Malware RSS Feed

Scammers' delivery service: exclusively dangerous

Malware Alerts - Wed, 09/17/2014 - 07:00

Well-known companies and brands are favorite targets for fraudsters. After all, it is much easier to get people's attention with the use of a popular name, so scammers have more chance of trapping a gullible user.

In this article, we will analyze phishing and malicious emails sent by fraudsters on behalf of international delivery services. The most popular of these are DHL (Germany), FedEx and United Parcel Service (USA), TNT (Netherlands). All of these companies are international, with millions of customers using branches in major countries all over the world. They provide similar services, so scammers use the same methods and techniques in their fraudulent mails.

The phishers' goals include:

  1. Theft of confidential data (bank card credentials, logins and passwords from personal accounts), mainly with the help of fake web pages imitating official pages of the site. In a phishing attack users provides the fraudsters with their personal data by filling the fields on fake sites or sending them via email.
  2. Installing various malicious programs on users' computers. These programs are used not only to monitor user online activity and steal personal information, but also to organize botnets to distribute spam and launch DDoS attacks.
Headings of fraudulent emails The From field

Structurally, the  address in the From field looks like this: Sender Name . To confuse recipients, scammers can change parts of the address and often make it look very similar to an official address of the delivery service.

There are several groups of email addresses seen in fraudulent emails:

  1. Email addresses which closely resemble companies' legitimate public addresses. Generally, they use the name of the company (DHL INC, TNT COURIER SERVICE, Fedex, etc.) as the sender name. The name of the mailbox often includes the words info, service, noreply, mail, support which are typical of email addresses used to send official notifications. The server domain name often has a real or very plausible company domain.
  2. Addresses which do not resemble legitimate company addresses. The sender name still reflects the company name (FedEx, DHL Service, FedEx.com) but the domain name usually belongs to a free email service or an absolutely different company. The email address could be taken from a real user (taken from public sources or hacked mailboxes) or automatically generated addresses. The latter usually appear as a random sequence of letters, words and numbers.
  3. Addresses that resemble e-mail addresses of company employees. The sender name may contain the name and surname of a supposed employee, or the company name, or a position (courier, manager, etc). The name of the email box usually contains the same name and surname as the sender name because any difference in the data may alert the recipient to a fraudulent email. Either the real company domain or other domains not related to delivery companies might be used as a domain name.
  4. Addresses which only indicate the sender's address without a name.

While analyzing sender address, remember that scammers do not need to hack the company servers to use the real company domain in the From field. They can simply insert the necessary domain name of the server into the From field.

The Subject field

The subject of the fraudulent mail should capture the imagination of recipients and encourage them to open the message, but it also needs to be plausible. Therefore spammers choose common phrases typical of official notifications from delivery services. After sending a parcel or a document, customers worry about its successful delivery and try to follow its progress by reading any notification from a delivery service.

The most popular subjects are:

  1.  Subjects related to the delivery/shipment (shipment notifications, delivery status, shipping confirmation, shipment documents, delivery information, etc.).
  2. Examples:

  3. Subjects related to tracking shipments, order information and invoices (the tracking number of the shipment, tracking the shipment, etc.).
  4. Examples:

  5. Subjects related to notifications about messages and accounts (creation and confirmation of accounts, new messages, etc.).
The design of the email

Scammers pay special attention to the design of the email. Their main goal is to make message as believable as possible. After all, if it looks suspicious, a potential victim will most likely delete it despite the attractive subject and plausible sender address. Let's analyze the basic techniques that fraudsters use to make emails look legitimate.

Graphic design

All major international companies have their own corporate style, including wordmarks, graphic trademarks, corporate fonts, slogans and color schemes. These are used on the official website, in mailings and commercials, and in other design components. Scammers use at least some of these elements when designing fraudulent emails to make them look convincing. Usually phishers focus on logos because these elements are unique to each company and is an immediate identifying mark.

Examples of DHL company logos used in fraudulent emails.

Let's take a closer look at these examples. It's immediately obvious that the second example is very different from the company's official logo. Another sign of a forgery is the difference in size between the false logo and the original, as seen in the fourth example where the logo takes almost a third of the message. Here the plan is probably to attract the reader's attention with a large bright picture rather than plain text. That also explains why the phishing links appear in a larger font: users should respond to it immediately, without trying to read the small print.

In the first example, the scammers are trying to copy the design from the official site (a very popular method). However the logo is placed on the right-hand side rather than on the left. Also they are using a color blend for the logo background rather than making it single-color. The logo in the third example most closely imitates the original DHL logo: the scammers have tried to match its size and design. It's not really all that difficult to make a logo for a fake notification: there are plenty of versions of the original image available online in several formats, including vector graphics. In addition to the logo the fraudsters use the color spectrum chosen by the company in its official resources and mailings. For example, for DHL it is a combination of yellow and red.

The text design

In most official emails we find a number of set phrases, especially when it comes to standard notifications generated and sent automatically. These messages often include contacts and links to the official resources of the sender. Therefore, to make the text of the fake email look like an original notification from a delivery service the fraudsters use:

  1. Standard phrases typical of official mass mailings: Please do not reply to this email, This is automatically generated email, please do not reply, All rights reserved, Diese Versendung ist automatisch, Bitte beantworten Sie diese nicht, This communication contains proprietary information and may be confidential. Questo e' un email automatico, Si prega di non rispondere, etc.
  2. Links to the official page of the company. Not all links contained in the fraudulent email are phishing - spammers may also use the links which really lead to the official resources on order to make their emails look legitimate and bypass spam filtering.
  3. Contact for feedback. The fraudsters often indicate the contact information of the sender or the company (name, surname, position, office address). These contacts might be real or fictitious.
The content of the email

When fraudsters send out fake emails convincing readers that it is a real message is only part of the battle. The next step is to persuade the potential victim to do what the scammer requires, such as providing personal information or installing a malicious file. This is where psychology comes into play, and the email content is the main tool.

