Malware RSS Feed

Sinkholing Volatile Cedar DGA Infrastructure

Malware Alerts - Tue, 03/31/2015 - 16:35

There is currently some buzz about the Volatile Cedar APT activity in the middle east, a group that deploys not only custom built RATs, but usb propagation components, as reported by Check Point [pdf].

One interesting feature of the backdoors used by this group is their ability to first connect to a set of static updater command and control (c2) servers, which then redirect to other c2. When they cannot connect to their hardcoded static c2, they fall back to a DGA algorithm, and cycle through other domains to connect with.


This particular actor's true impact seemed interesting, so we sinkholed some of their dynamically generated command and control infrastructure. These victim statistics present a somewhat surprising profile. Almost all of these victims are geolocated in Lebanon.

Victims checking in to DGA c2

Clearly, the bulk of the victims we observe are all communicating from ip ranges maintained by ISPs in Lebanon. And most of the other checkins appear to be research related. Almost all of the backdoors communicating with sinkholed domains are the main "explosion" backdoor. But, some of the victim systems in Lebanon communicating with our sinkhole are running the very rare "micro" backdoor written up in the paper: "Micro is a rare Explosive version. It can best be described as a completely different version of the Trojan, with similarities to the rest of Explosive "family" (such as configuration and code base). We believe that Micro is actually an old ancestor of Explosive, from which all other versions were developed. As in other versions, this version is also dependent on a self-developed DLL named "wnhelp.dll." They check in to with the URI "/micro/data/index.php?micro=4" over port 443.

While Volatile Cedar certainly does not have a high level of technological prowess, it appears that they have been effective at spreading their malware, much like the Madi APT we reported on mid-2012. Because the group is not known for spearphishing, IT administrators should be aware of their own publicly exposed attack surface like web applications, ftp servers, ssh servers, etc, and ensure they are not vulnerable to SQLi, SSI attacks, and other server side offensive activity.

Kaspersky Verdicts and MD5s:































IoT Research – Smartbands

Malware Alerts - Tue, 03/31/2015 - 07:00

Nowadays technology helps the development of hardware and software tools to record and analyze different aspects of our lives. This opens up new ways of staying aware of lifestyle and aiming to improve our health and fitness. One of the big trends in this sphere are fitness trackers such as smartbands, which, in the most popular current format, are bundles consisting of a hardware device we carry on our wrist and a mobile phone application to control the device and gain insights into the recorded data. We're entrusting these gadgets with very personal and sensitive data about ourselves and letting them into dive into our very inmost self. This poses big questions for us as a security company:

  • What kind of data is being collected
  • What are the risks and where are they?
  • What other parties might be interested in getting hold of this information, what's the potential result?
  • How can users help to protect their data?

Tracking devices and their corresponding mobile applications from three leading vendors were inspected in this report to shed some light on the current state of security and privacy of wearable fitness trackers.

What is it all about? The quantified self, smartbands and what people want to achieve

We regularly measure aspects of our daily lives because we feel we have to, because it is human nature to want to stay safe. We typically set our goals for certain points in time and regularly check how well or badly we're performing.

Things we often measure:

  • Business: financial goals, project plans, salary
  • Health: weight, height, eyesight, body mass index
  • Sports: heartbeat, distance covered and altitude gain while cycling or running, average speed

But a movement known as 'quantified self' wants more. It wants to go beyond and off the beaten tracks. This movement has been around for years and people are getting together all over the world to exchange information, discuss their experiences and form a culture of self-tracking. They are searching for a healthier, more fulfilling life by measuring things in their daily routines that have been overlooked by traditional measuring schemes.

The healthy living angle of this is attracting a lot of attention these days. Most people work in offices and they only get exercise as they commute, go shopping or walk to the coffee machine. More and more people work from home and use online store to get the things they need delivered to them, so there is far less need to actually leave the house. At the same time people are more aware of their bodies than – both in terms of health and an attractive appearance.

There are several ways of measuring how healthy, fit and active we are. Heart beat monitors help us control our exercise and get hard facts about our condition. Speedometers help cyclists measuring the distance covered, what altitude gain they achieved and their average speed. But all these tools are limited. They are taken off after exercising so other everyday activities like walking or working aren't recorded. If we use multiple devices the data remains isolated on each machine and is never correlated.

We entrust fitness trackers with our personal data and invite them into our innermost self


This is where smartbands come into play. These devices are meant to be worn on our wrist all day and night to record our level of activity and also the time and quality of sleep. This generation of devices still records single snapshots, but the high frequency of recording sets makes it look like dynamic stream. It's a bit like the difference between photography, which gathers single shots, and filming, which uses a constant stream of shots to create a dynamic image. By acquiring and correlating constant streams of different health related data, we get additional benefits and information about our daily life, some of which we may not have been aware of. This paints a more complete picture of our lifestyle.

Human nature also seeks improvement. Collecting and visualizing our activities in daily life and their effects on our body helps motivate us to set new high scores. With most smartband offerings, users can try to beat their own targets as well as competing with a broader audience of family members, friends, colleagues from work and other individuals from online training groups. These are connected by the eco-system of the vendor's cloud network or by sharing information on social networks.

Smartbands – what they are and how they work

Basic smartbands are wristbands with mostly rubber surfaces to withstand shocks and moisture. The technological heart of the device is either firmly embedded into the body of the smartband or created in the form of a capsule, which can be placed into the band. The latter format allows the user to change the band if it gets damaged or worn out over time.

