Techie Feeds

Stay away from the Bitcoin multiplier scam

Malwarebytes - Mon, 11/06/2017 - 18:30

It is well known that hot commodities tend to attract scammers and online criminals. The continuous rise of Bitcoin over the past year (valued at over USD $7,188 at the time of writing) is generating frenzy amongst fans of cryptocurrencies as well as those watching from the sidelines.

While the threat of Bitcoin theft from hackers or rogue operators remains high, we also see many scams inspired by the classic Ponzi scheme. Such is the case of the Bitcoin multiplier scheme, where victims are enticed to send some of their Bitcoin to a particular wallet and be given x times the amount they invested.

Multiply your loss

There are a few different ways users are drawn to this scam. One of them is searching online for sites that offer such a service (and you can find many). Some people are even asking the million dollar question: “Is there any genuine Bitcoin multiplier?” which scammers immediately pounce on and use for Search Engine Optimization (SEO) purposes.

Another tactic is to use advertising to redirect users to such sites:

The offer sounds too good to be true and should raise an immediate red flag. Even the “confidence” indicators displayed at the bottom of the page are fake and just for show.

However, the scam artists are using an interesting ploy by first asking the user for their email address and Bitcoin address, suggesting that the service might actually send them something. But the opposite happens. When the user submits their information, they are taken to a different page asking them to send BTC to the perpetrator’s wallet:

This might make some people feel uneasy, but the crooks have an answer for any doubts that might arise. They keep a page with previous payments they have sent, although this information is bogus.

In trying to deconstruct this scam, one question that comes to mind is why such a service would exist in the first place, especially considering that nowhere on the site do they mention any kind of commission for their effort. Well, apparently, these guys are doing it for the altruistic love of technology.

Sadly, many people have fallen for this scam and have never seen their money again. The criminals behind this are setting up temporary websites and keep on resurfacing after they have been taken down.

The best piece of advice we can give you is to stay away from too good to be true promises, especially when it involves something like Bitcoin or other cryptocurrencies. And if you need any more guidance, the answer to the million dollar question is: No, there are no genuine Bitcoin multipliers.

The post Stay away from the Bitcoin multiplier scam appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (October 30 – November 5)

Malwarebytes - Mon, 11/06/2017 - 18:00

Last week on our blog, we told you what to expect at the upcoming Irisscon security conference in Dublin. We gave you a quick introduction into the why and how of analyzing malware based on their API calls. And we issued a warning about some lesser-known cybercrimes. Plus we explained why emerging APAC markets are prime targets for cybercriminals.

We also introduced you to some of the scariest malware monsters that could come knocking on your door for more than just candy. And finally, we explained how cryptocurrencies work and why all the cybercriminals love them.

Other news

Safe surfing, everyone!

The post A week in security (October 30 – November 5) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Explained: blockchain technology

Malwarebytes - Mon, 11/06/2017 - 17:45

Last week, we talked about what cryptocurrency is and why cybercriminals love it. We mentioned that cryptocurrency was founded on a technology called blockchain, which is a tight system that, when applied correctly, is more secure than most other financial transactions. In this post, we’ll explain the basics of blockchain technology, including its origin, development, and what makes it secure.

Origin of blockchain

One of the prime and most well-known examples of blockchain technology is Bitcoin. In 2008, the founder and spiritual father of Bitcoin (acting under the name of Satoshi Nakamoto) laid the groundwork for blockchain technology when he presented his solution for the “double spending problem” in digital currency. Double spending can be seen as copying and pasting money so you would never run out of it. In the non-digital world, we’d call this counterfeiting.

This countermeasure against double spending is essentially the foundation of our current blockchain technology, a method of record keeping that is essentially a decentralized, distributed, historical database.

The linchpin of blockchain technology is its decentralization. There is no central authority. Anybody can be a user or participant. This makes the system more open and less vulnerable than traditional ledgers.

Blockchain security

How is the blockchain made secure? Good question! Without making this too complicated, consider a system that only works in one direction. That system calculates the hash value that is the unique answer to a math problem based on the data contained in the block. Every time you feed the system the same data in the block, the hash value will be the same. Every change in the block results in a different hash value.

Take for example adding up the numbers in a long value like 123456789, which will result in 45. Changing the first value will have an effect on the result, but from knowing 45 alone it is impossible to figure out the value we used as input. This is the basically the same idea as blockchain, only the its hashes and input are much more complicated.

So there is no way (short of centuries of bruteforcing) to go in reverse and find the data of the block based on a hash value. This provides miners, or those who maintain the transactions in the blockchain, with a method to check the validity of a transaction without being able to create a block with false information. This is what solves the double spending problem. It makes it impossible to make up a transaction and feed the false information into the blockchain. You can not find the hash that would make that transaction look legitimate.

How new blocks are created

Every so often a new block is created—as a set of transactions recorded over a given period of time. This block contains all the transactions that were made on the blockchain since the previous block was closed. Miners then calculate the hash value of the current block. The first one to get it right gets a reward.

Now the nodes come into play. A node is a machine that is broadcasting all the transactions across the peer-to-peer network that is the base of the blockchain. The nodes check and broadcast the hash of this proposed block until agreement is reached about the new block. Then this block will be accepted as the new starting point for the transactions in the next block. The block is saved in many different places so that no one entity has total control over it.

The transactions we mention do not have to be money transfers, as the blockchain can be used for many other applications. Consider, for example, smart contracts that can be programmed to pay the supplier when a condition has been met, such as the delivery of goods. This moves the trust in the completion of the transaction from an intermediary like a bank or a website to the blockchain.

How mining works on the blockchain

Why would miners bother with appending to the blockchain and verifying new blocks? The “proof of work” method gives rewards to miners for calculating the hashes. So basically they get paid for the energy they put into the work. However, the proof of work method used in Bitcoin and other digital currencies is causing an energy consumption level that could run an entire country.

The number of  processing cycles needed to mine effectively has made CPU mining a thing of the past. Instead, miners moved on to GPU mining and then to ASIC, or application-specific integrated circuit, which is highly specialized and much more effective at what it does.

Although the number of Bitcoin that are given out each day as rewards stays the same over a given period of time, the number of mining farms has taken the number of cycles needed for one Bitcoin through the roof. Imagine huge server farms with racks upon racks of ASICs mining away, and that will give you a good idea of what the professional miners are doing. This is not “Joe at Home” anymore, but serious business. 

One alternative method that is in planning for the Ethereum Project is “proof of stake.” Proof of stake rewards those that have the most invested in the currency or gas (gas is the internal pricing for running a transaction or contract in Ethereum). Some fear this will turn blockchain into “the rich get richer” system, so there may be some new problems to be solved on the horizon.

But if it’s so secure, how come I heard…

Even though the blockchain technology itself is secure, the applications that may be built on or around this technology are not necessarily inheriting its security. So you may have heard of criminals acquiring Bitcoins illegally in various ways, but these crimes usually take place before the cryptocurrency was acquired, for example by having others mine for the threat actor. Or afterwards, for example by stealing wallets or even robbing a Bitcoin exchange.

Extra reading

For more information on blockchain, take a look at this explanation using easy to understand examples: The ultimate 3500-word guide in plain English to understand Blockchain.

A comparison between proof of work and proof of stake can be found here: Proof of Work vs Proof of Stake: Basic Mining Guide

The post Explained: blockchain technology appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What is cryptocurrency and why do cybercriminals love it?

Malwarebytes - Fri, 11/03/2017 - 14:00

Ever pretend you know what your friends are talking about because you want to sound smart and relevant—and then trap yourself in a lie?

“Wow, looks like those hackers were mining for cryptocurrency. You know what cryptocurrency is, right?”

“Oh yeah, totally. Cryptocurrency. Bad stuff. You know. Currency? In the crypt? Bad.”


Okay, so the next time someone asks, “What is cryptocurrency, anyway?” instead of awkwardly shrugging, be prepared to dazzle them with your insider knowledge.

What is cryptocurrency, in a nutshell?

In its simplest form, cryptocurrency is digital money. It’s currency that exists in the network only—it has no physical form. Cryptocurrency is not unlike regular currency in that it’s a commodity that allows you to pay for things online. But the way it was created and managed is revolutionary in the field of money. Unlike dollars or euros, cryptocurrency is not backed by the government or banks. There’s no central authority.

If that both excites and scares you, you’re not alone. But this technology train has left the station. Will it be a wreck? Or will it be the kind of disruptive tech that democratizes the exchange of currency for future generations?

Let’s take a closer look at what cryptocurrency is, how it works, and what are the possible pitfalls.

What makes cryptocurrency different from regular money?

If you take away all the techno-babble around cryptocurrency, you can reduce it down to a simple concept. Cryptocurrency is entries in a database that no one can change without fulfilling specific conditions. This may seem obtuse, but it’s actually how you can define all currency. Think of your own bank account and the way transactions are managed—you can only authorize transfers, withdrawals, and deposits under specific conditions. When you do so, the database entries change.

The only major difference, then, between cryptocurrency and “regular” money is how those entries in the database are changed. At a bank, it’s a central figure who does the changing: the bank itself. With cryptocurrency, the entries are managed by a network of computers belonging to no one entity. More on this later.

Outside of centralized vs. decentralized management, the differences between cryptocurrency and regular currency are minor. Unlike the dollar or the yen, cryptocurrency has one global rate—and worth a lot. As of November 2017, one Bitcoin is equal to $6,942.77. Its value has increased exponentially this year, exploding from around $800 in January 2017.

How does cryptocurrency work?

Cryptocurrency aims to be decentralized, secure, and anonymous. Here’s how its technologies work together to try and make that happen.

Remember how we talked about cryptocurrency as entries in a database? That database is called the blockchain. Essentially, it’s a digital ledger that uses encryption to control the creation of money and verify the transfer of funds. This allows for users to make secure payments and store money anonymously, without needing to go through a bank.

Information on the blockchain exists as a shared—and continuously reconciled—database. The blockchain database isn’t stored in a single location, and its records are public and easily verified. No centralized version of this information exists for a cybercriminal to corrupt. Hosted by millions of computers simultaneously, its data is accessible to anyone on the Internet.

So how, exactly, is cryptocurrency created and maintained on the blockchain? Units are generated through a process called mining, which involves harnessing computer power (CPU) to solve complicated math problems. All cryptocurrencies are maintained by a community of miners who are members of the general public that have set up their machines to participate in validating and processing transactions.

And if you’re wondering why a miner would choose to participate, the answer is simple: Manage the transactions, and earn some digital currency yourself. Those that don’t want to mine can purchase cryptocurrency through a broker and store it in a cryptocurrency wallet.

When was cryptocurrency developed?

In the wake of Occupy Wall Street and the economic crash of 2008, Satoshi Nakamoto created Bitcoin, a “peer-to-peer electronic cash system.” Bitcoin was a slap in the face to the “too big to fail” banks because it operated outside of a central authority, with no server and no one entity running the show. Bitcoin pioneers had high hopes of eliminating the middle man in order to cancel interest fees, make transactions transparent, and fight corruption.

While Bitcoin was the first and remains the most popular cryptocurrency, others saw its potential and soon jumped on the bandwagon. Litecoin was developed in 2011, followed by Ripple in 2012. In 2015, Ethereum joined the fray and has become the second most-popular cryptocurrency. According to CoinMarketCap, there are now more than 1,000 cryptocurrencies on the Internet.

Cryptocurrency’s popularity on the Internet soon bled into other real-world applications. Japan has adopted Bitcoin as an official currency for commerce. Banks in India are using Ripple as an alternative system for transactions. JP Morgan is developing its own blockchain technology in partnership with Quorum, an enterprise version of Ethereum.

However, as with any new and relatively untested technology, the cybercriminals wanted in. And it wasn’t long before Bitcoin and other cryptocurrencies fell victim to their own democratic ideals.

How has cryptocurrency been abused?

As secure as a Bitcoin address is, the application of its technology is often fumbled; usually by unpracticed programmers looking to get in on the action and creating faulty code. Fundamentally, the system is superior to centralized database systems, but poor coding practices among its thousands of practitioners have created a multitude of vulnerabilities. Like vultures to carrion, cybercriminals flocked to exploit. According to Hacked, an estimated 10 to 20 percent of all Bitcoin in existence is held by criminals.

While cryptocurrency was initially hailed as the next big thing in money, a savior for folks who just lost everything in steep recession (but watched as the banks that screwed them over walked away unscathed), a hack in 2011 showed how insecure and easily stolen cryptocurrency could be. Soon, the criminal-minded rushed in, looking to take advantage of the cheap, fast, permission-less, and anonymous nature of cryptocurrency exchange. Over the last nine years, millions of Bitcoin, worth billions of dollars, have been stolen—some events so major that they drove people to suicide.

On a smaller but much more frequent scale, cryptocurrency is used on the black market to buy and sell credit card numbers and bot installs, fund hacktivism or other “extra-legal” activity, and launder money. It’s also the payment method of choice for ransomware authors, whose profits are made possible by collecting money that can’t be traced. Certainly makes getting caught that much more difficult.

Ransom note asking for Bitcoin

And if that weren’t enough to call cryptocurrency unstable, the process of mining itself is vulnerable and has already attracted some high-profile hacks. Services such as CoinHive allow those that deploy it to mine the CPU of their site visitors—without the visitors’ knowledge or permission. This process, known as cryptojacking, is robbery-lite: Users may see an impact to their computer’s performance or a slight increase in their electric bill, but are otherwise unaffected. Or that is, they were, until cybercriminals figured out how to hack CoinHive.

Future applications

So where does that leave us with cryptocurrency? Surely its popularity is skyrocketing and its value is spiking so hard it could win a gold medal for beach volleyball at the Olympics. But is it a viable, safe alternative to our current currencies? Cryptocurrency could democratize the future of money—or it could end up in technology hell with AskJeeves and portable CD players.

We can see the technological applications for the future that demonstrate the clear advantages of cryptocurrency over our current system. But right now, cryptocurrency is good in theory, bad in practice. Volatile and highly hackable, we’ll have to move to create security measures that can keep up with the development of the tech, otherwise cybercriminals will flood the market so heavily that it never moves beyond the dark web.

If you want to learn even more about cryptocurrency, stay tuned for a deeper dive on blockchain technology and a full report on cryptojacking.

The post What is cryptocurrency and why do cybercriminals love it? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Why emerging APAC markets are prime targets for the malware of the future

Malwarebytes - Fri, 11/03/2017 - 02:00

In many ways, Asia has led the way in technological development. Robotics, video games, dizzyingly fast Internet speeds. But when it comes to cybersecurity, several APAC countries, especially those in emerging markets, are severely lacking. And while, according to the 2017 State of Malware Report, cybercriminals are still focusing the bulk of their nefarious efforts on North America and Europe, it’s not long before they turn their full attention to the vulnerable targets of the East.

To be clear, that doesn’t mean that there’s no cybercriminal activity in Asia-Pacific. Quite the contrary. According to research by March & McLellan Companies, APAC is an ideal environment for cybercriminals to thrive in due to high digital connectivity contrasted with low cybersecurity awareness and weak regulations. However, lack of transparency from Asian governments and businesses leads to the potentially inaccurate perception that threat levels in the APAC region are lower than everywhere else. We just don’t know what we don’t know.

That being said, our data shows that the most dangerous and pervasive forms of malware and the highest frequency of attacks are not happening yet in Asia-Pacific. Why? If you need an answer for why cybercriminals do anything, look no further than this: money. Threat actors target countries with the strongest economies in order to get the biggest return on their investments. In countries where the Internet is just being introduced, criminals would not expect to extort the same amount of money or data as in countries where the Internet rules almost all commerce, banking, data storage, and financial transactions.

Countries such as the Philippines, Malaysia, and Indonesia are already seeing widespread use of mobile banking and social media via smartphones, rapidly bringing Internet access to citizens. With widespread Internet adoption, it is only a matter of time before cybercriminals turn their attentions toward these markets.

In fact, just yesterday virtually every person in Malaysia had their personal data swiped in hacks of government servers and telco databases. After all, when market share increases, the sharks smell blood. To avoid the feeding frenzy, emerging APAC markets need to increase cybersecurity awareness and take active steps to mitigate risks as Internet access and adoption increases.

Let’s take a closer look at the factors that leave emerging markets in APAC vulnerable to attack.

Lack of regulation online

With the rapid growth of Internet usage in the APAC region, it’s likely that we’ll see a relative increase in malware detections. The aforementioned lack of transparency has resulted in weak cyber regulations by authorities in certain geographies, as well as a marked lack of security investment amongst businesses—perhaps partially due to the Internet security market still being heavily targeted toward US and European markets.

A relative lack of regulation leads to an Internet that resembles the wild west of early years—yet with the technological sophistication of today. This results in third-party app stores selling malicious apps unchecked, and pirated software often left unpatched due to lack of official support. It also leaves PCs ripe for takeover, which is why 50 percent of all botnet detections by Malwarebytes were centered in Asia. Outdated prevention security, the use of pirated software, lack of remediation or response, and poor cyber hygiene habits leave these systems open to online attacks.

Increased adoption of Internet without awareness

According to ESET’s Asia Cyber-Savviness Report, 78 percent of Internet users in Asia have not received any education on cybersecurity. Collectively, Asia’s level of awareness is comparably lower than other regions of the world. This general lack of awareness bleeds over into business, with 70 percent of Asian firms saying they don’t have a strong understanding of their cyber posture (Marsh & McLellan).

Without background information on the dangers inherent in cyberthreats, individuals and companies are less likely to consult cybersecurity resources, invest in security products, or respond quickly to breaches.

Some Asian economies such as Singapore, Hong Kong, and Taiwan boast excellent cybersecurity postures; all have government-linked cybersecurity agencies that sponsor education, outreach, and response to cyberthreats. The entire region must make a unified effort, however, to ensure that cybersecurity awareness is given greater emphasis.

Increased adoption of Android

Android devices are vulnerable to malware attack because of their high market share and ability to download third-party apps from vendors outside of Google. These vendors often don’t require that developers submit to strict security regulations, which leaves them vulnerable to infection (or, in many cases, results in malicious apps making their way into the marketplace unobscured). Unfortunately, the region of the world with the highest rate of Android adoption is, you guessed it, Asia.

In addition, local phone manufacturers in emerging Asian markets have been known to skimp on security features in order to reduce manufacturing costs. This leaves Asian Android users even more open to attack.

Increased adoption of IoT devices

Asia-Pacific leads the IoT market, having pioneered the adoption of IoT and machine-to-machine technology. Yet IoT is still a relatively new technology, for which security has not be adequately developed. Because of this, we’re already seeing IoT devices being compromised for botnet attacks, which are rampant in the APAC region.

While Internet usage in the region continues to grow, legislation and cybersecurity awareness is lagging behind; users are leaving themselves vulnerable to increasing attacks from cybercriminals. Individuals, businesses, and government bodies must learn more about cybersecurity, educate their friends, family, and coworkers, and take steps to secure their environments now before the inevitable tsunami of cyberattacks hits.

The post Why emerging APAC markets are prime targets for the malware of the future appeared first on Malwarebytes Labs.

Categories: Techie Feeds

IRISSCON security conference comes to Dublin in November

Malwarebytes - Thu, 11/02/2017 - 19:53

It’s that time of the year when IRISSCON—the biggest security conference in Ireland, in my humble opinion—springs into life with a great collection of talks and Capture the Flag events. Held on November 23 in Dublin, there will be a strong focus on working in Infosec this year, alongside some of the problems faced by industry practitioners. For my part, I’ll be giving a retooled run-through of my talk Makhra Ni Orroz, which received a great response at SteelCon. I’m looking forward to seeing how it goes down with a new audience!

Elsewhere at IRISSCON, the theme of breaking into Infosec via non-traditional routes is prominent—and this has been a hot topic this year, thanks to Equifax and music degrees. With that in mind, “Getting into the infosec industry from different directions,” by Lee Munson and Thom Langford will be a must watch. There’s a huge range of people working in Infosec with no technology qualifications (myself included), and presentations like this are a great way to explain why and how there are so many diverse skill sets on offer.

Elsewhere, we have “Would the real imposter please stand up?” by Dr. Jessica Barker, which looks at the very real problem of “Imposter Syndrome” suffered by those working in security fields—something I suspect may have been exacerbated as a direct result of the explosion of angry shouting related to non-tech qualifications.

In another handy talk for those in the Infosec field, we have “Three security professionals walk into a bar” by Javvad Malik, which will show you how to make yourself a more attractive proposition for both your 0rg and the industry in general. A little self improvement goes a long way!

Quentyn Taylor will add further insight into the daily dealings of a CISO with “The sights, the sounds, the smells of a hard working CISO on the road.” Last but not least, FreakyClown will be giving a deep dive into the world of social engineering and weaknesses in physical and digital security with the wonderfully titled “How I rob banks.”

If you haven’t been to a security conference before, or even if you’re a seasoned hand on the conference circuit, this is definitely one of the best value events you can attend, so please come along and say hello!

The post IRISSCON security conference comes to Dublin in November appeared first on Malwarebytes Labs.

Categories: Techie Feeds

All rise! Mind these digital crimes and arm yourself against them

Malwarebytes - Wed, 11/01/2017 - 13:15

Have you noticed that, in this year alone, headlines are inundated with words that contain “cyber”?

Cybercrime. Cyberattack. Cybersecurity. Cyberwarfare. The cyber. (Okay, that was last year.)

Frankly, with so much going on, we hardly remember a time when the term “cyber” seemed quaint and a little retro.

Indeed, cybercrime as a whole has been steadily on the increase these past few years, and not one expert has predicted it ebbing anytime soon. This is daunting, but not exactly unexpected. As we progress in adopting new technologies—with more of the world’s population online now than not—more and more people are exposed to potential threats.

Are we then to embrace the inevitable? Not really. Assuming the worst is to come—and we think you should—it’s more important than ever to arm yourself against digital crimes. This means putting security measures in place that aim to prevent or mitigate specific threats, tinkering with some habits that are actually quite dangerous, and talking about security candidly with friends, family, and peers.

So, let’s prioritize. We’ve scoured through scores of reports and identified digital crimes that are on the rise. In the list below, we’ll explain them and what you can do to protect yourself against them.

(1) Card skimming. This is a type of electronic fraud where criminals use a device called a skimmer to steal card information from users. The skimmer is usually installed onto devices where one can swipe or feed their credit or debit card, such as ATMs, point-of-sale (POS) devices, and gas pumps. Brian Krebs of KrebsOnSecurity covered card skimming extensively in a fascinating and eye-opening series of blog posts that we suggest you read through here.

How to protect yourself: There are two rules of thumb:

Always check. KrebsOnSecurity has provided ways on how one could recognize tampered devices so users can protect their bank cards from getting skimmed. “If you see something that doesn’t look right—such as an odd protrusion or off-color component on an ATM—consider going to another machine,” wrote Krebs in one article. “Also, stay away from ATMs that are not located in publicly visible and well-lit areas.”

More sophisticated setups, on the other hand, show nominal to no signs of obvious tampering. This is true for gas stations, where threat actors generally plant their skimming device within the pump’s interior. We don’t advocate consumers to start dismantling gas pumps to check if they’re clean or not; however, we do advice users to keep a close eye on their bank statements for any expenditures they don’t remember paying for.

In September of this year, an Android app called Skimmer Scanner was made available on Google Play to download and use for free. This app is supposed to detect skimmer-tainted gas pumps, which use Bluetooth technology to steal user information. If you’re interested, the developer of the app wrote a technical post that you can read in this SparkFun page.

Never let your bank card out of your sight. If you’re in a restaurant or small shop where they use a handheld payment terminal, ask the waiter or cashier to swipe the card in front of you. A lot of businesses already do this, but it won’t hurt to ask if you see that the establishment you’re in needs to catch up on this practice.

It’s also important to make sure contact details are updated for each card you own and use so you can be easily reached if the bank spots potential fraudulent transactions.

(2) Android malware. Ever since mobile usage exceeded PC and laptop usage combined, we’ve been expecting that criminals would begin targeting the mobile market. And since Android is the dominant mobile OS worldwide, they are the most targeted mobile devices. This has been and continues to be the trend, year after year. Trojans lead the mobile malware infection count, followed by potentially unwanted programs (PUPs). Meanwhile, mobile ransomware is growing at a rapid rate.

How to protect yourself: If you haven’t already, begin practicing basic computing hygiene the same way you would when you’re on a desktop or laptop. This includes regular firmware and app updates, backing up phone data, locking the device when not in use, setting up remote wipe, installing apps that help protect you from threats when you browse the web, and playing it smart on public Wi-Fi networks.

It’s also essential that users regularly audit mobile devices for apps that they no longer use—these they can uninstall—and those that, for some reason, started doing things they’re not supposed to—these they must uninstall.

We pushed out several articles about mobile security on the Labs blog. Now would be a good time to go back and review them.

(3) Mac malware. Apple has gained favor in the eyes of threat actors, but this didn’t happen overnight. Its user base has been increasing steadily over the years, and we can surmise some reasons why. For one thing, its partnerships with other tech giants like IBM and Cisco have significantly expanded Apple’s reach in the enterprise world. Not only that, human behavior and logic play a factor, too: iPhone and iPad users are known to consider buying a Mac instead of a PC to complement their devices.

There wasn’t much Mac malware out there at first, but our recent telemetry data reveals that it is becoming noticeably problematic, along with adware and PUPs. We’d be remiss not to point out that Mac OS users may encounter various malvertising and scam campaigns, too.

How to protect yourself: Our recommendations to Mac users are not that different from what we advise Windows users. Again, following safe browsing habits is a constant best practice for any platform, operating system, or device. Don’t forget to back up files and, if you can, try to avoid downloading torrent files, which are sometimes bundled with programs you wouldn’t want to be installed on your system.

Below are some posts you may want to go back to and re-read about Mac safety:

(4) Linux malware. Here’s another OS that was first deemed “immune” from digital crime but is now making headlines, thanks to the proliferation of electronic devices and appliances that use software based on the Linux kernel, such as Android phones and tablets, routers, and the Internet of Things (IoT). In the Internet Security Report Q1 [PDF] by our friends at WatchGuard, they noted the three current types of malware targeting Linux: exploits, downloaders, and flooders.

Anecdotal evidence points to a number of reasons why threat actors are now going after Linux-powered devices. First, vendors and developers didn’t take the time or effort to incorporate a patched kernel onto their products. Second, most of these devices and appliances have little to no security protections in place, and updating them over-the-air (OTA) is almost nonexistent. Last, consumers don’t use passwords—and if they do, they use poor ones—to protect such devices and appliances.

How to protect yourself:

Let’s start with passwords: Create one, now, or let a password manager do the creating for you. Make sure that the software and firmware on your IoT devices/appliances is updated.For those who have Linux servers, regularly update the OS. Implement firewall rules that block unsolicited inbound traffic and SSH access from the Internet and internal network. And finally, consider protecting devices with multiple security technologies, including anti-spam, URL filtering, anti-malware, and intrusion prevention, to name a few.

(5) Cyberbullying. The only Internet crime on this list that is aimed directly at actual people.

We’ve written about cyberbullying through the years, and we know that this act does not only involve kids and teens but also adults. And online bullying incidents are more prevalent now than ever. Why? While it’s true that the Internet has made it easier for anyone to talk to someone on the other side of the globe, let’s not remove from the equation people’s poor choices, misunderstood notions on anonymity, and the false assumption that real life is separate from digital life.

How to protect yourself: Prevention is always better than treatment, so how does one prevent cyberbullying? Consider limiting what you share online, or at least limit who sees what you share. Your social media feeds don’t have to be public, especially if you’re sharing something that is meant for close family and friends. Speaking of sharing, avoid sending intimate or private photos to anyone. This could not only lead to bullying but also revenge porn.

We have more preventive steps here, wherein we mostly touched on debunking myths surrounding cyberbullying.

Here’s more from our series during Anti-Bullying Week:

(6) Contactless card fraud. As we all know, a contactless card does not require one to enter their PIN, much less slotting it through a PoS terminal. All one has to do is wave it or keep it stationary in front of a contactless reader for a few seconds and you’re all set. Many users have opted to use contactless cards due to their ease of use. So easy, in fact, that one might correctly surmise that criminals can easily commit fraud as well.

Note that this particular digital crime is only relevant in regions of the world that use contactless cards, such as the UK and most European countries.

How to protect yourself:

Always handle your card yourself. Handing someone your card to be waved increases the risk of it getting skimmed. To keep track of spending when you use the contactless payment feature of your card, ask for a receipt. Compare these with your bank statements. Regularly check your statements for unusual transactions. And if you lose your card, report the loss to your bank immediately. Finally, considering using a digital wallet as an alternative to contactless cards.

While we focused on digital crimes that directly affect consumers here, in Part 2 of this series, we’ll be homing in on crimes that are after enterprises. See you then!

The post All rise! Mind these digital crimes and arm yourself against them appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Analyzing malware by API calls

Malwarebytes - Tue, 10/31/2017 - 18:59

Over the last quarter, we’ve seen an increase in malware using packers, crypters, and protectors—all methods used to obfuscate malicious code from systems or programs attempting to identify it. These packers make it very hard, or next to impossible to perform static analysis. The growing number of malware authors using these protective packers has triggered an interest in alternative methods for malware analysis.

