attack at least 29 banking and financial applications.

Malware writers are also beginning to build ransomware functionality into their SMS Trojans. For example, in order to obtain victims’ bank card data, Trojan-SMS.AndroidOS.FakeInst.ep uses techniques typical of ransomware programs: windows opened by the malware cannot be closed without entering the data.

What the user sees is a message, purportedly from Google, demanding that the user opens Google Wallet and goes through the ‘personification’ procedure by entering their credit card details (curiously, one of the justifications given for these actions is the need to combat cybercrime). The window cannot be removed until the victim enters credit card details.

Trojan-Spy programs, like SMS Trojans, are modified so that they can attack victims’ bank accounts. For example, Trojan-Spy.AndroidOS.SmsThief.ay is now capable of attacking five different banking and financial applications.

The upshot of this is that the mobile malware used by cybercriminals to hunt for their victims’ money is becoming increasingly versatile. Stealing money from users’ bank accounts by attacking banking applications is now something that can be done not only by dedicated Trojan-Bankers but also by some SMS Trojans and even Trojan-Spies. This may be one of the reasons why relatively few mobile banker Trojans were detected in Q1 2015.

In the Q1 2015 Kaspersky Lab mobile products detected 1,527 mobile banking Trojans

Tweet

Overall, mobile malware designed to steal or extort money from users (SMS Trojans, banker Trojans and ransomware Trojans) accounted for 23.2% of new mobile threats in Q1 2015. All three malware types are extremely dangerous and the malware writers' interest in their victims' money provides an incentive for their further development and evolution.

New developments from malware writers
  1. Trojan-Banker.AndroidOS.Binka.d, a banker Trojan, has evolved. Now it can ‘listen in’ to its victim. Sound is recorded using the device’s microphone and written to a file that is transferred to the cybercriminals’ server.
  2. A technique based on patching applications and embedding malicious code into them is now one of the main methods used to distribute Trojans. For example, Trojan-SMS.AndroidOS.Chyapo.a was embedded in the Unity Launcher Free app. The difference between clean and malicious applications is, in this case, manifested only by a new permission requirement – the malicious app requires access to the handling of incoming SMS messages. Another curious thing about this Trojan was that its command-and-control server was hosted on sites.google.com.
  3. The developers of Podec, an SMS Trojan, have mastered a new distribution technique – through the VKontakte social network. A malicious file was uploaded to the popular social network’s content storage servers.  The Trojan made it into the Top Three malicious mobile programs based on the number of users attacked.
  4. Malware that can actively resist security solutions is not a new technology, but it is gaining in popularity. Trojan-Banker.AndroidOS.Svpeng.f, a banker Trojan first detected in Q1, tries to remove the applications of three antivirus vendors: Avast, Eset, and DrWeb.
Mobile threat statistics

In Q1 2015, Kaspersky Lab mobile security products detected 103,072 new malicious mobile programs, a 3.3 fold increase on Q4 2014.

The number of installation packages detected was 147,835 – this is 2.3 times as many as in the previous quarter.

Number of malicious installation packages
and new malicious mobile programs detected (Q3 2014 - Q1 2015)

We have lately seen the ratio of malicious installation packages to new malicious programs diminish. In Q3 2014, there was an average of 6.2 malicious installation packages per malicious program, in Q4 – there were about two installation packages per malicious program. In Q1 2015, the ratio was down to 1.4.

Distribution of mobile malware by type

Distribution of new mobile malware by type, Q1 2015

The ranking of malware objects for mobile devices for the first quarter of 2015 was headed by RiskTool (35.7%). These are legitimate applications that are potentially dangerous for the user – if used carelessly or manipulated by a cybercriminal, they could lead to financial losses.

SMS Trojans came second with 21%. As we wrote in our previous reports, in Q3 2014 the proportion of SMS Trojans to all new mobile threats fell from 22% to 14%. However, this type of malware regained lost ground by the end of 2014. In terms of growth rate, it is in third place: in Q1 2015 the total number of SMS Trojans in our collection increased by 18.7%.

Third place in the rankings was taken by potentially unwanted advertising apps (15.2%). The number of such applications in the overall stream of new mobile threats is gradually declining.

Более 93 млн. опасных ссылок выявили продукты "ЛК" с января по март 2015 года

Tweet

The share of banker Trojans among all the mobile malware first detected in Q1 has significantly declined compared to previous quarters and was down to 1.1%. The number of new mobile bankers in our collection grew by 6.5% during the quarter.

One other thing worth noting is that Trojan-Ransom malware, which has not been in the cybercriminals’ arsenal for very long, demonstrated the highest growth rate of all mobile threats. The number of new samples detected in Q1 was 1,113, resulting in a 65% increase in the number of mobile ransomware samples in our collection. This is a dangerous trend: since malware of this type is designed to extort money, it can damage personal data and block infected devices.

Another type of mobile threat which is showing a high growth rate is spyware (Trojan-Spy). The number of such programs in our collection increased by 35% in the first quarter of 2015.

Top 20 malicious mobile programs   Name % of attacks * 1 DangerousObject.Multi.Generic 10.90% 2 AdWare.AndroidOS.Viser.a 9.20% 3 Trojan-SMS.AndroidOS.Podec.a 7.92% 4 RiskTool.AndroidOS.MimobSMS.a 7.82% 5 Trojan-SMS.AndroidOS.OpFake.a 6.44% 6 Trojan.AndroidOS.Mobtes.b 6.09% 7 Adware.AndroidOS.MobiDash.a 5.96% 8 Exploit.AndroidOS.Lotoor.be 4.84% 9 RiskTool.AndroidOS.SMSreg.gc 4.42% 10 AdWare.AndroidOS.Xynyin.a 3.31% 11 AdWare.AndroidOS.Ganlet.a 2.63% 12 Exploit.AndroidOS.Lotoor.a 2.19% 13 AdWare.AndroidOS.Dowgin.l 2.16% 14 Trojan-SMS.AndroidOS.Stealer.a 2.08% 15 AdWare.AndroidOS.Kirko.a 2.04% 16 Trojan.AndroidOS.Rootnik.a 1.82% 17 Trojan.AndroidOS.Pawen.a 1.81% 18 Trojan-SMS.AndroidOS.Gudex.f 1.75% 19 RiskTool.AndroidOS.SMSreg.dd 1.69% 20 AdWare.AndroidOS.Kemoge.a 1.52%

* Percentage of users attacked by the malware in question, relative to all users attacked

The top position in the rankings was occupied by DangerousObject.Multi.Generic (10.90%). This is how new malicious applications are detected by Kaspersky Security Network cloud technologies, which help our products to significantly shorten the response time to new and unknown threats.

Potentially unwanted advertising applications accounted for seven positions in the rankings, including second place, which was taken by AdWare.AndroidOS.Viser.a (9.2%).

SMS Trojans continue to lose ground in the Top 20 ranking of mobile threats: while in Q4 2014 they had nine positions in the rankings, in Q1 2015 they only had four.

Nevertheless, Trojan-SMS.AndroidOS.Podec.a (7.92%) has been among the Top Three malicious mobile programs for two quarters in a row due to its active dissemination. As we mentioned above, the malware was uploaded to the file storage servers of VKontakte, Russia’s largest social network. On top of everything else, this Trojan is known to use the most powerful commercial obfuscator available today.

RiskTool malware occupied six positions in the Top 20, with RiskTool.AndroidOS.MimobSMS.a (7.82% of users attacked) ranking fourth.

Mobile banker Trojans

In Q1 2015, we detected 1,527 mobile banker Trojans –a 4.4 fold decline on the previous quarter.

Number of mobile banker Trojans detected (Q1 2014 – Q1 2015)

Geography of mobile banking threats in Q1 2015
(number of users attacked)

96% of attacks involving mobile banker Trojans were against users located in 10 countries.

Top 10 counties attacked by mobile banker Trojans:

  Country % of all attacks* 1 Russia 86.66% 2 Ukraine 2.27% 3 US 2.21% 4 Kazakhstan 1.87% 5 Germany 0.97% 6 Republic of Korea 0.70% 7 Belarus 0.64% 8 UK 0.37% 9 Uzbekistan 0.34% 10 India 0.21%

* Percentage of users attacked per country, relative to all users attacked

Russia retained its traditional top position in the rankings. Ukraine moved up to second place, pushing the US and Kazakhstan down to the third and fourth positions, respectively. Belarus moved two notches down to seventh place.

The geography of mobile threats

In Q1 2015, mobile malicious attacks were detected at least once in 213 countries.

The geography of mobile malware infection attempts in Q1 2015
(percentage of all users attacked)

Top 10 countries attacked by mobile malware:

  Country % of attacks* 1 Russia 41.92% 2 India 7.55% 3 Germany 4.37% 4 Brazil 3.20% 5 Iran 3.12% 6 Kazakhstan 2.88% 7 US 2.84% 8 Ukraine 2.53% 9 Malaysia 2.05% 10 Vietnam 1.87%

*Percentage of users attacked per country, relative to all users attacked

Russia (42%) remained at the top of this ranking, with the other countries lagging far behind. India (7.5%) was in second place.

Vulnerable applications exploited by cybercriminals

The ranking of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by cybercriminals in Internet attacks and in attempts to compromise local applications, including those installed on mobile devices.

Distribution of exploits used in attacks by type of application attacked, Q1 2015

The top position in the Q1 2015 rankings was occupied by the Browsers category (64%), which includes exploits targeting Internet Explorer. This category was also at the top of the rankings in the last three quarters of 2014.

In Q1, we saw a significant fall in the number of exploits for Oracle Java (down seven percentage points (p.p.) from Q4 2014). This can be explained by the fact that exploits for these applications were almost completely removed from all exploit packs.

It is worth mentioning the growing number of exploits for Microsoft Office (up two p.p. from Q4 2014) and Adobe Flash Player (up by one p.p.) in Q1 2015.

The increase in the number of malicious flash objects was primarily due to the large number of vulnerabilities discovered in the first quarter of 2015. Virtually all exploit packs now include exploits for Adobe Flash Player vulnerabilities.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

Online threats in the banking sector

In the first quarter of 2015, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on the computers of 929,082 users. This figure represents a 64.3% increase compared to the previous quarter (565,515).

Number of computers attacked by financial malware (Q1 2015)

Attacks using financial malware are on the rise. Note that there was a sharp increase in the number of such attacks in March 2015.

A total of 5,106,804 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q1 2015.

Geography of attacks

Geography of banking malware attacks (Q1 2014)

Top 10 countries by the number of users attacked

  Countries Number of users attacked 1 Brazil 91,893 2 Russia 85,828 3 US 66,699 4 Germany 51,670 5 UK 25,269 6 India 22,085 7 Turkey 21,397 8 Australia 18,997 9 Italy 17,663 10 Spain 17,416

Brazil continued to lead the ranking of countries most affected by banking malware, with the number of attacks increasing by 15% compared to the previous quarter (79,845).

The Top 10 banking malware families

The table below shows the top 10 programs most commonly used to attack online banking users in Q1 2015, based on the number of users attacked:

Name Number of notifications Number of users attacked Trojan-Downloader.Win32.Upatre 3,127,365 349,574 Trojan-Spy.Win32.Zbot 865,873 182,966 Trojan-Banker.Win32.ChePro 355,735 91,809 Trojan-Banker.Win32.Banbra 35,182 16,363 Trojan.Win32.Tinba 94,972 15,719 Trojan-Banker.Win32.Agent 44,640 12,893 Trojan-Banker.Win32.Shiotob 60,868 12,283 Trojan-Banker.Win32.Banker 39,728 12,110 Trojan-Spy.Win32.SpyEyes 57,418 9,168 Backdoor.Win32.Papras 56,273 3,062

The vast majority of malicious programs in the Top 10 ranking use a technique based on injecting arbitrary HTML code into the web page displayed by the browser and intercepting payment credentials entered by the user in original and injected web forms.

In the first quarter of 2015, Zeus (Trojan-Spy.Win32.Zbot), which in 2014 was the most popular malicious program in this category, gave up its top position to Trojan-Downloader.Win32.Upatre. Malicious programs in this family are relatively simple and no larger than 3.5 KB. They usually download a Trojan-Banker belonging to a family known as Dyre/Dyzap/Dyreza. The list of financial institutions attacked by the banker Trojan depends on the configuration file that is downloaded from the command-and-control center.

The third specimen in the banker Trojan Top Three is Trojan-Banker.Win32.ChePro. This malware spreads via spam emails with online banking-related subject strings (e.g., messages can have “Invoice for online banking” as their subject). A word document with an embedded image is attached to such messages; upon clicking on the image, malicious code is executed.

Financial threats

Financial threats are not limited to banker malware that attacks online banking customers.

Financial malware: distribution by malware type

The second most widespread financial threat in Q1 2015 was Bitcoin wallet theft. Another cryptocurrency-related threat was Bitcoin mining, i.e., using victims' computers to generate Bitcoins.

Top 20 malicious objects detected online

In the first quarter of 2015, Kaspersky Lab's web antivirus detected 28,483,783 unique malicious objects: scripts, exploits, executable files, etc.

We identified the 20 most active malicious objects involved in online attacks against users' computers. These 20 accounted for 95.9% of all attacks on the Internet.

Top 20 malicious objects detected online

  Name* % of all attacks** 1 Malicious URL 37.55% 2 AdWare.JS.Agent.bg 36.06% 3 AdWare.Script.Generic 6.58% 4 Trojan.Script.Iframer 4.49% 5 AdWare.NSIS.AnProt.b 3.83% 6 Trojan.Script.Generic 2.91% 7 AdWare.JS.Agent.an 1.06% 8 AdWare.Win32.Yotoon.bfm 0.81% 9 Trojan.JS.Redirector.ads 0.47% 10 Exploit.Script.Blocker 0.33% 11 AdWare.Win32.Eorezo.eod 0.31% 12 Trojan.Win32.Generic 0.24% 13 Trojan-Downloader.Win32.Generic 0.22% 14 AdWare.Win32.ConvertAd.vo 0.17% 15 Trojan-Downloader.Script.Generic 0.16% 16 AdWare.NSIS.Agent.bx 0.16% 17 AdWare.NSIS.Agent.cv 0.13% 18 AdWare.AndroidOS.Xynyin.a 0.13% 19 AdWare.Win32.Yotoon.heur 0.12% 20 AdWare.Win32.SoftPulse.xvm 0.12%

*These statistics represent the detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local statistical data.
**The percentage of all web attacks recorded on the computers of unique users.

The Top 20 is largely made up of objects used in drive-by attacks, as well as adware programs. 37.55% of all verdicts fell on links that are included in blacklists.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of online resources that were used in attacks and blocked by antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command-and-control centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names were matched up against the actual domain IP addresses, and then the geographical locations of specific IP addresses (GEOIP) were established.

In Q1 2015, Kaspersky Lab solutions blocked 469,220,213 attacks launched from web resources located in various countries around the world. 90% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Distribution of web attack sources by country, Q1 2015

This Top 10 ranking typically remains unchanged for extended periods of time. However, Q1 2015 saw a change of leader. The top position is now occupied by Russia (with almost 40%), which rose from fourth position. The US, which headed the ranking in the previous quarter, is now in second position with 18%.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

  Country* % of unique users attacked ** 1 Kazakhstan 42.37% 2 Russia 41.48% 3 Azerbaijan 38.43% 4 Ukraine 37.03% 5 Croatia 37.00% 6 Armenia 35.74% 7 Mongolia 33.54% 8 Moldova 33.47% 9 Belarus 33.36% 10 Kyrgyzstan 32.20% 11 Algeria 32.12% 12 Qatar 31.15% 13 Georgia 30.69% 14 UAE 29.36% 15 Latvia 28.69% 16 Tajikistan 28.36% 17 Bosnia and Herzegovina 28.00% 18 Greece 27.55% 19 Tunisia 27,54% 20 Bulgaria 27,44%

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
*These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
**Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the first quarter of 2015, the top position in the rankings was occupied by Kazakhstan, which pushed Russia down to second place. Since the previous quarter, Vietnam and Portugal have left the Top 20. The rankings’ newcomers were Bosnia and Herzegovina (28.00%) and Greece (27.55%), which were in 17th and 18th positions, respectively.

The countries with the safest online surfing environments included Japan (12.4%), Denmark (12.7%), Singapore (14.3%), Finland (14.9%), South Africa (14.8%) and the Netherlands (15.2%).

On average, 26.3% of computers connected to the Internet globally were subjected to at least one web attack during the three months.

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems using means other than the Internet, email, or network ports.

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q1 2015, Kaspersky Lab's file antivirus modules detected 253,560,227 unique malicious and potentially unwanted objects.

Top 20 malicious objects detected on user computers   Name* % of unique users attacked ** 1 DangerousObject.Multi.Generic 22.56% 2 Trojan.WinLNK.StartPage.gena 17.05% 3 Trojan.Win32.Generic 15.06% 4 AdWare.Script.Generic 6.12% 5 WebToolbar.Win32.Agent.azm 4.49% 6 WebToolbar.JS.Condonit.a 4.20% 7 AdWare.Win32.Agent.heur 4.15% 8 RiskTool.Win32.BackupMyPC.a 3.83% 9 Downloader.Win32.Agent.bxib 3.74% 10 Trojan.Win32.AutoRun.gen 3.70% 11 Trojan.VBS.Agent.ue 3.64% 12 Downloader.Win32.MediaGet.elo 3.42% 13 AdWare.Win32.SearchProtect.ky 3.34% 14 Worm.VBS.Dinihou.r 3.31% 15 Virus.Win32.Sality.gen 3.18% 16 AdWare.Win32.DealPly.brj 2.86% 17 Trojan.Script.Generic 2.74% 18 AdWare.Win32.NewNext.a 2.70% 19 WebToolbar.JS.CroRi.b 2.66% 20 AdWare.MSIL.Kranet.heur 2.49%

*These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who have consented to submit their statistical data.
**The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a file antivirus detection was triggered.

This ranking usually includes verdicts issued to adware programs and their components (such as Trojan.VBS.Agent.ue,). In Q1 2015, such verdicts occupied thirteen places in the Top 20.

A newcomer to the rankings, Trojan.WinLNK.StartPage.gena, jumped straight into second position. This is a verdict given to LNK files containing a browser link which specifies the page to be opened. These pages usually have names similar to those of Internet search engines, but they actually redirect users to sites with questionable content. Some of these sites can be dangerous and are even detected by antivirus solutions. Detections of such LNK files peaked in January.

The only virus in the rankings – Virus.Win32.Sality.gen – continues to lose ground. The proportion of user machines infected by this virus has been diminishing for a long time. In Q1 2015, Sality was in 15th place with 3.18%.

Countries where users faced the highest risk of local infection

For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus had been triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Top 20 countries with the highest levels of computer infection

  Country* % of unique users ** 1 Vietnam 60.68% 2 Bangladesh 60.20% 3 Mongolia 57.28% 4 Yemen 55.91% 5 Somalia 55.64% 6 Nepal 55.01% 7 Afghanistan 54.91% 8 Algeria 54.83% 9 Iraq 54.38% 10 Cambodia 52.70% 11 Laos 52.54% 12 Armenia 52.44% 13 Pakistan 51.95% 14 Kazakhstan 51.54% 15 Ruanda 51.36% 16 Ethiopia 50.93% 17 Egypt 50.60% 18 Syria 50.11% 19 India 50.00% 20 Tajikistan 49.80%

These statistics are based on the detection verdicts returned by OAS and ODS antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data includes detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
**The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

For a long time, countries in Africa, the Middle East and South-East Asia took all the positions in this ranking. However, in Q1 2015, the rankings had such newcomers as Armenia (12th position), Kazakhstan (14th position) and Tajikistan (20th position).

Vietnam (60.68%) has headed the rankings for almost two years, while Bangladesh (60.2%) and Mongolia (57.3%) have kept their positions for the third quarter in a row.

In Russia, local threats in Q1 2015 were detected on computers of 49.6% of users.

The safest countries in terms of local infection risks were: Japan (14.7%), Denmark (20.1%), Sweden (21.4%), Hong Kong (21.5%), and Finland (21.6%).

An average of 39.8% of computers globally faced at least one local threat during Q1 2015, which is two p.p. more than in Q4 2014.

RSA Conference 2015

Wed, 04/22/2015 - 07:54

The RSA Conference 2015 is being held at the Moscone Center in San Francisco. It a massive event, with thousands of people in attendance.

A huge number of booths built up by vendors provide coffee bars, presentations, and swag giveaways. Threat intelligence is hawked by many here. But, some of the most surprising parts of cyber-security that has been a long time coming is a discussion I do not always hear - cyber-security insurance and quantification methodologies of threat risk assessment. Yawn. This arrival following the massive 2014 data breaches, of course, is partly expected and a double edged sword. It both incentivizes corporate decision makers to act more irresponsible with protecting your data (just buy more insurance to cover it, it's cheap!), and the policies may incentivize decision makers to strengthen their organization's cybersecurity in order to meet coverage requirements. Either way, carriers are underwriting more cybersecurity policies and we have yet to see the real impact.

From Kaspersky Lab, our very own David Jacoby will be presenting later today on IoT security at 10:20 am, West Moscone Room 3018. Come check it out!

How exploit packs are concealed in a Flash object

Wed, 04/22/2015 - 07:00

One of the most important features of a malicious attack is its ability to conceal itself from both protection solutions and victims. The main role in performing a hidden attack is played by exploits to software vulnerabilities that can be used to secretly download malicious code on the victim machine. Generally, exploits are distributed in exploit packs which appear in the form of plugin detects (to identify the type and version of software installed on the user computer) and a set of exploits, one of which is issued to the user if an appropriate vulnerability is found.

Recently, we have come across a new technique used to hide exploit-based attacks: fraudsters packed the exploit pack in the Flash file.

Downloading an Exploit

The standard technique used in a drive-by attack is to compromise a web site with a link leading to a landing page with the exploit pack. From there the pack uploads the necessary exploit onto the user computer.  From the point of view of security software, this unmasks all the components of the exploit pack because they are simply uploaded onto the landing page. As a result, the exploits and the plugin detects are visible in the web traffic. The criminals must mask each component separately if the attack is to go unnoticed.

The unconventional new approach with the Flash package is definitely more efficient for criminals. The standard landing page is missing. The user follows the link to get to a page with a packed Flash object that turns out to be the exploit pack and the configuration file in an image form. The packed Flash file with the exploit pack is loaded to a page in the browser and has the right to write to and modify the page, i.e. it can add exploits to the page which will then be executed.

Let us look into how this works, using the Netrino exploit pack as our example.

This is what the packed Flash object looks like:

The packed Flash object (exploit pack)

This is how it looks after de-obfuscation:

The Flash object (exploit-pack) after de-obfuscation

The packing is supposed to prevent the malicious object from being detected. A Flash object like this is not opened by most popular deobfuscators. For instance, SWF Decompiler freezes and then reports an error.


The results of using a popular deobfuscator on the Flash object of the Neutrino exploit pack

The Flash object is written to a page in the user's browser with the parameter allowscriptaccess = "always" – this allows for the page to be modified, even if the object was loaded from a different domain. Although Flash objects rarely require page modification rights, there is nothing very unusual about this option and indeed a lot of legitimate Flash content is loaded this way. With this privilege, the malicious Flash object simply writes exploits to the page from its binary data.

Thus, there is no malicious content in the web traffic or on the page delivered to the browser. The malicious content is hidden behind a good packer, and the exploits emerge while a page is processed by the browser.

Contents of the Flash object

Let us have a look at what the analyzed Flash object contains, and what it writes to a web page. After unpacking, we see six embedded binary objects. These binary objects are coded with RC4, and some are also compressed with the standard 'deflate' algorithm.

The encoded binary objects within the Flash object

Here is how one of the objects is decoded and delivered:

The code for decrypting and adding the exploit to a page

Other objects are decrypted in a similar manner.

Let us summarize the binary objects contained in the Flash pack:

  • An exploit for the CVE-2013-2551 vulnerability in Internet Explorer
  • The exploit for the CVE-2013-2551 vulnerability

  • A malicious DLL which is also part of other versions of the Neutrino exploit pack (discussed later in this article).
  • Two exploits for the CVE-2014-6332 vulnerability in Internet Explorer's VBS processor:

  • Exploits for the CVE-2014-6332 vulnerability

  • An exploit for the CVE-2014-0569 vulnerability in Adobe Flash
  • The exploit for the CVE-2014-0569 vulnerability

  • An exploit for the CVE-2014-0515 vulnerability in Adobe Flash
  • The exploit for the CVE-2014-0515 vulnerability

By the way, there is no plugin detect for Adobe Flash exploits in this exploit pack. ActionScript tools are used to check the version of Adobe Flash. Adobe Flash versions that can be attacked using exploits are hardcoded in the Flash-pack code:

In the most recent versions, modifications were introduced into the Flash pack. These include adding another exploit for the vulnerability CVE-2015-0536 in Adobe Flash.

The configuration file

Let us have a look at one interesting function in the Flash pack.

It should be remembered that an image (a configuration file) is posted on the landing page alongside with the Flash object.

The image posted on the page

A special function reads this image from the landing page, decodes its Base64 and RC4, and thus obtains the configuration file.

The function for obtaining the configuration file

The configuration file contains the keys and identifiers of the exploits discussed above, which are available for the user to download. The availability of the configuration file gives some flexibility to the cybercriminals: they can specify the best settings for its operation at each specific period of time without changing the exploit pack itself. For example, they can specify priority exploits or separately keep the keys with which to decrypt the objects within the pack.

The configuration file decrypted from the image

In the later versions of the Flash pack, however, the configuration file is part of the actual exploit pack rather than a separate picture.

Implementing the payload

The shell-code of one of the exploits is a VBS code with binary code in a string, which is executed by the exploitation of the vulnerability CVE-2014-6332 in Internet Explorer's VBS processor. As a result, the file shell32.dll is loaded to the folder "%temp%/System32/.

The name and the path of the loaded file are similar to those of regular Windows DLLs. Using the regular DLL hijacking technique, one can go without using the functions run, start, open etc., and thus mask the launch of a malicious DLL from the security product.

Using DLL hijacking shell32.dll

The exploit modifies the environment variable SYSDIR and attempts to load System.ShellApplication – this launches the malicious DLL.

The launched DLL is a dropper which loads the script"p.js" to the victim's computer and launches it.

The main part of shell32.dll code

The launched p.js script

This script is the loader of the principal malicious file.

Distribution

The version of the Flash pack described in this article emerged in late 2014 and was actively distributed in Q1 2015. There were also new modifications of the Flash pack, but their basic working principles didn't change.

It wasn't until March 2015 that we observed Neutrino Flash pack attacks on the computers of 60,541 users. On average about 2,000 users were attacked every day; on certain days, the number of potential victims reached 5,000 to 6,000.

The number of unique users attacked by Neutrino Flash pack

This exploit pack is predominantly used to attack users located in the USA and Canada.

The geographic distribution of Neutrino Flash-pack attacks (as of March 2015)

Conclusion

The idea of use a Flash-pack to distribute exploits is relatively new and it has proved fairly successful for cybercriminals. Existing Flash properties allow them to pack the exploit pack into a Flash object and conceal it with an obfuscator. The Flash capability to specify website access parameters then allows them to write exploits to a webpage in the user's browser. The exploit-pack's components are not found in the web traffic, nor in the loaded page.

Although the malware writers are constantly updating the exploit-pack and introducing modifications into the code of the malicious Flash pack in order to prevent security products from detecting it, Kaspersky Lab responds promptly to these threats. Alongside regular protection methods, Kaspersky Lab's products use a special "Anti-Exploit Protection" (AEP) component, which detects this threat with the help of behavior analysis.

Kaspersky Lab's products detect this Flash pack under the verdict HEUR:Exploit.Script.Blocker, HEUR:Exploit.SWF.Generic.

The CozyDuke APT

Tue, 04/21/2015 - 16:50

CozyDuke (aka CozyBear, CozyCar or "Office Monkeys") is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets. The White House and Department of State are two of the most spectacular known victims.

The operation presents several interesting aspects

  • blatantly sensitive high profile victims and targets
  • crypto and anti-detection capabilities
  • strong malware functional and structural similarities mating this toolset to early MiniDuke second stage components, along with more recent CosmicDuke and OnionDuke components

The actor often spearphishes targets with e-mails containing a link to a hacked website. Sometimes it is a high profile, legitimate site such as "diplomacy.pl", hosting a ZIP archive. The ZIP archive contains a RAR SFX which installs the malware and shows an empty PDF decoy.

In other highly successful runs, this actor sends out phony flash videos directly as email attachments. A clever example is "Office Monkeys LOL Video.zip". The executable within not only plays a flash video, but drops and runs another CozyDuke executable. These videos are quickly passed around offices with delight while systems are infected in the background silently. Many of this APT's components are signed with phony Intel and AMD digital certificates.

Recent Cozyduke APT activity attracted significant attention in the news:
Sources: State Dept. hack the 'worst ever'
White House computer network 'hacked'
Three Months Later, State Department Hasn't Rooted Out Hackers
State Department shuts down its e-mail system amid concerns about hacking

Let's examine a smattering of representative CozyDuke files and data. There is much to their toolset.

Office Monkeys dropper analysis
The droppers and spyware components often maintain fairly common characteristics
68271df868f462c06e24a896a9494225,Office Monkeys LOL Video.zip

Believe it or not, recipients in bulk run the file within:
95b3ec0a4e539efaa1faa3d4e25d51de,Office Monkeys (Short Flash Movie).exe
 
This file in turn drops two executables to %temp%

  • 2aabd78ef11926d7b562fd0d91e68ad3, Monkeys.exe
  • 3d3363598f87c78826c859077606e514, player.exe

It first launches Monkeys.exe, playing a self-contained, very funny video of white-collar tie wearing chimpanzees working in a high rise office with a human colleague. It then launches player.exe, a CozyDuke dropper maintaining anti-detection techniques:
3d3363598f87c78826c859077606e514,338kb,player.exe,Trojan.Win32.CozyBear.v,CompiledOn:2014.07.02 21:13:33

The file collects system information, and then invokes a WMI instance in the root\securitycenter namespace to identify security products installed on the system, meaning that this code was built for x86 systems, wql here:
SELECT * FROM AntiVirusProduct
SELECT * FROM FireWallProduct

The code hunts for several security products to evade:

  • CRYSTAL
  • KASPERSKY
  • SOPHOS
  • DrWeb
  • AVIRA
  • COMODO Dragon

 
In addition to the WMI/wql use, it also hunts through the "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" registry key looking for security products to avoid.
 
Following these checks, it drops several more malware files signed with the pasted AMD digital signature to a directory it creates. These files are stored within an 217kb encrypted cab file in the dropper's resources under the name "A". The cab file was encrypted and decrypted using a simple xor cipher with a rotating 16 byte key: \x36\x11\xdd\x08\xac\x4b\x72\xf8\x51\x04\x68\x2e\x3e\x38\x64\x32.

The cab file is decompressed and its contents are created on disk. These dropped files bundle functionality for both 64bit and 32bit Windows systems:
C:\Documents and Settings\user\Application Data\ATI_Subsystem\
6761106f816313394a653db5172dc487,54kb,amdhcp32.dll  ← 32bit dll,CompiledOn:2014.07.02 21:13:24
d596827d48a3ff836545b3a999f2c3e3,60kb,aticaldd.dll  ← 64bit dll,CompiledOn:2014.07.02 21:13:26
bc626c8f11ed753f33ad1c0fe848d898,285kb,atiumdag.dll ← 32bit dll, 279kb, Trojan.Win32.CozyDuke.a, CompiledOn:2014.07.02 21:13:26
4152e79e3dbde55dcf3fc2014700a022,6kb,racss.dat
 
The code copies rundll32.exe from windows\system32 to its newly created %appdata%\ATI_Subsystem subdirectory as "amdocl_as32.exe" alongside the three dll's listed above. It runs atiumdag.dll with two parameter values, it's only export and an arbitrary pid,  i.e.:
"C:\Documents and Settings\user\Application Data\ATI_Subsystem\amdocl_as32.exe" "C:\Documents and Settings\user\Application Data\ATI_Subsystem\atiumdag.dll"", ADL2_ApplicationProfiles_System_Reload 1684"
 
This dll is built with anti-AV protections as well. However, it looks for a different but overlapping set, and the random duplication suggests that this component was cobbled together with its dropper, partly regionally based on target selection.

  • K7
  • KASPERSKY
  • AVG

 
The code collects information about the system
efd5aba3-6719-4655-8a72-1aa93feefa38C:\Documents and Settings\user\Application Data\ATI_Subsystem\amdocl_as32exeMyPCuserMicrosoft Windows XP 512600 SP 30 x32Admin192.60.11.1008:11:17:f2:9a:efSophos Anti-Virus

Finally, this process beacons to www.sanjosemaristas.com, which appears to be a site that has been compromised and misused multiple times in the past couple of years.
hxxp://www.sanjosemaristas.com/app/index.php?{A01BA0AD-9BB3-4F38-B76B-A00AD11CBAAA}, providing the current network adapter's service name GUID. It uses standard Win32 base cryptography functions to generate a CALG_RC4 session key to encrypt the collected data communications and POSTs it to the server.

Executable-Signing Certificates

Samples are usually signed with a fake certificate - we've seen two instances, one AMD and one Intel:

Configuration files:

Some of the malware uses an encrypted configuration file which is stored on disk as "racss.dat". This is encrypted by RC4, using key {0xb5, 0x78, 0x62, 0x52, 0x98, 0x3e, 0x24, 0xd7, 0x3b, 0xc6, 0xee, 0x7c, 0xb9, 0xed, 0x91, 0x62}. Here's how it looks decrypted:

C&Cs:

121.193.130.170:443/wp-ajax.php
183.78.169.5:443/search.php
200.119.128.45:443/mobile.php
200.125.133.28:443/search.php
200.125.142.11:443/news.php
201.76.51.10:443/plugins/json.php
202.206.232.20:443/rss.php
202.76.237.216:443/search.php
203.156.161.49:443/plugins/twitter.php
208.75.241.246:443/msearch.php
209.40.72.2:443/plugins/fsearch.php
210.59.2.20:443/search.php
208.77.177.24:443/fsearch.php
www.getiton.hants.org.uk:80/themes/front/img/ajax.php
www.seccionpolitica.com.ar:80/galeria/index.php
209.200.83.43/ajax/links.php
209.200.83.43/ajax/api.php
209.200.83.43/ajax/index.php
209.200.83.43/ajax/error.php
209.200.83.43/ajax/profile.php
209.200.83.43/ajax/online.php
209.200.83.43/ajax/loader.php
209.200.83.43/ajax/search.php

Second stage malware and communications:

The attackers send commands and new modules to be executed to the victims through the C&Cs. The C&C scripts store these temporarily until the next victim connects in local files. We've identified two such files:

  • settings.db
  • sdfg3d.db

Here's how such a database file appears:

These are BASE64 encoded and use the same RC4 encryption key as the malware configuration.

Decoding them resulted in the following payloads:

59704bc8bedef32709ab1128734aa846 *ChromeUpdate.ex_
5d8835982d8bfc8b047eb47322436c8a *cmd_task.dll
e0b6f0d368c81a0fb197774d0072f759 *screenshot_task.dll

Decoding them also resulted in a set of tasking files maintaining agent commands and parameter values:

conf.xml

And a set of "reporting" files, maintaining stolen system "info", error output, and "AgentInfo" output, from victim systems:
DCOM_amdocl_ld_API_.raw
Util_amdave_System_.vol
Last_amdpcom_Subsystem_.max
Data_amdmiracast_API_.aaf
7.txt

screenshot_task.dll is a 32-bit dll used to take a screenshot of the full desktop window and save it as a bitmap in %temp%. The number of times the screenshot is repeated is configurable within the xml task file.

cmd_task.dll is a 32-bit dll that maintains several primitives. It is used to create new processes, perform as a command line shell, and several other tasks.

Each of these payloads is delivered together with a configuration file that explains how to run it, for instance:

Furthermore, ChromeUpdate is a 64-bit executable (which appears to be a WEXTRACT package) that oddly drops a 32-bit Dll. Cache.dll is simply stored as a cabinet file in the ChromeUpdate's resource section.

ChromeUpdate.exe starts the file with "rundll32 cache.dll,ADB_Setup"

Cache.dll analysis

Cache.dll was written in C/C++ and built with a Microsoft compiler.

Cache.dll code flow overview

  • rc4 decrypt hardcoded c2 and urls
  • resolve hidden function calls
  • collect identifying victim system data
  • encrypt collected data
  • send stolen data to c2 and retrieve commands

Cache.dll code details

Structurally, cache.dll is a fairly large backdoor at 425kb. It maintains both code and data in the raw, encrypted blobs of data to be decrypted and used at runtime, and hidden functionality that isn't exposed until runtime. No pdb/debug strings are present in the code.

It maintains eight exports, including DllMain:

  • ADB_Add
  • ADB_Cleanup
  • ADB_Initnj
  • ADB_Load
  • ADB_Release
  • ADB_Remove
  • ADB_Setup

ADB_Setup is a entry point that simply spawns another thread and waits for completion.

Above, we see a new thread created with the start address of Cache.dll export  "ADB_Load" by the initial thread.

This exported function is passed control while the initial thread runs a Windows message loop. It first grabs an encrypted blob stored away in a global variable and pulls out 381 bytes of this encrypted data:

The standard win32 api CryptDecrypt uses rc4 to decrypt this blob into a hardcoded c2, url path, and url parameters listed below with a simple 140-bit key "\x8B\xFF\x55\x8B\xEC\x83\xEC\x50\xA1\x84\x18\x03\x68\x33\xC9\x66\xF7\x45\x10\xE8\x1F\x89\x45\xFC\x8B\x45\x14\x56".

The code then decodes this set of import symbols and resolves addresses for its networking and data stealing functionality:
InternetCloseHandle
InternetReadFile
HttpSendRequestA
HttpOpenRequestA
HttpQueryInfoA
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetSetOptionW
GetAdaptersInfo

Much like the prior office monkey "atiumdag.dll" component, this code collects identifying system information using standard win32 API calls:

  • Computer name - GetComputerNameW
  • User name - GetUserNameW
  • Adapter GUID, ip address, mac address - GetAdaptersInfo
  • Windows version - GetVersionExW

It then uses the runtime resolved networking API calls to send the collected data back to a hardcoded c2 and set of urls.

Cache.dll connectback urls:
209.200.83.43/ajax/links.php
209.200.83.43/ajax/api.php
209.200.83.43/ajax/index.php
209.200.83.43/ajax/error.php
209.200.83.43/ajax/profile.php
209.200.83.43/ajax/online.php
209.200.83.43/ajax/loader.php
209.200.83.43/ajax/search.php

Observed user-agent string on the wire, but it's dynamically generated based on the Windows system settings (retrieved using standard win32 api "ObtainUserAgentString"):
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"

Connections with MiniDuke/CosmicDuke/OnionDuke:

One of the second stage modules of Cozy Bear, Show.dll, is particularly interesting because it appears to have been built onto the same platform as OnionDuke. Below we compare Show.dll with the OnionDuke sample MD5: c8eb6040fd02d77660d19057a38ff769. Both have exactly the same export tables and appear to be called internally "UserCache.dll":

This seems to indicate the authors of OnionDuke and Cozy Bear are the same, or working together.

Another interesting comparison of two other files matches a recent second stage tool from the CozyDuke attacks with a second stage component from other Miniduke/Onionduke attacks.
2e0361fd73f60c76c69806205307ccac, update.dll (Miniduke), 425kb (internal name = "UserCache.dll")
9e3f3b5e9ece79102d257e8cf982e09e, cache.dll (Cozyduke), 425kb (internal name = "UserCache.dll")

The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time. The table below presents the function matches based on size data, but the calls, jmps and code all match as well. The contents of only one of these exports in update.dll has no match whatsoever in cache.dll.

Unlike the atiumdag.dll file above, however, cache.dll and update.dll do not maintain anti-AV and anti-analysis functionality sets. Perhaps they plan to pair this stealer with another dropper that maintains the WMI anti-AV functionality.

We expect ongoing and further activity from this group in the near future and variations on the malware used in previous duke-ish incidents.

For more information about MiniDuke, CosmicDuke and OnionDuke, please see References.

Appendix: Parallel and Previous Research

The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor, Securelist, Feb 2013

Miniduke is back: Nemesis Gemina and the Botgen Studio, Securelist, July 2014

MiniDuke 2 (CosmicDuke), CrySyS, July 2014

COSMICDUKE Cosmu with a twist of MiniDuke [pdf], F-Secure, September 2014

THE CASE OF THE MODIFIED BINARIES, Leviathan Security, October 2014

A word on CosmicDuke, Blaze's Security Blog, September 2014

OnionDuke: APT Attacks Via the Tor Network, F-Secure, November 2014

The Connections Between MiniDuke, CosmicDuke and OnionDuke, F-Secure, January 2015

The Chronicles of the Hellsing APT: the Empire Strikes Back

Tue, 04/14/2015 - 22:30

Introduction

One of the most active APT groups in Asia, and especially around the South China Sea area is "Naikon". Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack.

Naikon is known for its custom backdoor, called RARSTONE, which our colleagues at Trend Micro have described in detail. The name Naikon comes from a custom user agent string, "NOKIAN95/WEB", located within the backdoor:

NOKIAN string in Naikon backdoor

The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way. What was perhaps one of the biggest operations of the Naikon group was launched in March 2014, in the wake of the MH370 tragedy that took place on March 8th. By March 11th, the Naikon group was actively hitting most of the nations involved in the search for MH370. The targets were extremely wide-ranging but included institutions with access to information related to the disappearance of MH370, such as:

  • Office of the President
  • Armed Forces
  • Office of the Cabinet Secretary
  • National Security Council(s)
  • Office of the Solicitor General
  • National Intelligence Coordinating Agency
  • Civil Aviation Authority
  • Department of Justice
  • National Police
  • Presidential Management Staff

The Naikon group used mostly spear-phished documents for the attacks, with CVE-2012-0158 exploits that dropped the group's signature backdoor.

While many of these attacks were successful, at least one of the targets didn't seem to like being hit, and instead of opening the documents, decided on a very different course of action.

The empire strikes back

Here's a question - what should you do when you receiving a suspicious document from somebody you don't know, or know very little? Choose one:

  • Open the document
  • Don't open the document
  • Open the document on a Mac (everybody knows Mac's don't get viruses)
  • Open the document in a virtual machine with Linux

Based on our experience, most people would say 2, 3 or 4. Very few would open the document and even fewer would actually decide to test the attacker and verify its story.

But this is exactly what happened when one of the Naikon spear-phishing targets received a suspicious email. Instead of opening the document or choosing to open it on an exotic platform, they decided to check the story with the sender:

Naikon target asks for confirmation of the email

In the email above, we can see the target questioning the authenticity of the Naikon spear-phishing. They ask the sender if it was their intention to email this document.

The attacker was, of course, not confused in the slightest, and being very familiar with the internal structure of the target's government agency, replied claiming that they work for the secretariat division and were instructed to send it by the organization's management:

Naikon attacker replies to the target

The reply is written in poor English and indicates that the attacker is probably not as proficient in the language as the intended victim. Seeing the reply, the target obviously decided not to open the document. Moreover, they decided to go a bit further and try to learn more about the attacker.

Not long after the first exchange, the following email was sent to the attacker by the target:

The attachment is a RAR archive with password, which allows it to safely bypass malware scanners associated with the free email account used by the attackers. Inside the archive we find two decode PDF files and one SCR file:

Much to our surprise, the "SCR" file turned out to be a backdoor prepared especially for the Naikon fraudsters.

The file "Directory of ... Mar 31, 2014.scr" (md5: 198fc1af5cd278091f36645a77c18ffa) drops a blank document containing the error message and a backdoor module (md5: 588f41b1f34b29529bc117346355113f). The backdoor connects to the command server located at philippinenews[.]mooo[.]com.

The backdoor can perform the following actions:

  • download files
  • upload files
  • update itself
  • uninstall itself

We were amazed to see this course of action and decided to investigate the "Empire Strikes Back"-door further; naming the actor "Hellsing" (explained later).

The malware used by the intended victim appears to have the following geographical distribution, according to KSN data:

  • Malaysia – government networks
  • Philippines – government networks
  • Indonesia – government networks
  • USA - diplomatic agencies
  • India (old versions of malware)

In addition, we've observed the targeting of ASEAN-related entities.

Victims of Hellsing attacks

The actor targets its intended victims using spear-phishing emails with archives containing malware, similar to the one it used against the Naikon group. Some of the attachment names we observed include:

  • 2013 Mid-Year IAG Meeting Admin Circular FINAL.7z
  • HSG FOLG ITEMS FOR USE OF NEWLY PROMOTED YNC FEDERICO P AMORADA 798085 PN CLN.zip
  • Home Office Directory as of May 2012.Please find attached here the latest DFA directory and key position officials for your referenece.scr
  • LOI Nr 135-12 re 2nd Quarter.Scr
  • Letter from Paquito Ochoa to Albert Del Rosario,the Current Secretary of Foreign Affairs of the Philippines.7z
  • Letter to SND_Office Call and Visit to Commander, United States Pacific Command (USPACOM) VER 4.0.zip
  • PAF-ACES Fellowship Program.scr
  • RAND Analytic Architecture for Capabilities Based Planning, Mission System Analysis, and Transformation.scr
  • Update Attachments_Interaction of Military Personnel with the President _2012_06_28.rar
  • Update SND Meeting with the President re Hasahasa Shoal Incident.scr
  • Washington DC Directory November 2012-EMBASSY OF THE PHILIPPINES.zip
  • ZPE-791-2012&ZPE-792-2012.rar
  • zpe-791-2012.PDF.scr

We've observed RAR, ZIP and 7ZIP archives in the attacks - the 7ZIP archives with passwords were probably introduced as a way to bypass the recent security features on Gmail, which block password-protected archives with executables inside.

Each backdoor has a command and control server inside as well as a version number and a campaign or victim identifier. Some examples include:

MD5 Date C&C Campaign identifier 2682a1246199a18967c98cb32191230c Mar 31 2014 freebsd.extrimtur[.]com 1.6.1_MOTAC 31b3cc60dbecb653ae972db9e57e14ec Mar 31 2014 freebsd.extrimtur[.]com 1.6.1_MOTAC 4dbfd37fd851daebdae7f009adec3cbd Nov 08 2013 articles.whynotad[.]com 1.5_articles.whynotad.com-nsc 015915bbfcda1b2b884db87262970a11 Feb 19 2014 guaranteed9.strangled[.]net 1.5_guaranteed9-nsc 3a40e0deb14f821516eadaed24301335 Mar 31 2014 hosts.mysaol[.]com 1.6.1_imi;simple 73396bacd33cde4c8cb699bcf11d9f56 Nov 08 2013 web01.crabdance[.]com 1.5_op_laptop 7c0be4e6aee5bc5960baa57c6a93f420 Nov 08 2013 hosts.mysaol[.]com 1.5_MMEA bff9c356e20a49bbcb12547c8d483352 Apr 02 2014 imgs09.homenet[.]org 1.6.1_It c0e85b34697c8561452a149a0b123435 Apr 02 2014 imgs09.homenet[.]org 1.6.1_It f13deac7d2c1a971f98c9365b071db92 Nov 08 2013 hosts.mysaol[.]com 1.5_MMEA f74ccb013edd82b25fd1726b17b670e5 May 12 2014 second.photo-frame[.]com 1.6.2s_Ab

The campaign identifiers could be related to the organizations targeted by the specific builds of this APT. Some possible descriptions for these initials could be:

Artifacts and overlap with other APTs

Interestingly, some of the infrastructure used by the attackers appears to overlap (although around a year apart) with a group tracked internally at Kaspersky Lab as PlayfullDragon (also known as "GREF"); while other aspects of the infrastructure overlap with a group known as Mirage or Vixen Panda.

For instance, one of the PlayfullDragon's Xslcmd backdoors described by our colleagues from FireEye (md5: 6c3be96b65a7db4662ccaae34d6e72cc) beams to cdi.indiadigest[.]in:53. One of the Hellsing samples we analysed (md5: 0cbefd8cd4b9a36c791d926f84f10b7b) connects to the C&C server at webmm[.]indiadigest[.]in. Although the hostname is not the same, the top level domain suggests some kind of connection between the groups. Several other C&C subdomains on "indiadigest[.]in" include:

  • aac.indiadigest[.]in
  • ld.indiadigest[.]in
  • longc.indiadigest[.]in

Another overlap we observed is with an APT known as Cycldek or Goblin Panda. Some of the Hellsing samples we analysed in this operation (e.g. md5: a91c9a2b1bc4020514c6c49c5ff84298) communicate with the server webb[.]huntingtomingalls[.]com, using a protocol specific to the Cycldek backdoors (binup.asp/textup.asp/online.asp).

It appears that the Hellsing developer started with the Cycldek sources and worked together with the operators from other APT groups. Nevertheless, it is sufficiently different to warrant classification as a stand-alone operation.

So, where does the Hellsing name come from? One of the samples we analysed (md5: 036e021e1b7f61cddfd294f791de7ea2) appears to have been compiled in a rush and the attacker forgot to remove the debug information. One can see the project name is Hellsing and the malware is called "msger":

Of course, Hellsing can have many different meanings, including the famous doctor from Bram Stoker's Dracula. However, according to Wikipedia, "Hellsing (ヘルシング Herushingu) is also a Japanese manga series written and illustrated by Kouta Hirano. It first premiered in Young King Ours in 1997 and ended in September 2008".

The Hellsing series chronicles the efforts of the mysterious and secret Hellsing Organization, as it combats vampires, ghouls, and other supernatural foes; which makes it perhaps an appropriate name for our group.

In addition to the Hellsing/msger malware, we've identified a second generation of Trojan samples which appear to be called "xweber" by the attackers:

"Xweber" seems to be the more recent Trojan, taking into account compilation timestamps. All the "msger" samples we have seen appear to have been compiled in 2012. The "Xweber" samples are from 2013 and from 2014, indicating that at some point during 2013 the "msger" malware project was renamed and/or integrated into "Xweber".

During our investigation we've observed the Hellsing APT using both the "Xweber" and "msger" backdoors in their attacks, as well as other tools named "xrat", "clare", "irene" and "xKat".

Other tools

Once the Hellsing attackers compromise a computer, they deploy other tools which can be used for gathering further information about the victim or doing lateral movement. One such tool is "test.exe":

Name test.exe Size 45,568 bytes MD5 14309b52f5a3df8cb0eb5b6dae9ce4da Type Win32 PE i386 executable

This tool is used to gather information and test available proxies. Interestingly, it also contains the Hellsing debug path:

Another attack tool deployed in a victim's environment was a file system driver, named "diskfilter.sys", although internally it claims to be named "xrat.sys". The driver is unsigned and compiled for 32-bit Windows. It was used briefly in 2013, before being abandoned by the attackers, possibly due to Windows 7 driver signing requirements:

Another tool used by the attackers is called "xKat":

Name xkat.exe Size 78,848 bytes MD5 621e4c293313e8638fb8f725c0ae9d0f Type Win32 PE i386 executable

This is a powerful file deletion and process killer which uses a driver (Dbgv.sys) to perform the operations. We've seen it being used by the attackers to kill and delete malware belonging to their competitors.

Some of the debug paths found in the binaries include:

  • e:\Hellsing\release\clare.pdb
  • e:\Hellsing\release\irene\irene.pdb
  • d:\hellsing\sys\irene\objchk_win7_x86\i386\irene.pdb
  • d:\hellsing\sys\xkat\objchk_win7_x86\i386\xKat.pdb
  • d:\Hellsing\release\msger\msger_install.pdb
  • d:\Hellsing\release\msger\msger_server.pdb
  • d:\hellsing\sys\xrat\objchk_win7_x86\i386\xrat.pdb
  • D:\Hellsing\release\exe\exe\test.pdb
Attribution

In general, the attribution of APTs is a very tricky task which is why we prefer to publish technical details and allow others to draw their own conclusions.

The Hellsing-related samples appear to have been compiled around the following times:

Assuming normal work starts at around 9 am, the attacker seems to be most active in a time-zone of GMT+8 or +9, considering a work program of 9/10 am to 6/7pm.

Conclusions

The Hellsing APT group is currently active in the APAC region, hitting targets mainly in the South China Sea area, with a focus on Malaysia, the Philippines and Indonesia. The group has a relatively small footprint compared to massive operations such as "Equation". Smaller groups can have the advantage of being able to stay under the radar for longer periods of time, which is what happened here.

The targeting of the Naikon group by the Hellsing APT is perhaps the most interesting part. In the past, we've seen APT groups accidentally hitting each other while stealing address books from victims and then mass-mailing everyone on each of these lists. But, considering the timing and origin of the attack, the current case seems more likely to be an APT-on-APT attack.

To protect against a Hellsing attack, we recommend that organisations follow basic security best practices:

  • Don't open attachments from people you don't know
  • Beware of password-protected archives which contain SCR or other executable files inside
  • If you are unsure about the attachment, try to open it in a sandbox
  • Make sure you have a modern operating system with all patches installed
  • Update all third party applications such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader

Kaspersky Lab products detect the backdoors used by the Hellsing attacker as: HEUR:Trojan.Win32.Generic, Trojan-Dropper.Win32.Agent.kbuj, Trojan-Dropper.Win32.Agent.kzqq.

Appendix:

Hellsing Indicators of Compromise

Microsoft Security Updates April 2015

Tue, 04/14/2015 - 13:58

Microsoft releases 11 Security Bulletins (MS15-032 through MS15-042) today, addressing a list of over 25 CVE-identified vulnerabilities for April of 2015. Critical vulnerabilities are fixed in Internet Explorer, Microsoft Office, and the network and graphics stacks. Most of the critical remote code execution (RCE) vulnerabilities reside in the IE memory corruption bugs for all versions of Internet Explorer (6-11) and the Microsoft Office use-after-free, however, they appear to all be result of private discoveries.

The Microsoft Office CVE-2015-1649 use-after free is a critical RCE impacting a variety of software and scenarios. The vulnerable code exists across desktop versions Word 2007, 2010, the Word Viewer and Office Compatibility apps, but not Word 2013 or Word for Mac. It's also critical RCE on the server-side in Word Automation Services on Sharepoint 2010 and Microsoft Office Web Apps Server 2010, but not SharePoint 2013 or Web Apps 2013.

As the new Verizon Data Breach 2015 report highlighted today, many exploits currently effective against targets are exploiting vulnerabilities patched long ago. According to their figures, many of the exploited CVE used on compromised hosts were published over a year prior. Microsoft provides Windows Update to easily keep your software updated, and Kaspersky products provide vulnerability scanners to help keep all of your software up-to-date, including Microsoft's. Please patch asap.

From the heap of vulnerabilities and fixes rated "Important", the Hyper-V DoS issue effects the newest Microsoft platform code: Windows 8.1 64-bit and Windows Server 2012 R2 (including the Server Core installation, which is fairly unusual). While the flawed code has not been found to enable EoP on other VMs within the Hyper-V host, attacked Hyper-V systems may lose management of all VMs in the Virtual Machine Manager.

Your Tax Refund with a Data Kidnapping Twist!

Tue, 04/14/2015 - 07:40

Oh, how procrastination gets all of us! April 15th is the U.S. tax deadline and it looks like most of us will be coming down to the wire on declaring our taxes and holding our collective breath in expectation of that sweet, sweet refund. Sadly, our malware writing friends are aware of this and their discipline has proven far superior. Knowing that many are on the lookout for emails from the Internal Revenue Service concerning pending refunds, criminals have crafted some of their own:

The attachment is actually a Trojan-Downloader.MsWord.Agent malware, built by the same group behind the recent LogMeIn malicious campaign described here.

The infection scheme is very similar to the aforementioned, however, the threat actor has moved on from abusing Pastebin entries and has instead hacked a Web server in China to host the instructions script file. This file as well as the download URL are also encoded in Base64 and the resulting payload is actually ransomware.

URLs embedded in the malicious macros leading to a Base64 encoded instructions script file and the payload URL below

Instructions files with the URL to the ransomware payload

The malicious ransomware payload is detected by Kaspersky Anti-Virus as Trojan-Ransom.Win32.Foreign.mfbg

Due to the reliance on the IRS branding, this particular malicious campaign is mostly focused on US citizens and permanent residents of the USA.

Challenging CoinVault – it's time to free those files

Mon, 04/13/2015 - 07:23

Some months ago we wrote a blog post about CoinVault. In that post we explained how we tore the malware apart in order to get to its original code and not the obfuscated one.

So when were contacted recently by the National High Tech Crime Unit (NHTCU) of the Netherlands' police and the Netherlands' National Prosecutors Office, who had obtained a database from a CoinVault command & control server (containing IVs, Keys and private Bitcoin wallets), we were able to put our accumulated insight to good use and accelerate the creation of a decryption tool.

We also created a website and started a communications campaign to notify victims that it might be possible to get their data back without paying.

To build the decryption tool we needed to know the following:

  • Which encryption algorithm was being used?
  • Which block cipher mode was being used?
  • And, most importantly, what malware are dealing with?

There was obviously no time for "hardcore" reverse engineering, so the first thing we did was run the malware sample to see what it was doing. And indeed, just as we thought, it was another CoinVault sample. The next thing we did was open the executable in a decompiler, where we saw that the same obfuscation method was used as described in the post. So CoinVault it is. However, we still didn't know which encryption algorithm and block cipher mode it was using.

But luckily we have a sandbox! The nice thing about the sandbox is that it executes the malware, but also has the ability to trace virtually anything. We can dump files and registry changes but in this case the memory dumps were the most interesting. We knew from the previous CoinVault samples that the malware was using the RijndaelManaged class, so all we had to do was search in the memory dump for this string.

And here it is. We see that it still uses AES, although not the 128-bit block size anymore, but the 256-bit one. Also the block cipher mode has changed from CBC to CFB. This was all the information we needed to write our decryption tool (link to decryption tool).

To see if you can decrypt your files for free, please go to https://noransom.kaspersky.com

Simda's Hide and Seek: Grown-up Games

Mon, 04/13/2015 - 00:30

On 9 April, 2015 Kaspersky Lab was recently involved in the synchronized Simda botnet takedown operation coordinated by INTERPOL Global Complex for Innovation. In this case the investigation was initially started by Microsoft and expanded to involve a larger circle of participants including TrendMicro, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior's Cybercrime Department "K" supported by the INTERPOL National Central Bureau in Moscow.

As a result of this takedown of 14 C&C servers in the Netherlands, USA, Luxembourg, Poland and Russia. Preliminary analysis of some of the sinkholed server logs revealed a list of 190 countries affected by the Simda botnet.

Simba character, courtesy of Walt Disney Productions, has nothing to do with Simda botnet

Simda is a mysterious botnet used for cybercriminal purposes, such as the dissemination of potentially unwanted and malicious software. This bot is mysterious because it rarely appears on our KSN radars despite compromising a large number of hosts every day. This is partly due to detection of emulation, security tools and virtual machines. It has a number of methods to detect research sandbox environments with a view to tricking researchers by consuming all CPU resources or notifying the botnet owner about the external IP address of the research network. Another reason is a server-side polymorphism and the limited lifetime of the bots.

Simda is distributed by a number of infected websites that redirect to exploit kits. The bot uses hardcoded IP addresses to notifying the master about various stages of execution process. It downloads and runs additional components from its own update servers and can modify the system hosts file. The latter is quite an interesting technique, even if it seems deceptively obvious at first glance.

Normally malware authors modify host files to tamper with search engine results or blacklist certain security software websites, but the Simda bot adds unexpected records for google-analytics.com and connect.facebook.net to point to malicious IPs.

KL detected the #Simda #bot as Backdoor.Win32.Simda, it affected hundreds thousands victims worldwide

Tweet

Why is that, one might ask? We don't know, but we believe that the answer is connected with Simda's core purpose – the distribution of other malware. This criminal business model opens up the possibility of exclusive malware distribution. This means that the distributors can guarantee that only the client's malware is installed on infected machines. And that becomes the case when Simda interprets a response from the C&C server - it can deactivate itself by preventing the bot to start after next reboot, instantly exiting. This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body.

Now, curious mind may ask: how does it help them? Those domains are no longer used to generate search results, but machines infected by Simda in the past might occasionally continue to send out HTTP requests to malicious servers from time to time, even in when exclusive 3rd-party malware is supposed to have been installed.

We need to remember that these machines were initially infected by an exploit kit using a vulnerability in unpatched software. It's highly likely that 3rd-party malware will be removed over time, but a careless user may never get round to updating vulnerable software.

If all those hosts keep coming back to the malicious servers and asking for web resources such as javascript files, the criminals could use the same exploits to re-infect the machines and sell them all over again – perhaps even 'exclusively' to the original client. This confirms once again – even criminals can't trust criminals.

In this investigation Microsoft and various law enforcement bodies completed the sinkholing process and Kaspersky Lab willingly contributed to the preparations for the takedown. That work included technical analysis of malware, collecting infection statistics, advising on botnet takedown strategy and consulting our INTERPOL partners.

Kaspersky Lab detected the Simda bot as Backdoor.Win32.Simda and according to our estimations based on KSN statistics and telemetry from our partners it affected hundreds thousands victims worldwide.

Simda is automatically generated on demand and this is confirmed by the absence of any order in compilation link times. Below is a chart generated from a small subset of about 70 random Simda samples:

Samples link times in UTC timezone

The increase in link times is most likely related to the activity of the majority of Simda victims located somewhere between UTC-9 and UTC-5 timezones, which includes United States.

Thanks to the sinkhole operation and data sharing between partners we have put up a page where you can check if your IP has connected to Simda C&C servers in the past. If you suspect your computer was compromised you can use one of our free or trial solutions to scan your whole hard drive or install Kaspersky Internet Security for long-term protection.

Kaspersky Lab products currently detect hundreds of thousands of modifications of the Simda together with many different 3rd-party malware distributed during the Simda campaign.

Darwin Nuke

Fri, 04/10/2015 - 07:00

In December 2014 we discovered a very interesting vulnerability in the Darwin kernel, which is an open source part of Apple's two operating systems: OS X and iOS. As a result, OS X 10.10 and iOS 8 are also at risk. This vulnerability is connected with the processing of an IP packet that has a specific size and invalid IP options. As a result, remote attackers can cause DoS (denial of service) of a device with OS X 10.10 or iOS 8 installed. It means that attackers can send just one incorrect network packet to the victim and the victim's system will crash.

OS X 10.10 crash after invalid network packet processing

Using vulnerability in the Darwin kernel attackers can cause DoS of a device with OS X 10.10 or iOS 8 installed

Tweet

While analyzing this vulnerability we've discovered that the following devices with 64-bit processors and iOS 8 installed are affected by this threat:

  • iPhone 5s and later models
  • iPad Air and later models
  • iPad mini 2 and later models

To understand the nature of this bug let's look at a crash dump:

Kernel stack trace

You can see from this trace that something went wrong in the icmp_error() function and it calls the panic function. This function tries to construct a new ICMP error message and resend it. This screenshot shows that the icmp_error was called after parsing packet options. The problem lies in this piece of code:

The cause of the problem

When the conditions laid down in the code are met, the panic function is engaged and the system is shut down in emergency mode. This happens because the internal kernel structures have been changed and the new buffer size is insufficient to store a newly-generated ICMP packet. To cause this, the IP packet must satisfy the following criteria:

  • The size of the IP header should be 60 bytes.
  • The size of the  IP payload should be at least 65 bytes
  • There should be errors in the IP options (invalid size of option, class, etc.)

Example of packet that cause a crash

At first glance it is not obvious how this bug could be exploited effectively. However, a true professional can easily use it to break down a user's device or even interrupt the work of a corporate network. Usually this kind of incorrect packet would be dropped by routers or firewalls but we discovered several combinations of incorrect IP options that can pass through the Internet routers.

This vulnerability no longer exists in OS X 10.10.3 and iOS 8.3. In addition, users of Kaspersky Lab's products are secured against this vulnerability in OS X 10.10 by the Network Attack Blocker feature. Starting from Kaspersky Internet Security for Mac 15.0, this threat is detected as DoS.OSX.Yosemite.ICMP.Error.exploit.

The Banking Trojan Emotet: Detailed Analysis

Thu, 04/09/2015 - 10:00

Introduction

In the summer of 2014, the company Trend Micro announced the detection of a new threat - the banking Trojan Emotet.  The description indicated that the malware could steal bank account details by intercepting traffic.  We call this modification version 1.

In the autumn of that year a new version of Emotet was found.  It caught our attention for the following reasons:

  • The developers of this Trojan had begun to use technology that stole money automatically from victims' bank accounts - so called "Automatic Transfer System (ATS)".
  • The Trojan had a modular structure: it contained its own installation module, a banking module, a spam bot module, a module for stealing address books from MS Outlook and a module for organizing DDoS attacks (Nitol DDoS bot).
  • The creators made a significant effort to remain unnoticed: they didn't attack users in the RU zone but targeted the clients of a small number of German and Austrian banks (other well-known banking Trojans are less discerning in their choice of target),and the domain name of the ATS server changed frequently (once or several times a day).

We are going to refer to this modification as Emotet version 2. The bot contains and transfers the numbers one and seven to the command and control center (C&C), which suggests that the Trojan's authors considers this variant to be version 1.7.

Both versions of the Trojan attacked clients of German and Austrian banks.

#Trojan #Emotet targeted the clients of a small number of German, Austrian and Swiss banks

Tweet

We closely monitored Emotet version 2.  In December 2014 it ceased activity and the command servers stopped responding to infected computers.  We recorded the last command sent from the command centers on 10/12/2014, at 11:33:43 Moscow time.

However, the thoroughness with which the authors had approached the development of this Trojan and the high level of automation in its operation, left little doubt that this was not the end of the story.  And so it turned out - after a short break in January 2015, Emotet reappeared!  We are calling this modification version 3 (the bot contains and transfers the numbers one and 16 to the C&C, which we assume means that the authors consider this variant to be version 1.16).

In essence, Emotet version 3 is not that different to version 2 - the main differences are designed to make the Trojan less visible. Of the changes we noted, we would like to highlight the following:

  • The Trojan has a new built-in public RSA key and, although the communication protocols with the command center are identical for Emotet versions 2 and 3, if the old key is used the bot does not receive the correct answer from the command center.
  • The ATS scripts are partially cleaned of debugging information and comments.
  • New targets! Emotet is now also targeting clients of Swiss banks.
  • There has been a slight change in the technology used to inject code into the address space of explorer.exe.  Version 2 used a classic model for code injection: OpenProcess+WriteProcessMemeory+CreateRemoteThread. Version 3 uses only two stages of the previous model:OpenProcess+WriteProcessMemory;  and the injected code is initiated with the help of modified code of the ZwClose function in the address space of the explorer.exe process, which is also achieved using WriteProcessMemory.
  • Emotet version 3 resists investigation: if the Trojan detects that it has been started in a virtual machine it functions as usual but uses a different address list for the command centers.  However, all these addresses are false and are used only to mislead investigators.
  • The Trojan contains very few lines of text:  all lines that could warn investigators are encrypted using RC4 and are decrypted in allocated memory directly before use and deleted after use.

On the whole, we formed the impression that the main techniques used in version 3 of the banking Trojan were developed "in the field" using version 2 as a basis, and with the addition of improved stealth techniques.

Kaspersky Lab products detect all versions of this Trojan as Trojan-Banker.Win32.Emotet.  We also detect the following  modulesof Emotet:

  • Module for modifying HTTP(S) traffic - Trojan-Banker.Win32.Emotet.
  • Spam module - Trojan.Win32.Emospam.
  • Module for the collection of email addresses - Trojan.Win32.Emograbber.
  • Module for stealing email account data - Trojan-PSW.Win32.Emostealer.
  • Module designed for organising DDoS attacks — Trojan.Win32.ServStart.

We have seen the last module used with other malware and assume that it was added to Emotet by a cryptor.  It is quite possible that Emotet's authors are totally unaware of the presence of this module in their malware.  Whatever the case may be, the command centers of this module do not respond and the module has not been updated (its compilation date is 19 October 2014).

Infection

We currently know of only one method of distribution for the Emotet banking Trojan: distribution of spam mailings that include malicious attachments or links.

The attached files are usually ZIP archives containing the Emotet loader.  The files in the archives have long names, e.g. rechnung_november_2014_11_0029302375471_03_44_0039938289.exe.  This is done on purpose: a user opening the archive in a standard Windows panel might not see the extension .exe, as the end of the file name might not be displayed.  Sometimes there is no attachment and the text in the main body of the email contains a link to a malicious executable file or archive.

#Emotet banking #Trojan is distributed of spam mailings that include malicious attachments or links

Tweet

Examples of emails used to spread Emotet are given below.

Version 2 (link to malware):

Version 2 (attached archive):

Version 3 (link to malware):


The emails we found are almost identical to ones from well-known companies – for example Deutsche Telekom AG and DHL International GmbH.  Even the images contained in the messages are loaded from the official servers telekom.de and dhl.com, respectively.

When the email contains a link to malware, it downloads it from the addresses of compromised legitimate sites:

hxxp://*******/82nBRaLiv (for version 2)
or from the addresses
hxxp://*******/dhl_paket_de_DE and hxxp://*******/dhl_paket_de_DE (for version 3).

In Emotet version 3, when addresses are contacted with the form hxxp://*/dhl_paket_de_DE, the user receives a ZIP archive of the following form hxxp://*/dhl_paket_de_DE_26401756290104624513.zip.

The archive contains an exe-file with a long name (to hide the extension) and a PDF document icon.

Loading the Trojan

The Trojan file is packed by a cryptor, the main purpose of which is to avoid detection by anti-virus programs.  After being started and processed by the cryptor, control is passed to the main Emotet module - the loader.  This has to embed itself in the system, link with the command server, download additional modules and then run them.

Consolidation in the system is fairly standard — Emotet version 2 saves itself in %APPDATA%\Identities with a random name of eight characters (for example — wlyqvago.exe); adds itself to the autoloader (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) and  then deletes its source file with the help of a launched bat-file that is created in %APPDATA% with the name "ms[7_random_numbers].bat.

Emotet version 3 saves itself in %APPDATA%\Microsoft\ with a name in the format msdb%x.exe" (for example – C:\Documents and Settings\Administrator\Application Data\Microsoft\msdbfe1b033.exe); adds itself to the autoloader (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) and then deletes itself with the help of a launched bat-file (which is created in %APPDATA%\del%x.bat).

After consolidating itself in the system, Emotet obtains a list of the names of all processes running and calculates a hash from the name of every function, comparing the resulting value with the hardcoded  0xB316A779 (this hash corresponds to the process explorer.exe).  In this way, Emotet locates the process into which to inject itself.  Further, the Trojan unpacks its main code and injects it into the process explorer.exe.

Communication with the command center

The main module of the Trojan, the loader, communicates with the C&C using RC4 encryption.

The port used by the loader is hardcoded into it - 8080.

Command center addresses

The IP addresses of Emotet's command-and-control servers are hardcoded into the bot. There are several of these – one of the version 2 samples that we analyzed included 30 (note that 3 addresses on the list below belong to well-known legitimate resources):

hxxp://109.123.78.10
hxxp://66.54.51.172
hxxp://108.161.128.103
hxxp://195.210.29.237
hxxp://5.35.249.46
hxxp://5.159.57.195
hxxp://206.210.70.175
hxxp://88.80.187.139
hxxp://188.93.174.136
hxxp://130.133.3.7
hxxp://162.144.79.192
hxxp://79.110.90.207
hxxp://72.18.204.17
hxxp://212.129.13.110
hxxp://66.228.61.248
hxxp://193.171.152.53
hxxp://129.187.254.237
hxxp://178.248.200.118
hxxp://133.242.19.182
hxxp://195.154.243.237
hxxp://80.237.133.77
hxxp://158.255.238.163
hxxp://91.198.174.192
hxxp://46.105.236.18
hxxp://205.186.139.105
hxxp://72.10.49.117
hxxp://133.242.54.221
hxxp://198.1.66.98
hxxp://148.251.11.107
hxxp://213.208.154.110

In the sample of version 3 we investigated there were 19 command centers:

hxxp://192.163.245.236
hxxp://88.80.189.50
hxxp://185.46.55.88
hxxp://173.255.248.34
hxxp://104.219.55.50
hxxp://200.159.128.19
hxxp://198.23.78.98
hxxp://70.32.92.133
hxxp://192.163.253.154
hxxp://192.138.21.214
hxxp://106.187.103.213
hxxp://162.144.80.214
hxxp://128.199.214.100
hxxp://69.167.152.111
hxxp://46.214.107.142
hxxp://195.154.176.172
hxxp://106.186.17.24
hxxp://74.207.247.144
hxxp://209.250.6.60

Communication with the C&C when run in a virtual machine

Emotet version 3 contains another list of "command center" addresses, as given below:

hxxp://142.34.138.90
hxxp://74.217.254.29
hxxp://212.48.85.224
hxxp://167.216.129.13
hxxp://91.194.151.38
hxxp://162.42.207.58
hxxp://104.28.17.67
hxxp://8.247.6.134
hxxp://5.9.189.24
hxxp://78.129.213.41
hxxp://184.86.225.91
hxxp://107.189.160.196
hxxp://88.208.193.123
hxxp://50.56.135.44
hxxp://184.106.3.194
hxxp://185.31.17.144
hxxp://67.19.105.107
hxxp://218.185.224.231

The Trojan tries to contact these addresses if it detects that it is being run in a virtual machine.  But none of the addresses correspond to the bot's command centers, and the bot is therefore unsuccessful in trying to establish contact with them. This is probably done to confuse any investigators and give them the impression that the Trojan command centers are dead.  A similar approach was used previously in the high-profile banking Trojan, Citadel.

#Trojan #Emotet tries to contact the wrong addresses of the C&C if it is being run in a virtual machine

Tweet

The detection of a virtual machine is organized quite simply — by the names of processes that are usual for various virtual machines.  The following algorithm is used to calculate a hash value from the name of every process in the system:

Algorithm for calculation of a hash value from a process name

The resulting hash value is then compared with a list of values hardcoded into the Trojan:

Hashes from the names of processes used for the detection of virtual machines

We derived the names of the processes for several hashes. For example, hash 0xBCF398B5 corresponds to the process vboxservice.exe, hash 0x2C967737 to the process vmacthlp.exe, hash 0xE3EBFE44 to the process vmtoolsd.exe, and 0x61F15513 to the process vboxtray.exe.

Data transferred

A request to the command center appears in the traffic as follows (the example given is from version 2, but a version 3 request looks the same):

Dialogue between the Emotet bot and its command center

The URL-path that the bot communicates with appears as follows: /722ffc5e/355c7a0a/, where 722ffc5e is a number calculated on the basis of information from the access marker of the user, and  0x355c7a0a = 0x722ffc5e xor 0x47738654 (the value 0x47738654 is hardcoded into the bot).

The data sent by the bot and the command center are encrypted using RC4 and the answers received from the command center are signed with a digital signature.  Probably this is done to make it difficult to seize control over the botnet: in order for the bot to accept a packet it must be signed and for that it is necessary to know the secret key.

There is a public RSA key in the body of the bot. In PEM format for version 2 it appears as follows:

PEM representation of the open RSA key coded into the bot in version 2

As noted above, in version 3 the key changed.  In PEM format it looks like this:

PEM representation of the open RSA key coded into the bot in version 3

A packet sent to the server is made up as follows:

  • A request is generated containing the identifier of the infected computer, a value presumably indicating the version of the bot; information about the system (OS version, service pack version, product type); a hardcoded dword (value in the investigated sample — seven); control sums for the banker module; and information about the web-injects.  Information about the web-injects contains: a page address (with jokers), into which the injection is needed; data coming before the injected data; data coming after injected data; and injected data.
  • An SHA1 hash is calculated from the generated request.
  • The request is encrypted with a randomly generated 128 bit RC4 key.
  • The generated RC4 key is encrypted using the public RSA key.
  • The total packet is the concatenation of the results obtained at steps 4, 2 and 3.

The request packet can be represented by the following diagram:

Structure of a request from the bot to the server

In response the server sends a packet with the following structure:

Structure of the server's answer to the bot

The answer can contain information about the Emotet web-injects, Emotet modules and links for loading external modules (for example a spam bot or an updated loader).

Modules

Like most modern banking Trojans, Emotet has a modular structure.  To date we have detected the following modules:

Name Description Method of delivery to infected system loader loader In spam emails or by downloading via a link from a compromised site (for updates). nitol-like-ddos-module DDoS-bot mss Spam module Downloaded from compromised sites by the loader module. email_accounts_grabber Email account grabber, uses Mail PassView – a legitimate program designed for recovering forgotten passwords and mail accounts Received by the loader module in the answer packet from the command center. banker Module for modifying HTTP(S)-traffic Received by the loader module in the answer packet from the command center. outlook_grabber Outlook address book grabber Received by the loader module in the answer packet from the command center.

Several modules can work independently of the loader module, as they don't need to import anything from it.

The whole arrangement of the bot is evidence of a high level of automation: new email addresses are collected automatically from the victims' address books, spam with the Emotet loader is sent automatically, and money is transferred automatically from the user.  Operator participation is kept to a minimum.

As an example, here is the report of the outlook_grabber module sent to the attacker (from Emotet version 2) with a stolen Outlook address book:

A stolen Outlook address book, transferred to the criminals' server

One positive note is that when trying to contact one of the attackers' servers an answer is obtained containing "X-Sinkhole: Malware sinkhole", meaning that the stolen data will not reach the criminals — this domain, which is used by Emotet version 2, is no longer controlled by the authors of the Trojan.

However, for version 3 things are different.  This is how the report of the email_accounts_grabber module appears for Emotet version 3:

Report containing data about the user's email accounts

It is clear that the server answers "200 OK". This means that the criminals have successfully received the data.

Stand and Deliver!

Information about the data for injection into the page that is received by Emotet after unpacking appears as follows:

Decrypted data on the web-injects of Emotet version 2

Decrypted data in the web-injects of Emotet version 3

The significant difference in data on injects between the two versions is as follows: Emotet version 3 is aimed at the clients of Swiss credit organizations.  To date we have not seen scripts for the automatic stealing of money from clients' accounts in these credit organizations but we are certain that such scripts will be written soon.

Although individual fragments of HTML code in the decrypted packet can be read easily, understanding the rules for use of the web-injects from the deciphered data is difficult.  Below, in JSON format, several web-inject rules are given for one target — the site of a German bank (Emotet version 2).

The web-inject rules for the site of a German bank (Emotet version 2)

The use of this web-inject leads to the creation of a new element of type 'div', which will have the size of the whole visible page, and to the addition of a new script in the HTML document.  In the example given the script is loaded from the address hxxps://*******.eu/birten/luck.php?lnk=js&id=44.

And an analogous view of several inject rules for a new target — the site of a large Austrian bank (Emotet version 3).

The web-inject rules for the site of an Austrian bank (Emotet version 3)

It is clear that the configuration file with the web-injects has a classic structure, using fields conventionally called  data_before, data_after and data_inject.

It should be noted that the address of the host on which the file luck.php (for version 2) and a_00.php (for version 3) is located is changed frequently.  The rest of the address of the script is constant.

If the investigator tries the script directly, only an error message is received.  However, in a real attack when the line

is added to the real bank page, the script loads successfully.

This happens because the criminals' server checks the "Referer" field of the header of the HTTP request and sends the script only if the request came from a page of one of the banks attacked by Emotet.

Having supplied the necessary Referrer one can easily obtain the script code.

At Kaspersky Lab we obtained scripts designed for injection into the pages of the attacked banks.

Table 1.  Targets of Emotet version 2, types of attacks and the identification numbers of scripts loaded for carrying out these attacks.

Table 2. Targets of Emotet version 3, types of attacks and the identification numbers of scripts loaded for carrying out these attacks.

In one of the scripts of Emotet version 2 that was used to attack a German bank the comments contain the following line:

Artifact from the script for an attack on a German bank (Emotet version 2)

Clearly the script developers speak Russian.

Getting round two-factor authentication

The main purpose of the scripts looked at above is to carry out the illicit transfer of money from the user's account.  However the bot cannot independently get round the system of two-factor authentication (Chip TAN or SMS TAN), it needs the user's help.  To mislead the potential victim, social engineering techniques are used: the message injected into the webpage using the script informs the user that the site is introducing a new security system and normal operations cannot be continued until the user has tested it in the demo-regime.

False message about new security system

This is followed by a request to enter real data from the Chip TAN or SMS TAN to carry out a "test transfer":

And finally - congratulations that the task has been completed successfully:

In fact, instead of a test transfer the malicious script carries out a real transfer of money from the victim's account to the account of a nominated person — the so-called "drop", and the user themselves confirms this transfer using the Chip TAN or SMS TAN.

Details of the accounts for the transfer of the stolen money are not initially indicated in the script, but are received from the command server of the criminals using a special request.  In reply the command server returns a line with information about the "drop" for each specific transaction.  In the comments in one script we found the following line:

Clearly the criminals tested this script with a transfer of 1500.9 EUR to a test account.

In addition, this script contained the following information about the drop:

In the corresponding script in Emotet version 3, designed to attack the same bank, we also found information on the drop, but this time another one:

Let's compare the fields JSON __DropParam and the fields in the legitimate form from a demo-access to the online system of the attacked bank.

Online banking form for transfer of money within Germany or in the SEPA zone

Table 3. Relationship between the drop data and the fields in the form for transfer of money and explanations of these fields

Name of fields in the __DropParam JSON Name of corresponding field in the form Translation Field contents name Empfängername Name of recipient Real name of drop who will receive the stolen money ibanorkonto IBAN/Konto-Nr. International bank account number/ account number Account number, international or local, to which money will be transferred bicorblz BIC/BLZ BIC or BLZ code International bank identification code or identification code used by German and Austrian banks (Bankleitzahl) description Verwendungszweck Purpose Purpose of payment amount Betrag Amount Transferred amount

The JSON __DropParam fields correspond to the fields in the form.

In this way the bot receives all the necessary information about the drop from its server and draws up a transfer to it, and the misled user confirms the transfer using the Chip TAN or SMS TAN and waves goodbye to their money. 

Conclusion

The Emotet Trojan is a highly automated and developing, territorially-targeted bank threat. Its small size, the dispersal methods used and the modular architecture, all make Emotet a very effective weapon for the cyber-criminal.

The #Emotet #Trojan is a highly automated and developing, territorially-targeted bank threat

Tweet

However this banking Trojan doesn't incorporate conceptually new technology and so the use of a modern anti-virus program can provide an effective defense against the threat.

Furthermore, the Trojan cannot function effectively without the participation of the user — the Emotet creators have actively used social engineering techniques to achieve their criminal ends.

And so the alertness and technical awareness of the user, together with the use of a modern anti-virus program can provide reliable protection against not only Emotet but other` new banking threats working in a similar way.

Some MD5 hashes

Emotet version 2:
7c401bde8cafc5b745b9f65effbd588f
34c10ae0b87e3202fea252e25746c32d
9ab7b38da6eee714680adda3fdb08eb6
ae5fa7fa02e7a29e1b54f407b33108e7
1d4d5a1a66572955ad9e01bee0203c99
cdb4be5d62e049b6314058a8a27e975d
642a9becd99538738d6e0a7ebfbf2ef6
aca8bdbd8e79201892f8b46a3005744b
9b011c8f47d228d12160ca7cd6ca9c1f
6358fae78681a21dd26f63e8ac6148cc
ac49e85de3fced88e3e4ef78af173b37
c0f8b2e3f1989b93f749d8486ce6f609
1561359c46a2df408f9860b162e7e13b
a8ca1089d442543933456931240e6d45

Emotet version 3:
177ae9a7fc02130009762858ad182678
1a6fe1312339e26eb5f7444b89275ebf
257e82d6c0991d8bd2d6c8eee4c672c7
3855724146ff9cf8b9bbda26b828ff05
3bac5797afd28ac715605fa9e7306333
3d28b10bcf3999a1b317102109644bf1
4e2eb67aa36bd3da832e802cd5bdf8bc
4f81a713114c4180aeac8a6b082cee4d
52f05ee28bcfec95577d154c62d40100
772559c590cff62587c08a4a766744a7
806489b327e0f016fb1d509ae984f760
876a6a5252e0fc5c81cc852d5b167f2b
94fa5551d26c60a3ce9a10310c765a89
A5a86d5275fa2ccf8a55233959bc0274
b43afd499eb90cee778c22969f656cd2
b93a6ee991a9097dd8992efcacb3b2f7
ddd7cdbc60bd0cdf4c6d41329b43b4ce
e01954ac6d0009790c66b943e911063e
e49c549b95dbd8ebc0930ad3f147a4b9
ea804a986c02d734ad38ed0cb4d157a7

The author would like to express his thanks to Vladimir Kuskov, Oleg Kupreev and Yury Namestnikov for their assistance in the preparation of this article.

A flawed ransomware encryptor

Wed, 04/08/2015 - 06:00

In the middle of last year, my colleagues published a blogpost about a new generation of ransomware programs based on encryptor Trojans, and used the example of the Onion family (also known as CTB-Locker) to analyze how these programs work.

Last autumn, we discovered the first sample of an interesting new encryptor, TorLocker (this is the original name given by the creator); later on, TorLocker was used to launch an attack on Japanese users. When it was discovered on 24 October, 2014, the proactive components in Kaspersky Lab's products already detected this piece of malware; later on, it was assigned the verdict 'Trojan-Ransom.Win32.Scraper'.

Trojan-Ransom.Win32.Scraper encrypts the victim's documents and demands a ransom ($300 or greater) to decrypt them

Tweet

All the TorLocker samples that we have obtained belong to one of two versions: 1.0.1 (in English) or 2.0 (in English and Japanese.) There are only slight differences between them: 1) in the method employed to obfuscate code, and 2) in the sources used for additional modules: in the first version, the additional modules are extracted from the data section, while in the second version, they are downloaded from the Internet (from file hosting services or from compromised sites). Also in the second version, some strings were relocated from the data section into the code section, and dangling (redundant, not used) bytes emerged. The file encryption algorithm is the same in both versions.

Common features and peculiarities of this malware family

Our analysis has shown that Trojan-Ransom.Win32.Scraper was presumably written in assembler, which is unusual for this type of malware. The Trojan uses the Tor network to contact its "owners" – something that is apparently becoming a norm for the new generation of ransomware – and the proxy server polipo. This piece of malware often lands on users' computers via the Andromeda botnet.

Trojan-Ransom.Win32.Scraper encrypts the victim's documents and demands a ransom ($300 or greater) to decrypt them. If the malware gets deleted by a security product after the files are encrypted, the Trojan installs bright red wallpaper on the Desktop, containing a link to its executable file. Thus, users have a chance to re-install the Trojan and report to its owners that they have paid the ransom: to do so, users need to enter payment details in a dedicated TorLocker window. This data will be sent to the C&C server which will either reply with a private RSA key or notify that there was no payment.

This typical representative of the Scraper family is packed with UPX. The data section is additionally encrypted with AES with a 256-bit key. In the code section, between the assembler instructions, there are a large number of redundant bytes that are not used in any way.

The redundant bytes in the encryptor's body

The method of submitting string arguments to functions is just as unusual. The strings are located directly in the code section; in order to submit a string as an argument to a function, the pointer to that string is placed into the stack by way of calling (using the 'call' instruction) the instruction following the string. As a result, the return address (which is identical to the pointer to the string) is placed into the stack:

Handling string constants as arguments to functions

Operating principles

Once launched, the Trojan starts by decrypting its data section with a 256-bit AES key. The first 4 bytes of this key are used as a sample ID, added to the end of the encrypted files. Then the Trojan is copied to a temporary folder, and a registry key for that copy's autorun is created in the following registry section:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Next the Trojan creates several threads to do the following:

  • Search for and terminate the taskmgr.exe, regedit.exe, procexp.exe, procexp64.exe processes.
  • Delete all system recovery points.
  • Encrypt the user's office documents, video and audio files, images, archives, databases, backup copies, virtual machines encryption keys, certificates and other files on all hard and network drives, except files located in the folders %windir%, %temp%. The names and extensions of encrypted files remain unchanged.
  • Here is the complete list of file extensions that are encrypted:
    .3gp .7z .accdb .ai .aiff .arw .avi .backup .bay .bin .blend .cdr .cer .cr2 .crt .crw .dat .dbf .dcr .der .dit .dng .doc .docm .docx .dwg .dxf .dxg .edb .eps .erf .flac .gif .hdd .indd .jpe .jpg .jpeg .kdc .kwm .log .m2ts .m4p .mdb .mdf .mef .mkv .mov .mp3 .mp4 .mpg .mpeg .mrw .ndf .nef .nrw .nvram .odb .odm .odp .ods .odt .ogg .orf .p12 .p7b .p7c .pdd .pdf .pef .pem .pfx .pif .png .ppt .pptm .pptx .psd .pst .ptx .pwm .qcow .qcow2 .qed .r3d .raf .rar .raw .rtf .rvt .rw2 .rwl .sav .sql .srf .srw .stm .txt .vbox .vdi .vhd .vhdx .vmdk .vmsd .vmx .vmxf .vob .wav .wb2 .wma .wmv .wpd .wps .xlk .xls .xlsb .xlsm .xlsx .zip
  • Extract a BMP image, save it to a temporary folder and then set it as desktop wallpaper:
  • Download tor.exe and polipo.exe, the files required to communicate with C&C servers, from the links specified in the Trojan's configuration (in the case of TorLocker 2.0) or extract them from the data section (in case of TorLocker 1.0). Then tor.exe is launched with the following arguments: tor.exe -SOCKSPort 9150 -AvoidDiskWrites 1 -ExcludeSingleHopRelays 0 -FascistFirewall 1 -DirReqStatistics 0

    polipo.exe is launched in the following configuration:

    127.0.0.1:57223 proxyPort = 57223 socksParentProxy = 127.0.0.1:9150 socksProxyType = socks5
  • Create a GUI window demanding that the victim pays the creators of Trojan-Ransom.Win32.Scraper and display the window in the top left corner of the screen. It supports payment via BitCoin, UKash and PaySafeCard.

    To encourage the user to pay the ransom to the Trojan's owners faster, the Trojan threatens to delete the private key required to decrypt the files if the user fails to send the money within a certain time period. In reality, the RSA keys are not deleted. They are associated with the malware sample rather than with a specific user, so the same RSA key is used for several users at the same time.

  • The IP address of the victim computer is determined using www.iplocation.net, www.seuip.com.br, whatismyipaddress.com, or checkip.dyndns.org.
  • Establish a connection to the C&C server in the onion domain via the proxy server polipo 127.0.0.1:57223. If the victim user has paid the ransom to the extorters, then, after contacting the C&C server and sending the information about the client (the selected RSA key, the number of encrypted files, the client's IP address and ID, the selected method of payment and the number of the bank card), the Trojan then receives the private RSA key with which to decrypt the files – in this case, a file decryption thread is created. Otherwise, a message is sent that the payment has not been effected yet. In each sample of Trojan-Ransom.Win32.Scraper?, a few dozens C&C domain names are hardcoded; they are not updated and may lead to the same C&C server.
Encryption

When launching, Trojan-Ransom.Win32.Scraper chooses one of the 128 public RSA keys hardcoded in it, depending on the victim computer's name and the serial number of the logical drive. The number (n) of the public RSA key is calculated as following:

n = (VolumeSerialNumber * strlen(ComputerName)) mod 128,
where strlen(ComputerName) is the length of the computer's name, and VolumeSerialNumber is the serial number of the logical drive on which Winsow is installed.

Each sample contains its own set of public keys.

The user's files are encrypted with AES-256 with a randomly generated one-time key; an individual encryption key is created for each file. Then, a 512-byte service section is added to the end of each file, which consists of 32 bytes of padding, 4 bytes of the Trojan's identifier, and 476 bytes of the employed AES key encrypted with RSA-2048.

If the file size is greater than 512 MB + 1 byte, then of the first 512 MB of the file get encrypted. The encrypted data is written on top of the original, non-encrypted data; no new file is created, and the old file is not deleted.

The Structure of an encrypted file

The Trojan does not need Internet access to encrypt the files.

Packing

In order to obstruct the analysis, some of the detected samples of Trojan-Ransom.Win32.Scraper were additionally packed with the KazyLoader and KazyRootkit protectors along with UPX.

KazyLoader is a two-stage protector of executable files, written in .NET Framework. The protected executable is encrypted with AES, and then placed into the protector's assets section as a color palette of a BMP image.

The image decryption module is encrypted by XORing with one byte, then divided into parts and also placed into the protector assets section in the form of strings LOADER0, LOADER1, … LOADER272.

The KazyRootkit protector is also written in .NET Framework and has a feature that can conceal processes in the Task Manager (taskmgr.exe) and conceal registry keys in the Registry Editor (regedit.exe) by deleting strings from ListView GUI elements with the help of WinAPI. Depending on its configuration, the protector may shut down without unpacking the file embedded in it, if it detects any of Sandboxie, Wireshark, WPE PRO or a code emulator.

Although Scraper (TorLocker) encrypts all files with AES-256 + RSA-2048, in 70%+ cases they can be decrypted

Tweet

The file to be protected is encrypted by XORing with a certain key, and then injected into the protector's process. A large array of random bytes is stored in the protector's overlay.

Partnership program

Trojan-Ransom.Win32.Scraper's builder (i.e. the program with which to create new samples of the Trojan with specified configuration) is distributed via a partnership program and sold for a few bitcoins. We found two posts about selling the builder for TorLocker 2.0 in the 'Evolution' (now taken down) underground online store:


The published screenshot of the builder suggests that the cybercriminal can change some of the encryptor's settings, as follows:

  • Allow or block the launch of Task Manager or Process Explorer after infection;
  • Allow or block the use of payment systems like BitCoin, PaySafeCard and Ukash to pay the ransom;
  • Allow or block the removal of Windows recovery points;
  • Modify the links from which to download tor.exe and polipo.exe; modify the names of these files after they are downloaded.

A screenshot of the builder's window

On the underground e-store's website, there are 11 reviews of the vendor of the Trojan-Ransom.Win32.Scraper builder, posted between 8 May 2014 and 17 January 2015.

By way of advertisement, news links are published about successful attacks performed using Trojan-Ransom.Win32.Scraper.

A brief description of TorLocker's operating principles and a comparison with CryptoLocker is also provided.

Decryption

At the decryption stage, when the ransom payment is received, Trojan-Ransom.Win32.Scraper contacts the cybercriminals' C&C servers via the Tor network and the polipo proxy server, to receive a private RSA key. With this key, the Trojan decrypts the AES key for each encrypted file, and then decrypts the files.

Although Trojan-Ransom.Win32.Scraper encrypts all files with AES-256 + RSA-2048, in 70%+ cases they can be decrypted because of the errors made during the implementation of cryptography algorithms. To restore the original files, Kaspersky Lab has developed the ScraperDecryptor utility, which can be downloaded from Kaspersky Lab's technical support website.

Blockchain Technology Abuse: Time to Think About Fixes

Tue, 04/07/2015 - 06:57

Kaspersky Lab and INTERPOL recently presented research on how blockchain-based cryptocurrencies could be abused through the pollution of public decentralized databases with arbitrary data.  During our presentation at the BlackHat Asia conference in Singapore, we demonstrated the proof-of-concept using the Bitcoin network, but it's important to understand that any cryptocurrency that relies on blockchain technology can be abused in this way.

Blockchain-based cryptocurrencies could be abused through the pollution of p2p databases with arbitrary data

Tweet

Some believe that security researchers, especially those from the anti-malware industry, generally only publish threat reports after the discovery of a threat in the wild.  However, this is not always true.  Our current research focuses on potential future threats that could be prevented before cryptocurrencies are fully adopted and standardized. While we generally support the idea of blockchain-based innovations, we think that, as part of the security community, it is our duty to help developers make such technologies fit-for-purpose and sustainable.

Blockchainware, short for blockchain-based software, stores some of its executable code in the decentralized databases of cryptocurrency transactions. It is based on the idea of establishing a connection to the P2P networks of cryptocurrency enthusiasts, fetching information from transaction records and running it as code. Depending on the payload fetched from the network, it can be either benign or malicious.

The proof-of-concept code we demonstrated was a benign piece of software

Tweet

To ensure the accurate interpretation of our research, we would like to point out that in the anti-malware industry, there is a clear definition of what constitutes malware, and there are extremely strict policies in place that forbid any attempts to create or distribute malware. The proof-of-concept code we demonstrated was a benign piece of software that opened the Notepad application after getting a confirmation from the user.

So, what exactly did we demonstrate at BlackHat Asia?   See for yourself at:  https://www.youtube.com/watch?v=FNsqXHbeMco

As we pointed out during our presentation, possible solutions can be introduced at different layers. From the perspective of a company developing endpoint security solutions, we don't believe it's too much trouble to blacklist applications that load unpredictable external payload from a P2P network.

We believe that the value of solution development lies in its neutrality and decentralized decision-making

Tweet

However, from the perspective of the cryptocurrency network, it's still an open question. We are not the experts in this field, and are therefore not best placed to propose effective solutions.  We also don't want to promote any specific solution as we believe that the value of solution development (as in the case of Bitcoin) lies in its neutrality and decentralized decision-making.

That's why we suggest this is a project for the cryptocurrency community.

We don't promote any specific solution. We suggest this is a project for the cryptocurrency community

Tweet

As a starting point for opening a discussion in the community, we suggest looking for an opportunity to implement a network consensus/negotiation algorithm that will sustain the clean state of the blockchain.

Don't Feel Left Out: Ransomware for IT Security Enthusiasts!

Tue, 04/07/2015 - 05:45

Macros are so hot right now

It's getting dark outside and our favorite mail client beeps with excitement for a new missive in our inbox, something interesting perhaps? A rapid glimpse at the contents of the message should indicate that a malicious campaign will play the starring role in what follows. An included attachment reveals itself as a malicious document with password-protected embedded macros. Moreover, a quick analysis of the file shows that it's dropping an executable payload to the system, which further piques our interest in this devious sample:

After opening the file, and only once the victim has been lured into enabling macros,  a seemingly innocuous Word document is shown.

File metadata betrays the developer's rush in crafting this file, using the Russian language letters "фыв" to fill the tags section:

"фыв" corresponds to the "asd" letter combination on Latin keyboards so often used as mindless filler.

Delving into the code

The second stage malicious script containing the instructions is downloaded from a public entry hosted on Pastebin in base64 encoding mode.

The full instruction set is 101 lines long and at the time of writing it counts with more than 5k reads. So this seems like a reliable indicator of the number of potential infections by this malware.

It is important to mention that upon discovery of the initial malicious document, Virustotal showed a null detection rate (however, the executable payload itself was detected by Kaspersky as Trojan-Ransom.Win32.Foreign.mdst)

The decoded script looks like this:

The decoded base64 payload downloaded from Pastebin fetches a file that includes several tokens to be used by the beckoning VBS script. Each token represents a section of the code that needs to be called in a specific order to achieve infection. The sections are named using a generic convention such as 'text20', 'text21', 'stext1', etc. Using the 'Tort' function implemented in the VBS script module, the instructions are deobfuscated and then outputted for execution.

The payload Trojan-Ransom.Win32.Foreign.mdst connects to an onion-based domain via the Tor2Web service

Tweet

In the case of the ' ' section, we can find a PowerShell script being called using the '-noexit' option, which according to Microsoft's Technet documentation is commonly used when running scripts via the command prompt (cmd.exe) so as to avoid exiting after execution. It's worth mentioning the second parameter, which sets the execution policy to bypass mode. Interestingly, by using a simple command line option this malicious creation is able to bypass the PowerShell execution policy configured in the system.

The file set for execution by PowerShell is also set by the original VBS script. A simple yet annoying obfuscation is in charge of getting the final string to be passed as a parameter.

As per the instructions above, the 'currentFile' variable will be replaced by the value of Chr(34) or a quotation mark, and the value of the variables PH2, FL2 and another static text value. Both PH2 and FL2 variables are set at the beginning of the execution of the script, FL2 being the random text used to name several files inside a temporary location set by PH2.

Even though the mechanism is not very complex, we can see that the malware writers took any measures available to slow down analysis and hide the real purpose of their code, even if by virtue of being a script it should be human readable.

We already reported the abusive Pastebin URL.

Payload

The payload is a binary PE file (self-extracting archive or SFX) named "file.exe". Upon execution, "file.exe" is copied to "C:\Windows\System32\WinSrv32.exe" and deleted from its original calling location. Persistence in the infected system is obtained via a registry key written in the following branch "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".

This payload connects to an onion-based domain via the Tor2Web service.

The mention of a hostname refers to the front-facing side of the um6fsdil5ecma5kf.onion domain that serves as a C2 of the payload malware.

Detection names for malware 239d4f67692a5883574e3c496d88979c logmein_coupon.doc Trojan-Downloader.MsWord.Agent.hz 41d605b3981f330bd893b2dfd6e1d890 file.exe Trojan-Ransom.Win32.Foreign.mdst

Sinkholing Volatile Cedar DGA Infrastructure

Tue, 03/31/2015 - 16:35

There is currently some buzz about the Volatile Cedar APT activity in the middle east, a group that deploys not only custom built RATs, but usb propagation components, as reported by Check Point [pdf].

One interesting feature of the backdoors used by this group is their ability to first connect to a set of static updater command and control (c2) servers, which then redirect to other c2. When they cannot connect to their hardcoded static c2, they fall back to a DGA algorithm, and cycle through other domains to connect with.

Statistics:

This particular actor's true impact seemed interesting, so we sinkholed some of their dynamically generated command and control infrastructure. These victim statistics present a somewhat surprising profile. Almost all of these victims are geolocated in Lebanon.

Victims checking in to DGA c2

Clearly, the bulk of the victims we observe are all communicating from ip ranges maintained by ISPs in Lebanon. And most of the other checkins appear to be research related. Almost all of the backdoors communicating with sinkholed domains are the main "explosion" backdoor. But, some of the victim systems in Lebanon communicating with our sinkhole are running the very rare "micro" backdoor written up in the paper: "Micro is a rare Explosive version. It can best be described as a completely different version of the Trojan, with similarities to the rest of Explosive "family" (such as configuration and code base). We believe that Micro is actually an old ancestor of Explosive, from which all other versions were developed. As in other versions, this version is also dependent on a self-developed DLL named "wnhelp.dll." They check in to edortntexplore.info with the URI "/micro/data/index.php?micro=4" over port 443.

While Volatile Cedar certainly does not have a high level of technological prowess, it appears that they have been effective at spreading their malware, much like the Madi APT we reported on mid-2012. Because the group is not known for spearphishing, IT administrators should be aware of their own publicly exposed attack surface like web applications, ftp servers, ssh servers, etc, and ensure they are not vulnerable to SQLi, SSI attacks, and other server side offensive activity.

Kaspersky Verdicts and MD5s:

Trojan.Win32.Explosion.a
981234d969a4c5e6edea50df009efedd

Trojan.Win32.Explosion.b
7031426fb851e93965a72902842b7c2c

Trojan.Win32.Explosion.c
6f11a67803e1299a22c77c8e24072b82

Trojan.Win32.Explosion.d
eb7042ad32f41c0e577b5b504c7558ea

Trojan.Win32.Explosion.e
61b11b9e6baae4f764722a808119ed0c

Trojan.Win32.Explosion.f
c7ac6193245b76cc8cebc2835ee13532
184320a057e455555e3be22e67663722

Trojan.Win32.Explosion.g
5d437eb2a22ec8f37139788f2087d45d

Trojan.Win32.Explosion.i
7dbc46559efafe8ec8446b836129598c

Trojan.Win32.Explosion.j
c898aed0ab4173cc3ac7d4849d06e7fa

Trojan.Win32.Explosion.k
9a5a99def615966ea05e3067057d6b37

Trojan.Win32.Explosion.l
1dcac3178a1b85d5179ce75eace04d10

Trojan.Win32.Explosion.m
22872f40f5aad3354bbf641fe90f2fd6

Trojan.Win32.Explosion.n
2b9106e8df3aa98c3654a4e0733d83e7

Trojan.Win32.Explosion.o
08c988d6cebdd55f3b123f2d9d5507a6

Trojan.Win32.Explosion.p
1d4b0fc476b7d20f1ef590bcaa78dc5d

Trojan.Win32.Explosion.q
c9a4317f1002fefcc7a250c3d76d4b01

Trojan.Win32.Explosion.r
4f8b989bc424a39649805b5b93318295

Trojan.Win32.Explosion.s
3f35c97e9e87472030b84ae1bc932ffc

Trojan.Win32.Explosion.t
7cd87c4976f1b34a0b060a23faddbd19

Trojan.Win32.Explosion.u
ea53e618432ca0c823fafc06dc60b726

Trojan.Win32.Explosion.v
034e4c62965f8d5dd5d5a2ce34a53ba9

Trojan.Win32.Explosion.w
5ca3ac2949022e5c77335f7e228db1d8

Trojan.Win32.Explosion.x
ab3d0c748ced69557f78b7071879e50a

Trojan.Win32.Explosion.y
5b505d0286378efcca4df38ed4a26c90

Trojan.Win32.Explosion.z
e6f874b7629b11a2f5ed3cc2c123f8b6

Trojan.Win32.Explosion.aa
306d243745ba53d09353b3b722d471b8

Trojan.Win32.Explosion.ab
740c47c663f5205365ae9fb08adfb127

Trojan.Win32.Explosion.ac
c19e91a91a2fa55e869c42a70da9a506

Trojan.Win32.Explosion.ad
edaca6fb1896a120237b2ce13f6bc3e6

Trojan.Win32.Explosion.ae
d2074d6273f41c34e8ba370aa9af46ad

Trojan.Win32.Explosion.af
66e2adf710261e925db588b5fac98ad8
29eca6286a01c0b684f7d5f0bfe0c0e6
2783cee3aac144175fef308fc768ea63
f58f03121eed899290ed70f4d19af307

Trojan.Win32.Agent.adsct
826b772c81f41505f96fc18e666b1acd

Trojan-Dropper.Win32.Dycler.vhp
44b5a3af895f31e22f6bc4eb66bd3eb7

??
96b1221ba725f1aaeaaa63f63cf04092

IoT Research – Smartbands

Tue, 03/31/2015 - 07:00
Summary

Nowadays technology helps the development of hardware and software tools to record and analyze different aspects of our lives. This opens up new ways of staying aware of lifestyle and aiming to improve our health and fitness. One of the big trends in this sphere are fitness trackers such as smartbands, which, in the most popular current format, are bundles consisting of a hardware device we carry on our wrist and a mobile phone application to control the device and gain insights into the recorded data. We're entrusting these gadgets with very personal and sensitive data about ourselves and letting them into dive into our very inmost self. This poses big questions for us as a security company:

  • What kind of data is being collected
  • What are the risks and where are they?
  • What other parties might be interested in getting hold of this information, what's the potential result?
  • How can users help to protect their data?

Tracking devices and their corresponding mobile applications from three leading vendors were inspected in this report to shed some light on the current state of security and privacy of wearable fitness trackers.

What is it all about? The quantified self, smartbands and what people want to achieve

We regularly measure aspects of our daily lives because we feel we have to, because it is human nature to want to stay safe. We typically set our goals for certain points in time and regularly check how well or badly we're performing.

Things we often measure:

  • Business: financial goals, project plans, salary
  • Health: weight, height, eyesight, body mass index
  • Sports: heartbeat, distance covered and altitude gain while cycling or running, average speed

But a movement known as 'quantified self' wants more. It wants to go beyond and off the beaten tracks. This movement has been around for years and people are getting together all over the world to exchange information, discuss their experiences and form a culture of self-tracking. They are searching for a healthier, more fulfilling life by measuring things in their daily routines that have been overlooked by traditional measuring schemes.

The healthy living angle of this is attracting a lot of attention these days. Most people work in offices and they only get exercise as they commute, go shopping or walk to the coffee machine. More and more people work from home and use online store to get the things they need delivered to them, so there is far less need to actually leave the house. At the same time people are more aware of their bodies than – both in terms of health and an attractive appearance.

There are several ways of measuring how healthy, fit and active we are. Heart beat monitors help us control our exercise and get hard facts about our condition. Speedometers help cyclists measuring the distance covered, what altitude gain they achieved and their average speed. But all these tools are limited. They are taken off after exercising so other everyday activities like walking or working aren't recorded. If we use multiple devices the data remains isolated on each machine and is never correlated.

We entrust fitness trackers with our personal data and invite them into our innermost self

Tweet

This is where smartbands come into play. These devices are meant to be worn on our wrist all day and night to record our level of activity and also the time and quality of sleep. This generation of devices still records single snapshots, but the high frequency of recording sets makes it look like dynamic stream. It's a bit like the difference between photography, which gathers single shots, and filming, which uses a constant stream of shots to create a dynamic image. By acquiring and correlating constant streams of different health related data, we get additional benefits and information about our daily life, some of which we may not have been aware of. This paints a more complete picture of our lifestyle.

Human nature also seeks improvement. Collecting and visualizing our activities in daily life and their effects on our body helps motivate us to set new high scores. With most smartband offerings, users can try to beat their own targets as well as competing with a broader audience of family members, friends, colleagues from work and other individuals from online training groups. These are connected by the eco-system of the vendor's cloud network or by sharing information on social networks.

Smartbands – what they are and how they work

Basic smartbands are wristbands with mostly rubber surfaces to withstand shocks and moisture. The technological heart of the device is either firmly embedded into the body of the smartband or created in the form of a capsule, which can be placed into the band. The latter format allows the user to change the band if it gets damaged or worn out over time.

Bluetooth module: The main interface to upload collected data to a smartphone app and download new instructions, like vibration alarm at a defined time. Vibration motor: Just as on a smartphone, the motor lets the device vibrate to notify users of certain events like low battery or a pre-defined alarm. Motion sensor: Similar to the motion sensors in smartphones, the sensor monitors gyroscopic and accelerating movements. Vendor-defined algorithms then translate the movement into understandable units like steps. Battery: The battery of basic smartbands usually takes 35 – 70 mAH, a very low charge compared to smartphones, which take 2000 – 4000 mAH. Since there are far fewer components and they are usually more energy efficient, smartbands can keep running for one to two weeks, depending on how much data is being collected and how often power-consuming features are used. Power/sync button: Most smartbands can be operated with a single button to power on/off and sync or pair the device with the mobile phone. Power jack: To recharge the device's battery via a USB adapter. Display: Basic smartbands offer a small LED or dot matrix display to show battery charge or essential information like time or the step count. Features

Different smartband offerings have similar features. They are all based on measuring the activity levels, longevity and quality of sleep, information on calorie balance and additional goodies.

Main features:

  • step counter and approximate distance covered
  • calorie consumption
  • sleep recorder (duration and quality)
  • self-defined fitness plan and a comparison with actual activity

More features:

  • Nutrition intake and comparison with calories burnt from activity
  • Friend list with texting functionality and comparison of activities
  • Smart alarm for gentle recovery phase, based on measured stages of sleep
  • Stopwatch
  • Training diagrams
  • Third party extensions, if offered
A closer look at the whole system What data is collected by these devices?

The fitness trackers examined in this paper offer very similar feature sets and there is a consensus among the vendors about the data that is collected by the apps.

Required:

  • Name (or nickname)
  • Birth date (or just birth year)
  • Height
  • Weight
  • Gender
  • E-mail address
  • Password for account

Optional:

  • Country
  • Training plan
  • Weight goal
  • Training goals (steps per day, hours of sleep)
  • Nutrition plan
  • Photo
  • Mood
  • Friends using the same fitness tracker
  • . . .

The apps automatically show the correct localization, taken from the active settings on the mobile phone. Units for weight and height can be adjusted, enabling users to choose between imperial and metric systems, but is initially pre-set according to the mobile phone's localization setting.

Some fitness trackers allow users to control what they share on their friend list, but not with the cloud service.

Collecting and processing the information

The data acquisition and processing is done in a chain comprising the smartband itself, a smartphone (usually Android or iOS based) or computer (running on Windows or OSX), the corresponding application to process the data and the vendor's cloud service to provide deeper insights and store historical data. In order to synchronize the individual components the system uses Bluetooth and the Internet (via 3G/4G, Wi-Fi or wired connection).

The continuous synchronization between the tracking device and mobile phone requires a steady Bluetooth connection. This can have a considerable impact on the battery time of the phone. However the tracker is able to store data without synchronization for anywhere between two and 30 days, depending on the device and the amount of information recorded. Most vendors recommend keeping Bluetooth enabled at all times to ensure the best user experience.

Stage 1: Record data and short term storage

Stage 2: Process and correlate data, send instructions to control smartband

Stage 3: long time storage, web based interface for better viewing and deeper investigation

Smartbands are currently in a state of transition. The popularity of the product is prompting new varieties to come to market, and demand is growing for different formats. The type of smartband we know at present will be known as basic smartbands; future generations will offer additional innate processing power instead of merely collecting data. Some companies already have plans for products like combined smartwatches and activity sensors including heart beat monitors.

The daily traffic for cloud synchronization is around 1 -2 MB per day, depending on the model, level of activity and which features are used. Users without mobile Internet flat rates should consider performing this task via Wi-Fi only.

Possible vectors of compromise

In general, the more devices and data transmissions between them are needed in a system, the greater the possibility of compromising the chain. Most smartband environments use the above-mentioned scheme. Other types of fitness trackers cut out the smartband and record the data on the smartphone itself or don't offer a cloud service. For these types some attack vectors are not applicable.

Synchronization between tracking device and mobile phone

The smartband is meant to be worn day and night; however, their owners may well take them off from time to time. Therefore it could be left unattended for a while and anyone with a compatible device and the appropriate app – which is usually free of charge – could theoretically synch with the device and gain access to the data it records. That data could potentially be delivered to a rogue smartphone whenever it is range.

The information from smartbands and fitness trackers includes highly personal details about an individual. These could be used against the user for:

  • Blackmail
  • Naming and shaming on the Internet

Other than that, thieves might also be interested in the victim's training schedule since it could alert them to times when the flat or home is left empty.

The good news is that each of the smartbands we reviewed features some kind of integrated protection against this risk. The apps signed out from the phone and notified the owner that the smartband had been disconnected. The only information available to a rogue user was the data collected that day, or since the last synchronization. However, since only a small fraction of today's smartband offerings were tested, this attack vector might still apply to other devices.

The bad news is, the protection mechanisms can be susceptible to attacks, as my colleague Roman Unuchek proved in his blog post "How I hacked my smart bracelet". He was able to compromise the authentication process and thereby read the tracker's recorded data as well as executing code on it. According to his research, sometimes it is even possible to hijack the device without the owner even knowing.

Synchronization between the mobile phone and the server

The synchronization between the smartphone apps and the cloud servers is a neuralgic point, since the data stream comprises both the data gathered and the credentials to access the user's account. When smartbands hit the market some years back, some curious security researchers dipped into the traffic; a great uproar soon followed as it emerged that many vendors had no encryption whatsoever in this process, meaning all data was transmitted in clear text, perfectly readable for anyone who came upon it.

The synchronization between the smartphone apps and the cloud servers is a neuralgic point

Tweet

Fortunately, all the vendors of smartbands tested in this paper did their homework, since all of them incorporated a form encryption in their apps (TLS/SSL). This way, it is no longer simple to sniff traffic over Wi-Fi.

Compromising the mobile phone

Mobile malware has been a hot topic in recent years, with the number of new samples increasing in an almost exponential fashion. In the period from 2004-13 Kaspersky Lab analyzed almost 200,000 mobile malware code samples. In 2014 alone there was an additional stream of 295,539 samples. However, this doesn't give the whole picture. These code samples are re-used and re-packaged: in 2014 we saw 4,643,582 mobile malware installation packs (on top of the 10,000,000 installation packs that had been seen in the period 2004-13). The number of mobile malware attacks per month increased tenfold – from 69,000 per month in August 2013 to 644,000 in March 2014.

All the vendors of smartbands tested in this paper incorporated a form encryption in their apps (TLS/SSL)

Tweet

The typical modus operandi of cybercriminals is to use legitimate apps or app names as a vehicle to spread their malicious creations – mainly on third party app sites. One mobile malware sample is usually packaged under just one installer package, but sometimes even a hundred could be used to increase the leverage and therefore spread it among different user groups.  Malicious fake apps for smartbands, asking the user for the login credentials and thereby hijacking the account and all the information on it are entirely plausible. In combination with other data from the compromised phone, such as GPS coordinates of check-in features from social networking apps, this would pretty much by 'game over'.

However, the daily life of a smartphone poses a far higher risk. These devices are especially prone to getting lost. For example the London Underground reported more than 15,000 phones were lost in its trains in 2013 [1]. Without a lock screen in place, all information is visible to anyone who finds a smartphone, and that includes the information stored in fitness trackers. None of the smartband apps tested for this report offered the opportunity of locking the app with separate pin.

Compromising the cloud service

Aside from targeting single devices and users, attackers could also aim for the cloud service itself and seek access to records from all users.

Sometimes not even sophisticated hacking skills are needed, as one leading smartband vendor's user portal proved in 2011. All the user profiles were indexed by a popular search engine, making it easy to simply search the Internet for specific expressions that were only found in these profiles. Back then, users had the option to make their profile "private" but they were set to "public" by default. In addition, users could manually enter descriptions for their activities and certain timeframes, e.g. to find out what is most helpful when trying to lose weight. This meant that even the most private kind of "activity" was publically visible for everyone to see, together with information on longevity and how many calories were burned [2]. The vendor subsequently took action to prevent this. This case highlights how easily information and privacy leaks can result from misconfiguration and/or lax privacy policies.

Tracker's users have the option to make their profile "private", but they're set to public by default

Tweet

One smartband vendor's API allows users to access their data via a user ID and the serial number of the smartband, as well as the more traditional username-and-password combo. However, if a third party has the required information, the essential data can be downloaded without the user's knowledge.

In 2014 we saw numerous class A exploits like Shellshock or Heartbleed targeting web servers. These attacks were performed in a scripted fashion to IP addresses throughout the world by numerous gangs. It is still not clear how much data was gathered in these mega breaches, nor what the overall effect will be. Cloud services are not exempt from attacks like this and are seen as a lucrative target. It's only a matter of time until the next big exploit is found.

Other potential traps

According to research performed by the Massachusetts Institute of Technology, one smartband is notorious for scanning the user's environment for other Bluetooth-enabled devices, like computers, mobiles, other smartbands etc. As well as gathering the addresses of these devices, it also passes them to the vendor's servers via the smartband's phone application. This way, the vendor is potentially able to create a profile of each user's infrastructure environment.

In addition, the smartband itself uses BTLE (Bluetooth Low Energy), which makes it possible to change the device's address from time to time to avoid tracking the wearer. However, the vendor chose not to use this feature.

Fake smartband apps, asking for login credentials, are entirely plausible

Tweet

One tested smartband app invited the user to install additional apps from third parties to integrate and associate the collected data for deeper insights into the state of the users' health and activity. Possible extensions include correlating the standard data with GPS recording during workouts, dedicated apps for further visualizations, apps offering additional weight control related models, apps encouraging the user to eat more healthily (e.g. more fruit) and even offering financial incentives if all goals have been completed, paid by users who didn't meet their own targets.

If integrated, user automatically agrees to share this kind of data with the supplier.

The last potential trap has been a classic for decades. People tend to reuse their passwords over and over out of convenience. Most people have a main e-mail address, which also serves as a username on many websites and services. Now if one these accounts is compromised due to a server side breach (and we read of these breaches almost every week) or a malware infection stealing the login credentials on one of the machines, this means the other accounts using the same password are in massive danger. It is widely known that cybercriminals try these credentials on many of the big web portals like online shops, online payment systems, social networks and anything else that might turn a cash profit in the digital underground.

Commercial models around smartbands, fitness trackers and other gadgets

The flood of personal information, gathered by millions of users of smartbands and other wearables, whets the appetite of others as well as cybercriminals.

This kind of information is highly valuable to companies and institutions in different sectors.

Insurance companies

Insurance companies are based around risk estimation. To do this effectively, data has to be collected and evaluated to calculate the appropriate premiums from customers. The better the data, the better companies can manage their business. This is where fitness trackers come into play. What data could possibly be better than actual data streaming in real time from the customers themselves? At the time of writing some insurance companies are launching special programs for customers who are willing to share the information gathered from their fitness trackers. In return, financial incentives are offered to customers who prove to have a healthy lifestyle, as well as vouchers for travel and additional fitness courses [4].

None of the smartband apps tested offered the opportunity to lock the app with a PIN

Tweet

What could possibly go wrong? This scheme could potentially backfire. Imagine a keen fitness enthusiast who is also not averse to extreme sports. What if the tracking device and smartphone regularly transmit data about driving to an infamously dangerous mountain bike downhill track? GPS data sent from the smartphone and additional "step" count, coming from the rocks beneath the tire while riding at 40 kilometers per hour down the hill prove that someone didn't just go there to be a spectator, and this might displease the insurer. It could result in increased insurance costs based on the customer's allegedly higher risks. Depending on the legal situation in different regions in the world there's also a chance that insurance companies would refuse to insure high-risk clients because of the data recorded by their tracking devices.

Apart from fitness trackers, there are other gadgets and apps being developed to optimize the quantified self, like toothbrushes with integrated sensors to monitor the motion of the brush in three dimensions and a Bluetooth uplink to a dedicated smartphone application [5]. The app includes mini games to teach, motivate and reward people, especially children. It also tracks how often the teeth are being brushed and for how long. Again, insurers (dental insurance in particular) would be pleased to get their hands on this data.

Employers

Companies also discovered fitness trackers for their employees. There are already examples of employers offering these devices to their workforce to measure their health and motivate them towards a healthier lifestyle. British Petroleum (BP) introduced a "wellness program", in which employees are given points for reaching certain targets and incentives like health care premiums are offered [6]. Employees thinking about joining such program should thoroughly check the privacy policy and consider what potential consequences it might have.

Advertisement industry

There are almost no mobile apps on the market that offer users the option of disabling the flow of data into the cloud. As a result vendors quickly learn about your habits and your state of health. Depending on privacy policies, this enables them to tailor advertising based on the user's information and activity. Even within a general interest or activity, advertisements can focus on specific user groups: for example beginners could be offered running shoes and basic sportswear, whereas advanced athletes are shown advertisements for more expensive equipment, LED headlamps for night-time work outs or special sports nutrition. All offers can be adjusted for your local currency and targeted at the right gender and approximate size according to the weight and height set in the app.

Other parties

After the earthquake in Northern California the smartband vendor Jawbone published a diagram on their blog that showed the impact on sleep the event had in different areas around the epicenter [7]. All data was collected from thousands of customers, aggregated and presented in an anonymized form. The data enabled Jawbone to come up with a new format to show the actual impact of the earthquake on people rather than approximate seismographic ratings for surrounding areas. The graph appeared on many news sites around the globe.

Personal information gathered by millions of smartband users whets the appetite of cybercriminals

Tweet

The year 2014 marked the first time that data recordings from smartbands were used in court, opening the way for future cases. In this case the woman in question freely provided her data to prove that her injuries from a car accident limited her activities. Her information was compared with other women of her age using a third party [8]. In this case the use of data was not controversial – the woman provided her data freely to prove her point. It is important for smartband users to remember that vendors usually include a clause in their user agreements and privacy policies to make it clear that they can disclose information in response to a court order. It is also important to understand that the gathered data won't necessarily be kept in the country where it was recorded, but could also be used in foreign countries with a different jurisdiction.

According to researchers from the Hebrew University of Jerusalem it is possible identify individuals by the distinct shake of their GoPro cameras, worn on the head, from a sample of only a few seconds [9]. This raises the question whether algorithms along these lines could allow individual smartband users to be identified by their activity and sleep patterns.

Is there a more private way to keep track of your fitness?

More private alternatives (read: self-sufficient) to smartbands include pedometers and fitness tracker apps. Both options can act as single device systems and thereby cut off potential vectors of compromise that affect common smartband systems.

Fitness tracker apps commonly use an internal gyroscopic sensor and accelerometer to keep track of activities.  Tracker apps lack the sensors to measure people's sleep and also do without some other features of smart devices. Dedicated step counter devices, called pedometers, offer a similar feature set, but are easy on the smartphones' battery. Some offerings can be synced with a smartphone, others are completely self-sufficient. They can be carried it in a pocket or clipped onto your belt.

Advice for users of smartbands

To minimize the risks of your data being compromised, there are several pieces of advice to follow. Many of them apply not only to smartband users but to anyone using apps that store personal information:

  • Only use features you really need and avoid giving out any personal information that you would not want to store  in the cloud
  • Use a strong and unique password for each account
  • Lock the home screen on your smartphone and use access protection
  • Encrypt your phone if possible
  • Use security solutions for all devices, if available
  • Read the license agreements of applications and pay close attention to how personal information might be used by the service
  • Install app and operating system updates when available
  • Uninstall/Delete applications that are not needed anymore
  • Turn off the Bluetooth and location services on phones when not needed (this also preserves battery time)
Conclusion

Smartbands have been around for almost a decade by now, so they are almost senior citizens compared with many gadgets. While some old security issues like absence of encryption or public indexing of user profiles have been fixed, they show that security is still an afterthought for many companies. Security is also a process; vulnerabilities in drivers, protocols and the whole server ecosystem are found more and more frequently, vendors need to monitor vulnerabilities and the exploit landscape and quickly patch their software on both the client side (smartphone apps) and the server side (cloud service) to secure the customer data.

Security, though, depends on both makers and users alike. Everyone involved must understand the value and sensitivity of the user data collected by the fitness tracker. Normally when a breach involving personal data happens, data like names, mail addresses, birthdates, credit card information or passwords are affected. In this context, the information is even more personal. It contains health and body related data, including details that someone would normally confide only to a handful of very close people – or possibly even the doctor alone.

Smartband vendors are sitting on a goldmine of information that would be of great value to third parties in its anonymized form and even more attractive in a user-specific context. But if vendors decided to give out this data in either format (and risk losing their users' trust), third parties need to be cautious about the data. After all, what is to stop users attaching a smartband to a hyperactive pet dog and using that to get preferential 'active lifestyle' rates from an insurance company?

Although smartbands are relatively old technology, they are still part of the breeding ground for devices and services that trade on quantifying ourselves. New kinds of devices are coming up, integrating old technology and combining them with new innovation. Gadgets like smartwatches and Google's Glass are examples of how the future might shape up in this area.

Appendix: Resources

(1) More than 15,000 lost mobile phones on London Underground pose security risks
http://www.v3.co.uk/v3-uk/news/2318727/more-than-15-000-lost-mobile-phones-on-london-underground-pose-security-risks

(2) Dear Fitbit users, kudos on the 30 minute of vigorous sex activity last night
http://gizmodo.com/5817784/dear-fitbit-users-kudos-on-the-30-minutes-of-vigorous-sexual-activity-last-night

(3) Security Analysis of Wearable Fitness Devices (Fitbit)
https://courses.csail.mit.edu/6.857/2014/files/17-cyrbritt-webbhorn-specter-dmiao-hacking-fitbit.pdf

(4) Insurance company Generali wants to collect fitness data from customers (German)
http://www.heise.de/newsticker/meldung/Neue-Krankenversicherung-Generali-will-Fitnessdaten-von-Versicherten-sammeln-2461512.html

(5) Kolibree, Smart Tooth Brush
http://kolibree.com/en/

(6) Wearables at work mean big business, says Fitbit CEO
http://www.cnbc.com/id/101318809#

(7) How the Napa Earthquake Affected Bay Area Sleepers
https://jawbone.com/blog/napa-earthquake-effect-on-sleep/

(8) Fitbit Data now being used in the Court Room
http://www.forbes.com/sites/parmyolson/2014/11/16/fitbit-data-court-room-personal-injury-claim/

(9) Egocentric Video Biometrics
http://arxiv.org/abs/1411.7591

CanSecWest 2015: everything is hackable

Fri, 03/27/2015 - 09:48

Last week, we had the privilege to participate in and present at the 15th edition of CanSecWest in beautiful Vancouver, BC, along with its famous accompaniment, the ever famous Pwn2Own competition. Yes, once again all major browsers were hacked, but they were not alone! BIOS and UEFI, 4G modems, fingerprints, credentials, virtual machines, and operating systems were among the victim systems successfully hacked by our fellow presenters.

The event gathers a very technical audience with a shared interest in the most recent attacks and the presenters delivered with a variety of demos that showcased their intended vulnerabilities beautifully and thus reinforced the conclusion that digital voodoo can turn obscure and seemingly innocuous vulnerabilities into mind-numbingly cunning attacks.

One of the most discussed presentations, and certainly one of our favorites, showcased the power of BIOS and UEFI hacking: two guys, Corey Kallenberg and Xeno Kovah of Legbacore, armed with $2,000 and 4 weeks of hard work were able to show how a long list of vendor BIOSes were not only vulnerable but could successfully be loaded with LightEater, an SMM implant capable of pilfering sensitive information from Tails OS and even exfiltrating that information in such a way as to bypass the OS entirely. We clearly agree with their conclusion, it´s time to start taking a harder look at firmware!

Firmware insecurity: absence of evidence is not evidence of absence

One of the very possible attack is the well-known 'evil maid' or the 'border guard' approach: someone with physical access to your computer can just plug a small device (see below) and successfully reflash your system's BIOS, rewriting it with malicious code, without so much as booting up the system.

Press a button and in a few seconds the handy green light will indicate the BIOS is p0wned

Another very interesting presentation by Jan "starbug" Krissler showed how high resolution photos could bypass biometric authentication. Pictures acquired through high-resolution cameras from a safe distance amounted to the successful theft of fingerprints, faces, and irises used by current biometric systems for authentication. The distance can even be extended through the use of infrared imagery! We spent the talk imagining the breach possibilities as  an increasing number of ATMs  nowadays rely on biometric input.

Please authenticate access to your bank account using a password you can never change: your fingerprint

We also saw presentations on MacOS DLL (dylib) hijacking, userland exploits on iOS 8, attacks using Windows PowerShell, and even the installation of a bootkit in a 4G modem by simply sending an SMS! All sandwiched between explanations of the work of the ever fascinating Google Project Zero Team. In one of these, Chris Evans walked the audience through how a 'simple' crash caused by a call with a negative length became an exploit on Adobe Flash Player.

Our own presentation was a walkthrough of the misuse of whitelisted tools to further all kinds of attacks, from APTs and Targeted attacks to banking trojans and ransomware. This ongoing project is intended to highlight the faulty foundations of the whitelisting approach to security and how whitelisting alone simply won't protect you, from advanced and intermediary attackers alike! Stay tuned for a post on our findings.

In the end, we expanded our view as to the true breadth of vulnerable software and hardware. on which we depend daily. Security is a truly elusive state in an ecosystem composed of interwoven, dependent systems, each responding to the diverging priorities of a developer, an administrator, a user, and, of course, an attacker as well. The role of the security researcher that lives and breathes attack vectors and obscure vulnerabilities in search of the right digital voodoo has never been more important. And we can't help but echo the sentiments of Dragos Ruiu and our own Eugene Kaspersky in thanking CanSecWest for bringing all these researchers under one roof and one banner to share that digital voodoo and successfully stave off the balkanization of our industry just a while longer.

How I hacked my smart bracelet

Thu, 03/26/2015 - 07:00

This story began a few months ago when I got a popular brand of fitness bracelet. As this is a wearable device I installed Android Wear app, an application developed especially for wearable devices. This application easily connects to the fitness band.

However, there was something odd: the program could connect to a Nike+ Fuel Band SE, but my bracelet was another brand! It wasn't long before I realized my colleague had a Nike wristband – and he didn't even notice I had connected to his device.

After that I decided to do some research and find out how secure my wristband was.

Smart bracelets: communication with a smartphone

Today's market offers a lot of wristbands from other manufacturers. KSN provides the following statistics about the installation of Android-based applications to work with popular fitness trackers on mobile devices (the statistical data was obtained from KSN users who freely agreed to the transfer of this data).

The installation of Android-based applications designed to work with fitness trackers from different manufactures

Although this statistic demonstrates the popularity of Android applications (we cannot guarantee that the appropriate devices have users), to some extent it reflects the situation with the popularity of wearable devices.

To communicate with the smartphone most of these fitness bands use Bluetooth LE technology (also known as Bluetooth Smart). For us, this means that the devices connect in a different way from regular Bluetooth. There is no pairing password because most wristbands do not have a screen and/or a keyboard.

In some cases you can connect to a wearable device without the owner even knowing

Tweet

These wristbands use a GATT (Generic Attribute Profile) which means that every wearable device includes a set of services, each of which has a set of characteristics. Each characteristic contains a byte buffer and a list of descriptors, and each descriptor contains a value – a byte buffer.

In order to demonstrate this, I used some ready code from Android SDK, an example of an application that connects to Bluetooth LE devices. I did not have to write a single new line of code; I simply opened the existing project in Android Studio and pressed Start.

The screenshot above shows the result of my attempt to connect my fitness bracelet with the help of this application. Here we see the services and their characteristics. However, it is not easy to obtain data for my bracelet from the characteristics - it requires authentication in addition to the connection. In the case of some other devices I could read the data from the characteristics and their descriptors. This was probably the user data.

Scanning

So, using the example of the application from Android SDK I could connect to some devices. After that I have developed my own application which automatically searched for the Bluetooth LE devices attempting to connect to them and get their list of services.

Using this application I performed several scans.

  • Over two hours on the Moscow undeground subway system I could have connected to 19 devices: 11 FitBit and 8 Jawbone.
  • Over an hour in a gym in Bellevue, WA, USA I was able to connect to 25 devices: 20 Fitbit, and one each from Nike, Jawbone, Microsoft, Polar and Quans.
  • Over two hours at SAS2015 in Cancun, Mexico, I was able to connect to 10 fitness trackers: 3 Jawbone and 7 FitBit.

From just six hours of scanning I was able to connect to 54 devices despite two serious restrictions:

  1. Although the spec suggests the maximum distance for connections is 50 meters, in reality it's rarely possible to connect to a device more than 6m away.
  2. It seems that it is not possible to connect to a device that already has a connection to another phone. Thus if your wristband is connected to your phone, no one else can connect to it; it should not even be seen during scanning.

The second restriction should mean that when the wristband is connected to a smartphone, it cannot be attacked. This is not true though. And here is an example: while scanning with my app I was able to block the communication between my bracelet and its official application, even though they were connected.

It could be that the devices I found had never connected to a phone before or that the wristband was not connected to a smartphone while I was scanning (perhaps the Bluetooth on the phone was disabled). However it could also be that a pre-connected device was still available for connection despite the supposed restriction. Whatever the reason, potential fraudsters have ample opportunity to connect to fitness trackers.

However, in most cases, authentication is required in addition to the connection in order to gain access to the user data. Let's see how my bracelet's authentication process works.

My bracelet's authentication

To authenticate the bracelet on a smartphone the official application uses one of the four available services on the wristband. Each characteristic of each service is flagged with 'CharacteristicNotification' - this is how the app informs the wristband that it wants notifications of any change in this characteristic. Then the application gets a list of descriptors for each characteristic and sets the 'ENABLE_NOTIFICATION_VALUE' flag to inform the wristband that it wants notifications of any change in each descriptor.

After that one of the characteristics changes its value - the byte buffer. The application reads this buffer from the wristband: the 200f1f header and the byte array - let's call it authBytes.

The application creates a new array. Its first part is a constant array which is contained in the application and begins with 6dc351fd44; the second part of the new array is authBytes. The application receives the MD5 hash from the new array and sends it back to the device in the following structure:

  • Header (201210051f)
  • MD5
  • Verification byte

The application then sends to the device yet another array also found in this application.

After this wristband starts to vibrate and the user just needs to press the button to complete the authentication process.

With the official application the authentication process takes about 15 seconds. I have developed an application that requires only 4 seconds to make the wristband vibrate.

It is not difficult to make the user press a single button on the wristband. You just need to be persistent. You can keep trying authentication process over and over until the user finally presses the button or moves out of range.

From just six hours of scanning I was able to connect to 54 devices despite two serious restrictions

Tweet

After authentication is completed, the data on my bracelet can be accessed. Right now, wearable fitness devices do not contain much information. Typically, they have the number of steps, the phases of sleep, the pulse for the last hour or so. Approximately once an hour the app transfers this information from the wristband to the cloud.

After the authentication, it is easy to execute commands on the device. For example, to change the time you should send to the device the byte array beginning with f0020c and then the date in the form YYYY MM DD DW HH MM SS MSMSMSMS.

Things are even easier with the other fitness trackers: for some of them, part of the data is available immediately after the connection, while the application code for Nike is not even obfuscated and can be easy read (the results of one study can be found here).

Conclusion

The results of my research show that in some cases you can connect to a wearable device without the owner even knowing.

By hacking the bracelet I have the fraudster cannot get access to all user data as this is not stored on the wristband or in the phone - the official application regularly transfers information from the wristband to the cloud.

Fitness trackers are becoming more popular and offer a wider range of functions. Perhaps in the near future they will contain more sensors and hence much more user information, often medical data. However the creators of these devices seem to think very little about their safety.

Just imagine - if a wristband with the pulse sensor is hacked, store owners could look at your pulse rate while you are looking at the prices in the store. It might also become possible to find out how people react to advertising. Moreover, a hacked wearable with pulse sensor could be used as a lie detector.

The fraudster could take control of your wristband, make it vibrate constantly and demand money to make it stop

Tweet

Of course, there are more harmful actions that are more likely. For example, by using a Trojan-Ransom the fraudster could take control of your wristband, make it vibrate constantly and demand money to make it stop.

We reported our findings to my bracelet's vendor. The company's response defines the findings as a UX Bug and not a security issue. For ethical and security reasons we are not disclosing the name and the model of the bracelet this time. If you're worried about the possible consequences of cybercriminals exploiting the security issues we discovered, don't hesitate to contact the vendor of your fitness bracelet and ask if your product is affected by the method described in the article.

We also hope that this article will be helpful not only for users but also for vendors of the bracelets to make these devices safer from the IT Security perspective.

Analog OPSEC 101 – operational security in the physical world

Wed, 03/18/2015 - 06:00

For a long time we´ve been interested in operational security (OPSEC), and although you can find tons of cool technical tips about protecting digital information, we always felt that something was missing. After all, we live in a physical, or  analog world as well as a digital one, and we have encounters with other real people. After asking around, we found that one of the biggest worries of our technical community was how to behave during these interactions. So we decided to work on creating some realistic and easy to remember tips for exactly these situations.

Threat modeling

OPSEC is all about hiding information from your adversaries. We categorized our adversaries into just two groups: those who have resources and those who don´t. Plain and simple.

The first group comprises intelligence agencies, military organizations and the big bad boys. The second contains the rest. Important: no resources is not the same as no danger, but they are less able to track you unless you give away information for free.

Our tips are focused on encounters with the first group, since that is more likely to happen.

Recruitment

Agencies are always on the look-out for new assets to recruit – this is what they've been doing for centuries.

It all starts with the spotting process, identifying an asset who could meet their requirements based on the position and access to information. Next they profile the target, partly using OSINT. After that it's time to choose between the carrot and the stick, and pick out the most effective motivators on offer: money, blackmail, ideology, sex, etc.

Then some guy will approach us, maybe in person, maybe through LinkedIn. He'll probably pose as some businessman who will pay us a lot for nothing much, just a few easy reports from time to time.

When this happens we want to get to the Termination phase ASAP, ideally after being written off as a waste of time and effort.

We can just say "No", but they may keep increasing the pressure. On the other hand, we can refuse while providing alternatives, redirecting the request to another person ready to handle this.

Create a protocol for yourself and your organization in order to handle these situations effectively, minimizing the researcher ´s exposure. Be prepared in advance for situations where we are more vulnerable.

Borders

Crossing an international border can be one of the most vulnerable places. Somehow they are like a parallel dimension: although you are physically in one territory, the laws are just different, or maybe even non-existent.

We´ve learnt a few things regarding borders: there is always some exception to the law that officers might use in extreme scenarios. You can find legal advice here https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices>. However this is what you should NOT do:

  • Regardless of whether you consent to a search or not, do NOT stop the officer if he starts checking your stuff. This is a felony.
  • You don´t have to answer questions, but if you decide to do so, do not lie to the officer. Again, a felony.

This is our advice about how to react in a situation like this. These rules will provide you with peace of mind, help you stay calm and not freak out. Hopefully they will stop you overreacting, making things worse and talking too much, starting with: "I have nothing to hide, let me explain …".

  • Be cooperative.
  • Don´t make things worse.
  • Have your story prepared and be ready to back it up.
  • Golden rule: Don´t bring any valuable content with you! You should encrypt, upload and retrieve on arrival at your destination.
Other situations

Sometimes we could find ourselves going to a meeting in a strange country with a suspicion that something is not quite right. Some advice for this:

  • Don´t go alone.
  • Don´t rely on your host for transport
  • Plan exit routes and "safe" places, have your contacts ready.

In some cases the meeting itself won´t be the "trap"; it's just an excuse to get you to leave your computer in a known location the hotel, or in a cloakroom.

It is always a good idea to let someone know where you are going and tell them to react if you don´t ping them in a reasonable period of time. This also lets your adversaries know that you are ready – a simple casual comment will do the job.

Another concern is physical surveillance. To be honest, if this is done by sophisticated professionals there isn't much we can do about it and we probably won't even notice. But remember – don't try anything stupid; you're not James Bond. Acting like it's a movie can only make things worse.

If you are very concerned, escalate the situation and involve the person in your company who is responsible for dealing with local contacts. If you feel uncomfortable, move to a public place or directly move to your embassy.

Conclusions

You've probably already spotted a common theme in most of all these situations. First, keep calm and do not make things worse. You can rely on a third party to send in the cavalry when you need it. This is why your company should provide you with a single person to contact when you're in trouble. Also you might need international legal support.

However the key lesson is: do your homework. If you travel abroad, spend some time finding local contacts, get the telephone number and directions for your embassy, plan your meetings, let other people know where you are and make sure they are ready to act quickly in certain situations. Have your travel laptop ready and consider what information you bring with you. If you remember your lessons, you will be fine.

Yeti still Crouching in the Forest

Tue, 03/17/2015 - 03:53

Last July, we published details on Crouching Yeti (aka Energetic Bear), an advanced threat actor involved in several APT campaigns.

A quick summary:

  • Campaign status: Active
  • Discovery: January 2014
  • Targeted platforms: Windows
  • First known sample: 2010
  • Number of targets: 2,001-3,000
  • Top target countries : United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, China
  • Propagation method: Social engineering, Exploit, Watering hole attack, Trojanized software installers
  • Purpose/functions: Data theft
  • Special features : Interest in OPC/SCADA. Trojanized software used to administer remote OPC servers as well as modules to scan networks for OPC servers.
  • Targets: Industrial/machinery, Manufacturing, Pharmaceutical, Construction, Education, Information technology
  • Artifacts/attribution : Russian-speaking authors

This post is an update about the operational status of the campaign described in the original "Crouching Yeti" report.

Since the beginning of the research, we've been monitoring some of the C2 servers used by the components used in the attack – the Havex Trojan, the Sysmain Trojan and the ClientX backdoor. The following analysis is based on data gathered until March 04, 2015

C2 and victims:

Overall, we successfully monitored 69 C2 server (unique domains), receiving hits from 3699 victims (unique IDs of the Trojan/backdoor) connecting from 57796 different IP addresses. We gathered four additional C2s since the publication of the first report (65 in the last report).

Based on the graph below, the top five C2 servers share most of the unique victims :

Victims per C2

 

Although the trendline shows a decreasing number of hits on the C2, there are still >1.000 unique victim connections per day. These top five C2s with most of the victims coincides with the activity analyzed in the previous research and publication.

Another interesting figure is the number of hits by date which shows a decreasing trend:

The following figure shows the entire picture regarding Crouching Yeti victim country distribution including all the malware (Havex, ClientX,Sysmain) reporting to the C2s on which we have visibility. The graph contains the total dataset (inluding data for the previous report as well as the gathered during this period) and contains all the unique IP addresses observed. Be aware that there are some unique IDs using several IP addresses probably pertaining to infected computers used by travellers.

This shows the big (and updated) picture regarding Crouching Yeti victims by country. Spain, Poland and Greece are in the Top 3. Japan and especially the United States have significantly reduced position (less victims) since the last report, contrary to Poland and Italy that increased position remarkably (more victims reporting to the C2).

An additional representation of victim country distribution including the full dataset (all countries) :

Malware:

The most widely used Trojan on these C2 server is Havex with 3375 unqiue victims. Sysmain counts 314 and ClientX 10 (as in the last year's report). For Havex, version 024 is still the most widespread, followed by version 043. This is consistent with the trend observed in our last publication.

The following two graphs show the distribution of victims per malware type. We decided to divide the identified versions in two groups for purposes of clarity. The series names Report contains the data published in the first Crouching Yeti release (blue) and the Update (red) series contains the data analyzed.

During this period, the first subset shows an increase for almost all the included versions except for Havex-038 and Havex-01D which showed bigger activity in the first Crouching Yeti release . On the other hand, Havex-043 has the most significant increase during this period.

For the second subset, the picture looks pretty similar (global increase) except for Havex-01d which shows a decrease during this period.

Already before and also after the announcements around this actor other researcher digged into. Therefore the datasets are cleaned but may still include few research based non-victim systems.

The following graphs shows the operating system distribution amongst Havex victims during this period:

Apart from the increase of the category "unknown", there are no substantial differences when comparing the data analyzed in the first report :

In order to complement the data from the C2, we extracted some stats for the most relevant Trojans used by the Crouching Yeti operators. Almost all of them shows a residual impact during 2015. Nevertheless, we notice some very specific peaks during this month, especially for the Trojan.Win32.Ddex verdict. This component is a simple downloader with the functionality similar to the Havex component. All the detections are located within the Russian Federation.

In conclusion, the data analyzed during this period show us that Crouching Yeti's impact continues to increase in terms of infected victims reporting to the C2s, although internal data from KSN shows a different picture (residual number of infections). In this update, we did not see relevant changes in the infrastructure or in the C2 activity.

Taking into account the nature of this threat actor and the operational status of the infrastructure, it is likely the operators already switched infrastructure, techniques and targets.

We will continue to track this threat actor and providing updates accordingly.

Pages