Techie Feeds

Solution Corner: Malwarebytes Incident Response

Malwarebytes - Thu, 06/22/2017 - 19:40

Unless you’ve been stuck at a fiery music festival, I don’t need to tell you the threat landscape is constantly evolving and that threats have become increasingly sophisticated at evading detection. Recent Malwarebytes Labs reports, including the 2017 State of Malware shine a light on just how fast these threats continue to spread around the globe impacting businesses of all sizes.

In fact, according to eWeek the latest Ponemon Institute 2017 Cost of Data Breach report came out this week and shows dwell times for malicious attacks now average 214 days. The report also highlights that 1 out of 4 businesses will experience a breach. The cost to businesses and the complexity involved in responding to these types of incidents, including remediating the threats from endpoints, continues to increase as well. Osterman Research uncovered that more than 60 percent of attacks take organizations more than nine hours to remediate.

 

 

We recently announced Malwarebytes Incident Response, a centralized threat detection and remediation platform that helps businesses accelerate their response workflows for these types of threats while reducing attack dwell times. Malwarebytes Incident Response scans networked endpoints for advanced threats including malware, PUPs, and adware, and removes them.

Our threat detection and remediation technologies are powered by the world’s best-informed telemetry. More than 500,000 consumers and businesses download Malwarebytes every day when their existing solutions fail. Driven by our big data analytics systems and expert research analysis, we process more than 3 million endpoint remediations each day. This valuable telemetry on zero-day malware makes our technology more responsive to emerging threats, and helps us anticipate tomorrow’s malware.

By scheduling and automating scans with Malwarebytes Incident Response, the prolonged downtime that typically accompanies incident response and re-imaging processes can be significantly reduced, along with management complexity. All of this helps optimize efficiency and effectiveness for admins and incident responders.

 

Flexibility and extensibility

Malwarebytes Incident Response integrates with and minimizes impacts to your existing security stack. With flexible deployment options, businesses can choose to run scans and remediate endpoints using the cloud-managed persistent endpoint agent or the included non-persistent agents (aka “agentless”). The non-persistent agent makes it simple to deploy and integrate with your existing third-party tools, including endpoint management platforms and SIEMs.

 

Thorough remediation

Malwarebytes is viewed as the gold standard in remediation, and that’s thanks in part to our Linking Engine technology. This signature-less technology works in concert with our main remediation engine to identify and remove dynamic and related threat artifacts which are linked with the primary threat payload. Additionally, our Linking Engine applies associated sequencing to ensure malware persistence mechanisms are eradicated in such a way that disinfection is permanent.

 

Threat hunting

Unfortunately for many businesses, it’s likely threats already exist in their environment. When an endpoint is successfully infected, attackers often initiate lateral movement to infect other endpoints. Malwarebytes Incident Response empowers organizations to proactively hunt for malware and thoroughly remediate endpoints leveraging on-demand, scheduled, and automated scans—reducing the complexity of the whole remediation process. This solution makes it easy to adopt a proactive, assume-the-compromise approach that greatly improves your security posture. Businesses can use the included non-persistent agent to scan, or hunt, for threats using recently reported indicators of compromise (IOCs) for instances of that threat elsewhere in their environment. For example, Malwarebytes can conduct an automated threat response based on an alert from your existing Splunk or ForeScout solutions.

Click to view slideshow. Static forensics

Malwarebytes Incident Response also includes a static forensic tool for more in-depth forensic investigations. Forensic Timeliner quickly tracks forensic events so your security team can uncover attacker actions, or address security gaps and unsafe user behavior. It gathers system events prior to, during, and following an infection from more than 20 Windows log repositories and presents the data in a convenient chronological timeline view for comprehensive analysis of vector and attack chain. Events covered include file and registry modifications, file execution, and websites visited.

 

Introducing Malwarebytes cloud platform

Malwarebytes Incident Response includes a single unified endpoint agent which is built on our cloud-based management platform. This new cloud platform makes deployment and ongoing management of Malwarebytes Incident Response and other Malwarebytes solutions easy. Administrators benefit from simplified deployments onto their endpoints along with effortless scalability.

The cloud management console provides easy, direct, centralized management of security policies, deployments, and threat visibility across all geographically distributed endpoints.

Asset Management is another built-in feature of the cloud platform that delivers dozens of actionable endpoint system details to a security or system admins’ fingertips. This allows them to quickly glean info that might ordinarily require them to log into different, separate consoles or applications. See detailed information including OS, network interfaces, storages devices, memory objects, installed software, software updates, startup programs, and more.

 

Time happens, act now

Built for Windows and Macs, Malwarebytes Incident Response provides the most complete and thorough remediation possible, improves threat detection for businesses of all sizes, and minimizes the time it takes to respond to an attack.

I encourage you to check out this new solution for your business today.

The post Solution Corner: Malwarebytes Incident Response appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Barclays Bank customers targeted by phishers

Malwarebytes - Thu, 06/22/2017 - 15:00

Today we have a phish targeting customers of Barclays Bank, located at:

bank(dot)barclay(dot)co(dot)uk(dot)olb(dot)auth(dot)loginlink(dot)action(dot)p1242557947640(dot)chofcg(dot)com/bd/

The phish opens up with an initial lunge for personal details:

The first page asks for a surname, then offers the potential victim a variety of petards to hoist themselves from – do you want to enter your membership number, card number, or sort code and account number? Please, step right this way.

The second page continues the deep dive with a move into the realm of PIN sentry codes:

Barclays use a device called a PIN Sentry for certain online (and offline) activities. Step 2 of this phish asks for the last five digits of your card, the eight digit code that appears on the device, and “your four digits ATM code”. After that:

A 5 digit telephone banking passcode and a mother’s maiden name, you say?

It would appear the phishers are trying to get enough bits of information to try some social engineering on someone in a call center, though they’re not going to get very far with a 4 digit PIN given the person on the other end of the line wouldn’t know it. Only today, a friend of mine told me their husband nearly lost his business account cash (held with another bank) because someone phoned him up and asked for his personal details. He only realized something was wrong when they asked for his PIN number – but he nearly didn’t phone the bank because he thought they’d “tell him off”.

Don’t be like him. Should you ever run into a scenario such as the above, the very first thing you should do is call your bank for help. They’ll give you the best course of action from there, and with any luck, your hard-earned money won’t be going elsewhere.

 

Christopher Boyd

The post Barclays Bank customers targeted by phishers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The Roblox Robux generator is too good to be true

Malwarebytes - Wed, 06/21/2017 - 15:00

Roblox is an enormously popular MMORPG title for kids available on both PC and console, and it suffers no end of scammers trying to fleece its players as a result. While the game tries to block and filter text/URLs and comes with additional security features, potentially dubious sites also bounce around outside of the Roblox environment. Here’s one we had sent our way, located at:

robloxrobux(dot)gamehack(dot)co

The site claims to walk that well-worn path of free coin/item/whatever generation, in return for entering your username and a few other values such as desired coin (“Robux”) amount. There’s also a chat box in the bottom right corner which repeats the same text every time you visit the page, mostly to the tune of “Yes, this definitely worked 100% for me, honest”. Once all info is submitted and the magic “Do things now” button is pressed, it delivers the well-worn trick of popping a fake box claiming things are happening behind the scenes. Secret, hacker-style things working their magic on Roblox servers.

Unfortunately for the person using it, it’s all complete nonsense and leads gamers to the usual assortment of survey links.

We don’t have much to add here besides “Don’t bother”. All you’ll get for your troubles is your personal information added to marketing databases via the survey links. If you have young relatives playing Roblox, please consider informing them about sites such as the above.

 

Christopher Boyd

The post The Roblox Robux generator is too good to be true appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Jun 12 – Jun 18)

Malwarebytes - Tue, 06/20/2017 - 15:56

Last week was very busy for the Labs, with a look at so-called numeric tech support scams, a visit to the huge Infosec Europe conference, an exploration of Mac Malware as a Service, and a walk through the myths of online bullying.

Elsewhere:

Stay safe!

The Malwarebytes Labs Team

 

The post A week in security (Jun 12 – Jun 18) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Breaking the attack chain

Malwarebytes - Mon, 06/19/2017 - 15:52

The attack chain. It’s a term used often in infosecurity. Also known as the kill chain, it was originally used as a military concept to describe the structure of an attack. It serves the same function in cybersecurity, where various methods of malware infiltration, deployment, and execution are outlined. To break the attack chain, then, means to preempt the attack.

This is of obvious significance to business owners, who’d much rather avoid expensive and time-sucking breach cleanups with programs that prevent attacks altogether. But breaking the attack chain is not as simple as it used to be.

Cybercriminals are constantly changing methodologies and deployment vectors to fool endpoint defenses. The attack chain is evolving and multiplying, out-thinking traditional, signature-based endpoint security. In fact, nearly 80 percent of businesses have suffered a security-related breach in the last year.

That’s why businesses need to evolve their endpoint protection strategy, using a multi-layered approach to stop malware deployment and execution in multiple attack chains. In the following infographic, we’ve outline how Malwarebytes does just this, using seven different, complementary technologies.

Click here for the full PDF version.

 

The post Breaking the attack chain appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tackling the myths surrounding cyberbullying

Malwarebytes - Fri, 06/16/2017 - 15:00

Cyberbullying is an act most of us are familiar with. Knowing what it is, who’re involved, and its harmful effects to targets are easy enough to identify; but do you know that cyberbullying is surrounded by misconceptions, too? In this post, we have identified six of these myths, explained why they’re worth discrediting, and lastly, provided ways to nip cyberbullying in the bud.

Myth #1: Bullying, whether done face-to-face or online, only negatively affects the target.

This may seem like an obvious and accepted truth; however, several medical studies have shown otherwise. Both the offended and the offender experience emotional, physical, and social issues as a direct result of bullying and such effects have been consistently observed across youths in different countries, which includes headaches, recurrent stomach pains, feeling unsafe whether inside or outside the home, and difficulty sleeping at night.

Perhaps the most harmful consequence of being targeted, especially in the case of teens, is “internalizing problems”—negative self-perception, anxiety, depression, and insomnia. Left untreated, these will grow worse and increase the likelihood of them developing mental health issues.

Furthermore, cyberbullying has ill effects on bystanders as well.

Myth #2: Only kids and teens experience cyberbullying.

According to a survey conducted by the Pew Research Center, 40% of adults in the United States have experienced some form of bullying online. Forms of harassment range from name-calling, deliberate embarrassment, physical threats, to stalking.

In the past, we used to hear about teachers picking on students, but now we’re as likely to read about students bullying teachers.