In fraudulent notifications allegedly sent on behalf of delivery services often use the following tricks:

  1. Notifications of various problems (eg. unsuccessful delivery, lack of information, wrong address, no recipient at the delivery address). These phrases are usually related to the delivery since the companies in question are in the service sector. Therefore, a logistics company warning of a problem with a delivery doesn't prompt any suspicion, especially if the email contains some details of the situation.
  2. A demand to do something or face some consequence. For example, "collect your parcel within 5 days otherwise it will be returned to the sender".
  3. The scammers use deadlines like this to make recipients react immediately. The phishers hope that users will be so worried about losing the parcel or paying extra costs that they won't hesitate to provide personal details or open a suspicious attachment.

  4. Phrases about the content of an attachment or link (invoices, detailed information, documents).
  5. Users are unlikely to open unknown attachments or follow unknown links. That's why scammers imitate official websites and present malware as a document with information a parcel. In addition, if the text of the notification states that the attachment contains, for example, a consignment document, the malicious archive will have a similar name, such as "consignment.zip." This applies to phishing links as well - scammers name their links with an appropriate phrase from the text, such as "shipping information".

    This simple trick is intended to reassure recipients that the attachment or link is perfectly legitimate.

  6. Phrases about the need to do something (follow a link, open an attachment, print out a file, etc.).
  7. Assuming the fraudsters have convinced the recipients that the email is real, the next step is to tell the victims how to solve their problems. Fulfilling these instructions is the ultimate goal of the fraudulent email. Here it is important for the scammers not just to tell recipients what they need to do, but to make them understand correctly what is written in the message. To avoid any misunderstanding on the part of the recipients, messages often contains detailed instructions about what to do.

How the text might change

Cheating the user is not the only thing scammers have to do. They also need to bypass spam filters and deliver the email to the email boxes of potential victims. One of the most popular and long-used methods to bypass filtering is to change text fragments within the email. Modern programs designed to send out spam messages include ample opportunities to generate multiple changes in the text. The text of a message which varies from email to email makes the email unique, while different personal information specified within one mailing (such as the number of the shipment, the form of the address, the dates) helps to convince recipients that the email is intended for them. In addition, the fraudsters can send out emails designed in the same style for several months - they only need to change some elements in the text.

Fraudulent notifications from delivery services can change:

  1. The information about the order/shipment, including the tracking number of the shipment, delivery dates, etc.)
  2. Contact details, sender names and company names. Some mass mailings provide an e-mail address or a phone number of a company representative for feedback. This particular data changes from email to email. In addition, names of company representatives and even company names themselves may also vary.
  3. The name of the attachment. It mainly refers to malicious attachments which names vary in messages within one mass mailing while these different names hide one and the same malicious program.
  4. Links. In phishing emails and emails with malicious attachments scammers often specifically change the addresses of the links, masking them with the help of different URL shorteners. Most of these links are quickly blocked by current antivirus programs.
  5. Phrases indicating numbers and dates. These can refer to timetables (days, hours), sums of money and dates (day and month)
  6. The greeting. Here spammers generally use the email address and/or the name of the recipient. Sometimes they use generic expressions (Dear client, Dear customer, etc.) instead.
  7. Other text fragments. Some words are replaced with other phrases that have a similar meaning so the general sense of the sentence remains unchanged.

Let's analyze some examples of changes in the text of fraudulent emails.

Below are some emails from yet another mass mailing.

Fake pages

To steal personal information from users, scammers create phishing HTML pages which partially or completely copy the official website of a company. If victims of fraud enters their personal information (bank details, usernames and passwords) on this page, that data immediately falls into the fraudsters' hands.

To mask the links leading to phishing websites the fraudsters often use popular free URL shorteners. In addition, most services offer customers the ability to view the statistics on the short link which tells fraudsters more about the number of clicks on any links etc. Phishing pages can be located on specially registered domains which usually have a short life span as well as on compromised domains whose owner may not even be aware that the web site is being used for fraudulent purposes.

Let's analyze a fake email sent on behalf of FedEx in which recipients are asked to update their account information. The text of the email contains a link to the official website of the company while the real address to which the user is redirected is nothing like the legitimate page and is located on a free URL shortener service. This becomes obvious when you hover on the link.

After clicking the link, users get to a fraudulent page imitating the official website of FedEx, where they are asked to enter their logins and passwords to access their accounts. Once the users fill in the fields and click "Login", the entered information is transmitted to the scammers who can then access the victims' personal accounts. The menu tabs and other links on the phishing page are often inactive, so clicking on them will not take users to the appropriate page. However, in some cases, phishers imitate all links on the page so that users do not have any doubt about its legitimacy. Sometimes the design of the page imitates the official site but does not copy it completely. If you have a closer look at the details, you will see some differences between the designs of the real and the fake pages. However, most users do not pay attention to small details and this carelessness helps the scammers to steal personal information.

Below is yet another example of an email sent on behalf of FedEx. This time it contains a malicious link.  The email informs recipients that delivery is impossible because of missing information. And now users have to follow the specified link for verification.

The link leads to a fraudulent page where potential victims are invited to download a program that will supposedly check whether they are really going to receive a parcel. Naturally, the program turns to be the well-known Zeus Trojan, which helps the fraudsters to access the computer and all the personal information on it.

Scammers might not only include a phishing link in the body of the email, but also attach an HTML phishing page designed to steal personal data. However this use of HTML attachments as phishing pages is unusual for fraudulent mailings sent on behalf of delivery services.

Fraudulent emails in different languages

To increase the audience of recipients and customers, spammers are mastering new languages. In addition to traditional English and German, current spam traffic includes emails in Hebrew, Albanian and other languages​​ which were found in advertising and fraudulent mailings a few years ago. For example, you may come across fake notifications from international delivery services written in Italian and Dutch. These emails do not have any special features that distinguish them from English- or German-language messages - to cheat users, the fraudsters resort to the same tricks.

For example, this Italian-language fake notification from FedEx tells users to confirm their identity by following a fraudulent link.

