Techie Feeds

Free antivirus coupon leads to tech support scam

Malwarebytes - Fri, 03/03/2017 - 16:00

In a previous blog post, we showed how users were redirected to a tech support scam page via a rogue Google Chrome extension. This time we take a look at another clever ruse to trick you into calling for assistance, and ultimately getting scammed.

This scheme is actually hosted on the same domain that was running the fake Windows support we described before and our assumption is that users are redirected to this coupon page via a similar malvertising campaign.

It plays on special offers, discounts and time-limited deals to entice you to claim your product now, choosing between Norton or McAfee. After filling in your personal details (which are actually sent off to the crooks), a page simulates the offer being processed only to fail with an error message. Victims are mislead into thinking that their offer was redeemed, but that they must perform a final call to get it completed.

Click to view slideshow.

This is where the tech support scam comes in. Once you call that number, you are routed to an Indian boiler room where one of many agents will take remote control of your computer to figure out what went wrong. (Un)shockingly, the bogus technician will identify severe problems that need an immediate fix.

Despite the scam being about Norton, the technician brushes it off as useless when it comes to the real deal: “Junk is a kind of virus which is the most harmful virus“. With his technical expertise, he proceeds to highly recommend the most expensive plan, for a lifetime low price of $400.

Of course, there is nothing there, it’s a pure rip-off where once they have your money, they couldn’t care less about helping you out (for a problem you didn’t have in the first place anyway).

The crooks are using 123care.co as the placeholder to download remote software and host the payment platform:

Click to view slideshow.

There are other scam domains also hosted on this IP (166.62.1.15):

instantpccare.com quickbooks-certified.com quickbooksphonenumbers.com ip-166-62-1-15.ip.secureserver.net trckx.xyz carerequired.xyz stop-security.xyz cyber-alert-usa.xyz stopsecuritycheck.xyz before-you-proceed.xyz certifiedsupport.info pccare.site onlinetechhelp.site onlinetechsupport.site cyber-alert-usa.online call-855-345-0911.online airlinescustomer.support

Instantpccare.com is familiar and related to a previous investigation where the owner of that tech support company incriminated himself by posting a comment on our blog which shared the same IP address as the remote technician who had just scammed us.

As always, please stay vigilant online when you see free coupons or other similar offers. They often are the gateway to a whole of trouble. For more information on tech support scams, please visit our page here.

The post Free antivirus coupon leads to tech support scam appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Coachella-gate: fire in the disco

Malwarebytes - Thu, 03/02/2017 - 19:09

I’d like to make some smart references to the Coachella event, except that I’ve only heard of about  six of the acts, one of them is named after a TV show and I mean, come on…”Swet Shop Boys”?

Instead, I’ll begin by pointing out that the last time I went to a music festival was in 2001, and there was a huge riot, a power generator exploded and set my tent on fire, and I was stranded on a hill at 2AM with half a dozen firemen holding axes. I am not the right person to ask, unless you want to know about sleeping in a ditch at 2AM with no tent due to it being a smoking pile of burnt ash.

I mentioned the exploded and very much on fire generator, right?

All well and good, but what we have here is a different kind of risk, in the form of a compromised database up for grabs on the Dark Web. The data swiped includes the following:

Usernames, first and last names, shipping addresses, email addresses, phone numbers and dates of birth.

You don’t even need to know Beyonce pulled out of the event to know this isn’t a good thing, as it opens the door to very personalized phishing attempts. Smooth criminals will no doubt fire off some fake refund/special festival deals at people who may not know about the breach, so it’s crucial we heal the world by ensuring word gets out about what happened.

If, after you’ve finished working 9 to 5, you become a calendar girl and spend a perfect day mapping out upcoming events for a nice Saturday in the park—and yes, this is the obligatory section jamming in as many song titles as possible, I won’t do it again—then you should keep one hand in your pocket, and the other pointing at dubious emails (Sorry. Sorry. Won’t do it again. And anyway, it wasn’t me).

The good news is, no payment information was compromised—but by the same token, cards can be canceled and replaced. It’s a bit trickier to replace the information swiped above, to varying degrees of difficulty and/or time-wasting inconvenience. Lots of techniques exist for spotting a fake mail and more often than not a few moments of fact checking works wonders.

If you’re off to Coachella this year, have a good time and remember to go directly to the source where all email missives are concerned. There may be dancing in the street in California, but the man who sold the world—and quite possibly your home address—is still in no immediate danger of having some Folsom city blues.

 

Chris “Martin” Boyd

The post Coachella-gate: fire in the disco appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Australians beware: myGov phishing on the prowl

Malwarebytes - Thu, 03/02/2017 - 16:00

In Australia, myGov is a “simple and secure way to access government services online”.

  • Secure access to a range of government services using one username and password
  • A single inbox for your messages from Centrelink, Medicare, Child Support and the Australian Taxation Office
  • A quick and easy way to advise selected member services about changes to some of your personal details

Unfortunately, phishing campaigns happily target such services given the plentiful data a successful scam can harvest with relative ease. Here’s a nasty one which was doing the rounds a week or so ago via email:

Australian government and myGov must verify your identity!

This is a notification email only. Please do not reply to this email as this mailbox is not monitored.

This is a message from the myGov team.

Australian government and myGov must verify your identity – (Part 4.2, paragraph 4.2.13 of the AML/CTF rules).

Click “Go to myGov” and start the verification process.

Thank you

The URL – which we’ve reported and has been taken offline – seems to have been a compromised website, located at

peletycmc(dot)sk

The landing page is a carbon copy of the real myGov login screen and asks for a myGov username and password.

For a more typical phish, that might be as far as the scammers go; here, the data grab is rather spectacular as we progress to the next page:

The text reads as follows:

Australian Government and myGov must verify your identity – (Part 4.2, paragraph 4.2.13 of the AML/CTF Rules).
To upload your identity documents please use the ‘Browse’ button.

Important Tips
Ensure that you upload a high quality copy of the front and back of your licence and that it is straight and not on an angle. We only accept valid Australian Drivers Licenses.
Ensure that you upload a high quality copy of your passport and that it is straight and not on an angle. We only accept valid Australian Passports.

Front of Australian Drivers License Unlinked
Back of Australian Drivers License Unlinked
Australian Passport Unlinked

Yes, that is the phishing page asking the victim to browse their PC and upload copies of their passport and front/back of their driver’s license. They’re not done yet, however, presenting them with a dropdown urging the victim to “Link their banking account”. This is where things become very interesting – note the design change. It still says “Australian Government – myGov” at the top, but we’re suddenly presented with narrow rectangles, almost like we’re looking at a totally different style of site:

There’s multiple banks listed, but only two are able to be selected – Citibank and Commonwealth Bank. Regardless of which one is picked, the scammers then ask for:

Client number and password

Mother’s maiden name
Phone number
Telephone banking passcode

Note the first reference to something called “Poli ID”. At this point, it simply appears to be “some bank stuff” related to the overall process and probably wouldn’t attract too much attention. It’ll become important later.

For now, the scammers stick with the theme of mobile banking:

A one time PIN has been sent via SMS to your registered mobile. Please enter the 6 digit OTP below and select continue.

The scammers send the bank info via: [form id=”stpForm” action=”safe2(dot)php” method=”post” name=”date”], and then we see what claims to be an attempted payment failure message, via some code in the page’s HTML:

 

Polipay is an Australian payment system which allows you to “use your internet banking to securely pay for goods and services”. If you’re a website owner, you can potentially become a merchant and integrate payment facilities into your site.

As it happens, both Citibank and Commonwealth Bank can be used with Poli – which are the only two banks the phish page lets you choose from. The scammer is – for reasons known only to them – popping a hardcoded “payment failed” message to the tune of $1,000 (Australian dollars?). The supposed attempted payment appears as though it’s being sent to a Bitcoin wallet via Coinspot(dot)com, listed in the code under the “merchant” tag.

Here is the failed payment attempt message that pops no matter what you do:

What the phishers have done here is start off with a myGov phish to set the scene, then divert the victim into a payment flow entirely unrelated to anything myGov, and modeled the “link your bank account to myGov” section on Polipay (check out the demo).

It’s not possible for the $1,000 payment to go out, as the stolen information is being collected and sent to scammers via a .php page, and not using Polipay. We notified Polipay on Twitter (Feb 14th) and by email on Feb 15th, and their reply is as follows:

It seems the culprit has screen grabbed screens from a transaction and manipulated them to gain the information they require. This series of screens was hosted on the culprits URL.

The screens grabbed where [sic] from an incomplete transaction with a POLi merchant.

User awareness on the internet is an important factor – specifically, knowing how to ensure the identity of a website owner. POLi employs Extended Validation SSL for its payment systems which makes it clear to users that they are making a payment through a POLi Payments service website. Sites claiming to be POLi which don’t bear this level of company validation are imposters/scammers/phishers etc.

It’s a bit of an odd thing to do with a live phish, as up until the end part of the scam the victim wouldn’t have any idea about the Polipay / Coinspot side of things. If you wanted to keep the victim unaware that something funny is going on, I couldn’t think of a worse way to do it than randomly telling them “HEY THIS PAYMENT HAS FAILED” because the natural reaction would be “…what payment?”

