Earlier this year, we deployed new technologies in Kaspersky Lab products to identify and block zero-day attacks. This technology already proved its effectiveness earlier this year, when it caught an Adobe Flash zero day exploit (CVE-2016-1010). Earlier this month, our technology caught another zero-day Adobe Flash Player exploit deployed in targeted attacks. We believe the attacks are launched by an APT Group we track under the codename “ScarCruft”.

ScarCruft is a relatively new APT group; victims have been observed in Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations, utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.

Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.

This exploit caught by our technologies highlights a few very interesting evasion methods, some of which we haven’t seen before. We describe them below.

Operation Daybreak general information

Operation Daybreak appears to have been launched by unknown attackers to infect high profile targets through spear-phishing e-mails. To date, we have observed more than two dozen victims for these attacks.

Although the exact attack vector remains unknown, the targets appear to receive a malicious link which points to a hacked website where the exploitation kit is hosted. The hacked web server hosting the exploit kit is associated with the ScarCruft APT and used in another line of attacks. Certain details, such as using the same infrastructure and targeting, make us believe that Operation Daybreak is being done by the ScarCruft APT group.

The ScarCruft APT group is a relatively new player and managed to stay under the radar for some time. In general, their work is very professional and focused. Their tools and techniques are well above the average. Prior to the discovery of Operation Daybreak, we observed the ScarCruft APT launching a series of attacks in Operation Erebus. Operation Erebus leverages another Flash Player exploit (CVE-2016-4117) through the use of watering hole attacks.

In the case of Operation Daybreak, the hacked website hosting the exploit kit performs a couple of browser checks before redirecting the visitor to a server controlled by the attackers hosted in Poland.

The main exploit page script contains a BASE64 decoder, as well as rc4 decryption implemented in JS.

The parameters sent to the “ap.php” script are randomly generated on each hit, so the second stage payload gets encrypted differently each time. This prevents easy detection by MD5 or signatures of the second stage payload.

The exploitation process consists of three Flash objects. The Flash object that triggers the vulnerability in Adobe Flash Player is located in second SWF delivered to the victim.

At the end of the exploitation chain, the server sends a legitimate PDF file to user – “china.pdf”. The “china.pdf” file shown to the victims in the last stage of the attack seems to be written in Korean:

Decoy document shown to victims

The document text talks about disagreements between China and “The North” over nuclear programs and demilitarization.

Vulnerability technical details

The vulnerability (CVE-2016-4171) is located in the code which parses the ExecPolicy metadata information.

This is what the structure looks like:

This structure also contains an array of item_info structures:

The documentation says the following about these structures:

“The item_info entry consists of item_count elements that are interpreted as key/value pairs of indices into the string table of the constant pool. If the value of key is zero, this is a keyless entry and only carries a value.”

In the exploit used by the ScarCruft group, we have the following item_info structures:

Item_info array in exploit object

The code that triggers the vulnerability parses this structure and, for every key and value members, tries to get the respective string object from string constant pool. The problem relies on the fact that the “.key” and “.value” members are used as indexes without any kind of boundary checks. It is easy to understand that if key or value members are larger than string constant pool array, a memory corruption problem appears. It is also important to mention that this member’s (value, key) are directly read from SWF object, so an attacker can easily use them to implement arbitrary read/write operations.

Getting object by index from constant pool without any checks

Using this vulnerability, the exploit implements a series of writes at specified addresses to achieve full remote code execution.

Bypassing security solutions through DDE

The Operation Daybreak attack employs multiple stages, which are all outstanding in some way. One of them attracted our attention because it implements a bypass for security solutions we have never seen before.

In the first stage of the attack, the decrypted shellcode executed by the exploit downloads and executes a special DLL file. This is internally called “yay_release.dll”:

Second stage DLL internal name and export

The code of this module is loaded directly into the exploited application and has several methods of payload execution. One of method uses a very interesting technique of payload execution which is designed mostly to bypass modern anti-malware products. This uses an interesting bug in the Windows DDE component. It is not a secret that anti-malware systems trigger on special system functions that are called in the context of potential vulnerable applications to make a deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute.

For instance, such defense technologies trigger if a potentially vulnerable application such as Adobe Flash starts other untrusted applications, scripts interpreters or even the command console.

To make execution of payload invisible for these defense systems, the threat actors used the Windows DDE interface in a very clever way. First, they register a special window for it:

In the window procedure, they post WM_DDE_EXECUTE messages with commands:

Sending WM_DDE_EXECUTE message to window

The attackers used the following commands:

The main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method, the program will be executed. This is an undocumented behavior in Microsoft Windows.

In our case, a malicious VBS was executed, which installs a next stage payload stored in CAB file:

Malicious VBS used in the attack

We have reported this “creative” abuse of DDE to Microsoft’s security team.

The final payload of the attack is a CAB file with the following MD5:

• 8844a537e7f533192ca8e81886e70fbc

The MS CAB file (md5: 8844a537e7f533192ca8e81886e70fbc) contains 4 malicious DLL files:

MD5 Filename a6f14b547d9a7190a1f9f1c06f906063 cfgifut.dll e51ce28c2e2d226365bc5315d3e5f83e cldbct.dll 067681b79756156ba26c12bc36bf835c cryptbase.dll f8a2d4ddf9dc2de750c8b4b7ee45ba3f msfte.dll

The file cldbct.dll (e51ce28c2e2d226365bc5315d3e5f83e) connects to the following C2:

• hXXp://webconncheck.myfw[.]us:8080/8xrss.php

The modules are signed by an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited” with serial numbers, copied from real Tencent certificates:

• 5d 06 88 f9 04 0a d5 22 87 fc 32 ad ec eb 85 b0
• 71 70 bd 93 cf 3f 18 9a e6 45 2b 51 4c 49 34 0e

Invalid digital signature on malware samples

The malware deployed in this attack is extremely rare and apparently reserved only for high profile victims. Our products detect it as well as other malware from ScarCruft as HEUR:Trojan.Win32.ScarCruft.gen.

Victims:

Although our visibility is rather limited, some of the victims of these attacks include:

• A law enforcement agency in an Asian country
• One of the largest trading companies in Asia and in the world
• A mobile advertising and app monetization company in the USA
• Individuals related to the International Association of Athletics Federations
• A restaurant located in one of the top malls in Dubai

Some of these were compromised over the last few days, indicating the attackers are still very active.

Conclusions:

Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a Sandbox bypass exploit, which makes them rather tricky.

Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult.

Nevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits against their high profile targets.

As usual, the best defense against targeted attacks is a multi-layered approach. Windows users should combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies. According to a study by the Australian DSD, 85% of the targeted attacks analysed could have been stopped by four simple defense strategies. While it’s impossible to achieve 100% protection, in practice and most cases all you have to do is increase your defenses to the point where it becomes too expensive for the attacker – who will just give up and move on to other targets.

Kaspersky products detect flash exploit as HEUR:Exploit.SWF.Agent.gen also our AEP (Automatic Exploit Prevention) component can successfully detect this attack. Payloads are detected with HEUR:Trojan.Win32.ScarCruft.gen verdict.

* More information about the ScarCruft APT group is available to customers of Kaspersky Intelligent Services.

Indicators of compromise: Malicious IPs and hostnames:

• 212.7.217[.]10
• reg.flnet[.]org
• webconncheck.myfw[.]us

MD5s:

3e5ac6bbf108feec97e1cc36560ab0b6
a6f14b547d9a7190a1f9f1c06f906063
e51ce28c2e2d226365bc5315d3e5f83e
067681b79756156ba26c12bc36bf835c
f8a2d4ddf9dc2de750c8b4b7ee45ba3f
8844a537e7f533192ca8e81886e70fbc

Over the last two years, deep in the slums of the Internet, a different kind of underground market has flourished.

The short, cryptic name perhaps doesn’t say much about it: xDedic. However, on this obscure marketplace anyone can purchase more than 70,000 hacked servers from all around the Internet.

xDedic forum login

From government networks to corporations, from web servers to databases, xDedic provides a marketplace for buyers to find anything. And the best thing about it – it’s cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6.

The one-time cost gives a malicious buyer access to all the data on the server and the possibility to use this access to launch further attacks. It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.

Server purchase forum

To investigate xDedic, Kaspersky Lab teamed up with a European ISP. The research allowed us to collect data about the victims and the way the marketplace operates.

In May 2016, we counted 70,624 servers available for purchase, from 416 unique sellers in 173 affected countries. In March 2016, the number was about 55,000, a clear indication that the database of users and servers is carefully maintained and updated.

Top countries with servers on sale

Interestingly, the developers of xDedic are not selling anything themselves – instead, they have created a marketplace where a network of affiliates can sell access to compromised servers. If the truth be told, the people behind xDedic have created what appears to be a “quality” service – the forum even includes live technical support, special tools to patch hacked servers to allow multiple RDP sessions and profiling tools that upload information about the hacked servers into the xDedic database.

Top 10 sellers – May 2016

So who are the xDedic sellers listed above? We have been able to identify a very specific piece of malware (SCCLIENT) which is used by one of them, and to sinkhole its C&Cs. This provided a glimpse into the operations of one of these entities, which, based on the number of victims, we suspect is either Narko, xLeon or sirr.

SCCLIENT Trojan: victims’ information from sinkholing (first 12 hours)

The profiling software created by the xDedic developers also collects information about the software installed on the server, such as online gambling, trading and payments.

Apparently, there is strong interest in accounting, tax reporting and point-of -sale (PoS) software which open up many opportunities for fraudsters:

Spam and Attacking Tools Gambling and Financial Software POS Software

Advanced Mass Sender
Bitvise Tunnelier
DU Brute
LexisNexis Spam Soft
LexisNexis Proxifier
Proxifier
Spam Soft

Full Tilt Poker
iPoker Network
UltraTax 2010 (2011,..,2015)
Abacus Tax Software
CCH tax14 (tax15)
CCH Small Firm Services
ChoicePoint
ProSeries TAX (2014,2015)
ProSystem fx Tax
TAX Software
2015 Tax Praparation
Tax Management Inc.
Lacerte Tax

PosWindows
BrasilPOS
POS AccuPOS
POS Active-Charge
POS Amigo
POS Catapult
POS Firefly
POS ePOS
POS EasiPos
POS Revel
POS Software (Generic)
POS Toast
POS QBPOS
PosTerminal
POS kiosk.exe
POS roi.exe
POS PTService.exe
POS pxpp.exe
POS w3wp.exe
POS DpsEftX.ocx
POS AxUpdatePortal.exe
POS callerIdserver.exe
POS PURCHASE.exe
POS XPS.exe
POS XChgrSrv.exe

During our research, we counted 453 servers from 67 countries with PoS software installed:

Servers for sale with Point-of-Sale software – May 2016

For instance, a malicious user could go to the xDedic forum, register an account, top it up with Bitcoins and then purchase a number of servers which have PoS software installed. Then, they can install PoS malware, such as Backoff to harvest credit card numbers. The possibilities are truly endless.

Kaspersky Lab has reported this issue with the appropriate law enforcement agencies and is cooperating in an ongoing investigation.

To read our full report on xDedic which includes IOCs, download the xDedic Marketplace Analysis PDF here.

* For more information about Kaspersky Lab Intelligence Services, Threat Reports and custom threat analysis contact intelreports@kaspersky.com

Earlier today, Adobe published the security advisory APSA16-03, which describes a critical vulnerability in Adobe Flash Player version 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS:

A few of months ago, we deployed a new set of technologies into our products designed to identify and block zero day attacks. These technologies already proved its effectiveness earlier this year, when they caught an Adobe Flash zero day exploit, CVE-2016-1010. Earlier this month, we caught another zero-day Adobe Flash Player exploit deployed in targeted attacks.

We believe these attacks are launched by an APT Group we call “ScarCruft”.

ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.

Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims. The other one, “Operation Erebus” employs an older exploit, for CVE-2016-4117 and leverages watering holes. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.

We will publish more details about the attack once Adobe patches the vulnerability, which should be on June 16. Until then, we confirm that Microsoft EMET is effective at mitigating the attacks. Additionally, our products detect and block the exploit, as well as the malware used by the ScarCruft APT threat actor.

* More information about the ScarCruft APT and Operation Daybreak is available to customers of Kaspersky Intelligence Services. Contact: intelreports@kaspersky.com

 

Olympic threats designed to trick you

Are you planning to visit Brazil during the Olympic Games? Or watch it online? In this blog post we discuss the threats to visitors aiming to travel to Brazil to watch the games and to those planning to watch it online. In the first part we’ll talk about phishing attacks, including one against the organizers of the Games; in the second we highlight WiFi security and the results of the wardriving we did on the streets of Rio, visiting the same places as tourists and the athletes. In the third and final part we touch upon physical security that involves the usage of USB charging spots at airports, the problem of credit card cloning and ATM skimmers that will directly affect visitors to this summer’s Olympic Games in Rio.

It is clear that using the Olympic Games theme is very attractive to the bad guys. Cybercriminals always use popular sports events as bait for their attacks, as they did it in the 2014 World Cup – an event we monitored very closely due to the impressive amount of attacks registered at the time, mainly in Brazil. But the forthcoming Olympic Games has been a bit different. The number of attacks has been low, compared with the World Cup. There are many reasons to explain it one of which is that the International Olympic Committee (IOC) keeps a very active Security Operations Center (SOC), working and treating the security incidents, reporting phishing and malware campaigns. As a result, the number of “in-the-wild” attacks targeting users at this time are low.

However, the bad guys have no limit when it comes to creating new attacks. We were able to track and block several of them, such as the registration of malicious domains, fake giveaways promoted on social networks and, of course, websites selling fake tickets, using all possible ways to trick users.

The rise of bad domains

Most of the attacks start with the registration of a domain that clearly shows its malicious intent. Since the beginning of the year, we monitored the creation of new domains registered with the name of the city that will held the games. In fact, we found that the bad guys are constantly registering new creations at the start of every attack. Our blacklist contains more than 230 of these bad domains.

Several of these domains were registered via a free webmail account or use domains as protection to hide the real identity of the owner. Some of these domains are hibernating, waiting for the right moment to start an attack (especially those promising free streaming). Others were used to host fake ecommerce sites selling tickets, hosting phishing, malware, or even used to spread fake ticket giveaways. Another interesting point is that several of these domains are already using the new gTLD approved by ICANN (such as .tech and others).

The phishing phenomenon

It’s not only end-users who are targets of phishing attacks. Brazil tops the list as the most attacked country with this type of scam, and employees of the Games organization were also targeted for their potentially lucrative credentials. In February we identified a very interesting targeted campaign, on our domain monitoring system, against the IOC using the malicious domain masquerade as their Intranet portal. The purpose of the attackers was to steal credentials of IOC employees working in Brazil. The fake site looked like this when it was live and we are also aware of several other attacks including this one:

IOC employees were the target of phishing campaigns to steal credentials

The most common attacks are those that aim to phish the final user – stealing credentials is a very easy attack that even a non-skilled criminal can do. We saw phishing scams with different goals, in several colors and guises. This one was very popular in Brazil and aims to clone your credit card using the name of a Brazilian company and promising to giveaway a new car and tickets to the Games:

Free tickets and car giveaway. All fake promises.

Fake tickets, fake giveaways, real losses

As happened during the last World Cup, most of the malicious e-mails sent by the Brazilian bad guys used free tickets to watch the Games in Rio as the bait. Some of these messages also pointed to fake websites. This is a good example of a very well done campaign, promising the direct sales of tickets without applications to the official lotteries, that take place for people living in Brazil:

Why bother to participate in the official lottery when you can buy a ticket direct from a fraudster?

Other fake websites also offered tickets with a very low price, to attract people looking to buy tickets at the last hour. This website, targeting Brazilians, looks good but on closer inspection it is written in poor Portuguese:

The purpose here was to sell fake tickets with the victim paying but receiving nothing. The payment method selected by the fraudster was Brazilian boletos, a very popular payment system, used mostly for people that don’t have credit cards.

The bait to attract the attention was very low prices. The ticket to the inaugural ceremony cost U$500.00 and a match of the Brazilian National Football Team cost only U$ 50.00. Of course everything was fake:

“Watch the Male Football match paying only U$ 50,00”

Bad guys also used social media to spread their attacks. Facebook was the most used network in these cases, such as this fraudulent page announcing a fake ticket giveaway. The page is still online:

If you want to watch the games, it’s too late to buy tickets via the official channels. We do not recommend buying through unofficial markets as there is a high possibility that you are buying a pig in a poke. To make sure you don’t get caught out, the best thing is to watch the games on TV or online – but be aware of malicious streaming websites, as they will undoubtedly appear in a last ditch attempt by the bad guys to try and infect your computer and steal your data.

WiFi security

When we travel, we usually access the Internet more to help stay in touch, tweet, post status updates and share pictures. However, international data plans are usually very expensive and this is why we look for WiFi hotspots. Cybercriminals know this and every year set up fake access points or compromise legitimate WiFi networks to intercept and manipulate their victim’s browsing. Their focus for the attack is user’s passwords, credit cards and other sensitive personal information. Open and misconfigured WiFi networks are actually preferred vehicles for criminals.

To identify the extent of the problem in Brazil, we drove by three major areas of the Olympic games and passively monitored the available networks which visitors are most likely to try and use during their stay – the Brazilian Olympic Committee building, Olympic Park and the stadiums (Maracanã, Maracanãzinho and Engenhão).

Beautiful beaches, bossa nova and insecure WiFi

Running a fast recognition over two days and on the map marked with a star sign, we were able to find about 4,500 unique access points located in the aforementioned areas.

Most of the networks actually work on the 802.11n standard:

That means that most of the hardware used to build the WiFi access points is new and works especially well for multimedia streaming, reaching speeds of up to 600Mbps and working not just on 2.4Ghz and 2.5Ghz but also 5Ghz.

However, when it comes to their security, 18% of all available WiFi networks in the area are insecure and openly configured. That means that all data sent and received in such networks is not protected by any encryption access key.

We can see that additionally 7% of all networks are WPA-personal protected. That algorithm is actually obsolete today and can be broken with minimal effort. In our opinion this is especially concerning as users who connect to their “trusted” networks may believe that they are actually connecting to a secure network, when in reality it could be compromised by an attacker, who could deliver different kind of attacks to manipulate network traffic with user’s data.

So, about a quarter of all WiFi networks in the areas of the Olympic games are insecure or configured with weak encryption protocols. This means that the attackers can break them first and then develop technical circumstances to sniff victim’s navigation data and steal their sensitive data.

Is it possible to use an open WiFi network and still have a secure Internet connection? The answer is yes, however only when using a VPN connection.

We strongly recommend, regardless of any WiFi network you use while travelling, to use a VPN connection, so the data from your end-point travels to the Internet through an encrypted data channel. This way even if you work from a compromised WiFi network, the attacker might not get access to your data.

However not all VPN providers actually offer the same good service. Some of them are vulnerable to DNS leak attacks. That means that even if your immediate sensitive data is sent via VPN, your DNS queries or requests are sent in plain text to the DNS servers set by the access point hardware. In this scenario the attacker can still at least know what servers you are browsing and then, if it has access to the access point of the compromised WiFi network, can define malicious DNS servers. That would essentially mean, next time you type the name of your bank in the browser, the IP address where it goes to will be a malicious one. So, even some experienced users may become an easy victim for the attackers. There is almost no limit from the attackers’ point of view when they have control of your DNS servers.

So, before you use your VPN connection, make sure it does not have a DNS leak problem. If your VPN provider doesn’t support its own DNS servers, you might consider another VPN provider or a DNSCrypt service, so your DNS requests will make external and encrypted queries to secure DNS servers. Remember that what starts as a small security issue could have big security implications.

A simple formula must be this: any network you connect to, use your VPN connection with its own DNS servers. Don’t rely on any local settings since you can’t be sure if the WiFi access point you connect to is compromised or not.

Physical security

Another point that requires vigilance when travelling is physical security – not everything that is useful is exactly what it seems. Criminals often use tactics to deliver malicious attacks on situations where you do not necessarily think there is a risk. Let’s look at some common situations where this could happen.

USB charging spot

As mentioned before, using a mobile phone when traveling is crucial and it can be a big challenge to keep it sufficiently charged all day long. In order to help tourists, most cities are investing in charging points that can be easily found in shopping malls, airport and taxis. Most of them provide connectors for the majority of phone models as well as a USB connector that can be used with your own cable.

Charging spot provided in a Brazilian cab

Some models usually found in shopping malls and airports also provide a traditional power supply that can be used with your own charger.

Charging spot at Rio International Airport. Which one do you think is the most secure?

While connected via USB, the attacker can execute commands in order get information about the device including the model, IMEI, phone number and battery status. With that information it is possible to run an attack for the specific phone model and then successfully infect the device and collect personal information.

This doesn’t mean that we should never charge our devices when away from home, but by following these simple rules you can protect yourself from this kind of attack:

• Always use your own charger and avoid buying one from unknown sources;
• Use the power outlet instead of USB socket when using an unknown charging point;
• Don’t use the charging cables at a public charging spot.

ATM skimmer

The ATM skimmer attack, also known as “Chupa-cabra” in Brazil and other countries in Latin America, is a very popular type of attack that is still being used by criminals in Brazil. From time to time a new gang appears on the news delivering this attack somewhere across the country, mainly in places commonly frequented by tourists, such as the Rio International Airport. In 2014 a gang installed 14 ATM skimmers there.

There are different types of ATM skimmers in Brazil, the most common just installs a reader for the card and a camera in order to record the password as it is typed.

An ATM skimmer which installs a camera to record the typed password

For this type of skimmer you can protect yourself by hiding the keypad while typing the password which will avoid your password from being recorded by the installed camera.

Unfortunately, this method will not help in all cases, as there is another type of skimmer where criminals replace the entire ATM, including the keypad and screen. In this case, the typed password will be stored on the fake ATM system.

ATM Skimmer which replaces the entire ATM

In order to avoid this type of attack it is important to be aware of any suspicious behavior while using the ATM.

• Check if the green light on the card reader is on. Usually they replace the reader with a version where there is no light or it is off.
• Before starting the transaction, check if there is anything suspicious on the ATM such as missing or badly fixed parts;
• Hide the keypad while typing your password.

Credit Card Cloning

Unfortunately, Brazil is well known for its credit card cloning activities and it is not hard to find someone who had their card cloned while visiting the country.

Credit and debit cards are widely used in Brazil and almost everywhere accepts cards as payment methods – including street vendors. Actually most of them prefer credit card payments in order to avoid problems with the change.

Brazilian banks are referenced across the world regarding their fight against credit card cloning as well as their pioneer status in adopting chip-based cards to protect customers from this type of attack by making it much harder to clone the card. However, it was only a matter of time before Brazilian criminals would find a way to start cloning the chip-based cards, by exploiting flaws in the EMV transaction implementation.

We could see Brazilian criminals exchanging information about how to execute an attack on a chip-based card in order to extract the information and then write it back to another card using some tools.

Tool used to save the information to the smart card

It is really hard to protect yourself against this type of attack, because usually the point-of-sale is modified in order to save the information, to be collected later by the criminals. Sometimes they don’t need physical access to extract the stolen information as it is collected via bluetooth.

One good solution from the banks is SMS notifications for each transaction made using your card. Even though it does not avoid card cloning, the victim will be notified about the fraudulent transaction as soon as it happens then it can contact the bank in order to block future transactions.

To reduce the chances of having your card cloned, there are some simple steps to take:

• Never give your card to the retailer. If for some reason they cannot bring the machine to you, you must go to the machine;
• If the machine looks suspicious, change the payment method. It is always good to have some money with you as a back-up;
• Before typing your PIN make sure you are on the correct payment screen and that your PIN is not going to be shown on the screen.

For everybody visiting Brazil to watch the games, we wish you safe flights and a safe stay. To our readers we wish you safe online surfing and for the Olympic athletes, may the best one win!

One piece of advice that often appears in closed message boards used by Russian cybercriminals is “Don’t work with RU”. This is a kind of instruction given by more experienced Russian criminals to the younger generation. It can be interpreted as: “don’t steal money from people in Russia, don’t infect their machines, don’t use compatriots to launder money.”

“Working with RU” is not a great idea where cybercriminals’ safety is concerned: people from other countries are unlikely to report an incident to the Russian police. In addition, online banking is not very popular in the RU zone – at least, it is much less popular than in the West. This means that the potential income from operating in the RU zone is lower than in other zones, while the risk is higher. Hence the rule “Don’t work with RU”.

As always, there are exceptions to the rule. A rather prominent banker Trojan – Lurk – that is the subject of this paper has been used to steal money from Russian residents for several years.

We have written about this banker Trojan before. It caught our attention almost as soon as it appeared because it used a fileless spreading mechanism – malicious code was not saved on the hard drive and ran in memory only. However, until now no detailed description of Lurk had been published.

What Makes the Trojan Different

The Lurk banker Trojan is in a league of its own when it comes to malware designed to steal money from bank customers:

• Lurk has existed and actively evolved for over five years, but it works selectively – only on those computers where it can steal money. In the more than five years that it has been active, about 60,000 bots have been registered in the C&C, which is not a huge number.
• Lurk is a versatile banker Trojan – it can steal money not only from the iBank 2 system that is used by many Russian banks but also from the unique online banking systems of some large Russian banks.
• Lurk actively resists detection: its developers work hard to minimize detections of their Trojan, while targeted attacks make it difficult to get new samples quickly.
• Based on the methods of internal organization used in the malware, its feature set and the frequency with which it is modified, it can be concluded that a team of professional developers and testers is working on the project.

This is not to say that the Trojan is particularly well written: we have seen and analyzed banker Trojans with much higher code quality. Moreover, our analysis of Lurk has shown that several programmers with different levels of qualification have worked on the code. The developers clearly made some bad choices in places, which have remained unfixed for years (needless to say, we are not going to alert the developers to their mistakes). It is worth noting that the malware writers are developing their product: we see that the quality of code has improved over time and the solutions chosen by the developers have generally improved. What sets Lurk apart is that it is highly targeted – the authors do their best to ensure that as many victims of interest to them as possible get infected without catching the attention of analysts or researchers. The incidents known to us make us believe that Lurk is successful at what it was designed for: we regularly receive reports of thefts from online banking systems and forensic investigations after the incidents reveal traces of Lurk on the affected machines.

Victims

The cybercriminals are interested in the following types of organizations:

• IT organizations working in telecommunications field;
• mass media and news aggregators;
• banks and financial organizations.

Compromised computers of IT and telecoms companies provide the cybercriminals behind Lurk with new transfer servers through which traffic goes to the attackers’ servers. Media and news aggregator sites, particularly those visited by accountants, are used to infect a large number of users from Lurk’s ‘target audience’. Banks and financial organizations are of interest to the cybercriminals in connection with their main goal – stealing money.

We won’t comment on the reasons behind the malware authors’ attempts to get a foothold on the machines inside security agencies (these organizations are also among those targeted by Lurk).

The Trojan’s targets appear to include Russia’s four largest banks.

Distribution

The well-known technique of drive-by downloads is used to distribute the Lurk banker Trojan. In addition, the cybercriminals distribute the Trojan via compromised websites with legitimate software and across corporate networks – using the psexec utility.

Infecting Using an Exploit Pack

Lurk is distributed primarily using the infamous Angler exploit pack (cybercriminals call it XXX). With this method of distribution, users don’t have to do anything in particular for their computers to become infected.

Angler is rightfully considered the flagship of exploit packs: exploits for new vulnerabilities are nearly always first implemented in Angler and only later make their way into other exploit packs (or perhaps are just borrowed’). Exploits for zero-day vulnerabilities are also often implemented in Angler, making the exploit pack particularly dangerous.

Preparation for infecting new victims with Lurk is usually performed as follows:

1. A website that is of interest to the target audience is selected. This can be a message board for accountants, a news portal, etc.

   The website is infected by stealthily placing a link on it that leads to the exploit pack’s landing page. If it proves impossible to infect the site, a malicious link is placed into the materials of some ‘affiliate program’ that are shown on the site.

2. Users visiting the site are redirected to the exploit pack’s landing page without their knowledge. Angler attempts to exploit some vulnerability in the software installed on the user’s computer, which should result in the execution of Lurk’s downloader – mini.

Curiously, the link to the exploit pack’s landing page is either placed for a short time or is regularly placed and removed. For example, we have seen the message board of a well-known magazine for accountants become infected. A malicious link appeared on the message board on weekdays for exactly two hours at lunchtime. Of course, we detected the anomalous activity and notified the owners of the resource. However, by the time they read our letter the resource was clean again and they could not identify the infection. At the same time, during the period when the malicious link was shown on the message board, the Lurk owners managed to infect several new user machines.

Infecting via Compromised Websites

The second method of infection that the cybercriminals used extensively is the distribution of malicious code via legitimate websites. Apparently, this distribution method involves providing infected files to users in the RU zone only, while other users get clean files.

Infecting Machines across a Corporate Network

The scheme whereby one computer in an organization is initially infected is very popular among cybercriminals. Even if the infected machine itself is of no interest to the attackers, the computer is on the same network and on the same domain with other computers containing information that the Trojan’s owners want. In such cases, the psexec utility developed by Mark Russinovich is used to distribute the malware across the network. A special mini dropper is then used to execute the Trojan’s main module on other computers on the same network. This method can result in dire consequences for the organization, since the security of a computer containing data of interest to the cybercriminals essentially depends on that of the least protected computer on the network that is under attack.

Main Modules

The Trojan consists of several modules that have reasonably rich capabilities. The main Lurk modules are:

• mini module;
• prescanner module;
• core module (the bot’s kernel),
• core_x64 module (64 bit version of the kernel);
• mini_x64 module (64 bit version of the mini module).

The mini Module

In the first stage of an attack involving the Angler exploit pack, a vulnerability found in the user’s software is exploited and the mini module of Lurk banker Trojan is downloaded and executed. As mentioned above, the user can download the malicious file from a compromised website; another possibility is infection over the local network.