Looking at API calls, or commands in the code that tell systems to perform certain operations, is one of those methods. Rather than trying to reverse engineer a protectively packed file, we use a dynamic analysis based on the performed API calls to figure out what a certain file might be designed to do. We can determine whether a file may be malicious by its API calls, some of which are typical for certain types for malware. For example, a typical downloader API is URLDownloadToFile. The API GetWindowDC is typical for the screen-grabbers we sometimes see in spyware and keyloggers.

Let’s look at an example to clarify how this might be helpful.

Trojan example

Our example is a well-known Trojan called 1.exe with SHA256 0213b36ee85a301b88c26e180f821104d5371410ab4390803eaa39fac1553c4c

The file is packed (with VMProtect), so my disassembler doesn’t really know where to start. Since I’m no expert in reverse engineering, I will try to figure out what the file does by looking at the API calls performed during the sandboxed execution of the file.

This is the list of calls that we got from the sandbox (Deepviz):

For starters, let’s have a look at what all these functions do. Here’s what I found out about them on Microsoft:

GetModuleHandle function

Retrieves a module handle for the specified module. The module must have been loaded by the calling process. GetModuleHandleA (ANSI)

GetProcAddress function

Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).


Convert a string to integer.

CreateStreamOnHGlobal function

This function creates a stream object that uses an HGLOBAL memory handle to store the stream contents.  This object is the OLE-provided implementation of the IStream interface.

StrStr function

Finds the first occurrence of a substring within a string. The comparison is case-sensitive. StrStrA (ANSI)

wsprintf function

Writes formatted data to the specified buffer. Any arguments are converted and copied to the output buffer according to the corresponding format specification in the format string. wsprintfA (ANSI)

WinHttpOpen function

This function initializes, for an application, the use of WinHTTP functions and returns a WinHTTP-session handle.

GetModuleFileName function

Retrieves the fully qualified path for the file that contains the specified module. The module must have been loaded by the current process. GetModuleFileNameW (Unicode)

LoadLibrary function

Loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded. LoadLibraryA (ANSI)

LocalAlloc function

Allocates the specified number of bytes from the heap.

LocalFree function

Frees the specified local memory object and invalidates its handle.

GetModuleFileName function

Retrieves the fully qualified path for the file that contains the specified module. The module must have been loaded by the current process. GetModuleFileNameA (ANSI)

ExitProcess function

Ends the calling process and all its threads.

The key malicious indicators

Not all of the functions shown above are indicative of the nature of an executable. But the API WinHttpOpen tells us that we can expect something in that area.

Following up on this function, we used URL Revealer by Kahu Security to check the destination of the traffic and found two URLs that were contacted over and over again.



This POST is what the VirusTotal API expects when you want to submit a file for a scan.

The link to an old and abandoned Twitter handle was a bigger mystery, until I decided to use the Advanced Search in Twitter and found this Tweet that must have been removed later on.

In base64, this Tweet says: Unfortunately that site no longer resolves, but it used to be an underground board where website exploits were offered along with website hacking services around the same time the aforementioned Twitter profile was active.


This was a dead end on trying to figure out what the malware was trying to GET. So we tried another approach by figuring out what it was trying to scan at VirusTotal and used Wireshark to take a look at the packets.

In the packet, you can see the API key and the filename that were used to scan a file at the VirusTotal site. So, reconstructing from the API calls and from the packets we learned that the malware was submitting copies of itself to VirusTotal, which is typical behavior for the Vflooder family of Trojans. Vflooder is a special kind of Flooder Trojan. Flooder Trojans are designed to send a lot of information to a specific target to disrupt the normal operations of the target. But I doubt this one was ever able to make a dent in the VirusTotal infrastructure. Or the one on Twitter for that matter.

The Vflooder Trojan is just a small and relatively simple example of analyzing API calls. It’s not always that easy: We’ve even seen malware that added redundant/useless API calls just to obfuscate the flow. But analyzing API calls is a method to consider for detecting malware trying to hide itself. Just keep in mind that the bad guys are aware of it too.

The post Analyzing malware by API calls appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Know your threats: the nine scariest malware monsters

Malwarebytes - Mon, 10/30/2017 - 20:31

It’s been a particularly ghoulish year in cybersecurity, from Russian hacks to ransomware outbreaks. The bad boogey man in the black hoodie has been pulling one over the collective public. It’s dark and creepy, but users refuse to stop peeking behind the door.

It’s enough to make even the most grizzled IT admin run for the hills. Wait…no. Avoid the hills. They have eyes.

So instead of turning tail at the first sign of trouble, you can overcome your cybersecurity fears by facing them. Look at these nine scariest malware monsters in the eyes (or eye), and let them know you’re onto them. The more you know about their devious ways, the better you can protect yourself from their attacks.

Click here for the full-size version.

The post Know your threats: the nine scariest malware monsters appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (October 23 – October 29)

Malwarebytes - Mon, 10/30/2017 - 20:01

Welcome back to “A week in security.” Last week, we took a look at how deleted files can be recovered, explored the BadRabbit ransomware plague attacking Eastern Europe (including a deep dive into the code), and talked about what it takes to work in security. One of our researchers, who is a PhD candidate in immunobiology at Yale, also discussed digital vs biological security. Finally, we launched a new series called “Please don’t buy this,” and our first edition featured smart locks.

In other news around the net:

  • Bad news for Google Play Protect: it might not be the malware-smashing barrier everyone was hoping it’d be. (source: The Register)
  • A Dell customer support domain lapses, with predictable “Oh no, here’s a headache” results. (source: Krebs on Security)
  • Home appliances going rogue? You’d better believe it. (source: Check Point blog)
  • Old, reused passwords are still causing problems—even for coin miners. (source: Help Net Security)
  • Oh look, even more bad apps on Google Play. (source: ESET Blog)
  • Exploits, Word documents, and DDE, oh my. (source: Tech Republic)
  • Turns out just looking at porn can get you infected: porn site ads deliver malvertising. (source: Grimsby Telegraph)
  • Fake Apple ID phish scams are still very popular. (source: BGR)
  • The NHS ransomware attack “could have been avoided.” (source: Evening Standard)
  • That speeding notification email you just received is a scam. (source: Yorkshire Post)

Safe surfing, everyone!

The post A week in security (October 23 – October 29) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Traditional AV solutions shown ineffective in real-time global heat map

Malwarebytes - Fri, 10/27/2017 - 07:01

It’s no secret that antivirus technology (AV) has faced increased scrutiny in the tech industry for quite some time. With signature-based detection methods, traditional AV solutions are simply weak against unknown malware and other malicious content. Meanwhile, consumers and businesses continue to trust AV solutions to protect their devices. So, how ineffective are they and what’s the risk to users?

“Testing” of AV platforms has become increasingly popular as a multitude of solutions, based on the same core technologies, have flooded the market. Those that perform well under these parameters tout the results as a stamp of approval. However, the true value of these tests is yet to be determined, as malware in the wild behaves in a manner significantly different from laboratory samples – even recently captured samples apprehended in security honeypots.

However, one way to truly gauge the effectiveness of today’s traditional AV solutions is by analyzing real-world data. So, we did just that.

To better understand the inherent flaws with traditional AV technology and to cast an eye onto the problem globally, we pulled data from real-world scans running one or more traditional AV tools registered on Windows® Security Center. We looked at instances where Malwarebytes was used solely for remediation and excluded data where Malwarebytes proactively blocked threats. This data excluded PUPs (potentially unwanted programs).

We found that in the US, nearly 40 percent of all malware attacks cleaned by Malwarebytes on endpoints with an AV installed occurred on endpoints that had two or more of these traditional AV solutions registered.

What does this mean from a global perspective? We learned that AV is not necessarily the silver bullet. A combination of remediation and protection is sorely needed. What we found might surprise you. In just the month of October, there were about 4 million instances where traditional AV was ineffective against today’s threats.

Screenshot from real-time heat map showing global detections in October


We also created a real-time heat map looking at global malware detections around the globe as they happen,

For a dot to appear on the real-time maps, three things must happen:

  1. A device has a third-party antivirus registered on Windows® Security Center.
  2. A Malwarebytes remediation scan is run.
  3. The scan must detect malware.

Malwarebytes then adds a numerical count for each detection next to the respective vendor’s name. These elements represent Malwarebytes real-time global view of the threats detected by the remediation scans. Each dot represents a detection and there can be multiple detections for each dot.

The results of our global analysis show the ineffectiveness of today’s traditional AV solutions. The worst part is that many businesses and users have no idea that their traditional AV programs aren’t doing their job. This can have devastating consequences at work and at home. Trusting traditional AV alone is a losing proposition for individuals and businesses looking to protect their data from today’s modern threats. The path to a stronger solution for users must be a combination of both remediation and protection.

The post Traditional AV solutions shown ineffective in real-time global heat map appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Please don’t buy this: smart locks

Malwarebytes - Thu, 10/26/2017 - 20:44

We all like buying the latest and greatest tech toy. It’s fun to get new and novel features on a product that used to be boring and predictable; a draw of the original BeBox (amongst many) was a layer of “das blinkenlights” across the front. But sometimes, the latest feature is not always the greatest feature. And sometimes, some things should not be on the Internet at all. For readers concerned with privacy, or who simply do not want to introduce additional hassle into their tech maintenance routine, we introduce the first entry in our series called “Please don’t buy this.”  Today’s feature: smart locks.

The cool new thing

Recently, Amazon announced a new service combining a selection of smart locks, a web-connected security camera, and a network of home service providers that work in concert to allow remote access to your home. Ignoring the question of allowing third-party contractors vetted by an unpublished standard unsupervised access, lets take a look at why smart locks might not be the best purchase.

Amazon’s program actually works with three different existing smart lock products, as seen here.

“Smart lock” is a bit of a catchall term covering a wide variety of technologies, so what are the Amazon locks dependent on, and what security vulnerabilities do those technologies include? It’s a bit of a mystery, as the Amazon sales pages don’t include that information, nor does the “technical specification” page of one of the manufacturers.

What we can surmise is that these locks will require replaceable batteries, and that at least one of the locks affords the user Wi-Fi access. While allowing remote unlocks to your home without any in-person authentication is a pretty transparently bad idea, a number of other smart locks have attempted a more secure approach using Bluetooth low energy, which affords some additional security features that the original protocol does not.

Unfortunately, while the protocol itself has a generally good security profile, implementation and associated companion apps put out by lock manufacturers aren’t quite as good. In tests at last year’s Defcon, 12 out of 16 smart lock models failed under sustained attack. Most of these failures concerned either encryption implementation, or shoddy code in associated apps.

Why it’s less cool than it appears

Setting aside poor security design and implementation, “smart” devices like these tend to come with fuzzy legal boundaries surrounding ownership and maintenance.  Last year, a home automation hub company called Revolv was shut down during acquisition. Rather than simply failing to provide updates, the devices were disabled.

This was an inconvenience for users, but what if it was your front door? Given the current state of mobile OS fragmentation, would it be that much of a surprise if a lock company simply declined to provide security updates? We couldn’t find any information on the means by which the new Amazon compatible locks are updated, how authorized delivery personnel will interact with the locks, and if any third party has access to data communicated by the lock and/or accompanying phone apps.

These are questions that would be concerning for any device. But when that device affords access to your home, considerably more transparency about the device’s underlying technology should be mandatory.


A physical deadbolt has security flaws as well. But deadbolts have a standardized design, commonly accepted standards that they are evaluated against, can be repaired or replaced by anybody, and are unequivocally owned by you. Can a smart lock’s EULA claim the same? Smart locks could achieve acceptable purchase status if they met the following criteria:

  • independent, industry-wide security standards in design
  • independent code auditing
  • no Wi-Fi
  • Conventional implementation of industry standard encryption
  • no third-party data storage
  • right to repair

Until smart locks can meet these standards, we respectfully suggest. . .Please don’t buy this.

The post Please don’t buy this: smart locks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Our computers, ourselves: digital vs. biological security

Malwarebytes - Wed, 10/25/2017 - 23:12

Though by night I fight malware alongside the rest of the Malwarebytes research team, by day I work as a doctoral student in Immunobiology at Yale University, where I study the development of the immune system in your bone marrow. This grants me a unique perspective, as I’ve studied both the evolution of malware over the past decade, and the evolution of the microscopic organisms that make us sick.

“Computer virus” has become the catch-all term that people use to describe all types of malicious software—Trojans, ransomware, adware—you name it. When grandma asks for help with her computer, the phrase “I think there’s a virus” likely rings familiar. A similar pattern also emerges when people describe biological infections; we often begrudgingly conclude, “I caught a virus,” as we lay painstakingly on the couch waiting for the fever to break.

Studying these two similarly-named phenomena in parallel had led me to the inevitable question: Are these two types of infections so different? Are there parallels we can draw and learn from between computer security and the human immune system?

Computer viruses vs. biological viruses

I often like to compare digital polymorphic file-infector viruses (such as Virut and Sality, both commonly found throughout the past decade) and biological retroviruses such as HIV. File-infector viruses add malicious data to your computer’s files. We unknowingly spread the viral code to other files by launching our favorite programs and sharing infected files with others.

HIV works in an astonishingly similar way. When humans contract HIV, the virus infects a type of cell in the immune system called a T cell. Not only is it an evolutionary snub that our own immune systems get hijacked by this virus, resulting in AIDS, but the virus literally becomes part of us, inserting its viral code into our own DNA. Even if the virus is destroyed with treatments such as HAART, the treatment is not permanent, since infected cells will produce new copies of the virus. This is why HIV patients must continue to receive treatment for their entire lives—humans do not have the luxury of being able to Format C:.

How to clean up/treat the virus

In the case of a computer virus, or malware, one of the easiest ways to treat an infection is to run a scan with a remediation product (like Malwarebytes). When Malwarebytes does a scan, it takes an incredibly close look at every single file. Is it digitally signed by a known malware author or trying to spoof a digital signature from Google? Does it contain references to known malware websites, perhaps a botnet command and control server? When it finds these indicators, it quarantines the malicious files and prevents them from causing any further damage to your computer.

When we catch a biological virus, our bodies do a similar type of interrogation, trying to find pieces of microbes that look out of place.

We have two major branches of the immune system: first, the innate immune system is far older in evolutionary terms. It acts very quickly to mount broad anti-microbial responses. We have sentinel cells that constantly survey all points of entry, from your respiratory tract to your gut. We have evolved methods of quickly detecting and eliminating various bacteria.

The second branch, the adaptive immune system, evolved more recently (roughly 450 million years ago) and is much slower to act. Yet, it can respond to a nearly unlimited number of specific threats, and perhaps most importantly, it remembers what it has targeted in the past. This memory is why we generally do not get chickenpox multiple times, and how vaccines protect us for decades on end.

The best parallel to this second type of immunity in computer security software is found in newer technologies that utilize machine-learning algorithms to recognize malware based on file-structure or behavioral peculiarities. These technologies constantly improve upon themselves, just as evolution has improved upon previous iterations of organisms since the genesis of life itself.

Protecting against malware and the flu

Fighting malware and fighting off real-life infections share the same quintessential goal: how can one distinguish the harmless from the harmful? Put another way, both our software-based and biological-based defenses must be able to tell the difference between themselves (e.g., Windows system files, your own brain cells) and things that are foreign (e.g., Trojan files, influenza virus). Failure in this process results in false positives.

Software false positives, or identifying something as malicious that is not, can have varying results, from mildly annoying (reinstalling software) to terminal (corrupting Windows itself). Similarly, false positives in our own bodies, when our immune systems erroneously attack themselves, can result in debilitating allergic responses and even autoimmune diseases such as multiple sclerosis or Type 1 diabetes.

Doctors often recite Benjamin Franklin’s quote “an ounce of prevention is worth a pound of cure.” This adage holds true for our computers and ourselves. The damage that viruses wreak on people can be irrecoverable. President Franklin Roosevelt became paralyzed due to poliovirus infection. But the development of potent polio vaccines by Jonas Salk and Albert Sabin compounded with efforts by the Bill and Melinda Gates Foundation half a century later have resulted in the near global eradication of poliovirus.

For our computers’ safety, a similar level of protection is essential, as many of the aforementioned types of malware cause irreparable damage to operating systems, resulting in reformatting the hard drive to fully remove all traces of the infection. Instead we suggest another approach: layers of technology aimed at stopping various types of malware in various stages of attack.

Just as you would use different strategies to promote your own health and prevent disease—from eating healthy to getting active to taking medications to regulate various conditions—using layers of technology increases your chances of preventing damaging infection or theft of sensitive data. From blocking the execution of malicious software, to blocking the mechanisms by which malicious code can exploit vulnerabilities in outdated software, to anticipating the mechanisms that ransomware authors use to seize control of your computer, a layered approach to protection will always be the best method to keep your computer safe.

Thus, the methods that programs such as Malwarebytes for Windows utilize to protect your computer from malicious threats bear a striking resemblance to the mechanisms that have evolved to protect our bodies from bacterial and viral infections. Similarly, the malicious programs that criminal syndicates employ to steal money and identities from unsuspecting people are themselves similar in scope and cowardice to the infection methods that microorganisms have evolved to utilize.

There is much we could learn from how our immune systems work in order to conceptually and practically advance how we protect our computers from the threats of tomorrow.

The post Our computers, ourselves: digital vs. biological security appeared first on Malwarebytes Labs.

Categories: Techie Feeds

When cybersecurity isn’t all cyber: What does it really take to work in cybersecurity?

Malwarebytes - Wed, 10/25/2017 - 20:29

With the multitude of breaches and outbreaks already witnessed in 2017, it’s become clear that industries across all verticals are challenged by cybersecurity. This is a serious business problem that needs to be addressed ASAP. As much talk as there is about organizations getting hacked, scores of customers getting affected, and companies struggling to get back on their feet after a breach, so is there about a global skills shortage in cybersecurity.

But is the cybersecurity skills gap real, or is it just a myth? Multitudes of organizations, including those within the industry, seem to think so. Others don’t share this line of thought. Regardless of where you stand, what we can all agree on is that businesses of all sizes know that they have cybersecurity issues, and they need help addressing them.

It’s no surprise that some firms have turned to universities to bridge this gap. After all, they’re responsible for teaching and training professionals of the future. However, questions have been raised when we merely put the burden on schools. Can universities deliver and maintain a high level of training? Do they have the resources they need to provide a high level of cybersecurity training? Are companies willing to wait that long before their issues can be resolved?

Some companies, on the other hand, are turning to automation as a means to close the skills shortage. This means using artificial intelligence (AI), machine learning, and other automation tools and technologies rather than relying on manual processes. A logical alternative, if not a bit pricey, but let’s be honest: automation isn’t the panacea that one would hope for in cybersecurity. People are still the most critical part of a business’s security process.

When it comes to people, organizations likely have an idea about what they’re looking for in a cybersecurity candidate: Coding, networking, analysis, and management skills are indispensable. Ideally, the more hard skills boxes are ticked, the better. Yet let’s not forget that as valuable as these skills are, so too are soft skills—and other hard skills, actually—that don’t necessarily require technical and cyber know-how. With that in mind, here are the most important skills a potential cybersecurity candidate (and business looking to hire) should focus on:

Read: How to create an intentional culture of security

‘Know thyself’

Those looking into getting a career in security must have at least three of these soft skills to succeed:

  • Communication. The ability to impart information tailored in a way that is understood by the audience; and in working in security, you’ll find that you’ll be dealing with many different kinds of audiences, from highly technical analysts to customers bordering on luddite.
  • Critical thinking. The ability to make an objective evaluation of an issue to form a judgment. This goes hand-in-hand with perceptiveness and the ability to solve problems. Being able to look at a problem with a critical eye and handle it with calm and levelheadedness are attributes worth hiring for.
  • Collaboration. The essence of teamwork. Whether one engages with members of the team in-house, across departments, or across continents, it’s vital to have interpersonal sensitivity to know, at the moment, when to be a leader and when to be a listener.
  • Self-awareness. Knowing your tasks and how to do them is one thing, but being aware when one has succeeded or made a mistake is another. Accepting responsibility for errors demonstrates a healthy dose of humility and a willingness to learn from it. Self-awareness also means knowing when to ask for help.
  • Open-minded. Often, problems don’t have just one solution. Being receptive to new ideas and approaches to problem-solving, and taking advantage of diverse opinions (to name a few) are hallmarks of leadership. Open-mindedness goes hand-in-hand with creativity, innovation, and yes, even patience.
  • Flexible. There’s no denying that the tech and cybersecurity industries grow at a fast pace. As such, one must have the willingness to accept challenging tasks and be ready to be trained for new hard skills.
Other cybersecurity jobs

The field of cybersecurity is vast and continually growing—new roles are often created within businesses depending on their needs.

Earlier, we mentioned other hard skills that, should you have them, you can leverage if you decide to make a career in cybersecurity. In the paper, It’s not where you start—it’s how you finish, the IBM Institute for Business Value has encouraged businesses to follow “the new collar” approach, wherein skills are the focus and not degrees earned. They advocate this to attract candidates from diverse, nontechnical backgrounds. They have also identified alternative cybersecurity-related roles, listed below, that organizations can consider opening positions for.

  • Technical writer. The ability to research, write, and publish different types of information in various formats (e.g., manuals, online help, FAQ pages, Knowledge Base, white papers) isn’t something anyone can just do. One has to understand what they’re writing about and do it in a clear and concise manner. If tech writers aren’t writing, they often proofread and edit works of technical professionals.
  • Trainer. With the number of SMBs worldwide that wants to get serious about cybersecurity, Security Awareness Trainers can help get them started. Their contribution could create and foster a stronger and more effective security culture in the workplace.
  • Tester. For companies looking to expand and develop security hardware and software products, hiring testers to ensure they’re functioning as designed (even during misuse) pre-release can save a lot of headaches later. Some testers are also there to make sure that devices and systems are compliant with regulations and policies.
  • Helpdesk/Support engineer. Providing available phone, email, or chat support for clients when they experience a security incident, such as being locked out of their computer due to ransomware, is highly valuable to both the company and client, especially when they are able to address the concern.
Do you have what it takes?

Cybersecurity isn’t all cyber, as one would typically expect it to be. Realize that as more and more businesses gather, store, and use important data; are required to adhere to new policies; and want to take advantage of emerging technologies, such as the Internet of Things (IoT) and cloud computing, expect that more security-related jobs like the above will be available. Realize, too, that the right skills and aptitude can help usher you to a new career in cybersecurity.

Good luck! And for those who finally made it: Welcome!

The post When cybersecurity isn’t all cyber: What does it really take to work in cybersecurity? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

BadRabbit: a closer look at the new version of Petya/NotPetya

Malwarebytes - Tue, 10/24/2017 - 23:08

Petya/NotPetya (aka EternalPetya), made headlines in June, attacking users around the world. Today, we noted an outbreak of a similar-looking malware, called BadRabbit, probably prepared by the same authors. Just like the previous edition, BadRabbit has an infector allowing for lateral movements, using SMB to propagate laterally with a hardcoded list of usernames and passwords. However, unlike NotPetya, it doesn’t use EternalBlue and is more widely spread. (Impacted countries include Ukraine, Russia, Turkey, and Bulgaria).

Another key difference between Petya/NotPetya and BadRabbit is that the initial vector is different (a website dropping a fake Flash update). Also, some of its components have been replaced. The malware package is complex, and we will likely dedicate future articles to describing all its features. But let’s have an initial look.

Analyzed samples Behavioral analysis

The dropper is an executable that pretends to be a Flash update. The malware must run with Administration privileges, but no UAC bypass technique has been deployed— it relies purely on social engineering, trying to convince the user to elevate it. After being run, it drops and deploys the main module in C:\Windows directory. This time, it is named infpub.dat. (We can see the analogy to the previous NotPetya outbreak, where the DLL was named perfc.dat):

It is run by the rundll32.exe called with parameters:

"C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 15"

Notice that the malware scans computers in the LAN:

Our guess is that the information about the detected machines is used for lateral movements.

The malware also drops other elements in the Windows directory: cscc.dat and dispci.exe

The malware encrypts files with the selected extensions. All the files are encrypted with the same key (the same plaintext gives the same ciphertext).

Below, we demonstrate a visualization of a sample BMP file before and after being encrypted by BadRabbit:

It does not change files extensions. The marker indicating that the file has been encrypted is added at the end of the file content—it’s a unicode text: “%encrypted”:

Here’s the dropped ransom note. As before, it’s in TXT format, named Readme.txt:

As NotPetya did before, BadRabbit adds a scheduled task for the system reboot:

After the attack is completed, the system is restarted and the bootlocker screen pops up:

We can clearly see the similarity with the screen that was displayed by Petya/NotPetya:

However, this time there is no fake CHKDSK known from each of the Petya editions.

Following the ransom notes, we see that there are two encryption keys that the victim must get in order to be able to recover the files. The first one is the key to the bootlocker. After unlocking the first stage, the second key is required to unlock the files.

Website for the victim

Last time, the authors of the attack tried to use a single email account to communicate with the victims. Of course, this was unreliable, as they soon lost the access to the account. This time, like most of the ransomware authors, they created a Tor-based webpage. The authors invested more effort in the user experience, and the website contains visual effects, including a ransom note that slowly emerges from colorful, animated text:

After pasting the key from the ransom note, the victim is given an individual bitcoin address:

They also provide a box that can be used for reporting problems.


This malware has multiple elements. Execution starts in the PE file that is responsible for dropping and installing other elements.

The first component—infpub.dat—is analogical to the perfc.dat known from the NotPetya attack. This time, the DLL exports two functions:

The function at ordinal #1 is deployed first by the main dropper:

This DLL contains an infector that spreads malware into other machines in the LAN. Among other methods, we see WMIC being used to deploy the modules dropped on remote machines. The responsible code looks similar to the analogical elements of Petya/NotPetya:

This time, in addition to the credentials dumped with the help of the Mimikatz-based module, the sample tries to perform a dictionary attack and “guess” some of the passwords for remote logins. The list consists of commonly used passwords:

The same DLL is also responsible for infecting files one by one. Encryption is performed with the help of Windows Crypto API:

Some of the system directories are exempted from the attack:

\\Windows \\Program Files \\ProgramData \\AppData

Their list of the attacked extensions looks like the extended version of the list used by Petya/NotPetya:

3ds 7z accdb ai asm asp aspx avhd back bak bmp brw c cab cc cer cfg conf cpp crt cs ctl cxx dbf der dib disk djvu doc docx dwg eml fdb gz h hdd hpp hxx iso java jfif jpe jpeg jpg js kdbx key mail mdb msg nrg odc odf odg odi odm odp ods odt ora ost ova ovf p12 p7b p7c pdf pem pfx php pmf png ppt pptx ps1 pst pvi py pyc pyw qcow qcow2 rar rb rtf scm sln sql tar tib tif tiff vb vbox vbs vcb vdi vfd vhd vhdx vmc vmdk vmsd vmtm vmx vsdx vsv work xls xlsx x ml xvd zip

The AES key is generated with a cryptographically secure function CryptGenRand.

Then it is passed to the encrypting routine, along with other parameters, such as a hardcoded public key (used later to protect the random key and preserve it in a form that can be decrypted only by the attackers):

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ +feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83 hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpR hV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdw H1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW 9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWf SBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB

This module drops and installs other modules used to carry out other stages of the attack. One of them is a legitimate disk cryptor (cscc.dat). It is dropped and installed as a service:

The random key is later passed to another application that is dropped by this module—dispci.exe. That element is responsible for carrying the operation of encrypting the disk.

That module gets the randomly generated key in the -id parameter:

So, the random AES key is preserved for some time in unencrypted form as a command given to be deployed.


This module communicates with the dropped driver using appropriate IOCTLs. The dropped driver is a legitimate module used for disk encryption—dispci.exe is made to adopt the driver’s features for malicious purpose. Example:

In its resources, we can find the low-level components that are installed directly to the disk (analogically to the Petya kernel installed by the previous version). The first resource is a bootloader, and the other two are analogical variants of the malicious kernel:

The low-level components: bootloader and kernel

This time the low-lever part looks different than in the case of NotPetya. Fragment of the bootloader:

It seems that authors decided to write their own kernel rather than using the one from Petya. It is also installed in a different position of the disk—at the end rather than at the beginning, as Petya did. The kernel is encrypted using a simple routine:


The code has many overlapping and analogical elements to the code of Petya/NotPetya, which suggests that the authors behind the attack are the same. Again, they tried to compose their malicious bundle out of stolen elements, however, the stolen Petya kernel has been substituted with a more advanced disk crypter in the form of a legitimate driver. It looks like the authors tried to improve upon previous mistakes and finish unfinished business. So far, it seems that in the current release, encrypted data is recoverable after buying the key, which means the BadRabbit attack is not as destructive as the previous one. However, the malware is complex and its detailed analysis will take more time. We will be updating this article with the latest findings.

Users of Malwarebytes for Windows are protected from BadRabbit. It is detected as Ransom.BadRabbit.


Summary about the previous attack, Petya/NotPetya:

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog:

The post BadRabbit: a closer look at the new version of Petya/NotPetya appeared first on Malwarebytes Labs.

Categories: Techie Feeds

BadRabbit ransomware strikes Eastern Europe

Malwarebytes - Tue, 10/24/2017 - 21:53

A new strain of ransomware called BadRabbit is spreading through Eastern Europe. Likely created by the same authors as the Petya/Not Petya ransomware outbreak in June, BadRabbit ransomware uses a website to drop a fake Flash update and then drops its payload.

Click to view slideshow.

Countries we know to be impacted so far are Russia, Ukraine, Turkey, Bulgaria, and Germany, with attacks centered on targets as wide-ranging as infrastructure, transportation, and media outlets. It is unknown at this time whether the attack will continue to spread, but it does have the same capacity for lateral infection (the ability to move deeper into a network and gain additional points of control) as the Petya/Not Petya ransomware.

Below is a view of the pay screen for Bad Rabbit, including its fascinating animated text. This is the most intricate pay screen we’ve ever seen, although it doesn’t seem to add any new functionality.

Cybercriminals are asking for 0.05 bitcoins, or $280, in return for the ransomed files. Customers of Malwarebytes for Windows are already protected from this threat. Malwarebytes detects it as Ransom.BadRabbit.

Concerned citizens who don’t have anti-ransomware technology should back up their most important files now (either to the cloud or to an external drive, which should be ejected after the backup is complete to avoid infection). Those who do have this type of security should be sure to run all updates and turn on real-time protection, if not already activated.

Folks looking for a deeper technical dive into BadRabbit can click HERE to see a thorough breakdown of BadRabbit by Hasherezade!

The post BadRabbit ransomware strikes Eastern Europe appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Digital forensics: How to recover deleted files

Malwarebytes - Tue, 10/24/2017 - 17:00

Where I personally have a problem remembering names and birthdays, computers have a hard time “forgetting” things. Even when we tell them to do so. If you ever unintentionally deleted a file, you may have been able to retrieve it from the Recycle Bin. Or, if it was past that stage and the file was really important, you may have used System Restore. You may even have looked for recovery software. But what’s actually happening when you delete and recover those files? And are they ever truly gone? We examine the steps a forensic analyst would use to both recover deleted files and permanently delete those they want gone forever.

Deleting a file in Windows

When you send a file to the Recycle Bin, nothing happens to the file itself. The only change is in a pointer record that showed the location of the file before you deleted it. This pointer now shows the file is in the Recycle Bin. Taking the removal one step further, which can be achieved by emptying the Recycle Bin or using Shift + Delete, this pointer record is now what gets deleted.

So Windows will no longer “know” the physical location of the file. And the physical space it occupies on the hard disk is now free and ready to be used for a different objective. But it’s not immediately overwritten. This is by design. The data that was in the file is still in that same location until the operating system uses that physical location for a different purpose.

How does that help us?

Let’s for the sake of this article assume that System Restore or another backup method was not enabled, because if it were, that would the second method to try and get those important files back. The problem is that with System Restore, we sometimes dread the other changes that may be undone in the process of using it. Especially if the last usable restore point is an old one.

Knowing how the deletion procedure in Windows works can help us if and when we want to recover important deleted files. You should realize that every change you make after deleting that file diminishes the chance of getting it back in one piece. Defragmenting, for example, re-arranges a lot of the physical locations that files are in and can overwrite the “freed-up” space.

The mere act of looking for recovery software, downloading it, and installing it, may be the very thing that renders the file unrecoverable.

This is where forensic analysts come into play. While most home users wouldn’t perform many more tasks to find deleted files than mentioned above, forensic analysts will take the drive that they want to examine out of operation and slave it on another system, creating an exact snapshot image of all the data contained on the drive. This method allows them to examine the data without making any changes to the drive. And if they make changes to the copy, there is no harm done, as they can make a new copy from the original.

What if I really want my files to be deleted?

Deleting a file may erode it or make space for other files, but is it ever truly 100 percent gone? For example, are there effective ways of deleting the content of a hard drive when you sell your computer? Well, the short answer is “No.” There is no method of deletion that I would trust 100 percent. There are professional recovery tools that claim they will be able to recover files even when the drive has been re-partitioned and re-formatted.

What a forensic analyst might do is to overwrite a whole hard disk and fill every addressable block with zeroes (ASCII NUL bytes). There are secure drive erase utilities for this purpose that can reach a high efficiency rate when used several times on the same drive. At this point, there is no way of recovering overwritten data.

There is software that can erase specific files and folders by overwriting them. Take note that this procedure could turn out to be useless if you have any type of automatic backup system in place, which is recommended given the current number of ransomware threats that are out there.

And if you want to keep on using a drive, but don’t want anyone else to have access to your important files, we would advise you to use encryption. You can encrypt specific data or the whole drive to prevent uninvited eyes from opening them.

There are important differences between deleting, erasing, and overwriting. When it comes to recovering and deleting files, think like a forensic analyst. If you want to be able to recover a deleted file, the method you use will be very different from wanting to make a file virtually disappear. Choose wisely and you’ll better protect your data in the long run.

The post Digital forensics: How to recover deleted files appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (October 16 – October 22)

Malwarebytes - Mon, 10/23/2017 - 17:24

Last week was an eventful one in security, keeping our research and intel teams on their toes. Multiple security researchers homed in on suspicious and malicious apps on Google Play, affecting thousands of Android users. A new variant of Mac malware Proton was also found in the wild, this time hijacking the Elmedia Player to create a Trojanized copy of the app on its official website. If you’re a Mac user and suspect that you might be infected, our Director of Mac and Mobile, Thomas Reed, provided helpful tips to clean up your computer.

We touched on how a business can create and foster an intentional culture of security, addressed why we need such a thing, and debunked some misconceptions surrounding it. We also looked into the Bring Your Own Device (BYOD) policy, the risks associated with it, and some mitigating factors to consider.

Independent security researcher Hasherezade analyzed the Magniber ransomware, which targets systems only in South Korea. She noted that this type of highly-targeted campaign is a first of its kind, as zeroing in on a single country is unusual. Not only that, the said malware was created with multiple checks to ensure that the language and country of systems are in South Korea.

419 scams are well-known, but not all threat actors behind them contact users via social media—in this case, Twitter—and offer millions in exchange for their children.

Last week KRACK, a flaw in the wireless protocol that protects modern Wi-Fi networks, was discovered. Short for Key Installation Attack, KRACK allows malicious actors (within Wi-Fi range) to insert themselves into the network and intercept traffic between users and the router. Android and Linux users are most affected by this vulnerability.

Lead Malware Intelligence Analyst Jérôme Segura wrote about the weaponization of an old Microsoft Office feature called Dynamic Data Exchange (DDE) in a malspam attack. This was a noted alternative to using exploits or taking advantage of macros.

Lastly, Director of Malwarebytes Labs Adam Kujawa explained why we detect CoinHive, a service that provides cryptocurrency miners and can be deployed on websites using JavaScript.

Below are other notable security stories from last week:

Latest updates for consumers
  • New Scam Impersonates VAT Form To Deliver Malware. “Trustwave explained that the body of the email encourages the user to click on an embedded image of a PDF doc citing an error in their recently submitted VAT return, taking the victim to a Microsoft OneDrive file sharing service that downloads a VAT Return ZIP file—inside is a malicious Java Jar file that on execution downloads and launches malware via several VBS scripts. There is no actual attachment sent with the message.” (Source: InfoSecurity Magazine)
  • Hackers Exploit Adobe Flash Flaw to Install Infamous Spyware. “The vulnerability, which can trigger remote code execution, only came to light when security firm Kaspersky Lab noticed it as part of a hacking attempt against a customer last week.” (Source: PC Magazine)
  • ‘Worse Than KRACK’ – Google and Microsoft Hit by Massive 5-Year-Old Encryption Hole. “The problem in the Infineon chips is to do with the vendor’s implementation of the encryption, based in this case on the widely-used RSA standard. Thanks to the bugs, it’s possible to calculate someone’s private key by just having the public key.” (Source: Forbes)
  • WaterMiner – a New Evasive Crypto-Miner. “This post explains the nature of malicious cryptocurrency miners (cryptominers), dissects the newly discovered malware, and explains its evasive techniques and infection vectors that the adversaries employed to get around endpoint security tools. We also provide details about the identity of the person who is likely behind this campaign.” (Source: Minerva Labs Blog)
  • Simple Social Login for Users and Attackers. “It’s easy to see why social logins are so popular. For users, it’s a much easier mechanism. With a social login, they control one trusted identity and use it to log into other places in a trustworthy way. For site owners, it reduces friction in the signup process and feels more secure, as they don’t need to manage user passwords or store their credentials, and they know that a user’s email will be valid and won’t bounce.” (Source: InfoSecurity Magazine)
  • Are You Sharing the Same IP Address as a Criminal? Law Enforcement Call for the End of Carrier Grade NAT (CGN) to Increase Accountability Online. “The inability to identify Internet subscribers on the basis of an IP address has put the European judiciary and law enforcement communities in a difficult and complex situation, creating a public safety gap and putting the privacy of citizens at risk because it forces judiciary and law enforcement authorities to investigate many more individuals than would normally be necessary.” (Source: Europol)
  • A Look at Locky Ransomware’s Recent Spam Activities. “A closer look at Locky’s activities reveals a constant: the use of spam. While spam remains to be a major entry point for ransomware, others such as Cerber also employ vectors like exploit kits. Locky, however, appears to concentrate its distribution through large-scale spam campaigns regardless of the variants released by its operators/developers.” (Source: Trend Micro’s TrendLabs Security Intelligence Blog)
  • Necurs Malware Will Now Take a Screenshot of Your Screen, Report Runtime Errors. “This Necurs downloader often gets ignored because it’s usually pretty small and insignificant. Recently, researchers from Symantec observed two major additions to the Necurs downloader.” (Source: Bleeping Computer)
  • Google Wants Bug Hunters to Probe Popular Android Apps for Bugs. “While the name of the program might suggest that bug hunters will be after vulnerabilities in Google’s official Android app market, in reality they will be asked to unearth bugs in all of Google’s apps available on Google Play, as well as a short list of other popular ones.” (Source: Help Net Security)
  • Malware in Firmware: How to Exploit a False Sense of Security. “When thinking about security, we generally take risk into account. It is well known that risk is a composition of likelihood and potential impact, so while a bootkit’s impact is undoubtedly hefty, what can be said about the likelihood of coming across such threat?” (Source: ESET’s WeLiveSecurity Blog)
  • Quarter of Emails Claiming to Be From Feds are Malicious, Unauthenticated, Says Cyber Firm. “In the report, Agari notes federal agencies will continue to suffer from excessive malicious emails without the usage of proper Domain-based Message Authentication (DMARC) monitoring policies. The company concluded that 90 percent of the 400 federal domains are vulnerable to these types of threats.” (Source: Fifth Domain)
Latest updates for businesses
  • Hacking Container Ships is Dead Easy, Warn Security Consultants. “At a shipping conference in Athens, Greece, Ken Munro, a security researcher at Pen Test Partners, said that maritime cybersecurity is facing similar challenges now to what industrial controls security in utilities started addressing several years ago.” (Source: SC Magazine)
  • Your Board of Directors Is Exposing You To Risk. “It’s commonly accepted that your users are the weakest link in your security chain. That is actually not true in a lot of cases, though. The reality is that your true Achilles heel is probably your board of directors.” (Source: Forbes)
  • Study: 61 Percent of Organizations Have Minimal Control Of SSH Privileged Access. “Cybercriminals can abuse SSH keys to secure and automate administrator-to-machine and machine-to-machine access to critical business functions. According to Venafi’s research, even though SSH keys provide the highest levels of administrative access, they are routinely untracked, unmanaged, and poorly secured.” (Source: Venafi Press Release)
  • Top UK Organisations Still Too Exposed to Cyber Threats According to New RiskIQ Research. “Unpatched web infrastructure and de-centralised web management practices are leaving UK organisations vulnerable to cyberattacks and high profile data breaches. New RiskIQ research reveals a loss of control amongst the FT30, expanding their digital attack surface and opening doors to cybercriminals.” (Source: Realwire)
  • Microsoft: Why Identity Protection Is the Key to Corporate Security. “Microsoft has long been the preferred choice of partner for many companies, with its Microsoft 365 platform offering a comprehensive, and more importantly, secure way to ensure data stays protected. But just exactly what goes in to ensuring millions of enterprises can leave the office each evening feeling assured that their data is safe?” (Source: IT Pro Portal)
  • Password Sharing, Unauthorized Access Are Rampant Problems in the Enterprise. “While cybersecurity experts recommend that organizations deploy a Privileged Access Management (PAM) solution—a tool that enables businesses to consolidate and track employee access to various accounts—BeyondTrust’s latest report suggests businesses are seriously lacking in their efforts to deploy a more robust security strategy.” (Source:
  • Business Suffers As Over-zealous Security Tools Block Legitimate Work. “Most security teams utilise a ‘prohibition approach’—i.e. restricting user access to websites and applications—a tactic which is hampering productivity and innovation while creating major frustration for users, according to research conducted by Vanson Bourne.” (Source: Help Net Security)
  • 10 Social Engineering Attacks Your End Users Need to Know About. “Christopher Hadnagy, chief human hacker at Social-Engineer, adds that people should be aware that social attacks such as phone-based vishing where attackers try to steal money over the phone are becoming more prevalent.” (Source: Dark Reading)
  • Top Thoughts for GDPR Third-Party Management. “We see that there are three priorities for third-party management: understanding the different roles defined in GDPR; key contract elements to consider for GDPR processors; and assessing the applicable processors for compliance.” (Source: InfoSecurity Magazine)

Safe surfing, everyone!

The post A week in security (October 16 – October 22) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

More trouble in Google Play land

Malwarebytes - Fri, 10/20/2017 - 20:41

This is not a good week for Google, it seems.

After our mobile security experts repeatedly discovered adware on several apps on the Google Play store, our friends at Symantec have unearthed at least eight malicious apps that are found capable of adding affected mobile devices to a botnet. According to their blog post, the apps have been downloaded and installed onto 2.6 million smartphones, tablets, and possibly some IoTs.

Threat actors behind the bogus apps have banked on the popularity of Minecraft, a sandbox video game with a user base of 100 million. They specifically targeted Minecraft: Pocket Edition (PE), which launched in 2015. Symantec explained how the malicious apps work:

The app connects to a command and control (C&C) server on port 9001 to receive commands. The C&C server requests that the app open a socket using SOCKS and wait for a connection from a specified IP address on a specified port. A connection arrives from the specified IP address on the specified port, and a command to connect to a target server is issued. The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.

There is no functionality within the application to display ads.

Due to a large number of devices affected, it’s possible for the threat actors to also leverage them for DDoS attacks. This is not a new concept—using mobile devices to launch a crippling blow to websites and networks has been done before.

To minimize the possibility of downloading apps that are not behaving like they’re supposed to, consult our list of safe practices when using your mobile device. Meanwhile, users of Malwarebytes for Android who have updated to the latest version are already protected. We detect the malicious apps as Android/

Stay safe, everyone!

The post More trouble in Google Play land appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mac malware OSX.Proton strikes again

Malwarebytes - Fri, 10/20/2017 - 16:55

The hackers responsible for the Mac malware OSX.Proton have struck again, this time infecting a copy of the Elmedia Player app that was being distributed from the official Eltima website. At this time, it is still unknown how long their website was providing the hijacked app.

Proton was silently added to Apple’s XProtect definitions in early March, and not much was known about it at the time. Then, in May, one of the servers responsible for distributing the popular Handbrake software was hacked, resulting in the distribution of a Proton-infected copy of Handbrake for a four-day period. Now, Eltima Software has fallen victim to a similar attack.

Researchers at ESET discovered the trojanized copy of Elmedia Player on Thursday morning, and Eltima Software eliminated the malware from their servers by that afternoon. However, an unknown number of people have already downloaded the malicious copy of Elmedia Player and will be infected with Proton.

The malicious Elmedia Player app looks completely legitimate, even when opened. This is because the Trojanized app is actually a wrapper, containing the real Elmedia Player application. When the malicious wrapper is opened, it opens the legitimate app as a cover to make it seem like everything is working as expected.

In the following screenshot, you can see the contents of the legitimate Elmedia Player app in the lefthand window, compared to the malicious wrapper app on the right.

This is a bit different than the technique used to Trojanize Handbrake. In the case of Handbrake, the software is open source, so the hackers were able to actually compile a malicious copy of the Handbrake app that installed the Proton malware, but otherwise behaved normally.

In this case, however, Elmedia Player is not open source, so the hackers changed their methods to open an untampered copy of the real application. To avoid suspicion by having two different Elmedia Player apps showing up on the Dock, the malicious wrapper app has the following setting in its Info.plist file:

<key>LSUIElement</key> <true/>

This means that the malicious app is treated as more of a background process, hidden from the Dock and the Force Quit window, eliminating one potential cause for user suspicion.

The only place that the malicious application differs from the legitimate one, as with the Handbrake hack, is a password request when the app launches.

Malware researcher @noarfromspace also noticed that Eltima Software’s Folx application is also affected, which we have confirmed. Since Eltima Software has cleaned up their systems at this point, it is not known how many of their other apps may also have been affected.

The maliciously-modified Eltima apps are all signed using an Apple developer certificate issued to a “Clifton Grimm.” That certificate has been revoked at this point, rendering those apps inoperable.

Malicious behaviors

As with the variant that was dropped by the hacked copy of Handbrake (Proton.B), this variant (Proton.C) will also attempt to exfiltrate the keychains and 1Password vaults containing user passwords and other sensitive information, as well as browser information, including login credentials for those who use browser functionality to remember their passwords.

However, Proton.C will also collect a number of other pieces of data. It will exfiltrate several different cryptocurrency wallets, giving the hackers the ability to steal digital money, such as Bitcoin, from the user. It also grabs other data that could be used to connect to sensitive online resources accessible to the user.

In addition, as part of the infection process, Proton.C will add a line to the sudoers file, which manages access to root privileges:

Defaults !tty_tickets

Normally, if a user is granted root privileges in the terminal, for example, those privileges will only apply within that single terminal window (session) and nowhere else. By adding this line to the end of the sudoers file, this allows the malware to authenticate once, and root privileges are allowed across all sessions.

Am I infected?

Unfortunately, we don’t know yet how long Eltima Software’s systems have been serving up Trojanized software. However, if you have downloaded any software from Eltima Software recently, you should check to see if your system is infected. The easiest method for identifying an infection would be to install Malwarebytes for Mac, which will detect and remove Proton.C for free.

You can also check by choosing Go to Folder from the Go menu in the Finder, and entering the following path:


Then click the Go button. If the Finder complains that “The folder can’t be found,” that means you’re probably not infected—assuming, of course, that you didn’t make a mistake entering the path. This is not a method we recommend to most people, due to the possibility of human error resulting in an erroneous belief that the system is clean.

If you find an infection, be sure to delete any Eltima Software applications from your system, even if they are not detected by antivirus software, just to be completely sure. It should be safe to re-download clean copies at this point.

What happens if I’m infected?

If you are infected, the first priority is to get the malware off your system.

After you have done that, you will need to begin the far harder process of remediating the effects of the breach. You should assume that every password to every online account has been compromised, and should change them all. A good password manager, such as 1Password, will help immeasurably with this. If you’re not already using such a program, we recommend that you start now. (And don’t store the master password for your password manager in the macOS keychain!)

If you have any cryptocurrency wallets, you will need to take fast action to lock those down, before the criminals behind this malware clean you out. If you had any credit card or other financial account numbers stored in the keychain or in 1Password, contact those financial institutions immediately so that those accounts can be frozen, monitored, or changed.

For those with affected business machines, you need to alert your IT admins immediately. This malware may have given the hackers the keys needed to access some or all of your company’s internal resources, which could lead to your company suffering from a breach—possibly one that results in your company spreading another variant of Proton if you work at a software company.

If people act quickly to remediate, they can lessen the impact of this particular malware and stop the infection from spreading.

The post Mac malware OSX.Proton strikes again appeared first on Malwarebytes Labs.

Categories: Techie Feeds


Subscribe to Furiously Eclectic People aggregator - Techie Feeds