This is a pretty interesting con job, then, and regardless of what the scammers were up to they’d still have the victim’s other information such as the uploaded documentation.

Always be wary if asked for the kind of information requested up above, and if in doubt, contact the relevant official body directly, whether bank or Government portal. It’ll potentially save you time, effort, money, and a couple of forms of identification to boot.

Chris Boyd (Thanks to Steven and Nathan for additional information)

The post Australians beware: myGov phishing on the prowl appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Two new Mac backdoors discovered

Malwarebytes - Wed, 03/01/2017 - 15:00

On Valentine’s Day, Mac users got a special “treat” in the form of new malware. Then, later that same week, there were signs of yet another piece of malware looming. These threats were overshadowed a bit by the discovery last week of the second ransomware app to ever appear on the Mac, but they’re still worthy of consideration.

The first malware, named XAgent, was analyzed by Palo Alto Networks. XAgent, it turns out, is related to the Komplex malware discovered by Palo Alto last year, as can be seen by comparing some of the strings to those found in Komplex.

At that time, Palo Alto tied Komplex to the Sofacy Group – also known by the names Fancy Bear and APT28, among others – a Russian hacking organization that has since been linked to such things as the hack of the Democratic National Convention.

XAgent is a backdoor that provides a number of powerful remote access features, including keylogging, screenshots, remote shell access, and file exfiltration. Of particular interest is a command that provides the hacker with information about iOS backups stored on the infected Mac. iPhones (and other iOS devices) are notoriously difficult to hack, but by targeting backups instead, this malware could access potentially sensitive iPhone data.

Interestingly, Patrick Wardle, Director of Research at Synack, had another interesting revelation about this malware. He shows quite convincingly that the Sofacy Group used code copied from the Hacking Team. (Hacking Team is the creator of the Remote Control System backdoor, which it sells to governments and law enforcement, among other organizations.)

Hacking Team was itself the victim of a hack in 2015, and all their source code was made public. Wardle was able to demonstrate key similarities, such as identical bugs, in the decompiled XAgent code and the leaked Hacking Team code. It appears that Sofacy used Hacking Team code in their malware, most likely obtained from the Hacking Team breach.

According to a whitepaper released by Bitdefender, the malware installs itself into the following folder, where it is given one of a set of hard-coded names:

~/Library/Assistants/.local/

At the time of its discovery, the XAgent command & control servers were down, meaning that this variant of the malware is no longer a threat.

On the heels of the XAgent discovery came an intriguing glance at another piece of Mac malware, a sample of which has not yet been found. Three days after Palo Alto released their analysis of XAgent, Apple released an update to XProtect – the built-in anti-malware software in macOS – that added detection of XAgent.

However, that update also included a signature for something Apple called OSX.Proton.A, which ignited a storm of questions in the security community, who had never heard of any such malware for the Mac.

A little digging by Arnaud Abbati, a researcher at Ninja, Inc, turned up a page from the Sixgill website with a terse description of a remote access tool (RAT) called Proton. The page has been taken down, but can still be found in Google’s cache here.

Apparently, the malware is being sold on a Russian cybercrime forum, among other places. Sixgill also provided a link to a YouTube video from December, apparently made to promote the malware by demonstrating its capabilities. Another YouTube video, posted on February 8, showed additional capabilities.

Unfortunately, thus far, no samples of the malware have been found. It does not appear to be in the VirusTotal database, and neither of the sites that appear to be associated with Proton (ptn[dot]is or protonsolutions[dot]net) are responding. Even Sixgill’s analysis seemed to be done entirely from online sources, and had no information to suggest that they had seen a copy of the malware. For now, this is a completely unknown threat with rather frightening apparent capabilities.

Two new malware threats in a week, added to the others previously seen this year (Quimitchin/Fruitfly, MacDownloader, a new class of Microsoft Office macro malware and the Findzip ransomware), brings the Mac malware count for 2017 up to 6, and February isn’t even over yet. If things continue at this rate, 2017 could see a spike in Mac malware that could rival or exceed the previous high point in 2012, when the infamous Flashback, and a number of other pieces of malware taking advantage of Java vulnerabilities, terrorized the Mac community.

The post Two new Mac backdoors discovered appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Decrypting after a Findzip ransomware infection

Malwarebytes - Tue, 02/28/2017 - 16:00

The Findzip ransomware was discovered on February 22, 2017. At that time, it was thought that files would be irreversibly encrypted by this ransomware, with no chance of decryption. Turns out, that’s not quite true.

For those who get infected with Findzip (aka Filecoder), it’s still true that the hackers behind it can’t give you a key to decrypt it. There’s no honor among these particular thieves, as they’re lying about their ability to help if you pay the ransom.

However, all hope is not lost! If you made the mistake of not having a backup, or if your backup was also compromised by the ransomware, there’s still a chance for you to recover. It will not be fast or easy, but by following the instructions in this article, you’ll be able to regain your files. These instructions will be daunting for many, so if you have any doubts about your ability to follow them, please seek help from someone with more experience.

Special thanks to Jérôme Segura and @TheWack0lian for their help with this procedure. I wouldn’t have been able to build these instructions without their advice!

Gathering the materials

There are a few things you’re going to need before you get started.

  1. A working computer
  2. Xcode or TextWrangler
  3. Xcode command-line tools
  4. pkcrack source code
  5. One unencrypted file and the corresponding encrypted file

First, of course, you’ll need a working computer. This could be something like a second computer or could be another user account on the infected Mac. If you managed to force-quit the malware before it encrypted your whole user account, you may even be able to continue using your existing account.

These instructions assume that you’ll be doing the work on a Mac. If you need to do the decryption on a Windows or Linux computer, you’ll need to figure out how to compile and use pkcrack on that system.

Second, you’ll either need Apple’s Xcode development environment or a good text editor. Xcode is a rather large download that most people will never use in any way, so unless you have a reason to have Xcode, I recommend downloading TextWrangler. It’s an excellent text editor with many possible uses.

Next, you need to install the Xcode command-line tools, which fortunately does not require actually installing Xcode. If you don’t have a copy of Xcode already, open the Terminal app, which is found in the Utilities folder in the Applications folder.

In the Terminal, enter the following command:

xcode-select --install

When you do, you’ll see the following window:

Click the Install button to install the command-line tools, agree to the license, and then wait for the download and install process to complete.

Fourth, you’ll need to download the pkcrack source code. Some people, at this point, might be a little skittish about downloading something like this, for good reason, but I’ve tried it out myself and it works well.

Finally, you will need one of the files that got encrypted in both encrypted and unencrypted form. The file needs to be exactly the same as one that got encrypted. This could be a document that had been attached to an e-mail message that you had saved, but could still retrieve from the e-mail server, or a document that you had stored on a flash drive or other external storage. Make sure the document isn’t too large or two small. Something larger than 1000 bytes, but not thousands of times larger, would be ideal.

If you can’t find such a file, you may be able to use the malicious Findzip app against itself. If you ran the app from somewhere in your user folder – like your Downloads folder – then the app will have (amusingly) encrypted itself. In this case, you can simply download a fresh copy of the app.

Control-click the fresh app and choose Show Package Contents from the contextual menu that appears. Be careful not to open the app! In the window that opens, there will be a Contents folder. Inside that is a file named Info.plist, which will be perfect for our purposes. Grab a copy of that file.

Next, on the encrypted system, find the remnants of that app and do the same thing. In this case, the Info.plist file will have been replaced with an encrypted file named Info.plist.crypt.

The rest of these instructions will involve using these Info.plist and Info.plist.crypt files, but any other pair of matching encrypted and unencrypted files will do just fine.

Compiling pkcrack

In order to use pkcrack, which will allow you to execute what is called a “known plaintext attack” against the encrypted file, you will need to compile it from the source code. The pkcrack source code you downloaded earlier should decompress into this:

The files in the src directory are the ones you’ll be interested in.

Unfortunately, as is, this code won’t compile on macOS. Fortunately, there are some very simple changes you can make to these files to fix that. Time to break out either Xcode or TextWrangler and use that to edit several of these files.

First, open the file named Makefile. There will be a line near the top of the file reading:

CFLAGS=-O6 -Wall

Change the 6 to a 2, so that line looks like this:

CFLAGS=-O2 -Wall

Then save and close the file.

Next, you’ll need to open the exfunc.c file. Find the line near the top that reads:

#include <malloc.h>

Delete this line, and only this line, then save and close the file.

Now, repeat this procedure, removing exactly that same line from the following files:

extract.c main.c readhead.c zipdecrypt.c

Once you’re done, you’re ready to compile the code. Fortunately, this is quite easy. Open the Terminal app again and type the following, but do not press return:

cd

You can’t see it, but there’s a space after “cd”, so be sure to put that space there.

Next, drag the src folder from the pkcrack-1.2.2 folder onto the Terminal window. That will insert the path to that folder into the command. Now switch back to the Terminal and press return. This changes the current working directory in the Terminal to the src folder.