Myth #3: The best way to beat the cyberbully is to fight back.

And by “fight back”, they mean “bullying the bully”. This may seem like sound advice from well-meaning friends or family members, but more often than not, hitting back with words may make matters worse. Those who are unable to fight back due to feelings of fear, anxiety, or powerlessness may begin blaming themselves for the bullying. It also sends the wrong message to kids and teens that out-bullying each other is the only way to stop the harassment.

Myth #4: Bullying is a part of life. Get over it.

Although bullying happens both in the digital and real domains, it shouldn’t be considered normal, okay, or acceptable, and telling those being harassed to “get over it” doesn’t help the already mentally and emotionally vulnerable. Bullying, regardless of where it takes place, is a societal problem that needs to be seriously addressed, not brushed aside.

Myth #5: Once the bullying stops, the life of the affected child/person goes back to normal.

This is far from reality. According to a joint US/UK study, people involved in bullying continue to feel and experience the effects of the act until adulthood. The severity of these effects also depends on the person’s resilience and the positive relationships he/she has with other people. Some of the problems that can carry over to adulthood are depression, panic attacks, and difficulties socializing.

Scientists also stress the long-term effects of cyberbullying, even if it happens only once.

Myth #6: There are no laws against bullying and/or cyberbullying.

On the contrary, the Cyberbullying Research Center has a dedicated page showcasing US states and their bullying laws.

Prevention is always better than cure’

What most of us may not realize is that a number of incidents of cyberbullying can be prevented. Here’s a few ways to tackle them:

  • Never share your online credentials with anyone, not even with family members (except your parents if they asked for them), or friends. Most kids and teens these days allow their friends to access their social profiles, believing that doing so is cool. However, friends may begin posting images and messages without their consent, and may cause more headache to the innocent child or teen who owned the profile.
  • Never share private or intimate photos of yourself to anyone. Not only will teen girls gain Likes from peers, they may also grab the unwanted attention of strangers, which may further lead to stalking and other forms of online harassment. Additionally, revenge porn also happens among kids and teens.
  • Consider limiting the number of people seeing what you post online. Sadly, most users of social networking sites don’t bother setting up the privacy level of their profiles and posts. As most (if not all) social sites show posts publicly by default, those who express their views on, say, politics usually invite ire from strangers who don’t share similar views. If not mitigated from the get-go, the banter may quickly escalate to bullying. If you wish to remain posting publicly, then at the very least…
  • Mind what you disclose online. Kids and teens share quite a lot about themselves—their thoughts, opinions, feelings, activities at the home or with friends. Although these are likely innocent, they can be used to fuel the bullying.
  • Create strong passwords for all online accounts. Some cyberbullies may attempt to infiltrate a target’s account by hacking. Although this act is not considered cyberbullying, online bullies can use accounts they control to humiliate a target or harass other targets by posing as someone else. Make sure that you can efficiently manage the passwords you create.
    • A word on personally identifiable information (PII): Revealing information you use to access or create accounts, such as your dog’s name and your date of birth, is highly discouraged. Not only will this contribute towards impersonation, but it may also lead to the compromise of your online account.
  • When using public or shared computers, make sure to log out of your social media accounts before leaving. If possible, delete the browser history cache and cookies or you may give someone else the opportunity to be you online.

The internet is what we make of it. On the one hand, it can be a great place to learn, meet new friends, reconnect with old ones, and discover the world without leaving the comfort of your sofa. On the other hand, it can also be a destructive and hurtful place. With the guidance of parents, teachers, law enforcement, and groups that deal with online harassment, children will be steered in a direction where future generations can still experience the internet as a safe place to be.

For additional resources, take a look at our 2016 blogs from Anti-Bullying Week:

The Malwarebytes Labs Team

The post Tackling the myths surrounding cyberbullying appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Announcing Malwarebytes Endpoint Protection, a next-generation antivirus replacement for businesses

Malwarebytes - Thu, 06/15/2017 - 15:00

Six months ago, we announced Malwarebytes 3.0, a next-generation antivirus replacement for home users. Today, I am happy to announce Malwarebytes Endpoint Protection, its equivalent for businesses.

Malwarebytes Endpoint Protection includes an easy to deploy, scalable cloud platform that allows you to rapidly install, configure, and manage our solutions on any Windows endpoint. Businesses get Web Protection, Application Hardening, Exploit Mitigation, Application Behavior, Payload Analysis, and ransomware prevention technologies all delivered through a single agent in the cloud! In addition, I’m pleased to introduce our first ever signature-less Anomaly Detection Engine powered by machine learning. This now adds a seventh layer to our protection stack, making your defense-in-depth strategy even stronger.

We’ve added Asset Management so you can see what software your endpoints have installed, what updates they have or need, and generally, monitor the health of your environment.

Key features of our new platform:

  • Cloud based: no need to provision a server, just create an account and go!
  • Scalable: enterprise-grade security for small offices or large enterprises
  • Single agent: all of our protection technologies delivered through a unified agent
Click to view slideshow.

But that’s not all! We’re also announcing Malwarebytes Incident Response, our threat detection and remediation tool which is also built on our new Malwarebytes cloud platform. Powered by our Linking Engine technology, this solution provides the most complete and thorough remediation possible for Windows and Mac endpoints.

Malwarebytes Endpoint Protection and Malwarebytes Incident Response are available globally June 28th, so stay tuned for more information. In the meantime, you can contact our awesome sales team and authorized resellers to learn more.

 

FREQUENTLY ASKED QUESTIONS

What is Malwarebytes Endpoint Protection?

Malwarebytes Endpoint Protection is an advanced threat prevention solution for Windows endpoints featuring a cloud-based management console, delivered through a unified endpoint agent.

The solution delivers real-time threat prevention using multiple layers of matching and signature-less technologies including Web Protection, Application Hardening, Exploit Mitigation, Application Behavior, Payload Analysis, ransomware prevention, and now our newest signature-less Anomaly Detection Engine, powered by machine learning. These seven technologies work together providing a more effective and efficient replacement for antivirus. Includes email and 9am-5pm phone technical support.

 

What is Malwarebytes Incident Response?

Malwarebytes Incident Response is a centralized threat detection and remediation solution for Windows and Mac endpoints featuring a cloud-based management console, delivered through a unified endpoint agent.

Malwarebytes Incident Response empowers organizations to proactively hunt for malware and thoroughly remediate any endpoint leveraging our in-depth, on-demand, and scheduled scans. Powered by the best threat remediation and signature-less Linking Engine technologies, organizations can now quickly recover from cyberattacks without the prolonged downtime that typically accompany incident response and re-imaging processes.

Malwarebytes Incident Response includes the capability to scan and remediate endpoints with non-persistent agent (aka “agentless”) CLI options. Also, includes a static forensic tool for more in-depth forensic investigations. Includes email and 9am-5pm phone technical support.

 

Can I replace my traditional antivirus with Malwarebytes Endpoint Protection?

Yes! Malwarebytes Endpoint Protection is designed to replace your antivirus solution. We believe in layered defense and built Malwarebytes Endpoint Protection to provide the right mix of proactive and signature-less technologies to combat modern threats and zero-day malware.

Malwarebytes is now a validated, next-generation replacement for traditional antivirus (AV) solutions. Coalfire Systems, a leading provider of cybersecurity, risk management, and compliance services, certified by the PCI Security Standards Council as a Qualified Security Assessor (QSA), conducted an independent assessment of Malwarebytes.

 

Can we still run Malwarebytes Endpoint Protection and Malwarebytes Incident Response alongside our existing antivirus solutions?

Absolutely! We built Malwarebytes Endpoint Protection and Malwarebytes Incident Response to be compatible with all major antivirus software. Malwarebytes defaults to side-by-side operation mode, but also has the Policy-configurable capability to register in the Windows Action Center (WAC), allowing customers of Malwarebytes to run alongside third-party antivirus applications and/or the built-in Windows Defender, or as primary, thereby deactivating Defender.

 

We currently have a Malwarebytes subscription for our business. How much do we have to pay to upgrade to Malwarebytes Endpoint Protection or Malwarebytes Incident Response?

Pricing for Malwarebytes Endpoint Protection and Malwarebytes Incident Response is dependent on the number of endpoints and length of subscription. Contact your sales representative or Malwarebytes authorized reseller for more information on pricing and how to upgrade to the new Malwarebytes cloud platform.

 

How can we get an evaluation copy of Malwarebytes Endpoint Protection or Malwarebytes Incident Response?

Contact your sales representatives to learn more about our new cloud-delivered solutions and get a free evaluation of Malwarebytes Endpoint Protection and Malwarebytes Incident Response.

The post Announcing Malwarebytes Endpoint Protection, a next-generation antivirus replacement for businesses appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New Mac Malware-as-a-Service offerings

Malwarebytes - Wed, 06/14/2017 - 15:00

A couple weeks ago, two new Malware-as-a-Service (MaaS) offerings for the Mac became available. These two offerings – a backdoor named MacSpy and a ransomware app named MacRansom – were discovered by Catalin Cimpanu of Bleeping Computer on May 25.

Cimpanu evidently had some trouble getting hold of samples, but on Friday analysis of MacRansom was posted by Fortinet and analysis of MacSpy was posted by AlienVault.

Both of these malware programs were advertised through Tor websites, claiming them to be “The most sophisticated Mac spyware/ransomware ever, for free.” Neither programs were directly available, but could only be obtained by emailing the authors at protonmail[dot]com email addresses.

Behavior

Despite the claims of sophistication, these malware programs are not particularly advanced. The programs provided to both Fortinet and AlienSpy were simple command-line executable files that, when run, copy themselves into the user’s Library folder.

MacSpy:

~/Library/.DS_Stores/updated

MacRansom:

~/Library/.FS_Store

Because the .DS_Stores folder and the .FS_Store file both have names starting with a period, they are hidden from view unless the user has done something to show invisible files.

As part of the installation, these programs also create LaunchAgent files for persistence – a not at all original method.

MacSpy:

~/Library/LaunchAgents/com.apple.webkit.plist

MacRansom:

~/Library/LaunchAgents/com.apple.finder.plist

Some recent malware has had the capability to customize the install locations and names, but there’s no indication in the reports from Fortinet and AlienVault that such a feature is available in MacSpy or MacRansom, making these quite easy to detect.

MacRansom is created with a custom “trigger date,” after which time the malware detonates and encrypts the files in the user’s home folder, as well as on any connected volumes, such as external hard drives. As happened with KeRanger, which had a 3-day delay before encrypting, this delay will likely mean that few people who are using security software will actually be affected, as the malware will probably be detected before it encrypts anything.