Bluetooth module: The main interface to upload collected data to a smartphone app and download new instructions, like vibration alarm at a defined time. Vibration motor: Just as on a smartphone, the motor lets the device vibrate to notify users of certain events like low battery or a pre-defined alarm. Motion sensor: Similar to the motion sensors in smartphones, the sensor monitors gyroscopic and accelerating movements. Vendor-defined algorithms then translate the movement into understandable units like steps. Battery: The battery of basic smartbands usually takes 35 – 70 mAH, a very low charge compared to smartphones, which take 2000 – 4000 mAH. Since there are far fewer components and they are usually more energy efficient, smartbands can keep running for one to two weeks, depending on how much data is being collected and how often power-consuming features are used. Power/sync button: Most smartbands can be operated with a single button to power on/off and sync or pair the device with the mobile phone. Power jack: To recharge the device's battery via a USB adapter. Display: Basic smartbands offer a small LED or dot matrix display to show battery charge or essential information like time or the step count. Features

Different smartband offerings have similar features. They are all based on measuring the activity levels, longevity and quality of sleep, information on calorie balance and additional goodies.

Main features:

  • step counter and approximate distance covered
  • calorie consumption
  • sleep recorder (duration and quality)
  • self-defined fitness plan and a comparison with actual activity

More features:

  • Nutrition intake and comparison with calories burnt from activity
  • Friend list with texting functionality and comparison of activities
  • Smart alarm for gentle recovery phase, based on measured stages of sleep
  • Stopwatch
  • Training diagrams
  • Third party extensions, if offered
A closer look at the whole system What data is collected by these devices?

The fitness trackers examined in this paper offer very similar feature sets and there is a consensus among the vendors about the data that is collected by the apps.


  • Name (or nickname)
  • Birth date (or just birth year)
  • Height
  • Weight
  • Gender
  • E-mail address
  • Password for account


  • Country
  • Training plan
  • Weight goal
  • Training goals (steps per day, hours of sleep)
  • Nutrition plan
  • Photo
  • Mood
  • Friends using the same fitness tracker
  • . . .

The apps automatically show the correct localization, taken from the active settings on the mobile phone. Units for weight and height can be adjusted, enabling users to choose between imperial and metric systems, but is initially pre-set according to the mobile phone's localization setting.

Some fitness trackers allow users to control what they share on their friend list, but not with the cloud service.

Collecting and processing the information

The data acquisition and processing is done in a chain comprising the smartband itself, a smartphone (usually Android or iOS based) or computer (running on Windows or OSX), the corresponding application to process the data and the vendor's cloud service to provide deeper insights and store historical data. In order to synchronize the individual components the system uses Bluetooth and the Internet (via 3G/4G, Wi-Fi or wired connection).

The continuous synchronization between the tracking device and mobile phone requires a steady Bluetooth connection. This can have a considerable impact on the battery time of the phone. However the tracker is able to store data without synchronization for anywhere between two and 30 days, depending on the device and the amount of information recorded. Most vendors recommend keeping Bluetooth enabled at all times to ensure the best user experience.

Stage 1: Record data and short term storage

Stage 2: Process and correlate data, send instructions to control smartband

Stage 3: long time storage, web based interface for better viewing and deeper investigation

Smartbands are currently in a state of transition. The popularity of the product is prompting new varieties to come to market, and demand is growing for different formats. The type of smartband we know at present will be known as basic smartbands; future generations will offer additional innate processing power instead of merely collecting data. Some companies already have plans for products like combined smartwatches and activity sensors including heart beat monitors.

The daily traffic for cloud synchronization is around 1 -2 MB per day, depending on the model, level of activity and which features are used. Users without mobile Internet flat rates should consider performing this task via Wi-Fi only.

Possible vectors of compromise

In general, the more devices and data transmissions between them are needed in a system, the greater the possibility of compromising the chain. Most smartband environments use the above-mentioned scheme. Other types of fitness trackers cut out the smartband and record the data on the smartphone itself or don't offer a cloud service. For these types some attack vectors are not applicable.

Synchronization between tracking device and mobile phone

The smartband is meant to be worn day and night; however, their owners may well take them off from time to time. Therefore it could be left unattended for a while and anyone with a compatible device and the appropriate app – which is usually free of charge – could theoretically synch with the device and gain access to the data it records. That data could potentially be delivered to a rogue smartphone whenever it is range.

The information from smartbands and fitness trackers includes highly personal details about an individual. These could be used against the user for:

  • Blackmail
  • Naming and shaming on the Internet

Other than that, thieves might also be interested in the victim's training schedule since it could alert them to times when the flat or home is left empty.

The good news is that each of the smartbands we reviewed features some kind of integrated protection against this risk. The apps signed out from the phone and notified the owner that the smartband had been disconnected. The only information available to a rogue user was the data collected that day, or since the last synchronization. However, since only a small fraction of today's smartband offerings were tested, this attack vector might still apply to other devices.

The bad news is, the protection mechanisms can be susceptible to attacks, as my colleague Roman Unuchek proved in his blog post "How I hacked my smart bracelet". He was able to compromise the authentication process and thereby read the tracker's recorded data as well as executing code on it. According to his research, sometimes it is even possible to hijack the device without the owner even knowing.

Synchronization between the mobile phone and the server

The synchronization between the smartphone apps and the cloud servers is a neuralgic point, since the data stream comprises both the data gathered and the credentials to access the user's account. When smartbands hit the market some years back, some curious security researchers dipped into the traffic; a great uproar soon followed as it emerged that many vendors had no encryption whatsoever in this process, meaning all data was transmitted in clear text, perfectly readable for anyone who came upon it.

The synchronization between the smartphone apps and the cloud servers is a neuralgic point


Fortunately, all the vendors of smartbands tested in this paper did their homework, since all of them incorporated a form encryption in their apps (TLS/SSL). This way, it is no longer simple to sniff traffic over Wi-Fi.

Compromising the mobile phone

Mobile malware has been a hot topic in recent years, with the number of new samples increasing in an almost exponential fashion. In the period from 2004-13 Kaspersky Lab analyzed almost 200,000 mobile malware code samples. In 2014 alone there was an additional stream of 295,539 samples. However, this doesn't give the whole picture. These code samples are re-used and re-packaged: in 2014 we saw 4,643,582 mobile malware installation packs (on top of the 10,000,000 installation packs that had been seen in the period 2004-13). The number of mobile malware attacks per month increased tenfold – from 69,000 per month in August 2013 to 644,000 in March 2014.

All the vendors of smartbands tested in this paper incorporated a form encryption in their apps (TLS/SSL)


The typical modus operandi of cybercriminals is to use legitimate apps or app names as a vehicle to spread their malicious creations – mainly on third party app sites. One mobile malware sample is usually packaged under just one installer package, but sometimes even a hundred could be used to increase the leverage and therefore spread it among different user groups.  Malicious fake apps for smartbands, asking the user for the login credentials and thereby hijacking the account and all the information on it are entirely plausible. In combination with other data from the compromised phone, such as GPS coordinates of check-in features from social networking apps, this would pretty much by 'game over'.

However, the daily life of a smartphone poses a far higher risk. These devices are especially prone to getting lost. For example the London Underground reported more than 15,000 phones were lost in its trains in 2013 [1]. Without a lock screen in place, all information is visible to anyone who finds a smartphone, and that includes the information stored in fitness trackers. None of the smartband apps tested for this report offered the opportunity of locking the app with separate pin.

Compromising the cloud service

Aside from targeting single devices and users, attackers could also aim for the cloud service itself and seek access to records from all users.

Sometimes not even sophisticated hacking skills are needed, as one leading smartband vendor's user portal proved in 2011. All the user profiles were indexed by a popular search engine, making it easy to simply search the Internet for specific expressions that were only found in these profiles. Back then, users had the option to make their profile "private" but they were set to "public" by default. In addition, users could manually enter descriptions for their activities and certain timeframes, e.g. to find out what is most helpful when trying to lose weight. This meant that even the most private kind of "activity" was publically visible for everyone to see, together with information on longevity and how many calories were burned [2]. The vendor subsequently took action to prevent this. This case highlights how easily information and privacy leaks can result from misconfiguration and/or lax privacy policies.

Tracker's users have the option to make their profile "private", but they're set to public by default


One smartband vendor's API allows users to access their data via a user ID and the serial number of the smartband, as well as the more traditional username-and-password combo. However, if a third party has the required information, the essential data can be downloaded without the user's knowledge.

In 2014 we saw numerous class A exploits like Shellshock or Heartbleed targeting web servers. These attacks were performed in a scripted fashion to IP addresses throughout the world by numerous gangs. It is still not clear how much data was gathered in these mega breaches, nor what the overall effect will be. Cloud services are not exempt from attacks like this and are seen as a lucrative target. It's only a matter of time until the next big exploit is found.

Other potential traps

According to research performed by the Massachusetts Institute of Technology, one smartband is notorious for scanning the user's environment for other Bluetooth-enabled devices, like computers, mobiles, other smartbands etc. As well as gathering the addresses of these devices, it also passes them to the vendor's servers via the smartband's phone application. This way, the vendor is potentially able to create a profile of each user's infrastructure environment.

In addition, the smartband itself uses BTLE (Bluetooth Low Energy), which makes it possible to change the device's address from time to time to avoid tracking the wearer. However, the vendor chose not to use this feature.

Fake smartband apps, asking for login credentials, are entirely plausible


One tested smartband app invited the user to install additional apps from third parties to integrate and associate the collected data for deeper insights into the state of the users' health and activity. Possible extensions include correlating the standard data with GPS recording during workouts, dedicated apps for further visualizations, apps offering additional weight control related models, apps encouraging the user to eat more healthily (e.g. more fruit) and even offering financial incentives if all goals have been completed, paid by users who didn't meet their own targets.

If integrated, user automatically agrees to share this kind of data with the supplier.

The last potential trap has been a classic for decades. People tend to reuse their passwords over and over out of convenience. Most people have a main e-mail address, which also serves as a username on many websites and services. Now if one these accounts is compromised due to a server side breach (and we read of these breaches almost every week) or a malware infection stealing the login credentials on one of the machines, this means the other accounts using the same password are in massive danger. It is widely known that cybercriminals try these credentials on many of the big web portals like online shops, online payment systems, social networks and anything else that might turn a cash profit in the digital underground.

Commercial models around smartbands, fitness trackers and other gadgets

The flood of personal information, gathered by millions of users of smartbands and other wearables, whets the appetite of others as well as cybercriminals.

This kind of information is highly valuable to companies and institutions in different sectors.

Insurance companies

Insurance companies are based around risk estimation. To do this effectively, data has to be collected and evaluated to calculate the appropriate premiums from customers. The better the data, the better companies can manage their business. This is where fitness trackers come into play. What data could possibly be better than actual data streaming in real time from the customers themselves? At the time of writing some insurance companies are launching special programs for customers who are willing to share the information gathered from their fitness trackers. In return, financial incentives are offered to customers who prove to have a healthy lifestyle, as well as vouchers for travel and additional fitness courses [4].

None of the smartband apps tested offered the opportunity to lock the app with a PIN


What could possibly go wrong? This scheme could potentially backfire. Imagine a keen fitness enthusiast who is also not averse to extreme sports. What if the tracking device and smartphone regularly transmit data about driving to an infamously dangerous mountain bike downhill track? GPS data sent from the smartphone and additional "step" count, coming from the rocks beneath the tire while riding at 40 kilometers per hour down the hill prove that someone didn't just go there to be a spectator, and this might displease the insurer. It could result in increased insurance costs based on the customer's allegedly higher risks. Depending on the legal situation in different regions in the world there's also a chance that insurance companies would refuse to insure high-risk clients because of the data recorded by their tracking devices.

Apart from fitness trackers, there are other gadgets and apps being developed to optimize the quantified self, like toothbrushes with integrated sensors to monitor the motion of the brush in three dimensions and a Bluetooth uplink to a dedicated smartphone application [5]. The app includes mini games to teach, motivate and reward people, especially children. It also tracks how often the teeth are being brushed and for how long. Again, insurers (dental insurance in particular) would be pleased to get their hands on this data.


Companies also discovered fitness trackers for their employees. There are already examples of employers offering these devices to their workforce to measure their health and motivate them towards a healthier lifestyle. British Petroleum (BP) introduced a "wellness program", in which employees are given points for reaching certain targets and incentives like health care premiums are offered [6]. Employees thinking about joining such program should thoroughly check the privacy policy and consider what potential consequences it might have.

Advertisement industry

There are almost no mobile apps on the market that offer users the option of disabling the flow of data into the cloud. As a result vendors quickly learn about your habits and your state of health. Depending on privacy policies, this enables them to tailor advertising based on the user's information and activity. Even within a general interest or activity, advertisements can focus on specific user groups: for example beginners could be offered running shoes and basic sportswear, whereas advanced athletes are shown advertisements for more expensive equipment, LED headlamps for night-time work outs or special sports nutrition. All offers can be adjusted for your local currency and targeted at the right gender and approximate size according to the weight and height set in the app.

Other parties

After the earthquake in Northern California the smartband vendor Jawbone published a diagram on their blog that showed the impact on sleep the event had in different areas around the epicenter [7]. All data was collected from thousands of customers, aggregated and presented in an anonymized form. The data enabled Jawbone to come up with a new format to show the actual impact of the earthquake on people rather than approximate seismographic ratings for surrounding areas. The graph appeared on many news sites around the globe.

Personal information gathered by millions of smartband users whets the appetite of cybercriminals


The year 2014 marked the first time that data recordings from smartbands were used in court, opening the way for future cases. In this case the woman in question freely provided her data to prove that her injuries from a car accident limited her activities. Her information was compared with other women of her age using a third party [8]. In this case the use of data was not controversial – the woman provided her data freely to prove her point. It is important for smartband users to remember that vendors usually include a clause in their user agreements and privacy policies to make it clear that they can disclose information in response to a court order. It is also important to understand that the gathered data won't necessarily be kept in the country where it was recorded, but could also be used in foreign countries with a different jurisdiction.

According to researchers from the Hebrew University of Jerusalem it is possible identify individuals by the distinct shake of their GoPro cameras, worn on the head, from a sample of only a few seconds [9]. This raises the question whether algorithms along these lines could allow individual smartband users to be identified by their activity and sleep patterns.

Is there a more private way to keep track of your fitness?

More private alternatives (read: self-sufficient) to smartbands include pedometers and fitness tracker apps. Both options can act as single device systems and thereby cut off potential vectors of compromise that affect common smartband systems.

Fitness tracker apps commonly use an internal gyroscopic sensor and accelerometer to keep track of activities.  Tracker apps lack the sensors to measure people's sleep and also do without some other features of smart devices. Dedicated step counter devices, called pedometers, offer a similar feature set, but are easy on the smartphones' battery. Some offerings can be synced with a smartphone, others are completely self-sufficient. They can be carried it in a pocket or clipped onto your belt.

Advice for users of smartbands

To minimize the risks of your data being compromised, there are several pieces of advice to follow. Many of them apply not only to smartband users but to anyone using apps that store personal information:

  • Only use features you really need and avoid giving out any personal information that you would not want to store  in the cloud
  • Use a strong and unique password for each account
  • Lock the home screen on your smartphone and use access protection
  • Encrypt your phone if possible
  • Use security solutions for all devices, if available
  • Read the license agreements of applications and pay close attention to how personal information might be used by the service
  • Install app and operating system updates when available
  • Uninstall/Delete applications that are not needed anymore
  • Turn off the Bluetooth and location services on phones when not needed (this also preserves battery time)

Smartbands have been around for almost a decade by now, so they are almost senior citizens compared with many gadgets. While some old security issues like absence of encryption or public indexing of user profiles have been fixed, they show that security is still an afterthought for many companies. Security is also a process; vulnerabilities in drivers, protocols and the whole server ecosystem are found more and more frequently, vendors need to monitor vulnerabilities and the exploit landscape and quickly patch their software on both the client side (smartphone apps) and the server side (cloud service) to secure the customer data.