Finally, enter the following command:

make

This will compile the code, echoing a lot of text into the Terminal window that you don’t really need to worry about. As an example, here’s what this looked like on my system, with much of the output omitted in the middle for brevity:

Hyperion:~ thomas$ cd /Users/thomas/Desktop/pkcrack-1.2.2/src Hyperion:src thomas$ make gcc -O2 -Wall -c -o crc.o crc.c crc.c:24:13: warning: unused variable 'RCSID' [-Wunused-variable] static char RCSID[]="$Id: crc.c,v 1.3 1997/09/18 18:07:24 lucifer Releas... ^ 1 warning generated. [...] int makekey.c:19:13: warning: unused variable 'RCSID' [-Wunused-variable] static char RCSID[]="$Id: makekey.c,v 1.1 1997/02/15 09:44:44 lucifer Re... ^ 3 warnings generated. gcc -o makekey -O2 -Wall makekey.o crc.o keystuff.o Hyperion:src thomas$

There’s no need to worry about the warnings. You’ll know the build was successful if you now see the following files in the src folder:

extract findkey makekey pkcrack zipdecrypt

These are Unix executable files, also called “binaries.” For ease of use, move these files into a separate folder. I put them into a “bin” folder as shown here:

Finding the keys

The next step will involve using that pair of encrypted and unencrypted files obtained earlier to find three keys. For this example, we’ll use the Info.plist.crypt and Info.plist files referred to previously. Move those files into the bin folder, alongside the pkcrack binaries. Then rename the original, unencrypted file to something else; in this example, we’ll use Info_orig.plist.

Next, back in the Terminal, use the “cd” command again to change to the bin directory. Then, enter the following command:

./extract -p Info.plist.crypt Info.plist

This will produce a file called Info.plist, but its contents are still encrypted. Rename this file to something else, such as Info_enc.plist. (Of course, replace these names with the correct names for the file you’re working with, if you’re not using this Info.plist file.)

If the filenames you’re working with have spaces in them, you’ll need to enclose them in quotes. For example:

./extract -p "Some Word file.docx.crypt" "Some Word file.docx"

Now you’re ready to start searching for the keys. Enter the following command:

./pkcrack -c Info_enc.plist -p Info_orig.plist

(Again, be sure to use quotes around any filenames that contain spaces.)

The pkcrack app will start working on the encrypted file. Depending on the file, it could take a while, but for the Info.plist file in this example, and on my high-end MacBook Pro, it took less than a minute.

You’ll know it’s done when it beeps twice, and the Terminal is displaying something like this:

Hyperion:bin thomas$ ./pkcrack -c Info_enc.plist -p Info_orig.plist Files read. Starting stage 1 on Sat Feb 25 08:05:04 2017 Generating 1st generation of possible key2_1544 values...done. Found 4194304 possible key2-values. Now we're trying to reduce these... Done. Left with 2941 possible Values. bestOffset is 24. Stage 1 completed. Starting stage 2 on Sat Feb 25 08:05:11 2017 Ta-daaaaa! key0=c054acf9, key1=d1656d7b, key2=3549626f Probabilistic test succeeded for 1525 bytes. Ta-daaaaa! key0=c054acf9, key1=d1656d7b, key2=3549626f Probabilistic test succeeded for 1525 bytes. Searching... 11.2%

At this point, pkcrack is trying to find the passcode for the encrypted file, but that will not succeed due to the length of the passcode used by the malware. You can force it to cancel and quit by pressing control-C.

Fortunately, you don’t need the passcode… the three keys it found can be used to decrypt all the other decrypted files. Make a note of those three keys, labeled key0, key1, and key2.

Decrypting the files

At this point, we can decrypt the Info.plist.crypt file, as well as any other files encrypted by the malware on that particular Mac. Enter the following command:

./zipdecrypt c054acf9 d1656d7b 3549626f Info.plist.crypt Info.plist.zip

Be sure to replace the keys in this command with the ones obtained from your encrypted file, in order.

The result of this command will be the creation of a new, unencrypted Info.plist.zip file. Double-clicking this file will unzip it. The zip file will contain a series of nested folders, starting with “Users” and going through the entire path that the file was original found in. Dig down into each subsequent folder until you reach the original, now unencrypted, file.

Of course, you already had the original file, in this case. However, you can now repeat this zipdecrypt command with any other encrypted files, using the same keys. Recovering a large number of files in this manner will be tedious, but on the positive site, you can use that time to contemplate how this could have been avoided by having a good set of backups!

The post Decrypting after a Findzip ransomware infection appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (Feb 20th – Feb 27th)

Malwarebytes - Mon, 02/27/2017 - 21:00

Last week in the world of security, we had rogue chrome extensions teaming up with tech support scams, tips on how to stay safe during tax season, advice on locking down your social media profiles, and what to do in the aftermath of a cyberattack. We also teamed up with Cybersecurity Factory, recapped our time at the recent RSA Conference, and took a look at a typo-laden fake FBI mail.

Elsewhere from last week:

The post A week in security (Feb 20th – Feb 27th) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New Neutrino Bot comes in a protective loader

Malwarebytes - Mon, 02/27/2017 - 19:30

Co-authored by Hasherezade and Jérôme Segura.

In this blog post we will cover a recent version of the multi-purpose Neutrino Bot (AKA Kasidet) which ironically was distributed by an exploit kit of the same name. Earlier in January this year, we had described Neutrino Bot that came via spam so we won’t go over those details again, but instead will focus on an interesting loader.

Anti VM detection is complemented by multiple layers hiding the actual core which made extraction of the final payload a bit of challenge.

Distribution method

This sample was collected via a malvertising campaign in the US that leveraged the Neutrino exploit kit. The infection flow starts with a fingerprinting check for virtualization, network traffic capture and antivirus software. If any are found (i.e. not a genuine victim), the infection will not happen. This check is done via heavily obfuscated JavaScript code in the pre-landing pages, rather than within the Flash exploit itself, like it used to in the past.

Once the initial check has passed, the next step is to launch a specially crafted Flash file containing a bunch of exploits for Internet Explorer and the Flash Player (similar to what was described here). The final step is the download and execution of the RC4 encoded payload via wscript.exe to bypass proxies.

The overall infection flow is summarized in the diagram below (click to enlarge):

A script from Maciej Kotowicz was used to extract artifacts from the Flash file.

Analyzed samples Behavioral analysis

The sample was well protected against being deployed in a controlled environment. When it detects that it is being run in a VM/sandbox it just deletes itself:

If the environment passed the checks, it drops its copy into: %APPDATA%/Y1ViUVZZXQxx/<random_name>.exe  (during tests we observed the following names: abgrcnq.exe, uu.exe):

The folder and the sample are hidden.

Persistence is achieved via the Task Scheduler:

The malware adds and modifies several registry keys. It adds some basic settings, including the installation date:

It modifies some keys in order to remain hidden in the system. Hidden/SuperHidden features allows its dropped copy to remain unnoticed by the user. It disables viewing such files by modifying the following registry keys:

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

It also adds itself into the firewall’s whitelist with this command:

cmd.exe " /a /c netsh advfirewall firewall add rule name="Y1ViUVZZXQxx" dir=in action=allow program=[full_executable_path]

Similarly, path to the malware is added to Windows Defender’s exclusions:

It disables reporting incidents to Microsoft’s cloud service (SpyNet):

HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting

It modifies settings of terminal services, setting MaxDisconnectionTime and MaxIdleTime to 0. Modified keys:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime

If the full installation process went successfully, it finally loads the malicious core, and we can see a traffic typical for the Neutrino Bot. You can see below the beacon “enter” and the response “success”, encoded in base64. The response is sent as a comment in the retrieved blank html page, in order to avoid being noticed:

In the next request the bot sends information about itself, and in response the CnC gives it commands to be executed. Requests and responses are also base64 encoded. Example after decoding:

req:

cmd&9bc67713-9390-4bcd-9811-36457b704c9c&TESTMACHINE&Windows%207%20(32-bit)&0&N%2FA&5.2&22.02.2017&NONE

resp:

1463020066516169#screenshot#1469100096882000#botkiller#1481642022438251#rate 15#

The first command was to take a screenshot, and indeed, soon after we can see the bot sending a screenshot in JPG format:

From the sent version number we can conclude, that the version of the bot is 5.2 (similarly to this campaign).

Inside

The first layer is a stub of a crypter, that overwrites the initial PE in memory by the image of the loader. Unpacking it is demonstrated in this video: https://www.youtube.com/watch?v=m_xh33M_CRo.

The second layer is a loader that prevents from running the core bot in a controlled environment (i.e. on VM or under a debugger). This element is probably new (we didn’t observe it so far in previous campaigns of Neturino Bot, i.e. the one described here). We found the loader very effective in its protective task. Most of the sandboxes and test VMs used during tests failed to provide any useful results.

The final payload had features typical for Neutrino Bot family.

The loader code shows that it is an integral part of the full Neutrino Bot package – not yet another layer added by an independent crypter. Both, the payload and the loader are written in C++, use similar functions and contain overlapping strings. It  will be demonstrated in details later in this article. They both also have very close compilation timestamps: payload: 2017-02-16 17:15:43, loader: 2017-02-16 17:15:52.

A patched version of the loader, with environment checks disabled can be viewed here.

Loader Obfuscation techniques

The code inside contains some level of obfuscation. A few strings are visible:

  • Directory name
  • Some functions
  • Registry keys related with Windows Security features that are going to be disabled
  • Strings used to add a new scheduled task.