Further, the encryption uses a symmetric key – meaning that the same key is used both to encrypt and to decrypt – that is only 8 bytes in length, making it rather weak and relatively easy to decrypt. However, the key creation process involves a random number and the resulting key is apparently not saved to the hard drive or communicated back to the authors in any way, making it impossible to decrypt the files except via brute force.

After encryption, the malware will display a pop-up alert informing the user of what must be done to decrypt the files, and will continue to reappear even if the user clicks the “Destroy [sic] My Mac” button. The malware does not save any copies of that information to files on the hard drive, as is typical of most ransomware.

MacSpy is fairly simple spyware, which gathers data into temporary files and sends those files periodically back to a Tor command & control (C&C) server via unencrypted http. It will exfiltrate the following data:

  • Screenshots (taken every 30 seconds)
  • Audio captured via microphone
  • Keystrokes*
  • Clipboard contents
  • iCloud photos
  • Browser data

In the case of keylogging, the malware requires an admin password, which can be provided in the email requesting a copy of the malware. This requires that the attacker knows the password for the target Mac in advance.

If the attacker pays for the malware, they will get additional capabilities, such as more general file exfiltration, access to social media, help with packaging the executable into a Trojan form (such as a fake image file), and code signing.

Analysis avoidance

Although neither of these programs is particularly sophisticated, they both do include some reasonably effective analysis avoidance features. Both include three methods for determining whether they are being analyzed by a researcher, in which case they shut down and do not display their malicious behaviors.

First, they will check to see if they are being run by a debugger, using a call to ptrace.

They will also parse the output from the shell command sysctl hw.model for the word “Mac”, terminating if that is not found. In a virtual machine, this command will not return the model identifier for the hardware, but will instead return a value specific to the virtualization software being used. Thus, if the output does not contain “Mac,” it is most likely being run in a virtual machine, and the most likely reason for that is that it’s being analyzed by a security researcher.

Another virtual machine check that is performed is a check for the number of logical and physical CPUs. Since the number of CPUs is simulated in a virtual machine, this is another fairly reliable indicator that the malware is under analysis.

If any of these checks fail, the malware terminates.

Fortunately, because the malware isn’t signed, it’s possible to hack the executables to bypass these anti-analysis checks and then analyze it in a virtual machine.

About the authors

The websites for the malware include an “About Us” section, in which the authors provide some information about their motivations:

We are engineers at Yahoo and Facebook. During our years as security researchers we found that there lacks sophisticated malware for Mac users. As Apple products gain popularity in recent years, according to our survey data, more people are switching to MacOS than ever before. We believed people were in need of such programs on MacOS, so we made these tools available for free. Unlike most hackers on the darknet, we are professional developers with extensive experience in software development and vast interest in surveillance. You can depend on our software as billions of users world-wide rely on our clearnet products.

I suspect that a lot of this is probably not accurate. I seriously doubt that they would really give away information about their former employers, which would provide a clue that could be used to help track them down and could be used as evidence in a trial. Further, as a security professional myself, it’s rather laughable that the best a security researcher could do for persistence is a launch agent.

Also, the lack of any way to decrypt files in a ransomware app is extremely amateurish. This means that 2/3 of the Mac ransomware that has ever existed has had no means for decrypting files so that users who pay will get none of their data back in return. Hopefully, this will make victims of future Mac ransomware reluctant to pay, which will, in turn, make it unprofitable to develop such malware in the future.

All these factors mean that these hackers undoubtedly do not have the qualifications they claim to have and are actually amateur developers with a tendency towards crime.

Disinfection

The presence of any of the following items is an indicator of infection:

~/Library/LaunchAgents/com.apple.webkit.plist ~/Library/LaunchAgents/com.apple.finder.plist ~/Library/.DS_Stores/ ~/Library/.FS_Store

Malwarebytes for Mac will detect these as OSX.MacSpy and OSX.MacRansom.

If you were infected with MacSpy, after removing it, you should be sure to change all your passwords, as they might have been compromised by the keylogging, screen captures and/or clipboard exfiltration. If your work computer has been compromised, contact your IT department to alert them to the issue; otherwise, your accounts or other information leaked could potentially give a criminal inside access to your company’s servers.

If you had a MacRansom infection and didn’t get your data encrypted, consider yourself very lucky. Start backing up your computer regularly if you didn’t already and avoid leaving the backup drive connected all the time.

If you did have data encrypted by the ransomware, it’s possible that it could be decrypted by an expert in cryptography. Although we don’t currently have information about decrypting such files, we will update this article in the future if a method for doing so is identified.

The post New Mac Malware-as-a-Service offerings appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cheers to a successful time at Infosec Europe 2017

Malwarebytes - Wed, 06/14/2017 - 09:00

With over 350 exhibitors, well over 10,000 visitors, and many widely respected speakers, Infosec Europe is one of Europe’s biggest security events. The Malwarebytes stand attracted a lot of interested people, even without our robot Zero, who had obligations elsewhere.

The new EMEA Channel Programme, hourly presentations, and visitors that were interested in using or integrating one of our products made sure that our team at the booth never got bored. Especially the sales engineers doing the product demo’s barely had time to take a break.

Our CEO Marcin Kleczynski got a lot of press requests but found the time to do one panel discussion together with yours truly and our amazing presenter Helge Husemann.

We would like to thank everyone that stopped by at our booth to attend our presentations, inquire about the channel programme, join our panel discussion, ask for product information, or even just stopped to tell us how happy they are with our software. We’ll love to see you again next year!

Click to view slideshow.

Pictures courtesy of Fieldhouse Associates. Thank you, Aislinn.

 

The post Cheers to a successful time at Infosec Europe 2017 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The numeric Tech Support Scam campaign

Malwarebytes - Tue, 06/13/2017 - 14:00

There are many different tech support scam (TSS) campaigns active at any given moment, the majority of them are fueled by malicious adverts (the browser lockers), or bundled software (the screen lockers).

Something interesting happened recently, where legitimate – but hacked – websites would redirect to a tech support scam page, not only via malvertising but also from hacked websites bearing the mark of a popular website infection.

What was particularly striking was the fact that visitors from the US (and some other locations), running Internet Explorer, were being targeted and redirected to the scam page instead of what we would normally expect: an exploit kit landing page.

In this blog, we will focus on the US campaign that is pushed both via malvertising and compromised sites and recognizable by its use of numeric domain names.

Numeric TSS

This latest tech support scam scheme can be identified by the use of only digits within its domain name. While they may look odd at first, numeric domains – as they are known – work just like any other domain names.

They can be quite expensive if kept short as they can represent a brand or have special meanings (i.e. containing the number 8, popular in Chinese culture), but are otherwise a cheap commodity.

In fact, each domain we encountered as part of this attack was registered for a mere $0.88 and came with free WhoisGuard protection for anonymity:

The numeric TSS has been around since at least early April based on this urlQuery report, with some of those domains registered at the end of March.

Domain name Creation date 6473819564947657419.win 2017-03-31 7598437654236982.win 2017-03-31 Browser lockers

Almost all browsers fail to mitigate the fake alert used by the numeric TSS, by not allowing you to normally close the page and instead of leaving little choice other than resorting to using the Task Manager to kill the offending process.

Internet Explorer

For Internet Explorer, the crooks are using mouse events to load the dialog message. Each time the mouse moves over a certain area, the same popup will reappear. You can close the page using keyboard shortcuts only (provided you do not move your cursor) but this is not something most users would be aware of.

Code:

Google Chrome

The Google Chrome version of this campaign still uses the history.pushState() trick we reported back in Nov. 2016 to freeze the browser by maxing out the CPU. This affects Chrome on Windows and Mac and is by far the most disruptive experience across various browsers.

Code:

Firefox

Firefox visitors are prompted with a username and password when the page is shown, which abuses HTTP basic access authentication to lock the browser by reloading that authentication dialog repeatedly.

Code:

Edge

Edge is actually the only browser that lets you close the page ‘cleanly’ without resorting to Task Manager or other quick shortcut combinations.

Code:

Distribution part 1: Malvertising

We caught a few malvertising chains involved in the numeric TSS but the most notable one was served from the AdsTerra ad network. One interesting thing is that we expected to see a different TSS campaign here (one that is hosted on Amazon S3).

Distribution part 2: Compromised websites

EITest is one of several campaigns that leverages compromised sites to monetize traffic via malicious redirections, typically to exploit kits such as RIG EK. It is also one of the few that is not only longstanding but has diversified itself with social engineering schemes already, such as the fake font trick.

In late May, @nao_sec blogged about some cloaking with EITest, in particular for certain geolocations. It quickly became clear that the multi-purpose EITest had yet another trick up its sleeve which was observed by others, such as Brad Duncan.

A large blurb is injected into compromised sites right before the </body> tag with a URL to the numeric TSS page. What is quite noteworthy is that the URL could have been for an ad network or even one of the gates we mentioned earlier. But instead, EITest generates the right URL directly, suggesting some kind of access to the same API used in the malvertising campaigns.

There are times when the API fails (perhaps because of takedowns) and we caught this happening:

Brad Duncan also captured a similar case via EITest, where the injected coded had a blank numeric domain but also a link to a RIG EK landing page (bug, A/B testing?).

Tech support scam

This campaign seems to fuel various call centers in India, with phone numbers generated on-the-fly and based on geolocation. While the fake alerts are an easy lead-in to scam unsuspected users for hundreds of dollars, we noticed some differences in how the scam goes down. Some call centers are outright fraudulent and go straight for the money, but others still take the time to walk you through a ‘diagnostic’.

Regardless, Microsoft would never use such ways to contact people that may be infected so you can rest assured that any phone number that appears out of the blue on your machine is not to be trusted.

Mitigation

The easiest way to get rid of a browser locker (AKA browlock) is to terminate (‘End task’) the associated browser process using the Task Manager. There are various ways to launch it depending on your operating system, but typically you can type it in the search bar (bottom left near Windows logo in Windows 10, or inside the Start Menu in Windows 7).

This does not damage your computer but you will lose websites you had opened. Having said that, the browser lock doesn’t give you much chance either to recover those anyway. After forcefully killing the browser process, you may be asked if you want to recover the pages from the ‘crash’. You are better off saying ‘no’, or else you will be back to square one dealing with the locker once again.

Conclusion

The delivery of tech support scams via compromised websites is worrisome because ad-blockers will be ineffective here, since there is no middle man (advertiser) involved to be blocked. This is why browsers play such a big role, but also where they fall short. Maintaining a blacklist of such sites is almost counter productive as the rogue domains rotate so quickly. There could be improvements on how to defeat browser lockers to give users a way out, but also perhaps to flag such pages as potentially malicious, simply based on their behaviour.

The growing number of social engineering schemes from malware campaigns is a sign that exploit kits are failing to generate enough victims these days, mainly due to their reliance on older vulnerabilities that have long been patched. Another factor is Google Chrome’s market share (close to 60%) while most current exploits are still very much Internet Explorer-centric.

Until attackers can get their hands on newer exploits, they will continue to design creative lures and adapt them to specific targets for the most impact.

Tech Support Scams – Help & Resource Page

Some examples of numeric TSS domain names:

6473819564947657419.win 7598437654236982.win 75894326984785657.win 089808456012319849851.win 28769437645567160.review 1367465423548945466.win 36546876516465456.win 15467448788975.win 1652546334798534.win 42165448125463151.win 544789942631624685.win 1317587423345278789.win 462781647864529375896239.win 547566458877948786467.win 14567996453586879.review 1894063121084890231894080.win 212655432897895349795160.win 45610897897984561087802.site 0789085614050105453286405572454.win 1987561230989456165016547084564189075132104897789415128287129.win 236846723674238468.site 712653651726438762364523546823.site 068923772895474564121755216.review

Text message:

Windows Defender Alert : Zeus Virus Detected In Your Computer !! Please Do Not Shut Down or Reset Your Computer. The following data will be compromised if you continue: 1. Passwords 2. Browser History 3. Credit Card Information 4.Local Hard Disk Files. This virus is well known for complete identity and credit card theft. Further action through this computer or any computer on the network will reveal private information and involve serious risks. </br></br>Call Microsoft Technical Department: (888)

The post The numeric Tech Support Scam campaign appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Jun 05 – Jun 11)

Malwarebytes - Mon, 06/12/2017 - 16:58

Last week, we interviewed our very own Pieter Arntz to get to know him a little better. We also touched on the importance of HTTPS and focused on a new social engineering scheme that triggers on mouse movement.

We also took a deeper look at LatentBot, a Trojan that is being distributed by the RIG exploit kit; profiled Fireball, a browser hijacker that is capable of downloading and executing other malware, advised blog readers to stop sharing photos of their X-rays to social media; and named the other groups and/or individuals who are also fighting the good fight against tech support scams.

Below are notable news stories and security-related happenings:

  • Apple Test Hints That iOS 11 Will Be The End-of-life For Outdated, 32-bit Applications. “Ahead of Apple’s Worldwide Developer Conference today, and the expected announcement of iOS 11, the company briefly removed older, 32-bit iOS applications from appearing in the App Store’s search results. The change, which appears to have been a short test on Sunday, could have impacted a sizable portion of the App Store’s long tail.” (Source: TechCrunch)
  • Tech Firms: We’re Trying To Make Our Sites Hostile To Terrorists. “In the aftermath of the London attack, Facebook, Google, and Twitter have insisted that they already work closely with the UK government to flush out the sharing of extremist content—as fresh calls to crack down on the Internet and end-to-end crypto once again surfaced following a terror atrocity.” (Source: Ars Technica)
  • Hack Back Law Would Create Cyber Vigilantes. “Tom Graves (R-GA) released an update to the initial Active Cyber Defense Certainty Act (ACDC) that intends to exempt victims of cyber attacks from being prosecuted for attempting to hack back at their attackers under the Computer Fraud and Abuse Act (CFAA). If enacted, the law allows organizations that are the victims of hacks to conduct their own hacks to identify the assailants, stop the attacks or retrieve stolen files. At a high level, it makes sense. In practice, it is ridiculous.” (Source: CSO)
  • Stealthy DDoS Attacks Distract From More Destructive Security Threats. “Despite several headline-dominating, high-volume DDoS attacks over the past year, the vast majority (98%) of the DDoS attack attempts against Corero customers during Q1 2017 were less than 10 Gbps per second in volume. In addition, almost three-quarters (71%) of the attacks mitigated by Corero lasted 10 minutes or less.” (Source: Help Net Security)
  • WannaCry Exploit Could Infect Windows 10. “WannaCry targeted a Server Message Block (SMB) critical vulnerability that Microsoft patched with MS17-010 on March 14, 2017. While WannaCry damage was mostly limited to machines running Windows 7, a different version of EternalBlue could infect Windows 10.” (Source: Dark Reading)
  • Why Two Factors Are Better Than One. “In fact, a recent study conducted by the Pew Research Center illustrates why reliance on the single factor of ID and password may not provide sufficient protection. The study found that 39% of online adults have shared their password to one of their online accounts with a friend or family member. In addition, 25% admit that they often use passwords that are less secure because simpler passwords are easier to remember.” (Source: InfoSecurity Magazine)
  • Singapore, Australia Forge Cyber Security Ties. “In a two-year memorandum of understanding (MoU) inked by the two countries on 2 June 2017, the Cyber Security Agency of Singapore and the Australian government will conduct regular information exchanges on cyber threats, share best practices to promote innovation in cyber security and build cyber security capabilities.” (Source: Computer Weekly)
  • The End Of Net Neutrality Could Shackle The Internet Of Things. “Net Neutrality isn’t the simplest concept to grasp. Explaining it works best via example: Net neutrality means, say, that internet providers like AT&T, Comcast, and Verizon, which also have their own television and streaming video services, can’t create ‘slow lanes’ for competing services. They can’t gum up traffic from sites such as Netflix and Dish’s SlingTV in favor of their own.” (Source: Wired)
  • Russian Hackers Control Malware Via Britney Spears Instagram Posts. “A group of Russian-speaking hackers has been attacking multiple governments for years now. Not only that, but they also experimented with different methods of conducting those attacks with the help of the social media websites. Their approach was pretty clever, and they used those sites for concealment of the espionage malware.” (Source: HackRead)
  • Slack, Telegram, Other Chat Apps Being Used As Malware Control Channels. “Researchers at Trend Micro took a closer look at platforms including chat programs, self-hosted chat clients, and social networks to see whether their application programming interfaces (APIs) could be turned into C&C infrastructure. API refers to definitions, protocols, and tools that a program uses to interact and perform specific tasks.” (Source: Dark Reading)
  • Google Ads For Tech Support Scams – Would You Spot One? “According to Bleeping Computer, the dodgy campaign was spotted on Friday by a US user who posted his observations to a StackExchange thread. The user said that a coworker had searched for ‘Target’, clicked the top result – which was an ad – and was redirected to a phishing page that was rigged up to look like a Microsoft tech support page that wanted him to call a ‘tech support number’.” (Source: Sophos’s Naked Security Blog)
  • This Russian Vending Machine Will Sell You Fake Instagram Likes. “For years, those hungry for online validation have bought fake likes, faves, or followers for every social media site imaginable. In exchange for a small sum, dozens of sketchy websites promise anywhere from a couple dozen likes on a single Instagram photo, to a million Twitter followers.” (Source: Motherboard)
  • Worried About Election Hacking? There’s A Fix For That. “Revelations regarding top-level inquiries into a cyberattack launched by Russian military intelligence agents on an American voting-systems manufacturer, and of an apparently related attempt to hack the e-mail accounts of local election officials around the United States shortly before the 2016 presidential election, should turn the attention of Congress toward the need to secure this country’s extraordinarily vulnerable electoral processes.” (Source: The Nation)
  • 14-year-old Japanese Student Caught For Creating Ransomware. “The cyber criminal community is quite active is developing nasty ransomware to infect unsuspecting users and demand a large amount of money in return. But who could expect a 14-year-old to develop a ransomware malware on his own?” (Source: HackRead)
  • Al-Jazeera Reportedly Hit By Systematic Hacking Attempts. “Al-Jazeera, the Doha-based broadcaster owned by the ruling family of Qatar, says the websites and digital platforms of Al-Jazeera Media Network, its parent company, ‘are undergoing systematic and continual hacking attempts.'” (Source: Help Net Security)
  • Sleeping Giant, Botnets Pose Threat As Ransomware Attacks Decline. “Botnet operators are capable of using their malicious networks to execute virtually any task with a success rate of close to 100 percent, according to a June 7 ESET security blog post. These task could be anything from sending spam, distributing ransomware, carrying out DDoS attacks, or cheating advertising networks, or mining Bitcoin, all of which could change on a whim.” (Source: SC Magazine)
  • Internet Cameras Have Hard-coded Password That Can’t Be Changed. “Security cameras manufactured by China-based Foscam are vulnerable to remote take-over hacks that allow attackers to view video feeds, download stored files, and possibly compromise other devices connected to a local network. That’s according to a 12-page report released Wednesday by security firm F-Secure.” (Source: Ars Technica)
  • Malicious Android App Installs ‘Impossible To remove’ Adware. “The IT Security researchers have discovered a new malware that is essentially an Android Package or APK masked as a cleaner app called Ks cleaner and tricks the users into downloading a security update. Once the update is installed, the malware cannot be removed.” (Source: HackRead)
  • I Admit It, I’m A Cyber Security Professional And I Fell For A Phishing Email. “Both emails lacked any attachments that could have aroused suspicions. On both emails there was a call to action – a ‘Renew your Business Name’ link was in the ASIC email, and a ‘View Your Bill’ link was in the Origin email.” (Source: CRN)
  • Don’t Like Mondays? Neither Do Attackers. “Monday may be our least favorite day of the week, but Thursday is when security professionals should watch out for cybercriminals, researchers say. Timing is everything. Attackers pay as close attention to when they send out their booby-trapped emails as they do in crafting how these emails look.” (Source: CSO)
  • Keeping Threat Intelligence Ahead Of The Bad Guys. “Over the course of my recent series on establishing a cybersecurity portfolio, I’ve recommended five steps for businesses to engage in as they determine the security investments that are right for them: 1) Determine Needs; 2) Allocate Spending According to Risk; 3) Design Your Portfolio; 4) Choose the Right Products; and 5) Rebalance as Needed. These steps are akin to the process you would go through with your broker when creating a strong financial portfolio, with a diversified spread of investments and an adaptable strategy that can change along with your needs at a given time.” (Source: Forbes)

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (Jun 05 – Jun 11) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Please stop posting your X-rays to social media

Malwarebytes - Fri, 06/09/2017 - 14:00

Social media is fun. Posting pictures and sharing them with friends is a great technology. But please, we beg you, stop posting your medical imaging results to Instagram, Twitter, and Facebook. Why? What if you get a gnarly fracture from a really awesome snowboarding stunt and you want to share your battle wounds? Let’s start small and see where an X-ray or MRI can take us.

 

Personally Identifiable Information Click to view slideshow.