By Lurk standards, mini is a small program (100-400 KB). Its main function is to download and execute two other main Lurk modules. The address of the server used by mini is hardcoded in the program’s body. Modules are downloaded using standard GET requests. The modules downloaded by mini are encrypted, with different encryption algorithms used. The prescanner module is encrypted using the simple “xor-next” algorithm. Other modules are encrypted using the BlowFish algorithm (ECB Mode), the pseudo key for which is hardcoded into mini. The real key is created from the hardcoded pseudo key using a sequential search for one character (a brute force attack).

To avoid having to download additional modules every time mini is executed, the Trojan saves these modules in a separate encrypted file located in %APPDATA% folder. The contents of the storage is encrypted with the Blowfish algorithm, using a key that depends on the time the Windows folder was created. In addition to a plugin’s name and body, the storage file includes a list of checksums of the names of those processes in whose context the plugin is to be executed. This information is used by mini to determine which process a plugin should be injected into: for web injection modules, this is a browser process; for the ibank module, it is Java.exe, in whose context the online banking system operates.

The prescanner module

According to the operating logic of mini, the second stage of the attack is to load the prescanner module. The module is a dynamically loaded library with only one exported function – Prescan.

The cybercriminals need prescanner to make their attacks as narrowly targeted as possible. If a machine does not match the specific rules of prescanner and no online banking systems have been found on it, the module reports this to mini and the latter decides not to try to achieve persistence on the machine. In this way, the Trojan’s developers try to avoid attracting the attention of law enforcement agencies and anti-malware product developers. The following fact supports this idea: every time a new bot is registered by the C&C, a unique identifier – bot number – is assigned to the bot. In the more than five years that the banker Trojan has existed, only about 60,000 bots have been registered by the C&C.

Prescanner performs two main tasks:

• collecting information about an infected system;
• grabbing passwords from FTP clients found on the user’s machine.

After collecting information about the machine and checking whether its rules are observed, prescanner sends a report to its command server. In the cases that we have seen, the C&C used by prescanner was the same as that used by the mini downloader.

If it is decided that a machine is unsuitable for a Lurk attack based on the analysis performed, mini and prescanner modules terminate and uninstall themselves. If prescanner has made the decision to ensure persistence on the machine, it reports this to the mini downloader, which in turn downloads and executes the core module – the bot’s main body.

The core module

Core is the main module of Lurk. Its main functions are:

• network interaction with the C&C;
• executing commands received from the cybercriminals;
• logging keypresses (keylogger function) and recording video from the infected system’s screen;
• maintaining the encrypted data storage and Lurk settings;
• downloading, installing and executing the Trojan’s additional modules.

The core module is a communication channel of sorts between all the other malware modules and the command server. The C&C servers used for mini and for core are different. Core does not have a hardcoded command server address. The address of its command server is calculated using DGA – the Domain Generation Algorithm. Among other DGA input parameters, the Trojan’s authors use exchange quotation data received from Yahoo Finance. This means that the data used to generate C&C addresses cannot be known to security experts in advance. As a result, it is impossible to predict the addresses generated by Lurk.

After successfully establishing a connection, data collected by the malware and the results of executing commands are sent to the command server every five minutes, with requests for new updates and commands. All communication between the core module and the C&C is encrypted – core and C&C exchange data is in the JSON format.

The function of intercepting data entered on the keyboard is implemented in the core module in the newer versions of Lurk (starting at least from 8.9773). Keypresses are intercepted only in the context of windows that have specific words/phrases in their names. The list of these words/phrases is received from the C&C. Intercepted data is sent to the command server during the next communication session (every 5 minutes).

The main part of Lurk’s storage is located in the system registry, but some additional data belonging to the storage can be saved as a file on the hard drive. As a rule, files are used to store a large but logically uniform volume of data, such as video captured from the screen or code for web injection. But in any case, links to these additional files are always present in the main part of the storage, which is located in system registry.

Additional modules

The bot’s additional modules (plugins) are downloaded by the core module to those computers the malicious program deems most suitable. Those modules that are required on a specific computer to steal money are downloaded to that computer.

The Lurk modules currently known to us are listed in the table below.

Plugin GUID Name Plugin function {5FBA6505-4075-485b-AEC4-75767D9054C9} module_Bifit A set of .class-files designed to introduce changes into the normal operation of iBank 2 systems, in order to steal money. {0F3E7AFA-1F2B-4b0e-99D6-3716A4C3D6DE} module_Bifit_admin An administrative applet for iBank 2 systems modified by cybercriminals, designed to steal credentials and key files from iBank 2 systems. {04DB063E-1454-4a73-B2CC-4DB6D4BB6AA1} module_ibank This plugin is used to inject malicious applets into the iBank 2 system. These applets (along with other tools) are used to steal money from the user. {AABA3126-14E2-443b-A11B-FB6C1F793103} module_w3bank This plugin is designed to organize web injections into the pages of remote banking systems. {5C345F77-B111-4a85-B6D6-EC8F27F993C4} module_w3bank_scripts A set of scripts written in JavaScript for injection by the module w3bank; designed to steal money and data from remote banking systems. {50D13F6C-FC46-4fdf-A294-E149D36E54D4} module_spider An auxiliary module whose main task is to ensure other Lurk modules are loaded into the contexts of the processes iexplore.exe, firefox.exe, chrome.exe, opera.exe, jp2launcher.exe, java.exe before these processes are actually launched. {52F1F7D8-4BCC-4498-AC86-3562F81990F6} module_vnc This plugin provides remote access via VNC to the infected computer (for remote control over the infected computer). {A06B5020-0DF3-11E5-BE38-AE5E4B860EDE} rdp-plugin-x86 This plugin ensures that RDP is enabled on the infected computer.

{9F786E98-3D4C-4020-8819-B97D9D4DBCC0} highLauncher Bot plugin loader at a high Integrity level (required for rdp-plugin-x86 and lsa-plugin-x86). {968A2A9A-7DF4-4E69-BF81-563AF8FFB7DC} launcher The loader of mini. It awaits an IPC message with the name <LurkDll>, after which it loads mini with the help of LoadLibrary(). It is used in the mini launch process while escalating privileges. {5B3957F2-AAAF-4FF8-94B8-83C52AFCD2A9} lsa-plugin-x86 The plugin for grabbing administrator and/or domain accounts (the well-known program mimikatz is used).

We will now look at three bot modules (plugins) in more detail – they are the modules w3bank and ibank.dll – the two workhorses of the Lurk Trojan that are directly involved in stealing money – and the module_vnc module that makes it possible to remotely control the infected system using the VNC protocol.

The w3bank module

The w3bank module is designed for attacks on remote banking systems. Its main task is to perform injections into the user’s browser.

The ibank module

The ibank module is designed to steal money in iBank remote banking systems.

This module runs in the context of a Java virtual machine. When a Java applet is started, it is checked to see whether it belongs to the iBank 2 system. If this remote banking system is launched, a request is sent to the C&C asking if the applet should be blocked or allowed to run. If an “allow to run” command arrives in response, a set of Java-class files is sent to replace the original classes of the iBank applet.

The infected applet enables the cybercriminals to stealthily replace the data in payment orders, leaving the original information in the printouts.

The module_vnc module

The module_vnc module provides the ability to remotely control an infected system using the VNC protocol. When this happens, the remote node gains full access to the system: it can see the image displayed on the screen, send and receive any files or data, including data from video/audio input devices, use the software installed on the machine and install new software.

This module also makes it possible to launch browser processes with the following parameters:

Mozilla Firefox: -profile
Google Chrome: –user-data-dir=
Internet Explorer: -nomerge

Each time Mozilla Firefox and Google Chrome are launched a new browser user profile is created. This helps hide the Trojan’s activities from the legitimate user, who will not be able to see any trace in the history of visited sites. This also helps create a separate session on a website, parallel to an already open session. In particular, this makes it possible to log in a second time to the site the legitimate user is working with, and perform actions in a parallel session that will not affect the user’s session.

Stages of a Lurk attack

As a result, the Trojan’s typical attack sequence is as follows:

1. The user’s computer is infected by exploiting a vulnerability;
2. The mini module is launched on the infected computer;
3. mini downloads the prescanner module and launches it;
4. prescanner steals the user’s FTP credentials;
5. If an analysis finds that the infected computer is unsuitable, mini and prescanner silently terminate themselves.
6. If the infected computer is of interest to the cybercriminals, the attack continues.
7. If the attack continues, mini downloads and launches the core module, the bot’s main body.
8. core connects to the bot’s C&C server, receives commands from the cybercriminals and executes them.
9. core receives the bot’s additional plugins.
10. core spies on the user: intercepts data entered from the keyboard, and captures the video stream from the screen of the infected system. Capturing is only performed for windows with specific keywords/phrases in their names. A list of keywords is received from the C&C and is primarily determined by the financial interests of Lurk’s owners.
11. Using additional modules (ibank, w3bank), Lurk steals money from remote banking systems.

Example of an Attack on a Bank

During our research, we detected a Lurk attack on a major Russian bank that was using the w3bank module to perform web injections. We were able to obtain the scripts of the injections.

The files of the infection scripts have identical names for different remote online banking systems (content.min.js), but a different GUID, as the latter is generated in a random fashion.

This script intercepts the authentication information entered into the remote banking system. When the user logs in to the remote banking system, their username and password are intercepted. After successful authentication, a parallel session is created that is hidden from the user and in which Lurk scans the banking pages and searches for the card holder’s name and the phone number linked to the card. The malicious script collects all the information required to make a payment in that online banking system. This information is then sent to the C&C server whose address is identical to the network address of the server communicating with the core module.

In response, the C&C server may send a script to be executed in the browser context. We were unable to obtain such a script for this research.

The C&C server may also register an automated payment that will be executed the next time the user logs in to the online banking system.

Conclusion

The Trojan’s creators have made an effort to protect their creation from researchers, and especially to protect Lurk from an in-depth analysis, or, at the very least, greatly hinder such analysis. However, despite all the difficulties of analyzing the Trojan, Lurk is quickly detected by modern anti-malware solutions.

It’s not only anti-malware companies that are countering Lurk; the manufacturer of the iBank 2 system, BIFIT, is also taking measures to combat the attacks launched against its product. The company has implemented methods to counteract banking Trojans in its iBank 2 software and investigated their effectiveness. The BIFIT research shows that of all the protection tools implemented in iBank 2, only control over the bank’s server is effective against Lurk; all the other measures implemented in iBank 2 were successfully bypassed by the Lurk creators, testifying to their professionalism.

Lurk gives the impression of being a complex, powerful system designed to achieve its creators’ criminal goals, i.e., stealing money from users. The perseverance and focus with which they work with their Trojan suggest they are highly motivated.

Kaspersky Lab counteracts this Trojan using signature-based, heuristic and proactive detection methods. With this approach, we can even detect new specimens of Lurk before they are added to our collection. Kaspersky Lab’s products detect this Trojan with the following verdicts: Trojan.Win32.Lurk, Trojan-Banker.Win32.Lurk, Trojan-Spy.Win32.Lurk.

In conclusion, we give the following recommendations that may be hackneyed but are nonetheless relevant. The security of an online banking system is ensured by:

• Competent design and administration of an organization’s local area networks;
• Regular training on information security rules and norms for employees;
• Use of modern security software that is regularly updated.

We are confident that observing these simple rules will help ensure a high level of protection from Lurk and similar threats.

IOCS: Registry keys:

HKCU\Software\Classes\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887}
HKLM\Software\Classes\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887}
HKCU\Software\Classes\Drive\ShellEx\FolderExtensions\{118BEDCC-A901-4203-B4F2-ADCB957D1887}
HKLM\Software\Classes\Drive\ShellEx\FolderExtensions\{118BEDCC-A901-4203-B4F2-ADCB957D1887}

Files: Possible names of the mini module:

%APPDATA%\API32.DLL
%APPDATA%\dlg.dll
%APPDATA%\mm.dll
%APPDATA%\setup.dll
%APPDATA%\help.dll
%APPDATA%\mi.dll
%APPDATA%\http.dll
%APPDATA%\wapi.dll
%APPDATA%\ER32.DLL
%APPDATA%\core.dll
%APPDATA%\theme.dll
%APPDATA%\vw.dll
%APPDATA%\el32.dll
%APPDATA%\sta.dll
%APPDATA%\p10.dll
%APPDATA%\fc.dll
%APPDATA%\in_32.dll
%APPDATA%\pool.drv
%APPDATA%\env.dll
%APPDATA%\man.dll

Possible names of the storage module:

%APPDATA%\ddd2.dat
%APPDATA%\pdk2.dat
%APPDATA%\km48.dat
%APPDATA%\9llq.dat
%APPDATA%\ddqq.dat
%APPDATA%\834r.dat
%APPDATA%\gi4q.dat
%APPDATA%\wu3w.dat
%APPDATA%\qq34.dat
%APPDATA%\dqd6.dat
%APPDATA%\w4ff.dat
%APPDATA%\ok4l.dat
%APPDATA%\kfii.dat
%APPDATA%\ie31.dat
%APPDATA%\4433.dat

Network indicators: C&C servers:

3d4vzfh68[.]com
43xkchcoljx[.]com
carlton69f[.]com
diameter40i[.]com
elijah69valery[.]com
embassy96k[.]com
evince76lambert[.]com
globe79stanhope[.]com
groom58queasy[.]com
hackle14strand[.]com
hotbed89internal[.]com
mechanic17a[.]com
paper17cried[.]com
plaguey42u[.]com
possum89hilarity[.]com
rhythmic81o[.]com
ri493hfkzrb[.]com
roomful44e[.]com
s8f40ocjv[.]com
scale57banana[.]com
wing97pyroxene[.]com
yf3zf90kz[.]com

IDS rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”Bot.Lurk.HTTP.C&C”; flow:established,to_server; content:”POST”; pcre:”/\?hl=[a-z]+&source=[^\r\n&]+&q=[^\r\n&]+/msi”;)

MD5: mini:

185C8FFA99BA1E9B06D1A5EFFAE7B842
2F3259F58A33176D938CBD9BC342FDDD
217DAB08B62B6F892A7D33E05E7F788C
3387E820F0F67FF00CF0C6D0F5EA2B75
36DB67CCADC59D27CD4ADF5F0944330D
6548D3304E5DA11ED2BED0551C3D6922
72D272A8198F1E5849207BC03024922D
85B66824A7F2787E87079903F0ADEBDF
B4FFAD760A52760FBD4CE25D7422A07B
C461706E084880A9F0409E3A6B1F1ECD
D0B4C0B43F539384BBDC103182E7FF42
E006469EA4B34C757FD1AA38E6BDAA72
E305B5D37B04A2D5D9AA8499BBF88940
E9CAB9097E7F847B388B1C27425D6E9A
E9DA19440FCA6F0747BDEE8C7985917F
F5022EAE8004458174C10CB80CCE5317

prescanner:

A802968403162F6979D72E04597B6D1F

core:

C15E18AFF4CDC76E99C7CB34D4782DDA
8643E70F8C639C6A9DB527285AA3BDF7

ibank.dll:

A6C032B192A8EDEF236B30F13BBFF204
4CB6CA447C130554FF16787A56A1E278
BFE73DE645C4D65D15228BD9A3EBA1B6
CC891B715C4D81143491164BFF23BF27

module_vnc:

601F0691D03CD81D94AD7BE13A10A4DB
6E5ADF6246C5F8A4D5F4F6BBFC5033B9
78EDD93CEA9BEDB90E55DE6D71CEA9C4

w3bank.dll:

1B84E30D4DF8675DC971CCB9BEE7FDF5
3A078D5D595B0F41AD74E1D5A05F7896

In early March, Kaspersky Lab detected the modular Trojan Backdoor.AndroidOS.Triada which granted superuser privileges to downloaded Trojans (i.e. the payload), as well as the chance to get embedded into system processes. Soon after that, on March 15, we found one of the modules enabling a dangerous attack – spoofing URLs loaded in the browser.

The malicious module consists of several parts and is detected by Kaspersky Lab products as Backdoor.AndroidOS.Triada.p/o/q. When it gains superuser privileges, it uses regular Linux debugging tools to embed its DLL (Triada.q, which then loads Triada.o) into the processes of the following browsers:

• com.android.browser (the standard Android browser)
• com.qihoo.browser (360 Secure Browser)
• com.ijinshan.browser_fast (Cheetah browser)
• com.oupeng.browser (Oupeng browser)

The DLL intercepts the URL the user is opening, analyzes it and, if necessary, changes it to another URL. The rules for changing the URL are downloaded from the C&C server while the module is running.

Attack sequence

In an uninfected system, the browser sends a request with a URL address to the web server via the Internet, and receives a page in response.

After infection by Triada, a DLL intercepting URLs is added to the browser’s process. The URL address request finds its way into this DLL, where it is modified and sent to another web server.

As a result, the browser receives data that’s different from that requested, meaning the user ends up viewing a different page.

Now, this sequence of actions is being used by malware creators to change the standard search engine selected in the user’s browser, and to replace the home page. Essentially, these actions are identical to those carried out by numerous adware programs for Windows. However, there is nothing to stop similar attacks intercepting any URL, including banking URLs, and redirecting users to phishing pages, etc. All it takes is for the cybercriminals to send the appropriate command.

During our observation period, this module attacked 247 users, and there have been no signs of a decrease in the intensity of attacks. The number of module versions is small; it appears the creators of this backdoor have decided to focus their efforts elsewhere, in spite of all the ‘promise’ shown by this technology.

The geography distribution is very similar to that of root-access malware, as this module can only function together with Triada, and is downloaded by Triada.

Number of users attacked by Backdoor.AndroidOS.Triada.p in different countries

In conclusion, we would like to note that cybercriminals specializing in Android are pretty lazy – it’s easier for them to steal money directly, for instance, with the help of Trojans that send text messages to premium-rate numbers, or spoof banking app windows. However, we have recently observed that some cybercriminals have begun to actively study the structure of the operating system, expand their repertoire of technical skills, and launch sophisticated attacks like the one we examined above.