However, that is not all. Most of the strings are decrypted at runtime. Here is an example of loading an encrypted string:

First, the obfuscated string is written to the dynamically loaded memory by a dedicated function. Then, it is decrypted using a simple, XOR-based algorithm:

def decode(data): maxlen = len(data) decoded = bytearray() for i in range(0, maxlen): dec = data[i] ^ 1 decoded.append(dec) return decoded

The same string after decryption:

Most of the API calls are also dynamically resolved. Example:

Tracing API calls helps to understand the programs’s functionality. For this reason, the authors of this malware file implemented some of the functions without using API calls at all. In the below example you can see the function GetLastError() implemented by reading a low-level structure: Thread Envioroment Block (TEB):

Functionality

In order to prevent from being executed more than once, the loader creates a mutex with a name that is hardcoded in the binary: 1ViUVZZXQxx.

The primary task of the loader is to check the environment, in order to make sure that the execution is not being watched. But, in contrary to most of the malware, the check is not just done once. There is a dedicated thread deployed:

It runs checks in a never ending loop:

If at any time, the loader detects i.e. some blacklisted process being deployed, execution is terminated.

Examples of the checks performed:

1. Enumerates through the list of the running processes (using dynamically loaded functions CreateToolhelp32SnapshotProcess32FirstProcess32Next). Calculates checksum from each retrieved process name and compares it with the built-in blacklist:

The blacklisted checksums:

.gist table { margin-bottom: 0; }

Implementation of the function searching blacklisted processes – as we can see, every function is loaded dynamically with the help of a corresponding checksum:

2. Searches blacklisted modules within the current process (using dynamically loaded functions CreateToolhelp32SnapshotModule32FirstModule32Next). Similarly, it calculates the checksum from each retrieved process name and compares it with the built-in blacklist.

Checksum calculation algorithm (implementation):

The blacklisted checksums:

.gist table { margin-bottom: 0; }

3, Checking if the process is under the debugger, using: IsDebuggerPresent, CheckRemoteDebuggerPresent

4. Detecting single-stepping with the help of time measurement, using GetTickCount – Sleep – GetTickCount

5. Anti-VM check with the help of detecting blacklisted devices – using QueryDosDevices i.e. VBoxGuest

6. Searching and hiding blacklisted windows by their classes – using  EnumWindowsGetClassName (i.e. procexpl)

The blacklisted checksums:

.gist table { margin-bottom: 0; }

In another thread, the malware performs operations related to the bot installation – adding a task to the Windows Scheduler, adding exclusions to the Firewall etc.

Finally, it unpacks the final payload and runs it with the help of the Run PE method. First, it creates another instance of its own:

Then, it maps a new PE file on this place:

Payload

The loaded payload is a Neutrino Bot, with very similar features to the one that we described in a previous post. However, we can find some similar elements like in the loader, for example matching strings:

Conclusion

Neutrino Bot has been on the market for a few years. It is rich in features but its internal structure was never impressive. This time also, the malware authors did not make any significant improvements to the main bot’s structure. However, they added one more protection layer which is very scrupulous in its task of fingerprinting the environment and not allowing the bot to be discovered.

The post New Neutrino Bot comes in a protective loader appeared first on Malwarebytes Labs.

Categories: Techie Feeds

DNSSEC: why do we need it?

Malwarebytes - Mon, 02/27/2017 - 18:00

DNSSEC is short for Domain Name System Security Extensions. It is a set of extensions that add extra security to the DNS protocol. This is done by enabling the validation of DNS requests, which is specifically effective against DNS spoofing attacks. DNSSEC provides the DNS records with a digital signature, so the resolver can check if the content is authentic.

The reason for this post was the recent SIDN report that concluded that the DNSSEC security status in the Netherlands left a lot to be desired. To name a few, the banking sector and the ISPs were lagging behind. Especially compared to the government sector, which has to be fully compliant by the end of 2017 and is now at a level of 59% of all domain names to be cryptographically secured and signed.

Background of the report

Included in the investigation were only .nl domains, so companies of a more international nature, that might be using other Top Level Domains (TLDs) were not included in the research. Let’s hope that companies of this nature are more advanced in this regard. On a grand total of approximately 5.7 million domains 46% were signed.

Additional security

Not only is DNSSEC a  security feature by itself, it also provides a platform for additional features like:

  • DKIM (DomainKeys Identified Mail)
  • SPF (Sender Policy Framework)
  • DMARC (Domain-based Message Authentication, Reporting and Conformance)
  • DANE (DNS-based Authentication of Named Entities)

Especially DANE, which is a protocol that allows Transport Layer Security (TLS) certificates to be bound to Domain Name System (DNS) names, is considered a major step forward in security after some certificate authorities (CA) providers have been breached and any CA could issue a certificate for any domain name. This is why we say that the green padlock is required, but not enough. Going forward it’s important to know that all the popular browsers support DNSSEC and most of them support DANE (for some browsers you may need a plug-in), so implementation of this extra security should put a major dent in the possibilities for DNS spoofing.

Extended DNSSEC Validator

Major conclusions of the report

Personally I was surprised, almost shocked, to find out that only 6% of the banking sites had their domains signed, the worst of all the investigated groups of domains. Especially worrying as the move from physical to on-line banking has been progressing steadily in recent times. The percentage for all financial corporations was at 16%. Other sectors where we would expect better figures:

  • ISPs (Internet Service Providers) 22%
  • Stock exchange listed companies 12%
  • Internet shops 30%
  • Telecom providers 33% and worst of all, of the 4 biggest providers with an .nl domain, none contributed to that score.

As stated before, the only group scoring somewhat satisfactory where government sites at 59%, with the remark that they are being forced to comply by the end of this year (2017).

So, even though the number of signed domain names has grown considerably over the past two and a half years (the previous report on this subject), some sectors are heavily lagging behind, and in particular some sectors where we would hope and expect otherwise.

Your country

If you have any similar figures about these numbers in your country, let me know in the comments. I would like to make some comparisons.

 

Pieter Arntz

The post DNSSEC: why do we need it? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fake FBI mail: “Send us $112 or we’ll lock your iCloud account”

Malwarebytes - Fri, 02/24/2017 - 20:12

Here’s a scam mail which claims your iCloud has been accessed without permission, and will be locked within 2 hours if you don’t verify the account by sending $112 to a Bitcoin address.

The missive claims to be from SERVICE@FBI.gov and is titled, “Virus Warning: E-Mail from ‘FBI Alert”.

As you might expect, it’s rather all over the place, lurching from random mentions of virus warnings and fraudulent access, to a cavalcade of typo-ridden howlers:

Virus Warning: E-mail from ‘FBI Alert’

Apple has detected an unauthorized sign-in to your iClodu [sic] account.

Please verify your account by sending 112$ to this Bitcoin address:

If no response is received your account will be locked for security.

The server will lock yor [sic] account within 2 hours if we don’t receive the payment!

We are working to create a world where privacy is the norm, end-to-end encryption is the standard, and security and usability are synonymous.

FBI and iCloud is selling a tool for iCloud protection against hackers and scammers this tool costs only 112$

the license for our tool is 360 days

if you are not familiar with bitcoin you can buy it from here:

coinbase(dot)com
bitstamp(dot)net
localbitcoin(dot)com

After we confirm the payment, we send the private key so you can unlock your email and download our tool

FBI SECURIRY [sic] iCloud and Apple Protection

Well, if you want to secure your iCloud I guess the right people for the job are definitely FBI Security…maybe?

The email definitely goes right off the rails at the end with random mentions of a “tool” designed to protect your iCloud from hackers, which also just happens to cost the same amount as the supposed verification fee. This is most definitely the “throw it all at a wall, see what sticks” approach but I’m not convinced it’ll be as successful as the scammers would like it to be. Should you receive any missives from the “FBI” regarding the safety of your iCloud account, feel free to send it to the trash. Elsewhere, you can visit the Apple website and find out everything you need to know about locking down your iCloud.

 

Christopher Boyd (Thanks Steven)

The post Fake FBI mail: “Send us $112 or we’ll lock your iCloud account” appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Who else crushed it at RSA?

Malwarebytes - Fri, 02/24/2017 - 18:00

The theme for this year’s RSA Conference was the “Power of OpportUNITY”, and with more than 43,000 IT and security professionals in attendance—it truly was the gathering to bring our community together.

Malwarebytes was proud to once again take part in this spectacular week-long event. Thousands of customers, new businesses, students, press, and industry analysts made their way to our new booth to catch our giant threat theater presentation, see a demo, grab a new collectible T-shirt, and say “Hi” to our robot (who was officially named ZERO).

While at the booth, visitors shared with us the security challenges and pain they’re experiencing. Overwhelmingly, threats including zero-day exploits, malware, and ransomware are continuing to get through their existing defenses and perimeters. Businesses from around the country across every industry are all looking for better threat detection capabilities and ways to reduce their response times for incidents. This made for a great opportunity to explain how Malwarebytes technologies can address these shared needs.

Click to view slideshow.

But the week wasn’t just about security… the galleries at the recently remodeled San Francisco Museum of Modern Art were the perfect backdrop for our CRUSH PARTY on Valentine’s Day. Filled to capacity, guests fell in love with the perfect palette of music, food, and great art.

Click to view slideshow.

Mark your calendars now for RSA’s 27th annual conference, being held April 16-20, 2018 in San Francisco. ZERO and the rest of us Malwarenauts will be there, and we hope you’ll join us too!

Can’t wait till then? Check out our Events page to see where else we’re popping up this year.

The post Who else crushed it at RSA? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Malwarebytes teams up with Cybersecurity Factory

Malwarebytes - Fri, 02/24/2017 - 17:00

Malwarebytes is proud to support Cybersecurity Factory, a 10-week summer program for early-stage cybersecurity companies. This program runs in collaboration with Highland Capital Partners provides teams with a $35,000 convertible note investment, office space, and dedicated security mentorship from industry leaders at leading companies throughout the United States.

Security software startups face several unique challenges. The advantage of new technologies is hard to communicate, and can be even harder to demonstrate, to customers. Reputation is paramount, but can be damaged overnight. Sales models are rapidly evolving, and keeping up with them requires both agility and experimentation. Despite these challenges, hackers are continuously trying to penetrate systems and exploit vulnerabilities. There is a strong need for security innovation to stay ahead of these attackers.

Cybersecurity Factory is attempting to fulfill this need by providing the support and mentoring to help teams with business and product strategy and to help them build a network of entrepreneurs and investors to identify key opportunities in the security market. During the summer, each team will work closely with our security mentors and potential customers to produce and improve a marketable prototype.

Applications are open! The early deadline is 3/6 and the program will accept applications on a rolling basis until 3/20.

If anyone has questions about Cybersecurity Factory, don’t hesitate to email the team at team@cybersecurityfactory.com.

As a leading security provider, Malwarebytes is excited to help facilitate and support new innovation in the security market to keep users and companies safe.

The post Malwarebytes teams up with Cybersecurity Factory appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What to do after recovering from a cyberattack

Malwarebytes - Thu, 02/23/2017 - 18:00

More companies are falling victim to cyberattacks, as a wide range of harmful software, social engineering schemes and scams threaten to compromise the personal information and online safety of their clients. With cybercrime rates on the increase every year, it is important for businesses of all sizes to have a recovery plan in place to mitigate any losses. In the unfortunate event of a data breach, these are the steps you should take to recover.

Identify and Contain the Problem

On average, companies do not know about data breaches or cyberattacks until at least 200 days after they have occurred. As soon as you become aware of a security incident, the first step is to identify and contain the problem.

Having all of the correct facts will go a long way to helping to formulate an effective response plan, and better inform your communications with customers. When identifying a data breach, ensure that you document the following:

  • When it took place
  • How it will affect customers
  • What assets were affected
  • Who are the victims
  • The type of attack

To contain and remove the issue, your IT department should be ready to spring into action. To ensure that they are prepared for such a task, any business owner should hire a cybersecurity specialist or send their IT staff for cybersecurity training. They should be prepared to:

  • Separate sensitive data from the network. If banking and login information is not encrypted, do so now.
  • Reset all affected logins. All parties affected by the cyberattack should have their login details changed and the new passwords should be secure in that they have uppercase letters, lowercase letters, symbols and numbers. Also consider using two-factor authentication to tighten up security.
  • Reinstall affected files. Any programs that have been affected by the attack should be uninstalled and reinstalled so that the infection cannot spread.
  • Disconnect affected hosts. Once it has been disconnected, the host is no longer available and can no longer be subjected to the cyberattack.
  • Apply security patches if necessary. This software is designed to update any programs or operating systems, fixing vulnerabilities and other bugs that could compromise your online security.
  • Remove all files installed by the attack. After they have been isolated, your IT analysts will investigate them to gain a better understanding of the attack, potentially identify the attacker and identify any security vulnerabilities.
Inform Your Customers Promptly

Large companies tend not to have a history of a responding to cyberattacks in a timely manner. While they react quickly by containing the breach, it is often months before they address the general public and even those affected by the incident.

British mobile phone operator TalkTalk was criticized for waiting to inform customers of its data breach in 2015, and things haven’t improved over the years. In 2016, Yahoo took five months to respond to customers who had their data stolen. It is this kind of behavior that causes companies to lose customers and even sets them up to face class-action lawsuits. In fact, TalkTalk lost 101,000 customers as a direct result of its data breach.

The solution is to act quickly and ensure that you have a response plan ready long before any cybercrime has occurred. Liaise with your PR and Marketing departments to prepare communications that you can issue in the event of a data breach. It should include information about compensation and outline any steps that you’re taking to prevent future security incidents, such as implementing new cybersecurity protocols. When the time comes to distribute this information, your IT team will be involved to fill in the specific details.

One of the best examples of an effective cybercrime response is Home Depot. In 2014, the company faced data breach that compromised the banking information of its customers. Its PR team took to social media right away, informing customers that staff are looking into the issue and working with law enforcement.

Usually, organizations that experience data breaches lose an average of $3.97 million due to lost customers. However, Home Depot actually saw a 5.7 percent increase in net sales during the following quarter. Its proactive approach to communication certainly had a positive effect on the company’s profits.

Prevent Future Breaches

In the event of a data breach, it is important that you have the right professionals on board to help your business recover. According to IBM, enlisting in the help of cybersecurity experts can help you save millions as your company aims to contain a data breach and respond to the affected parties.

  • Appointing a Chief Information Security Officer saves $7 per record. This staff member is responsible for developing and implementing a program that protects all communications, systems and assets from all types of security threats.
  • Involving a Business Community Manager saves businesses $9 per record. This professional is responsible for your brand’s image in the online world. They will handle online communications with customers and press, and they play a key role in crisis management.
  • Incident response teams save $16 per record. It is their job to react to any cybersecurity threats or incidents in a timely manner. They will analyze the incident in order to identify, contain and eradicate the issue. This team should include professionals from various departments like business managers, IT staff, legal representatives and human resources employees.

Research by Ponemon Institute, LLC found that enlisting in cybersecurity professionals can help drive down the costs of data breach recovery. Employing experts in online security saved companies $2.1 million per year while hiring a high-level security manager like a CISO saved $2 million.

Companies can also lower their defense costs by investing in online security technologies. Security intelligence systems saved companies an average of $3.7 million while encryption technology saved companies $1.4 million per year. Using advanced firewalls saved them $2.5 million.

Tighten Up Your Legal Defense

After having their information compromised by a data breach, it is not uncommon for customers to sue the company. With Yahoo facing a class-action lawsuit in light of its recent data breach that affected over 500 million accounts, it is important for companies to prepare for the fact that they may be taken to court for allowing a hacker access to their customers’ personal information.

The Department of Justice advises business owners to form a relationship with local law enforcement offices before a cyberincident has the chance to occur. This establishes a point-of-contact in the event of a data breach, to whom you can report the crime.

Legal counsel should also be retained before any cybercrimes have the chance to be committed. When doing so, business managers should ensure that their legal team has experience with cyberincident management. They should have the knowledge necessary to help guide you when reporting the breach to customers, navigating your liability for taking corrective measures and interactive with government agencies. As this is an emerging legal issue, your legal team should stay up-to-date with the latest developments so they prepared to handle any situation.

In the event of a data breach, companies can avoid lawsuits by taking proactive measures to take care of customers. Some companies like Neiman Marcus have offered victims credit monitoring services, which not only demonstrates great customer service but also weaken claims that customers may make about having suffered harm as a result of the data breach.

The best defense is a good offense, so companies should be proactive in preventing cyberattacks from occurring in the first place. Since 66 percent of data breaches are caused by employee negligence, business owners should take measures so that there are no insider threats. As such, all staff members should be trained in the best practices for cybersecurity.

Being prepared and acting quickly are vital to helping your company recover from a cyberattack as effectively as possible. Your customers will appreciate that you’ve taken action promptly to protect them, which goes a long way to maintaining a successful and profitable business in light of a data breach.

Author Bio: Faith is a technology blogger for Secure Thoughts, a leading resource on cybersecurity. With a background in marketing, she specializes in helping businesses engage in effective communication in the event of data breaches and other cyberincidents. 

The post What to do after recovering from a cyberattack appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mac ransomware on piracy sites

Malwarebytes - Thu, 02/23/2017 - 16:00

February has been a relatively busy month in the world of Mac malware, and now it has gotten busier with the appearance of the second piece of ransomware ever to affect macOS. Fortunately, this is quite poor ransomware that will only bite those who are doing something wrong in the first place. Nonetheless, it’s good enough to cause your day to go bad in a very big way if you get infected.

This malware, which an update to Apple’s XProtect signatures calls Findzip, was found and described by ESET. According to their report, Findzip has been found on piracy sites masquerading as cracks for Adobe Premier Pro and Microsoft Office, although ESET was careful to point out that there may be other such files out there.

These apps are signed, but with a certificate not issued by Apple, which is unusual. Fortunately, they won’t open by default on a Mac as a result of this.

Unfortunately, this requires that the app be “quarantined.” A properly quarantine-aware app, such as any of the major web browsers, will download files in such a way that the “quarantine” flag is set. Whenever an app or any other kind of executable file is opened, if it has the quarantine flag set, the system will prevent it from opening if it is known malware or isn’t properly signed.

However, torrent clients typically do not do the right thing, in this case, and will often leave the quarantine flag unset on files they download. So the very people who are likely to be downloading this malware are also the people who will be most vulnerable to it. They will not be prevented from opening the malicious app simply because it isn’t properly signed.

When opened, the malware displays a rather goofy-looking mostly-transparent window:

At this point, nothing will happen unless you click the “start” button. You can feel free to quit the app again at this point without suffering any consequences.

If you make the mistake of clicking the “start” button, the malware will begin encrypting the files in your home folder, showing a message indicating that it is patching the app (Adobe Premier Pro or Microsoft Office) and that the process may take up to 10 minutes. Letting the process go quickly made a big mess of my desktop, which should cause even the most clueless pirate some concerns.

The numerous README, DECRYPT, and HOW_TO_DECRYPT files all contain the same instructions:

NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption method. What do I do ? So , there are two ways you can choose: wait for a miracle or start obtaining BITCOIN NOW! , and restore YOUR DATA the easy way If You have really valuable DATA, you better NOT WASTE YOUR TIME, because there is NO other way to get your files, except make a PAYMENT FOLLOW THESE STEPS: 1) learn how to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version) 2)send 0.25 BTC to 1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb 3)send your btc address and your ip (you can get your ip here https://www.whatismyip.com) via mail to rihofoj@mailinator.com 4)leave your computer on and connected to the internet for the next 24 hours after payment, your files will be unlocked. (If you can not wait 24 hours make a payment of 0.45 BTC your files will be unlocked in max 10 minutes) KEEP IN MIND THAT YOUR DECRYPTION KEY WILL NOT BE STORED ON MY SERVER FOR MORE THAN 1 WEEK SINCE YOUR FILE GET CRYPTED,THEN THERE WON'T BE ANY METHOD TO RECOVER YOUR FILES, DON'T WASTE YOUR TIME!

The encrypted files, having filenames ending in .crypt, are created using the zip command in the shell to create encrypted .zip files. These files are all given the same passcode, a randomly-generated 25-character string. Interestingly, .crypt files are created for folders, but don’t appear to contain the folders’ contents. Instead, there are more .crypt files inside the original folders. Only files actually get encrypted, and subsequently deleted.

Amusingly, this even applies to the malware itself! After it runs once, if it was run from somewhere in the user folder (like the Downloads folder or the desktop), it’ll never run again.

Unfortunately for affected users, this ransomware is broken as far as “customer service” is concerned. The key used to encrypt the files is never uploaded to a command & control server anywhere, so that hacker would have no way to help you decrypt your files if you paid him. This is a perfect example of the dangers of paying the ransom… there’s never any guarantee that your payment will get you your files back. It certainly won’t in this case. Once encrypted, only a backup can save your data.

There has been some speculation about whether ransomware can or cannot affect a Time Machine backup. ESET reports that it will try to encrypt files found on all connected external or network volumes, so naturally I wondered if Time Machine backups might be included.

I let it loose on a dummy backup, made from my test system, and let it run for 45 minutes. Although it definitely was accessing the external drive, the backups were never damaged in any way. I was still able to restore files from the backup at the end of the test. Of course, a different kind of backup that is connected at the time the malware runs could be affected.

In all, this is not a serious threat to most people. Only those who are engaging in software piracy will encounter it, and even then there are plenty of red flags before they get to the point of actually clicking the “start” button. Unfortunately, if you do run the gauntlet and end up getting your data encrypted, and you don’t have a good backup, this malware will really ruin your day.

Malwarebytes detects this as OSX.Findzip.

The post Mac ransomware on piracy sites appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How do I secure my social media profile?

Malwarebytes - Thu, 02/23/2017 - 14:00

Many of us are all too aware of the uptick in news stories about phishes, online scams, and customer data breaches. Social media can be a popular vector for attackers to sift through data to answer your password recovery questions, send phishes and spam, and generally be a nuisance. So we’d like to secure our profiles as much as possible, but platforms built on monetized sharing of data tend to design interfaces around…sharing your data. Oftentimes there is no obvious button to click to activate common sense security measures, which can put users off of securing their info at all.  So let’s plummet head first into menus, buttons, and check boxes and see how we can be a little safer when choosing to share information online.

Twitter

1. Click your profile icon in the upper right corner of the screen and click “Settings”.


2. In the left sidebar that appears, click on “Privacy and Safety”. This is where all the good stuff can be found. Scroll down to “Direct Messages”, and make sure “Receive Direct Messages from anyone” is unchecked.

3. Under “Tweet Privacy,” checking “protect my tweets” will make everything you post going forward invisible to people who don’t follow you. Further, you will be able to approve new followers on a case by case basis. If you work in advertising, this is not a great setting to have checked. But for the rest of us, it’s probably worth considering.

**BONUS SETTING** Twitter likes to stay in touch, a lot. If, perhaps, Twitter notifications start to feel a little clingy and desperate, click on “Email notifications” in the settings sidebar. Scroll down to the bottom, and you’ll see “Updates from Twitter.” (Note that Twitter has thought of many, many things to update you on. If you uncheck everything but the top option regarding product updates, your inbox should get some relief.)

 

Instagram

NOTE: it appears that you can only do this from a mobile device, not the desktop application.

1. Tap your profile icon in the bottom right hand corner.

2. Click the “Settings” icon in the top right hand corner.

3.  Scroll to the bottom and slide the “Private Account” button on. This will make all your photos within the app private, and prompt you to approve new followers individually. However, people can still send a photo directly to you even if they’re not following you.

**BONUS SETTING**  If you scroll further down to “Settings”, there is an option “Cellular Data Use.” If you switch that to on, Instagram will stop preloading videos in your feed, which might be helpful if you have a slow connection, or limited data.

 

LinkedIn

While the safest way to LinkedIn is always LinkedIn abstinence, some of us face peer pressure to LinkedIn before we’re ready. To make sure you’re practicing proper harm reduction techniques, click the “Me” button in the top right of the screen, and under “Account,” choose “Privacy and settings”.

 

Next, click the Header that says “Privacy” towards the top of the screen. The most important setting listed here is “Edit your Public Profile.” What this actually means is “Decide if search engines are allowed to index my information and display it when someone searches my name.” There are very few use cases in which such a thing would be beneficial, so the suggested answer to this is No.

 

The other important setting is “Sharing data with third parties,” which should almost always be No.

**BONUS SETTING** Clicking on the “Communications” header brings up settings governing how LinkedIn is allowed to contact you. If you scroll down to the very bottom, there’s an option “Partner Inmail.” You most likely do not want LinkedIn advertisers to send you direct messages, so choose No.

 

Conclusion

Quitting social media entirely can be unrealistic, or at least seriously unfun. So it’s important to take a moment to check out account settings before you start, to make absolutely sure you’re okay with the service’s default settings. (You probably should not be.) Once you’re comfortable with the security settings on your profile, tell your friends. You spent all that time digging through menus and checkboxes, and you don’t want your work undone by one of your connections, do you?

The post How do I secure my social media profile? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tips to stay secure during tax season

Malwarebytes - Wed, 02/22/2017 - 15:00

It’s everyone’s favorite time of year—tax season. While you might be looking forward to it with a mixture of trepidation and dread, cybercriminals are positively drooling at the prospect of all that personal data out there on the Internet for the taking.

So what’s the worst that can happen? In a couple words: identity theft. Nearly 250,000 new reports of identity theft were filed in 2016 with the IRS. Tax-related ID theft happens when criminals use your personal information to file for a tax refund with the IRS. Through September 2016, the IRS stopped 787,000 confirmed identity theft returns, totaling more than $4 billion. Besides having your rainy-day money stolen, this can also damage your credit and cost you in time. It can take upwards of 600 hours to restore a stolen identity, according to the Identity Theft Resource Center.

But you needn’t fear (unless you’ve been cheating on your taxes, in which case we can’t help you). In response to an uptick in tax fraud and identity theft last year, the IRS has launched new security safeguards in order to verify identity and the validity of returns, especially for those who prepare their own federal and state taxes using software programs. In addition, if you take your own proper precautions, you can shore up your online safety.

So what are some ways you can protect your information (and identity) during tax season? Here are some tried and true tips to help ease the stress.

For general tax preparedness

If you haven’t already filed, now’s the time to get a move on. “Start early, gather all your information in one place, and make sure it’s accurate,” says Mark Harris, CFO of Malwarebytes. Not only will you beat the rush, but you can ensure a faster return on your return. Mistakes, including those that can lead to identity theft, are made when you’re scrambling to dig up that charitable donation receipt from Goodwill five minutes before filing deadline.

Next, pick a preparer. Do your due diligence and check out any reviews or articles on tax software, if you plan to use it. Research online tax service providers to see how secure their systems are. Sites should have password standards, a lock-out feature that blocks users after too many unsuccessful login attempts, security questions, and email and/or text verification. If using an accountant, look for referrals. Remember that cheapest may not always be the best.

Finally, once you’ve filed, make sure to keep your tax returns someplace safe. If filing online, you’ll receive a massive PDF that you can download to your desktop. If someone were to access your computer a year from now, all that juicy information would be theirs for the taking. So be sure to either store it in an encrypted cloud service or put it on a removable drive, such as a USB. If filing on paper, keep your taxes in a locked file cabinet or drawer.