Depending on the facility, your X-ray or MRI might have your full name, date of birth, social security number, name, and the name of the facility in question. This much information is good when your doctor needs to know with 100% certainty that you are you and are tied to your medical records. It’s bad when it’s on Twitter.

 

Doxxing Click to view slideshow.

Disclosure of one piece of personal information feels inconsequential. But multiple, low-value pieces of information disclosed on multiple platforms can yield an analytic chain that can uncover more serious data. For an X-ray, your name, and the name of a hospital seem fairly trivial and non-threatening. But the hospital name provides your probable city of residence, which in conjunction with your name, often provide property, tax, and voting records. Public data brokers often organize their best guess matching name and phone number by the city.

Meaning: a bad guy holding his target’s X-ray can have hard validation on the city of residence, which in turn allows him to validate anything else of yours he steals to exclude other people with the same name. It’s a neat trick, with the only real defense being to not post personal information online if its something you can’t change easily. (Your fingerprint, city of residence, name, etc.)

Endangering your hospital/doctor’s entire network

And sometimes the machines taking the pictures can be networked. (Yes, there is an absolute landslide of issues surrounding why and how an X-ray machine should be connected to a network, but that is a series of blogs for another time.) Take a look at this X-ray:

Public facing server redacted

This person has wisely cropped out their own name, but if you check out the bottom right corner, you’ll see the active user account in the program. Not extremely alarming, but further is “Server: [redacted].” Very, very alarming! Perhaps the server receiving the image is a local machine that’s aair-gapped from the Internet but needs to receive images from multiple machines in an office or hospital. (If you are a security professional reading this, we know that this is extremely unlikely.) So, taking the server name and plugging it into a public metadata search tool, we find:

  • The image was taken in 2014, but the server is still active as of writing
  • The server is web facing
  • The WHOIS on the web server is public
  • All of the server’s subdomains are enumerated
  • Traversing the subnet reveals what is most likely a medical record server

Yikes. Medical infrastructure security has problems. A lot of problems. But while the responsibility for an insecure network lies with the organization running it, posting photos that have exploitable information is also not a great thing. Given that vulnerabilities in the medical space can have catastrophic consequences, we should take extra care before exposing any data from inside a hospital or doctor’s office.

But I really, really want to post pics!

Use a crop tool. On a Mac, Command+Shift+4 brings up a resizable frame that can be used to crop out data that is none of the Internet’s business. On a PC, Select the Start button, type snipping tool in the search box on the taskbar, and then select Snipping Tool from the list of results. Remember that you are not only cropping out your information, but also the medical facility’s.

Click to view slideshow.

On Instagram, you can follow the instructions here to crop your photo. On Twitter, maybe you just shouldn’t, unless your account is private.

A good question to ask before you post is “Do I want people I don’t know to have this information, and do whatever they want with it, for as long as they want?” If the answer is no, take a pause before hitting submit and check out our post here on securing your social media profile.

The post Please stop posting your X-rays to social media appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New social engineering scheme triggers on mouse movement

Malwarebytes - Thu, 06/08/2017 - 18:49

One of threat actors’ favorite malware delivery schemes is social engineering as it remains highly effective against a variety of targets. Malicious spam, in particular, is one of the biggest threats enterprises are facing today in the form of daily deliveries of fake invoices, contract, and other receipts.

Those attachments can be scripts, PDFs, or Microsoft Office documents, the latter often containing macros designed to retrieve a malicious payload as soon as users activate them. Today we take a look at a sightly different delivery mechanism that does not rely on macros or exploits, but rather a built-in functionality in PowerPoint to run external programs.

This attack abuses the hyperlink feature to launch a Powershell command as soon as the user moves their mouse cursor over that link. The typical attack scenario is described in the diagram below.

Malwarebytes users were already protected against this threat thanks to our Application Behavior Protection:

Time will tell whether this new infection vector gains popularity among the criminal element. The fact that it does not need a macro is novel and triggers on mouse activity is a clever move. There is no doubt threat actors will keep on coming up with various twists to abuse the human element.

The post New social engineering scheme triggers on mouse movement appeared first on Malwarebytes Labs.

Categories: Techie Feeds

LatentBot piece by piece

Malwarebytes - Thu, 06/08/2017 - 15:00

LatentBot is a multi-modular Trojan written in Delphi and known to have been around since 2013. Recently, we captured and dissected a sample distributed by RIG Exploit Kit.

The main executable is a persistent botnet agent which downloads additional modules and reports about the performed activities to its Command and Control server. Depending on the modules that have been installed, LatentBot has various capabilities, including:

  • Act as a keylogger and form grabber
  • Steal cookies
  • Run a Socks Proxy from the victim system
  • Give remote access to the attacker (VNC / Remote Desktop)

In this post we will describe those modules by taking apart several layers of obfuscation and encryption in order to reveal their true nature.

Analyzed samples

Downloaded modules, injected into svchost:

Behavioral analysis

After being deployed. the original sample installs itself and deletes the sample from the original location. It injects into svchost the initial module (60c3232b90c773ed9c4990da7cc3bbdb). That module performs another injection (of module: b622a0b443f36d99d5595acd0f95ea0e)  – into Internet Explorer (iexplore.exe):

The module injected in the iexplore.exe process is responsible for establishing connection with the CnC and downloading submodules.

At this stage, LatentBot creates two groups of registry keys:

...\Software\Google\Update\network\secure

In the key named “0” the initial PE file is stored:

Another, encrypted key is added under:

...\Software\Adobe\Adobe Acrobat

The data under the key “in” is encrypted by a custom algorithm, typical for the LatentBot, that will be described further (it can be decoded by a dedicated application). After decoding, it gives the path where the malware installed itself, i.e.:

C:\Users\tester\AppData\Local\Microsoft\Windows\shfdnoh.exe

If the CnC is active and the bot managed to download sub-modules, they are run injected into new instances of svchost:

The main module is deployed with a parameter: -l MxN4ViazcD

This parameter specifies a group id where the bot belongs (also encrypted by Latent Bot’s custom crypto).

MxN4ViazcD -> Group 1

Also, the registry keys related to the new modules are added under:

...\Software\Google\Update\network\secure

Decrypted names of the modules are very descriptive:

FtUFJu5xP3C -> formgrab hdtWD3zyxMpSQB -> Bot_Engine l551X+rNDh3B4A -> Found_Core QdG8eO0qHI8/Y1G -> send_report QdW/DoI2F9J -> security RRrIibQs+WzRVv5B+9iIys+17huxID -> remote_desktop_service VRWVBM6UtH6F+7UcwkBKPB -> vnc_hide_desktop w97grmO -> Socks

Some of the modules are collecting data on the victim machine, and saving them in the %TEMP% directory in encrypted form:

Further, they are being uploaded to the CnC.

Persistence

The basic persistence of Latent Bot is simple. The initial sample is copied into:

C\[current user]\AppData\Local\Microsoft\Windows\<random_name>.exe

It is executed on each system startup thanks to a simple Run key:

Once the main module is run, it is responsible for decrypting all the submodules from the registry and loading them.

Network communication

The bot starts communication with CnC by sending a beacon. If the beaconing went successfully, it starts to download additional modules in encrypted form. They are pretending to be .zip files:

The beacon is encoded by two algorithms: Latent’s custom encryption and then Base64:

QWRsN2srdjlxUUdDYVp0aTBMUzl2cStzY0pOR3VkWlNtc3Q1VzduWlJ2SHZ6QjJhNEtuTFo3RUNobVlOKzJMbDE0TWxBUXR2NXdxelBtSk1aeDNaNVRlaVdzdFVhZG5IK0JwcEp3NkFXVTlVc3JJYWpKa3VzTnlSbUE=

Base64 decoded:

Adl7k+v9qQGCaZti0LS9vq+scJNGudZSmst5W7nZRvHvzB2a4KnLZ7EChmYN+2Ll14MlAQtv5wqzPmJMZx3Z5TeiWstUadnH+BppJw6AWU9UsrIajJkusNyRmA

Latent custom decoded:

forum?datael=US-70-789548274695&ver=5015&os=5&acs=1&x64=0&gr=Group 1&random=mxmgkuusrfqdotm

As we can see, it contains data about the infected machine, as well as the group name and a random token.

However, not all the communication is encrypted. Some of the further requests are very verbose. Name of each action is identified by a string, in capital letters. Examples:

Client beacons to the server by a HELLO command. In return, the CnC gives it a cookie that is further used as an ID. The content posted between the client and the server is encrypted:

Analyzing the traffic, we can find that the bot sends to the CnC some stolen data, packed as Cabinet format. The content inside is encrypted by a custom encryption algorithm, typical  to LatentBot, that will be described later. The file is uploaded using HTTP PUT method:

Inside

The original sample of Latent Bot, that is distributes in campaigns, comes packed with a crypter. After removing this first layer, we get a loader with the following structure of sections:

All the used strings are obfuscated – particular chunks of the string are being moved to consecutive variables:

The basic role of the main element is to to make injection into svchost.exe. In the memory of svchost.exe, another PE file is unpacked and loaded:

If we dump this file, we find another stage. Starting from this element, all further pieces of Latent Bot have some common patterns. They are written in Delphi, and their strings are obfuscated by the same set of functions. Example:

In order to defeat this obfuscation I prepared a dedicated IDA script (latent_dec.py). Not much of the other obfuscation techniques has been used, so after applying it, the code looks much more understandable:

Another thing, typical for LatentBot’s pieces are the resources following similar schema. The current sample comes with 2 resources: CFG and R. Both of them are encrypted:

This element unpacks another module (b622a0b443f36d99d5595acd0f95ea0e), that is injected this time into iexplore. The new module has resources with a structure similar to the previous one. It’s CFG file contains strings encrypted by an algorithm typical for this bot:

The configuration of this element contains the bot group ID and the CnC address:

MxN4ViazcD -> Group 1 j5kmNVnZPcAt18wWBH3kfMOzGQ6ENA -> http://104.232.32.101/ Modules

The main element of the LatentBot  is an engine downloading and managing the modules. Each module of LatentBot have some different task to do. Overall, it has capabilities of a typical RAT and stealer. Downloaded submodules are various for various samples. In the analyzed one, elements with the following names has been fetched:

  • formgrab-128521-2
  • Bot_Engine-641712-8
  • Found_Core-147200-2
  • send_report-325310-77
  • security-945874-2
  • remote_desktop_service-828255-2
  • vnc_hide_desktop-590642-47
  • Socks-400578-2

Let’s have a look inside some of them…

Bot_Engine Module

As the name states, this is the main module of the bot. It is responsible for the communication with the C&C and loading the plugins.

It fingerprints the environment and send the collected data in the beacon to the CnC.

'tkNFKRA' -> '&ver=' 'tA8OqC' -> '&os=' 't4M5zB' -> '&av="' 't4c85aF' -> '&acs=' 'tct4rwD' -> '&x64=' 'tgszOD' -> '&gr=' 'tMc36A' -> '&li=W4' 't89KWAf3QyCh' -> '&plugins=' 'to8KKL6mYGs8' -> '&errcode=' 't08rKTC' -> '&bk=1' 't08rKXC' -> '&bk=0' 'tEMeVgHimC' -> '&note=1' 'tEMeVgHinC' -> '&note=0' 'tsMSYj/L' -> '&dom=1' 'tsMSYjvL' -> '&dom=0' 'tw9sex5WXDzsMB' -> '&sockslog=' 'tk9H0psjw5Wv' -> '&vncpass=' 'tkNGWE8KNC+N' -> '&vidtype='

Example – checking installed AV products:

The dedicated function contains a long list of the directories that are checked,i.e.

This module gives to the attacker remote control on the victim’s environment by executing various commands, such as:

'/tKvXgFBlB' -> 'testapi' 'slx6nfFi' -> 'get_id' '5J5eN0Wp9A' -> 'restart' '4FEa7FfTRCI' -> 'shutdown' 'nxRY+d/E' -> 'logoff' 'slx6nLVh9Et/qqi2eUpf9D' -> 'get_label_engine' 'slx6nLVh9Et/qOCYBWP' -> 'get_label_load' 'slx6n7kxqMcKNsq0UkmG' -> 'get_plugin_list' '7hfCrPhOfgfTX28h8TZS' -> 'plugin_stop_all' '7hfCrPhOfkfbTM6EplCNCN1d' -> 'plugin_restart_all' '7hfCrPhOfg+PtNcXVAc8JLsPUA' -> 'plugin_clear_storage' '41l3p17Xus/kRtagq7ObrZEM/WucXWH' -> 'stop_engine_and_plugins' '+FJV1v6mXl5SW7r8cB' -> 'uninstall_all' 'slx6njktomFaQ0F' -> 'get_version' '7hfCrPhOfgfTX2M' -> 'plugin_stop' '7hfCrPhOfkfbTM6EplC' -> 'plugin_restart' '7hfCrPhOfgfTX28h8bppqx+bZm/CQDXSnB' -> 'plugin_stop_and_uninstall' '7hfCrPhOf4vfz5NHktwwJB' -> 'plugin_uninstall' '7hfCrPhOfgfTZiCd' -> 'plugin_start' '7hfCrPhOfgfTZiCdhJwYvUM' -> 'plugin_start_auto' '7hfCrPhOfgfTX28h83I9CD' -> 'plugin_stop_autox' 'slx6n7kxqMcKNsazBUKWvC' -> 'get_plugin_start' 'o5SQ6EkjlBwmdJhahA' -> 'clear_cookies'

Example – fragment of the function stealing and clearing the cookies:

After completing a task, it also sends a report about the operation status:

Security Module

This module performs extended environment check against various security products. Looking at the resources, we can find three elements: DFX, VBL, FDL containing lists of strings encrypted in the typical way:

Decrypting them gives an extensive list of the checked paths: DFX , VBL, and modules (exe, dll, sys): FLD

Formgrab Module

In comparison to other modules, this one does not contain string or API obfuscation.

We can find it grabbing the content of fields of the windows:

…and tapping the typed keys:

Foud_Core Module

This is the only module that has been written in C++ instead of Delphi. It comes with a default icon added to Windows projects by Visual Studio.

It’s original name is installer.exe and it exports various functions, that can be used to make injections into 64 bit applications:

It has various features that are different from other modules, i.e. lack of string obfuscation. Performed actions are reported by debug strings, that are stored inside the binary as open text, i.e.

The compilation timestamp of this executable points at the February of 2017: 2017:02:28 18:21:01+01:00. This element was not observed in previous years, so probably indeed it is added this year, to expand injection capabilities of the LatentBot to 64 bit processes.

Conclusion

LatentBot has been around for several years, however, looking at the modules we can find out that it is still being actively maintained. The distributed package is a mixture of old and new modules.

The authors of this bot are not very advanced in malware development. They program in Delphi and use some ready-made templates. Also, the obfuscation they use can be easily defeated. However, they delivered a bot that is very rich in features and easily expandable, thus, it still poses a serious threat.

Appendix

https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/ – Polish CERT on LatentBot (December 2016)

https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html – FireEye on LatentBot (2015)

https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access – CyS Cenrtum report (2015)

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

The post LatentBot piece by piece appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Adware the series, part 5

Malwarebytes - Thu, 06/08/2017 - 14:00

In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

In this part of the series, we will be focusing on cases where the process we found as the one that was showing the advertisement was not the actual culprit. We will demonstrate how to use Process Explorer to see which handles, DLL’s and parent processes are involved. Which is a relatively easy way to figure out what a process is doing.

Process Explorer

As mentioned before the tool we will be using for this episode is Sysinternal’s Process Explorer. At the moment I was writing this post the current version of Process Explorer was v16.21. To view DLLs and handles you will need to enable the Lower Pane view and set it to DLLs or Handles respectively.

To enable the Lower Pane View, click View > and put a check-mark in front of Lower Pane View. Then if you hover over the Lower Pane View option you can either select DLLs or Handles.

Parent process

But let’s have a look at the parent process first. When you toggle the header of the Process column you will notice one configuration (like in the screenshot above), where the processes are shown in a tree-like fashion. The other configurations are alphabetical and reversed alphabetical. The tree-like representation allows you to see which process started the one(s) listed under it. Example: the processes listed under “explorer.exe” have explorer.exe as the parent process. Which in the case of explorer.exe often means that the user double-clicked the executable or a shortcut to that executable. But in cases where a browser window is showing you an advertisement, it can be interesting to see which process is the parent process of the browser process, because that could be the one you are after.

DLLs

Dynamic Load Libraries (DLLs) are files that can be used by other executable files. They often contain functions or other pieces of code, that can be called by name or entry point. In this way, the code in the library can be executed as part of the running process. To see all the DLLs that are in use by one process, you can look at the Lower Pane. Tip: if you want to present this list to someone to get a second opinion, you can select the process in the top window, then click

Tip: if you want to present this list to someone to get a second opinion, you can select the process in the top window, then click File > Save As and save the resulting text file.

Tip: sort the Lower Pane by Company Name so you can easily skip all the Microsoft Corporation files. This will usually limit the number of DLLs you need to look at to a few.

Handles

Handles are a good way of looking whether a process is using certain resources like ports, sockets, and files. And the beauty of Process Explorer is, that if you know which handle you are looking for, you can search for that handle. For example, if you want to look at which processes have a handle on the counters.dat file, which is often shared among many internet connected processes, you can click Find > Find Handle or DLL… and then type the name of the resource in the prompt to get a list of processes that have a handle on it.

When in doubt, you can enable the Virustotal lookup of handles by clicking Options > VirusTotal.com > Check VirusTotal.com. This will send the hashes to Virustotal, a free service that analyzes suspicious files and URLs. With a bit of luck, you will notice a detection in the list that you would have missed if you had only checked the list of processes against Virustotal.

When you right-click a Handle, you will see the option to Close Handle. Releasing these handles can sometimes help when you encounter files that are undeletable because they are in use. By closing all the handles these files will become deletable as they will be no longer in use.

Example

Let’s use some adware, as an example, that uses your default browser to open advertisements. On this system, Firefox is the default browser. Every time I open Firefox I will get a new tab with a different advertisement (all redirects in this case).

It is obvious that the process is firefox.exe and a quick examination tells me there are no extensions at play and no active proxy is present. A little deeper investigation showed no LSP or DNS hijacks.

So I looked at my list of installed programs and saw something unknown, which was also suspicious because it has no Publisher and no Version, and the install date happens to match the date the advertisements started.

So I performed a search for DLLs and Handles with Process Explorer and found the QIPApp in quite a lot of processes and it even has a process with the same name.

In this case, the uninstall worked and the adware was gone after a reboot, so we didn’t have to remove it manually. We also could have used Malwarebytes to remove it, but I used it as an example to demonstrate the method of investigation.

See you next time when we will tackle the ones that are a lot harder to find and remove.

Index

Part 1

  • Identify the process
  • Clear browser caches
  • Remove browser extensions

Part 2

  • Proxies
  • Winsock hijackers
  • DNS hijackers

Part 3

  • Type of software
  • Uninstall
  • Remove file
  • Replace file

Part 4

  • Scheduled tasks
  • Services

Part 5

  • DLL’s
  • Handles
  • Parent process

Up next, part 6

  • ADS
  • Rootkits
  • Fileless infections

 

The post Adware the series, part 5 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fireball Chinese malware and you

Malwarebytes - Wed, 06/07/2017 - 22:54

By now, you might have heard about an adware infection operation that has allegedly spread to 250 million systems called Fireball.  The threat intelligence and research teams at Check Point wrote a blog post last week describing the operation, what the threat does, the system, and the alarming potential the malware has for doing some serious damage.

Fireball the malware:

Fireball is currently being used as a browser-hijacker being frequently installed through bundling (the same infection method that brings you most of the PUPs we detect) modifying the default start page for your browsers as well as changing default search engines to the Rafotech search engine (the company that created Fireball).  Also, it utilizes tracking pixels to collect private information about the user and their browsing habits.

The best case

As mentioned before, Fireball is most frequently classified as adware or malware that exists solely to push users to specific web pages and serve them loads of advertisements, getting paid on the back end through all the clicks the ads get by unwilling users. With this in mind, the best scenario is that Fireball continues just to be adware, being annoying and disruptive but not overly dangerous.

The worst case

Fireball also happens to have some additional features that make many security researchers very nervous; this includes the ability to download and execute additional malware.

When you think about 250 million endpoints being infected with this adware and any day it could just decide to drop and execute any malware on the system, it will make you nervous too.  Here is what could potentially happen in the worst-case scenario:

  • Fireball drops a botnet malware family on all the endpoints, turning it into the most powerful Distributed Denial Of Service weapon ever created, which could be used for taking down the web servers of critical infrastructure, competitor websites, game servers, social media and even our unfortunately designed internet backbone (registrars and top level DNS servers) which could prevent many people from accessing their favorite websites.
  • Fireball drops ransomware on the systems and then waits to get paid, disrupting millions of systems and the users and organizations that rely on them
  • Fireball drops any other malware (or a combination of malware) and can steal credentials, spy on users, hijack social media and communication accounts or just use the whole thing as a massive spam spreading operation.

Why this might not happen

Education is key when it comes to dealing with new cyber threats, Check Point did a fantastic job bringing this infection to the eyes of users at large and the media, it has had a lot of coverage over the last few days and hopefully folks are scanning their systems and removing unwanted plugins to help reduce the power this adware operation has to do anything worse.

In addition to that, while Rafotech (who created Fireball) is using the infection to spread advertisements, they are sitting in a legal gray area and shutting them down would be a bit difficult without some serious international cooperation.  However, if Fireball started spreading additional malware, like ransomware or bots, then you’ve got an international crisis on your hands, and law enforcement for every country affected knows who the culprit is, safe to say it would be a bad move.

The worst, worst case

In a nightmare universe, the backend command and control systems that decide what Fireball does is compromised by malicious actors who then drop all kinds of nasty malware on the systems.  If that were to happen, you would still have the international crisis but no attribution.

You can guarantee though, that even if the attackers cannot be stopped, Rafotech would take a lot of heat and face serious charges for their involvement in creating this threat, not securing it correctly and handing a nuke to whatever cybercriminal wanted it.

Removing yourself from the problem

Obviously, if your system is infected with Fireball then not only is your safety an issue but also the safety of every other system on the internet. It is easy to weaponize an infected system to be used for direct DDOS attacks, act as a proxy for traffic (hiding the bad guys) to spread malware itself in the case of some spambots.

So, how can you remove your system from being used in this way? It’s pretty easy actually.

  • Check your browser

Are you being redirected to the Rafotech search engine or feel like you’ve seen an immense amount of advertisements being pushed to you without provocation recently? If either of those is true, it’s likely you are infected with Fireball.

  • Run a scan

Your first step is to download, install, update and scan with Malwarebytes 3.0.  This will identify any artifacts on the system belonging to the threat; we detect Fireball as “Adware.Elex.”  We know exactly what Malwarebytes can detect concerning this threat, so we are only discussing remediation using our tool.

  • Find any strange browser add-ons

Fireball utilizes browser extensions and add-ons to help it complete its goal of drowning you in ads. So, you want to make sure there aren’t any that you didn’t install yourself, if you find one that looks strange, go ahead and remove them.  You can check out this resource that Facebook put together to help folks clean up the add-ons and extensions they have in their browser which may be causing problems.

  • Reset your defaults

After a Fireball infection, your default homepage and the search engine would have been modified; you can go into your browser settings to change them back to what you want or just restore the whole browser to its default state.

Conclusion

We want to thank Check Point for their fantastic analysis of this threat and bringing it to the attention of the world. We hope that those infected with this adware can find articles like this and learn how to clean up their systems before one of the worst-case scenarios listed above actually become a reality.

In the meantime, it’s best not to consider any malicious threat less dangerous than others, PUPs, adware, spyware, and others are still software installed on a system with the limitations (or lack thereof) of any other piece of software. Just because something is being used for one purpose today doesn’t mean it won’t be repurposed for something far more damaging next week.

Thanks for reading, stay alert, stay safe and we’ll catch you next time.

The post Fireball Chinese malware and you appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tech support scams: what are other people doing?

Malwarebytes - Wed, 06/07/2017 - 14:00

We’ve talked a lot about tech support scams over the past few years, typically focused on what we see ourselves, and the scammers who like to pose as Malwarebytes. But tech support scams are much bigger than that, targeting every tech company under the sun. So what are other people doing about it? Let’s take a look at some of the other players working to keep you safe.

IT Advocate

Independent researchers will occasionally conduct sting calls based on a combination of victim complaints and their own research. IT Advocate presents some of the most thorough research and professional videos in this genre, providing context to each company before they make the call.

Others who refer to themselves as “scam baiters” will present calls on Youtube, typically designed to waste the scammer’s time, or execute a practical joke. These are amusing, but also frustrating because they aren’t useful; most videos don’t disclose where they got the number, what their specific setup is, or any specific details on the company. IT Advocate, in contrast, focuses on collecting hard, actionable evidence that can be used in takedown requests to keep users safe. They publish fairly frequently and you can find their YouTube channel here.

 

Fatsecurity.com

An occasional problem defenders run into is how to effectively execute a takedown, in particular, an advertisement takedown for a fraudulent company. Scammers will register a corporate presence in the United States, set up several money mule accounts here as “payment processors”, and use US dollars to buy ads. As a result, it can be tough for an advertising company like Google to distinguish these ads from those of a legitimate tech support company. Fat Security is attacking this issue from an interesting angle, as you can see here. Rather than crowdsourcing victim reports, which can be vague or incomplete, they are crowdsourcing reporting – users who sign up will be informed of identified scams and how to report them to the proper authorities. The idea being one researcher’s report can be ignored; ten thousand users reporting the same scam demands a response. It’s a novel idea and we look forward to seeing how it turns out.

The Big’uns

Microsoft is arguably one of the most abused companies in a tech support scammer’s pitch. So how are they fighting back? They have extensive coverage of tech support scams in their blog, as well as a consumer education sheet with useful info here. (Here’s ours, by the way.)

What a lot of folks don’t realize is that they also have a reporting tool for victims and researchers to report a scam directly to them: www.microsoft.com/en-us/reportascam. When conducting threat analysis, more data tends to make for better judgments, so these types of reporting tools tend to yield good intelligence.

Symantec provides a public resource page here, as well as a reporting tool, although it appears to be a catch-all for abuse of their intellectual property.

Teamviewer is the tool of choice for scammers to gain access to your computer. Their resource page for victims here offers some good tips on how to secure your account if you have one and provides an email address to report fraudulent use of their product.

In short, there’s a wide range of researchers working hard to keep you safe from tech support scams, from the biggest names in the industry, down to single individuals working as an avocation. The more of us who pitch in makes it more likely that you won’t have to deal with a scammer. And if you’ve ever thought you were talking to Malwarebytes and gotten someone unsavory instead, please post to the comments below.

Some resources mentioned above:

The post Tech support scams: what are other people doing? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

HTTPS… Everywhere!

Malwarebytes - Tue, 06/06/2017 - 14:00

We recently updated our redirections rule in HTTPS-Everywhere, a browser extension that automatically redirects you to the HTTPS version of the website you are trying to visit. Now is a good time for us to give a short overview of how important HTTPS is. We’ll also talk about a few major HTTPS-related events that happened lately.

When we browse the web, several third-parties are able to snoop on the connection between the user and the website, including the user’s ISP, law enforcement, the website’s ISP, and other people in between.

Who can snoop on your connection without HTTPS, and what can they see? (by The TorProject)

These intermediaries are able to obtain and modify on the fly most of the information sent through the connection: the website reached, the web page name and content, the potential username and password, the user’s IP address, and more. It obviously poses a lot of problems, which is why HTTPS is now mandatory for more and more websites (public sector, banks, etc.). Using HTTP with SSL/TLS (HTTPS) hides much of information compared to the picture above:

Who can still snoop on your connection with HTTPS, and what can they see? (by The TorProject)

Now, the intermediaries only get access to the website reached and the user’s IP address. The web page name, its content, the logins are no longer exposed to whoever snoops between the user and the website. It’s also no longer possible to modify this data on the fly.

The security gain is then huge, as it’s possible to transmit sensitive data in an authenticated way without being modified. This is possible thanks to a chain of trust established between the user software (a web browser, for instance) and a third-party who authenticated the service (a website, for instance).

This third party is called a Certificate Authority (CA). There currently are a lot of different CAs and all of them need to strictly follow the guidelines in order to stay trusted by web browsers, operating systems, and other software.

Once a service requests a certificate to be authenticated, the Certification Authority proceeds to a multiple-step process in order to verify the owner identity. If it’s successful, the service will be authenticated.

A widespread adoption

However, despite the huge benefit of using SSL/TLS, anyone who requests a trusted certificate for a specific domain needs to regularly pay an expensive fee, which slows down the adoption rate.

In 2014, a new non-profit Certificate Authority was created by the ISRG with the idea to provide trusted certificates for free for everyone. The adoption was huge: Let’s Encrypt has been publicly launched in 2016 and has already delivered more than 33M certificate since then, for more than 40M domains.

Let’s Encrypt Certificates Issued Per Day

For the first time, more than 50% of total web page requests have been served over HTTPS in early 2017 and it’s still climbing.

Percentage of pages loaded over HTTPS – Google Transparency Report

This widespread adoption is definitely good news for security. However, the landscape evolves very quickly, with involved parties trying to fix the remaining problems—and introduce new ones.

Web browsers pushing harder

In order to push the adoption much further, web browsers are also taking active actions.

Recently, Google and Mozilla announced a new feature in their browsers (Chrome and Firefox, respectively): websites served over HTTP will be labeled as non-secure (whereas before HTTP websites used to be the norm and only websites served over HTTPS had a specific label):

They also announced the end of support for the SHA1 algorithm, which is still used by some Certificate Authorities despite several flaws it suffers.

Another step is the introduction of Certificate Transparency, the support of which will be mandatory for all Certificate Authorities from October 2017 in order to very quickly detect wrongly issued certificates and malicious Authorities, thus, revoking them as quickly as possible.

Last but not least, they are taking strong positions against Certificate Authorities that don’t follow the rules and best practices: Google and Mozilla announced their intention to distrust the “Class 3 Public Primary CA” Symantec certificate due to several failures to comply with the industry rules and other more recent security problems. This will revoke the trusted chain and will trigger a warning for users visiting a service authenticated with this certificate and may even block them to visit the website depending on their configuration unless Symantec changes their practices or agree to comply with Google and Mozilla requests which may be the case.

Security software playing nasty Despite all these actions to push more and more  SSL/TLS implementation best practices, a major issue still persists. Several antivirus software, middleboxes, or corporate appliances analyze web or mail connections to scan for malicious content. While it’s easy to achieve for clear-text traffic (like HTTP), it’s much more difficult to do so for SSL/TLS traffic. As pointed by the recent study “The Security Impact of HTTPS Interception”, these solutions tend to behave like spyware and play nasty with SSL/TLS while they try to decrypt it “for security reasons”. As expected, it usually puts the user at risk while breaking the security chain, reducing the connection security, and reintroducing old security flaws. Malware is seen to maliciously modify the system certificate root store (which stores the list of trusted certificates from known Certificate Authorities). They add a non-trusted certificate and set it as trusted, or remove known and legit certificate in order to break the connection to known services. The latter has been seen very recently on our forum:

List of certificates maliciously marked as untrusted by the system

But as explained, several security software programs proceed in a very similar manner. The study has used browsers legit SSL/TLS handshakes with some being knowingly intercepted by security software (and middlebox, corporate appliances) to be able to draw a comparison based on the relationship between the user agent and Client Hello messages. They used portions of Cloudflare, Firefox update servers, and several popular e-commerces websites traffic in order to get a sufficient amount of data. The results are particularly explicit by themselves: 90% of connections to Firefox servers, 32% of connections to e-commerce’s websites, and 54% of Cloudflare connections have been observed to be less secure while being intercepted.
  • On 12 famous and widely used corporate middleboxes tested:
    • 11 weaken connection security (compared to an up-to-date web browser).
    • 5  introduce several MiTM flaws
    • 10 support RC4 ciphers (broken)
    • 2 support export-grade ciphers
    • 3 do not properly validate the certificates
  • On the various security software solutions and malware tested:
    • 10 introduce several flaws (CRIME, anonymous ciphers, no certificate validation, RC2, too short DH length)
    • Some RCE vulnerabilities (triggered by malformed certificates) are regularly found in some of them
Conclusion In short, even if only a few security software have seemed to properly handle SSL/TLS interception without introducing several vulnerabilities, all of them decreased the overall security compared to an up-to-date web browser or email client. Even worse, most of the time-critical vulnerabilities otherwise fixed years ago have also been reintroduced. The updated HTTPS Everywhere rule we spoke about in the introduction is another step to help our users to stay secure while browsing our websites, as all our services are available with HTTPS. We try to stay up-to-date with the best SSL/TLS deployment practices.

The post HTTPS… Everywhere! appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Interview with a malware hunter: Pieter Arntz

Malwarebytes - Mon, 06/05/2017 - 14:00

Welcome to our new series: interview with a malware hunter. In these Q&A sessions, we’ll take you behind the scenes to get to know our malware intelligence crew. Without further ado, we present our first victim, researcher, and blogger Pieter Arntz.

Where are you from? Are you still there now?

I’m from the Netherlands. I’m there now, yes.

You speak four languages. What are they? How did you learn them?

I speak Dutch, German, English, and French. We got the basics at school and I lived in London for a time and a place near Hamburg, Germany, as well. France was a favorite vacation spot for me, so that’s how I kept up to level.

How did you get into cybersecurity?

I started participating in the forums a long time ago, helping people who had computer problems. Because of the people I met in the forums—Marcin, Doug, Bruce, Mieke [Malwarebytes company founders]—I got interested in malware, specifically adware and spyware. They were looking for someone to write removal guides on the forums. I volunteered, so that’s how I ended up in cybersecurity, working for Malwarebytes.

Did you major in computer science? How did you know how to help people with malware problems?

I studied it a long time ago at University, so I had to have some basic knowledge of code. I actually got my bachelor’s in geodesy, so we had to use a lot of computer programs of our own making to put in all the data.

How long have you been a cybersecurity researcher?

Professionally, seven and a half years. I started doing it as a hobby 18 years ago.

When did you join the Malwarebytes team? What made you join?

November 2009 is when I joined. I watched this company grow enormously, and I liked the people that worked here. It gave me a lot of freedom, and it made my hobby into my work, so what else can you want?

What makes you stay? What do you like about this line of work?

I keep on learning. It doesn’t get boring, there’s always something new. That’s what keeps me going. The people I work with, like Adam [Kujawa, Director of Malware Intelligence] and Jérôme [Segura, Malware Intelligence Analyst], know so much that I don’t know, so I’m always trying to pick their minds.

What area of cybersecurity research do you focus on? Why this area?

I specialize in adware. It’s the easiest to understand for me. It’s like a puzzle I can work out. When I started, there were people who were spreading viruses just to make a name for themselves. Now we have to deal with hardened criminals. With the money angle in mind, there is a motive to what they do. And adware is what the majority of people have to deal with nowadays.

What’s the most interesting/impactful discovery you’ve made as a researcher?

I think it was Vonteera, an adware that marked certificates for security programs as untrustworthy. Because of that, people who were infected couldn’t download security programs. I was the first person to find out how they did that. I posted the results on the blog and wrote a fix for it. After that, the adware disappeared a few days later.

What’s the biggest cybersecurity “fail” you’ve witnessed?

My previous employer had a synchronized backup to back up the system every hour. When they got a virus infection, they didn’t notice for a week, so all the infected files got written to the backup. So they lost a week’s worth of work. I was very glad I didn’t work in IT there!

Talk to me about a day in the life of a researcher. How do you conduct your research?

I start with looking at forums and see if there are any new things that people are complaining about or having problems removing. I try finding an installer for it using programs such as Cosmos and VirusTotal. If I can’t find it anywhere, I reach out to the users who are complaining and get the infected file from them. Then I look to see if I should write about it—especially if it requires additional user interaction or if it is hard to recognize the infection. Then I check Twitter and Facebook to see if there are any other new trends I need to write about. If I find something that Malwarebytes does not tackle, I let the research team know.

What tips you off that something might be malicious?

I usually can guess if something is malicious is by the way it acts and the way it’s presented. If it talks like a duck and walks like a duck, it’s probably a duck. You always can tell if a program has something to hide.

When an outbreak like the recent WannaCry ransomware attack occurs, how does that impact your work?

I was tipped off about WannaCry when I noticed on Twitter that a lot of companies were complaining. People in England were being sent home from the hospital. Alarm bells started to ring. By the time I found out what was really going on, the other researchers in America were online and together we came up with a plan. When we found the sample, everything else stopped, especially since we knew our premium products already protected our customers. Zammis [one of our researchers] started working on reverse-engineering right away. We had to get that information out there so other people could be safe.

What kind of skills does a person need to be a malware intelligence researcher?

You have to be able to follow tracks. Finding the sources of the malware is the biggest part, really. You need logical thinking and enough understanding of coding to be able to decipher the raw elements. A big part of tracking malicious programs down is understanding the money flow, the business model. If they offer something for free that promises everything you ever wanted, and there is no catch, no improved version to purchase later on, how do they make their money?

What advice do you have for people who want to break into the field?

If you really want to make a difference, then try to learn reverse engineering or hacking. If you’re a good reverse engineer, you can work for any company you like.

The post Interview with a malware hunter: Pieter Arntz appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (May 29 – Jun 04)

Malwarebytes - Mon, 06/05/2017 - 13:59

Last week, we looked at a ransomware strain that appears to be a fake version of DMA Locker. We also focused on adware that use scheduled tasks in part 4 of a series. Lastly, we talked about fake reviews and how to spot them.

Below are notable news stories and security-related happenings:

  • Healthcare Industry Continues To Struggle With Software Security. “According to the results of a recent survey, roughly one third of device makers and HDOs are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent such attacks.” (Source: Help Net Security)
  • The Need For Internet Security On Your Devices. “Cyber crime seems to be making headlines every other day. Cyber crime continues to be a growing problem for kiwi’s, costing us over $257 million per year.  This means that it’s important now more than ever to ensure that you are protected against the plethora of threats that seek to compromise your devices.” (Source: Future Five)
  • Don’t Wanna Cry After Meeting Judy? How To Secure Your Mobile From Malware. “Security firm Checkpoint on Thursday revealed that around 36.5 million Android devices were likely infected by a malware, dubbed as ‘Judy’, after downloading apps developed by South Korea-based Kiniwini and published under the name of ENISTUDIO Corp. The Korean firm developed 41 such malicious apps and was able to bypass Google’s security protocols on the Play Store, thereby making the app available for download.” (Source: Money Control)
  • China’s Tough Cybersecurity Law To Come Into Force This Week. “China, battling increased threats from cyber-terrorism and hacking, will adopt from Thursday a controversial law that mandates strict data surveillance and storage for firms working in the country, the state-run Xinhua news agency said. The law, passed in November by the country’s largely rubber-stamp parliament, bans online service providers from collecting and selling users’ personal information and gives users the right to have their information deleted, in cases of abuse.” (Source: South China Morning Post)
  • What Will It Take To Keep Smart Cities Safe? “‘Smart cities’ use smart technologies in their critical infrastructure sectors: energy, transportation, environment, communications, and government. This includes smart systems for energy management, parking management systems, public transportation information coordination, transportation sharing, traffic management, air quality monitoring, waste management, e-government, connectivity, and so on.” (Source: Help Net Security)
  • IT and Biz Leaders: Boards Don’t Take Security Seriously. “Nearly half of IT and business decision makers globally don’t think their boards are capable of effectively managing cybersecurity threats, despite the vast majority (77%) believing it is now the C-level’s responsibility, according to new research from Control Risks.” (Source: InfoSecurity Magazine)
  • Bitcoin Has Come Roaring BackBut So Have The Risks. “The big question is whether a crash is coming or whether cryptocurrencies have hit their stride. Should investors cash out now while the getting is good, or buy more now before the price climbs even higher? So far, when it comes to bitcoin, the only real rule is volatility.” (Source: Wired)
  • OneLogin Suffers Breach—Customer Data Said To Be Exposed, Decrypted. “OneLogin told fretful customers in an internal notification that they would need to work through a number of steps to secure their accounts, including generation of new API credentials and OAuth tokens. Any users served by the firm’s US data centre have been hit by the breach, OneLogin said.” (Source: Ars Technica)
  • A Recently Discovered Linux Flaw Could Be Exploited By Sudo Users To Gain Root Privileges. “Security researchers at Qualys Security have discovered a Linux flaw that could be exploited to gain root privileges and overwrite any file on the filesystem on SELinux-enabled systems. The high severity flaw, tracked as CVE-2017-1000367, resides in the Sudo’s get_process_ttyname() for Linux and is related to the way Sudo parses tty information from the process status file in the proc filesystem.” (Source: Security Affairs)
  • Kmart Point of Sale Hacked With ‘Undetectable’ Malware. “Kmart is not saying how many of its 750 stores in the US were affected by the point-of-sale (PoS) malware, but it stressed that no personal data, including names, addresses, Social Security Numbers or email addresses, was stolen. It also talked up its EMV reader implementation.” (Source: InfoSecurity Magazine)
  • Inside Google’s Global Campaign To Shut Down Phishing. “At the beginning of May, a phishing scam flooded the web, disguised as a typical Google Docs request. Some of the emails even appeared to come from acquaintances. If victims clicked through and granted seemingly innocuous permissions, they exposed their entire Gmail account to whoever was behind the scam. It was an explosive scheme. And Google responded in kind.” (Source: Wired)

Safe surfing, everyone!

The Malwarebytes Labs Team

The post A week in security (May 29 – Jun 04) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds