Malware RSS Feed

The Art of Finding Cyber-Dinosaur Skeletons

Malware Alerts - Wed, 12/03/2014 - 10:25

Following the release of our report on the Regin nation-state cyber operation, questions were raised about whether anti-malware companies deliberately withheld information -- and detections -- at the request of governments and customers. A similar question was raised by Bruce Schneier in 2013.

Let's get the most important issue out of the way immediately. We have never been asked by a customer or a government entity to whitelist or stop detecting any specific malware sample. We'd never comply with such a request, no matter the source.

This simply does not happen. In some cases, investigations into advanced targeted attacks include NDAs (non-disclosure agreements) with customers and we are bound to maintain confidentiality but that never affects adding detection and protecting our entire customer base from threats.

So, why did it take two years for us to release a report on Regin? Without proper context, it may appear that researchers kept something really important in the dark for an inordinately long time. However, security research -- not unlike law enforcement investigations -- requires meticulous scrutiny and analysis and in many cases, it's important to watch the crime unfold in real-time to build a proper case.

In our case, without unlimited resources and the fact that we're tracking multiple APT actors simultaneously (Careto/Mask, EpicTurla, Darkhotel, Miniduke/Cosmicduke, to name a few), this becomes a process that takes months, even years, to gain a full understanding of a cyber-operation.

Sean Sullivan from F-Secure provided a perfect description of APT research, comparing it to the work of paleontologists that find some bones of a dinosaur.  Everyone may have a bone but nobody has the full skeleton.

In the case of Regin, what we first discovered in 2012 was a slightly damaged bone from unknown part of a monster living in a mysterious mountain lake.

(courtesy of southampton.ac.uk)

Someone finding a bone might discard it and keep traveling, but in security research we collect things. The original discovery went to our collection of things stored in the backyard. We have many of these fractured bones from unseen monsters or maybe harmless creatures. Sometimes we hear about other bone fragments being discovered by others and this pushes us to take a closer look but at the early stages, without enough evidence to draw meaningful conclusions, it doesn't make sense to go public about discoveries until you confirm that the monsters are real, big and dangerous.

We keep working in various channels to collect different artifacts that may or may not match some of the pieces in our collection. Sometimes we join efforts with other "paleontologists" and share our discoveries. Once we collect enough of bones from a monster to understand potential size, danger and possible habitat, we can start the next phase which is a real active investigation that might lead us to the mysterious mountain lake.

A comprehensive APT research project consists of several stages:

  1. Adding detection for known modules
  2. Collecting samples
  3. Reversing the samples
  4. Decrypting sophisticated encryption and compression schemes
  5. Understanding lateral movement
  6. Outlining multiple attack stages in the correct order
  7. Mapping C&C infrastructure
  8. Setting up sinkholes
  9. Analyzing collected traffic and communication protocols
  10. Crawling other hosts that understand the same protocol
  11. Taking down and acquiring images of C&C servers
  12. Identifying victims, sending out notifications to victims and global CERTs
  13. Applying forensic analysis and extracting logs, stolen files, other components
  14. Collecting and analyzing data from KSN, C&C servers, individual victims who are willing to work with us, sinkholes, crawlers, etc.
  15. Writing a comprehensive report

If we are lucky we can find a monster in-the-wild that is the best source for scientific study. In most cases, including Regin, we observe and learn from the behavior of a live monster. We record every single step and intention.

At the same time, we can take it down and study it in a lab like zoologists. However, in many research investigations, we can see only a skeleton of a monster. We have to put everything together and reconstruct how the monster moved, what was it habits, what species it attacked, and how these attacks were coordinated.  Simply put, this requires time and patience.

In addition, when we analyze the characteristics of a certain creature, we understand that the evolution goes on and there are other species like the subject, live and kicking somewhere in a manner that's not visible at all.

While some of the Regin samples got on our radar early and we continued to find additional samples and artifacts during the research, we are convinced there are others that are currently unknown and undiscovered. Little was known about their life and existence in the past but we know they were out there by finding some tiny fragments over time. And we have to refer to paleontology again, because in the overall picture we have discovered just a small part of the entire beast, but have enough to to release a public alert.

Like Regin, sometimes we find that we had been detecting pieces of malware for several years before realizing that it was a part of global cyber-espionage campaign. One good example is the story of RedOctober. We had been detecting components of RedOctober long before we figured out that it was being used in targeted attacks against diplomatic, governmental and scientific research organizations.

At Kaspersky Lab, we are processing hundreds of thousands of samples every day. The art of figuring out which ones are significant and further yet which ones belong together as part of a big APT attack is akin to finding needles in a huge haystack and then figuring out which ones belong to the same knitting set. We are grateful for every needle we discover, because this makes the world a little safer.

Kaspersky Security Bulletin 2014. Predictions 2015

Malware Alerts - Mon, 12/01/2014 - 04:00

 PDF version
 EPUB version

Cyber-criminals merge with APT

In 2015, we expect to see another stage in the evolution of cyber-criminal activity with the adoption of APT tactics and techniques in financially motivated online criminal activity.

During a recent investigation, we discovered an attack in which an accountant's computer was compromised and used to initiate a large transfer with a financial institution. It represented the emergence of an interesting trend: targeted attacks directly against banks.

We are seeing an upsurge in malware incidents where banks are being breached using methods coming directly from the APT playbook. Once the attackers got into the banks' networks, they siphon enough information to allow them to steal money directly from the bank in several ways:

  • Remotely commanding ATMs to dispose cash.
  • Performing SWIFT transfers from various customers accounts,
  • Manipulating online banking systems to perform transfers in the background.

A new trend is embracing #APT style attacks in the cybercriminal world.

Tweet

Such attacks are an indication of a new trend that is embracing APT style attacks in the cybercriminal world.

APT groups fragment, diversify attacks

The naming-and-shaming of APT groups in 2014 led to the public exposure and indictment of a hacking group that allegedly carried out cyber-espionage against U.S. businesses.

We expect to see a shift in 2015 where the bigger, noisy #APT groups splinter into smaller units, operating independently of each other.

Tweet

As security research teams continue to push for exposure of nation-state APT crews, we expect to see a shift in 2015 where the bigger, noisy APT groups splinter into smaller units, operating independently of each other. This in turn will result in a more widespread attack base, meaning more companies will be hit, as the smaller groups diversify their attacks. At the same time it means that bigger companies that were previously compromised by two or three major APT groups (eg. Comment Crew and Webky) will see more diverse attacks, coming from more sources.

Old code, new (dangerous) vulnerabilities

Recent allegations of deliberate tampering and accidental failures in crypto implementations ("goto fail"), and critical vulnerabilities in essential software (Shellshock, Heartbleed, OpenSSL) have left the community suspicious of unaudited software. The reaction has been to either launch independent audits of key software or have security researchers poke them in search of critical vulnerabilities (tantamount to an unofficial audit). This means that 2015 will be another year of new, dangerous vulnerabilities appearing in old code, exposing the Internet infrastructure to menacing attacks.

Escalation of ATM and PoS attacks

Attacks against cash machines (ATM) seemed to explode this year with several public incidents and a rush by law enforcement authorities globally to respond to this crisis. A corollary of this publicity is an awareness that ATMs are ripe for the taking and cybercriminals are sure to notice. As most of these systems are running Windows XP and also suffer from frail physical security, they are incredibly vulnerable by default and, as the impersonal gatekeepers of the financial institutions' cash, cybercriminals are bound to come knocking here first.

The next stage will see attackers compromising the networks of banks and using that level of access to manipulate #ATM #machines in real time.

Tweet

In 2015, we expect to see further evolution of these ATM attacks with the use of APT techniques to gain access to the "brain" of cash machines.  The next stage will see attackers compromising the networks of banks and using that level of access to manipulate ATM machines in real time.