Yet another mass mailing in Italian contained a malicious archive which included the Zeus/Zbot Trojan used to steal personal data. The fraudulent email claimed that the user profiles on the website had been updated and there was more detailed information about it in the archive.

Another fake notification written in Dutch on behalf of TNT informs recipients that new accounts have been formed for them, with details in the attachment. The archive attached to the email contains Backdoor.Win32.Andromeda, a malicious file that allows the scammers to control the infected computer without the user knowing.

Malware in fraudulent emails

Spam is one of the most popular ways of spreading malware and infecting computers on the Internet. Attackers have various tricks to make victims install malicious software on their computers. Email traffic includes a variety of private emails, such as wedding invitations, dating offers and other similar messages. However, fake notifications from well-known companies and brands providing different services remain the most popular cybercriminal trick. International delivery services are also used by spammers as a cover for malicious spam.

Malware spread in fake notifications from delivery services is divided into:

  1. Trojan programs developed to perform unauthorized operations in order to delete, block, modify or copy data, to disrupt computer or network performance. Trojans distributed in spam include Backdoors, Trojan-Downloaders, Trojan-Proxies, Trojan-PSWs, Trojan-Spies, Trojan-Bankers and others
  2. Worms, malicious programs capable of unauthorized self-proliferation on computers or computer networks. Those copies go on to spread themselves further.

What is dangerous about malicious programs?

  1. They can steal usernames and passwords from users' accounts, as well as financial or other information sought by the attackers.
  2. They can create botnets for distributing spam, DDoS attacks and other criminal activity
  3. They can provide fraudsters with control over victim computers, including the ability to run, delete or install any files or programs.

Current malicious programs integrate broad-ranging fraudulent functionality. In addition, some malicious programs can download other malware, providing additional opportunities. These might include stealing usernames and passwords entered in the browser or seizing remote control over the whole computer.

Malicious objects in fraudulent notifications can be embedded directly in the email or downloaded from a link provided in the body of the message. The most dangerous thing about it is that malware can be run and installed without users being aware or installing any software themselves. Typically, malicious ZIP (less often RAR) files enclosed in fraudulent emails have an executable .exe extension.

How to recognize phishing emails

Below are a number of features that can help to identify a fraudulent email.

  1. The sender address. If the sender address includes a random sequence of letters, words or numbers, or the domain has no connection with the official address of the company, the emails should undoubtedly be considered fraudulent and deleted without opening.
  2. Grammar and spelling mistakes. Wrong word order, incorrect punctuation, grammar and spelling mistakes can also be a sign of a fraudulent mailing.
  3. Graphic design. Scammers are doing their best to make the email look very similar to the original. To this ends they are trying to imitate other companies' corporate styles using some of their elements such as color schemes and logos. Inaccuracies and noticeable design errors are among the signs of a fake email.
  4. The content of the email. If the recipient of the email is asked under various pretexts to urgently provide or confirm personal information, download a file or a link – especially while being threatened with sanctions for not doing so – the email may well be fraudulent.
  5. Links with different addresses. If the address of the link specified in the body of the email and address of the actual link to which you are redirected do not match, you are definitely looking at a fraudulent email. If you are viewing your email from the browser, the actual link can be usually seen in the bottom left of the browser window. If you use an email client, the actual link can be displayed in a popup window if you hover the cursor over the link in the text. Fraudulent links can also be attached to a text phrase in the email.
  6. Attached archives. Generally, ZIP and RAR archives are used by cybercriminals to hide malicious executable EXE-files. Therefore, you should not open these archives or run the attached files.
  7. Lack of contacts for feedback. Legitimate emails always provide contact information for feedback - either the company or the sender's personal contacts.
  8. Form of address. Fraudulent emails do not necessarily use the first name or the surname to address the recipient; sometimes a universal form of address ("client", etc.) is used.

Thefts in Remote Banking Systems: Incident Investigations

Malware Alerts - Thu, 09/11/2014 - 07:00

More and more companies are asking Kaspersky Lab to carry out detailed investigations of malware-related IT security incidents affecting their business.

In this article, we will describe a typical cybercriminal attack aiming at stealing corporate financial assets from a remote banking system.

Description of the Incident

An organization recently asked Kaspersky Lab to investigate an incident that had occurred in its corporate remote banking system: a bank representative contacted the organization's accounting department and asked for confirmation of a payment worth 3 million rubles (about US$80,000). It transpired that nobody in the organization had ever heard of this payment. The accountant was certain that he did not make that payment; he explained that he was out on his lunch break at the time of the transaction.

The accountant used banking software on his workstation to prepare payment orders and send them to the bank. The logs on this software recorded two suspicious payments to the same address. The first was a relatively small payment of 300,000 rubles. This did not sound any alarm bells, and was processed without a query. The second payment, worth 3 million rubles, alerted the staff at the company's bank.

It was clear that the accountant had not made the payments himself, so the organization suspected a malware attack. But how was that possible? They were using specialized banking software with password protection. They required a special file to access the remote banking system, and the bank itself would check the IP address of the sender of any payment.

Investigation

The main goal of a malware incident investigation is to accurately assess the consequences of the attack, identify every compromised computer and establish exactly how the malware penetrated the victim computer(s). The organization affected can then use this information to effectively mitigate the damage and address weaknesses in its corporate security system to prevent such incidents from happening in the future.

During the investigation, it is also sometimes possible to detect hitherto-unknown malware species and add their signatures to the security databases, protecting other users from their future impact.

In this case an image of the hard disk from the accountant's desktop was provided to Kaspersky Lab's Global Emergency Response Team (GERT) for analysis and investigation.

Remote Access to Desktop

During our first-pass analysis of the accountant's hard drive, we identified a modified version of the legal Remote Manipulator System which enables remote access to the computer. This type of software is often used by accountants and system administrators. However, this program was located in a suspicious catalogue, had a suspicious name ('C:\windows\dotcom\wmiterm.exe' is an overly "system-related" path , so even an advanced user is unlikely to smell a rat), and had two modifications to conceal its operation:

  • The icon in the Windows Task Bar was hidden,
  • The Registry key where the program stores its configuration was modified: 'HKLM\SYSTEM\Remote Manipulator System\v4' was changed to 'HKLM\SYSTEM\System\System\Remote\ Windows', which again looks very similar to the system registry key.