Security, though, depends on both makers and users alike. Everyone involved must understand the value and sensitivity of the user data collected by the fitness tracker. Normally when a breach involving personal data happens, data like names, mail addresses, birthdates, credit card information or passwords are affected. In this context, the information is even more personal. It contains health and body related data, including details that someone would normally confide only to a handful of very close people – or possibly even the doctor alone.

Smartband vendors are sitting on a goldmine of information that would be of great value to third parties in its anonymized form and even more attractive in a user-specific context. But if vendors decided to give out this data in either format (and risk losing their users' trust), third parties need to be cautious about the data. After all, what is to stop users attaching a smartband to a hyperactive pet dog and using that to get preferential 'active lifestyle' rates from an insurance company?

Although smartbands are relatively old technology, they are still part of the breeding ground for devices and services that trade on quantifying ourselves. New kinds of devices are coming up, integrating old technology and combining them with new innovation. Gadgets like smartwatches and Google's Glass are examples of how the future might shape up in this area.

Appendix: Resources

(1) More than 15,000 lost mobile phones on London Underground pose security risks

(2) Dear Fitbit users, kudos on the 30 minute of vigorous sex activity last night

(3) Security Analysis of Wearable Fitness Devices (Fitbit)

(4) Insurance company Generali wants to collect fitness data from customers (German)

(5) Kolibree, Smart Tooth Brush

(6) Wearables at work mean big business, says Fitbit CEO

(7) How the Napa Earthquake Affected Bay Area Sleepers

(8) Fitbit Data now being used in the Court Room

(9) Egocentric Video Biometrics

CanSecWest 2015: everything is hackable

Malware Alerts - Fri, 03/27/2015 - 09:48

Last week, we had the privilege to participate in and present at the 15th edition of CanSecWest in beautiful Vancouver, BC, along with its famous accompaniment, the ever famous Pwn2Own competition. Yes, once again all major browsers were hacked, but they were not alone! BIOS and UEFI, 4G modems, fingerprints, credentials, virtual machines, and operating systems were among the victim systems successfully hacked by our fellow presenters.

The event gathers a very technical audience with a shared interest in the most recent attacks and the presenters delivered with a variety of demos that showcased their intended vulnerabilities beautifully and thus reinforced the conclusion that digital voodoo can turn obscure and seemingly innocuous vulnerabilities into mind-numbingly cunning attacks.

One of the most discussed presentations, and certainly one of our favorites, showcased the power of BIOS and UEFI hacking: two guys, Corey Kallenberg and Xeno Kovah of Legbacore, armed with $2,000 and 4 weeks of hard work were able to show how a long list of vendor BIOSes were not only vulnerable but could successfully be loaded with LightEater, an SMM implant capable of pilfering sensitive information from Tails OS and even exfiltrating that information in such a way as to bypass the OS entirely. We clearly agree with their conclusion, it´s time to start taking a harder look at firmware!

Firmware insecurity: absence of evidence is not evidence of absence

One of the very possible attack is the well-known 'evil maid' or the 'border guard' approach: someone with physical access to your computer can just plug a small device (see below) and successfully reflash your system's BIOS, rewriting it with malicious code, without so much as booting up the system.

Press a button and in a few seconds the handy green light will indicate the BIOS is p0wned

Another very interesting presentation by Jan "starbug" Krissler showed how high resolution photos could bypass biometric authentication. Pictures acquired through high-resolution cameras from a safe distance amounted to the successful theft of fingerprints, faces, and irises used by current biometric systems for authentication. The distance can even be extended through the use of infrared imagery! We spent the talk imagining the breach possibilities as  an increasing number of ATMs  nowadays rely on biometric input.

Please authenticate access to your bank account using a password you can never change: your fingerprint

We also saw presentations on MacOS DLL (dylib) hijacking, userland exploits on iOS 8, attacks using Windows PowerShell, and even the installation of a bootkit in a 4G modem by simply sending an SMS! All sandwiched between explanations of the work of the ever fascinating Google Project Zero Team. In one of these, Chris Evans walked the audience through how a 'simple' crash caused by a call with a negative length became an exploit on Adobe Flash Player.

Our own presentation was a walkthrough of the misuse of whitelisted tools to further all kinds of attacks, from APTs and Targeted attacks to banking trojans and ransomware. This ongoing project is intended to highlight the faulty foundations of the whitelisting approach to security and how whitelisting alone simply won't protect you, from advanced and intermediary attackers alike! Stay tuned for a post on our findings.

In the end, we expanded our view as to the true breadth of vulnerable software and hardware. on which we depend daily. Security is a truly elusive state in an ecosystem composed of interwoven, dependent systems, each responding to the diverging priorities of a developer, an administrator, a user, and, of course, an attacker as well. The role of the security researcher that lives and breathes attack vectors and obscure vulnerabilities in search of the right digital voodoo has never been more important. And we can't help but echo the sentiments of Dragos Ruiu and our own Eugene Kaspersky in thanking CanSecWest for bringing all these researchers under one roof and one banner to share that digital voodoo and successfully stave off the balkanization of our industry just a while longer.

How I hacked my smart bracelet

Malware Alerts - Thu, 03/26/2015 - 07:00

This story began a few months ago when I got a popular brand of fitness bracelet. As this is a wearable device I installed Android Wear app, an application developed especially for wearable devices. This application easily connects to the fitness band.

However, there was something odd: the program could connect to a Nike+ Fuel Band SE, but my bracelet was another brand! It wasn't long before I realized my colleague had a Nike wristband – and he didn't even notice I had connected to his device.

After that I decided to do some research and find out how secure my wristband was.

Smart bracelets: communication with a smartphone

Today's market offers a lot of wristbands from other manufacturers. KSN provides the following statistics about the installation of Android-based applications to work with popular fitness trackers on mobile devices (the statistical data was obtained from KSN users who freely agreed to the transfer of this data).

The installation of Android-based applications designed to work with fitness trackers from different manufactures

Although this statistic demonstrates the popularity of Android applications (we cannot guarantee that the appropriate devices have users), to some extent it reflects the situation with the popularity of wearable devices.

To communicate with the smartphone most of these fitness bands use Bluetooth LE technology (also known as Bluetooth Smart). For us, this means that the devices connect in a different way from regular Bluetooth. There is no pairing password because most wristbands do not have a screen and/or a keyboard.

In some cases you can connect to a wearable device without the owner even knowing


These wristbands use a GATT (Generic Attribute Profile) which means that every wearable device includes a set of services, each of which has a set of characteristics. Each characteristic contains a byte buffer and a list of descriptors, and each descriptor contains a value – a byte buffer.

In order to demonstrate this, I used some ready code from Android SDK, an example of an application that connects to Bluetooth LE devices. I did not have to write a single new line of code; I simply opened the existing project in Android Studio and pressed Start.

The screenshot above shows the result of my attempt to connect my fitness bracelet with the help of this application. Here we see the services and their characteristics. However, it is not easy to obtain data for my bracelet from the characteristics - it requires authentication in addition to the connection. In the case of some other devices I could read the data from the characteristics and their descriptors. This was probably the user data.


So, using the example of the application from Android SDK I could connect to some devices. After that I have developed my own application which automatically searched for the Bluetooth LE devices attempting to connect to them and get their list of services.

Using this application I performed several scans.

  • Over two hours on the Moscow undeground subway system I could have connected to 19 devices: 11 FitBit and 8 Jawbone.
  • Over an hour in a gym in Bellevue, WA, USA I was able to connect to 25 devices: 20 Fitbit, and one each from Nike, Jawbone, Microsoft, Polar and Quans.
  • Over two hours at SAS2015 in Cancun, Mexico, I was able to connect to 10 fitness trackers: 3 Jawbone and 7 FitBit.

From just six hours of scanning I was able to connect to 54 devices despite two serious restrictions:

  1. Although the spec suggests the maximum distance for connections is 50 meters, in reality it's rarely possible to connect to a device more than 6m away.
  2. It seems that it is not possible to connect to a device that already has a connection to another phone. Thus if your wristband is connected to your phone, no one else can connect to it; it should not even be seen during scanning.

The second restriction should mean that when the wristband is connected to a smartphone, it cannot be attacked. This is not true though. And here is an example: while scanning with my app I was able to block the communication between my bracelet and its official application, even though they were connected.

It could be that the devices I found had never connected to a phone before or that the wristband was not connected to a smartphone while I was scanning (perhaps the Bluetooth on the phone was disabled). However it could also be that a pre-connected device was still available for connection despite the supposed restriction. Whatever the reason, potential fraudsters have ample opportunity to connect to fitness trackers.

However, in most cases, authentication is required in addition to the connection in order to gain access to the user data. Let's see how my bracelet's authentication process works.

My bracelet's authentication

To authenticate the bracelet on a smartphone the official application uses one of the four available services on the wristband. Each characteristic of each service is flagged with 'CharacteristicNotification' - this is how the app informs the wristband that it wants notifications of any change in this characteristic. Then the application gets a list of descriptors for each characteristic and sets the 'ENABLE_NOTIFICATION_VALUE' flag to inform the wristband that it wants notifications of any change in each descriptor.

After that one of the characteristics changes its value - the byte buffer. The application reads this buffer from the wristband: the 200f1f header and the byte array - let's call it authBytes.

The application creates a new array. Its first part is a constant array which is contained in the application and begins with 6dc351fd44; the second part of the new array is authBytes. The application receives the MD5 hash from the new array and sends it back to the device in the following structure:

  • Header (201210051f)
  • MD5
  • Verification byte

The application then sends to the device yet another array also found in this application.

After this wristband starts to vibrate and the user just needs to press the button to complete the authentication process.

With the official application the authentication process takes about 15 seconds. I have developed an application that requires only 4 seconds to make the wristband vibrate.

It is not difficult to make the user press a single button on the wristband. You just need to be persistent. You can keep trying authentication process over and over until the user finally presses the button or moves out of range.

From just six hours of scanning I was able to connect to 54 devices despite two serious restrictions


After authentication is completed, the data on my bracelet can be accessed. Right now, wearable fitness devices do not contain much information. Typically, they have the number of steps, the phases of sleep, the pulse for the last hour or so. Approximately once an hour the app transfers this information from the wristband to the cloud.

After the authentication, it is easy to execute commands on the device. For example, to change the time you should send to the device the byte array beginning with f0020c and then the date in the form YYYY MM DD DW HH MM SS MSMSMSMS.

Things are even easier with the other fitness trackers: for some of them, part of the data is available immediately after the connection, while the application code for Nike is not even obfuscated and can be easy read (the results of one study can be found here).


The results of my research show that in some cases you can connect to a wearable device without the owner even knowing.

By hacking the bracelet I have the fraudster cannot get access to all user data as this is not stored on the wristband or in the phone - the official application regularly transfers information from the wristband to the cloud.

Fitness trackers are becoming more popular and offer a wider range of functions. Perhaps in the near future they will contain more sensors and hence much more user information, often medical data. However the creators of these devices seem to think very little about their safety.

Just imagine - if a wristband with the pulse sensor is hacked, store owners could look at your pulse rate while you are looking at the prices in the store. It might also become possible to find out how people react to advertising. Moreover, a hacked wearable with pulse sensor could be used as a lie detector.

The fraudster could take control of your wristband, make it vibrate constantly and demand money to make it stop


Of course, there are more harmful actions that are more likely. For example, by using a Trojan-Ransom the fraudster could take control of your wristband, make it vibrate constantly and demand money to make it stop.

We reported our findings to my bracelet's vendor. The company's response defines the findings as a UX Bug and not a security issue. For ethical and security reasons we are not disclosing the name and the model of the bracelet this time. If you're worried about the possible consequences of cybercriminals exploiting the security issues we discovered, don't hesitate to contact the vendor of your fitness bracelet and ask if your product is affected by the method described in the article.

We also hope that this article will be helpful not only for users but also for vendors of the bracelets to make these devices safer from the IT Security perspective.

Connect for good health

SANS Tip-of-the-Day - Mon, 03/23/2015 - 23:15

Analog OPSEC 101 – operational security in the physical world

Malware Alerts - Wed, 03/18/2015 - 06:00

For a long time we´ve been interested in operational security (OPSEC), and although you can find tons of cool technical tips about protecting digital information, we always felt that something was missing. After all, we live in a physical, or  analog world as well as a digital one, and we have encounters with other real people. After asking around, we found that one of the biggest worries of our technical community was how to behave during these interactions. So we decided to work on creating some realistic and easy to remember tips for exactly these situations.

Threat modeling

OPSEC is all about hiding information from your adversaries. We categorized our adversaries into just two groups: those who have resources and those who don´t. Plain and simple.

The first group comprises intelligence agencies, military organizations and the big bad boys. The second contains the rest. Important: no resources is not the same as no danger, but they are less able to track you unless you give away information for free.

Our tips are focused on encounters with the first group, since that is more likely to happen.


Agencies are always on the look-out for new assets to recruit – this is what they've been doing for centuries.

It all starts with the spotting process, identifying an asset who could meet their requirements based on the position and access to information. Next they profile the target, partly using OSINT. After that it's time to choose between the carrot and the stick, and pick out the most effective motivators on offer: money, blackmail, ideology, sex, etc.

Then some guy will approach us, maybe in person, maybe through LinkedIn. He'll probably pose as some businessman who will pay us a lot for nothing much, just a few easy reports from time to time.

When this happens we want to get to the Termination phase ASAP, ideally after being written off as a waste of time and effort.

We can just say "No", but they may keep increasing the pressure. On the other hand, we can refuse while providing alternatives, redirecting the request to another person ready to handle this.

Create a protocol for yourself and your organization in order to handle these situations effectively, minimizing the researcher ´s exposure. Be prepared in advance for situations where we are more vulnerable.


Crossing an international border can be one of the most vulnerable places. Somehow they are like a parallel dimension: although you are physically in one territory, the laws are just different, or maybe even non-existent.

We´ve learnt a few things regarding borders: there is always some exception to the law that officers might use in extreme scenarios. You can find legal advice here>. However this is what you should NOT do:

  • Regardless of whether you consent to a search or not, do NOT stop the officer if he starts checking your stuff. This is a felony.
  • You don´t have to answer questions, but if you decide to do so, do not lie to the officer. Again, a felony.

This is our advice about how to react in a situation like this. These rules will provide you with peace of mind, help you stay calm and not freak out. Hopefully they will stop you overreacting, making things worse and talking too much, starting with: "I have nothing to hide, let me explain …".

  • Be cooperative.
  • Don´t make things worse.
  • Have your story prepared and be ready to back it up.
  • Golden rule: Don´t bring any valuable content with you! You should encrypt, upload and retrieve on arrival at your destination.
Other situations

Sometimes we could find ourselves going to a meeting in a strange country with a suspicion that something is not quite right. Some advice for this:

  • Don´t go alone.
  • Don´t rely on your host for transport
  • Plan exit routes and "safe" places, have your contacts ready.

In some cases the meeting itself won´t be the "trap"; it's just an excuse to get you to leave your computer in a known location the hotel, or in a cloakroom.

It is always a good idea to let someone know where you are going and tell them to react if you don´t ping them in a reasonable period of time. This also lets your adversaries know that you are ready – a simple casual comment will do the job.

Another concern is physical surveillance. To be honest, if this is done by sophisticated professionals there isn't much we can do about it and we probably won't even notice. But remember – don't try anything stupid; you're not James Bond. Acting like it's a movie can only make things worse.

If you are very concerned, escalate the situation and involve the person in your company who is responsible for dealing with local contacts. If you feel uncomfortable, move to a public place or directly move to your embassy.


You've probably already spotted a common theme in most of all these situations. First, keep calm and do not make things worse. You can rely on a third party to send in the cavalry when you need it. This is why your company should provide you with a single person to contact when you're in trouble. Also you might need international legal support.

However the key lesson is: do your homework. If you travel abroad, spend some time finding local contacts, get the telephone number and directions for your embassy, plan your meetings, let other people know where you are and make sure they are ready to act quickly in certain situations. Have your travel laptop ready and consider what information you bring with you. If you remember your lessons, you will be fine.

Five Security Tips

SANS Tip-of-the-Day - Tue, 03/17/2015 - 21:49

Yeti still Crouching in the Forest

Malware Alerts - Tue, 03/17/2015 - 03:53

Last July, we published details on Crouching Yeti (aka Energetic Bear), an advanced threat actor involved in several APT campaigns.

A quick summary:

  • Campaign status: Active
  • Discovery: January 2014
  • Targeted platforms: Windows
  • First known sample: 2010
  • Number of targets: 2,001-3,000
  • Top target countries : United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, China
  • Propagation method: Social engineering, Exploit, Watering hole attack, Trojanized software installers
  • Purpose/functions: Data theft
  • Special features : Interest in OPC/SCADA. Trojanized software used to administer remote OPC servers as well as modules to scan networks for OPC servers.
  • Targets: Industrial/machinery, Manufacturing, Pharmaceutical, Construction, Education, Information technology
  • Artifacts/attribution : Russian-speaking authors

This post is an update about the operational status of the campaign described in the original "Crouching Yeti" report.

Since the beginning of the research, we've been monitoring some of the C2 servers used by the components used in the attack – the Havex Trojan, the Sysmain Trojan and the ClientX backdoor. The following analysis is based on data gathered until March 04, 2015

C2 and victims:

Overall, we successfully monitored 69 C2 server (unique domains), receiving hits from 3699 victims (unique IDs of the Trojan/backdoor) connecting from 57796 different IP addresses. We gathered four additional C2s since the publication of the first report (65 in the last report).

Based on the graph below, the top five C2 servers share most of the unique victims :

Victims per C2


Although the trendline shows a decreasing number of hits on the C2, there are still >1.000 unique victim connections per day. These top five C2s with most of the victims coincides with the activity analyzed in the previous research and publication.

Another interesting figure is the number of hits by date which shows a decreasing trend:

The following figure shows the entire picture regarding Crouching Yeti victim country distribution including all the malware (Havex, ClientX,Sysmain) reporting to the C2s on which we have visibility. The graph contains the total dataset (inluding data for the previous report as well as the gathered during this period) and contains all the unique IP addresses observed. Be aware that there are some unique IDs using several IP addresses probably pertaining to infected computers used by travellers.

This shows the big (and updated) picture regarding Crouching Yeti victims by country. Spain, Poland and Greece are in the Top 3. Japan and especially the United States have significantly reduced position (less victims) since the last report, contrary to Poland and Italy that increased position remarkably (more victims reporting to the C2).

An additional representation of victim country distribution including the full dataset (all countries) :


The most widely used Trojan on these C2 server is Havex with 3375 unqiue victims. Sysmain counts 314 and ClientX 10 (as in the last year's report). For Havex, version 024 is still the most widespread, followed by version 043. This is consistent with the trend observed in our last publication.

The following two graphs show the distribution of victims per malware type. We decided to divide the identified versions in two groups for purposes of clarity. The series names Report contains the data published in the first Crouching Yeti release (blue) and the Update (red) series contains the data analyzed.

During this period, the first subset shows an increase for almost all the included versions except for Havex-038 and Havex-01D which showed bigger activity in the first Crouching Yeti release . On the other hand, Havex-043 has the most significant increase during this period.

For the second subset, the picture looks pretty similar (global increase) except for Havex-01d which shows a decrease during this period.

Already before and also after the announcements around this actor other researcher digged into. Therefore the datasets are cleaned but may still include few research based non-victim systems.

The following graphs shows the operating system distribution amongst Havex victims during this period:

Apart from the increase of the category "unknown", there are no substantial differences when comparing the data analyzed in the first report :

In order to complement the data from the C2, we extracted some stats for the most relevant Trojans used by the Crouching Yeti operators. Almost all of them shows a residual impact during 2015. Nevertheless, we notice some very specific peaks during this month, especially for the Trojan.Win32.Ddex verdict. This component is a simple downloader with the functionality similar to the Havex component. All the detections are located within the Russian Federation.

In conclusion, the data analyzed during this period show us that Crouching Yeti's impact continues to increase in terms of infected victims reporting to the C2s, although internal data from KSN shows a different picture (residual number of infections). In this update, we did not see relevant changes in the infrastructure or in the C2 activity.

Taking into account the nature of this threat actor and the operational status of the infrastructure, it is likely the operators already switched infrastructure, techniques and targets.

We will continue to track this threat actor and providing updates accordingly.


Subscribe to RIT Information Security aggregator