Mac Attacks: OS X botnets

Despite efforts by Apple to lock down the Mac operating system, we continue to see malicious software being pushed via torrents and pirated software packages. The increasing popularity of Mac OS X devices is turning heads in the criminal world, making it more appealing to develop malware for this platform.

The increasing popularity of #MacOS X devices is turning heads in the criminal world, making it more appealing to develop malware.

Tweet

The closed-by-default ecosystem makes it harder for this malware to successfully take hold of the platform, but there remains a subsection of users who'll gladly disable Mac OS X security measures – especially people who use pirated software. This means that those looking to hijack OS X systems for a variety of reasons know that they simply need to bundle their malware with desirable software (probably in the form of a key generator) to enjoy widespread success. Due to widespread beliefs about the security of the OS X platform, these systems are also unlikely to have an antimalware solution installed that will flag the infection so once the malware is installed, so it's likely to go unnoticed for a very long time.

Attacks against ticketing machines

Incidents such as the NFC hack on Chilean public transport show an interest in abusing public resources such as transportation systems. Some hackers won't be looking to turn a profit from these types of attacks and will be satisfied to get some free rides and 'stick it to the man' by sharing this ability with others. However, ticketing systems are being shown to be vulnerable (many of them running Windows XP) and in many cities handle credit card transaction data directly. We expect to see bolder attacks on these systems to either game the system or steal credit card data for themselves.

Attacks against virtual payment systems

Conventional wisdom tells us that cybercriminals are looking to monetize their daring exploits as simply and efficiently as possible. What better target than virtual payment systems in their infancy? As some countries like Ecuador rush to adopt virtual payment systems, we expect criminals to leap at every opportunity to exploit these. Whether social engineering the users, attacking the endpoints (cellphones in many cases), or hacking the banks directly, cybercriminals will jump all over directly monetized attacks and virtual payment systems will end up bearing the brunt.

We expect to the appearance of vulnerability warnings about weaknesses in #Apple #Pay, virtual wallets and other virtual payment systems.

Tweet

These fears can also be extended to the new Apple Pay, which uses NFC (Near Field Communications) to handle wireless consumer transactions.  This is a ripe market for security research and we expect to the appearance of vulnerability warnings about weaknesses in Apple Pay, virtual wallets and other virtual payment systems.

Apple Pay

Previous attacks have focused on NFC payment systems but, thanks to limited adoption, these have reaped limited rewards. Apple Pay is bound to change that. The enthusiasm over this new payment platform is going to drive adoption through the roof and that will inevitably attract many cybercriminals looking to reap the rewards of these transactions. Apple's design possesses and increased focus on security (like virtualized transaction data) but we'll be very curious to see how hackers will exploit the features of this implementation.

Compromising the Internet of Things

Attacks against the Internet of Things (IoT) have been limited to proof-of-concepts and (sometimes overhyped) warnings that smart televisions and refrigerators will be targeted by hackers to create botnets or launch mischievous attacks.

In 2015, there will surely be in-the-wild attacks against networked printers and other #connected #devices.

Tweet

As more and more of these connected devices become available, we expect to see a wider discussion about security and privacy, especially among businesses in this space.  In 2015, there will surely be in-the-wild attacks against networked printers and other connected devices that can help an advanced attacker to maintain persistence and lateral movement within a corporate network.   We expect to see IoT devices form part of an APT group's arsenal, especially at high-value targets where connectivity is being introduced to the manufacturing and industrial processes. 

On the consumer side, IoT attacks will be limited to demonstrations of weaknesses in protocol implementations and the possibility of embedding advertising (adware/spyware?) into smart TV programming.

Phishing attack to target the clients of a Japanese bank

Malware Alerts - Fri, 11/28/2014 - 04:00

Most phishing emails that aim to steal bank and e-payment data are written in English. However, we are seeing more and more fraudulent messages written in other languages, suggesting that the number of attacks targeting users in non-English speaking countries is growing. Here is an example of a fake notification in Japanese, supposedly sent on behalf of a major bank of Japan.

The text of the fake message warned users of a possible leak of their personal data. They were also told that the bank system security had been updated to protect their accounts so they had to follow the link and enter their login details and passwords on the bank's site to ensure their accounts weren't blocked. The information entered in the phishing form was sent to the fraudsters who got access to the personal account of the victims and could control their money via the online banking system.

The 'From' field of the email specified an address registered on a well-known free mail service from a Taiwanese (.tw) domain. The address of the phishing page in the body of the message was similar to the official web address of the bank but the real address of the page to which the user was redirected was different. Since the fraudulent page was designed to look like the bank's official page, users could only spot the trick if they paid close attention to the suspicious address in the browser.

A month later our colleagues registered a similar phishing mass mailing.

The sender's address looked genuine. The text informed recipients that the bank had updated its security system and users should follow the link to confirm their account details. That link went to the same phishing link as in the first example but this time the forgery was much more like a genuine link. Only a careful user would spot the difference.

Spam and Phishing in the Q3 of 2014

Malware Alerts - Thu, 11/27/2014 - 04:00
Spam: features of the quarter Appearance of the iPhone 6

In September there was a significant event in the IT industry - the iPhone 6 smartphone was presented to the public and put on sale. Not surprisingly, this was big news in the cybercriminal and spamming community as well and throughout the quarter we saw a sharp increase in spam about the famous brand. The number of phishing messages claiming to come from popular Apple services also significantly increased around the release date.

Spammers started offering the new smartphone long before its official release - as a prize for participating in questionnaires and special offers, as a gift when purchasing goods or using services offered in spam; the stylish accessory was the prize in various lotteries and featured in many false win notifications. Finally the iPhone 6 was offered for unbelievably low prices (compared to the official price).

Compared to the previous models the design of the iPhone 6 has several noticeable changes - including the size of the screen. This caused a burst of spam from factories producing all manner of accessories, actively offering protective cases and the like in the new size.

This all shows how a single event can trigger an increase in many different kind of spam, both swindles and adverts. In many cases it was also a powerful hook to draw attention to letters; the mere mention of the new iPhone in the subject header greatly increased the chances of the message being read.

Spam as a way to steal mail addresses

The last quarter saw several leaks of account logins and passwords from major mail systems. The data appeared on the net, which worried users and prompted lively discussions about confidentiality. At the same time the companies owning the mail services announced that most of the published data was from long abandoned accounts and the few that were still active were probably hijacked by phishing.

We note that the ID data for an email account doesn't just give wrongdoers access to the owners' personal correspondence and their address books; it also opens up other services provided by the mail host. Logins and passwords for other resources could also fall into unwelcome hands, especially those for social networks and online stores registered to that mailbox. The demand for email logins and passwords is underlined by the volume of phishing communications we have found that were designed specifically for this purpose that. In the third quarter we encountered phishing letters using various methods to con people out of their data. Here are a few examples:

  1. Communications in which a phishing HTML-page is inserted directly into the letter.
  2. Communications with phishing links in the text of the letter. The false link might be tied to a text fragment or shown in the text of the letter. Often the swindlers place phishing pages on specially created third-level domains.

  3. Communications in which an email address and password have to be sent to a specific electronic address.

Among the most popular tricks used for stealing data are warnings about exceeding the size of a mailbox, system updates and blocking mailboxes. And although these phishing letters frequently imitate communications from specific mail services the great majority of them are just general requests to confirm logins and passwords for email addresses. Probably this is because the conmen are sending false warnings to a whole database of addresses at once rather than going through the unprofitably time-consuming process of selecting specific mail services.

Spam is going beyond mail

Offers to conduct marketing campaign that will develop business and attract new clients is a popular and widespread trend in spam. Typically these involve mass mailshots to advertise services. Increasingly, though, these campaigns are moving away from mail services and email addresses and targeting mobiles and smartphones.

In the third quarter of 2014 spammers started offering SMS and instant messaging advertising more often. Does this mean that classic email spam is going to take a back seat and surrender its predominance to SMS spam?  Having analyzed the link between SMS spam and email spam we came to the conclusion that this is unlikely. Firstly, more and more countries are alert to the problem of SMS spam and taking legislative measures banning this type of mass advertising. Secondly there is an obvious connection between all the media platforms used to distribute unwanted adverts and classic email spam.

The fact is, to find customers for their new products spammers continue to use old-fashioned techniques — with the help of spam mailings. There is even a specific type of email sendout in which spammers offer to buy readymade databases of electronic addresses and telephone numbers created using specific criteria to target a specific audience. There are also phishing mailshots aimed at collecting the personal data of users and organizations with the aim of consolidating them into databases for sale or use in mailshots. In this way spam is used to collect data for databases that are then offered for sale or used to send more spam. Spammers continue to use classic email spam to sell telephone numbers for use in SMS spam, and find buyers for their services.

Social networks are another media platform where spam distribution is growing. These have audiences in the millions and are gaining popularity all the time. At the same time hundreds of thousands of these accounts are "dead souls" - bots created specially for sending spam and stealing personal data from real users. In the last quarter we increasingly found spam content in apparently legal formal communications from social networks. What is happening is that almost all accounts in social networks are linked to the email addresses of their owners and messages distributed within the network are sent by email. The contents of such messages are typical spam:  "Nigerian" stories of millions of dollars available to a helpful contact, offers of financial help to start a business or simply adverts for various goods.

This suggests that SMS mailshots and messages in social networks are not new types of spam but new methods that spammers have developed to deliver advertising to users. These are, in one way or another, linked to email spam. Moreover spammers can send the same message by various channels, which creates the impression of an increase in the overall quantity of unwanted adverts being sent.

New developments in "Nigerian" spam

In the third quarter conmen used the political situation in Ukraine and the media storm around the Ebola virus as inspiration for their "Nigerian-style" tales. Politics is a popular topic for this type of conman, as can be seen by the large percentage of letters discussing political themes or well-known public figures. It's not surprising, then, that the situation in Ukraine was actively used during the third quarter. When creating the supposed authors of these messages the conmen didn't just invent Ukrainians in various professions; they also conjured up politicians and businessmen offering cash rewards for help in transferring or investing large sums of money.

Letters concerning the Ebola virus were usually sent in the name of individuals from West Africa infected with the deadly virus. But there were unusual variations, for example invitations to related conferences. Regardless of the author of the letter and the convincing tales within the aim of the conmen does not change from year to year — to relieve the victims of their money.

Malicious email  attachments

Top 10 malicious programs sent by email,
third quarter of 2014

In the third quarter of 2014 Trojan.JS.Redirector.adf was the malicious program most often distributed via email, according to our ranking. It appears as an HTML page which, when opened by users, redirects them to an infected site. There it usually offers to load Binbot — a service for the automatic trading of binary options, which are currently popular on the net. The malware spreads via email in a passwordless ZIP archive.

Next comes Trojan-Spy.HTML.Fraud.gen. This program was top of the list for several previous quarters but has finally been pushed down. Trojan-Spy.HTML.Fraud.gen is a phishing HTML page on which the user is asked to enter their confidential data. All the entered information is then sent to cybercriminals. Compared to the last quarter the figure for this malware has fallen by 0.62 percentage points.

In third place is Trojan.Win32.Yakes.fize, a Trojan loader of the Dofoil type. Its relative, Trojan-Downloader.Win32.Dofoil.dx, is in fourth. Malware programs of this type download another malicious program onto the user's computer, start it and use it to steal assorted user information, especially passwords.

In fifth and ninth places are two members of the universal bot module family Andromeda/Gamarue - Backdoor.Win32.Androm.enji and Backdoor.Win32.Androm.euqt. The main features of these malware programs are the ability to download, store and run executable files, downloading and loading DLL (without saving on disk), downloading plugins and the capability of updating and deleting themselves. The bot's functionality is enhanced with a system of plugins which can be downloded by the cybercriminals whenever necessary.

The sixth and seventh positions are taken by Trojan.Win32.Bublik.clhs and Trojan.Win32.Bublik.bwbx respectively. These are modifications of the well-known Bublik malware— a Trojan-loader that downloads a malicious file onto the user's computer and launches it.

In eighth place is the mail worm Email-Worm.Win32.Bagle.gt. The main function of all mail worms is to collect email addresses from infected computers. A mail worm of the Bagle family can also accept remote commands to install other malicious programs.

Our rating is completed by Trojan-Banker.Win32.ChePro.ink. This downloader is created in the form of a CPL-applet (a control panel component) and downloads Trojans designed to steal confidential financial information. Most programs of this type are aimed at Brazilian and Portuguese banks.

Distribution of email malware by family

As regards the most popular families of malicious programs, their email distribution is as follows:

TOP 10 families of malware programs distributed by email,
third quarter of 2014

Heading the rating is the Andromeda family, which accounts for 12.35% of all malware. In second place is ZeuS/Zbot: members of this family are designed for attacks on servers and users' computers and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions it is most often used to steal banking information. It can also install CryptoLocker - a malicious program that extorts money to decrypt users' data.

Bublik, which often loads Zbot, also made the top 10 most frequently encountered malware families.

Countries targeted by malicious mailshots

Distribution of email antivirus activations by country,
third quarter 2014

In the third quarter there were some changes in the countries targeted by mailshots with malicious contents. Now we see Germany in top spot with 10.11%. Britain drops to second, losing 1.22 percentage points compared to the second quarter. In the third place is the USA, down 1.77 percentage points.

Russia, which in the second quarter was in 19th place with 1.48%, climbed to 6th place this quarter (4.25%); the share of malicious spam directed at the country increased almost threefold.

Special features of malicious spam Ice Bucket Challenge

During the past quarter cybercriminals continued to use high profile events to attract attention to mailshots containing malware. This time around the Ice Bucket Challenge, a hugely popular summer campaign, was one of these events. The aim of this campaign was to raise awareness of amyotrophic lateral sclerosis, and also to collect funds to research the disease. An enormous number of people took part, many of them famous: actors, politicians, sportsmen and women, businessmen, and musicians poured ice-cold water over themselves, uploading videos of the process and passing the baton on further. At the peak of its popularity conmen got involved, seeing the campaign as a chance to attract attention to their malicious communications.

As a result unsuspecting users began to receive letters with offers to join the ALS association and change their lives, as thousands of others had already done. The recipients were offered an inspiring video to watch, located in an archive attached to the letter. But in place of the promised video a malicious program such as Backdoor.Win32.Androm.eu.op lay in wait. Such programs allow cybercriminals to infect computers, which often become part of botnets.

"Malicious messages" from booking systems

In the third quarter of 2014 cybercriminals sent some seasonal malicious spam tying in with the themes of the summer holidays. Spam traffic featured false messages from hotels, booking services and airlines in English and German. Traditionally the conmen try to convince users that a ZIP archive contains information about hotel bookings or air tickets.

Among others we found false communications from American Airlines; executable files were attached to letters that contained malware from the Net-Worm.Win32.Aspxor family. These net worms can send spam, download and run other programs, collect valuable data from the victim's computer (saved passwords, mail and FTP accounts) and also automatically search for vulnerable sites for further infections to keep spreading the bot.

Forged letters in German, supposedly sent by an Internet portal for booking hotels in Germany, contained the malware Trojan-Spy.Win32.Ursnif. This Trojan steals confidential data and is capable of monitoring net traffic, loading and running other malware programs and also switching off several system applications.

Malware in ARJ archives

In September we detected a major malicious mailout with an unusual attachment for spam letters — an archive in ARJ format. It should be noted that this choice of file archiver was probably made precisely because of the unusual file format. The criminals assumed users would be aware of the potential dangers of ZIP and RAR archive attachments but may be less suspicious of an unfamiliar tag. Furthermore the ARJ archiver allows the file size to be reduced considerably and its source code is available to all for study and modification.

The cybercriminals sent several types of malicious letter within one mailout. These were an announcement about receipt of a fax, an account statement from a specific company and a personal communication with a greeting in the body of the letter. All the letters had an attachment in the form of a malicious program from the family Trojan-Downloader.Win32.Cabby, which distracts victims with an RTF or DOC document and loads a malware program from the ZeuS/Zbot family at the same. All attachment filenames were generated using the same format. To give the letters a unique feel the cybercriminals changed several fragments of the text and the antivirus automatic signature.

Statistics The proportion of spam in email traffic

The proportion of spam in email traffic,
April – September 2014

The proportion of spam in email traffic according to the figures for the third quarter of 2014 was 66.9%, which is 1.7 percentage points lower than in the previous quarter. The greatest amount of spam was sent in August and the least in September.

Spam source countries

Countries that are sources of spam,
third quarter 2014

In the third quarter of 2014 the USA remained the country that was the biggest source of spam, sending almost 14% of unwanted mail. In second place was Russia with 6.1%. Completing the trio of leaders was Vietnam with almost the same amount as Russia at 6% of the world's spam.

The distribution of sources of spam had few surprises. China (5.1%), Argentina (4.1%), and Germany (3.5) made it into the top ten with Brazil in tenth place at 2.9%.

The size of spam letters

The sizes of spam letters,
third quarter 2014

The distribution of spam by size has hardly changed from the second quarter. The leaders remain very short letters of up to 1 Kb, which are quick and easy to handle in mass mailings. The proportion of these letters increased by 4.6 percentage points.

There was a slight reduction in the proportion of letters in the size range 2 Kb — 5 Kb — by 4.8 percentage points. There was also a small reduction in the amount of spam in the 5-10 Kb range, by 2.5 percentage points. However there was a 1.7 percentage point increase in the share of letters with a size of 10-20 Kb.

Phishing

In the third quarter of 2014 the computers of users of Kaspersky Lab products recorded 71,591,006 instances that triggered the "Antiphishing" system. This is 11.5 million more than in the last quarter.

As in the second quarter, the largest single group of users subjected to phishing attacks was in Brazil — the number was up 3.53 percentage points to 26.73%.

The geography of phishing attacks*,
third quarter of 2014

* The percentage of users on whose computers the "Antiphishing" system was triggered out of the total number of users of Kaspersky Lab products in the country

Top 10 countries by percentage of attacked users:

  Country % of users 1 Brazil 26.73% 2 India 20.08% 3 Australia 19.37% 4 France 18.08% 5 UAE 17.13% 6 Canada 17.08% 7 Kazakhstan 16.09% 8 China 16.05% 9 UK 15.58% 10 Portugal 15.34%

There was a noticeable increase in attacked users in China (+4.74%), Australia (+3.27%), the UAE (+2.83%) and Canada (+1.31%).

Organisations under attack

The statistics on the targets of phishing attacks are based on the triggering of the heuristic component of the "Antiphishing" system. The heuristic component of the "Antiphishing" system is triggered when the user follows a link to a phishing page and there is no information about this page in the Kaspersky Lab databases. For this it is not important how the page was entered, as the result of clicking on a link in a phishing letter, a social network message or, for example, as the result of an action of a malicious program. As a result of the triggering the user sees a warning of the possible threat in the browser.

As before, the "Email and search portals" category (previously known as "Global Internet portals") was the group of organizations most often subject to phishing attacks. However the share for this category has dropped sharply – by 22.15 percentage points – and in the third quarter it stands at 28.54%.

Distribution of organisations subject to phishing attacks,
third quarter of 2014

In the third quarter of 2014 the "Online finance" category saw a 13.39 percentage point rise to 38.23%. Within its sub-categories there were increases for the second quarter in a row for "Banks" (+6.16%), "Payment systems" (+5.85%) and "Online shops" (+3.18%).

Distribution of phishing attacks on payment systems,
third quarter 2014

Phishing attacks on payment systems are particularly attractive because conmen can get their hands directly on their victims' money. Paypal was the most frequently targeted payment system (32.08%) with Visa (31.51%) close behind and American Express in third with 24.83%.

Phishing attacks on the users of payment systems are often conducted by sending false letters, apparently written by representatives of the financial organizations. These letters contain threats to block the account or stop account activity and are designed to startle users into a rash response, which could include transferring confidential information to cybercriminals.

An example of a phishing letter with a threat to block the victim's account

In this example the letter was sent from a suspicious address that didn't match Paypal's usual mailing address. There was a threat to the user that the account would be blocked if account data was not renewed, and a request to follow the link and enter personal data on the page that opened.

Phishing page imitating a Paypal website page

Following the link the user sees a page imitating the layout of the official Paypal website, with a form for the entry of personal data. However the connection to this page is not protected, which is shown by the lack of HTTPS in the address line and the indicated IP address does not belong to Paypal.

Top 3 attacked organizations   Organization % of phishing links 1 Google 10.34% 2 Facebook 10.21% 3 Yahoo! 6.36%

The top three target organizations remain Google, Facebook and Yahoo!, however there have been changes within the top three. The numbers for Google (10.34%) and Facebook (10.21%) have increased slightly: these organizations have gone up a place in step. Yahoo!, which was the undisputed leader in the first half of 2014, has dropped down to third — the figure for the organization decreased by 24.62% to 6.36%.

Hot topics in phishing

Apple was not in the top three, although it climbed in the rating of organizations subject to phishing attacks to reach fourth place with a figure of 1.39% (+0.98%). At the beginning of September the company was involved in a major scandal, connected with leaked photographs of famous people from its iCloud storage servcie. Apple dismissed rumours about the presence of vulnerabilities in the service leading to leaked data; it could be the result of a phishing attack targeting users of Apple products (it is not clear whether this was a targeted attack or if hackers were simply lucky that there were several stars among their victims).

In addition, the new iPhone 6 and 6 Plus were announced on 9 September. Major events in a company usually attract additional interest from swindlers so it is not surprising that we recorded a growth in the number of false communications  sent in the name of representatives of Apple services such as iTunes and iCloud.

Conmen used the name of the company to attract users' attention and frequently used the same letter format, changing only the name of the Apple service.

Number of daily phishing attacks imitating pages of Apple resources,
second and third quarters of 2014

Apple uses a two stage check for Apple ID to protect the personal data of users, including the registration of one or several trusted devices. The two stage check eliminates the possibility of unsanctioned access to or alteration of the user's registered details and prevents outsiders from making purchases by using stolen registration details. On 5 September Apple announced that it would soon be taking additional safety measures which would inform users of suspicious activity on their accounts.


Example phishing pages requesting Apple ID data

Among other things, users can improve their safety by attentively studying any page that asks for confidential information. Attention should be paid to the presence of a protected connection and whether the domain belongs to Apple. It is worth considering what information is being requested - conmen frequently ask for information unrelated to what is needed for using Apple ID; they often ask for bank card details under the pretext of linking them to the account. In these cases if the users independently supply the swindlers with financial information Apple's defenses cannot protect them from the consequences.

Example of a phishing page imitating an Apple request for confirmation of personal information

Conclusion

The share of spam in email traffic for the third quarter of 2014 was 66.9%, which is 1.7 percentage points less than in the last quarter.

The topics of spam in the third quarter strongly reflected major news events such as the release of the iPhone 6, political developments in Ukraine, the leak of network passwords from major mail services, the Ice Bucket Challenge campaign and the summer holiday season. Major world events are also actively exploited in "Nigerian" spam.

The three leading source countries for spam sent across the world are the USA (14%), Russia (6.1%) and Vietnam (6%).

The rankings of malware programs sent by email, according to third quarter figures, are headed by Trojan.JS.Redirector.adf (2.8%), which sends users to an infected site. Among the families of malicious programs the Andromeda family was the leader with a 12.35% share of all malware. Users in Germany experience more attacks than those anywhere else.

The third quarter saw spam traffic consisting of phishing letters aimed at trying to steal logins and passwords for email accounts, and the release of the new iPhone saw a flare up of phishing communications apparently sent from the Apple iTunes and iCloud services.

In order to install their malicious programs on users' computers in the third quarter cybercriminals sent out not only false communications from hotel booking services and airlines but also letters with long unused file archivers.

The growth of phishing attacks on organizations involved in online financial operations continued (banks, payment systems, online shops). There was a significant reduction in the number of attacks on organizations from the category "Email and search portals", down to 28.54%. There was also a noticeable reduction in the proportion of attacks directed at Yahoo!, one of the organizations in this category.

State of Play: Network Devices Facing Bulls-eye

Malware Alerts - Wed, 11/26/2014 - 04:00

A long time has passed since we published our analysis of threats for home network devices. Since then, the situation has significantly changed - alas, not for the better. Back in 2011, we were concerned mainly about the security of SOHO routers, DSL modems and wifi access points. Today, we are talking about the whole Internet-of-Things, which includes every single machine, appliance or gadget that is able to communicate over the Internet.

Let's recall what kind of threats for network devices we were aware of at the end of 2011:

  • DNS poisoning, drive-by pharming and SOHO pharming: exploitation of vulnerabilities in a web interface of a router/modem to change its DNS settings in order to redirect users to malicious websites
  • UPnP & SNMP based attacks: exploitation of vulnerabilities and implementation issues in widely used protocols in order to get access to the device
  • Malicious binaries: Linux-based DDoS (Distributed Denial of Service) tools, especially customized to run on routers; router botnets, capable of conducting a wide range of attacks; worms, infecting routers and spreading through the network

And now, let's look at the year 2014 and see which of our predictions came true...

More SOHO pharming attacks

True. There have been numerous attacks utilizing a router's DNS settings to obtain users banking credentials and redirect users to malicious websites. Just to name a few of the biggest incidents:

  • January 2014: huge SOHO pharming campaign affecting a wide range of routers from several manufacturers all over the world.The attackers exploited a variety of vulnerabilities to change the DNS settings of more than 300 000 devices, mainly located in Vietnam, India and Thailand, but also in several countries in Europe, both Americas and Africa. As a result, all traffic from behind the compromised routers was redirected to the malicious servers, enabling cybercriminals to decide if users should be pointed to the original version of the website they requested, or to the phishing/malicious one.
  • February 2014: another large scale campaign using the DNS poisoning technique. This time the attack was highly targeted and the goals of the cybercriminals were strictly defined: the attack was designed to steal the banking credentials from users of five popular Polish banks. In this case the number of infected routers was about 100 and most of them were located in Poland and Russia. When users tried to log into the online banking website, they were redirected to a modified site which requested them to provide the confidential information.
  • September 2014: classical drive-by pharming attack targeting home routers in Mexico and Brazil. This attack started with malicious email, spammed to a large number of Portuguese-speaking users, in which cybercriminals tried to lure the recipient to click on the link to malicious website. The HTML script on this website was designed to try several combinations of default credentials to access the configuration of the router and change its DNS settings. If this approach failed, the script displayed a pop up, asking user to enter the router credentials manually.
Binary malware for ARM and other platforms

True. We have discovered more malware samples that are affecting MIPS routers, and – more importantly – samples developed in such a way that they might be compiled for different platforms (MIPS, ARM, Intel, PPC, SuperH, etc.) and run on different kinds of Linux-based devices. A couple of examples:

  • Aidra – an open source DDoS tool, designed to scan modems/routers and create a botnet from exploitable devices. There are currently several Aidra binaries in the wild, compiled for different platforms (MIPS, ARM, PPC, SuperH), which means that this worm has been customized to be able to infect Internet-of-Things devices.
  • Figure 1 – Aidra - open source DDoS tool

  • Darlloz – a Linux worm and bot designed for MIPS, ARM and Intel architectures, spreading through a PHP-CGI vulnerability to randomly generated IP addresses and capable of downloading and running additional code. It communicates with the malicious operator by opening a backdoor on TCP port 58455 and waiting for commands. It infected more than 30 000 devices, mainly in the US and China, and – as it was proven later – was used to install crypto-currency mining software (cpuminer), at least on Intel x86 devices.
  • Figure 2a – Darlloz worm, code compiled for ARM architecture

    Figure 2b – Darlloz worm, same code snipped, compiled for x86 architecture

  • The Moon worm – a mysterious worm, spreading through a remote authentication bypass exploit in the implementation of the HNAP protocol in Linksys E-Series routers. This malware collects information about the device and communicates with its C&C (Command and Control) servers using quotes and images from the 2009 sci-fi movie called "The Moon". The IP ranges that the worm scans, in order to exploit them, are hard-coded in the binary and include about 670 networks, most of which belong to certain DSL and cable modem ISPs in different countries.
  • Figure 3 – The Moon worm, strings related to The Moon movie

Permanent modifications of firmware

True. The story published in the German c't magazine revealed the first router malware that was trying to make persistent changes to the router firmware. The malware consisted of several Linux shell scripts that were responsible for downloading the modified version of the firmware, overwriting the original image and rebooting the router. The malicious firmware came with a modified init script, which launched a sniffing tool (dsniff) on the infected machine, capturing traffic and sending all the intercepted data to the C&C FTP server. This malware was found to be affecting not only routers but also other Linux-based embedded devices, such as Dreambox DVB receivers.

Figure 4 – Flasher, script replacing the original firmware

Figure 5 – Flasher, script running the sniffer and uploading the data to FTP server

Cross-platform and multi-platform malware

True. Malware and botnets traditionally associated with Windows machines only, now start to use routers and other Internet enabled devices for different malicious purposes:

  • The Sality virus was found to incorporate SOHO routers in its replication process, by using DNS poisoning method to redirect users to infected files. In this case, the malware used was Windows malware similar to the DNSChanger Trojan.
  • The Black Energy 2 botnet also got an IoT upgrade: it started to use additional plugins which are designed to run on Linux-based MIPS and ARM devices. These modules are capable of performing DDoS attacks, stealing passwords, scanning ports in the network and sniffing traffic. They are communicating with C&C servers and are able to execute specified shell commands and download and launch additional binaries.  We have recently published an in-depth analysis of Black Energy 2, where you can find much more details about it.
More vulnerabilities in firmware discovered and exploited

True. Several critical vulnerabilities affecting Internet-of-Things devices were discovered and reported to the vendors this year. Just to name a few:

  • Rom-0 vulnerability in ZyXEL routers, which allows an attacker to download the router's configuration file without any authentication
  • CVE-2014-2719 vulnerability in ASUS wireless routers, which allows an attacker to retrieve the router's credentials
  • 15 zero-day vulnerabilities in 10 different SOHO router models, revealed at the Defcon 22's SOHOpelessly Broken contest
  • Our colleague, David Jacoby, found interesting zero-days in the devices he uses at home.
  • We also need to remember that the Heartbleed and Shellshock vulnerabilities affect some Linux-based network devices and internet-of-Things devices as well.

But what is even more scary than the growth in discovered vulnerabilities, is the fact that certain vendors seem to implement hardcoded firmware backdoors in their products, providing cybercriminals with an easy way-in, especially to devices that no longer receive any updates.

As we can see, the security situation of the network devices didn't much improve since 2011. Most of our predictions came true: the threats are on the rise and cybercriminals widen their interest not only to home routers and modems, but to the whole Internet-of-Things. Although both the vendos and the ISPs are slowly realizing the threat and trying to make their devices more secure, there is still a lot to do. For example, one of the very serious issues is that most of the older devices are not receiving firmware updates anymore, so if there is any new attack vector discovered, users can do literally nothing to protect themselves against it, unless they decide to purchase an (often expensive) newer version of the device, that is still being supported. This issue is not easy to fix: for the vendors, it wouldn't really be cost-effective to support each of the devices they offer for a long period of time; and without the software patches, there is not much to do to secure these devices from the customer's side. Times has changed, and we need to come up with a new security model for Internet of Things, as the old one is not working properly anymore.

To learn, how to protect your home network, please read the guidelines put together by my colleague, David Jacoby.

Guidelines for securing your home

Malware Alerts - Wed, 11/26/2014 - 04:00

Our homes today look more like small offices. We have tons of different devices connected to our network, everything from storage devices and network equipment to wireless network printers. The entire "home entertainment" industry is getting connected: it is very difficult to buy a TV, DVD or Blu-ray player that's does not have WIFI… the same thing goes for the gaming industry: all new gaming consoles require Internet connectivity.

I do love the fact that we are applying new technology to old concepts, and improving functionality. I personally even have my old retro computers connected to the Internet - and we are talking about old computers such as Commodore 64, Amiga 500 and Atari computers - because I love the fact of adding new functionality to old things.

And as we know, with great power comes great responsibility. But this is not something that the consumer product vendors are really adopting when adding extra functionality to their "old" products. I did some research where I looked into the devices that were connected to my own home network, and the result was extremely scary! Within minutes I was able to fully compromise some of my devices, turning them into zombie machines in botnets, bypassing all the security and accessing files on storage devices that I did not have the authority to access.

Many people still believe that these attacks are difficult, and require someone  to sit on the same network as your devices, for example on your private WIFI connection, but this is false perception. There are very easy and effective ways to compromise the network of connected devices behind your personal firewall remotely over the Internet.

My colleague, Marta Janus, also did some very interesting research where she looked into the (in)security of home modems and routers, and we both came to the same conclusion. We need to act now! This is not a futuristic problem, this problem exists now. Cybercriminals are exploiting these weaknesses right now and the industry is not doing enough about this.

This is not only a technical problem that can be resolved with a patch. Consumers in general are very bad at understanding how these network connected devices should be installed. All of these devices have different usage, and because of that also require different network configurations. We are very lazy, and without proper installation instructions we simple connect the devices to our network; and when that is done, we consider the installation complete.

What is happening is that you are sharing the same network configuration among all devices. This results, for example, in having a TV, Blu-ray player and network storage device on the same network as the laptop you use to do online banking, home finances, online shopping and maybe even work.

The vendors also need to take more responsibility when shipping consumer products. Most people don't understand that the support lifecycle of these devices is only about six months; after that there will be no more updates or support from the vendor, because they need to support the next upcoming products.

From talking to friends and family, it's clear that they have a problem realizing that this is actually a threat! People still believe that it's always "someone else" who will get infected with malicious code, or who will get their credit card details or identity stolen. Please wake up to the real world -  this is happening right here, right now! Some really good examples of these types of attacks are:

  • Customers to one of the largest ISPs in Sweden were sent vulnerable routers by the ISP, allowing attackers to remotely compromise the device though a "god-like" account with an very weak password; and all devices had the same account with the same password.
  • A large amount of money was stolen from the customers of five popular Polish banks, following an attack in which cybercriminals changed the settings of hundreds of vulnerable SOHO routers in order to redirect users to the fake banking websites.
  • Malware (Psyb0t) targeted home SOHO routers exploiting software weaknesses, but also weak passwords in the administrative interface - turning the device into a zombie in a botnet.
  • Malware (BlackEnergy2) implemented additional modules, designed to run on Internet-of-Things devices, in order to perform DDoS (Distributed Denial of Service) attacks, steal passwords and sniff network traffic.
  • Malware (Flasher) replaced the firmware on vulnerable SOHO devices with a modified system image that eavesdrops on users' network activity.

As researchers it is very easy to identify security weaknesses and flame the vendors about them, but it is a bit more challenging to come up with an effective conclusion. Together with Marta, we compiled a little list of easy tips and tricks that you should apply if you have network connected devices. It's only general tips because finding one solution that works on multiple devices is very complex; all products look and feel different and have different usages.

  1. Change default passwords on the device; attackers will try to exploit this!
  2. If possible try to update the firmware to the latest version!
  3. If you do not use the network connectivity on the device, TURN IT OFF! If you use it, or if it's necessary for the device to work, make sure that there is NO REMOTE ACCESS to the management interface of the device from the outside world.
  4. Apply strong network segmentation for your connected devices
    • Does the device require access to the INTERNET?
    • Does the device, for example a TV, require access to the same network as your personal data?
  5. Switch off unnecessary features. Contemporary IoT devices usually implement a variety of different functionalities, some of which you might not even be aware of. It's good practice, after buying each new device, to learn about all its features and disable the ones that you are not going to use. Having all the features enabled increases the potential attack surface.
  6. Read The Fascinating Manual. Every device is shipped with a manual, which documents its features and configuration settings. Also, there is usually a lot of additional documentation available online. To keep your home secure, you should always familiarize yourself with any new device that you are going to incorporate into your network and take all the recommended steps to make the device as secure as possible.
  7. Please contact the support team of the vendor if you do have questions. When buying consumer products, you also pay for support. Use it! They will offer guidance for your specific device!

Regin: Nation-state ownage of GSM networks

Malware Alerts - Mon, 11/24/2014 - 09:00
Motto: "Beware of Regin, the master! His heart is poisoned. He would be thy bane..." "The Story of Siegfried" by James Baldwin   Introduction, history

Download our full Regin paper (PDF).

In the spring of 2012, following a Kaspersky Lab presentation on the unusual facts surrounding the Duqu malware, a security researcher contacted us and mentioned that Duqu reminded him of another high-end malware incident. Although he couldn't share a sample, the third-party researcher mentioned the "Regin" name, a malware attack that is now dreaded by many security administrators in governmental agencies around the world.

For the past two years, we've been tracking this most elusive malware across the world. From time to time, samples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in functionality and lacking context.

It's unknown exactly when the first samples of Regin were created. Some of them have timestamps dating back to 2003.

The victims of Regin fall into the following categories:

  • Telecom operators
  • Government institutions
  • Multi-national political bodies
  • Financial institutions
  • Research institutions
  • Individuals involved in advanced mathematical/cryptographical research

So far, we've observed two main objectives from the attackers:

  • Intelligence gathering
  • Facilitating other types of attacks

While in most cases, the attackers were focused on extracting sensitive information, such as e-mails and documents, we have observed cases where the attackers compromised telecom operators to enable the launch of additional sophisticated attacks. More about this in the GSM Targeting section below.

Perhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.

Another interesting victim of Regin is a computer we are calling "The Magnet of Threats". This computer belongs to a research institution and has been attacked by Turla, Mask/Careto, Regin, Itaduke, Animal Farm and some other advanced threats that do not have a public name, all co-existing happily on the same computer at some point.

Initial compromise and lateral movement

The exact method of the initial compromise remains a mystery, although several theories exist, which include man-in-the-middle attacks with browser zero-day exploits. For some of the victims, we observed tools and modules designed for lateral movement. So far, we have not encountered any exploits. The replication modules are copied to remote computers by using Windows administrative shares and then executed. Obviously, this technique requires administrative privileges inside the victim's network. In several cases, the infected machines were also Windows domain controllers. Targeting of system administrators via web-based exploits is one simple way of achieving immediate administrative access to the entire network.

The Regin platform

In short, Regin is a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote control at all possible levels.

The platform is extremely modular in nature and has multiple stages.

Regin platform diagram

The first stage ("stage 1") is generally the only executable file that will appear in victim' systems. Further stages are stored either directly on the hard drive (for 64 bit systems), as NTFS Extended Attributes or registry entries. We've observed many different stage 1 modules, which sometimes have been merged with public sources to achieve a type of polymorphism, complicating the detection process.

The second stage has multiple purposes and can remove the Regin infection from the system if instructed so by the 3rd stage.

The second stage also creates a marker file that can be used to identify the infected machine. Known filenames for this marker are:

  • %SYSTEMROOT%\system32\nsreg1.dat
  • %SYSTEMROOT%\system32\bssec3.dat
  • %SYSTEMROOT%\system32\msrdc64.dat

Stage 3 exists only on 32 bit systems - on 64 bit systems, stage 2 loads the dispatcher directly, skipping the third stage.

Stage 4, the dispatcher, is perhaps the most complex single module of the entire platform. The dispatcher is the user-mode core of the framework. It is loaded directly as the third stage of the 64-bit bootstrap process or extracted and loaded from the VFS as module 50221 as the fourth stage on 32-bit systems.

The dispatcher takes care of the most complicated tasks of the Regin platform, such as providing an API to access virtual file systems, basic communications and storage functions as well as network transport sub-routines. In essence, the dispatcher is the brain that runs the entire platform.

A thorough description of all malware stages can be found in our full technical paper.

Virtual File Systems (32/64-bit)

The most interesting code from the Regin platform is stored in encrypted file storages, known as Virtual File Systems (VFSes).

During our analysis we were able to obtain 24 VFSes, from multiple victims around the world. Generally, these have random names and can be located in several places in the infected system. For a full list, including format of the Regin VFSes, see our technical paper.

Unusual modules and artifacts

With high-end APT groups such as the one behind Regin, mistakes are very rare. Nevertheless, they do happen. Some of the VFSes we analyzed contain words which appear to be the respective codenames of the modules deployed on the victim:

  • legspinv2.6 and LEGSPINv2.6
  • WILLISCHECKv2.0
  • HOPSCOTCH

Another module we found, which is a plugin type 55001.0 references another codename, which is U_STARBUCKS:

GSM Targeting

The most interesting aspect we found so far about Regin is related to an infection of a large GSM operator. One VFS encrypted entry we located had internal id 50049.2 and appears to be an activity log on a GSM Base Station Controller.

From https://en.wikipedia.org/wiki/Base_station_subsystem

According to the GSM documentation (http://www.telecomabc.com/b/bsc.html): "The Base Station Controller (BSC) is in control of and supervises a number of Base Transceiver Stations (BTS). The BSC is responsible for the allocation of radio resources to a mobile call and for the handovers that are made between base stations under his control. Other handovers are under control of the MSC."

Here's a look at the decoded Regin GSM activity log:

This log is about 70KB in size and contains hundreds of entries like the ones above. It also includes timestamps which indicate exactly when the command was executed.

The entries in the log appear to contain Ericsson OSS MML (Man-Machine Language as defined by ITU-T) commands.

Here's a list of some commands issued on the Base Station Controller, together with some of their timestamps:

2008-04-25 11:12:14: rxmop:moty=rxotrx; 2008-04-25 11:58:16: rxmsp:moty=rxotrx; 2008-04-25 14:37:05: rlcrp:cell=all; 2008-04-26 04:48:54: rxble:mo=rxocf-170,subord; 2008-04-26 06:16:22: rxtcp:MOty=RXOtg,cell=kst022a; 2008-04-26 10:06:03: IOSTP; 2008-04-27 03:31:57: rlstc:cell=pty013c,state=active; 2008-04-27 06:07:43: allip:acl=a2; 2008-04-28 06:27:55: dtstp:DIP=264rbl2; 2008-05-02 01:46:02: rlstp:cell=all,state=halted; 2008-05-08 06:12:48: rlmfc:cell=NGR035W,mbcchno=83&512&93&90&514&522,listtype=active; 2008-05-08 07:33:12: rlnri:cell=NGR058y,cellr=ngr058x; 2008-05-12 17:28:29: rrtpp:trapool=all;


Descriptions for the commands:

  • rxmop - check software version type;
  • rxmsp - list current call forwarding settings of the Mobile Station;
  • rlcrp - list off call forwarding settings for the Base Station Controller;
  • rxble - enable (unblock) call forwarding;
  • rxtcp - show the Transceiver Group of particular cell;
  • allip - show external alarm;
  • dtstp - show DIgital Path (DIP) settings (DIP is the name of the function used for supervision of the connected PCM (Pulse Code Modulation) lines);
  • rlstc - activate cell(s) in the GSM network;
  • rlstp - stop cell(s) in the GSM network;
  • rlmfc - add frequencies to the active broadcast control channel allocation list;
  • rlnri - add cell neightbour;
  • rrtpp - show radio transmission transcoder pool details;

The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts:

sed[snip]:Alla[snip]
hed[snip]:Bag[snip]
oss:New[snip]
administrator:Adm[snip]
nss1:Eric[snip]

In total, the log indicates that commands were executed on 136 different cells. Some of the cell names include "prn021a, gzn010a, wdk004, kbl027a, etc...". The command log we obtained covers a period of about one month, from April 25, 2008 through May 27, 2008. It is unknown why the commands stopped in May 2008 though; perhaps the infection was removed or the attackers achieved their objective and moved on. Another explanation is that the attackers improved or changed the malware to stop saving logs locally and that's why only some older logs were discovered.

Communication and C&C

The C&C mechanism implemented in Regin is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks. Most victims communicate with another machine in their own internal network, through various protocols, as specified in the config file. These include HTTP and Windows network pipes. The purpose of such a complex infrastructure is to achieve two goals: give attackers access deep into the network, potentially bypassing air gaps and restrict as much as possible the traffic to the C&C.

Here's a look at the decoded configurations:

17.3.40.101 transport 50037 0 0 y.y.y.5:80 ; transport 50051 217.y.y.yt:443 17.3.40.93 transport 50035 217.x.x.x:443 ; transport 50035 217.x.x.x:443 50.103.14.80 transport 27 203.199.89.80 ; transport 50035 194.z.z.z:8080 51.9.1.3 transport 50035 192.168.3.3:445 ; transport 50035 192.168.3.3:9322 18.159.0.1 transport 50271 DC ; transport 50271 DC


In the above table, we see configurations extracted from several victims that bridge together infected machines in what appears to be virtual networks: 17.3.40.x, 50.103.14.x, 51.9.1.x, 18.159.0.x. One of these routes reaches out to the "external" C&C server at 203.199.89.80.

The numbers right after the "transport" indicate the plugin that handles the communication. These are in our case:

  • 27 - ICMP network listener using raw sockets
  • 50035 - Winsock-based network transport
  • 50037 - Network transport over HTTP
  • 50051 - Network transport over HTTPS
  • 50271 - Network transport over SMB (named pipes)

The machines located on the border of the network act as routers, effectively connecting victims from inside the network with C&Cs on the internet.

After decoding all the configurations we've collected, we were able to identify the following external C&Cs.

C&C server IP Location Description 61.67.114.73 Taiwan, Province Of China Taichung Chwbn 202.71.144.113 India, Chetput Chennai Network Operations  (team-m.co) 203.199.89.80 India, Thane Internet Service Provider 194.183.237.145 Belgium, Brussels Perceval S.a.

One particular case includes a country in the Middle East. This case was mind-blowing so we thought it's important to present it. In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, educational institution network and a bank.

These victims spread across the country are all interconnected to each other. One of the victims contains a translation drone which has the ability to forward the packets outside of the country, to the C&C in India.

This represents a rather interesting command-and-control mechanism, which is guaranteed to raise very little suspicions. For instance, if all commands to the president's office are sent through the bank's network, then all the malicious traffic visible for the president's office sysadmins will be only with the bank, in the same country.

Victim Statistics

Over the past two years, we collected statistics about the attacks and victims of Regin. These were aided by the fact that even after the malware is uninstalled, certain artifacts are left behind which can help identify an infected (but cleaned) system. For instance, we've seen several cases where the systems were cleaned but the "msrdc64.dat" infection marker was left behind.

So far, victims of Regin were identified in 14 countries:

  • Algeria
  • Afghanistan
  • Belgium
  • Brazil
  • Fiji
  • Germany
  • Iran
  • India
  • Indonesia
  • Kiribati
  • Malaysia
  • Pakistan
  • Russia
  • Syria

In total, we counted 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network. The number of unique PCs infected with Regin is of course much, much higher.

From the map above, Fiji and Kiribati are unusual, because we rarely see such advanced malware in such remote, small countries. In particular, the victim in Kiribati is most unusual. To put this into context, Kiribati is a small island in the Pacific, with a population around 100,000.

More information about the Regin victims is available through Kaspersky Intelligent Services. Contact: intelreports@kaspersky.com

Attribution

Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state. While attribution remains a very difficult problem when it comes to professional attackers such as those behind Regin, certain metadata extracted from the samples might still be relevant.

As this information could be easily altered by the developers, it's up to the reader to attempt to interpret this: as an intentional false flag or a non-critical indicator left by the developers.

More information about Regin is available to Kaspersky Intelligent Services' clients. Contact: intelreports@kaspersky.com

Conclusions

For more than a decade, a sophisticated group known as Regin has targeted high-profile entities around the world with an advanced malware platform. As far as we can tell, the operation is still active, although the malware may have been upgraded to more sophisticated versions. The most recent sample we've seen was from a 64-bit infection. This infection was still active in the spring of 2014.

The name Regin is apparently a reversed "In Reg", short for "In Registry", as the malware can store its modules in the registry. This name and detections first appeared in anti-malware products around March 2011.

From some points of view, the platform reminds us of another sophisticated malware: Turla. Some similarities include the use of virtual file systems and the deployment of communication drones to bridge networks together. Yet through their implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analysed.

The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations. In today's world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users.

Full technical paper with IOCs.

Kaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and Rootkit.Win32.Regin.

If you detect a Regin infection in your network, contact us at: intelservices@kaspersky.com

A Nightmare on Malware Street

Malware Alerts - Sat, 11/22/2014 - 11:49

Another ransomware has been spotted in the wild lately, branded as 'CoinVault'. This one involves some interesting details worth mentioning, including the peculiar characteristic of offering the free decryption of one of the hostage files as a sign of good faith.

Technically, the malware writers have taken a lot of measures to slow down the analysis of the sample. Even though it was made with Microsoft's .NET framework, it takes a while to reach the core of their malicious application. Upon opening the initial sample in 'IL Spy', we find that the program starts by using a string key which is passed to a decryption method, which will ultimately get the executable code.

A byte array is also passed as a parameter to the 'EncryptOrDecrypt' method, which in conjunction with the key will output a final byte array with the malware's much needed code.

Implementing these functions in Visual Studio is as easy as copy/paste, so we execute the methods gotten from the source code and set a breakpoint to check what the decryption method is doing. A '77', '90' in decimal tells us we are on the right track since when converting these numbers to hexadecimal we get '4D', '5A', which is the magic number for DOS executable files identified by the ASCII string 'MZ'. We dump all the bytes to an executable file in disk for further analysis.

We get a file called 'SHIELD runner', serving as a 'RunPE' helper application. A 'RunPE' application serves to execute files on the fly, meaning that a memory stream is created from an input and executed directly without first storing the file to disk. This is useful for malware writers that want to avoid leaving traces behind, and as we'll soon see, it's not all this file has to offer.

Although we'll carry on with our investigation into the ransomware code, there's a noteworthy string embedded in the SHIELD runner executable, 'd:\Users\dennis…'.

In the same way as before, a string key and a byte array are used to generate yet another executable file. As you can see, the cybercriminals have gone to great lengths in order to slow down the analysis and hide the malicious payload for as long as possible.

Not only do we have the usual 'RunPE' functions but also a nice additional set of methods that will help the malware detect analysis tools and virtualized environments. It checks for 'Sandboxie', 'Wireshark', 'Winsock Packet Editor' and even checks whether the machine's name is 'MALTEST'. Fortunately, none of these conditions are met in my environment so we are good to go.

But wait…. there's more! The detection of the virtualized environment will cause the execution to stop and the malicious payload to be hidden.

Using PowerShell, we are going to check if the malware can actually detect our environment. Apparently it can, so we'll need to carry out some simple modifications in order to continue the analysis process.

We can fix this easily from VMWare's configuration VMX file, setting the option 'SMBIOS.reflectHost = TRUE'. Running out PowerShell checks again, we witness the good news and are ready to go even further.

Repeating the process of string key and byte array decryption and dumping the memory at just the right time pays off and we finally end up with the set of files that will be used during the infection.

The CoinVault 'Locker' has two main Windows forms: the main one telling us to pay in order to recover the victim's files and 'frmGetFreeDecrypt' which is used to decrypt one of the victim's files as a way to demonstrate that we can in fact recover our precious information if we comply in a timely manner.

However, before the 'Locker' analysis we'll need to deobfuscate it (at least a little bit). The malware writers display some sense of humor here: if the analyst has gone through this much trouble to reach this point it seems he's welcome as suggested by the phrase, 'Your worst nightmare'. Moreover, they are keen enough to leave a banner signaling the obfuscation utility they used. In this case we are dealing with the ever popular 'Confuser', in its version 1.9.0.0.

Certainly, this is confusing… but we can make it better. So, we go from something that resembles a Chinese manuscript to readable source code.

We now can see, amongst the many (many) methods and delegates inside the assembly some relevant code regarding the file encryption. .NET's 'System.Security.Cryptography.RijndaelManaged' namespace is used (amongst others) revealing symmetric encryption functionality.

We can even get a glance at how the PRNG was implemented and some internal details of the malicious application.

When we are finally shown the 'Locker' executable, a connection is made to a dynamic domain. During the analysis, two addresses were present: 'cvredirect.no-ip.net' and 'cvredirect.ddns.net'. They are currently offline and this hampers the 'Locker' functionality, since upon traffic analysis inspection we were able to see that a hardware ID is sent to the C&C in order to use a dynamic file encryption password. I guess now we can understand why the malware is checking for Wireshark in the system. After all, cybercriminals wouldn't want you to take a peek at how their business is getting done.

At this point, if everything went well (for the cybercriminals) your personal documents and files have been encrypted and a payment is demanded in less than 24 hours or the price will rise. The bitcoin address used is dynamic too, making the tracing of the funds a lot more complex than usual.

Is this your worst nightmare? If you don't have an updated anti-malware suite and (just in case) a backup of your most important files, it might just be.

Kaspersky detects this family as 'Trojan-Ransom.Win32.Crypmodadv.cj'. We have already seen similar malicious applications in the past (regarding functionality) such as 'TorrentLocker', and some PowerShell ransomware, but the amount of effort invested in this one in order to protect the code shows that cybercriminals are leveraging already developed libraries and functionality in order to avoid reinventing the wheel.

AVAR 2014 - Australia

Malware Alerts - Thu, 11/20/2014 - 05:50

This year's 17th Association of anti-Virus Asia Researchers international conference, "AVAR 2014" came back to Sydney, Australia with the theme "Security Down-Under". The event was held here also in 2003.

The arrival hall at Sydney airport did indeed look like this:

More than 170 attendees related to the anti-virus industry, CERTs, law enforcement and academia from around the world had plenty of opportunities to network and exchange thoughts and ideas.

The keynote, delivered by Graham Cluley, included a part where everybody was invited to join in singing "The anti-virus industry song".

The presentations covered subjects like the current global anti-malware ecosystem, the mobile cybercriminal underground market in a certain country, details about the Dragonfly threat actor and much more (see the link below for more information).

Kaspersky Lab's Roman Unuchek did present his research about Android banking botnets.

Colleagues from ESET did a great job organizing not only the conference but also an entertaining gala dinner at the "Power House Museum".

Another highlight was the "after party" in a Bavarian Beer Cafe. That turned into a kind of power house as well when some attendees of the AVAR 2014 got on stage and rocked the place.

Last but not least there was also an opportunity to see a bit of Sydney's scenery and wild life during a tour.

We are looking forward to the next AVAR in 2015, which will be held in Vietnam.

Event site: http://www.avar2014.com/ehome/index.php?eventid=83858&

Pages

Subscribe to RIT Information Security aggregator