These modifications are typical of malware, so we added signatures for this program to Kaspersky Lab's antivirus databases – it is detected as malicious with the verdict 'Backdoor.Win32.RMS'.

While analyzing the operation of Backdoor.Win32.RMS, we discovered that the cybercriminals used it to download another malware program onto the victim computer, 'Backdoor.Win32.Agent'. (This detection was added to Kaspersky Lab products immediately). That backdoor provided remote VNC (Virtual Network Computing) access to the victim computer. Interestingly, the code of this malware program has a lot in common with the 'hVNC' module of the Carberp Trojan. Carberp's source code is available for public access.

So, how did Backdoor.Win32.RMS sneak onto the accountant's desktop?

Infecting a Corporate Desktop

In the Microsoft Outlook database, stored in the file 'outlook.pst' on the hard drive, we found an email containing an attachment named "запрос ИФНС № АС-4-31339.doc" ('Federal Tax Service request no. AC-4-31339.doc'). Kaspersky Lab Anti-Virus detected that Microsoft Office document as malicious with the verdict 'Exploit.MSWord.CVE-2012-0158.'

The cybercriminals used social engineering methods: the email was sent in the name of Russia's Federal Tax Service, called for immediate action, and provided contact details of real Tax Service officers.

"Federal Taxation Service. Please provide all required documents as soon as possible."

The accountant would certainly have opened the attachment, which exploited a vulnerability in Microsoft Word to download a self-unpacking archive from a remote server and then initialize the unpacking. The archive contained two files: 'SYST.EXE', a renamed version of the file archiver '7zip', and 'SYST'.

While unpacking, the source archive launched the archive program 'SYST.EXE' with parameters instructing it to unpack the password-protected archive 'SYST' using the incorporated password. This trick of using a password-protected password successfully bypasses security software's attempts at static unpacking of the file, impeding its detection.

Unpacking 'SYST' created the following: the 'Backdoor.Win32.RMS' file (which we detected earlier) and the 'INST.CMD' script which installed the backdoor in the system. This is the script that copied the malicious program's files into the folder 'C:\windows\dotcom'.

After we detected the backdoors, we began to understand how the cybercriminals could steal the money. If they had remote access to the computer, they could have make their own payment order, and then the key file and the sender's IP address would be legitimate. But we still didn't know how they criminals got the password to access the banking software. We decided to look for a keylogger program.

The keylogger

The file 'Svchost.exe' attracted our attention, located in the root of the system disk. It turned out to be a keylogger (detection added with the verdict 'Trojan-Spy.Win32.Delf'); it also contained functionality to manage the configuration of Backdoor.Win32.RMS. This unusual capability was apparently introduced by the cybercriminals because they needed a tool to control the modified Remote Manipulator System: they had hidden this program's entire user interface and could use it to manage the configuration.

We also discovered that this keylogger was downloaded with the help of Backdoor.Win32.RMS.

The keylogger sent a log containing all stolen information to the C&C at regular intervals and kept an up-to-date copy of the log on the infected computer's hard drive. We found the banking password within the piles of information stolen by the keylogger.

The battle plan

Following our research, we reconstructed the cybercriminals' action plan:

  1. The cybercriminals launched a targeted attack using social engineering and a Microsoft Word vulnerability to infect the accountant's computer with Backdoor.Win32.RMS.
  2. With the help of that backdoor, the cybercriminals loaded two more malicious programs onto the victim computer: a keylogger (Trojan-Spy.Win32.Delf) and another backdoor (Backdoor.Win32.Agent) which establishes remote VNS access to the victim computer.
  3. The keylogger intercepted the password to the remote banking account.
  4. While the accountant was away from his computer, the cybercriminals used Backdoor.Win32.Agent and the VNS access to the computer to start the banking software on behalf of the accountant.
  5. The cybercriminals used the password intercepted by the keylogger to create a payment order worth 300,000 rubles and send it to the bank.
  6. A bit later, they created another payment order, this time worth 3 million rubles, and sent it to the bank.

As we got towards the end of the investigation, we discovered yet another interesting fact: the IP-addresses of C&C servers for all malicious programs used in the attack belonged to the same sub-network.

Diagram of the cybercriminal attack

We also found out that the cybercriminals acted very fast: it took them just four days to carry out their planned crime. Three days were spent preparing, and the plan was executed within just a few hours on the fourth day.

Day 1. The cybercriminals sent the email to the company's accountant. The accountant read the email, opened the attachment, and the malicious program Backdoor.Win32.RMS was downloaded to his program. On the following days, the cybercriminals used this program to watch the accountant's activities.

Day 4. The cybercriminals used Backdoor.Win32.RMS to load the keylogger Trojan-Spy.Win32.Delf to the victim computer and intercepted the password to the banking software. Soon afterwards they loaded Backdoor.Win32.Agent and used it to connect to the accountant's computer. Then they sent payment orders from the victim computer to the bank.

Notifying the cybercriminals' victims

As the cybercriminals used several IP addresses from the same sub-network, we decided to have a closer look at the C&C servers. As it turned out, the cybercriminals made a mistake when configuring one of the servers, so any user can see the HTTP requests to the C&C servers. That's how we were able to track down the IP addresses from which requests were sent using the keylogger's protocol. As we found out, there were several computers with different IP-addresses infected with the keylogger.

There was one odd feature of this keylogger: when it was launched on an infected computer, it downloaded the latest version of its log from the C&C server. Thus, any user could review the keylogger's log if they opened the appropriate URL address in their web browser. We decided to have a close look at the HTTP requests sent to the C&C server, and in them we found the names of the logs that the keyloggers sent to the C&C server. In many cases, the logs contained the name of the organization which owned the infected computer and the victims' contacts (We could also find the victims' IP addresses using the vulnerability in the C&C server). This information helped us contact other victims (most of them were accountants at SMBs) and warn them that their computers were infected. They were very grateful for the information.

Features of banking attacks

As we said at the beginning of the article, this attack is a typical case of stealing money from a company.

  1. Cybercriminals actively use social engineering to encourage users to open the malicious file.
  2. Members of staff who deal with commercially important information and handle the company's finances need training on the basics of IT security. The company must implement security policies that would minimize the risk of employee negligence causing an infection on the corporate network.

  3. When attacking important targets, cybercriminals may use new exploits for previously unpublished vulnerabilities. In such cases regular attack detection tools, such as IDS, are not good enough.
  4. However, 0-day exploits are too expensive to use in attacks on regular companies. Here we usually see exploits for known vulnerabilities. This means simple steps like promptly updating software (especially Microsoft Office and Java) and installing a quality security solution can ensure adequate levels of protection.

  5. Yet another feature of this attack is that it involves legal software. This is a growing trend: we see cybercriminals using legitimate applications to gain remote access to victim computer before downloading and launching malicious files on them.
  6. Security products obviously won't flag up the use of legitimate software. So cybercriminals can use these applications in a bid to keep their operations secret. In this attack, secrecy was ensured by using a version of Remote Manipulator System with modifications introduced into its executable file. We added a signature for this modified version of Remote Manipulator System so in future Kaspersky Lab's products will detect it.

    If cybercriminals use the original, unmodified versions of legitimate software, the only solution will be for security systems to notify the user every time a potentially unwanted program is launched. All users, especially those who deal with financial and other important documents, must remember that no security system can provide absolute protection. They should pay attention to system notifications and be alert to any anomalous behavior on their computer. It's important to notify security staff of any suspicious event in the system.

Ideally, default deny mode should be enabled on all computers used to make payments in a remote banking system; this mode restricts Internet access and prevents the launch of irrelevant, non-whitelisted software. The same applies to computers used by corporate users to work with commercially important (business-critical) information.

Conclusion

These days, the main driving force behind all cybercriminal actions is money. Gaining access to remote banking systems is the most direct and straightforward way of stealing money from an organization. It is little surprise that remote banking systems are an increasingly attractive target for cybercriminal attacks.

Anyone who uses remote banking systems is more than familiar with the security systems incorporated in them … but so are the cybercriminals. The use of passwords, key files and tokens, as well as restricting IP access, can lull users into a false sense of security.

However, none of these measures, whether taken individually or as a group, will do anything to enhance security if they are implemented on a compromised computer. On an infected machine, passwords can be intercepted, key files can be copied. Cybercriminals can create a hidden desktop and use the original IP address and the token connected to the victim computer.

When investigating security incidents we regularly encounter the following situation: a malicious program is launched on a computer, but later it is detected and removed from the system. Subsequently the affected computer is used as before, continuing to carry out banking transactions with the accountant confident that the problem has been solved.

Users must realize that once a malicious program is executed, the computer affected should be considered compromised. The first malicious file only loads the main malicious payload. That payload typically consists of programs which update themselves all the time to escape detection by security products. Alternatively, cybercriminals load legitimate software with modifications that enable cybercriminals to connect to it via malicious C&C servers. In this case the malicious programs will not be detected.

Overlooking this can cause huge damage to a company. If a malicious program has been detected on a computer with critical information, incident response measures must be taken immediately.

Sadly, our experience shows that organizations often sound the alarm too late, when they are already facing financial loss or the shutdown of critical computing services. Moreover, the response measures taken within corporations usually prove ineffective, and often impede further investigation.

There is no such thing as a one-size-fits-all response to an incident. There are too many possible attack methods out there. For example, in some cases shutting the computer down immediately helps to preserve data that would be irreversibly deleted by a malicious program after a certain period. In other situations, though, a shutdown will destroy the RAM data that is vital to a subsequent investigation. Only an incident investigation specialist can make the right decision.

In any case, if there is the slightest suspicion of intrusion, any compromised computer should be disconnected from the Internet and the corporate network, and malware incident specialists should be called in.

Only a detailed investigation of a security incident can lead to an effective response.

Microsoft Updates September 2014 - APT Loses a Trick, Reminiscing Stuxnet EoP

Malware Alerts - Wed, 09/10/2014 - 21:54

Microsoft released four security bulletins this month addressing a total of 42 vulnerabilities in Internet Explorer (MS14-052), .NET (MS14-053), the Windows task scheduler (MS14-054), and several issues in Windows Lync Server (MS14-055). I counted a total of 37 cve set aside for Internet Explorer, with the other five for the three remaining software.

Most interesting is the XMLDOM vulnerability (cve-2013-7331), a vulnerability that has been publicly discussed since at least April 25, 2013. The PoC was re-purposed and abused in the VFW watering hole attack by APT otherwise known as Aurora Panda or "the DeputyDog actor". The crew is highly advanced and effective in technique and operation, over time deploying multiple 0day to meet their heavy offensive needs. Their xmldom trick likely helped to delay discovery of their IE 0day and presence on the compromised VFW server. "The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit". Microsoft rated this vulnerability patch "important" across OS versions, while the other privately disclosed IE vulnerabilities are rated "critical".

The other 36 Internet Explorer memory corruption vulnerabilities are all over the board as far as exploitability per platform, but they all enable remote code execution. It's most interesting that the patches for Internet Explorer v10 and v11 on supported Windows 8.1 are rated Critical RCE.

Also this month is a task scheduler escalation of privilege vulnerability reminiscent of one of the Stuxnet 0day that Kaspersky Lab researchers reported back in 2010, and was later deployed by the Tdss gang. And an update to an advisory went out to deal with post-exploitation lateral movement. This time the patched issue is not related to older pass-the-hash issues, but Kerberos ticket grant delay related. The logon credential cleanup package can be downloaded here.

More can be read about September 2014 Microsoft Security Bulletins here.

CTIA's Super Mobility Week 2014

Malware Alerts - Wed, 09/10/2014 - 15:31

The world's largest mobile innovation forum, "Super Mobility Week", is being held in Las Vegas. We were there to participate and moderate a panel on mobile and cloud cyber-security with speakers from Verizon, Samsung, and Eriksonn Mobile.

The event maintains an impressive vendor floor and multiple stages for discussions and panels throughout the days. The floor hosts vendors presenting their newest products, including wearables and other IoT. The afternoon keynotes yesterday brought a switch from the planned Twitter's CEO to their "President of Global Revenue" Mark Bain, who spoke about both their technology push onto wearables and IoT, and a glimpse into their data mining capabilities derived from their Gnip acquisition. It's notable that he didn't mention anything about security or privacy. Two factor authentication is ancient history for them, while Apple and their customers unfortunately continue to learn the hard way that some inconvenience is a small tradeoff for privacy and security.

Microsoft also keynoted, bringing their EVP of Devices Group onstage to discuss their push into mobile to cloud technologies with Nokia devices and "Cloud OS". Again, no mention of security baked into these technologies, although we haven't seen any recent naked celebrity photo theft from the Microsoft cloud.

My panel's discussion weaved mainly in and out of enterprise wide security challenges to BYOD and cloud adoption, along with recent and relevant threats that we noted:

1. The recent Apple iCloud mess revealed several things

  • Apple provided password and knowledge based authentication services that enabled social engineering and brute force attacks and dismissed 2FA (until now). On cloud service authentication security, Apple "led from behind"
  • Apple's cloud security enabled brute forcing of both AppleIDs and iCloud passwords

2. Mobile malware volumes continue to surge - our mobile malware collection now includes almost half a million samples. Digging deeper, in 2013, we saw around 600 mobile banking trojans and now our malware collection maintains around 8,500 banker variants specifically supporting financial cybercrime.

3. Wifi and Ssl insecurities, as implemented in and used by mobile technologies, are on the increase and will likely continue to be.

4. Targeted attackers express interest in an expanded set of technologies, including various mobile devices by the Rocra, LuckyCat and Chuli attackers.

The event lasts from September 9th to the 11th.

The world at your fingertips… and theirs too

Malware Alerts - Wed, 09/10/2014 - 07:00

Technology has changed our lives, the way we live and work. With the emergence of wearables, the convergence between the virtual and the physical world makes people feel more natural using technology all the time.Google Glass is one of the most amazing wearable devices and although it is still at an early stage of development, it is undeniable that you can do awesome things and experience the world in a different way with them.

With out-the-box functionality, you can search the internet, take pictures or videos, check mail, send messages to Hangouts contacts, or publish information to Google+. What truly excites us are foreseeable uses in fields like medicine or education. The device could become indispensable by helping surgeons check patient vital signs or video broadcasting their surgeries to other specialists. Similarly, we can foresee novel means of transmitting knowledge to students in interactive ways. Perhaps we can even imagine enhancements to law enforcement by enabling immediate recognition of wanted criminals.

Unfortunately, the emergence of new technologies also entails new security risks. There are in fact many concerns about potential risks to privacy and ways in which these new devices could be compromised. Cybercriminals don't rest and are always looking for new ways to obtain gains from their victims, whenever they see an opportunity they will work day and night to achieve this objective.

New Technologies, Old Risks.

New and existing devices have many things in common: they use the same protocols and are interconnected with other devices using similar applications. There is no way around this. Traditional attack vectors are mainly against the network layer in the form of Man-in-The-Middle (MiTM), the exploitation of some vulnerability in the operating system, or the applications themselves. Being based on Android, Glass could inherit known vulnerabilities found in other devices with the same OS.

There are two ways to surf the Web from Google Glass: through Bluetooth pairing to a mobile device that shares its data network connection, or directly through Wi-Fi with prior configuration of the network via a MyGlass account or mobile app generated QR code.

The procedure to add a network is pretty simple: by adding a network name and password a QR code is generated containing connection settings which when looked at through Glass establishes an automatic connection to the network.

Last year, a vulnerability was published by the Security firm Lookout related to this procedure that would mislead a user to connect to a fake access point through a malicious QR thus allowing a potential attacker to hijack network communications and possibly redirect navigation to a malicious web page that could exploit a known Android web vulnerability. This vulnerability was patched but gave us a clear sense that attackers could discover ways to compromise these new devices.

A source of potential risks is that unlike a computer or a mobile device, the Glass interface is navigated through 'cards' to scroll through the different applications and settings thus limiting configuration options and in some cases automating certain procedures and functions with little input from the user, as in the case of connecting to a network or sharing information. This automation opens the door for exploitation by attackers and the compromise of user privacy.

Another threat avenue is the propensity for users to activate 'debug mode' in order to install applications outside of the official glassware ecosystem thus raising the risk of installing malicious applications.

This opens the possibility of new attacks using old methods such as social engineering through the use of the magic words: "free" and "sex". Although not all apps advertised this way are malicious, the terms stand as a hook for users in search of new experiences, willing to step out of the comfort zone pre-arranged by the manufacturer.

One simple test

As mentioned earlier, a feature distinguishing Glass from other wearables is the ability to navigate the internet directly via a Wi-Fi connection, rather than exclusively piggybacking off of a paired mobile device. However, this ability also means that the device is exposed to network vectors attacks, particularly MiTM.

Imagine this scenario, you are at your favorite coffee shop and decide to connect to the Wi-Fi network using Glass. You set up the network and are off to check-in on Foursquare, launch an app to recognize the song playing in the background and fetch the lyrics. But what if in this network someone is using a tool to poison the other devices into redirecting traffic towards a router IP address thus capturing all of the network traffic?

We tested by doing just that in a controlled laboratory network. Once the network was compromised, we did some searches on google, standard site browsing, sent pictures and messages to some of our contacts, and even read the news.

Once we captured enough traffic to analyze, we found that almost all the traffic remains encrypted after the network was compromised, specially the google searches. However, we found enough information in plain text to correlate and piece together the user's navigation to airlines, hotels, and touristic destination sites and how and where the device was connected. Nothing too sensitive but in some cases useful for when carrying out a profiling job.

In the end, as with any other device, security must be visualized in layers and we need to protect every layer to reduce the risk of compromise. In this case, the network layer could be exposed since the device can connect to public networks but lacks the option for VPN connections thus insuring traffic can be captured and analyzed.

In coming months, we'll see wearable devices becoming the next attack targets, highlighting the need to pay special attention to these devices, their capabilities, and the information they handle.

You can also follow me on twitter @r0bertmart1nez

Wearable Security: Present and Future

Malware Alerts - Wed, 09/10/2014 - 07:00

Now that the Internet of Things is all the rage, I wanted to take a look at a trend in IoT that I find particularly exciting and that's wearable devices. In theory, wearables could present us with a paradigm shift in the manner in which users interact with technology, moving us away from the old mouse and keyboard combo, and possibly even the touchscreen. For now, we are not quite there and science fiction superlatives are premature. At this time, wearables are in simplest terms appendages of our mobile phones. They're meant to more conveniently convey notifications, collect heartbeat measurements, and throw an alternate camera angle into the selfie-filled mix. Though wearables are still in their infancy, rising adoption highlights the need for a discussion about the concerns that could accompany these new technologies. Let's attempt to carry out this discussion in two modes: current privacy issues and future overall security concerns.

With Creepy Enthusiasm

Sadly technology isn't always used in the benevolently child-like way we intend; gone are the days of look-what-I-can-do wonderment.

Source: http://www.killyourdarlingsjournal.com/wp/wp-content/uploads/2014/01/1963-jetsons-flintstones.jpeg

Instead, we see users adapting technologies old and new to satisfy base desires. A recent twitter-storm documented by Gawker showed just that, as a Chinese Glass Explorer was found using his new device to upload unsolicited pictures of women in public places to his twitter account. His actions fit into a reprehensible internet subculture of fetishizing 'creepshots' that has caused great uproar. Unfortunately, the principal design tenets of wearables have the unintended corollary of making perfect devices for this community of perverts.

With an unassuming device and a nearly undetectable camera, a wearable can be used as a predatory tool for violating the privacy of unsuspecting bystanders. During our Latin American Security Analysts Summit, Roberto Martinez and I took up the mantle of predatory wearable users, taking candid pictures of our guests to display during our presentation. I'm disappointed to say it was incredibly easy to get away with. In the case of Roberto's Glass, the wink feature (which allows the user to take a picture by simply winking in the direction of the target) was indispensable to our experiment. In my case, I had a Galaxy Gear 2 which Samsung had cautiously programmed to accompany pictures with a loud noise in order to alert nearby targets.

However, creepers will not be easily deterred! And a solution was swiftly proffered in the form of rooting and a handful of commands. Most people are familiar with the notion of rooting or jailbreaking a device these days. It is often touted as a means of retaking control of your device, away from the clutches of evil limiting corporations! In the case of the Gear 2, the uses of rooting are anything but benevolent. Rather than unleashing homebrew development creativity, the sole use of rooting the Gear 2 that I've been able to spot is to disable the moderately loud sound the device emits to notify passersby that they are in fact being photographed.

On more specific terms, the process includes the use of a leaked internal Samsung tool called ODIN in order to flash an alternate ROM onto the device that comes with root privileges enabled. Root privileges are not required in order to install applications themselves but will be necessary in order to mount the otherwise inaccessible filesystem. Once mounted, the creeper needs only zero-in on the folders that contain the camera notification sound files and move them elsewhere for safe-keeping. Thus, when a picture is being taken, the camera application will look for these files in vain and continue to take the picture sans shutter sound. Since the camera is quite discreetly placed, lacks a flash, and shows no other outward indication that a picture is being taken, this sound is a crucial privacy feature in the device's design.

With the Tizen Smart Developer Bridge (reminiscent of the Android Developer Bridge) in hand, semi-proficient users can also sideload applications in wgt format onto the device. In the case of video recordings, an altered camera app can be sideloaded that includes a single modified line within the package thus eliminating the pre-imposed limitation on video recording from a few seconds to as much as the cramped storage will allow. These two modifications allow a perverted user to turn the otherwise benevolent smartwatch into a rather creepy device.

The Less-Scrutinized Link in the Mobile Security Chain

An interesting implication arises from being able to sideload modified applications onto the device with such ease. Though Tizen applications are meant to go through a rigorous testing process, this process occurs on the side of the controlling device – in this case, the Galaxy S5 loaded with the Gear Manager app paired to the smartwatch. When an application is installed on the device through the Gear Manager app via bluetooth, there are no indications or notifications on the smartwatch that a new application has been installed. This goes to stress the perils of the simplified interfaces on most wearable devices and thus the importance of maintaining the integrity of the controlling mobile device. With Android being a primary target for mobile attackers, rising consumer interest in wearables is bound to be met by rising attacker interest in these devices as well, which brings us to the prospective side of our discussion…

Laymen cybercriminals are not the only one's interested in our devices. Sophisticated actors have a distinct interest in infecting mobile devices as these become the gateway for intimate information about individual targets not commonly found on corporate networks. Though I would in no way claim that wearables are being targeted by these actors at this time, there is a twofold appeal presented by wearables that make them a likely future target if widely adopted by consumers:

  • Firstly, the information wearables devices gather is going to attract new corporate players to the cyberespionage scene. If wearables are adopted by a large enough crowd, insurance companies interested in tweaking and improving their risk mitigation formulae will be jonesing to get their hands on the aggregated vital signs and unadulterated exercise details of their clients. This information could translate into real money for these companies and that sort of financial incentive is often enough to encourage less than ethical means of information gathering.
  • Secondly, we need to be wary and adopt a holistic approach towards the security of a chain of devices paired for data sharing. When it comes to a home or office network, securing endpoints isn't enough. Any device on the network, even if it's a printer or a seemingly harmless network storage device, can represent an entry point or means of persistence for an attacker. The same occurs with mobile devices and their less sophisticated accessories.

In an espionage campaign, breaching the security of a mobile device is only the beginning. Oftentimes, valuable information will become available with long-term access to the device as the unsuspecting target goes on about their everyday dealings. Given that security solutions are already deployed on mobile platforms, less sophisticated appendages such as wearables connected to mobile devices could become particularly interesting to advanced threat actors looking for a means of persistence with a lower probability of detection. In this case, resilience and discreet execution are gold standards, and what is more discreet than operating within a device whose simplified interface and inaccessible filesystem essentially insure that the breach will never be detected by even the most competent users?

Outsmart hoax e-mail

SANS Tip-of-the-Day - Wed, 09/10/2014 - 00:35

Gaps in corporate network security: ad networks

Malware Alerts - Fri, 09/05/2014 - 09:42

'Malvertising' is a relatively new term for a technique used to distribute malware via advertising networks, which have long since become a popular medium among cybercriminals. In the past four years, hundreds of millions of users have fallen victim to 'viral' advertising, including visitors to major media sites, such as NY Times, London Stock Exchange, Spotify, USNews, TheOnion, Yahoo!, and YouTube. The complicated situation with ad networks even prompted the United States Senate Permanent Subcommittee on Investigations to conduct an in-depth inquiry, which produced recommendations on stepping up security and increasing the responsibilities of advertising platform owners.

At the turn of the year 2.5 million Yahoo users were attacked. Soon after the incident, a company called Fox IT published a detailed analysis of the attack. Curiously, according to Fox IT, not all Yahoo! users were affected by the attack – only residents of European countries, primarily Romania, the UK and France. Fox IT analysts believe that the attackers probably used targeted advertising mechanisms, i.e., they paid for 'impressions' served to a certain audience from the countries mentioned above. Here is an illustration of how attacks are conducted via ad networks: an overall attack organization diagram (on the left-hand side) and a specific example of the attack against Yahoo! users (on the right-hand side).

In the past, we have written about targeted attacks conducted via trusted websites (so-called watering-hole attacks) and social engineering on social networks and in IM clients. Specifically, we wrote that a cybercriminal has to do two things in order to implement a watering-hole attack: first, compromise a trusted website and second, surreptitiously inject malicious scripts into the site's code. Successful attacks via social networks or IM clients also make certain demands of cybercriminals – at the very least, to win the users' trust and increase the chances of them clicking on links sent by the attackers.

What sets attacks via ad networks apart is that in these attacks the cybercriminals do not have to compromise websites or gain the trust of potential victims. All they have to do is find an ad provider from which to buy 'impressions' or become a provider themselves (like BadNews). The remaining work, related to distributing malicious code, will be done by the ad network –the trusted site itself will download malicious scripts to its page via iframe.

Moreover, users don't even have to click on the ads – as part of its attempt to display a banner on the web page, the browser executes the banner's SWF/JS code, which automatically redirects the user to a site hosting the landing page of a popular exploit pack, such as Blackhole. A drive-by attack will follow: the exploit pack will attempt to choose an appropriate exploit to attack a vulnerability in the browser or its plugins.

The problem of ad networks being used to distribute malware and conduct targeted attacks (taking advantage of their targeted advertising capabilities) does not only affect those who use browsers to access websites. It also applies to users of applications that can display adverts, such as IM clients (including Skype), email clients (Yahoo! included), etc. And, most importantly, the problem affects the huge number of mobile app users, since these apps also connect to ad networks!

Essentially, mobile applications are different in that the SDKs commonly used for embedding adverts into apps (such as AdMob, Adwhirl etc.) do not support the execution of arbitrary code supplied by ad providers, as is the case with website advertising. In other words, only static data is accepted from the server supplying ads, including images, links, settings etc. However, cybercriminals can also create SDKs, just like media companies. The former offer developers higher per-click rates than their legitimate competitors. This is why developers of legitimate mobile software embed malicious 'advertising' code – essentially backdoors – into their apps. Moreover, legitimate SDKs may have vulnerabilities enabling the execution of arbitrary code. Two such cases were identified late last year – one involving the HomeBase SDK, the other involving AppLovin SDK.

Source: http://researchcenter.paloaltonetworks.com

The question "How should a corporate network be protected against attacks conducted via ad networks?" does not have a simple answer, particularly if you keep in mind possible targeted attacks. As we mentioned before, protection needs to cover not only workstations (browsers, IM clients, email clients and other applications that have dynamic advertising built into them), but also mobile devices that can access the corporate network.

Clearly, protecting workstations requires at least a Security Suite class anti-malware solution, which must include:

  • protection against vulnerability exploitation;
  • advanced HIPS with access restriction features, as well as heuristic and behavioral analysis (including traffic analysis);
  • tools for monitoring the operating system (System Watcher or Hypervisor) in case the system does get infected.

For more reliable protection of workstations, it is prudent to use application control technology, collect statistics (inventory) on the software used on the network, set up updating mechanisms and enable Default Deny mode.

Unfortunately, compared to the protection of workstations, mobile device protection is still in the early stages of evolution. It is extremely difficult to implement a full-scale Security Suite or Application Control solution for mobile devices, since that would require modifying firmware, which is not always possible. This is why Mobile Device Management (MDM) technology is currently the only effective tool for protecting mobile devices that connect to the corporate network. The technology can control which applications are allowed to be installed on a device and which are not.

Cybercriminals have used ad networks to distribute malware for years. At the same time, the advertising market is rapidly growing, branching out into new platforms (large websites, popular applications, mobile devices), attracting new advertisers, partners, intermediaries and aggregators, which are intertwined into an extremely tangled network. The ad network problem is one more example showing that rapid technology development is not always accompanied by the corresponding evolution of security technologies.

Pages

Subscribe to RIT Information Security aggregator