For online security

This is important for anyone transmitting sensitive data online, whether that’s shopping or filing taxes: be sure to use a connection that’s secure. If on a home computer and network, use password-protected Wi-Fi and look for secured browsers (website URLs that start with “https” and display a small lock icon). Be sure your preparer has the same security in place. Never, ever, ever file your taxes using public Wi-Fi.

Ever.

In addition, when filing taxes online (and again, this applies to any online service that requires a password), choose passwords that are long and complex. Avoid plain text passwords, use special characters, and if allowed, use spaces. We also highly recommend a password vault or manager that uses two-factor authentication.

The third pillar of Internet security (especially during tax season) is to be aware of social engineering scams, including phishing emails. A popular phishing technique is to send an email from the “IRS” that says, essentially, “We have your tax return ready and you can get your money faster if you just download this PDF!” Nope. Number one, you should never open an attachment from an email you aren’t expecting to receive. Number two, the IRS will not email you. They’ll physically mail you information, but even then, be wary. Tax scams can happen via postal mail, too.

In addition to phishing attacks, there are reports of cold callers who say, essentially, “Hey, we’re from the IRS and you owe us $10,000.” Nope. The IRS won’t call you either. If you receive an email or phone call that’s unsolicited and is looking for personal information, don’t give it. Go back and independently verify who is trying to reach you.

After mastering the basics of online security best practices, it’s a good idea to protect yourself using a little technology. Before you even start typing in your social security number, you should run at least one kind of cybersecurity scan. That way you’re sure there’s no malware on your system, such as a keylogger or spyware that can record your information without you knowing. You should also make sure your operating system, browser, and other software programs are updated—that way, you protect against malware that might exploit vulnerabilities in your computer.

Finally, if you believe there’s a chance you could have been compromised, look into a credit monitoring or ID theft service. By law, you are entitled to a free copy of your credit report from the three major bureaus: Equifax, Experian, and Trans Union. In addition, there’s a lesser-known fourth bureau called Innovis that you can also use. Review your reports annually and look for any suspicious activity.

Filing early, being prepared, staying vigilant online, and employing the proper security technology—if you follow these tips then you can not only keep cybercriminals from cashing in on your tax returns but also from taxing your peace of mind.

Categories: Techie Feeds

Rogue Chrome extension pushes tech support scam

Malwarebytes - Tue, 02/21/2017 - 17:22

Given Google Chrome’s popularity, it is no surprise to see it being more and more targeted these days. In particular, less than reputable ad networks are contributing to the distribution of malicious Chrome extensions via very deceptive means.

In this post we look at a forced installation of such an extension that eventually leads to more adverts being force fed into Chrome. And once you spin the malvertising roulette, anything can happen…

Malvertising campaign

Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions.

This malvertising flow (XML feed) shows how the user is redirected to a bogus site that is enticing them to install a Chrome extension.

Enticing might in fact be a euphemism, since in this case the user is giving no choice other than “Add Extension to Leave“, while their browser is stuck in a never ending loop of fullscreen modes. The tricks used here are very similar to what Pieter Arntz described in his Nov. ’16 blog (Forced into installing a Chrome extension).

Hidden but omnipresent

Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo (note the blank space on the top right next to the Chrome menu from the animation below) and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them.

The real bad stuff is buried into a couple of obfuscated JavaScript files:

The larger one reveals a connection to a command and control server where it can receive instructions on what to do next:

Ad fraud and scams

The perpetrators behind this extension are checking for certain keywords within the current URL and blocking/redirecting if the conditions are met. For instance, if the user tries to visit the Malwarebytes website, the browser will immediately get redirected, first to a YouTube video, and then to one of various Potentially Unwanted Programs (PUPs), get-rich-quick schemes, and various other scams.

This blog post wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a fake Microsoft warning.

Extension woes

Google Chrome extensions are very powerful programs which are extremely useful in extending the browser’s capabilities, but can also be used for malicious purposes. Unfortunately, it is way too easy for online crooks to trick people into installing their malicious extension.

If you ever visit family or friends who run Chrome or own a Chromebook, have a check at the installed extensions on their machines, and you’ll be surprised by how many shady or flat out fraudulent ones are in there.

In addition to redirecting to bogus sites and junk offers, there are some serious privacy and security implications (Rogue Google Chrome Extension Spies On You) when an extension can read what you type and send this information to criminals.

Google has pulled this bogus extension from its store. If you already have it installed and can’t get rid of it (it won’t let you do it the regular way), please download Malwarebytes and run a scan. We detect and remove this one as Rogue.ForcedExtension.

IOCs

Fake extension:
pakistance.club
lfbmleejnobidmafhlihokngmlpbjfgo

Backend server (ad fraud/malvertising):
amserver.info
qma0.2dn.xyz

Tech support scam:
microsoft-official-warning.info

Categories: Techie Feeds

Explained: Bayesian spam filtering

Malwarebytes - Fri, 02/17/2017 - 16:30

Bayesian spam filtering is based on Bayes rule, a statistical theorem that gives you the probability of an event. In Bayesian filtering it is used to give you the probability that a certain email is spam.

The name

Named after the statistician Rev. Thomas Bayes who provided an equation that basically allows new information to update the outcome of a probability calculation. The rule is also called the Bayes-Price rule after the mathematician Richard Price, as he recognized the importance of the theorem, made some corrections to Bayes’ work and put the rule to use.

Spam

When dealing with spam the theorem is used to calculate a probability whether a certain message is spam based on words in the title and message, learning from messages that were identified as spam and messages that were identified as not being spam (sometimes called ham).

False positives

The objective of the learning ability is to reduce the number of false positives. As annoying it might be to receive a spam message, it is worse to not receive a message from a customer just because he used a word that triggered the filter.

Scoring

Other methods often use simple scoring filters. If a message contains specific words a few points are added to that messages’ score and when it exceeds a  certain score, the message is regarded as spam. Not only is this a very arbitrary method, it’s also a given that this will result in spammers changing their wording. Take for example “Viagra” which is a word that will surely give you a high score. As soon as spammers found that out they switched to variations like “V!agra” and so on. A cat and mouse game that will keep you busy creating new rules.

Learning

If the filtering is allowed for individual input the precision can be enhanced on a per-user base. Different users may attract specific forms of spam based on their online activities. Or what is spam to one person is a “must-read” newsletter to the next. Every time the user confirms or denies that a message is spam, the filtering process can calculate a more refined probability for the next occasion.

Poisoning

A downside of Bayesian filtering in cases of more or less targeted spam is that spammers will start using words or whole pieces of text that will lower the score. During prolonged use, these words might get associated with spam, which is called poisoning.

Bypasses

A few methods to bypass “bad word” filtering.

  • The use of images to replace words that are known to raise the score

  • Deliberate misspelling, as mentioned earlier.
  • Using homograph letters, which are characters from other character-sets that look similar to letters in the messages’ character set. For example the Omicron from the Greek which looks exactly the same as an “O”, but has a different character encoding.

Conclusion

Bayesian filtering is a method of spam filtering that has a learning ability, although limited. Knowing how spam filters work will make it more clear how some messages get through and how you can make your own mails less prone to get caught in a spam filter.

Links:

Evaluation of Bayesian Spam Filter and SVM Spam Filter

Machine Learning Techniques in Spam Filtering

 

Pieter Arntz

Categories: Techie Feeds

A week in security (Feb 6th – Feb 12th)

Malwarebytes - Wed, 02/15/2017 - 19:58

Last week, we gave a shout out to Safer Internet Day, passed around some tips for safe(r) public Wi-Fi use, and took a deep dive into Spigot browser hijackers. We had double the trouble in Mac land, with the defense industry coming under fire from rogue downloaders, and Microsoft office macro Malware.

Elsewhere:

Stay safe, everyone!

Categories: Techie Feeds

Staying safe online on Valentine’s Day

Malwarebytes - Tue, 02/14/2017 - 10:00

With Valentine’s Day rapidly approaching, love is in the air and so are Valentine’s Day security tips blogs, of which this is one. While you dash out for a last-minute purchase of flowers and a “Happy 5th Birthday” card played as a gag because they were all out of romantic ones at the store, please keep the below tips in mind if you’re browsing the aisles of popular dating sites and apps. You’re probably familiar with some of them already, and many of the below are good for all manner of online activities. In no particular order…

1. Are you in my area?

Make sure the profile you set up on a dating network doesn’t have geotagging enabled, regardless of whether you created it on a website or through an app. Some dating sites base the location you initially enter to serve up a list of possible matches within a certain radius, but they don’t display the location info on your profile – get familiar with the granular controls on the dating site’s settings and make sure you understand the differences. Many mobile apps aren’t hugely clear about “which thing does what”, so if in doubt, disable a particular feature until you can be 100% sure. As a side-note, ensure you don’t have geotagging enabled on any photographs you upload – if in doubt, use a picture from a public location away from your main residence. You can also use online tools to check what EXIF information is stored in images you want to use and remove it if needed.

You’ll find some additional practical advice in terms of real world security on the Selfie Security blog we posted a few weeks ago. You should pay particular attention to not including location specific items in your photograph(s) such as bills with your address on them.

2. Hang on to your moneybags: social engineering tactics

Scammers setting up fake profiles then asking for money is astonishingly common, and it’s all to easy to be taken to the cleaners as a result. Just like 419 scams, romance fakers often use templates – or just lazily cut and paste Bot spam to reuse for their own purposes – and fans of dating sites should get into the habit of Googling common phrases, just to see if someone else is saying the same thing. If a wave of Susan J. Fakename is posting identical romantic overtures on six different sites, you can be sure it’s time to move along.

With regard to common scam angles, watch out for anything related to:

  • Sick relatives
  • Medical emergencies
  • Lost overseas and need a plane ticket
  • Lost passport and need a visa / replacement passport
  • Wallet stolen and no funds available
  • Coming to visit, but there’s a last minute ticket price hike and I need your help

On a related note, don’t ever let strangers send money to your bank account for any reason. They’ll probably get you to forward the cash on to someone else, and at that point, you’ve become a money mule.

That’s a criminal offence and will get you into trouble, by the way.

3. “Check out my other profile…”

Be cautious around links sent your way which direct you to another website, and be particularly careful around links to downloadable files. Scammers will often try and remove you from the relative safety of the service you happen to be using, directing you to links and files that the dating site you started with can’t hope to contain. That’s been a staple attack on social media sites for many a year, but it works with dating too.

If someone sends you shortened URLs, you can usually expand them to see where they end up. If you’re still not sure, try googling the link. If nothing still comes up to allow you to make an informed decision, you should just ignore whatever you’ve been sent – it isn’t worth the risk.

4. Remove that personal info

Don’t put your real name / age / location in your profile, email or anything else related to the dating site you’re on. Anonymous usernames are fine. You should also use a disposable email address when you sign up to a new dating service – not only will this keep people you’d rather not stay in touch with away from your main mailbox, it’ll also be obvious if a dating site decides to sell your email to spammers. This is a good trick to use outside of online dating, too.

5. Bots! Bots everywhere!

If you have an open private message system, you’ll likely receive many, many messages from people wanting to chat. Some dating websites will also send multiple daily messages to users via email claiming that persons x, y, and z would like to talk to you. They may even ask about cookie dough (and it better be delicious considering the eventual $118.76 monthly fee). Most dating bots will cycle through a canned script of a dozen or so phrases before claiming you need to be “verified” in some way. This will inevitably lead to a request for payment information. Don’t do it – if in doubt, contact the service you’re using and ask them about it directly. You’ve probably seen examples of this on blogs about Skype spam.

Bots will advertise everything from pornography to mobile games, and spammers commonly use images ripped from the net for their profile avatars. You can try and see if the picture is a stock photo by using the “Search Google for this image” option in your browser, or fire up TinEye to see what’s out there.

Bot accounts probably won’t have a realistic looking bio, or have links to profiles on popular social networks. If it looks cookie-cutter, there’s a good chance it might be. Feel free to see if they pop up across the web anyway and you’ll quickly learn if they’re one of a kind or part of a wave of identikit bots.

6. “Got any pics?”

Be wary of people asking for intimate photographs and / or video, as this is a surefire way to find yourself blackmailed into handing over lots of money. If you do pay the blackmailer, there’s no guarantee the images won’t be leaked anyway. There’s also the issue of revenge porn to consider, and the legal issues that will inevitably arise as a result.

Put simply: don’t do it.

Hopefully the above will help to keep you out of trouble while swiping left (or right? I have no idea), and here’s to a safe online Valentine’s Day experience for everybody.

 

Christopher Boyd

Categories: Techie Feeds

Always read the EULAAARGH: Part 1

Malwarebytes - Mon, 02/13/2017 - 16:00

Last November, I gave a talk in Ireland at the fantastic IRISSCON, a huge annual security conference which covers everything from social engineering and use of language to the criminal underground and heart hacking.

My talk was all about EULAs, or at least, it used EULAs as a starting point before quickly moving into the land of mobile and the crazy assortment of Privacy Policies on offer.

What is a EULA?

The EULA is an End User License Agreement and generally sets out things like your ability to use, copy (or indeed, not copy) the product sitting in front of you. More often than not, there’ll be a Terms of Service which explains what you can do while using the product, a sort of “what you can reasonably expect to take place while the wheels are in motion”. These can be more important in mobile land than on a desktop, where apps and software as a service reign supreme.

The last piece of the puzzle is the Privacy Policy, which explains what happens to your PII, where it is stored, and what the company responsible for it will do to safeguard the information. These are often very, very important where mobile is concerned – indeed, on the pages of Google Play you’ll very rarely see a EULA listed, whereas the Privacy Policies are always on the page, visible and linked (if you do see a EULA, it’ll probably pop up at install in the app itself). Here’s an example of a Privacy Policy linked on a Play Store app page:

 

Where this gets interesting is that Privacy Policies are typically all about the adverts, tracking, and analytics you can expect to run into on your travels. Just like websites, ads are usually how free games make their money – regardless of whether or not they use in-app purchases. I’ve written about Advergaming many times – here’s 5 blogs for you to get your teeth into:

Part 1: Introduction
Part 2: The Location and Design of In-Game Advertisements
Part 3: The Gamification of Gamers
Part 4: Hotfixes and Notfixes
Part 5: EULAs and You

Previously, device owners could try and bypass adverts on their devices through all manner of antics – here’s people using OpenDNS to block Xbox dashboard ads – so it was inevitable that adverts would eventually become something you can’t get around anymore. Behold, the advert as a game mechanic:

Yeah, there’s no way to dodge that. There’s a weird grey area where parents let their kids download / play all manner of things on their devices, or buy tablets specifically for the children to use, so they’re “theirs” but the data on the device is a mashup of both parent and child. Some games need registration, logins, permission from an adult over 13 years of age and so on. With that in mind, it’s quite important to ensure you know where your data is going, which is probably why Privacy Policies are such a big deal.

I’m not sure how many successful EULA challenges have passed muster in a court of law, but anything involving leakage/theft/bad things in general related to PII never tend to go well for the offending party. That’s probably why we end up with such a headache when trying to deal with companies attempting to cover themselves from unwarranted blame, because that way lies madness – and lots of words.

The problem with words

In an ideal world, the perfect EULA would combine the EULA, ToS, and Privacy Policy in one bundle of amazing and look like this:

Unfortunately, this isn’t possible.

Most mobile games make use of multiple advertisers/networks, and some are region specific so what you see in country A won’t be what you see in country B. As a result, you end up flowing down a river of “here’s two more links to two more policies – and both of those links to some of their partners, so here’s a few more – and this – and that – and one of these”.

Essentially, the EULA is the bit you get out of the way to introduce the meaty privacy policy, and beyond the “Agree/Disagree” it functions as little more than a gateway to the complicated stuff.

Here is your 2017 experience:

LOL indeed.

Incredibly important information about what’s happening to your data is often not placed in the app itself, because the app maker wants you to get right into the act of making them some money and tons of words would be a bit of a distraction, and worse still, the app maker is relying on the ad network/provider/whoever to actually have the correct information available, online, in an easy to digest format. Effectively, you’re seeing a EULA at app launch, but the PII references are all sitting on a website somewhere – or, even more confusingly, a whole bunch of third-party websites.

Did you read it all? Of course you did.

At time of writing (well, at time of putting together the slide deck) the top games on the Play store were as follows:

Design Home: 2147 word Privacy Policy
Taps to Riches: 1245 words
Block! Hexa Puzzle: 678 words
Rolling Sky: 586 words
Pineapple Pen: No privacy policy listed on Google Play or the developer’s own homepage. This surprised me, as I was under the impression every app needed one listed. The best I could come up with is the below text taken from the Play developer’s information portal:

Essentially, if it’s decided that the app doesn’t handle what is considered to be PII, then it doesn’t need to list anything. You can see the problem here; without any form of information whatsoever with regards what the app is doing with said data (outside of notifications related to what device functions it may make use of), there is no way for the consumer to make an informed decision.

In the last few days, Google Play has now decided to purge apps with no Privacy Policy on offer – one fears for the health of those pineapples.

Elsewhere, we have Privacy Policies ranging from 500 words to just over 2,000. There are various readability tests which will try to establish how complicated a piece of text is; these can take in very complicated mathematical equations, or look at what % of words contain more or less than 7 letters, or compare the whole text against a set of a couple of thousand “common” words, and increase the complexity score every time words appear which aren’t listed.

There are plenty of online readability score checkers you can run text through [1], [2], [3], and typically you’ll find the scores peg the Privacy Policies at close to (or above) graduate level.

This makes sense – it’s legalspeak, and legalspeak is complicated. Sites and services have occasionally tried to tackle this particular beast, with mixed results – for our part, we offer non-legal, hopefully easy to understand text next to the complicated bits in our own Privacy Policy.

Unfortunately, in certain circumstances there may just be too many words to deal with to gain a firm understanding of exactly what you happen to be dealing with. In the follow-up post, you’ll see exactly what I mean.

Bring some background music, a soft bedside light and a large pair of reading glasses.

You’ll need them.

 

Christopher Boyd

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds