Malware RSS Feed

Microsoft Updates September 2014 - APT Loses a Trick, Reminiscing Stuxnet EoP

Malware Alerts - Wed, 09/10/2014 - 21:54

Microsoft released four security bulletins this month addressing a total of 42 vulnerabilities in Internet Explorer (MS14-052), .NET (MS14-053), the Windows task scheduler (MS14-054), and several issues in Windows Lync Server (MS14-055). I counted a total of 37 CVEs set aside for Internet Explorer, with the other five for the three remaining products.

Most interesting is the XMLDOM vulnerability (CVE-2013-7331), a vulnerability that has been publicly discussed since at least April 25, 2013. The PoC was re-purposed and abused in the VFW watering hole attack by the APT otherwise known as Aurora Panda or "the DeputyDog actor". The crew is highly advanced and effective in technique and operation, over time deploying multiple 0day to meet their heavy offensive needs. Their xmldom trick likely helped to delay discovery of their IE 0day and presence on the compromised VFW server. "The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit". Microsoft rated this vulnerability patch "important" across OS versions, while the other privately disclosed IE vulnerabilities are rated "critical".

The other 36 Internet Explorer memory corruption vulnerabilities are all over the board as far as exploitability per platform, but they all enable remote code execution. It's most interesting that the patches for Internet Explorer v10 and v11 on supported Windows 8.1 are rated Critical RCE.

Also this month is a task scheduler escalation of privilege vulnerability reminiscent of one of the Stuxnet 0day that Kaspersky Lab researchers reported back in 2010 and that was later deployed by the Tdss gang. An update to an advisory also went out to deal with post-exploitation lateral movement. This time the patched issue is not related to older pass-the-hash issues, but to a Kerberos ticket grant delay. The logon credential cleanup package can be downloaded here.

More can be read about September 2014 Microsoft Security Bulletins here.

CTIA's Super Mobility Week 2014

Malware Alerts - Wed, 09/10/2014 - 15:31

The world's largest mobile innovation forum, "Super Mobility Week", is being held in Las Vegas. We were there to participate in and moderate a panel on mobile and cloud cyber-security with speakers from Verizon, Samsung, and Ericsson Mobile.

The event maintains an impressive vendor floor and multiple stages for discussions and panels throughout the days. The floor hosts vendors presenting their newest products, including wearables and other IoT. The afternoon keynotes yesterday brought a switch from the planned Twitter's CEO to their "President of Global Revenue" Mark Bain, who spoke about both their technology push onto wearables and IoT, and a glimpse into their data mining capabilities derived from their Gnip acquisition. It's notable that he didn't mention anything about security or privacy. Two factor authentication is ancient history for them, while Apple and their customers unfortunately continue to learn the hard way that some inconvenience is a small tradeoff for privacy and security.

Microsoft also keynoted, bringing their EVP of Devices Group onstage to discuss their push into mobile to cloud technologies with Nokia devices and "Cloud OS". Again, no mention of security baked into these technologies, although we haven't seen any recent naked celebrity photo theft from the Microsoft cloud.

My panel's discussion weaved mainly in and out of enterprise wide security challenges to BYOD and cloud adoption, along with recent and relevant threats that we noted:

1. The recent Apple iCloud mess revealed several things

  • Apple provided password and knowledge based authentication services that enabled social engineering and brute force attacks and dismissed 2FA (until now). On cloud service authentication security, Apple "led from behind"
  • Apple's cloud security enabled brute forcing of both AppleIDs and iCloud passwords

2. Mobile malware volumes continue to surge - our mobile malware collection now includes almost half a million samples. Digging deeper, in 2013, we saw around 600 mobile banking trojans and now our malware collection maintains around 8,500 banker variants specifically supporting financial cybercrime.

3. Wi-Fi and SSL insecurities, as implemented in and used by mobile technologies, are on the increase and will likely continue to be.

4. Targeted attackers express interest in an expanded set of technologies, including various mobile devices by the Rocra, LuckyCat and Chuli attackers.

The event lasts from September 9th to the 11th.

The world at your fingertips… and theirs too

Malware Alerts - Wed, 09/10/2014 - 07:00

Technology has changed our lives, the way we live and work. With the emergence of wearables, the convergence between the virtual and the physical world makes people feel more natural using technology all the time. Google Glass is one of the most amazing wearable devices and although it is still at an early stage of development, it is undeniable that you can do awesome things and experience the world in a different way with them.

With out-of-the-box functionality, you can search the internet, take pictures or videos, check mail, send messages to Hangouts contacts, or publish information to Google+. What truly excites us are foreseeable uses in fields like medicine or education. The device could become indispensable by helping surgeons check patient vital signs or video broadcasting their surgeries to other specialists. Similarly, we can foresee novel means of transmitting knowledge to students in interactive ways. Perhaps we can even imagine enhancements to law enforcement by enabling immediate recognition of wanted criminals.

Unfortunately, the emergence of new technologies also entails new security risks. There are in fact many concerns about potential risks to privacy and ways in which these new devices could be compromised. Cybercriminals don't rest and are always looking for new ways to obtain gains from their victims; whenever they see an opportunity they will work day and night to achieve this objective.

New Technologies, Old Risks.

New and existing devices have many things in common: they use the same protocols and are interconnected with other devices using similar applications. There is no way around this. Traditional attack vectors are mainly against the network layer in the form of Man-in-The-Middle (MiTM), the exploitation of some vulnerability in the operating system, or the applications themselves. Being based on Android, Glass could inherit known vulnerabilities found in other devices with the same OS.

There are two ways to surf the Web from Google Glass: through Bluetooth pairing to a mobile device that shares its data network connection, or directly through Wi-Fi with prior configuration of the network via a MyGlass account or mobile app generated QR code.

The procedure to add a network is pretty simple: by adding a network name and password a QR code is generated containing connection settings which when looked at through Glass establishes an automatic connection to the network.

Last year, the security firm Lookout published a vulnerability related to this procedure that would mislead a user into connecting to a fake access point through a malicious QR code, thus allowing a potential attacker to hijack network communications and possibly redirect navigation to a malicious web page that could exploit a known Android web vulnerability. This vulnerability was patched but gave us a clear sense that attackers could discover ways to compromise these new devices.

A source of potential risks is that unlike a computer or a mobile device, the Glass interface is navigated through 'cards' to scroll through the different applications and settings thus limiting configuration options and in some cases automating certain procedures and functions with little input from the user, as in the case of connecting to a network or sharing information. This automation opens the door for exploitation by attackers and the compromise of user privacy.

Another threat avenue is the propensity for users to activate 'debug mode' in order to install applications outside of the official glassware ecosystem thus raising the risk of installing malicious applications.

This opens the possibility of new attacks using old methods such as social engineering through the use of the magic words: "free" and "sex". Although not all apps advertised this way are malicious, the terms stand as a hook for users in search of new experiences, willing to step out of the comfort zone pre-arranged by the manufacturer.

One simple test

As mentioned earlier, a feature distinguishing Glass from other wearables is the ability to navigate the internet directly via a Wi-Fi connection, rather than exclusively piggybacking off of a paired mobile device. However, this ability also means that the device is exposed to network attack vectors, particularly MiTM.

Imagine this scenario: you are at your favorite coffee shop and decide to connect to the Wi-Fi network using Glass. You set up the network and are off to check in on Foursquare, launch an app to recognize the song playing in the background and fetch the lyrics. But what if in this network someone is using a tool to poison the other devices into redirecting traffic towards a router IP address, thus capturing all of the network traffic?

We tested by doing just that in a controlled laboratory network. Once the network was compromised, we did some searches on Google, standard site browsing, sent pictures and messages to some of our contacts, and even read the news.

Once we captured enough traffic to analyze, we found that almost all the traffic remained encrypted after the network was compromised, especially the Google searches. However, we found enough information in plain text to correlate and piece together the user's navigation to airlines, hotels, and tourist destination sites and how and where the device was connected. Nothing too sensitive, but in some cases useful when carrying out a profiling job.

In the end, as with any other device, security must be visualized in layers and we need to protect every layer to reduce the risk of compromise. In this case, the network layer could be exposed since the device can connect to public networks but lacks the option for VPN connections, thus ensuring traffic can be captured and analyzed.

In coming months, we'll see wearable devices becoming the next attack targets, highlighting the need to pay special attention to these devices, their capabilities, and the information they handle.

You can also follow me on twitter @r0bertmart1nez

Wearable Security: Present and Future

Malware Alerts - Wed, 09/10/2014 - 07:00

Now that the Internet of Things is all the rage, I wanted to take a look at a trend in IoT that I find particularly exciting and that's wearable devices. In theory, wearables could present us with a paradigm shift in the manner in which users interact with technology, moving us away from the old mouse and keyboard combo, and possibly even the touchscreen. For now, we are not quite there and science fiction superlatives are premature. At this time, wearables are in simplest terms appendages of our mobile phones. They're meant to more conveniently convey notifications, collect heartbeat measurements, and throw an alternate camera angle into the selfie-filled mix. Though wearables are still in their infancy, rising adoption highlights the need for a discussion about the concerns that could accompany these new technologies. Let's attempt to carry out this discussion in two modes: current privacy issues and future overall security concerns.

With Creepy Enthusiasm

Sadly technology isn't always used in the benevolently child-like way we intend; gone are the days of look-what-I-can-do wonderment.

Source: http://www.killyourdarlingsjournal.com/wp/wp-content/uploads/2014/01/1963-jetsons-flintstones.jpeg

Instead, we see users adapting technologies old and new to satisfy base desires. A recent twitter-storm documented by Gawker showed just that, as a Chinese Glass Explorer was found using his new device to upload unsolicited pictures of women in public places to his twitter account. His actions fit into a reprehensible internet subculture of fetishizing 'creepshots' that has caused great uproar. Unfortunately, the principal design tenets of wearables have the unintended corollary of making perfect devices for this community of perverts.

With an unassuming device and a nearly undetectable camera, a wearable can be used as a predatory tool for violating the privacy of unsuspecting bystanders. During our Latin American Security Analysts Summit, Roberto Martinez and I took up the mantle of predatory wearable users, taking candid pictures of our guests to display during our presentation. I'm disappointed to say it was incredibly easy to get away with. In the case of Roberto's Glass, the wink feature (which allows the user to take a picture by simply winking in the direction of the target) was indispensable to our experiment. In my case, I had a Galaxy Gear 2 which Samsung had cautiously programmed to accompany pictures with a loud noise in order to alert nearby targets.

However, creepers will not be easily deterred! And a solution was swiftly proffered in the form of rooting and a handful of commands. Most people are familiar with the notion of rooting or jailbreaking a device these days. It is often touted as a means of retaking control of your device, away from the clutches of evil limiting corporations! In the case of the Gear 2, the uses of rooting are anything but benevolent. Rather than unleashing homebrew development creativity, the sole use of rooting the Gear 2 that I've been able to spot is to disable the moderately loud sound the device emits to notify passersby that they are in fact being photographed.

On more specific terms, the process includes the use of a leaked internal Samsung tool called ODIN in order to flash an alternate ROM onto the device that comes with root privileges enabled. Root privileges are not required in order to install applications themselves but will be necessary in order to mount the otherwise inaccessible filesystem. Once mounted, the creeper needs only zero-in on the folders that contain the camera notification sound files and move them elsewhere for safe-keeping. Thus, when a picture is being taken, the camera application will look for these files in vain and continue to take the picture sans shutter sound. Since the camera is quite discreetly placed, lacks a flash, and shows no other outward indication that a picture is being taken, this sound is a crucial privacy feature in the device's design.

With the Tizen Smart Developer Bridge (reminiscent of the Android Developer Bridge) in hand, semi-proficient users can also sideload applications in wgt format onto the device. In the case of video recordings, an altered camera app can be sideloaded that includes a single modified line within the package thus eliminating the pre-imposed limitation on video recording from a few seconds to as much as the cramped storage will allow. These two modifications allow a perverted user to turn the otherwise benevolent smartwatch into a rather creepy device.

The Less-Scrutinized Link in the Mobile Security Chain

An interesting implication arises from being able to sideload modified applications onto the device with such ease. Though Tizen applications are meant to go through a rigorous testing process, this process occurs on the side of the controlling device – in this case, the Galaxy S5 loaded with the Gear Manager app paired to the smartwatch. When an application is installed on the device through the Gear Manager app via bluetooth, there are no indications or notifications on the smartwatch that a new application has been installed. This goes to stress the perils of the simplified interfaces on most wearable devices and thus the importance of maintaining the integrity of the controlling mobile device. With Android being a primary target for mobile attackers, rising consumer interest in wearables is bound to be met by rising attacker interest in these devices as well, which brings us to the prospective side of our discussion…

Laymen cybercriminals are not the only ones interested in our devices. Sophisticated actors have a distinct interest in infecting mobile devices as these become the gateway for intimate information about individual targets not commonly found on corporate networks. Though I would in no way claim that wearables are being targeted by these actors at this time, there is a twofold appeal presented by wearables that makes them a likely future target if widely adopted by consumers:

  • Firstly, the information wearable devices gather is going to attract new corporate players to the cyberespionage scene. If wearables are adopted by a large enough crowd, insurance companies interested in tweaking and improving their risk mitigation formulae will be jonesing to get their hands on the aggregated vital signs and unadulterated exercise details of their clients. This information could translate into real money for these companies and that sort of financial incentive is often enough to encourage less than ethical means of information gathering.
  • Secondly, we need to be wary and adopt a holistic approach towards the security of a chain of devices paired for data sharing. When it comes to a home or office network, securing endpoints isn't enough. Any device on the network, even if it's a printer or a seemingly harmless network storage device, can represent an entry point or means of persistence for an attacker. The same occurs with mobile devices and their less sophisticated accessories.

In an espionage campaign, breaching the security of a mobile device is only the beginning. Oftentimes, valuable information will become available with long-term access to the device as the unsuspecting target goes on about their everyday dealings. Given that security solutions are already deployed on mobile platforms, less sophisticated appendages such as wearables connected to mobile devices could become particularly interesting to advanced threat actors looking for a means of persistence with a lower probability of detection. In this case, resilience and discreet execution are gold standards, and what is more discreet than operating within a device whose simplified interface and inaccessible filesystem essentially ensure that the breach will never be detected by even the most competent users?

Outsmart hoax e-mail

SANS Tip-of-the-Day - Wed, 09/10/2014 - 00:35

Gaps in corporate network security: ad networks

Malware Alerts - Fri, 09/05/2014 - 09:42

'Malvertising' is a relatively new term for a technique used to distribute malware via advertising networks, which have long since become a popular medium among cybercriminals. In the past four years, hundreds of millions of users have fallen victim to 'viral' advertising, including visitors to major media sites, such as NY Times, London Stock Exchange, Spotify, USNews, TheOnion, Yahoo!, and YouTube. The complicated situation with ad networks even prompted the United States Senate Permanent Subcommittee on Investigations to conduct an in-depth inquiry, which produced recommendations on stepping up security and increasing the responsibilities of advertising platform owners.

At the turn of the year 2.5 million Yahoo users were attacked. Soon after the incident, a company called Fox IT published a detailed analysis of the attack. Curiously, according to Fox IT, not all Yahoo! users were affected by the attack – only residents of European countries, primarily Romania, the UK and France. Fox IT analysts believe that the attackers probably used targeted advertising mechanisms, i.e., they paid for 'impressions' served to a certain audience from the countries mentioned above. Here is an illustration of how attacks are conducted via ad networks: an overall attack organization diagram (on the left-hand side) and a specific example of the attack against Yahoo! users (on the right-hand side).

In the past, we have written about targeted attacks conducted via trusted websites (so-called watering-hole attacks) and social engineering on social networks and in IM clients. Specifically, we wrote that a cybercriminal has to do two things in order to implement a watering-hole attack: first, compromise a trusted website and second, surreptitiously inject malicious scripts into the site's code. Successful attacks via social networks or IM clients also make certain demands of cybercriminals – at the very least, to win the users' trust and increase the chances of them clicking on links sent by the attackers.

What sets attacks via ad networks apart is that in these attacks the cybercriminals do not have to compromise websites or gain the trust of potential victims. All they have to do is find an ad provider from which to buy 'impressions' or become a provider themselves (like BadNews). The remaining work, related to distributing malicious code, will be done by the ad network – the trusted site itself will download malicious scripts to its page via iframe.

Moreover, users don't even have to click on the ads – as part of its attempt to display a banner on the web page, the browser executes the banner's SWF/JS code, which automatically redirects the user to a site hosting the landing page of a popular exploit pack, such as Blackhole. A drive-by attack will follow: the exploit pack will attempt to choose an appropriate exploit to attack a vulnerability in the browser or its plugins.

The problem of ad networks being used to distribute malware and conduct targeted attacks (taking advantage of their targeted advertising capabilities) does not only affect those who use browsers to access websites. It also applies to users of applications that can display adverts, such as IM clients (including Skype), email clients (Yahoo! included), etc. And, most importantly, the problem affects the huge number of mobile app users, since these apps also connect to ad networks!

Essentially, mobile applications are different in that the SDKs commonly used for embedding adverts into apps (such as AdMob, Adwhirl etc.) do not support the execution of arbitrary code supplied by ad providers, as is the case with website advertising. In other words, only static data is accepted from the server supplying ads, including images, links, settings etc. However, cybercriminals can also create SDKs, just like media companies. The former offer developers higher per-click rates than their legitimate competitors. This is why developers of legitimate mobile software embed malicious 'advertising' code – essentially backdoors – into their apps. Moreover, legitimate SDKs may have vulnerabilities enabling the execution of arbitrary code. Two such cases were identified late last year – one involving the HomeBase SDK, the other involving AppLovin SDK.

Source: http://researchcenter.paloaltonetworks.com

The question "How should a corporate network be protected against attacks conducted via ad networks?" does not have a simple answer, particularly if you keep in mind possible targeted attacks. As we mentioned before, protection needs to cover not only workstations (browsers, IM clients, email clients and other applications that have dynamic advertising built into them), but also mobile devices that can access the corporate network.

Clearly, protecting workstations requires at least a Security Suite class anti-malware solution, which must include:

  • protection against vulnerability exploitation;
  • advanced HIPS with access restriction features, as well as heuristic and behavioral analysis (including traffic analysis);
  • tools for monitoring the operating system (System Watcher or Hypervisor) in case the system does get infected.

For more reliable protection of workstations, it is prudent to use application control technology, collect statistics (inventory) on the software used on the network, set up updating mechanisms and enable Default Deny mode.

Unfortunately, compared to the protection of workstations, mobile device protection is still in the early stages of evolution. It is extremely difficult to implement a full-scale Security Suite or Application Control solution for mobile devices, since that would require modifying firmware, which is not always possible. This is why Mobile Device Management (MDM) technology is currently the only effective tool for protecting mobile devices that connect to the corporate network. The technology can control which applications are allowed to be installed on a device and which are not.

Cybercriminals have used ad networks to distribute malware for years. At the same time, the advertising market is rapidly growing, branching out into new platforms (large websites, popular applications, mobile devices), attracting new advertisers, partners, intermediaries and aggregators, which are intertwined into an extremely tangled network. The ad network problem is one more example showing that rapid technology development is not always accompanied by the corresponding evolution of security technologies.

Protecting yourself against the celebrity iCloud hackers

Malware Alerts - Wed, 09/03/2014 - 15:51

The biggest security news of the week is the leaked photos of many celebrities. Many people, especially the involved celebrities, wondered how such a hack could take place.

The initial statement by the attacker was that the iCloud was hacked. This prompted Apple into their we-do-not-really-comment-until-we-have-done-our-research mode. Today, they released a statement on the incident:

https://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html

For me the most interesting quote is: “accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”

Apple is thus well aware of the problems that arise with these forms of authentication. The more interesting is their advice: strong passwords and two-step-verification.

Strong passwords are, according to Apple, passwords with a minimum of 8 characters, with some additional requirements. Interestingly enough, they do not enforce all of their suggestions. A password such as “Password1” is acceptable, even though it can be easily guessed.
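The gap described above, as an added example that is not part of the original post: a composition-only policy accepts “Password1”, while a check that first strips common decorations rejects it. The composition rules (8+ characters, upper case, lower case, digit) are an assumption standing in for the "additional requirements", and the denylist is a small constructed sample.

```python
import re

# Constructed mini denylist for the demo; a real check would load a large
# list of breached or commonly used passwords.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "iloveyou"}

# Character substitutions people commonly apply to dictionary words.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_composition_rules(password):
    """Assumed composition policy: 8+ characters, upper, lower and a digit."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None)


def base_word(password):
    """Strip the usual decorations: case, trailing digits/symbols, leetspeak."""
    undecorated = re.sub(r"[\d\W_]+$", "", password.lower())
    return undecorated.translate(LEET)


def evaluate(password):
    """Return the policy decision for one candidate password."""
    if not meets_composition_rules(password):
        return "rejected: composition rules"
    if base_word(password) in COMMON_BASE_WORDS:
        return "rejected: common password with decorations"
    return "accepted"


if __name__ == "__main__":
    # Constructed candidates; the last one is a phrase with spaces,
    # a number and a special character.
    for candidate in ("password", "Password1", "P@ssw0rd2014",
                      "Minha gata come 3 meias!"):
        print(f"{candidate!r:30} composition_ok="
              f"{meets_composition_rules(candidate)!s:5} -> {evaluate(candidate)}")
```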

Their other advice, using two-factor-authentication is somewhat flawed. For instance, it does not protect your iCloud backups (see this post). Also, two-step-verification is not available in every country. If you use, for example, a Romanian or a Croatian telephone number, then bad luck. Considering that Google offers two factor authentication for such countries as well, one might wonder why Apple didn’t implement it as well. Could it be the cost of the SMSes?

So how to protect yourself properly? My colleague Alex Savitsky wrote an excellent article about this.

To summarize:

  • Use strong and unique passwords that are easy to remember and hard to crack (for instance, a phrase in your native language with “spaces” in it, a number and a special char)
  • If available in your country, enable two-factor authentication
  • iPhone users may want to disable iCloud photo Stream / photo Sharing. Additionally iPhone users may want to delete the backup of their photos / iPhone in the iCloud.

Photo courtesy of my colleague Dmitry Bestuzhev – https://twitter.com/dimitribest/status/506820178320322560

And remember – if you don’t want your private photos to get leaked, better not take them in the first place!

Web-based attack targeting home routers, the Brazilian way

Malware Alerts - Tue, 09/02/2014 - 14:53

We spotted an interesting attack from Brazilian bad guys aiming to change the DNS settings of home routers by using a web-based attack, some social engineering, and malicious websites. In these attacks the malicious DNS servers configured in the user's network device are pointed towards phishing pages of Brazilian Banks, programmed to steal financial credentials.

Attacks targeting home routers aren't new at all; in 2011, my colleague Marta described malware targeting network devices like these. In Brazil we documented a long and painful series of remote attacks that started in 2011-2012 that affected more than 4.5 million DSL modems, exploiting a remote vulnerability and changing DNS configurations. But this "web-based" approach was something new to Brazilian bad guys until now and we believe it will spread quickly amongst them as the number of victims increases.

The attack starts with a malicious e-mail and a bit of social engineering, inviting you to click:

"I'm your friend and want to tell you you're being cheated, look at the pics"

How many people believe in it? Well, many: 3.300 clicks in 3 days, with most of the users located in Brazil, US and China, probably Brazilians living there or people that understand Portuguese:

Shortened URLs are a cheap way for the bad guys to measure their 'performance'

The website linked in the message is full of adult content and porn pics, while in the background it starts running scripts. Depending on your configuration, at some point the website may ask for the username and password of your wireless access point – if it does, this is a good thing. If not, this may be a problem for you.

The script located in the website will try to guess the password of your home router. It tries several combinations such as "admin:admin", "root:root" or "admin:gvt12345" (GVT is a big Brazilian ISP).

The scripts will continue trying combinations that point to the control panel of your network device such as [your-router-IP].rebootinfo.cgi or [your-router-IP].dnscfg.cgi?. Each script includes the commands to change the primary and secondary DNS servers. If you're using default credentials in your home router, there won't be any interaction and you'll never realize that the attack has occurred. If you're not using default credentials, then the website will pop up a prompt asking you to enter them manually.

We found Brazilian bad guys actively using 5 domains and 9 DNS servers – all of them hosting phishing pages for the biggest Brazilian Banks. The malicious websites used in the attacks are filtering direct access by using HTTP referrers, thus aiming to prevent direct access from security analysts.

So how do you protect yourself? Make sure you're not using the default password in your home router and NEVER enter your credentials into any website asking for them. Our Kaspersky Internet Security is also prepared to block such scripts automatically.
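A detection sketch for the behaviour described above, as an added example that is not part of the original post: it scans HTTP request records for pages on public sites that trigger requests to the router endpoints named in the article on a local address. The record format ("referrer URL"), the host names, the `dns1`/`dns2` parameter names and the addresses are all constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Router admin endpoints named in the article.
ROUTER_ENDPOINTS = ("dnscfg.cgi", "rebootinfo.cgi")

# Address ranges where a home router's control panel normally lives.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records: "<referrer> <requested URL>" ("-" = no referrer).
# Hosts, parameter names and addresses are invented for this example.
SAMPLE_LOG = """\
http://news.example/ http://cdn.example/banner.js
http://pics.example/album http://admin:admin@192.168.1.1/dnscfg.cgi?dns1=203.0.113.10&dns2=203.0.113.11
http://pics.example/album http://192.168.1.1/rebootinfo.cgi
http://192.168.1.1/index.html http://192.168.1.1/dnscfg.cgi?dns1=192.168.1.1
- http://10.0.0.138/status.html
"""


def parse_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_local(host):
    ip = parse_ip(host or "")
    return ip is not None and any(ip in net for net in LOCAL_NETS)


def analyse(referrer, url):
    """Flag a router admin request on a local IP that a public page triggered."""
    target = urlsplit(url)
    endpoint = target.path.rsplit("/", 1)[-1]
    if not is_local(target.hostname) or endpoint not in ROUTER_ENDPOINTS:
        return None
    ref_host = urlsplit(referrer).hostname  # None when the referrer is "-"
    if ref_host is None or is_local(ref_host):
        return None  # typed by the user or issued from the router's own pages
    # Any non-local IP passed as a parameter is a candidate rogue DNS server.
    new_dns = [value for _, value in parse_qsl(target.query)
               if parse_ip(value) is not None and not is_local(value)]
    return {
        "referrer": ref_host,
        "router": target.hostname,
        "endpoint": endpoint,
        "embedded_credentials": target.username is not None,
        "new_dns": new_dns,
    }


def find_router_tampering(log_text):
    findings = []
    for line in log_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue  # skip blank or malformed records
        finding = analyse(fields[0], fields[1].strip())
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for hit in find_router_tampering(SAMPLE_LOG):
        print(hit)
```

Any address reported in `new_dns` should be compared with the DNS servers the ISP actually assigns before the router is trusted again.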


Know your IMEI?

SANS Tip-of-the-Day - Mon, 09/01/2014 - 22:49

Internet predators

Malware Alerts - Mon, 09/01/2014 - 06:30

Anyone using the Internet is at risk, regardless of age and regardless of what they like to do online. Cybercriminals can deploy an impressive arsenal, targeting everyone from schoolchildren to pensioners and following them whether they are logged on to social networks, checking the latest headlines or watching their favorite videos. Internet scammers want access to our money, our personal data and the resources of our computer systems. In short, they want anything that they can profit from.

There is a huge range of different attacks facing us on the net: users can get caught by ransomware like Gimeno or Foreign, become part of the Andromeda botnet, see ZeuS/Zbot drain the cash from their bank accounts, or have their passwords compromised by Fareit spyware. Usually web attacks try to download and install an infected executable file on the target computer, but there are some exceptions, for instance XSS or CSRF, which execute embedded HTML code.

Attack mechanism

For an attack to succeed, first of all users need to connect to a malicious site that downloads an executable file onto their computers. To tempt users to the resource, scammers might send them a link by email, SMS or via a social network. They might also try to promote their site via search engines. One further technique is to hack a popular legitimate resource and turn it into an instrument to attack its visitors.

Downloading and installing malware can be done in one of two ways. The first, a hidden drive-by download, relies on using a vulnerability in the user's software. The user of the infected site is often completely unaware that the computer is installing the malware, as usually there are no indications that this is happening.

The second method uses social engineering, where users are tricked into downloading and installing malware themselves, believing it is an updated flash player or some similar popular software.

Diagram of Internet attacks showing how executable malware files can be downloaded

Malicious links and banners

The simplest way to lure victims to malicious sites is simply to display an attractive banner with a link. As a rule sites with illegal content, pornography, unlicensed software, films etc. are used as a host. Such sites can work "honestly" for a long time to build up an audience before they start hosting banners with links to malicious resources.

One popular infection method is malvertising, or redirecting the user to a malicious site with the help of hidden banners. Dubious banner networks attract site administrators with high payments for 'click-throughs' on their ads and frequently earn money "on-the-side" by spreading malware.

When users enter the site displaying these banners, a so-called "pop-under" opens in the victim's browser. This is similar to a pop-up window, but it appears either under the main window of the site, or on an otherwise inactive neighboring tab. The contents of these "pop-unders" often depend on the location of the visitor to the site - the inhabitants of different countries are redirected to different resources. The visitors of one country might simply be shown an advert, for example…

Site sends American visitors to the resource watchmygf[]net

Site sends Russian visitors to the resource runetki[]tv

…whereas visitors from other countries will be attacked by exploit packs.

An inhabitant of Japan is attacked by an exploit and infected with the Zbot spyware Trojan

On occasion these malicious banners can even penetrate into honest banner networks, despite careful scrutiny by administrators. Cases like this have affected the Yahoo Advertising banner network and even YouTube.

Spam

Spam is one of the most popular means of attracting victims to malicious resources. It includes messages sent by email, SMS and instant communications systems, via social networks, private messages on forums and comments in blogs.

A dangerous message might contain a malicious file or a link to an infected site. To encourage the user to click on a link or a file, social engineering is used, for example:

  • the name of a real organization or person is used as the sender's name,
  • the letter pretends to be part of a legitimate mailshot or even a personal communication,
  • the file is presented as a useful program or document.

During targeted attacks, when cybercriminals specifically attack a certain organization, the malicious letter might mimic a letter from a regular correspondent: the return address, content and signature could be the same as a genuine letter, for example from a partner of the company. By opening the attached document with a name like "invoice.docx" users put their computers at risk of infection.

Black Search Engine Optimization

SEO or Search Engine Optimization is a collection of techniques to raise the position of a site in the results given by search engines. Modern users often go to search engines to find necessary information or services, so the easier it is to find a given site the more visitors it will get.

In addition to legitimate methods of optimization, those that are permissible in the eyes of the search engines, there are forbidden techniques that fool search engines. A site might "promote itself" with the help of a botnet - thousands of bots make certain search requests and select the malicious site, raising its rating. The site itself may adopt a different appearance depending on who has entered it: if it is a search robot it will be shown a page relevant to the request, if it is a normal user it will be redirected to a malicious site.

Links to the site are also distributed, using special utilities, on forums and other sites known to search engines, which raises the rating of the site and, consequently, its position in search results.

As a rule, sites that use black search optimization are actively blocked by search engine administrators. For this reason they are created by the hundred using automatic instruments.

Infected legitimate sites

Sometimes cybercriminals infect popular legitimate sites in order to spread their programs. These might be high-traffic news resources, internet shops or portals and news aggregators.

There are two common ways to infect sites. If a software vulnerability was detected on the target site, malicious code can be inserted (for instance an SQL injection). In other cases the malefactors obtain authentication data from the site administrator's computer using one of the many Trojan spyware programs or using phishing and social engineering and seize control of the site. Once under the control of the criminals, the site can be infected in one way or another. The simplest approach is to use a hidden iframe tag with a link to the malicious resource added to the HTML code of the page.

Kaspersky Lab registers thousands of legitimate sites every day that download malicious code to their visitors without them being aware of it. Among the most prominent cases were the Lurk Trojan found on the site of the RIA Novosti news agency and gazeta.ru and the infection of PHP.Net.

Visitors to an infected site are attacked with the use of hidden drive-by-downloads. The infection goes unnoticed by the users and does not require them to download or activate anything. An exploit, or set of exploits, is automatically downloaded from the page and, if the targeted machine has vulnerable software, a malicious executable is launched.
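A defender-side check for the hidden iframe technique described above, as an added example that is not code from the original article: it scans a page's HTML for iframes that are rendered invisibly and load from a host other than the site's own. The sample markup, the hostnames and the hiding heuristics are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make a frame effectively invisible (assumed heuristics).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}", re.I)

class HiddenIframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (host, line number, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = [f"{dim}={a[dim]}" for dim in ("width", "height")
                   if a.get(dim, "").strip() in ("0", "1")]
        if HIDING_STYLE.search(a.get("style", "")):
            reasons.append("hiding style")
        if "hidden" in a:
            reasons.append("hidden attribute")
        # urlparse also handles scheme-relative URLs such as //host/path.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        foreign = (bool(host) and host != self.site_host
                   and not host.endswith("." + self.site_host))
        if reasons and foreign:  # invisible AND loaded from another host
            self.findings.append((host, self.getpos()[0], reasons))

def find_hidden_iframes(html, site_host):
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page for the site "news.example".
SAMPLE = """<html><body>
<h1>News</h1>
<iframe src="https://video.news.example/player" width="640" height="360"></iframe>
<iframe src="http://landing.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="//ads.partner.example/slot" width="300" height="250"></iframe>
<iframe src="http://gate.invalid/go" style="position:absolute; left:-9999px"></iframe>
</body></html>"""
if __name__ == "__main__":
    for host, line, reasons in find_hidden_iframes(SAMPLE, "news.example"):
        print(f"line {line}: hidden iframe -> {host} ({', '.join(reasons)})")
```

Hits are leads for manual review rather than verdicts, since some legitimate widgets also use tiny or off-screen frames.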

Exploit packs

The most effective tool to infect a victim's computer is an exploit pack, such as Blackhole. These are hot products on the black market: exploit packs are developed to order or for widespread sale and are supported and updated. The price depends on the quantity and "freshness" of the exploits included, the ease of administration, the quality of the support, the regularity of updates and the greed of the seller.

As these attacks take place through the browser, the exploits have to use a vulnerability in either the browser itself, add-ons to it or third party software loaded by the browser to handle content. If one of these exploits is used successfully, a malicious file will be launched on the victim's machine.

Typical set of add-ons for the Internet Explorer browser that have permission to run by default. Add-ons whose vulnerabilities are often used to attack a system are underlined in red.

An effective pack will contain exploits for useful vulnerabilities in popular browsers and their add-ons, and also for Adobe Flash Player and other popular programs. Often exploit packs have tools for fine tuning and collecting infection statistics.

Styx exploit pack control panel

Direct download by users

Quite often cybercriminals don't need ingenious and expensive tools to insert their malicious programs onto users' computers. Users can simply be fooled into downloading and running malware themselves.

For instance, on entering a malicious site a user sees a preview video "for adults only". Clicking on this brings up a message to update Adobe Flash Player, and at the same time the site immediately offers him a file to download with an authentic sounding name. By installing the "update" the user infects the computer with a Trojan.

Message appearing when trying to view an "adult" video on a malicious site

Or a web-page might appear imitating the "My Computer" window, saying that a large number of viruses have been detected on the computer. And nearby a window opens offering a free "antivirus" program to cure the problems.

An apparent offer to install a free antivirus program hiding a Trojan

Infection via social networks

Inexperienced users of social networks are open to attack by so-called semi-automatic worms. The future victim receives a message apparently from a virtual acquaintance with the offer of some attractive feature that is missing from the social network (to "dislike" a post, obtain confidential data on other users, etc.). To obtain this attractive feature the user is told to open a JavaScript terminal and enter certain code there.

Instructions for the installation of a semi-automatic Facebook worm

After these actions are carried out the worm activates and begins collecting data on the user, sending links to itself to the victim's contacts, awarding "likes" to various posts. This last option is a paid service that the owner of the worm offers to customers. And so we come to the reason why cybercriminals go to all this trouble and break the law.

Money, money, money

Naturally nobody is attacking our computers for the intellectual challenge — the aim is money. One very popular way of illegally making money from victims is the use of Trojan ransom-ware, making it impossible to use the computer until a certain sum has been paid.

Having penetrated the user's computer the Trojan determines the country where the infected computer is and shows the victim the corresponding disable screen, containing threats and instructions on how to pay the ransom. The language of the message and the payment method suggested by the cybercriminals both depend on the user's country.

Usually the evildoers accuse the user of looking at child pornography or some other illegal action and then threaten a criminal investigation or to make the matter public. The assumption is that the victim will take these threats seriously and won't risk seeking help from law enforcement agencies. In some cases the Trojan ransom-ware may threaten to destroy the contents of the hard disk if the ransom is not paid quickly.

The disable screen that Trojan-Ransom.Win32.Foreign shows users in the USA

The cybercriminals offer the option of paying this "fine" by sending an SMS to a premium number or making a money transfer using one of the payment systems. In return the user should receive an unblocking key to deactivate the Trojan, but in practice this doesn't always happen.

Maintaining a communication channel with the victim can lead law enforcement agencies to the criminals and they frequently prefer not to take the risk, leaving the victim with a practically useless computer.

Another common method of illegal moneymaking is the collection and sale of users' confidential data. Contact details and personal data are tradable commodities that can be sold on the black market, albeit not for a great deal of money. However, it can be a profitable sideline, especially as the collection of information does not necessarily require any malware infection. Often the victims themselves supply all the necessary information — the important thing is for the site hosting the form for the entry of data to appear reliable and authentic.

A false site collecting contact details and personal information of visitors and then signing them up for paid mobile services

Banking Trojans bring their operators large profits. These programs are designed to steal money from users' bank accounts using distance banking systems. Malware of this type steals users' authentication data for online banking systems. Usually this is not enough as almost all banks and payment systems require authentication using several factors - entering an SMS code, inserting a USB key etc. In these cases the Trojan waits until the user makes a payment using internet banking and then changes the payment details, diverting the money to special accounts from which the criminal can cash out. There are other ways around two factor authentication: the Trojan might intercept messages with single use passwords or freeze the system at the moment the USB key is inserted, leaving the user powerless while the criminals hijack the operation and steal the money.

Finally, another profitable business is running botnets. The infected computers in a botnet can, unnoticed, be used by the evildoers for various money-making activities: mining bitcoins, sending spam, carrying out DDOS attacks, and boosting sites' ratings through search requests.

Counteracting threats

As we have already shown, internet threats are diverse and can threaten users almost anywhere — when reading their mail, interacting on social networks, checking the news or simply surfing. There are also many ways to protect against these threats, but they can be summarized in four key pieces of advice:

  • Always pay attention to what you are doing on the Internet: which sites you visit, which files you download and what you run on your computer.
  • Do not trust messages from unknown users and organizations, do not click on links and do not open attachments.
  • Regularly update frequently-used software, especially software that works with your browser.
  • Install up-to-date defenses and keep anti-virus databases current.

It all sounds very simple, but the growing number of infections clearly demonstrates that too many users fail to take their safety seriously and neglect to follow this advice. We hope that our overview of current internet threats will help improve the situation.
