Malware RSS Feed

Patch Tuesday March 2015 - Stuxnet LNK 0day Fixed

Malware Alerts - Tue, 03/10/2015 - 20:05

Wait, what? Wasn't the Stuxnet LNK vulnerability CVE-2010-2568, in part reported by Sergey I. Ulasen, patched years ago? Didn't Kim Zetter have enough time to write 448 pages of thoroughly footnoted research on this digital weaponry?

Yes, it was, but MS10-046 didn't completely fix all of the vulnerable code path. And, we just might start to call it the Fanny LNK 0day, after the poorly QA'd USB worm spread across Pakistan using the same LNK exploit. However, we have not observed a newer implementation of this LNK exploit in-the-wild. Yet.

So, machines have remained vulnerable to an actively exploited codebase providing USB support since at least 2008. German researcher Michael Heerklotz reported the remaining flaws in January, and an excellent technical writeup describing his findings is posted on the ZDI blog here. Essentially, an attacker has to create a malicious LNK file with a link path of exactly 257 characters containing embedded unescaped spaces, and two "target" files - one with embedded unescaped spaces and one without. This is not difficult on a usb stick, and it bypasses much of the effective defenses Microsoft has developed for years. "Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender's Dilemma -- the defender must be strong everywhere, while the attacker needs to find only one mistake." In this case, it's more that the attacker had to chain together a complex series of overlooked steps.

Microsoft's release of thirteen other bulletins includes a large rollup of fixes for RCE across all versions of Internet Explorer, IE6 - IE11. This MS15-018 bulletin is rated critical, and it requires a reboot.

SMS Trojan bypasses CAPTCHA

Malware Alerts - Tue, 03/10/2015 - 07:00

Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015.

The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.

Distribution

This article discusses Trojan-SMS.AndroidOS.Podec, version 1.23 (the version was identified from analyzing its code). The hash sums are:

72ADCF52448B2F7BC8CADA8AF8657EEB
0D5708158B8782F115670BD51833AC5C

This version of the Trojan circulates in Russia and neighboring countries.

Country Number of attempts to infect unique users Russia 3666 Kazakhstan 339 Ukraine 305 Belarus 70 Kyrgyzstan 23

The number of infections over time:

Number of attempts to infect unique users

Sources of Infection

According to statistics collected with the help of Kaspersky Security Network, the main sources from which the Trojan in our study spreads are various domains with imposing names (Apk-downlad3.ru, minergamevip.com, etc.), as well as the servers of the popular Russian social network VKontakte (VK, vk.com) that are used to store users' content.

A pie chart of file infection sources

As we see, in most cases the infection is sourced from the social network's servers. Unfortunately, VK's file storage system is anonymous, so there is no way to analyze how malware emerges from it. However, further research identified a number of communities that distribute Trojan-SMS.AndroidOS.Podec on this social network:

  • http://vk.com/vzlomannye_igry_dlya_android
  • http://vk.com/skachat_minecraft_0_9_0_android
  • http://vk.com/minecraft_pe_0_9
  • http://vk.com/vzlom_igry_android_mody
  • http://vk.com/igry_android_cheats
  • http://vk.com/android_mody_apk
  • http://vk.com/novye_igry_na_android
  • http://vk.com/skachat_hill_climb_racing_bpan
  • http://vk.com/na_android_igry

(The Russian names of these groups refer to cracking Android games in some form)

All the groups listed here were filled with similar content: images, links and messages.

Each group is about one or more cracked games. The cybercriminals seem to be hoping that potential victims will be attracted by the chance to get free access to content that is usually paid-for.

Nearly all messages on the groups' walls are links leading to sites purportedly containing Android games and applications. The same is true for the "Links" section. In reality, the only purpose these sites served was to spread different versions of Trojan-SMS.AndroidOS.Podec.

Eight groups in the social network with similar visual designs

These groups have a lot in common: the way in which they are managed and designed (e.g. using keywords in place of descriptions, an abundance of simple broad-language messages characteristic of bots, etc.), the links they host to fake sites that seem to be copies of one idea. This suggests that black SEO (Search Engine Optimization) specialists were involved in distributing the Trojan. The above practices help bring links to the malicious resources (sites and groups) closer to the top of search engine results, attracting yet more visitors.

All these clone communities have the same administrator, who is a VK user identified as 'kminetti'. These communities are also advertised on that user's personal page. The user's account was created on 12 October 2011; in 2012, the account's wall started hosting links to sites and communities spreading malicious applications for mobile devices.

Examples of messages posted by the administrator of the malicious communities

Earlier, this account was used as a bot hosting links to web resources to increase their citation indexes (CI).

Examples of the posts placed by the communities' administrator to increase CIs of third-party resources

It can be concluded from all of the above that the VKontakte social network is the main vehicle for distributing Trojan-SMS.AndroidOS.Podec.

The Infection Procedure

The mobile Trojan sample that became available for Kaspersky Lab's analysts masquerades as a popular application, 'Minecraft Pocket Edition'. The file is 688 Kbyte in size, which may be an advantage in the eyes of inexperienced users with a slow and/or expensive Internet access. The official Minecraft application is 10 to 13 MB in size.

When launched, the application asks for device administrator privileges. This step makes sure that neither user nor a security solution can subsequently delete the Trojan. If the user rejects the request, the Trojan keeps repeating it until the privilege is granted. This process effectively blocks the normal use of the device.

Privilege escalation request

When Trojan-SMS.AndroidOS.Podec receives the requested escalated privileges, the legitimate Minecrast app is downloaded from a third-party resource and installed on the SD card. This behavior follows the instructions provided in the configuration file that comes alongside with the Trojan; the same file specifies the link to the legitimate APK file. However, the configuration file does not always contain a link to the application; in this case, the Trojan simply stops any activities observable by the user after it receives the requested privilege escalation.

Part of the configuration file containing the link to legitimate Minecraft installation file

Then the Trojan deletes its shortcut from the apps list and replaces it with the real Minecraft shortcut. However, traces of the Trojan's presence remain in the install apps list and in the device administrators' list:

The option of deleting the malicious app is deactivated. If the device user later seeks to de-escalate the Trojan's privileges the machine responds with weird and unsettling behavior: the screen locks, then shuts down for some moments. When the screen comes back on the device displays the configuration menu and there is no evidence of any attempt to strip the malicious app of its admin privileges.

Protection against analysis

The cybercriminals apparently invested serious time and effort into developing Trojan-SMS.AndroidOS.Podec, as demonstrated by the techniques used to prevent code analysis. As well as introducing garbage classes and obfuscation into the code, the cybercriminals used an expensive legitimate code protector which makes it fairly difficult to gain access to the source code of the Android application. This protector provides code integrity control tools, hides calls of all methods and manipulations involving class fields, and encrypts all strings.

Here is an example of protected code:

This is the same code after the protection is removed:

Managing the Trojan

Trojan-SMS.AndroidOS.Podec's activities are managed using C&C servers. The system works like this. First the Trojan contacts a C&C server via an HTTP protocol, and waits for an SMS with instructions. Trojan-SMS.AndroidOS.Podec has a main and a backup list of C&C domain names – a specific C&C server is chosen from the list following a random algorithm. If there is no response from that server within 3 days, a C&C from the backup list is used. This implements an adaptive algorithm to connect to a C&C server, which works even if specific domain names are blocked.

The C&C domain names and the entire traffic (both HTTM and SMS) are encrypted with AES encryption algorithm in CBC/NoPadding mode with a 128 bit key. The encryption key and the initialization vector are originally located in the file fXUt474y1mSeuULsg.kEaS (the name of this file changes from version to version), located in the 'assets' folder of the app source. Most of the file content is junk; useful information is contained between tags, appearing in the form of [a]string[/a].

From the strings between tags, the required encryption parameters (the key and the vector) are obtained in an encrypted form. Then they are decrypted by simply replacing one substring with others.

After decryption the commands form an XML document, in which the tags represent specific commands, and the contents of tags are command parameters. Below is the list of Trojan-SMS.AndroidOS.Podec capabilities implemented via commands:

  1. Collect information about the device (cell phone service provider, IMEI, phone number, interface language, country and city, etc.)
  2. Collect a list of installed applications.
  3. Receive information about USSD.
  4. Send SMS messages.
  5. Set a filter on incoming messages.
  6. Set filters on incoming and outgoing calls.
  7. Display advertisements to the user (display a separate notification, open an advertisement page, start a dialog, and other ways to show commercial content)
  8. Delete messages, as specified
  9. Delete call records, as specified
  10.  Upload the source HTML code of a specified page to the cybercriminals' server.
  11.  Perform a DDoS attack. Ramp up website visitor counters.
  12.  Subscribe the user to paid content.
  13.  Do a self-update.
  14.  Perform an outgoing call.
  15.  Export incoming messages according to conditions specified by C&C.
  16.  Delete an app, as instructed by C&C.

Even a quick analysis of the Trojan's executable code reveals an abundance of ways of working with HTML and HTTP. As well as features regarded as standard for this type of Trojans (e.g. sending and intercepting text messages, placing phone calls, manipulations with SMSs and call logs), Trojan-SMS.AndroidOS.Podec can also configure web page visits and send their code to C&C. However, this Trojan's most interesting feature is its CAPTCHA recognition capability.

A flow chart of Trojan-SMS.AndroidOS.Podec in operation is provided below.

Thus, the web resource's communication capabilities are the source of two different threats:

  1. The Trojan contains functions with which one can launch a simple HTML Flood DDoS attack. The associated strings in the configuration file are as follows:
  2. The resulting link is loaded; the function sleep() is called with the parameter 'seconds'. This process is repeated as often as the 'limit' parameter specifies.

    The scheme used by the cybercriminals enables them to configure the frequency and number of access attempts; therefore, it can be used to ramp up web site visitor counters, thus generating profits from advertising and from partnership programs.

  3. One of the most dangerous capabilities in Trojan-SMS.AndroidOS.Podec is the use of configurable webpage visit rules, with CAPTCHA recognition supported. With this, the Trojan can subscribe the user to premium-rate subscriptions without the user's knowledge or consent. This capability is unique to this Trojan, so let us review it in more detail.
Paid subscriptions

There are two main models of subscribing to content on a web resource:

  • Pseudo-subscription. In this model, users visit a web resource and enter their phone numbers. An SMS is then sent, asking users to pay for the service by sending a reply message with any text. When users send that message, a certain amount of money is deducted from their phone accounts, depending on the specific service provider's prices. These messages arrive automatically, and users make up their minds each time whether to send the reply message or not. It is for this reason that this model is often referred to as pseudo-subscription.
  • MT subscription. In this model, users enter their mobile phone numbers on a web page and receive an SMS with a validation code. Then users enter that code on the service provider's website, accepting the subscription terms and conditions. After that, the service provider will automatically deduct the sum stipulated in the subscription terms and conditions from the subscriber's account. In the Russian segment of the Internet, a number of partnership contracts are available that can aggregate this type of payments. This means that the cybercriminals do not have to directly deal with the cellular service providers when they create a service to which users can subscribe to paid content; partnership programs will do the agent's job. Under this model, the revenue is lower for the service creators, but the financial transactions are more anonymous.

Subscribing to paid services through a Trojan can be costly for users. In case of pseudo-subscriptions, one reply message may cost between $0.5 and $10. In case of MT subscription, the price in each specific case is agreed directly with the mobile service provider via the partnership program. The most dangerous factors here are that money is deducted 1) covertly and 2) on a regular basis. Users who are subscribed to several such "sources of content" may have to spend a lot of time and effort trying to find out where and how money from their accounts is going.

Example of the Trojan in operation

We were able to intercept Trojan-SMS.AndroidOS.Podec's communication with its C&C server. This communication session unfolded as follows:

  • The RuMaximum.com website was accessed – this site provides online test services for users. To get their results, users have to subscribe to the site.
  • This test in Russian is "What type of dog is most like you?"

  • With a GET request, the Trojan imitates a user taking a test. Then it finishes with a link that looks like http://rumaximum.com/result.php?test=0&reply[1]=0&reply[2]=0&reply[3]=0&reply[4]=0&reply[5]=0&reply[6]=0&reply[7]=0&reply[8]=0&reply[9]=0&reply[10]=0. This URL leads to the following web document:
  • Results of the test "What type of dog are you similar to?"
    "Yes, I am 18 years old or older, and I consent to the Terms and Conditions below.
    Enter your phone number."

  • After the user enters a phone number, a unique "landing page" of the service provider is generated, demanding a CAPTCHA authentication and for a validation code that was sent to the phone by SMS. The Trojan fills out both fields and validates the subscription. Then, the user is redirected to the test results via the e-commerce system totmoney.ru.
  • Results of the test "What type of dog are you similar to?"
    You are a German shepherd, a versatile dog. You can guard the state border or help the blind across the street. You learn things easily and keep your head cool in any circumstances. A good manager too!

The Trojan does all of these actions automatically using the configuration sent from the C&C. The victim, however, has no idea that any of this is happening.

Paid subscription capability

In the XML configuration sent from the C&C server, there is a field which subscribes the user to paid content. It looks like this:

Let's have a closer look at the configuration field:

  1. verify is an array of strings with the separator "-S-". It contains the information required to obtain the CAPTCHA value.
  2. verify[0]: if this field is not equal to zero, CAPTCHA recognition is required, otherwise further processing is done. This may contain the image file in base64 coding (done for processing static images and CAPTCHA), or an image ID;
    verify[1] is the key of the service 'http://antigate.com' used to recognize CAPTCHA and required to login at the service;
    verify[2] is the minimum image length, used for housekeeping purposes;
    verify[3] is the maximum image length, used for housekeeping purposes;
    verify[4] is the language of the symbols in the image.

  3. service is the accessed service;
  4. search is an array of strings with the separator "-S-", used to search for substrings in the link and to take a decision about the appropriate type of subscription depending on the search results;
  5. images is not used in this version;
  6. actions is an array of strings with the separator "-S-". Contains the final links that the services follows to initiate/complete the subscription process;
  7. type is request type;
  8. source indicates whether the webpage's source code should be sent to C&C;
  9. domain: If the page's source code should be sent to C&C, domain indicates the destination C&C.

The Observable interface is used to fetch the code of HTML pages and send it to C&C. The required information is sent to this interface, whenever needed, with the help of JavaScript when the page is loaded.

The webpage source code is required for cybercriminals to analyze the structure and to prepare an appropriate configuration for the paid subscription module. Also, this service provides source codes of webpages to ensure that the page's code is received in a form that can be used to show it to the victim. This makes it easier for the cybercriminals to analyze the page and start the subscription.

The function which completes the subscription to paid content is located in the class CustomWebView, which is inherited from the class WebViewClient. In it, the method onLoadResource was redefined (this method is used to get a link to the image), as was the onPageFinished method,which is used to post-process the loaded web-resource. Post-processing is based on analyzing the configuration and then visiting the required links with the help of the loadUrl function. When required, the CAPTCHA processor is called as well.

Bypassing CAPTCHA

Different partnership programs have different requirements from the design of a web resource where subscription tools will be hosted. For instance, there is often a requirement that for a CAPTCHA module to confirm that the request was not made from a bot. In most cases, the partnership program forwards the browser to the service provider's site where users are prompted to enter a CAPTCHA code to confirm their subscription requests. As explained above, Trojan-SMS.AndroidOS.Podec's key characteristic is that it can bypass CAPTCHA protection systems.

Trojan Podec can subscribe users to premium-rate services while bypassing CAPTCHA

Tweet

The CAPTCHA processor communicates with the service Antigate.com which provides image-to-text manual recognition services. Here is what the service says on its web-page:

Antigate.Com is an online service which provides real-time captcha-to-text decodings. This works easy: your software uploads a captcha to our server and receives text from it within seconds.

Source: antigate.com

In other words, the text from the CAPTCHA image is recognized by a person working for this service. According to the information Antigate.com provides on its website, most of its workers are based in India.

Source: antigate.com

Distribution of Antigate.com employees between countries

The Trojan communicates with Antigate.com via an HTTP API service: a POST request is used to the send the image containing a text to be recognized; then, with the help of GET requests, the recognition status is monitored. The recognized result (if received in reasonable time) is inserted into the links from the 'actions' field of the received configuration. Then the links are opened with the help of the loadUrl()function.

If the subscription mechanism requires SMS validation the Trojan uses the filter set by the cybercriminals to search for the message containing the validation code, and uses regular expressions to extract the code from there.

The general subscription procedure

General flow chart of subscription to paid content

In general, the model of subscribing to paid content consists of the Observer SubscribeService which listens to the events as they occur in the HTMLOUT interface. When data (a downloaded page) is received from there, it is sent to C&C with the help of the class Submitter, which inherits the class AsyncTask. Also, SubscribeService accepts command parameters from the manager routine as input, initializes CustomWebView and starts to process the task with the help of SubscribeTask. SubscribeTask launches CustomWebView in which input parameters are processed, and decision is made about how the subscription should be performed. If required, CaptchaProcessor is launched, which is responsible for communications with the text recognition service and handling the requests that require validation code and the characters from the CAPTCHA image.

Conclusion

From the analysis of Trojan-SMS.AndroidOS.Podec samples that arrived earlier, we can conclude that the Trojan is under ongoing development. The code is being refactored, new capabilities are added, and module architectures are being reworked.

We suspect this Trojan is being developed by a team of Android developers in close cooperation with Black SEO specialists specializing in fraud, illegal monetization and traffic generation. The following evidence supports this theory:

  1. The Trojan is distributed via the VKontakte social network employing social engineering tools;
  2. A commercial protector is used to conceal the malicious code;
  3. The scheme includes a complicated procedure of extorting money from the victim while bypassing CAPTCHA.

Also, there are certain features in the code of the analyzed version of Trojan-SMS.AndroidOS.Podec which have not yet been used but which may reveal the malware writer's further plans. For instance, there is an auxiliary function isRooted(), which helps to check whether the device's owner has super-user privileges. This function is not used in the Trojan's main code, so we can assume that a payload designed to exploit super-user privileges may emerge in future versions of the Trojan.

Users of Kaspersky Lab's products are already secured against all existing versions of Trojan-SMS.AndroidOS.Podec. Nonetheless, we recommend that users only install applications sourced from official stores, such as Google Play. The user should always be alert to cybercriminals' tricks and avoid downloading cracked apps advertised as free of charge. If you download and launch a Trojan, you can potentially lose much more money than you may earn from not paying to purchase legitimate software.

With acknowledgements to Mobile TeleSystems OAO, a GSM cell phone operator in Russia, and specifically to its experts in partnership programs traffic.

Make your password long.

SANS Tip-of-the-Day - Mon, 03/09/2015 - 23:43

Understanding the operations of a scam

Malware Alerts - Mon, 03/09/2015 - 05:00

Currently, in Sweden, we're facing a big issue with scammers trying to buy items for sale on various auction websites, but when you initiate contact with the potential buyer things get nasty and you might lose money. This is nothing new, and most of the auction websites have written about this to inform their users, but they do not explain in detail how these scams actually work – their FAQs only advise people to be careful. So I know that there are a lot of questions unanswered for worried users.

Since one of these scammers tried to scam my wife, I decided to follow their scam and document the entire process, so that I could inform not only law enforcement but also our readers on how these scams actually work. When you know how the scam works, it will be much easier to spot them and avoid being scammed.

So, let me give you the background.

Our daughter got a new bike, so we decided to sell the old one on Blocket, the biggest website for personal ads (buying/selling) in Sweden.

After a few days my wife received an SMS (which unfortunately has been deleted). The SMS came from a Polish number, and the person wrote in very good English. They said that they were interested in the bike, but wanted to have more information, and gave my wife an email address. I told her NOT to reply via SMS but to email the person, because sometimes the bad guys send SMS from premium numbers, which means that when you reply to the SMS it will cost you much more than a normal SMS.

I told my wife to be very brief in her answers, which you can see in her initial email response below:

As you can see, the person starts to ask valid questions about the bike, which means that it's not a bot, it's actually someone who manually responded to this ad. I have no idea how they select their victims, but it is obviously a manual process.

We decided to take this even further, to see the next step in the scam, so we replied with the information about the bike – there was also still be a chance that the person was not a scammer and really wanted the bike.

It was after this email that everything started to get nasty. They accepted our offer, but what was so strange was that the person confirmed their Polish identity. Even if you look up the person on social media their identity seems to be Polish. So we decided to continue.

The person asked for our name, PayPal details and the total price, which we obviously sent them. They also said that they were going to cover the shipping cost for the bike, and had already involved a shipping company.

We shared our information, and waited for them to reply. They were VERY fast in replying to all the emails; it almost seemed as though there were a lot of people with access to the same mail account, but we weren't able to confirm this. In the email they sent just before the money transfer they also included an address in Poland. This address hasn't been confirmed, but we are trying to find out who lives at that address which can be found in the screenshot below. Within minutes they just stated that they had completed the transfer, which you can see in the second screenshot.


I did get two emails from something that looked like PayPal, but when you look more closely you can see that the email is not coming from PayPal at all. This is a very clever, but common, trick that is also used in phishing attacks.  When you look at the email you can see that it's actually being sent from service@e-pay-team.com which is hosted on Google Mail.  What is so interesting with this email is that it's most likely created manually too, because it contains details such as the price we asked for the bike.


At this point no money had been transferred to my PayPal account - the emails were just fake. The fraudsters next tried to get me to transfer the shipping cost, in this case 1700 SEK (about $200 USD), from our account to the company "P.S.S Logistics". The process they outlined for transferring the money was to visit a Western Union office, and transfer it to this shipping company; but when you look more closely at the emails they sent, they wanted us to transfer it to a private person. There is a company called "P.S.S Logistics", but its registered in South Africa, the fraudsters started to use this name, but when you transfer the money it goes to an individual named "Bamise Seon" in Nigeria.


At this point I wondered if the scammers were working with hacked accounts, because all of the individuals exist on various social media networks. For example, the person who keeps email using the Polish name "Pawel Dylewski" can be found on Google Plus. And the individual in Nigeria can be found on Facebook. If you look closely on the screen captures I took from Facebook, you can see that there are two identities, one female and one male, and they are both connected to each other by the same name. In the screenshot below you can see that it's written: "Send HER a friend request", which indicates that this profile belongs to a female. You can also see that she has one friend, a person with the same name, but with a profile picture of a man and more information.

I am currently working with PayPal, Western Union, Google and law enforcement, to share the intelligence I have collected, but I also want to share this story. We need to inform everyone who is actively selling/buying things online to keep a close eye on the details. If the deal sounds too good to be true, in most cases it is.

The scheme in bullet points:
  1. You receive an SMS from a potential buyer containing an email for further contact?
  2. In some cases the SMS is sent from a premium number, so when you reply you will be charged for the premium service.
  3. Once the email conversation starts, the buyer wants to pay with an online payment service - for example, PayPal - offering full payment, including shipping.
  4. They send FAKE emails pretending to come from PayPal, stating that their money has been transferred to your account. But the money won't be transferred to your account until you have completed the deal.
  5. The deal can only be completed if you transfer money for the shipping costs to a shipping company - for example, via Western Union.
  6. The shipping company does not exist, it's actually the personal account of the scammer; which means that they want you to transfer a sum from your own pocket in the hope that they will pay the full amount (including the amount for your item) into your PayPal account.
Some useful tips when communicating with strangers over Internet:
  • Please do not use SMS to communicate, because fraudsters might use premium numbers to charge you a lot of money.
  • Please double-check any email address: for example, in this case it did not come from "paypal.com", but "e-pay-team.com".
  • Never transfer any money to anyone; and always make sure you have received payment BEFORE you ship the item you are selling.
  • Never pay with a credit card unless you are 100% sure that the website is legitimate; try to use secure payment methods such as PayPal.

PS: We sold the bike today. To a REAL person

Animals in the APT Farm

Malware Alerts - Fri, 03/06/2015 - 06:00

In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild.

Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. Victims include:

  • Government organizations
  • Military contractors
  • Humanitarian aid organizations
  • Private companies
  • Journalists and media organizations
  • Activists

Our colleagues at Cyphort, G-DATA and ESET have recently published blogs about Bunny, Casper and Babar, some of the Trojans used by the Animal Farm group.

The Farm includes several Trojans, which we have grouped into six major families:

Here's a brief description of the animals in the farm:

  • Bunny - an old "validator"-style Trojan used with a PDF zero-day attack in 2011.
  • Dino - a full-featured espionage platform.
  • Babar - the most sophisticated espionage platform from the Animal Farm group.
  • NBot - malware used in a botnet-style operation by the group. It has DDoS capabilities.
  • Tafacalou - a validator-style Trojan used by the attackers in recent years. Confirmed victims get upgraded to Dino or Babar.
  • Casper – the most recent "validator"-style implant from the Animal Farm group.

The group has been active since at least 2009 and there are signs that earlier malware versions  were developed as far back as 2007.

Over the years we have tracked multiple campaigns by the Animal Farm group. These can be identified by a specific code found either in the malware configuration or extracted from the C&C logs.

Most recently, the group deployed the Casper Trojan via a watering-hole attack in Syria. A full description of this zero-day attack can be found in this blog post by Kaspersky Lab's Vyacheslav Zakorzhevsky.

In addition to these, the Animal Farm attackers used at least one unknown, mysterious malware during an operation targeting computer users in Burkina Faso.

KSN & Sinkholing statistics

During the investigation we sinkholed a large number of C&C servers used by the Animal Farm group. This allowed us to compile a comprehensive picture of both targets and victims.

The malware known as Tafacalou (aka "TFC", "Transporter") is perhaps of greatest interest here, because it acts as an entry point for the more sophisticated spy platforms Babar and Dino. Based on the Tafacalou infection logs, we observed that most of the victims are in the following countries: Syria, Iran, Malaysia, USA, China, Turkey, Netherlands, Germany, Great Britain, Russia, Sweden, Austria, Algeria, Israel, Iraq, Morocco, New Zealand, Ukraine.

What does "Tafacalou" mean?

"Tafacalou" is the attacker's internal name for one of the validator (1st stage) Trojans. We tried various spellings of this word to see if it means anything in a specific language, and the most interesting option is one with its origins in the Occitan language: "Ta Fa Calou."

The expression "Fa Calou" is the French interpretation of the Occitane "Fa Calor" which means "it's getting hot" (see http://ejournaux.blogspot.com/2008/07/la-langue-occitane-et-ses-quelques.html). 'Ta Fa Calou" could therefore be taken to mean "so it's getting hot" based on the Occitan language.

According to Wikipedia: 'Occitan is a Romance language spoken in southern France, Italy's Occitan Valleys, Monaco, and Spain's Val d'Aran; collectively, these regions are sometimes referred to unofficially as "Occitania".

Note: A detailed technical report on Animal Farm is available to customers of Kaspersky Intelligent Services.  For more information, contact intelreports@kaspersky.com

Keep it off the floor

SANS Tip-of-the-Day - Thu, 03/05/2015 - 21:56

Get it out of the car

SANS Tip-of-the-Day - Wed, 03/04/2015 - 21:57

Who's Really Spreading through the Bright Star?

Malware Alerts - Wed, 03/04/2015 - 12:14

Security researchers recently announced that that the official website for the Korean Central News Agency of the Democratic People's Republic of Korea has been serving malware disguised as a Flash Player update. The immediately conspicuous code is still active on the KCNA front page. The javascript variables at the top of the front page source code are part of an interwoven js mechanism meant to check for specific requirements before redirecting the visitor to a relative location, /download/FlashPlayer10.zip.

The malware delivery site has been live, although response to connection attempts is intermittent at best. The zip file contains two executables with the common Flash installer names.This malware has been around since the end of 2012.

What appears to be rushed attribution and pretty faux-intelligence diagrams proposes the standard hypothesis that the malware was placed there by the site's developers in an attempt to infect the endpoints of those outsiders interested in the goings-on of the DPRK. This may not be the case, because incidents are usually more complex than they seem. And clearly, this is a significant piece of the puzzle - there was human involvement in adding this web page filtering. It is not a part of the viral routines in its handful of components. Instead, the malware's trigger, system requirements, and technical and operational similarities with the more recent DarkHotel campaigns point in the direction of an external actor, possibly looking to keep tabs on the geographically dispersed DPRK internet-enabled elite.

The larger spread of victims include telecommunications network engineering staff, wealth management and trading staff, a pharmaceutical's electrical engineering staff, distributed software development teams, business management and related school faculty and IT, and many, many more.

Website Attack and Geographic Spread

One of the most notable characteristics is that the malware isn't being delivered to every site visitor. The delivery trigger is contingent on the absence of the legitimate Flash Player 10 or newer being present on the target's Windows system. If a user attempts to view the videos or picture slideshows linked on the bottom right pane of the front page, the user is presented with a gif in place of the desired content indicating that flash player is required. Naturally, clicking on the gif will redirect to the malicious zip file. It's also interesting that this malware has no Linux or OS X variant, deliverables are exclusively Windows executables. It's also interesting that the malware components were first detected in Nov of 2012, two months prior to the first known appearance of the Flashplayer bundle on the kcna.kp website. While we don't know definitively the exact origin of these infections, at this point, we suspect it was in fact the kcna website. There are no other known sources.

 

KSN data also includes few select cases where Firefox users were served up the malware while visiting a page known for cross-site scripting, described in the following section "Potential XSS-Enabled Watering Hole". Basically, the timing and resource location of this vulnerability presents the definite possibility of an external actor's intrusion.

The delivery of a zip file dependent on user interaction and self-infection initially implies a fairly low level of attack sophistication, but let's go farther than the social engineering elements of the attack and consider the victim profiling too. From this web site in particular, the attackers are initially targeting users with not only a low-level of technical expertise and general knowledge, but also tragically outdated Windows systems. Flash Player version 10 was released on October 2008, and newer browsers like Google Chrome include a more recent flash plug-in out of the box. These attacks took place in the third quarter of 2012 at the earliest.

Most likely, the intended victims are known to use outdated systems that fit these specifications. This is the case in North Korea, where Global Stats places nearly half of desktop computers systems still running Windows XP. In comparison, South Korea has a steady Windows 7 adoption rate of nearly 80% over the past year.

So what is the actual geographic spread of the malware? Well, the two main associated components mscaps.exe and wtime32.dll were detected on systems mostly in China, followed by South Korea, and Russia. We can infer that these systems were infected at some point and were victim systems of the kcna.kp spread malware:

China 450 Korea, Republic of 43 Russian Federation 25 Malaysia 20 Italy 11 India 10 Korea, Democratic People's Republic of 7 Germany 7 Hong Kong 6 Iran, Islamic Republic of 4

However, reading into the geolocation of the top hits is not as straightforward as it may seem. Reports suggest that NK elites have access to various internet providers that may geolocate their ip in Chinese, Russian, and Hong Kong IP ranges.

 

Potential XSS-Enabled Watering Hole

Given the recent branding of NK threat actor as the culprit of the Sony hack, original reporting has had no difficulty accepting the idea that this is an attack perpetrated from within the DPRK in order to keep track of those people interested in the official state media. Let's examine the difficulties in arriving at that conclusion.

First, the site itself was vulnerable to XSS in the early 2013 time frame, when the Flashplayer installer bundle first appeared on the site. The site's vulnerability is recorded here by "Hexspirit"  on XSSed in April 2013. As a matter of fact, the first pages we are aware of that referred to the flashplayer bundle on kcna.kp by the exact same XSS-vulnerable page were seen in Jan 2013:

hxxp://www.kcna.kp/kcna.user.home.photo.retrievePhotoList.kcmsf;jsessionid=xxx

So, the flashplayer bundle may have been delivered by any APT actor and not simply the site's governmental sponsor. Coupling that possibility with the Darkhotel APT's penchant for delivering Flashplayer installers from compromised resources, this scenario holds weight. Also, the strong possibility that the site's developers unknowingly maintained infected machines is present.

The operational angle of placing malware on the state's official news site is dependent on who is most likely to view this site or directed to it and be interested in its content -- to the point of arriving at the download trigger deep in the media section. Sure, we can consider that key elements in the international community, like dissidents, think tanks, and foreign institutions are likely to keep an eye on NK state news but their systems are unlikely to fit the Flash player requirements for the infection. We also have seen forums maintaining emotionally charged discussions containing links to photo images redirecting to the Flash installer malware. Perhaps forum participants were targeted actively in this way as well. So this watering hole attack may be focused inward, intentionally targeting the geographically-spread North Korean internet-enabled elite and other interested readers by an external threat actor.

Malware Similarities to Darkhotel APT Toolset 

The original finding includes a preliminary analysis of the quirky inner workings of the malware dropper, delving into the two executables masquerading as Flash Player 10 updates. Let's go a step further and discuss the following similarities between the viral code hosted on kcna.kp and the previously documented Darkhotel malware in the following categories:

  • Social engineering
  • Distribution
  • Data collection
  • Network configuration and simple obfuscation
  • Infection and injection behavior
  • Timestamps and timelines

A referent for these malware similarities can be found in descriptions of the malware distributed during the DarkHotel campaigns. Comparisons follow.

Social engineering

The most blatant and obvious similarity between these campaigns is the approach of delivering spoofed FlashPlayer installers bound with backdoors from compromised server resources. This is the first page out of the Darkhotel playbook and one of its most distinct qualities now replicated in the KCNA attack. The benefits of this approach are significant, especially when considering that the malware in the case of KCNA is not digitally signed and requires express user interaction for execution.

Data Collection

On a technical level, it's interesting to recall the Darkhotel information stealer from 2012. Its purpose is to collect identifying data points from victim systems. The data points of interest to the DH information stealer are very similar to that of its KCNA equivalent (shown below):

Coincidentally, the KCNA dropper collects much the same identifying data points from victim systems. The Darkhotel item missing from this list is the 'CPU Name and Identifier', supplanted by 'time of infection'.

The Darkhotel stealer maintained the stolen data in a specific internal format of label-colon-value as follows:

The KCNA stealer maintained the stolen data in the following internal format, very similar to the Darkhotel format (label-colon-value):

Network configuration and simple obfuscation

This package's network callback includes several unusual Fully Qualified Domain Names (FQDNs). This network configuration is specifically hardcoded within wtime32.dll:

a.gwas.perl.sh
a-gwas-01.dyndns.org
a-gwas-01.slyip.net

It's interesting that the malware is configured with three connectback command & control servers, just like the network configuration of tens of the Darkhotel backdoors. Also, a very simple routine locates these strings within the wtime32.dll component's .data section and decodes them as global variables. Those strings are obfuscated within the binary with a simple XOR 0x12 loop. The later Darkhotel samples maintain a somewhat more complicated approach, but not by much. Here are strangely obfuscated strings:

Software\Microsoft\Active Setup\Installed Components
{ef2b00e3-19da-4e78-b118-6b6451b719f2}
{a96adc11-e20e-4e21-bfac-3e483c40906e}
Software\Microsoft\Windows\CurrentVersion\Run
JREUpdate
mscaps.exe
a.gwas.perl.sh
a-gwas-01.slyip.net
a-gwas-01.dyndns.org
update.microsoft.com
20
%SystemRoot%\system32
%APPDATA%\Microsoft\Protect\SETUP
%SystemRoot%\system32\gdi32.dll

Targeting Specificity

The Darkhotel actor is unusual in the varying degrees of specificity it uses to spread its malware: "This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics."

In other words, the group is surprisingly open to their worms spreading indiscriminately across entire countries, hitting tens of thousands of systems. This is also the case in the KCNA campaign wherein malware is positioned in a way meant to attract a specific target audience with uncommon system requirements and yet the malware itself is designed to spread indiscriminately (via a mechanism described below).

Infection and Injection Behaviors

Much like the Darkhotel toolset, the KCNA malware includes viral code. The routine is maintained in the fil.dll code. After sleeping for a couple of minute intervals, the code repeatedly looks through attached network drives for executables to infect. It infects these files with its explorer shellcode and the @AE1.tmp dropper itself. It's a strange infection strategy --notably, the shellcode blob does not transfer control back into the original file.

The injection behavior is both intricate and indiscriminate as the malware not only infects executables on network shares but also locally. As an example, the size of an infected Skype installer on a network drive increased in size from its original 1,513 kb to 3,221 kb.

Great strides, however inelegant, were taken in adding to the malware's injection capabilities beyond simple executables. For this purpose, the malware drops a copy of command-line WinRar version 4.1.0 (released January 2012) in %USERS%\AppData\Roaming\Microsoft\Identities\\Rar.exe. This Winrar software is used in order to access ZIP, RAR, ISO, and 7Z files in search of any executable contents to infect. Archives in the aforementioned formats containing executables are infected and then repackaged under their original filenames but with their new executable contents under the Daws.awfy scheme.

All resultant infected files are detected by our products as Trojan-Dropper.Win32.Daws.awfy. Several networks were affected by this viral code, and almost one thousand unique md5s representing related infected files across various systems were recorded as "Trojan-Dropper.Win32.Daws.awfy".

Viral Victimology

Given the malware's viral propagation capabilities, we can distinguish the infection spread data above, which relates directly to the Flashplayer hosted on KCNA, from the malware's viral spread through network shares and removable drives. While each count in this list represents a unique organization or system that detected a set of KCNA-viral infected files on their drives, the total infected file detection count is almost 20,000 files. Focusing on the Daws.awfy spread, we get a different picture of the malware's reach:

Country Systems and organzations encountering infected files China 481 Malaysia 51 Russia 47 Korea, Republic of 34 Taiwan 14 Senegal 14 Korea, Democratic People's Republic of 11* India 9 Mexico 9 Qatar 9

It's important to note the different conditions that apply to North Korea. First of all, the limited IP space means that multiple unique systems share IP addresses --in the case of DPRK victims above, the number is based on unique systems instead of unique IP addresses. Next, we attribute the relatively low number of network-based infections to the restrictive policies that keep many users from connecting to the larger Internet from KP ip ranges in the first place. A network- and usb-based viral infector is a great tool for a malicious actor to use the few front-facing systems in order to infect computers on an isolated intranet, like the one connecting most machines inside NK. However, that very isolation makes it impossible to precisely quantify the malware's success inside that intranet at this time.

Timestamps and timelines

KCNA malware dropper compilation timestamp: Tue, 13 Mar 2012 02:24:49 GMT.
Darkhotel information stealer compilation timestamp: Mon, 30 Apr 2012 00:25:59 GMT.

Also interesting is that mostly all of the additional KCNA malware related components were compiled in mid-March 2012.

The first Darkhotel APT spoofed flashplayer installer incidents recorded in our KSN data began in 2012 and peaked in 2013. This KCNA incident would fall in the peak timeframe for this type of offensive activity for Darkhotel. 

Noteworthy Components

In addition to the legitimate flash player upgrade that this archive maintains, the backdoor components that it drops to disk and executes seem to be clustered as Windows Live components (i.e.: Defender, IM Messenger). The two most interesting dropped files are the following:

78d3c8705f8baf7d34e6a6737d1cfa18,c:\windows\system32\mscaps.exe
978888892a1ed13e94d2fcb832a2a6b5,c:\windows\system32\wtime32.dll

The mscaps.exe component's reboot persistence setting is added to the registry here: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{a96adc11-e20e-4e21-bfac-3e483c40906e}, where its stubpath is set to '"C:\WINDOWS\system32\mscaps.exe"  /s /n /i:U shell32.dll'. This setting ensures that every time the explorer.exe shell is started or restarted on the system, this executable injects its code.

Other analyses of this malware failed to mention the presence of Madshi's madCodeHook. It is a legitimate commercial DLL injection and api hooking framework, in this case used to inject the att.dll spyware component specifically into the following communications applications:

  • Internet Explorer -- iexplore.exe, ieuser.exe
  • Mozilla Firefox, firefox.exe
  • Google Chrome, chrome.exe
  • Microsoft Outlook Express, msimn.exe
  • Microsoft Outlook, outlook.exe
  • Windows Mail, winmail.exe
  • Windows Live Mail, wlmail.exe
  • MSN Messenger, msnmsgr.exe
  • Yahoo! Messenger, yahoomessenger.exe
  • Windows FTP Client, ftp.exe

The LoadLibraryExW hook is placed here:

The hook jmp listed here:

Related string parsing loop here:

Other analysis notes that ws2_32.dll, or the winsock2 library, is dropped to disk and copied to mydll.dll. The reason for this is most likely to maintain stable Winsock2 hooks across Windows OS. In the past, some madCodeHooks set on Winsock2 api proved to be unstable, so these guys just include one that they know works.

This implementation throws a wrench in the works, it is certainly a dissimilarity. The madCodeHook library was not observed in Darkhotel malware.

The wtime32.dll component is dropped to disk and loaded at startup into explorer.exe. It is then injected into each of the listed "interesting" processes. It is a very interesting bot component, communicating with its three c2 domains and listening for further commands. It maintains 13 primitive interactive bot commands:

Command Command Description cmd run provided cmd and output to file as a part of newly created and killed process, i.e. "cmd /c tree > file 2>&1" inf collect system information - operating system version, username, computername, system drive, local time, all connected drives and properties, network adapter properties, disk free space, enumerate all installed programs as per-user or per-machine cap capture screenshot and send to c2 dlu incomplete function dll open a process with all access, write a dll to memory and remotely create thread (load a dll into a remote process) put receive, decrypt, and write specified file to disk got report status on retrieved file get collect, encrypt, and retrieve specified file exe run provided executable name with WinExec del record file attributes to specified c2 and delete specified file dir record and report to c2 all files in current directory tree and their attributes: filename, file size, last write time, archive or directory, hidden, system quit exit thread prc process request

Its functionality includes older technologies used here that we just don't see anymore. Not only does it provide for NTFS, FAT32, FAT16, and FAT filesystem I/O routines, but it implements the older FAT12 I/O routines as well. Low level Windows95 raw disk access is enabled with CreateFileA on \\.\vwin32 through the vwin32 virtual driver.

Finally, the KCNA malware does have a unique trick up its sleeve. Its dropped components' ability to scan connected drives and network shares to copy their contents and deliver a special something to further its spread. So in its own crude way, this malware could hop across usb-enabled air-gapped networks by infecting both executables and archives on usb sticks.

Conclusions

The KCNA incident and the related viral bot's spread leaves more questions than solid answers. Chalking this campaign up to DPRK operations is certainly a simplistic thing to do and unsupported here. The possibility for the spread of an internal network virus or the possibility of an XSS-enabled website compromise are both high. Some similarities with the Darkhotel toolset are present, including the network configuration, spoofing technique, as well as the format and selection of stolen data. Were these to be related campaigns, particularities of the KCNA malware show that the Darkhotel actor may still have some tricks up its sleeve.


Appendix

Components Dropped by the KCNA Malware

78d3c8705f8baf7d34e6a6737d1cfa18, mscaps.exe, Tue, 12 Apr 2011 09:15:59 GMT
978888892a1ed13e94d2fcb832a2a6b5, wtime32.dll, 213kb, Trojan.Win32.Agent.hwgw, CompiledOn:Wed, 29 Feb 2012 00:50:36 GMT
2d9df706d1857434fcaa014df70d1c66, arc.dll, 1029kb, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:34:00 GMT
fffa05401511ad2a89283c52d0c86472, att.dll, 229KB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:32 GMT
1fcc5b3ed6bc76d70cfa49d051e0dff6, dis.dll, 120.kb, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:36 GMT
d0c9ada173da923efabb53d5a9b28d54, fil.dll, 126kb, UDS:DangerousObject.Multi.Generic, CompiledOn:Tue, 13 Mar 2012 02:24:41 GMT
daac1781c9d22f5743ade0cb41feaebf, launch.exe, 172KB, HEUR:Trojan.Win32.Generic, CompiledOn:Tue, 13 Mar 2012 02:24:52 GMT
6a9461f260ebb2556b8ae1d0ba93858a, sha.dll, 89KB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:43 GMT
f1c9f4a1f92588aeb82be5d2d4c2c730, usd.dll, 99KB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:46 GMT
59ee2ff6dbac2b6cd3e98cb0ff581bdb, WdExt.exe, 1.66MB, Trojan.Win32.Agent.hwgw, CompiledOn:Tue, 13 Mar 2012 02:24:49 GMT
f415ea8f2435d6c9656cc6525c65bd3c, wtmps.exe, 1.94MB, Trojan-Dropper.Win32.Daws.awfy, CompiledOn:Mon, 05 Mar 2012 08:37:55 GMT

 

Related MD5s, Domains, and Detections

Trojan.Win32.Agent.hwgw
78d3c8705f8baf7d34e6a6737d1cfa18, mscaps.exe
2d9df706d1857434fcaa014df70d1c66, arc.dll
1e7c6907b63c4a485e7616aa04351da7, @aedf66.tmp.exe
1fcc5b3ed6bc76d70cfa49d051e0dff6, dis.dll
523b4b169dde3bcab81311cfdee68e92, wdext.exe
541989816355fd606838260f5b49d931, wdext.exe
5e34f85278bf3504fc1b9a59d2e7479b, wdext.exe
6a9461f260ebb2556b8ae1d0ba93858a, sha.dll
78ba5b642df336009812a0b52827e1de, wdexe.exe
7f15d9149736966f1df03fc60e87b8ac, wdext.exe
7f3a38093bd60da04d0fa5f50867d24f
82206de94db9fb9413e7b90c2923d674
a59d9476cfe51597129d5aec64a8e422, @ae465f.tmp.exe
f1c9f4a1f92588aeb82be5d2d4c2c730, usd.dll
fffa05401511ad2a89283c52d0c86472, att.dll
d0c9ada173da923efabb53d5a9b28d54, fil.dll

Trojan-Dropper.Win32.Daws.awfy
2f7b96b196a1ebd7b4ab4a6e131aac58
8948f967b61fecf1017f620f51ab737d
...and almost 800 other executables that were infected on network shares and attached drives

c2 Domains
a.gwas.perl.sh,211.233.75.83
a-gwas-01.dyndns.org
a-gwas-01.slyip.net

Skyfall Meets Skype

Malware Alerts - Wed, 03/04/2015 - 10:14

The portmanteau-named SKYPEFALL.EXE is the latest, very active, malware-spamming campaign spreading through Skype. We first registered this attack on March 3 using both Spanish and English to lure victims. How does this attack work?

The victim receives a Skype message in the following format:

Dios Mio! [user name in Skype] video: http://********skype.info/video/?n=[user name in Skype]

Oh, My God ! [user name in Skype] video: http://********skype.info/video/?n=[user name in Skype]

If they click on the link and use Internet Explorer, it leads them to a fake video Website full of fabricated comments meant to peak the users interest while inviting the victim to download a plugin in order to watch the video itself:



Again, the URL used in the malicious message sent through Skype is available only if the browser referrer points to Internet Explorer. If the victim uses any other browser, the URL is simply unavailable.

The initial setup.exe is a RAR auto-extractible file with embedded instructions. It includes a full GUI installation package.

The victim receives both Adware-like functionality as well as Backdoor capabilities. Once it is installed on the victim's machine, it abuses the new victim's Skype friends list to continue spamming the aforementioned messages. The instructions for its behavior are downloaded from another server and look like this:

{
"skype_restart_mins": 120,
"old_friend_hours": 48,
"del_msgs_limit": 5,
"send_strategy": 1,
"max_loc_msgs": 60}

The malware also includes an embedded SMTP client that would potentially allow the attackers to send spam through the victim's machine.
The attackers leading this campaign are changing this binary on the Web every few hours. In this way, they are trying to evade any consistent AV detection.

Dating Lisa for 1 Euro

Malware Alerts - Wed, 03/04/2015 - 10:11

Last night I got a unexpected SMS in German language on one of my phones. A message from "Lisa", pretending to know me, including an url luring the reader to a picture of her.

The short-url points to the domain "m.bensbumsblog.com", which is already known for being used in SMS-spam for dating-websites, redirecting to a dating website. As there was no preregistration or request for this SMS, this clearly belongs into the category unsolicited bulk message.

The final target of the link is "daily-date.de". This website requires registration (username, password, mail-address and several personal questions). Finally it offers premium access to the system, which means searching, meeting and texting people as well as watching pictures, not for free though. This campaign offers a 14-day trail for 1€.

The domain "bensbumsblog.com" is protected by an anonymizing service to avoid identifying the owner. Although the IP-address is owned by a cloud service (according to RIPE lookup) and rented by some marketing company (IP reverse lookup).
The final website "daily-date.de" belongs to a German company, located in Berlin.
A look at the click-statistics from "bit.ly" shows that this campaign started on 03.03.2015 and got more than 10,000 clicks within 18 hours, most of them from Germany. Most clicks appeared in the first 3 hours of the campaign (started around 18:00 CET).

The "bit.ly"-user "benbu", who setup this Link, already created 15 Bitlinks/Short-URLs (active since 2nd of march 2015).

Amount of Bitlinks Target/Campaign 6 DailyDates (this campaign) 1 Easy money/credit cards 8 Coupons

Spam is a common problem, not only via email. Although SMS-Spam is more common in Asia but less common in Europe.

Having a look at other campaigns by this user, not all were successful. Besides this campaign, 6 others got some clicks. All mostly targeting Germany.

Created Target/Campaign Clicks 02.03.2015 Coupons 2630 02.03.2015 Coupons 1764 02.03.2015 Coupons 250 02.03.2015 DailyDates 993 03.03.2015 Coupons 1878 03.03.2015 Coupons 1004

In general make sure that you don't just click on any link you get as there might also be malicious content behind. To improve protection of your mobile (smartphone/tablet) always ensure you install updates. Further you should have security software installed to be protected against mobile malware.

 

 

Threats to Children Online: The Danger is Real

Malware Alerts - Wed, 03/04/2015 - 06:00

 Download Full Report PDF

The Internet has long ceased to be the preserve of grown-ups. Children today are often far more active Internet users than their parents. But is it safe enough for children to use without fear of facing inappropriate content? To find out we decided to investigate potential online threats to children.

The research is based on data processed by our Kaspersky Security Network. We analyzed data from more than a million Kaspersky Lab customers. Each of them had encountered dangerous content at least once in the last year.

The results show that more than half (59.5%) of users encountered pornography; over a quarter (26.6%) landed on websites dedicated to gambling; every fifth user stumbled across sites featuring weapons; and almost the same number were confronted by strong language.

Percentage of users worldwide encountered dangerous content in 2014

Two thirds (67.29%) came across chat services. Only a small proportion of these services, such as those with anonymity functions or predominately adult subscribers, represent a potential threat to children. As a result it is difficult to take overall chat service encounters as an accurate indication of the level of risk to young people.  However, the data does confirm the popularity of chat; and the greater the popularity of chat services in any given country, the greater the probability that children might occasionally or even intentionally enter into an unsafe chat environment. So, if nothing else, evidence of frequent encounters with chat services could be a sign for parents to pay more attention to the nature of these services and the likelihood of their child being drawn in.

Websites carrying these kinds of inappropriate content (adult, chat, gambling and weapons), along with others featuring drugs, tobacco and alcohol, were the ones blocked most often by Kaspersky Lab protection solutions. The frequency of detections demonstrates just how easy it is for users to encounter such content online. The higher the frequency: the greater the probability.

The most frequent use of parental controls were from China, USA, German, the UK and Russia #KLReport

Tweet

In geographical terms, the countries with the most frequent Parental Control detections were China, the USA, Germany, the UK and Russia. France, Vietnam, Brazil and Algeria also ranked in the top ten in terms of inappropriate content detection – but were relatively safer due to a lower frequency of detection.

Each of the top ten most affected countries has its own distinct characteristics when it comes to the prevailing online threats for children. For instance, adult content was the biggest threat to users in Germany (with 172 detections per user), China (144.18 detections per user), and the US (126.16 detections). Content about alcohol, tobacco and drugs was a major threat to users from Russia, Germany, the USA and France. The frequency of detection was especially high in these countries. This kind of content also proved popular in Brazil and the UK.

Parents should choose parental control solutions to help protect their children #KLReport

Tweet

The fact that the threat landscape for children changes significantly from country to country is one of the most remarkable findings to emerge from the research. It is a clear sign for parents around the world to pay special attention to what their children are doing online in their own country, as every situation will be different. To protect young people, we recommend that adults choose protection solutions with Parental Control technologies and make full use of safe "children" modes in search engines and applications that allow access to multimedia content and which are used by children.

However, although Parental Control technologies can block access to web sites with content that is dangerous or distressing for children, they cannot offer reliable protection in situations where safe-by-default web services like social networks or chats are misused by predators or users conducting cyberbullying campaigns.

Internet security deserves to be taken as seriously as real-life physical security #KLReport

Tweet

Internet security deserves to be taken as seriously as real-life physical security. That's why we urge parents to take an active part in their children's real and digital lives.  Only then can they be sure that they won't miss the moment when their child might need their support.

Read more about online threats to children in the full text of the research.

The Enemy on your Phone

Malware Alerts - Thu, 02/26/2015 - 05:00

Many people believe that there are no malware programs on smartphones. There was a time when there was some truth in this. A few years ago mobile platform operators originally designed their products with very high security levels. Mobile operating systems did not allow malicious programs to easily seize control and make themselves at home on devices.

Sadly that's no longer the case. Mobile devices are fundamentally different, they can do much more. A modern smartphone is a full-blown working tool, an entertainment center and a tool to manage your personal finances. The more it can do, the more attractive it is to cybercriminals. They want to steal a slice of that pie and the more tempting the prize, the more they create malicious applications, and invent methods to infect computers and to distribute malware.

Since Q1 2012, the number of malicious programs has grown more than tenfold, to exceed 12,000,000 in Q4 2014

Tweet

The evidence for this is clear when we look at the rapid growth in the numbers of mobile Trojans. The rate of growth is impressive: since Q1 2012, the number of malicious programs has grown more than tenfold, to exceed 12,000,000 in Q4 2014.

The number of detected malicious installation packages

Looking at the types of malicious programs is also revealing. It is easy to see that SMS Trojans and multi-purpose backdoors are giving way to malicious adware and Trojan bankers. However, just because a specific type of malware is losing its market share, this doesn't mean it is disappearing: it should be also remembered that the overall number of malware programs targeting mobile devices keeps growing.

Distribution of mobile malware by function (files from Kaspersky Lab's collection)

Malware writers don't create tons of malicious programs to build up a private collection or show off on some forum. All malware programs find their victims, and it is at times surprising to see how a seemingly innocuous loophole can allow them onto users' mobile devices.

Do it yourself

Believe it or not, users often infect their mobile devices with their own hands.

The ways to get malicious code on a regular computer without any user involvement are well known. Cybercriminals hack websites, users visit the sites and a hidden frame is opened in their browsers to download malware on to the victim machine using an arsenal of exploits.

On mobile platforms, everything is different. The underlying principles behind these platforms mean there are almost no vulnerabilities that would enable cybercriminals to attack a device without the user's knowledge and consent. So criminals need some help from users: Trojans must be installed and launched by their intended victims. It's like the old joke about the first, primitive virus: 'please delete all your important data and reformat your hard drive'.

A classic method to make money with mobile malware is to send premium-rate SMS messages from your phone

Tweet

Installing programs is one of the weakest places in mobile platforms, especially Android. Under iOS, you have to spend time fiddling around before you can install a program from anywhere other than App Store; however, Android allows users to do that by checking just one box in the settings. Once that's done, the system will check the digital signature of any installation package, and theoretically that should protect your device against malicious programs. But here's the snag: there are no Android certification centers, so anyone can create their own signature. Of course cybercriminals just sign off their own security confirmation and the installation goes ahead without a hitch when the user clicks 'OK'.

And many users do click 'OK'. After all, it's often easier than investigating everything about the app you're allowing onto your device.

Information security is usually far from the thoughts of a regular user. People love a bargain and find it hard to resist a free download of a useful program or a favorite game from some helpful-looking website. Often the application, once installed, will work as expected, except that money is drained from the phone's account at an alarming rate, and the user's credit card will soon get empty… Or, if users are invited to watch an exclusive video on an interesting site, perhaps they'd take a minute to update their Flash Players?

Fake Adobe Flash Player update page. Users are told to update an outdated version of Flash Player on their devices

Inexperienced users do not know that the update process for software on smartphones is different than on computers, so cybercriminals can trick them into installing anything under the guise of a useful upgrade.

Cybercriminals are extremely aggressive and astute when pursuing their targets: malicious applications are typically distributed in the form of various tempting software programs, games, porn clips or players for watching porn.

Where to find malware

Since users have to install malicious programs on their smartphones with their own hands, cybercriminals need to somehow entice them to a web resource where the malware is available. "Black SEO" is one of the methods used to do that. Black SEO is a type of search optimization that encourages search engines to display a link to the preferred malicious resource at the top of the search results. As soon as the site receives a top position in the search results, a harvest of unwitting users can be reaped.

A bored user types "Android games download" in a search engine and receives a link to web-site in the first or second line at the top of search results. That site may indeed contain games, but they come with some unpleasant extras. People tend to trust the sites from the top lines of search results. Users think that since thousands of people visit a web-site, it will also have the game or program they are looking for. Users do not think about security. That's a big mistake.

To bring the malicious site to the top of the search results, cybercriminals often use botnets: thousands of bots send search requests to Google and Yandex and visit the cybercriminals' site, boosting its ranking. Links to the cybercriminals' site are also published on all types of forums, bulletin boards, and in comments on news sites. The crawler bots of search engines find them there, so the rankings grow even faster.

Of course search engines try to stop this abuse of their services. They block hundreds of malicious sites. But that's not a big problem for cybercriminals: they keep creating and promoting new sites with the help of automatic tools.

SMS spam is yet another means of enticing users to sites containing malicious applications. It could be a simple, non-targeted mass-mailing of messages containing a link to the site: at least some of the recipients will follow the link. As soon as such program lands on somebody's smartphone, it will start to send SMS messages containing the malicious link to the owner's entire contact list. A message from a person you know raises few suspicions, especially if the text looks natural, so many do indeed follow the link they received, hoping to see some photos or jokes that their friend is sharing. But once opened, the site actually hosts malware samples from the cybercriminal.

Another method allows cybercriminals to exploit the popularity of legitimate resources. Cybercriminals hack popular online resources high visitor traffic, such as news sites, online stores, specialized portals. If the site's software contains known vulnerabilities, a code is embedded to the page and redirects the users to another site containing malware. If no vulnerabilities could be found, cybercriminals can still try to steal the site admin's credentials by using phishing and social engineering. If they succeed they can do anything to the site, including posting malware on the site itself.

Fake Android Market

In addition mobile malicious applications are distributed "almost honestly" – via app stores. This might be a legitimate program containing embedded malicious code; a specially created application which imitates some useful functionalities; or a bare-bones malicious program, with just a name and an icon as a camouflage.

Fake Google Play

Such programs are usually uploaded to unofficial app stores which either neglect security measures altogether or only take a cursory look at the content that gets published. However, there have been cases when dangerous programs got uploaded to official app stores – Google Play and even Apple App Store, which is historically more secure. Naturally, the manufacturers promptly clean their stores, but cybercriminals never sit on their hands either.

How cybercriminals make money

Once malware lands on your smartphone, it starts its mission of making money for its owner, naturally at your expense. A modern mobile device is a real goldmine for a cybercriminal; it only takes the appropriate mining skills.

Mobile malware: methods of making money

Expensive tricks

The least damaging money-spinner used by cybercriminals is obtrusive adware. It doesn't do much harm, but it doesn't take long for all those pop-up ads to get annoying. Getting rid of them is often more of a challenge: it takes quite an effort to find out which program is actually producing the banners. It could be Angry Birds HD, or it could be that something that has a name you cannot read aloud and masquerades as a system application.

There is also a curious category of fake apps that do nothing at all – neither good nor bad – but still cost good money. Some of these are clear dummies on offer in paid-apps sections of application stores, like a program that promises to make you rich but only displays an image of a diamond on the smartphone's screen. Others pretend to be useful applications, such as antivirus programs, and demand payments from the user for protection against Trojans that have supposedly overrun the device.

Money from your telephone

A classical method to make illegal money with mobile malware is to send SMS to premium-rate numbers. A Trojan running on your phone simply sends several premium-rate SMS messages and drains your account. Your phone service provider sends money from your account to the renter of the premium-rate number (the cybercriminal) without asking any questions, since premium-rate numbers are still a popular way to pay for different types of online services.

Another way to make money from the owners of infected smartphones is to steal their valuable data. There are tons of things of interest in your address book, SMS messages and email. At the very least, your address book can be used to replenish the spam databases, so your contacts will receive piles of ads and malicious links. Also, if you've ever sent or received web site administrator credentials and have not updated them since then, you can be sure that the cybercriminals will appreciate it and will adopt your site into the their malicious "family".

Smartphone or your wallet?

Ransomware Trojans for PCs are abundant. Recently, they've started emerging on mobile devices. The scam is simple: once installed on your mobile device, the Trojan displays a screen making threats and demanding a ransom. You can no longer work with your device. All you can do is to enter the special code that they promise to send you as soon as you pay them a specified amount of money.

Message displayed by this ransomware sample: "Your phone has been blocked for viewing banned porn (Pedophilia, Zoophilia)! All photo and video materials have been sent for further investigation. To unblock your phone and delete this material, you must pay a 1,000-ruble fine within 24 hours. To do this, top up number XXXX at the nearest payment kiosk. Warning! If the fine is not paid, all data will be made public"

It is impossible to delete the Trojan unless you hard reset the settings and the contents of the device's flash memory. For many the value of the data on the device makes it worth paying the ransom. However, the cybercriminals do not always send the unblock code even after the ransom is paid.

The key to your bank

However, none of the above scams are anything like as costly as this relatively new way of stealing from mobile device owners. In recent years mobile banking services have become increasingly popular. Every major bank has developed an app that allows clients to manage their money from their smartphone or, at the very least, use SMS banking services.

Mobile banking #malware threats increased since 2013 - from less than 100 to 13,000 by Oct. 2014

Tweet

Suddenly many smartphones are the key to bank accounts – often to several accounts at the same time. This offers many opportunities to make illegal profits – and promises greater rewards than the traditional SMS and ransomware scams of old. Not surprisingly, cybercriminals have been quick to embrace this new opportunity.

The statistics clearly show how much interest mobile virus writers have in users' bank accounts. At the start of 2013, there were less than a hundred Trojan bankers in Kaspersky Lab's collection; at the October 2014, there are more than 13,000 of them.

The number of detected banking malware programs

Banking Trojans are enjoying a surge in popularity all over the world but Russia is facing the brunt of this boom. Russia is a place where malware writers test-run their creations before using them in other countries.

Geography of mobile banking threats. January – October 2014
(Number of attempted installations of banking Trojans)

For cybercriminals, SMS banking is the easiest path to other people's money. It doesn't even require new tools – existing SMS Trojans work just fine. Banks often assume the client's phone is a trusted environment and follow SMS instructions without query.. Clients can send money from their bank accounts to their own or somebody else's mobile phone account. Using that feature, the cybercriminals send an appropriate SMS and send money from the victim to their phone number. After that it is easy to withdraw the money using advanced mobile payment systems.

Quite often, banking Trojans work in partnership with computer Trojans; Faketoken is one example. When the user's computer is infected with a banking Trojan it waits until they visit their online banking account. Then the malware program becomes active and displays a window to the user, asking them to download an Android application which is allegedly required to securely confirm the transaction. Gullible users obediently install Faketoken on their smartphones. After that it is only a matter of time: the malware on the computer steals the credentials, and the cybercriminals gain access to the user's banking account. They make a transaction and Faketoken intercepts the one-time confirmation code (mTAN) sent by the bank in an SMS. In the end some Vasily P. collects a hefty sum of money divested from the user's account, and cashes it immediately at an ATM. We saw this piece of malware attacking users in 55 countries, including Germany, Sweden, France, Italy, the UK and the USA.

A third method is to use independent mobile banking Trojans which can masquerade as a mobile banking applications or simply spoof the banking application's interface. The Trojan gets hold of the users' credentials and sends the information to its C&C server. The cybercriminal uses the intercepted data to make a transaction. Svpeng is a good example of this tactic. This mobile Trojan opens a window on top of a legitimate application window, imitating the banking applications of the largest Russian and Ukrainian banks.

Phishing window imitating the bank's own application

Using these programs, cybercriminals can strip you of all your savings in an instant, drain your accounts and close your deposits. They can also put you in debt by running up your entire available credit.

Don't dig a hole for yourself

The proportion of malicious applications among all applications installed by users varies from country to country. Here are the figures for some countries for January – October 2014 (according to Kaspersky Security Network data):

Vietnam 2.34% Switzerland 0.36% Poland 1.88% India 0.34% Chezh 1.02% Canada 0.23% France 0.84% Germany 0.18% Belgium 0.74% Brazil 0.17% China 0.73% Italy 0.09% Ukraine 0.70% Austria 0.07% Russia 0.69% USA 0.07% Mexico 0.62% Hong Kong 0.05% Spain 0.54% New Zeland 0.05% Belarus 0.50% Norway 0.04% Iran 0.38% Japan 0.01%

The fact is it's fairly easy to protect yourself against all these sophisticated mobile threats. Mobile platform developers have taken good care of security and the user is often the weakest link in the security chain. This is good and bad at the same time. It's a problem because many users don't pay much attention to their security. But the plus side is that you only need to follow a few simple recommendations to safeguard yourself against all the above threats.

We recommend that you follow the following simple rules.

  • Do not jailbreak / root your smartphone. While it will give you extra opportunities on your phone, it will also give the green light to cybercriminals.
  • On an Android phone, disable the option of installing software from untrusted sources.
  • Install a mobile security product on your phone. It will analyze all applications before installation.
  • Try not to follow any links arriving in SMS, even if they come from people you know.
  • If you do follow a link in an SMS, do not accept any downloads or installations.
  • Only updates your applications with downloads from official stores, not third-party sites.

Pages

Subscribe to RIT Information Security aggregator