Malware RSS Feed

ekoParty Security Conference

Malware Alerts - Thu, 11/06/2014 - 09:37

The ten year anniversary edition of the Electronic KnockOut Party, held annually in Buenos Aires, Argentina, was certainly special! Over the years, ekoParty has become a standard for other conferences in Latin America, bringing together researchers from all over the world for nearly a full week packed with trainings, workshops, and groundbreaking talks about different aspects of the field of information security.

Ten year anniversary, epic uptime!

This year, the conference changed venues from the previously known 'Ciudad Cultural Konex' in favor of a much bigger space near the airport, the 'Aeroparque Jorge Newbery'. The loud engines from passing planes could not stop the speakers from sharing their knowledge with the audience. Organizers were prepared for this and outfitted the main stage with airport-themed decorations. Even the badges resembled boarding passes, making the most of the new venue's quirks and leaving nothing to chance.

What differentiates ekoParty from other conferences is the passion exhibited by everyone in attendance. Thanks in part to the Latin American way of doing things, ekoParty is proud of not taking itself too seriously and encourages its attendees to behave the same way. A loud siren blares when it's time for the speaker to take a drink and loosen up a bit mid-talk. Rushing forward with a shot of vodka, the conference staff is alert and engaging, making sure that both speaker and audience are having fun.

The main stage, where speakers from all around the world shared their latest research.

During the first day, we were welcomed by an interesting discussion panel and a wide array of workshops to choose from. In addition, several corporate sponsors gave away free trainings to showcase some of their latest tools and also administered challenges for the duration of the conference. With tempting cash prizes and fancy gadgets on the line, some participants chose to forego the talks altogether in order to test their skills in areas such as reverse engineering, penetration testing, and networking.

By the time the talks began on the second day, the tone of the conference was set by Cesar Cerrudo who presented on how to hack traffic control systems. Using 'Live Free or Die Hard' references to engage the audience proved successful and Hollywood-worthy research was presented in a compelling and understandable way. As the day went on, attendees could choose to participate in one of the workshops (as I did with Juliano Rizzo's bitcoin security training) or keep attending assorted talks. Among the topics covered were "Exploring the Jolla Phone", "Cooking an APT the paranoid way" or even browser exploitation techniques with Alex Rad's presentation "Pointer Subterfuge in the Browser Address Space".

There were just too many topics and talks to cover all in detail, but a common thread emerges. Speakers not only share their knowledge but also ask the community to join them in their research to create something useful for all parties involved. This was the case with Anibal Sacco's "IDA Synergy – Collaborative Reverse Engineering", which showed a combination of an IDAPython plugin and a version control system that resulted in a new collaborative reverse engineering add-on for IDA Pro.

Though a lot of talks focused on exploiting different technologies (as in the case of Luis Colunga's presentation on Software Defined Radio), other presentations could be easily mistaken for university courses. This was the case with Alfredo Ortega's "Deep-submicron backdoors" which led the audience from concepts like Fourier transformations to CPU low-level backdoors. With a touch of 3D modeling and some lines of code in the right place, Ortega demonstrated that building a backdoored ARM CPU isn't as hard as it might seem.

The final day of the conference started early with discussions about the current state of privacy and a historical perspective on the many state-backed surveillance programs of recent years. Just before lunch we had a great presentation by Marcio Almeida Macedo on 'Hacking RFID Billing Schemes for fun and free rides', mentioning our recent blogpost on the topic, specifically referring to vulnerabilities in the Chilean transportation system. All researchers went above and beyond to show the hardware and principles involved in their investigations, always enticing the audience to follow in their footsteps.

Malware made its appearance with Thiago Bordini, who shared techniques for 'Monitoring Malicious Domains on the Internet in real time for forensic purposes'. Brazilian presenters were, of course, forced to withstand chanting and taunting from Argentinians in the crowd pleased by World Cup results. That's to be expected. The day ended with bells and whistles as Rahul Sasi presented his sequel presentation on hacking TV networks, an investigation that stemmed from a penetration testing job that ended with him finding ways to inject video signals into TV networks and even shut down the receiver's box remotely.

A nice attendance for this edition of ekoParty Security Conference.

An emotive awards ceremony brought the event to a close by recognizing local talent and remembering Barnaby Jack's appearance years ago. The ekoParty left everyone wanting more and eager to attend the following year. ekoParty is one of those conferences where attendees get back what they put in: they can choose to just enjoy the talks or instead get involved in the many challenges, workshops, and networking activities offered. Until next year, I encourage you to check out the content covered during the conference and hope to see you there!

Hack In The Box 2014 KUL

Malware Alerts - Thu, 11/06/2014 - 07:19

The Hack In The Box (HITB) SecConf 2014 was held from 13 to 16 October in Kuala Lumpur, Malaysia. More than 500 people from around the world participated in the event. Unfortunately, 2014 was the final round of this nice event.

The event is made up of four main elements: technical training sessions, a security conference, a Capture the Flag 'Live Hacking' Attack & Defense Competition, a Developer Hackathon (HackWEEKDAY) and a CommSec Village & Technology Showcase Area.

Although there were many interesting presentations at the conference, I have too little space here to introduce all of them, so let's take a look at three of them.

Filippo Valsorda gave a presentation entitled "Exploiting ECDSA Failures in the Bitcoin Blockchain". The Elliptic Curve Digital Signature Algorithm (ECDSA) is an EC-based signature scheme as implemented in TLS, DNSSEC and the PS3. He pointed out that ECDSA might not be as secure as it is believed to be.

Haroon Meer, Marco Slaviero and Azhar Desai picked up the topic of the "sockpuppet" (a false online identity adopted for deceptive purposes) in their presentation. They demonstrated mass-posting, mass-voting and mass-down-voting on some forums with the help of only one line of bash script. The presentation was entitled "Weapons of Mass Distraction: Sock Puppetry for Fun & Profit".

Mike Ryan's "The NSA Playset: Bluetooth Smart Attack Tools" presentation introduced a series of tools used by the NSA and demonstrated keyboard hijacking via Bluetooth using some of the tools.

For those who are interested, the presentation materials are available at the official web site of HITB2014.

The CTF session was also quite interesting. Let's take a look at Challenge 2.

As a problem to solve, a pcap file was provided. It was a capture of some network traffic.

Inspecting the file, you could find that the ICMPv6 packets contain unknown strings that start with "G01". In fact, the strings are G-codes, computer numerical control commands (for industrial hardware, 3D printers, etc.). If it is run using emulator software, a string is displayed – this is the answer to the problem.
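As an added example (not part of the original post), here is a small Python renderer for the kind of G-code the challenge hid in ICMPv6 payloads: it filters G-code lines out of packet payloads, traces G00/G01 moves, and rasterises the toolpath as ASCII so the drawn text can be read without emulator software. The payloads, coordinates and the "HI" drawing are constructed for illustration and are not the challenge data; the G00 (rapid, tool up) / G01 (linear cut, tool down) interpretation is the standard RS-274 one.

```python
import re

# Constructed sample payloads standing in for the ICMPv6 packet data from the
# challenge pcap: one ordinary ping filler plus G-code lines chunked across
# several packets the way a sender would split them. Not the real challenge data.
SAMPLE_PAYLOADS = [
    b"abcdefghijklmnopqrstuvwabcdefghi",            # ordinary ping filler, ignored
    b"G00 X0 Y0\nG01 X0 Y4\nG00 X0 Y2\nG01 X2 Y2\n",
    b"G00 X2 Y0\nG01 X2 Y4\n",
    b"G00 X4 Y0\nG01 X6 Y0\nG00 X5 Y0\nG01 X5 Y4\n",
    b"G00 X4 Y4\nG01 X6 Y4\n",
]

# A payload line is kept only if it is a G word followed by X/Y/Z/F words.
GCODE_LINE_RE = re.compile(rb"^G\d{1,2}(?:\s+[XYZF]-?\d+(?:\.\d+)?)*$")
WORD_RE = re.compile(r"([GXYZF])(-?\d+(?:\.\d+)?)")


def extract_gcode(payloads):
    """Return the payload lines that look like G-code, in capture order."""
    lines = []
    for payload in payloads:
        for line in payload.splitlines():
            line = line.strip()
            if GCODE_LINE_RE.match(line):
                lines.append(line.decode("ascii"))
    return lines


def parse_gcode(lines):
    """Yield (command, params) pairs such as ('G01', {'X': 2.0, 'Y': 2.0})."""
    for raw in lines:
        line = raw.split(";", 1)[0].strip().upper()   # drop ';' comments
        cmd, params = None, {}
        for letter, value in WORD_RE.findall(line):
            if letter == "G":
                cmd = "G%02d" % int(float(value))
            else:
                params[letter] = float(value)
        if cmd is not None:
            yield cmd, params


def trace(lines):
    """Follow the toolpath and return the set of integer cells touched by G01 moves.

    G00 is a rapid move with the tool up (nothing drawn); G01 is a linear
    cutting move, rasterised with a simple DDA step so diagonals work too.
    """
    x = y = 0.0
    cells = set()
    for cmd, p in parse_gcode(lines):
        nx, ny = p.get("X", x), p.get("Y", y)
        if cmd == "G01":
            steps = max(int(round(abs(nx - x))), int(round(abs(ny - y))), 1)
            for i in range(steps + 1):
                cells.add((int(round(x + (nx - x) * i / steps)),
                           int(round(y + (ny - y) * i / steps))))
        x, y = nx, ny
    return cells


def render(lines, ink="#", blank="."):
    """Return the drawing as rows of text, top row first, like plotter output."""
    cells = trace(lines)
    if not cells:
        return []
    xs = [c[0] for c in cells]
    ys = [c[1] for c in cells]
    rows = []
    for row_y in range(max(ys), min(ys) - 1, -1):
        rows.append("".join(ink if (col_x, row_y) in cells else blank
                            for col_x in range(min(xs), max(xs) + 1)))
    return rows


def solve(payloads):
    """Full pipeline: payload bytes -> G-code lines -> rendered ASCII rows."""
    return render(extract_gcode(payloads))


if __name__ == "__main__":
    for row in solve(SAMPLE_PAYLOADS):
        print(row)
```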

In my opinion, CTF is a good exercise for IT engineers, because it gives the chance to learn technologies that are not familiar to you.

In the closing session, the event organizers announced the end of HITB KUL and the beginning of a new event "HITB GSEC". This is planned to take place in Singapore in October 2015.

I hope the new HITB GSEC will be as fantastic as HITB KUL and I'm looking forward to meeting great security specialists there again!!

From the horse's mouth: brands leaking your information open the door to effective spearphishing

Malware Alerts - Mon, 11/03/2014 - 10:13

A few months ago, I requested an online quote for some home repairs. The recipient was a very well-known company here in the US. The service I got was actually very good. With my explicit approval, the company kept my email address and has been sending me several promotions that I signed up for.

However, the latest one was unusual - it arrived with at least 20 recipients explicitly exposed including my full email address in the list.

Cybercriminals and other threat actors also have normal lives - they shop at the same places we do, they eat the same food we eat, and they hire the same services we do. So, imagine what happens when a malicious actor receives one of these emails! It's a perfect source of information for spearphishing attacks.

I say this because the attacker would have enough information to know that the potential victims are customers or prospective customers of that particular brand, and would know the benefits of abusing the brand to launch attacks in the name of that store.
Since the advertisement I get is customized, meaning it refers to a very specific part of town, the attacker would also know that the victims live in a particular city. This also brings a lot of advantages when preparing the attack.
Finally, the attacker even knows how the store legitimately promotes its services. And I mean which format the store uses:

In my case, I got a PDF file attachment. So, in case the attacker launches a spear phishing campaign with a malicious file, the victims wouldn't suspect anything malicious since nothing is out of the ordinary.

So who might abuse this technique and what can we do about it?

The most likely actor would be a classic cyber-criminal. However, any threat actor in need can resort to the same scheme.

What is the best practice when you get such advertisement emails? I prefer to use the online viewers embedded into many modern webmail providers. Instead of downloading the file to disk and then opening it locally, you can view it online:

So in case of any local app exploit, let's say for Adobe Reader, the exploit won't work and you will still be able to read the document.

Certainly, leaks like the one described above, despite not being particularly big, expose people to new spear-phishing campaigns.

You may follow me on twitter: @dimitribest

BE2 Custom Plugins, Router Abuse, and Target Profiles

Malware Alerts - Mon, 11/03/2014 - 02:58

The BlackEnergy malware is crimeware turned APT tool and is used in significant geopolitical operations lightly documented over the past year. An even more interesting part of the BlackEnergy story is the relatively unknown custom plugin capabilities to attack ARM and MIPS platforms, scripts for Cisco network devices, destructive plugins, a certificate stealer and more. Here, we present available data - it is difficult to collect on this APT. We will also present more details on targets previously unavailable and present related victim profile data.

These attackers are careful to hide and defend their long-term presence within compromised environments. The malware's previously undescribed breadth means attackers present new technical challenges in unusual environments, including SCADA networks. Challenges, like mitigating the attackers' lateral movement across compromised network routers, may take an organization's defenders far beyond their standard routine and out of their comfort zone.


Brief History

BlackEnergy2 and BlackEnergy3 are known tools. Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. There are no indications of how many groups possess this tool. BlackEnergy2 was eventually seen downloading more crimeware plugins - a custom spam plugin and a banking information stealer custom plugin. Over time, BlackEnergy2 was assumed into the toolset of the BE2/Sandworm actor. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own.


The Plugins and Config Files

Before evidence of BlackEnergy2 use in targeted attacks was uncovered, we tracked strange activity on one of the BlackEnergy CnC servers in 2013. This strangeness was related to values listed in newer BlackEnergy configuration files. As described in Dmitry's 2010 Black DDoS analysis, a configuration file is downloaded from the server by main.dll on an infected system. The config file provides download instructions for the loader. It also instructs the loader to pass certain commands to the plugins. In this particular case in 2013, the config file included an unknown plugin set, aside from the usual 'ddos' plugin listing. Displayed below are these new, XML-formatted plugin names "weap_hwi", "ps", and "vsnet" in a BlackEnergy configuration file downloaded from a C2 server. This new module push must have been among the first for this group, because all of the module versions were listed as "version 1", including the ddos plugin:

Config downloaded from BE2 server

The 'ps' plugin turned out to be a password stealer. The 'vsnet' plugin was intended to spread and launch a payload (the BlackEnergy2 dropper itself at the moment) in the local network by using PsExec, as well as gathering primary information on the user's computer and network.
Most surprising was the 'weap_hwi' plugin. It was a ddos tool compiled to run on ARM systems:

Weap_hwi plugin

At first, we didn't know whether the ARM plugin was listed intentionally or by mistake, so we proceeded to collect the CnC's config files. After pulling multiple config files, we confirmed that this ARM object inclusion was not a one-off mistake. The server definitely delivered config files not only for Windows, but also for the ARM/MIPS platform. Though unusual, the ARM module was delivered by the same server and it processed the same config file.

Linux plugins

Over time we were able to collect several plugins as well as the main module for ARM and MIPS architectures. All of these ARM/MIPS object files were compiled from the same source and later pushed out in one config: "weap_msl", "weap_mps", "nm_hwi", "nm_mps", "weap_hwi", and "nm_msl". It's interesting that the BE2 developers upgraded the ddos plugin to version 2, along with the nm_hwi, nm_mps, and nm_msl plugins. They simultaneously released version 5 of the weap_msl, weap_mps, and weap_hwi plugins. Those assignments were not likely arbitrary, as this group had developed BlackEnergy2 for several years in a professional and organized style:

Config with a similar set of plugins for different architectures

Here is the list of retrieved files and related functionality:

  • weap: DDoS attack (various types)
  • ps: password stealer handling a variety of network protocols (SMTP, POP3, IMAP, HTTP, FTP, Telnet)
  • nm: scans ports, stores banners
  • snif: logs IP source and destination, TCP/UDP ports
  • hook: main module: CnC communication, config parser, plugins loader
  • uper: rewrites the hook module with a new version and launches it


Weap, Snif, Nm plugin grammar mistakes and mis-spellings

The developers' coding style differed across the 'Hook' main module, the plugins, and the Windows main.dll. The hook main module contained encrypted strings and handled all the function calls and strings as the references in a large structure. This structure obfuscation may be a rewrite effort to better modularize the code, but could also be intended to complicate analysis. Regardless, it is likely that different individuals coded the different plugins. So, the BE2 effort must have its own small team of plugin and multiplatform developers.

Hook module structure

After decrypting the strings, it became clear that the Linux Hook main module communicated with the same CnC server as other Windows modules:

The CNC's IP address in the Linux module

This Linux module can process the following commands, some of which are similar to the Windows version:

  • (command name not given): delete all BlackEnergy2 files and system traces
  • kill: delete all BlackEnergy2 files and system traces and reboot
  • lexec: launch a command using bin/sh
  • rexec: download and launch a file using 'fork/exec'
  • update: rewrite self file
  • migrate: update the CnC server


Windows Plugins

After the disclosure of an unusual CnC server that pushed Linux and the new Windows plugins we paid greater attention to new BE2 samples and associated CnCs.

During an extended period, we were able to collect many Windows plugins from different CnC servers, without ever noticing Linux plugins being downloaded as described above. It appears the BE2/SandWorm gang protected their servers by keeping their non-Windows hacker tools and plugins in separate servers or server folders. Finally, each CnC server hosts a different set of plugins, meaning that each server works with different victims and uses plugins based on its current needs. Here is the summary list of all known plugins at the moment:

  • fs: searches for given file types, gets primary system and network information
  • ps: password stealer from various sources
  • ss: makes screenshots
  • vsnet: spreads payload in the local network (uses psexec, accesses admin shares), gets primary system and network information
  • rd: remote desktop
  • scan: scans ports of a given host
  • grc: backup channel via a web service (the GooglePlus IDs discussed below)
  • jn: file infector (local, shares, removable devices) with the given payload downloaded from CnC
  • cert: certificate stealer
  • sn: logs traffic, extracts login-passwords from different protocols (HTTP, LDAP, FTP, POP3, IMAP, Telnet)
  • tv: sets password hash in the registry for TeamViewer
  • prx: proxy server
  • dstr: destroys hard disk by overwriting with random data (on application level and driver level) at a certain time
  • kl: keylogger
  • upd: BE2 service file updater
  • usb: gathers information on connected USBs (device instance ID, drive geometry)
  • bios: gathers information on BIOS, motherboard, processor, OS

We are pretty sure that our list of BE2 tools is not complete. For example, we have yet to obtain the router access plugin, but we are confident that it exists. Evidence also supports the hypothesis that there is a decryption plugin for victim files (see below).

Our current collection represents the BE2 attackers' capabilities quite well. Some plugins remain mysterious and their purpose is not yet clear, like 'usb' and 'bios'. Why would the attackers need information on USB and BIOS characteristics? It suggests that, based on specific USB and BIOS devices, the attackers may upload specific plugins to carry out additional actions. Perhaps destructive, perhaps to further infect devices. We don't know yet.
It's also interesting to point out another plugin – 'grc'. In some of the BE2 configuration files, we can notice a value with a "gid" type:

The addr number in the config

This number is an ID for the service and is used by the 'grc' plugin to parse html. It then downloads and decrypts a PNG file. The decrypted PNG is supposed to contain a new CNC address, but we never observed one. We are aware of two related GooglePlus IDs. The first one,, contains an abnormal number of views. At the time of writing, the count is 75 million:

BE2 plus profile

The second one - - is currently more modest at a little over 5,000 views. All of that account's posts are deleted.

Tracked Commands

During observation of the "router-PC" CnC described above, we tracked the following commands delivered in the config file before the server went offline, together with our observation of the related actions:

  • u ps start: password stealing (Windows)
  • ps_mps/ps_hwi start: start password stealing (Linux, MIPS, ARM)
  • uper_mps/uper_hwi start: rewrite hook module with a new version and launch it (Linux, MIPS, ARM)
  • nm_mps/nm_hwi start –ban -middle: scan ports and retrieve banners on the router subnet (Linux, MIPS, ARM)
  • u fsget * 7 *.docx, *.pdf, *.doc *: search for docs with the given filetypes (Windows)
  • s sinfo: retrieve information on installed programs and launch commands: systeminfo, tasklist, ipconfig, netstat, route table, trace route to (address elided) (Windows)
  • weap_mps/weap_hwi host188.128.123.52 port[25,26,110,465,995] typetcpconnect: DDoS on (address elided) (Linux, MIPS, ARM)
  • weap_mps/weap_hwi typesynflood port80 cnt100000 spdmedium host212.175.109.10: DDoS on (address elided) (Linux, MIPS, ARM)

The issued commands for the Linux plugins suggest the attackers controlled infected MIPS/ARM devices. We want to pay special attention to the DDoS commands meant for these routers. belongs to the Russian Ministry of Defense and belongs to the Turkish Ministry of Interior's government site. While many researchers suspect a Russian actor is behind BE2, judging by their tracked activities and the victim profiles, it's still unclear whose interests they represent. 

While observing some other CnCs and pulling down config files, we stumbled upon some strange mistakes and mis-typing. They are highlighted in the image below:

BE2 config file mistakes

First, these mistakes suggest that the BE2 attackers manually edit these config files. Secondly, it shows that even skilled hackers make mistakes.

Hard-Coded Command and Control

The contents of the config files themselves are fairly interesting. They all contain a callback c2 with a hardcoded ip address, some contain timeouts, and some contain the commands listed above. We include a list of observed hardcoded ip C2 addresses here, along with the address owner and geophysical location of the host:

C2 IP address   Owner           Country
(not shown)     -               US
(not shown)     Leaseweb        NL
(not shown)     Leaseweb        NL
(not shown)     Leaseweb        NL
(not shown)     Leaseweb        NL
(not shown)     Leaseweb        NL
(not shown)     Leaseweb        NL
(not shown)     Leaseweb        NL
(not shown)     Hetzner         DE
(not shown)     Hetzner         DE
(not shown)     Serverconnect   SE
(not shown)     Redstation      GB
(not shown)     Nadym           RU
(not shown)     Yisp            NL
(not shown)     -               UA
(not shown)     PIRADIUS        MY
(not shown)     Keyweb          DE
(not shown)     -               NL
(not shown)     -               US
(not shown)     -               DE
(not shown)     -               NL


It's interesting that one of these servers is a Tor exit node. And, according to the collected config files, the group upgraded their malware communications from plain text http to encrypted https in October 2013.


BE2 Targets and Victims

BlackEnergy2 victims are widely distributed geographically. We identified BlackEnergy2 targets and victims in the following countries starting in late 2013. There are likely more victims.

  • Russia
  • Ukraine
  • Poland
  • Lithuania
  • Belarus
  • Azerbaijan
  • Kyrgyzstan
  • Kazakhstan
  • Iran
  • Israel
  • Turkey
  • Libya
  • Kuwait
  • Taiwan
  • Vietnam
  • India
  • Croatia
  • Germany
  • Belgium
  • Sweden

Victim profiles point to an expansive interest in ICS:

  • power generation site owners
  • power facilities construction
  • power generation operators
  • large suppliers and manufacturers of heavy power related materials
  • investors

However, we also noticed that the target list includes government, property holding, and technology organizations as well:

  • high level government
  • other ICS construction
  • federal land holding agencies
  • municipal offices
  • federal emergency services
  • space and earth measurement and assessment labs
  • national standards body
  • banks
  • high-tech transportation
  • academic research


Victim cases

We gained insight into significant BE2 victim profiles over the summer of 2014. Interesting BE2 incidents are presented here.

Victim #1

The BE2 attackers successfully spearphished an organization with an exploit for which there is no current CVE, although a Metasploit module has been available. The email message contained a ZIP archive with an EXE file inside that did not appear to be an executable. This crafted ZIP archive exploited a WinRAR flaw that makes files in ZIP archives appear to have a different name and file extension.

BE2 spearphish example

The attached EXE file turned out to be 'BlackEnergy-like' malware, which researchers have already dubbed 'BlackEnergy3'; the gang uses it along with BlackEnergy2. Kaspersky Lab detects 'BlackEnergy3' malware as Backdoor.Win32.Fonten, naming it after its dropped file "FONTCACHE.DAT".

When investigating computers in the company's network, only BE2 associated files were found, suggesting BE3 was used as only a first-stage tool on this network. The config files within BE2 contained the settings of the company's internal web proxy:

BE2 config file contains victim's internal proxy

As the APT-specific BE2 now stores the downloaded plugins in encrypted files on the system (not seen in older versions – all plugins were only in-memory), the administrators were able to collect BE2 files from the infected machines. After decrypting these files, we could retrieve plugins launched on infected machines: ps, vsnet, fs, ss, dstr.
By all appearances, the attackers pushed the 'dstr' module when they understood that they were revealed, and wanted to hide their presence on the machines. Some machines already launched the plugin, lost their data and became unbootable.

Destructive dstr command in BE2 config file

On some machines some documents were also encrypted, but unfortunately the plugin responsible for that was not found.

Victim #2

The second organization was hacked via the first victim's stolen VPN credentials. After the second organization was notified about the infection they started an internal investigation. They confirmed that some data was destroyed on their machines, so the BE2 attackers have exhibited some level of destructive activity. And, they revealed that their Cisco routers with different IOS versions were hacked. They weren't able to connect to the routers any more by telnet and found the following "farewell" tcl scripts in the router's file system:

Ciscoapi.tcl – contains various wrappers over cisco EXEC-commands as described in the comments.
The comment includes a punchy message for "kasperRsky":

BE2 ciscoapi.tcl fragment

Killint.tcl – uses Ciscoapi.tcl, implements destroying functions:

BE2 killint.tcl fragment

The script tries to download ciscoapi.tcl from a certain FTP server which served as storage for BE2 files. The organization managed to discover what scripts were hosted on the server before the BE/SandWorm gang deleted them, but unfortunately couldn't restore them after they were deleted. The BE2 actor performs careful, professional activity, covering their tracks:

There is evidence that the logs produced by some scripts were also stored on the FTP server, in particular the information on CDP neighbors which is provided by one of the procedures of ciscoapi.tcl.

Victim #3

The third organization got compromised by the same type of attack as the first one (an EXE file spoofing a doc within a Zip archive). All the plugins discovered in BE2 files were known, and there was no revelation of hacked network devices on their side and no destroyed data. The noticeable thing is that many computers contained both BE2 and BE3 files and some config files contained the following URL:

The URL contains the md5 of the string 'router'. One of the discovered config files contained a URL with an as yet unidentified md5:

Victim set #4

In a set of victims, Siemens SCADA software installed in their ICS environment was found to be responsible for downloading and executing BlackEnergy. Starting in March 2014 and ending in July 2014, the Siemens "ccprojectmgr.exe" downloaded and executed a handful of different payloads hosted at (address elided). They are all detected as variants of "Backdoor.Win32.Blakken".

Build IDs

Each config file within BE2 main.dll has a field called build_id which identifies the malware version for the operators. Currently this particular BE/SandWorm gang uses a certain pattern for the build ids containing three hex numbers and three letters, as follows:


The numbers indicate the file creation date in the format Year-Month-Day. The purpose of the letters is still unknown, but most likely they indicate the targets. Hex numbers were not used all the time; sometimes we observed decimal numbers:



Most interesting for us was the earliest build id we could find. Currently it is "OB020Ad0V", meaning that the BE2/SandWorm APT started operating as early as the beginning of 2010.


Appendix: IoC

The BE dropper installs its driver under a randomly picked, unused Windows driver name, such as %system32%\drivers\AliIde.sys; on 64-bit systems the driver is self-signed.
However, the new "APT" BE2 uses one of the following filenames as encrypted storage for plugins and network settings. They are consistent and serve as stable IoCs:


BE2 also uses start menu locations for persistence:
Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\flashplayerapp.exe

BE3 uses the following known filenames:

BE2 MD5s:

BE3 MD5s:


Parallel and Previous Research

Botnet History Illustrated by BlackEnergy 2, PH Days, Kaspersky Lab - Maria Garnaeva and Sergey Lozhkin, May 2014

BlackEnergy and Quedagh (pdf), F-Secure, September 2014

Sandworm, iSIGHT Partners, October 2014

Alert (ICS-ALERT-14-281-01A) Ongoing Sophisticated Malware Campaign Compromising ICS (Update A), ICS-CERT, October 2014


Keep it off the floor

SANS Tip-of-the-Day - Thu, 10/30/2014 - 23:30

Get it out of the car

SANS Tip-of-the-Day - Wed, 10/29/2014 - 22:26

A false choice: the Ebola virus or malware?

Malware Alerts - Thu, 10/23/2014 - 09:31

In September we came across mentions of people in Africa suffering from the Ebola virus and unusual invitations to a conference of the World Health Organisation (WHO) in the subject line of so-called "Nigerian" emails. The aim of the conmen was, as usual, to swindle money from trusting recipients who entered into conversation with the authors of the letters.

In October it was the turn of the cybercriminals, who used the tumult around the Ebola virus to send letters containing malware. Once again the WHO was indicated as the sender of the letters, which is unsurprising as this is the organisation that deals with various diseases and epidemics on a worldwide level.

In the text of the letters we detected, the evildoers tried to convince recipients that the WHO had prepared a file with general information and security measures that would help protect users and those around them from the deadly virus and other diseases. Furthermore, the recipient was also asked to distribute this information to help the WHO.

To mask the real link a link abbreviation service was used, which finally redirected users to a popular cloud data storage service. There the criminals had stored the malware program Backdoor.Win32.DarkKomet.dtzn disguised as a document from the WHO. This malware is designed to steal personal data. We note that access to the file was blocked quite quickly by the service administrators and, probably for that reason, the evildoers decided to change their letter. The very next day our traps caught a similar communication supposedly from the WHO, only this time the archive with the same malware program was inserted into the letter itself.

Cybercriminals rarely miss a chance to use current events and the names of famous organisations to trick the recipients of their spam. And so, having fallen for the convincing header and failed to pay attention for even a moment, users risk compromising their personal data and surrendering control of their computer to criminals. It is worth remembering that modern anti-virus solutions provide protection but it is only the considered actions of users that can keep their personal data safe.

Spam in September 2014

Malware Alerts - Thu, 10/23/2014 - 07:00
Spam in the spotlight

In September, "Nigerian" scammers sent out stories relating to the breaking news of the Ebola epidemic. There was festive spam, focusing on both the US Labor Day celebration and the upcoming winter holidays: spammers have started to offer products and services for Christmas. A large part of the major theme mailings promoted products and services using popular social networking sites: the spammers promised an instant influx of new customers and income growth.

The Ebola virus in "Nigerian" spam

In July, the first reports about the Ebola outbreak in Africa appeared in the media. While the world's attention was focused on how to fight the epidemic and prevent it spreading further, scammers used the disease to create new stories for their "Nigerian" letters.

In September, we came across several mailings which mentioned Ebola. In addition to the popular "Nigerian" legends written supposedly on behalf of people with various diseases the fraudsters made up quite unusual stories. For example, an email from a rich Liberian lady dying from Ebola contained a long story about her children who died from the virus and about the local medical center which refused to help her. She was willing to donate more than $1.5 million to a recipient who would transfer this money to charities. The message contained a detailed description of the situation that is unusual for "Nigerian" letters. However, this long story was still nothing more than yet another trick to make recipients believe the story and start corresponding with the scammers.

The authors of another fraudulent mailing introduced themselves as an employee of the World Health Organization and tried an unusual tack to attract attention – the reader was invited to a conference where Ebola would be discussed along with other medical issues. The recipient was not only invited to participate in the conference as a guest but was also offered 350,000 Euro and an automobile for his work as the WHO Representative in the UK. If the victim was interested in the offer, he had to provide his personal data. Apparently, the scammers hoped that the offer of money and work in an international company would ease all the user's doubts.

Holiday spam

In early September, the United States celebrated Labor Day and the spammers were determined not to miss out on the event. Traditionally, in the run-up to the holidays people are attracted by discounts and sales. This time, companies selling print cartridges offered discounts not only for Labor Day but also the beginning of the new school year. Pharmaceutical spam advertizing drugs for weight loss also offered discounts related to the holiday.

Spam traffic around the world also contained adverts for goods and services related to Christmas. English-language messages offered a Christmas party on board a ship and urged early booking to get the lowest prices. In addition, the spammers encouraged people to start thinking of buying Christmas gifts in September and order digital devices directly from Chinese manufacturers as well as ordering a Christmas tree for the holiday.

Earnings and advertising on social networking sites

Another major theme this month was spam messages advertising various ways to earn money online using popular social networking sites. Most often, spammers offered to create an individual profile or a group in Twitter, Facebook or LinkedIn, to design a page according to the concept of the company and the goods it sells, to provide the first subscribers as well as to create the primary content and begin to actively promote it. Naturally, all this came at a cost. After such a comprehensive approach to creating a community in a social network the authors of the mailings promised a sharp increase in the customer numbers and sales volumes. Users were asked to apply by following a link in the email.

Spammers also spent plenty of time offering professional business promotion by placing photos and videos on specialist social networking sites. The authors of these mailings also promised to provide their customers with the necessary number of subscribers, for example, in Instagram, to place the photos of goods and to achieve the first results within the next three days. The recipients were often invited to make a video presentation of the company or the product and to post it on the popular video hosting YouTube. The spammers also promised that users could make "an obscene amount of money" with the help of YouTube by spending just 40 minutes a day on it. However, these mailings were nothing more than adverts about yet another author marketing course on DVD. To buy the DVD the recipient needed to follow a link in the email to enter the necessary website and make an order.

In September, we also came across the mailings containing invitations to seminars and webinars dedicated to the "art" of group and community administration on social networks. The authors of these training sessions promised to reveal all the secrets of an administrator's work (for example, on Facebook or LinkedIn), leading to a stable monthly income for students. To register for a webinar, the recipient had to click on the link in the email.

According to the authors of foreign-language spam mailings, the most popular source for attracting new customers and revenue growth was, of course, Facebook. So the spammers proposed using the network to promote personal ads and to link specific redirects to posts and photos – in this case the number of potential customers would depend on the quality of the content and the willingness of the users to click the links published in the communities. To accomplish this, they suggested special software which could be bought via spam mailings. Sites with detailed descriptions of the software had been created a few months earlier and their names contained such words as "customers", "income" and "Facebook".

Spam for collectors

Among the most interesting mailings of the month were collector-oriented spam messages. English-language users were offered a free booklet on British medals from the First World War. The emails with the generous offer supposedly came from the SSAFA, a charity created to assist British war veterans and their families. However, the official website of this organization had no information on the promotion, while online feedback pointed out that the mailing was unsolicited. The message linked to an order page where recipients were asked to provide contact details including a phone number. This is one of the ways the fraudsters collect users' personal data, which will later be used for promotional purposes. For example, a phone database can be used for cold calls to sell goods and services.

Another mass mailing was distributed on behalf of a collector. In his emails he spoke about his hobby - collecting badges and stickers with the logos of various organizations. He wrote to different companies asking for samples for his collection. Although it's unlikely that these emails were fraudulent, they were unsolicited and therefore were classified as spam.

Statistics

The percentage of spam in email traffic

The percentage of spam in September's email traffic averaged 66.5%, which is 0.7 percentage points down from August. The amount of unsolicited email consistently decreased throughout the month – in early September the percentage of spam averaged 69.3% while in the end it dropped to 63.1%.

Sources of spam by country

In September, the Top 3 most popular sources of spam were as follows. The USA remained in first position (12%), although its contribution was down nearly 4 percentage points from the previous month. Vietnam moved from fourth to second place with 9.3%, up 4.6 percentage points. Russia was in third place with 5.8% – there was little change in its numbers, but it dropped one place in the table.

Sources of spam around the world

China was in 4th position with 5.6% of all distributed spam; its contribution dropped by nearly 1 pp. It was followed by India (4.7%), which, with almost 2 pp growth, rocketed from 10th in August to 5th in September.

South Korea (3.2%) also increased its share, by 1.3 pp, and placed 7th, up eight from the previous month. Meanwhile, Germany (2.9%) lost 0.7 pp and fell from 6th to 9th place in September. The Top 10 was completed by Taiwan with 2.5% of all distributed spam. France, Spain and Italy each also produced a little more than 2% of the world's spam.

Sources of spam in Europe by country

Vietnam was September's leading source of spam sent to European users (11.1%). Next came the USA with 9.1% and Russia on 6%.

They are followed by China (5.3%), India (4.5%), Argentina (3.7%) and South Korea (3.5%). About 3% of European spam originated from each of Brazil, Germany and.

The rating also includes Taiwan (2.7%), Spain (2.6%), Italy (2.5%) and Mexico (2.3%) in 11th-14th place. Iran was in 15th position with 2.2% of spam sent to European users. The percentage of spam that originated from elsewhere did not exceed 2%.

Malicious attachments in email traffic

In September, the Top 10 malicious programs distributed via email were:

Top 10 malicious programs distributed via email

Dofoil: Trojan-Downloader.Win32.Dofoil.dx, Trojan-Downloader.Win32.Dofoil.dy and occupied 1st, 6th and 9th places respectively. This type of malware downloads other malicious programs onto the victim computer and uses them to steal user data (primarily passwords), which it then sends to the fraudsters.

Trojan-Spy.HTML.Fraud.gen was in 2nd position. As we wrote before, this piece of malware from the Fraud.gen family is a fake data entry HTML page that is sent to users by email, disguised as an important message from large commercial banks, online stores, software companies etc.

Trojan-Banker.HTML.PayPal.b came 4th. This malicious program appears in the form of an HTML page imitating a PayPal form. Recipients of an email containing this attachment are asked to fill in the form to update their PayPal account after the launch of a new IT security system. The German-language form includes fields like E-Mail Adresse, PayPal passwort, Vollständiger Name, Nachname der Mutter (Fakultativ), Geburtsdatum, Telefonnummer, Adresse, Stadt, Land, Postzahl, Kartennummer, Verfallsdatum, Kartenprüfnummer, VBV Passwort / MasterCard. It seems the fraudsters are targeting German-speaking PayPal users.

and placed 5th and 8th in the ranking. These programs imitate a .doc file with built-in macros written in Visual Basic for Applications (VBA), which are executed when the document is opened. The macros download and run malicious software, such as representatives of the Andromeda family.

Trojan.Win32.Vundo.adc completed the list of the most popular malicious programs distributed via email. This program downloads other malware, for example, Trojan-Banker.Win32.Fibbit, which compromises the data passing through banking client applications. The Trojan intercepts keystrokes, copies data from the clipboard, searches for file certificates with the .jks extension, makes screenshots and tries to read the "keys.dat" file. All the stolen data is packed in the CAB archive and sent to the attacker's server.

Distribution of email antivirus detections by country

For several months in a row, the three countries with the most antivirus detections have been Germany, the UK and the USA, each jostling for position at the top. In September, Germany took the lead (9.11%), followed by the UK (8.45%) and the USA (8.26%).

Russia was a big mover once again – after unexpectedly rising to 4th place in August it lost 4.14 percentage points and dropped down to 13th.

Special features of malicious spam

In September, many mailings containing malicious attachments dealt with matters of hiring and firing. We registered a mass mailing that told recipients their employment contract with an organization (the company name varied from email to email) had been terminated for violations of the company's internal policy. The messages even provided the number and date of the alleged violations. The email also stated that recipients had already been issued written warnings demanding improved behavior in future. However, since nothing had been done, the labor contract was terminated.

To appeal this decision, the recipient was invited to consult a lawyer before a specified deadline. The email contained an attached archive with documents about the supposed violations. To view the documents, the recipient had to open the attachment. In fact, though, the attachment contained a representative of the Trojan-Downloader.Win32.Cabby family. This malware downloads other malicious software onto the victim computer, including various modifications of the Zbot family of programs.


In September, Kaspersky Lab's anti-phishing component registered 18,779,357 detections, 13,874,415 detections fewer than in the previous month. This decline in the amount of phishing was caused by the end of the summer slowdown and the beginning of the business season. It should also be noted that September is often a month for presentations and other major company events. In the run-up to these, phisher activity grows, leading to a spike in the number of fraudulent attempts at the end of the summer.

In September, Brazil (17.8%) was once again the leading country for phishing attacks, even though its share was down 1.7 percentage points. Australia dropped to 3rd with 11.1% of all antivirus detections. Second came India (13.4%). The UAE (10.5%) and France (10.4%) were in 4th and 5th positions respectively.

The geography of phishing attacks*, September 2014

* The percentage of users on whose computers the Anti-Phishing component was activated, from the total number of all Kaspersky Lab users

Top 10 countries by the percentage of attacked users:

Rank  Country      % of users
1     Brazil       17.8
2     India        13.4
3     Australia    11.2
4     UAE          10.5
5     France       10.4
6     Canada        9.9
7     China         9.9
9     Colombia      9.4
8     Bangladesh    9.0
10    UK            8.0

Targets of attacks by organization

The statistics on phishing targets are based on detections made by Kaspersky Lab's anti-phishing component. It is activated every time a user enters a phishing page that has not previously been included in Kaspersky Lab databases. It does not matter how the user enters this page – by clicking the link contained in a phishing email or in the message in a social network or, for example, as a result of malware activity. After the activation of the security system, the user sees a banner in the browser warning of a potential threat.

In September, Global Internet Portals were again the leading category among the organizations most often attacked by phishers with 24.7%, even though the share decreased by 6.1 pp. The contribution of Social networks (20.2%) rose by 2.8 pp from the previous month.

Organizations most frequently targeted by phishers, by category – September 2014

Financial phishing accounted for 36.9% of all detections made by Kaspersky Lab's anti-phishing component, a 1.7 pp growth compared with the previous month. The percentage of detections affecting Banks accounted for 18.9% (+0.5 pp), followed by online stores (11.4%, +1.4%) and E-payment systems (7.3%, +0.5%).

Top 3 organizations most frequently targeted by phishers

Rank  Organization   % of detections
1     Facebook       11.16%
2     Yahoo!          7.10%
3     Google          6.31%

In September, Facebook (11.1%) was most heavily targeted by phishers: its share was up 1.1 pp. Yahoo came 2nd with 7.1% of all Anti-Phishing component detections. The share of Google services halved compared to August and accounted for 6.3%, placing this organization 3rd.

September's spam traffic contained phishing mailings aimed at stealing logins and passwords for accounts with the popular Chinese online store The scammers tried to convince recipients to update their accounts or confirm their use, with reference to a new security system and account maintenance. The design of the fake messages used the official logo and the auto signature of as well as the standard anti-virus notification about the absence of threats in the email. The 'From' field named as the sender and the sender's address contained mainly legitimate domain names. However, on closer examination, an observant recipient could notice spelling mistakes in the addresses of senders and see domain names which obviously did not belong to the company.

Phishing pages were included directly in the fake emails and had a similar design. Recipients had to fill in the fields entering not only email addresses and passwords but also company names, countries of residence and mobile phone numbers. This way the fraudsters collected additional information about their victims for use in future scams.
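The two tells described above (a misspelled sender domain and a domain that does not belong to the company at all) can be checked mechanically on incoming mail. The following is an added example, not code from the report or from Kaspersky Lab; the store's real domain is not given on the page, so "example-store.com" is a placeholder and the four messages are constructed samples.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed legitimate sender domain(s) for the brand being imitated (placeholder).
LEGIT_DOMAINS = {"example-store.com"}

# Constructed sample messages: one genuine, two typo lookalikes, one unrelated domain.
SAMPLES = [
    "From: Example Store <service@example-store.com>\nSubject: Account notice\n\nbody",
    "From: Example Store <service@examp1e-store.com>\nSubject: Update your account\n\nbody",
    "From: Example Store <noreply@exarnple-store.com>\nSubject: Confirm your account\n\nbody",
    "From: Example Store <security@account-verify-center.net>\nSubject: New security system\n\nbody",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); domain names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(raw_message: str) -> str:
    """Extract the domain from the From: header's address part, ignoring the display name."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw_message: str, legit=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, domain): 'legit', 'lookalike' (a few edits away from a real
    domain, i.e. the 'spelling mistake' the report mentions) or 'unrelated'."""
    domain = sender_domain(raw_message)
    if domain in legit:
        return "legit", domain
    if any(levenshtein(domain, good) <= max_distance for good in legit):
        return "lookalike", domain
    return "unrelated", domain


def triage(messages):
    """Classify a batch of raw messages; anything not 'legit' deserves a closer look."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for verdict, domain in triage(SAMPLES):
        print(f"{verdict:10} {domain}")
```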


In September, the percentage of spam in email traffic decreased by 0.7pp and averaged 66.5%. The main distributors of spam were the USA (12%), Vietnam (9.3%) and Russia (5.8%).

A Trojan downloader from the Dofoil family topped the rating of the most popular malware spread via email. This malicious program is used to download other malware onto victim computers.

In September, Kaspersky Lab's anti-phishing component registered 18,779,357 detections. According to the statistics, 17.8% of all detections targeted users in Brazil. Australia, which was August's leader, moved down to 3rd position (11.1%). Global Internet Portals remained the leading category among the organizations most often attacked by phishers, with 24.7% of all attacks. Financial phishing accounted for 36.9% of all detections made by Kaspersky Lab's anti-phishing component, a 1.7 pp growth compared with the previous month. In September's Top 3 organizations most frequently targeted by phishers, Facebook took the lead with 11.1% of all detections.

In September, "Nigerian" scammers switched their attention from events in Ukraine to health issues, in particular to the Ebola virus which was rarely far from the headlines this month.

Promotional mailings offered goods and services dedicated to America's Labor Day celebrations, as well as to the popular winter holidays celebrated worldwide. From now on we expect to see a sharp rise in the percentage of spam dedicated to Christmas and New Year festivities until it reaches its December peak.

Leave your passwords at the Checkout Desk

Malware Alerts - Thu, 10/23/2014 - 04:20

Hotels, restaurants and airports have taken to offering customers free tablets to use while on their premises. Recently, while attending an event and staying in one such hotel, I had the chance to use a free iPad specially installed in my room.

To my surprise, it not only contained the event agenda and provided a free WiFi connection, but also included a lot of private personal information from previous guests who had stayed in the same room.

When I speak about private personal information, I mean accounts with pre-saved passwords, authorized sessions on social networks, search results from the browser (mostly pornographic content), full contacts automatically saved into the address book, iMessages and even a pregnancy calculator with real information. It was not even hard to figure out the identity of the woman who had used it, since she also left her personal contact information on the device:

Having full names and email addresses cached on the device, it was not hard to Google a little bit and find out that some of the users were very public people working for the government of the country where I was staying.

Most of the sessions were still open, even allowing the posting / sending of messages in the name of the user:

This is completely unacceptable from a security perspective. Basically, a potential attacker had the chance not only to read sent and received messages but also to impersonate the victim by sending messages in their name.

I also see this scenario as a perfect personal data collector for high profile spear phishing campaigns. On the other hand, if a potential attacker came from a classic cybercrime sphere, they might blackmail their victims. Moreover, it would be extremely easy for the criminal to do this, since they would have all kinds of data of the victims, including the name of pornographic movies watched on each specific date and time. Bearing in mind that some of the potential victims are public people and work for the government, most probably such blackmail would be successful.

So, what's wrong here? Well, I would say everything. First, it is unwise to use a free public device for personal and private communication. You just never know if the device is backdoored or who might be behind such hospitality. Second, if a public facility wants to offer its guests free portable devices for the duration of their stay, it's important that such devices are properly configured first, applying sensible security policies such as not storing personal information, not saving passwords and so on.

Maybe I'm too suspicious, but having an unknown and untrusted device like a tablet in my room, equipped with an embedded camera and a mic, I just preferred to switch it off and store it inside a drawer. I had to do this every afternoon, since the cleaning staff put it back on the desk every day I was at the hotel.

You also have to remember that, even if such a free device is properly configured and does not visibly store any private information, you can't be sure that the next guest is not an expert in forensic analysis, in which case they could just take an image of the whole device and then recover your personal information step by step.

You may follow me on twitter: @dimitribest
